@dataflint/mcp-server 1.0.17 → 1.0.21

package/dist/standalone/config.js

@@ -75,6 +75,127 @@ var require_types = __commonJS({
   }
 });
 
+// dist/auth/errors.js
+var require_errors = __commonJS({
+  "dist/auth/errors.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.NetworkError = exports2.ConfigError = exports2.AuthError = exports2.DataFlintError = exports2.ErrorCode = void 0;
+    var ErrorCode;
+    (function(ErrorCode2) {
+      ErrorCode2["AUTH_NOT_INITIALIZED"] = "AUTH_NOT_INITIALIZED";
+      ErrorCode2["AUTH_TOKEN_EXPIRED"] = "AUTH_TOKEN_EXPIRED";
+      ErrorCode2["AUTH_TOKEN_INVALID"] = "AUTH_TOKEN_INVALID";
+      ErrorCode2["AUTH_REFRESH_FAILED"] = "AUTH_REFRESH_FAILED";
+      ErrorCode2["AUTH_LOGIN_REQUIRED"] = "AUTH_LOGIN_REQUIRED";
+      ErrorCode2["AUTH_TIMEOUT"] = "AUTH_TIMEOUT";
+      ErrorCode2["CONFIG_MISSING"] = "CONFIG_MISSING";
+      ErrorCode2["CONFIG_INVALID"] = "CONFIG_INVALID";
+      ErrorCode2["CONFIG_DOMAIN_NOT_FOUND"] = "CONFIG_DOMAIN_NOT_FOUND";
+      ErrorCode2["NETWORK_UNAVAILABLE"] = "NETWORK_UNAVAILABLE";
+      ErrorCode2["NETWORK_TIMEOUT"] = "NETWORK_TIMEOUT";
+      ErrorCode2["NETWORK_DNS_FAILED"] = "NETWORK_DNS_FAILED";
+      ErrorCode2["API_UNAUTHORIZED"] = "API_UNAUTHORIZED";
+      ErrorCode2["API_FORBIDDEN"] = "API_FORBIDDEN";
+      ErrorCode2["API_NOT_FOUND"] = "API_NOT_FOUND";
+      ErrorCode2["API_RATE_LIMITED"] = "API_RATE_LIMITED";
+      ErrorCode2["API_SERVER_ERROR"] = "API_SERVER_ERROR";
+      ErrorCode2["API_BAD_REQUEST"] = "API_BAD_REQUEST";
+      ErrorCode2["SERVICE_NOT_STARTED"] = "SERVICE_NOT_STARTED";
+      ErrorCode2["SERVICE_UNAVAILABLE"] = "SERVICE_UNAVAILABLE";
+      ErrorCode2["UNKNOWN"] = "UNKNOWN";
+    })(ErrorCode || (exports2.ErrorCode = ErrorCode = {}));
+    var DataFlintError = class extends Error {
+      cause;
+      constructor(message, cause) {
+        super(message);
+        this.cause = cause;
+        this.name = this.constructor.name;
+        if (Error.captureStackTrace) {
+          Error.captureStackTrace(this, this.constructor);
+        }
+      }
+      /**
+       * Get a user-friendly error message with action
+       */
+      getUserMessage() {
+        return `${this.message}. ${this.userAction}`;
+      }
+    };
+    exports2.DataFlintError = DataFlintError;
+    var AuthError = class _AuthError extends DataFlintError {
+      code;
+      isRetryable;
+      userAction;
+      constructor(code, message, userAction, isRetryable = false, cause) {
+        super(message, cause);
+        this.code = code;
+        this.isRetryable = isRetryable;
+        this.userAction = userAction;
+      }
+      static tokenExpired(cause) {
+        return new _AuthError(ErrorCode.AUTH_TOKEN_EXPIRED, "Your session has expired", 'Please click "Login" to authenticate again.', false, cause);
+      }
+      static tokenInvalid(cause) {
+        return new _AuthError(ErrorCode.AUTH_TOKEN_INVALID, "Authentication token is invalid", 'Please click "Login" to authenticate again.', false, cause);
+      }
+      static refreshFailed(cause) {
+        return new _AuthError(ErrorCode.AUTH_REFRESH_FAILED, "Failed to refresh authentication", 'Please click "Login" to authenticate again.', false, cause);
+      }
+      static loginRequired() {
+        return new _AuthError(ErrorCode.AUTH_LOGIN_REQUIRED, "Authentication required", 'Please run "DataFlint: Login" from the command palette.', false);
+      }
+      static timeout(cause) {
+        return new _AuthError(ErrorCode.AUTH_TIMEOUT, "Authentication timed out", "Please check your internet connection and try again.", true, cause);
+      }
+      static notInitialized() {
+        return new _AuthError(ErrorCode.AUTH_NOT_INITIALIZED, "Authentication service not initialized", 'Please run "DataFlint: Restart Server" to reinitialize.', true);
+      }
+    };
+    exports2.AuthError = AuthError;
+    var ConfigError = class _ConfigError extends DataFlintError {
+      code;
+      isRetryable = false;
+      userAction;
+      constructor(code, message, userAction, cause) {
+        super(message, cause);
+        this.code = code;
+        this.userAction = userAction;
+      }
+      static missing(field) {
+        return new _ConfigError(ErrorCode.CONFIG_MISSING, `Missing required configuration: ${field}`, 'Please check your DataFlint settings. Run "DataFlint: Show Debug Information" for details.');
+      }
+      static invalid(field, value, expected) {
+        return new _ConfigError(ErrorCode.CONFIG_INVALID, `Invalid configuration for ${field}: "${value}"`, `Expected ${expected}. Please check your DataFlint settings.`);
+      }
+      static customerDomainNotFound(domain) {
+        return new _ConfigError(ErrorCode.CONFIG_DOMAIN_NOT_FOUND, `Customer domain "${domain}" is not configured`, "Please contact support to set up your organization's domain, or remove the customer domain setting.");
+      }
+    };
+    exports2.ConfigError = ConfigError;
+    var NetworkError = class _NetworkError extends DataFlintError {
+      code;
+      isRetryable = true;
+      userAction;
+      constructor(code, message, userAction, cause) {
+        super(message, cause);
+        this.code = code;
+        this.userAction = userAction;
+      }
+      static unavailable(cause) {
+        return new _NetworkError(ErrorCode.NETWORK_UNAVAILABLE, "Cannot connect to server", "Please check your internet connection and try again.", cause);
+      }
+      static timeout(cause) {
+        return new _NetworkError(ErrorCode.NETWORK_TIMEOUT, "Request timed out", "The server took too long to respond. Please check your connection and try again.", cause);
+      }
+      static dnsFailed(host, cause) {
+        return new _NetworkError(ErrorCode.NETWORK_DNS_FAILED, `Cannot resolve hostname: ${host}`, "Please check your internet connection and DNS settings.", cause);
+      }
+    };
+    exports2.NetworkError = NetworkError;
+  }
+});
+
 // dist/auth/auth0-service.js
 var require_auth0_service = __commonJS({
   "dist/auth/auth0-service.js"(exports2) {
@@ -121,6 +242,7 @@ var require_auth0_service = __commonJS({
     var http = __importStar2(require("http"));
     var openid_client_1 = require("openid-client");
     var url_1 = require("url");
+    var errors_1 = require_errors();
     var AUTH_DISCOVERY_TIMEOUT_MS = 1e4;
     openid_client_1.custom.setHttpOptionsDefaults({
       timeout: AUTH_DISCOVERY_TIMEOUT_MS
@@ -184,13 +306,21 @@ var require_auth0_service = __commonJS({
           this.logger.error(`Client ID: ${this.config.clientId}`);
           this.logger.error(`Constructed issuer URL: ${this.config.domain.startsWith("http") ? this.config.domain : `https://${this.config.domain}`}`);
           if (error instanceof Error) {
-            if (error.message.includes("404") || error.message.includes("Not Found")) {
-              throw new Error(`Auth0 domain '${this.config.domain}' not found. Please verify your Auth0 domain configuration. The discovery endpoint ${this.config.domain} returned 404.`);
-            } else if (error.message.includes("ENOTFOUND") || error.message.includes("getaddrinfo")) {
-              throw new Error(`Cannot connect to Auth0 domain '${this.config.domain}'. Please check your internet connection and verify the domain is correct.`);
+            const message = error.message.toLowerCase();
+            if (message.includes("404") || message.includes("not found")) {
+              throw errors_1.ConfigError.invalid("Auth0 domain", this.config.domain, "a valid Auth0 domain (e.g., your-tenant.auth0.com)");
+            }
+            if (message.includes("enotfound") || message.includes("getaddrinfo")) {
+              throw errors_1.NetworkError.dnsFailed(this.config.domain, error);
+            }
+            if (message.includes("timeout") || message.includes("etimedout")) {
+              throw errors_1.AuthError.timeout(error);
+            }
+            if (message.includes("econnrefused") || message.includes("econnreset")) {
+              throw errors_1.NetworkError.unavailable(error);
             }
           }
-          throw new Error(`Auth0 initialization failed: ${error}`);
+          throw new errors_1.AuthError("AUTH_NOT_INITIALIZED", `Auth0 initialization failed: ${error instanceof Error ? error.message : String(error)}`, "Please check your internet connection and Auth0 configuration.", false, error instanceof Error ? error : void 0);
         }
       }
       /**
@@ -201,7 +331,7 @@ var require_auth0_service = __commonJS({
           await this.initialize();
         }
         if (!this.client) {
-          throw new Error("Auth0 client not initialized");
+          throw errors_1.AuthError.notInitialized();
         }
         const codeVerifier = openid_client_1.generators.codeVerifier();
         const codeChallenge = openid_client_1.generators.codeChallenge(codeVerifier);
@@ -270,7 +400,7 @@ var require_auth0_service = __commonJS({
           });
           setTimeout(() => {
             server.close();
-            reject(new Error("Authentication timeout - no response received within 5 minutes"));
+            reject(errors_1.AuthError.timeout());
           }, 3e5);
         });
       }
@@ -279,7 +409,7 @@ var require_auth0_service = __commonJS({
        */
       async getUserInfo(accessToken) {
         if (!this.client) {
-          throw new Error("Auth0 client not initialized");
+          throw errors_1.AuthError.notInitialized();
         }
         try {
           this.logger.info("Fetching user information...");
@@ -297,7 +427,7 @@ var require_auth0_service = __commonJS({
        */
       async refreshToken(refreshToken) {
         if (!this.client) {
-          throw new Error("Auth0 client not initialized");
+          throw errors_1.AuthError.notInitialized();
         }
         try {
           this.logger.info("Refreshing access token...");
@@ -354,7 +484,7 @@ var require_auth0_service = __commonJS({
        */
       async logout(accessToken) {
         if (!this.client) {
-          throw new Error("Auth0 client not initialized");
+          throw errors_1.AuthError.notInitialized();
         }
         try {
           await this.client.revoke(accessToken);
@@ -374,7 +504,7 @@ var require_auth0_m2m_service = __commonJS({
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.Auth0M2MService = void 0;
-    var types_1 = require_types();
+    var types_12 = require_types();
     var noopLogger = {
       info: () => {
       },
@@ -407,7 +537,7 @@ var require_auth0_m2m_service = __commonJS({
        * Get the strategy type identifier
        */
       getType() {
-        return types_1.AuthStrategyType.AUTH0_M2M;
+        return types_12.AuthStrategyType.AUTH0_M2M;
       }
       /**
        * Initialize the M2M service
@@ -578,7 +708,7 @@ var require_service_account_service = __commonJS({
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.ServiceAccountService = void 0;
     var fs2 = __importStar2(require("fs"));
-    var types_1 = require_types();
+    var types_12 = require_types();
     var noopLogger = {
       info: () => {
       },
@@ -603,7 +733,7 @@ var require_service_account_service = __commonJS({
        * Get the strategy type identifier
        */
       getType() {
-        return types_1.AuthStrategyType.SERVICE_ACCOUNT;
+        return types_12.AuthStrategyType.SERVICE_ACCOUNT;
       }
       /**
        * Initialize the service account strategy
@@ -1071,7 +1201,7 @@ var require_auth_strategy_factory = __commonJS({
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.AuthStrategyFactory = void 0;
-    var types_1 = require_types();
+    var types_12 = require_types();
     var service_account_service_1 = require_service_account_service();
     var auth0_m2m_service_1 = require_auth0_m2m_service();
     var secrets_1 = require_secrets();
@@ -1095,15 +1225,15 @@ var require_auth_strategy_factory = __commonJS({
       async createStrategy() {
         const m2mMode = this.configProvider.getM2MMode();
         switch (m2mMode.type) {
-          case types_1.M2MType.SERVICE_ACCOUNT:
+          case types_12.M2MType.SERVICE_ACCOUNT:
             return this.buildServiceAccountStrategy(m2mMode);
-          case types_1.M2MType.AUTH0_M2M:
+          case types_12.M2MType.AUTH0_M2M:
             return await this.buildAuth0M2MStrategy(m2mMode);
           default:
             this.logger.info("Using interactive OAuth flow");
             return {
               strategy: null,
-              strategyType: types_1.AuthStrategyType.AUTH0_USER
+              strategyType: types_12.AuthStrategyType.AUTH0_USER
             };
         }
       }
@@ -1111,7 +1241,7 @@ var require_auth_strategy_factory = __commonJS({
         this.logger.info(`Service Account mode: ${mode.tokenPath}`);
         return {
           strategy: new service_account_service_1.ServiceAccountService(mode.tokenPath, mode.tenantId, this.logger),
-          strategyType: types_1.AuthStrategyType.SERVICE_ACCOUNT
+          strategyType: types_12.AuthStrategyType.SERVICE_ACCOUNT
         };
       }
       async buildAuth0M2MStrategy(mode) {
@@ -1126,15 +1256,15 @@ var require_auth_strategy_factory = __commonJS({
         this.logger.info(`Auth0 M2M mode: ${mode.secretName}`);
         return {
           strategy: new auth0_m2m_service_1.Auth0M2MService(credentials, mode.tenantId, this.logger),
-          strategyType: types_1.AuthStrategyType.AUTH0_M2M
+          strategyType: types_12.AuthStrategyType.AUTH0_M2M
         };
       }
       async isM2MAvailable() {
         const mode = this.configProvider.getM2MMode();
-        if (mode.type === types_1.M2MType.SERVICE_ACCOUNT) {
+        if (mode.type === types_12.M2MType.SERVICE_ACCOUNT) {
           return true;
         }
-        if (mode.type === types_1.M2MType.AUTH0_M2M) {
+        if (mode.type === types_12.M2MType.AUTH0_M2M) {
           const secretsProvider = new secrets_1.SecretsProvider(this.configProvider.getEnvironment(), this.logger);
           return secretsProvider.isAvailable();
         }
@@ -1187,7 +1317,7 @@ var require_auth = __commonJS({
       };
     })();
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.SecretsProvider = exports2.LocalFileSecretsProvider = exports2.AWSSecretsProvider = exports2.AuthStrategyFactory = exports2.ServiceAccountService = exports2.Auth0M2MService = exports2.Auth0Service = exports2.M2MType = exports2.AuthStrategyType = exports2.customerAuthConfigs = void 0;
+    exports2.NetworkError = exports2.ConfigError = exports2.AuthError = exports2.DataFlintError = exports2.ErrorCode = exports2.SecretsProvider = exports2.LocalFileSecretsProvider = exports2.AWSSecretsProvider = exports2.AuthStrategyFactory = exports2.ServiceAccountService = exports2.Auth0M2MService = exports2.Auth0Service = exports2.M2MType = exports2.AuthStrategyType = exports2.customerAuthConfigs = void 0;
     exports2.getCustomerAuthConfig = getCustomerAuthConfig;
     var crypto2 = __importStar2(require("node:crypto"));
     var customer_auth_configs_1 = require_customer_auth_configs();
@@ -1212,12 +1342,12 @@ var require_auth = __commonJS({
         serverUrl: `https://api.${customerDomain}.dataflint.io`
       };
     }
-    var types_1 = require_types();
+    var types_12 = require_types();
     Object.defineProperty(exports2, "AuthStrategyType", { enumerable: true, get: function() {
-      return types_1.AuthStrategyType;
+      return types_12.AuthStrategyType;
     } });
     Object.defineProperty(exports2, "M2MType", { enumerable: true, get: function() {
-      return types_1.M2MType;
+      return types_12.M2MType;
     } });
     var auth0_service_1 = require_auth0_service();
     Object.defineProperty(exports2, "Auth0Service", { enumerable: true, get: function() {
@@ -1245,6 +1375,64 @@ var require_auth = __commonJS({
     Object.defineProperty(exports2, "SecretsProvider", { enumerable: true, get: function() {
       return secrets_1.SecretsProvider;
     } });
+    var errors_1 = require_errors();
+    Object.defineProperty(exports2, "ErrorCode", { enumerable: true, get: function() {
+      return errors_1.ErrorCode;
+    } });
+    Object.defineProperty(exports2, "DataFlintError", { enumerable: true, get: function() {
+      return errors_1.DataFlintError;
+    } });
+    Object.defineProperty(exports2, "AuthError", { enumerable: true, get: function() {
+      return errors_1.AuthError;
+    } });
+    Object.defineProperty(exports2, "ConfigError", { enumerable: true, get: function() {
+      return errors_1.ConfigError;
+    } });
+    Object.defineProperty(exports2, "NetworkError", { enumerable: true, get: function() {
+      return errors_1.NetworkError;
+    } });
+  }
+});
+
+// dist/types.js
+var require_types2 = __commonJS({
+  "dist/types.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.M2MType = exports2.AuthStrategyType = void 0;
+    var index_12 = require_auth();
+    Object.defineProperty(exports2, "AuthStrategyType", { enumerable: true, get: function() {
+      return index_12.AuthStrategyType;
+    } });
+    Object.defineProperty(exports2, "M2MType", { enumerable: true, get: function() {
+      return index_12.M2MType;
+    } });
+  }
+});
+
+// dist/logger.js
+var require_logger = __commonJS({
+  "dist/logger.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.Logger = void 0;
+    var LOGGER_KEY = "__dataflint_mcp_logger__";
+    var Logger = class {
+      static setInstance(logger) {
+        globalThis[LOGGER_KEY] = logger;
+      }
+      static getInstance() {
+        const instance = globalThis[LOGGER_KEY];
+        if (!instance) {
+          throw new Error("Logger not initialized. Call Logger.setInstance() first.");
+        }
+        return instance;
+      }
+      static clear() {
+        globalThis[LOGGER_KEY] = void 0;
+      }
+    };
+    exports2.Logger = Logger;
   }
 });
 
@@ -1288,28 +1476,96 @@ var __importStar = exports && exports.__importStar || /* @__PURE__ */ (function(
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.StandaloneConfigService = void 0;
-var fs = __importStar(require("fs"));
-var path = __importStar(require("path"));
-var os = __importStar(require("os"));
-var crypto = __importStar(require("crypto"));
-var index_js_1 = require_auth();
+var fs = __importStar(require("node:fs"));
+var fsPromises = __importStar(require("node:fs/promises"));
+var path = __importStar(require("node:path"));
+var os = __importStar(require("node:os"));
+var crypto = __importStar(require("node:crypto"));
+var zod_1 = require("zod");
+var types_1 = require_types2();
+var index_1 = require_auth();
+var logger_1 = require_logger();
+var DEFAULT_CLIENT_ID_FOR_HASH = "default";
+var HASH_PREFIX_LENGTH = 8;
+var DEFAULT_ADMIN_COMPANY_DOMAIN = "none";
+var DEFAULT_SERVER_URL = "https://api.dataflint.io";
+var DEFAULT_AUTH_DOMAIN = "https://dataflint.us.auth0.com/";
+var DEFAULT_AUDIENCE = "https://api.dataflint.io";
+var DEFAULT_SCOPE = "openid profile email offline_access";
+var DEFAULT_PUBLIC_CLIENT_ID = "1NdbhkYoLyqQWtevBNal1BozB9pSZe3g";
+var CREDENTIALS_DIR_MODE = 448;
+var CREDENTIALS_FILE_MODE = 384;
+var StandaloneConfigSchema = zod_1.z.object({
+  serverUrl: zod_1.z.string().url().optional(),
+  authDomain: zod_1.z.string().optional(),
+  clientId: zod_1.z.string().optional(),
+  audience: zod_1.z.string().optional(),
+  scope: zod_1.z.string().optional(),
+  credentialsPath: zod_1.z.string().optional(),
+  adminCompanyDomain: zod_1.z.string().optional(),
+  customerDomain: zod_1.z.string().optional(),
+  m2mTokenPath: zod_1.z.string().optional(),
+  m2mSecretName: zod_1.z.string().optional(),
+  tenantId: zod_1.z.string().optional()
+}).strict();
 var StandaloneConfigService = class {
   config;
   credentialsPath;
+  m2mMode;
   constructor(config = {}) {
     this.config = this.mergeWithDefaults(config);
-    if (config.credentialsPath) {
-      this.credentialsPath = config.credentialsPath;
-    } else {
-      const clientIdHash = crypto.createHash("sha256").update(this.config.clientId).digest("hex").substring(0, 8);
-      this.credentialsPath = path.join(os.homedir(), ".dataflint", `credentials-${clientIdHash}.json`);
-    }
+    this.m2mMode = this.detectM2MMode();
+    this.validateM2MConfig();
+    this.credentialsPath = config.credentialsPath || this.defaultCredentialsPath();
     this.ensureDataflintDirectory();
   }
+  defaultCredentialsPath() {
+    const hash = crypto.createHash("sha256").update(this.config.clientId || DEFAULT_CLIENT_ID_FOR_HASH).digest("hex").substring(0, HASH_PREFIX_LENGTH);
+    return path.join(os.homedir(), ".dataflint", `credentials-${hash}.json`);
+  }
   ensureDataflintDirectory() {
-    const dataflintDir = path.dirname(this.credentialsPath);
-    if (!fs.existsSync(dataflintDir)) {
-      fs.mkdirSync(dataflintDir, { recursive: true, mode: 448 });
+    const dir = path.dirname(this.credentialsPath);
+    if (!fs.existsSync(dir)) {
+      fs.mkdirSync(dir, { recursive: true, mode: CREDENTIALS_DIR_MODE });
+    }
+  }
+  detectM2MMode() {
+    const tokenPath = this.config.m2mTokenPath;
+    const secretName = this.config.m2mSecretName;
+    const tenantId = this.config.tenantId;
+    const logger = logger_1.Logger.getInstance();
+    if (tokenPath) {
+      logger.info("M2M mode: Service Account");
+      return { type: types_1.M2MType.SERVICE_ACCOUNT, tokenPath, tenantId };
+    }
+    if (secretName) {
+      logger.info("M2M mode: Auth0 M2M");
+      return { type: types_1.M2MType.AUTH0_M2M, secretName, tenantId };
+    }
+    return { type: types_1.M2MType.NONE };
+  }
+  validateM2MConfig() {
+    if (this.m2mMode.type !== types_1.M2MType.NONE && !this.config.serverUrl) {
+      throw new Error("DATAFLINT_SERVER_URL is required in M2M mode");
+    }
+  }
+  loadFileConfig() {
+    const configFilePath = path.join(os.homedir(), ".dataflint", "config.json");
+    if (!fs.existsSync(configFilePath)) {
+      return {};
+    }
+    const logger = logger_1.Logger.getInstance();
+    try {
+      const rawContent = JSON.parse(fs.readFileSync(configFilePath, "utf8"));
+      const result = StandaloneConfigSchema.safeParse(rawContent);
+      if (!result.success) {
+        logger.warn(`Invalid config file format at ${configFilePath}: ${result.error.issues.map((i) => i.message).join(", ")}`);
+        return {};
+      }
+      return result.data;
+    } catch (error) {
+      logger.warn(`Failed to parse config file at ${configFilePath}: ${error instanceof Error ? error.message : String(error)}`);
+      return {};
     }
   }
   mergeWithDefaults(config) {
@@ -1320,105 +1576,129 @@ var StandaloneConfigService = class {
       audience: process.env.DATAFLINT_AUDIENCE,
       scope: process.env.DATAFLINT_SCOPE,
       adminCompanyDomain: process.env.DATAFLINT_ADMIN_COMPANY_DOMAIN,
-      customerDomain: process.env.DATAFLINT_CUSTOMER_DOMAIN
+      customerDomain: process.env.DATAFLINT_CUSTOMER_DOMAIN,
+      m2mTokenPath: process.env.M2M_SA_TOKEN_PATH,
+      m2mSecretName: process.env.M2M_AUTH0_SECRET_NAME,
+      tenantId: process.env.TENANT_ID
     };
-    const configFilePath = path.join(os.homedir(), ".dataflint", "config.json");
-    let fileConfig = {};
-    if (fs.existsSync(configFilePath)) {
-      try {
-        const fileContent = fs.readFileSync(configFilePath, "utf8");
-        fileConfig = JSON.parse(fileContent);
-      } catch (error) {
-      }
-    }
+    const fileConfig = this.loadFileConfig();
+    const logger = logger_1.Logger.getInstance();
     const customerDomain = config.customerDomain || envConfig.customerDomain || fileConfig.customerDomain;
     if (customerDomain) {
-      console.error(`[CONFIG] Customer domain detected: ${customerDomain}`);
-      const customerConfig = (0, index_js_1.getCustomerAuthConfig)(customerDomain);
+      logger.info(`Customer domain detected: ${customerDomain}`);
+      const customerConfig = (0, index_1.getCustomerAuthConfig)(customerDomain);
       if (!customerConfig) {
-        console.error(`[CONFIG] ERROR: Unknown customer domain: ${customerDomain}`);
+        logger.error(`Unknown customer domain: ${customerDomain}`);
         throw new Error(`Unknown customer domain: "${customerDomain}". This customer is not registered in the system. Please check the domain name or contact support.`);
       }
-      console.error(`[CONFIG] Using customer-specific configuration:`);
-      console.error(`[CONFIG]   - Server URL: ${customerConfig.serverUrl}`);
-      console.error(`[CONFIG]   - Auth0 Domain: ${customerConfig.domain}`);
-      console.error(`[CONFIG]   - Client ID: ${customerConfig.clientId.substring(0, 8)}...`);
+      logger.info(`Using customer-specific configuration:`);
+      logger.info(`Server URL: ${customerConfig.serverUrl}`);
+      logger.info(`Auth0 Domain: ${customerConfig.domain}`);
+      logger.info(`Client ID: ${customerConfig.clientId.substring(0, 8)}...`);
       return {
         serverUrl: customerConfig.serverUrl,
         authDomain: customerConfig.domain,
         clientId: customerConfig.clientId,
         audience: customerConfig.audience,
-        scope: "openid profile email offline_access",
+        scope: DEFAULT_SCOPE,
         // Credentials path only configurable via CLI argument for security
         credentialsPath: config.credentialsPath,
-        adminCompanyDomain: config.adminCompanyDomain || envConfig.adminCompanyDomain || fileConfig.adminCompanyDomain || "none",
-        customerDomain
+        adminCompanyDomain: config.adminCompanyDomain || envConfig.adminCompanyDomain || fileConfig.adminCompanyDomain || DEFAULT_ADMIN_COMPANY_DOMAIN,
+        customerDomain,
+        m2mTokenPath: config.m2mTokenPath || envConfig.m2mTokenPath || fileConfig.m2mTokenPath,
+        m2mSecretName: config.m2mSecretName || envConfig.m2mSecretName || fileConfig.m2mSecretName,
+        tenantId: config.tenantId || envConfig.tenantId || fileConfig.tenantId
       };
     }
-    console.error(`[CONFIG] No customer domain - using default/explicit configuration`);
+    logger.info(`No customer domain - using default/explicit configuration`);
     return {
-      serverUrl: config.serverUrl || envConfig.serverUrl || fileConfig.serverUrl || "https://api.dataflint.io",
-      authDomain: config.authDomain || envConfig.authDomain || fileConfig.authDomain || "https://dataflint.us.auth0.com/",
-      clientId: config.clientId || envConfig.clientId || fileConfig.clientId || "1NdbhkYoLyqQWtevBNal1BozB9pSZe3g",
-      audience: config.audience || envConfig.audience || fileConfig.audience || "https://api.dataflint.io",
-      scope: config.scope || envConfig.scope || fileConfig.scope || "openid profile email offline_access",
-      adminCompanyDomain: config.adminCompanyDomain || envConfig.adminCompanyDomain || fileConfig.adminCompanyDomain || "none",
+      serverUrl: config.serverUrl || envConfig.serverUrl || fileConfig.serverUrl || DEFAULT_SERVER_URL,
+      authDomain: config.authDomain || envConfig.authDomain || fileConfig.authDomain || DEFAULT_AUTH_DOMAIN,
+      clientId: config.clientId || envConfig.clientId || fileConfig.clientId || DEFAULT_PUBLIC_CLIENT_ID,
+      audience: config.audience || envConfig.audience || fileConfig.audience || DEFAULT_AUDIENCE,
+      scope: config.scope || envConfig.scope || fileConfig.scope || DEFAULT_SCOPE,
+      adminCompanyDomain: config.adminCompanyDomain || envConfig.adminCompanyDomain || fileConfig.adminCompanyDomain || DEFAULT_ADMIN_COMPANY_DOMAIN,
       // Credentials path only configurable via CLI argument for security
       credentialsPath: config.credentialsPath,
-      customerDomain: void 0
+      customerDomain: void 0,
+      m2mTokenPath: config.m2mTokenPath || envConfig.m2mTokenPath || fileConfig.m2mTokenPath,
+      m2mSecretName: config.m2mSecretName || envConfig.m2mSecretName || fileConfig.m2mSecretName,
+      tenantId: config.tenantId || envConfig.tenantId || fileConfig.tenantId
     };
   }
   // IConfigService interface implementation
   getServerUrl() {
+    if (!this.config.serverUrl) {
+      throw new Error("Server URL not configured. Set DATAFLINT_SERVER_URL environment variable or configure in ~/.dataflint/config.json");
+    }
     return this.config.serverUrl;
   }
   getEnvironment() {
     return "prod";
   }
   getCustomerDomain() {
-    return this.config.customerDomain || null;
+    return this.config.customerDomain ?? null;
   }
   getAdminCompanyDomain() {
-    return this.config.adminCompanyDomain || "none";
+    return this.config.adminCompanyDomain ?? DEFAULT_ADMIN_COMPANY_DOMAIN;
   }
   getAuthConfig() {
+    if (!this.config.authDomain) {
+      throw new Error("Auth domain not configured. Set DATAFLINT_AUTH_DOMAIN environment variable or configure in ~/.dataflint/config.json");
+    }
+    if (!this.config.clientId) {
+      throw new Error("Client ID not configured. Set DATAFLINT_CLIENT_ID environment variable or configure in ~/.dataflint/config.json");
+    }
+    if (!this.config.audience) {
+      throw new Error("Audience not configured. Set DATAFLINT_AUDIENCE environment variable or configure in ~/.dataflint/config.json");
+    }
     return {
       domain: this.config.authDomain,
       clientId: this.config.clientId,
       audience: this.config.audience,
-      scope: this.config.scope || "openid profile email offline_access"
+      scope: this.config.scope ?? DEFAULT_SCOPE
     };
   }
   async getAuthSecret() {
     try {
-      if (fs.existsSync(this.credentialsPath)) {
-        const content = fs.readFileSync(this.credentialsPath, "utf8");
-        return content;
-      }
-      return void 0;
+      return await fsPromises.readFile(this.credentialsPath, "utf8");
     } catch (error) {
+      const nodeError = error;
+      if (nodeError.code === "ENOENT") {
+        return void 0;
+      }
+      logger_1.Logger.getInstance().warn(`Failed to read credentials from ${this.credentialsPath}: ${nodeError.message}`);
       return void 0;
     }
   }
   async setAuthSecret(value) {
     this.ensureDataflintDirectory();
-    fs.writeFileSync(this.credentialsPath, value, {
-      mode: 384,
+    await fsPromises.writeFile(this.credentialsPath, value, {
+      mode: CREDENTIALS_FILE_MODE,
       encoding: "utf8"
     });
   }
   async deleteAuthSecret() {
     try {
-      if (fs.existsSync(this.credentialsPath)) {
-        fs.unlinkSync(this.credentialsPath);
-      }
+      await fsPromises.unlink(this.credentialsPath);
     } catch (error) {
+      const nodeError = error;
+      if (nodeError.code === "ENOENT") {
+        return;
+      }
+      logger_1.Logger.getInstance().warn(`Failed to delete credentials at ${this.credentialsPath}: ${nodeError.message}`);
     }
   }
   getSendSourceCode() {
     const envValue = process.env.DATAFLINT_SEND_SOURCE_CODE;
     return (envValue == null ? void 0 : envValue.toLowerCase()) === "true";
   }
+  getM2MMode() {
+    return this.m2mMode;
+  }
+  getTenantId() {
+    return this.config.tenantId;
+  }
 };
 exports.StandaloneConfigService = StandaloneConfigService;
 //# sourceMappingURL=config.js.map