@boardwalk-labs/cli 0.1.0

package/dist/auth/pkce.d.ts

@@ -0,0 +1,63 @@
+export type FetchLike = typeof fetch;
+export interface PkcePair {
+    verifier: string;
+    challenge: string;
+}
+/** A 48-byte verifier (base64url) + its S256 challenge. */
+export declare function generatePkcePair(): PkcePair;
+/** Opaque CSRF state (random UUID, hyphens stripped). */
+export declare function randomState(): string;
+export interface OAuthEndpoints {
+    authorize: string;
+    token: string;
+}
+/** The issuer's OAuth2 endpoints, derived from the issuer origin. */
+export declare function oauthEndpoints(issuerUrl: string): OAuthEndpoints;
+export interface AuthorizeUrlParams {
+    authorizeEndpoint: string;
+    clientId: string;
+    redirectUri: string;
+    codeChallenge: string;
+    state: string;
+    scope: string;
+}
+export declare function buildAuthorizeUrl(p: AuthorizeUrlParams): string;
+export interface TokenResponse {
+    accessToken: string;
+    refreshToken: string | null;
+    /** Absolute expiry epoch ms, or null when the IdP didn't return `expires_in`. */
+    expiresAt: number | null;
+    scope: string | null;
+}
+export interface ExchangeCodeParams {
+    tokenEndpoint: string;
+    clientId: string;
+    code: string;
+    codeVerifier: string;
+    redirectUri: string;
+    fetchImpl?: FetchLike | undefined;
+    now?: number | undefined;
+}
+export declare function exchangeCode(p: ExchangeCodeParams): Promise<TokenResponse>;
+export interface RefreshParams {
+    tokenEndpoint: string;
+    clientId: string;
+    refreshToken: string;
+    fetchImpl?: FetchLike | undefined;
+    now?: number | undefined;
+}
+export declare function refreshAccessToken(p: RefreshParams): Promise<TokenResponse>;
+/** True when `expiresAt` is within the grace window of `now` (or already past). Null = never. */
+export declare function isExpired(expiresAt: number | null, now?: number): boolean;
+export interface Loopback {
+    redirectUri: string;
+    port: number;
+    /** Resolves with the authorization `code` once the browser redirects back (validates `state`). */
+    awaitCode(expectedState: string): Promise<string>;
+    close(): void;
+}
+/**
+ * Start a localhost callback server on the fixed `port`. The redirect URI it advertises must be
+ * allowlisted on the OAuth application.
+ */
+export declare function startLoopback(port: number): Promise<Loopback>;

package/dist/auth/pkce.js

@@ -0,0 +1,197 @@
+// OAuth 2.0 Authorization Code + PKCE — the primitives `boardwalk login` runs against the
+// platform's identity provider (an internal detail; the CLI only knows the issuer URL).
+//
+// Notable adaptations for this IdP:
+//   - The backend has no OAuth authorization server of its own (it only VERIFIES issued JWTs via
+//     JWKS), so we authenticate directly against the issuer's `/oauth/authorize` + `/oauth/token`.
+//   - No RFC 7591 dynamic client registration → the public client id is pre-provisioned (an OAuth
+//     application) and supplied via config, not registered on the fly.
+//   - The redirect allowlist wants exact URIs → we use a FIXED loopback port (config), not an
+//     ephemeral one. RFC 8707 resource indicators are dropped (single audience: the session).
+//
+// The pure pieces (pair/state/URL/exchange/refresh/expiry) are unit-tested with an injected fetch;
+// the loopback server + browser open are exercised by the login command, not unit tests.
+import { randomBytes, createHash, randomUUID } from "node:crypto";
+import { createServer } from "node:http";
+import { CliError } from "../errors.js";
+const CALLBACK_PATH = "/callback";
+const TOKEN_REQUEST_TIMEOUT_MS = 20_000;
+const CALLBACK_TIMEOUT_MS = 180_000;
+/** Treat a token as expired this long BEFORE its true expiry, to avoid using it mid-flight. */
+const EXPIRY_GRACE_MS = 30_000;
+/** A 48-byte verifier (base64url) + its S256 challenge. */
+export function generatePkcePair() {
+    const verifier = randomBytes(48).toString("base64url");
+    const challenge = createHash("sha256").update(verifier, "ascii").digest().toString("base64url");
+    return { verifier, challenge };
+}
+/** Opaque CSRF state (random UUID, hyphens stripped). */
+export function randomState() {
+    return randomUUID().replace(/-/g, "");
+}
+/** The issuer's OAuth2 endpoints, derived from the issuer origin. */
+export function oauthEndpoints(issuerUrl) {
+    const base = issuerUrl.replace(/\/+$/, "");
+    return { authorize: `${base}/oauth/authorize`, token: `${base}/oauth/token` };
+}
+export function buildAuthorizeUrl(p) {
+    const params = new URLSearchParams({
+        response_type: "code",
+        client_id: p.clientId,
+        redirect_uri: p.redirectUri,
+        code_challenge: p.codeChallenge,
+        code_challenge_method: "S256",
+        state: p.state,
+        scope: p.scope,
+    });
+    return `${p.authorizeEndpoint}?${params.toString()}`;
+}
+export async function exchangeCode(p) {
+    const form = new URLSearchParams({
+        grant_type: "authorization_code",
+        client_id: p.clientId,
+        code: p.code,
+        code_verifier: p.codeVerifier,
+        redirect_uri: p.redirectUri,
+    });
+    return postToken(p.tokenEndpoint, form, p.fetchImpl, p.now);
+}
+export async function refreshAccessToken(p) {
+    const form = new URLSearchParams({
+        grant_type: "refresh_token",
+        client_id: p.clientId,
+        refresh_token: p.refreshToken,
+    });
+    return postToken(p.tokenEndpoint, form, p.fetchImpl, p.now);
+}
+/** True when `expiresAt` is within the grace window of `now` (or already past). Null = never. */
+export function isExpired(expiresAt, now = Date.now()) {
+    if (expiresAt === null)
+        return false;
+    return now >= expiresAt - EXPIRY_GRACE_MS;
+}
+async function postToken(tokenEndpoint, form, fetchImpl = fetch, now = Date.now()) {
+    let res;
+    try {
+        res = await fetchImpl(tokenEndpoint, {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json" },
+            body: form.toString(),
+            signal: AbortSignal.timeout(TOKEN_REQUEST_TIMEOUT_MS),
+        });
+    }
+    catch (err) {
+        throw new CliError(`Could not reach the token endpoint (${tokenEndpoint}).`, err instanceof Error ? err.message : undefined);
+    }
+    const bodyText = await res.text();
+    if (!res.ok) {
+        throw new CliError(`Token request failed (${String(res.status)}).`, oauthErrorDetail(bodyText));
+    }
+    return parseTokenBody(bodyText, now);
+}
+function parseTokenBody(bodyText, now) {
+    let body;
+    try {
+        body = JSON.parse(bodyText);
+    }
+    catch {
+        throw new CliError("Token endpoint returned a non-JSON body.");
+    }
+    if (typeof body !== "object" || body === null) {
+        throw new CliError("Token endpoint returned an unexpected body.");
+    }
+    const b = body;
+    const accessToken = b.access_token;
+    if (typeof accessToken !== "string" || accessToken.length === 0) {
+        throw new CliError("Token endpoint response is missing an access_token.");
+    }
+    const expiresIn = typeof b.expires_in === "number" ? b.expires_in : null;
+    return {
+        accessToken,
+        refreshToken: typeof b.refresh_token === "string" ? b.refresh_token : null,
+        expiresAt: expiresIn !== null ? now + expiresIn * 1000 : null,
+        scope: typeof b.scope === "string" ? b.scope : null,
+    };
+}
+/** Best-effort `error_description`/`error` from an OAuth error body, for the hint line. */
+function oauthErrorDetail(bodyText) {
+    try {
+        const body = JSON.parse(bodyText);
+        if (typeof body === "object" && body !== null) {
+            const b = body;
+            const detail = b.error_description ?? b.error;
+            if (typeof detail === "string" && detail.length > 0)
+                return detail;
+        }
+    }
+    catch {
+        // not JSON — fall through
+    }
+    return bodyText.length > 0 ? bodyText.slice(0, 200) : undefined;
+}
+/**
+ * Start a localhost callback server on the fixed `port`. The redirect URI it advertises must be
+ * allowlisted on the OAuth application.
+ */
+export async function startLoopback(port) {
+    let resolveCode;
+    let rejectCode;
+    const codePromise = new Promise((resolve, reject) => {
+        resolveCode = resolve;
+        rejectCode = reject;
+    });
+    const server = createServer((req, res) => {
+        const url = new URL(req.url ?? "/", `http://127.0.0.1:${String(port)}`);
+        if (url.pathname !== CALLBACK_PATH) {
+            res.writeHead(404);
+            res.end();
+            return;
+        }
+        const code = url.searchParams.get("code") ?? "";
+        const state = url.searchParams.get("state") ?? "";
+        const error = url.searchParams.get("error") ?? "";
+        const expectedState = pendingState;
+        let message;
+        if (error.length > 0) {
+            message = `Authorization failed: ${error}`;
+            rejectCode(new CliError(message));
+        }
+        else if (code.length === 0) {
+            message = "Authorization failed: no code in the callback.";
+            rejectCode(new CliError(message));
+        }
+        else if (expectedState === null || state !== expectedState) {
+            message = "Authorization failed: state mismatch (possible CSRF).";
+            rejectCode(new CliError(message));
+        }
+        else {
+            message = "Boardwalk login complete — you can close this tab and return to the terminal.";
+            resolveCode(code);
+        }
+        res.writeHead(200, { "Content-Type": "text/plain; charset=utf-8" });
+        res.end(message);
+    });
+    let pendingState = null;
+    await new Promise((resolve, reject) => {
+        server.once("error", reject);
+        server.listen(port, "127.0.0.1", resolve);
+    });
+    return {
+        redirectUri: `http://127.0.0.1:${String(port)}${CALLBACK_PATH}`,
+        port,
+        awaitCode(expectedState) {
+            pendingState = expectedState;
+            const timeout = new Promise((_resolve, reject) => {
+                const t = setTimeout(() => {
+                    reject(new CliError("Timed out waiting for the browser authorization (3 min)."));
+                }, CALLBACK_TIMEOUT_MS);
+                t.unref();
+            });
+            return Promise.race([codePromise, timeout]);
+        },
+        close() {
+            server.close();
+        },
+    };
+}
+//# sourceMappingURL=pkce.js.map

package/dist/auth/pkce.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/auth/pkce.ts"],"names":[],"mappings":"AAAA,0FAA0F;AAC1F,wFAAwF;AACxF,EAAE;AACF,oCAAoC;AACpC,iGAAiG;AACjG,mGAAmG;AACnG,kGAAkG;AAClG,uEAAuE;AACvE,8FAA8F;AAC9F,8FAA8F;AAC9F,EAAE;AACF,mGAAmG;AACnG,yFAAyF;AAEzF,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,YAAY,EAA6C,MAAM,WAAW,CAAC;AACpF,OAAO,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAIxC,MAAM,aAAa,GAAG,WAAW,CAAC;AAClC,MAAM,wBAAwB,GAAG,MAAM,CAAC;AACxC,MAAM,mBAAmB,GAAG,OAAO,CAAC;AACpC,+FAA+F;AAC/F,MAAM,eAAe,GAAG,MAAM,CAAC;AAO/B,2DAA2D;AAC3D,MAAM,UAAU,gBAAgB;IAC9B,MAAM,QAAQ,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACvD,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAChG,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;AACjC,CAAC;AAED,yDAAyD;AACzD,MAAM,UAAU,WAAW;IACzB,OAAO,UAAU,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AACxC,CAAC;AAOD,qEAAqE;AACrE,MAAM,UAAU,cAAc,CAAC,SAAiB;IAC9C,MAAM,IAAI,GAAG,SAAS,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAC3C,OAAO,EAAE,SAAS,EAAE,GAAG,IAAI,kBAAkB,EAAE,KAAK,EAAE,GAAG,IAAI,cAAc,EAAE,CAAC;AAChF,CAAC;AAWD,MAAM,UAAU,iBAAiB,CAAC,CAAqB;IACrD,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,aAAa,EAAE,MAAM;QACrB,SAAS,EAAE,CAAC,CAAC,QAAQ;QACrB,YAAY,EAAE,CAAC,CAAC,WAAW;QAC3B,cAAc,EAAE,CAAC,CAAC,aAAa;QAC/B,qBAAqB,EAAE,MAAM;QAC7B,KAAK,EAAE,CAAC,CAAC,KAAK;QACd,KAAK,EAAE,CAAC,CAAC,KAAK;KACf,CAAC,CAAC;IACH,OAAO,GAAG,CAAC,CAAC,iBAAiB,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;AACvD,CAAC;AAoBD,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,CAAqB;IACtD,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,UAAU,EAAE,oBAAoB;QAChC,SAAS,EAAE,CAAC,CAAC,QAAQ;QACrB,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,aAAa,EAAE,CAAC,CAAC,YAAY;QAC7B,YAAY,EAAE,CAAC,CAAC,WAAW;KAC5B,CAAC,CAAC;IACH,OAAO,SAAS,CAAC,CAAC,CAAC,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC;AAC9D,CAAC;AAUD,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,CAAgB;IACvD,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,UAAU,EAAE,eAAe;QAC3B,SAAS,EAAE,CAAC,CAAC,QAAQ;QACrB,aAAa,EAAE,CAAC,CAAC,YAAY;KAC9B,CAAC,CAAC;IACH,OAAO,SAAS,CAAC,CAAC,CAAC,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC;AAC9D,CAAC;AAED,iGAAiG;AACjG,MAAM,UAAU,SAAS,CAAC,SAAwB,EAAE,MAAc,IAAI,CAAC,GAAG,EAAE;IAC1E,IAAI,SAAS,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IACrC,OAAO,GAAG,IAAI,SAAS,GAAG,eAAe,CAAC;AAC5C,CAAC;AAED,KAAK,UAAU,SAAS,CACtB,aAAqB,EACrB,IAAqB,EACrB,YAAuB,KAAK,EAC5B,MAAc,IAAI,CAAC,GAAG,EAAE;IAExB,IAAI,GAAa,CAAC;IAClB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,SAAS,CAAC,aAAa,EAAE;YACnC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE,MAAM,EAAE,kBAAkB,EAAE;YAC5F,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;YACrB,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,wBAAwB,CAAC;SACtD,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,QAAQ,CAChB,uCAAuC,aAAa,IAAI,EACxD,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAC/C,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IAClC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,QAAQ,CAAC,yBAAyB,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC;IAClG,CAAC;IACD,OAAO,cAAc,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;AACvC,CAAC;AAED,SAAS,cAAc,CAAC,QAAgB,EAAE,GAAW;IACnD,IAAI,IAAa,CAAC;IAClB,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,QAAQ,CAAC,0CAA0C,CAAC,CAAC;IACjE,CAAC;IACD,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;QAC9C,MAAM,IAAI,QAAQ,CAAC,6CAA6C,CAAC,CAAC;IACpE,CAAC;IACD,MAAM,CAAC,GAAG,IAA+B,CAAC;IAC1C,MAAM,WAAW,GAAG,CAAC,CAAC,YAAY,CAAC;IACnC,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,QAAQ,CAAC,qDAAqD,CAAC,CAAC;IAC5E,CAAC;IACD,MAAM,SAAS,GAAG,OAAO,CAAC,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC;IACzE,OAAO;QACL,WAAW;QACX,YAAY,EAAE,OAAO,CAAC,CAAC,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI;QAC1E,SAAS,EAAE,SAAS,KAAK,IAAI,CAAC,CAAC,CAAC,GAAG,GAAG,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI;QAC7D,KAAK,EAAE,OAAO,CAAC,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI;KACpD,CAAC;AACJ,CAAC;AAED,2FAA2F;AAC3F,SAAS,gBAAgB,CAAC,QAAgB;IACxC,IAAI,CAAC;QACH,MAAM,IAAI,GAAY,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QAC3C,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;YAC9C,MAAM,CAAC,GAAG,IAA+B,CAAC;YAC1C,MAAM,MAAM,GAAG,CAAC,CAAC,iBAAiB,IAAI,CAAC,CAAC,KAAK,CAAC;YAC9C,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC;gBAAE,OAAO,MAAM,CAAC;QACrE,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,0BAA0B;IAC5B,CAAC;IACD,OAAO,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAClE,CAAC;AAUD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,IAAY;IAC9C,IAAI,WAAmC,CAAC;IACxC,IAAI,UAAgC,CAAC;IACrC,MAAM,WAAW,GAAG,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1D,WAAW,GAAG,OAAO,CAAC;QACtB,UAAU,GAAG,MAAM,CAAC;IACtB,CAAC,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,GAAoB,EAAE,GAAmB,EAAE,EAAE;QACxE,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,oBAAoB,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACxE,IAAI,GAAG,CAAC,QAAQ,KAAK,aAAa,EAAE,CAAC;YACnC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACnB,GAAG,CAAC,GAAG,EAAE,CAAC;YACV,OAAO;QACT,CAAC;QACD,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QAChD,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAClD,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAClD,MAAM,aAAa,GAAG,YAAY,CAAC;QAEnC,IAAI,OAAe,CAAC;QACpB,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,OAAO,GAAG,yBAAyB,KAAK,EAAE,CAAC;YAC3C,UAAU,CAAC,IAAI,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;QACpC,CAAC;aAAM,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC7B,OAAO,GAAG,gDAAgD,CAAC;YAC3D,UAAU,CAAC,IAAI,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;QACpC,CAAC;aAAM,IAAI,aAAa,KAAK,IAAI,IAAI,KAAK,KAAK,aAAa,EAAE,CAAC;YAC7D,OAAO,GAAG,uDAAuD,CAAC;YAClE,UAAU,CAAC,IAAI,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;QACpC,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,+EAA+E,CAAC;YAC1F,WAAW,CAAC,IAAI,CAAC,CAAC;QACpB,CAAC;QACD,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,2BAA2B,EAAE,CAAC,CAAC;QACpE,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACnB,CAAC,CAAC,CAAC;IAEH,IAAI,YAAY,GAAkB,IAAI,CAAC;IAEvC,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC7B,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,WAAW,EAAE,oBAAoB,MAAM,CAAC,IAAI,CAAC,GAAG,aAAa,EAAE;QAC/D,IAAI;QACJ,SAAS,CAAC,aAAqB;YAC7B,YAAY,GAAG,aAAa,CAAC;YAC7B,MAAM,OAAO,GAAG,IAAI,OAAO,CAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,EAAE;gBACvD,MAAM,CAAC,GAAG,UAAU,CAAC,GAAG,EAAE;oBACxB,MAAM,CAAC,IAAI,QAAQ,CAAC,0DAA0D,CAAC,CAAC,CAAC;gBACnF,CAAC,EAAE,mBAAmB,CAAC,CAAC;gBACxB,CAAC,CAAC,KAAK,EAAE,CAAC;YACZ,CAAC,CAAC,CAAC;YACH,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC;QAC9C,CAAC;QACD,KAAK;YACH,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/auth/resolve.d.ts

@@ -0,0 +1,12 @@
+import type { CliConfig } from "../config.js";
+import type { CredentialStore } from "../credentials.js";
+import { type FetchLike } from "./pkce.js";
+export interface ResolveTokenDeps {
+    config: CliConfig;
+    store: CredentialStore;
+    tokenFlag?: string | undefined;
+    env?: NodeJS.ProcessEnv;
+    fetchImpl?: FetchLike;
+    now?: number;
+}
+export declare function resolveToken(deps: ResolveTokenDeps): Promise<string>;

package/dist/auth/resolve.js

@@ -0,0 +1,51 @@
+// resolveToken — the single place a command turns "the user" into a Bearer token.
+//
+// Precedence (highest first):
+//   1. an explicit `--token` flag (one-off / scripting)
+//   2. `BOARDWALK_API_KEY` env (CI / headless — a `bwk_…` key)
+//   3. the stored `boardwalk login` session — refreshed in place when expired
+//
+// Throws `CliError` (actionable) when none is available or a refresh can't proceed.
+import { CliError } from "../errors.js";
+import { isExpired, refreshAccessToken } from "./pkce.js";
+export async function resolveToken(deps) {
+    const env = deps.env ?? process.env;
+    // 1. explicit --token
+    const flag = deps.tokenFlag?.trim();
+    if (flag !== undefined && flag.length > 0)
+        return flag;
+    // 2. env API key (CI)
+    const envKey = env.BOARDWALK_API_KEY?.trim();
+    if (envKey !== undefined && envKey.length > 0)
+        return envKey;
+    // 3. stored login session
+    const session = deps.store.getSession();
+    if (session === null) {
+        throw new CliError("Not authenticated.", "Run `boardwalk login`, or set BOARDWALK_API_KEY.");
+    }
+    if (!isExpired(session.expiresAt, deps.now))
+        return session.accessToken;
+    // expired → refresh in place
+    if (session.refreshToken === null ||
+        session.tokenEndpoint === null ||
+        session.clientId === null) {
+        throw new CliError("Your session has expired.", "Run `boardwalk login` again.");
+    }
+    const refreshed = await refreshAccessToken({
+        tokenEndpoint: session.tokenEndpoint,
+        clientId: session.clientId,
+        refreshToken: session.refreshToken,
+        fetchImpl: deps.fetchImpl,
+        now: deps.now,
+    });
+    deps.store.putSession({
+        accessToken: refreshed.accessToken,
+        refreshToken: refreshed.refreshToken ?? session.refreshToken,
+        expiresAt: refreshed.expiresAt,
+        clientId: session.clientId,
+        tokenEndpoint: session.tokenEndpoint,
+        scope: refreshed.scope ?? session.scope,
+    });
+    return refreshed.accessToken;
+}
+//# sourceMappingURL=resolve.js.map

package/dist/auth/resolve.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve.js","sourceRoot":"","sources":["../../src/auth/resolve.ts"],"names":[],"mappings":"AAAA,kFAAkF;AAClF,EAAE;AACF,8BAA8B;AAC9B,wDAAwD;AACxD,+DAA+D;AAC/D,8EAA8E;AAC9E,EAAE;AACF,oFAAoF;AAEpF,OAAO,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAGxC,OAAO,EAAE,SAAS,EAAE,kBAAkB,EAAkB,MAAM,WAAW,CAAC;AAW1E,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,IAAsB;IACvD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC;IAEpC,sBAAsB;IACtB,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC;IACpC,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEvD,sBAAsB;IACtB,MAAM,MAAM,GAAG,GAAG,CAAC,iBAAiB,EAAE,IAAI,EAAE,CAAC;IAC7C,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,MAAM,CAAC;IAE7D,0BAA0B;IAC1B,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;IACxC,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACrB,MAAM,IAAI,QAAQ,CAAC,oBAAoB,EAAE,kDAAkD,CAAC,CAAC;IAC/F,CAAC;IACD,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,OAAO,CAAC,WAAW,CAAC;IAExE,6BAA6B;IAC7B,IACE,OAAO,CAAC,YAAY,KAAK,IAAI;QAC7B,OAAO,CAAC,aAAa,KAAK,IAAI;QAC9B,OAAO,CAAC,QAAQ,KAAK,IAAI,EACzB,CAAC;QACD,MAAM,IAAI,QAAQ,CAAC,2BAA2B,EAAE,8BAA8B,CAAC,CAAC;IAClF,CAAC;IACD,MAAM,SAAS,GAAG,MAAM,kBAAkB,CAAC;QACzC,aAAa,EAAE,OAAO,CAAC,aAAa;QACpC,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,GAAG,EAAE,IAAI,CAAC,GAAG;KACd,CAAC,CAAC;IACH,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC;QACpB,WAAW,EAAE,SAAS,CAAC,WAAW;QAClC,YAAY,EAAE,SAAS,CAAC,YAAY,IAAI,OAAO,CAAC,YAAY;QAC5D,SAAS,EAAE,SAAS,CAAC,SAAS;QAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,aAAa,EAAE,OAAO,CAAC,aAAa;QACpC,KAAK,EAAE,SAAS,CAAC,KAAK,IAAI,OAAO,CAAC,KAAK;KACxC,CAAC,CAAC;IACH,OAAO,SAAS,CAAC,WAAW,CAAC;AAC/B,CAAC"}

package/dist/bundle.d.ts

@@ -0,0 +1,35 @@
+/** True when `target` is a directory (a workflow package), vs. a single program file. */
+export declare function isPackageDir(target: string): boolean;
+/**
+ * Resolve a deploy/dev target to its entry file: a file path returns itself; a directory resolves
+ * via package.json `module`/`main`, then `index.{ts,mts,js,mjs}`.
+ */
+export declare function resolveEntry(target: string): string;
+/**
+ * esbuild-bundle the entry into one self-contained ESM string. `@boardwalk-labs/workflow` is left
+ * external (host-provided). Not minified — the `meta` literal must stay statically extractable.
+ */
+export declare function bundleWorkflow(entryFile: string): Promise<string>;
+/** A bundled program plus its external sourcemap (for run-error symbolication back to user files). */
+export interface BundledProgram {
+    /** The bundled ESM (`index.mjs`); `@boardwalk-labs/workflow` left external, not minified. */
+    code: string;
+    /** The external sourcemap JSON (`index.mjs.map`). */
+    map: string;
+}
+/**
+ * esbuild-bundle the entry into `{ code, map }` for the deploy ARTIFACT. Same externals/format as
+ * {@link bundleWorkflow} but emits a `linked` sourcemap so a run's stack traces resolve back to the
+ * author's files. Output names are fixed (`index.mjs` / `index.mjs.map`) so the linked
+ * `sourceMappingURL` matches the artifact's layout.
+ */
+export declare function bundleWorkflowWithMap(entryFile: string): Promise<BundledProgram>;
+/**
+ * esbuild-bundle the entry for `boardwalk dev` — like {@link bundleWorkflow}, but
+ * `@boardwalk-labs/workflow` imports are rewritten to the ABSOLUTE path of the CLI's own installed
+ * copy. The SDK's host state is a module-level singleton, so the program and the CLI must load
+ * the SAME module instance for `installHost` (called by the CLI) to be visible to the program's
+ * hooks; an absolute specifier guarantees that regardless of where the bundle file lives or
+ * whether the project has its own `node_modules`.
+ */
+export declare function bundleForDev(entryFile: string): Promise<string>;

package/dist/bundle.js

@@ -0,0 +1,176 @@
+// Bundle-at-deploy.
+//
+// A workflow is a package with an `index` entrypoint; a single file is the no-deps case. When a
+// program pulls in npm packages, we bundle it AT DEPLOY (not at runtime) via esbuild into one
+// self-contained, version-pinned ESM artifact and upload THAT as the run's `source`:
+//   - `@boardwalk-labs/workflow` is marked EXTERNAL (host-provided — bundling a copy would give the
+//     program its own host state, separate from the engine's, and break the host seam).
+//   - `meta` stays a pure literal in the output, so engines re-derive the manifest from it.
+//   - Bundling at deploy keeps run cold-start fast and pins deps at PR time.
+import { build } from "esbuild";
+import { existsSync, readFileSync, statSync } from "node:fs";
+import { createRequire } from "node:module";
+import { join, resolve } from "node:path";
+import { CliError } from "./errors.js";
+const SDK_PACKAGE = "@boardwalk-labs/workflow";
+const ENTRY_CANDIDATES = ["index.ts", "index.mts", "index.js", "index.mjs"];
+/** True when `target` is a directory (a workflow package), vs. a single program file. */
+export function isPackageDir(target) {
+    try {
+        return statSync(resolve(target)).isDirectory();
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Resolve a deploy/dev target to its entry file: a file path returns itself; a directory resolves
+ * via package.json `module`/`main`, then `index.{ts,mts,js,mjs}`.
+ */
+export function resolveEntry(target) {
+    const abs = resolve(target);
+    let isDir;
+    try {
+        isDir = statSync(abs).isDirectory();
+    }
+    catch {
+        throw new CliError(`Path not found: ${target}`);
+    }
+    if (!isDir)
+        return abs;
+    const pkgPath = join(abs, "package.json");
+    if (existsSync(pkgPath)) {
+        const entry = readPkgEntry(pkgPath);
+        if (entry !== null) {
+            const entryAbs = resolve(abs, entry);
+            if (existsSync(entryAbs))
+                return entryAbs;
+        }
+    }
+    for (const name of ENTRY_CANDIDATES) {
+        const candidate = join(abs, name);
+        if (existsSync(candidate))
+            return candidate;
+    }
+    throw new CliError(`No entry file found in ${target}`, `Add an ${ENTRY_CANDIDATES.join(" / ")}, or set "module"/"main" in package.json.`);
+}
+/**
+ * esbuild-bundle the entry into one self-contained ESM string. `@boardwalk-labs/workflow` is left
+ * external (host-provided). Not minified — the `meta` literal must stay statically extractable.
+ */
+export async function bundleWorkflow(entryFile) {
+    let result;
+    try {
+        result = await build({
+            entryPoints: [entryFile],
+            bundle: true,
+            format: "esm",
+            platform: "node",
+            target: "node24",
+            external: [SDK_PACKAGE, `${SDK_PACKAGE}/*`],
+            write: false,
+            logLevel: "silent",
+            legalComments: "none",
+        });
+    }
+    catch (err) {
+        throw new CliError(`Bundling failed for ${entryFile}.`, err instanceof Error ? err.message : undefined);
+    }
+    const out = result.outputFiles[0];
+    if (out === undefined)
+        throw new CliError(`Bundling produced no output for ${entryFile}.`);
+    return out.text;
+}
+/**
+ * esbuild-bundle the entry into `{ code, map }` for the deploy ARTIFACT. Same externals/format as
+ * {@link bundleWorkflow} but emits a `linked` sourcemap so a run's stack traces resolve back to the
+ * author's files. Output names are fixed (`index.mjs` / `index.mjs.map`) so the linked
+ * `sourceMappingURL` matches the artifact's layout.
+ */
+export async function bundleWorkflowWithMap(entryFile) {
+    let result;
+    try {
+        result = await build({
+            entryPoints: [entryFile],
+            outfile: "index.mjs",
+            bundle: true,
+            format: "esm",
+            platform: "node",
+            target: "node24",
+            external: [SDK_PACKAGE, `${SDK_PACKAGE}/*`],
+            sourcemap: "linked",
+            minify: false,
+            write: false,
+            logLevel: "silent",
+            legalComments: "none",
+        });
+    }
+    catch (err) {
+        throw new CliError(`Bundling failed for ${entryFile}.`, err instanceof Error ? err.message : undefined);
+    }
+    const js = result.outputFiles.find((f) => !f.path.endsWith(".map"));
+    const map = result.outputFiles.find((f) => f.path.endsWith(".map"));
+    if (js === undefined || map === undefined) {
+        throw new CliError(`Bundling produced no output for ${entryFile}.`);
+    }
+    return { code: js.text, map: map.text };
+}
+/**
+ * esbuild-bundle the entry for `boardwalk dev` — like {@link bundleWorkflow}, but
+ * `@boardwalk-labs/workflow` imports are rewritten to the ABSOLUTE path of the CLI's own installed
+ * copy. The SDK's host state is a module-level singleton, so the program and the CLI must load
+ * the SAME module instance for `installHost` (called by the CLI) to be visible to the program's
+ * hooks; an absolute specifier guarantees that regardless of where the bundle file lives or
+ * whether the project has its own `node_modules`.
+ */
+export async function bundleForDev(entryFile) {
+    const requireFromCli = createRequire(import.meta.url);
+    let result;
+    try {
+        result = await build({
+            entryPoints: [entryFile],
+            bundle: true,
+            format: "esm",
+            platform: "node",
+            target: "node24",
+            write: false,
+            logLevel: "silent",
+            legalComments: "none",
+            plugins: [
+                {
+                    name: "boardwalk-sdk-shared-instance",
+                    setup(b) {
+                        b.onResolve({ filter: /^@boardwalk-labs\/workflow(\/.+)?$/ }, (args) => ({
+                            path: requireFromCli.resolve(args.path),
+                            external: true,
+                        }));
+                    },
+                },
+            ],
+        });
+    }
+    catch (err) {
+        throw new CliError(`Bundling failed for ${entryFile}.`, err instanceof Error ? err.message : undefined);
+    }
+    const out = result.outputFiles[0];
+    if (out === undefined)
+        throw new CliError(`Bundling produced no output for ${entryFile}.`);
+    return out.text;
+}
+function readPkgEntry(pkgPath) {
+    try {
+        const parsed = JSON.parse(readFileSync(pkgPath, "utf8"));
+        if (typeof parsed === "object" && parsed !== null) {
+            const pkg = parsed;
+            if (typeof pkg.module === "string")
+                return pkg.module;
+            if (typeof pkg.main === "string")
+                return pkg.main;
+        }
+    }
+    catch {
+        // Unreadable package.json → fall back to index.* discovery.
+    }
+    return null;
+}
+//# sourceMappingURL=bundle.js.map

package/dist/bundle.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bundle.js","sourceRoot":"","sources":["../src/bundle.ts"],"names":[],"mappings":"AAAA,oBAAoB;AACpB,EAAE;AACF,gGAAgG;AAChG,8FAA8F;AAC9F,qFAAqF;AACrF,oGAAoG;AACpG,wFAAwF;AACxF,4FAA4F;AAC5F,6EAA6E;AAE7E,OAAO,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAChC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC7D,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAEvC,MAAM,WAAW,GAAG,0BAA0B,CAAC;AAC/C,MAAM,gBAAgB,GAAG,CAAC,UAAU,EAAE,WAAW,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;AAE5E,yFAAyF;AACzF,MAAM,UAAU,YAAY,CAAC,MAAc;IACzC,IAAI,CAAC;QACH,OAAO,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,MAAc;IACzC,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC5B,IAAI,KAAc,CAAC;IACnB,IAAI,CAAC;QACH,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;IACtC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,QAAQ,CAAC,mBAAmB,MAAM,EAAE,CAAC,CAAC;IAClD,CAAC;IACD,IAAI,CAAC,KAAK;QAAE,OAAO,GAAG,CAAC;IAEvB,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;IAC1C,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;QACpC,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YACnB,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YACrC,IAAI,UAAU,CAAC,QAAQ,CAAC;gBAAE,OAAO,QAAQ,CAAC;QAC5C,CAAC;IACH,CAAC;IACD,KAAK,MAAM,IAAI,IAAI,gBAAgB,EAAE,CAAC;QACpC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAClC,IAAI,UAAU,CAAC,SAAS,CAAC;YAAE,OAAO,SAAS,CAAC;IAC9C,CAAC;IACD,MAAM,IAAI,QAAQ,CAChB,0BAA0B,MAAM,EAAE,EAClC,UAAU,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,2CAA2C,CAClF,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,SAAiB;IACpD,IAAI,MAAM,CAAC;IACX,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,KAAK,CAAC;YACnB,WAAW,EAAE,CAAC,SAAS,CAAC;YACxB,MAAM,EAAE,IAAI;YACZ,MAAM,EAAE,KAAK;YACb,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,QAAQ;YAChB,QAAQ,EAAE,CAAC,WAAW,EAAE,GAAG,WAAW,IAAI,CAAC;YAC3C,KAAK,EAAE,KAAK;YACZ,QAAQ,EAAE,QAAQ;YAClB,aAAa,EAAE,MAAM;SACtB,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,QAAQ,CAChB,uBAAuB,SAAS,GAAG,EACnC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAC/C,CAAC;IACJ,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;IAClC,IAAI,GAAG,KAAK,SAAS;QAAE,MAAM,IAAI,QAAQ,CAAC,mCAAmC,SAAS,GAAG,CAAC,CAAC;IAC3F,OAAO,GAAG,CAAC,IAAI,CAAC;AAClB,CAAC;AAUD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,SAAiB;IAC3D,IAAI,MAAM,CAAC;IACX,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,KAAK,CAAC;YACnB,WAAW,EAAE,CAAC,SAAS,CAAC;YACxB,OAAO,EAAE,WAAW;YACpB,MAAM,EAAE,IAAI;YACZ,MAAM,EAAE,KAAK;YACb,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,QAAQ;YAChB,QAAQ,EAAE,CAAC,WAAW,EAAE,GAAG,WAAW,IAAI,CAAC;YAC3C,SAAS,EAAE,QAAQ;YACnB,MAAM,EAAE,KAAK;YACb,KAAK,EAAE,KAAK;YACZ,QAAQ,EAAE,QAAQ;YAClB,aAAa,EAAE,MAAM;SACtB,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,QAAQ,CAChB,uBAAuB,SAAS,GAAG,EACnC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAC/C,CAAC;IACJ,CAAC;IACD,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IACpE,MAAM,GAAG,GAAG,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IACpE,IAAI,EAAE,KAAK,SAAS,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;QAC1C,MAAM,IAAI,QAAQ,CAAC,mCAAmC,SAAS,GAAG,CAAC,CAAC;IACtE,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC;AAC1C,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,SAAiB;IAClD,MAAM,cAAc,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACtD,IAAI,MAAM,CAAC;IACX,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,KAAK,CAAC;YACnB,WAAW,EAAE,CAAC,SAAS,CAAC;YACxB,MAAM,EAAE,IAAI;YACZ,MAAM,EAAE,KAAK;YACb,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,QAAQ;YAChB,KAAK,EAAE,KAAK;YACZ,QAAQ,EAAE,QAAQ;YAClB,aAAa,EAAE,MAAM;YACrB,OAAO,EAAE;gBACP;oBACE,IAAI,EAAE,+BAA+B;oBACrC,KAAK,CAAC,CAAC;wBACL,CAAC,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,oCAAoC,EAAE,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;4BACvE,IAAI,EAAE,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC;4BACvC,QAAQ,EAAE,IAAI;yBACf,CAAC,CAAC,CAAC;oBACN,CAAC;iBACF;aACF;SACF,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,QAAQ,CAChB,uBAAuB,SAAS,GAAG,EACnC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAC/C,CAAC;IACJ,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;IAClC,IAAI,GAAG,KAAK,SAAS;QAAE,MAAM,IAAI,QAAQ,CAAC,mCAAmC,SAAS,GAAG,CAAC,CAAC;IAC3F,OAAO,GAAG,CAAC,IAAI,CAAC;AAClB,CAAC;AAED,SAAS,YAAY,CAAC,OAAe;IACnC,IAAI,CAAC;QACH,MAAM,MAAM,GAAY,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;QAClE,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YAClD,MAAM,GAAG,GAAG,MAAiC,CAAC;YAC9C,IAAI,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ;gBAAE,OAAO,GAAG,CAAC,MAAM,CAAC;YACtD,IAAI,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ;gBAAE,OAAO,GAAG,CAAC,IAAI,CAAC;QACpD,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,4DAA4D;IAC9D,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/client.d.ts

@@ -0,0 +1,65 @@
+import type { FetchLike } from "./auth/pkce.js";
+export interface WorkflowSummary {
+    id: string;
+    name: string;
+    currentVersionId: string | null;
+}
+export interface DeployResult {
+    workflow: WorkflowSummary;
+    version: {
+        id: string;
+        number: number;
+    };
+}
+/** The verified-artifact reference the finalize call records on the new version. */
+export interface DeployArtifactRef {
+    digest: string;
+    size: number;
+    entry: string;
+    sdkVersion: string;
+    lockfileDigest: string | null;
+}
+export interface RunSummary {
+    id: string;
+    workflowId: string;
+    status: string;
+    outcomeStatus: string | null;
+    startedAt: number | null;
+    completedAt: number | null;
+}
+export interface BoardwalkClientOptions {
+    baseUrl: string;
+    token: string;
+    fetchImpl?: FetchLike;
+}
+export declare class BoardwalkClient {
+    private readonly baseUrl;
+    private readonly token;
+    private readonly fetchImpl;
+    constructor(opts: BoardwalkClientOptions);
+    listWorkflows(orgSlug: string): Promise<WorkflowSummary[]>;
+    createWorkflow(orgSlug: string, artifact: DeployArtifactRef): Promise<DeployResult>;
+    updateWorkflow(id: string, artifact: DeployArtifactRef): Promise<DeployResult>;
+    /** Request a presigned PUT for a program artifact (the CLI then uploads the tarball directly). */
+    getArtifactUploadUrl(orgSlug: string, input: {
+        digest: string;
+        size: number;
+    }): Promise<{
+        uploadUrl: string;
+        contentType: string;
+    }>;
+    /** Upload the artifact bytes straight to storage via the presigned PUT. The Content-Type MUST
+     *  equal the one signed into the URL, or the store rejects the PUT. No auth header — the URL
+     *  carries the signature. */
+    uploadArtifact(uploadUrl: string, contentType: string, bytes: Uint8Array): Promise<void>;
+    triggerRun(orgSlug: string, workflowId: string, input: unknown): Promise<RunSummary>;
+    getRun(runId: string): Promise<RunSummary>;
+    /**
+     * Cancel a run. Idempotent server-side (a terminal/already-cancelling run is a no-op); the
+     * endpoint resolves the org from the run id, so no org slug is needed. Returns 204 No Content.
+     */
+    cancelRun(runId: string): Promise<void>;
+    private request;
+    private deployResult;
+    private runSummary;
+}