@boardwalk-labs/cli 0.1.0

package/LICENSE

@@ -0,0 +1,18 @@
+MIT License
+
+Copyright (c) 2026 Boardwalk
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
+associated documentation files (the "Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the
+following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial
+portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO
+EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+USE OR OTHER DEALINGS IN THE SOFTWARE.

package/README.md

@@ -0,0 +1,110 @@
+# @boardwalk-labs/cli
+
+The `boardwalk` command — author, validate, run locally, and deploy [Boardwalk](https://boardwalk.sh) workflows.
+
+```
+boardwalk init my-workflow                 # scaffold a project from a template
+boardwalk dev ./index.ts                   # run it NOW, locally — no account needed
+boardwalk check ./index.ts                 # validate locally (no auth/network)
+boardwalk login                            # browser OAuth (PKCE) → stores a session
+boardwalk deploy ./index.ts --org my-team  # ship it to the Boardwalk platform
+boardwalk run ./index.ts --org my-team --input '{"who":"world"}'   # deploy + trigger a real run
+boardwalk cancel <runId>
+boardwalk logout / whoami
+```
+
+## The author loop
+
+- **`init [dir]`** — scaffold a workflow project: program file, `package.json`, `.env.example`,
+  `.gitignore`. The default template runs green under `dev` immediately.
+- **`dev <file|dir>`** — run the workflow right here, right now. Derives + validates the manifest
+  (precise errors before anything runs), bundles the program, executes it in-process, and streams
+  the run-event log. Secrets resolve from `.env` (or `--env <path>`); values never print.
+  Exit code is the run's verdict: `0` completed, `1` failed, `130` cancelled (Ctrl-C).
+- **`check <file|dir>`** — everything `dev` validates, without running: full manifest-schema
+  validation (the same schema every engine enforces) + an esbuild compile proving every import
+  resolves.
+
+### Choosing what to watch
+
+Every engine emits the same typed event stream, and every event belongs to one channel:
+`lifecycle`, `phase`, `output`, `log`, `agent`. The flags mean the same thing everywhere:
+
+```
+boardwalk dev ./index.ts                    # default: lifecycle + phase + output (quiet, readable)
+boardwalk dev ./index.ts --verbose          # everything: agent turns, tool calls, captured logs
+boardwalk dev ./index.ts --stream output | jq   # just the result — pipe-friendly
+boardwalk dev ./index.ts --stream phase,log
+```
+
+> `dev` today executes the program primitives (secrets, sleeps, phases, output, artifacts)
+> in-process; `agent()` and `workflows.call()` need an engine and fail with a clear pointer.
+> The embedded local engine (`@boardwalk-labs/engine`) makes them work in `dev` — it's next on the
+> [roadmap](./SPEC.md).
+
+## Deploying
+
+- **`deploy <file|dir> --org <slug>`** — create/update the workflow (idempotent by `meta.name`).
+  `--dry-run` prints the plan only.
+- **`run <file|dir> --org <slug>`** — deploy the current source, trigger a **real run on the
+  platform**, and wait for it to finish. `--no-wait` triggers and exits.
+
+`deploy` builds the program into a content-addressed artifact: esbuild bundles your entry (deps
+pinned at deploy, `@boardwalk-labs/workflow` stays external), package assets (markdown skills, prompt
+templates) ride along at their relative paths, and the lot is packed into a deterministic tarball,
+uploaded via a presigned URL, and verified server-side. The server re-derives the manifest from
+your `meta` — the CLI never sends a hand-built manifest.
+
+### Project link (`.boardwalk/project.json`)
+
+The first `deploy`/`run` in a directory writes `.boardwalk/project.json` (gitignored, Vercel-style)
+with `{ orgSlug, workflowId }`. After that the workflow is identified by that stored **id**, so
+`--org` is optional and renaming `meta.name` or the entry file updates the same workflow instead of
+forking a new one. On a fresh clone, pass `--org` once to re-link (it adopts an existing same-name
+workflow if present, else creates one).
+
+## Authentication
+
+Resolved in this precedence:
+
+1. `--token <bearer>` flag (one-off / scripting)
+2. `BOARDWALK_API_KEY` env (CI / headless — a `bwk_…` API key)
+3. the stored session from `boardwalk login` — either a browser **OAuth/PKCE** session
+   (auto-refreshed when expired) **or** an API key persisted via `boardwalk login --token <key>`
+
+`boardwalk login` speaks standard OAuth 2.0 Authorization-Code + PKCE against the deployment's own
+issuer: it fetches `/.well-known/oauth-authorization-server` to discover the endpoints, starts a
+localhost callback server, opens your browser, exchanges the code, and stores the session in
+`<config>/credentials.json` (mode 0600). The CLI session is **scoped, least-privilege** — it can
+deploy and trigger/read runs, but cannot mint API keys, manage billing/members, or read secrets.
+
+`init`, `dev`, and `check` need no account at all.
+
+## Configuration (env)
+
+Point the CLI at any deployment — the Boardwalk platform (default), or a **self-hosted** install on your
+own domain — without rebuilding:
+
+| Variable                    | Default                    | Purpose                                        |
+| --------------------------- | -------------------------- | ---------------------------------------------- |
+| `BOARDWALK_API_DOMAIN`      | `api.boardwalk.sh`         | API host → `https://<domain>` (self-host knob) |
+| `BOARDWALK_API_URL`         | —                          | Full API URL override (local http / ports)     |
+| `BOARDWALK_ISSUER_URL`      | `https://api.boardwalk.sh` | OAuth issuer origin for `login` (discovery)    |
+| `BOARDWALK_OAUTH_CLIENT_ID` | `boardwalk-cli`            | OAuth client id (built-in default)             |
+| `BOARDWALK_OAUTH_PORT`      | `53682`                    | Loopback redirect port                         |
+| `BOARDWALK_API_KEY`         | —                          | API key for non-interactive auth               |
+| `BOARDWALK_CONFIG_DIR`      | XDG config dir             | Where credentials are stored                   |
+
+## Develop
+
+```
+pnpm install
+pnpm test
+pnpm lint
+pnpm build      # → dist/, run via ./bin/boardwalk.js
+pnpm boardwalk -- dev ./index.ts   # run from source via tsx
+```
+
+## License
+
+MIT

package/bin/boardwalk.js

@@ -0,0 +1,4 @@
+#!/usr/bin/env node
+// Thin shim → the compiled CLI entrypoint. Kept JS (not TS) so the published `bin` runs without a
+// build step on the consumer's machine; `dist/index.js` is produced by `pnpm build`.
+import "../dist/index.js";

package/dist/artifact.d.ts

@@ -0,0 +1,53 @@
+/** The entry module the runner imports after extraction. The whole local graph bundles into it. */
+export declare const ENTRY_OUTPUT = "index.mjs";
+/** The author's ORIGINAL entry source, stored verbatim under the `.bw-src/` tree so a dashboard's
+ *  code view shows what the user wrote (blank lines + comments intact) and quick-edit round-trips
+ *  real source — NOT the blank-line-stripped esbuild bundle. The runner never reads `.bw-src/`; it
+ *  runs {@link ENTRY_OUTPUT}. (A bundled package ships only its entry source here; its local
+ *  modules are inlined into {@link ENTRY_OUTPUT}.) */
+export declare const SOURCE_FILE = ".bw-src/index.ts";
+/** `sdk_version` for a program that pins no SDK version — defer to whatever the runner ships. */
+export declare const UNPINNED_SDK = "*";
+/** One non-code file shipped in the artifact, at its package-relative POSIX path. */
+export interface ArtifactAsset {
+    /** Path inside the artifact (POSIX, package-relative), e.g. `skills/review.md`. */
+    relPath: string;
+    /** Absolute path on disk to read the bytes from. */
+    absPath: string;
+}
+/** The built artifact + the metadata the deploy finalize call records on the version row. */
+export interface BuiltArtifact {
+    /** The `.tgz` bytes — the exact object uploaded to storage. */
+    tarball: Uint8Array;
+    /** sha256 hex of {@link tarball} — content-address + integrity digest. */
+    digest: string;
+    /** Byte length of {@link tarball}. */
+    size: number;
+    /** Entry module within the extracted tree ({@link ENTRY_OUTPUT}). */
+    entry: string;
+    /** Resolved `@boardwalk-labs/workflow` version the program was built against, or {@link UNPINNED_SDK}. */
+    sdkVersion: string;
+    /** sha256 of the project's lockfile (reproducibility anchor), or null when there is none. */
+    lockfileDigest: string | null;
+    /** The bundled entry source — lets the CLI extract `meta`/`name` without cracking the tarball. */
+    entrySource: string;
+    /** Sorted POSIX relative paths of the bundled assets (for `--check` output + validation). */
+    assetPaths: string[];
+}
+/** Build the deploy artifact for a file or package directory. */
+export declare function buildArtifact(target: string): Promise<BuiltArtifact>;
+/**
+ * Collect the package's runtime assets. With an explicit `boardwalk.assets` list in package.json,
+ * exactly those paths are shipped (a file, or a directory included recursively). Otherwise the
+ * default is npm-pack-style: every file under the package root EXCEPT source the bundle already
+ * inlines, build/config files, dotfiles, and excluded dirs (`node_modules`, `.git`, …). Returns a
+ * deterministic, path-sorted list with POSIX relative paths.
+ */
+export declare function collectAssets(pkgDir: string): ArtifactAsset[];
+/**
+ * Resolve the `@boardwalk-labs/workflow` version the program is built against (for runner SDK-layer
+ * compat): prefer the actually-installed version, then the declared dependency range, else UNPINNED.
+ */
+export declare function resolveSdkVersion(pkgDir: string | null): string;
+/** sha256 of the project's lockfile (first of pnpm/npm/yarn/bun found), or null when none. */
+export declare function lockfileDigest(pkgDir: string): string | null;

package/dist/artifact.js

@@ -0,0 +1,267 @@
+// Build a deploy ARTIFACT — the frozen, content-addressed program the runner executes.
+//
+// The packaging model: a workflow is built into a JS artifact AT DEPLOY (never at runtime).
+// `buildArtifact` esbuild-bundles the entry into one `index.mjs` (+ external sourcemap,
+// `@boardwalk-labs/workflow` left external — the host layer), collects the package's non-code assets
+// (markdown skills, prompt templates) at their relative paths, and packs the lot into a
+// DETERMINISTIC `tar.gz`. The artifact is content-addressed by the sha256 of its bytes: the same
+// bytes the CLI uploads are the bytes the runner downloads + verifies, so integrity holds
+// regardless of determinism; determinism just lets identical programs dedup.
+//
+// Pure logic + filesystem reads; no program execution, no network.
+import { createHash } from "node:crypto";
+import { existsSync, mkdirSync, mkdtempSync, readFileSync, readdirSync, rmSync, statSync, writeFileSync, } from "node:fs";
+import { tmpdir } from "node:os";
+import { dirname, join, posix, relative, resolve, sep } from "node:path";
+import { create as tarCreate } from "tar";
+import { bundleWorkflowWithMap, isPackageDir, resolveEntry } from "./bundle.js";
+import { CliError } from "./errors.js";
+const SDK_PACKAGE = "@boardwalk-labs/workflow";
+/** The entry module the runner imports after extraction. The whole local graph bundles into it. */
+export const ENTRY_OUTPUT = "index.mjs";
+/** The author's ORIGINAL entry source, stored verbatim under the `.bw-src/` tree so a dashboard's
+ *  code view shows what the user wrote (blank lines + comments intact) and quick-edit round-trips
+ *  real source — NOT the blank-line-stripped esbuild bundle. The runner never reads `.bw-src/`; it
+ *  runs {@link ENTRY_OUTPUT}. (A bundled package ships only its entry source here; its local
+ *  modules are inlined into {@link ENTRY_OUTPUT}.) */
+export const SOURCE_FILE = ".bw-src/index.ts";
+/** `sdk_version` for a program that pins no SDK version — defer to whatever the runner ships. */
+export const UNPINNED_SDK = "*";
+const LOCKFILES = ["pnpm-lock.yaml", "package-lock.json", "yarn.lock", "bun.lock"];
+// Source the esbuild bundle already inlines (or emits) — never shipped raw as a runtime asset.
+const SOURCE_EXT = new Set([".ts", ".tsx", ".mts", ".cts", ".js", ".jsx", ".mjs", ".cjs", ".map"]);
+// Build/config files that are not runtime assets.
+const EXCLUDE_FILES = new Set([
+    "package.json",
+    "tsconfig.json",
+    "tsconfig.build.json",
+    ".npmrc",
+    ".npmignore",
+    ".gitignore",
+    ".eslintrc",
+    ".eslintrc.json",
+    ".prettierrc",
+    ...LOCKFILES,
+]);
+const EXCLUDE_DIRS = new Set([
+    "node_modules",
+    ".git",
+    ".boardwalk",
+    "dist",
+    "build",
+    ".turbo",
+    ".cache",
+]);
+/** Build the deploy artifact for a file or package directory. */
+export async function buildArtifact(target) {
+    const entry = resolveEntry(target);
+    const { code, map } = await bundleWorkflowWithMap(entry);
+    // The author's original entry source — stored verbatim for display/quick-edit (the built `index.mjs`
+    // has its blank lines + comments stripped by esbuild).
+    const originalSource = readFileSync(entry, "utf8");
+    const pkgDir = isPackageDir(target) ? resolve(target) : null;
+    const assets = pkgDir === null ? [] : collectAssets(pkgDir);
+    const sdkVersion = resolveSdkVersion(pkgDir);
+    const lockDigest = pkgDir === null ? null : lockfileDigest(pkgDir);
+    // Stage every file at its target relative path, then pack the staging dir deterministically.
+    const staging = mkdtempSync(join(tmpdir(), "bw-artifact-"));
+    try {
+        writeStaged(staging, ENTRY_OUTPUT, Buffer.from(code, "utf8"));
+        writeStaged(staging, `${ENTRY_OUTPUT}.map`, Buffer.from(map, "utf8"));
+        writeStaged(staging, SOURCE_FILE, Buffer.from(originalSource, "utf8"));
+        for (const asset of assets)
+            writeStaged(staging, asset.relPath, readFileSync(asset.absPath));
+        const relPaths = [
+            ENTRY_OUTPUT,
+            `${ENTRY_OUTPUT}.map`,
+            SOURCE_FILE,
+            ...assets.map((a) => a.relPath),
+        ].sort();
+        const tarball = await packDir(staging, relPaths);
+        return {
+            tarball,
+            digest: sha256Hex(tarball),
+            size: tarball.length,
+            entry: ENTRY_OUTPUT,
+            sdkVersion,
+            lockfileDigest: lockDigest,
+            entrySource: code,
+            assetPaths: assets.map((a) => a.relPath).sort(),
+        };
+    }
+    finally {
+        rmSync(staging, { recursive: true, force: true });
+    }
+}
+/**
+ * Collect the package's runtime assets. With an explicit `boardwalk.assets` list in package.json,
+ * exactly those paths are shipped (a file, or a directory included recursively). Otherwise the
+ * default is npm-pack-style: every file under the package root EXCEPT source the bundle already
+ * inlines, build/config files, dotfiles, and excluded dirs (`node_modules`, `.git`, …). Returns a
+ * deterministic, path-sorted list with POSIX relative paths.
+ */
+export function collectAssets(pkgDir) {
+    const explicit = readAssetGlobs(pkgDir);
+    const out = [];
+    const seen = new Set();
+    const add = (absPath) => {
+        const rel = toPosix(relative(pkgDir, absPath));
+        if (rel.length === 0 || rel.startsWith("..") || seen.has(rel))
+            return;
+        seen.add(rel);
+        out.push({ relPath: rel, absPath });
+    };
+    if (explicit !== null) {
+        for (const entry of explicit) {
+            const abs = resolve(pkgDir, entry);
+            if (!existsSync(abs)) {
+                throw new CliError(`boardwalk.assets entry not found: ${entry}`);
+            }
+            if (statSync(abs).isDirectory())
+                walk(abs, () => true, add);
+            else
+                add(abs);
+        }
+    }
+    else {
+        walk(pkgDir, defaultAssetFilter, add);
+    }
+    out.sort((a, b) => (a.relPath < b.relPath ? -1 : a.relPath > b.relPath ? 1 : 0));
+    return out;
+}
+/** Default include rule: keep non-source, non-config, non-dot files; prune excluded dirs. */
+function defaultAssetFilter(isDir, name) {
+    if (name.startsWith("."))
+        return false; // dotfiles + dotdirs
+    if (isDir)
+        return !EXCLUDE_DIRS.has(name);
+    if (EXCLUDE_FILES.has(name))
+        return false;
+    const dot = name.lastIndexOf(".");
+    const ext = dot === -1 ? "" : name.slice(dot).toLowerCase();
+    return !SOURCE_EXT.has(ext);
+}
+/** Recursively walk `dir`, calling `onFile(abs)` for each file the `accept` predicate keeps. */
+function walk(dir, accept, onFile) {
+    for (const ent of readdirSync(dir, { withFileTypes: true })) {
+        const abs = join(dir, ent.name);
+        const isDir = ent.isDirectory();
+        if (!accept(isDir, ent.name))
+            continue;
+        if (isDir)
+            walk(abs, accept, onFile);
+        else if (ent.isFile())
+            onFile(abs);
+    }
+}
+/** Read `boardwalk.assets: string[]` from package.json, or null when unset/invalid. */
+function readAssetGlobs(pkgDir) {
+    const pkgPath = join(pkgDir, "package.json");
+    if (!existsSync(pkgPath))
+        return null;
+    try {
+        const parsed = JSON.parse(readFileSync(pkgPath, "utf8"));
+        const boardwalk = typeof parsed === "object" && parsed !== null
+            ? parsed.boardwalk
+            : undefined;
+        const assets = typeof boardwalk === "object" && boardwalk !== null
+            ? boardwalk.assets
+            : undefined;
+        if (Array.isArray(assets) && assets.every((a) => typeof a === "string")) {
+            return assets;
+        }
+    }
+    catch {
+        // Unreadable package.json → fall back to the default asset rule.
+    }
+    return null;
+}
+/**
+ * Resolve the `@boardwalk-labs/workflow` version the program is built against (for runner SDK-layer
+ * compat): prefer the actually-installed version, then the declared dependency range, else UNPINNED.
+ */
+export function resolveSdkVersion(pkgDir) {
+    if (pkgDir === null)
+        return UNPINNED_SDK;
+    const installed = join(pkgDir, "node_modules", SDK_PACKAGE, "package.json");
+    if (existsSync(installed)) {
+        const v = readJsonField(installed, "version");
+        if (v !== null)
+            return v;
+    }
+    const pkgPath = join(pkgDir, "package.json");
+    if (existsSync(pkgPath)) {
+        for (const field of ["dependencies", "devDependencies", "peerDependencies"]) {
+            const range = readDepRange(pkgPath, field, SDK_PACKAGE);
+            if (range !== null)
+                return range;
+        }
+    }
+    return UNPINNED_SDK;
+}
+/** sha256 of the project's lockfile (first of pnpm/npm/yarn/bun found), or null when none. */
+export function lockfileDigest(pkgDir) {
+    for (const name of LOCKFILES) {
+        const p = join(pkgDir, name);
+        if (existsSync(p))
+            return sha256Hex(readFileSync(p));
+    }
+    return null;
+}
+// ----- internals -----
+/** Deterministic tar.gz of `cwd`'s listed files: portable (no uid/gid/mtime), stable order. */
+async function packDir(cwd, files) {
+    const chunks = [];
+    await new Promise((res, rej) => {
+        const stream = tarCreate({ cwd, gzip: true, portable: true, noMtime: true }, files);
+        stream.on("data", (c) => chunks.push(c));
+        stream.on("end", () => {
+            res();
+        });
+        stream.on("error", rej);
+    });
+    return new Uint8Array(Buffer.concat(chunks));
+}
+function writeStaged(root, relPath, bytes) {
+    const abs = join(root, relPath.split(posix.sep).join(sep));
+    mkdirSync(dirname(abs), { recursive: true });
+    writeFileSync(abs, bytes);
+}
+function sha256Hex(bytes) {
+    return createHash("sha256").update(bytes).digest("hex");
+}
+function toPosix(p) {
+    return p.split(sep).join(posix.sep);
+}
+function readJsonField(jsonPath, field) {
+    try {
+        const parsed = JSON.parse(readFileSync(jsonPath, "utf8"));
+        if (typeof parsed === "object" && parsed !== null) {
+            const v = parsed[field];
+            if (typeof v === "string" && v.length > 0)
+                return v;
+        }
+    }
+    catch {
+        // ignore
+    }
+    return null;
+}
+function readDepRange(pkgPath, field, dep) {
+    try {
+        const parsed = JSON.parse(readFileSync(pkgPath, "utf8"));
+        const deps = typeof parsed === "object" && parsed !== null
+            ? parsed[field]
+            : undefined;
+        if (typeof deps === "object" && deps !== null) {
+            const range = deps[dep];
+            if (typeof range === "string" && range.length > 0)
+                return range;
+        }
+    }
+    catch {
+        // ignore
+    }
+    return null;
+}
+//# sourceMappingURL=artifact.js.map

package/dist/artifact.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"artifact.js","sourceRoot":"","sources":["../src/artifact.ts"],"names":[],"mappings":"AAAA,uFAAuF;AACvF,EAAE;AACF,4FAA4F;AAC5F,wFAAwF;AACxF,qGAAqG;AACrG,wFAAwF;AACxF,iGAAiG;AACjG,0FAA0F;AAC1F,6EAA6E;AAC7E,EAAE;AACF,mEAAmE;AAEnE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EACL,UAAU,EACV,SAAS,EACT,WAAW,EACX,YAAY,EACZ,WAAW,EACX,MAAM,EACN,QAAQ,EACR,aAAa,GACd,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,WAAW,CAAC;AACzE,OAAO,EAAE,MAAM,IAAI,SAAS,EAAE,MAAM,KAAK,CAAC;AAC1C,OAAO,EAAE,qBAAqB,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChF,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAEvC,MAAM,WAAW,GAAG,0BAA0B,CAAC;AAC/C,mGAAmG;AACnG,MAAM,CAAC,MAAM,YAAY,GAAG,WAAW,CAAC;AACxC;;;;sDAIsD;AACtD,MAAM,CAAC,MAAM,WAAW,GAAG,kBAAkB,CAAC;AAC9C,iGAAiG;AACjG,MAAM,CAAC,MAAM,YAAY,GAAG,GAAG,CAAC;AAEhC,MAAM,SAAS,GAAG,CAAC,gBAAgB,EAAE,mBAAmB,EAAE,WAAW,EAAE,UAAU,CAAU,CAAC;AAE5F,+FAA+F;AAC/F,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;AACnG,kDAAkD;AAClD,MAAM,aAAa,GAAG,IAAI,GAAG,CAAS;IACpC,cAAc;IACd,eAAe;IACf,qBAAqB;IACrB,QAAQ;IACR,YAAY;IACZ,YAAY;IACZ,WAAW;IACX,gBAAgB;IAChB,aAAa;IACb,GAAG,SAAS;CACb,CAAC,CAAC;AACH,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC;IAC3B,cAAc;IACd,MAAM;IACN,YAAY;IACZ,MAAM;IACN,OAAO;IACP,QAAQ;IACR,QAAQ;CACT,CAAC,CAAC;AA8BH,iEAAiE;AACjE,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,MAAc;IAChD,MAAM,KAAK,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IACnC,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,MAAM,qBAAqB,CAAC,KAAK,CAAC,CAAC;IACzD,qGAAqG;IACrG,uDAAuD;IACvD,MAAM,cAAc,GAAG,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAEnD,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC7D,MAAM,MAAM,GAAG,MAAM,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;IAC5D,MAAM,UAAU,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAC7C,MAAM,UAAU,GAAG,MAAM,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;IAEnE,6FAA6F;IAC7F,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,cAAc,CAAC,CAAC,CAAC;IAC5D,IAAI,CAAC;QACH,WAAW,CAAC,OAAO,EAAE,YAAY,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;QAC9D,WAAW,CAAC,OAAO,EAAE,GAAG,YAAY,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC;QACtE,WAAW,CAAC,OAAO,EAAE,WAAW,EAAE,MAAM,CAAC,IAAI,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC,CAAC;QACvE,KAAK,MAAM,KAAK,IAAI,MAAM;YAAE,WAAW,CAAC,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,YAAY,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAE7F,MAAM,QAAQ,GAAG;YACf,YAAY;YACZ,GAAG,YAAY,MAAM;YACrB,WAAW;YACX,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;SAChC,CAAC,IAAI,EAAE,CAAC;QACT,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAEjD,OAAO;YACL,OAAO;YACP,MAAM,EAAE,SAAS,CAAC,OAAO,CAAC;YAC1B,IAAI,EAAE,OAAO,CAAC,MAAM;YACpB,KAAK,EAAE,YAAY;YACnB,UAAU;YACV,cAAc,EAAE,UAAU;YAC1B,WAAW,EAAE,IAAI;YACjB,UAAU,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE;SAChD,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACpD,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,MAAc;IAC1C,MAAM,QAAQ,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,MAAM,GAAG,GAAoB,EAAE,CAAC;IAChC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,GAAG,GAAG,CAAC,OAAe,EAAQ,EAAE;QACpC,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;QAC/C,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,OAAO;QACtE,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACd,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;IACtC,CAAC,CAAC;IAEF,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtB,KAAK,MAAM,KAAK,IAAI,QAAQ,EAAE,CAAC;YAC7B,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;YACnC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBACrB,MAAM,IAAI,QAAQ,CAAC,qCAAqC,KAAK,EAAE,CAAC,CAAC;YACnE,CAAC;YACD,IAAI,QAAQ,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE;gBAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;;gBACvD,GAAG,CAAC,GAAG,CAAC,CAAC;QAChB,CAAC;IACH,CAAC;SAAM,CAAC;QACN,IAAI,CAAC,MAAM,EAAE,kBAAkB,EAAE,GAAG,CAAC,CAAC;IACxC,CAAC;IAED,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACjF,OAAO,GAAG,CAAC;AACb,CAAC;AAED,6FAA6F;AAC7F,SAAS,kBAAkB,CAAC,KAAc,EAAE,IAAY;IACtD,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC,CAAC,qBAAqB;IAC7D,IAAI,KAAK;QAAE,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC1C,IAAI,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IAClC,MAAM,GAAG,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;IAC5D,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;AAC9B,CAAC;AAED,gGAAgG;AAChG,SAAS,IAAI,CACX,GAAW,EACX,MAAiD,EACjD,MAAiC;IAEjC,KAAK,MAAM,GAAG,IAAI,WAAW,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QAC5D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;QAChC,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QAChC,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,IAAI,CAAC;YAAE,SAAS;QACvC,IAAI,KAAK;YAAE,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;aAChC,IAAI,GAAG,CAAC,MAAM,EAAE;YAAE,MAAM,CAAC,GAAG,CAAC,CAAC;IACrC,CAAC;AACH,CAAC;AAED,uFAAuF;AACvF,SAAS,cAAc,CAAC,MAAc;IACpC,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;IAC7C,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IACtC,IAAI,CAAC;QACH,MAAM,MAAM,GAAY,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;QAClE,MAAM,SAAS,GACb,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI;YAC3C,CAAC,CAAE,MAAkC,CAAC,SAAS;YAC/C,CAAC,CAAC,SAAS,CAAC;QAChB,MAAM,MAAM,GACV,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,KAAK,IAAI;YACjD,CAAC,CAAE,SAAqC,CAAC,MAAM;YAC/C,CAAC,CAAC,SAAS,CAAC;QAChB,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,EAAE,CAAC;YACrF,OAAO,MAAM,CAAC;QAChB,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,iEAAiE;IACnE,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAqB;IACrD,IAAI,MAAM,KAAK,IAAI;QAAE,OAAO,YAAY,CAAC;IAEzC,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,EAAE,cAAc,EAAE,WAAW,EAAE,cAAc,CAAC,CAAC;IAC5E,IAAI,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC1B,MAAM,CAAC,GAAG,aAAa,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QAC9C,IAAI,CAAC,KAAK,IAAI;YAAE,OAAO,CAAC,CAAC;IAC3B,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;IAC7C,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACxB,KAAK,MAAM,KAAK,IAAI,CAAC,cAAc,EAAE,iBAAiB,EAAE,kBAAkB,CAAC,EAAE,CAAC;YAC5E,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,EAAE,KAAK,EAAE,WAAW,CAAC,CAAC;YACxD,IAAI,KAAK,KAAK,IAAI;gBAAE,OAAO,KAAK,CAAC;QACnC,CAAC;IACH,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,8FAA8F;AAC9F,MAAM,UAAU,cAAc,CAAC,MAAc;IAC3C,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;QAC7B,MAAM,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QAC7B,IAAI,UAAU,CAAC,CAAC,CAAC;YAAE,OAAO,SAAS,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;IACvD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,wBAAwB;AAExB,+FAA+F;AAC/F,KAAK,UAAU,OAAO,CAAC,GAAW,EAAE,KAAe;IACjD,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,IAAI,OAAO,CAAO,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACnC,MAAM,MAAM,GAAG,SAAS,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,KAAK,CAAC,CAAC;QACpF,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QACjD,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YACpB,GAAG,EAAE,CAAC;QACR,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IAC1B,CAAC,CAAC,CAAC;IACH,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;AAC/C,CAAC;AAED,SAAS,WAAW,CAAC,IAAY,EAAE,OAAe,EAAE,KAAiB;IACnE,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3D,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC7C,aAAa,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;AAC5B,CAAC;AAED,SAAS,SAAS,CAAC,KAAiB;IAClC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC;AAED,SAAS,OAAO,CAAC,CAAS;IACxB,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;AACtC,CAAC;AAED,SAAS,aAAa,CAAC,QAAgB,EAAE,KAAa;IACpD,IAAI,CAAC;QACH,MAAM,MAAM,GAAY,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;QACnE,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YAClD,MAAM,CAAC,GAAI,MAAkC,CAAC,KAAK,CAAC,CAAC;YACrD,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC;gBAAE,OAAO,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,SAAS;IACX,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,YAAY,CAAC,OAAe,EAAE,KAAa,EAAE,GAAW;IAC/D,IAAI,CAAC;QACH,MAAM,MAAM,GAAY,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;QAClE,MAAM,IAAI,GACR,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI;YAC3C,CAAC,CAAE,MAAkC,CAAC,KAAK,CAAC;YAC5C,CAAC,CAAC,SAAS,CAAC;QAChB,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;YAC9C,MAAM,KAAK,GAAI,IAAgC,CAAC,GAAG,CAAC,CAAC;YACrD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;gBAAE,OAAO,KAAK,CAAC;QAClE,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,SAAS;IACX,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/auth/discovery.d.ts

@@ -0,0 +1,8 @@
+import type { FetchLike } from "./pkce.js";
+export interface OAuthDiscovery {
+    authorizationEndpoint: string;
+    tokenEndpoint: string;
+}
+/** Fetch + parse the issuer's OAuth Authorization Server Metadata. Throws `CliError` (actionable) on
+ *  an unreachable endpoint, a non-2xx, a non-JSON body, or a document missing the two endpoints. */
+export declare function discoverOAuth(issuerUrl: string, fetchImpl?: FetchLike): Promise<OAuthDiscovery>;

package/dist/auth/discovery.js

@@ -0,0 +1,43 @@
+// OAuth discovery — one `BOARDWALK_ISSUER_URL` resolves BOTH the authorize page and the token
+// endpoint, which live on different hosts in Boardwalk's self-hosted OAuth server (the themed consent
+// page on the web app, the token exchange on the api-server). The CLI fetches the RFC 8414 metadata
+// document and reads `authorization_endpoint` + `token_endpoint` from it.
+import { CliError } from "../errors.js";
+const DISCOVERY_PATH = "/.well-known/oauth-authorization-server";
+const DISCOVERY_TIMEOUT_MS = 15_000;
+/** Fetch + parse the issuer's OAuth Authorization Server Metadata. Throws `CliError` (actionable) on
+ *  an unreachable endpoint, a non-2xx, a non-JSON body, or a document missing the two endpoints. */
+export async function discoverOAuth(issuerUrl, fetchImpl = fetch) {
+    const url = `${issuerUrl.replace(/\/+$/, "")}${DISCOVERY_PATH}`;
+    let res;
+    try {
+        res = await fetchImpl(url, {
+            headers: { Accept: "application/json" },
+            signal: AbortSignal.timeout(DISCOVERY_TIMEOUT_MS),
+        });
+    }
+    catch (err) {
+        throw new CliError(`Could not reach the OAuth discovery endpoint (${url}).`, err instanceof Error ? err.message : undefined);
+    }
+    if (!res.ok) {
+        throw new CliError(`OAuth discovery failed (${String(res.status)}) at ${url}.`, "Check BOARDWALK_ISSUER_URL (or BOARDWALK_API_DOMAIN) points at a Boardwalk deployment.");
+    }
+    let body;
+    try {
+        body = await res.json();
+    }
+    catch {
+        throw new CliError("OAuth discovery returned a non-JSON body.");
+    }
+    const b = typeof body === "object" && body !== null ? body : {};
+    const authorizationEndpoint = b.authorization_endpoint;
+    const tokenEndpoint = b.token_endpoint;
+    if (typeof authorizationEndpoint !== "string" || authorizationEndpoint.length === 0) {
+        throw new CliError("OAuth discovery document is missing an authorization_endpoint.");
+    }
+    if (typeof tokenEndpoint !== "string" || tokenEndpoint.length === 0) {
+        throw new CliError("OAuth discovery document is missing a token_endpoint.");
+    }
+    return { authorizationEndpoint, tokenEndpoint };
+}
+//# sourceMappingURL=discovery.js.map

package/dist/auth/discovery.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"discovery.js","sourceRoot":"","sources":["../../src/auth/discovery.ts"],"names":[],"mappings":"AAAA,8FAA8F;AAC9F,sGAAsG;AACtG,oGAAoG;AACpG,0EAA0E;AAE1E,OAAO,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAGxC,MAAM,cAAc,GAAG,yCAAyC,CAAC;AACjE,MAAM,oBAAoB,GAAG,MAAM,CAAC;AAOpC;oGACoG;AACpG,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,SAAiB,EACjB,YAAuB,KAAK;IAE5B,MAAM,GAAG,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,GAAG,cAAc,EAAE,CAAC;IAEhE,IAAI,GAAa,CAAC;IAClB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE;YACzB,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,oBAAoB,CAAC;SAClD,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,QAAQ,CAChB,iDAAiD,GAAG,IAAI,EACxD,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAC/C,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,QAAQ,CAChB,2BAA2B,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,GAAG,GAAG,EAC3D,wFAAwF,CACzF,CAAC;IACJ,CAAC;IAED,IAAI,IAAa,CAAC;IAClB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,QAAQ,CAAC,2CAA2C,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,CAAC,GAAG,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,CAAC,CAAC,CAAE,IAAgC,CAAC,CAAC,CAAC,EAAE,CAAC;IAC7F,MAAM,qBAAqB,GAAG,CAAC,CAAC,sBAAsB,CAAC;IACvD,MAAM,aAAa,GAAG,CAAC,CAAC,cAAc,CAAC;IACvC,IAAI,OAAO,qBAAqB,KAAK,QAAQ,IAAI,qBAAqB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpF,MAAM,IAAI,QAAQ,CAAC,gEAAgE,CAAC,CAAC;IACvF,CAAC;IACD,IAAI,OAAO,aAAa,KAAK,QAAQ,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpE,MAAM,IAAI,QAAQ,CAAC,uDAAuD,CAAC,CAAC;IAC9E,CAAC;IACD,OAAO,EAAE,qBAAqB,EAAE,aAAa,EAAE,CAAC;AAClD,CAAC"}

package/dist/auth/login.d.ts

@@ -0,0 +1,13 @@
+import type { CliConfig } from "../config.js";
+import type { CredentialStore, StoredSession } from "../credentials.js";
+import { type FetchLike } from "./pkce.js";
+export interface PerformLoginDeps {
+    config: CliConfig;
+    store: CredentialStore;
+    /** Opens a URL in the user's browser. Injected for tests; defaults to the `open` package. */
+    openBrowser?: (url: string) => Promise<void>;
+    fetchImpl?: FetchLike;
+    log?: (line: string) => void;
+    scope?: string;
+}
+export declare function performLogin(deps: PerformLoginDeps): Promise<StoredSession>;

package/dist/auth/login.js

@@ -0,0 +1,74 @@
+// performLogin — orchestrates the browser PKCE handshake and persists the session.
+//
+// Flow: start the loopback callback server → open the issuer's /oauth/authorize in the browser →
+// catch the redirect (validating state) → exchange the code at /oauth/token → store the session.
+// Requires a configured OAuth application (public client id) whose redirect allowlist includes the
+// loopback URI.
+import { CliError } from "../errors.js";
+import { buildAuthorizeUrl, exchangeCode, generatePkcePair, randomState, startLoopback, } from "./pkce.js";
+import { discoverOAuth } from "./discovery.js";
+/**
+ * openid+profile+email so the issued JWT carries the claims the backend JIT-provisions users from;
+ * `offline_access` so the IdP returns a refresh token (OIDC providers only mint one when it's
+ * requested) — without it every expired session would force a full re-login instead of a silent
+ * `resolveToken` refresh.
+ */
+const DEFAULT_SCOPE = "openid profile email offline_access";
+export async function performLogin(deps) {
+    const clientId = deps.config.oauthClientId;
+    if (clientId === null) {
+        throw new CliError("No OAuth client id configured for `boardwalk login`.", "Set BOARDWALK_OAUTH_CLIENT_ID to the OAuth application's public client id " +
+            `(its redirect allowlist must include http://127.0.0.1:${String(deps.config.loopbackPort)}/callback).`);
+    }
+    const endpoints = await discoverOAuth(deps.config.issuerUrl, deps.fetchImpl);
+    const { verifier, challenge } = generatePkcePair();
+    const state = randomState();
+    const log = deps.log ??
+        ((line) => {
+            console.log(line);
+        });
+    const loopback = await startLoopback(deps.config.loopbackPort);
+    try {
+        const url = buildAuthorizeUrl({
+            authorizeEndpoint: endpoints.authorizationEndpoint,
+            clientId,
+            redirectUri: loopback.redirectUri,
+            codeChallenge: challenge,
+            state,
+            scope: deps.scope ?? DEFAULT_SCOPE,
+        });
+        log("Opening your browser to sign in to Boardwalk…");
+        log(`If it doesn't open automatically, visit:\n  ${url}`);
+        const openBrowser = deps.openBrowser ?? defaultOpenBrowser;
+        await openBrowser(url).catch(() => {
+            // Non-fatal: the user can paste the URL printed above.
+        });
+        const code = await loopback.awaitCode(state);
+        const token = await exchangeCode({
+            tokenEndpoint: endpoints.tokenEndpoint,
+            clientId,
+            code,
+            codeVerifier: verifier,
+            redirectUri: loopback.redirectUri,
+            fetchImpl: deps.fetchImpl,
+        });
+        const session = {
+            accessToken: token.accessToken,
+            refreshToken: token.refreshToken,
+            expiresAt: token.expiresAt,
+            clientId,
+            tokenEndpoint: endpoints.tokenEndpoint,
+            scope: token.scope,
+        };
+        deps.store.putSession(session);
+        return session;
+    }
+    finally {
+        loopback.close();
+    }
+}
+async function defaultOpenBrowser(url) {
+    const open = (await import("open")).default;
+    await open(url);
+}
+//# sourceMappingURL=login.js.map

package/dist/auth/login.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"login.js","sourceRoot":"","sources":["../../src/auth/login.ts"],"names":[],"mappings":"AAAA,mFAAmF;AACnF,EAAE;AACF,iGAAiG;AACjG,iGAAiG;AACjG,mGAAmG;AACnG,gBAAgB;AAEhB,OAAO,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAGxC,OAAO,EACL,iBAAiB,EACjB,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACX,aAAa,GAEd,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAE/C;;;;;GAKG;AACH,MAAM,aAAa,GAAG,qCAAqC,CAAC;AAY5D,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,IAAsB;IACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;IAC3C,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtB,MAAM,IAAI,QAAQ,CAChB,sDAAsD,EACtD,4EAA4E;YAC1E,yDAAyD,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,aAAa,CACzG,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;IAC7E,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,gBAAgB,EAAE,CAAC;IACnD,MAAM,KAAK,GAAG,WAAW,EAAE,CAAC;IAC5B,MAAM,GAAG,GACP,IAAI,CAAC,GAAG;QACR,CAAC,CAAC,IAAY,EAAQ,EAAE;YACtB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACpB,CAAC,CAAC,CAAC;IAEL,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAC/D,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,iBAAiB,CAAC;YAC5B,iBAAiB,EAAE,SAAS,CAAC,qBAAqB;YAClD,QAAQ;YACR,WAAW,EAAE,QAAQ,CAAC,WAAW;YACjC,aAAa,EAAE,SAAS;YACxB,KAAK;YACL,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,aAAa;SACnC,CAAC,CAAC;QAEH,GAAG,CAAC,+CAA+C,CAAC,CAAC;QACrD,GAAG,CAAC,+CAA+C,GAAG,EAAE,CAAC,CAAC;QAC1D,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,kBAAkB,CAAC;QAC3D,MAAM,WAAW,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;YAChC,uDAAuD;QACzD,CAAC,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC7C,MAAM,KAAK,GAAG,MAAM,YAAY,CAAC;YAC/B,aAAa,EAAE,SAAS,CAAC,aAAa;YACtC,QAAQ;YACR,IAAI;YACJ,YAAY,EAAE,QAAQ;YACtB,WAAW,EAAE,QAAQ,CAAC,WAAW;YACjC,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,CAAC,CAAC;QAEH,MAAM,OAAO,GAAkB;YAC7B,WAAW,EAAE,KAAK,CAAC,WAAW;YAC9B,YAAY,EAAE,KAAK,CAAC,YAAY;YAChC,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,QAAQ;YACR,aAAa,EAAE,SAAS,CAAC,aAAa;YACtC,KAAK,EAAE,KAAK,CAAC,KAAK;SACnB,CAAC;QACF,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAC/B,OAAO,OAAO,CAAC;IACjB,CAAC;YAAS,CAAC;QACT,QAAQ,CAAC,KAAK,EAAE,CAAC;IACnB,CAAC;AACH,CAAC;AAED,KAAK,UAAU,kBAAkB,CAAC,GAAW;IAC3C,MAAM,IAAI,GAAG,CAAC,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC;IAC5C,MAAM,IAAI,CAAC,GAAG,CAAC,CAAC;AAClB,CAAC"}