@dishantlangayan/sc-cli-core 0.1.2 → 0.3.0

package/README.md

@@ -20,6 +20,9 @@ The ScCommand abstract class extends [@oclif/core's Command class](https://githu
 ## ScConnection Class
 The ScConnection class provide abstraction functions for Solace Cloud API REST calls. It handles the access token and base URL for each REST call, avoiding the need to set these on each Command.
 
+## BrokerAuthManager
+The BrokerAuthManager class provides utility functions to store and retrieve broker SEMP management authentication information from user's home directory: `~/.sf/` or `%USERPROFILE%\sf\`. The implementation uses AES-256-GCM for authenticated encryption and provides machine-bound encryption that combines OS-level security (keychain) with machine-specific identifiers, making credentials non-transferable between machines.
+
 # Contributing
 Contributions are encouraged! Please read [CONTRIBUTING.md](CONTRIBUTING.md) for details on our code of conduct, and the process for submitting pull requests to us.
 

package/lib/auth/auth-encryption.d.ts

@@ -0,0 +1,40 @@
+import { type BrokerAuthStorage, type EncryptedData } from './auth-types.js';
+/**
+ * Encryption utility for broker authentication storage
+ * Uses AES-256-GCM for authenticated encryption
+ */
+export declare class BrokerAuthEncryption {
+    private static readonly ALGORITHM;
+    private static readonly DIGEST;
+    private static readonly ITERATIONS;
+    private static readonly IV_LENGTH;
+    private static readonly KEY_LENGTH;
+    private static readonly SALT_LENGTH;
+    private static readonly TAG_LENGTH;
+    /**
+     * Decrypt broker storage data
+     * @param encryptedData - Encrypted data to decrypt
+     * @param key - Decryption key
+     * @returns Decrypted broker storage
+     */
+    static decrypt(encryptedData: EncryptedData, key: Buffer): Promise<BrokerAuthStorage>;
+    /**
+     * Derive encryption key from password using PBKDF2
+     * @param password - User password
+     * @param salt - Salt for key derivation
+     * @returns Derived encryption key
+     */
+    static deriveKey(password: string, salt: Buffer): Promise<Buffer>;
+    /**
+     * Encrypt broker storage data
+     * @param data - Broker storage to encrypt
+     * @param key - Encryption key
+     * @returns Encrypted data with metadata
+     */
+    static encrypt(data: BrokerAuthStorage, key: Buffer): Promise<EncryptedData>;
+    /**
+     * Generate cryptographically secure random salt
+     * @returns Random salt buffer
+     */
+    static generateSalt(): Buffer;
+}

package/lib/auth/auth-encryption.js

@@ -0,0 +1,106 @@
+import { createCipheriv, createDecipheriv, pbkdf2, randomBytes } from 'node:crypto';
+import { promisify } from 'node:util';
+import { BrokerAuthError, BrokerAuthErrorCode } from './auth-types.js';
+const pbkdf2Async = promisify(pbkdf2);
+/**
+ * Encryption utility for broker authentication storage
+ * Uses AES-256-GCM for authenticated encryption
+ */
+export class BrokerAuthEncryption {
+    static ALGORITHM = 'aes-256-gcm';
+    static DIGEST = 'sha256';
+    static ITERATIONS = 100_000; // OWASP recommended minimum for PBKDF2
+    static IV_LENGTH = 16;
+    static KEY_LENGTH = 32; // 256 bits
+    static SALT_LENGTH = 32;
+    static TAG_LENGTH = 16;
+    /**
+     * Decrypt broker storage data
+     * @param encryptedData - Encrypted data to decrypt
+     * @param key - Decryption key
+     * @returns Decrypted broker storage
+     */
+    static async decrypt(encryptedData, key) {
+        try {
+            // Parse metadata and buffers
+            const iv = Buffer.from(encryptedData.iv, 'base64');
+            const authTag = Buffer.from(encryptedData.authTag, 'base64');
+            // Create decipher
+            const decipher = createDecipheriv(this.ALGORITHM, key, iv);
+            decipher.setAuthTag(authTag);
+            // Decrypt data
+            let decrypted = decipher.update(encryptedData.encryptedContent, 'base64', 'utf8');
+            decrypted += decipher.final('utf8');
+            // Parse JSON
+            const storage = JSON.parse(decrypted);
+            return storage;
+        }
+        catch (error) {
+            throw new BrokerAuthError('Failed to decrypt broker storage. The password may be incorrect or the file may be corrupted.', BrokerAuthErrorCode.DECRYPTION_FAILED, error);
+        }
+    }
+    /**
+     * Derive encryption key from password using PBKDF2
+     * @param password - User password
+     * @param salt - Salt for key derivation
+     * @returns Derived encryption key
+     */
+    static async deriveKey(password, salt) {
+        try {
+            if (!password || password.length === 0) {
+                throw new BrokerAuthError('Password cannot be empty', BrokerAuthErrorCode.INVALID_PASSWORD);
+            }
+            return await pbkdf2Async(password, salt, this.ITERATIONS, this.KEY_LENGTH, this.DIGEST);
+        }
+        catch (error) {
+            if (error instanceof BrokerAuthError) {
+                throw error;
+            }
+            throw new BrokerAuthError('Failed to derive encryption key', BrokerAuthErrorCode.ENCRYPTION_FAILED, error);
+        }
+    }
+    /**
+     * Encrypt broker storage data
+     * @param data - Broker storage to encrypt
+     * @param key - Encryption key
+     * @returns Encrypted data with metadata
+     */
+    static async encrypt(data, key) {
+        try {
+            // Generate random IV
+            const iv = randomBytes(this.IV_LENGTH);
+            // Create cipher
+            const cipher = createCipheriv(this.ALGORITHM, key, iv);
+            // Encrypt data
+            const plaintext = JSON.stringify(data);
+            let encrypted = cipher.update(plaintext, 'utf8', 'base64');
+            encrypted += cipher.final('base64');
+            // Get authentication tag
+            const authTag = cipher.getAuthTag();
+            // Generate new salt for next key derivation
+            const salt = this.generateSalt();
+            return {
+                authTag: authTag.toString('base64'),
+                encryptedContent: encrypted,
+                iv: iv.toString('base64'),
+                metadata: {
+                    algorithm: this.ALGORITHM,
+                    iterations: this.ITERATIONS,
+                    keyDerivation: 'pbkdf2',
+                    saltLength: this.SALT_LENGTH,
+                },
+                salt: salt.toString('base64'),
+            };
+        }
+        catch (error) {
+            throw new BrokerAuthError('Failed to encrypt broker storage', BrokerAuthErrorCode.ENCRYPTION_FAILED, error);
+        }
+    }
+    /**
+     * Generate cryptographically secure random salt
+     * @returns Random salt buffer
+     */
+    static generateSalt() {
+        return randomBytes(this.SALT_LENGTH);
+    }
+}

package/lib/auth/auth-manager.d.ts

@@ -0,0 +1,98 @@
+import { ScConnection } from '../util/sc-connection.js';
+import { type BrokerAuth } from './auth-types.js';
+import { KeychainService } from './keychain.js';
+/**
+ * Manager for broker authentication storage
+ * Handles encrypted storage of broker credentials
+ */
+export declare class BrokerAuthManager {
+    private static instance;
+    private readonly configDir;
+    private readonly configFile;
+    private encryptionKey;
+    private readonly keychainService;
+    private machineId;
+    private masterKey;
+    private storage;
+    private constructor();
+    /**
+     * Get singleton instance
+     * @param keychainService - Optional keychain service for testing
+     */
+    static getInstance(keychainService?: KeychainService): BrokerAuthManager;
+    /**
+     * Add a new broker configuration
+     * @param broker - Broker authentication configuration
+     */
+    addBroker(broker: BrokerAuth): Promise<void>;
+    /**
+     * Check if broker exists
+     * @param name - Broker name
+     * @returns true if broker exists
+     */
+    brokerExists(name: string): Promise<boolean>;
+    /**
+     * Clear all broker configurations
+     */
+    clearAll(): Promise<void>;
+    /**
+     * Create ScConnection instance from stored broker config
+     * @param brokerName - Name of the broker to connect to
+     * @param timeout - Optional timeout override
+     * @returns Configured ScConnection instance
+     */
+    createConnection(brokerName: string, timeout?: number): Promise<ScConnection>;
+    /**
+     * Get all broker configurations
+     * @returns Array of all broker configurations
+     */
+    getAllBrokers(): Promise<BrokerAuth[]>;
+    /**
+     * Get broker configuration by name
+     * @param name - Broker name/alias
+     * @returns Broker configuration or null if not found
+     */
+    getBroker(name: string): Promise<BrokerAuth | null>;
+    /**
+     * Initialize the auth manager with encryption key derived from OS keychain and machine ID
+     */
+    initialize(): Promise<void>;
+    /**
+     * List all broker names
+     * @returns Array of broker names
+     */
+    listBrokers(): Promise<string[]>;
+    /**
+     * Remove broker configuration
+     * @param name - Broker name to remove
+     */
+    removeBroker(name: string): Promise<void>;
+    /**
+     * Update existing broker configuration
+     * @param name - Broker name to update
+     * @param updates - Partial updates to apply
+     */
+    updateBroker(name: string, updates: Partial<Omit<BrokerAuth, 'name'>>): Promise<void>;
+    /**
+     * Ensure manager is initialized
+     */
+    private ensureInitialized;
+    /**
+     * Check if config file exists
+     */
+    private fileExists;
+    /**
+     * Load storage from encrypted file
+     * @param combinedKey - Combined master key and machine ID for decryption
+     */
+    private loadStorage;
+    /**
+     * Save storage to encrypted file
+     */
+    private saveStorage;
+    /**
+     * Validate broker configuration
+     * @param broker - Broker to validate
+     */
+    private validateBroker;
+}

package/lib/auth/auth-manager.js

@@ -0,0 +1,309 @@
+import { mkdir, readFile, rename, unlink, writeFile } from 'node:fs/promises';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { ScConnection } from '../util/sc-connection.js';
+import { BrokerAuthEncryption } from './auth-encryption.js';
+import { AuthType, BrokerAuthError, BrokerAuthErrorCode, } from './auth-types.js';
+import { KeychainService } from './keychain.js';
+const SERVICE_NAME = 'local';
+const KEY_NAME = 'sc-cli';
+/**
+ * Manager for broker authentication storage
+ * Handles encrypted storage of broker credentials
+ */
+export class BrokerAuthManager {
+    static instance = null;
+    configDir;
+    configFile;
+    encryptionKey = null;
+    keychainService;
+    machineId = null;
+    masterKey = null;
+    storage = null;
+    constructor(keychainService) {
+        const homeDirectory = homedir();
+        this.configDir = join(homeDirectory, '.sc');
+        this.configFile = join(this.configDir, 'brokers.json');
+        this.keychainService = keychainService ?? new KeychainService();
+    }
+    /**
+     * Get singleton instance
+     * @param keychainService - Optional keychain service for testing
+     */
+    static getInstance(keychainService) {
+        if (!BrokerAuthManager.instance) {
+            BrokerAuthManager.instance = new BrokerAuthManager(keychainService);
+        }
+        return BrokerAuthManager.instance;
+    }
+    /**
+     * Add a new broker configuration
+     * @param broker - Broker authentication configuration
+     */
+    async addBroker(broker) {
+        this.ensureInitialized();
+        // Validate broker
+        this.validateBroker(broker);
+        // Check if broker already exists
+        const existing = this.storage.brokers.find((b) => b.name === broker.name);
+        if (existing) {
+            throw new BrokerAuthError(`Broker '${broker.name}' already exists`, BrokerAuthErrorCode.BROKER_ALREADY_EXISTS);
+        }
+        // Add broker
+        this.storage.brokers.push(broker);
+        // Save to file
+        await this.saveStorage();
+    }
+    /**
+     * Check if broker exists
+     * @param name - Broker name
+     * @returns true if broker exists
+     */
+    async brokerExists(name) {
+        this.ensureInitialized();
+        return this.storage.brokers.some((b) => b.name === name);
+    }
+    /**
+     * Clear all broker configurations
+     */
+    async clearAll() {
+        this.ensureInitialized();
+        this.storage.brokers = [];
+        await this.saveStorage();
+    }
+    /**
+     * Create ScConnection instance from stored broker config
+     * @param brokerName - Name of the broker to connect to
+     * @param timeout - Optional timeout override
+     * @returns Configured ScConnection instance
+     */
+    async createConnection(brokerName, timeout = 10_000) {
+        this.ensureInitialized();
+        const broker = await this.getBroker(brokerName);
+        if (!broker) {
+            throw new BrokerAuthError(`Broker '${brokerName}' not found`, BrokerAuthErrorCode.BROKER_NOT_FOUND);
+        }
+        const baseURL = `${broker.sempEndpoint}:${broker.sempPort}`;
+        const accessToken = broker.authType === AuthType.OAUTH ? broker.accessToken : broker.encodedCredentials;
+        const isBasic = broker.authType === AuthType.BASIC;
+        return new ScConnection(baseURL, accessToken, timeout, isBasic);
+    }
+    /**
+     * Get all broker configurations
+     * @returns Array of all broker configurations
+     */
+    async getAllBrokers() {
+        this.ensureInitialized();
+        return [...this.storage.brokers];
+    }
+    /**
+     * Get broker configuration by name
+     * @param name - Broker name/alias
+     * @returns Broker configuration or null if not found
+     */
+    async getBroker(name) {
+        this.ensureInitialized();
+        const broker = this.storage.brokers.find((b) => b.name === name);
+        return broker ?? null;
+    }
+    /**
+     * Initialize the auth manager with encryption key derived from OS keychain and machine ID
+     */
+    async initialize() {
+        try {
+            // Get machine ID
+            this.machineId = this.keychainService.getMachineId();
+            // Get or create master key from OS keychain
+            this.masterKey = await this.keychainService.getPassword(KEY_NAME, SERVICE_NAME);
+            if (!this.masterKey) {
+                // Generate new master key and store in OS keychain
+                this.masterKey = this.keychainService.generateMasterKey();
+                await this.keychainService.setPassword(KEY_NAME, SERVICE_NAME, this.masterKey);
+            }
+            // Combine master key with machine ID for encryption
+            const combinedKey = `${this.masterKey}:${this.machineId}`;
+            // Try to load existing storage
+            const fileExists = await this.fileExists();
+            if (fileExists) {
+                // Load existing file and derive key from stored salt
+                await this.loadStorage(combinedKey);
+            }
+            else {
+                // Create new storage with new salt
+                const salt = BrokerAuthEncryption.generateSalt();
+                this.encryptionKey = await BrokerAuthEncryption.deriveKey(combinedKey, salt);
+                this.storage = {
+                    brokers: [],
+                    version: '1.0.0',
+                };
+            }
+        }
+        catch (error) {
+            if (error instanceof BrokerAuthError) {
+                throw error;
+            }
+            throw new BrokerAuthError('Failed to initialize broker auth manager', BrokerAuthErrorCode.NOT_INITIALIZED, error);
+        }
+    }
+    /**
+     * List all broker names
+     * @returns Array of broker names
+     */
+    async listBrokers() {
+        this.ensureInitialized();
+        return this.storage.brokers.map((b) => b.name);
+    }
+    /**
+     * Remove broker configuration
+     * @param name - Broker name to remove
+     */
+    async removeBroker(name) {
+        this.ensureInitialized();
+        const index = this.storage.brokers.findIndex((b) => b.name === name);
+        if (index === -1) {
+            throw new BrokerAuthError(`Broker '${name}' not found`, BrokerAuthErrorCode.BROKER_NOT_FOUND);
+        }
+        // Remove broker
+        this.storage.brokers.splice(index, 1);
+        // Save to file
+        await this.saveStorage();
+    }
+    /**
+     * Update existing broker configuration
+     * @param name - Broker name to update
+     * @param updates - Partial updates to apply
+     */
+    async updateBroker(name, updates) {
+        this.ensureInitialized();
+        const index = this.storage.brokers.findIndex((b) => b.name === name);
+        if (index === -1) {
+            throw new BrokerAuthError(`Broker '${name}' not found`, BrokerAuthErrorCode.BROKER_NOT_FOUND);
+        }
+        // Merge updates
+        const updated = {
+            ...this.storage.brokers[index],
+            ...updates,
+            name, // Ensure name doesn't change
+        };
+        // Validate updated broker
+        this.validateBroker(updated);
+        // Update broker
+        this.storage.brokers[index] = updated;
+        // Save to file
+        await this.saveStorage();
+    }
+    /**
+     * Ensure manager is initialized
+     */
+    ensureInitialized() {
+        if (!this.encryptionKey || !this.storage) {
+            throw new BrokerAuthError('BrokerAuthManager not initialized. Call initialize() first.', BrokerAuthErrorCode.NOT_INITIALIZED);
+        }
+    }
+    /**
+     * Check if config file exists
+     */
+    async fileExists() {
+        try {
+            await readFile(this.configFile);
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Load storage from encrypted file
+     * @param combinedKey - Combined master key and machine ID for decryption
+     */
+    async loadStorage(combinedKey) {
+        try {
+            const fileContent = await readFile(this.configFile, 'utf8');
+            const encryptedData = JSON.parse(fileContent);
+            // Derive key from combined key and stored salt
+            const salt = Buffer.from(encryptedData.salt, 'base64');
+            this.encryptionKey = await BrokerAuthEncryption.deriveKey(combinedKey, salt);
+            // Decrypt storage
+            this.storage = await BrokerAuthEncryption.decrypt(encryptedData, this.encryptionKey);
+        }
+        catch (error) {
+            if (error instanceof BrokerAuthError) {
+                throw error;
+            }
+            throw new BrokerAuthError('Failed to load broker storage', BrokerAuthErrorCode.FILE_READ_ERROR, error);
+        }
+    }
+    /**
+     * Save storage to encrypted file
+     */
+    async saveStorage() {
+        try {
+            if (!this.masterKey || !this.machineId) {
+                throw new BrokerAuthError('Auth manager not initialized', BrokerAuthErrorCode.NOT_INITIALIZED);
+            }
+            // Ensure directory exists
+            await mkdir(this.configDir, { mode: 0o700, recursive: true });
+            // Encrypt data
+            const encrypted = await BrokerAuthEncryption.encrypt(this.storage, this.encryptionKey);
+            // Re-derive key with new salt for next save
+            const combinedKey = `${this.masterKey}:${this.machineId}`;
+            const newSalt = Buffer.from(encrypted.salt, 'base64');
+            this.encryptionKey = await BrokerAuthEncryption.deriveKey(combinedKey, newSalt);
+            // Write to temp file first (atomic write)
+            const jsonData = JSON.stringify(encrypted, null, 2);
+            const tempFile = `${this.configFile}.tmp`;
+            await writeFile(tempFile, jsonData, { mode: 0o600 });
+            // Atomic rename
+            await rename(tempFile, this.configFile);
+            // Set restrictive permissions (Unix only)
+            if (process.platform !== 'win32') {
+                // Already set via writeFile mode option
+            }
+        }
+        catch (error) {
+            // Clean up temp file if it exists
+            try {
+                await unlink(`${this.configFile}.tmp`);
+            }
+            catch {
+                // Ignore cleanup errors
+            }
+            if (error instanceof BrokerAuthError) {
+                throw error;
+            }
+            throw new BrokerAuthError('Failed to save broker storage', BrokerAuthErrorCode.FILE_WRITE_ERROR, error);
+        }
+    }
+    /**
+     * Validate broker configuration
+     * @param broker - Broker to validate
+     */
+    validateBroker(broker) {
+        // Validate name
+        if (!broker.name || broker.name.trim() === '') {
+            throw new BrokerAuthError('Broker name is required', BrokerAuthErrorCode.INVALID_NAME);
+        }
+        // Validate endpoint
+        if (!broker.sempEndpoint || !(broker.sempEndpoint.startsWith('http://') || broker.sempEndpoint.startsWith('https://'))) {
+            throw new BrokerAuthError('SEMP endpoint must start with http:// or https://', BrokerAuthErrorCode.INVALID_ENDPOINT);
+        }
+        // Validate port
+        if (broker.sempPort < 1 || broker.sempPort > 65_535) {
+            throw new BrokerAuthError('SEMP port must be between 1 and 65535', BrokerAuthErrorCode.INVALID_PORT);
+        }
+        // Validate auth-specific fields
+        if (broker.authType === AuthType.OAUTH) {
+            if (!broker.accessToken || !broker.clientId) {
+                throw new BrokerAuthError('OAuth brokers require accessToken and clientId', BrokerAuthErrorCode.INVALID_OAUTH_CONFIG);
+            }
+        }
+        else if (broker.authType === AuthType.BASIC) {
+            if (!broker.encodedCredentials) {
+                throw new BrokerAuthError('Basic auth brokers require encodedCredentials', BrokerAuthErrorCode.INVALID_BASIC_CONFIG);
+            }
+        }
+        else {
+            throw new BrokerAuthError('Invalid auth type', BrokerAuthErrorCode.INVALID_AUTH_TYPE);
+        }
+    }
+}

package/lib/auth/auth-types.d.ts

@@ -0,0 +1,89 @@
+/**
+ * Authentication types supported by the broker auth system
+ */
+export declare enum AuthType {
+    BASIC = "basic",
+    OAUTH = "oauth"
+}
+/**
+ * Base broker authentication configuration
+ */
+export interface BrokerAuthBase {
+    authType: AuthType;
+    name: string;
+    sempEndpoint: string;
+    sempPort: number;
+}
+/**
+ * OAuth broker authentication configuration
+ */
+export interface OAuthBrokerAuth extends BrokerAuthBase {
+    accessToken: string;
+    authType: AuthType.OAUTH;
+    clientId: string;
+    refreshToken: string;
+}
+/**
+ * Basic authentication broker configuration
+ */
+export interface BasicBrokerAuth extends BrokerAuthBase {
+    authType: AuthType.BASIC;
+    encodedCredentials: string;
+}
+/**
+ * Union type for broker authentication
+ */
+export type BrokerAuth = BasicBrokerAuth | OAuthBrokerAuth;
+/**
+ * Storage format for broker configurations
+ */
+export interface BrokerAuthStorage {
+    brokers: BrokerAuth[];
+    version: string;
+}
+/**
+ * Encryption metadata stored alongside encrypted data
+ */
+export interface EncryptionMetadata {
+    algorithm: string;
+    iterations: number;
+    keyDerivation: string;
+    saltLength: number;
+}
+/**
+ * Encrypted data structure
+ */
+export interface EncryptedData {
+    authTag: string;
+    encryptedContent: string;
+    iv: string;
+    metadata: EncryptionMetadata;
+    salt: string;
+}
+/**
+ * Error codes for broker auth operations
+ */
+export declare enum BrokerAuthErrorCode {
+    BROKER_ALREADY_EXISTS = "BROKER_ALREADY_EXISTS",
+    BROKER_NOT_FOUND = "BROKER_NOT_FOUND",
+    DECRYPTION_FAILED = "DECRYPTION_FAILED",
+    ENCRYPTION_FAILED = "ENCRYPTION_FAILED",
+    FILE_READ_ERROR = "FILE_READ_ERROR",
+    FILE_WRITE_ERROR = "FILE_WRITE_ERROR",
+    INVALID_AUTH_TYPE = "INVALID_AUTH_TYPE",
+    INVALID_BASIC_CONFIG = "INVALID_BASIC_CONFIG",
+    INVALID_ENDPOINT = "INVALID_ENDPOINT",
+    INVALID_NAME = "INVALID_NAME",
+    INVALID_OAUTH_CONFIG = "INVALID_OAUTH_CONFIG",
+    INVALID_PASSWORD = "INVALID_PASSWORD",
+    INVALID_PORT = "INVALID_PORT",
+    NOT_INITIALIZED = "NOT_INITIALIZED"
+}
+/**
+ * Custom error class for broker authentication operations
+ */
+export declare class BrokerAuthError extends Error {
+    readonly code: BrokerAuthErrorCode;
+    readonly cause?: Error | undefined;
+    constructor(message: string, code: BrokerAuthErrorCode, cause?: Error | undefined);
+}

package/lib/auth/auth-types.js

@@ -0,0 +1,41 @@
+/**
+ * Authentication types supported by the broker auth system
+ */
+export var AuthType;
+(function (AuthType) {
+    AuthType["BASIC"] = "basic";
+    AuthType["OAUTH"] = "oauth";
+})(AuthType || (AuthType = {}));
+/**
+ * Error codes for broker auth operations
+ */
+export var BrokerAuthErrorCode;
+(function (BrokerAuthErrorCode) {
+    BrokerAuthErrorCode["BROKER_ALREADY_EXISTS"] = "BROKER_ALREADY_EXISTS";
+    BrokerAuthErrorCode["BROKER_NOT_FOUND"] = "BROKER_NOT_FOUND";
+    BrokerAuthErrorCode["DECRYPTION_FAILED"] = "DECRYPTION_FAILED";
+    BrokerAuthErrorCode["ENCRYPTION_FAILED"] = "ENCRYPTION_FAILED";
+    BrokerAuthErrorCode["FILE_READ_ERROR"] = "FILE_READ_ERROR";
+    BrokerAuthErrorCode["FILE_WRITE_ERROR"] = "FILE_WRITE_ERROR";
+    BrokerAuthErrorCode["INVALID_AUTH_TYPE"] = "INVALID_AUTH_TYPE";
+    BrokerAuthErrorCode["INVALID_BASIC_CONFIG"] = "INVALID_BASIC_CONFIG";
+    BrokerAuthErrorCode["INVALID_ENDPOINT"] = "INVALID_ENDPOINT";
+    BrokerAuthErrorCode["INVALID_NAME"] = "INVALID_NAME";
+    BrokerAuthErrorCode["INVALID_OAUTH_CONFIG"] = "INVALID_OAUTH_CONFIG";
+    BrokerAuthErrorCode["INVALID_PASSWORD"] = "INVALID_PASSWORD";
+    BrokerAuthErrorCode["INVALID_PORT"] = "INVALID_PORT";
+    BrokerAuthErrorCode["NOT_INITIALIZED"] = "NOT_INITIALIZED";
+})(BrokerAuthErrorCode || (BrokerAuthErrorCode = {}));
+/**
+ * Custom error class for broker authentication operations
+ */
+export class BrokerAuthError extends Error {
+    code;
+    cause;
+    constructor(message, code, cause) {
+        super(message);
+        this.code = code;
+        this.cause = cause;
+        this.name = 'BrokerAuthError';
+    }
+}

package/lib/auth/index.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Broker authentication management module
+ * Provides encrypted storage for SEMP broker credentials
+ */
+export { BrokerAuthEncryption } from './auth-encryption.js';
+export { BrokerAuthManager } from './auth-manager.js';
+export { AuthType, type BasicBrokerAuth, type BrokerAuth, type BrokerAuthBase, BrokerAuthError, BrokerAuthErrorCode, type BrokerAuthStorage, type EncryptedData, type EncryptionMetadata, type OAuthBrokerAuth, } from './auth-types.js';

package/lib/auth/index.js

@@ -0,0 +1,7 @@
+/**
+ * Broker authentication management module
+ * Provides encrypted storage for SEMP broker credentials
+ */
+export { BrokerAuthEncryption } from './auth-encryption.js';
+export { BrokerAuthManager } from './auth-manager.js';
+export { AuthType, BrokerAuthError, BrokerAuthErrorCode, } from './auth-types.js';

package/lib/auth/keychain.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Keychain service for storing and retrieving encryption keys
+ * This abstraction allows for easier testing and mocking
+ */
+export declare class KeychainService {
+    /**
+     * Delete a password from the keychain
+     * @param service - Service name
+     * @param account - Account name
+     * @returns True if deleted, false if not found
+     */
+    deletePassword(service: string, account: string): Promise<boolean>;
+    /**
+     * Generate a random master key
+     * @returns Base64-encoded random key
+     */
+    generateMasterKey(): string;
+    /**
+     * Get unique machine identifier
+     * @returns Machine ID string
+     */
+    getMachineId(): string;
+    /**
+     * Get a password from the keychain
+     * @param service - Service name
+     * @param account - Account name
+     * @returns Password string or null if not found
+     */
+    getPassword(service: string, account: string): Promise<null | string>;
+    /**
+     * Set a password in the keychain
+     * @param service - Service name
+     * @param account - Account name
+     * @param password - Password to store
+     */
+    setPassword(service: string, account: string, password: string): Promise<void>;
+    /**
+     * Lazy load keytar module
+     * @returns keytar module
+     */
+    private loadKeytar;
+    /**
+     * Lazy load node-machine-id module
+     * @returns node-machine-id module
+     */
+    private loadMachineId;
+}

package/lib/auth/keychain.js

@@ -0,0 +1,71 @@
+import { randomBytes } from 'node:crypto';
+import { createRequire } from 'node:module';
+const require = createRequire(import.meta.url);
+/**
+ * Keychain service for storing and retrieving encryption keys
+ * This abstraction allows for easier testing and mocking
+ */
+export class KeychainService {
+    /**
+     * Delete a password from the keychain
+     * @param service - Service name
+     * @param account - Account name
+     * @returns True if deleted, false if not found
+     */
+    async deletePassword(service, account) {
+        const keytar = await this.loadKeytar();
+        return keytar.deletePassword(service, account);
+    }
+    /**
+     * Generate a random master key
+     * @returns Base64-encoded random key
+     */
+    generateMasterKey() {
+        return randomBytes(32).toString('base64');
+    }
+    /**
+     * Get unique machine identifier
+     * @returns Machine ID string
+     */
+    getMachineId() {
+        const machineIdPkg = this.loadMachineId();
+        return machineIdPkg.machineIdSync();
+    }
+    /**
+     * Get a password from the keychain
+     * @param service - Service name
+     * @param account - Account name
+     * @returns Password string or null if not found
+     */
+    async getPassword(service, account) {
+        const keytar = await this.loadKeytar();
+        return keytar.getPassword(service, account);
+    }
+    /**
+     * Set a password in the keychain
+     * @param service - Service name
+     * @param account - Account name
+     * @param password - Password to store
+     */
+    async setPassword(service, account, password) {
+        const keytar = await this.loadKeytar();
+        return keytar.setPassword(service, account, password);
+    }
+    /**
+     * Lazy load keytar module
+     * @returns keytar module
+     */
+    async loadKeytar() {
+        const keytar = await import('keytar');
+        return keytar.default;
+    }
+    /**
+     * Lazy load node-machine-id module
+     * @returns node-machine-id module
+     */
+    loadMachineId() {
+        // Use require for CommonJS module (node-machine-id)
+        // eslint-disable-next-line @typescript-eslint/no-require-imports
+        return require('node-machine-id');
+    }
+}

package/lib/exported.d.ts

@@ -1,3 +1,4 @@
+export { AuthType, type BasicBrokerAuth, type BrokerAuth, BrokerAuthError, BrokerAuthErrorCode, BrokerAuthManager, type OAuthBrokerAuth, } from './auth/index.js';
 export { EnvironmentVariable, envVars } from './config/env-vars.js';
 export { ScCommand } from './sc-command.js';
 export { ScConnection } from './util/sc-connection.js';

package/lib/exported.js

@@ -1,3 +1,4 @@
+export { AuthType, BrokerAuthError, BrokerAuthErrorCode, BrokerAuthManager, } from './auth/index.js';
 export { EnvironmentVariable, envVars } from './config/env-vars.js';
 export { ScCommand } from './sc-command.js';
 export { ScConnection } from './util/sc-connection.js';

package/lib/util/sc-connection.d.ts

@@ -2,7 +2,7 @@ import { AxiosRequestConfig } from 'axios';
 export declare class ScConnection {
     private axiosInstance;
     private endpointUrl;
-    constructor(baseURL?: string, accessToken?: string, timeout?: number, semp?: boolean);
+    constructor(baseURL?: string, accessToken?: string, timeout?: number, basic?: boolean);
     delete<T>(url: string, config?: AxiosRequestConfig): Promise<T>;
     get<T>(url: string, config?: AxiosRequestConfig): Promise<T>;
     patch<T>(url: string, data?: unknown, config?: AxiosRequestConfig): Promise<T>;

package/lib/util/sc-connection.js

@@ -3,16 +3,16 @@ import { DefaultBaseUrl, EnvironmentVariable, envVars } from '../config/env-vars
 export class ScConnection {
     axiosInstance;
     endpointUrl = '';
-    constructor(baseURL = envVars.getString(EnvironmentVariable.SC_BASE_URL, DefaultBaseUrl), accessToken = envVars.getString(EnvironmentVariable.SC_ACCESS_TOKEN, ''), timeout = 10_000, semp = false) {
+    constructor(baseURL = envVars.getString(EnvironmentVariable.SC_BASE_URL, DefaultBaseUrl), accessToken = envVars.getString(EnvironmentVariable.SC_ACCESS_TOKEN, ''), timeout = 10_000, basic = false) {
         const apiVersion = envVars.getString(EnvironmentVariable.SC_API_VERSION, 'v2');
         const sempApiVersion = envVars.getString(EnvironmentVariable.SEMP_API_VERSION, 'v2');
-        this.endpointUrl = semp
+        this.endpointUrl = basic
             ? this.joinPaths(baseURL, `/SEMP/${sempApiVersion}`)
             : this.joinPaths(baseURL, `/api/${apiVersion}`);
         this.axiosInstance = axios.create({
             baseURL: this.endpointUrl,
             headers: {
-                Authorization: semp ? `Basic ${accessToken}` : `Bearer ${accessToken}`,
+                Authorization: basic ? `Basic ${accessToken}` : `Bearer ${accessToken}`,
                 'Content-Type': 'application/json',
             },
             timeout,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dishantlangayan/sc-cli-core",
-  "version": "0.1.2",
+  "version": "0.3.0",
   "description": "Base library for the Solace Cloud CLI and plugins",
   "license": "Apache-2.0",
   "author": "Dishant Langayan",
@@ -34,10 +34,12 @@
     "@oclif/prettier-config": "^0.2.1",
     "@oclif/test": "^4.1.16",
     "@types/chai": "^5.2.3",
+    "@types/chai-as-promised": "^8.0.2",
     "@types/mocha": "^10.0.10",
     "@types/node": "^25.0.3",
     "@types/sinon": "^21.0.0",
     "chai": "^6.2.2",
+    "chai-as-promised": "^8.0.2",
     "eslint": "^9",
     "eslint-config-oclif": "^6.0.137",
     "eslint-config-prettier": "^10",
@@ -52,6 +54,8 @@
   "dependencies": {
     "@oclif/core": "^4.8.0",
     "axios": "^1.13.2",
+    "keytar": "^7.9.0",
+    "node-machine-id": "^1.1.12",
     "table": "^6.9.0"
   }
 }