@databricks/sdk-auth 0.0.0-dev → 0.1.0-dev.2

package/dist/credentials/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/credentials/errors.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAUH;;;;GAIG;AACH,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IACnC,IAAI,CAA0B;IAEvC,YAAY,IAA6B,EAAE,OAAe;QACxD,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;QAClC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;CACF;AAUD;;;;GAIG;AACH,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IACnC,IAAI,CAA0B;IAEvC,YAAY,IAA6B,EAAE,OAAe;QACxD,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;QAClC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;CACF"}

package/dist/credentials/host-metadata.d.ts

@@ -0,0 +1,45 @@
+/**
+ * HostMetadata holds the parsed response from the
+ * /.well-known/databricks-config discovery endpoint.
+ */
+export interface HostMetadata {
+    /**
+     * oidcEndpoint is the OIDC discovery URL for this host. For account hosts,
+     * this may contain an {account_id} placeholder that callers must
+     * substitute.
+     */
+    oidcEndpoint: string;
+    /**
+     * accountId is the Databricks account ID associated with this host, if
+     * available.
+     */
+    accountId?: string;
+    /**
+     * workspaceId is the Databricks workspace ID associated with this host, if
+     * available.
+     */
+    workspaceId?: string;
+}
+/**
+ * getHostMetadata fetches the raw Databricks well-known configuration from
+ * {host}/.well-known/databricks-config. The returned HostMetadata contains
+ * raw values with no substitution (e.g., {account_id} placeholders are left
+ * as-is). Callers are responsible for interpreting the result.
+ */
+export declare function getHostMetadata(host: string): Promise<HostMetadata>;
+/**
+ * resolveTokenEndpoint resolves the OAuth `token_endpoint` for the given
+ * Databricks host via a two-step discovery:
+ *
+ * 1. `GET {host}/.well-known/databricks-config` to obtain the OIDC root.
+ * 2. `GET {oidcRoot}/.well-known/oauth-authorization-server` to obtain the
+ *    RFC 8414 authorization server metadata.
+ *
+ * If the OIDC root contains an `{account_id}` placeholder, it is substituted
+ * with the first defined value from: `configAccountId` (caller-supplied),
+ * then the `account_id` field returned by the host metadata response.
+ * Throws when any step fails, required fields are missing, or the placeholder
+ * cannot be resolved.
+ */
+export declare function resolveTokenEndpoint(host: string, configAccountId?: string): Promise<string>;
+//# sourceMappingURL=host-metadata.d.ts.map

package/dist/credentials/host-metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"host-metadata.d.ts","sourceRoot":"","sources":["../../src/credentials/host-metadata.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B;;;;OAIG;IACH,YAAY,EAAE,MAAM,CAAC;IAErB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;;;;GAKG;AACH,wBAAsB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAiCzE;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,oBAAoB,CACxC,IAAI,EAAE,MAAM,EACZ,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,MAAM,CAAC,CA+CjB"}

package/dist/credentials/host-metadata.js

@@ -0,0 +1,122 @@
+import { z } from 'zod';
+/**
+ * getHostMetadata fetches the raw Databricks well-known configuration from
+ * {host}/.well-known/databricks-config. The returned HostMetadata contains
+ * raw values with no substitution (e.g., {account_id} placeholders are left
+ * as-is). Callers are responsible for interpreting the result.
+ */
+export async function getHostMetadata(host) {
+    const url = `${trimTrailingSlash(host)}/.well-known/databricks-config`;
+    let response;
+    try {
+        response = await fetch(url);
+    }
+    catch (e) {
+        throw new Error(`fetching host metadata from ${url} failed: ${stringifyError(e)}`);
+    }
+    if (!response.ok) {
+        const text = await safeReadText(response);
+        throw new Error(`fetching host metadata from ${url} failed with status ` +
+            `${response.status.toString()}: ${text}`);
+    }
+    let raw;
+    try {
+        raw = await response.json();
+    }
+    catch (e) {
+        throw new Error(`parsing host metadata from ${url} failed: ${stringifyError(e)}`);
+    }
+    const parsed = hostMetadataSchema.parse(raw);
+    return {
+        oidcEndpoint: parsed.oidc_endpoint,
+        ...(parsed.account_id !== undefined && { accountId: parsed.account_id }),
+        ...(parsed.workspace_id !== undefined && {
+            workspaceId: parsed.workspace_id,
+        }),
+    };
+}
+/**
+ * resolveTokenEndpoint resolves the OAuth `token_endpoint` for the given
+ * Databricks host via a two-step discovery:
+ *
+ * 1. `GET {host}/.well-known/databricks-config` to obtain the OIDC root.
+ * 2. `GET {oidcRoot}/.well-known/oauth-authorization-server` to obtain the
+ *    RFC 8414 authorization server metadata.
+ *
+ * If the OIDC root contains an `{account_id}` placeholder, it is substituted
+ * with the first defined value from: `configAccountId` (caller-supplied),
+ * then the `account_id` field returned by the host metadata response.
+ * Throws when any step fails, required fields are missing, or the placeholder
+ * cannot be resolved.
+ */
+export async function resolveTokenEndpoint(host, configAccountId) {
+    const meta = await getHostMetadata(host);
+    // Precedence mirrors the legacy SDK: a caller-supplied account ID
+    // overrides any value returned by the host metadata. The metadata
+    // back-fills only when the caller did not provide one.
+    const accountId = configAccountId !== undefined && configAccountId !== ''
+        ? configAccountId
+        : meta.accountId;
+    let oidcRoot = meta.oidcEndpoint;
+    if (oidcRoot.includes('{account_id}')) {
+        if (accountId === undefined || accountId === '') {
+            throw new Error('host metadata oidc_endpoint contains {account_id} placeholder but ' +
+                'no account_id was provided or returned by the metadata response');
+        }
+        oidcRoot = oidcRoot.replaceAll('{account_id}', accountId);
+    }
+    const discoveryUrl = `${trimTrailingSlash(oidcRoot)}/.well-known/oauth-authorization-server`;
+    let response;
+    try {
+        response = await fetch(discoveryUrl);
+    }
+    catch (e) {
+        throw new Error(`fetching oauth authorization server metadata from ${discoveryUrl} ` +
+            `failed: ${stringifyError(e)}`);
+    }
+    if (!response.ok) {
+        const text = await safeReadText(response);
+        throw new Error(`fetching oauth authorization server metadata from ${discoveryUrl} ` +
+            `failed with status ${response.status.toString()}: ${text}`);
+    }
+    let raw;
+    try {
+        raw = await response.json();
+    }
+    catch (e) {
+        throw new Error(`parsing oauth authorization server metadata from ${discoveryUrl} ` +
+            `failed: ${stringifyError(e)}`);
+    }
+    const parsed = oauthServerSchema.parse(raw);
+    return parsed.token_endpoint;
+}
+const hostMetadataSchema = z.object({
+    oidc_endpoint: z.string(),
+    account_id: z.string().optional(),
+    workspace_id: z.string().optional(),
+});
+const oauthServerSchema = z.object({
+    token_endpoint: z.string(),
+});
+function trimTrailingSlash(s) {
+    let end = s.length;
+    while (end > 0 && s.charAt(end - 1) === '/') {
+        end--;
+    }
+    return s.slice(0, end);
+}
+async function safeReadText(response) {
+    try {
+        return await response.text();
+    }
+    catch {
+        return '';
+    }
+}
+function stringifyError(e) {
+    if (e instanceof Error) {
+        return e.message;
+    }
+    return String(e);
+}
+//# sourceMappingURL=host-metadata.js.map

package/dist/credentials/host-metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"host-metadata.js","sourceRoot":"","sources":["../../src/credentials/host-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AA2BtB;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,IAAY;IAChD,MAAM,GAAG,GAAG,GAAG,iBAAiB,CAAC,IAAI,CAAC,gCAAgC,CAAC;IACvE,IAAI,QAAkB,CAAC;IACvB,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CACb,+BAA+B,GAAG,YAAY,cAAc,CAAC,CAAC,CAAC,EAAE,CAClE,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAC;QAC1C,MAAM,IAAI,KAAK,CACb,+BAA+B,GAAG,sBAAsB;YACtD,GAAG,QAAQ,CAAC,MAAM,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE,CAC3C,CAAC;IACJ,CAAC;IACD,IAAI,GAAY,CAAC;IACjB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC9B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CACb,8BAA8B,GAAG,YAAY,cAAc,CAAC,CAAC,CAAC,EAAE,CACjE,CAAC;IACJ,CAAC;IACD,MAAM,MAAM,GAAG,kBAAkB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7C,OAAO;QACL,YAAY,EAAE,MAAM,CAAC,aAAa;QAClC,GAAG,CAAC,MAAM,CAAC,UAAU,KAAK,SAAS,IAAI,EAAC,SAAS,EAAE,MAAM,CAAC,UAAU,EAAC,CAAC;QACtE,GAAG,CAAC,MAAM,CAAC,YAAY,KAAK,SAAS,IAAI;YACvC,WAAW,EAAE,MAAM,CAAC,YAAY;SACjC,CAAC;KACH,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,IAAY,EACZ,eAAwB;IAExB,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,IAAI,CAAC,CAAC;IACzC,kEAAkE;IAClE,kEAAkE;IAClE,uDAAuD;IACvD,MAAM,SAAS,GACb,eAAe,KAAK,SAAS,IAAI,eAAe,KAAK,EAAE;QACrD,CAAC,CAAC,eAAe;QACjB,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC;IACrB,IAAI,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC;IACjC,IAAI,QAAQ,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;QACtC,IAAI,SAAS,KAAK,SAAS,IAAI,SAAS,KAAK,EAAE,EAAE,CAAC;YAChD,MAAM,IAAI,KAAK,CACb,oEAAoE;gBAClE,iEAAiE,CACpE,CAAC;QACJ,CAAC;QACD,QAAQ,GAAG,QAAQ,CAAC,UAAU,CAAC,cAAc,EAAE,SAAS,CAAC,CAAC;IAC5D,CAAC;IACD,MAAM,YAAY,GAAG,GAAG,iBAAiB,CAAC,QAAQ,CAAC,yCAAyC,CAAC;IAC7F,IAAI,QAAkB,CAAC;IACvB,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,KAAK,CAAC,YAAY,CAAC,CAAC;IACvC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CACb,qDAAqD,YAAY,GAAG;YAClE,WAAW,cAAc,CAAC,CAAC,CAAC,EAAE,CACjC,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAC;QAC1C,MAAM,IAAI,KAAK,CACb,qDAAqD,YAAY,GAAG;YAClE,sBAAsB,QAAQ,CAAC,MAAM,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE,CAC9D,CAAC;IACJ,CAAC;IACD,IAAI,GAAY,CAAC;IACjB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC9B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CACb,oDAAoD,YAAY,GAAG;YACjE,WAAW,cAAc,CAAC,CAAC,CAAC,EAAE,CACjC,CAAC;IACJ,CAAC;IACD,MAAM,MAAM,GAAG,iBAAiB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC5C,OAAO,MAAM,CAAC,cAAc,CAAC;AAC/B,CAAC;AAED,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IAClC,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE;IACzB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACpC,CAAC,CAAC;AAEH,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC;IACjC,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE;CAC3B,CAAC,CAAC;AAEH,SAAS,iBAAiB,CAAC,CAAS;IAClC,IAAI,GAAG,GAAG,CAAC,CAAC,MAAM,CAAC;IACnB,OAAO,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;QAC5C,GAAG,EAAE,CAAC;IACR,CAAC;IACD,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;AACzB,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,QAAkB;IAC5C,IAAI,CAAC;QACH,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,CAAU;IAChC,IAAI,CAAC,YAAY,KAAK,EAAE,CAAC;QACvB,OAAO,CAAC,CAAC,OAAO,CAAC;IACnB,CAAC;IACD,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC;AACnB,CAAC"}

package/dist/credentials/index.browser.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Browser entry point for credential implementations. Excludes credentials
+ * that depend on Node.js-only APIs (e.g. `databricks-cli` auth which spawns
+ * the CLI binary).
+ */
+export { M2mCredentialsError } from './errors';
+export type { M2mCredentialsErrorCode } from './errors';
+export { newM2mCredentials } from './m2m';
+export type { M2mCredentialsOptions } from './m2m';
+export { newPatCredentials } from './pat';
+//# sourceMappingURL=index.browser.d.ts.map

package/dist/credentials/index.browser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.browser.d.ts","sourceRoot":"","sources":["../../src/credentials/index.browser.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAC,mBAAmB,EAAC,MAAM,UAAU,CAAC;AAC7C,YAAY,EAAC,uBAAuB,EAAC,MAAM,UAAU,CAAC;AACtD,OAAO,EAAC,iBAAiB,EAAC,MAAM,OAAO,CAAC;AACxC,YAAY,EAAC,qBAAqB,EAAC,MAAM,OAAO,CAAC;AACjD,OAAO,EAAC,iBAAiB,EAAC,MAAM,OAAO,CAAC"}

package/dist/credentials/index.browser.js

@@ -0,0 +1,9 @@
+/**
+ * Browser entry point for credential implementations. Excludes credentials
+ * that depend on Node.js-only APIs (e.g. `databricks-cli` auth which spawns
+ * the CLI binary).
+ */
+export { M2mCredentialsError } from './errors';
+export { newM2mCredentials } from './m2m';
+export { newPatCredentials } from './pat';
+//# sourceMappingURL=index.browser.js.map

package/dist/credentials/index.browser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.browser.js","sourceRoot":"","sources":["../../src/credentials/index.browser.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAC,mBAAmB,EAAC,MAAM,UAAU,CAAC;AAE7C,OAAO,EAAC,iBAAiB,EAAC,MAAM,OAAO,CAAC;AAExC,OAAO,EAAC,iBAAiB,EAAC,MAAM,OAAO,CAAC"}

package/dist/credentials/index.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Credential implementations for the Databricks SDK.
+ */
+export { M2mCredentialsError, U2mCredentialsError } from './errors';
+export type { M2mCredentialsErrorCode, U2mCredentialsErrorCode } from './errors';
+export { newM2mCredentials } from './m2m';
+export type { M2mCredentialsOptions } from './m2m';
+export { newPatCredentials } from './pat';
+export { newU2mCredentials } from './u2m';
+export type { U2mCredentialsOptions } from './u2m';
+export { defaultCredentials } from './default/default-credentials';
+export { DefaultCredentialsError } from './default/errors';
+export type { DefaultCredentialsErrorCode } from './default/errors';
+//# sourceMappingURL=index.d.ts.map

package/dist/credentials/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/credentials/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAC,mBAAmB,EAAE,mBAAmB,EAAC,MAAM,UAAU,CAAC;AAClE,YAAY,EAAC,uBAAuB,EAAE,uBAAuB,EAAC,MAAM,UAAU,CAAC;AAC/E,OAAO,EAAC,iBAAiB,EAAC,MAAM,OAAO,CAAC;AACxC,YAAY,EAAC,qBAAqB,EAAC,MAAM,OAAO,CAAC;AACjD,OAAO,EAAC,iBAAiB,EAAC,MAAM,OAAO,CAAC;AACxC,OAAO,EAAC,iBAAiB,EAAC,MAAM,OAAO,CAAC;AACxC,YAAY,EAAC,qBAAqB,EAAC,MAAM,OAAO,CAAC;AACjD,OAAO,EAAC,kBAAkB,EAAC,MAAM,+BAA+B,CAAC;AACjE,OAAO,EAAC,uBAAuB,EAAC,MAAM,kBAAkB,CAAC;AACzD,YAAY,EAAC,2BAA2B,EAAC,MAAM,kBAAkB,CAAC"}

package/dist/credentials/index.js

@@ -0,0 +1,10 @@
+/**
+ * Credential implementations for the Databricks SDK.
+ */
+export { M2mCredentialsError, U2mCredentialsError } from './errors';
+export { newM2mCredentials } from './m2m';
+export { newPatCredentials } from './pat';
+export { newU2mCredentials } from './u2m';
+export { defaultCredentials } from './default/default-credentials';
+export { DefaultCredentialsError } from './default/errors';
+//# sourceMappingURL=index.js.map

package/dist/credentials/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/credentials/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAC,mBAAmB,EAAE,mBAAmB,EAAC,MAAM,UAAU,CAAC;AAElE,OAAO,EAAC,iBAAiB,EAAC,MAAM,OAAO,CAAC;AAExC,OAAO,EAAC,iBAAiB,EAAC,MAAM,OAAO,CAAC;AACxC,OAAO,EAAC,iBAAiB,EAAC,MAAM,OAAO,CAAC;AAExC,OAAO,EAAC,kBAAkB,EAAC,MAAM,+BAA+B,CAAC;AACjE,OAAO,EAAC,uBAAuB,EAAC,MAAM,kBAAkB,CAAC"}

package/dist/credentials/m2m.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Machine-to-machine (M2M) OAuth credentials for the Databricks SDK.
+ */
+import type { TokenCredentials } from '../auth';
+/** Options for {@link newM2mCredentials}. */
+export interface M2mCredentialsOptions {
+    /**
+     * Databricks host (workspace or account) used to discover the OAuth token
+     * endpoint.
+     */
+    host: string;
+    /**
+     * OAuth client ID issued to the service principal.
+     */
+    clientId: string;
+    /**
+     * OAuth client secret issued to the service principal.
+     */
+    clientSecret: string;
+    /**
+     * Databricks account ID. Required for account hosts.
+     */
+    accountId?: string;
+    /**
+     * OAuth scopes to request. When omitted or empty, defaults to
+     * `['all-apis']`.
+     */
+    scopes?: string[];
+}
+/**
+ * Creates a TokenCredentials that authenticates as a Databricks service
+ * principal using the OAuth client credentials grant.
+ *
+ * @param options - Host plus client credentials.
+ * @throws M2mCredentialsError when host, clientId, or clientSecret is empty,
+ * when token-endpoint discovery fails, or when the token endpoint returns
+ * an error.
+ */
+export declare function newM2mCredentials(options: M2mCredentialsOptions): TokenCredentials;
+//# sourceMappingURL=m2m.d.ts.map

package/dist/credentials/m2m.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"m2m.d.ts","sourceRoot":"","sources":["../../src/credentials/m2m.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,KAAK,EAAQ,gBAAgB,EAAC,MAAM,SAAS,CAAC;AAMrD,6CAA6C;AAC7C,MAAM,WAAW,qBAAqB;IACpC;;;OAGG;IACH,IAAI,EAAE,MAAM,CAAC;IAEb;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;IAEjB;;OAEG;IACH,YAAY,EAAE,MAAM,CAAC;IAErB;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB;AAID;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,qBAAqB,GAC7B,gBAAgB,CAuDlB"}

package/dist/credentials/m2m.js

@@ -0,0 +1,91 @@
+/**
+ * Machine-to-machine (M2M) OAuth credentials for the Databricks SDK.
+ */
+import { z } from 'zod';
+import { newTokenCredentials, tokenProviderFn } from '../auth';
+import { M2mCredentialsError } from './errors';
+import { resolveTokenEndpoint } from './host-metadata';
+const DEFAULT_SCOPES = ['all-apis'];
+/**
+ * Creates a TokenCredentials that authenticates as a Databricks service
+ * principal using the OAuth client credentials grant.
+ *
+ * @param options - Host plus client credentials.
+ * @throws M2mCredentialsError when host, clientId, or clientSecret is empty,
+ * when token-endpoint discovery fails, or when the token endpoint returns
+ * an error.
+ */
+export function newM2mCredentials(options) {
+    if (options.clientId === '') {
+        throw new M2mCredentialsError('CLIENT_ID_REQUIRED', 'clientId is required');
+    }
+    if (options.clientSecret === '') {
+        throw new M2mCredentialsError('CLIENT_SECRET_REQUIRED', 'clientSecret is required');
+    }
+    if (options.host === '') {
+        throw new M2mCredentialsError('HOST_REQUIRED', 'host is required');
+    }
+    const scopes = options.scopes !== undefined && options.scopes.length > 0
+        ? options.scopes
+        : DEFAULT_SCOPES;
+    const body = new URLSearchParams({
+        grant_type: 'client_credentials',
+        scope: scopes.join(' '),
+    }).toString();
+    // Client ID and secret are URL-encoded before Basic auth encoding to
+    // avoid ambiguity with special characters in either value, matching the
+    // behavior of golang.org/x/oauth2.
+    const basicAuth = btoa(`${encodeURIComponent(options.clientId)}:${encodeURIComponent(options.clientSecret)}`);
+    let cachedTokenEndpoint;
+    const getTokenEndpoint = async () => {
+        if (cachedTokenEndpoint === undefined) {
+            try {
+                cachedTokenEndpoint = await resolveTokenEndpoint(options.host, options.accountId);
+            }
+            catch (e) {
+                throw new M2mCredentialsError('DISCOVERY_FAILED', `discovering token endpoint failed: ${stringifyError(e)}`);
+            }
+        }
+        return cachedTokenEndpoint;
+    };
+    const provider = tokenProviderFn(async () => {
+        const tokenEndpoint = await getTokenEndpoint();
+        return fetchAccessToken(tokenEndpoint, basicAuth, body);
+    });
+    return newTokenCredentials('oauth-m2m', provider);
+}
+async function fetchAccessToken(tokenEndpoint, basicAuth, body) {
+    const response = await fetch(tokenEndpoint, {
+        method: 'POST',
+        headers: {
+            Authorization: `Basic ${basicAuth}`,
+            'Content-Type': 'application/x-www-form-urlencoded',
+        },
+        body,
+    });
+    if (!response.ok) {
+        const text = await response.text();
+        throw new M2mCredentialsError('TOKEN_REQUEST_FAILED', `token request failed with status ${response.status.toString()}: ${text}`);
+    }
+    const parsed = tokenResponseSchema.parse(await response.json());
+    const expiry = parsed.expires_in !== undefined
+        ? new Date(Date.now() + parsed.expires_in * 1000)
+        : undefined;
+    return {
+        value: parsed.access_token,
+        ...(parsed.token_type !== undefined && { type: parsed.token_type }),
+        ...(expiry !== undefined && { expiry }),
+    };
+}
+const tokenResponseSchema = z.object({
+    access_token: z.string(),
+    token_type: z.string().optional(),
+    expires_in: z.number().optional(),
+});
+function stringifyError(e) {
+    if (e instanceof Error) {
+        return e.message;
+    }
+    return String(e);
+}
+//# sourceMappingURL=m2m.js.map

package/dist/credentials/m2m.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"m2m.js","sourceRoot":"","sources":["../../src/credentials/m2m.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,EAAC,mBAAmB,EAAE,eAAe,EAAC,MAAM,SAAS,CAAC;AAE7D,OAAO,EAAC,mBAAmB,EAAC,MAAM,UAAU,CAAC;AAC7C,OAAO,EAAC,oBAAoB,EAAC,MAAM,iBAAiB,CAAC;AAgCrD,MAAM,cAAc,GAAsB,CAAC,UAAU,CAAC,CAAC;AAEvD;;;;;;;;GAQG;AACH,MAAM,UAAU,iBAAiB,CAC/B,OAA8B;IAE9B,IAAI,OAAO,CAAC,QAAQ,KAAK,EAAE,EAAE,CAAC;QAC5B,MAAM,IAAI,mBAAmB,CAAC,oBAAoB,EAAE,sBAAsB,CAAC,CAAC;IAC9E,CAAC;IACD,IAAI,OAAO,CAAC,YAAY,KAAK,EAAE,EAAE,CAAC;QAChC,MAAM,IAAI,mBAAmB,CAC3B,wBAAwB,EACxB,0BAA0B,CAC3B,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,IAAI,KAAK,EAAE,EAAE,CAAC;QACxB,MAAM,IAAI,mBAAmB,CAAC,eAAe,EAAE,kBAAkB,CAAC,CAAC;IACrE,CAAC;IAED,MAAM,MAAM,GACV,OAAO,CAAC,MAAM,KAAK,SAAS,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC;QACvD,CAAC,CAAC,OAAO,CAAC,MAAM;QAChB,CAAC,CAAC,cAAc,CAAC;IAErB,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,UAAU,EAAE,oBAAoB;QAChC,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;KACxB,CAAC,CAAC,QAAQ,EAAE,CAAC;IAEd,qEAAqE;IACrE,wEAAwE;IACxE,mCAAmC;IACnC,MAAM,SAAS,GAAG,IAAI,CACpB,GAAG,kBAAkB,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,kBAAkB,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CACtF,CAAC;IAEF,IAAI,mBAAuC,CAAC;IAC5C,MAAM,gBAAgB,GAAG,KAAK,IAAqB,EAAE;QACnD,IAAI,mBAAmB,KAAK,SAAS,EAAE,CAAC;YACtC,IAAI,CAAC;gBACH,mBAAmB,GAAG,MAAM,oBAAoB,CAC9C,OAAO,CAAC,IAAI,EACZ,OAAO,CAAC,SAAS,CAClB,CAAC;YACJ,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,IAAI,mBAAmB,CAC3B,kBAAkB,EAClB,sCAAsC,cAAc,CAAC,CAAC,CAAC,EAAE,CAC1D,CAAC;YACJ,CAAC;QACH,CAAC;QACD,OAAO,mBAAmB,CAAC;IAC7B,CAAC,CAAC;IAEF,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,IAAI,EAAE;QAC1C,MAAM,aAAa,GAAG,MAAM,gBAAgB,EAAE,CAAC;QAC/C,OAAO,gBAAgB,CAAC,aAAa,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,OAAO,mBAAmB,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;AACpD,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,aAAqB,EACrB,SAAiB,EACjB,IAAY;IAEZ,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE;QAC1C,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,aAAa,EAAE,SAAS,SAAS,EAAE;YACnC,cAAc,EAAE,mCAAmC;SACpD;QACD,IAAI;KACL,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,MAAM,IAAI,mBAAmB,CAC3B,sBAAsB,EACtB,oCAAoC,QAAQ,CAAC,MAAM,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE,CAC1E,CAAC;IACJ,CAAC;IACD,MAAM,MAAM,GAAG,mBAAmB,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;IAChE,MAAM,MAAM,GACV,MAAM,CAAC,UAAU,KAAK,SAAS;QAC7B,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;QACjD,CAAC,CAAC,SAAS,CAAC;IAChB,OAAO;QACL,KAAK,EAAE,MAAM,CAAC,YAAY;QAC1B,GAAG,CAAC,MAAM,CAAC,UAAU,KAAK,SAAS,IAAI,EAAC,IAAI,EAAE,MAAM,CAAC,UAAU,EAAC,CAAC;QACjE,GAAG,CAAC,MAAM,KAAK,SAAS,IAAI,EAAC,MAAM,EAAC,CAAC;KACtC,CAAC;AACJ,CAAC;AAED,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IACnC,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE;IACxB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAClC,CAAC,CAAC;AAEH,SAAS,cAAc,CAAC,CAAU;IAChC,IAAI,CAAC,YAAY,KAAK,EAAE,CAAC;QACvB,OAAO,CAAC,CAAC,OAAO,CAAC;IACnB,CAAC;IACD,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC;AACnB,CAAC"}

package/dist/credentials/pat.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Personal Access Token (PAT) credentials for the Databricks SDK.
+ */
+import type { Credentials } from '../auth';
+/**
+ * Creates a Credentials that can be used to authenticate with a Personal
+ * Access Token.
+ *
+ * @param token - The personal access token.
+ * @returns Credentials for PAT authentication.
+ * @throws TokenRequiredError if token is empty.
+ */
+export declare function newPatCredentials(token: string): Credentials;
+//# sourceMappingURL=pat.d.ts.map

package/dist/credentials/pat.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pat.d.ts","sourceRoot":"","sources":["../../src/credentials/pat.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAC,WAAW,EAAS,MAAM,SAAS,CAAC;AAYjD;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,WAAW,CAK5D"}

package/dist/credentials/pat.js

@@ -0,0 +1,41 @@
+/**
+ * Personal Access Token (PAT) credentials for the Databricks SDK.
+ */
+/**
+ * Error thrown when a token is required but not provided.
+ */
+class TokenRequiredError extends Error {
+    constructor() {
+        super('token is required');
+        this.name = 'TokenRequiredError';
+    }
+}
+/**
+ * Creates a Credentials that can be used to authenticate with a Personal
+ * Access Token.
+ *
+ * @param token - The personal access token.
+ * @returns Credentials for PAT authentication.
+ * @throws TokenRequiredError if token is empty.
+ */
+export function newPatCredentials(token) {
+    if (token === '') {
+        throw new TokenRequiredError();
+    }
+    return new PatCredentials(token);
+}
+class PatCredentials {
+    token;
+    constructor(token) {
+        this.token = token;
+    }
+    name() {
+        return 'pat';
+    }
+    authHeaders() {
+        return Promise.resolve([
+            { key: 'Authorization', value: `Bearer ${this.token}` },
+        ]);
+    }
+}
+//# sourceMappingURL=pat.js.map

package/dist/credentials/pat.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pat.js","sourceRoot":"","sources":["../../src/credentials/pat.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH;;GAEG;AACH,MAAM,kBAAmB,SAAQ,KAAK;IACpC;QACE,KAAK,CAAC,mBAAmB,CAAC,CAAC;QAC3B,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAa;IAC7C,IAAI,KAAK,KAAK,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,kBAAkB,EAAE,CAAC;IACjC,CAAC;IACD,OAAO,IAAI,cAAc,CAAC,KAAK,CAAC,CAAC;AACnC,CAAC;AAED,MAAM,cAAc;IACW;IAA7B,YAA6B,KAAa;QAAb,UAAK,GAAL,KAAK,CAAQ;IAAG,CAAC;IAE9C,IAAI;QACF,OAAO,KAAK,CAAC;IACf,CAAC;IAED,WAAW;QACT,OAAO,OAAO,CAAC,OAAO,CAAC;YACrB,EAAC,GAAG,EAAE,eAAe,EAAE,KAAK,EAAE,UAAU,IAAI,CAAC,KAAK,EAAE,EAAC;SACtD,CAAC,CAAC;IACL,CAAC;CACF"}

package/dist/credentials/u2m.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Databricks CLI ("U2M") credentials. Obtains access tokens by shelling out
+ * to the `databricks` CLI binary (>= 0.100.0). The CLI must have been logged
+ * in ahead of time via `databricks auth login`.
+ *
+ * Node.js only. Not exported from the browser entry point.
+ */
+import type { TokenCredentials } from '../auth';
+/** Options for the Databricks CLI auth strategy. */
+export interface U2mCredentialsOptions {
+    /**
+     * The Databricks CLI profile name, as configured via `databricks auth
+     * login`.
+     */
+    profile: string;
+    /**
+     * Path to the `databricks` CLI binary. If omitted, the binary is searched
+     * for in `PATH`.
+     */
+    cliPath?: string;
+}
+/**
+ * Creates a TokenCredentials that obtains Databricks access tokens by
+ * shelling out to the Databricks CLI.
+ *
+ * @param options - CLI profile (required) and optional CLI binary path.
+ * @throws U2mCredentialsError when `profile` is empty, or when the CLI cannot
+ * be located, is out of date, or fails to return a usable token.
+ */
+export declare function newU2mCredentials(options: U2mCredentialsOptions): TokenCredentials;
+//# sourceMappingURL=u2m.d.ts.map

package/dist/credentials/u2m.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"u2m.d.ts","sourceRoot":"","sources":["../../src/credentials/u2m.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAUH,OAAO,KAAK,EAAQ,gBAAgB,EAAC,MAAM,SAAS,CAAC;AAarD,oDAAoD;AACpD,MAAM,WAAW,qBAAqB;IACpC;;;OAGG;IACH,OAAO,EAAE,MAAM,CAAC;IAEhB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,qBAAqB,GAC7B,gBAAgB,CAMlB"}

package/dist/credentials/u2m.js

@@ -0,0 +1,157 @@
+/**
+ * Databricks CLI ("U2M") credentials. Obtains access tokens by shelling out
+ * to the `databricks` CLI binary (>= 0.100.0). The CLI must have been logged
+ * in ahead of time via `databricks auth login`.
+ *
+ * Node.js only. Not exported from the browser entry point.
+ */
+import { execFile } from 'node:child_process';
+import { stat } from 'node:fs/promises';
+import { join, sep } from 'node:path';
+import { env, platform } from 'node:process';
+import { promisify } from 'node:util';
+import { z } from 'zod';
+import { newTokenCredentials, tokenProviderFn } from '../auth';
+import { U2mCredentialsError } from './errors';
+const execFileAsync = promisify(execFile);
+/**
+ * Distinguishes the modern Go-based Databricks CLI (>= 0.100.0) from the
+ * legacy Python CLI by minimum file size.
+ */
+const DATABRICKS_CLI_MIN_SIZE = 1024 * 1024;
+/**
+ * Creates a TokenCredentials that obtains Databricks access tokens by
+ * shelling out to the Databricks CLI.
+ *
+ * @param options - CLI profile (required) and optional CLI binary path.
+ * @throws U2mCredentialsError when `profile` is empty, or when the CLI cannot
+ * be located, is out of date, or fails to return a usable token.
+ */
+export function newU2mCredentials(options) {
+    if (options.profile === '') {
+        throw new U2mCredentialsError('PROFILE_REQUIRED', 'profile is required');
+    }
+    const provider = tokenProviderFn(() => fetchCliToken(options));
+    return newTokenCredentials('databricks-cli', provider);
+}
+async function fetchCliToken(options) {
+    const cliPath = await findDatabricksCli(options.cliPath);
+    return execCliCommand([
+        cliPath,
+        'auth',
+        'token',
+        '--profile',
+        options.profile,
+    ]);
+}
+const cliTokenResponseSchema = z.object({
+    access_token: z.string().min(1),
+    token_type: z.string().optional(),
+    expiry: z.string(),
+});
+async function execCliCommand(args) {
+    const [cliPath, ...rest] = args;
+    let stdout;
+    try {
+        const result = await execFileAsync(cliPath, rest);
+        stdout = result.stdout;
+    }
+    catch (e) {
+        throw new U2mCredentialsError('TOKEN_FETCH_FAILED', `cannot get access token: ${cliErrorMessage(e)}`);
+    }
+    let raw;
+    try {
+        raw = JSON.parse(stdout);
+    }
+    catch (e) {
+        const cause = e instanceof Error ? e.message : String(e);
+        throw new U2mCredentialsError('INVALID_RESPONSE', `cannot parse CLI response: ${cause}`);
+    }
+    const result = cliTokenResponseSchema.safeParse(raw);
+    if (!result.success) {
+        throw new U2mCredentialsError('INVALID_RESPONSE', `invalid CLI response: ${result.error.message}`);
+    }
+    const parsed = result.data;
+    const expiry = new Date(parsed.expiry);
+    if (Number.isNaN(expiry.getTime())) {
+        throw new U2mCredentialsError('INVALID_RESPONSE', `cannot parse token expiry: ${parsed.expiry}`);
+    }
+    return {
+        value: parsed.access_token,
+        ...(parsed.token_type !== undefined && { type: parsed.token_type }),
+        expiry,
+    };
+}
+function cliErrorMessage(e) {
+    if (typeof e === 'object' && e !== null) {
+        const err = e;
+        if (err.stderr !== undefined) {
+            return err.stderr.toString().trim();
+        }
+        return err.message;
+    }
+    return String(e);
+}
+/**
+ * Locates the `databricks` CLI binary, either at `cliPath` (if provided) or
+ * by searching `PATH`. Validates that the binary is the modern Go CLI and
+ * not the legacy Python one, via a minimum-size check.
+ */
+async function findDatabricksCli(cliPath) {
+    if (cliPath !== undefined) {
+        if (cliPath.includes(sep) || cliPath.includes('/')) {
+            return validateCliPath(cliPath);
+        }
+        return findInPath(cliPath);
+    }
+    try {
+        return await findInPath('databricks');
+    }
+    catch (e) {
+        if (platform === 'win32') {
+            return findInPath('databricks.exe');
+        }
+        throw e;
+    }
+}
+async function findInPath(name) {
+    const pathEnv = env.PATH ?? '';
+    if (pathEnv === '') {
+        throw new U2mCredentialsError('CLI_NOT_FOUND', 'databricks CLI not found');
+    }
+    const delim = platform === 'win32' ? ';' : ':';
+    let legacyError;
+    for (const dir of pathEnv.split(delim)) {
+        if (dir === '') {
+            continue;
+        }
+        try {
+            return await validateCliPath(join(dir, name));
+        }
+        catch (e) {
+            if (e instanceof U2mCredentialsError &&
+                e.code === 'LEGACY_CLI_DETECTED') {
+                legacyError = e;
+            }
+        }
+    }
+    throw (legacyError ??
+        new U2mCredentialsError('CLI_NOT_FOUND', 'databricks CLI not found'));
+}
+async function validateCliPath(path) {
+    let info;
+    try {
+        info = await stat(path);
+    }
+    catch {
+        throw new U2mCredentialsError('CLI_NOT_FOUND', 'databricks CLI not found');
+    }
+    if (info.isDirectory()) {
+        throw new U2mCredentialsError('CLI_NOT_FOUND', 'databricks CLI not found');
+    }
+    if (info.size < DATABRICKS_CLI_MIN_SIZE) {
+        throw new U2mCredentialsError('LEGACY_CLI_DETECTED', 'legacy databricks CLI detected; upgrade to >= 0.100.0');
+    }
+    return path;
+}
+//# sourceMappingURL=u2m.js.map