@deque/axe-auth 1.1.0-next.5c407e02 → 1.1.0-next.6820fe60

package/dist/index.js

@@ -1,47 +1,167 @@
 #!/usr/bin/env node
 "use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
-const node_util_1 = require("node:util");
 const node_fs_1 = require("node:fs");
 const node_path_1 = require("node:path");
+const node_util_1 = require("node:util");
+const ts_dedent_1 = require("ts-dedent");
+const commonArgs_1 = require("./cli/commonArgs");
+const tokenStore_1 = require("./oauth/tokenStore");
+const login_1 = __importDefault(require("./commands/login"));
+const logout_1 = __importDefault(require("./commands/logout"));
+const token_1 = __importDefault(require("./commands/token"));
+const errors_1 = require("./cli/errors");
 const pkg = JSON.parse((0, node_fs_1.readFileSync)((0, node_path_1.join)(__dirname, "..", "package.json"), "utf-8"));
-const helpText = `${pkg.name} v${pkg.version}
+// Iteration order is the order verbs appear in `axe-auth --help`.
+const COMMANDS = [
+    login_1.default,
+    logout_1.default,
+    token_1.default,
+];
+function findCommand(verb) {
+    return COMMANDS.find((c) => c.name === verb);
+}
+function topLevelHelp() {
+    const width = Math.max(...COMMANDS.map((c) => c.name.length));
+    const verbList = COMMANDS.map((c) => `  ${c.name.padEnd(width)}  ${c.summary}`).join("\n");
+    return `${pkg.name} v${pkg.version}
 
 ${pkg.description}
 
 Usage:
-  axe-auth [options]
+  axe-auth <command> [options]
+
+Commands:
+${verbList}
+
+Run \`axe-auth <command> --help\` for command-specific options.
 
-Options:
-  -v, --version  Show version number
-  -h, --help     Show this help message`;
-const main = async () => {
-    let values;
+Top-level options:
+  -v, --version  Show version number.
+  -h, --help     Show this help.`;
+}
+async function dispatch(argv) {
+    const [first, ...rest] = argv;
+    if (first === undefined || first === "-h" || first === "--help") {
+        process.stdout.write(`${topLevelHelp()}\n`);
+        return 0;
+    }
+    if (first === "-v" || first === "--version") {
+        process.stdout.write(`${pkg.version}\n`);
+        return 0;
+    }
+    if (first.startsWith("-")) {
+        process.stderr.write(`Unknown option: ${first}. Run \`axe-auth --help\` for usage.\n`);
+        return 2;
+    }
+    const command = findCommand(first);
+    if (!command) {
+        process.stderr.write(`Unknown command: ${first}. Run \`axe-auth --help\` for usage.\n`);
+        return 2;
+    }
+    let parsed;
     try {
-        ({ values } = (0, node_util_1.parseArgs)({
+        parsed = (0, node_util_1.parseArgs)({
+            args: rest,
             options: {
-                version: { type: "boolean", short: "v" },
+                ...commonArgs_1.COMMON_OPTIONS,
+                ...command.options,
                 help: { type: "boolean", short: "h" },
             },
             strict: true,
-        }));
+            allowPositionals: false,
+        });
     }
     catch (err) {
-        console.error(err.message);
-        return 1;
+        process.stderr.write(`${(0, errors_1.describeError)(err)}\n`);
+        return 2;
     }
-    if (values.version) {
-        console.log(pkg.version);
+    if (parsed.values.help) {
+        process.stdout.write(`${command.helpText}\n`);
         return 0;
     }
-    if (values.help) {
-        console.log(helpText);
+    // Best-effort load of the stored config — but only when at least
+    // one common field is unspecified. The dispatcher's fallback is
+    // all-or-nothing (parseCommonArgs ignores defaults if any flag/env
+    // is set), so a fully-flagged invocation gains nothing from a
+    // keychain hit on the hot path.
+    //
+    // The load failure isn't fatal on its own — if the user passed
+    // flags/env, the stored config doesn't matter — but if
+    // `parseCommonArgs` then throws `MissingConfigError`, we surface
+    // this failure alongside it so the user understands the keychain
+    // (not just missing flags) is the proximate cause.
+    let defaults = null;
+    let defaultLoadError = null;
+    let loadedEntry;
+    const commonValues = parsed.values;
+    const allFlagsPresent = Boolean(commonValues.server && commonValues.realm && commonValues["client-id"]);
+    if (!allFlagsPresent) {
+        try {
+            loadedEntry = await new tokenStore_1.KeyringTokenStore().load();
+            if (loadedEntry.ok) {
+                defaults = {
+                    issuerURL: loadedEntry.entry.issuerURL,
+                    clientId: loadedEntry.entry.clientId,
+                    allowInsecureIssuer: loadedEntry.entry.allowInsecureIssuer,
+                };
+            }
+        }
+        catch (err) {
+            defaultLoadError = err;
+        }
+    }
+    let common;
+    try {
+        common = (0, commonArgs_1.parseCommonArgs)(commonValues, process.env, defaults);
+    }
+    catch (err) {
+        if (err instanceof errors_1.MissingConfigError && !command.requiresConfig) {
+            // The verb operates on the stored entry alone (token,
+            // logout). It has its own handling for the empty / corrupt /
+            // version-mismatch cases, which is friendlier than the
+            // generic "missing required configuration" error
+            // (`No stored credentials. Run \`axe-auth login\` first.` for
+            // token; `Already logged out.` for logout). Pass a
+            // sentinel-empty CommonArgs so the verb runs and decides.
+            common = { issuerURL: "", clientId: "", allowInsecureIssuer: false };
+        }
+        else if (err instanceof errors_1.MissingConfigError && defaultLoadError !== null) {
+            process.stderr.write((0, ts_dedent_1.dedent) `
+        ${err.message}
+        Could not read the stored credentials from the keychain (${(0, errors_1.describeError)(defaultLoadError)});
+        pass the flags explicitly or fix the keychain.
+      ` + "\n");
+            return 2;
+        }
+        else {
+            process.stderr.write(`${(0, errors_1.describeError)(err)}\n`);
+            return 2;
+        }
+    }
+    const deps = {
+        stdin: process.stdin,
+        stdout: process.stdout,
+        stderr: process.stderr,
+        loadedEntry,
+    };
+    try {
+        await command.run({ ...common, ...parsed.values }, deps);
         return 0;
     }
-    console.log("No arguments provided. Use --help for usage information.");
-    return 1;
-};
-main().then((code) => process.exit(code), (err) => {
-    console.error(err);
+    catch (err) {
+        if (err instanceof errors_1.CLIError) {
+            process.stderr.write(`${err.message}\n`);
+            return err.exitCode;
+        }
+        process.stderr.write(`${(0, errors_1.describeError)(err)}\n`);
+        return 2;
+    }
+}
+dispatch(process.argv.slice(2)).then((code) => process.exit(code), (err) => {
+    process.stderr.write(`${err instanceof Error ? (err.stack ?? err.message) : String(err)}\n`);
     process.exit(1);
 });

package/dist/oauth/authorize.d.ts

@@ -25,8 +25,9 @@ export interface AuthorizeOptions {
     /** Aborts the in-flight discovery, callback wait, and token exchange. */
     signal?: AbortSignal;
     /**
-     * Override for the token persistence layer. Defaults to
-     * `KeyringTokenStore` keyed by the normalized issuer URL.
+     * Override for the token persistence layer. Defaults to a fresh
+     * `KeyringTokenStore()` (single keychain entry per machine; the
+     * blob carries its own issuer/client coordinates).
      */
     tokenStore?: TokenStore;
     /** Override for the system browser launcher. Injected for tests. */

package/dist/oauth/authorize.js

@@ -38,7 +38,7 @@ function defaultOnWarning(message) {
  * @throws {OAuthCallbackError} For loopback/callback-server failures.
  */
 async function authorize(options) {
-    const { issuerURL, clientId, scopes, timeoutMs, signal, tokenStore = new tokenStore_1.KeyringTokenStore(issuerURL), openBrowser = openBrowser_1.openBrowser, onAuthorizationUrl = defaultOnAuthorizationUrl, onWarning = defaultOnWarning, allowInsecureIssuer, } = options;
+    const { issuerURL, clientId, scopes, timeoutMs, signal, tokenStore = new tokenStore_1.KeyringTokenStore(), openBrowser = openBrowser_1.openBrowser, onAuthorizationUrl = defaultOnAuthorizationUrl, onWarning = defaultOnWarning, allowInsecureIssuer, } = options;
     // Discovery first. If the auth server is unreachable we want to fail
     // *before* opening a browser — a rejected discovery throw is
     // strictly more useful than a browser tab pointing at a
@@ -98,14 +98,18 @@ async function authorize(options) {
         // came back, warn. Prefer the server's reported `grantedScope`
         // when present (RFC 6749 §5.1) since the provider's consent
         // screen may have dropped the scope.
-        if (scopes.includes("offline_access") &&
-            tokens.refreshToken === undefined) {
+        if (scopes.includes("offline_access") && !tokens.refreshToken) {
             const grantedSuffix = tokens.grantedScope
                 ? ` (server granted: ${tokens.grantedScope})`
                 : "";
             onWarning(`'offline_access' was requested but no refresh_token was returned${grantedSuffix}. Cross-session refresh will not be available.`);
         }
-        await tokenStore.save(tokens);
+        await tokenStore.save({
+            tokens,
+            issuerURL,
+            clientId,
+            allowInsecureIssuer: allowInsecureIssuer ?? false,
+        });
         return tokens;
     }
     finally {

package/dist/oauth/getValidAccessToken.d.ts

@@ -1,9 +1,18 @@
-import { type TokenStore } from "./tokenStore";
+import { type LoadResult, type TokenStore } from "./tokenStore";
 /** Options for `getValidAccessToken`. */
 export interface GetValidAccessTokenOptions {
-    /** OIDC issuer URL (same value passed to `authorize`). */
+    /**
+     * OIDC issuer URL (same value passed to `authorize`). Must match
+     * the stored entry's `issuerURL`; mismatch throws
+     * `OAuthFlowError("NOT_AUTHENTICATED", ...)` rather than refreshing
+     * the wrong issuer's tokens at the requested endpoint.
+     */
     issuerURL: string;
-    /** OAuth client identifier. */
+    /**
+     * OAuth client identifier. Must match the stored entry's
+     * `clientId`; see the note on `issuerURL` for the mismatch
+     * behavior.
+     */
     clientId: string;
     /**
      * How close to expiry we start preemptively refreshing, in
@@ -17,10 +26,20 @@ export interface GetValidAccessTokenOptions {
      */
     expiryBufferMs?: number;
     /**
-     * Override for the token store. Defaults to `KeyringTokenStore`
-     * keyed by `issuerURL`.
+     * Override for the token store. Defaults to a fresh
+     * `KeyringTokenStore()` (single keychain entry per machine).
      */
     tokenStore?: TokenStore;
+    /**
+     * Pre-loaded result of `tokenStore.load()`. When provided, the
+     * function skips its own keychain read and uses this value
+     * instead — lets a caller that already loaded the entry (the CLI
+     * dispatcher does, to derive `parseCommonArgs` defaults) avoid a
+     * redundant second read on the hot path. The same `tokenStore` is
+     * still used for the post-refresh `save()` and the
+     * `invalid_grant` `clear()`.
+     */
+    loadedEntry?: LoadResult;
     /** Aborts discovery + the refresh POST when fired. */
     signal?: AbortSignal;
     /**

package/dist/oauth/getValidAccessToken.js

@@ -47,24 +47,36 @@ function notAuthenticated(message, cause) {
  * keyed by issuer.
  */
 async function getValidAccessToken(options) {
-    const { issuerURL, clientId, expiryBufferMs = DEFAULT_EXPIRY_BUFFER_MS, tokenStore = new tokenStore_1.KeyringTokenStore(issuerURL), signal, allowInsecureIssuer, onWarning = defaultOnWarning, now = Date.now, } = options;
-    const loaded = await tokenStore.load();
+    const { issuerURL, clientId, expiryBufferMs = DEFAULT_EXPIRY_BUFFER_MS, tokenStore = new tokenStore_1.KeyringTokenStore(), loadedEntry, signal, allowInsecureIssuer, onWarning = defaultOnWarning, now = Date.now, } = options;
+    const loaded = loadedEntry ?? (await tokenStore.load());
     if (!loaded.ok) {
         switch (loaded.reason) {
             case "empty":
-                throw notAuthenticated(`No stored credentials for ${issuerURL}. Run \`axe-auth login\` first.`);
+                throw notAuthenticated("No stored credentials. Run `axe-auth login` first.");
             case "corrupt":
                 throw notAuthenticated("Stored credentials are unreadable. Run `axe-auth login` to re-authenticate.");
             case "version-mismatch":
                 throw notAuthenticated(`Stored credentials are from an unsupported schema version (v:${loaded.storedVersion}). Run \`axe-auth login\` to re-authenticate.`);
         }
     }
-    const tokens = loaded.tokens;
+    // Guard against a mismatch between the requested issuer/client and
+    // the stored entry's. Under single-entry storage, the keychain
+    // holds one set of tokens minted against one (issuer, client)
+    // pair. Refreshing those tokens against a different
+    // discovery/token endpoint would land an unrelated refresh token
+    // at the wrong server and leak it. Refuse rather than silently
+    // proceed so direct library callers (the CLI's verbs warn + route
+    // before getting here) get a clear signal.
+    if (loaded.entry.issuerURL !== issuerURL ||
+        loaded.entry.clientId !== clientId) {
+        throw notAuthenticated(`Stored credentials are for issuer ${loaded.entry.issuerURL} (client ${loaded.entry.clientId}), but the requested issuer is ${issuerURL} (client ${clientId}). Run \`axe-auth login\` to re-authenticate.`);
+    }
+    const tokens = loaded.entry.tokens;
     if (now() + expiryBufferMs < tokens.expiresAt) {
         // Still fresh — no network call, no store write.
         return tokens.accessToken;
     }
-    if (tokens.refreshToken === undefined) {
+    if (!tokens.refreshToken) {
         throw notAuthenticated("Access token has expired and no refresh token is available. Run `axe-auth login` to re-authenticate.");
     }
     const config = await (0, discoverOIDC_1.discoverOIDC)(issuerURL, {
@@ -113,7 +125,12 @@ async function getValidAccessToken(options) {
     // useful, and warn the caller so "why does the next run need me to
     // log in again?" has a breadcrumb.
     try {
-        await tokenStore.save(fresh);
+        await tokenStore.save({
+            tokens: fresh,
+            issuerURL: loaded.entry.issuerURL,
+            clientId: loaded.entry.clientId,
+            allowInsecureIssuer: loaded.entry.allowInsecureIssuer,
+        });
     }
     catch (err) {
         onWarning(`Refreshed tokens could not be saved: ${err instanceof Error ? err.message : String(err)}. The current call will succeed, but the next invocation will require re-authentication.`);

package/dist/oauth/index.d.ts

@@ -10,6 +10,7 @@ export { refreshTokens } from "./refreshTokens";
 export type { RefreshTokensOptions } from "./refreshTokens";
 export type { TokenSet } from "./tokenResponse";
 export { KeyringTokenStore, STORED_BLOB_VERSION } from "./tokenStore";
-export type { TokenStore, LoadResult, KeyringEntry, KeyringEntryFactory, } from "./tokenStore";
+export type { LoadResult, StoredEntry, TokenStore } from "./tokenStore";
+export type { KeyringEntry, KeyringEntryFactory } from "./keyringBinding";
 export { discoverOIDC } from "./discoverOIDC";
 export type { OIDCConfiguration, DiscoverOIDCOptions } from "./discoverOIDC";

package/dist/oauth/keyringBinding.d.ts

@@ -0,0 +1,22 @@
+/** Minimal keyring-entry surface consumed by the package's stores. */
+export interface KeyringEntry {
+    /** Writes the password for this entry. */
+    setPassword(password: string): void;
+    /** Reads the current password, or returns `null` if none is set. */
+    getPassword(): string | null;
+    /** Deletes the password and returns `true` if one existed. */
+    deletePassword(): boolean;
+}
+/**
+ * Factory for `KeyringEntry` values. Injection seam for tests;
+ * production callers use the default that constructs
+ * `@napi-rs/keyring` entries lazily.
+ */
+export type KeyringEntryFactory = (service: string, account: string) => KeyringEntry;
+/**
+ * Default `KeyringEntryFactory`. Resolves `@napi-rs/keyring` lazily
+ * so platforms without a prebuilt binding only see a
+ * `KEYRING_UNAVAILABLE` on first store construction, not on module
+ * import.
+ */
+export declare const defaultEntryFactory: KeyringEntryFactory;

package/dist/oauth/keyringBinding.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.defaultEntryFactory = void 0;
+const node_module_1 = require("node:module");
+const errors_1 = require("./errors");
+const requireFromHere = (0, node_module_1.createRequire)(__filename);
+// Lazy-resolved Entry constructor. Importing @napi-rs/keyring at the
+// top of this module would run its native binding loader at
+// module-load time, throwing before any of our OAuthFlowError code
+// catches it and preventing the module from being imported at all on
+// platforms without a prebuilt. We defer the require into
+// `defaultEntryFactory`, which turns that import-time failure into a
+// `KEYRING_UNAVAILABLE` surfaced on the first store construction —
+// not on first save/load/clear, since callers construct stores
+// eagerly as default-arg expressions. Runtime keychain errors
+// (missing D-Bus Secret Service, macOS Keychain denial, etc.) are a
+// separate concern and surface later, inside save/load/clear.
+let cachedEntryCtor = null;
+function resolveEntryCtor() {
+    if (cachedEntryCtor)
+        return cachedEntryCtor;
+    try {
+        const mod = requireFromHere("@napi-rs/keyring");
+        cachedEntryCtor = mod.Entry;
+        return cachedEntryCtor;
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("KEYRING_UNAVAILABLE", `Could not load @napi-rs/keyring. A prebuilt native binding for this platform may be missing.`, { cause });
+    }
+}
+/**
+ * Default `KeyringEntryFactory`. Resolves `@napi-rs/keyring` lazily
+ * so platforms without a prebuilt binding only see a
+ * `KEYRING_UNAVAILABLE` on first store construction, not on module
+ * import.
+ */
+const defaultEntryFactory = (service, account) => {
+    const Ctor = resolveEntryCtor();
+    return new Ctor(service, account);
+};
+exports.defaultEntryFactory = defaultEntryFactory;

package/dist/oauth/revokeToken.d.ts

@@ -0,0 +1,28 @@
+/** Options for `revokeRefreshToken`. */
+export interface RevokeRefreshTokenOptions {
+    /** Revocation endpoint resolved from OIDC discovery. */
+    revocationEndpoint: string;
+    /** OAuth client ID. */
+    clientId: string;
+    /** The refresh token to revoke server-side. */
+    refreshToken: string;
+    /** Aborts the underlying fetch when fired. */
+    signal?: AbortSignal;
+}
+/**
+ * Revokes a refresh token via RFC 7009. Servers SHOULD return 200
+ * regardless of whether the token was valid (the spec doesn't want
+ * revocation to be a probing oracle for token existence). In
+ * practice this helper still surfaces network errors and any
+ * non-2xx response from the revocation endpoint, on the assumption
+ * that a 4xx is more likely a misconfiguration the user should hear
+ * about than a routine condition to swallow.
+ *
+ * Throws a plain `Error` rather than `OAuthFlowError`: revocation
+ * is best-effort cleanup invoked from `axe-auth logout`, and the
+ * caller already handles failure by warning + continuing with the
+ * local clear. Adding a dedicated `OAuthFlowError` code for this
+ * one shallow operation is more bloat than the discrimination is
+ * worth.
+ */
+export declare function revokeRefreshToken(options: RevokeRefreshTokenOptions): Promise<void>;

package/dist/oauth/revokeToken.js

@@ -0,0 +1,59 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.revokeRefreshToken = revokeRefreshToken;
+/**
+ * Revokes a refresh token via RFC 7009. Servers SHOULD return 200
+ * regardless of whether the token was valid (the spec doesn't want
+ * revocation to be a probing oracle for token existence). In
+ * practice this helper still surfaces network errors and any
+ * non-2xx response from the revocation endpoint, on the assumption
+ * that a 4xx is more likely a misconfiguration the user should hear
+ * about than a routine condition to swallow.
+ *
+ * Throws a plain `Error` rather than `OAuthFlowError`: revocation
+ * is best-effort cleanup invoked from `axe-auth logout`, and the
+ * caller already handles failure by warning + continuing with the
+ * local clear. Adding a dedicated `OAuthFlowError` code for this
+ * one shallow operation is more bloat than the discrimination is
+ * worth.
+ */
+async function revokeRefreshToken(options) {
+    const body = new URLSearchParams({
+        token: options.refreshToken,
+        token_type_hint: "refresh_token",
+        client_id: options.clientId,
+    });
+    let response;
+    try {
+        response = await fetch(options.revocationEndpoint, {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body,
+            signal: options.signal,
+        });
+    }
+    catch (cause) {
+        const reason = cause instanceof Error ? cause.message : String(cause);
+        throw new Error(`Could not reach the revocation endpoint at ${options.revocationEndpoint}: ${reason}`, { cause });
+    }
+    if (!response.ok) {
+        // Deliberately do NOT include the response body. The request
+        // body we POSTed contains the refresh token; some Keycloak
+        // custom error templates and many WAFs / reverse proxies echo
+        // request fields back into 4xx pages, which would land the
+        // refresh token on stderr (the caller's `describeError(err)`
+        // path is `axe-auth: server-side revocation failed (...)`). Status
+        // alone is enough for the user to act on; if more detail is
+        // needed they can hit the revocation endpoint directly.
+        //
+        // We also drain the body so the underlying connection isn't
+        // held open by the unread stream.
+        try {
+            await response.text();
+        }
+        catch {
+            // ignore — body is purely diagnostic
+        }
+        throw new Error(`Revocation endpoint at ${options.revocationEndpoint} returned HTTP ${response.status}`);
+    }
+}

package/dist/oauth/tokenStore.d.ts

@@ -1,3 +1,4 @@
+import { type KeyringEntryFactory } from "./keyringBinding";
 import type { TokenSet } from "./tokenResponse";
 /**
  * Current on-disk blob schema version. Exported so consumers can
@@ -5,6 +6,22 @@ import type { TokenSet } from "./tokenResponse";
  * a `version-mismatch` result.
  */
 export declare const STORED_BLOB_VERSION = 1;
+/**
+ * What `KeyringTokenStore` persists: the OAuth tokens plus the
+ * issuer/client coordinates they were minted against. Carrying the
+ * coordinates inside the entry means a verb can recover its full
+ * config from the keychain alone, with no separate "default issuer"
+ * pointer.
+ */
+export interface StoredEntry {
+    tokens: TokenSet;
+    /** OIDC issuer URL the tokens were minted against. */
+    issuerURL: string;
+    /** OAuth client ID used at login. */
+    clientId: string;
+    /** Whether the original login allowed a non-loopback http issuer. */
+    allowInsecureIssuer: boolean;
+}
 /**
  * Outcome of a `TokenStore.load()` call.
  *
@@ -19,7 +36,7 @@ export declare const STORED_BLOB_VERSION = 1;
  */
 export type LoadResult = {
     ok: true;
-    tokens: TokenSet;
+    entry: StoredEntry;
 } | {
     ok: false;
     reason: "empty";
@@ -31,48 +48,64 @@ export type LoadResult = {
     reason: "version-mismatch";
     storedVersion: number;
 };
-/** Persistence layer for an OAuth `TokenSet`. */
+/** Persistence layer for an OAuth `StoredEntry`. */
 export interface TokenStore {
-    /** Write-through save. Replaces any previously stored tokens. */
-    save(tokens: TokenSet): Promise<void>;
+    /** Write-through save. Replaces any previously stored entry. */
+    save(entry: StoredEntry): Promise<void>;
     /**
-     * Reads the stored tokens and returns a structured result.
+     * Reads the stored entry and returns a structured result.
      *
      * Callers should branch on `result.ok` first. When `ok` is `false`,
-     * `reason` tells them *why* there is no usable `TokenSet`: `empty`
+     * `reason` tells them *why* there is no usable entry: `empty`
      * (nothing stored), `corrupt` (unparseable or shape-invalid), or
      * `version-mismatch` (stored under a schema we cannot migrate from).
      * The library does not emit output on these cases — surfacing them
      * to the user is the caller's responsibility.
      */
     load(): Promise<LoadResult>;
-    /** Removes any stored tokens. No-op if none are present. */
+    /** Removes any stored entry. No-op if none is present. */
     clear(): Promise<void>;
 }
-/** Minimal keyring-entry surface consumed by `KeyringTokenStore`. */
-export interface KeyringEntry {
-    /** Writes the password for this entry. */
-    setPassword(password: string): void;
-    /** Reads the current password, or returns `null` if none is set. */
-    getPassword(): string | null;
-    /** Deletes the password and returns `true` if one existed. */
-    deletePassword(): boolean;
-}
 /**
- * Factory for `KeyringEntry` values. Injection seam for tests;
- * production callers use the default that constructs
- * `@napi-rs/keyring` entries lazily.
+ * Outcome of `parseAndMigrateBlob`: same set of failure reasons as
+ * `LoadResult`, but on success carries the post-migration blob as an
+ * unknown payload. The caller is responsible for shape-validating
+ * that payload against the latest schema.
+ */
+export type BlobChainResult = {
+    ok: true;
+    blob: unknown;
+} | {
+    ok: false;
+    reason: "empty";
+} | {
+    ok: false;
+    reason: "corrupt";
+} | {
+    ok: false;
+    reason: "version-mismatch";
+    storedVersion: number;
+};
+/**
+ * JSON-parses the raw keychain password and walks the migrator chain
+ * until it reaches `expectedVersion`. Exported with `expectedVersion`
+ * and `migrators` parameters only for testing the chain mechanics
+ * against synthetic versions / migrators; production callers use
+ * `KeyringTokenStore.load()`, which feeds in `STORED_BLOB_VERSION`
+ * and `MIGRATORS` and applies the latest-shape check on top.
  */
-export type KeyringEntryFactory = (service: string, account: string) => KeyringEntry;
+export declare function parseAndMigrateBlob(raw: string | null, expectedVersion?: number, migrators?: ReadonlyMap<number, (old: unknown) => unknown | null>): BlobChainResult;
 /**
  * `TokenStore` backed by the operating system's native keychain via
  * `@napi-rs/keyring` (macOS Keychain, Windows Credential Manager, Linux
- * Secret Service). Account is keyed by the normalized issuer URL.
+ * Secret Service). One entry per machine, keyed by a fixed account
+ * name; the blob carries its own issuer/client coordinates so verbs
+ * can recover full config without per-issuer keying.
  */
 export declare class KeyringTokenStore implements TokenStore {
     #private;
-    constructor(issuerURL: string, entryFactory?: KeyringEntryFactory);
-    save(tokens: TokenSet): Promise<void>;
+    constructor(entryFactory?: KeyringEntryFactory);
+    save(entry: StoredEntry): Promise<void>;
     load(): Promise<LoadResult>;
     clear(): Promise<void>;
 }