@deque/axe-auth 1.1.0-next.5c407e02 → 1.1.0-next.689a4b1a

package/dist/oauth/authorize.d.ts

@@ -2,64 +2,34 @@ import type { TokenSet } from "./tokenResponse";
 import { type TokenStore } from "./tokenStore";
 /** Options for `authorize`. */
 export interface AuthorizeOptions {
-    /**
-     * Authorization-server URL the discovery document claims as its
-     * `issuer`. For Keycloak, callers build this as
-     * `${serverURL}/realms/${realm}`. For other providers it is the
-     * hostname (or issuer path) advertised in their discovery document.
-     */
+    /** Issuer URL the OIDC discovery document advertises (e.g. `${serverURL}/realms/${realm}` for Keycloak). */
     issuerURL: string;
     /** OAuth client ID registered with the authorization server. */
     clientId: string;
-    /**
-     * OAuth scopes to request. Required — this library has no opinion
-     * about which scopes your provider expects. Keycloak callers who
-     * want a refresh token typically pass `["offline_access"]`; Google
-     * uses `access_type=offline` as a separate query param and
-     * therefore needs an empty scope list plus that param threaded
-     * through elsewhere.
-     */
+    /** Persisted alongside the tokens so future verbs can re-discover `/api/sso-config` without flags. */
+    walnutURL: string;
+    /** OAuth scopes to request. Keycloak callers typically pass `["offline_access"]` for a refresh token. */
     scopes: readonly string[];
     /** Max time to wait for the loopback callback, in milliseconds. */
     timeoutMs?: number;
     /** Aborts the in-flight discovery, callback wait, and token exchange. */
     signal?: AbortSignal;
-    /**
-     * Override for the token persistence layer. Defaults to
-     * `KeyringTokenStore` keyed by the normalized issuer URL.
-     */
+    /** Override for the token persistence layer. */
     tokenStore?: TokenStore;
     /** Override for the system browser launcher. Injected for tests. */
     openBrowser?: (url: string) => void;
-    /**
-     * Called with the authorization URL just before the browser launch.
-     * The default prints to stderr only when stderr is a TTY, so a
-     * parent CLI consuming this library as a dependency does not
-     * double-print. Pass a custom handler to route the URL through your
-     * own UI, or `() => {}` to suppress entirely.
-     */
+    /** Called with the authorization URL just before the browser launch. Default prints to stderr only when stderr is a TTY. */
     onAuthorizationUrl?: (url: string) => void;
     /**
-     * Called for soft warnings that are not errors but warrant user
-     * attention (e.g. `offline_access` was requested but the server did
-     * not return a `refresh_token`, or the browser failed to launch).
-     * The default prints to stderr only when stderr is a TTY. Pass a
-     * custom handler to route warnings through your own UI, or `() =>
-     * {}` to suppress entirely.
-     *
-     * Non-TTY callers who want warning visibility (log files, parent
-     * CLIs, background workers) should pass an explicit handler.
-     * Dropped warnings have no visible symptom at the time they fire —
-     * users only discover the consequence later (e.g. being prompted to
-     * re-authenticate at the next session).
+     * Called for soft warnings (e.g. requested `offline_access` but the
+     * server returned no refresh token, or the browser failed to
+     * launch). Default prints to stderr only when stderr is a TTY.
+     * Non-TTY callers who want warning visibility should pass an
+     * explicit handler — dropped warnings have no symptom at the time
+     * they fire; users discover the consequence later.
      */
     onWarning?: (message: string) => void;
-    /**
-     * Forwarded to the discovery step. Loopback hosts (`localhost` /
-     * `127.0.0.1` / `[::1]`) are always permitted over http; this flag
-     * is the opt-in for non-loopback http issuers and for non-loopback
-     * http endpoints returned by discovery. Default `false`.
-     */
+    /** Forwarded to discovery; permits non-loopback http issuers + endpoints. */
     allowInsecureIssuer?: boolean;
 }
 /**

package/dist/oauth/authorize.js

@@ -38,11 +38,9 @@ function defaultOnWarning(message) {
  * @throws {OAuthCallbackError} For loopback/callback-server failures.
  */
 async function authorize(options) {
-    const { issuerURL, clientId, scopes, timeoutMs, signal, tokenStore = new tokenStore_1.KeyringTokenStore(issuerURL), openBrowser = openBrowser_1.openBrowser, onAuthorizationUrl = defaultOnAuthorizationUrl, onWarning = defaultOnWarning, allowInsecureIssuer, } = options;
-    // Discovery first. If the auth server is unreachable we want to fail
-    // *before* opening a browser — a rejected discovery throw is
-    // strictly more useful than a browser tab pointing at a
-    // wrong/unreachable URL.
+    const { issuerURL, clientId, walnutURL, scopes, timeoutMs, signal, tokenStore = new tokenStore_1.KeyringTokenStore(), openBrowser = openBrowser_1.openBrowser, onAuthorizationUrl = defaultOnAuthorizationUrl, onWarning = defaultOnWarning, allowInsecureIssuer, } = options;
+    // Discovery before browser-launch so a bad URL surfaces as a
+    // throw rather than a wrong/unreachable browser tab.
     const config = await (0, discoverOIDC_1.discoverOIDC)(issuerURL, {
         signal,
         allowInsecureIssuer,
@@ -98,14 +96,19 @@ async function authorize(options) {
         // came back, warn. Prefer the server's reported `grantedScope`
         // when present (RFC 6749 §5.1) since the provider's consent
         // screen may have dropped the scope.
-        if (scopes.includes("offline_access") &&
-            tokens.refreshToken === undefined) {
+        if (scopes.includes("offline_access") && !tokens.refreshToken) {
             const grantedSuffix = tokens.grantedScope
                 ? ` (server granted: ${tokens.grantedScope})`
                 : "";
             onWarning(`'offline_access' was requested but no refresh_token was returned${grantedSuffix}. Cross-session refresh will not be available.`);
         }
-        await tokenStore.save(tokens);
+        await tokenStore.save({
+            tokens,
+            issuerURL,
+            clientId,
+            allowInsecureIssuer: allowInsecureIssuer ?? false,
+            walnutURL,
+        });
         return tokens;
     }
     finally {

package/dist/oauth/discoverOIDC.d.ts

@@ -15,36 +15,19 @@ export interface OIDCConfiguration {
 export interface DiscoverOIDCOptions {
     /** Aborts the underlying fetch when fired. */
     signal?: AbortSignal;
-    /**
-     * Permit non-HTTPS issuer URLs whose host is not a loopback literal.
-     * Loopback hosts (`localhost`, `127.0.0.1`, `[::1]`) are always
-     * allowed over http since they cannot be intercepted remotely; this
-     * flag is for corporate dev setups or reverse-proxy scenarios where
-     * http is the only available path. Default `false`.
-     */
+    /** Permit non-HTTPS issuer URLs whose host is not a loopback literal. Default `false`. */
     allowInsecureIssuer?: boolean;
 }
 /**
- * Fetches and parses the OpenID Connect discovery document for a given
- * issuer. Fails fast (no retry) so the caller does not open a browser
- * against an unreachable authorization server.
+ * Fetches and parses the OIDC discovery document. Fails fast (no
+ * retry) so the caller does not open a browser against an unreachable
+ * authorization server. Verifies the server's claimed `issuer` matches
+ * the input URL per OIDC Discovery §3 — without this, a hostile
+ * discovery response could redirect the authorization and token
+ * endpoints to attacker hosts.
  *
- * This function uses the OIDC discovery well-known path as a
- * convention — most OAuth 2.0 providers expose it regardless of
- * whether you intend to perform identity validation. This library
- * itself does not perform OIDC identity validation (no id_token /
- * nonce / signature checks); callers needing OIDC-strength identity
- * assurance should layer that on top.
- *
- * Verifies that the server's claimed `issuer` matches the URL the
- * caller passed in, per OIDC Discovery §3 / defence against a hostile
- * discovery response redirecting `authorization_endpoint` and
- * `token_endpoint` to attacker-controlled hosts.
- *
- * @param issuerURL Authorization-server URL the discovery document
- *   claims as its `issuer`. For Keycloak, callers build this as
- *   `${serverURL}/realms/${realm}`. For other providers it is the
- *   hostname (or issuer path) advertised in their discovery document.
- *   Trailing slashes tolerated.
+ * Uses the OIDC well-known path as a convention; does not perform
+ * OIDC-strength identity validation (no id_token / nonce / signature
+ * checks). Callers needing identity assurance should layer that on top.
  */
 export declare function discoverOIDC(issuerURL: string, options?: DiscoverOIDCOptions): Promise<OIDCConfiguration>;

package/dist/oauth/discoverOIDC.js

@@ -4,17 +4,12 @@ exports.discoverOIDC = discoverOIDC;
 const errors_1 = require("./errors");
 const issuerURL_1 = require("./issuerURL");
 const predicates_1 = require("./predicates");
+const userAgent_1 = require("../userAgent");
 const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
 function optionalString(v) {
     return (0, predicates_1.isNonEmptyString)(v) ? v : undefined;
 }
-/**
- * Throws `DISCOVERY_FAILED` if `url` is not safe to transmit OAuth
- * secrets over. `https:` is always fine; `http:` is only fine for
- * loopback hosts, or for any host when `allowInsecurePermitted` is
- * `true`. `label` describes the URL being checked ("issuer URL",
- * "token_endpoint", etc.) and appears in the error message.
- */
+/** Throws `DISCOVERY_FAILED` if `url` is not safe to transmit OAuth secrets over. */
 function assertSecureURL(url, label, allowInsecurePermitted) {
     let parsed;
     try {
@@ -39,10 +34,9 @@ function assertSecureURL(url, label, allowInsecurePermitted) {
     throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `Unsupported ${label} scheme '${parsed.protocol}'; expected https: or http: (loopback only).`);
 }
 function buildDiscoveryURL(issuerURL) {
-    // Use URL parsing (rather than string concat) so the discovery path
-    // lands on the URL's pathname, not accidentally after a query string
-    // or fragment. `normalizeIssuerURL` already strips those, but
-    // defense in depth keeps the contract obvious from the code.
+    // URL parsing (rather than concat) so the path lands on `pathname`
+    // even if the input has a query string or fragment. `normalizeIssuerURL`
+    // strips those, but defense in depth.
     const normalized = new URL((0, issuerURL_1.normalizeIssuerURL)(issuerURL));
     normalized.search = "";
     normalized.hash = "";
@@ -70,27 +64,30 @@ function parseConfiguration(body, url) {
     };
 }
 /**
- * Fetches and parses the OpenID Connect discovery document for a given
- * issuer. Fails fast (no retry) so the caller does not open a browser
- * against an unreachable authorization server.
- *
- * This function uses the OIDC discovery well-known path as a
- * convention — most OAuth 2.0 providers expose it regardless of
- * whether you intend to perform identity validation. This library
- * itself does not perform OIDC identity validation (no id_token /
- * nonce / signature checks); callers needing OIDC-strength identity
- * assurance should layer that on top.
- *
- * Verifies that the server's claimed `issuer` matches the URL the
- * caller passed in, per OIDC Discovery §3 / defence against a hostile
- * discovery response redirecting `authorization_endpoint` and
- * `token_endpoint` to attacker-controlled hosts.
+ * `code_challenge_methods_supported` is OPTIONAL in OIDC discovery —
+ * absence is fine (older providers don't advertise). But when the
+ * list is present and excludes `S256` (the only method this CLI
+ * uses, per RFC 7636), fail fast with an actionable message.
+ */
+function assertPKCESupport(body, url) {
+    const methods = body.code_challenge_methods_supported;
+    if (!Array.isArray(methods))
+        return;
+    if (methods.includes("S256"))
+        return;
+    throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `OpenID configuration at ${url} advertises code_challenge_methods_supported = ${JSON.stringify(methods)}, but axe-auth requires S256 (PKCE per RFC 7636). The OAuth client used by axe-auth needs PKCE enabled, or you may be on an axe server version that predates OAuth-based MCP authentication.`);
+}
+/**
+ * Fetches and parses the OIDC discovery document. Fails fast (no
+ * retry) so the caller does not open a browser against an unreachable
+ * authorization server. Verifies the server's claimed `issuer` matches
+ * the input URL per OIDC Discovery §3 — without this, a hostile
+ * discovery response could redirect the authorization and token
+ * endpoints to attacker hosts.
  *
- * @param issuerURL Authorization-server URL the discovery document
- *   claims as its `issuer`. For Keycloak, callers build this as
- *   `${serverURL}/realms/${realm}`. For other providers it is the
- *   hostname (or issuer path) advertised in their discovery document.
- *   Trailing slashes tolerated.
+ * Uses the OIDC well-known path as a convention; does not perform
+ * OIDC-strength identity validation (no id_token / nonce / signature
+ * checks). Callers needing identity assurance should layer that on top.
  */
 async function discoverOIDC(issuerURL, options = {}) {
     const allowInsecure = options.allowInsecureIssuer ?? false;
@@ -98,7 +95,10 @@ async function discoverOIDC(issuerURL, options = {}) {
     const url = buildDiscoveryURL(issuerURL);
     let response;
     try {
-        response = await fetch(url, { signal: options.signal });
+        response = await fetch(url, {
+            headers: { "User-Agent": userAgent_1.USER_AGENT },
+            signal: options.signal,
+        });
     }
     catch (cause) {
         throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `Could not reach the authentication server at ${url}. Check the URL and your network connection.`, { cause });
@@ -139,5 +139,6 @@ async function discoverOIDC(issuerURL, options = {}) {
     if (config.endSessionEndpoint) {
         assertSecureURL(config.endSessionEndpoint, "end_session_endpoint", allowInsecure);
     }
+    assertPKCESupport(body, url);
     return config;
 }

package/dist/oauth/discoverSSOConfig.d.ts

@@ -0,0 +1,37 @@
+/** Subset of `/api/sso-config` this package consumes. */
+export interface SSOConfig {
+    /** Keycloak base URL, e.g. `https://auth.example.com`. */
+    url: string;
+    /** Keycloak realm name. */
+    realm: string;
+    /** OAuth client ID for the axe-auth CLI. */
+    mcpClientId: string;
+}
+/** Options for `discoverSSOConfig`. */
+export interface DiscoverSSOConfigOptions {
+    /** Aborts the underlying fetch when fired. */
+    signal?: AbortSignal;
+    /** Permit non-HTTPS axe server URLs whose host is not a loopback literal. Default `false`. */
+    allowInsecure?: boolean;
+}
+/**
+ * Fetches and parses the axe server's `/api/sso-config` discovery
+ * endpoint. Used by `axe-auth login` to derive the OAuth issuer URL,
+ * realm, and CLI-specific client ID from the axe server URL the user
+ * supplied (or the SaaS prod default), so users no longer have to know
+ * the underlying Keycloak coordinates.
+ *
+ * Distinguishes three failure shapes for the operator-relevant cases:
+ *
+ * - `mcpClientId` field absent: the axe server deployment predates the
+ *   field entirely. Surfaces as "needs upgrading".
+ * - `mcpClientId` is `null`: the axe server version supports the field
+ *   but the operator has not configured `KEYCLOAK_MCP_PUBLIC_CLIENT_ID`.
+ *   Surfaces as "ask the operator to configure".
+ * - any non-empty string: returned as-is.
+ *
+ * Other failure modes (unreachable, non-2xx, malformed JSON, missing
+ * `url` / `realm`) all map to `DISCOVERY_FAILED` with a descriptive
+ * message. The caller is expected to surface these errors verbatim.
+ */
+export declare function discoverSSOConfig(serverURL: string, options?: DiscoverSSOConfigOptions): Promise<SSOConfig>;

package/dist/oauth/discoverSSOConfig.js

@@ -0,0 +1,105 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.discoverSSOConfig = discoverSSOConfig;
+const errors_1 = require("./errors");
+const predicates_1 = require("./predicates");
+const userAgent_1 = require("../userAgent");
+const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
+function assertSecureServerURL(serverURL, allowInsecure) {
+    let parsed;
+    try {
+        parsed = new URL(serverURL);
+    }
+    catch {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `axe server URL is not a valid URL: ${serverURL}`);
+    }
+    if (parsed.protocol === "https:")
+        return parsed;
+    if (parsed.protocol === "http:") {
+        const hostname = parsed.host.toLowerCase().replace(/:\d+$/, "");
+        if (LOOPBACK_HOSTS.has(hostname))
+            return parsed;
+        if (allowInsecure)
+            return parsed;
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `Refusing to use axe server URL over http:// against non-loopback host ${parsed.host}. Use https:// or pass --allow-insecure-issuer to override (only do this on trusted networks).`);
+    }
+    throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `Unsupported axe server URL scheme '${parsed.protocol}'; expected https: or http: (loopback only).`);
+}
+function buildSSOConfigURL(parsed) {
+    const copy = new URL(parsed.toString());
+    copy.search = "";
+    copy.hash = "";
+    copy.pathname = `${copy.pathname.replace(/\/+$/, "")}/api/sso-config`;
+    return copy.toString();
+}
+/**
+ * Fetches and parses the axe server's `/api/sso-config` discovery
+ * endpoint. Used by `axe-auth login` to derive the OAuth issuer URL,
+ * realm, and CLI-specific client ID from the axe server URL the user
+ * supplied (or the SaaS prod default), so users no longer have to know
+ * the underlying Keycloak coordinates.
+ *
+ * Distinguishes three failure shapes for the operator-relevant cases:
+ *
+ * - `mcpClientId` field absent: the axe server deployment predates the
+ *   field entirely. Surfaces as "needs upgrading".
+ * - `mcpClientId` is `null`: the axe server version supports the field
+ *   but the operator has not configured `KEYCLOAK_MCP_PUBLIC_CLIENT_ID`.
+ *   Surfaces as "ask the operator to configure".
+ * - any non-empty string: returned as-is.
+ *
+ * Other failure modes (unreachable, non-2xx, malformed JSON, missing
+ * `url` / `realm`) all map to `DISCOVERY_FAILED` with a descriptive
+ * message. The caller is expected to surface these errors verbatim.
+ */
+async function discoverSSOConfig(serverURL, options = {}) {
+    const allowInsecure = options.allowInsecure ?? false;
+    const parsed = assertSecureServerURL(serverURL, allowInsecure);
+    const url = buildSSOConfigURL(parsed);
+    let response;
+    try {
+        response = await fetch(url, {
+            headers: { "User-Agent": userAgent_1.USER_AGENT },
+            signal: options.signal,
+        });
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `Could not reach the axe server at ${url}. Check the --server URL and your network connection.`, { cause });
+    }
+    if (!response.ok) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `axe server at ${url} responded with HTTP ${response.status}. Check the --server URL.`);
+    }
+    let body;
+    try {
+        body = await response.json();
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `axe server at ${url} did not return valid JSON.`, { cause });
+    }
+    if (body === null || typeof body !== "object" || Array.isArray(body)) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `axe server at ${url} returned a non-object response body.`);
+    }
+    const raw = body;
+    const missing = [];
+    if (!(0, predicates_1.isNonEmptyString)(raw.url))
+        missing.push("url");
+    if (!(0, predicates_1.isNonEmptyString)(raw.realm))
+        missing.push("realm");
+    if (missing.length > 0) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `${url} is missing required field(s): ${missing.join(", ")}`);
+    }
+    if (!("mcpClientId" in raw)) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `axe server at ${serverURL} does not advertise OAuth-based MCP authentication. The deployment may need to be upgraded to a version that supports the axe-auth CLI.`);
+    }
+    if (raw.mcpClientId === null) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `axe server at ${serverURL} has not been configured for OAuth-based MCP authentication. Ask your operator to set the KEYCLOAK_MCP_PUBLIC_CLIENT_ID environment variable on the axe server.`);
+    }
+    if (!(0, predicates_1.isNonEmptyString)(raw.mcpClientId)) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `axe server at ${serverURL} returned a malformed mcpClientId (expected a non-empty string).`);
+    }
+    return {
+        url: raw.url,
+        realm: raw.realm,
+        mcpClientId: raw.mcpClientId,
+    };
+}

package/dist/oauth/errors.d.ts

@@ -41,6 +41,8 @@ export type OAuthFlowErrorCode =
  | "TOKEN_EXCHANGE_FAILED"
 /** System keychain is unavailable (e.g. no D-Bus secret service on Linux). */
  | "KEYRING_UNAVAILABLE"
+/** OAuth blob is too large for the OS keystore (Windows Credential Manager: 2560 UTF-16 chars per entry, MAX_CHUNKS chunks max). The keystore itself is healthy; the IDP is issuing tokens with too many claims. */
+ | "TOKEN_TOO_LARGE"
 /** Authorization endpoint returned by discovery cannot be used (e.g. already carries an OAuth-required param). Server misconfiguration. */
  | "INVALID_AUTHORIZATION_ENDPOINT"
 /** No usable stored credentials; the user needs to run `login` to re-authenticate. Covers empty / corrupt / version-mismatched store and refresh tokens the authorization server has revoked. */

package/dist/oauth/getValidAccessToken.d.ts

@@ -1,41 +1,25 @@
-import { type TokenStore } from "./tokenStore";
+import { type LoadResult, type TokenStore } from "./tokenStore";
 /** Options for `getValidAccessToken`. */
 export interface GetValidAccessTokenOptions {
-    /** OIDC issuer URL (same value passed to `authorize`). */
+    /** OIDC issuer URL. Must match the stored entry's `issuerURL`; mismatch throws NOT_AUTHENTICATED. */
     issuerURL: string;
-    /** OAuth client identifier. */
+    /** OAuth client identifier. Must match the stored entry's `clientId`; same mismatch behavior as `issuerURL`. */
     clientId: string;
     /**
-     * How close to expiry we start preemptively refreshing, in
-     * milliseconds. Defaults to 60_000 (60s). The buffer gives headroom
-     * between our "still fresh enough" check and the server's view of
-     * expiry (which may differ by a few seconds of clock skew) and
-     * prevents a token from expiring mid-request after we hand it out.
-     *
-     * Assumes the access-token TTL is much larger than the buffer. With
-     * TTLs ≤ `expiryBufferMs`, every call will trigger a refresh.
+     * How close to expiry preemptive refresh kicks in, in ms. Default
+     * 60_000. Buffer covers clock skew vs. the server. Assumes
+     * access-token TTL ≫ this; otherwise every call refreshes.
      */
     expiryBufferMs?: number;
-    /**
-     * Override for the token store. Defaults to `KeyringTokenStore`
-     * keyed by `issuerURL`.
-     */
+    /** Override for the token store. */
     tokenStore?: TokenStore;
+    /** Pre-loaded `tokenStore.load()` result so the dispatcher's keychain read isn't repeated. */
+    loadedEntry?: LoadResult;
     /** Aborts discovery + the refresh POST when fired. */
     signal?: AbortSignal;
-    /**
-     * Forwarded to discovery. Loopback issuers are always permitted
-     * over http; this flag is the opt-in for non-loopback http.
-     */
+    /** Forwarded to discovery; permits non-loopback http. */
     allowInsecureIssuer?: boolean;
-    /**
-     * Called for soft warnings that are not errors but warrant user
-     * attention (e.g. a fresh `TokenSet` could not be written to the
-     * keychain, stranding the rotated refresh token — see the hazard
-     * note in the body of `getValidAccessToken`). The default prints
-     * to stderr only when stderr is a TTY. Pass a custom handler to
-     * route warnings through your own UI, or `() => {}` to suppress.
-     */
+    /** Called for soft warnings (e.g. rotated tokens couldn't be persisted — see HAZARD note in the body). Default prints to stderr only when stderr is a TTY. */
     onWarning?: (message: string) => void;
     /** Source of `now`. Defaults to `Date.now`. Injected for test determinism. */
     now?: () => number;

package/dist/oauth/getValidAccessToken.js

@@ -47,24 +47,30 @@ function notAuthenticated(message, cause) {
  * keyed by issuer.
  */
 async function getValidAccessToken(options) {
-    const { issuerURL, clientId, expiryBufferMs = DEFAULT_EXPIRY_BUFFER_MS, tokenStore = new tokenStore_1.KeyringTokenStore(issuerURL), signal, allowInsecureIssuer, onWarning = defaultOnWarning, now = Date.now, } = options;
-    const loaded = await tokenStore.load();
+    const { issuerURL, clientId, expiryBufferMs = DEFAULT_EXPIRY_BUFFER_MS, tokenStore = new tokenStore_1.KeyringTokenStore(), loadedEntry, signal, allowInsecureIssuer, onWarning = defaultOnWarning, now = Date.now, } = options;
+    const loaded = loadedEntry ?? (await tokenStore.load());
     if (!loaded.ok) {
         switch (loaded.reason) {
             case "empty":
-                throw notAuthenticated(`No stored credentials for ${issuerURL}. Run \`axe-auth login\` first.`);
+                throw notAuthenticated("No stored credentials. Run `axe-auth login` first.");
             case "corrupt":
                 throw notAuthenticated("Stored credentials are unreadable. Run `axe-auth login` to re-authenticate.");
             case "version-mismatch":
                 throw notAuthenticated(`Stored credentials are from an unsupported schema version (v:${loaded.storedVersion}). Run \`axe-auth login\` to re-authenticate.`);
         }
     }
-    const tokens = loaded.tokens;
+    // Refuse on issuer/client mismatch: refreshing tokens at a
+    // different endpoint would leak the refresh token to the wrong
+    // server.
+    if (loaded.entry.issuerURL !== issuerURL ||
+        loaded.entry.clientId !== clientId) {
+        throw notAuthenticated(`Stored credentials are for issuer ${loaded.entry.issuerURL} (client ${loaded.entry.clientId}), but the requested issuer is ${issuerURL} (client ${clientId}). Run \`axe-auth login\` to re-authenticate.`);
+    }
+    const tokens = loaded.entry.tokens;
     if (now() + expiryBufferMs < tokens.expiresAt) {
-        // Still fresh — no network call, no store write.
         return tokens.accessToken;
     }
-    if (tokens.refreshToken === undefined) {
+    if (!tokens.refreshToken) {
         throw notAuthenticated("Access token has expired and no refresh token is available. Run `axe-auth login` to re-authenticate.");
     }
     const config = await (0, discoverOIDC_1.discoverOIDC)(issuerURL, {
@@ -83,13 +89,10 @@ async function getValidAccessToken(options) {
     }
     catch (err) {
         if (isInvalidGrant(err)) {
-            // Refresh token revoked / expired server-side. Best-effort
-            // clear of the stored tokens so the next run starts clean —
-            // but if the clear itself fails (e.g. KEYRING_UNAVAILABLE),
-            // prefer surfacing NOT_AUTHENTICATED so the user still gets
-            // the actionable "please run login" signal. Note the clear
-            // failure via onWarning; the next run will see the stale
-            // tokens, try to refresh, and land back here.
+            // Best-effort clear: if the clear itself fails, still surface
+            // NOT_AUTHENTICATED so the user gets the "please run login"
+            // signal — the next run will refresh, land back here, and
+            // retry the clear.
             try {
                 await tokenStore.clear();
             }
@@ -113,7 +116,13 @@ async function getValidAccessToken(options) {
     // useful, and warn the caller so "why does the next run need me to
     // log in again?" has a breadcrumb.
     try {
-        await tokenStore.save(fresh);
+        await tokenStore.save({
+            tokens: fresh,
+            issuerURL: loaded.entry.issuerURL,
+            clientId: loaded.entry.clientId,
+            allowInsecureIssuer: loaded.entry.allowInsecureIssuer,
+            walnutURL: loaded.entry.walnutURL,
+        });
     }
     catch (err) {
         onWarning(`Refreshed tokens could not be saved: ${err instanceof Error ? err.message : String(err)}. The current call will succeed, but the next invocation will require re-authentication.`);

package/dist/oauth/index.d.ts

@@ -10,6 +10,7 @@ export { refreshTokens } from "./refreshTokens";
 export type { RefreshTokensOptions } from "./refreshTokens";
 export type { TokenSet } from "./tokenResponse";
 export { KeyringTokenStore, STORED_BLOB_VERSION } from "./tokenStore";
-export type { TokenStore, LoadResult, KeyringEntry, KeyringEntryFactory, } from "./tokenStore";
+export type { LoadResult, StoredEntry, TokenStore } from "./tokenStore";
+export type { KeyringEntry, KeyringEntryFactory } from "./keyringBinding";
 export { discoverOIDC } from "./discoverOIDC";
 export type { OIDCConfiguration, DiscoverOIDCOptions } from "./discoverOIDC";

package/dist/oauth/keyringBinding.d.ts

@@ -0,0 +1,22 @@
+/** Minimal keyring-entry surface consumed by the package's stores. */
+export interface KeyringEntry {
+    /** Writes the password for this entry. */
+    setPassword(password: string): void;
+    /** Reads the current password, or returns `null` if none is set. */
+    getPassword(): string | null;
+    /** Deletes the password and returns `true` if one existed. */
+    deletePassword(): boolean;
+}
+/**
+ * Factory for `KeyringEntry` values. Injection seam for tests;
+ * production callers use the default that constructs
+ * `@napi-rs/keyring` entries lazily.
+ */
+export type KeyringEntryFactory = (service: string, account: string) => KeyringEntry;
+/**
+ * Default `KeyringEntryFactory`. Resolves `@napi-rs/keyring` lazily
+ * so platforms without a prebuilt binding only see a
+ * `KEYRING_UNAVAILABLE` on first store construction, not on module
+ * import.
+ */
+export declare const defaultEntryFactory: KeyringEntryFactory;

package/dist/oauth/keyringBinding.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.defaultEntryFactory = void 0;
+const node_module_1 = require("node:module");
+const errors_1 = require("./errors");
+const requireFromHere = (0, node_module_1.createRequire)(__filename);
+// Lazy-resolved Entry constructor. Importing @napi-rs/keyring at the
+// top of this module would run its native binding loader at
+// module-load time, throwing before any of our OAuthFlowError code
+// catches it and preventing the module from being imported at all on
+// platforms without a prebuilt. We defer the require into
+// `defaultEntryFactory`, which turns that import-time failure into a
+// `KEYRING_UNAVAILABLE` surfaced on the first store construction —
+// not on first save/load/clear, since callers construct stores
+// eagerly as default-arg expressions. Runtime keychain errors
+// (missing D-Bus Secret Service, macOS Keychain denial, etc.) are a
+// separate concern and surface later, inside save/load/clear.
+let cachedEntryCtor = null;
+function resolveEntryCtor() {
+    if (cachedEntryCtor)
+        return cachedEntryCtor;
+    try {
+        const mod = requireFromHere("@napi-rs/keyring");
+        cachedEntryCtor = mod.Entry;
+        return cachedEntryCtor;
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("KEYRING_UNAVAILABLE", `Could not load @napi-rs/keyring. A prebuilt native binding for this platform may be missing.`, { cause });
+    }
+}
+/**
+ * Default `KeyringEntryFactory`. Resolves `@napi-rs/keyring` lazily
+ * so platforms without a prebuilt binding only see a
+ * `KEYRING_UNAVAILABLE` on first store construction, not on module
+ * import.
+ */
+const defaultEntryFactory = (service, account) => {
+    const Ctor = resolveEntryCtor();
+    return new Ctor(service, account);
+};
+exports.defaultEntryFactory = defaultEntryFactory;