@equinor/fusion-framework-module-msal-node 3.0.2-next.0 → 4.0.0

package/CHANGELOG.md

@@ -1,13 +1,28 @@
 # @equinor/fusion-framework-module-msal-node
 
-## 3.0.2-next.0
+## 4.0.0
 
-### Patch Changes
+### Major Changes
+
+- abffa53: Major version bump for Fusion Framework React 19 release.
+
+  All packages are bumped to the next major version as part of the React 19 upgrade. This release drops support for React versions below 18 and includes breaking changes across the framework.
 
-- [#3820](https://github.com/equinor/fusion-framework/pull/3820) [`f647825`](https://github.com/equinor/fusion-framework/commit/f647825cb5712763b09dafda21fd996211c78b78) Thanks [@odinr](https://github.com/odinr)! - relase next
+  **Breaking changes:**
+  - Peer dependencies now require React 18 or 19 (`^18.0.0 || ^19.0.0`)
+  - React Router upgraded from v6 to v7
+  - Navigation module refactored with new history API
+  - `renderComponent` and `renderApp` now use `createRoot` API
+
+  **Migration:**
+  - Update your React version to 18.0.0 or higher before upgrading
+  - Replace `NavigationProvider.createRouter()` with `@equinor/fusion-framework-react-router`
+  - See individual package changelogs for package-specific migration steps
+
+### Patch Changes
 
-- Updated dependencies [[`f647825`](https://github.com/equinor/fusion-framework/commit/f647825cb5712763b09dafda21fd996211c78b78)]:
-  - @equinor/fusion-framework-module@5.0.7-next.0
+- Updated dependencies [abffa53]
+  - @equinor/fusion-framework-module@6.0.0
 
 ## 3.0.1
 

package/README.md

@@ -1,13 +1,11 @@
-`@equinor/fusion-framework-module-msal-node` provides secure Azure AD authentication for Node.js applications using Microsoft's MSAL (Microsoft Authentication Library). Perfect for CLI tools, background services, and automated processes that need to authenticate with Microsoft services.
+`@equinor/fusion-framework-module-msal-node` provides Azure AD authentication for Node.js applications using Microsoft's MSAL library. It targets CLI tools, background services, and automated pipelines that need to acquire Azure AD access tokens within the Fusion Framework module system.
 
 ## Features
 
-- **Multiple Authentication Modes**: Choose the right auth flow for your use case
-- **Secure Token Storage**: Encrypted credential storage using platform keychains
-- **Easy Integration**: Simple API that works seamlessly with Fusion Framework
-- **Token Management**: Automatic token refresh and caching
-- **Cross-Platform**: Works on Windows, macOS, and Linux
-- **Zero Configuration**: Sensible defaults with optional customization
+- **Three authentication modes** — interactive (browser login), silent (cached credentials), and token-only (static token passthrough)
+- **Secure token storage** — encrypted credential caching via platform keychains (Windows Credential Manager, macOS Keychain, Linux libsecret) using `@azure/msal-node-extensions`
+- **Automatic token refresh** — silent re-acquisition of cached tokens without user interaction
+- **Fusion Framework integration** — registers as the `auth` module and exposes `IAuthProvider` on the module instance
 
 ## Quick Start
 
@@ -23,192 +21,200 @@ const configurator = new ModulesConfigurator();
 
 enableAuthModule(configurator, (builder) => {
   builder.setMode('interactive');
-  builder.setClientId('your-client-id');
-  builder.setTenantId('your-tenant-id');
+  builder.setClientConfig('your-tenant-id', 'your-client-id');
+  builder.setServerPort(3000);
 });
 
-const framework = await initialize();
-const token = await framework.auth.acquireAccessToken({ 
-  scopes: ['https://graph.microsoft.com/.default'] 
+// After initialization the auth provider is available on the module instance
+const token = await modules.auth.acquireAccessToken({
+  request: { scopes: ['https://graph.microsoft.com/.default'] },
 });
 ```
 
-## Authentication Modes
-
-Choose the authentication mode that best fits your application's needs:
-
-| Mode | Description | Best For | User Interaction |
-|------|-------------|----------|------------------|
-| **`token_only`** | Uses a pre-provided access token | CI/CD pipelines, serverless functions | None |
-| **`silent`** | Uses cached credentials for background auth | Background services, scheduled tasks | None |
-| **`interactive`** | Browser-based login with local server | CLI tools, development, user-facing apps | Required |
-
-### When to Use Each Mode
+## Architecture
 
-- **`token_only`**: When you already have a valid access token (e.g., from environment variables, CI/CD secrets)
-- **`silent`**: When you need background authentication without user interaction (e.g., scheduled jobs, background services)
-- **`interactive`**: When you need user login (e.g., CLI tools, development environments, user-facing applications)
+The module registers under the name `auth` and produces an `IAuthProvider` instance during initialization. Which concrete provider class is created depends on the configured mode:
 
-## Secure Token Storage
-
-The module uses `@azure/msal-node-extensions` for enterprise-grade security:
+| Mode | Provider class | Behaviour |
+|------|---------------|-----------|
+| `interactive` | `AuthProviderInteractive` | Opens the default browser for OAuth 2.0 authorization code flow with PKCE, handled by a temporary local HTTP server |
+| `silent` | `AuthProvider` | Acquires tokens silently from the MSAL cache; throws `NoAccountsError` if no cached session exists |
+| `token_only` | `AuthTokenProvider` | Returns a static pre-supplied access token; login/logout are not supported |
 
-- **🔒 Platform Keychains**: Windows Credential Manager, macOS Keychain, Linux libsecret
-- **🔐 Encryption at Rest**: Tokens encrypted using platform-specific mechanisms
-- **🔄 Automatic Refresh**: Seamless token renewal without user intervention
-- **🌐 Cross-Platform**: Consistent security across Windows, macOS, and Linux
+All three implement `IAuthProvider`, so consuming code can call `acquireAccessToken` regardless of mode.
 
-## Usage Examples
+## Authentication Modes
 
-### Token-Only Mode (CI/CD)
+### Interactive — browser-based login
 
-Perfect for automated processes where you already have a valid token:
+Best for CLI tools, developer utilities, and any scenario requiring user sign-in.
 
 ```typescript
-import { enableAuthModule } from '@equinor/fusion-framework-module-msal-node';
-import { ModulesConfigurator } from '@equinor/fusion-framework-module';
-
-const configurator = new ModulesConfigurator();
-
 enableAuthModule(configurator, (builder) => {
-  builder.setMode('token_only');
-  builder.setAccessToken(process.env.ACCESS_TOKEN); // From CI/CD secrets
+  builder.setMode('interactive');
+  builder.setClientConfig('your-tenant-id', 'your-client-id');
+  builder.setServerPort(3000);
+  builder.setServerOnOpen((url) => {
+    console.log(`Open in browser: ${url}`);
+  });
 });
 
-const framework = await initialize();
-const token = await framework.auth.acquireAccessToken({ 
-  scopes: ['https://graph.microsoft.com/.default'] 
+// Login explicitly (opens browser)
+const result = await modules.auth.login({
+  request: { scopes: ['https://graph.microsoft.com/.default'] },
 });
+console.log('Logged in as', result.account?.username);
 ```
 
-### Silent Mode (Background Services)
+### Silent — cached credentials
 
-For background services that need to authenticate without user interaction:
+Best for background services and scheduled tasks where a user has previously authenticated.
 
 ```typescript
-import { enableAuthModule } from '@equinor/fusion-framework-module-msal-node';
-import { ModulesConfigurator } from '@equinor/fusion-framework-module';
-
-const configurator = new ModulesConfigurator();
-
 enableAuthModule(configurator, (builder) => {
   builder.setMode('silent');
-  builder.setClientId(process.env.AZURE_CLIENT_ID);
-  builder.setTenantId(process.env.AZURE_TENANT_ID);
+  builder.setClientConfig(process.env.AZURE_TENANT_ID!, process.env.AZURE_CLIENT_ID!);
 });
 
-const framework = await initialize();
-
-// This will use cached credentials or fail if no valid cache exists
-try {
-  const token = await framework.auth.acquireAccessToken({ 
-    scopes: ['https://graph.microsoft.com/.default'] 
-  });
-  console.log('Authenticated successfully');
-} catch (error) {
-  console.error('Silent authentication failed:', error.message);
-}
+const token = await modules.auth.acquireAccessToken({
+  request: { scopes: ['https://graph.microsoft.com/.default'] },
+});
 ```
 
-### Interactive Mode (CLI Tools)
+### Token-only — static token passthrough
 
-For CLI tools and development environments that require user login:
+Best for CI/CD pipelines and automation where a token is provided externally.
 
 ```typescript
-import { enableAuthModule } from '@equinor/fusion-framework-module-msal-node';
-import { ModulesConfigurator } from '@equinor/fusion-framework-module';
-
-const configurator = new ModulesConfigurator();
-
 enableAuthModule(configurator, (builder) => {
-  builder.setMode('interactive');
-  builder.setClientId(process.env.AZURE_CLIENT_ID);
-  builder.setTenantId(process.env.AZURE_TENANT_ID);
-  builder.setServerPort(3000); // Optional: custom port
-  builder.setServerOnOpen((url) => {
-    console.log(`🌐 Please open your browser and navigate to: ${url}`);
-  });
+  builder.setMode('token_only');
+  builder.setAccessToken(process.env.ACCESS_TOKEN!);
 });
 
-const framework = await initialize();
-
-// This will open a browser for user login
-const result = await framework.auth.login({ 
-  scopes: ['https://graph.microsoft.com/.default'] 
+const token = await modules.auth.acquireAccessToken({
+  request: { scopes: ['https://graph.microsoft.com/.default'] },
 });
-console.log('Login successful:', result.account?.username);
 ```
 
-## Configuration
+## Secure Token Storage
 
-### Required Settings
+When using `setClientConfig`, the module creates a `PublicClientApplication` backed by an encrypted persistence cache from `@azure/msal-node-extensions`:
 
-| Setting | Description | Required For |
-|---------|-------------|--------------|
-| `clientId` | Azure AD application client ID | `silent`, `interactive` |
-| `tenantId` | Azure AD tenant ID | `silent`, `interactive` |
-| `accessToken` | Pre-obtained access token | `token_only` |
+- **Platform keychains** — Windows Credential Manager, macOS Keychain, Linux libsecret
+- **Encryption at rest** — tokens encrypted using platform-specific mechanisms
+- **User-scoped** — cache files are scoped to the current OS user via `DataProtectionScope.CurrentUser`
 
-### Optional Settings
+The `libsecret`  dependency is loaded lazily so environments that use `token_only` mode (such as CI runners) do not need it installed.
 
-| Setting | Description | Default | Mode |
-|---------|-------------|---------|------|
-| `serverPort` | Local server port for auth callbacks | `3000` | `interactive` |
-| `serverOnOpen` | Callback when browser opens | `undefined` | `interactive` |
+## Configuration Reference
 
-### Environment Variables
+### `IAuthConfigurator` methods
 
-```bash
-# Required for silent/interactive modes
-AZURE_CLIENT_ID=your-client-id
-AZURE_TENANT_ID=your-tenant-id
+| Method | Description |
+|--------|-------------|
+| `setMode(mode)` | Set authentication mode: `'interactive'`, `'silent'`, or `'token_only'` |
+| `setClientConfig(tenantId, clientId)` | Create an MSAL client with secure persistence cache |
+| `setClient(client)` | Provide a pre-configured `PublicClientApplication` instance |
+| `setAccessToken(token)` | Set a static access token (`token_only` mode) |
+| `setServerPort(port)` | Set the local callback server port (`interactive` mode) |
+| `setServerOnOpen(callback)` | Callback invoked with the login URL when the server is ready |
 
-# Required for token_only mode
-ACCESS_TOKEN=your-access-token
+### Required settings per mode
+
+| Setting | `interactive` | `silent` | `token_only` |
+|---------|:---:|:---:|:---:|
+| `setClientConfig` or `setClient` | required | required | — |
+| `setAccessToken` | — | — | required |
+| `setServerPort` | required | — | — |
+
+## Error Handling
+
+The module exports dedicated error classes from `@equinor/fusion-framework-module-msal-node/error`:
+
+| Error | Thrown when |
+|-------|-----------|
+| `NoAccountsError` | Silent token acquisition finds no cached accounts |
+| `SilentTokenAcquisitionError` | MSAL fails to acquire a token silently (expired session, network issue) |
+| `AuthServerError` | The local callback server receives no authorization code or token exchange fails |
+| `AuthServerTimeoutError` | The callback server times out (default 5 minutes) waiting for a browser response |
+
+```typescript
+import { NoAccountsError } from '@equinor/fusion-framework-module-msal-node/error';
+
+try {
+  const token = await modules.auth.acquireAccessToken({
+    request: { scopes: ['api://my-api/.default'] },
+  });
+} catch (error) {
+  if (error instanceof NoAccountsError) {
+    console.error('No cached session — run interactive login first');
+  }
+  throw error;
+}
 ```
 
 ## API Reference
 
 ### `enableAuthModule(configurator, configure)`
 
-Enables the MSAL Node module in your Fusion Framework application.
+Registers the MSAL Node module with a Fusion Framework `ModulesConfigurator`.
 
-**Parameters:**
-- `configurator`: `ModulesConfigurator` - The modules configurator instance
-- `configure`: `(builder: IAuthConfigurator) => void` - Configuration function
+- **configurator** — the `IModulesConfigurator` instance
+- **configure** — callback receiving an `IAuthConfigurator` builder
 
 ### `IAuthProvider`
 
-The authentication provider interface available at `framework.auth`:
+Unified provider interface exposed as `modules.auth`:
 
 ```typescript
 interface IAuthProvider {
-  // Acquire an access token for the specified scopes
-  acquireAccessToken(options: { 
-    scopes: string[]; 
-    interactive?: boolean 
+  acquireAccessToken(options: {
+    request: { scopes: string[] };
+    interactive?: boolean;
   }): Promise<string>;
-  
-  // Login (interactive mode only)
-  login(options: { scopes: string[] }): Promise<AuthenticationResult>;
-  
-  // Logout (interactive mode only)
+
+  login(options: { request: { scopes: string[] } }): Promise<AuthenticationResult>;
+
   logout(): Promise<void>;
 }
 ```
 
+`login` and `logout` are only functional in interactive mode. In other modes they throw immediately.
+
 
 ## Troubleshooting
 
 ### Common Issues
 
-| Issue | Solution |
-|-------|----------|
-| **Invalid client/tenant ID** | Verify your Azure AD app registration settings |
-| **Port already in use** | Change the `serverPort` or kill the process using the port |
-| **Silent auth fails** | Ensure you've logged in interactively first to cache credentials |
-| **Token expired** | The module handles refresh automatically; check your scopes |
-| **Credential storage errors** | See our [credential storage guide](docs/libsecret.md) |
+| Issue | Error Class | Solution |
+|-------|------------|----------|
+| **No cached session** | `NoAccountsError` | Run interactive login first to cache credentials, then retry with silent mode |
+| **Silent auth fails** | `SilentTokenAcquisitionError` | Cached session may have expired or network is unavailable; fall back to interactive login |
+| **Callback server fails** | `AuthServerError` | Check that the callback server port is not in use and the browser can reach it |
+| **Callback server timeout** | `AuthServerTimeoutError` | The browser did not complete login within the timeout (default 5 min); retry or check network |
+| **Invalid client/tenant ID** | — | Verify your Azure AD app registration settings |
+| **Port already in use** | — | Change the `serverPort` or kill the process using the port |
+| **Token expired** | — | The module handles refresh automatically; check your scopes |
+| **Credential storage errors** | — | See our [credential storage guide](docs/libsecret.md) |
+
+All error classes are exported from `@equinor/fusion-framework-module-msal-node/error`. A common pattern is to attempt silent token acquisition first and fall back to interactive login on failure:
+
+```typescript
+import { NoAccountsError, SilentTokenAcquisitionError } from '@equinor/fusion-framework-module-msal-node/error';
+
+try {
+  const token = await modules.auth.acquireAccessToken({
+    request: { scopes: ['api://my-api/.default'] },
+  });
+} catch (error) {
+  if (error instanceof NoAccountsError || error instanceof SilentTokenAcquisitionError) {
+    // Fall back to interactive login
+    await modules.auth.login({ request: { scopes: ['api://my-api/.default'] } });
+  } else {
+    throw error;
+  }
+}
+```
 
 ### Getting Help
 

package/dist/esm/AuthConfigurator.js

@@ -17,12 +17,34 @@ export class AuthConfigurator extends BaseConfigBuilder {
         super();
         this.setMode('interactive');
     }
+    /**
+     * Sets the authentication mode for the module.
+     *
+     * @param mode - The authentication mode: `'interactive'`, `'silent'`, or `'token_only'`.
+     */
     setMode(mode) {
         this._set('mode', mode);
     }
+    /**
+     * Sets a pre-configured MSAL `PublicClientApplication` instance.
+     *
+     * Use this when you need full control over the MSAL client configuration.
+     * For most cases, prefer {@link AuthConfigurator.setClientConfig | setClientConfig}.
+     *
+     * @param client - The MSAL `PublicClientApplication` instance.
+     */
     setClient(client) {
         this._set('client', client);
     }
+    /**
+     * Configures the MSAL client using Azure AD tenant and client IDs.
+     *
+     * Lazily creates a `PublicClientApplication` with a secure persistence cache.
+     * The dynamic import avoids requiring `libsecret` in environments that do not need it.
+     *
+     * @param tenantId - Azure AD tenant (directory) ID.
+     * @param clientId - Azure AD application (client) ID.
+     */
     setClientConfig(tenantId, clientId) {
         this._set('client', async () => {
             // Dynamically import the createAuthClient function since the client uses `libsecret``
@@ -32,12 +54,29 @@ export class AuthConfigurator extends BaseConfigBuilder {
             return createAuthClient(tenantId, clientId);
         });
     }
+    /**
+     * Sets the port for the local HTTP callback server used in interactive mode.
+     *
+     * @param port - Port number for the local server.
+     */
     setServerPort(port) {
         this._set('server.port', port);
     }
+    /**
+     * Sets a callback invoked when the login URL is ready in interactive mode.
+     *
+     * Use this to display or log the authentication URL for the user.
+     *
+     * @param onOpen - Callback receiving the authentication URL, or `undefined` to disable.
+     */
     setServerOnOpen(onOpen) {
         this._set('server.onOpen', onOpen);
     }
+    /**
+     * Sets a pre-obtained access token for `token_only` mode.
+     *
+     * @param token - The static access token string.
+     */
     setAccessToken(token) {
         this._set('accessToken', token);
     }

package/dist/esm/AuthConfigurator.js.map

@@ -1 +1 @@
-{"version":3,"file":"AuthConfigurator.js","sourceRoot":"","sources":["../../src/AuthConfigurator.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EACL,iBAAiB,GAGlB,MAAM,kCAAkC,CAAC;AAK1C;;;;;;;;;;;GAWG;AACH,MAAM,OAAO,gBAAiB,SAAQ,iBAA6B;IACjE;QACE,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO,CAAC,IAAwB;QAC9B,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED,SAAS,CAAC,MAA4B;QACpC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC9B,CAAC;IAED,eAAe,CAAC,QAAgB,EAAE,QAAgB;QAChD,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE;YAC7B,sFAAsF;YACtF,sDAAsD;YACtD,mGAAmG;YACnG,MAAM,EAAE,gBAAgB,EAAE,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;YACrE,OAAO,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC9C,CAAC,CAAC,CAAC;IACL,CAAC;IAED,aAAa,CAAC,IAAY;QACxB,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;IACjC,CAAC;IAED,eAAe,CAAC,MAA2C;QACzD,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IACrC,CAAC;IAED,cAAc,CAAC,KAAa;QAC1B,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC;IAClC,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACO,YAAY,CACpB,IAA+B,EAC/B,OAAyC;QAEzC,+EAA+E;QAC/E,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAG,IAAI,CAAC,GAAyC,EAAE,IAAI,CAAC,CAAC;QAC3E,+CAA+C;QAC/C,OAAO,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC3C,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACH,KAAK,CAAC,cAAc,CAAC,MAAkB;QACrC,QAAQ,MAAM,CAAC,IAAI,EAAE,CAAC;YACpB,KAAK,aAAa,CAAC,CAAC,CAAC;gBACnB,yDAAyD;gBACzD,IAAI,MAAM,CAAC,MAAM,YAAY,uBAAuB,KAAK,KAAK,EAAE,CAAC;oBAC/D,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;gBACjE,CAAC;gBACD,uCAAuC;gBACvC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;oBACnB,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;gBACjE,CAAC;gBACD,+BAA+B;gBAC/B,IAAI,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;oBAC3C,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;gBAC3E,CAAC;gBACD,MAAM;YACR,CAAC;YACD,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,oDAAoD;gBACpD,IAAI,MAAM,CAAC,MAAM,YAAY,uBAAuB,KAAK,KAAK,EAAE,CAAC;oBAC/D,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;gBAC5D,CAAC;gBACD,MAAM;YACR,CAAC;YACD,KAAK,YAAY,CAAC,CAAC,CAAC;gBAClB,iDAAiD;gBACjD,IAAI,OAAO,MAAM,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;oBAC3C,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;gBACtE,CAAC;gBACD,MAAM;YACR,CAAC;YACD,gEAAgE;QAClE,CAAC;QACD,oDAAoD;QACpD,OAAO,MAAM,CAAC;IAChB,CAAC;CACF"}
+{"version":3,"file":"AuthConfigurator.js","sourceRoot":"","sources":["../../src/AuthConfigurator.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EACL,iBAAiB,GAGlB,MAAM,kCAAkC,CAAC;AAK1C;;;;;;;;;;;GAWG;AACH,MAAM,OAAO,gBAAiB,SAAQ,iBAA6B;IACjE;QACE,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IAC9B,CAAC;IAED;;;;OAIG;IACH,OAAO,CAAC,IAAwB;QAC9B,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED;;;;;;;OAOG;IACH,SAAS,CAAC,MAA4B;QACpC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC9B,CAAC;IAED;;;;;;;;OAQG;IACH,eAAe,CAAC,QAAgB,EAAE,QAAgB;QAChD,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE;YAC7B,sFAAsF;YACtF,sDAAsD;YACtD,mGAAmG;YACnG,MAAM,EAAE,gBAAgB,EAAE,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;YACrE,OAAO,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC9C,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;OAIG;IACH,aAAa,CAAC,IAAY;QACxB,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;IACjC,CAAC;IAED;;;;;;OAMG;IACH,eAAe,CAAC,MAA2C;QACzD,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IACrC,CAAC;IAED;;;;OAIG;IACH,cAAc,CAAC,KAAa;QAC1B,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC;IAClC,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACO,YAAY,CACpB,IAA+B,EAC/B,OAAyC;QAEzC,+EAA+E;QAC/E,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAG,IAAI,CAAC,GAAyC,EAAE,IAAI,CAAC,CAAC;QAC3E,+CAA+C;QAC/C,OAAO,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC3C,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACH,KAAK,CAAC,cAAc,CAAC,MAAkB;QACrC,QAAQ,MAAM,CAAC,IAAI,EAAE,CAAC;YACpB,KAAK,aAAa,CAAC,CAAC,CAAC;gBACnB,yDAAyD;gBACzD,IAAI,MAAM,CAAC,MAAM,YAAY,uBAAuB,KAAK,KAAK,EAAE,CAAC;oBAC/D,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;gBACjE,CAAC;gBACD,uCAAuC;gBACvC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;oBACnB,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;gBACjE,CAAC;gBACD,+BAA+B;gBAC/B,IAAI,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;oBAC3C,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;gBAC3E,CAAC;gBACD,MAAM;YACR,CAAC;YACD,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,oDAAoD;gBACpD,IAAI,MAAM,CAAC,MAAM,YAAY,uBAAuB,KAAK,KAAK,EAAE,CAAC;oBAC/D,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;gBAC5D,CAAC;gBACD,MAAM;YACR,CAAC;YACD,KAAK,YAAY,CAAC,CAAC,CAAC;gBAClB,iDAAiD;gBACjD,IAAI,OAAO,MAAM,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;oBAC3C,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;gBACtE,CAAC;gBACD,MAAM;YACR,CAAC;YACD,gEAAgE;QAClE,CAAC;QACD,oDAAoD;QACpD,OAAO,MAAM,CAAC;IAChB,CAAC;CACF"}

package/dist/esm/index.js

@@ -1,3 +1,24 @@
+/**
+ * `@equinor/fusion-framework-module-msal-node` provides Azure AD authentication
+ * for Node.js applications using Microsoft's MSAL library.
+ *
+ * Supports three authentication modes:
+ * - **interactive** — browser-based login with a local callback server (CLI tools, development)
+ * - **silent** — cached credential reuse without user interaction (background services)
+ * - **token_only** — static pre-obtained token passthrough (CI/CD, automation)
+ *
+ * @example
+ * ```typescript
+ * import { enableAuthModule } from '@equinor/fusion-framework-module-msal-node';
+ *
+ * enableAuthModule(configurator, (builder) => {
+ *   builder.setMode('interactive');
+ *   builder.setClientConfig('your-tenant-id', 'your-client-id');
+ * });
+ * ```
+ *
+ * @packageDocumentation
+ */
 export { AuthProvider } from './AuthProvider.js';
 export { module as authModule } from './module.js';
 export { enableModule as enableAuthModule } from './enable-module.js';

package/dist/esm/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAMjD,OAAO,EAAE,MAAM,IAAI,UAAU,EAAuB,MAAM,aAAa,CAAC;AAExE,OAAO,EAAE,YAAY,IAAI,gBAAgB,EAAE,MAAM,oBAAoB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAMjD,OAAO,EAAE,MAAM,IAAI,UAAU,EAAuB,MAAM,aAAa,CAAC;AAExE,OAAO,EAAE,YAAY,IAAI,gBAAgB,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/esm/version.js

@@ -1,3 +1,3 @@
 // Generated by genversion.
-export const version = '3.0.2-next.0';
+export const version = '4.0.0';
 //# sourceMappingURL=version.js.map

package/dist/esm/version.js.map

@@ -1 +1 @@
-{"version":3,"file":"version.js","sourceRoot":"","sources":["../../src/version.ts"],"names":[],"mappings":"AAAA,2BAA2B;AAC3B,MAAM,CAAC,MAAM,OAAO,GAAG,cAAc,CAAC"}
+{"version":3,"file":"version.js","sourceRoot":"","sources":["../../src/version.ts"],"names":[],"mappings":"AAAA,2BAA2B;AAC3B,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC"}