@deque/axe-auth 1.2.0-rc.cd2af31c → 1.2.1-next.0b5b0847

package/credits.json

@@ -1,20 +1,20 @@
 {
-  "@napi-rs/keyring@1.2.0": {
+  "@napi-rs/keyring@1.3.0": {
     "name": "@napi-rs/keyring",
-    "version": "1.2.0",
+    "version": "1.3.0",
     "licenses": "MIT",
-    "path": "/home/runner/work/axe-mcp-server/axe-mcp-server/node_modules/.pnpm/@napi-rs+keyring@1.2.0/node_modules/@napi-rs/keyring",
+    "path": "/home/runner/work/axe-mcp-server/axe-mcp-server/node_modules/.pnpm/@napi-rs+keyring@1.3.0/node_modules/@napi-rs/keyring",
     "licenseText": "MIT License\n\nCopyright (c) 2020 N-API for Rust\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n",
-    "licenseFile": "/home/runner/work/axe-mcp-server/axe-mcp-server/node_modules/.pnpm/@napi-rs+keyring@1.2.0/node_modules/@napi-rs/keyring/LICENSE",
+    "licenseFile": "/home/runner/work/axe-mcp-server/axe-mcp-server/node_modules/.pnpm/@napi-rs+keyring@1.3.0/node_modules/@napi-rs/keyring/LICENSE",
     "copyright": "Copyright (c) 2020 N-API for Rust"
   },
-  "@napi-rs/keyring-linux-x64-gnu@1.2.0": {
+  "@napi-rs/keyring-linux-x64-gnu@1.3.0": {
     "name": "@napi-rs/keyring-linux-x64-gnu",
-    "version": "1.2.0",
+    "version": "1.3.0",
     "licenses": "MIT",
-    "path": "/home/runner/work/axe-mcp-server/axe-mcp-server/node_modules/.pnpm/@napi-rs+keyring-linux-x64-gnu@1.2.0/node_modules/@napi-rs/keyring-linux-x64-gnu",
+    "path": "/home/runner/work/axe-mcp-server/axe-mcp-server/node_modules/.pnpm/@napi-rs+keyring-linux-x64-gnu@1.3.0/node_modules/@napi-rs/keyring-linux-x64-gnu",
     "licenseText": "# `@napi-rs/keyring-linux-x64-gnu`\n\nThis is the **x86_64-unknown-linux-gnu** binary for `@napi-rs/keyring`\n",
-    "licenseFile": "/home/runner/work/axe-mcp-server/axe-mcp-server/node_modules/.pnpm/@napi-rs+keyring-linux-x64-gnu@1.2.0/node_modules/@napi-rs/keyring-linux-x64-gnu/README.md"
+    "licenseFile": "/home/runner/work/axe-mcp-server/axe-mcp-server/node_modules/.pnpm/@napi-rs+keyring-linux-x64-gnu@1.3.0/node_modules/@napi-rs/keyring-linux-x64-gnu/README.md"
   },
   "remove-trailing-slash@0.1.1": {
     "name": "remove-trailing-slash",

package/dist/cli/safeExit.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Force-exit the process to avoid hanging on open connections.
+ *
+ * On Windows, briefly yield first so undici can finish closing pending sockets;
+ * otherwise the process aborts with a libuv UV_HANDLE_CLOSING assertion in
+ * `src\win\async.c`. See https://github.com/nodejs/node/issues/56645.
+ */
+export declare function safeExit(code: number): Promise<never>;

package/dist/cli/safeExit.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.safeExit = safeExit;
+/**
+ * Force-exit the process to avoid hanging on open connections.
+ *
+ * On Windows, briefly yield first so undici can finish closing pending sockets;
+ * otherwise the process aborts with a libuv UV_HANDLE_CLOSING assertion in
+ * `src\win\async.c`. See https://github.com/nodejs/node/issues/56645.
+ */
+async function safeExit(code) {
+    if (process.platform === "win32") {
+        await new Promise((resolve) => setTimeout(resolve, 100));
+    }
+    process.exit(code);
+}

package/dist/commands/login.js

@@ -88,7 +88,7 @@ const loginCommand = {
                 scopes: ["offline_access"],
                 allowInsecureIssuer: args.allowInsecureIssuer,
                 tokenStore,
-                onAuthorizationUrl: (url) => {
+                onAuthorizationURL: (url) => {
                     deps.stderr.write(`Authorization URL: ${url}\n`);
                 },
                 onWarning: (msg) => {

package/dist/index.js

@@ -13,6 +13,7 @@ const login_1 = __importDefault(require("./commands/login"));
 const logout_1 = __importDefault(require("./commands/logout"));
 const token_1 = __importDefault(require("./commands/token"));
 const errors_1 = require("./cli/errors");
+const safeExit_1 = require("./cli/safeExit");
 const pkg = JSON.parse((0, node_fs_1.readFileSync)((0, node_path_1.join)(__dirname, "..", "package.json"), "utf-8"));
 const COMMANDS = [
     login_1.default,
@@ -126,7 +127,7 @@ async function dispatch(argv) {
         return 2;
     }
 }
-dispatch(process.argv.slice(2)).then((code) => process.exit(code), (err) => {
+dispatch(process.argv.slice(2)).then((code) => (0, safeExit_1.safeExit)(code), (err) => {
     process.stderr.write(`${err instanceof Error ? (err.stack ?? err.message) : String(err)}\n`);
-    process.exit(1);
+    return (0, safeExit_1.safeExit)(1);
 });

package/dist/oauth/authorizationURL.d.ts

@@ -5,7 +5,7 @@ export interface BuildAuthorizationURLOptions {
     /** OAuth client identifier registered with the authorization server. */
     clientId: string;
     /** Loopback redirect URI the callback server is listening on. */
-    redirectUri: string;
+    redirectURI: string;
     /** PKCE `code_challenge` derived via S256. */
     codeChallenge: string;
     /** CSRF `state` value, echoed by the auth server and validated on callback. */

package/dist/oauth/authorizationURL.js

@@ -39,7 +39,7 @@ function buildAuthorizationURL(options) {
     // `set` just reads more conventionally.
     url.searchParams.set("response_type", "code");
     url.searchParams.set("client_id", options.clientId);
-    url.searchParams.set("redirect_uri", options.redirectUri);
+    url.searchParams.set("redirect_uri", options.redirectURI);
     url.searchParams.set("code_challenge", options.codeChallenge);
     url.searchParams.set("code_challenge_method", "S256");
     url.searchParams.set("state", options.state);

package/dist/oauth/authorize.d.ts

@@ -19,7 +19,7 @@ export interface AuthorizeOptions {
     /** Override for the system browser launcher. Injected for tests. */
     openBrowser?: (url: string) => void;
     /** Called with the authorization URL just before the browser launch. Default prints to stderr only when stderr is a TTY. */
-    onAuthorizationUrl?: (url: string) => void;
+    onAuthorizationURL?: (url: string) => void;
     /**
      * Called for soft warnings (e.g. requested `offline_access` but the
      * server returned no refresh token, or the browser failed to

package/dist/oauth/authorize.js

@@ -9,7 +9,7 @@ const openBrowser_1 = require("./openBrowser");
 const tokenExchange_1 = require("./tokenExchange");
 const tokenStore_1 = require("./tokenStore");
 const errors_1 = require("./errors");
-function defaultOnAuthorizationUrl(url) {
+function defaultOnAuthorizationURL(url) {
     if (process.stderr.isTTY) {
         console.error(`Authorization URL: ${url}`);
     }
@@ -38,7 +38,7 @@ function defaultOnWarning(message) {
  * @throws {OAuthCallbackError} For loopback/callback-server failures.
  */
 async function authorize(options) {
-    const { issuerURL, clientId, walnutURL, scopes, timeoutMs, signal, tokenStore = new tokenStore_1.KeyringTokenStore(), openBrowser = openBrowser_1.openBrowser, onAuthorizationUrl = defaultOnAuthorizationUrl, onWarning = defaultOnWarning, allowInsecureIssuer, } = options;
+    const { issuerURL, clientId, walnutURL, scopes, timeoutMs, signal, tokenStore = new tokenStore_1.KeyringTokenStore(), openBrowser = openBrowser_1.openBrowser, onAuthorizationURL = defaultOnAuthorizationURL, onWarning = defaultOnWarning, allowInsecureIssuer, } = options;
     // Discovery before browser-launch so a bad URL surfaces as a
     // throw rather than a wrong/unreachable browser tab.
     const config = await (0, discoverOIDC_1.discoverOIDC)(issuerURL, {
@@ -57,7 +57,7 @@ async function authorize(options) {
         const authURL = (0, authorizationURL_1.buildAuthorizationURL)({
             authorizationEndpoint: config.authorizationEndpoint,
             clientId,
-            redirectUri: callback.redirectUri,
+            redirectURI: callback.redirectURI,
             codeChallenge,
             state,
             scopes,
@@ -65,13 +65,13 @@ async function authorize(options) {
         // Surface before launch so the URL is always visible even if the
         // browser spawn fails (or never does anything useful, e.g. on a
         // headless box).
-        onAuthorizationUrl(authURL);
+        onAuthorizationURL(authURL);
         try {
             openBrowser(authURL);
         }
         catch (err) {
             // Only swallow the "could not launch browser" case: the URL was
-            // already surfaced via onAuthorizationUrl so the user can
+            // already surfaced via onAuthorizationURL so the user can
             // complete the flow manually. Any other error (a bug in an
             // injected openBrowser, an unexpected throw) must propagate so
             // callers and tests can see it.
@@ -89,7 +89,7 @@ async function authorize(options) {
             clientId,
             code,
             codeVerifier,
-            redirectUri: callback.redirectUri,
+            redirectURI: callback.redirectURI,
             signal,
         });
         // If the caller requested offline_access but no refresh_token

package/dist/oauth/callbackServer.d.ts

@@ -1,23 +1,34 @@
 import { IncomingMessage, Server, ServerResponse } from "node:http";
-export type CallbackServerOptions = {
+/** Configures the loopback callback server. */
+export interface CallbackServerOptions {
     expectedState: string;
     timeoutMs?: number;
     signal?: AbortSignal;
-};
-export type CallbackResult = {
+}
+/** Authorization-code and state pair captured from a successful redirect. */
+export interface CallbackResult {
     code: string;
     state: string;
-};
-export type CallbackServerHandle = {
-    redirectUri: string;
+}
+/** Live handle to a running callback server. */
+export interface CallbackServerHandle {
+    redirectURI: string;
     result: Promise<CallbackResult>;
     close: () => Promise<void>;
-};
+}
 type RequestHandler = (req: IncomingMessage, res: ServerResponse) => void;
 type LoopbackListener = (handler: RequestHandler, host: string) => Promise<Server>;
-export declare const bindLoopback: (handler: RequestHandler, listenFn?: LoopbackListener) => Promise<{
+/**
+ * Binds an HTTP server to the loopback interface, preferring IPv4.
+ *
+ * RFC 8252 §7.3: "use whichever is available". Prefer IPv4; fall back to
+ * IPv6 only when the IPv4 loopback isn't configured on this host. `listenFn`
+ * is an injection seam for tests — production callers use the default.
+ */
+export declare function bindLoopback(handler: RequestHandler, listenFn?: LoopbackListener): Promise<{
     server: Server;
     host: "127.0.0.1" | "::1";
 }>;
-export declare const startCallbackServer: (opts: CallbackServerOptions) => Promise<CallbackServerHandle>;
+/** Starts a loopback HTTP server that captures the OAuth redirect. */
+export declare function startCallbackServer(opts: CallbackServerOptions): Promise<CallbackServerHandle>;
 export {};

package/dist/oauth/callbackServer.js

@@ -1,13 +1,16 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.startCallbackServer = exports.bindLoopback = void 0;
+exports.bindLoopback = bindLoopback;
+exports.startCallbackServer = startCallbackServer;
 const node_events_1 = require("node:events");
 const node_http_1 = require("node:http");
 const errors_1 = require("./errors");
-const renderHtml_1 = require("./renderHtml");
+const renderHTML_1 = require("./renderHTML");
 const DEFAULT_TIMEOUT_MS = 120_000;
 const LOOPBACK_ADDRESSES = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);
-const isLoopback = (addr) => !!addr && LOOPBACK_ADDRESSES.has(addr);
+function isLoopback(addr) {
+    return !!addr && LOOPBACK_ADDRESSES.has(addr);
+}
 // Errors from bind(2) that mean "this address family isn't configured on this
 // host" — the signal to fall back to the other loopback family rather than
 // fail the caller.
@@ -19,10 +22,14 @@ const listen = async (handler, host) => {
     await (0, node_events_1.once)(server, "listening");
     return server;
 };
-// RFC 8252 §7.3: "use whichever is available". Prefer IPv4; fall back to
-// IPv6 only when the IPv4 loopback isn't configured on this host. `listenFn`
-// is an injection seam for tests — production callers use the default.
-const bindLoopback = async (handler, listenFn = listen) => {
+/**
+ * Binds an HTTP server to the loopback interface, preferring IPv4.
+ *
+ * RFC 8252 §7.3: "use whichever is available". Prefer IPv4; fall back to
+ * IPv6 only when the IPv4 loopback isn't configured on this host. `listenFn`
+ * is an injection seam for tests — production callers use the default.
+ */
+async function bindLoopback(handler, listenFn = listen) {
     try {
         return {
             server: await listenFn(handler, "127.0.0.1"),
@@ -44,32 +51,32 @@ const bindLoopback = async (handler, listenFn = listen) => {
             throw new errors_1.OAuthCallbackError("BIND_FAILED", `Failed to bind loopback server on 127.0.0.1 (${code}) and [::1]: ${ipv6Err.message}`, { cause: ipv6Err });
         }
     }
-};
-exports.bindLoopback = bindLoopback;
-const closeServer = async (server) => {
+}
+async function closeServer(server) {
     if (!server.listening)
         return;
     server.close();
     server.closeAllConnections?.();
     await (0, node_events_1.once)(server, "close");
-};
-const writeHtml = (res, status, html) => {
+}
+function writeHTML(res, status, html) {
     res.writeHead(status, {
         "Content-Type": "text/html; charset=utf-8",
-        "Content-Security-Policy": renderHtml_1.CSP_HEADER,
+        "Content-Security-Policy": renderHTML_1.CSP_HEADER,
         "X-Content-Type-Options": "nosniff",
     });
     res.end(html);
-};
-const writeText = (res, status, body, extraHeaders = {}) => {
+}
+function writeText(res, status, body, extraHeaders = {}) {
     res.writeHead(status, {
         "Content-Type": "text/plain; charset=utf-8",
         "X-Content-Type-Options": "nosniff",
         ...extraHeaders,
     });
     res.end(body + "\n");
-};
-const startCallbackServer = async (opts) => {
+}
+/** Starts a loopback HTTP server that captures the OAuth redirect. */
+async function startCallbackServer(opts) {
     const { expectedState, timeoutMs = DEFAULT_TIMEOUT_MS, signal } = opts;
     if (!Number.isFinite(timeoutMs) || timeoutMs <= 0) {
         throw new TypeError(`timeoutMs must be a positive finite number (received ${timeoutMs}).`);
@@ -164,7 +171,7 @@ const startCallbackServer = async (opts) => {
         // up front means once we start composing the response, no concurrent
         // settlement (timer/abort) can race us into a dropped connection.
         if (!tryConsume()) {
-            writeHtml(res, 409, (0, renderHtml_1.renderHtml)({
+            writeHTML(res, 409, (0, renderHTML_1.renderHTML)({
                 kind: "error",
                 reason: "This callback server has already handled a response.",
             }));
@@ -179,7 +186,7 @@ const startCallbackServer = async (opts) => {
                     : { error: providerError },
             });
             deferSettleOnClose(res, () => rejectResult(error));
-            writeHtml(res, 400, (0, renderHtml_1.renderHtml)({
+            writeHTML(res, 400, (0, renderHTML_1.renderHTML)({
                 kind: "error",
                 reason: providerError,
                 description,
@@ -191,7 +198,7 @@ const startCallbackServer = async (opts) => {
         if (!code) {
             const error = new errors_1.OAuthCallbackError("MISSING_CODE", "Authorization response missing 'code' parameter.");
             deferSettleOnClose(res, () => rejectResult(error));
-            writeHtml(res, 400, (0, renderHtml_1.renderHtml)({
+            writeHTML(res, 400, (0, renderHTML_1.renderHTML)({
                 kind: "error",
                 reason: "The authorization response was missing the 'code' parameter.",
             }));
@@ -200,19 +207,19 @@ const startCallbackServer = async (opts) => {
         if (state !== expectedState) {
             const error = new errors_1.OAuthCallbackError("STATE_MISMATCH", "Authorization response 'state' did not match expected value.");
             deferSettleOnClose(res, () => rejectResult(error));
-            writeHtml(res, 400, (0, renderHtml_1.renderHtml)({
+            writeHTML(res, 400, (0, renderHTML_1.renderHTML)({
                 kind: "error",
                 reason: "The authorization response failed state validation.",
             }));
             return;
         }
         deferSettleOnClose(res, () => resolveResult({ code, state }));
-        writeHtml(res, 200, (0, renderHtml_1.renderHtml)({ kind: "success" }));
+        writeHTML(res, 200, (0, renderHTML_1.renderHTML)({ kind: "success" }));
     };
-    const bound = await (0, exports.bindLoopback)(handler);
+    const bound = await bindLoopback(handler);
     server = bound.server;
     const port = server.address().port;
-    const redirectUri = bound.host === "::1"
+    const redirectURI = bound.host === "::1"
         ? `http://[::1]:${port}/callback`
         : `http://127.0.0.1:${port}/callback`;
     timeoutHandle = setTimeout(() => {
@@ -229,6 +236,5 @@ const startCallbackServer = async (opts) => {
             signal.addEventListener("abort", abortListener, { once: true });
         }
     }
-    return { redirectUri, result, close };
-};
-exports.startCallbackServer = startCallbackServer;
+    return { redirectURI, result, close };
+}

package/dist/oauth/openBrowser.js

@@ -45,7 +45,7 @@ function browserCommand(platform, url, browserOverride) {
             // module deliberately swallows (see `child.once("error", ...)`
             // below); `BROWSER_LAUNCH_FAILED` is only raised for synchronous
             // `spawn()` throws. The caller's fallback is the URL already
-            // surfaced via `onAuthorizationUrl` so the user can finish the
+            // surfaced via `onAuthorizationURL` so the user can finish the
             // flow manually.
             return { command: "xdg-open", args: [url] };
     }

package/dist/oauth/refreshTokens.js

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.refreshTokens = refreshTokens;
 const errors_1 = require("./errors");
+const retry_1 = require("./retry");
 const tokenResponse_1 = require("./tokenResponse");
 const userAgent_1 = require("../userAgent");
 /**
@@ -31,11 +32,11 @@ async function refreshTokens(options) {
         grant_type: "refresh_token",
         client_id: options.clientId,
         refresh_token: options.refreshToken,
-    });
+    }).toString();
     const issuedAt = now();
     let response;
     try {
-        response = await fetch(options.tokenEndpoint, {
+        response = await (0, retry_1.fetchWithRetry)(options.tokenEndpoint, {
             method: "POST",
             headers: {
                 "Content-Type": "application/x-www-form-urlencoded",

package/dist/oauth/renderHTML.d.ts

@@ -0,0 +1,12 @@
+/** Discriminates the success vs. error variant of the callback page. */
+export type HTMLInput = {
+    kind: "success";
+} | {
+    kind: "error";
+    reason: string;
+    description?: string;
+};
+/** Content-Security-Policy header value sent with every callback page. */
+export declare const CSP_HEADER: string;
+/** Renders the loopback callback page shown in the user's browser. */
+export declare function renderHTML(input: HTMLInput): string;

package/dist/oauth/{renderHtml.js → renderHTML.js}

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.renderHtml = exports.CSP_HEADER = void 0;
+exports.CSP_HEADER = void 0;
+exports.renderHTML = renderHTML;
 const node_crypto_1 = require("node:crypto");
 const logo_generated_1 = require("./logo.generated");
 const CSS = `:root{--off-black:#666;--off-white:#fdfdfe;--white:#fff;--pink:#d71ef7;--blue:#3c7aae;--space-small:12px;--space-medium:24px;--space-large:36px;--space-huge:48px;--border-radius:3px}
@@ -19,17 +20,21 @@ main{margin:var(--space-huge) auto;padding-left:var(--space-medium);padding-righ
 // 'unsafe-inline'. Any drift between this digest and the rendered <style> tag
 // causes the browser to refuse the stylesheet — see docs/callback-page.md.
 const STYLE_HASH = (0, node_crypto_1.createHash)("sha256").update(CSS, "utf8").digest("base64");
+/** Content-Security-Policy header value sent with every callback page. */
 exports.CSP_HEADER = `default-src 'none'; img-src data:; style-src 'sha256-${STYLE_HASH}'; frame-ancestors 'none'`;
 // OWASP-recommended 5-character set for HTML body/attribute contexts;
 // & must come first to avoid double-escaping. Not safe for JS/CSS/URL contexts.
 // https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-for-html-contexts
-const escape = (s) => s
-    .replace(/&/g, "&amp;")
-    .replace(/</g, "&lt;")
-    .replace(/>/g, "&gt;")
-    .replace(/"/g, "&quot;")
-    .replace(/'/g, "&#39;");
-const page = (title, body) => `<!doctype html>
+function escape(s) {
+    return s
+        .replace(/&/g, "&amp;")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;")
+        .replace(/'/g, "&#39;");
+}
+function page(title, body) {
+    return `<!doctype html>
 <html lang="en">
 <head>
 <meta charset="UTF-8">
@@ -44,7 +49,9 @@ ${body}
 </main>
 </body>
 </html>`;
-const renderHtml = (input) => {
+}
+/** Renders the loopback callback page shown in the user's browser. */
+function renderHTML(input) {
     if (input.kind === "success") {
         return page("Authenticated", `<h1>Authenticated</h1>
 <p class="close">You can close this tab and return to your terminal.</p>`);
@@ -56,5 +63,4 @@ const renderHtml = (input) => {
 <p class="reason">${escape(input.reason)}</p>
 ${descriptionBlock}
 <p class="close">You can close this tab and return to your terminal.</p>`);
-};
-exports.renderHtml = renderHtml;
+}

package/dist/oauth/retry.d.ts

@@ -0,0 +1,2 @@
+/** Wraps `fetch` with bounded retries on transient connection errors. */
+export declare function fetchWithRetry(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;

package/dist/oauth/retry.js

@@ -0,0 +1,50 @@
+"use strict";
+// undici's `RetryAgent` cannot retry POSTs through `fetch()` — its retry
+// handler aborts once the fetch ReadableStream body is consumed. Re-invoking
+// `fetch()` per attempt with a string body sidesteps that. POST replay is
+// safe for our OAuth endpoints by spec: single-use codes (RFC 6749 §4.1.2),
+// refresh requests that never reached the server (§6), no-op revocation
+// (RFC 7009 §2.2).
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fetchWithRetry = fetchWithRetry;
+const promises_1 = require("node:timers/promises");
+const MAX_RETRIES = 3;
+const CONNECTION_ERROR_CODES = new Set([
+    "ECONNRESET",
+    "ECONNREFUSED",
+    "ENOTFOUND",
+    "ENETDOWN",
+    "ENETUNREACH",
+    "EHOSTDOWN",
+    "UND_ERR_SOCKET",
+]);
+function isConnectionError(err) {
+    const seen = new Set();
+    let current = err;
+    while (current && typeof current === "object" && !seen.has(current)) {
+        seen.add(current);
+        const e = current;
+        if (typeof e.code === "string" && CONNECTION_ERROR_CODES.has(e.code)) {
+            return true;
+        }
+        current = e.cause;
+    }
+    return false;
+}
+/** Wraps `fetch` with bounded retries on transient connection errors. */
+async function fetchWithRetry(input, init) {
+    for (let attempt = 0;; attempt++) {
+        try {
+            return await fetch(input, init);
+        }
+        catch (err) {
+            if (attempt >= MAX_RETRIES || !isConnectionError(err)) {
+                throw err;
+            }
+            // Exponential backoff: 500ms, 1s, 2s, capped at 30s.
+            // `sleep` honors `init.signal` so an aborted request interrupts the wait.
+            const delay = Math.min(500 * Math.pow(2, attempt), 30_000);
+            await (0, promises_1.setTimeout)(delay, undefined, { signal: init?.signal ?? undefined });
+        }
+    }
+}

package/dist/oauth/revokeToken.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.revokeRefreshToken = revokeRefreshToken;
+const retry_1 = require("./retry");
 const userAgent_1 = require("../userAgent");
 /**
  * Revokes a refresh token via RFC 7009. Servers SHOULD return 200
@@ -23,10 +24,10 @@ async function revokeRefreshToken(options) {
         token: options.refreshToken,
         token_type_hint: "refresh_token",
         client_id: options.clientId,
-    });
+    }).toString();
     let response;
     try {
-        response = await fetch(options.revocationEndpoint, {
+        response = await (0, retry_1.fetchWithRetry)(options.revocationEndpoint, {
             method: "POST",
             headers: {
                 "Content-Type": "application/x-www-form-urlencoded",

package/dist/oauth/tokenExchange.d.ts

@@ -10,7 +10,7 @@ export interface ExchangeCodeForTokensOptions {
     /** PKCE verifier paired with the `code_challenge` sent at auth time. */
     codeVerifier: string;
     /** Redirect URI originally sent to the authorization endpoint. */
-    redirectUri: string;
+    redirectURI: string;
     /** Source of `now`. Injected for test determinism; defaults to `Date.now`. */
     now?: () => number;
     /** Aborts the underlying fetch when fired. */

package/dist/oauth/tokenExchange.js

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.exchangeCodeForTokens = exchangeCodeForTokens;
 const errors_1 = require("./errors");
+const retry_1 = require("./retry");
 const tokenResponse_1 = require("./tokenResponse");
 const userAgent_1 = require("../userAgent");
 /**
@@ -18,12 +19,12 @@ async function exchangeCodeForTokens(options) {
         client_id: options.clientId,
         code: options.code,
         code_verifier: options.codeVerifier,
-        redirect_uri: options.redirectUri,
-    });
+        redirect_uri: options.redirectURI,
+    }).toString();
     const issuedAt = now();
     let response;
     try {
-        response = await fetch(options.tokenEndpoint, {
+        response = await (0, retry_1.fetchWithRetry)(options.tokenEndpoint, {
             method: "POST",
             headers: {
                 "Content-Type": "application/x-www-form-urlencoded",

package/docs/callback-page.md

@@ -1,6 +1,6 @@
 # Callback response page
 
-The HTML the browser renders after Keycloak redirects to the loopback URL, produced by `src/oauth/renderHtml.ts`.
+The HTML the browser renders after Keycloak redirects to the loopback URL, produced by `src/oauth/renderHTML.ts`.
 
 ## Approach
 
@@ -17,7 +17,7 @@ Content-Security-Policy: default-src 'none'; img-src data:; style-src 'sha256-<d
 X-Content-Type-Options: nosniff
 ```
 
-`default-src 'none'` blocks everything by default. `img-src data:` allows only the inlined logo. `style-src 'sha256-...'` allows only a `<style>` block whose contents match a digest computed at module load — stricter than `'unsafe-inline'`, and any drift between the rendered CSS and the committed hash causes the browser to refuse the stylesheet. Inline `style=""` attributes are avoided entirely (they require separate `style-src-attr` / `'unsafe-hashes'` machinery). The `renderHtml` test suite asserts the hash matches the rendered `<style>` contents to prevent silent drift.
+`default-src 'none'` blocks everything by default. `img-src data:` allows only the inlined logo. `style-src 'sha256-...'` allows only a `<style>` block whose contents match a digest computed at module load — stricter than `'unsafe-inline'`, and any drift between the rendered CSS and the committed hash causes the browser to refuse the stylesheet. Inline `style=""` attributes are avoided entirely (they require separate `style-src-attr` / `'unsafe-hashes'` machinery). The `renderHTML` test suite asserts the hash matches the rendered `<style>` contents to prevent silent drift.
 
 **Auth code not echoed.** The success page deliberately does not render the received `code` in the HTML (RFC 8252 §8.1 interception mitigation).
 

package/docs/callback-server.md

@@ -4,7 +4,7 @@ The loopback HTTP listener that receives the OAuth authorization code redirect,
 
 ## Loopback bind
 
-RFC 8252 §7.3 says clients SHOULD NOT assume a particular IP version is available and RECOMMENDS trying both. Implementation: bind `127.0.0.1` on an ephemeral port; on `EAFNOSUPPORT` / `EADDRNOTAVAIL` (no IPv4 loopback configured on this host) fall back to `[::1]` on a fresh ephemeral port. The returned `redirectUri` uses whichever literal actually got bound, so the browser connects to exactly what the authorization server redirects it to — no reliance on `localhost` DNS resolution.
+RFC 8252 §7.3 says clients SHOULD NOT assume a particular IP version is available and RECOMMENDS trying both. Implementation: bind `127.0.0.1` on an ephemeral port; on `EAFNOSUPPORT` / `EADDRNOTAVAIL` (no IPv4 loopback configured on this host) fall back to `[::1]` on a fresh ephemeral port. The returned `redirectURI` uses whichever literal actually got bound, so the browser connects to exactly what the authorization server redirects it to — no reliance on `localhost` DNS resolution.
 
 Request handling additionally rejects non-loopback `remoteAddress` values with `403` as defense in depth against DNS-rebinding-style pivots — the listener only binds to a loopback interface, but enforcing it at the handler costs nothing.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@deque/axe-auth",
-  "version": "1.2.0-rc.cd2af31c",
+  "version": "1.2.1-next.0b5b0847",
   "description": "CLI authentication utility for Deque services",
   "license": "SEE LICENSE IN LICENSE",
   "repository": {
@@ -27,19 +27,19 @@
     "registry": "https://registry.npmjs.org/"
   },
   "engines": {
-    "node": ">=22.13.0"
+    "node": ">=24.11.0"
   },
   "dependencies": {
-    "@napi-rs/keyring": "^1.2.0",
+    "@napi-rs/keyring": "^1.3.0",
     "remove-trailing-slash": "^0.1.1",
     "shlex": "^3.0.0",
     "ts-dedent": "^2.2.0"
   },
   "devDependencies": {
     "@hono/node-server": "^1.19.14",
-    "@types/node": "^22.13.10",
-    "c8": "^10.1.3",
-    "hono": "^4.12.16",
+    "@types/node": "^24.0.0",
+    "c8": "^11.0.0",
+    "hono": "^4.12.21",
     "tsx": "^4.20.6",
     "typescript": "^6.0.3"
   },

package/dist/oauth/renderHtml.d.ts

@@ -1,9 +0,0 @@
-export type HtmlInput = {
-    kind: "success";
-} | {
-    kind: "error";
-    reason: string;
-    description?: string;
-};
-export declare const CSP_HEADER: string;
-export declare const renderHtml: (input: HtmlInput) => string;