@aaronsb/kg-cli 0.6.1

package/dist/lib/auth/device-flow.d.ts

@@ -0,0 +1,75 @@
+/**
+ * OAuth Device Authorization Grant Flow (ADR-054)
+ *
+ * Implements RFC 8628 Device Authorization Grant for CLI authentication.
+ *
+ * Flow:
+ * 1. Request device and user codes from server
+ * 2. Display user_code to user with verification URL
+ * 3. Poll token endpoint until user authorizes (or timeout/denial)
+ * 4. Store access and refresh tokens
+ *
+ * Usage:
+ *   const flow = new DeviceAuthFlow(apiUrl, clientId);
+ *   const codes = await flow.requestDeviceCode();
+ *   console.log(`Go to ${codes.verification_uri} and enter: ${codes.user_code}`);
+ *   const tokens = await flow.pollForToken(codes.device_code, codes.interval);
+ */
+import type { DeviceAuthorizationResponse, OAuthTokenInfo } from './oauth-types';
+export interface DeviceFlowCallbacks {
+    onDeviceCodeReceived?: (codes: DeviceAuthorizationResponse) => void;
+    onPollStart?: () => void;
+    onPollTick?: (attempt: number) => void;
+    onAuthorizationPending?: () => void;
+    onSlowDown?: () => void;
+    onSuccess?: (tokenInfo: OAuthTokenInfo) => void;
+    onError?: (error: Error) => void;
+}
+export declare class DeviceAuthFlow {
+    private client;
+    private clientId;
+    constructor(apiUrl: string, clientId?: string);
+    /**
+     * Step 1: Request device and user codes from the authorization server
+     *
+     * POST /auth/oauth/device
+     * Body: client_id=kg-cli&scope=read:* write:*
+     *
+     * Returns codes and verification URL for the user
+     */
+    requestDeviceCode(scope?: string): Promise<DeviceAuthorizationResponse>;
+    /**
+     * Step 2: Poll token endpoint until user authorizes
+     *
+     * POST /auth/oauth/token
+     * Body: grant_type=urn:ietf:params:oauth:grant-type:device_code&device_code=<code>&client_id=kg-cli
+     *
+     * Polls every `interval` seconds until:
+     * - User authorizes (returns tokens)
+     * - User denies (throws error)
+     * - Device code expires (throws error)
+     * - Timeout reached (throws error)
+     *
+     * @param deviceCode - Device code from requestDeviceCode()
+     * @param interval - Polling interval in seconds (from requestDeviceCode())
+     * @param maxAttempts - Maximum number of poll attempts (default: 120 = 10 minutes at 5s interval)
+     * @param callbacks - Optional callbacks for progress tracking
+     * @returns OAuth token information
+     */
+    pollForToken(deviceCode: string, interval?: number, maxAttempts?: number, callbacks?: DeviceFlowCallbacks): Promise<OAuthTokenInfo>;
+    /**
+     * Complete device flow: request codes and poll for token
+     *
+     * Convenience method that combines requestDeviceCode() and pollForToken()
+     *
+     * @param scope - OAuth scopes to request
+     * @param callbacks - Optional callbacks for progress tracking
+     * @returns OAuth token information
+     */
+    authenticate(scope?: string, callbacks?: DeviceFlowCallbacks): Promise<OAuthTokenInfo>;
+    /**
+     * Sleep utility for polling
+     */
+    private sleep;
+}
+//# sourceMappingURL=device-flow.d.ts.map

package/dist/lib/auth/device-flow.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-flow.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/device-flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAGH,OAAO,KAAK,EACV,2BAA2B,EAE3B,cAAc,EAEf,MAAM,eAAe,CAAC;AAGvB,MAAM,WAAW,mBAAmB;IAClC,oBAAoB,CAAC,EAAE,CAAC,KAAK,EAAE,2BAA2B,KAAK,IAAI,CAAC;IACpE,WAAW,CAAC,EAAE,MAAM,IAAI,CAAC;IACzB,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IACvC,sBAAsB,CAAC,EAAE,MAAM,IAAI,CAAC;IACpC,UAAU,CAAC,EAAE,MAAM,IAAI,CAAC;IACxB,SAAS,CAAC,EAAE,CAAC,SAAS,EAAE,cAAc,KAAK,IAAI,CAAC;IAChD,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;CAClC;AAED,qBAAa,cAAc;IACzB,OAAO,CAAC,MAAM,CAAgB;IAC9B,OAAO,CAAC,QAAQ,CAAS;gBAEb,MAAM,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAiB;IAWvD;;;;;;;OAOG;IACG,iBAAiB,CAAC,KAAK,GAAE,MAAyB,GAAG,OAAO,CAAC,2BAA2B,CAAC;IAyB/F;;;;;;;;;;;;;;;;;OAiBG;IACG,YAAY,CAChB,UAAU,EAAE,MAAM,EAClB,QAAQ,GAAE,MAAU,EACpB,WAAW,GAAE,MAAY,EACzB,SAAS,CAAC,EAAE,mBAAmB,GAC9B,OAAO,CAAC,cAAc,CAAC;IA+E1B;;;;;;;;OAQG;IACG,YAAY,CAAC,KAAK,GAAE,MAAyB,EAAE,SAAS,CAAC,EAAE,mBAAmB,GAAG,OAAO,CAAC,cAAc,CAAC;IAS9G;;OAEG;IACH,OAAO,CAAC,KAAK;CAGd"}

package/dist/lib/auth/device-flow.js

@@ -0,0 +1,177 @@
+"use strict";
+/**
+ * OAuth Device Authorization Grant Flow (ADR-054)
+ *
+ * Implements RFC 8628 Device Authorization Grant for CLI authentication.
+ *
+ * Flow:
+ * 1. Request device and user codes from server
+ * 2. Display user_code to user with verification URL
+ * 3. Poll token endpoint until user authorizes (or timeout/denial)
+ * 4. Store access and refresh tokens
+ *
+ * Usage:
+ *   const flow = new DeviceAuthFlow(apiUrl, clientId);
+ *   const codes = await flow.requestDeviceCode();
+ *   console.log(`Go to ${codes.verification_uri} and enter: ${codes.user_code}`);
+ *   const tokens = await flow.pollForToken(codes.device_code, codes.interval);
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DeviceAuthFlow = void 0;
+const axios_1 = __importDefault(require("axios"));
+const oauth_utils_1 = require("./oauth-utils");
+class DeviceAuthFlow {
+    constructor(apiUrl, clientId = 'kg-cli') {
+        this.clientId = clientId;
+        this.client = axios_1.default.create({
+            baseURL: apiUrl,
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+            },
+            timeout: 10000, // 10 seconds for API calls
+        });
+    }
+    /**
+     * Step 1: Request device and user codes from the authorization server
+     *
+     * POST /auth/oauth/device
+     * Body: client_id=kg-cli&scope=read:* write:*
+     *
+     * Returns codes and verification URL for the user
+     */
+    async requestDeviceCode(scope = 'read:* write:*') {
+        try {
+            const params = new URLSearchParams({
+                client_id: this.clientId,
+                scope: scope,
+            });
+            const response = await this.client.post('/auth/oauth/device', params.toString());
+            return response.data;
+        }
+        catch (error) {
+            if (axios_1.default.isAxiosError(error)) {
+                const axiosError = error;
+                const errorMessage = axiosError.response?.data?.error_description ||
+                    axiosError.response?.data?.error ||
+                    axiosError.message;
+                throw new Error(`Failed to request device code: ${errorMessage}`);
+            }
+            throw error;
+        }
+    }
+    /**
+     * Step 2: Poll token endpoint until user authorizes
+     *
+     * POST /auth/oauth/token
+     * Body: grant_type=urn:ietf:params:oauth:grant-type:device_code&device_code=<code>&client_id=kg-cli
+     *
+     * Polls every `interval` seconds until:
+     * - User authorizes (returns tokens)
+     * - User denies (throws error)
+     * - Device code expires (throws error)
+     * - Timeout reached (throws error)
+     *
+     * @param deviceCode - Device code from requestDeviceCode()
+     * @param interval - Polling interval in seconds (from requestDeviceCode())
+     * @param maxAttempts - Maximum number of poll attempts (default: 120 = 10 minutes at 5s interval)
+     * @param callbacks - Optional callbacks for progress tracking
+     * @returns OAuth token information
+     */
+    async pollForToken(deviceCode, interval = 5, maxAttempts = 120, callbacks) {
+        callbacks?.onPollStart?.();
+        let attempt = 0;
+        let currentInterval = interval * 1000; // Convert to milliseconds
+        while (attempt < maxAttempts) {
+            attempt++;
+            callbacks?.onPollTick?.(attempt);
+            try {
+                // Wait before polling (except first attempt)
+                if (attempt > 1) {
+                    await this.sleep(currentInterval);
+                }
+                const params = new URLSearchParams({
+                    grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+                    device_code: deviceCode,
+                    client_id: this.clientId,
+                });
+                const response = await this.client.post('/auth/oauth/token', params.toString());
+                // Success! User authorized
+                const tokenInfo = (0, oauth_utils_1.convertTokenResponse)(response.data, this.clientId);
+                callbacks?.onSuccess?.(tokenInfo);
+                return tokenInfo;
+            }
+            catch (error) {
+                if (axios_1.default.isAxiosError(error)) {
+                    const axiosError = error;
+                    const errorCode = axiosError.response?.data?.error;
+                    const errorDescription = axiosError.response?.data?.error_description;
+                    // Handle OAuth error responses
+                    if (errorCode === 'authorization_pending') {
+                        // User hasn't completed authorization yet - continue polling
+                        callbacks?.onAuthorizationPending?.();
+                        continue;
+                    }
+                    else if (errorCode === 'slow_down') {
+                        // Server requested slower polling - increase interval by 5 seconds
+                        currentInterval += 5000;
+                        callbacks?.onSlowDown?.();
+                        continue;
+                    }
+                    else if (errorCode === 'access_denied') {
+                        // User explicitly denied authorization
+                        const err = new Error('User denied authorization');
+                        callbacks?.onError?.(err);
+                        throw err;
+                    }
+                    else if (errorCode === 'expired_token' || errorDescription?.includes('expired')) {
+                        // Device code expired
+                        const err = new Error('Device code expired. Please try again.');
+                        callbacks?.onError?.(err);
+                        throw err;
+                    }
+                    else {
+                        // Other OAuth error
+                        const err = new Error(`OAuth error: ${errorDescription || errorCode || axiosError.message}`);
+                        callbacks?.onError?.(err);
+                        throw err;
+                    }
+                }
+                // Non-axios error
+                const err = error instanceof Error ? error : new Error('Unknown error during polling');
+                callbacks?.onError?.(err);
+                throw err;
+            }
+        }
+        // Max attempts reached
+        const err = new Error('Polling timeout: User did not authorize within the expected time');
+        callbacks?.onError?.(err);
+        throw err;
+    }
+    /**
+     * Complete device flow: request codes and poll for token
+     *
+     * Convenience method that combines requestDeviceCode() and pollForToken()
+     *
+     * @param scope - OAuth scopes to request
+     * @param callbacks - Optional callbacks for progress tracking
+     * @returns OAuth token information
+     */
+    async authenticate(scope = 'read:* write:*', callbacks) {
+        // Step 1: Get device and user codes
+        const codes = await this.requestDeviceCode(scope);
+        callbacks?.onDeviceCodeReceived?.(codes);
+        // Step 2: Poll for token
+        return await this.pollForToken(codes.device_code, codes.interval, undefined, callbacks);
+    }
+    /**
+     * Sleep utility for polling
+     */
+    sleep(ms) {
+        return new Promise(resolve => setTimeout(resolve, ms));
+    }
+}
+exports.DeviceAuthFlow = DeviceAuthFlow;
+//# sourceMappingURL=device-flow.js.map

package/dist/lib/auth/device-flow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-flow.js","sourceRoot":"","sources":["../../../src/lib/auth/device-flow.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;GAgBG;;;;;;AAEH,kDAAyD;AAOzD,+CAAqD;AAYrD,MAAa,cAAc;IAIzB,YAAY,MAAc,EAAE,WAAmB,QAAQ;QACrD,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,MAAM,GAAG,eAAK,CAAC,MAAM,CAAC;YACzB,OAAO,EAAE,MAAM;YACf,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;aACpD;YACD,OAAO,EAAE,KAAK,EAAG,2BAA2B;SAC7C,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,iBAAiB,CAAC,QAAgB,gBAAgB;QACtD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;gBACjC,SAAS,EAAE,IAAI,CAAC,QAAQ;gBACxB,KAAK,EAAE,KAAK;aACb,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CACrC,oBAAoB,EACpB,MAAM,CAAC,QAAQ,EAAE,CAClB,CAAC;YAEF,OAAO,QAAQ,CAAC,IAAI,CAAC;QACvB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,eAAK,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC9B,MAAM,UAAU,GAAG,KAAuC,CAAC;gBAC3D,MAAM,YAAY,GAAG,UAAU,CAAC,QAAQ,EAAE,IAAI,EAAE,iBAAiB;oBAC7C,UAAU,CAAC,QAAQ,EAAE,IAAI,EAAE,KAAK;oBAChC,UAAU,CAAC,OAAO,CAAC;gBACvC,MAAM,IAAI,KAAK,CAAC,kCAAkC,YAAY,EAAE,CAAC,CAAC;YACpE,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;;;;;;;;;;;;;;OAiBG;IACH,KAAK,CAAC,YAAY,CAChB,UAAkB,EAClB,WAAmB,CAAC,EACpB,cAAsB,GAAG,EACzB,SAA+B;QAE/B,SAAS,EAAE,WAAW,EAAE,EAAE,CAAC;QAE3B,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,IAAI,eAAe,GAAG,QAAQ,GAAG,IAAI,CAAC,CAAE,0BAA0B;QAElE,OAAO,OAAO,GAAG,WAAW,EAAE,CAAC;YAC7B,OAAO,EAAE,CAAC;YACV,SAAS,EAAE,UAAU,EAAE,CAAC,OAAO,CAAC,CAAC;YAEjC,IAAI,CAAC;gBACH,6CAA6C;gBAC7C,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;oBAChB,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;gBACpC,CAAC;gBAED,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;oBACjC,UAAU,EAAE,8CAA8C;oBAC1D,WAAW,EAAE,UAAU;oBACvB,SAAS,EAAE,IAAI,CAAC,QAAQ;iBACzB,CAAC,CAAC;gBAEH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CACrC,mBAAmB,EACnB,MAAM,CAAC,QAAQ,EAAE,CAClB,CAAC;gBAEF,2BAA2B;gBAC3B,MAAM,SAAS,GAAG,IAAA,kCAAoB,EAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACrE,SAAS,EAAE,SAAS,EAAE,CAAC,SAAS,CAAC,CAAC;gBAClC,OAAO,SAAS,CAAC;YAEnB,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,eAAK,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC9B,MAAM,UAAU,GAAG,KAAuC,CAAC;oBAC3D,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,EAAE,IAAI,EAAE,KAAK,CAAC;oBACnD,MAAM,gBAAgB,GAAG,UAAU,CAAC,QAAQ,EAAE,IAAI,EAAE,iBAAiB,CAAC;oBAEtE,+BAA+B;oBAC/B,IAAI,SAAS,KAAK,uBAAuB,EAAE,CAAC;wBAC1C,6DAA6D;wBAC7D,SAAS,EAAE,sBAAsB,EAAE,EAAE,CAAC;wBACtC,SAAS;oBACX,CAAC;yBAAM,IAAI,SAAS,KAAK,WAAW,EAAE,CAAC;wBACrC,mEAAmE;wBACnE,eAAe,IAAI,IAAI,CAAC;wBACxB,SAAS,EAAE,UAAU,EAAE,EAAE,CAAC;wBAC1B,SAAS;oBACX,CAAC;yBAAM,IAAI,SAAS,KAAK,eAAe,EAAE,CAAC;wBACzC,uCAAuC;wBACvC,MAAM,GAAG,GAAG,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;wBACnD,SAAS,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,CAAC;wBAC1B,MAAM,GAAG,CAAC;oBACZ,CAAC;yBAAM,IAAI,SAAS,KAAK,eAAe,IAAI,gBAAgB,EAAE,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;wBAClF,sBAAsB;wBACtB,MAAM,GAAG,GAAG,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;wBAChE,SAAS,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,CAAC;wBAC1B,MAAM,GAAG,CAAC;oBACZ,CAAC;yBAAM,CAAC;wBACN,oBAAoB;wBACpB,MAAM,GAAG,GAAG,IAAI,KAAK,CAAC,gBAAgB,gBAAgB,IAAI,SAAS,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC;wBAC7F,SAAS,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,CAAC;wBAC1B,MAAM,GAAG,CAAC;oBACZ,CAAC;gBACH,CAAC;gBAED,kBAAkB;gBAClB,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;gBACvF,SAAS,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,CAAC;gBAC1B,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;QAED,uBAAuB;QACvB,MAAM,GAAG,GAAG,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;QAC1F,SAAS,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,CAAC;QAC1B,MAAM,GAAG,CAAC;IACZ,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,YAAY,CAAC,QAAgB,gBAAgB,EAAE,SAA+B;QAClF,oCAAoC;QACpC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;QAClD,SAAS,EAAE,oBAAoB,EAAE,CAAC,KAAK,CAAC,CAAC;QAEzC,yBAAyB;QACzB,OAAO,MAAM,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,CAAC,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;IAC1F,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,EAAU;QACtB,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;IACzD,CAAC;CACF;AA9KD,wCA8KC"}

package/dist/lib/auth/index.d.ts

@@ -0,0 +1,14 @@
+/**
+ * OAuth 2.0 Authentication Library (ADR-054)
+ *
+ * Exports all OAuth utilities for CLI and MCP authentication
+ */
+export * from './oauth-types';
+export * from './oauth-utils';
+export * from './device-flow';
+export * from './client-credentials-flow';
+export * from './token-refresh';
+export * from './auth-client';
+export * from './challenge';
+export * from './token-manager';
+//# sourceMappingURL=index.d.ts.map

package/dist/lib/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,cAAc,eAAe,CAAC;AAG9B,cAAc,eAAe,CAAC;AAG9B,cAAc,eAAe,CAAC;AAC9B,cAAc,2BAA2B,CAAC;AAC1C,cAAc,iBAAiB,CAAC;AAGhC,cAAc,eAAe,CAAC;AAC9B,cAAc,aAAa,CAAC;AAC5B,cAAc,iBAAiB,CAAC"}

package/dist/lib/auth/index.js

@@ -0,0 +1,34 @@
+"use strict";
+/**
+ * OAuth 2.0 Authentication Library (ADR-054)
+ *
+ * Exports all OAuth utilities for CLI and MCP authentication
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+// Types
+__exportStar(require("./oauth-types"), exports);
+// Utilities
+__exportStar(require("./oauth-utils"), exports);
+// Flow implementations
+__exportStar(require("./device-flow"), exports);
+__exportStar(require("./client-credentials-flow"), exports);
+__exportStar(require("./token-refresh"), exports);
+// Legacy exports (keeping for backward compatibility during migration)
+__exportStar(require("./auth-client"), exports);
+__exportStar(require("./challenge"), exports);
+__exportStar(require("./token-manager"), exports);
+//# sourceMappingURL=index.js.map

package/dist/lib/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/lib/auth/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;;;;;;;;;;;;;;AAEH,QAAQ;AACR,gDAA8B;AAE9B,YAAY;AACZ,gDAA8B;AAE9B,uBAAuB;AACvB,gDAA8B;AAC9B,4DAA0C;AAC1C,kDAAgC;AAEhC,uEAAuE;AACvE,gDAA8B;AAC9B,8CAA4B;AAC5B,kDAAgC"}

package/dist/lib/auth/oauth-types.d.ts

@@ -0,0 +1,69 @@
+/**
+ * OAuth 2.0 Type Definitions (ADR-054)
+ *
+ * Shared types for OAuth client flows:
+ * - Device Authorization Grant (CLI)
+ * - Client Credentials (MCP)
+ */
+/**
+ * OAuth token response from token endpoint
+ */
+export interface OAuthTokenResponse {
+    access_token: string;
+    token_type: string;
+    expires_in: number;
+    refresh_token?: string;
+    scope: string;
+}
+/**
+ * Device authorization response (RFC 8628)
+ */
+export interface DeviceAuthorizationResponse {
+    device_code: string;
+    user_code: string;
+    verification_uri: string;
+    verification_uri_complete?: string;
+    expires_in: number;
+    interval: number;
+}
+/**
+ * Device code status
+ */
+export interface DeviceCodeStatus {
+    status: 'pending' | 'authorized' | 'denied' | 'expired';
+    user_code: string;
+    expires_at: string;
+}
+/**
+ * OAuth error response (RFC 6749)
+ */
+export interface OAuthErrorResponse {
+    error: string;
+    error_description?: string;
+    error_uri?: string;
+}
+/**
+ * Stored OAuth token information
+ */
+export interface OAuthTokenInfo {
+    access_token: string;
+    token_type: string;
+    expires_at: number;
+    refresh_token?: string;
+    scope: string;
+    client_id: string;
+}
+/**
+ * OAuth grant types
+ */
+export type OAuthGrantType = 'authorization_code' | 'urn:ietf:params:oauth:grant-type:device_code' | 'client_credentials' | 'refresh_token';
+/**
+ * OAuth client configuration
+ */
+export interface OAuthClientConfig {
+    client_id: string;
+    client_secret?: string;
+    grant_types: OAuthGrantType[];
+    api_url: string;
+}
+//# sourceMappingURL=oauth-types.d.ts.map

package/dist/lib/auth/oauth-types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-types.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/oauth-types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC1C,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,EAAE,MAAM,CAAC;IACzB,yBAAyB,CAAC,EAAE,MAAM,CAAC;IACnC,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,SAAS,GAAG,YAAY,GAAG,QAAQ,GAAG,SAAS,CAAC;IACxD,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,MAAM,cAAc,GACtB,oBAAoB,GACpB,8CAA8C,GAC9C,oBAAoB,GACpB,eAAe,CAAC;AAEpB;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,cAAc,EAAE,CAAC;IAC9B,OAAO,EAAE,MAAM,CAAC;CACjB"}

package/dist/lib/auth/oauth-types.js

@@ -0,0 +1,10 @@
+"use strict";
+/**
+ * OAuth 2.0 Type Definitions (ADR-054)
+ *
+ * Shared types for OAuth client flows:
+ * - Device Authorization Grant (CLI)
+ * - Client Credentials (MCP)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=oauth-types.js.map

package/dist/lib/auth/oauth-types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-types.js","sourceRoot":"","sources":["../../../src/lib/auth/oauth-types.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG"}

package/dist/lib/auth/oauth-utils.d.ts

@@ -0,0 +1,51 @@
+/**
+ * OAuth 2.0 Utility Functions (ADR-054)
+ *
+ * Shared utilities for OAuth token management
+ */
+import { OAuthTokenInfo, OAuthTokenResponse } from './oauth-types';
+/**
+ * Check if an OAuth token is expired or about to expire
+ *
+ * @param tokenInfo - Token information with expires_at timestamp
+ * @param bufferSeconds - How many seconds before expiry to consider token expired (default: 60)
+ * @returns true if token is expired or will expire within buffer period
+ */
+export declare function isTokenExpired(tokenInfo: OAuthTokenInfo | null, bufferSeconds?: number): boolean;
+/**
+ * Convert OAuth token response to storable token info
+ *
+ * @param response - Token response from API
+ * @param clientId - OAuth client ID
+ * @returns Token info object ready for storage
+ */
+export declare function convertTokenResponse(response: OAuthTokenResponse, clientId: string): OAuthTokenInfo;
+/**
+ * Get time until token expires
+ *
+ * @param tokenInfo - Token information
+ * @returns Seconds until expiration, or 0 if already expired
+ */
+export declare function getTimeUntilExpiry(tokenInfo: OAuthTokenInfo | null): number;
+/**
+ * Format expiry time as human-readable string
+ *
+ * @param tokenInfo - Token information
+ * @returns Human-readable expiry time (e.g., "in 45 minutes")
+ */
+export declare function formatExpiryTime(tokenInfo: OAuthTokenInfo | null): string;
+/**
+ * Parse scope string into array
+ *
+ * @param scope - Space-separated scope string
+ * @returns Array of individual scopes
+ */
+export declare function parseScopes(scope: string): string[];
+/**
+ * Format scope array as space-separated string
+ *
+ * @param scopes - Array of scopes
+ * @returns Space-separated scope string
+ */
+export declare function formatScopes(scopes: string[]): string;
+//# sourceMappingURL=oauth-utils.d.ts.map

package/dist/lib/auth/oauth-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-utils.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/oauth-utils.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAEnE;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,SAAS,EAAE,cAAc,GAAG,IAAI,EAAE,aAAa,GAAE,MAAW,GAAG,OAAO,CASpG;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,kBAAkB,EAAE,QAAQ,EAAE,MAAM,GAAG,cAAc,CAWnG;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,cAAc,GAAG,IAAI,GAAG,MAAM,CAS3E;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,cAAc,GAAG,IAAI,GAAG,MAAM,CA2BzE;AAED;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,EAAE,CAKnD;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,CAErD"}

package/dist/lib/auth/oauth-utils.js

@@ -0,0 +1,110 @@
+"use strict";
+/**
+ * OAuth 2.0 Utility Functions (ADR-054)
+ *
+ * Shared utilities for OAuth token management
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isTokenExpired = isTokenExpired;
+exports.convertTokenResponse = convertTokenResponse;
+exports.getTimeUntilExpiry = getTimeUntilExpiry;
+exports.formatExpiryTime = formatExpiryTime;
+exports.parseScopes = parseScopes;
+exports.formatScopes = formatScopes;
+/**
+ * Check if an OAuth token is expired or about to expire
+ *
+ * @param tokenInfo - Token information with expires_at timestamp
+ * @param bufferSeconds - How many seconds before expiry to consider token expired (default: 60)
+ * @returns true if token is expired or will expire within buffer period
+ */
+function isTokenExpired(tokenInfo, bufferSeconds = 60) {
+    if (!tokenInfo) {
+        return true;
+    }
+    const now = Math.floor(Date.now() / 1000); // Current time in seconds
+    const expiresWithBuffer = tokenInfo.expires_at - bufferSeconds;
+    return now >= expiresWithBuffer;
+}
+/**
+ * Convert OAuth token response to storable token info
+ *
+ * @param response - Token response from API
+ * @param clientId - OAuth client ID
+ * @returns Token info object ready for storage
+ */
+function convertTokenResponse(response, clientId) {
+    const now = Math.floor(Date.now() / 1000);
+    return {
+        access_token: response.access_token,
+        token_type: response.token_type,
+        expires_at: now + response.expires_in,
+        refresh_token: response.refresh_token,
+        scope: response.scope,
+        client_id: clientId,
+    };
+}
+/**
+ * Get time until token expires
+ *
+ * @param tokenInfo - Token information
+ * @returns Seconds until expiration, or 0 if already expired
+ */
+function getTimeUntilExpiry(tokenInfo) {
+    if (!tokenInfo) {
+        return 0;
+    }
+    const now = Math.floor(Date.now() / 1000);
+    const remaining = tokenInfo.expires_at - now;
+    return Math.max(0, remaining);
+}
+/**
+ * Format expiry time as human-readable string
+ *
+ * @param tokenInfo - Token information
+ * @returns Human-readable expiry time (e.g., "in 45 minutes")
+ */
+function formatExpiryTime(tokenInfo) {
+    if (!tokenInfo) {
+        return 'expired';
+    }
+    const seconds = getTimeUntilExpiry(tokenInfo);
+    if (seconds === 0) {
+        return 'expired';
+    }
+    if (seconds < 60) {
+        return `in ${seconds} second${seconds !== 1 ? 's' : ''}`;
+    }
+    const minutes = Math.floor(seconds / 60);
+    if (minutes < 60) {
+        return `in ${minutes} minute${minutes !== 1 ? 's' : ''}`;
+    }
+    const hours = Math.floor(minutes / 60);
+    if (hours < 24) {
+        return `in ${hours} hour${hours !== 1 ? 's' : ''}`;
+    }
+    const days = Math.floor(hours / 24);
+    return `in ${days} day${days !== 1 ? 's' : ''}`;
+}
+/**
+ * Parse scope string into array
+ *
+ * @param scope - Space-separated scope string
+ * @returns Array of individual scopes
+ */
+function parseScopes(scope) {
+    if (!scope) {
+        return [];
+    }
+    return scope.trim().split(/\s+/);
+}
+/**
+ * Format scope array as space-separated string
+ *
+ * @param scopes - Array of scopes
+ * @returns Space-separated scope string
+ */
+function formatScopes(scopes) {
+    return scopes.join(' ');
+}
+//# sourceMappingURL=oauth-utils.js.map

package/dist/lib/auth/oauth-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-utils.js","sourceRoot":"","sources":["../../../src/lib/auth/oauth-utils.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;AAWH,wCASC;AASD,oDAWC;AAQD,gDASC;AAQD,4CA2BC;AAQD,kCAKC;AAQD,oCAEC;AA/GD;;;;;;GAMG;AACH,SAAgB,cAAc,CAAC,SAAgC,EAAE,gBAAwB,EAAE;IACzF,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,CAAE,0BAA0B;IACtE,MAAM,iBAAiB,GAAG,SAAS,CAAC,UAAU,GAAG,aAAa,CAAC;IAE/D,OAAO,GAAG,IAAI,iBAAiB,CAAC;AAClC,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,oBAAoB,CAAC,QAA4B,EAAE,QAAgB;IACjF,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAE1C,OAAO;QACL,YAAY,EAAE,QAAQ,CAAC,YAAY;QACnC,UAAU,EAAE,QAAQ,CAAC,UAAU;QAC/B,UAAU,EAAE,GAAG,GAAG,QAAQ,CAAC,UAAU;QACrC,aAAa,EAAE,QAAQ,CAAC,aAAa;QACrC,KAAK,EAAE,QAAQ,CAAC,KAAK;QACrB,SAAS,EAAE,QAAQ;KACpB,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAgB,kBAAkB,CAAC,SAAgC;IACjE,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,CAAC,CAAC;IACX,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,SAAS,CAAC,UAAU,GAAG,GAAG,CAAC;IAE7C,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;AAChC,CAAC;AAED;;;;;GAKG;AACH,SAAgB,gBAAgB,CAAC,SAAgC;IAC/D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,OAAO,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAC;IAE9C,IAAI,OAAO,KAAK,CAAC,EAAE,CAAC;QAClB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,IAAI,OAAO,GAAG,EAAE,EAAE,CAAC;QACjB,OAAO,MAAM,OAAO,UAAU,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IAC3D,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,EAAE,CAAC,CAAC;IACzC,IAAI,OAAO,GAAG,EAAE,EAAE,CAAC;QACjB,OAAO,MAAM,OAAO,UAAU,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IAC3D,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,EAAE,CAAC,CAAC;IACvC,IAAI,KAAK,GAAG,EAAE,EAAE,CAAC;QACf,OAAO,MAAM,KAAK,QAAQ,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IACrD,CAAC;IAED,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,EAAE,CAAC,CAAC;IACpC,OAAO,MAAM,IAAI,OAAO,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;AAClD,CAAC;AAED;;;;;GAKG;AACH,SAAgB,WAAW,CAAC,KAAa;IACvC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;AACnC,CAAC;AAED;;;;;GAKG;AACH,SAAgB,YAAY,CAAC,MAAgB;IAC3C,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC1B,CAAC"}

package/dist/lib/auth/token-manager.d.ts

@@ -0,0 +1,87 @@
+/**
+ * Token Manager
+ *
+ * Manages JWT token lifecycle: storage, retrieval, validation, expiration.
+ * Tokens are stored in the user's config file (~/.config/kg/config.json).
+ */
+import { ConfigManager } from '../config.js';
+export interface TokenInfo {
+    access_token: string;
+    token_type: string;
+    expires_at: number;
+    username: string;
+    role: string;
+}
+export declare class TokenManager {
+    private config;
+    constructor(config: ConfigManager);
+    /**
+     * Store JWT token with metadata
+     *
+     * @param tokenInfo Token information including access token, expiration, user details
+     */
+    storeToken(tokenInfo: TokenInfo): void;
+    /**
+     * Retrieve stored token (returns null if expired or not found)
+     *
+     * @returns Token information or null if not authenticated
+     */
+    getToken(): TokenInfo | null;
+    /**
+     * Check if token is expired (with 5-minute buffer for safety)
+     *
+     * @param tokenInfo Token information to check
+     * @returns true if token is expired or will expire within 5 minutes
+     */
+    isTokenExpired(tokenInfo: TokenInfo): boolean;
+    /**
+     * Clear stored token (logout)
+     */
+    clearToken(): void;
+    /**
+     * Check if user is logged in (valid token exists)
+     *
+     * @returns true if user has a valid, non-expired token
+     */
+    isLoggedIn(): boolean;
+    /**
+     * Get current username from token
+     *
+     * @returns Username or null if not logged in
+     */
+    getUsername(): string | null;
+    /**
+     * Get current user role from token
+     *
+     * @returns User role or null if not logged in
+     */
+    getRole(): string | null;
+    /**
+     * Get token expiration time as a human-readable string
+     *
+     * @returns Formatted expiration time or null if not logged in
+     */
+    getExpirationString(): string | null;
+    /**
+     * Get minutes until token expiration
+     *
+     * @returns Minutes until expiration or null if not logged in
+     */
+    getMinutesUntilExpiration(): number | null;
+    /**
+     * Create TokenInfo from login response
+     *
+     * @param loginResponse Response from /auth/login endpoint
+     * @returns TokenInfo object ready to be stored
+     */
+    static fromLoginResponse(loginResponse: {
+        access_token: string;
+        token_type: string;
+        expires_in: number;
+        user: {
+            username: string;
+            role: string;
+        };
+    }): TokenInfo;
+}
+//# sourceMappingURL=token-manager.d.ts.map