@backstage/cli-module-auth 0.0.0-nightly-20260317031259

package/dist/commands/show.cjs.js

@@ -0,0 +1,59 @@
+'use strict';
+
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var cleye = require('cleye');
+var http = require('../lib/http.cjs.js');
+var storage = require('../lib/storage.cjs.js');
+var auth = require('../lib/auth.cjs.js');
+var secretStore = require('../lib/secretStore.cjs.js');
+
+var show = async ({ args, info }) => {
+  const {
+    flags: { instance: instanceFlag }
+  } = cleye.cli(
+    {
+      help: info,
+      flags: {
+        instance: {
+          type: String,
+          description: "Name of the instance to show"
+        }
+      }
+    },
+    void 0,
+    args
+  );
+  let instance = await storage.getSelectedInstance(instanceFlag);
+  if (auth.accessTokenNeedsRefresh(instance)) {
+    process.stdout.write("Refreshing access token...\n");
+    instance = await auth.refreshAccessToken(instance.name);
+  }
+  const authBase = new URL("/api/auth", instance.baseUrl).toString().replace(/\/$/, "");
+  const secretStore$1 = await secretStore.getSecretStore();
+  const service = `backstage-cli:auth-instance:${instance.name}`;
+  const accessToken = await secretStore$1.get(service, "accessToken");
+  if (!accessToken) {
+    throw new Error('No access token found. Run "auth login" to authenticate.');
+  }
+  const userinfo = await http.httpJson(
+    `${authBase}/v1/userinfo`,
+    {
+      headers: { Authorization: `Bearer ${accessToken}` },
+      signal: AbortSignal.timeout(3e4)
+    }
+  );
+  process.stdout.write(`User: ${userinfo.claims.sub}
+`);
+  process.stdout.write(`
+`);
+  process.stdout.write(`Ownership:
+`);
+  for (const ent of userinfo.claims.ent ?? []) {
+    process.stdout.write(`  - ${ent}
+`);
+  }
+};
+
+exports.default = show;
+//# sourceMappingURL=show.cjs.js.map

package/dist/commands/show.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"show.cjs.js","sources":["../../src/commands/show.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { cli } from 'cleye';\nimport type { CliCommandContext } from '@backstage/cli-node';\nimport { httpJson } from '../lib/http';\nimport { getSelectedInstance } from '../lib/storage';\nimport { accessTokenNeedsRefresh, refreshAccessToken } from '../lib/auth';\nimport { getSecretStore } from '../lib/secretStore';\n\nexport default async ({ args, info }: CliCommandContext) => {\n  const {\n    flags: { instance: instanceFlag },\n  } = cli(\n    {\n      help: info,\n      flags: {\n        instance: {\n          type: String,\n          description: 'Name of the instance to show',\n        },\n      },\n    },\n    undefined,\n    args,\n  );\n\n  let instance = await getSelectedInstance(instanceFlag);\n\n  if (accessTokenNeedsRefresh(instance)) {\n    process.stdout.write('Refreshing access token...\\n');\n    instance = await refreshAccessToken(instance.name);\n  }\n  const authBase = new URL('/api/auth', instance.baseUrl)\n    .toString()\n    .replace(/\\/$/, '');\n\n  const secretStore = await getSecretStore();\n  const service = `backstage-cli:auth-instance:${instance.name}`;\n  const accessToken = await secretStore.get(service, 'accessToken');\n  if (!accessToken) {\n    throw new Error('No access token found. Run \"auth login\" to authenticate.');\n  }\n\n  const userinfo = await httpJson<{ claims: { sub: string; ent: string[] } }>(\n    `${authBase}/v1/userinfo`,\n    {\n      headers: { Authorization: `Bearer ${accessToken}` },\n      signal: AbortSignal.timeout(30_000),\n    },\n  );\n\n  process.stdout.write(`User: ${userinfo.claims.sub}\\n`);\n  process.stdout.write(`\\n`);\n  process.stdout.write(`Ownership:\\n`);\n  for (const ent of userinfo.claims.ent ?? []) {\n    process.stdout.write(`  - ${ent}\\n`);\n  }\n};\n"],"names":["cli","getSelectedInstance","accessTokenNeedsRefresh","refreshAccessToken","secretStore","getSecretStore","httpJson"],"mappings":";;;;;;;;;;AAuBA,WAAe,OAAO,EAAE,IAAA,EAAM,IAAA,EAAK,KAAyB;AAC1D,EAAA,MAAM;AAAA,IACJ,KAAA,EAAO,EAAE,QAAA,EAAU,YAAA;AAAa,GAClC,GAAIA,SAAA;AAAA,IACF;AAAA,MACE,IAAA,EAAM,IAAA;AAAA,MACN,KAAA,EAAO;AAAA,QACL,QAAA,EAAU;AAAA,UACR,IAAA,EAAM,MAAA;AAAA,UACN,WAAA,EAAa;AAAA;AACf;AACF,KACF;AAAA,IACA,MAAA;AAAA,IACA;AAAA,GACF;AAEA,EAAA,IAAI,QAAA,GAAW,MAAMC,2BAAA,CAAoB,YAAY,CAAA;AAErD,EAAA,IAAIC,4BAAA,CAAwB,QAAQ,CAAA,EAAG;AACrC,IAAA,OAAA,CAAQ,MAAA,CAAO,MAAM,8BAA8B,CAAA;AACnD,IAAA,QAAA,GAAW,MAAMC,uBAAA,CAAmB,QAAA,CAAS,IAAI,CAAA;AAAA,EACnD;AACA,EAAA,MAAM,QAAA,GAAW,IAAI,GAAA,CAAI,WAAA,EAAa,QAAA,CAAS,OAAO,CAAA,CACnD,QAAA,EAAS,CACT,OAAA,CAAQ,KAAA,EAAO,EAAE,CAAA;AAEpB,EAAA,MAAMC,aAAA,GAAc,MAAMC,0BAAA,EAAe;AACzC,EAAA,MAAM,OAAA,GAAU,CAAA,4BAAA,EAA+B,QAAA,CAAS,IAAI,CAAA,CAAA;AAC5D,EAAA,MAAM,WAAA,GAAc,MAAMD,aAAA,CAAY,GAAA,CAAI,SAAS,aAAa,CAAA;AAChE,EAAA,IAAI,CAAC,WAAA,EAAa;AAChB,IAAA,MAAM,IAAI,MAAM,0DAA0D,CAAA;AAAA,EAC5E;AAEA,EAAA,MAAM,WAAW,MAAME,aAAA;AAAA,IACrB,GAAG,QAAQ,CAAA,YAAA,CAAA;AAAA,IACX;AAAA,MACE,OAAA,EAAS,EAAE,aAAA,EAAe,CAAA,OAAA,EAAU,WAAW,CAAA,CAAA,EAAG;AAAA,MAClD,MAAA,EAAQ,WAAA,CAAY,OAAA,CAAQ,GAAM;AAAA;AACpC,GACF;AAEA,EAAA,OAAA,CAAQ,MAAA,CAAO,KAAA,CAAM,CAAA,MAAA,EAAS,QAAA,CAAS,OAAO,GAAG;AAAA,CAAI,CAAA;AACrD,EAAA,OAAA,CAAQ,OAAO,KAAA,CAAM;AAAA,CAAI,CAAA;AACzB,EAAA,OAAA,CAAQ,OAAO,KAAA,CAAM,CAAA;AAAA,CAAc,CAAA;AACnC,EAAA,KAAA,MAAW,GAAA,IAAO,QAAA,CAAS,MAAA,CAAO,GAAA,IAAO,EAAC,EAAG;AAC3C,IAAA,OAAA,CAAQ,MAAA,CAAO,KAAA,CAAM,CAAA,IAAA,EAAO,GAAG;AAAA,CAAI,CAAA;AAAA,EACrC;AACF,CAAA;;;;"}

package/dist/index.cjs.js

@@ -0,0 +1,45 @@
+'use strict';
+
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var cliNode = require('@backstage/cli-node');
+var _package = require('./package.json.cjs.js');
+
+var index = cliNode.createCliModule({
+  packageJson: _package.default,
+  init: async (reg) => {
+    reg.addCommand({
+      path: ["auth", "login"],
+      description: "Log in the CLI to a Backstage instance",
+      execute: { loader: () => import('./commands/login.cjs.js') }
+    });
+    reg.addCommand({
+      path: ["auth", "logout"],
+      description: "Log out the CLI and clear stored credentials",
+      execute: { loader: () => import('./commands/logout.cjs.js') }
+    });
+    reg.addCommand({
+      path: ["auth", "show"],
+      description: "Show details of an authenticated instance",
+      execute: { loader: () => import('./commands/show.cjs.js') }
+    });
+    reg.addCommand({
+      path: ["auth", "list"],
+      description: "List authenticated instances",
+      execute: { loader: () => import('./commands/list.cjs.js') }
+    });
+    reg.addCommand({
+      path: ["auth", "print-token"],
+      description: "Print an access token to stdout (auto-refresh if needed)",
+      execute: { loader: () => import('./commands/printToken.cjs.js') }
+    });
+    reg.addCommand({
+      path: ["auth", "select"],
+      description: "Select the default instance",
+      execute: { loader: () => import('./commands/select.cjs.js') }
+    });
+  }
+});
+
+exports.default = index;
+//# sourceMappingURL=index.cjs.js.map

package/dist/index.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.cjs.js","sources":["../src/index.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { createCliModule } from '@backstage/cli-node';\nimport packageJson from '../package.json';\n\nexport default createCliModule({\n  packageJson,\n  init: async reg => {\n    reg.addCommand({\n      path: ['auth', 'login'],\n      description: 'Log in the CLI to a Backstage instance',\n      execute: { loader: () => import('./commands/login') },\n    });\n    reg.addCommand({\n      path: ['auth', 'logout'],\n      description: 'Log out the CLI and clear stored credentials',\n      execute: { loader: () => import('./commands/logout') },\n    });\n    reg.addCommand({\n      path: ['auth', 'show'],\n      description: 'Show details of an authenticated instance',\n      execute: { loader: () => import('./commands/show') },\n    });\n    reg.addCommand({\n      path: ['auth', 'list'],\n      description: 'List authenticated instances',\n      execute: { loader: () => import('./commands/list') },\n    });\n    reg.addCommand({\n      path: ['auth', 'print-token'],\n      description: 'Print an access token to stdout (auto-refresh if needed)',\n      execute: { loader: () => import('./commands/printToken') },\n    });\n    reg.addCommand({\n      path: ['auth', 'select'],\n      description: 'Select the default instance',\n      execute: { loader: () => import('./commands/select') },\n    });\n  },\n});\n"],"names":["createCliModule","packageJson"],"mappings":";;;;;;;AAmBA,YAAeA,uBAAA,CAAgB;AAAA,eAC7BC,gBAAA;AAAA,EACA,IAAA,EAAM,OAAM,GAAA,KAAO;AACjB,IAAA,GAAA,CAAI,UAAA,CAAW;AAAA,MACb,IAAA,EAAM,CAAC,MAAA,EAAQ,OAAO,CAAA;AAAA,MACtB,WAAA,EAAa,wCAAA;AAAA,MACb,SAAS,EAAE,MAAA,EAAQ,MAAM,OAAO,yBAAkB,CAAA;AAAE,KACrD,CAAA;AACD,IAAA,GAAA,CAAI,UAAA,CAAW;AAAA,MACb,IAAA,EAAM,CAAC,MAAA,EAAQ,QAAQ,CAAA;AAAA,MACvB,WAAA,EAAa,8CAAA;AAAA,MACb,SAAS,EAAE,MAAA,EAAQ,MAAM,OAAO,0BAAmB,CAAA;AAAE,KACtD,CAAA;AACD,IAAA,GAAA,CAAI,UAAA,CAAW;AAAA,MACb,IAAA,EAAM,CAAC,MAAA,EAAQ,MAAM,CAAA;AAAA,MACrB,WAAA,EAAa,2CAAA;AAAA,MACb,SAAS,EAAE,MAAA,EAAQ,MAAM,OAAO,wBAAiB,CAAA;AAAE,KACpD,CAAA;AACD,IAAA,GAAA,CAAI,UAAA,CAAW;AAAA,MACb,IAAA,EAAM,CAAC,MAAA,EAAQ,MAAM,CAAA;AAAA,MACrB,WAAA,EAAa,8BAAA;AAAA,MACb,SAAS,EAAE,MAAA,EAAQ,MAAM,OAAO,wBAAiB,CAAA;AAAE,KACpD,CAAA;AACD,IAAA,GAAA,CAAI,UAAA,CAAW;AAAA,MACb,IAAA,EAAM,CAAC,MAAA,EAAQ,aAAa,CAAA;AAAA,MAC5B,WAAA,EAAa,0DAAA;AAAA,MACb,SAAS,EAAE,MAAA,EAAQ,MAAM,OAAO,8BAAuB,CAAA;AAAE,KAC1D,CAAA;AACD,IAAA,GAAA,CAAI,UAAA,CAAW;AAAA,MACb,IAAA,EAAM,CAAC,MAAA,EAAQ,QAAQ,CAAA;AAAA,MACvB,WAAA,EAAa,6BAAA;AAAA,MACb,SAAS,EAAE,MAAA,EAAQ,MAAM,OAAO,0BAAmB,CAAA;AAAE,KACtD,CAAA;AAAA,EACH;AACF,CAAC,CAAA;;;;"}

package/dist/index.d.ts

@@ -0,0 +1,5 @@
+import * as _backstage_cli_node from '@backstage/cli-node';
+
+declare const _default: _backstage_cli_node.CliModule;
+
+export { _default as default };

package/dist/lib/auth.cjs.js

@@ -0,0 +1,60 @@
+'use strict';
+
+var zod = require('zod');
+var storage = require('./storage.cjs.js');
+var secretStore = require('./secretStore.cjs.js');
+var http = require('./http.cjs.js');
+
+const TokenResponseSchema = zod.z.object({
+  access_token: zod.z.string().min(1),
+  token_type: zod.z.string().min(1),
+  expires_in: zod.z.number().positive().finite(),
+  refresh_token: zod.z.string().min(1).optional()
+});
+function accessTokenNeedsRefresh(instance) {
+  return instance.accessTokenExpiresAt <= Date.now() + 2 * 6e4;
+}
+async function refreshAccessToken(instanceName) {
+  const secretStore$1 = await secretStore.getSecretStore();
+  return storage.withMetadataLock(async () => {
+    const instance = await storage.getInstanceByName(instanceName);
+    const service = `backstage-cli:auth-instance:${instanceName}`;
+    const refreshToken = await secretStore$1.get(service, "refreshToken") ?? "";
+    if (!refreshToken) {
+      throw new Error(
+        "Access token is expired and no refresh token is available"
+      );
+    }
+    const response = await http.httpJson(
+      `${instance.baseUrl}/api/auth/v1/token`,
+      {
+        method: "POST",
+        body: {
+          grant_type: "refresh_token",
+          refresh_token: refreshToken
+        },
+        signal: AbortSignal.timeout(3e4)
+      }
+    );
+    const parsed = TokenResponseSchema.safeParse(response);
+    if (!parsed.success) {
+      throw new Error(`Invalid token response: ${parsed.error.message}`);
+    }
+    const token = parsed.data;
+    await secretStore$1.set(service, "accessToken", token.access_token);
+    if (token.refresh_token) {
+      await secretStore$1.set(service, "refreshToken", token.refresh_token);
+    }
+    const newInstance = {
+      ...instance,
+      issuedAt: Date.now(),
+      accessTokenExpiresAt: Date.now() + token.expires_in * 1e3
+    };
+    await storage.upsertInstance(newInstance);
+    return newInstance;
+  });
+}
+
+exports.accessTokenNeedsRefresh = accessTokenNeedsRefresh;
+exports.refreshAccessToken = refreshAccessToken;
+//# sourceMappingURL=auth.cjs.js.map

package/dist/lib/auth.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.cjs.js","sources":["../../src/lib/auth.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { z } from 'zod';\nimport {\n  StoredInstance,\n  upsertInstance,\n  withMetadataLock,\n  getInstanceByName,\n} from './storage';\nimport { getSecretStore } from './secretStore';\nimport { httpJson } from './http';\n\nconst TokenResponseSchema = z.object({\n  access_token: z.string().min(1),\n  token_type: z.string().min(1),\n  expires_in: z.number().positive().finite(),\n  refresh_token: z.string().min(1).optional(),\n});\n\nexport function accessTokenNeedsRefresh(instance: StoredInstance): boolean {\n  return instance.accessTokenExpiresAt <= Date.now() + 2 * 60_000; // 2 minutes before expiration\n}\n\nexport async function refreshAccessToken(\n  instanceName: string,\n): Promise<StoredInstance> {\n  const secretStore = await getSecretStore();\n\n  return withMetadataLock(async () => {\n    const instance = await getInstanceByName(instanceName);\n\n    const service = `backstage-cli:auth-instance:${instanceName}`;\n    const refreshToken = (await secretStore.get(service, 'refreshToken')) ?? '';\n    if (!refreshToken) {\n      throw new Error(\n        'Access token is expired and no refresh token is available',\n      );\n    }\n\n    const response = await httpJson<unknown>(\n      `${instance.baseUrl}/api/auth/v1/token`,\n      {\n        method: 'POST',\n        body: {\n          grant_type: 'refresh_token',\n          refresh_token: refreshToken,\n        },\n        signal: AbortSignal.timeout(30_000),\n      },\n    );\n\n    const parsed = TokenResponseSchema.safeParse(response);\n    if (!parsed.success) {\n      throw new Error(`Invalid token response: ${parsed.error.message}`);\n    }\n    const token = parsed.data;\n\n    await secretStore.set(service, 'accessToken', token.access_token);\n    if (token.refresh_token) {\n      await secretStore.set(service, 'refreshToken', token.refresh_token);\n    }\n    const newInstance = {\n      ...instance,\n      issuedAt: Date.now(),\n      accessTokenExpiresAt: Date.now() + token.expires_in * 1000,\n    };\n    await upsertInstance(newInstance);\n    return newInstance;\n  });\n}\n"],"names":["z","secretStore","getSecretStore","withMetadataLock","getInstanceByName","httpJson","upsertInstance"],"mappings":";;;;;;;AA0BA,MAAM,mBAAA,GAAsBA,MAAE,MAAA,CAAO;AAAA,EACnC,YAAA,EAAcA,KAAA,CAAE,MAAA,EAAO,CAAE,IAAI,CAAC,CAAA;AAAA,EAC9B,UAAA,EAAYA,KAAA,CAAE,MAAA,EAAO,CAAE,IAAI,CAAC,CAAA;AAAA,EAC5B,YAAYA,KAAA,CAAE,MAAA,EAAO,CAAE,QAAA,GAAW,MAAA,EAAO;AAAA,EACzC,eAAeA,KAAA,CAAE,MAAA,GAAS,GAAA,CAAI,CAAC,EAAE,QAAA;AACnC,CAAC,CAAA;AAEM,SAAS,wBAAwB,QAAA,EAAmC;AACzE,EAAA,OAAO,QAAA,CAAS,oBAAA,IAAwB,IAAA,CAAK,GAAA,KAAQ,CAAA,GAAI,GAAA;AAC3D;AAEA,eAAsB,mBACpB,YAAA,EACyB;AACzB,EAAA,MAAMC,aAAA,GAAc,MAAMC,0BAAA,EAAe;AAEzC,EAAA,OAAOC,yBAAiB,YAAY;AAClC,IAAA,MAAM,QAAA,GAAW,MAAMC,yBAAA,CAAkB,YAAY,CAAA;AAErD,IAAA,MAAM,OAAA,GAAU,+BAA+B,YAAY,CAAA,CAAA;AAC3D,IAAA,MAAM,eAAgB,MAAMH,aAAA,CAAY,GAAA,CAAI,OAAA,EAAS,cAAc,CAAA,IAAM,EAAA;AACzE,IAAA,IAAI,CAAC,YAAA,EAAc;AACjB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,MAAM,WAAW,MAAMI,aAAA;AAAA,MACrB,CAAA,EAAG,SAAS,OAAO,CAAA,kBAAA,CAAA;AAAA,MACnB;AAAA,QACE,MAAA,EAAQ,MAAA;AAAA,QACR,IAAA,EAAM;AAAA,UACJ,UAAA,EAAY,eAAA;AAAA,UACZ,aAAA,EAAe;AAAA,SACjB;AAAA,QACA,MAAA,EAAQ,WAAA,CAAY,OAAA,CAAQ,GAAM;AAAA;AACpC,KACF;AAEA,IAAA,MAAM,MAAA,GAAS,mBAAA,CAAoB,SAAA,CAAU,QAAQ,CAAA;AACrD,IAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,wBAAA,EAA2B,MAAA,CAAO,KAAA,CAAM,OAAO,CAAA,CAAE,CAAA;AAAA,IACnE;AACA,IAAA,MAAM,QAAQ,MAAA,CAAO,IAAA;AAErB,IAAA,MAAMJ,aAAA,CAAY,GAAA,CAAI,OAAA,EAAS,aAAA,EAAe,MAAM,YAAY,CAAA;AAChE,IAAA,IAAI,MAAM,aAAA,EAAe;AACvB,MAAA,MAAMA,aAAA,CAAY,GAAA,CAAI,OAAA,EAAS,cAAA,EAAgB,MAAM,aAAa,CAAA;AAAA,IACpE;AACA,IAAA,MAAM,WAAA,GAAc;AAAA,MAClB,GAAG,QAAA;AAAA,MACH,QAAA,EAAU,KAAK,GAAA,EAAI;AAAA,MACnB,oBAAA,EAAsB,IAAA,CAAK,GAAA,EAAI,GAAI,MAAM,UAAA,GAAa;AAAA,KACxD;AACA,IAAA,MAAMK,uBAAe,WAAW,CAAA;AAChC,IAAA,OAAO,WAAA;AAAA,EACT,CAAC,CAAA;AACH;;;;;"}

package/dist/lib/http.cjs.js

@@ -0,0 +1,26 @@
+'use strict';
+
+var fetch = require('cross-fetch');
+var errors = require('@backstage/errors');
+
+function _interopDefaultCompat (e) { return e && typeof e === 'object' && 'default' in e ? e : { default: e }; }
+
+var fetch__default = /*#__PURE__*/_interopDefaultCompat(fetch);
+
+async function httpJson(url, init) {
+  const res = await fetch__default.default(url, {
+    ...init,
+    body: init?.body ? JSON.stringify(init.body) : void 0,
+    headers: {
+      ...init?.body ? { "Content-Type": "application/json" } : {},
+      ...init?.headers
+    }
+  });
+  if (!res.ok) {
+    throw await errors.ResponseError.fromResponse(res);
+  }
+  return await res.json();
+}
+
+exports.httpJson = httpJson;
+//# sourceMappingURL=http.cjs.js.map

package/dist/lib/http.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.cjs.js","sources":["../../src/lib/http.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport fetch from 'cross-fetch';\nimport { ResponseError } from '@backstage/errors';\n\ntype HttpInit = {\n  headers?: Record<string, string>;\n  method?: string;\n  body?: any;\n  signal?: AbortSignal;\n};\n\nexport async function httpJson<T>(url: string, init?: HttpInit): Promise<T> {\n  const res = await fetch(url, {\n    ...init,\n    body: init?.body ? JSON.stringify(init.body) : undefined,\n    headers: {\n      ...(init?.body ? { 'Content-Type': 'application/json' } : {}),\n      ...init?.headers,\n    },\n  });\n  if (!res.ok) {\n    throw await ResponseError.fromResponse(res);\n  }\n  return (await res.json()) as T;\n}\n"],"names":["fetch","ResponseError"],"mappings":";;;;;;;;;AA0BA,eAAsB,QAAA,CAAY,KAAa,IAAA,EAA6B;AAC1E,EAAA,MAAM,GAAA,GAAM,MAAMA,sBAAA,CAAM,GAAA,EAAK;AAAA,IAC3B,GAAG,IAAA;AAAA,IACH,MAAM,IAAA,EAAM,IAAA,GAAO,KAAK,SAAA,CAAU,IAAA,CAAK,IAAI,CAAA,GAAI,MAAA;AAAA,IAC/C,OAAA,EAAS;AAAA,MACP,GAAI,IAAA,EAAM,IAAA,GAAO,EAAE,cAAA,EAAgB,kBAAA,KAAuB,EAAC;AAAA,MAC3D,GAAG,IAAA,EAAM;AAAA;AACX,GACD,CAAA;AACD,EAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,IAAA,MAAM,MAAMC,oBAAA,CAAc,YAAA,CAAa,GAAG,CAAA;AAAA,EAC5C;AACA,EAAA,OAAQ,MAAM,IAAI,IAAA,EAAK;AACzB;;;;"}

package/dist/lib/localServer.cjs.js

@@ -0,0 +1,80 @@
+'use strict';
+
+var http = require('node:http');
+var node_url = require('node:url');
+
+function _interopDefaultCompat (e) { return e && typeof e === 'object' && 'default' in e ? e : { default: e }; }
+
+var http__default = /*#__PURE__*/_interopDefaultCompat(http);
+
+const CALLBACK_PORT = 8055;
+async function startCallbackServer(options) {
+  const server = http__default.default.createServer();
+  let resolveResult;
+  const resultPromise = new Promise(
+    (resolve) => {
+      resolveResult = resolve;
+    }
+  );
+  server.on("request", (req, res) => {
+    if (!req.url) {
+      res.statusCode = 400;
+      res.end("Bad Request");
+      return;
+    }
+    const u = new node_url.URL(req.url, "http://127.0.0.1");
+    if (u.pathname !== "/callback") {
+      res.statusCode = 404;
+      res.end("Not Found");
+      return;
+    }
+    const code = u.searchParams.get("code") ?? void 0;
+    const state = u.searchParams.get("state") ?? void 0;
+    if (!code) {
+      res.statusCode = 400;
+      res.end("Missing code");
+      return;
+    }
+    if (state !== options.state) {
+      res.statusCode = 400;
+      res.end("State mismatch");
+      return;
+    }
+    res.statusCode = 200;
+    res.setHeader("Content-Type", "text/plain; charset=utf-8");
+    res.end("You may now close this window.");
+    resolveResult?.({ code, state });
+  });
+  const port = await new Promise((resolve, reject) => {
+    server.on("error", (err) => {
+      if (err.code === "EADDRINUSE") {
+        reject(
+          new Error(
+            `Port ${CALLBACK_PORT} is already in use. Close the application using it and try again.`
+          )
+        );
+      } else {
+        reject(err);
+      }
+    });
+    server.listen(CALLBACK_PORT, "127.0.0.1", () => {
+      const address = server.address();
+      if (typeof address === "object" && address && "port" in address) {
+        resolve(address.port);
+      } else {
+        reject(new Error("Failed to bind local server"));
+      }
+    });
+  });
+  return {
+    url: `http://127.0.0.1:${port}/callback`,
+    waitForCode: () => resultPromise,
+    close: async () => {
+      server.closeAllConnections();
+      return new Promise((resolve) => server.close(() => resolve()));
+    }
+  };
+}
+
+exports.startCallbackServer = startCallbackServer;
+//# sourceMappingURL=localServer.cjs.js.map

package/dist/lib/localServer.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"localServer.cjs.js","sources":["../../src/lib/localServer.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport http from 'node:http';\nimport { URL } from 'node:url';\n\nconst CALLBACK_PORT = 8055;\n\nexport async function startCallbackServer(options: { state: string }): Promise<{\n  url: string;\n  waitForCode: () => Promise<{ code: string; state?: string }>;\n  close: () => Promise<void>;\n}> {\n  const server = http.createServer();\n\n  let resolveResult:\n    | ((v: { code: string; state?: string }) => void)\n    | undefined;\n  const resultPromise = new Promise<{ code: string; state?: string }>(\n    resolve => {\n      resolveResult = resolve;\n    },\n  );\n\n  server.on('request', (req, res) => {\n    if (!req.url) {\n      res.statusCode = 400;\n      res.end('Bad Request');\n      return;\n    }\n    const u = new URL(req.url, 'http://127.0.0.1');\n    if (u.pathname !== '/callback') {\n      res.statusCode = 404;\n      res.end('Not Found');\n      return;\n    }\n    const code = u.searchParams.get('code') ?? undefined;\n    const state = u.searchParams.get('state') ?? undefined;\n    if (!code) {\n      res.statusCode = 400;\n      res.end('Missing code');\n      return;\n    }\n    if (state !== options.state) {\n      res.statusCode = 400;\n      res.end('State mismatch');\n      return;\n    }\n    res.statusCode = 200;\n    res.setHeader('Content-Type', 'text/plain; charset=utf-8');\n    res.end('You may now close this window.');\n    resolveResult?.({ code, state });\n  });\n\n  const port = await new Promise<number>((resolve, reject) => {\n    server.on('error', (err: NodeJS.ErrnoException) => {\n      if (err.code === 'EADDRINUSE') {\n        reject(\n          new Error(\n            `Port ${CALLBACK_PORT} is already in use. Close the application using it and try again.`,\n          ),\n        );\n      } else {\n        reject(err);\n      }\n    });\n    server.listen(CALLBACK_PORT, '127.0.0.1', () => {\n      const address = server.address();\n      if (typeof address === 'object' && address && 'port' in address) {\n        resolve(address.port);\n      } else {\n        reject(new Error('Failed to bind local server'));\n      }\n    });\n  });\n\n  return {\n    url: `http://127.0.0.1:${port}/callback`,\n    waitForCode: () => resultPromise,\n    close: async () => {\n      server.closeAllConnections();\n      return new Promise<void>(resolve => server.close(() => resolve()));\n    },\n  };\n}\n"],"names":["http","URL"],"mappings":";;;;;;;;;AAmBA,MAAM,aAAA,GAAgB,IAAA;AAEtB,eAAsB,oBAAoB,OAAA,EAIvC;AACD,EAAA,MAAM,MAAA,GAASA,sBAAK,YAAA,EAAa;AAEjC,EAAA,IAAI,aAAA;AAGJ,EAAA,MAAM,gBAAgB,IAAI,OAAA;AAAA,IACxB,CAAA,OAAA,KAAW;AACT,MAAA,aAAA,GAAgB,OAAA;AAAA,IAClB;AAAA,GACF;AAEA,EAAA,MAAA,CAAO,EAAA,CAAG,SAAA,EAAW,CAAC,GAAA,EAAK,GAAA,KAAQ;AACjC,IAAA,IAAI,CAAC,IAAI,GAAA,EAAK;AACZ,MAAA,GAAA,CAAI,UAAA,GAAa,GAAA;AACjB,MAAA,GAAA,CAAI,IAAI,aAAa,CAAA;AACrB,MAAA;AAAA,IACF;AACA,IAAA,MAAM,CAAA,GAAI,IAAIC,YAAA,CAAI,GAAA,CAAI,KAAK,kBAAkB,CAAA;AAC7C,IAAA,IAAI,CAAA,CAAE,aAAa,WAAA,EAAa;AAC9B,MAAA,GAAA,CAAI,UAAA,GAAa,GAAA;AACjB,MAAA,GAAA,CAAI,IAAI,WAAW,CAAA;AACnB,MAAA;AAAA,IACF;AACA,IAAA,MAAM,IAAA,GAAO,CAAA,CAAE,YAAA,CAAa,GAAA,CAAI,MAAM,CAAA,IAAK,MAAA;AAC3C,IAAA,MAAM,KAAA,GAAQ,CAAA,CAAE,YAAA,CAAa,GAAA,CAAI,OAAO,CAAA,IAAK,MAAA;AAC7C,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,GAAA,CAAI,UAAA,GAAa,GAAA;AACjB,MAAA,GAAA,CAAI,IAAI,cAAc,CAAA;AACtB,MAAA;AAAA,IACF;AACA,IAAA,IAAI,KAAA,KAAU,QAAQ,KAAA,EAAO;AAC3B,MAAA,GAAA,CAAI,UAAA,GAAa,GAAA;AACjB,MAAA,GAAA,CAAI,IAAI,gBAAgB,CAAA;AACxB,MAAA;AAAA,IACF;AACA,IAAA,GAAA,CAAI,UAAA,GAAa,GAAA;AACjB,IAAA,GAAA,CAAI,SAAA,CAAU,gBAAgB,2BAA2B,CAAA;AACzD,IAAA,GAAA,CAAI,IAAI,gCAAgC,CAAA;AACxC,IAAA,aAAA,GAAgB,EAAE,IAAA,EAAM,KAAA,EAAO,CAAA;AAAA,EACjC,CAAC,CAAA;AAED,EAAA,MAAM,OAAO,MAAM,IAAI,OAAA,CAAgB,CAAC,SAAS,MAAA,KAAW;AAC1D,IAAA,MAAA,CAAO,EAAA,CAAG,OAAA,EAAS,CAAC,GAAA,KAA+B;AACjD,MAAA,IAAI,GAAA,CAAI,SAAS,YAAA,EAAc;AAC7B,QAAA,MAAA;AAAA,UACE,IAAI,KAAA;AAAA,YACF,QAAQ,aAAa,CAAA,iEAAA;AAAA;AACvB,SACF;AAAA,MACF,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA;AAAA,MACZ;AAAA,IACF,CAAC,CAAA;AACD,IAAA,MAAA,CAAO,MAAA,CAAO,aAAA,EAAe,WAAA,EAAa,MAAM;AAC9C,MAAA,MAAM,OAAA,GAAU,OAAO,OAAA,EAAQ;AAC/B,MAAA,IAAI,OAAO,OAAA,KAAY,QAAA,IAAY,OAAA,IAAW,UAAU,OAAA,EAAS;AAC/D,QAAA,OAAA,CAAQ,QAAQ,IAAI,CAAA;AAAA,MACtB,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,IAAI,KAAA,CAAM,6BAA6B,CAAC,CAAA;AAAA,MACjD;AAAA,IACF,CAAC,CAAA;AAAA,EACH,CAAC,CAAA;AAED,EAAA,OAAO;AAAA,IACL,GAAA,EAAK,oBAAoB,IAAI,CAAA,SAAA,CAAA;AAAA,IAC7B,aAAa,MAAM,aAAA;AAAA,IACnB,OAAO,YAAY;AACjB,MAAA,MAAA,CAAO,mBAAA,EAAoB;AAC3B,MAAA,OAAO,IAAI,QAAc,CAAA,OAAA,KAAW,MAAA,CAAO,MAAM,MAAM,OAAA,EAAS,CAAC,CAAA;AAAA,IACnE;AAAA,GACF;AACF;;;;"}

package/dist/lib/pkce.cjs.js

@@ -0,0 +1,23 @@
+'use strict';
+
+var crypto = require('node:crypto');
+
+function _interopDefaultCompat (e) { return e && typeof e === 'object' && 'default' in e ? e : { default: e }; }
+
+var crypto__default = /*#__PURE__*/_interopDefaultCompat(crypto);
+
+function base64url(input) {
+  return input.toString("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+function generateVerifier(length = 64) {
+  const bytes = crypto__default.default.randomBytes(Math.max(32, Math.min(96, length)));
+  return base64url(bytes);
+}
+function challengeFromVerifier(verifier) {
+  const hash = crypto__default.default.createHash("sha256").update(verifier).digest();
+  return base64url(hash);
+}
+
+exports.challengeFromVerifier = challengeFromVerifier;
+exports.generateVerifier = generateVerifier;
+//# sourceMappingURL=pkce.cjs.js.map

package/dist/lib/pkce.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.cjs.js","sources":["../../src/lib/pkce.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport crypto from 'node:crypto';\n\nfunction base64url(input: Buffer): string {\n  return input\n    .toString('base64')\n    .replace(/=/g, '')\n    .replace(/\\+/g, '-')\n    .replace(/\\//g, '_');\n}\n\nexport function generateVerifier(length = 64): string {\n  // length in bytes ~ 48 results in 64 base64url chars; keep within 43..128 chars\n  const bytes = crypto.randomBytes(Math.max(32, Math.min(96, length)));\n  return base64url(bytes);\n}\n\nexport function challengeFromVerifier(verifier: string): string {\n  const hash = crypto.createHash('sha256').update(verifier).digest();\n  return base64url(hash);\n}\n"],"names":["crypto"],"mappings":";;;;;;;;AAkBA,SAAS,UAAU,KAAA,EAAuB;AACxC,EAAA,OAAO,KAAA,CACJ,QAAA,CAAS,QAAQ,CAAA,CACjB,QAAQ,IAAA,EAAM,EAAE,CAAA,CAChB,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAClB,OAAA,CAAQ,OAAO,GAAG,CAAA;AACvB;AAEO,SAAS,gBAAA,CAAiB,SAAS,EAAA,EAAY;AAEpD,EAAA,MAAM,KAAA,GAAQA,uBAAA,CAAO,WAAA,CAAY,IAAA,CAAK,GAAA,CAAI,EAAA,EAAI,IAAA,CAAK,GAAA,CAAI,EAAA,EAAI,MAAM,CAAC,CAAC,CAAA;AACnE,EAAA,OAAO,UAAU,KAAK,CAAA;AACxB;AAEO,SAAS,sBAAsB,QAAA,EAA0B;AAC9D,EAAA,MAAM,IAAA,GAAOA,wBAAO,UAAA,CAAW,QAAQ,EAAE,MAAA,CAAO,QAAQ,EAAE,MAAA,EAAO;AACjE,EAAA,OAAO,UAAU,IAAI,CAAA;AACvB;;;;;"}

package/dist/lib/prompt.cjs.js

@@ -0,0 +1,44 @@
+'use strict';
+
+var inquirer = require('inquirer');
+var storage = require('./storage.cjs.js');
+
+function _interopDefaultCompat (e) { return e && typeof e === 'object' && 'default' in e ? e : { default: e }; }
+
+var inquirer__default = /*#__PURE__*/_interopDefaultCompat(inquirer);
+
+async function pickInstance(name) {
+  if (name) {
+    return storage.getInstanceByName(name);
+  }
+  const { instances, selected } = await storage.getAllInstances();
+  if (instances.length === 0) {
+    throw new Error(
+      'No instances found. Run "auth login" to authenticate first.'
+    );
+  }
+  return await promptForInstance(instances, selected);
+}
+async function promptForInstance(instances, selected) {
+  const choices = instances.map((i) => ({
+    name: `${i.name === selected?.name ? "* " : "  "}${i.name} (${i.baseUrl})`,
+    value: i.name
+  }));
+  const { choice } = await inquirer__default.default.prompt([
+    {
+      type: "list",
+      name: "choice",
+      message: "Select instance:",
+      choices,
+      default: selected?.name
+    }
+  ]);
+  const instance = instances.find((i) => i.name === choice);
+  if (!instance) {
+    throw new Error(`Instance '${choice}' not found`);
+  }
+  return instance;
+}
+
+exports.pickInstance = pickInstance;
+//# sourceMappingURL=prompt.cjs.js.map

package/dist/lib/prompt.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"prompt.cjs.js","sources":["../../src/lib/prompt.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport inquirer from 'inquirer';\nimport { getInstanceByName, getAllInstances, StoredInstance } from './storage';\n\nexport async function pickInstance(name?: string): Promise<StoredInstance> {\n  if (name) {\n    return getInstanceByName(name);\n  }\n\n  const { instances, selected } = await getAllInstances();\n  if (instances.length === 0) {\n    throw new Error(\n      'No instances found. Run \"auth login\" to authenticate first.',\n    );\n  }\n  return await promptForInstance(instances, selected);\n}\n\nasync function promptForInstance(\n  instances: StoredInstance[],\n  selected: StoredInstance | undefined,\n): Promise<StoredInstance> {\n  const choices = instances.map(i => ({\n    name: `${i.name === selected?.name ? '* ' : '  '}${i.name} (${i.baseUrl})`,\n    value: i.name,\n  }));\n\n  const { choice } = await inquirer.prompt<{ choice: string }>([\n    {\n      type: 'list',\n      name: 'choice',\n      message: 'Select instance:',\n      choices,\n      default: selected?.name,\n    },\n  ]);\n\n  const instance = instances.find(i => i.name === choice);\n  if (!instance) {\n    throw new Error(`Instance '${choice}' not found`);\n  }\n  return instance;\n}\n"],"names":["getInstanceByName","getAllInstances","inquirer"],"mappings":";;;;;;;;;AAmBA,eAAsB,aAAa,IAAA,EAAwC;AACzE,EAAA,IAAI,IAAA,EAAM;AACR,IAAA,OAAOA,0BAAkB,IAAI,CAAA;AAAA,EAC/B;AAEA,EAAA,MAAM,EAAE,SAAA,EAAW,QAAA,EAAS,GAAI,MAAMC,uBAAA,EAAgB;AACtD,EAAA,IAAI,SAAA,CAAU,WAAW,CAAA,EAAG;AAC1B,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AACA,EAAA,OAAO,MAAM,iBAAA,CAAkB,SAAA,EAAW,QAAQ,CAAA;AACpD;AAEA,eAAe,iBAAA,CACb,WACA,QAAA,EACyB;AACzB,EAAA,MAAM,OAAA,GAAU,SAAA,CAAU,GAAA,CAAI,CAAA,CAAA,MAAM;AAAA,IAClC,IAAA,EAAM,CAAA,EAAG,CAAA,CAAE,IAAA,KAAS,QAAA,EAAU,IAAA,GAAO,IAAA,GAAO,IAAI,CAAA,EAAG,CAAA,CAAE,IAAI,CAAA,EAAA,EAAK,EAAE,OAAO,CAAA,CAAA,CAAA;AAAA,IACvE,OAAO,CAAA,CAAE;AAAA,GACX,CAAE,CAAA;AAEF,EAAA,MAAM,EAAE,MAAA,EAAO,GAAI,MAAMC,0BAAS,MAAA,CAA2B;AAAA,IAC3D;AAAA,MACE,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,OAAA,EAAS,kBAAA;AAAA,MACT,OAAA;AAAA,MACA,SAAS,QAAA,EAAU;AAAA;AACrB,GACD,CAAA;AAED,EAAA,MAAM,WAAW,SAAA,CAAU,IAAA,CAAK,CAAA,CAAA,KAAK,CAAA,CAAE,SAAS,MAAM,CAAA;AACtD,EAAA,IAAI,CAAC,QAAA,EAAU;AACb,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,UAAA,EAAa,MAAM,CAAA,WAAA,CAAa,CAAA;AAAA,EAClD;AACA,EAAA,OAAO,QAAA;AACT;;;;"}

package/dist/lib/secretStore.cjs.js

@@ -0,0 +1,81 @@
+'use strict';
+
+var fs = require('fs-extra');
+var os = require('node:os');
+var path = require('node:path');
+
+function _interopDefaultCompat (e) { return e && typeof e === 'object' && 'default' in e ? e : { default: e }; }
+
+var fs__default = /*#__PURE__*/_interopDefaultCompat(fs);
+var os__default = /*#__PURE__*/_interopDefaultCompat(os);
+var path__default = /*#__PURE__*/_interopDefaultCompat(path);
+
+async function loadKeytar() {
+  try {
+    const keytar = require("keytar");
+    if (keytar && typeof keytar.getPassword === "function") {
+      return keytar;
+    }
+  } catch {
+  }
+  return void 0;
+}
+class KeytarSecretStore {
+  keytar;
+  constructor(keytar) {
+    this.keytar = keytar;
+  }
+  async get(service, account) {
+    const result = await this.keytar.getPassword(service, account);
+    return result ?? void 0;
+  }
+  async set(service, account, secret) {
+    await this.keytar.setPassword(service, account, secret);
+  }
+  async delete(service, account) {
+    await this.keytar.deletePassword(service, account);
+  }
+}
+class FileSecretStore {
+  baseDir;
+  constructor() {
+    const root = process.env.XDG_DATA_HOME || (process.platform === "win32" ? process.env.APPDATA || path__default.default.join(os__default.default.homedir(), "AppData", "Roaming") : path__default.default.join(os__default.default.homedir(), ".local", "share"));
+    this.baseDir = path__default.default.join(root, "backstage-cli", "auth-secrets");
+  }
+  filePath(service, account) {
+    return path__default.default.join(
+      this.baseDir,
+      encodeURIComponent(service),
+      `${encodeURIComponent(account)}.secret`
+    );
+  }
+  async get(service, account) {
+    const file = this.filePath(service, account);
+    if (!await fs__default.default.pathExists(file)) return void 0;
+    return await fs__default.default.readFile(file, "utf8");
+  }
+  async set(service, account, secret) {
+    const file = this.filePath(service, account);
+    await fs__default.default.ensureDir(path__default.default.dirname(file));
+    await fs__default.default.writeFile(file, secret, { encoding: "utf8", mode: 384 });
+  }
+  async delete(service, account) {
+    const file = this.filePath(service, account);
+    await fs__default.default.remove(file);
+  }
+}
+let singleton;
+async function getSecretStore() {
+  if (!singleton) {
+    const keytar = await loadKeytar();
+    if (keytar) {
+      singleton = new KeytarSecretStore(keytar);
+    } else {
+      singleton = new FileSecretStore();
+    }
+  }
+  return singleton;
+}
+
+exports.getSecretStore = getSecretStore;
+//# sourceMappingURL=secretStore.cjs.js.map

package/dist/lib/secretStore.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secretStore.cjs.js","sources":["../../src/lib/secretStore.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport fs from 'fs-extra';\nimport os from 'node:os';\nimport path from 'node:path';\n\ntype SecretStore = {\n  get(service: string, account: string): Promise<string | undefined>;\n  set(service: string, account: string, secret: string): Promise<void>;\n  delete(service: string, account: string): Promise<void>;\n};\n\nasync function loadKeytar(): Promise<typeof import('keytar') | undefined> {\n  try {\n    // eslint-disable-next-line import/no-extraneous-dependencies, @backstage/no-undeclared-imports\n    const keytar = require('keytar') as typeof import('keytar');\n    if (keytar && typeof keytar.getPassword === 'function') {\n      return keytar;\n    }\n  } catch {\n    // keytar not available\n  }\n  return undefined;\n}\n\nclass KeytarSecretStore implements SecretStore {\n  private readonly keytar: typeof import('keytar');\n  constructor(keytar: typeof import('keytar')) {\n    this.keytar = keytar;\n  }\n  async get(service: string, account: string): Promise<string | undefined> {\n    const result = await this.keytar.getPassword(service, account);\n    return result ?? undefined;\n  }\n  async set(service: string, account: string, secret: string): Promise<void> {\n    await this.keytar.setPassword(service, account, secret);\n  }\n  async delete(service: string, account: string): Promise<void> {\n    await this.keytar.deletePassword(service, account);\n  }\n}\n\nclass FileSecretStore implements SecretStore {\n  private readonly baseDir: string;\n  constructor() {\n    const root =\n      process.env.XDG_DATA_HOME ||\n      (process.platform === 'win32'\n        ? process.env.APPDATA || path.join(os.homedir(), 'AppData', 'Roaming')\n        : path.join(os.homedir(), '.local', 'share'));\n    this.baseDir = path.join(root, 'backstage-cli', 'auth-secrets');\n  }\n  private filePath(service: string, account: string): string {\n    return path.join(\n      this.baseDir,\n      encodeURIComponent(service),\n      `${encodeURIComponent(account)}.secret`,\n    );\n  }\n  async get(service: string, account: string): Promise<string | undefined> {\n    const file = this.filePath(service, account);\n    if (!(await fs.pathExists(file))) return undefined;\n    return await fs.readFile(file, 'utf8');\n  }\n  async set(service: string, account: string, secret: string): Promise<void> {\n    const file = this.filePath(service, account);\n    await fs.ensureDir(path.dirname(file));\n    await fs.writeFile(file, secret, { encoding: 'utf8', mode: 0o600 });\n  }\n  async delete(service: string, account: string): Promise<void> {\n    const file = this.filePath(service, account);\n    await fs.remove(file);\n  }\n}\n\nlet singleton: SecretStore | undefined;\n\nexport async function getSecretStore(): Promise<SecretStore> {\n  if (!singleton) {\n    const keytar = await loadKeytar();\n    if (keytar) {\n      singleton = new KeytarSecretStore(keytar);\n    } else {\n      singleton = new FileSecretStore();\n    }\n  }\n  return singleton;\n}\n\n/**\n * Reset the singleton instance (for testing purposes only)\n * @internal\n */\nexport function resetSecretStore(): void {\n  singleton = undefined;\n}\n"],"names":["path","os","fs"],"mappings":";;;;;;;;;;;;AA0BA,eAAe,UAAA,GAA2D;AACxE,EAAA,IAAI;AAEF,IAAA,MAAM,MAAA,GAAS,QAAQ,QAAQ,CAAA;AAC/B,IAAA,IAAI,MAAA,IAAU,OAAO,MAAA,CAAO,WAAA,KAAgB,UAAA,EAAY;AACtD,MAAA,OAAO,MAAA;AAAA,IACT;AAAA,EACF,CAAA,CAAA,MAAQ;AAAA,EAER;AACA,EAAA,OAAO,MAAA;AACT;AAEA,MAAM,iBAAA,CAAyC;AAAA,EAC5B,MAAA;AAAA,EACjB,YAAY,MAAA,EAAiC;AAC3C,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAAA,EAChB;AAAA,EACA,MAAM,GAAA,CAAI,OAAA,EAAiB,OAAA,EAA8C;AACvE,IAAA,MAAM,SAAS,MAAM,IAAA,CAAK,MAAA,CAAO,WAAA,CAAY,SAAS,OAAO,CAAA;AAC7D,IAAA,OAAO,MAAA,IAAU,MAAA;AAAA,EACnB;AAAA,EACA,MAAM,GAAA,CAAI,OAAA,EAAiB,OAAA,EAAiB,MAAA,EAA+B;AACzE,IAAA,MAAM,IAAA,CAAK,MAAA,CAAO,WAAA,CAAY,OAAA,EAAS,SAAS,MAAM,CAAA;AAAA,EACxD;AAAA,EACA,MAAM,MAAA,CAAO,OAAA,EAAiB,OAAA,EAAgC;AAC5D,IAAA,MAAM,IAAA,CAAK,MAAA,CAAO,cAAA,CAAe,OAAA,EAAS,OAAO,CAAA;AAAA,EACnD;AACF;AAEA,MAAM,eAAA,CAAuC;AAAA,EAC1B,OAAA;AAAA,EACjB,WAAA,GAAc;AACZ,IAAA,MAAM,IAAA,GACJ,OAAA,CAAQ,GAAA,CAAI,aAAA,KACX,OAAA,CAAQ,aAAa,OAAA,GAClB,OAAA,CAAQ,GAAA,CAAI,OAAA,IAAWA,qBAAA,CAAK,IAAA,CAAKC,oBAAG,OAAA,EAAQ,EAAG,SAAA,EAAW,SAAS,CAAA,GACnED,qBAAA,CAAK,KAAKC,mBAAA,CAAG,OAAA,EAAQ,EAAG,QAAA,EAAU,OAAO,CAAA,CAAA;AAC/C,IAAA,IAAA,CAAK,OAAA,GAAUD,qBAAA,CAAK,IAAA,CAAK,IAAA,EAAM,iBAAiB,cAAc,CAAA;AAAA,EAChE;AAAA,EACQ,QAAA,CAAS,SAAiB,OAAA,EAAyB;AACzD,IAAA,OAAOA,qBAAA,CAAK,IAAA;AAAA,MACV,IAAA,CAAK,OAAA;AAAA,MACL,mBAAmB,OAAO,CAAA;AAAA,MAC1B,CAAA,EAAG,kBAAA,CAAmB,OAAO,CAAC,CAAA,OAAA;AAAA,KAChC;AAAA,EACF;AAAA,EACA,MAAM,GAAA,CAAI,OAAA,EAAiB,OAAA,EAA8C;AACvE,IAAA,MAAM,IAAA,GAAO,IAAA,CAAK,QAAA,CAAS,OAAA,EAAS,OAAO,CAAA;AAC3C,IAAA,IAAI,CAAE,MAAME,mBAAA,CAAG,UAAA,CAAW,IAAI,GAAI,OAAO,MAAA;AACzC,IAAA,OAAO,MAAMA,mBAAA,CAAG,QAAA,CAAS,IAAA,EAAM,MAAM,CAAA;AAAA,EACvC;AAAA,EACA,MAAM,GAAA,CAAI,OAAA,EAAiB,OAAA,EAAiB,MAAA,EAA+B;AACzE,IAAA,MAAM,IAAA,GAAO,IAAA,CAAK,QAAA,CAAS,OAAA,EAAS,OAAO,CAAA;AAC3C,IAAA,MAAMA,mBAAA,CAAG,SAAA,CAAUF,qBAAA,CAAK,OAAA,CAAQ,IAAI,CAAC,CAAA;AACrC,IAAA,MAAME,mBAAA,CAAG,UAAU,IAAA,EAAM,MAAA,EAAQ,EAAE,QAAA,EAAU,MAAA,EAAQ,IAAA,EAAM,GAAA,EAAO,CAAA;AAAA,EACpE;AAAA,EACA,MAAM,MAAA,CAAO,OAAA,EAAiB,OAAA,EAAgC;AAC5D,IAAA,MAAM,IAAA,GAAO,IAAA,CAAK,QAAA,CAAS,OAAA,EAAS,OAAO,CAAA;AAC3C,IAAA,MAAMA,mBAAA,CAAG,OAAO,IAAI,CAAA;AAAA,EACtB;AACF;AAEA,IAAI,SAAA;AAEJ,eAAsB,cAAA,GAAuC;AAC3D,EAAA,IAAI,CAAC,SAAA,EAAW;AACd,IAAA,MAAM,MAAA,GAAS,MAAM,UAAA,EAAW;AAChC,IAAA,IAAI,MAAA,EAAQ;AACV,MAAA,SAAA,GAAY,IAAI,kBAAkB,MAAM,CAAA;AAAA,IAC1C,CAAA,MAAO;AACL,MAAA,SAAA,GAAY,IAAI,eAAA,EAAgB;AAAA,IAClC;AAAA,EACF;AACA,EAAA,OAAO,SAAA;AACT;;;;"}