@bragduck/cli 2.28.1 → 2.29.2

package/dist/bin/bragduck.js

@@ -22,7 +22,7 @@ var init_esm_shims = __esm({
 import { config } from "dotenv";
 import { fileURLToPath as fileURLToPath2 } from "url";
 import { dirname, join } from "path";
-var __filename, __dirname, APP_NAME, CONFIG_KEYS, DEFAULT_CONFIG, OAUTH_CONFIG, API_ENDPOINTS, ENCRYPTION_CONFIG, STORAGE_PATHS, HTTP_STATUS, CONFIG_FILES;
+var __filename, __dirname, APP_NAME, CONFIG_KEYS, DEFAULT_CONFIG, OAUTH_CONFIG, ATLASSIAN_OAUTH_CONFIG, API_ENDPOINTS, ENCRYPTION_CONFIG, STORAGE_PATHS, HTTP_STATUS, CONFIG_FILES;
 var init_constants = __esm({
   "src/constants.ts"() {
     "use strict";
@@ -57,11 +57,23 @@ var init_constants = __esm({
       MIN_PORT: 8e3,
       MAX_PORT: 9e3
     };
+    ATLASSIAN_OAUTH_CONFIG = {
+      CLIENT_ID: "kJlsd66DLTnENE8p7Ru2JwqZg1Sie4yZ",
+      AUTH_URL: "https://auth.atlassian.com/authorize",
+      AUDIENCE: "api.atlassian.com",
+      SCOPES: "read:jira-work read:jira-user read:page:confluence read:confluence-user offline_access read:me",
+      ACCESSIBLE_RESOURCES_URL: "https://api.atlassian.com/oauth/token/accessible-resources",
+      API_GATEWAY_URL: "https://api.atlassian.com"
+    };
     API_ENDPOINTS = {
       AUTH: {
         INITIATE: "/v1/auth/cli/initiate",
         TOKEN: "/v1/auth/cli/token"
       },
+      ATLASSIAN: {
+        TOKEN: "/v1/auth/atlassian/token",
+        REFRESH: "/v1/auth/atlassian/refresh"
+      },
       BRAGS: {
         CREATE: "/v1/brags",
         LIST: "/v1/brags",
@@ -157,7 +169,7 @@ var init_env_loader = __esm({
 });
 
 // src/utils/errors.ts
-var BragduckError, AuthenticationError, GitError, ApiError, NetworkError, ValidationError, OAuthError, TokenExpiredError, GitHubError, BitbucketError, GitLabError, JiraError, ConfluenceError;
+var BragduckError, AuthenticationError, GitError, ApiError, NetworkError, ValidationError, OAuthError, TokenExpiredError, GitHubError, BitbucketError, GitLabError, JiraError, ConfluenceError, AtlassianError;
 var init_errors = __esm({
   "src/utils/errors.ts"() {
     "use strict";
@@ -248,6 +260,12 @@ var init_errors = __esm({
         this.name = "ConfluenceError";
       }
     };
+    AtlassianError = class extends BragduckError {
+      constructor(message, details) {
+        super(message, "ATLASSIAN_ERROR", details);
+        this.name = "AtlassianError";
+      }
+    };
   }
 });
 
@@ -1241,15 +1259,15 @@ __export(version_exports, {
   getCurrentVersion: () => getCurrentVersion,
   version: () => version
 });
-import { readFileSync as readFileSync3 } from "fs";
-import { fileURLToPath as fileURLToPath4 } from "url";
-import { dirname as dirname3, join as join5 } from "path";
+import { readFileSync as readFileSync4 } from "fs";
+import { fileURLToPath as fileURLToPath5 } from "url";
+import { dirname as dirname4, join as join6 } from "path";
 import chalk4 from "chalk";
 import boxen2 from "boxen";
 function getCurrentVersion() {
   try {
-    const packageJsonPath2 = join5(__dirname4, "../../package.json");
-    const packageJson2 = JSON.parse(readFileSync3(packageJsonPath2, "utf-8"));
+    const packageJsonPath2 = join6(__dirname5, "../../package.json");
+    const packageJson2 = JSON.parse(readFileSync4(packageJsonPath2, "utf-8"));
     return packageJson2.version;
   } catch {
     logger.debug("Failed to read package.json version");
@@ -1331,7 +1349,7 @@ function formatVersion(includePrefix = true) {
   const prefix = includePrefix ? "v" : "";
   return `${prefix}${version}`;
 }
-var __filename4, __dirname4, version;
+var __filename5, __dirname5, version;
 var init_version = __esm({
   "src/utils/version.ts"() {
     "use strict";
@@ -1339,22 +1357,22 @@ var init_version = __esm({
     init_api_service();
     init_storage_service();
     init_logger();
-    __filename4 = fileURLToPath4(import.meta.url);
-    __dirname4 = dirname3(__filename4);
+    __filename5 = fileURLToPath5(import.meta.url);
+    __dirname5 = dirname4(__filename5);
     version = getCurrentVersion();
   }
 });
 
 // src/services/api.service.ts
-import { ofetch as ofetch2 } from "ofetch";
-import { readFileSync as readFileSync4 } from "fs";
-import { fileURLToPath as fileURLToPath5 } from "url";
-import { URLSearchParams as URLSearchParams2 } from "url";
-import { dirname as dirname4, join as join6 } from "path";
+import { ofetch as ofetch3 } from "ofetch";
+import { readFileSync as readFileSync5 } from "fs";
+import { fileURLToPath as fileURLToPath6 } from "url";
+import { URLSearchParams as URLSearchParams3 } from "url";
+import { dirname as dirname5, join as join7 } from "path";
 function getCliVersion() {
   try {
-    const packageJsonPath2 = join6(__dirname5, "../../package.json");
-    const packageJson2 = JSON.parse(readFileSync4(packageJsonPath2, "utf-8"));
+    const packageJsonPath2 = join7(__dirname6, "../../package.json");
+    const packageJson2 = JSON.parse(readFileSync5(packageJsonPath2, "utf-8"));
     return packageJson2.version;
   } catch {
     logger.debug("Failed to read package.json version");
@@ -1366,7 +1384,7 @@ function getPlatformInfo() {
   const arch = process.arch;
   return `${platform}-${arch}`;
 }
-var __filename5, __dirname5, ApiService, apiService;
+var __filename6, __dirname6, ApiService, apiService;
 var init_api_service = __esm({
   "src/services/api.service.ts"() {
     "use strict";
@@ -1375,14 +1393,14 @@ var init_api_service = __esm({
     init_constants();
     init_errors();
     init_logger();
-    __filename5 = fileURLToPath5(import.meta.url);
-    __dirname5 = dirname4(__filename5);
+    __filename6 = fileURLToPath6(import.meta.url);
+    __dirname6 = dirname5(__filename6);
     ApiService = class {
       baseURL;
       client;
       constructor() {
         this.baseURL = process.env.API_BASE_URL || "https://api.bragduck.com";
-        this.client = ofetch2.create({
+        this.client = ofetch3.create({
           baseURL: this.baseURL,
           // Request interceptor
           onRequest: async ({ request, options }) => {
@@ -1546,7 +1564,7 @@ var init_api_service = __esm({
         const { limit = 50, offset = 0, tags, search } = params;
         logger.debug(`Listing brags: limit=${limit}, offset=${offset}`);
         try {
-          const queryParams = new URLSearchParams2({
+          const queryParams = new URLSearchParams3({
             limit: limit.toString(),
             offset: offset.toString()
           });
@@ -1643,7 +1661,7 @@ var init_api_service = __esm({
        */
       setBaseURL(url) {
         this.baseURL = url;
-        this.client = ofetch2.create({
+        this.client = ofetch3.create({
           baseURL: url
         });
       }
@@ -1661,18 +1679,267 @@ var init_api_service = __esm({
 // src/cli.ts
 init_esm_shims();
 import { Command } from "commander";
-import { readFileSync as readFileSync5 } from "fs";
-import { fileURLToPath as fileURLToPath6 } from "url";
-import { dirname as dirname5, join as join7 } from "path";
+import { readFileSync as readFileSync6 } from "fs";
+import { fileURLToPath as fileURLToPath7 } from "url";
+import { dirname as dirname6, join as join8 } from "path";
 
 // src/commands/auth.ts
 init_esm_shims();
 init_auth_service();
-init_storage_service();
 import boxen from "boxen";
 import chalk3 from "chalk";
 import { input } from "@inquirer/prompts";
 
+// src/services/atlassian-auth.service.ts
+init_esm_shims();
+init_constants();
+init_storage_service();
+init_oauth_server();
+init_browser();
+init_errors();
+init_logger();
+import { randomBytes as randomBytes3 } from "crypto";
+import { readFileSync as readFileSync3 } from "fs";
+import { fileURLToPath as fileURLToPath4, URLSearchParams as URLSearchParams2 } from "url";
+import { dirname as dirname3, join as join4 } from "path";
+import { ofetch as ofetch2 } from "ofetch";
+import { select } from "@inquirer/prompts";
+var __filename4 = fileURLToPath4(import.meta.url);
+var __dirname4 = dirname3(__filename4);
+function getUserAgent2() {
+  try {
+    const packageJsonPath2 = join4(__dirname4, "../../package.json");
+    const packageJson2 = JSON.parse(readFileSync3(packageJsonPath2, "utf-8"));
+    const version2 = packageJson2.version;
+    const platform = process.platform;
+    const arch = process.arch;
+    return `BragDuck-CLI/${version2} (${platform}-${arch})`;
+  } catch {
+    logger.debug("Failed to read package.json version");
+    return "BragDuck-CLI/2.0.0";
+  }
+}
+var AtlassianAuthService = class {
+  apiBaseUrl;
+  refreshPromise = null;
+  constructor() {
+    this.apiBaseUrl = process.env.API_BASE_URL || "https://api.bragduck.com";
+  }
+  /**
+   * Generate a random state string for CSRF protection
+   */
+  generateState() {
+    return randomBytes3(32).toString("hex");
+  }
+  /**
+   * Build the Atlassian OAuth authorization URL
+   */
+  buildAuthUrl(state, callbackUrl) {
+    const params = new URLSearchParams2({
+      audience: ATLASSIAN_OAUTH_CONFIG.AUDIENCE,
+      client_id: ATLASSIAN_OAUTH_CONFIG.CLIENT_ID,
+      scope: ATLASSIAN_OAUTH_CONFIG.SCOPES,
+      redirect_uri: callbackUrl,
+      state,
+      response_type: "code",
+      prompt: "consent"
+    });
+    return `${ATLASSIAN_OAUTH_CONFIG.AUTH_URL}?${params.toString()}`;
+  }
+  /**
+   * Exchange authorization code for tokens via BragDuck backend
+   */
+  async exchangeCodeForToken(code, redirectUri) {
+    try {
+      logger.debug("Exchanging Atlassian authorization code for token via backend");
+      const response = await ofetch2(
+        `${this.apiBaseUrl}${API_ENDPOINTS.ATLASSIAN.TOKEN}`,
+        {
+          method: "POST",
+          body: {
+            code,
+            redirect_uri: redirectUri
+          },
+          headers: {
+            "Content-Type": "application/json",
+            "User-Agent": getUserAgent2()
+          }
+        }
+      );
+      logger.debug("Atlassian token exchange successful");
+      return response;
+    } catch (error) {
+      logger.debug(`Atlassian token exchange failed: ${error.message}`);
+      throw new AtlassianError("Failed to exchange Atlassian authorization code", {
+        originalError: error.message
+      });
+    }
+  }
+  /**
+   * Fetch accessible Atlassian Cloud resources (sites) using the access token
+   */
+  async fetchAccessibleResources(accessToken) {
+    try {
+      logger.debug("Fetching accessible Atlassian resources");
+      const resources = await ofetch2(
+        ATLASSIAN_OAUTH_CONFIG.ACCESSIBLE_RESOURCES_URL,
+        {
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+            Accept: "application/json"
+          }
+        }
+      );
+      logger.debug(`Found ${resources.length} accessible resource(s)`);
+      return resources;
+    } catch (error) {
+      logger.debug(`Failed to fetch accessible resources: ${error.message}`);
+      throw new AtlassianError("Failed to fetch Atlassian Cloud sites", {
+        originalError: error.message
+      });
+    }
+  }
+  /**
+   * Let user pick a site if multiple accessible resources exist
+   */
+  async selectSite(resources) {
+    if (resources.length === 0) {
+      throw new AtlassianError(
+        "No accessible Atlassian Cloud sites found. Make sure your account has access to at least one site."
+      );
+    }
+    if (resources.length === 1) {
+      const site = resources[0];
+      logger.debug(`Auto-selecting single site: ${site.name}`);
+      return site;
+    }
+    const selectedId = await select({
+      message: "Select your Atlassian Cloud site:",
+      choices: resources.map((r) => ({
+        name: `${r.name} (${r.url})`,
+        value: r.id
+      }))
+    });
+    return resources.find((r) => r.id === selectedId);
+  }
+  /**
+   * Full OAuth login flow:
+   * 1. Open browser to Atlassian consent screen
+   * 2. Wait for callback with authorization code
+   * 3. Exchange code for tokens via BragDuck backend
+   * 4. Fetch accessible resources and pick site
+   * 5. Store credentials for jira, confluence, and atlassian services
+   */
+  async login() {
+    logger.debug("Starting Atlassian OAuth login flow");
+    const state = this.generateState();
+    const callbackUrl = await getCallbackUrl();
+    storageService.setOAuthState({
+      state,
+      createdAt: Date.now()
+    });
+    logger.debug(`OAuth state: ${state}`);
+    logger.debug(`Callback URL: ${callbackUrl}`);
+    const authUrl = this.buildAuthUrl(state, callbackUrl);
+    logger.debug(`Authorization URL: ${authUrl}`);
+    const serverPromise = startOAuthCallbackServer(state);
+    try {
+      await openBrowser(authUrl);
+    } catch {
+      logger.warning("Could not open browser automatically");
+      logger.info("Please open this URL in your browser:");
+      logger.log(authUrl);
+    }
+    let callbackResult;
+    try {
+      callbackResult = await serverPromise;
+    } catch (error) {
+      storageService.deleteOAuthState();
+      throw error;
+    }
+    storageService.deleteOAuthState();
+    const tokenResponse = await this.exchangeCodeForToken(callbackResult.code, callbackUrl);
+    const resources = await this.fetchAccessibleResources(tokenResponse.access_token);
+    const site = await this.selectSite(resources);
+    const expiresAt = tokenResponse.expires_in ? Date.now() + tokenResponse.expires_in * 1e3 : void 0;
+    const credentials = {
+      accessToken: tokenResponse.access_token,
+      refreshToken: tokenResponse.refresh_token,
+      expiresAt,
+      instanceUrl: site.url,
+      // Real Cloud URL for browse links
+      cloudId: site.id,
+      authMethod: "oauth"
+    };
+    await storageService.setServiceCredentials("jira", credentials);
+    await storageService.setServiceCredentials("confluence", credentials);
+    await storageService.setServiceCredentials("atlassian", credentials);
+    logger.debug("Atlassian OAuth login successful");
+    return { siteName: site.name, siteUrl: site.url };
+  }
+  /**
+   * Refresh Atlassian OAuth tokens via BragDuck backend.
+   * Uses a singleton promise to prevent concurrent refresh race conditions
+   * (Atlassian uses rotating refresh tokens - each refresh invalidates the previous one).
+   */
+  async refreshToken() {
+    if (this.refreshPromise) {
+      return this.refreshPromise;
+    }
+    this.refreshPromise = this.doRefreshToken();
+    try {
+      await this.refreshPromise;
+    } finally {
+      this.refreshPromise = null;
+    }
+  }
+  async doRefreshToken() {
+    logger.debug("Refreshing Atlassian OAuth token");
+    const creds = await storageService.getServiceCredentials("jira");
+    if (!creds?.refreshToken) {
+      throw new AtlassianError("No Atlassian refresh token available", {
+        hint: "Run: bragduck auth atlassian"
+      });
+    }
+    try {
+      const response = await ofetch2(
+        `${this.apiBaseUrl}${API_ENDPOINTS.ATLASSIAN.REFRESH}`,
+        {
+          method: "POST",
+          body: {
+            refresh_token: creds.refreshToken
+          },
+          headers: {
+            "Content-Type": "application/json",
+            "User-Agent": getUserAgent2()
+          }
+        }
+      );
+      const expiresAt = response.expires_in ? Date.now() + response.expires_in * 1e3 : void 0;
+      const updatedCreds = {
+        ...creds,
+        accessToken: response.access_token,
+        refreshToken: response.refresh_token,
+        expiresAt
+      };
+      await storageService.setServiceCredentials("jira", updatedCreds);
+      await storageService.setServiceCredentials("confluence", updatedCreds);
+      await storageService.setServiceCredentials("atlassian", updatedCreds);
+      logger.debug("Atlassian token refresh successful");
+    } catch (error) {
+      logger.debug(`Atlassian token refresh failed: ${error.message}`);
+      throw new AtlassianError(
+        'Atlassian token refresh failed. Please run "bragduck auth atlassian" to re-authenticate.',
+        { originalError: error.message }
+      );
+    }
+  }
+};
+var atlassianAuthService = new AtlassianAuthService();
+
+// src/commands/auth.ts
+init_storage_service();
+
 // src/services/github.service.ts
 init_esm_shims();
 init_errors();
@@ -1688,9 +1955,9 @@ import simpleGit from "simple-git";
 init_esm_shims();
 init_errors();
 import { existsSync as existsSync2 } from "fs";
-import { join as join4 } from "path";
+import { join as join5 } from "path";
 function validateGitRepository(path4) {
-  const gitDir = join4(path4, ".git");
+  const gitDir = join5(path4, ".git");
   if (!existsSync2(gitDir)) {
     throw new GitError(
       "Not a git repository. Please run this command from within a git repository.",
@@ -2404,7 +2671,14 @@ async function authStatus() {
   }
   for (const service of services) {
     if (service !== "bragduck") {
-      logger.info(`${colors.success("\u2713")} ${service}: Authenticated`);
+      const creds = await storageService.getServiceCredentials(service);
+      let methodLabel = "";
+      if (creds?.authMethod === "oauth") {
+        methodLabel = " (Cloud - OAuth)";
+      } else if (creds?.authMethod === "basic") {
+        methodLabel = " (Server - API Token)";
+      }
+      logger.info(`${colors.success("\u2713")} ${service}: Authenticated${methodLabel}`);
     }
   }
   logger.log("");
@@ -2556,68 +2830,21 @@ User: ${user.name} (@${user.username})`,
 }
 async function authAtlassian() {
   logger.log("");
-  logger.log(
-    boxen(
-      theme.info("Atlassian API Token Authentication") + "\n\nThis token works for Jira, Confluence, and Bitbucket\n\nCreate an API Token at:\n" + colors.highlight("https://id.atlassian.com/manage-profile/security/api-tokens") + "\n\nRequired access:\n  \u2022 Jira: Read issues\n  \u2022 Confluence: Read pages\n  \u2022 Bitbucket: Read repositories",
-      boxStyles.info
-    )
-  );
+  logger.info("Opening browser for Atlassian Cloud authentication...");
   logger.log("");
   try {
-    const instanceUrl = await input({
-      message: "Atlassian instance URL (e.g., company.atlassian.net):",
-      validate: (value) => value.length > 0 ? true : "Instance URL cannot be empty"
-    });
-    const email = await input({
-      message: "Atlassian account email:",
-      validate: (value) => value.includes("@") ? true : "Please enter a valid email address"
-    });
-    const apiToken = await input({
-      message: "API Token:",
-      validate: (value) => value.length > 0 ? true : "API token cannot be empty"
-    });
-    const testInstanceUrl = instanceUrl.startsWith("http") ? instanceUrl : `https://${instanceUrl}`;
-    const auth = Buffer.from(`${email}:${apiToken}`).toString("base64");
-    const response = await fetch(`${testInstanceUrl}/rest/api/2/myself`, {
-      headers: { Authorization: `Basic ${auth}` }
-    });
-    if (!response.ok) {
-      logger.log("");
-      logger.log(
-        boxen(
-          theme.error("\u2717 Authentication Failed") + "\n\nInvalid instance URL, email, or API token\nMake sure the instance URL is correct (e.g., company.atlassian.net)",
-          boxStyles.error
-        )
-      );
-      logger.log("");
-      process.exit(1);
-    }
-    const user = await response.json();
-    const credentials = {
-      accessToken: apiToken,
-      username: email,
-      instanceUrl: instanceUrl.startsWith("http") ? instanceUrl : `https://${instanceUrl}`
-    };
-    await storageService.setServiceCredentials("jira", credentials);
-    await storageService.setServiceCredentials("confluence", credentials);
-    await storageService.setServiceCredentials("bitbucket", {
-      ...credentials,
-      instanceUrl: "https://api.bitbucket.org"
-      // Bitbucket uses different API base
-    });
+    const result = await atlassianAuthService.login();
     logger.log("");
     logger.log(
       boxen(
-        theme.success("\u2713 Successfully authenticated with Atlassian") + `
+        theme.success("\u2713 Successfully authenticated with Atlassian Cloud") + `
 
-Instance: ${instanceUrl}
-User: ${user.displayName}
-Email: ${user.emailAddress}
+Site: ${result.siteName}
+URL: ${result.siteUrl}
 
 Services configured:
-  \u2022 Jira
-  \u2022 Confluence
-  \u2022 Bitbucket`,
+  - Jira (OAuth)
+  - Confluence (OAuth)`,
         boxStyles.success
       )
     );
@@ -2650,7 +2877,7 @@ var CancelPromptError = class extends Error {
 init_api_service();
 init_storage_service();
 init_auth_service();
-import { select as select3 } from "@inquirer/prompts";
+import { select as select4 } from "@inquirer/prompts";
 import boxen6 from "boxen";
 
 // src/utils/source-detector.ts
@@ -2659,7 +2886,7 @@ init_errors();
 init_storage_service();
 import { exec as exec3 } from "child_process";
 import { promisify as promisify3 } from "util";
-import { select } from "@inquirer/prompts";
+import { select as select2 } from "@inquirer/prompts";
 var execAsync3 = promisify3(exec3);
 var SourceDetector = class {
   /**
@@ -2715,7 +2942,7 @@ var SourceDetector = class {
         description: source.remoteUrl
       };
     });
-    return await select({
+    return await select2({
       message: "Multiple sources detected. Which do you want to sync?",
       choices
     });
@@ -3231,7 +3458,7 @@ init_logger();
 init_storage_service();
 import { exec as exec5 } from "child_process";
 import { promisify as promisify5 } from "util";
-import { URLSearchParams as URLSearchParams3 } from "url";
+import { URLSearchParams as URLSearchParams4 } from "url";
 var execAsync5 = promisify5(exec5);
 var GitLabService = class {
   DEFAULT_INSTANCE = "https://gitlab.com";
@@ -3377,7 +3604,7 @@ var GitLabService = class {
   async getMergedMRs(options = {}) {
     const { projectPath } = await this.getProjectFromGit();
     const encodedPath = encodeURIComponent(projectPath);
-    const params = new URLSearchParams3({
+    const params = new URLSearchParams4({
       state: "merged",
       order_by: "updated_at",
       sort: "desc",
@@ -3543,41 +3770,76 @@ init_esm_shims();
 init_errors();
 init_logger();
 init_storage_service();
+init_constants();
 var JiraService = class {
   MAX_DESCRIPTION_LENGTH = 5e3;
   /**
-   * Get stored Jira credentials
+   * Get stored Jira credentials, auto-refreshing OAuth tokens if expired
    */
   async getCredentials() {
     const creds = await storageService.getServiceCredentials("jira");
-    if (!creds || !creds.username || !creds.accessToken || !creds.instanceUrl) {
+    if (!creds || !creds.accessToken) {
       throw new JiraError("Not authenticated with Jira", {
         hint: "Run: bragduck auth atlassian"
       });
     }
-    if (creds.expiresAt && creds.expiresAt < Date.now()) {
+    if (creds.authMethod !== "oauth" && (!creds.username || !creds.instanceUrl)) {
+      throw new JiraError("Not authenticated with Jira", {
+        hint: "Run: bragduck auth atlassian"
+      });
+    }
+    if (creds.authMethod === "oauth" && !creds.cloudId) {
+      throw new JiraError("Missing Atlassian Cloud ID", {
+        hint: "Run: bragduck auth atlassian"
+      });
+    }
+    if (creds.authMethod === "oauth" && creds.expiresAt && creds.expiresAt < Date.now()) {
+      if (creds.refreshToken) {
+        logger.debug("Jira OAuth token expired, refreshing...");
+        await atlassianAuthService.refreshToken();
+        const refreshed = await storageService.getServiceCredentials("jira");
+        if (!refreshed?.accessToken) {
+          throw new JiraError("Token refresh failed", {
+            hint: "Run: bragduck auth atlassian"
+          });
+        }
+        return refreshed;
+      }
+      throw new JiraError("OAuth token has expired and no refresh token available", {
+        hint: "Run: bragduck auth atlassian"
+      });
+    }
+    if (creds.authMethod !== "oauth" && creds.expiresAt && creds.expiresAt < Date.now()) {
       throw new JiraError("API token has expired", {
         hint: "Run: bragduck auth atlassian"
       });
     }
-    return {
-      email: creds.username,
-      apiToken: creds.accessToken,
-      instanceUrl: creds.instanceUrl
-    };
+    return creds;
   }
   /**
-   * Make authenticated request to Jira API
+   * Make authenticated request to Jira API.
+   * Uses OAuth Bearer + API gateway for Cloud, Basic Auth for Server/DC.
+   * Retries once on 401 for OAuth (auto-refresh).
    */
   async request(endpoint, method = "GET", body) {
-    const { email, apiToken, instanceUrl } = await this.getCredentials();
-    const auth = Buffer.from(`${email}:${apiToken}`).toString("base64");
-    const baseUrl = instanceUrl.startsWith("http") ? instanceUrl : `https://${instanceUrl}`;
+    const creds = await this.getCredentials();
+    const isOAuth = creds.authMethod === "oauth";
+    let baseUrl;
+    let authHeader;
+    if (isOAuth) {
+      baseUrl = `${ATLASSIAN_OAUTH_CONFIG.API_GATEWAY_URL}/ex/jira/${creds.cloudId}`;
+      authHeader = `Bearer ${creds.accessToken}`;
+    } else {
+      const instanceUrl = creds.instanceUrl;
+      baseUrl = instanceUrl.startsWith("http") ? instanceUrl : `https://${instanceUrl}`;
+      const auth = Buffer.from(`${creds.username}:${creds.accessToken}`).toString("base64");
+      authHeader = `Basic ${auth}`;
+    }
     logger.debug(`Jira API: ${method} ${endpoint}`);
     const options = {
       method,
       headers: {
-        Authorization: `Basic ${auth}`,
+        Authorization: authHeader,
         "Content-Type": "application/json",
         Accept: "application/json"
       }
@@ -3585,7 +3847,17 @@ var JiraService = class {
     if (body) {
       options.body = JSON.stringify(body);
     }
-    const response = await fetch(`${baseUrl}${endpoint}`, options);
+    let response = await fetch(`${baseUrl}${endpoint}`, options);
+    if (response.status === 401 && isOAuth && creds.refreshToken) {
+      logger.debug("Jira OAuth 401, attempting token refresh and retry");
+      await atlassianAuthService.refreshToken();
+      const refreshedCreds = await storageService.getServiceCredentials("jira");
+      if (refreshedCreds?.accessToken) {
+        options.headers.Authorization = `Bearer ${refreshedCreds.accessToken}`;
+        const newBaseUrl = `${ATLASSIAN_OAUTH_CONFIG.API_GATEWAY_URL}/ex/jira/${refreshedCreds.cloudId}`;
+        response = await fetch(`${newBaseUrl}${endpoint}`, options);
+      }
+    }
     if (!response.ok) {
       const statusText = response.statusText;
       const status = response.status;
@@ -3991,40 +4263,75 @@ init_esm_shims();
 init_errors();
 init_logger();
 init_storage_service();
+init_constants();
 var ConfluenceService = class {
   /**
-   * Get stored Confluence credentials
+   * Get stored Confluence credentials, auto-refreshing OAuth tokens if expired
    */
   async getCredentials() {
     const creds = await storageService.getServiceCredentials("confluence");
-    if (!creds || !creds.username || !creds.accessToken || !creds.instanceUrl) {
+    if (!creds || !creds.accessToken) {
       throw new ConfluenceError("Not authenticated with Confluence", {
         hint: "Run: bragduck auth atlassian"
       });
     }
-    if (creds.expiresAt && creds.expiresAt < Date.now()) {
+    if (creds.authMethod !== "oauth" && (!creds.username || !creds.instanceUrl)) {
+      throw new ConfluenceError("Not authenticated with Confluence", {
+        hint: "Run: bragduck auth atlassian"
+      });
+    }
+    if (creds.authMethod === "oauth" && !creds.cloudId) {
+      throw new ConfluenceError("Missing Atlassian Cloud ID", {
+        hint: "Run: bragduck auth atlassian"
+      });
+    }
+    if (creds.authMethod === "oauth" && creds.expiresAt && creds.expiresAt < Date.now()) {
+      if (creds.refreshToken) {
+        logger.debug("Confluence OAuth token expired, refreshing...");
+        await atlassianAuthService.refreshToken();
+        const refreshed = await storageService.getServiceCredentials("confluence");
+        if (!refreshed?.accessToken) {
+          throw new ConfluenceError("Token refresh failed", {
+            hint: "Run: bragduck auth atlassian"
+          });
+        }
+        return refreshed;
+      }
+      throw new ConfluenceError("OAuth token has expired and no refresh token available", {
+        hint: "Run: bragduck auth atlassian"
+      });
+    }
+    if (creds.authMethod !== "oauth" && creds.expiresAt && creds.expiresAt < Date.now()) {
       throw new ConfluenceError("API token has expired", {
         hint: "Run: bragduck auth atlassian"
       });
     }
-    return {
-      email: creds.username,
-      apiToken: creds.accessToken,
-      instanceUrl: creds.instanceUrl
-    };
+    return creds;
   }
   /**
-   * Make authenticated request to Confluence API
+   * Make authenticated request to Confluence API.
+   * Uses OAuth Bearer + API gateway for Cloud, Basic Auth for Server/DC.
+   * Retries once on 401 for OAuth (auto-refresh).
    */
   async request(endpoint, method = "GET", body) {
-    const { email, apiToken, instanceUrl } = await this.getCredentials();
-    const auth = Buffer.from(`${email}:${apiToken}`).toString("base64");
-    const baseUrl = instanceUrl.startsWith("http") ? instanceUrl : `https://${instanceUrl}`;
+    const creds = await this.getCredentials();
+    const isOAuth = creds.authMethod === "oauth";
+    let baseUrl;
+    let authHeader;
+    if (isOAuth) {
+      baseUrl = `${ATLASSIAN_OAUTH_CONFIG.API_GATEWAY_URL}/ex/confluence/${creds.cloudId}`;
+      authHeader = `Bearer ${creds.accessToken}`;
+    } else {
+      const instanceUrl = creds.instanceUrl;
+      baseUrl = instanceUrl.startsWith("http") ? instanceUrl : `https://${instanceUrl}`;
+      const auth = Buffer.from(`${creds.username}:${creds.accessToken}`).toString("base64");
+      authHeader = `Basic ${auth}`;
+    }
     logger.debug(`Confluence API: ${method} ${endpoint}`);
     const options = {
       method,
       headers: {
-        Authorization: `Basic ${auth}`,
+        Authorization: authHeader,
         "Content-Type": "application/json",
         Accept: "application/json"
       }
@@ -4032,7 +4339,17 @@ var ConfluenceService = class {
     if (body) {
       options.body = JSON.stringify(body);
     }
-    const response = await fetch(`${baseUrl}${endpoint}`, options);
+    let response = await fetch(`${baseUrl}${endpoint}`, options);
+    if (response.status === 401 && isOAuth && creds.refreshToken) {
+      logger.debug("Confluence OAuth 401, attempting token refresh and retry");
+      await atlassianAuthService.refreshToken();
+      const refreshedCreds = await storageService.getServiceCredentials("confluence");
+      if (refreshedCreds?.accessToken) {
+        options.headers.Authorization = `Bearer ${refreshedCreds.accessToken}`;
+        const newBaseUrl = `${ATLASSIAN_OAUTH_CONFIG.API_GATEWAY_URL}/ex/confluence/${refreshedCreds.cloudId}`;
+        response = await fetch(`${newBaseUrl}${endpoint}`, options);
+      }
+    }
     if (!response.ok) {
       const statusText = response.statusText;
       const status = response.status;
@@ -4571,7 +4888,7 @@ init_logger();
 
 // src/ui/prompts.ts
 init_esm_shims();
-import { checkbox, confirm, input as input2, select as select2, editor } from "@inquirer/prompts";
+import { checkbox, confirm, input as input2, select as select3, editor } from "@inquirer/prompts";
 import boxen4 from "boxen";
 
 // src/ui/formatters.ts
@@ -4786,7 +5103,7 @@ async function promptDaysToScan(defaultDays = 30) {
     { name: "90 days", value: "90", description: "Last 3 months" },
     { name: "Custom", value: "custom", description: "Enter custom number of days" }
   ];
-  const selected = await select2({
+  const selected = await select3({
     message: "How many days back should we scan for PRs?",
     choices,
     default: "30"
@@ -4820,7 +5137,7 @@ async function promptScanMode() {
       description: "Scan git commits directly"
     }
   ];
-  return await select2({
+  return await select3({
     message: "What would you like to scan?",
     choices,
     default: "prs"
@@ -4837,7 +5154,7 @@ async function promptSortOption() {
     { name: "By files (most files)", value: "files", description: "Most files changed" },
     { name: "No sorting", value: "none", description: "Keep original order" }
   ];
-  return await select2({
+  return await select3({
     message: "How would you like to sort the PRs?",
     choices,
     default: "date"
@@ -4851,7 +5168,7 @@ async function promptSelectOrganisation(organisations) {
       value: org.id
     }))
   ];
-  const selected = await select2({
+  const selected = await select3({
     message: "Attach brags to which company?",
     choices,
     default: "none"
@@ -4916,7 +5233,7 @@ ${theme.label("PR Link")} ${colors.link(prUrl)}`;
       }
       console.log(boxen4(bragDetails, boxStyles.info));
       console.log("");
-      const action = await select2({
+      const action = await select3({
         message: `What would you like to do with this brag?`,
         choices: [
           { name: "\u2713 Accept", value: "accept", description: "Add this brag as-is" },
@@ -5533,7 +5850,7 @@ async function promptSelectService() {
       description: `Sync all ${authenticatedSyncServices.length} authenticated service${authenticatedSyncServices.length > 1 ? "s" : ""}`
     });
   }
-  const selected = await select3({
+  const selected = await select4({
     message: "Select a service to sync:",
     choices: serviceChoices
   });
@@ -6834,10 +7151,10 @@ function getConfigHint(error) {
 // src/cli.ts
 init_version();
 init_logger();
-var __filename6 = fileURLToPath6(import.meta.url);
-var __dirname6 = dirname5(__filename6);
-var packageJsonPath = join7(__dirname6, "../../package.json");
-var packageJson = JSON.parse(readFileSync5(packageJsonPath, "utf-8"));
+var __filename7 = fileURLToPath7(import.meta.url);
+var __dirname7 = dirname6(__filename7);
+var packageJsonPath = join8(__dirname7, "../../package.json");
+var packageJson = JSON.parse(readFileSync6(packageJsonPath, "utf-8"));
 var program = new Command();
 program.name("bragduck").description("CLI tool for managing developer achievements and brags\nAliases: bd, duck, brag").version(packageJson.version, "-v, --version", "Display version number").helpOption("-h, --help", "Display help information").option("--skip-version-check", "Skip automatic version check on startup").option("--debug", "Enable debug mode (shows detailed logs)");
 program.command("auth [subcommand]").description("Manage authentication (subcommands: login, status, bitbucket, gitlab)").action(async (subcommand) => {