@doist/twist-cli 2.39.0 → 2.40.0

package/CHANGELOG.md

@@ -1,3 +1,9 @@
+## [2.40.0](https://github.com/Doist/twist-cli/compare/v2.39.0...v2.40.0) (2026-05-17)
+
+### Features
+
+- **auth:** schema v2 + multi-account migration foundation ([#232](https://github.com/Doist/twist-cli/issues/232)) ([8ca3382](https://github.com/Doist/twist-cli/commit/8ca3382378506ddb27cdcb521103d06bd567a3fb))
+
 ## [2.39.0](https://github.com/Doist/twist-cli/compare/v2.38.0...v2.39.0) (2026-05-16)
 
 ### Features

package/dist/commands/auth/helpers.d.ts

@@ -1,4 +1,4 @@
-import type { TokenStorageResult } from '../../lib/auth.js';
+import type { TokenStorageResult } from '@doist/cli-core/auth';
 /**
  * Surface a `TokenStorageResult` from a save/clear operation: the
  * human-readable confirmation goes to stdout, any keyring-fallback warning

package/dist/commands/auth/helpers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../../src/commands/auth/helpers.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAA;AAE3D;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CACjC,MAAM,EAAE,kBAAkB,EAC1B,kBAAkB,EAAE,MAAM,EAC1B,eAAe,UAAQ,GACxB,IAAI,CAON"}
+{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../../src/commands/auth/helpers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAA;AAG9D;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CACjC,MAAM,EAAE,kBAAkB,EAC1B,kBAAkB,EAAE,MAAM,EAC1B,eAAe,UAAQ,GACxB,IAAI,CAON"}

package/dist/commands/auth/helpers.js.map

@@ -1 +1 @@
-{"version":3,"file":"helpers.js","sourceRoot":"","sources":["../../../src/commands/auth/helpers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAA;AAGzB;;;;;;GAMG;AACH,MAAM,UAAU,qBAAqB,CACjC,MAA0B,EAC1B,kBAA0B,EAC1B,eAAe,GAAG,KAAK;IAEvB,IAAI,CAAC,eAAe,IAAI,MAAM,CAAC,OAAO,KAAK,cAAc,EAAE,CAAC;QACxD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,CAAA;IAC9C,CAAC;IACD,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACjB,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC,OAAO,CAAC,CAAA;IAC3D,CAAC;AACL,CAAC"}
+{"version":3,"file":"helpers.js","sourceRoot":"","sources":["../../../src/commands/auth/helpers.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,MAAM,OAAO,CAAA;AAEzB;;;;;;GAMG;AACH,MAAM,UAAU,qBAAqB,CACjC,MAA0B,EAC1B,kBAA0B,EAC1B,eAAe,GAAG,KAAK;IAEvB,IAAI,CAAC,eAAe,IAAI,MAAM,CAAC,OAAO,KAAK,cAAc,EAAE,CAAC;QACxD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,CAAA;IAC9C,CAAC;IACD,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACjB,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC,OAAO,CAAC,CAAA;IAC3D,CAAC;AACL,CAAC"}

package/dist/commands/auth/store-wrap.d.ts

@@ -1,4 +1,4 @@
 import type { AccountRef } from '@doist/cli-core/auth';
-import type { TwistTokenStore } from '../../lib/auth-provider.js';
+import { type TwistTokenStore } from '../../lib/auth-provider.js';
 export declare function withUserRefAware(store: TwistTokenStore, requestedRef: AccountRef | undefined): TwistTokenStore;
 //# sourceMappingURL=store-wrap.d.ts.map

package/dist/commands/auth/store-wrap.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"store-wrap.d.ts","sourceRoot":"","sources":["../../../src/commands/auth/store-wrap.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AACtD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAA;AAKjE,wBAAgB,gBAAgB,CAC5B,KAAK,EAAE,eAAe,EACtB,YAAY,EAAE,UAAU,GAAG,SAAS,GACrC,eAAe,CAKjB"}
+{"version":3,"file":"store-wrap.d.ts","sourceRoot":"","sources":["../../../src/commands/auth/store-wrap.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AACtD,OAAO,EAAqB,KAAK,eAAe,EAAE,MAAM,4BAA4B,CAAA;AAapF,wBAAgB,gBAAgB,CAC5B,KAAK,EAAE,eAAe,EACtB,YAAY,EAAE,UAAU,GAAG,SAAS,GACrC,eAAe,CAgBjB"}

package/dist/commands/auth/store-wrap.js

@@ -1,10 +1,27 @@
+import { matchTwistAccount } from '../../lib/auth-provider.js';
+import { CliError } from '../../lib/errors.js';
 // Bridge the global `tw --user <ref>` (stripped by `src/index.ts`) into
 // cli-core's attachers, which only see per-command `--user`. Explicit ref
 // passed by commander wins over the captured global ref.
+//
+// `active()` passes the substituted ref straight through — cli-core's
+// `KeyringTokenStore.active` returns `null` on a miss, which the attachers
+// surface via `onNotAuthenticated` (status / token view). `clear()` does the
+// extra existence check first, because cli-core's `KeyringTokenStore.clear`
+// is a silent no-op on a non-matching ref and would otherwise let
+// `tw --user <wrong> auth logout` print `✓ Logged out`.
 export function withUserRefAware(store, requestedRef) {
     return Object.assign(Object.create(store), {
         active: (ref) => store.active(ref ?? requestedRef),
-        clear: (ref) => store.clear(ref ?? requestedRef),
+        clear: async (ref) => {
+            if (ref === undefined && requestedRef !== undefined) {
+                const records = await store.list();
+                if (!records.some(({ account }) => matchTwistAccount(account, requestedRef))) {
+                    throw new CliError('ACCOUNT_NOT_FOUND', `No stored account matches "${requestedRef}".`);
+                }
+            }
+            await store.clear(ref ?? requestedRef);
+        },
     });
 }
 //# sourceMappingURL=store-wrap.js.map

package/dist/commands/auth/store-wrap.js.map

@@ -1 +1 @@
-{"version":3,"file":"store-wrap.js","sourceRoot":"","sources":["../../../src/commands/auth/store-wrap.ts"],"names":[],"mappings":"AAGA,wEAAwE;AACxE,0EAA0E;AAC1E,yDAAyD;AACzD,MAAM,UAAU,gBAAgB,CAC5B,KAAsB,EACtB,YAAoC;IAEpC,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAoB,EAAE;QAC1D,MAAM,EAAE,CAAC,GAAgB,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,IAAI,YAAY,CAAC;QAC/D,KAAK,EAAE,CAAC,GAAgB,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,IAAI,YAAY,CAAC;KAChE,CAAC,CAAA;AACN,CAAC"}
+{"version":3,"file":"store-wrap.js","sourceRoot":"","sources":["../../../src/commands/auth/store-wrap.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,iBAAiB,EAAwB,MAAM,4BAA4B,CAAA;AACpF,OAAO,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAA;AAE9C,wEAAwE;AACxE,0EAA0E;AAC1E,yDAAyD;AACzD,EAAE;AACF,sEAAsE;AACtE,2EAA2E;AAC3E,6EAA6E;AAC7E,4EAA4E;AAC5E,kEAAkE;AAClE,wDAAwD;AACxD,MAAM,UAAU,gBAAgB,CAC5B,KAAsB,EACtB,YAAoC;IAEpC,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAoB,EAAE;QAC1D,MAAM,EAAE,CAAC,GAAgB,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,IAAI,YAAY,CAAC;QAC/D,KAAK,EAAE,KAAK,EAAE,GAAgB,EAAE,EAAE;YAC9B,IAAI,GAAG,KAAK,SAAS,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;gBAClD,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,IAAI,EAAE,CAAA;gBAClC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,iBAAiB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,EAAE,CAAC;oBAC3E,MAAM,IAAI,QAAQ,CACd,mBAAmB,EACnB,8BAA8B,YAAY,IAAI,CACjD,CAAA;gBACL,CAAC;YACL,CAAC;YACD,MAAM,KAAK,CAAC,KAAK,CAAC,GAAG,IAAI,YAAY,CAAC,CAAA;QAC1C,CAAC;KACJ,CAAC,CAAA;AACN,CAAC"}

package/dist/commands/auth/token.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../../../src/commands/auth/token.ts"],"names":[],"mappings":"AA6BA,wBAAsB,cAAc,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAoBlE"}
+{"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../../../src/commands/auth/token.ts"],"names":[],"mappings":"AA6BA,wBAAsB,cAAc,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA6BlE"}

package/dist/commands/auth/token.js

@@ -1,6 +1,6 @@
 import { createInterface } from 'node:readline';
 import chalk from 'chalk';
-import { saveApiToken } from '../../lib/auth.js';
+import { createTwistTokenStore } from '../../lib/auth-provider.js';
 import { CliError } from '../../lib/errors.js';
 import { isNonInteractive } from '../../lib/global-args.js';
 import { logTokenStorageResult } from './helpers.js';
@@ -30,16 +30,25 @@ export async function loginWithToken(token) {
             throw new CliError('NO_TOKEN', 'Cannot prompt for token in non-interactive mode. Set the TWIST_API_TOKEN environment variable instead.');
         }
         token = await promptHiddenInput('API token: ');
-        if (!token.trim()) {
-            throw new CliError('NO_TOKEN', 'No token provided', [
-                'Run: tw auth token (interactive prompt)',
-                'Or set TWIST_API_TOKEN environment variable',
-                'Or use OAuth: tw auth login',
-            ]);
-        }
     }
-    const saveResult = await saveApiToken(token.trim(), { authMode: 'unknown' });
+    const trimmed = token.trim();
+    if (!trimmed) {
+        throw new CliError('NO_TOKEN', 'No token provided', [
+            'Run: tw auth token (interactive prompt)',
+            'Or set TWIST_API_TOKEN environment variable',
+            'Or use OAuth: tw auth login',
+        ]);
+    }
+    // Manual token entry has no identity (no API call to resolve the user).
+    // Persist the empty-id account; `UserRecordStore.upsert` writes
+    // `authUserId: undefined` for it and the synthesised record is what later
+    // `active()` / `list()` reads will return.
+    const store = createTwistTokenStore();
+    await store.set({ id: '', label: '', authMode: 'unknown', authScope: '' }, trimmed);
     console.log(chalk.green('✓'), 'API token saved successfully!');
-    logTokenStorageResult(saveResult, 'Token stored securely in the system credential manager');
+    const result = store.getLastStorageResult();
+    if (result) {
+        logTokenStorageResult(result, 'Token stored securely in the system credential manager');
+    }
 }
 //# sourceMappingURL=token.js.map

package/dist/commands/auth/token.js.map

@@ -1 +1 @@
-{"version":3,"file":"token.js","sourceRoot":"","sources":["../../../src/commands/auth/token.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAA;AAC/C,OAAO,KAAK,MAAM,OAAO,CAAA;AACzB,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAA;AAChD,OAAO,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAA;AAC9C,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAA;AAC3D,OAAO,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAA;AAEpD,SAAS,iBAAiB,CAAC,MAAc;IACrC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC3B,MAAM,EAAE,GAAG,eAAe,CAAC;YACvB,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,MAAM,EAAE,OAAO,CAAC,MAAM;SACzB,CAAC,CAAA;QACF,kFAAkF;QAClF,MAAM,SAAS,GAAI,EAAU,CAAC,cAAc,CAE3C;QAAC,EAAU,CAAC,cAAc,GAAG,CAAC,GAAW,EAAE,EAAE;YAC1C,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBACvB,SAAS,CAAC,IAAI,CAAC,EAAE,EAAE,MAAM,CAAC,CAAA;YAC9B,CAAC;QACL,CAAC,CAAA;QACD,EAAE,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,MAAM,EAAE,EAAE;YAC3B,EAAE,CAAC,KAAK,EAAE,CAAA;YACV,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;YAC1B,OAAO,CAAC,MAAM,CAAC,CAAA;QACnB,CAAC,CAAC,CAAA;IACN,CAAC,CAAC,CAAA;AACN,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,KAAc;IAC/C,IAAI,CAAC,KAAK,EAAE,CAAC;QACT,IAAI,gBAAgB,EAAE,EAAE,CAAC;YACrB,MAAM,IAAI,QAAQ,CACd,UAAU,EACV,wGAAwG,CAC3G,CAAA;QACL,CAAC;QACD,KAAK,GAAG,MAAM,iBAAiB,CAAC,aAAa,CAAC,CAAA;QAC9C,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;YAChB,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,mBAAmB,EAAE;gBAChD,yCAAyC;gBACzC,6CAA6C;gBAC7C,6BAA6B;aAChC,CAAC,CAAA;QACN,CAAC;IACL,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,YAAY,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAA;IAC5E,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,+BAA+B,CAAC,CAAA;IAC9D,qBAAqB,CAAC,UAAU,EAAE,wDAAwD,CAAC,CAAA;AAC/F,CAAC"}
+{"version":3,"file":"token.js","sourceRoot":"","sources":["../../../src/commands/auth/token.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAA;AAC/C,OAAO,KAAK,MAAM,OAAO,CAAA;AACzB,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAA;AAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAA;AAC9C,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAA;AAC3D,OAAO,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAA;AAEpD,SAAS,iBAAiB,CAAC,MAAc;IACrC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC3B,MAAM,EAAE,GAAG,eAAe,CAAC;YACvB,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,MAAM,EAAE,OAAO,CAAC,MAAM;SACzB,CAAC,CAAA;QACF,kFAAkF;QAClF,MAAM,SAAS,GAAI,EAAU,CAAC,cAAc,CAE3C;QAAC,EAAU,CAAC,cAAc,GAAG,CAAC,GAAW,EAAE,EAAE;YAC1C,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBACvB,SAAS,CAAC,IAAI,CAAC,EAAE,EAAE,MAAM,CAAC,CAAA;YAC9B,CAAC;QACL,CAAC,CAAA;QACD,EAAE,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,MAAM,EAAE,EAAE;YAC3B,EAAE,CAAC,KAAK,EAAE,CAAA;YACV,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;YAC1B,OAAO,CAAC,MAAM,CAAC,CAAA;QACnB,CAAC,CAAC,CAAA;IACN,CAAC,CAAC,CAAA;AACN,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,KAAc;IAC/C,IAAI,CAAC,KAAK,EAAE,CAAC;QACT,IAAI,gBAAgB,EAAE,EAAE,CAAC;YACrB,MAAM,IAAI,QAAQ,CACd,UAAU,EACV,wGAAwG,CAC3G,CAAA;QACL,CAAC;QACD,KAAK,GAAG,MAAM,iBAAiB,CAAC,aAAa,CAAC,CAAA;IAClD,CAAC;IACD,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAA;IAC5B,IAAI,CAAC,OAAO,EAAE,CAAC;QACX,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,mBAAmB,EAAE;YAChD,yCAAyC;YACzC,6CAA6C;YAC7C,6BAA6B;SAChC,CAAC,CAAA;IACN,CAAC;IACD,wEAAwE;IACxE,gEAAgE;IAChE,0EAA0E;IAC1E,2CAA2C;IAC3C,MAAM,KAAK,GAAG,qBAAqB,EAAE,CAAA;IACrC,MAAM,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,CAAA;IACnF,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,+BAA+B,CAAC,CAAA;IAC9D,MAAM,MAAM,GAAG,KAAK,CAAC,oBAAoB,EAAE,CAAA;IAC3C,IAAI,MAAM,EAAE,CAAC;QACT,qBAAqB,CAAC,MAAM,EAAE,wDAAwD,CAAC,CAAA;IAC3F,CAAC;AACL,CAAC"}

package/dist/lib/auth-constants.d.ts

@@ -0,0 +1,9 @@
+/** OS keyring `service` identifier for every twist-cli secret. */
+export declare const SECURE_STORE_SERVICE = "twist-cli";
+/**
+ * Legacy single-user keyring slot. `migrateLegacyAuth` deletes it after a
+ * successful migration; the runtime token store reads it as a last resort
+ * when migration can't complete (e.g. offline `identifyAccount`).
+ */
+export declare const LEGACY_KEYRING_ACCOUNT = "api-token";
+//# sourceMappingURL=auth-constants.d.ts.map

package/dist/lib/auth-constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-constants.d.ts","sourceRoot":"","sources":["../../src/lib/auth-constants.ts"],"names":[],"mappings":"AAAA,kEAAkE;AAClE,eAAO,MAAM,oBAAoB,cAAc,CAAA;AAE/C;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,cAAc,CAAA"}

package/dist/lib/auth-constants.js

@@ -0,0 +1,9 @@
+/** OS keyring `service` identifier for every twist-cli secret. */
+export const SECURE_STORE_SERVICE = 'twist-cli';
+/**
+ * Legacy single-user keyring slot. `migrateLegacyAuth` deletes it after a
+ * successful migration; the runtime token store reads it as a last resort
+ * when migration can't complete (e.g. offline `identifyAccount`).
+ */
+export const LEGACY_KEYRING_ACCOUNT = 'api-token';
+//# sourceMappingURL=auth-constants.js.map

package/dist/lib/auth-constants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-constants.js","sourceRoot":"","sources":["../../src/lib/auth-constants.ts"],"names":[],"mappings":"AAAA,kEAAkE;AAClE,MAAM,CAAC,MAAM,oBAAoB,GAAG,WAAW,CAAA;AAE/C;;;;GAIG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAG,WAAW,CAAA"}

package/dist/lib/auth-provider.d.ts

@@ -1,6 +1,5 @@
-import { type AuthAccount, type AuthProvider, type TokenStore } from '@doist/cli-core/auth';
-import { type TokenStorageResult } from './auth.js';
-import type { AuthMode } from './config.js';
+import { type AccountRef, type AuthAccount, type AuthProvider, type KeyringTokenStore } from '@doist/cli-core/auth';
+import { type AuthMode } from './config.js';
 export declare const AUTHORIZATION_URL = "https://twist.com/oauth/authorize";
 export declare const TOKEN_URL = "https://twist.com/oauth/access_token";
 export declare const REGISTRATION_URL = "https://twist.com/oauth/register";
@@ -19,10 +18,30 @@ export type TwistAccount = AuthAccount & {
     authMode: AuthMode;
     authScope: string;
 };
+export type TwistTokenStore = KeyringTokenStore<TwistAccount>;
 export declare function createTwistAuthProvider(): AuthProvider<TwistAccount>;
-export type TwistTokenStore = TokenStore<TwistAccount> & {
-    getLastStorageResult(): TokenStorageResult | undefined;
-    getLastClearResult(): TokenStorageResult | undefined;
-};
+/**
+ * Accepts `42`, `id:42`, and case-insensitive labels — `parseRef` normalises
+ * the numeric forms. Broader than cli-core's default strict-equality matcher.
+ */
+export declare function matchTwistAccount(account: TwistAccount, ref: AccountRef): boolean;
+/**
+ * `TWIST_API_TOKEN` short-circuits `active()` only when no explicit ref is
+ * supplied — cli-core's `KeyringTokenStore` doesn't know about the env var,
+ * and an explicit ref means the caller targets a specific stored account.
+ *
+ * `ensureMigrated()` runs on every stored-state op so `--ignore-scripts`
+ * installs still migrate on first command. When migration isn't conclusive:
+ *  - `active()` falls back to the legacy snapshot, honouring `ref` so it
+ *    can't resolve to a different account than the caller asked for.
+ *  - `set()` / `clear()` discharge legacy state on disk first so v2 writes
+ *    aren't shadowed by a stale v1 token on the next read.
+ */
 export declare function createTwistTokenStore(): TwistTokenStore;
+/**
+ * Where the currently-active token lives. Returns `'config-file'` whenever
+ * a plaintext token is on disk — including the legacy `config.token` slot —
+ * so doctor/config-view reports the security-relevant state accurately.
+ */
+export declare function getActiveTokenSource(): Promise<'env' | 'secure-store' | 'config-file'>;
 //# sourceMappingURL=auth-provider.d.ts.map

package/dist/lib/auth-provider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-provider.d.ts","sourceRoot":"","sources":["../../src/lib/auth-provider.ts"],"names":[],"mappings":"AAAA,OAAO,EAEH,KAAK,WAAW,EAChB,KAAK,YAAY,EAIjB,KAAK,UAAU,EAClB,MAAM,sBAAsB,CAAA;AAE7B,OAAO,EAKH,KAAK,kBAAkB,EAC1B,MAAM,WAAW,CAAA;AAClB,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAA;AAI3C,eAAO,MAAM,iBAAiB,sCAAsC,CAAA;AACpE,eAAO,MAAM,SAAS,yCAAyC,CAAA;AAC/D,eAAO,MAAM,gBAAgB,qCAAqC,CAAA;AAKlE,eAAO,MAAM,iBAAiB,UAkB7B,CAAA;AAED,eAAO,MAAM,gBAAgB,UAW5B,CAAA;AAID;;;;;;GAMG;AACH,MAAM,MAAM,YAAY,GAAG,WAAW,GAAG;IACrC,EAAE,EAAE,MAAM,CAAA;IACV,KAAK,EAAE,MAAM,CAAA;IACb,QAAQ,EAAE,QAAQ,CAAA;IAClB,SAAS,EAAE,MAAM,CAAA;CACpB,CAAA;AAsED,wBAAgB,uBAAuB,IAAI,YAAY,CAAC,YAAY,CAAC,CA2HpE;AAED,MAAM,MAAM,eAAe,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG;IACrD,oBAAoB,IAAI,kBAAkB,GAAG,SAAS,CAAA;IACtD,kBAAkB,IAAI,kBAAkB,GAAG,SAAS,CAAA;CACvD,CAAA;AAED,wBAAgB,qBAAqB,IAAI,eAAe,CAuHvD"}
+{"version":3,"file":"auth-provider.d.ts","sourceRoot":"","sources":["../../src/lib/auth-provider.ts"],"names":[],"mappings":"AAAA,OAAO,EACH,KAAK,UAAU,EACf,KAAK,WAAW,EAChB,KAAK,YAAY,EAKjB,KAAK,iBAAiB,EAEzB,MAAM,sBAAsB,CAAA;AAG7B,OAAO,EAAE,KAAK,QAAQ,EAA0C,MAAM,aAAa,CAAA;AAOnF,eAAO,MAAM,iBAAiB,sCAAsC,CAAA;AACpE,eAAO,MAAM,SAAS,yCAAyC,CAAA;AAC/D,eAAO,MAAM,gBAAgB,qCAAqC,CAAA;AAKlE,eAAO,MAAM,iBAAiB,UAkB7B,CAAA;AAED,eAAO,MAAM,gBAAgB,UAW5B,CAAA;AAID;;;;;;GAMG;AACH,MAAM,MAAM,YAAY,GAAG,WAAW,GAAG;IACrC,EAAE,EAAE,MAAM,CAAA;IACV,KAAK,EAAE,MAAM,CAAA;IACb,QAAQ,EAAE,QAAQ,CAAA;IAClB,SAAS,EAAE,MAAM,CAAA;CACpB,CAAA;AAED,MAAM,MAAM,eAAe,GAAG,iBAAiB,CAAC,YAAY,CAAC,CAAA;AAsE7D,wBAAgB,uBAAuB,IAAI,YAAY,CAAC,YAAY,CAAC,CAsHpE;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,EAAE,UAAU,GAAG,OAAO,CAKjF;AA8ED;;;;;;;;;;;GAWG;AACH,wBAAgB,qBAAqB,IAAI,eAAe,CAkDvD;AAED;;;;GAIG;AACH,wBAAsB,oBAAoB,IAAI,OAAO,CAAC,KAAK,GAAG,cAAc,GAAG,aAAa,CAAC,CAQ5F"}

package/dist/lib/auth-provider.js

@@ -1,8 +1,12 @@
-import { deriveChallenge, generateVerifier, SecureStoreUnavailableError, } from '@doist/cli-core/auth';
+import { createKeyringTokenStore, createSecureStore, deriveChallenge, generateVerifier, } from '@doist/cli-core/auth';
 import { createWrappedTwistClient } from './api.js';
-import { clearApiToken, NoTokenError, probeApiToken, saveApiToken, } from './auth.js';
+import { LEGACY_KEYRING_ACCOUNT, SECURE_STORE_SERVICE } from './auth-constants.js';
+import { getConfig, getConfigPath, updateConfig } from './config.js';
 import { CliError } from './errors.js';
+import { runMigrateLegacyAuth } from './migrate-auth.js';
 import { parseRef } from './refs.js';
+import { makeTwistAccount, toTwistAccount } from './twist-account.js';
+import { createTwistUserRecordStore, getDefaultUserRecord } from './user-records.js';
 export const AUTHORIZATION_URL = 'https://twist.com/oauth/authorize';
 export const TOKEN_URL = 'https://twist.com/oauth/access_token';
 export const REGISTRATION_URL = 'https://twist.com/oauth/register';
@@ -170,129 +174,168 @@ export function createTwistAuthProvider() {
             const hs = asHandshake(handshake);
             const client = createWrappedTwistClient(token);
             const user = await client.users.getSessionUser();
-            return {
-                id: String(user.id),
-                label: user.name,
-                authMode: hs.authMode ?? 'unknown',
-                authScope: hs.authScope ?? '',
-            };
+            return toTwistAccount(user, { authMode: hs.authMode, authScope: hs.authScope });
         },
     };
 }
-export function createTwistTokenStore() {
-    let lastStorageResult;
-    let lastClearResult;
-    /**
-     * Read the stored credential. By default `NoTokenError` collapses to
-     * `null` (i.e. "nothing stored" is not an exception), while
-     * `SecureStoreUnavailableError` propagates so callers see a keyring
-     * outage as distinct from "no account". The legacy `active()` no-ref
-     * path opts in to also tolerate the outage so headless / keyring-less
-     * hosts keep falling through to the standard `NoTokenError` envelope
-     * (matching the historical `getApiToken` → `showStatus()` behaviour).
-     */
-    async function loadStoredSnapshot(options = {}) {
-        try {
-            const { token, metadata } = await probeApiToken();
-            return {
-                token,
-                account: {
-                    id: metadata.authUserId !== undefined ? String(metadata.authUserId) : '',
-                    label: metadata.authUserName ?? '',
-                    authMode: metadata.authMode,
-                    authScope: metadata.authScope ?? '',
-                },
-            };
-        }
-        catch (error) {
-            if (error instanceof NoTokenError)
-                return null;
-            if (error instanceof SecureStoreUnavailableError) {
-                if (options.tolerateOutage)
-                    return null;
-                throw error;
-            }
-            throw error;
-        }
-    }
-    /**
-     * Match the stored account against the user-supplied `--user <ref>`,
-     * normalising through `parseRef` so `id:42`, `42`, and a case-insensitive
-     * label all resolve consistently with the rest of the CLI. URL refs
-     * never apply to accounts — fall through to "no match" instead of
-     * silently accepting one.
-     */
-    function matchesRef(account, ref) {
-        const parsed = parseRef(ref);
-        if (parsed.type === 'id')
-            return Number(account.id) === parsed.id;
-        if (parsed.type === 'name') {
-            return account.label.toLowerCase() === parsed.name.toLowerCase();
-        }
-        return false;
+/**
+ * Accepts `42`, `id:42`, and case-insensitive labels — `parseRef` normalises
+ * the numeric forms. Broader than cli-core's default strict-equality matcher.
+ */
+export function matchTwistAccount(account, ref) {
+    const parsed = parseRef(ref);
+    if (parsed.type === 'id')
+        return Number(account.id) === parsed.id;
+    if (parsed.type === 'name')
+        return account.label.toLowerCase() === parsed.name.toLowerCase();
+    return false;
+}
+const TOKEN_ENV_VAR = 'TWIST_API_TOKEN';
+/** True when the v2 store is the authoritative source. */
+function migrationIsConclusive(result) {
+    return (result.status === 'migrated' ||
+        result.status === 'already-migrated' ||
+        result.status === 'no-legacy-state');
+}
+/**
+ * Synthesise a snapshot from v1 state still on disk (legacy keyring slot,
+ * then plaintext `config.token`). Fallback for when migration can't complete.
+ * Token-only users with no `authUserId` get `account.id = ''`.
+ */
+async function readLegacyTokenSnapshot() {
+    const fromKeyring = await createSecureStore({
+        serviceName: SECURE_STORE_SERVICE,
+        account: LEGACY_KEYRING_ACCOUNT,
+    })
+        .getSecret()
+        .catch(() => null);
+    const config = await getConfig();
+    const token = fromKeyring || config.token?.trim() || null;
+    if (!token)
+        return null;
+    return {
+        token,
+        account: makeTwistAccount({
+            id: config.authUserId !== undefined ? String(config.authUserId) : '',
+            label: config.authUserName ?? '',
+            authMode: config.authMode,
+            authScope: config.authScope,
+        }),
+    };
+}
+/**
+ * Clear the legacy keyring slot + v1 flat config fields. Runs before a
+ * write/clear when migration is inconclusive so v2 writes aren't shadowed
+ * by a stale legacy token. Best-effort — failures leave legacy in place.
+ */
+async function dischargeLegacyState() {
+    await Promise.allSettled([
+        createSecureStore({
+            serviceName: SECURE_STORE_SERVICE,
+            account: LEGACY_KEYRING_ACCOUNT,
+        }).deleteSecret(),
+        updateConfig({
+            token: undefined,
+            authMode: undefined,
+            authScope: undefined,
+            authUserId: undefined,
+            authUserName: undefined,
+            pendingSecureStoreClear: undefined,
+        }),
+    ]);
+}
+/**
+ * Memoised one-shot migration trigger. Resolves with `null` on rejection
+ * so the CLI never fails to start because of a migration error — the
+ * legacy snapshot fallback below handles that case. Tests reset the memo
+ * with `vi.resetModules()` + a dynamic re-import.
+ */
+let migrationPromise;
+function ensureMigrated() {
+    if (!migrationPromise) {
+        migrationPromise = runMigrateLegacyAuth({ silent: true }).catch(() => null);
     }
-    /**
-     * Single source of truth for ref-aware lookups. Returns the snapshot
-     * when `ref` matches the stored account, throws `ACCOUNT_NOT_FOUND`
-     * otherwise (including when nothing is stored). Storage outages
-     * propagate so the caller sees the underlying failure rather than
-     * a misleading "account not found".
-     */
-    async function resolveByRef(ref) {
-        const snapshot = await loadStoredSnapshot();
-        if (!snapshot || !matchesRef(snapshot.account, ref)) {
-            throw new CliError('ACCOUNT_NOT_FOUND', `No stored account matches "${ref}".`);
+    return migrationPromise;
+}
+/**
+ * `TWIST_API_TOKEN` short-circuits `active()` only when no explicit ref is
+ * supplied — cli-core's `KeyringTokenStore` doesn't know about the env var,
+ * and an explicit ref means the caller targets a specific stored account.
+ *
+ * `ensureMigrated()` runs on every stored-state op so `--ignore-scripts`
+ * installs still migrate on first command. When migration isn't conclusive:
+ *  - `active()` falls back to the legacy snapshot, honouring `ref` so it
+ *    can't resolve to a different account than the caller asked for.
+ *  - `set()` / `clear()` discharge legacy state on disk first so v2 writes
+ *    aren't shadowed by a stale v1 token on the next read.
+ */
+export function createTwistTokenStore() {
+    const inner = createKeyringTokenStore({
+        serviceName: SECURE_STORE_SERVICE,
+        userRecords: createTwistUserRecordStore(),
+        recordsLocation: getConfigPath(),
+        matchAccount: matchTwistAccount,
+    });
+    async function maybeDischargeLegacy() {
+        const result = await ensureMigrated();
+        if (result === null || !migrationIsConclusive(result)) {
+            await dischargeLegacyState();
         }
-        return snapshot;
     }
-    return {
+    return Object.assign(Object.create(inner), {
         async active(ref) {
-            // No-ref legacy path — tolerate missing keyring / no token and
-            // return null so downstream callers (status's `fetchLive`,
-            // login's pre-flight, etc.) keep falling through to their own
-            // `NoTokenError` envelope rather than seeing a raw keyring
-            // error. Returning a snapshot whenever a token resolves — even
-            // when the persisted identity is empty (env var, manual
-            // `tw auth token`, pre-upgrade config) — also avoids a second
-            // credential read downstream.
             if (ref === undefined) {
-                return loadStoredSnapshot({ tolerateOutage: true });
+                const envToken = process.env[TOKEN_ENV_VAR];
+                if (envToken) {
+                    return {
+                        token: envToken,
+                        account: { id: '', label: '', authMode: 'unknown', authScope: '' },
+                    };
+                }
+            }
+            const result = await ensureMigrated();
+            if (result === null || !migrationIsConclusive(result)) {
+                const legacy = await readLegacyTokenSnapshot();
+                if (legacy && (ref === undefined || matchTwistAccount(legacy.account, ref))) {
+                    return legacy;
+                }
             }
-            return resolveByRef(ref);
+            return inner.active(ref);
         },
         async set(account, token) {
-            const userId = Number(account.id);
-            lastStorageResult = await saveApiToken(token, {
-                authMode: account.authMode,
-                authScope: account.authScope,
-                authUserId: Number.isFinite(userId) ? userId : undefined,
-                authUserName: account.label,
-            });
+            await maybeDischargeLegacy();
+            return inner.set(account, token);
         },
         async clear(ref) {
-            // With `ref`, validate before touching storage so a mismatch is
-            // an `ACCOUNT_NOT_FOUND` error rather than a silent
-            // ✓ Logged out — the upstream `attachLogoutCommand` treats any
-            // non-throwing `clear()` as success.
-            if (ref !== undefined) {
-                await resolveByRef(ref);
-            }
-            lastClearResult = await clearApiToken();
+            await maybeDischargeLegacy();
+            return inner.clear(ref);
         },
         async list() {
-            const snapshot = await loadStoredSnapshot();
-            return snapshot ? [{ account: snapshot.account, isDefault: true }] : [];
+            await ensureMigrated();
+            return inner.list();
         },
         async setDefault(ref) {
-            await resolveByRef(ref);
-            // Single-user store — already the default once `ref` matches.
-        },
-        getLastStorageResult() {
-            return lastStorageResult;
+            await ensureMigrated();
+            return inner.setDefault(ref);
         },
-        getLastClearResult() {
-            return lastClearResult;
-        },
-    };
+    });
+}
+/**
+ * Where the currently-active token lives. Returns `'config-file'` whenever
+ * a plaintext token is on disk — including the legacy `config.token` slot —
+ * so doctor/config-view reports the security-relevant state accurately.
+ */
+export async function getActiveTokenSource() {
+    if (process.env[TOKEN_ENV_VAR])
+        return 'env';
+    const config = await getConfig();
+    const record = getDefaultUserRecord(config);
+    if (record?.fallbackToken)
+        return 'config-file';
+    if (record)
+        return 'secure-store';
+    if (config.token?.trim())
+        return 'config-file';
+    return 'secure-store';
 }
 //# sourceMappingURL=auth-provider.js.map

package/dist/lib/auth-provider.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth-provider.js","sourceRoot":"","sources":["../../src/lib/auth-provider.ts"],"names":[],"mappings":"AAAA,OAAO,EAIH,eAAe,EACf,gBAAgB,EAChB,2BAA2B,GAE9B,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAAE,wBAAwB,EAAE,MAAM,UAAU,CAAA;AACnD,OAAO,EACH,aAAa,EACb,YAAY,EACZ,aAAa,EACb,YAAY,GAEf,MAAM,WAAW,CAAA;AAElB,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAA;AACtC,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAA;AAEpC,MAAM,CAAC,MAAM,iBAAiB,GAAG,mCAAmC,CAAA;AACpE,MAAM,CAAC,MAAM,SAAS,GAAG,sCAAsC,CAAA;AAC/D,MAAM,CAAC,MAAM,gBAAgB,GAAG,kCAAkC,CAAA;AAElE,MAAM,QAAQ,GACV,gHAAgH,CAAA;AAEpH,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC7B,WAAW;IACX,YAAY;IACZ,iBAAiB;IACjB,eAAe;IACf,cAAc;IACd,eAAe;IACf,eAAe;IACf,gBAAgB;IAChB,eAAe;IACf,gBAAgB;IAChB,gBAAgB;IAChB,iBAAiB;IACjB,aAAa;IACb,cAAc;IACd,eAAe;IACf,aAAa;IACb,oBAAoB;CACvB,CAAA;AAED,MAAM,CAAC,MAAM,gBAAgB,GAAG;IAC5B,WAAW;IACX,iBAAiB;IACjB,eAAe;IACf,cAAc;IACd,eAAe;IACf,eAAe;IACf,gBAAgB;IAChB,aAAa;IACb,aAAa;IACb,oBAAoB;CACvB,CAAA;AAED,MAAM,UAAU,GAAG,CAAC,0BAA0B,EAAE,6CAA6C,CAAC,CAAA;AAwB9F,SAAS,WAAW,CAAC,KAA8B;IAC/C,OAAO,KAAuB,CAAA;AAClC,CAAC;AAED,SAAS,UAAU,CAAC,OAAe,EAAE,KAAe;IAChD,MAAM,MAAM,GAAG,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IAClF,OAAO,IAAI,QAAQ,CAAC,aAAa,EAAE,GAAG,OAAO,GAAG,MAAM,EAAE,EAAE,UAAU,CAAC,CAAA;AACzE,CAAC;AAED,KAAK,UAAU,qBAAqB,CAChC,WAAmB;IAEnB,IAAI,QAAkB,CAAA;IACtB,IAAI,CAAC;QACD,QAAQ,GAAG,MAAM,KAAK,CAAC,gBAAgB,EAAE;YACrC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,EAAE,kBAAkB,EAAE;YAC3E,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACjB,WAAW,EAAE,WAAW;gBACxB,UAAU,EAAE,oCAAoC;gBAChD,aAAa,EAAE,CAAC,WAAW,CAAC;gBAC5B,WAAW,EAAE,CAAC,oBAAoB,CAAC;gBACnC,cAAc,EAAE,CAAC,MAAM,CAAC;gBACxB,0BAA0B,EAAE,qBAAqB;gBACjD,gBAAgB,EAAE,QAAQ;gBAC1B,QAAQ,EAAE,QAAQ;aACrB,CAAC;SACL,CAAC,CAAA;IACN,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,IAAI,KAAK,YAAY,QAAQ;YAAE,MAAM,KAAK,CAAA;QAC1C,MAAM,UAAU,CAAC,iCAAiC,EAAE,KAAK,CAAC,CAAA;IAC9D,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACf,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAA;QACvD,MAAM,IAAI,QAAQ,CACd,aAAa,EACb,+BAA+B,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,MAAM,SAAS,EAAE,EACtF,UAAU,CACb,CAAA;IACL,CAAC;IAED,IAAI,MAAsD,CAAA;IAC1D,IAAI,CAAC;QACD,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAmD,CAAA;IACtF,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,MAAM,UAAU,CAAC,sCAAsC,EAAE,KAAK,CAAC,CAAA;IACnE,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;QAC7C,MAAM,IAAI,QAAQ,CACd,aAAa,EACb,0EAA0E,EAC1E,UAAU,CACb,CAAA;IACL,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,EAAE,YAAY,EAAE,MAAM,CAAC,aAAa,EAAE,CAAA;AAC7E,CAAC;AAED,MAAM,UAAU,uBAAuB;IACnC,OAAO;QACH,KAAK,CAAC,OAAO,CAAC,EAAE,WAAW,EAAE;YACzB,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,MAAM,qBAAqB,CAAC,WAAW,CAAC,CAAA;YAC3E,MAAM,SAAS,GAAmB,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAA;YAC5D,OAAO,EAAE,SAAS,EAAE,CAAA;QACxB,CAAC;QAED,KAAK,CAAC,SAAS,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE;YAC/D,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAA;YACjC,MAAM,YAAY,GAAG,gBAAgB,EAAE,CAAA;YACvC,MAAM,aAAa,GAAG,eAAe,CAAC,YAAY,CAAC,CAAA;YACnD,MAAM,QAAQ,GAAa,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,YAAY,CAAA;YAChE,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;YAElC,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;gBAC/B,SAAS,EAAE,EAAE,CAAC,QAAQ;gBACtB,aAAa,EAAE,MAAM;gBACrB,YAAY,EAAE,WAAW;gBACzB,KAAK,EAAE,SAAS;gBAChB,KAAK;gBACL,cAAc,EAAE,aAAa;gBAC7B,qBAAqB,EAAE,MAAM;aAChC,CAAC,CAAA;YAEF,MAAM,aAAa,GAAmB;gBAClC,GAAG,EAAE;gBACL,YAAY;gBACZ,QAAQ;gBACR,SAAS;aACZ,CAAA;YACD,OAAO;gBACH,YAAY,EAAE,GAAG,iBAAiB,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE;gBACzD,SAAS,EAAE,aAAa;aAC3B,CAAA;QACL,CAAC;QAED,KAAK,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,SAAS,EAAE;YAC/C,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAA;YACjC,IAAI,CAAC,EAAE,CAAC,YAAY,EAAE,CAAC;gBACnB,MAAM,IAAI,QAAQ,CACd,aAAa,EACb,gDAAgD,EAChD,UAAU,CACb,CAAA;YACL,CAAC;YAED,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;gBAC7B,UAAU,EAAE,oBAAoB;gBAChC,IAAI;gBACJ,YAAY,EAAE,WAAW;gBACzB,aAAa,EAAE,EAAE,CAAC,YAAY;aACjC,CAAC,CAAA;YAEF,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,IAAI,EAAE,CAAC,YAAY,EAAE,CAAC,CAAA;YAE7D,IAAI,QAAkB,CAAA;YACtB,IAAI,CAAC;gBACD,QAAQ,GAAG,MAAM,KAAK,CAAC,SAAS,EAAE;oBAC9B,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE;wBACL,cAAc,EAAE,mCAAmC;wBACnD,MAAM,EAAE,kBAAkB;wBAC1B,aAAa,EAAE,SAAS,WAAW,EAAE;qBACxC;oBACD,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;iBACxB,CAAC,CAAA;YACN,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACb,IAAI,KAAK,YAAY,QAAQ;oBAAE,MAAM,KAAK,CAAA;gBAC1C,MAAM,UAAU,CAAC,mCAAmC,EAAE,KAAK,CAAC,CAAA;YAChE,CAAC;YAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACf,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAA;gBACvD,MAAM,IAAI,QAAQ,CACd,aAAa,EACb,0BAA0B,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,MAAM,SAAS,EAAE,EACjF,UAAU,CACb,CAAA;YACL,CAAC;YAED,IAAI,IAIH,CAAA;YACD,IAAI,CAAC;gBACD,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAgB,CAAA;YACjD,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACb,MAAM,UAAU,CAAC,iCAAiC,EAAE,KAAK,CAAC,CAAA;YAC9D,CAAC;YAED,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBACb,MAAM,IAAI,QAAQ,CACd,aAAa,EACb,gBAAgB,IAAI,CAAC,KAAK,MAAM,IAAI,CAAC,iBAAiB,IAAI,eAAe,EAAE,EAC3E,UAAU,CACb,CAAA;YACL,CAAC;YAED,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;gBACrB,MAAM,IAAI,QAAQ,CACd,aAAa,EACb,4CAA4C,EAC5C,UAAU,CACb,CAAA;YACL,CAAC;YAED,OAAO,EAAE,WAAW,EAAE,IAAI,CAAC,YAAY,EAAE,CAAA;QAC7C,CAAC;QAED,KAAK,CAAC,aAAa,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE;YACpC,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAA;YACjC,MAAM,MAAM,GAAG,wBAAwB,CAAC,KAAK,CAAC,CAAA;YAC9C,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,KAAK,CAAC,cAAc,EAAE,CAAA;YAChD,OAAO;gBACH,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnB,KAAK,EAAE,IAAI,CAAC,IAAI;gBAChB,QAAQ,EAAE,EAAE,CAAC,QAAQ,IAAI,SAAS;gBAClC,SAAS,EAAE,EAAE,CAAC,SAAS,IAAI,EAAE;aAChC,CAAA;QACL,CAAC;KACJ,CAAA;AACL,CAAC;AAOD,MAAM,UAAU,qBAAqB;IACjC,IAAI,iBAAiD,CAAA;IACrD,IAAI,eAA+C,CAAA;IAEnD;;;;;;;;OAQG;IACH,KAAK,UAAU,kBAAkB,CAC7B,UAAwC,EAAE;QAE1C,IAAI,CAAC;YACD,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,MAAM,aAAa,EAAE,CAAA;YACjD,OAAO;gBACH,KAAK;gBACL,OAAO,EAAE;oBACL,EAAE,EAAE,QAAQ,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE;oBACxE,KAAK,EAAE,QAAQ,CAAC,YAAY,IAAI,EAAE;oBAClC,QAAQ,EAAE,QAAQ,CAAC,QAAQ;oBAC3B,SAAS,EAAE,QAAQ,CAAC,SAAS,IAAI,EAAE;iBACtC;aACJ,CAAA;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,IAAI,KAAK,YAAY,YAAY;gBAAE,OAAO,IAAI,CAAA;YAC9C,IAAI,KAAK,YAAY,2BAA2B,EAAE,CAAC;gBAC/C,IAAI,OAAO,CAAC,cAAc;oBAAE,OAAO,IAAI,CAAA;gBACvC,MAAM,KAAK,CAAA;YACf,CAAC;YACD,MAAM,KAAK,CAAA;QACf,CAAC;IACL,CAAC;IAED;;;;;;OAMG;IACH,SAAS,UAAU,CAAC,OAAqB,EAAE,GAAe;QACtD,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAA;QAC5B,IAAI,MAAM,CAAC,IAAI,KAAK,IAAI;YAAE,OAAO,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC,KAAK,MAAM,CAAC,EAAE,CAAA;QACjE,IAAI,MAAM,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YACzB,OAAO,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAA;QACpE,CAAC;QACD,OAAO,KAAK,CAAA;IAChB,CAAC;IAED;;;;;;OAMG;IACH,KAAK,UAAU,YAAY,CACvB,GAAe;QAEf,MAAM,QAAQ,GAAG,MAAM,kBAAkB,EAAE,CAAA;QAC3C,IAAI,CAAC,QAAQ,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE,CAAC;YAClD,MAAM,IAAI,QAAQ,CAAC,mBAAmB,EAAE,8BAA8B,GAAG,IAAI,CAAC,CAAA;QAClF,CAAC;QACD,OAAO,QAAQ,CAAA;IACnB,CAAC;IAED,OAAO;QACH,KAAK,CAAC,MAAM,CAAC,GAAgB;YACzB,+DAA+D;YAC/D,2DAA2D;YAC3D,8DAA8D;YAC9D,2DAA2D;YAC3D,+DAA+D;YAC/D,wDAAwD;YACxD,8DAA8D;YAC9D,8BAA8B;YAC9B,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;gBACpB,OAAO,kBAAkB,CAAC,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAAA;YACvD,CAAC;YACD,OAAO,YAAY,CAAC,GAAG,CAAC,CAAA;QAC5B,CAAC;QACD,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK;YACpB,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;YACjC,iBAAiB,GAAG,MAAM,YAAY,CAAC,KAAK,EAAE;gBAC1C,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;gBACxD,YAAY,EAAE,OAAO,CAAC,KAAK;aAC9B,CAAC,CAAA;QACN,CAAC;QACD,KAAK,CAAC,KAAK,CAAC,GAAgB;YACxB,gEAAgE;YAChE,oDAAoD;YACpD,+DAA+D;YAC/D,qCAAqC;YACrC,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;gBACpB,MAAM,YAAY,CAAC,GAAG,CAAC,CAAA;YAC3B,CAAC;YACD,eAAe,GAAG,MAAM,aAAa,EAAE,CAAA;QAC3C,CAAC;QACD,KAAK,CAAC,IAAI;YACN,MAAM,QAAQ,GAAG,MAAM,kBAAkB,EAAE,CAAA;YAC3C,OAAO,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,QAAQ,CAAC,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;QAC3E,CAAC;QACD,KAAK,CAAC,UAAU,CAAC,GAAe;YAC5B,MAAM,YAAY,CAAC,GAAG,CAAC,CAAA;YACvB,8DAA8D;QAClE,CAAC;QACD,oBAAoB;YAChB,OAAO,iBAAiB,CAAA;QAC5B,CAAC;QACD,kBAAkB;YACd,OAAO,eAAe,CAAA;QAC1B,CAAC;KACJ,CAAA;AACL,CAAC"}
+{"version":3,"file":"auth-provider.js","sourceRoot":"","sources":["../../src/lib/auth-provider.ts"],"names":[],"mappings":"AAAA,OAAO,EAIH,uBAAuB,EACvB,iBAAiB,EACjB,eAAe,EACf,gBAAgB,GAGnB,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAAE,wBAAwB,EAAE,MAAM,UAAU,CAAA;AACnD,OAAO,EAAE,sBAAsB,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAA;AAClF,OAAO,EAAiB,SAAS,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AACnF,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAA;AACtC,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAA;AACxD,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAA;AACpC,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AACrE,OAAO,EAAE,0BAA0B,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAA;AAEpF,MAAM,CAAC,MAAM,iBAAiB,GAAG,mCAAmC,CAAA;AACpE,MAAM,CAAC,MAAM,SAAS,GAAG,sCAAsC,CAAA;AAC/D,MAAM,CAAC,MAAM,gBAAgB,GAAG,kCAAkC,CAAA;AAElE,MAAM,QAAQ,GACV,gHAAgH,CAAA;AAEpH,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC7B,WAAW;IACX,YAAY;IACZ,iBAAiB;IACjB,eAAe;IACf,cAAc;IACd,eAAe;IACf,eAAe;IACf,gBAAgB;IAChB,eAAe;IACf,gBAAgB;IAChB,gBAAgB;IAChB,iBAAiB;IACjB,aAAa;IACb,cAAc;IACd,eAAe;IACf,aAAa;IACb,oBAAoB;CACvB,CAAA;AAED,MAAM,CAAC,MAAM,gBAAgB,GAAG;IAC5B,WAAW;IACX,iBAAiB;IACjB,eAAe;IACf,cAAc;IACd,eAAe;IACf,eAAe;IACf,gBAAgB;IAChB,aAAa;IACb,aAAa;IACb,oBAAoB;CACvB,CAAA;AAED,MAAM,UAAU,GAAG,CAAC,0BAA0B,EAAE,6CAA6C,CAAC,CAAA;AA0B9F,SAAS,WAAW,CAAC,KAA8B;IAC/C,OAAO,KAAuB,CAAA;AAClC,CAAC;AAED,SAAS,UAAU,CAAC,OAAe,EAAE,KAAe;IAChD,MAAM,MAAM,GAAG,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IAClF,OAAO,IAAI,QAAQ,CAAC,aAAa,EAAE,GAAG,OAAO,GAAG,MAAM,EAAE,EAAE,UAAU,CAAC,CAAA;AACzE,CAAC;AAED,KAAK,UAAU,qBAAqB,CAChC,WAAmB;IAEnB,IAAI,QAAkB,CAAA;IACtB,IAAI,CAAC;QACD,QAAQ,GAAG,MAAM,KAAK,CAAC,gBAAgB,EAAE;YACrC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,EAAE,kBAAkB,EAAE;YAC3E,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACjB,WAAW,EAAE,WAAW;gBACxB,UAAU,EAAE,oCAAoC;gBAChD,aAAa,EAAE,CAAC,WAAW,CAAC;gBAC5B,WAAW,EAAE,CAAC,oBAAoB,CAAC;gBACnC,cAAc,EAAE,CAAC,MAAM,CAAC;gBACxB,0BAA0B,EAAE,qBAAqB;gBACjD,gBAAgB,EAAE,QAAQ;gBAC1B,QAAQ,EAAE,QAAQ;aACrB,CAAC;SACL,CAAC,CAAA;IACN,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,IAAI,KAAK,YAAY,QAAQ;YAAE,MAAM,KAAK,CAAA;QAC1C,MAAM,UAAU,CAAC,iCAAiC,EAAE,KAAK,CAAC,CAAA;IAC9D,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACf,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAA;QACvD,MAAM,IAAI,QAAQ,CACd,aAAa,EACb,+BAA+B,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,MAAM,SAAS,EAAE,EACtF,UAAU,CACb,CAAA;IACL,CAAC;IAED,IAAI,MAAsD,CAAA;IAC1D,IAAI,CAAC;QACD,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAmD,CAAA;IACtF,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,MAAM,UAAU,CAAC,sCAAsC,EAAE,KAAK,CAAC,CAAA;IACnE,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;QAC7C,MAAM,IAAI,QAAQ,CACd,aAAa,EACb,0EAA0E,EAC1E,UAAU,CACb,CAAA;IACL,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,EAAE,YAAY,EAAE,MAAM,CAAC,aAAa,EAAE,CAAA;AAC7E,CAAC;AAED,MAAM,UAAU,uBAAuB;IACnC,OAAO;QACH,KAAK,CAAC,OAAO,CAAC,EAAE,WAAW,EAAE;YACzB,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,MAAM,qBAAqB,CAAC,WAAW,CAAC,CAAA;YAC3E,MAAM,SAAS,GAAmB,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAA;YAC5D,OAAO,EAAE,SAAS,EAAE,CAAA;QACxB,CAAC;QAED,KAAK,CAAC,SAAS,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE;YAC/D,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAA;YACjC,MAAM,YAAY,GAAG,gBAAgB,EAAE,CAAA;YACvC,MAAM,aAAa,GAAG,eAAe,CAAC,YAAY,CAAC,CAAA;YACnD,MAAM,QAAQ,GAAa,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,YAAY,CAAA;YAChE,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;YAElC,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;gBAC/B,SAAS,EAAE,EAAE,CAAC,QAAQ;gBACtB,aAAa,EAAE,MAAM;gBACrB,YAAY,EAAE,WAAW;gBACzB,KAAK,EAAE,SAAS;gBAChB,KAAK;gBACL,cAAc,EAAE,aAAa;gBAC7B,qBAAqB,EAAE,MAAM;aAChC,CAAC,CAAA;YAEF,MAAM,aAAa,GAAmB;gBAClC,GAAG,EAAE;gBACL,YAAY;gBACZ,QAAQ;gBACR,SAAS;aACZ,CAAA;YACD,OAAO;gBACH,YAAY,EAAE,GAAG,iBAAiB,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE;gBACzD,SAAS,EAAE,aAAa;aAC3B,CAAA;QACL,CAAC;QAED,KAAK,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,SAAS,EAAE;YAC/C,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAA;YACjC,IAAI,CAAC,EAAE,CAAC,YAAY,EAAE,CAAC;gBACnB,MAAM,IAAI,QAAQ,CACd,aAAa,EACb,gDAAgD,EAChD,UAAU,CACb,CAAA;YACL,CAAC;YAED,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;gBAC7B,UAAU,EAAE,oBAAoB;gBAChC,IAAI;gBACJ,YAAY,EAAE,WAAW;gBACzB,aAAa,EAAE,EAAE,CAAC,YAAY;aACjC,CAAC,CAAA;YAEF,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,IAAI,EAAE,CAAC,YAAY,EAAE,CAAC,CAAA;YAE7D,IAAI,QAAkB,CAAA;YACtB,IAAI,CAAC;gBACD,QAAQ,GAAG,MAAM,KAAK,CAAC,SAAS,EAAE;oBAC9B,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE;wBACL,cAAc,EAAE,mCAAmC;wBACnD,MAAM,EAAE,kBAAkB;wBAC1B,aAAa,EAAE,SAAS,WAAW,EAAE;qBACxC;oBACD,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;iBACxB,CAAC,CAAA;YACN,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACb,IAAI,KAAK,YAAY,QAAQ;oBAAE,MAAM,KAAK,CAAA;gBAC1C,MAAM,UAAU,CAAC,mCAAmC,EAAE,KAAK,CAAC,CAAA;YAChE,CAAC;YAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACf,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAA;gBACvD,MAAM,IAAI,QAAQ,CACd,aAAa,EACb,0BAA0B,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,MAAM,SAAS,EAAE,EACjF,UAAU,CACb,CAAA;YACL,CAAC;YAED,IAAI,IAIH,CAAA;YACD,IAAI,CAAC;gBACD,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAgB,CAAA;YACjD,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACb,MAAM,UAAU,CAAC,iCAAiC,EAAE,KAAK,CAAC,CAAA;YAC9D,CAAC;YAED,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBACb,MAAM,IAAI,QAAQ,CACd,aAAa,EACb,gBAAgB,IAAI,CAAC,KAAK,MAAM,IAAI,CAAC,iBAAiB,IAAI,eAAe,EAAE,EAC3E,UAAU,CACb,CAAA;YACL,CAAC;YAED,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;gBACrB,MAAM,IAAI,QAAQ,CACd,aAAa,EACb,4CAA4C,EAC5C,UAAU,CACb,CAAA;YACL,CAAC;YAED,OAAO,EAAE,WAAW,EAAE,IAAI,CAAC,YAAY,EAAE,CAAA;QAC7C,CAAC;QAED,KAAK,CAAC,aAAa,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE;YACpC,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAA;YACjC,MAAM,MAAM,GAAG,wBAAwB,CAAC,KAAK,CAAC,CAAA;YAC9C,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,KAAK,CAAC,cAAc,EAAE,CAAA;YAChD,OAAO,cAAc,CAAC,IAAI,EAAE,EAAE,QAAQ,EAAE,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,EAAE,CAAC,SAAS,EAAE,CAAC,CAAA;QACnF,CAAC;KACJ,CAAA;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAAqB,EAAE,GAAe;IACpE,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAA;IAC5B,IAAI,MAAM,CAAC,IAAI,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC,KAAK,MAAM,CAAC,EAAE,CAAA;IACjE,IAAI,MAAM,CAAC,IAAI,KAAK,MAAM;QAAE,OAAO,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAA;IAC5F,OAAO,KAAK,CAAA;AAChB,CAAC;AAED,MAAM,aAAa,GAAG,iBAAiB,CAAA;AAEvC,0DAA0D;AAC1D,SAAS,qBAAqB,CAAC,MAAuC;IAClE,OAAO,CACH,MAAM,CAAC,MAAM,KAAK,UAAU;QAC5B,MAAM,CAAC,MAAM,KAAK,kBAAkB;QACpC,MAAM,CAAC,MAAM,KAAK,iBAAiB,CACtC,CAAA;AACL,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,uBAAuB;IAIlC,MAAM,WAAW,GAAG,MAAM,iBAAiB,CAAC;QACxC,WAAW,EAAE,oBAAoB;QACjC,OAAO,EAAE,sBAAsB;KAClC,CAAC;SACG,SAAS,EAAE;SACX,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAA;IACtB,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAA;IAChC,MAAM,KAAK,GAAG,WAAW,IAAI,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,IAAI,CAAA;IACzD,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAA;IACvB,OAAO;QACH,KAAK;QACL,OAAO,EAAE,gBAAgB,CAAC;YACtB,EAAE,EAAE,MAAM,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE;YACpE,KAAK,EAAE,MAAM,CAAC,YAAY,IAAI,EAAE;YAChC,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,SAAS,EAAE,MAAM,CAAC,SAAS;SAC9B,CAAC;KACL,CAAA;AACL,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,oBAAoB;IAC/B,MAAM,OAAO,CAAC,UAAU,CAAC;QACrB,iBAAiB,CAAC;YACd,WAAW,EAAE,oBAAoB;YACjC,OAAO,EAAE,sBAAsB;SAClC,CAAC,CAAC,YAAY,EAAE;QACjB,YAAY,CAAC;YACT,KAAK,EAAE,SAAS;YAChB,QAAQ,EAAE,SAAS;YACnB,SAAS,EAAE,SAAS;YACpB,UAAU,EAAE,SAAS;YACrB,YAAY,EAAE,SAAS;YACvB,uBAAuB,EAAE,SAAS;SACrC,CAAC;KACL,CAAC,CAAA;AACN,CAAC;AAED;;;;;GAKG;AACH,IAAI,gBAA6E,CAAA;AACjF,SAAS,cAAc;IACnB,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACpB,gBAAgB,GAAG,oBAAoB,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAA;IAC/E,CAAC;IACD,OAAO,gBAAgB,CAAA;AAC3B,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,qBAAqB;IACjC,MAAM,KAAK,GAAG,uBAAuB,CAAe;QAChD,WAAW,EAAE,oBAAoB;QACjC,WAAW,EAAE,0BAA0B,EAAE;QACzC,eAAe,EAAE,aAAa,EAAE;QAChC,YAAY,EAAE,iBAAiB;KAClC,CAAC,CAAA;IACF,KAAK,UAAU,oBAAoB;QAC/B,MAAM,MAAM,GAAG,MAAM,cAAc,EAAE,CAAA;QACrC,IAAI,MAAM,KAAK,IAAI,IAAI,CAAC,qBAAqB,CAAC,MAAM,CAAC,EAAE,CAAC;YACpD,MAAM,oBAAoB,EAAE,CAAA;QAChC,CAAC;IACL,CAAC;IACD,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAoB,EAAE;QAC1D,KAAK,CAAC,MAAM,CAAC,GAAgB;YACzB,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;gBACpB,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;gBAC3C,IAAI,QAAQ,EAAE,CAAC;oBACX,OAAO;wBACH,KAAK,EAAE,QAAQ;wBACf,OAAO,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,EAAE,EAAE;qBACrE,CAAA;gBACL,CAAC;YACL,CAAC;YACD,MAAM,MAAM,GAAG,MAAM,cAAc,EAAE,CAAA;YACrC,IAAI,MAAM,KAAK,IAAI,IAAI,CAAC,qBAAqB,CAAC,MAAM,CAAC,EAAE,CAAC;gBACpD,MAAM,MAAM,GAAG,MAAM,uBAAuB,EAAE,CAAA;gBAC9C,IAAI,MAAM,IAAI,CAAC,GAAG,KAAK,SAAS,IAAI,iBAAiB,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC;oBAC1E,OAAO,MAAM,CAAA;gBACjB,CAAC;YACL,CAAC;YACD,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QAC5B,CAAC;QACD,KAAK,CAAC,GAAG,CAAC,OAAqB,EAAE,KAAa;YAC1C,MAAM,oBAAoB,EAAE,CAAA;YAC5B,OAAO,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;QACpC,CAAC;QACD,KAAK,CAAC,KAAK,CAAC,GAAgB;YACxB,MAAM,oBAAoB,EAAE,CAAA;YAC5B,OAAO,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QAC3B,CAAC;QACD,KAAK,CAAC,IAAI;YACN,MAAM,cAAc,EAAE,CAAA;YACtB,OAAO,KAAK,CAAC,IAAI,EAAE,CAAA;QACvB,CAAC;QACD,KAAK,CAAC,UAAU,CAAC,GAAe;YAC5B,MAAM,cAAc,EAAE,CAAA;YACtB,OAAO,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAA;QAChC,CAAC;KACJ,CAAC,CAAA;AACN,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB;IACtC,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;QAAE,OAAO,KAAK,CAAA;IAC5C,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAA;IAChC,MAAM,MAAM,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAA;IAC3C,IAAI,MAAM,EAAE,aAAa;QAAE,OAAO,aAAa,CAAA;IAC/C,IAAI,MAAM;QAAE,OAAO,cAAc,CAAA;IACjC,IAAI,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE;QAAE,OAAO,aAAa,CAAA;IAC9C,OAAO,cAAc,CAAA;AACzB,CAAC"}

package/dist/lib/auth.d.ts

@@ -1,21 +1,14 @@
+import { SecureStoreUnavailableError } from '@doist/cli-core/auth';
 import { type AuthMode } from './config.js';
 import { CliError } from './errors.js';
-export declare const SECURE_STORE_DESCRIPTION = "system credential manager";
-export declare class NoTokenError extends CliError {
-    constructor();
-}
+export { SecureStoreUnavailableError };
 export declare const TOKEN_ENV_VAR = "TWIST_API_TOKEN";
+export declare const SECURE_STORE_DESCRIPTION = "system credential manager";
 export type TokenStorageLocation = 'secure-store' | 'config-file';
 export type TokenStorageResult = {
     storage: TokenStorageLocation;
     warning?: string;
 };
-export type SaveApiTokenOptions = {
-    authMode?: AuthMode;
-    authScope?: string;
-    authUserId?: number;
-    authUserName?: string;
-};
 export type AuthMetadata = {
     authMode: AuthMode;
     authScope?: string;
@@ -34,9 +27,17 @@ export type AuthProbeResult = {
     token: string;
     metadata: AuthProbeMetadata;
 };
+export declare class NoTokenError extends CliError {
+    constructor();
+}
+/** Read the active token. The store wraps env-var precedence internally. */
 export declare function getApiToken(): Promise<string>;
+/** Token + metadata in one round-trip for `tw config view` / `tw doctor`. */
 export declare function probeApiToken(): Promise<AuthProbeResult>;
+/**
+ * Auth metadata for `tw auth status` and `ensureWriteAllowed`. Falls back
+ * to v1 flat fields when no v2 record exists so a legacy `read-only` token
+ * isn't reported as `'unknown'` — that would skip the local READ_ONLY guard.
+ */
 export declare function getAuthMetadata(): Promise<AuthMetadata>;
-export declare function saveApiToken(token: string, options?: SaveApiTokenOptions): Promise<TokenStorageResult>;
-export declare function clearApiToken(): Promise<TokenStorageResult>;
 //# sourceMappingURL=auth.d.ts.map