@deque/axe-auth 1.1.0-next.fea0aa8a → 1.1.0-rc.047d31b4

package/dist/oauth/tokenStore.d.ts

@@ -2,8 +2,11 @@ import { type KeyringEntryFactory } from "./keyringBinding";
 import type { TokenSet } from "./tokenResponse";
 /**
  * Whether `KeyringTokenStore` should split the stored blob across
- * multiple keychain entries on this platform. Windows-only because of
- * Credential Manager's 2560 UTF-16 character per-entry cap. Exported
+ * multiple keychain entries on this platform. Windows-only: Credential
+ * Manager has a 2560-byte per-entry cap that large OAuth tokens
+ * routinely exceed. macOS Keychain and Linux libsecret have no
+ * comparable limit, and on macOS each entry is independently lockable
+ * (chunking there would multiply per-entry ACL prompts). Exported
  * (parameterized for tests) so the chunking path can be exercised
  * deterministically.
  */
@@ -109,28 +112,13 @@ export type BlobChainResult = {
  */
 export declare function parseAndMigrateBlob(raw: string | null, expectedVersion?: number, migrators?: ReadonlyMap<number, (old: unknown) => unknown | null>): BlobChainResult;
 /**
- * Builds the user-facing keychain error message. Platform is a
- * parameter (defaulting to `process.platform`) so tests can drive each
- * branch without mocking the runtime; mirrors the pattern in
+ * Builds the user-facing keychain error message: the underlying
+ * cause's text plus a per-platform hint. Platform is a parameter
+ * (defaulting to `process.platform`) so tests can drive each branch
+ * without mocking the runtime; mirrors the pattern in
  * `platformKeyringHint`.
- *
- * The Windows-specific size-limit message is only used when the
- * underlying error matches the binding's "longer than the platform
- * limit" wording AND the runtime is win32 — that combination is the
- * only way the size cap actually manifests in practice. On other
- * platforms (or for any other binding error) we fall back to the
- * generic per-platform hint.
  */
 export declare function keyringErrorMessage(op: string, cause: unknown, platform?: NodeJS.Platform): string;
-/**
- * Detects the `@napi-rs/keyring` error string for "value too large".
- * In practice only Windows Credential Manager triggers this — its
- * stored values are capped at 2560 UTF-16 chars; macOS Keychain and
- * Linux libsecret have no comparable limit. Exported (but not
- * re-exported from the package index) so tests can exercise the
- * detector independently of the wrap path.
- */
-export declare function isKeyringSizeError(cause: unknown): boolean;
 /**
  * Returns a per-platform hint appended to keychain error messages so
  * users see actionable guidance for their OS instead of generic or
@@ -145,8 +133,8 @@ export declare function platformKeyringHint(platform?: NodeJS.Platform): string;
  * Secret Service). On macOS and Linux the blob lives in a single entry
  * keyed by the fixed `credentials` account name. On Windows the blob
  * is split across `credentials.0`, `credentials.1`, … entries to fit
- * under Credential Manager's 2560 UTF-16 character per-entry cap; see
- * `shouldChunkForKeyring`.
+ * under Credential Manager's 2560-byte (1280 UTF-16 char) per-entry
+ * cap; see `shouldChunkForKeyring`.
  *
  * The blob carries its own issuer/client coordinates so verbs can
  * recover full config without per-issuer keying.

package/dist/oauth/tokenStore.js

@@ -4,34 +4,41 @@ exports.KeyringTokenStore = exports.STORED_BLOB_VERSION = void 0;
 exports.shouldChunkForKeyring = shouldChunkForKeyring;
 exports.parseAndMigrateBlob = parseAndMigrateBlob;
 exports.keyringErrorMessage = keyringErrorMessage;
-exports.isKeyringSizeError = isKeyringSizeError;
 exports.platformKeyringHint = platformKeyringHint;
 exports.chunkBlobForKeyring = chunkBlobForKeyring;
 const errors_1 = require("./errors");
 const keyringBinding_1 = require("./keyringBinding");
 const SERVICE_NAME = "axe-auth";
-// On Windows the blob is base64-encoded and split across
-// `credentials.0`, `credentials.1`, … entries (see `CHUNK_LIMIT`); a
-// Windows dev inspecting Credential Manager will see opaque base64.
+/**
+ * Keychain account identifier. On macOS/Linux the entire blob lives at
+ * this single account. On Windows the blob is base64-encoded and split
+ * across `credentials.0`, `credentials.1`, … entries (see `CHUNK_LIMIT`),
+ * so a Windows dev inspecting Credential Manager will see opaque base64.
+ */
 const ACCOUNT_NAME = "credentials";
-// Windows Credential Manager caps stored values at 2560 UTF-16 code
-// units, which large OAuth access-token JWTs (many groups/roles
-// claims) routinely exceed. On Windows we work around this by
-// splitting the JSON blob across multiple entries with account names
-// `credentials.0`, `credentials.1`, … . `CHUNK_LIMIT` leaves margin
-// under the platform cap; `MAX_CHUNKS` is a safety bound — we should
-// never get close in practice, even with maximally-claimed tokens.
-//
-// macOS Keychain and Linux libsecret have no comparable limit, so
-// chunking there would just multiply per-entry ACL prompts (each
-// keychain entry is independently lockable on macOS) for no gain.
-// Chunking is therefore Windows-only, gated by `shouldChunkForKeyring`.
-const CHUNK_LIMIT = 2500;
+/**
+ * Max JS string length per chunk. The limit applies to the full chunk
+ * including chunk 0's `<N>\n` count header, so chunk 0's data slice is
+ * `CHUNK_LIMIT - headerLen`. Windows Credential Manager's per-entry
+ * cap is `CRED_MAX_CREDENTIAL_BLOB_SIZE = 2560` bytes, and the
+ * `@napi-rs/keyring` Windows backend stores strings as UTF-16 (2 bytes
+ * per char), so 1250 chars = 2500 bytes stays safely under the cap.
+ */
+const CHUNK_LIMIT = 1250;
+/**
+ * Cap on chunks per stored blob. A request that would exceed this
+ * raises `TOKEN_TOO_LARGE` so an IDP issuing tokens with extraordinary
+ * claim counts fails with a clear error instead of silently consuming
+ * dozens of keychain entries.
+ */
 const MAX_CHUNKS = 32;
 /**
  * Whether `KeyringTokenStore` should split the stored blob across
- * multiple keychain entries on this platform. Windows-only because of
- * Credential Manager's 2560 UTF-16 character per-entry cap. Exported
+ * multiple keychain entries on this platform. Windows-only: Credential
+ * Manager has a 2560-byte per-entry cap that large OAuth tokens
+ * routinely exceed. macOS Keychain and Linux libsecret have no
+ * comparable limit, and on macOS each entry is independently lockable
+ * (chunking there would multiply per-entry ACL prompts). Exported
  * (parameterized for tests) so the chunking path can be exercised
  * deterministically.
  */
@@ -180,38 +187,16 @@ function wrapKeyringError(op, cause) {
     });
 }
 /**
- * Builds the user-facing keychain error message. Platform is a
- * parameter (defaulting to `process.platform`) so tests can drive each
- * branch without mocking the runtime; mirrors the pattern in
+ * Builds the user-facing keychain error message: the underlying
+ * cause's text plus a per-platform hint. Platform is a parameter
+ * (defaulting to `process.platform`) so tests can drive each branch
+ * without mocking the runtime; mirrors the pattern in
  * `platformKeyringHint`.
- *
- * The Windows-specific size-limit message is only used when the
- * underlying error matches the binding's "longer than the platform
- * limit" wording AND the runtime is win32 — that combination is the
- * only way the size cap actually manifests in practice. On other
- * platforms (or for any other binding error) we fall back to the
- * generic per-platform hint.
  */
 function keyringErrorMessage(op, cause, platform = process.platform) {
-    if (platform === "win32" && isKeyringSizeError(cause)) {
-        return `System keychain ${op} failed: Windows Credential Manager limits stored values to 2560 UTF-16 characters. Large OAuth access-token JWTs (many groups/roles claims) commonly exceed this.`;
-    }
     const causeMessage = cause instanceof Error ? cause.message : String(cause);
     return `System keychain ${op} failed: ${causeMessage}. ${platformKeyringHint(platform)}`;
 }
-/**
- * Detects the `@napi-rs/keyring` error string for "value too large".
- * In practice only Windows Credential Manager triggers this — its
- * stored values are capped at 2560 UTF-16 chars; macOS Keychain and
- * Linux libsecret have no comparable limit. Exported (but not
- * re-exported from the package index) so tests can exercise the
- * detector independently of the wrap path.
- */
-function isKeyringSizeError(cause) {
-    if (!(cause instanceof Error))
-        return false;
-    return /longer than the platform limit/.test(cause.message);
-}
 /**
  * Returns a per-platform hint appended to keychain error messages so
  * users see actionable guidance for their OS instead of generic or
@@ -259,8 +244,8 @@ function parseChunkHeader(first) {
  * Secret Service). On macOS and Linux the blob lives in a single entry
  * keyed by the fixed `credentials` account name. On Windows the blob
  * is split across `credentials.0`, `credentials.1`, … entries to fit
- * under Credential Manager's 2560 UTF-16 character per-entry cap; see
- * `shouldChunkForKeyring`.
+ * under Credential Manager's 2560-byte (1280 UTF-16 char) per-entry
+ * cap; see `shouldChunkForKeyring`.
  *
  * The blob carries its own issuer/client coordinates so verbs can
  * recover full config without per-issuer keying.

package/package.json

@@ -1,8 +1,15 @@
 {
   "name": "@deque/axe-auth",
-  "version": "1.1.0-next.fea0aa8a",
+  "version": "1.1.0-rc.047d31b4",
   "description": "CLI authentication utility for Deque services",
   "license": "SEE LICENSE IN LICENSE",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/dequelabs/axe-mcp-server-public.git"
+  },
+  "bugs": {
+    "url": "https://github.com/dequelabs/axe-mcp-server-public/issues"
+  },
   "type": "commonjs",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -38,6 +45,7 @@
   },
   "scripts": {
     "build": "tsc",
+    "typecheck:scripts": "tsc -p tsconfig.scripts.json",
     "test": "tsx --test \"src/**/*.test.ts\"",
     "coverage": "c8 pnpm test",
     "register-dev-client": "tsx scripts/registerDevClient.ts",