@deque/axe-auth 1.1.0-next.ac35e028 → 1.1.0-next.ace85bdc

package/dist/commands/login.help.d.ts

@@ -1,2 +1,2 @@
 /** Help text for `axe-auth login --help`. */
-export declare const HELP_LOGIN = "axe-auth login\n\nOpen a browser, complete the OAuth 2.0 Authorization Code + PKCE\nflow against your Keycloak realm, and persist the resulting tokens\nto the OS keychain.\n\nUsage:\n  axe-auth login --server <url> --realm <name> --client-id <id> [--force]\n\n  After a first successful login, --server / --realm / --client-id\n  can be omitted; the previously stored values are reused.\n\nOptions:\n  --server <url>           Authorization-server base URL.\n                           Falls back to AXE_OAUTH_SERVER.\n  --realm <name>           Keycloak realm name.\n                           Falls back to AXE_OAUTH_REALM.\n  --client-id <id>         OAuth client ID.\n                           Falls back to AXE_OAUTH_CLIENT_ID.\n  --allow-insecure-issuer  Permit non-loopback http issuers (default\n                           is https only; loopback http is always\n                           allowed).\n  --no-allow-insecure-issuer\n                           Force allowInsecureIssuer=false for this\n                           call, overriding the stored value if any.\n                           Mutually exclusive with\n                           --allow-insecure-issuer.\n  -h, --help               Show this help.\n  --force                  Re-authenticate without prompting even if\n                           a valid token is already stored.\n\nBehavior when already authenticated:\n  axe-auth stores one entry per machine. If a valid entry already\n  exists, an interactive session prompts for confirmation before\n  overwriting it \u2014 even when the new login targets a different\n  issuer or client (logging in to B destroys A's tokens). Pass\n  --force to skip the prompt. In a non-interactive session (no TTY)\n  --force is required; otherwise the command refuses to overwrite\n  stored tokens and exits non-zero.\n\nExit codes:\n  0  Success; tokens persisted to the keychain.\n  2  Configuration error or flow failure.\n  3  Login cancelled at the prompt.";
+export declare const HELP_LOGIN = "axe-auth login\n\nOpen a browser, complete the OAuth 2.0 Authorization Code + PKCE\nflow against the customer's Keycloak realm, and persist the\nresulting tokens to the OS keychain.\n\nThe CLI discovers the OAuth coordinates by calling\n`<server>/api/sso-config` on the axe server, so users only need to\nsupply (or default to) the axe server URL \u2014 never the underlying\nKeycloak URL, realm, or client ID directly.\n\nUsage:\n  axe-auth login [--server <url>] [--force]\n\n  With no flags, the SaaS prod axe server URL (https://axe.deque.com)\n  is used. Customers on other deployments pass --server (or set\n  AXE_SERVER_URL).\n\nOptions:\n  --server <url>           axe server URL. Used by `login` to fetch\n                           /api/sso-config and derive the OAuth\n                           coordinates. Falls back to AXE_SERVER_URL,\n                           then to https://axe.deque.com (SaaS prod).\n  --allow-insecure-issuer  Permit non-loopback http URLs (default is\n                           https only; loopback http is always\n                           allowed). Applies to `login` only;\n                           `token` and `logout` use the policy\n                           persisted at login.\n  --no-allow-insecure-issuer\n                           Force allowInsecureIssuer=false for the new\n                           `login` (and the entry it persists).\n                           Ignored by `token` and `logout`.\n                           Mutually exclusive with\n                           --allow-insecure-issuer.\n  -h, --help               Show this help.\n  --force                  Re-authenticate without prompting even if\n                           a valid token is already stored.\n\nBehavior when already authenticated:\n  axe-auth stores one entry per machine. If a valid entry already\n  exists, an interactive session prompts for confirmation before\n  overwriting it \u2014 even when the new login targets a different\n  issuer or client (logging in to B destroys A's tokens). Pass\n  --force to skip the prompt. In a non-interactive session (no TTY)\n  --force is required; otherwise the command refuses to overwrite\n  stored tokens and exits non-zero.\n\nExit codes:\n  0  Success; tokens persisted to the keychain.\n  2  Configuration error or flow failure.\n  3  Login cancelled at the prompt.";

package/dist/commands/login.help.js

@@ -6,14 +6,20 @@ const commonArgs_help_1 = require("../cli/commonArgs.help");
 exports.HELP_LOGIN = `axe-auth login
 
 Open a browser, complete the OAuth 2.0 Authorization Code + PKCE
-flow against your Keycloak realm, and persist the resulting tokens
-to the OS keychain.
+flow against the customer's Keycloak realm, and persist the
+resulting tokens to the OS keychain.
+
+The CLI discovers the OAuth coordinates by calling
+\`<server>/api/sso-config\` on the axe server, so users only need to
+supply (or default to) the axe server URL — never the underlying
+Keycloak URL, realm, or client ID directly.
 
 Usage:
-  axe-auth login --server <url> --realm <name> --client-id <id> [--force]
+  axe-auth login [--server <url>] [--force]
 
-  After a first successful login, --server / --realm / --client-id
-  can be omitted; the previously stored values are reused.
+  With no flags, the SaaS prod axe server URL (https://axe.deque.com)
+  is used. Customers on other deployments pass --server (or set
+  AXE_SERVER_URL).
 
 Options:
 ${commonArgs_help_1.HELP_COMMON_OPTIONS}

package/dist/commands/login.js

@@ -1,7 +1,12 @@
 "use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 const ts_dedent_1 = require("ts-dedent");
+const remove_trailing_slash_1 = __importDefault(require("remove-trailing-slash"));
 const authorize_1 = require("../oauth/authorize");
+const discoverSSOConfig_1 = require("../oauth/discoverSSOConfig");
 const errors_1 = require("../oauth/errors");
 const tokenStore_1 = require("../oauth/tokenStore");
 const confirm_1 = require("../cli/confirm");
@@ -19,6 +24,7 @@ const loginCommand = {
     async run(args, deps) {
         const isInteractive = deps.isInteractive ?? Boolean(deps.stdin.isTTY);
         const authorizeFn = deps.authorize ?? authorize_1.authorize;
+        const discoverFn = deps.discoverSSOConfig ?? discoverSSOConfig_1.discoverSSOConfig;
         const confirmFn = deps.confirm ??
             ((prompt) => (0, confirm_1.confirm)({
                 question: prompt,
@@ -26,38 +32,44 @@ const loginCommand = {
                 output: deps.stderr,
             }));
         const tokenStore = deps.tokenStore ?? new tokenStore_1.KeyringTokenStore();
+        let ssoConfig;
+        try {
+            ssoConfig = await discoverFn(args.walnutURL, {
+                allowInsecure: args.allowInsecureIssuer,
+            });
+        }
+        catch (err) {
+            if (err instanceof errors_1.OAuthFlowError) {
+                throw new errors_2.CLIError("OAUTH_FAILED", err.message);
+            }
+            throw err;
+        }
+        const issuerURL = `${(0, remove_trailing_slash_1.default)(ssoConfig.url)}/auth/realms/${ssoConfig.realm}`;
+        const clientId = ssoConfig.mcpClientId;
         if (!args.force) {
-            // Prefer the entry the dispatcher already loaded; only fall
-            // back to a fresh read when there isn't one (test path).
             const stored = deps.loadedEntry ?? (await tokenStore.load());
             if (!stored.ok && stored.reason !== "empty") {
-                // Existing entry is unreadable (corrupt or stored under a
-                // schema we can't migrate). authorize() will overwrite it
-                // either way, but the user deserves a breadcrumb for what
-                // disappeared.
+                // authorize() will overwrite either way, but the user
+                // deserves a breadcrumb for what disappeared.
                 deps.stderr.write(`axe-auth: replacing unreadable stored credentials (${stored.reason}).\n`);
             }
             if (stored.ok) {
-                // Two cases: same issuer (re-auth, today's prompt) and
-                // different issuer (overwriting another login's tokens).
-                // Both warrant confirmation; the message text differs so the
-                // user understands what's about to be lost.
-                const sameIssuer = stored.entry.issuerURL === args.issuerURL &&
-                    stored.entry.clientId === args.clientId;
+                const sameIssuer = stored.entry.issuerURL === issuerURL &&
+                    stored.entry.clientId === clientId;
                 if (!isInteractive) {
                     throw new errors_2.CLIError("ALREADY_AUTHENTICATED", sameIssuer
-                        ? `Already authenticated against ${args.issuerURL}. Re-run with --force to override.`
+                        ? `Already authenticated against ${issuerURL}. Re-run with --force to override.`
                         : (0, ts_dedent_1.dedent) `
                   Currently authenticated against ${stored.entry.issuerURL}.
-                  Logging in to ${args.issuerURL} would replace those tokens.
+                  Logging in to ${issuerURL} would replace those tokens.
                   Re-run with --force to override.
                 `);
                 }
                 const prompt = sameIssuer
-                    ? `Already authenticated against ${args.issuerURL}. Re-authenticate? [y/N]`
+                    ? `Already authenticated against ${issuerURL}. Re-authenticate? [y/N]`
                     : (0, ts_dedent_1.dedent) `
               Currently authenticated against ${stored.entry.issuerURL} (client ${stored.entry.clientId}).
-              Logging in to ${args.issuerURL} (client ${args.clientId}) will replace those tokens.
+              Logging in to ${issuerURL} (client ${clientId}) will replace those tokens.
               Continue? [y/N]
             `;
                 const ok = await confirmFn(prompt);
@@ -66,10 +78,13 @@ const loginCommand = {
                 }
             }
         }
+        // `walnutURL` lands in the StoredEntry so future verbs
+        // (re-discovery, revoke) operate without user-supplied flags.
         try {
             await authorizeFn({
-                issuerURL: args.issuerURL,
-                clientId: args.clientId,
+                issuerURL,
+                clientId,
+                walnutURL: args.walnutURL,
                 scopes: ["offline_access"],
                 allowInsecureIssuer: args.allowInsecureIssuer,
                 tokenStore,

package/dist/commands/logout.d.ts

@@ -19,6 +19,6 @@ declare const logoutCommand: {
     helpText: string;
     options: {};
     requiresConfig: false;
-    run(args: CommonArgs, deps: LogoutDeps): Promise<void>;
+    run(_args: CommonArgs, deps: LogoutDeps): Promise<void>;
 };
 export default logoutCommand;

package/dist/commands/logout.help.d.ts

@@ -1,2 +1,2 @@
 /** Help text for `axe-auth logout --help`. */
-export declare const HELP_LOGOUT = "axe-auth logout\n\nRevoke the stored refresh token server-side (best-effort) and clear\nthe local OS keychain entry.\n\nUsage:\n  axe-auth logout\n\n  --server / --realm / --client-id flags are accepted for\n  parity with `login` but are ignored: the stored entry's issuer\n  and client identify what to revoke. Mismatched flags produce a\n  warning on stderr.\n\nOptions:\n  --server <url>           Authorization-server base URL.\n                           Falls back to AXE_OAUTH_SERVER.\n  --realm <name>           Keycloak realm name.\n                           Falls back to AXE_OAUTH_REALM.\n  --client-id <id>         OAuth client ID.\n                           Falls back to AXE_OAUTH_CLIENT_ID.\n  --allow-insecure-issuer  Permit non-loopback http issuers (default\n                           is https only; loopback http is always\n                           allowed).\n  --no-allow-insecure-issuer\n                           Force allowInsecureIssuer=false for this\n                           call, overriding the stored value if any.\n                           Mutually exclusive with\n                           --allow-insecure-issuer.\n  -h, --help               Show this help.\n\nBehavior:\n  - If no tokens are stored, prints a note and exits 0 (logout is\n    idempotent).\n  - If the stored blob is unreadable (corrupt or from an\n    unsupported schema version), the local entry is cleared without\n    attempting server-side revocation, and a warning is printed.\n  - Otherwise: discovers the revocation endpoint at the stored\n    issuer, POSTs the stored refresh token per RFC 7009, then\n    clears the local keychain entry. Revocation failures or a\n    missing revocation endpoint are warned about; the local clear\n    still runs.\n\nExit codes:\n  0  Tokens cleared (server-side revocation may have failed; see\n     stderr for warnings).\n  2  Local clear failure.";
+export declare const HELP_LOGOUT = "axe-auth logout\n\nRevoke the stored refresh token server-side (best-effort) and clear\nthe local OS keychain entry.\n\nUsage:\n  axe-auth logout\n\n  Operates exclusively on the keychain entry written by\n  `axe-auth login`. The --server / --allow-insecure-issuer /\n  --no-allow-insecure-issuer flags are accepted for parity with\n  other commands but ignored; revocation uses the issuer, client,\n  and insecure-issuer policy persisted alongside the tokens at login.\n\nOptions:\n  --server <url>           axe server URL. Used by `login` to fetch\n                           /api/sso-config and derive the OAuth\n                           coordinates. Falls back to AXE_SERVER_URL,\n                           then to https://axe.deque.com (SaaS prod).\n  --allow-insecure-issuer  Permit non-loopback http URLs (default is\n                           https only; loopback http is always\n                           allowed). Applies to `login` only;\n                           `token` and `logout` use the policy\n                           persisted at login.\n  --no-allow-insecure-issuer\n                           Force allowInsecureIssuer=false for the new\n                           `login` (and the entry it persists).\n                           Ignored by `token` and `logout`.\n                           Mutually exclusive with\n                           --allow-insecure-issuer.\n  -h, --help               Show this help.\n\nBehavior:\n  - If no tokens are stored, prints a note and exits 0 (logout is\n    idempotent).\n  - If the stored blob is unreadable (corrupt or from an\n    unsupported schema version), the local entry is cleared without\n    attempting server-side revocation, and a warning is printed.\n  - Otherwise: discovers the revocation endpoint at the stored\n    issuer, POSTs the stored refresh token per RFC 7009, then\n    clears the local keychain entry. Revocation failures or a\n    missing revocation endpoint are warned about; the local clear\n    still runs.\n\nExit codes:\n  0  Tokens cleared (server-side revocation may have failed; see\n     stderr for warnings).\n  2  Local clear failure.";

package/dist/commands/logout.help.js

@@ -11,10 +11,11 @@ the local OS keychain entry.
 Usage:
   axe-auth logout
 
-  --server / --realm / --client-id flags are accepted for
-  parity with \`login\` but are ignored: the stored entry's issuer
-  and client identify what to revoke. Mismatched flags produce a
-  warning on stderr.
+  Operates exclusively on the keychain entry written by
+  \`axe-auth login\`. The --server / --allow-insecure-issuer /
+  --no-allow-insecure-issuer flags are accepted for parity with
+  other commands but ignored; revocation uses the issuer, client,
+  and insecure-issuer policy persisted alongside the tokens at login.
 
 Options:
 ${commonArgs_help_1.HELP_COMMON_OPTIONS}

package/dist/commands/logout.js

@@ -1,6 +1,5 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-const ts_dedent_1 = require("ts-dedent");
 const discoverOIDC_1 = require("../oauth/discoverOIDC");
 const revokeToken_1 = require("../oauth/revokeToken");
 const tokenStore_1 = require("../oauth/tokenStore");
@@ -13,12 +12,10 @@ const logoutCommand = {
     helpText: logout_help_1.HELP_LOGOUT,
     options: {},
     requiresConfig: false,
-    async run(args, deps) {
+    async run(_args, deps) {
         const discoverFn = deps.discoverOIDC ?? discoverOIDC_1.discoverOIDC;
         const revokeFn = deps.revokeRefreshToken ?? revokeToken_1.revokeRefreshToken;
         const tokenStore = deps.tokenStore ?? new tokenStore_1.KeyringTokenStore();
-        // Prefer the entry the dispatcher already loaded; only fall back
-        // to a fresh read when there isn't one (test path).
         const loaded = deps.loadedEntry ?? (await tokenStore.load());
         if (!loaded.ok) {
             if (loaded.reason === "empty") {
@@ -34,20 +31,7 @@ const logoutCommand = {
             deps.stdout.write("✓ Logged out.\n");
             return;
         }
-        // Use the stored entry's metadata for revocation, not args. Under
-        // single-entry keying there's only one set of credentials in the
-        // keychain; trying to revoke A's refresh token at B's revocation
-        // endpoint (because the user passed --server B) would just fail
-        // and leave A's token valid server-side.
         const { issuerURL, clientId, allowInsecureIssuer } = loaded.entry;
-        if (issuerURL !== args.issuerURL ||
-            clientId !== args.clientId ||
-            allowInsecureIssuer !== args.allowInsecureIssuer) {
-            deps.stderr.write((0, ts_dedent_1.dedent) `
-          axe-auth: ignoring --server / --realm / --client-id / --allow-insecure-issuer flags.
-          Logging out of stored issuer ${issuerURL} (client ${clientId}) instead.
-        ` + "\n");
-        }
         // Best-effort server-side revocation. Any failure here is a
         // warning; the local clear runs unconditionally below so the
         // user is "logged out" from this machine regardless.

package/dist/commands/token.d.ts

@@ -6,12 +6,7 @@ import type { CommandDeps } from "../cli/types";
 export interface TokenDeps extends CommandDeps {
     /** Override `getValidAccessToken` so tests don't touch the keychain or network. */
     getToken?: typeof getValidAccessToken;
-    /**
-     * Override the token store. Defaults to a fresh
-     * `KeyringTokenStore()`. Used to detect when caller-supplied flags
-     * mismatch the stored entry's issuer/client so the warning fires
-     * with the same store instance the eventual `getToken` call sees.
-     */
+    /** Override the token store. Defaults to a fresh `KeyringTokenStore()`. */
     tokenStore?: TokenStore;
 }
 /** `axe-auth token` — print a currently-valid access token to stdout. */
@@ -21,6 +16,6 @@ declare const tokenCommand: {
     helpText: string;
     options: {};
     requiresConfig: false;
-    run(args: CommonArgs, deps: TokenDeps): Promise<void>;
+    run(_args: CommonArgs, deps: TokenDeps): Promise<void>;
 };
 export default tokenCommand;

package/dist/commands/token.help.d.ts

@@ -1,2 +1,2 @@
 /** Help text for `axe-auth token --help`. */
-export declare const HELP_TOKEN = "axe-auth token\n\nPrint a currently-valid OAuth access token to stdout, refreshing\nsilently against the stored refresh token if needed.\n\nUsage:\n  axe-auth token\n\n  --server / --realm / --client-id flags are accepted for parity\n  with other commands but are not used to select a different\n  configuration for refresh. The stored entry's issuer and client\n  are always used; if the supplied values differ from what login\n  persisted, they are ignored and a warning is emitted.\n\nOptions:\n  --server <url>           Authorization-server base URL.\n                           Falls back to AXE_OAUTH_SERVER.\n  --realm <name>           Keycloak realm name.\n                           Falls back to AXE_OAUTH_REALM.\n  --client-id <id>         OAuth client ID.\n                           Falls back to AXE_OAUTH_CLIENT_ID.\n  --allow-insecure-issuer  Permit non-loopback http issuers (default\n                           is https only; loopback http is always\n                           allowed).\n  --no-allow-insecure-issuer\n                           Force allowInsecureIssuer=false for this\n                           call, overriding the stored value if any.\n                           Mutually exclusive with\n                           --allow-insecure-issuer.\n  -h, --help               Show this help.\n\nOutput:\n  The access token is written to stdout with a trailing newline so\n  shell substitution (`$(axe-auth token)`) works cleanly. Nothing\n  else is written to stdout.\n\nSecurity note:\n  Using `$(axe-auth token)` in a shell command exposes the access\n  token briefly in the system process-list (observable via `ps` on\n  POSIX, Task Manager on Windows). OAuth access tokens are\n  short-lived (typically minutes), which limits this exposure\n  compared to a static API key, but you should prefer streaming the\n  token into a file or env var on platforms where process listings\n  are sensitive.\n\nExit codes:\n  0  Success; the token was printed.\n  1  Not authenticated; run `axe-auth login` to re-authenticate.\n  2  Configuration error or transient failure (network, server,\n     keychain).";
+export declare const HELP_TOKEN = "axe-auth token\n\nPrint a currently-valid OAuth access token to stdout, refreshing\nsilently against the stored refresh token if needed.\n\nUsage:\n  axe-auth token\n\n  Operates exclusively on the keychain entry written by\n  `axe-auth login`. The --server / --allow-insecure-issuer /\n  --no-allow-insecure-issuer flags are accepted for parity with\n  other commands but ignored here; refresh uses the issuer, client,\n  and insecure-issuer policy persisted alongside the tokens at login.\n\nOptions:\n  --server <url>           axe server URL. Used by `login` to fetch\n                           /api/sso-config and derive the OAuth\n                           coordinates. Falls back to AXE_SERVER_URL,\n                           then to https://axe.deque.com (SaaS prod).\n  --allow-insecure-issuer  Permit non-loopback http URLs (default is\n                           https only; loopback http is always\n                           allowed). Applies to `login` only;\n                           `token` and `logout` use the policy\n                           persisted at login.\n  --no-allow-insecure-issuer\n                           Force allowInsecureIssuer=false for the new\n                           `login` (and the entry it persists).\n                           Ignored by `token` and `logout`.\n                           Mutually exclusive with\n                           --allow-insecure-issuer.\n  -h, --help               Show this help.\n\nOutput:\n  The access token is written to stdout with a trailing newline so\n  shell substitution (`$(axe-auth token)`) works cleanly. Nothing\n  else is written to stdout.\n\nSecurity note:\n  Using `$(axe-auth token)` in a shell command exposes the access\n  token briefly in the system process-list (observable via `ps` on\n  POSIX, Task Manager on Windows). OAuth access tokens are\n  short-lived (typically minutes), which limits this exposure\n  compared to a static API key, but you should prefer streaming the\n  token into a file or env var on platforms where process listings\n  are sensitive.\n\nExit codes:\n  0  Success; the token was printed.\n  1  Not authenticated; run `axe-auth login` to re-authenticate.\n  2  Configuration error or transient failure (network, server,\n     keychain).";

package/dist/commands/token.help.js

@@ -11,11 +11,11 @@ silently against the stored refresh token if needed.
 Usage:
   axe-auth token
 
-  --server / --realm / --client-id flags are accepted for parity
-  with other commands but are not used to select a different
-  configuration for refresh. The stored entry's issuer and client
-  are always used; if the supplied values differ from what login
-  persisted, they are ignored and a warning is emitted.
+  Operates exclusively on the keychain entry written by
+  \`axe-auth login\`. The --server / --allow-insecure-issuer /
+  --no-allow-insecure-issuer flags are accepted for parity with
+  other commands but ignored here; refresh uses the issuer, client,
+  and insecure-issuer policy persisted alongside the tokens at login.
 
 Options:
 ${commonArgs_help_1.HELP_COMMON_OPTIONS}

package/dist/commands/token.js

@@ -12,34 +12,18 @@ const tokenCommand = {
     helpText: token_help_1.HELP_TOKEN,
     options: {},
     requiresConfig: false,
-    async run(args, deps) {
+    async run(_args, deps) {
         const getToken = deps.getToken ?? getValidAccessToken_1.getValidAccessToken;
         const tokenStore = deps.tokenStore ?? new tokenStore_1.KeyringTokenStore();
-        // Prefer the entry the dispatcher already loaded; only fall back
-        // to a fresh read when there isn't one (test path).
         const loaded = deps.loadedEntry ?? (await tokenStore.load());
-        // The stored entry is the source of truth for issuer/client
-        // (single-entry-per-machine model). Refreshing tokens against a
-        // different issuer than the one they were minted at would just
-        // get them rejected, so args.* are advisory at most: we warn on
-        // mismatch and route the refresh to the stored coordinates.
-        let target = args;
-        if (loaded.ok) {
-            if (loaded.entry.issuerURL !== args.issuerURL ||
-                loaded.entry.clientId !== args.clientId ||
-                loaded.entry.allowInsecureIssuer !== args.allowInsecureIssuer) {
-                deps.stderr.write(`axe-auth: ignoring --server / --realm / --client-id / --allow-insecure-issuer flags; using stored issuer ${loaded.entry.issuerURL} (client ${loaded.entry.clientId}).\n`);
-            }
-            target = {
-                issuerURL: loaded.entry.issuerURL,
-                clientId: loaded.entry.clientId,
-                allowInsecureIssuer: loaded.entry.allowInsecureIssuer,
-            };
-        }
         let token;
         try {
             token = await getToken({
-                ...target,
+                issuerURL: loaded.ok ? loaded.entry.issuerURL : "",
+                clientId: loaded.ok ? loaded.entry.clientId : "",
+                allowInsecureIssuer: loaded.ok
+                    ? loaded.entry.allowInsecureIssuer
+                    : false,
                 tokenStore,
                 loadedEntry: loaded,
             });

package/dist/index.js

@@ -7,7 +7,6 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const node_fs_1 = require("node:fs");
 const node_path_1 = require("node:path");
 const node_util_1 = require("node:util");
-const ts_dedent_1 = require("ts-dedent");
 const commonArgs_1 = require("./cli/commonArgs");
 const tokenStore_1 = require("./oauth/tokenStore");
 const login_1 = __importDefault(require("./commands/login"));
@@ -15,7 +14,6 @@ const logout_1 = __importDefault(require("./commands/logout"));
 const token_1 = __importDefault(require("./commands/token"));
 const errors_1 = require("./cli/errors");
 const pkg = JSON.parse((0, node_fs_1.readFileSync)((0, node_path_1.join)(__dirname, "..", "package.json"), "utf-8"));
-// Iteration order is the order verbs appear in `axe-auth --help`.
 const COMMANDS = [
     login_1.default,
     logout_1.default,
@@ -83,64 +81,31 @@ async function dispatch(argv) {
         process.stdout.write(`${command.helpText}\n`);
         return 0;
     }
-    // Best-effort load of the stored config — but only when at least
-    // one common field is unspecified. The dispatcher's fallback is
-    // all-or-nothing (parseCommonArgs ignores defaults if any flag/env
-    // is set), so a fully-flagged invocation gains nothing from a
-    // keychain hit on the hot path.
-    //
-    // The load failure isn't fatal on its own — if the user passed
-    // flags/env, the stored config doesn't matter — but if
-    // `parseCommonArgs` then throws `MissingConfigError`, we surface
-    // this failure alongside it so the user understands the keychain
-    // (not just missing flags) is the proximate cause.
+    // Best-effort load: handed to verbs via `deps.loadedEntry` so a
+    // single CLI invocation hits the keychain once. Read failure is
+    // non-fatal — verbs handle their own empty/corrupt cases.
     let defaults = null;
-    let defaultLoadError = null;
     let loadedEntry;
-    const commonValues = parsed.values;
-    const allFlagsPresent = Boolean(commonValues.server && commonValues.realm && commonValues["client-id"]);
-    if (!allFlagsPresent) {
-        try {
-            loadedEntry = await new tokenStore_1.KeyringTokenStore().load();
-            if (loadedEntry.ok) {
-                defaults = {
-                    issuerURL: loadedEntry.entry.issuerURL,
-                    clientId: loadedEntry.entry.clientId,
-                    allowInsecureIssuer: loadedEntry.entry.allowInsecureIssuer,
-                };
-            }
-        }
-        catch (err) {
-            defaultLoadError = err;
+    try {
+        loadedEntry = await new tokenStore_1.KeyringTokenStore().load();
+        if (loadedEntry.ok) {
+            defaults = {
+                walnutURL: loadedEntry.entry.walnutURL,
+                allowInsecureIssuer: loadedEntry.entry.allowInsecureIssuer,
+            };
         }
     }
+    catch {
+        // Keychain unavailable: leave defaults null. Verbs surface their
+        // own clearer errors at the actual save / read site.
+    }
     let common;
     try {
-        common = (0, commonArgs_1.parseCommonArgs)(commonValues, process.env, defaults);
+        common = (0, commonArgs_1.parseCommonArgs)(parsed.values, process.env, defaults);
     }
     catch (err) {
-        if (err instanceof errors_1.MissingConfigError && !command.requiresConfig) {
-            // The verb operates on the stored entry alone (token,
-            // logout). It has its own handling for the empty / corrupt /
-            // version-mismatch cases, which is friendlier than the
-            // generic "missing required configuration" error
-            // (`No stored credentials. Run \`axe-auth login\` first.` for
-            // token; `Already logged out.` for logout). Pass a
-            // sentinel-empty CommonArgs so the verb runs and decides.
-            common = { issuerURL: "", clientId: "", allowInsecureIssuer: false };
-        }
-        else if (err instanceof errors_1.MissingConfigError && defaultLoadError !== null) {
-            process.stderr.write((0, ts_dedent_1.dedent) `
-        ${err.message}
-        Could not read the stored credentials from the keychain (${(0, errors_1.describeError)(defaultLoadError)});
-        pass the flags explicitly or fix the keychain.
-      ` + "\n");
-            return 2;
-        }
-        else {
-            process.stderr.write(`${(0, errors_1.describeError)(err)}\n`);
-            return 2;
-        }
+        process.stderr.write(`${(0, errors_1.describeError)(err)}\n`);
+        return 2;
     }
     const deps = {
         stdin: process.stdin,

package/dist/oauth/authorizationURL.d.ts

@@ -10,12 +10,7 @@ export interface BuildAuthorizationURLOptions {
     codeChallenge: string;
     /** CSRF `state` value, echoed by the auth server and validated on callback. */
     state: string;
-    /**
-     * OAuth scopes to request. No default — callers must choose explicitly.
-     * Keycloak-idiomatic value for a refresh-token flow is `["offline_access"]`;
-     * Google uses `access_type=offline` (a custom parameter) instead; Auth0
-     * tolerates `offline_access` only with specific audience settings.
-     */
+    /** OAuth scopes to request. No default; callers choose explicitly. */
     scopes: readonly string[];
 }
 /**

package/dist/oauth/authorizationURL.js

@@ -2,12 +2,8 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.buildAuthorizationURL = buildAuthorizationURL;
 const errors_1 = require("./errors");
-// Names of OAuth params we always set. If any of these are already
-// present on the authorization endpoint URL returned by discovery,
-// something is wrong on the server side (or with the caller's
-// endpoint override) and silently keeping both values would be a
-// security trap: the authorization server's disambiguation is
-// unspecified and varies by implementation.
+// Pre-existing values for these on the authorization endpoint are a
+// security trap: the auth server's disambiguation is unspecified.
 const OAUTH_REQUIRED_PARAMS = [
     "response_type",
     "client_id",

package/dist/oauth/authorize.d.ts

@@ -2,65 +2,34 @@ import type { TokenSet } from "./tokenResponse";
 import { type TokenStore } from "./tokenStore";
 /** Options for `authorize`. */
 export interface AuthorizeOptions {
-    /**
-     * Authorization-server URL the discovery document claims as its
-     * `issuer`. For Keycloak, callers build this as
-     * `${serverURL}/realms/${realm}`. For other providers it is the
-     * hostname (or issuer path) advertised in their discovery document.
-     */
+    /** Issuer URL the OIDC discovery document advertises (e.g. `${serverURL}/realms/${realm}` for Keycloak). */
     issuerURL: string;
     /** OAuth client ID registered with the authorization server. */
     clientId: string;
-    /**
-     * OAuth scopes to request. Required — this library has no opinion
-     * about which scopes your provider expects. Keycloak callers who
-     * want a refresh token typically pass `["offline_access"]`; Google
-     * uses `access_type=offline` as a separate query param and
-     * therefore needs an empty scope list plus that param threaded
-     * through elsewhere.
-     */
+    /** Persisted alongside the tokens so future verbs can re-discover `/api/sso-config` without flags. */
+    walnutURL: string;
+    /** OAuth scopes to request. Keycloak callers typically pass `["offline_access"]` for a refresh token. */
     scopes: readonly string[];
     /** Max time to wait for the loopback callback, in milliseconds. */
     timeoutMs?: number;
     /** Aborts the in-flight discovery, callback wait, and token exchange. */
     signal?: AbortSignal;
-    /**
-     * Override for the token persistence layer. Defaults to a fresh
-     * `KeyringTokenStore()` (single keychain entry per machine; the
-     * blob carries its own issuer/client coordinates).
-     */
+    /** Override for the token persistence layer. */
     tokenStore?: TokenStore;
     /** Override for the system browser launcher. Injected for tests. */
     openBrowser?: (url: string) => void;
-    /**
-     * Called with the authorization URL just before the browser launch.
-     * The default prints to stderr only when stderr is a TTY, so a
-     * parent CLI consuming this library as a dependency does not
-     * double-print. Pass a custom handler to route the URL through your
-     * own UI, or `() => {}` to suppress entirely.
-     */
+    /** Called with the authorization URL just before the browser launch. Default prints to stderr only when stderr is a TTY. */
     onAuthorizationUrl?: (url: string) => void;
     /**
-     * Called for soft warnings that are not errors but warrant user
-     * attention (e.g. `offline_access` was requested but the server did
-     * not return a `refresh_token`, or the browser failed to launch).
-     * The default prints to stderr only when stderr is a TTY. Pass a
-     * custom handler to route warnings through your own UI, or `() =>
-     * {}` to suppress entirely.
-     *
-     * Non-TTY callers who want warning visibility (log files, parent
-     * CLIs, background workers) should pass an explicit handler.
-     * Dropped warnings have no visible symptom at the time they fire —
-     * users only discover the consequence later (e.g. being prompted to
-     * re-authenticate at the next session).
+     * Called for soft warnings (e.g. requested `offline_access` but the
+     * server returned no refresh token, or the browser failed to
+     * launch). Default prints to stderr only when stderr is a TTY.
+     * Non-TTY callers who want warning visibility should pass an
+     * explicit handler — dropped warnings have no symptom at the time
+     * they fire; users discover the consequence later.
      */
     onWarning?: (message: string) => void;
-    /**
-     * Forwarded to the discovery step. Loopback hosts (`localhost` /
-     * `127.0.0.1` / `[::1]`) are always permitted over http; this flag
-     * is the opt-in for non-loopback http issuers and for non-loopback
-     * http endpoints returned by discovery. Default `false`.
-     */
+    /** Forwarded to discovery; permits non-loopback http issuers + endpoints. */
     allowInsecureIssuer?: boolean;
 }
 /**

package/dist/oauth/authorize.js

@@ -38,11 +38,9 @@ function defaultOnWarning(message) {
  * @throws {OAuthCallbackError} For loopback/callback-server failures.
  */
 async function authorize(options) {
-    const { issuerURL, clientId, scopes, timeoutMs, signal, tokenStore = new tokenStore_1.KeyringTokenStore(), openBrowser = openBrowser_1.openBrowser, onAuthorizationUrl = defaultOnAuthorizationUrl, onWarning = defaultOnWarning, allowInsecureIssuer, } = options;
-    // Discovery first. If the auth server is unreachable we want to fail
-    // *before* opening a browser — a rejected discovery throw is
-    // strictly more useful than a browser tab pointing at a
-    // wrong/unreachable URL.
+    const { issuerURL, clientId, walnutURL, scopes, timeoutMs, signal, tokenStore = new tokenStore_1.KeyringTokenStore(), openBrowser = openBrowser_1.openBrowser, onAuthorizationUrl = defaultOnAuthorizationUrl, onWarning = defaultOnWarning, allowInsecureIssuer, } = options;
+    // Discovery before browser-launch so a bad URL surfaces as a
+    // throw rather than a wrong/unreachable browser tab.
     const config = await (0, discoverOIDC_1.discoverOIDC)(issuerURL, {
         signal,
         allowInsecureIssuer,
@@ -109,6 +107,7 @@ async function authorize(options) {
             issuerURL,
             clientId,
             allowInsecureIssuer: allowInsecureIssuer ?? false,
+            walnutURL,
         });
         return tokens;
     }

package/dist/oauth/discoverOIDC.d.ts

@@ -15,36 +15,19 @@ export interface OIDCConfiguration {
 export interface DiscoverOIDCOptions {
     /** Aborts the underlying fetch when fired. */
     signal?: AbortSignal;
-    /**
-     * Permit non-HTTPS issuer URLs whose host is not a loopback literal.
-     * Loopback hosts (`localhost`, `127.0.0.1`, `[::1]`) are always
-     * allowed over http since they cannot be intercepted remotely; this
-     * flag is for corporate dev setups or reverse-proxy scenarios where
-     * http is the only available path. Default `false`.
-     */
+    /** Permit non-HTTPS issuer URLs whose host is not a loopback literal. Default `false`. */
     allowInsecureIssuer?: boolean;
 }
 /**
- * Fetches and parses the OpenID Connect discovery document for a given
- * issuer. Fails fast (no retry) so the caller does not open a browser
- * against an unreachable authorization server.
+ * Fetches and parses the OIDC discovery document. Fails fast (no
+ * retry) so the caller does not open a browser against an unreachable
+ * authorization server. Verifies the server's claimed `issuer` matches
+ * the input URL per OIDC Discovery §3 — without this, a hostile
+ * discovery response could redirect the authorization and token
+ * endpoints to attacker hosts.
  *
- * This function uses the OIDC discovery well-known path as a
- * convention — most OAuth 2.0 providers expose it regardless of
- * whether you intend to perform identity validation. This library
- * itself does not perform OIDC identity validation (no id_token /
- * nonce / signature checks); callers needing OIDC-strength identity
- * assurance should layer that on top.
- *
- * Verifies that the server's claimed `issuer` matches the URL the
- * caller passed in, per OIDC Discovery §3 / defence against a hostile
- * discovery response redirecting `authorization_endpoint` and
- * `token_endpoint` to attacker-controlled hosts.
- *
- * @param issuerURL Authorization-server URL the discovery document
- *   claims as its `issuer`. For Keycloak, callers build this as
- *   `${serverURL}/realms/${realm}`. For other providers it is the
- *   hostname (or issuer path) advertised in their discovery document.
- *   Trailing slashes tolerated.
+ * Uses the OIDC well-known path as a convention; does not perform
+ * OIDC-strength identity validation (no id_token / nonce / signature
+ * checks). Callers needing identity assurance should layer that on top.
  */
 export declare function discoverOIDC(issuerURL: string, options?: DiscoverOIDCOptions): Promise<OIDCConfiguration>;