@apitap/core 1.0.0

package/dist/auth/crypto.d.ts

@@ -0,0 +1,31 @@
+export interface EncryptedData {
+    salt: string;
+    iv: string;
+    ciphertext: string;
+    tag: string;
+}
+/**
+ * Derive a 256-bit key from a machine identifier using PBKDF2.
+ * Uses a fixed application salt — the entropy comes from the machine ID
+ * being stretched through 100K iterations.
+ */
+export declare function deriveKey(machineId: string): Buffer;
+/**
+ * Encrypt plaintext using AES-256-GCM.
+ * Each call generates a random IV for semantic security.
+ */
+export declare function encrypt(plaintext: string, key: Buffer): EncryptedData;
+/**
+ * Decrypt ciphertext using AES-256-GCM.
+ * Throws if key is wrong or data was tampered with.
+ */
+export declare function decrypt(data: EncryptedData, key: Buffer): string;
+/**
+ * Create an HMAC-SHA256 signature.
+ * Returns a prefixed string: "hmac-sha256:<hex>"
+ */
+export declare function hmacSign(data: string, key: Buffer): string;
+/**
+ * Verify an HMAC-SHA256 signature using timing-safe comparison.
+ */
+export declare function hmacVerify(data: string, signature: string, key: Buffer): boolean;

package/dist/auth/crypto.js

@@ -0,0 +1,66 @@
+// src/auth/crypto.ts
+import { createCipheriv, createDecipheriv, randomBytes, pbkdf2Sync, createHmac, timingSafeEqual, } from 'node:crypto';
+const ALGORITHM = 'aes-256-gcm';
+const KEY_LENGTH = 32; // 256 bits
+const IV_LENGTH = 16;
+const PBKDF2_ITERATIONS = 100_000;
+const PBKDF2_SALT = 'apitap-v0.2-key-derivation';
+/**
+ * Derive a 256-bit key from a machine identifier using PBKDF2.
+ * Uses a fixed application salt — the entropy comes from the machine ID
+ * being stretched through 100K iterations.
+ */
+export function deriveKey(machineId) {
+    return pbkdf2Sync(machineId, PBKDF2_SALT, PBKDF2_ITERATIONS, KEY_LENGTH, 'sha512');
+}
+/**
+ * Encrypt plaintext using AES-256-GCM.
+ * Each call generates a random IV for semantic security.
+ */
+export function encrypt(plaintext, key) {
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv(ALGORITHM, key, iv);
+    let ciphertext = cipher.update(plaintext, 'utf8', 'hex');
+    ciphertext += cipher.final('hex');
+    const tag = cipher.getAuthTag();
+    return {
+        salt: PBKDF2_SALT,
+        iv: iv.toString('hex'),
+        ciphertext,
+        tag: tag.toString('hex'),
+    };
+}
+/**
+ * Decrypt ciphertext using AES-256-GCM.
+ * Throws if key is wrong or data was tampered with.
+ */
+export function decrypt(data, key) {
+    const decipher = createDecipheriv(ALGORITHM, key, Buffer.from(data.iv, 'hex'));
+    decipher.setAuthTag(Buffer.from(data.tag, 'hex'));
+    let plaintext = decipher.update(data.ciphertext, 'hex', 'utf8');
+    plaintext += decipher.final('utf8');
+    return plaintext;
+}
+/**
+ * Create an HMAC-SHA256 signature.
+ * Returns a prefixed string: "hmac-sha256:<hex>"
+ */
+export function hmacSign(data, key) {
+    const hmac = createHmac('sha256', key);
+    hmac.update(data);
+    return `hmac-sha256:${hmac.digest('hex')}`;
+}
+/**
+ * Verify an HMAC-SHA256 signature using timing-safe comparison.
+ */
+export function hmacVerify(data, signature, key) {
+    if (!signature.startsWith('hmac-sha256:'))
+        return false;
+    const expected = hmacSign(data, key);
+    const sigBuf = Buffer.from(signature);
+    const expBuf = Buffer.from(expected);
+    if (sigBuf.length !== expBuf.length)
+        return false;
+    return timingSafeEqual(sigBuf, expBuf);
+}
+//# sourceMappingURL=crypto.js.map

package/dist/auth/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/auth/crypto.ts"],"names":[],"mappings":"AAAA,qBAAqB;AACrB,OAAO,EACL,cAAc,EACd,gBAAgB,EAChB,WAAW,EACX,UAAU,EACV,UAAU,EACV,eAAe,GAChB,MAAM,aAAa,CAAC;AAErB,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,UAAU,GAAG,EAAE,CAAC,CAAC,WAAW;AAClC,MAAM,SAAS,GAAG,EAAE,CAAC;AACrB,MAAM,iBAAiB,GAAG,OAAO,CAAC;AAClC,MAAM,WAAW,GAAG,4BAA4B,CAAC;AASjD;;;;GAIG;AACH,MAAM,UAAU,SAAS,CAAC,SAAiB;IACzC,OAAO,UAAU,CAAC,SAAS,EAAE,WAAW,EAAE,iBAAiB,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;AACrF,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,OAAO,CAAC,SAAiB,EAAE,GAAW;IACpD,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAElD,IAAI,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IACzD,UAAU,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAClC,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAEhC,OAAO;QACL,IAAI,EAAE,WAAW;QACjB,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC;QACtB,UAAU;QACV,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC;KACzB,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,OAAO,CAAC,IAAmB,EAAE,GAAW;IACtD,MAAM,QAAQ,GAAG,gBAAgB,CAC/B,SAAS,EACT,GAAG,EACH,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,KAAK,CAAC,CAC5B,CAAC;IACF,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;IAElD,IAAI,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAChE,SAAS,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACpC,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,QAAQ,CAAC,IAAY,EAAE,GAAW;IAChD,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IACvC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAClB,OAAO,eAAe,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;AAC7C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,IAAY,EAAE,SAAiB,EAAE,GAAW;IACrE,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,cAAc,CAAC;QAAE,OAAO,KAAK,CAAC;IAExD,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACrC,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAErC,IAAI,MAAM,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAClD,OAAO,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AACzC,CAAC"}

package/dist/auth/handoff.d.ts

@@ -0,0 +1,29 @@
+import type { AuthManager } from './manager.js';
+export interface HandoffOptions {
+    domain: string;
+    loginUrl?: string;
+    timeout?: number;
+}
+export interface HandoffResult {
+    success: boolean;
+    cookieCount: number;
+    authDetected?: 'bearer' | 'cookie' | 'api-key';
+    error?: string;
+}
+/**
+ * Detect whether a response indicates successful login.
+ * Checks for session-like Set-Cookie headers on 2xx responses.
+ */
+export declare function detectLoginSuccess(headers: Map<string, string>, status: number): boolean;
+/**
+ * Open a visible browser for human authentication.
+ *
+ * Flow:
+ * 1. Launch visible Chromium browser
+ * 2. Navigate to login URL
+ * 3. Wait for human to log in (watches for session cookies / auth headers)
+ * 4. Capture all cookies + detected auth
+ * 5. Store encrypted via AuthManager
+ * 6. Close browser, return result
+ */
+export declare function requestAuth(authManager: AuthManager, options: HandoffOptions): Promise<HandoffResult>;

package/dist/auth/handoff.js

@@ -0,0 +1,180 @@
+// Session-like cookie name patterns
+const SESSION_COOKIE_PATTERNS = [
+    /sess/i, /auth/i, /token/i, /jwt/i, /login/i,
+    /sid$/i, /^_session/i, /^connect\.sid$/i,
+];
+// Tracking/analytics cookie patterns (exclude from session detection)
+const TRACKING_COOKIE_PATTERNS = [
+    /^_ga/i, /^_gid/i, /^_fb/i, /^_gcl/i, /^__utm/i,
+];
+/**
+ * Detect whether a response indicates successful login.
+ * Checks for session-like Set-Cookie headers on 2xx responses.
+ */
+export function detectLoginSuccess(headers, status) {
+    if (status < 200 || status >= 300)
+        return false;
+    // Check for auth header
+    const authHeader = headers.get('authorization');
+    if (authHeader && (authHeader.startsWith('Bearer ') || authHeader.startsWith('Basic '))) {
+        return true;
+    }
+    // Check for session-like cookies
+    const setCookie = headers.get('set-cookie');
+    if (!setCookie)
+        return false;
+    // Parse cookie name from Set-Cookie header
+    const cookieName = setCookie.split('=')[0].trim();
+    // Exclude tracking cookies
+    if (TRACKING_COOKIE_PATTERNS.some(p => p.test(cookieName)))
+        return false;
+    // Match session-like cookies
+    return SESSION_COOKIE_PATTERNS.some(p => p.test(cookieName));
+}
+// Mutex to prevent concurrent handoffs for the same domain
+const handoffLocks = new Map();
+/**
+ * Open a visible browser for human authentication.
+ *
+ * Flow:
+ * 1. Launch visible Chromium browser
+ * 2. Navigate to login URL
+ * 3. Wait for human to log in (watches for session cookies / auth headers)
+ * 4. Capture all cookies + detected auth
+ * 5. Store encrypted via AuthManager
+ * 6. Close browser, return result
+ */
+export async function requestAuth(authManager, options) {
+    const { domain } = options;
+    // Mutex: prevent concurrent handoffs for same domain
+    const existing = handoffLocks.get(domain);
+    if (existing)
+        return existing;
+    const promise = doHandoff(authManager, options);
+    handoffLocks.set(domain, promise);
+    try {
+        return await promise;
+    }
+    finally {
+        handoffLocks.delete(domain);
+    }
+}
+async function doHandoff(authManager, options) {
+    const { domain } = options;
+    const loginUrl = options.loginUrl || `https://${domain}`;
+    const timeout = options.timeout ?? 300_000; // 5 minutes
+    const { chromium } = await import('playwright');
+    const browser = await chromium.launch({ headless: false });
+    try {
+        const context = await browser.newContext();
+        // Restore existing session cookies if available (warm start)
+        const cachedSession = await authManager.retrieveSession(domain);
+        if (cachedSession?.cookies?.length) {
+            await context.addCookies(cachedSession.cookies);
+        }
+        const page = await context.newPage();
+        let authDetected;
+        let detectedAuth;
+        // Watch network responses for auth signals
+        page.on('response', (response) => {
+            const headers = new Map();
+            for (const [key, value] of Object.entries(response.headers())) {
+                headers.set(key, value);
+            }
+            // Detect auth from request headers
+            const authHeader = response.request().headers()['authorization'];
+            if (authHeader) {
+                if (authHeader.startsWith('Bearer ')) {
+                    authDetected = 'bearer';
+                    detectedAuth = {
+                        type: 'bearer',
+                        header: 'authorization',
+                        value: authHeader,
+                    };
+                }
+                else if (authHeader.toLowerCase().startsWith('apikey ') || authHeader.toLowerCase().startsWith('api-key ')) {
+                    authDetected = 'api-key';
+                    detectedAuth = {
+                        type: 'api-key',
+                        header: 'authorization',
+                        value: authHeader,
+                    };
+                }
+            }
+        });
+        // Navigate to login page
+        await page.goto(loginUrl, { waitUntil: 'domcontentloaded', timeout: 30_000 });
+        // Poll for login success: check cookies periodically
+        const startTime = Date.now();
+        let loginDetected = false;
+        while (Date.now() - startTime < timeout) {
+            await page.waitForTimeout(2000);
+            // Check if we've detected session cookies
+            const cookies = await context.cookies();
+            const hasSessionCookie = cookies.some(c => SESSION_COOKIE_PATTERNS.some(p => p.test(c.name)) &&
+                !TRACKING_COOKIE_PATTERNS.some(p => p.test(c.name)));
+            if (hasSessionCookie || authDetected) {
+                // Wait a bit more for any final redirects/requests
+                await page.waitForTimeout(2000);
+                loginDetected = true;
+                break;
+            }
+            // Check if browser was closed by user
+            if (page.isClosed())
+                break;
+        }
+        // Capture final cookies
+        const cookies = await context.cookies();
+        if (cookies.length === 0 && !authDetected) {
+            return {
+                success: false,
+                cookieCount: 0,
+                error: loginDetected ? undefined : 'Timeout: no login detected within the allowed time',
+            };
+        }
+        // Store session cookies
+        const session = {
+            cookies,
+            savedAt: new Date().toISOString(),
+            maxAgeMs: 24 * 60 * 60 * 1000, // 24 hours
+        };
+        await authManager.storeSession(domain, session);
+        // Store detected auth header if found
+        if (detectedAuth) {
+            await authManager.store(domain, detectedAuth);
+        }
+        else if (cookies.length > 0) {
+            // Store as cookie auth
+            const sessionCookies = cookies
+                .filter(c => SESSION_COOKIE_PATTERNS.some(p => p.test(c.name)))
+                .filter(c => !TRACKING_COOKIE_PATTERNS.some(p => p.test(c.name)));
+            if (sessionCookies.length > 0) {
+                authDetected = 'cookie';
+                const cookieHeader = sessionCookies
+                    .map(c => `${c.name}=${c.value}`)
+                    .join('; ');
+                await authManager.store(domain, {
+                    type: 'cookie',
+                    header: 'cookie',
+                    value: cookieHeader,
+                });
+            }
+        }
+        return {
+            success: true,
+            cookieCount: cookies.length,
+            authDetected,
+        };
+    }
+    catch (error) {
+        return {
+            success: false,
+            cookieCount: 0,
+            error: error instanceof Error ? error.message : String(error),
+        };
+    }
+    finally {
+        await browser.close();
+    }
+}
+//# sourceMappingURL=handoff.js.map

package/dist/auth/handoff.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handoff.js","sourceRoot":"","sources":["../../src/auth/handoff.ts"],"names":[],"mappings":"AAiBA,oCAAoC;AACpC,MAAM,uBAAuB,GAAG;IAC9B,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ;IAC5C,OAAO,EAAE,YAAY,EAAE,iBAAiB;CACzC,CAAC;AAEF,sEAAsE;AACtE,MAAM,wBAAwB,GAAG;IAC/B,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS;CAChD,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAA4B,EAC5B,MAAc;IAEd,IAAI,MAAM,GAAG,GAAG,IAAI,MAAM,IAAI,GAAG;QAAE,OAAO,KAAK,CAAC;IAEhD,wBAAwB;IACxB,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAChD,IAAI,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;QACxF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,iCAAiC;IACjC,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAC5C,IAAI,CAAC,SAAS;QAAE,OAAO,KAAK,CAAC;IAE7B,2CAA2C;IAC3C,MAAM,UAAU,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAElD,2BAA2B;IAC3B,IAAI,wBAAwB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAEzE,6BAA6B;IAC7B,OAAO,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;AAC/D,CAAC;AAED,2DAA2D;AAC3D,MAAM,YAAY,GAAG,IAAI,GAAG,EAAkC,CAAC;AAE/D;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,WAAwB,EACxB,OAAuB;IAEvB,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;IAE3B,qDAAqD;IACrD,MAAM,QAAQ,GAAG,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC1C,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAE9B,MAAM,OAAO,GAAG,SAAS,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IAChD,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAElC,IAAI,CAAC;QACH,OAAO,MAAM,OAAO,CAAC;IACvB,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC9B,CAAC;AACH,CAAC;AAED,KAAK,UAAU,SAAS,CACtB,WAAwB,EACxB,OAAuB;IAEvB,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;IAC3B,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,WAAW,MAAM,EAAE,CAAC;IACzD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,CAAC,YAAY;IAExD,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,CAAC;IAEhD,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC;IAE3D,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,EAAE,CAAC;QAE3C,6DAA6D;QAC7D,MAAM,aAAa,GAAG,MAAM,WAAW,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;QAChE,IAAI,aAAa,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;YACnC,MAAM,OAAO,CAAC,UAAU,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;QAClD,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,OAAO,EAAE,CAAC;QACrC,IAAI,YAAyD,CAAC;QAC9D,IAAI,YAAoC,CAAC;QAEzC,2CAA2C;QAC3C,IAAI,CAAC,EAAE,CAAC,UAAU,EAAE,CAAC,QAAQ,EAAE,EAAE;YAC/B,MAAM,OAAO,GAAG,IAAI,GAAG,EAAkB,CAAC;YAC1C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;gBAC9D,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YAC1B,CAAC;YAED,mCAAmC;YACnC,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,EAAE,CAAC,OAAO,EAAE,CAAC,eAAe,CAAC,CAAC;YACjE,IAAI,UAAU,EAAE,CAAC;gBACf,IAAI,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;oBACrC,YAAY,GAAG,QAAQ,CAAC;oBACxB,YAAY,GAAG;wBACb,IAAI,EAAE,QAAQ;wBACd,MAAM,EAAE,eAAe;wBACvB,KAAK,EAAE,UAAU;qBAClB,CAAC;gBACJ,CAAC;qBAAM,IAAI,UAAU,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,UAAU,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;oBAC7G,YAAY,GAAG,SAAS,CAAC;oBACzB,YAAY,GAAG;wBACb,IAAI,EAAE,SAAS;wBACf,MAAM,EAAE,eAAe;wBACvB,KAAK,EAAE,UAAU;qBAClB,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,yBAAyB;QACzB,MAAM,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,kBAAkB,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;QAE9E,qDAAqD;QACrD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,IAAI,aAAa,GAAG,KAAK,CAAC;QAE1B,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,OAAO,EAAE,CAAC;YACxC,MAAM,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;YAEhC,0CAA0C;YAC1C,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,OAAO,EAAE,CAAC;YACxC,MAAM,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CACxC,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;gBACjD,CAAC,wBAAwB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CACpD,CAAC;YAEF,IAAI,gBAAgB,IAAI,YAAY,EAAE,CAAC;gBACrC,mDAAmD;gBACnD,MAAM,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;gBAChC,aAAa,GAAG,IAAI,CAAC;gBACrB,MAAM;YACR,CAAC;YAED,sCAAsC;YACtC,IAAI,IAAI,CAAC,QAAQ,EAAE;gBAAE,MAAM;QAC7B,CAAC;QAED,wBAAwB;QACxB,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,OAAO,EAAE,CAAC;QAExC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YAC1C,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,WAAW,EAAE,CAAC;gBACd,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,oDAAoD;aACxF,CAAC;QACJ,CAAC;QAED,wBAAwB;QACxB,MAAM,OAAO,GAAkB;YAC7B,OAAO;YACP,OAAO,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACjC,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,WAAW;SAC3C,CAAC;QACF,MAAM,WAAW,CAAC,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAEhD,sCAAsC;QACtC,IAAI,YAAY,EAAE,CAAC;YACjB,MAAM,WAAW,CAAC,KAAK,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;QAChD,CAAC;aAAM,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9B,uBAAuB;YACvB,MAAM,cAAc,GAAG,OAAO;iBAC3B,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;iBAC9D,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,wBAAwB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAEpE,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC9B,YAAY,GAAG,QAAQ,CAAC;gBACxB,MAAM,YAAY,GAAG,cAAc;qBAChC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;qBAChC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACd,MAAM,WAAW,CAAC,KAAK,CAAC,MAAM,EAAE;oBAC9B,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,KAAK,EAAE,YAAY;iBACpB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO;YACL,OAAO,EAAE,IAAI;YACb,WAAW,EAAE,OAAO,CAAC,MAAM;YAC3B,YAAY;SACb,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,OAAO,EAAE,KAAK;YACd,WAAW,EAAE,CAAC;YACd,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;SAC9D,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,MAAM,OAAO,CAAC,KAAK,EAAE,CAAC;IACxB,CAAC;AACH,CAAC"}

package/dist/auth/manager.d.ts

@@ -0,0 +1,46 @@
+import type { StoredAuth, StoredToken, StoredSession } from '../types.js';
+/**
+ * Manages encrypted auth credential storage.
+ * All credentials stored in a single encrypted file keyed by domain.
+ */
+export declare class AuthManager {
+    private key;
+    private authPath;
+    constructor(baseDir: string, machineId: string);
+    /** Store auth credentials for a domain (overwrites existing). */
+    store(domain: string, auth: StoredAuth): Promise<void>;
+    /** Retrieve auth credentials for a domain. Returns null if not found or decryption fails. */
+    retrieve(domain: string): Promise<StoredAuth | null>;
+    /** Check if auth exists for a domain without loading the value. */
+    has(domain: string): Promise<boolean>;
+    /** Store refreshable tokens for a domain (merges with existing auth). */
+    storeTokens(domain: string, tokens: Record<string, StoredToken>): Promise<void>;
+    /** Retrieve refreshable tokens for a domain. */
+    retrieveTokens(domain: string): Promise<Record<string, StoredToken> | null>;
+    /** Store browser session (cookies) for a domain (merges with existing auth). */
+    storeSession(domain: string, session: StoredSession): Promise<void>;
+    /** Retrieve browser session for a domain. */
+    retrieveSession(domain: string): Promise<StoredSession | null>;
+    /** Store OAuth credentials for a domain (merges with existing auth). */
+    storeOAuthCredentials(domain: string, creds: {
+        refreshToken?: string;
+        clientSecret?: string;
+    }): Promise<void>;
+    /** Retrieve OAuth credentials for a domain. */
+    retrieveOAuthCredentials(domain: string): Promise<{
+        refreshToken?: string;
+        clientSecret?: string;
+    } | null>;
+    /** List all domains with stored auth. */
+    listDomains(): Promise<string[]>;
+    /** Clear all auth for a domain. */
+    clear(domain: string): Promise<void>;
+    private loadAll;
+    private saveAll;
+}
+/**
+ * Get the machine ID for key derivation.
+ * Linux: /etc/machine-id
+ * Fallback: hostname + homedir (less secure but portable)
+ */
+export declare function getMachineId(): Promise<string>;

package/dist/auth/manager.js

@@ -0,0 +1,127 @@
+// src/auth/manager.ts
+import { readFile, writeFile, mkdir, chmod } from 'node:fs/promises';
+import { join } from 'node:path';
+import { encrypt, decrypt, deriveKey } from './crypto.js';
+const AUTH_FILENAME = 'auth.enc';
+/**
+ * Manages encrypted auth credential storage.
+ * All credentials stored in a single encrypted file keyed by domain.
+ */
+export class AuthManager {
+    key;
+    authPath;
+    constructor(baseDir, machineId) {
+        this.key = deriveKey(machineId);
+        this.authPath = join(baseDir, AUTH_FILENAME);
+    }
+    /** Store auth credentials for a domain (overwrites existing). */
+    async store(domain, auth) {
+        const allAuth = await this.loadAll();
+        allAuth[domain] = auth;
+        await this.saveAll(allAuth);
+    }
+    /** Retrieve auth credentials for a domain. Returns null if not found or decryption fails. */
+    async retrieve(domain) {
+        const allAuth = await this.loadAll();
+        return allAuth[domain] ?? null;
+    }
+    /** Check if auth exists for a domain without loading the value. */
+    async has(domain) {
+        const allAuth = await this.loadAll();
+        return domain in allAuth;
+    }
+    /** Store refreshable tokens for a domain (merges with existing auth). */
+    async storeTokens(domain, tokens) {
+        const all = await this.loadAll();
+        const existing = all[domain] || { type: 'custom', header: '', value: '' };
+        all[domain] = { ...existing, tokens };
+        await this.saveAll(all);
+    }
+    /** Retrieve refreshable tokens for a domain. */
+    async retrieveTokens(domain) {
+        const all = await this.loadAll();
+        return all[domain]?.tokens ?? null;
+    }
+    /** Store browser session (cookies) for a domain (merges with existing auth). */
+    async storeSession(domain, session) {
+        const all = await this.loadAll();
+        const existing = all[domain] || { type: 'custom', header: '', value: '' };
+        all[domain] = { ...existing, session };
+        await this.saveAll(all);
+    }
+    /** Retrieve browser session for a domain. */
+    async retrieveSession(domain) {
+        const all = await this.loadAll();
+        return all[domain]?.session ?? null;
+    }
+    /** Store OAuth credentials for a domain (merges with existing auth). */
+    async storeOAuthCredentials(domain, creds) {
+        const all = await this.loadAll();
+        const existing = all[domain] || { type: 'custom', header: '', value: '' };
+        if (creds.refreshToken !== undefined)
+            existing.refreshToken = creds.refreshToken;
+        if (creds.clientSecret !== undefined)
+            existing.clientSecret = creds.clientSecret;
+        all[domain] = existing;
+        await this.saveAll(all);
+    }
+    /** Retrieve OAuth credentials for a domain. */
+    async retrieveOAuthCredentials(domain) {
+        const all = await this.loadAll();
+        const auth = all[domain];
+        if (!auth)
+            return null;
+        if (!auth.refreshToken && !auth.clientSecret)
+            return null;
+        return { refreshToken: auth.refreshToken, clientSecret: auth.clientSecret };
+    }
+    /** List all domains with stored auth. */
+    async listDomains() {
+        const all = await this.loadAll();
+        return Object.keys(all);
+    }
+    /** Clear all auth for a domain. */
+    async clear(domain) {
+        const all = await this.loadAll();
+        delete all[domain];
+        await this.saveAll(all);
+    }
+    async loadAll() {
+        try {
+            const content = await readFile(this.authPath, 'utf-8');
+            const encrypted = JSON.parse(content);
+            const plaintext = decrypt(encrypted, this.key);
+            return JSON.parse(plaintext);
+        }
+        catch {
+            return {};
+        }
+    }
+    async saveAll(data) {
+        const dir = join(this.authPath, '..');
+        await mkdir(dir, { recursive: true });
+        const plaintext = JSON.stringify(data);
+        const encrypted = encrypt(plaintext, this.key);
+        await writeFile(this.authPath, JSON.stringify(encrypted, null, 2) + '\n', { mode: 0o600 });
+        // Ensure permissions even if file existed with different perms
+        await chmod(this.authPath, 0o600);
+    }
+}
+/**
+ * Get the machine ID for key derivation.
+ * Linux: /etc/machine-id
+ * Fallback: hostname + homedir (less secure but portable)
+ */
+export async function getMachineId() {
+    try {
+        const id = await readFile('/etc/machine-id', 'utf-8');
+        return id.trim();
+    }
+    catch {
+        // Fallback for non-Linux systems
+        const { hostname } = await import('node:os');
+        const { homedir } = await import('node:os');
+        return `${hostname()}-${homedir()}`;
+    }
+}
+//# sourceMappingURL=manager.js.map

package/dist/auth/manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"manager.js","sourceRoot":"","sources":["../../src/auth/manager.ts"],"names":[],"mappings":"AAAA,sBAAsB;AACtB,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAsB,MAAM,aAAa,CAAC;AAG9E,MAAM,aAAa,GAAG,UAAU,CAAC;AAEjC;;;GAGG;AACH,MAAM,OAAO,WAAW;IACd,GAAG,CAAS;IACZ,QAAQ,CAAS;IAEzB,YAAY,OAAe,EAAE,SAAiB;QAC5C,IAAI,CAAC,GAAG,GAAG,SAAS,CAAC,SAAS,CAAC,CAAC;QAChC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;IAC/C,CAAC;IAED,iEAAiE;IACjE,KAAK,CAAC,KAAK,CAAC,MAAc,EAAE,IAAgB;QAC1C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACrC,OAAO,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC;QACvB,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAC9B,CAAC;IAED,6FAA6F;IAC7F,KAAK,CAAC,QAAQ,CAAC,MAAc;QAC3B,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACrC,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC;IACjC,CAAC;IAED,mEAAmE;IACnE,KAAK,CAAC,GAAG,CAAC,MAAc;QACtB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACrC,OAAO,MAAM,IAAI,OAAO,CAAC;IAC3B,CAAC;IAED,yEAAyE;IACzE,KAAK,CAAC,WAAW,CAAC,MAAc,EAAE,MAAmC;QACnE,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,QAAiB,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QACnF,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,MAAM,EAAE,CAAC;QACtC,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAED,gDAAgD;IAChD,KAAK,CAAC,cAAc,CAAC,MAAc;QACjC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,OAAO,GAAG,CAAC,MAAM,CAAC,EAAE,MAAM,IAAI,IAAI,CAAC;IACrC,CAAC;IAED,gFAAgF;IAChF,KAAK,CAAC,YAAY,CAAC,MAAc,EAAE,OAAsB;QACvD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,QAAiB,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QACnF,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,OAAO,EAAE,CAAC;QACvC,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAED,6CAA6C;IAC7C,KAAK,CAAC,eAAe,CAAC,MAAc;QAClC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,OAAO,GAAG,CAAC,MAAM,CAAC,EAAE,OAAO,IAAI,IAAI,CAAC;IACtC,CAAC;IAED,wEAAwE;IACxE,KAAK,CAAC,qBAAqB,CAAC,MAAc,EAAE,KAAuD;QACjG,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,QAAiB,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QACnF,IAAI,KAAK,CAAC,YAAY,KAAK,SAAS;YAAE,QAAQ,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,CAAC;QACjF,IAAI,KAAK,CAAC,YAAY,KAAK,SAAS;YAAE,QAAQ,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,CAAC;QACjF,GAAG,CAAC,MAAM,CAAC,GAAG,QAAQ,CAAC;QACvB,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAED,+CAA+C;IAC/C,KAAK,CAAC,wBAAwB,CAAC,MAAc;QAC3C,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;QACzB,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QACvB,IAAI,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,IAAI,CAAC,YAAY;YAAE,OAAO,IAAI,CAAC;QAC1D,OAAO,EAAE,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC;IAC9E,CAAC;IAED,yCAAyC;IACzC,KAAK,CAAC,WAAW;QACf,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAED,mCAAmC;IACnC,KAAK,CAAC,KAAK,CAAC,MAAc;QACxB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC;QACnB,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAEO,KAAK,CAAC,OAAO;QACnB,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACvD,MAAM,SAAS,GAAkB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACrD,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;YAC/C,OAAO,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAC/B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,OAAO,CAAC,IAAgC;QACpD,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACtC,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAEtC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;QAE/C,MAAM,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC3F,+DAA+D;QAC/D,MAAM,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACpC,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY;IAChC,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,MAAM,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC;QACtD,OAAO,EAAE,CAAC,IAAI,EAAE,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,iCAAiC;QACjC,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;QAC7C,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;QAC5C,OAAO,GAAG,QAAQ,EAAE,IAAI,OAAO,EAAE,EAAE,CAAC;IACtC,CAAC;AACH,CAAC"}

package/dist/auth/oauth-refresh.d.ts

@@ -0,0 +1,16 @@
+import type { OAuthConfig } from '../types.js';
+import type { AuthManager } from './manager.js';
+export interface OAuthRefreshResult {
+    success: boolean;
+    accessToken?: string;
+    tokenRotated?: boolean;
+    error?: string;
+}
+/**
+ * Refresh an OAuth2 access token via the token endpoint using stdlib fetch().
+ * Supports refresh_token and client_credentials grant types.
+ * Handles refresh token rotation (new refresh_token in response).
+ */
+export declare function refreshOAuth(domain: string, oauthConfig: OAuthConfig, authManager: AuthManager, options?: {
+    _skipSsrfCheck?: boolean;
+}): Promise<OAuthRefreshResult>;

package/dist/auth/oauth-refresh.js

@@ -0,0 +1,91 @@
+import { resolveAndValidateUrl } from '../skill/ssrf.js';
+/**
+ * Refresh an OAuth2 access token via the token endpoint using stdlib fetch().
+ * Supports refresh_token and client_credentials grant types.
+ * Handles refresh token rotation (new refresh_token in response).
+ */
+export async function refreshOAuth(domain, oauthConfig, authManager, options) {
+    const oauthCreds = await authManager.retrieveOAuthCredentials(domain);
+    // Build request body based on grant type
+    const body = new URLSearchParams();
+    body.append('grant_type', oauthConfig.grantType);
+    body.append('client_id', oauthConfig.clientId);
+    if (oauthConfig.scope) {
+        body.append('scope', oauthConfig.scope);
+    }
+    if (oauthConfig.grantType === 'refresh_token') {
+        if (!oauthCreds?.refreshToken) {
+            return { success: false, error: 'No refresh token available' };
+        }
+        body.append('refresh_token', oauthCreds.refreshToken);
+    }
+    if (oauthCreds?.clientSecret) {
+        body.append('client_secret', oauthCreds.clientSecret);
+    }
+    // SSRF check on token endpoint
+    if (!options?._skipSsrfCheck) {
+        const ssrfCheck = await resolveAndValidateUrl(oauthConfig.tokenEndpoint);
+        if (!ssrfCheck.safe) {
+            return { success: false, error: `Token endpoint blocked: ${ssrfCheck.reason}` };
+        }
+    }
+    // Domain match: token endpoint must match skill domain or be a known OAuth provider
+    const KNOWN_OAUTH_HOSTS = [
+        'oauth2.googleapis.com', 'accounts.google.com',
+        'login.microsoftonline.com', 'github.com',
+        'oauth.reddit.com', 'api.twitter.com',
+    ];
+    const tokenHost = new URL(oauthConfig.tokenEndpoint).hostname;
+    if (tokenHost !== domain && !tokenHost.endsWith('.' + domain) && !KNOWN_OAUTH_HOSTS.includes(tokenHost)) {
+        return { success: false, error: `Token endpoint domain mismatch: ${tokenHost} vs ${domain}` };
+    }
+    try {
+        const response = await fetch(oauthConfig.tokenEndpoint, {
+            method: 'POST',
+            headers: { 'content-type': 'application/x-www-form-urlencoded' },
+            body: body.toString(),
+            signal: AbortSignal.timeout(15_000), // 15s timeout for token refresh
+        });
+        if (!response.ok) {
+            const errorText = await response.text().catch(() => '');
+            return {
+                success: false,
+                error: `Token endpoint returned ${response.status}: ${errorText}`.trim(),
+            };
+        }
+        const data = await response.json();
+        const accessToken = data.access_token;
+        if (typeof accessToken !== 'string') {
+            return { success: false, error: 'No access_token in response' };
+        }
+        // Store new access token
+        const existingAuth = await authManager.retrieve(domain);
+        await authManager.store(domain, {
+            type: existingAuth?.type ?? 'bearer',
+            header: existingAuth?.header ?? 'authorization',
+            value: `Bearer ${accessToken}`,
+            tokens: existingAuth?.tokens,
+            session: existingAuth?.session,
+            refreshToken: existingAuth?.refreshToken,
+            clientSecret: existingAuth?.clientSecret,
+        });
+        // Handle refresh token rotation
+        let tokenRotated = false;
+        const newRefreshToken = data.refresh_token;
+        if (typeof newRefreshToken === 'string' &&
+            newRefreshToken !== oauthCreds?.refreshToken) {
+            await authManager.storeOAuthCredentials(domain, {
+                refreshToken: newRefreshToken,
+            });
+            tokenRotated = true;
+        }
+        return { success: true, accessToken, tokenRotated };
+    }
+    catch (error) {
+        return {
+            success: false,
+            error: error instanceof Error ? error.message : String(error),
+        };
+    }
+}
+//# sourceMappingURL=oauth-refresh.js.map

package/dist/auth/oauth-refresh.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-refresh.js","sourceRoot":"","sources":["../../src/auth/oauth-refresh.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AASzD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,MAAc,EACd,WAAwB,EACxB,WAAwB,EACxB,OAAsC;IAEtC,MAAM,UAAU,GAAG,MAAM,WAAW,CAAC,wBAAwB,CAAC,MAAM,CAAC,CAAC;IAEtE,yCAAyC;IACzC,MAAM,IAAI,GAAG,IAAI,eAAe,EAAE,CAAC;IACnC,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,WAAW,CAAC,SAAS,CAAC,CAAC;IACjD,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,WAAW,CAAC,QAAQ,CAAC,CAAC;IAE/C,IAAI,WAAW,CAAC,KAAK,EAAE,CAAC;QACtB,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,WAAW,CAAC,KAAK,CAAC,CAAC;IAC1C,CAAC;IAED,IAAI,WAAW,CAAC,SAAS,KAAK,eAAe,EAAE,CAAC;QAC9C,IAAI,CAAC,UAAU,EAAE,YAAY,EAAE,CAAC;YAC9B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAC;QACjE,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC;IACxD,CAAC;IAED,IAAI,UAAU,EAAE,YAAY,EAAE,CAAC;QAC7B,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC;IACxD,CAAC;IAED,+BAA+B;IAC/B,IAAI,CAAC,OAAO,EAAE,cAAc,EAAE,CAAC;QAC7B,MAAM,SAAS,GAAG,MAAM,qBAAqB,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC;QACzE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;YACpB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,2BAA2B,SAAS,CAAC,MAAM,EAAE,EAAE,CAAC;QAClF,CAAC;IACH,CAAC;IAED,oFAAoF;IACpF,MAAM,iBAAiB,GAAG;QACxB,uBAAuB,EAAE,qBAAqB;QAC9C,2BAA2B,EAAE,YAAY;QACzC,kBAAkB,EAAE,iBAAiB;KACtC,CAAC;IACF,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC,QAAQ,CAAC;IAC9D,IAAI,SAAS,KAAK,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACxG,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,mCAAmC,SAAS,OAAO,MAAM,EAAE,EAAE,CAAC;IAChG,CAAC;IAED,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,aAAa,EAAE;YACtD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;YAChE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;YACrB,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC,EAAG,gCAAgC;SACvE,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;YACxD,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,2BAA2B,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC,IAAI,EAAE;aACzE,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;QAC9D,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC;QAEtC,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;YACpC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,6BAA6B,EAAE,CAAC;QAClE,CAAC;QAED,yBAAyB;QACzB,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACxD,MAAM,WAAW,CAAC,KAAK,CAAC,MAAM,EAAE;YAC9B,IAAI,EAAE,YAAY,EAAE,IAAI,IAAI,QAAQ;YACpC,MAAM,EAAE,YAAY,EAAE,MAAM,IAAI,eAAe;YAC/C,KAAK,EAAE,UAAU,WAAW,EAAE;YAC9B,MAAM,EAAE,YAAY,EAAE,MAAM;YAC5B,OAAO,EAAE,YAAY,EAAE,OAAO;YAC9B,YAAY,EAAE,YAAY,EAAE,YAAY;YACxC,YAAY,EAAE,YAAY,EAAE,YAAY;SACzC,CAAC,CAAC;QAEH,gCAAgC;QAChC,IAAI,YAAY,GAAG,KAAK,CAAC;QACzB,MAAM,eAAe,GAAG,IAAI,CAAC,aAAa,CAAC;QAC3C,IACE,OAAO,eAAe,KAAK,QAAQ;YACnC,eAAe,KAAK,UAAU,EAAE,YAAY,EAC5C,CAAC;YACD,MAAM,WAAW,CAAC,qBAAqB,CAAC,MAAM,EAAE;gBAC9C,YAAY,EAAE,eAAe;aAC9B,CAAC,CAAC;YACH,YAAY,GAAG,IAAI,CAAC;QACtB,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,YAAY,EAAE,CAAC;IACtD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;SAC9D,CAAC;IACJ,CAAC;AACH,CAAC"}