@backstage/cli-node 0.2.19-next.1 → 0.3.1-next.0

package/CHANGELOG.md

@@ -1,5 +1,33 @@
 # @backstage/cli-node
 
+## 0.3.1-next.0
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/cli-common@0.2.1-next.0
+  - @backstage/errors@1.2.7
+  - @backstage/types@1.2.2
+
+## 0.3.0
+
+### Minor Changes
+
+- 7d055ef: Added `createCliModule` API and related types for building Backstage CLI plugins.
+
+### Patch Changes
+
+- 94a885a: Added a new `cli-module` package role for packages that provide CLI plugin extensions.
+- 12fa965: Added `CliAuth` class for managing CLI authentication state. This provides a class-based API with a static `create` method that resolves the currently selected (or explicitly named) auth instance, transparently refreshes expired access tokens, and exposes helpers for other CLI modules to authenticate with a Backstage backend.
+- 61cb976: Added `toString()` method to `Lockfile` for serializing lockfiles back to string format.
+- 06c2015: Added `runConcurrentTasks` and `runWorkerQueueThreads` utilities, moved from the `@backstage/cli` internal code.
+- 70fc178: Migrated from deprecated `findPaths` to `targetPaths` and `findOwnPaths` from `@backstage/cli-common`.
+- 3c811bf: Added `hasBackstageYarnPlugin` and `SuccessCache` exports, moved from `@backstage/cli`.
+- a49a40d: Updated dependency `zod` to `^3.25.76 || ^4.0.0` & migrated to `/v3` or `/v4` imports.
+- a9d23c4: Properly support `package.json` `workspaces` field
+- Updated dependencies
+  - @backstage/cli-common@0.2.0
+
 ## 0.2.19-next.1
 
 ### Patch Changes

package/config/nodeTransform.cjs

@@ -0,0 +1,87 @@
+/*
+ * Copyright 2024 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+const { pathToFileURL } = require('node:url');
+const { transformSync } = require('@swc/core');
+const { addHook } = require('pirates');
+const { Module } = require('node:module');
+
+// This hooks into module resolution and overrides imports of packages that
+// exist in the linked workspace to instead be resolved from the linked workspace.
+if (process.env.BACKSTAGE_CLI_LINKED_WORKSPACE) {
+  const { join: joinPath } = require('node:path');
+  const { getPackagesSync } = require('@manypkg/get-packages');
+  const { packages: linkedPackages, root: linkedRoot } = getPackagesSync(
+    process.env.BACKSTAGE_CLI_LINKED_WORKSPACE,
+  );
+
+  // Matches all packages in the linked workspaces, as well as sub-path exports from them
+  const replacementRegex = new RegExp(
+    `^(?:${linkedPackages
+      .map(pkg => pkg.packageJson.name)
+      .join('|')})(?:/.*)?$`,
+  );
+
+  const origLoad = Module._load;
+  Module._load = function requireHook(request, parent) {
+    if (!replacementRegex.test(request)) {
+      return origLoad.call(this, request, parent);
+    }
+
+    // The package import that we're overriding will always existing in the root
+    // node_modules of the linked workspace, so it's enough to override the
+    // parent paths with that single entry
+    return origLoad.call(this, request, {
+      ...parent,
+      paths: [joinPath(linkedRoot.dir, 'node_modules')],
+    });
+  };
+}
+
+addHook(
+  (code, filename) => {
+    const transformed = transformSync(code, {
+      filename,
+      sourceMaps: 'inline',
+      module: {
+        type: 'commonjs',
+        ignoreDynamic: true,
+      },
+      jsc: {
+        target: 'es2023',
+        parser: {
+          syntax: 'typescript',
+        },
+      },
+    });
+    process.send?.({ type: 'watch', path: filename });
+    return transformed.code;
+  },
+  { extensions: ['.ts', '.cts'], ignoreNodeModules: true },
+);
+
+addHook(
+  (code, filename) => {
+    process.send?.({ type: 'watch', path: filename });
+    return code;
+  },
+  { extensions: ['.js', '.cjs'], ignoreNodeModules: true },
+);
+
+// Register module hooks, used by "type": "module" in package.json, .mjs and
+// .mts files, as well as dynamic import(...)s, although dynamic imports will be
+// handled be the CommonJS hooks in this file if what it points to is CommonJS.
+Module.register('./nodeTransformHooks.mjs', pathToFileURL(__filename));

package/config/nodeTransformHooks.mjs

@@ -0,0 +1,294 @@
+/*
+ * Copyright 2024 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { dirname, extname, resolve as resolvePath } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { transformFile } from '@swc/core';
+import { isBuiltin } from 'node:module';
+import { readFile } from 'node:fs/promises';
+import { existsSync } from 'node:fs';
+
+// @ts-check
+
+// No explicit file extension, no type in package.json
+const DEFAULT_MODULE_FORMAT = 'commonjs';
+
+// Source file extensions to look for when using bundle resolution strategy
+const SRC_EXTS = ['.ts', '.js'];
+const TS_EXTS = ['.ts', '.mts', '.cts'];
+const moduleTypeTable = {
+  '.mjs': 'module',
+  '.mts': 'module',
+  '.cjs': 'commonjs',
+  '.cts': 'commonjs',
+  '.ts': undefined,
+  '.js': undefined,
+};
+
+/** @type {import('module').ResolveHook} */
+export async function resolve(specifier, context, nextResolve) {
+  // Built-in modules are handled by the default resolver
+  if (isBuiltin(specifier)) {
+    return nextResolve(specifier, context);
+  }
+
+  const ext = extname(specifier);
+
+  // Unless there's an explicit import attribute, JSON files are loaded with our custom loader that's defined below.
+  if (ext === '.json' && !context.importAttributes?.type) {
+    const jsonResult = await nextResolve(specifier, context);
+    return {
+      ...jsonResult,
+      format: 'commonjs',
+      importAttributes: { type: 'json' },
+    };
+  }
+
+  // Anything else with an explicit extension is handled by the default
+  // resolver, except that we help determine the module type where needed.
+  if (ext !== '') {
+    return withDetectedModuleType(await nextResolve(specifier, context));
+  }
+
+  // Other external modules are handled by the default resolver, but again we
+  // help determine the module type where needed.
+  if (!specifier.startsWith('.')) {
+    return withDetectedModuleType(await nextResolve(specifier, context));
+  }
+
+  // The rest of this function handles the case of resolving imports that do not
+  // specify any extension and might point to a directory with an `index.*`
+  // file. We resolve those using the same logic as most JS bundlers would, with
+  // the addition of checking if there's an explicit module format listed in the
+  // closest `package.json` file.
+  //
+  // We use a bundle resolution strategy in order to keep code consistent across
+  // Backstage codebases that contains code both for Web and Node.js, and to
+  // support packages with common code that can be used in both environments.
+  try {
+    // This is expected to throw, but in the event that this module specifier is
+    // supported we prefer to use the default resolver.
+    return await nextResolve(specifier, context);
+  } catch (error) {
+    if (error.code === 'ERR_UNSUPPORTED_DIR_IMPORT') {
+      const spec = `${specifier}${specifier.endsWith('/') ? '' : '/'}index`;
+      const resolved = await resolveWithoutExt(spec, context, nextResolve);
+      if (resolved) {
+        return withDetectedModuleType(resolved);
+      }
+    } else if (error.code === 'ERR_MODULE_NOT_FOUND') {
+      const resolved = await resolveWithoutExt(specifier, context, nextResolve);
+      if (resolved) {
+        return withDetectedModuleType(resolved);
+      }
+    }
+
+    // Unexpected error or no resolution found
+    throw error;
+  }
+}
+
+/**
+ * Populates the `format` field in the resolved object based on the closest `package.json` file.
+ *
+ * @param {import('module').ResolveFnOutput} resolved
+ * @returns {Promise<import('module').ResolveFnOutput>}
+ */
+async function withDetectedModuleType(resolved) {
+  // Already has an explicit format
+  if (resolved.format) {
+    return resolved;
+  }
+  // Happens in Node.js v22 when there's a package.json without an explicit "type" field. Use the default.
+  if (resolved.format === null) {
+    return { ...resolved, format: DEFAULT_MODULE_FORMAT };
+  }
+
+  const ext = extname(resolved.url);
+
+  const explicitFormat = moduleTypeTable[ext];
+  if (explicitFormat) {
+    return {
+      ...resolved,
+      format: explicitFormat,
+    };
+  }
+
+  // Under normal circumstances .js files should reliably have a format and so
+  // we should only reach this point for .ts files. However, if additional
+  // custom loaders are being used the format may not be detected for .js files
+  // either. As such we don't restrict the file format at this point.
+
+  // TODO(Rugvip): Does this need caching? kept it simple for now but worth exploring
+  const packageJsonPath = await findPackageJSON(fileURLToPath(resolved.url));
+  if (!packageJsonPath) {
+    return resolved;
+  }
+
+  const packageJson = JSON.parse(await readFile(packageJsonPath, 'utf8'));
+  return {
+    ...resolved,
+    format: packageJson.type ?? DEFAULT_MODULE_FORMAT,
+  };
+}
+
+/**
+ * Find the closest package.json file from the given path.
+ *
+ * TODO(Rugvip): This can be replaced with the Node.js built-in with the same name once it is stable.
+ * @param {string} startPath
+ * @returns {Promise<string | undefined>}
+ */
+async function findPackageJSON(startPath) {
+  let path = startPath;
+
+  // Some confidence check to avoid infinite loop
+  for (let i = 0; i < 1000; i++) {
+    const packagePath = resolvePath(path, 'package.json');
+    if (existsSync(packagePath)) {
+      return packagePath;
+    }
+
+    const newPath = dirname(path);
+    if (newPath === path) {
+      return undefined;
+    }
+    path = newPath;
+  }
+
+  throw new Error(
+    `Iteration limit reached when searching for package.json at ${startPath}`,
+  );
+}
+
+/** @type {import('module').ResolveHook} */
+async function resolveWithoutExt(specifier, context, nextResolve) {
+  for (const tryExt of SRC_EXTS) {
+    try {
+      const resolved = await nextResolve(specifier + tryExt, {
+        ...context,
+        format: 'commonjs',
+      });
+      return {
+        ...resolved,
+        format: moduleTypeTable[tryExt] ?? resolved.format,
+      };
+    } catch {
+      /* ignore */
+    }
+  }
+  return undefined;
+}
+
+/** @type {import('module').LoadHook} */
+export async function load(url, context, nextLoad) {
+  // Non-file URLs are handled by the default loader
+  if (!url.startsWith('file://')) {
+    return nextLoad(url, context);
+  }
+
+  // JSON files loaded as CommonJS are handled by this custom loader, because
+  // the default one doesn't work. For JSON loading to work we'd need the
+  // synchronous hooks that aren't supported yet, or avoid using the CommonJS
+  // compatibility.
+  if (
+    context.format === 'commonjs' &&
+    context.importAttributes?.type === 'json'
+  ) {
+    try {
+      // TODO(Rugvip): Make sure this is valid JSON
+      const content = await readFile(fileURLToPath(url), 'utf8');
+      return {
+        source: `module.exports = (${content})`,
+        format: 'commonjs',
+        shortCircuit: true,
+      };
+    } catch {
+      // Let the default loader generate the error
+      return nextLoad(url, context);
+    }
+  }
+
+  const ext = extname(url);
+
+  // Non-TS files are handled by the default loader
+  if (!TS_EXTS.includes(ext)) {
+    return nextLoad(url, context);
+  }
+
+  const format = context.format ?? DEFAULT_MODULE_FORMAT;
+
+  // We have two choices at this point, we can either transform CommonJS files
+  // and return the transformed source code, or let the default loader handle
+  // them. If we transform them ourselves we will enter CommonJS compatibility
+  // mode in the new module system in Node.js, this effectively means all
+  // CommonJS loaded via `require` calls from this point will all be treated as
+  // if it was loaded via `import` calls from modules.
+  //
+  // The CommonJS compatibility layer will try to identify named exports and
+  // make them available directly, which is convenient as it avoids things like
+  // `import(...).then(m => m.default.foo)`, allowing you to instead write
+  // `import(...).then(m => m.foo)`. The compatibility layer doesn't always work
+  // all that well though, and can lead to module loading issues in many cases,
+  // especially for older code.
+
+  // This `if` block opts-out of using CommonJS compatibility mode by default,
+  // and instead leaves it to our existing loader to transform CommonJS. We do
+  // however use compatibility mode for the more explicit .cts file extension,
+  // allows for a way to opt-in to the new behavior.
+  //
+  // TODO(Rugvip): Once the synchronous hooks API is available for us to use, we might be able to adopt that instead
+  if (format === 'commonjs' && ext !== '.cts') {
+    return nextLoad(url, { ...context, format });
+  }
+
+  // If the Node.js version we're running supports TypeScript, i.e. type
+  // stripping, we hand over to the default loader. This is done for all cases
+  // except if we're loading a .ts file that's been resolved to CommonJS format.
+  // This is because these files aren't actually CommonJS in the Backstage build
+  // system, and need to be transformed to CommonJS.
+  if (
+    format === 'module-typescript' ||
+    (format === 'module-commonjs' && ext !== '.ts')
+  ) {
+    return nextLoad(url, { ...context, format });
+  }
+
+  const transformed = await transformFile(fileURLToPath(url), {
+    sourceMaps: 'inline',
+    module: {
+      type: format === 'module' ? 'es6' : 'commonjs',
+      ignoreDynamic: true,
+
+      // This helps the Node.js CommonJS compat layer identify named exports.
+      exportInteropAnnotation: true,
+    },
+    jsc: {
+      target: 'es2023',
+      parser: {
+        syntax: 'typescript',
+      },
+    },
+  });
+
+  return {
+    ...context,
+    shortCircuit: true,
+    source: transformed.code,
+    format,
+    responseURL: url,
+  };
+}

package/dist/auth/CliAuth.cjs.js

@@ -0,0 +1,108 @@
+'use strict';
+
+var storage = require('./storage.cjs.js');
+var secretStore = require('./secretStore.cjs.js');
+var authIdentifiers = require('./authIdentifiers.cjs.js');
+var httpJson = require('./httpJson.cjs.js');
+var v3 = require('zod/v3');
+
+const TokenResponseSchema = v3.z.object({
+  access_token: v3.z.string().min(1),
+  token_type: v3.z.string().min(1),
+  expires_in: v3.z.number().positive().finite(),
+  refresh_token: v3.z.string().min(1).optional()
+});
+class CliAuth {
+  #secretStore;
+  #instance;
+  /**
+   * Resolve the current auth instance and return a ready-to-use
+   * {@link CliAuth} object. Throws when no instance can be found.
+   */
+  static async create(options) {
+    const instance = await storage.getSelectedInstance(options?.instanceName);
+    const secretStore$1 = await secretStore.getSecretStore();
+    return new CliAuth(instance, secretStore$1);
+  }
+  constructor(instance, secretStore) {
+    this.#instance = instance;
+    this.#secretStore = secretStore;
+  }
+  /** Returns the name of the resolved auth instance. */
+  getInstanceName() {
+    return this.#instance.name;
+  }
+  /** Returns the base URL of the resolved auth instance. */
+  getBaseUrl() {
+    return this.#instance.baseUrl;
+  }
+  /**
+   * Returns a valid access token, refreshing it first if the current
+   * token is expired or about to expire.
+   */
+  async getAccessToken() {
+    if (storage.accessTokenNeedsRefresh(this.#instance)) {
+      await this.#refreshAccessToken();
+    }
+    const service = authIdentifiers.getAuthInstanceService(this.#instance.name);
+    const token = await this.#secretStore.get(service, "accessToken");
+    if (!token) {
+      throw new Error(
+        'No access token found. Run "auth login" to authenticate.'
+      );
+    }
+    return token;
+  }
+  /**
+   * Reads a per-instance metadata value previously stored by the
+   * auth module (e.g. `pluginSources`).
+   */
+  async getMetadata(key) {
+    return storage.getInstanceMetadata(this.#instance.name, key);
+  }
+  /**
+   * Writes a per-instance metadata value to the on-disk instance store.
+   */
+  async setMetadata(key, value) {
+    return storage.updateInstanceMetadata(this.#instance.name, key, value);
+  }
+  async #refreshAccessToken() {
+    const service = authIdentifiers.getAuthInstanceService(this.#instance.name);
+    const refreshToken = await this.#secretStore.get(service, "refreshToken") ?? "";
+    if (!refreshToken) {
+      throw new Error(
+        "Access token is expired and no refresh token is available"
+      );
+    }
+    const response = await httpJson.httpJson(
+      `${this.#instance.baseUrl}/api/auth/v1/token`,
+      {
+        method: "POST",
+        body: {
+          grant_type: "refresh_token",
+          refresh_token: refreshToken
+        },
+        signal: AbortSignal.timeout(3e4)
+      }
+    );
+    const parsed = TokenResponseSchema.safeParse(response);
+    if (!parsed.success) {
+      throw new Error(`Invalid token response: ${parsed.error.message}`);
+    }
+    const token = parsed.data;
+    await this.#secretStore.set(service, "accessToken", token.access_token);
+    if (token.refresh_token) {
+      await this.#secretStore.set(service, "refreshToken", token.refresh_token);
+    }
+    const issuedAt = Date.now();
+    const accessTokenExpiresAt = Date.now() + token.expires_in * 1e3;
+    this.#instance = { ...this.#instance, issuedAt, accessTokenExpiresAt };
+    await storage.updateInstance(this.#instance.name, {
+      issuedAt,
+      accessTokenExpiresAt
+    });
+  }
+}
+
+exports.CliAuth = CliAuth;
+//# sourceMappingURL=CliAuth.cjs.js.map

package/dist/auth/CliAuth.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"CliAuth.cjs.js","sources":["../../src/auth/CliAuth.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  type StoredInstance,\n  getSelectedInstance,\n  getInstanceMetadata,\n  updateInstanceMetadata,\n  updateInstance,\n  accessTokenNeedsRefresh,\n} from './storage';\nimport { getSecretStore, type SecretStore } from './secretStore';\nimport { getAuthInstanceService } from './authIdentifiers';\nimport { httpJson } from './httpJson';\nimport { z } from 'zod/v3';\n\nconst TokenResponseSchema = z.object({\n  access_token: z.string().min(1),\n  token_type: z.string().min(1),\n  expires_in: z.number().positive().finite(),\n  refresh_token: z.string().min(1).optional(),\n});\n\n/**\n * Options for creating a {@link CliAuth} instance.\n *\n * @public\n */\nexport interface CliAuthCreateOptions {\n  /**\n   * An explicit instance name to resolve. When omitted the currently\n   * selected instance is used.\n   */\n  instanceName?: string;\n}\n\n/**\n * Manages authentication state for Backstage CLI commands.\n *\n * Reads the currently selected (or explicitly named) auth instance from\n * the on-disk instance store, transparently refreshes expired access\n * tokens, and exposes helpers that other CLI modules need to talk to a\n * Backstage backend.\n *\n * @public\n */\nexport class CliAuth {\n  readonly #secretStore: SecretStore;\n  #instance: StoredInstance;\n\n  /**\n   * Resolve the current auth instance and return a ready-to-use\n   * {@link CliAuth} object. Throws when no instance can be found.\n   */\n  static async create(options?: CliAuthCreateOptions): Promise<CliAuth> {\n    const instance = await getSelectedInstance(options?.instanceName);\n    const secretStore = await getSecretStore();\n    return new CliAuth(instance, secretStore);\n  }\n\n  private constructor(instance: StoredInstance, secretStore: SecretStore) {\n    this.#instance = instance;\n    this.#secretStore = secretStore;\n  }\n\n  /** Returns the name of the resolved auth instance. */\n  getInstanceName(): string {\n    return this.#instance.name;\n  }\n\n  /** Returns the base URL of the resolved auth instance. */\n  getBaseUrl(): string {\n    return this.#instance.baseUrl;\n  }\n\n  /**\n   * Returns a valid access token, refreshing it first if the current\n   * token is expired or about to expire.\n   */\n  async getAccessToken(): Promise<string> {\n    if (accessTokenNeedsRefresh(this.#instance)) {\n      await this.#refreshAccessToken();\n    }\n\n    const service = getAuthInstanceService(this.#instance.name);\n    const token = await this.#secretStore.get(service, 'accessToken');\n    if (!token) {\n      throw new Error(\n        'No access token found. Run \"auth login\" to authenticate.',\n      );\n    }\n    return token;\n  }\n\n  /**\n   * Reads a per-instance metadata value previously stored by the\n   * auth module (e.g. `pluginSources`).\n   */\n  async getMetadata(key: string): Promise<unknown> {\n    return getInstanceMetadata(this.#instance.name, key);\n  }\n\n  /**\n   * Writes a per-instance metadata value to the on-disk instance store.\n   */\n  async setMetadata(key: string, value: unknown): Promise<void> {\n    return updateInstanceMetadata(this.#instance.name, key, value);\n  }\n\n  async #refreshAccessToken(): Promise<void> {\n    const service = getAuthInstanceService(this.#instance.name);\n    const refreshToken =\n      (await this.#secretStore.get(service, 'refreshToken')) ?? '';\n    if (!refreshToken) {\n      throw new Error(\n        'Access token is expired and no refresh token is available',\n      );\n    }\n\n    const response = await httpJson<unknown>(\n      `${this.#instance.baseUrl}/api/auth/v1/token`,\n      {\n        method: 'POST',\n        body: {\n          grant_type: 'refresh_token',\n          refresh_token: refreshToken,\n        },\n        signal: AbortSignal.timeout(30_000),\n      },\n    );\n\n    const parsed = TokenResponseSchema.safeParse(response);\n    if (!parsed.success) {\n      throw new Error(`Invalid token response: ${parsed.error.message}`);\n    }\n    const token = parsed.data;\n\n    await this.#secretStore.set(service, 'accessToken', token.access_token);\n    if (token.refresh_token) {\n      await this.#secretStore.set(service, 'refreshToken', token.refresh_token);\n    }\n    const issuedAt = Date.now();\n    const accessTokenExpiresAt = Date.now() + token.expires_in * 1000;\n    this.#instance = { ...this.#instance, issuedAt, accessTokenExpiresAt };\n    await updateInstance(this.#instance.name, {\n      issuedAt,\n      accessTokenExpiresAt,\n    });\n  }\n}\n"],"names":["z","getSelectedInstance","secretStore","getSecretStore","accessTokenNeedsRefresh","getAuthInstanceService","getInstanceMetadata","updateInstanceMetadata","httpJson","updateInstance"],"mappings":";;;;;;;;AA6BA,MAAM,mBAAA,GAAsBA,KAAE,MAAA,CAAO;AAAA,EACnC,YAAA,EAAcA,IAAA,CAAE,MAAA,EAAO,CAAE,IAAI,CAAC,CAAA;AAAA,EAC9B,UAAA,EAAYA,IAAA,CAAE,MAAA,EAAO,CAAE,IAAI,CAAC,CAAA;AAAA,EAC5B,YAAYA,IAAA,CAAE,MAAA,EAAO,CAAE,QAAA,GAAW,MAAA,EAAO;AAAA,EACzC,eAAeA,IAAA,CAAE,MAAA,GAAS,GAAA,CAAI,CAAC,EAAE,QAAA;AACnC,CAAC,CAAA;AAyBM,MAAM,OAAA,CAAQ;AAAA,EACV,YAAA;AAAA,EACT,SAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,aAAa,OAAO,OAAA,EAAkD;AACpE,IAAA,MAAM,QAAA,GAAW,MAAMC,2BAAA,CAAoB,OAAA,EAAS,YAAY,CAAA;AAChE,IAAA,MAAMC,aAAA,GAAc,MAAMC,0BAAA,EAAe;AACzC,IAAA,OAAO,IAAI,OAAA,CAAQ,QAAA,EAAUD,aAAW,CAAA;AAAA,EAC1C;AAAA,EAEQ,WAAA,CAAY,UAA0B,WAAA,EAA0B;AACtE,IAAA,IAAA,CAAK,SAAA,GAAY,QAAA;AACjB,IAAA,IAAA,CAAK,YAAA,GAAe,WAAA;AAAA,EACtB;AAAA;AAAA,EAGA,eAAA,GAA0B;AACxB,IAAA,OAAO,KAAK,SAAA,CAAU,IAAA;AAAA,EACxB;AAAA;AAAA,EAGA,UAAA,GAAqB;AACnB,IAAA,OAAO,KAAK,SAAA,CAAU,OAAA;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,cAAA,GAAkC;AACtC,IAAA,IAAIE,+BAAA,CAAwB,IAAA,CAAK,SAAS,CAAA,EAAG;AAC3C,MAAA,MAAM,KAAK,mBAAA,EAAoB;AAAA,IACjC;AAEA,IAAA,MAAM,OAAA,GAAUC,sCAAA,CAAuB,IAAA,CAAK,SAAA,CAAU,IAAI,CAAA;AAC1D,IAAA,MAAM,QAAQ,MAAM,IAAA,CAAK,YAAA,CAAa,GAAA,CAAI,SAAS,aAAa,CAAA;AAChE,IAAA,IAAI,CAAC,KAAA,EAAO;AACV,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AACA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,YAAY,GAAA,EAA+B;AAC/C,IAAA,OAAOC,2BAAA,CAAoB,IAAA,CAAK,SAAA,CAAU,IAAA,EAAM,GAAG,CAAA;AAAA,EACrD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,WAAA,CAAY,GAAA,EAAa,KAAA,EAA+B;AAC5D,IAAA,OAAOC,8BAAA,CAAuB,IAAA,CAAK,SAAA,CAAU,IAAA,EAAM,KAAK,KAAK,CAAA;AAAA,EAC/D;AAAA,EAEA,MAAM,mBAAA,GAAqC;AACzC,IAAA,MAAM,OAAA,GAAUF,sCAAA,CAAuB,IAAA,CAAK,SAAA,CAAU,IAAI,CAAA;AAC1D,IAAA,MAAM,eACH,MAAM,IAAA,CAAK,aAAa,GAAA,CAAI,OAAA,EAAS,cAAc,CAAA,IAAM,EAAA;AAC5D,IAAA,IAAI,CAAC,YAAA,EAAc;AACjB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,MAAM,WAAW,MAAMG,iBAAA;AAAA,MACrB,CAAA,EAAG,IAAA,CAAK,SAAA,CAAU,OAAO,CAAA,kBAAA,CAAA;AAAA,MACzB;AAAA,QACE,MAAA,EAAQ,MAAA;AAAA,QACR,IAAA,EAAM;AAAA,UACJ,UAAA,EAAY,eAAA;AAAA,UACZ,aAAA,EAAe;AAAA,SACjB;AAAA,QACA,MAAA,EAAQ,WAAA,CAAY,OAAA,CAAQ,GAAM;AAAA;AACpC,KACF;AAEA,IAAA,MAAM,MAAA,GAAS,mBAAA,CAAoB,SAAA,CAAU,QAAQ,CAAA;AACrD,IAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,wBAAA,EAA2B,MAAA,CAAO,KAAA,CAAM,OAAO,CAAA,CAAE,CAAA;AAAA,IACnE;AACA,IAAA,MAAM,QAAQ,MAAA,CAAO,IAAA;AAErB,IAAA,MAAM,KAAK,YAAA,CAAa,GAAA,CAAI,OAAA,EAAS,aAAA,EAAe,MAAM,YAAY,CAAA;AACtE,IAAA,IAAI,MAAM,aAAA,EAAe;AACvB,MAAA,MAAM,KAAK,YAAA,CAAa,GAAA,CAAI,OAAA,EAAS,cAAA,EAAgB,MAAM,aAAa,CAAA;AAAA,IAC1E;AACA,IAAA,MAAM,QAAA,GAAW,KAAK,GAAA,EAAI;AAC1B,IAAA,MAAM,oBAAA,GAAuB,IAAA,CAAK,GAAA,EAAI,GAAI,MAAM,UAAA,GAAa,GAAA;AAC7D,IAAA,IAAA,CAAK,YAAY,EAAE,GAAG,IAAA,CAAK,SAAA,EAAW,UAAU,oBAAA,EAAqB;AACrE,IAAA,MAAMC,sBAAA,CAAe,IAAA,CAAK,SAAA,CAAU,IAAA,EAAM;AAAA,MACxC,QAAA;AAAA,MACA;AAAA,KACD,CAAA;AAAA,EACH;AACF;;;;"}

package/dist/auth/authIdentifiers.cjs.js

@@ -0,0 +1,8 @@
+'use strict';
+
+function getAuthInstanceService(instanceName) {
+  return `backstage-cli:auth-instance:${instanceName}`;
+}
+
+exports.getAuthInstanceService = getAuthInstanceService;
+//# sourceMappingURL=authIdentifiers.cjs.js.map

package/dist/auth/authIdentifiers.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authIdentifiers.cjs.js","sources":["../../src/auth/authIdentifiers.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\n/** @internal */\nexport function getAuthInstanceService(instanceName: string): string {\n  return `backstage-cli:auth-instance:${instanceName}`;\n}\n"],"names":[],"mappings":";;AAiBO,SAAS,uBAAuB,YAAA,EAA8B;AACnE,EAAA,OAAO,+BAA+B,YAAY,CAAA,CAAA;AACpD;;;;"}

package/dist/auth/httpJson.cjs.js

@@ -0,0 +1,21 @@
+'use strict';
+
+var errors = require('@backstage/errors');
+
+async function httpJson(url, init) {
+  const res = await fetch(url, {
+    ...init,
+    body: init?.body ? JSON.stringify(init.body) : void 0,
+    headers: {
+      ...init?.body ? { "Content-Type": "application/json" } : {},
+      ...init?.headers
+    }
+  });
+  if (!res.ok) {
+    throw await errors.ResponseError.fromResponse(res);
+  }
+  return await res.json();
+}
+
+exports.httpJson = httpJson;
+//# sourceMappingURL=httpJson.cjs.js.map

package/dist/auth/httpJson.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"httpJson.cjs.js","sources":["../../src/auth/httpJson.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { ResponseError } from '@backstage/errors';\n\n/** @internal */\nexport type HttpInit = {\n  headers?: Record<string, string>;\n  method?: string;\n  body?: any;\n  signal?: AbortSignal;\n};\n\n/** @internal */\nexport async function httpJson<T>(url: string, init?: HttpInit): Promise<T> {\n  const res = await fetch(url, {\n    ...init,\n    body: init?.body ? JSON.stringify(init.body) : undefined,\n    headers: {\n      ...(init?.body ? { 'Content-Type': 'application/json' } : {}),\n      ...init?.headers,\n    },\n  });\n  if (!res.ok) {\n    throw await ResponseError.fromResponse(res);\n  }\n  return (await res.json()) as T;\n}\n"],"names":["ResponseError"],"mappings":";;;;AA2BA,eAAsB,QAAA,CAAY,KAAa,IAAA,EAA6B;AAC1E,EAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAA,EAAK;AAAA,IAC3B,GAAG,IAAA;AAAA,IACH,MAAM,IAAA,EAAM,IAAA,GAAO,KAAK,SAAA,CAAU,IAAA,CAAK,IAAI,CAAA,GAAI,MAAA;AAAA,IAC/C,OAAA,EAAS;AAAA,MACP,GAAI,IAAA,EAAM,IAAA,GAAO,EAAE,cAAA,EAAgB,kBAAA,KAAuB,EAAC;AAAA,MAC3D,GAAG,IAAA,EAAM;AAAA;AACX,GACD,CAAA;AACD,EAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,IAAA,MAAM,MAAMA,oBAAA,CAAc,YAAA,CAAa,GAAG,CAAA;AAAA,EAC5C;AACA,EAAA,OAAQ,MAAM,IAAI,IAAA,EAAK;AACzB;;;;"}

package/dist/auth/secretStore.cjs.js

@@ -0,0 +1,96 @@
+'use strict';
+
+var node_fs = require('node:fs');
+var os = require('node:os');
+var path = require('node:path');
+
+function _interopDefaultCompat (e) { return e && typeof e === 'object' && 'default' in e ? e : { default: e }; }
+
+var os__default = /*#__PURE__*/_interopDefaultCompat(os);
+var path__default = /*#__PURE__*/_interopDefaultCompat(path);
+
+async function loadKeytar() {
+  try {
+    const keytar = require("keytar");
+    if (keytar && typeof keytar.getPassword === "function") {
+      return keytar;
+    }
+  } catch {
+  }
+  return void 0;
+}
+class KeytarSecretStore {
+  keytar;
+  constructor(keytar) {
+    this.keytar = keytar;
+  }
+  async get(service, account) {
+    const result = await this.keytar.getPassword(service, account);
+    return result ?? void 0;
+  }
+  async set(service, account, secret) {
+    await this.keytar.setPassword(service, account, secret);
+  }
+  async delete(service, account) {
+    await this.keytar.deletePassword(service, account);
+  }
+}
+async function pathExists(p) {
+  try {
+    await node_fs.promises.stat(p);
+    return true;
+  } catch {
+    return false;
+  }
+}
+class FileSecretStore {
+  baseDir;
+  constructor() {
+    const root = process.env.XDG_DATA_HOME || (process.platform === "win32" ? process.env.APPDATA || path__default.default.join(os__default.default.homedir(), "AppData", "Roaming") : path__default.default.join(os__default.default.homedir(), ".local", "share"));
+    this.baseDir = path__default.default.join(root, "backstage-cli", "auth-secrets");
+  }
+  filePath(service, account) {
+    return path__default.default.join(
+      this.baseDir,
+      encodeURIComponent(service),
+      `${encodeURIComponent(account)}.secret`
+    );
+  }
+  async get(service, account) {
+    const file = this.filePath(service, account);
+    if (!await pathExists(file)) {
+      return void 0;
+    }
+    return await node_fs.promises.readFile(file, "utf8");
+  }
+  async set(service, account, secret) {
+    const file = this.filePath(service, account);
+    await node_fs.promises.mkdir(path__default.default.dirname(file), { recursive: true });
+    await node_fs.promises.writeFile(file, secret, { encoding: "utf8", mode: 384 });
+  }
+  async delete(service, account) {
+    const file = this.filePath(service, account);
+    try {
+      await node_fs.promises.unlink(file);
+    } catch (err) {
+      if (err.code !== "ENOENT") {
+        throw err;
+      }
+    }
+  }
+}
+let singleton;
+async function getSecretStore() {
+  if (!singleton) {
+    const keytar = await loadKeytar();
+    if (keytar) {
+      singleton = new KeytarSecretStore(keytar);
+    } else {
+      singleton = new FileSecretStore();
+    }
+  }
+  return singleton;
+}
+
+exports.getSecretStore = getSecretStore;
+//# sourceMappingURL=secretStore.cjs.js.map