Improve user_id detection for analytics

[gonzaloriestra]

WHY are these changes introduced?

When you have a stored session, but you are also using a token (like SHOPIFY_APP_AUTOMATION_TOKEN), we are sending to monorail the saved user ID from the session, but that's not actually used.

See https://shopify.slack.com/archives/C0ASQECGH2Q/p1776243522246889?thread_ts=1776203153.988669&cid=C0ASQECGH2Q

WHAT is this pull request doing?

If a token is being used, send the user ID generated from that instead of the stored session.

How to test your changes?

• shopify app deploy --verbose
• SHOPIFY_APP_AUTOMATION_TOKEN=xxx shopify app deploy --verbose

Checklist

• I've considered possible cross-platform impacts (Mac, Linux, Windows)
• I've considered possible documentation changes
• I've considered analytics changes to measure impact
• The change is user-facing, so I've added a changelog entry with pnpm changeset add

[gonzaloriestra]

/snapit

[github-actions]

🫰✨ Thanks @gonzaloriestra! Your snapshot has been published to npm.

Test the snapshot by installing your package globally:

 i -g --@shopify:registry=https://registry.npmjs.org @shopify/cli@0.0.0-snapshot-20260416091104

Caution

After installing, validate the version by running shopify version in your terminal.
If the versions don't match, you might have multiple global instances installed.
Use which shopify to find out which one you are running and uninstall it.

[github-actions]

Differences in type declarations

We detected differences in the type declarations generated by Typescript for this branch compared to the baseline ('main' branch). Please, review them to ensure they are backward-compatible. Here are some important things to keep in mind:

• Some seemingly private modules might be re-exported through public modules.
• If the branch is behind main you might see odd diffs, rebase main into this branch.

New type declarations

We found no new type declarations in this PR

Existing type declarations

packages/cli-kit/dist/private/node/session.d.ts

@@ -63,14 +63,14 @@ export interface OAuthSession {
 }
 type AuthMethod = 'partners_token' | 'device_auth' | 'theme_access_token' | 'custom_app_token' | 'none';
 /**
- * Retrieves the user ID from the current session or returns 'unknown' if not found.
+ * Retrieves a stable user identifier for analytics, or  if none applies.
  *
- * This function performs the following steps:
- * 1. Checks for a cached user ID in memory (obtained in the current run).
- * 2. Attempts to fetch it from the local storage (from a previous auth session).
- * 3. Checks if a custom token was used (either as a theme password or partners token).
- * 4. If a custom token is present in the environment, generates a UUID and uses it as userId.
- * 5. If after all this we don't have a userId, then reports as 'unknown'.
+ * Evaluation order:
+ * 1. If an app automation token or theme token is used, returns a deterministic UUID
+ *    derived from that secret.
+ * 2. Otherwise, if  was called (e.g. after OAuth), returns that value.
+ * 3. Otherwise, if a persisted CLI session id is available, returns it.
+ * 4. Otherwise returns .
  *
  * @returns A Promise that resolves to the user ID as a string.
  */