@deque/axe-auth 1.1.0-next.297e118f → 1.1.0-next.2d96b49c

package/credits.json

@@ -1,20 +1,20 @@
 {
-  "@napi-rs/keyring@1.2.0": {
+  "@napi-rs/keyring@1.3.0": {
     "name": "@napi-rs/keyring",
-    "version": "1.2.0",
+    "version": "1.3.0",
     "licenses": "MIT",
-    "path": "/home/runner/work/axe-mcp-server/axe-mcp-server/node_modules/.pnpm/@napi-rs+keyring@1.2.0/node_modules/@napi-rs/keyring",
+    "path": "/home/runner/work/axe-mcp-server/axe-mcp-server/node_modules/.pnpm/@napi-rs+keyring@1.3.0/node_modules/@napi-rs/keyring",
     "licenseText": "MIT License\n\nCopyright (c) 2020 N-API for Rust\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n",
-    "licenseFile": "/home/runner/work/axe-mcp-server/axe-mcp-server/node_modules/.pnpm/@napi-rs+keyring@1.2.0/node_modules/@napi-rs/keyring/LICENSE",
+    "licenseFile": "/home/runner/work/axe-mcp-server/axe-mcp-server/node_modules/.pnpm/@napi-rs+keyring@1.3.0/node_modules/@napi-rs/keyring/LICENSE",
     "copyright": "Copyright (c) 2020 N-API for Rust"
   },
-  "@napi-rs/keyring-linux-x64-gnu@1.2.0": {
+  "@napi-rs/keyring-linux-x64-gnu@1.3.0": {
     "name": "@napi-rs/keyring-linux-x64-gnu",
-    "version": "1.2.0",
+    "version": "1.3.0",
     "licenses": "MIT",
-    "path": "/home/runner/work/axe-mcp-server/axe-mcp-server/node_modules/.pnpm/@napi-rs+keyring-linux-x64-gnu@1.2.0/node_modules/@napi-rs/keyring-linux-x64-gnu",
+    "path": "/home/runner/work/axe-mcp-server/axe-mcp-server/node_modules/.pnpm/@napi-rs+keyring-linux-x64-gnu@1.3.0/node_modules/@napi-rs/keyring-linux-x64-gnu",
     "licenseText": "# `@napi-rs/keyring-linux-x64-gnu`\n\nThis is the **x86_64-unknown-linux-gnu** binary for `@napi-rs/keyring`\n",
-    "licenseFile": "/home/runner/work/axe-mcp-server/axe-mcp-server/node_modules/.pnpm/@napi-rs+keyring-linux-x64-gnu@1.2.0/node_modules/@napi-rs/keyring-linux-x64-gnu/README.md"
+    "licenseFile": "/home/runner/work/axe-mcp-server/axe-mcp-server/node_modules/.pnpm/@napi-rs+keyring-linux-x64-gnu@1.3.0/node_modules/@napi-rs/keyring-linux-x64-gnu/README.md"
   },
   "remove-trailing-slash@0.1.1": {
     "name": "remove-trailing-slash",

package/dist/cli/safeExit.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Force-exit the process to avoid hanging on open connections.
+ *
+ * On Windows, briefly yield first so undici can finish closing pending sockets;
+ * otherwise the process aborts with a libuv UV_HANDLE_CLOSING assertion in
+ * `src\win\async.c`. See https://github.com/nodejs/node/issues/56645.
+ */
+export declare function safeExit(code: number): Promise<never>;

package/dist/cli/safeExit.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.safeExit = safeExit;
+/**
+ * Force-exit the process to avoid hanging on open connections.
+ *
+ * On Windows, briefly yield first so undici can finish closing pending sockets;
+ * otherwise the process aborts with a libuv UV_HANDLE_CLOSING assertion in
+ * `src\win\async.c`. See https://github.com/nodejs/node/issues/56645.
+ */
+async function safeExit(code) {
+    if (process.platform === "win32") {
+        await new Promise((resolve) => setTimeout(resolve, 100));
+    }
+    process.exit(code);
+}

package/dist/commands/login.js

@@ -88,7 +88,7 @@ const loginCommand = {
                 scopes: ["offline_access"],
                 allowInsecureIssuer: args.allowInsecureIssuer,
                 tokenStore,
-                onAuthorizationUrl: (url) => {
+                onAuthorizationURL: (url) => {
                     deps.stderr.write(`Authorization URL: ${url}\n`);
                 },
                 onWarning: (msg) => {

package/dist/index.js

@@ -13,6 +13,7 @@ const login_1 = __importDefault(require("./commands/login"));
 const logout_1 = __importDefault(require("./commands/logout"));
 const token_1 = __importDefault(require("./commands/token"));
 const errors_1 = require("./cli/errors");
+const safeExit_1 = require("./cli/safeExit");
 const pkg = JSON.parse((0, node_fs_1.readFileSync)((0, node_path_1.join)(__dirname, "..", "package.json"), "utf-8"));
 const COMMANDS = [
     login_1.default,
@@ -126,7 +127,7 @@ async function dispatch(argv) {
         return 2;
     }
 }
-dispatch(process.argv.slice(2)).then((code) => process.exit(code), (err) => {
+dispatch(process.argv.slice(2)).then((code) => (0, safeExit_1.safeExit)(code), (err) => {
     process.stderr.write(`${err instanceof Error ? (err.stack ?? err.message) : String(err)}\n`);
-    process.exit(1);
+    return (0, safeExit_1.safeExit)(1);
 });

package/dist/oauth/authorizationURL.d.ts

@@ -5,7 +5,7 @@ export interface BuildAuthorizationURLOptions {
     /** OAuth client identifier registered with the authorization server. */
     clientId: string;
     /** Loopback redirect URI the callback server is listening on. */
-    redirectUri: string;
+    redirectURI: string;
     /** PKCE `code_challenge` derived via S256. */
     codeChallenge: string;
     /** CSRF `state` value, echoed by the auth server and validated on callback. */

package/dist/oauth/authorizationURL.js

@@ -39,7 +39,7 @@ function buildAuthorizationURL(options) {
     // `set` just reads more conventionally.
     url.searchParams.set("response_type", "code");
     url.searchParams.set("client_id", options.clientId);
-    url.searchParams.set("redirect_uri", options.redirectUri);
+    url.searchParams.set("redirect_uri", options.redirectURI);
     url.searchParams.set("code_challenge", options.codeChallenge);
     url.searchParams.set("code_challenge_method", "S256");
     url.searchParams.set("state", options.state);

package/dist/oauth/authorize.d.ts

@@ -19,7 +19,7 @@ export interface AuthorizeOptions {
     /** Override for the system browser launcher. Injected for tests. */
     openBrowser?: (url: string) => void;
     /** Called with the authorization URL just before the browser launch. Default prints to stderr only when stderr is a TTY. */
-    onAuthorizationUrl?: (url: string) => void;
+    onAuthorizationURL?: (url: string) => void;
     /**
      * Called for soft warnings (e.g. requested `offline_access` but the
      * server returned no refresh token, or the browser failed to

package/dist/oauth/authorize.js

@@ -9,7 +9,7 @@ const openBrowser_1 = require("./openBrowser");
 const tokenExchange_1 = require("./tokenExchange");
 const tokenStore_1 = require("./tokenStore");
 const errors_1 = require("./errors");
-function defaultOnAuthorizationUrl(url) {
+function defaultOnAuthorizationURL(url) {
     if (process.stderr.isTTY) {
         console.error(`Authorization URL: ${url}`);
     }
@@ -38,7 +38,7 @@ function defaultOnWarning(message) {
  * @throws {OAuthCallbackError} For loopback/callback-server failures.
  */
 async function authorize(options) {
-    const { issuerURL, clientId, walnutURL, scopes, timeoutMs, signal, tokenStore = new tokenStore_1.KeyringTokenStore(), openBrowser = openBrowser_1.openBrowser, onAuthorizationUrl = defaultOnAuthorizationUrl, onWarning = defaultOnWarning, allowInsecureIssuer, } = options;
+    const { issuerURL, clientId, walnutURL, scopes, timeoutMs, signal, tokenStore = new tokenStore_1.KeyringTokenStore(), openBrowser = openBrowser_1.openBrowser, onAuthorizationURL = defaultOnAuthorizationURL, onWarning = defaultOnWarning, allowInsecureIssuer, } = options;
     // Discovery before browser-launch so a bad URL surfaces as a
     // throw rather than a wrong/unreachable browser tab.
     const config = await (0, discoverOIDC_1.discoverOIDC)(issuerURL, {
@@ -57,7 +57,7 @@ async function authorize(options) {
         const authURL = (0, authorizationURL_1.buildAuthorizationURL)({
             authorizationEndpoint: config.authorizationEndpoint,
             clientId,
-            redirectUri: callback.redirectUri,
+            redirectURI: callback.redirectURI,
             codeChallenge,
             state,
             scopes,
@@ -65,13 +65,13 @@ async function authorize(options) {
         // Surface before launch so the URL is always visible even if the
         // browser spawn fails (or never does anything useful, e.g. on a
         // headless box).
-        onAuthorizationUrl(authURL);
+        onAuthorizationURL(authURL);
         try {
             openBrowser(authURL);
         }
         catch (err) {
             // Only swallow the "could not launch browser" case: the URL was
-            // already surfaced via onAuthorizationUrl so the user can
+            // already surfaced via onAuthorizationURL so the user can
             // complete the flow manually. Any other error (a bug in an
             // injected openBrowser, an unexpected throw) must propagate so
             // callers and tests can see it.
@@ -89,7 +89,7 @@ async function authorize(options) {
             clientId,
             code,
             codeVerifier,
-            redirectUri: callback.redirectUri,
+            redirectURI: callback.redirectURI,
             signal,
         });
         // If the caller requested offline_access but no refresh_token

package/dist/oauth/callbackServer.d.ts

@@ -1,23 +1,34 @@
 import { IncomingMessage, Server, ServerResponse } from "node:http";
-export type CallbackServerOptions = {
+/** Configures the loopback callback server. */
+export interface CallbackServerOptions {
     expectedState: string;
     timeoutMs?: number;
     signal?: AbortSignal;
-};
-export type CallbackResult = {
+}
+/** Authorization-code and state pair captured from a successful redirect. */
+export interface CallbackResult {
     code: string;
     state: string;
-};
-export type CallbackServerHandle = {
-    redirectUri: string;
+}
+/** Live handle to a running callback server. */
+export interface CallbackServerHandle {
+    redirectURI: string;
     result: Promise<CallbackResult>;
     close: () => Promise<void>;
-};
+}
 type RequestHandler = (req: IncomingMessage, res: ServerResponse) => void;
 type LoopbackListener = (handler: RequestHandler, host: string) => Promise<Server>;
-export declare const bindLoopback: (handler: RequestHandler, listenFn?: LoopbackListener) => Promise<{
+/**
+ * Binds an HTTP server to the loopback interface, preferring IPv4.
+ *
+ * RFC 8252 §7.3: "use whichever is available". Prefer IPv4; fall back to
+ * IPv6 only when the IPv4 loopback isn't configured on this host. `listenFn`
+ * is an injection seam for tests — production callers use the default.
+ */
+export declare function bindLoopback(handler: RequestHandler, listenFn?: LoopbackListener): Promise<{
     server: Server;
     host: "127.0.0.1" | "::1";
 }>;
-export declare const startCallbackServer: (opts: CallbackServerOptions) => Promise<CallbackServerHandle>;
+/** Starts a loopback HTTP server that captures the OAuth redirect. */
+export declare function startCallbackServer(opts: CallbackServerOptions): Promise<CallbackServerHandle>;
 export {};

package/dist/oauth/callbackServer.js

@@ -1,13 +1,16 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.startCallbackServer = exports.bindLoopback = void 0;
+exports.bindLoopback = bindLoopback;
+exports.startCallbackServer = startCallbackServer;
 const node_events_1 = require("node:events");
 const node_http_1 = require("node:http");
 const errors_1 = require("./errors");
-const renderHtml_1 = require("./renderHtml");
+const renderHTML_1 = require("./renderHTML");
 const DEFAULT_TIMEOUT_MS = 120_000;
 const LOOPBACK_ADDRESSES = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);
-const isLoopback = (addr) => !!addr && LOOPBACK_ADDRESSES.has(addr);
+function isLoopback(addr) {
+    return !!addr && LOOPBACK_ADDRESSES.has(addr);
+}
 // Errors from bind(2) that mean "this address family isn't configured on this
 // host" — the signal to fall back to the other loopback family rather than
 // fail the caller.
@@ -19,10 +22,14 @@ const listen = async (handler, host) => {
     await (0, node_events_1.once)(server, "listening");
     return server;
 };
-// RFC 8252 §7.3: "use whichever is available". Prefer IPv4; fall back to
-// IPv6 only when the IPv4 loopback isn't configured on this host. `listenFn`
-// is an injection seam for tests — production callers use the default.
-const bindLoopback = async (handler, listenFn = listen) => {
+/**
+ * Binds an HTTP server to the loopback interface, preferring IPv4.
+ *
+ * RFC 8252 §7.3: "use whichever is available". Prefer IPv4; fall back to
+ * IPv6 only when the IPv4 loopback isn't configured on this host. `listenFn`
+ * is an injection seam for tests — production callers use the default.
+ */
+async function bindLoopback(handler, listenFn = listen) {
     try {
         return {
             server: await listenFn(handler, "127.0.0.1"),
@@ -44,32 +51,32 @@ const bindLoopback = async (handler, listenFn = listen) => {
             throw new errors_1.OAuthCallbackError("BIND_FAILED", `Failed to bind loopback server on 127.0.0.1 (${code}) and [::1]: ${ipv6Err.message}`, { cause: ipv6Err });
         }
     }
-};
-exports.bindLoopback = bindLoopback;
-const closeServer = async (server) => {
+}
+async function closeServer(server) {
     if (!server.listening)
         return;
     server.close();
     server.closeAllConnections?.();
     await (0, node_events_1.once)(server, "close");
-};
-const writeHtml = (res, status, html) => {
+}
+function writeHTML(res, status, html) {
     res.writeHead(status, {
         "Content-Type": "text/html; charset=utf-8",
-        "Content-Security-Policy": renderHtml_1.CSP_HEADER,
+        "Content-Security-Policy": renderHTML_1.CSP_HEADER,
         "X-Content-Type-Options": "nosniff",
     });
     res.end(html);
-};
-const writeText = (res, status, body, extraHeaders = {}) => {
+}
+function writeText(res, status, body, extraHeaders = {}) {
     res.writeHead(status, {
         "Content-Type": "text/plain; charset=utf-8",
         "X-Content-Type-Options": "nosniff",
         ...extraHeaders,
     });
     res.end(body + "\n");
-};
-const startCallbackServer = async (opts) => {
+}
+/** Starts a loopback HTTP server that captures the OAuth redirect. */
+async function startCallbackServer(opts) {
     const { expectedState, timeoutMs = DEFAULT_TIMEOUT_MS, signal } = opts;
     if (!Number.isFinite(timeoutMs) || timeoutMs <= 0) {
         throw new TypeError(`timeoutMs must be a positive finite number (received ${timeoutMs}).`);
@@ -164,7 +171,7 @@ const startCallbackServer = async (opts) => {
         // up front means once we start composing the response, no concurrent
         // settlement (timer/abort) can race us into a dropped connection.
         if (!tryConsume()) {
-            writeHtml(res, 409, (0, renderHtml_1.renderHtml)({
+            writeHTML(res, 409, (0, renderHTML_1.renderHTML)({
                 kind: "error",
                 reason: "This callback server has already handled a response.",
             }));
@@ -179,7 +186,7 @@ const startCallbackServer = async (opts) => {
                     : { error: providerError },
             });
             deferSettleOnClose(res, () => rejectResult(error));
-            writeHtml(res, 400, (0, renderHtml_1.renderHtml)({
+            writeHTML(res, 400, (0, renderHTML_1.renderHTML)({
                 kind: "error",
                 reason: providerError,
                 description,
@@ -191,7 +198,7 @@ const startCallbackServer = async (opts) => {
         if (!code) {
             const error = new errors_1.OAuthCallbackError("MISSING_CODE", "Authorization response missing 'code' parameter.");
             deferSettleOnClose(res, () => rejectResult(error));
-            writeHtml(res, 400, (0, renderHtml_1.renderHtml)({
+            writeHTML(res, 400, (0, renderHTML_1.renderHTML)({
                 kind: "error",
                 reason: "The authorization response was missing the 'code' parameter.",
             }));
@@ -200,19 +207,19 @@ const startCallbackServer = async (opts) => {
         if (state !== expectedState) {
             const error = new errors_1.OAuthCallbackError("STATE_MISMATCH", "Authorization response 'state' did not match expected value.");
             deferSettleOnClose(res, () => rejectResult(error));
-            writeHtml(res, 400, (0, renderHtml_1.renderHtml)({
+            writeHTML(res, 400, (0, renderHTML_1.renderHTML)({
                 kind: "error",
                 reason: "The authorization response failed state validation.",
             }));
             return;
         }
         deferSettleOnClose(res, () => resolveResult({ code, state }));
-        writeHtml(res, 200, (0, renderHtml_1.renderHtml)({ kind: "success" }));
+        writeHTML(res, 200, (0, renderHTML_1.renderHTML)({ kind: "success" }));
     };
-    const bound = await (0, exports.bindLoopback)(handler);
+    const bound = await bindLoopback(handler);
     server = bound.server;
     const port = server.address().port;
-    const redirectUri = bound.host === "::1"
+    const redirectURI = bound.host === "::1"
         ? `http://[::1]:${port}/callback`
         : `http://127.0.0.1:${port}/callback`;
     timeoutHandle = setTimeout(() => {
@@ -229,6 +236,5 @@ const startCallbackServer = async (opts) => {
             signal.addEventListener("abort", abortListener, { once: true });
         }
     }
-    return { redirectUri, result, close };
-};
-exports.startCallbackServer = startCallbackServer;
+    return { redirectURI, result, close };
+}

package/dist/oauth/openBrowser.js

@@ -45,7 +45,7 @@ function browserCommand(platform, url, browserOverride) {
             // module deliberately swallows (see `child.once("error", ...)`
             // below); `BROWSER_LAUNCH_FAILED` is only raised for synchronous
             // `spawn()` throws. The caller's fallback is the URL already
-            // surfaced via `onAuthorizationUrl` so the user can finish the
+            // surfaced via `onAuthorizationURL` so the user can finish the
             // flow manually.
             return { command: "xdg-open", args: [url] };
     }

package/dist/oauth/refreshTokens.js

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.refreshTokens = refreshTokens;
 const errors_1 = require("./errors");
+const retry_1 = require("./retry");
 const tokenResponse_1 = require("./tokenResponse");
 const userAgent_1 = require("../userAgent");
 /**
@@ -31,11 +32,11 @@ async function refreshTokens(options) {
         grant_type: "refresh_token",
         client_id: options.clientId,
         refresh_token: options.refreshToken,
-    });
+    }).toString();
     const issuedAt = now();
     let response;
     try {
-        response = await fetch(options.tokenEndpoint, {
+        response = await (0, retry_1.fetchWithRetry)(options.tokenEndpoint, {
             method: "POST",
             headers: {
                 "Content-Type": "application/x-www-form-urlencoded",

package/dist/oauth/renderHTML.d.ts

@@ -0,0 +1,12 @@
+/** Discriminates the success vs. error variant of the callback page. */
+export type HTMLInput = {
+    kind: "success";
+} | {
+    kind: "error";
+    reason: string;
+    description?: string;
+};
+/** Content-Security-Policy header value sent with every callback page. */
+export declare const CSP_HEADER: string;
+/** Renders the loopback callback page shown in the user's browser. */
+export declare function renderHTML(input: HTMLInput): string;

package/dist/oauth/{renderHtml.js → renderHTML.js}

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.renderHtml = exports.CSP_HEADER = void 0;
+exports.CSP_HEADER = void 0;
+exports.renderHTML = renderHTML;
 const node_crypto_1 = require("node:crypto");
 const logo_generated_1 = require("./logo.generated");
 const CSS = `:root{--off-black:#666;--off-white:#fdfdfe;--white:#fff;--pink:#d71ef7;--blue:#3c7aae;--space-small:12px;--space-medium:24px;--space-large:36px;--space-huge:48px;--border-radius:3px}
@@ -19,17 +20,21 @@ main{margin:var(--space-huge) auto;padding-left:var(--space-medium);padding-righ
 // 'unsafe-inline'. Any drift between this digest and the rendered <style> tag
 // causes the browser to refuse the stylesheet — see docs/callback-page.md.
 const STYLE_HASH = (0, node_crypto_1.createHash)("sha256").update(CSS, "utf8").digest("base64");
+/** Content-Security-Policy header value sent with every callback page. */
 exports.CSP_HEADER = `default-src 'none'; img-src data:; style-src 'sha256-${STYLE_HASH}'; frame-ancestors 'none'`;
 // OWASP-recommended 5-character set for HTML body/attribute contexts;
 // & must come first to avoid double-escaping. Not safe for JS/CSS/URL contexts.
 // https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-for-html-contexts
-const escape = (s) => s
-    .replace(/&/g, "&amp;")
-    .replace(/</g, "&lt;")
-    .replace(/>/g, "&gt;")
-    .replace(/"/g, "&quot;")
-    .replace(/'/g, "&#39;");
-const page = (title, body) => `<!doctype html>
+function escape(s) {
+    return s
+        .replace(/&/g, "&amp;")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;")
+        .replace(/'/g, "&#39;");
+}
+function page(title, body) {
+    return `<!doctype html>
 <html lang="en">
 <head>
 <meta charset="UTF-8">
@@ -44,7 +49,9 @@ ${body}
 </main>
 </body>
 </html>`;
-const renderHtml = (input) => {
+}
+/** Renders the loopback callback page shown in the user's browser. */
+function renderHTML(input) {
     if (input.kind === "success") {
         return page("Authenticated", `<h1>Authenticated</h1>
 <p class="close">You can close this tab and return to your terminal.</p>`);
@@ -56,5 +63,4 @@ const renderHtml = (input) => {
 <p class="reason">${escape(input.reason)}</p>
 ${descriptionBlock}
 <p class="close">You can close this tab and return to your terminal.</p>`);
-};
-exports.renderHtml = renderHtml;
+}

package/dist/oauth/retry.d.ts

@@ -0,0 +1,2 @@
+/** Wraps `fetch` with bounded retries on transient connection errors. */
+export declare function fetchWithRetry(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;

package/dist/oauth/retry.js

@@ -0,0 +1,50 @@
+"use strict";
+// undici's `RetryAgent` cannot retry POSTs through `fetch()` — its retry
+// handler aborts once the fetch ReadableStream body is consumed. Re-invoking
+// `fetch()` per attempt with a string body sidesteps that. POST replay is
+// safe for our OAuth endpoints by spec: single-use codes (RFC 6749 §4.1.2),
+// refresh requests that never reached the server (§6), no-op revocation
+// (RFC 7009 §2.2).
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fetchWithRetry = fetchWithRetry;
+const promises_1 = require("node:timers/promises");
+const MAX_RETRIES = 3;
+const CONNECTION_ERROR_CODES = new Set([
+    "ECONNRESET",
+    "ECONNREFUSED",
+    "ENOTFOUND",
+    "ENETDOWN",
+    "ENETUNREACH",
+    "EHOSTDOWN",
+    "UND_ERR_SOCKET",
+]);
+function isConnectionError(err) {
+    const seen = new Set();
+    let current = err;
+    while (current && typeof current === "object" && !seen.has(current)) {
+        seen.add(current);
+        const e = current;
+        if (typeof e.code === "string" && CONNECTION_ERROR_CODES.has(e.code)) {
+            return true;
+        }
+        current = e.cause;
+    }
+    return false;
+}
+/** Wraps `fetch` with bounded retries on transient connection errors. */
+async function fetchWithRetry(input, init) {
+    for (let attempt = 0;; attempt++) {
+        try {
+            return await fetch(input, init);
+        }
+        catch (err) {
+            if (attempt >= MAX_RETRIES || !isConnectionError(err)) {
+                throw err;
+            }
+            // Exponential backoff: 500ms, 1s, 2s, capped at 30s.
+            // `sleep` honors `init.signal` so an aborted request interrupts the wait.
+            const delay = Math.min(500 * Math.pow(2, attempt), 30_000);
+            await (0, promises_1.setTimeout)(delay, undefined, { signal: init?.signal ?? undefined });
+        }
+    }
+}

package/dist/oauth/revokeToken.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.revokeRefreshToken = revokeRefreshToken;
+const retry_1 = require("./retry");
 const userAgent_1 = require("../userAgent");
 /**
  * Revokes a refresh token via RFC 7009. Servers SHOULD return 200
@@ -23,10 +24,10 @@ async function revokeRefreshToken(options) {
         token: options.refreshToken,
         token_type_hint: "refresh_token",
         client_id: options.clientId,
-    });
+    }).toString();
     let response;
     try {
-        response = await fetch(options.revocationEndpoint, {
+        response = await (0, retry_1.fetchWithRetry)(options.revocationEndpoint, {
             method: "POST",
             headers: {
                 "Content-Type": "application/x-www-form-urlencoded",

package/dist/oauth/tokenExchange.d.ts

@@ -10,7 +10,7 @@ export interface ExchangeCodeForTokensOptions {
     /** PKCE verifier paired with the `code_challenge` sent at auth time. */
     codeVerifier: string;
     /** Redirect URI originally sent to the authorization endpoint. */
-    redirectUri: string;
+    redirectURI: string;
     /** Source of `now`. Injected for test determinism; defaults to `Date.now`. */
     now?: () => number;
     /** Aborts the underlying fetch when fired. */

package/dist/oauth/tokenExchange.js

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.exchangeCodeForTokens = exchangeCodeForTokens;
 const errors_1 = require("./errors");
+const retry_1 = require("./retry");
 const tokenResponse_1 = require("./tokenResponse");
 const userAgent_1 = require("../userAgent");
 /**
@@ -18,12 +19,12 @@ async function exchangeCodeForTokens(options) {
         client_id: options.clientId,
         code: options.code,
         code_verifier: options.codeVerifier,
-        redirect_uri: options.redirectUri,
-    });
+        redirect_uri: options.redirectURI,
+    }).toString();
     const issuedAt = now();
     let response;
     try {
-        response = await fetch(options.tokenEndpoint, {
+        response = await (0, retry_1.fetchWithRetry)(options.tokenEndpoint, {
             method: "POST",
             headers: {
                 "Content-Type": "application/x-www-form-urlencoded",

package/dist/oauth/tokenStore.d.ts

@@ -2,8 +2,11 @@ import { type KeyringEntryFactory } from "./keyringBinding";
 import type { TokenSet } from "./tokenResponse";
 /**
  * Whether `KeyringTokenStore` should split the stored blob across
- * multiple keychain entries on this platform. Windows-only because of
- * Credential Manager's 2560 UTF-16 character per-entry cap. Exported
+ * multiple keychain entries on this platform. Windows-only: Credential
+ * Manager has a 2560-byte per-entry cap that large OAuth tokens
+ * routinely exceed. macOS Keychain and Linux libsecret have no
+ * comparable limit, and on macOS each entry is independently lockable
+ * (chunking there would multiply per-entry ACL prompts). Exported
  * (parameterized for tests) so the chunking path can be exercised
  * deterministically.
  */
@@ -109,28 +112,13 @@ export type BlobChainResult = {
  */
 export declare function parseAndMigrateBlob(raw: string | null, expectedVersion?: number, migrators?: ReadonlyMap<number, (old: unknown) => unknown | null>): BlobChainResult;
 /**
- * Builds the user-facing keychain error message. Platform is a
- * parameter (defaulting to `process.platform`) so tests can drive each
- * branch without mocking the runtime; mirrors the pattern in
+ * Builds the user-facing keychain error message: the underlying
+ * cause's text plus a per-platform hint. Platform is a parameter
+ * (defaulting to `process.platform`) so tests can drive each branch
+ * without mocking the runtime; mirrors the pattern in
  * `platformKeyringHint`.
- *
- * The Windows-specific size-limit message is only used when the
- * underlying error matches the binding's "longer than the platform
- * limit" wording AND the runtime is win32 — that combination is the
- * only way the size cap actually manifests in practice. On other
- * platforms (or for any other binding error) we fall back to the
- * generic per-platform hint.
  */
 export declare function keyringErrorMessage(op: string, cause: unknown, platform?: NodeJS.Platform): string;
-/**
- * Detects the `@napi-rs/keyring` error string for "value too large".
- * In practice only Windows Credential Manager triggers this — its
- * stored values are capped at 2560 UTF-16 chars; macOS Keychain and
- * Linux libsecret have no comparable limit. Exported (but not
- * re-exported from the package index) so tests can exercise the
- * detector independently of the wrap path.
- */
-export declare function isKeyringSizeError(cause: unknown): boolean;
 /**
  * Returns a per-platform hint appended to keychain error messages so
  * users see actionable guidance for their OS instead of generic or
@@ -145,8 +133,8 @@ export declare function platformKeyringHint(platform?: NodeJS.Platform): string;
  * Secret Service). On macOS and Linux the blob lives in a single entry
  * keyed by the fixed `credentials` account name. On Windows the blob
  * is split across `credentials.0`, `credentials.1`, … entries to fit
- * under Credential Manager's 2560 UTF-16 character per-entry cap; see
- * `shouldChunkForKeyring`.
+ * under Credential Manager's 2560-byte (1280 UTF-16 char) per-entry
+ * cap; see `shouldChunkForKeyring`.
  *
  * The blob carries its own issuer/client coordinates so verbs can
  * recover full config without per-issuer keying.

package/dist/oauth/tokenStore.js

@@ -4,34 +4,41 @@ exports.KeyringTokenStore = exports.STORED_BLOB_VERSION = void 0;
 exports.shouldChunkForKeyring = shouldChunkForKeyring;
 exports.parseAndMigrateBlob = parseAndMigrateBlob;
 exports.keyringErrorMessage = keyringErrorMessage;
-exports.isKeyringSizeError = isKeyringSizeError;
 exports.platformKeyringHint = platformKeyringHint;
 exports.chunkBlobForKeyring = chunkBlobForKeyring;
 const errors_1 = require("./errors");
 const keyringBinding_1 = require("./keyringBinding");
 const SERVICE_NAME = "axe-auth";
-// On Windows the blob is base64-encoded and split across
-// `credentials.0`, `credentials.1`, … entries (see `CHUNK_LIMIT`); a
-// Windows dev inspecting Credential Manager will see opaque base64.
+/**
+ * Keychain account identifier. On macOS/Linux the entire blob lives at
+ * this single account. On Windows the blob is base64-encoded and split
+ * across `credentials.0`, `credentials.1`, … entries (see `CHUNK_LIMIT`),
+ * so a Windows dev inspecting Credential Manager will see opaque base64.
+ */
 const ACCOUNT_NAME = "credentials";
-// Windows Credential Manager caps stored values at 2560 UTF-16 code
-// units, which large OAuth access-token JWTs (many groups/roles
-// claims) routinely exceed. On Windows we work around this by
-// splitting the JSON blob across multiple entries with account names
-// `credentials.0`, `credentials.1`, … . `CHUNK_LIMIT` leaves margin
-// under the platform cap; `MAX_CHUNKS` is a safety bound — we should
-// never get close in practice, even with maximally-claimed tokens.
-//
-// macOS Keychain and Linux libsecret have no comparable limit, so
-// chunking there would just multiply per-entry ACL prompts (each
-// keychain entry is independently lockable on macOS) for no gain.
-// Chunking is therefore Windows-only, gated by `shouldChunkForKeyring`.
-const CHUNK_LIMIT = 2500;
+/**
+ * Max JS string length per chunk. The limit applies to the full chunk
+ * including chunk 0's `<N>\n` count header, so chunk 0's data slice is
+ * `CHUNK_LIMIT - headerLen`. Windows Credential Manager's per-entry
+ * cap is `CRED_MAX_CREDENTIAL_BLOB_SIZE = 2560` bytes, and the
+ * `@napi-rs/keyring` Windows backend stores strings as UTF-16 (2 bytes
+ * per char), so 1250 chars = 2500 bytes stays safely under the cap.
+ */
+const CHUNK_LIMIT = 1250;
+/**
+ * Cap on chunks per stored blob. A request that would exceed this
+ * raises `TOKEN_TOO_LARGE` so an IDP issuing tokens with extraordinary
+ * claim counts fails with a clear error instead of silently consuming
+ * dozens of keychain entries.
+ */
 const MAX_CHUNKS = 32;
 /**
  * Whether `KeyringTokenStore` should split the stored blob across
- * multiple keychain entries on this platform. Windows-only because of
- * Credential Manager's 2560 UTF-16 character per-entry cap. Exported
+ * multiple keychain entries on this platform. Windows-only: Credential
+ * Manager has a 2560-byte per-entry cap that large OAuth tokens
+ * routinely exceed. macOS Keychain and Linux libsecret have no
+ * comparable limit, and on macOS each entry is independently lockable
+ * (chunking there would multiply per-entry ACL prompts). Exported
  * (parameterized for tests) so the chunking path can be exercised
  * deterministically.
  */
@@ -180,38 +187,16 @@ function wrapKeyringError(op, cause) {
     });
 }
 /**
- * Builds the user-facing keychain error message. Platform is a
- * parameter (defaulting to `process.platform`) so tests can drive each
- * branch without mocking the runtime; mirrors the pattern in
+ * Builds the user-facing keychain error message: the underlying
+ * cause's text plus a per-platform hint. Platform is a parameter
+ * (defaulting to `process.platform`) so tests can drive each branch
+ * without mocking the runtime; mirrors the pattern in
  * `platformKeyringHint`.
- *
- * The Windows-specific size-limit message is only used when the
- * underlying error matches the binding's "longer than the platform
- * limit" wording AND the runtime is win32 — that combination is the
- * only way the size cap actually manifests in practice. On other
- * platforms (or for any other binding error) we fall back to the
- * generic per-platform hint.
  */
 function keyringErrorMessage(op, cause, platform = process.platform) {
-    if (platform === "win32" && isKeyringSizeError(cause)) {
-        return `System keychain ${op} failed: Windows Credential Manager limits stored values to 2560 UTF-16 characters. Large OAuth access-token JWTs (many groups/roles claims) commonly exceed this.`;
-    }
     const causeMessage = cause instanceof Error ? cause.message : String(cause);
     return `System keychain ${op} failed: ${causeMessage}. ${platformKeyringHint(platform)}`;
 }
-/**
- * Detects the `@napi-rs/keyring` error string for "value too large".
- * In practice only Windows Credential Manager triggers this — its
- * stored values are capped at 2560 UTF-16 chars; macOS Keychain and
- * Linux libsecret have no comparable limit. Exported (but not
- * re-exported from the package index) so tests can exercise the
- * detector independently of the wrap path.
- */
-function isKeyringSizeError(cause) {
-    if (!(cause instanceof Error))
-        return false;
-    return /longer than the platform limit/.test(cause.message);
-}
 /**
  * Returns a per-platform hint appended to keychain error messages so
  * users see actionable guidance for their OS instead of generic or
@@ -259,8 +244,8 @@ function parseChunkHeader(first) {
  * Secret Service). On macOS and Linux the blob lives in a single entry
  * keyed by the fixed `credentials` account name. On Windows the blob
  * is split across `credentials.0`, `credentials.1`, … entries to fit
- * under Credential Manager's 2560 UTF-16 character per-entry cap; see
- * `shouldChunkForKeyring`.
+ * under Credential Manager's 2560-byte (1280 UTF-16 char) per-entry
+ * cap; see `shouldChunkForKeyring`.
  *
  * The blob carries its own issuer/client coordinates so verbs can
  * recover full config without per-issuer keying.

package/docs/callback-page.md

@@ -1,6 +1,6 @@
 # Callback response page
 
-The HTML the browser renders after Keycloak redirects to the loopback URL, produced by `src/oauth/renderHtml.ts`.
+The HTML the browser renders after Keycloak redirects to the loopback URL, produced by `src/oauth/renderHTML.ts`.
 
 ## Approach
 
@@ -17,7 +17,7 @@ Content-Security-Policy: default-src 'none'; img-src data:; style-src 'sha256-<d
 X-Content-Type-Options: nosniff
 ```
 
-`default-src 'none'` blocks everything by default. `img-src data:` allows only the inlined logo. `style-src 'sha256-...'` allows only a `<style>` block whose contents match a digest computed at module load — stricter than `'unsafe-inline'`, and any drift between the rendered CSS and the committed hash causes the browser to refuse the stylesheet. Inline `style=""` attributes are avoided entirely (they require separate `style-src-attr` / `'unsafe-hashes'` machinery). The `renderHtml` test suite asserts the hash matches the rendered `<style>` contents to prevent silent drift.
+`default-src 'none'` blocks everything by default. `img-src data:` allows only the inlined logo. `style-src 'sha256-...'` allows only a `<style>` block whose contents match a digest computed at module load — stricter than `'unsafe-inline'`, and any drift between the rendered CSS and the committed hash causes the browser to refuse the stylesheet. Inline `style=""` attributes are avoided entirely (they require separate `style-src-attr` / `'unsafe-hashes'` machinery). The `renderHTML` test suite asserts the hash matches the rendered `<style>` contents to prevent silent drift.
 
 **Auth code not echoed.** The success page deliberately does not render the received `code` in the HTML (RFC 8252 §8.1 interception mitigation).
 

package/docs/callback-server.md

@@ -4,7 +4,7 @@ The loopback HTTP listener that receives the OAuth authorization code redirect,
 
 ## Loopback bind
 
-RFC 8252 §7.3 says clients SHOULD NOT assume a particular IP version is available and RECOMMENDS trying both. Implementation: bind `127.0.0.1` on an ephemeral port; on `EAFNOSUPPORT` / `EADDRNOTAVAIL` (no IPv4 loopback configured on this host) fall back to `[::1]` on a fresh ephemeral port. The returned `redirectUri` uses whichever literal actually got bound, so the browser connects to exactly what the authorization server redirects it to — no reliance on `localhost` DNS resolution.
+RFC 8252 §7.3 says clients SHOULD NOT assume a particular IP version is available and RECOMMENDS trying both. Implementation: bind `127.0.0.1` on an ephemeral port; on `EAFNOSUPPORT` / `EADDRNOTAVAIL` (no IPv4 loopback configured on this host) fall back to `[::1]` on a fresh ephemeral port. The returned `redirectURI` uses whichever literal actually got bound, so the browser connects to exactly what the authorization server redirects it to — no reliance on `localhost` DNS resolution.
 
 Request handling additionally rejects non-loopback `remoteAddress` values with `403` as defense in depth against DNS-rebinding-style pivots — the listener only binds to a loopback interface, but enforcing it at the handler costs nothing.
 

package/package.json

@@ -1,8 +1,15 @@
 {
   "name": "@deque/axe-auth",
-  "version": "1.1.0-next.297e118f",
+  "version": "1.1.0-next.2d96b49c",
   "description": "CLI authentication utility for Deque services",
   "license": "SEE LICENSE IN LICENSE",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/dequelabs/axe-mcp-server-public.git"
+  },
+  "bugs": {
+    "url": "https://github.com/dequelabs/axe-mcp-server-public/issues"
+  },
   "type": "commonjs",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -20,17 +27,17 @@
     "registry": "https://registry.npmjs.org/"
   },
   "engines": {
-    "node": ">=22.13.0"
+    "node": ">=24.11.0"
   },
   "dependencies": {
-    "@napi-rs/keyring": "^1.2.0",
+    "@napi-rs/keyring": "^1.3.0",
     "remove-trailing-slash": "^0.1.1",
     "shlex": "^3.0.0",
     "ts-dedent": "^2.2.0"
   },
   "devDependencies": {
     "@hono/node-server": "^1.19.14",
-    "@types/node": "^22.13.10",
+    "@types/node": "^24.0.0",
     "c8": "^10.1.3",
     "hono": "^4.12.16",
     "tsx": "^4.20.6",
@@ -38,7 +45,8 @@
   },
   "scripts": {
     "build": "tsc",
-    "test": "tsx --test 'src/**/*.test.ts'",
+    "typecheck:scripts": "tsc -p tsconfig.scripts.json",
+    "test": "tsx --test \"src/**/*.test.ts\"",
     "coverage": "c8 pnpm test",
     "register-dev-client": "tsx scripts/registerDevClient.ts",
     "smoke-authorize": "tsx scripts/smokeAuthorize.ts",

package/dist/oauth/renderHtml.d.ts

@@ -1,9 +0,0 @@
-export type HtmlInput = {
-    kind: "success";
-} | {
-    kind: "error";
-    reason: string;
-    description?: string;
-};
-export declare const CSP_HEADER: string;
-export declare const renderHtml: (input: HtmlInput) => string;