Merge master + fix environment usage for downstream tests

- environment-test: use separate temp env for 'update name' test so shared
  development env is never renamed; bulk/entry/release/workflow keep using
  testData.environments.development
- bulkOperation-test: use testData.environments.development.name (envName)
  instead of hardcoded 'development' for all publish/unpublish payloads
- .talismanrc: update checksums for modified test files and merge artifacts
- No sensitive data: only process.env.API_KEY and env var references

Author: AniketDev7

.github/workflows/check-branch.yml

@@ -8,13 +8,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Comment PR
-        if: github.base_ref == 'master' && github.head_ref != 'staging'
+        if: github.base_ref == 'master' && github.head_ref != 'developement'
         uses: thollander/actions-comment-pull-request@v2
         with:
           message: |
-            We regret to inform you that you are currently not able to merge your changes into the master branch due to restrictions applied by our SRE team. To proceed with merging your changes, we kindly request that you create a pull request from the next branch. Our team will then review the changes and work with you to ensure a successful merge into the master branch.
+            We regret to inform you that you are currently not able to merge your changes into the master branch due to restrictions applied by our SRE team. To proceed with merging your changes, we kindly request that you create a pull request from the development branch. Our team will then review the changes and work with you to ensure a successful merge into the master branch.
       - name: Check branch
-        if: github.base_ref == 'master' && github.head_ref != 'staging'
+        if: github.base_ref == 'master' && github.head_ref != 'development'
         run: |
-          echo "ERROR: We regret to inform you that you are currently not able to merge your changes into the master branch due to restrictions applied by our SRE team. To proceed with merging your changes, we kindly request that you create a pull request from the next branch. Our team will then review the changes and work with you to ensure a successful merge into the master branch."
+          echo "ERROR: We regret to inform you that you are currently not able to merge your changes into the master branch due to restrictions applied by our SRE team. To proceed with merging your changes, we kindly request that you create a pull request from the development branch. Our team will then review the changes and work with you to ensure a successful merge into the master branch."
           exit 1

.github/workflows/check-version-bump.yml

@@ -0,0 +1,58 @@
+# Ensures package.json and CHANGELOG.md are bumped compared to the latest tag when relevant files change.
+name: Check Version Bump
+
+on:
+  pull_request:
+    paths:
+      - 'package.json'
+      - 'CHANGELOG.md'
+
+jobs:
+  version-bump:
+    name: Version & Changelog bump
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22.x'
+
+      - name: Check version bump
+        run: |
+          set -e
+          PKG_VERSION=$(node -p "require('./package.json').version.replace(/^v/, '')")
+          if [ -z "$PKG_VERSION" ]; then
+            echo "::error::Could not read version from package.json"
+            exit 1
+          fi
+          git fetch --tags --force 2>/dev/null || true
+          LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || true)
+          if [ -z "$LATEST_TAG" ]; then
+            echo "No existing tags found. Skipping version-bump check (first release)."
+            exit 0
+          fi
+          LATEST_VERSION="${LATEST_TAG#v}"
+          LATEST_VERSION="${LATEST_VERSION%%-*}"
+          if [ "$(printf '%s\n' "$LATEST_VERSION" "$PKG_VERSION" | sort -V | tail -1)" != "$PKG_VERSION" ]; then
+            echo "::error::Version bump required: package.json version ($PKG_VERSION) is not greater than latest tag ($LATEST_TAG). Please bump the version in package.json."
+            exit 1
+          fi
+          if [ "$PKG_VERSION" = "$LATEST_VERSION" ]; then
+            echo "::error::Version bump required: package.json version ($PKG_VERSION) equals latest tag ($LATEST_TAG). Please bump the version in package.json."
+            exit 1
+          fi
+          CHANGELOG_VERSION=$(sed -nE 's/^## \[v?([0-9]+\.[0-9]+\.[0-9]+).*/\1/p' CHANGELOG.md | head -1)
+          if [ -z "$CHANGELOG_VERSION" ]; then
+            echo "::error::Could not find a version entry in CHANGELOG.md (expected line like '## [v1.0.0](...)')."
+            exit 1
+          fi
+          if [ "$CHANGELOG_VERSION" != "$PKG_VERSION" ]; then
+            echo "::error::CHANGELOG version mismatch: CHANGELOG.md top version ($CHANGELOG_VERSION) does not match package.json version ($PKG_VERSION). Please add or update the CHANGELOG entry for $PKG_VERSION."
+            exit 1
+          fi
+          echo "Version bump check passed: package.json and CHANGELOG.md are at $PKG_VERSION (latest tag: $LATEST_TAG)."

.github/workflows/sca-scan.yml

@@ -13,3 +13,6 @@ jobs:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
           args: --all-projects --fail-on=all
+          json: true
+        continue-on-error: true
+      - uses: contentstack/sca-policy@main

.github/workflows/unit-test.yml

@@ -4,7 +4,6 @@ on:
     branches:
         - master
         - main
-        - staging
         - development
 jobs:
   build-test:

.gitignore

@@ -72,4 +72,7 @@ test-curls.txt
 dist
 jsdocs
 .early.coverage
-docs/
+docs/
+# Snyk Security Extension - AI Rules (auto-generated)
+.cursor/rules/snyk_rules.mdc
+.vscode/settings.json

.husky/post-checkout

@@ -0,0 +1,40 @@
+#!/usr/bin/env sh
+# When switching to a branch that doesn't exist on remote (e.g. newly created),
+# pull and merge origin/main or origin/master into current branch. Does not push.
+
+# Only run on branch checkout (not file checkout)
+if [ "$3" != "1" ]; then
+  exit 0
+fi
+
+# Skip if we don't have a remote
+if ! git rev-parse --verify origin 2>/dev/null; then
+  exit 0
+fi
+
+CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD)
+
+# Skip main/master/development - no need to merge base into these
+case "$CURRENT_BRANCH" in
+  main|master|development) exit 0 ;;
+esac
+
+# Only run when current branch does not exist on origin (treat as new local branch)
+if git ls-remote --heads origin "$CURRENT_BRANCH" 2>/dev/null | grep -q .; then
+  echo "post-checkout: $CURRENT_BRANCH exists on origin, skipping merge."
+  exit 0
+fi
+
+# Prefer main, fallback to master
+if git rev-parse --verify origin/main 2>/dev/null; then
+  BASE=origin/main
+elif git rev-parse --verify origin/master 2>/dev/null; then
+  BASE=origin/master
+else
+  exit 0
+fi
+
+echo "New branch detected: merging latest $BASE into $CURRENT_BRANCH (local only, not pushing)..."
+git fetch origin
+git merge "$BASE" --no-edit --no-ff
+echo "Done. Merge is local only; push when ready."

.talismanrc

@@ -9,7 +9,7 @@ fileignoreconfig:
     ignore_detectors:
       - filecontent
   - filename: package-lock.json
-    checksum: 92b88ce00603ede68344bac6bd6bf76bdb76f1e5f5ba8d1d0c79da2b72c5ecc0
+    checksum: ff309d2a910e885853fb25faa6aa3d2bd2cfc2d316c84a0e984bbda79c596ae9
   - filename: test/unit/ContentstackClient-test.js
     checksum: 5d8519b5b93c715e911a62b4033614cc4fb3596eabf31c7216ecb4cc08604a73
   - filename: .husky/pre-commit
@@ -28,7 +28,7 @@ fileignoreconfig:
     checksum: 2597efae3c1ab8cc173d5bf205f1c76932211f8e0eb2a16444e055d83481976c
   # Sanity check test files - use process.env for all secrets (no hardcoded values)
   - filename: test/sanity-check/api/environment-test.js
-    checksum: 91d76e6a2c4639db04071a30a9212df32777ab5f0e3a23dc101f4d62c13609b0
+    checksum: 5c3225c9013d7f0640ed7ef0e556fda4382e52b93da1af1f155c94eededd5195
   - filename: test/sanity-check/env.example.txt
     checksum: 3339944cd20d6d72f70a92e54af3de96736250b4b7117a29577575f9b52ed611
   - filename: test/sanity-check/api/token-test.js
@@ -94,7 +94,7 @@ fileignoreconfig:
   - filename: test/sanity-check/api/contentType-test.js
     checksum: 4d5178998f9f3c27550c5bd21540e254e08f79616e8615e7256ba2175cb4c8e1
   - filename: test/sanity-check/api/bulkOperation-test.js
-    checksum: 6281e14c7a10864c586e95139f47ae2ee5bb2322a2beaec166a1f6ece830431b
+    checksum: 1721c0e0f5b79a46fba21bfbedc3a87db4715bc97cd064f2361d35ab453b890c
   - filename: test/sanity-check/api/entry-test.js
     checksum: 9dc16b404a98ff9fa2c164fad0182b291b9c338dd58558dc5ef8dd75cf18bc1f
   - filename: test/sanity-check/api/entryVariants-test.js
@@ -107,4 +107,17 @@ fileignoreconfig:
     checksum: 6c0d8f6e7c85cd2fa5f0a20e8a49e94df0dde1b2c1d7e9c39e8c9c6c8b8d5e2f1
   - filename: test/unit/concurrency-Queue-test.js
     checksum: fd5c327f4fa1b334fdb1a2d903ac0213752e7829f31f19667215aa186c3efbbf
+  # From merge / Talisman allowlist (no secrets - env vars, test patterns, lockfile hashes)
+  - filename: lib/core/pkceStorage.js
+    checksum: e060690c5ed348a6914df7ecc36de5b6b45f9a7c3a9c164c88bd2c7fad2bea08
+  - filename: lib/stack/bulkOperation/index.js
+    checksum: c2eb400c6617a860bd5c519ace03c06cde169135e1c258106cfc3263dfcfc4d1
+  - filename: test/unit/pkceStorage-test.js
+    checksum: 567f557d37e8119c22cd4c5c4014c16dd660c03be35f65e803fb340cfd4b2136
+  - filename: test/unit/oauthHandler-test.js
+    checksum: 95a968c0d72d5bbe9e1acb30ea17ab505938f6174e917d7a25dda8facfda5a49
+  - filename: types/stack/bulkOperation/index.d.ts
+    checksum: d6771a51a021977ce9f428afc289c80aee3d2fca211f4102cf782afded354ce7
+  - filename: .github/workflows/check-version-bump.yml
+    checksum: c4aff7ca93f40213f67534e5c490d7a633cbebb21bbebd4517ff9b9db37ab52a
 version: "1.0"

CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## [v1.28.0](https://github.com/contentstack/contentstack-management-javascript/tree/v1.27.5) (2026-03-02)
+-  Enh
+   - Added DAM 2.0 query support 
+
+## [v1.27.6](https://github.com/contentstack/contentstack-management-javascript/tree/v1.27.5) (2026-02-23)
+ - Fix
+   - Skip token refresh on 401 when API returns error_code 161 (environment/permission) so the actual API error is returned instead of triggering refresh and a generic "Unable to refresh token" message
+   - When token refresh fails after a 401, return the original API error (error_message, error_code) instead of the generic "Unable to refresh token" message
+
 ## [v1.27.5](https://github.com/contentstack/contentstack-management-javascript/tree/v1.27.5) (2026-02-11)
  - Fix
    - Concurrency queue: when response errors have no `config` (e.g. after network retries exhaust in some environments, or when plugins return a new error object), the SDK now rejects with a catchable Error instead of throwing an unhandled TypeError and crashing the process

README.md

@@ -71,6 +71,39 @@ contentstackClient.stack({ api_key: 'API_KEY', management_token: 'MANAGEMENT_TOK
 	console.log(contenttype)
 })
 ```
+
+### Host and Region Configuration
+You can configure the SDK to use a specific region or custom host for API requests.
+
+#### Region
+The SDK supports multiple regions. Valid region values are: `NA`, `EU`, `AU`, `AZURE_NA`, `AZURE_EU`, `GCP_NA`, `GCP_EU`. The default region is `NA`.
+
+```javascript
+// Use EU region
+contentstackClient = contentstack.client({ 
+  authtoken: 'AUTHTOKEN',
+  region: 'EU' 
+})
+```
+
+#### Custom Host
+You can specify a custom host for API requests. If both `host` and `region` are provided, the `host` parameter takes priority.
+
+```javascript
+// Use custom host
+contentstackClient = contentstack.client({ 
+  authtoken: 'AUTHTOKEN',
+  host: 'api.contentstack.io' 
+})
+
+// Custom host takes priority over region
+contentstackClient = contentstack.client({ 
+  authtoken: 'AUTHTOKEN',
+  region: 'EU',
+  host: 'custom-api.example.com' 
+})
+```
+
 ### Contentstack Management JavaScript SDK: 5-minute Quickstart
 #### Initializing Your SDK:
 To use the JavaScript CMA SDK, you need to first initialize it. To do this, use the following code:
@@ -124,7 +157,7 @@ contentstackClient.stack({ api_key: 'API_KEY' }).asset().create({ asset })
 -   [Content Management API Docs](https://www.contentstack.com/docs/developers/apis/content-management-api)
 
 ### The MIT License (MIT)
-Copyright © 2012-2025  [Contentstack](https://www.contentstack.com/). All Rights Reserved
+Copyright © 2012-2026  [Contentstack](https://www.contentstack.com/). All Rights Reserved
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 

lib/core/concurrency-queue.js

@@ -404,16 +404,33 @@ export function ConcurrencyQueue ({ axios, config, plugins = [] }) {
         this.config.authtoken = token.authtoken
       }
     }).catch((error) => {
+      const apiError = this._last401ApiError
+      if (apiError) {
+        this._last401ApiError = null
+      }
       this.queue.forEach(queueItem => {
-        queueItem.reject({
-          errorCode: '401',
-          errorMessage: (error instanceof Error) ? error.message : error,
-          code: 'Unauthorized',
-          message: 'Unable to refresh token',
-          name: 'Token Error',
-          config: queueItem.request,
-          stack: (error instanceof Error) ? error.stack : null
-        })
+        if (apiError) {
+          queueItem.reject({
+            errorCode: apiError.error_code ?? '401',
+            errorMessage: apiError.error_message || apiError.message || ((error instanceof Error) ? error.message : String(error)),
+            code: 'Unauthorized',
+            message: apiError.error_message || apiError.message || 'Unable to refresh token',
+            name: 'Token Error',
+            config: queueItem.request,
+            stack: (error instanceof Error) ? error.stack : null,
+            response: { status: 401, statusText: 'Unauthorized', data: apiError }
+          })
+        } else {
+          queueItem.reject({
+            errorCode: '401',
+            errorMessage: (error instanceof Error) ? error.message : error,
+            code: 'Unauthorized',
+            message: 'Unable to refresh token',
+            name: 'Token Error',
+            config: queueItem.request,
+            stack: (error instanceof Error) ? error.stack : null
+          })
+        }
       })
       this.queue = []
       this.running = []
@@ -515,9 +532,11 @@ export function ConcurrencyQueue ({ axios, config, plugins = [] }) {
         return Promise.reject(responseHandler(err))
       }
     } else if ((response.status === 401 && this.config.refreshToken)) {
-      // If error_code is 294 (2FA required), don't retry/refresh - pass through the error as-is
+      // Retry/refresh only for authentication-related 401s (e.g. token expiry). Do not retry
+      // when the API returns a specific error_code for non-auth issues (2FA, permission, etc.).
       const apiErrorCode = response.data?.error_code
-      if (apiErrorCode === 294) {
+      const NON_AUTH_401_ERROR_CODES = new Set([294, 161]) // 294 = 2FA required, 161 = env/permission
+      if (apiErrorCode !== undefined && apiErrorCode !== null && NON_AUTH_401_ERROR_CODES.has(apiErrorCode)) {
         const err = runPluginOnResponseForError(error)
         return Promise.reject(responseHandler(err))
       }
@@ -530,6 +549,8 @@ export function ConcurrencyQueue ({ axios, config, plugins = [] }) {
         return Promise.reject(responseHandler(err))
       }
       this.running.shift()
+      // Store original API error so we can return it if refresh fails (instead of generic message)
+      this._last401ApiError = response.data
       // Cool down the running requests
       delay(wait, response.status === 401)
       error.config.retryCount = networkError