@everywheredev/cli 0.0.5 → 0.0.7

package/dist/auth/device-flow.js

@@ -1,141 +0,0 @@
-// Device Authorization Grant (RFC 8628) + PKCE helper.
-//
-// SRP: this module performs the OAuth2 device flow against Ory Hydra and nothing else — discovery,
-// device-authorization request, and polling the token endpoint. It returns a `TokenSet`; it does not
-// store tokens, build headers, or know about the transport. The HydraOAuthAuthProvider orchestrates
-// it and persists results in the Keychain.
-import { CliError } from "../core/errors.js";
-import { createPkcePair } from "./pkce.js";
-export class DeviceFlow {
-    cfg;
-    fetchImpl;
-    sleep;
-    constructor(cfg, fetchImpl = fetch, sleep = defaultSleep) {
-        this.cfg = cfg;
-        this.fetchImpl = fetchImpl;
-        this.sleep = sleep;
-    }
-    /** Discover the OIDC endpoints via /.well-known/openid-configuration. */
-    async discover() {
-        const url = `${trimSlash(this.cfg.oidcIssuer)}/.well-known/openid-configuration`;
-        const res = await this.fetchImpl(url, { headers: { accept: "application/json" } });
-        if (!res.ok) {
-            throw CliError.auth(`OIDC discovery failed (${res.status}).`, `Check the profile's oidcIssuer (${this.cfg.oidcIssuer}).`);
-        }
-        return (await res.json());
-    }
-    /**
-     * Run the full grant: discover → request device code (with PKCE challenge) → prompt → poll.
-     * Resolves with a TokenSet (access + optional refresh/id tokens) on user approval.
-     */
-    async authorize(prompt) {
-        const disc = await this.discover();
-        const pkce = await createPkcePair();
-        // Device authorization request (PKCE challenge bound here, verifier sent at token time).
-        const authBody = new URLSearchParams({
-            client_id: this.cfg.clientId,
-            scope: this.cfg.scopes.join(" "),
-            code_challenge: pkce.codeChallenge,
-            code_challenge_method: pkce.method,
-        });
-        const authRes = await this.fetchImpl(disc.device_authorization_endpoint, {
-            method: "POST",
-            headers: form(),
-            body: authBody.toString(),
-        });
-        if (!authRes.ok) {
-            throw CliError.auth(`Device authorization request failed (${authRes.status}).`);
-        }
-        const device = (await authRes.json());
-        prompt({
-            userCode: device.user_code,
-            verificationUri: device.verification_uri,
-            verificationUriComplete: device.verification_uri_complete,
-            expiresIn: device.expires_in,
-        });
-        return this.poll(disc, device, pkce.codeVerifier);
-    }
-    /** Refresh an access token using a refresh_token grant. */
-    async refresh(refreshToken) {
-        const disc = await this.discover();
-        const body = new URLSearchParams({
-            grant_type: "refresh_token",
-            client_id: this.cfg.clientId,
-            refresh_token: refreshToken,
-        });
-        const res = await this.fetchImpl(disc.token_endpoint, {
-            method: "POST",
-            headers: form(),
-            body: body.toString(),
-        });
-        if (!res.ok) {
-            throw CliError.auth("Token refresh failed.", "Run `pocketdev login` to re-authenticate.");
-        }
-        return stamp((await res.json()));
-    }
-    /** Revoke a token (refresh or access) at logout, if the issuer exposes a revocation endpoint. */
-    async revoke(token) {
-        const disc = await this.discover();
-        if (!disc.revocation_endpoint)
-            return;
-        const body = new URLSearchParams({ client_id: this.cfg.clientId, token });
-        await this.fetchImpl(disc.revocation_endpoint, {
-            method: "POST",
-            headers: form(),
-            body: body.toString(),
-        }).catch(() => undefined);
-    }
-    // ── polling loop (handles authorization_pending / slow_down per RFC 8628 §3.5) ──
-    async poll(disc, device, codeVerifier) {
-        let intervalMs = (device.interval ?? 5) * 1000;
-        const deadline = Date.now() + device.expires_in * 1000;
-        while (Date.now() < deadline) {
-            await this.sleep(intervalMs);
-            const body = new URLSearchParams({
-                grant_type: "urn:ietf:params:oauth:grant-type:device_code",
-                client_id: this.cfg.clientId,
-                device_code: device.device_code,
-                code_verifier: codeVerifier,
-            });
-            const res = await this.fetchImpl(disc.token_endpoint, {
-                method: "POST",
-                headers: form(),
-                body: body.toString(),
-            });
-            if (res.ok) {
-                return stamp((await res.json()));
-            }
-            const err = (await res.json().catch(() => ({})));
-            switch (err.error) {
-                case "authorization_pending":
-                    continue; // keep polling at the current interval
-                case "slow_down":
-                    intervalMs += 5000; // RFC 8628: back off by 5s
-                    continue;
-                case "access_denied":
-                    throw CliError.auth("Authorization was denied.");
-                case "expired_token":
-                    throw CliError.auth("The device code expired.", "Run `pocketdev login` again.");
-                default:
-                    throw CliError.auth(`Device token poll failed: ${err.error ?? res.status}.`);
-            }
-        }
-        throw CliError.auth("Timed out waiting for device authorization.", "Run `pocketdev login` again.");
-    }
-}
-function stamp(t) {
-    if (t.expires_in && !t.expiresAt) {
-        return { ...t, expiresAt: Date.now() + t.expires_in * 1000 };
-    }
-    return t;
-}
-function form() {
-    return { "content-type": "application/x-www-form-urlencoded", accept: "application/json" };
-}
-function trimSlash(s) {
-    return s.endsWith("/") ? s.slice(0, -1) : s;
-}
-function defaultSleep(ms) {
-    return new Promise((r) => setTimeout(r, ms));
-}
-//# sourceMappingURL=device-flow.js.map

package/dist/auth/device-flow.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"device-flow.js","sourceRoot":"","sources":["../../src/auth/device-flow.ts"],"names":[],"mappings":"AAAA,uDAAuD;AACvD,EAAE;AACF,mGAAmG;AACnG,qGAAqG;AACrG,oGAAoG;AACpG,2CAA2C;AAE3C,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAC7C,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAkD3C,MAAM,OAAO,UAAU;IAEF;IACA;IACA;IAHnB,YACmB,GAAqB,EACrB,YAAmB,KAAK,EACxB,QAAuC,YAAY;QAFnD,QAAG,GAAH,GAAG,CAAkB;QACrB,cAAS,GAAT,SAAS,CAAe;QACxB,UAAK,GAAL,KAAK,CAA8C;IACnE,CAAC;IAEJ,yEAAyE;IACzE,KAAK,CAAC,QAAQ;QACZ,MAAM,GAAG,GAAG,GAAG,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,mCAAmC,CAAC;QACjF,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAAE,CAAC,CAAC;QACnF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,QAAQ,CAAC,IAAI,CACjB,0BAA0B,GAAG,CAAC,MAAM,IAAI,EACxC,mCAAmC,IAAI,CAAC,GAAG,CAAC,UAAU,IAAI,CAC3D,CAAC;QACJ,CAAC;QACD,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAkB,CAAC;IAC7C,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,SAAS,CAAC,MAAoB;QAClC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;QACnC,MAAM,IAAI,GAAG,MAAM,cAAc,EAAE,CAAC;QAEpC,yFAAyF;QACzF,MAAM,QAAQ,GAAG,IAAI,eAAe,CAAC;YACnC,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,QAAQ;YAC5B,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;YAChC,cAAc,EAAE,IAAI,CAAC,aAAa;YAClC,qBAAqB,EAAE,IAAI,CAAC,MAAM;SACnC,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,6BAA6B,EAAE;YACvE,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,IAAI,EAAE;YACf,IAAI,EAAE,QAAQ,CAAC,QAAQ,EAAE;SAC1B,CAAC,CAAC;QACH,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC;YAChB,MAAM,QAAQ,CAAC,IAAI,CAAC,wCAAwC,OAAO,CAAC,MAAM,IAAI,CAAC,CAAC;QAClF,CAAC;QACD,MAAM,MAAM,GAAG,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAAuB,CAAC;QAE5D,MAAM,CAAC;YACL,QAAQ,EAAE,MAAM,CAAC,SAAS;YAC1B,eAAe,EAAE,MAAM,CAAC,gBAAgB;YACxC,uBAAuB,EAAE,MAAM,CAAC,yBAAyB;YACzD,SAAS,EAAE,MAAM,CAAC,UAAU;SAC7B,CAAC,CAAC;QAEH,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;IACpD,CAAC;IAED,2DAA2D;IAC3D,KAAK,CAAC,OAAO,CAAC,YAAoB;QAChC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;QACnC,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;YAC/B,UAAU,EAAE,eAAe;YAC3B,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,QAAQ;YAC5B,aAAa,EAAE,YAAY;SAC5B,CAAC,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,cAAc,EAAE;YACpD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,IAAI,EAAE;YACf,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;SACtB,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,QAAQ,CAAC,IAAI,CAAC,uBAAuB,EAAE,2CAA2C,CAAC,CAAC;QAC5F,CAAC;QACD,OAAO,KAAK,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAa,CAAC,CAAC;IAC/C,CAAC;IAED,iGAAiG;IACjG,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;QACnC,IAAI,CAAC,IAAI,CAAC,mBAAmB;YAAE,OAAO;QACtC,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC;QAC1E,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,mBAAmB,EAAE;YAC7C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,IAAI,EAAE;YACf,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;SACtB,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;IAC5B,CAAC;IAED,mFAAmF;IAC3E,KAAK,CAAC,IAAI,CAChB,IAAmB,EACnB,MAA0B,EAC1B,YAAoB;QAEpB,IAAI,UAAU,GAAG,CAAC,MAAM,CAAC,QAAQ,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;QAC/C,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;QAEvD,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;YAC7B,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;YAC7B,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;gBAC/B,UAAU,EAAE,8CAA8C;gBAC1D,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,QAAQ;gBAC5B,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,aAAa,EAAE,YAAY;aAC5B,CAAC,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,cAAc,EAAE;gBACpD,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,IAAI,EAAE;gBACf,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;aACtB,CAAC,CAAC;YACH,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;gBACX,OAAO,KAAK,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAa,CAAC,CAAC;YAC/C,CAAC;YACD,MAAM,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAuB,CAAC;YACvE,QAAQ,GAAG,CAAC,KAAK,EAAE,CAAC;gBAClB,KAAK,uBAAuB;oBAC1B,SAAS,CAAC,uCAAuC;gBACnD,KAAK,WAAW;oBACd,UAAU,IAAI,IAAI,CAAC,CAAC,2BAA2B;oBAC/C,SAAS;gBACX,KAAK,eAAe;oBAClB,MAAM,QAAQ,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;gBACnD,KAAK,eAAe;oBAClB,MAAM,QAAQ,CAAC,IAAI,CAAC,0BAA0B,EAAE,8BAA8B,CAAC,CAAC;gBAClF;oBACE,MAAM,QAAQ,CAAC,IAAI,CAAC,6BAA6B,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;YACjF,CAAC;QACH,CAAC;QACD,MAAM,QAAQ,CAAC,IAAI,CAAC,6CAA6C,EAAE,8BAA8B,CAAC,CAAC;IACrG,CAAC;CACF;AAED,SAAS,KAAK,CAAC,CAAW;IACxB,IAAI,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC;QACjC,OAAO,EAAE,GAAG,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,UAAU,GAAG,IAAI,EAAE,CAAC;IAC/D,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAS,IAAI;IACX,OAAO,EAAE,cAAc,EAAE,mCAAmC,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC;AAC7F,CAAC;AAED,SAAS,SAAS,CAAC,CAAS;IAC1B,OAAO,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC9C,CAAC;AAED,SAAS,YAAY,CAAC,EAAU;IAC9B,OAAO,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;AAC/C,CAAC"}

package/dist/auth/hydra-oauth-auth-provider.d.ts

@@ -1,35 +0,0 @@
-import type { ConfigStore } from "../config/ports.js";
-import { DeviceFlow, type DevicePrompt } from "./device-flow.js";
-import type { Keychain } from "./keychain.js";
-import type { AuthProvider, BearerSource } from "./ports.js";
-export declare class HydraOAuthAuthProvider implements AuthProvider, BearerSource {
-    private readonly config;
-    private readonly keychain;
-    /** Surfaces the device code/URL to the user; injected so this stays renderer-agnostic. */
-    private readonly devicePrompt;
-    /** Allows tests to inject a stubbed DeviceFlow. */
-    private readonly makeFlow;
-    private tokens?;
-    private loaded;
-    constructor(config: ConfigStore, keychain: Keychain, 
-    /** Surfaces the device code/URL to the user; injected so this stays renderer-agnostic. */
-    devicePrompt?: DevicePrompt, 
-    /** Allows tests to inject a stubbed DeviceFlow. */
-    makeFlow?: (cfg: ConfigStore) => DeviceFlow);
-    getAuthHeader(): Promise<string>;
-    bearerToken(): Promise<string>;
-    /** Interactive sign-in via the device grant; persists the TokenSet to the keychain. */
-    login(): Promise<void>;
-    /** Revoke (best-effort) and clear cached + persisted credentials. */
-    logout(): Promise<void>;
-    /** Proactive/forced refresh. Returns false when no refresh token is available. */
-    refresh(): Promise<boolean>;
-    /** Stable subject id from the access token's `sub` claim (for transcript attribution). */
-    subject(): string;
-    private ensureValidToken;
-    private isExpiring;
-    private load;
-    private store;
-    private account;
-}
-//# sourceMappingURL=hydra-oauth-auth-provider.d.ts.map

package/dist/auth/hydra-oauth-auth-provider.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"hydra-oauth-auth-provider.d.ts","sourceRoot":"","sources":["../../src/auth/hydra-oauth-auth-provider.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAEtD,OAAO,EAAE,UAAU,EAAE,KAAK,YAAY,EAAiB,MAAM,kBAAkB,CAAC;AAChF,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAQ7D,qBAAa,sBAAuB,YAAW,YAAY,EAAE,YAAY;IAKrE,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,QAAQ;IACzB,0FAA0F;IAC1F,OAAO,CAAC,QAAQ,CAAC,YAAY;IAC7B,mDAAmD;IACnD,OAAO,CAAC,QAAQ,CAAC,QAAQ;IAT3B,OAAO,CAAC,MAAM,CAAC,CAAW;IAC1B,OAAO,CAAC,MAAM,CAAS;gBAGJ,MAAM,EAAE,WAAW,EACnB,QAAQ,EAAE,QAAQ;IACnC,0FAA0F;IACzE,YAAY,GAAE,YAA4B;IAC3D,mDAAmD;IAClC,QAAQ,GAAE,CAAC,GAAG,EAAE,WAAW,KAAK,UAA4B;IAGzE,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC;IAKhC,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC;IAKpC,uFAAuF;IACjF,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAM5B,qEAAqE;IAC/D,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;IAU7B,kFAAkF;IAC5E,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC;IAejC,0FAA0F;IAC1F,OAAO,IAAI,MAAM;YAYH,gBAAgB;IAiB9B,OAAO,CAAC,UAAU;YAKJ,IAAI;YAaJ,KAAK;IAMnB,OAAO,CAAC,OAAO;CAGhB"}

package/dist/auth/hydra-oauth-auth-provider.js

@@ -1,153 +0,0 @@
-// HydraOAuthAuthProvider — FULL-REMOTE authentication.
-//
-// SRP: orchestrates the OAuth2 Device Authorization Grant + PKCE (via DeviceFlow), caches the
-// resulting TokenSet, persists it in the Keychain, refreshes proactively before expiry, and yields a
-// `Bearer <access_jwt>` header. It owns token lifecycle and nothing else (the device-flow HTTP lives
-// in device-flow.ts; storage in keychain.ts).
-//
-// DIP: depends on the `Keychain` interface and a `DevicePrompt` callback, never on a concrete
-// keyring or the renderer.
-import { decodeJwt } from "jose";
-import { CliError } from "../core/errors.js";
-import { DeviceFlow } from "./device-flow.js";
-/** Keychain account under which the serialized TokenSet is stored, namespaced per profile. */
-const ACCOUNT_PREFIX = "hydra-tokens";
-/** Refresh this many ms before the access token's stated expiry to avoid mid-request 401s. */
-const REFRESH_SKEW_MS = 60_000;
-export class HydraOAuthAuthProvider {
-    config;
-    keychain;
-    devicePrompt;
-    makeFlow;
-    tokens;
-    loaded = false;
-    constructor(config, keychain, 
-    /** Surfaces the device code/URL to the user; injected so this stays renderer-agnostic. */
-    devicePrompt = defaultPrompt, 
-    /** Allows tests to inject a stubbed DeviceFlow. */
-    makeFlow = makeDefaultFlow) {
-        this.config = config;
-        this.keychain = keychain;
-        this.devicePrompt = devicePrompt;
-        this.makeFlow = makeFlow;
-    }
-    async getAuthHeader() {
-        const t = await this.ensureValidToken();
-        return `Bearer ${t.access_token}`;
-    }
-    async bearerToken() {
-        const t = await this.ensureValidToken();
-        return t.access_token;
-    }
-    /** Interactive sign-in via the device grant; persists the TokenSet to the keychain. */
-    async login() {
-        const flow = this.makeFlow(this.config);
-        const tokens = await flow.authorize(this.devicePrompt);
-        await this.store(tokens);
-    }
-    /** Revoke (best-effort) and clear cached + persisted credentials. */
-    async logout() {
-        await this.load();
-        const refresh = this.tokens?.refresh_token;
-        if (refresh) {
-            await this.makeFlow(this.config).revoke(refresh).catch(() => undefined);
-        }
-        this.tokens = undefined;
-        await this.keychain.delete(this.account());
-    }
-    /** Proactive/forced refresh. Returns false when no refresh token is available. */
-    async refresh() {
-        await this.load();
-        const refresh = this.tokens?.refresh_token;
-        if (!refresh)
-            return false;
-        try {
-            const next = await this.makeFlow(this.config).refresh(refresh);
-            // Hydra may not re-issue a refresh token; keep the prior one if absent.
-            if (!next.refresh_token)
-                next.refresh_token = refresh;
-            await this.store(next);
-            return true;
-        }
-        catch {
-            return false;
-        }
-    }
-    /** Stable subject id from the access token's `sub` claim (for transcript attribution). */
-    subject() {
-        if (!this.tokens?.access_token)
-            return "remote";
-        try {
-            const claims = decodeJwt(this.tokens.access_token);
-            return typeof claims.sub === "string" ? claims.sub : "remote";
-        }
-        catch {
-            return "remote";
-        }
-    }
-    // ── internals ───────────────────────────────────────────────────────────────
-    async ensureValidToken() {
-        await this.load();
-        if (!this.tokens?.access_token) {
-            throw CliError.auth("Not signed in.", "Run `pocketdev login`.");
-        }
-        if (this.isExpiring(this.tokens)) {
-            const ok = await this.refresh();
-            if (!ok) {
-                throw CliError.auth("Session expired and could not be refreshed.", "Run `pocketdev login`.");
-            }
-        }
-        return this.tokens;
-    }
-    isExpiring(t) {
-        if (!t.expiresAt)
-            return false; // no stated expiry → trust until the host returns 401
-        return Date.now() >= t.expiresAt - REFRESH_SKEW_MS;
-    }
-    async load() {
-        if (this.loaded)
-            return;
-        this.loaded = true;
-        const raw = await this.keychain.get(this.account());
-        if (raw) {
-            try {
-                this.tokens = JSON.parse(raw);
-            }
-            catch {
-                this.tokens = undefined;
-            }
-        }
-    }
-    async store(tokens) {
-        this.tokens = tokens;
-        this.loaded = true;
-        await this.keychain.set(this.account(), JSON.stringify(tokens));
-    }
-    account() {
-        return `${ACCOUNT_PREFIX}:${this.config.profile().name}`;
-    }
-}
-function makeDefaultFlow(config) {
-    const profile = config.profile();
-    const resolved = config.resolve();
-    const issuer = resolved.oidcIssuer ?? profile.oidcIssuer;
-    if (!issuer) {
-        throw CliError.config(`Remote profile "${profile.name}" has no OIDC issuer.`, "Set OIDC_ISSUER or add oidcIssuer to the profile in ~/.pocketdev/config.json.");
-    }
-    if (!profile.clientId) {
-        throw CliError.config(`Remote profile "${profile.name}" has no clientId.`);
-    }
-    return new DeviceFlow({
-        oidcIssuer: issuer,
-        clientId: profile.clientId,
-        scopes: profile.scopes ?? [],
-    });
-}
-/** Default prompt prints the device instructions to stderr so it works even in pipe mode. */
-const defaultPrompt = (info) => {
-    const target = info.verificationUriComplete ?? info.verificationUri;
-    process.stderr.write(`\nTo sign in, open:\n  ${target}\n` +
-        (info.verificationUriComplete ? "" : `and enter the code: ${info.userCode}\n`) +
-        `(expires in ${Math.floor(info.expiresIn / 60)}m)\n\n`);
-};
-//# sourceMappingURL=hydra-oauth-auth-provider.js.map

package/dist/auth/hydra-oauth-auth-provider.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"hydra-oauth-auth-provider.js","sourceRoot":"","sources":["../../src/auth/hydra-oauth-auth-provider.ts"],"names":[],"mappings":"AAAA,uDAAuD;AACvD,EAAE;AACF,8FAA8F;AAC9F,qGAAqG;AACrG,qGAAqG;AACrG,8CAA8C;AAC9C,EAAE;AACF,8FAA8F;AAC9F,2BAA2B;AAE3B,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAEjC,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAoC,MAAM,kBAAkB,CAAC;AAIhF,8FAA8F;AAC9F,MAAM,cAAc,GAAG,cAAc,CAAC;AAEtC,8FAA8F;AAC9F,MAAM,eAAe,GAAG,MAAM,CAAC;AAE/B,MAAM,OAAO,sBAAsB;IAKd;IACA;IAEA;IAEA;IATX,MAAM,CAAY;IAClB,MAAM,GAAG,KAAK,CAAC;IAEvB,YACmB,MAAmB,EACnB,QAAkB;IACnC,0FAA0F;IACzE,eAA6B,aAAa;IAC3D,mDAAmD;IAClC,WAA6C,eAAe;QAL5D,WAAM,GAAN,MAAM,CAAa;QACnB,aAAQ,GAAR,QAAQ,CAAU;QAElB,iBAAY,GAAZ,YAAY,CAA8B;QAE1C,aAAQ,GAAR,QAAQ,CAAoD;IAC5E,CAAC;IAEJ,KAAK,CAAC,aAAa;QACjB,MAAM,CAAC,GAAG,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACxC,OAAO,UAAU,CAAC,CAAC,YAAY,EAAE,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,WAAW;QACf,MAAM,CAAC,GAAG,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACxC,OAAO,CAAC,CAAC,YAAY,CAAC;IACxB,CAAC;IAED,uFAAuF;IACvF,KAAK,CAAC,KAAK;QACT,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACxC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACvD,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAC3B,CAAC;IAED,qEAAqE;IACrE,KAAK,CAAC,MAAM;QACV,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAClB,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,EAAE,aAAa,CAAC;QAC3C,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;QAC1E,CAAC;QACD,IAAI,CAAC,MAAM,GAAG,SAAS,CAAC;QACxB,MAAM,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED,kFAAkF;IAClF,KAAK,CAAC,OAAO;QACX,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAClB,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,EAAE,aAAa,CAAC;QAC3C,IAAI,CAAC,OAAO;YAAE,OAAO,KAAK,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YAC/D,wEAAwE;YACxE,IAAI,CAAC,IAAI,CAAC,aAAa;gBAAE,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC;YACtD,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACvB,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,0FAA0F;IAC1F,OAAO;QACL,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,YAAY;YAAE,OAAO,QAAQ,CAAC;QAChD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;YACnD,OAAO,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC;QAChE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,QAAQ,CAAC;QAClB,CAAC;IACH,CAAC;IAED,+EAA+E;IAEvE,KAAK,CAAC,gBAAgB;QAC5B,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,YAAY,EAAE,CAAC;YAC/B,MAAM,QAAQ,CAAC,IAAI,CAAC,gBAAgB,EAAE,wBAAwB,CAAC,CAAC;QAClE,CAAC;QACD,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YACjC,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;YAChC,IAAI,CAAC,EAAE,EAAE,CAAC;gBACR,MAAM,QAAQ,CAAC,IAAI,CACjB,6CAA6C,EAC7C,wBAAwB,CACzB,CAAC;YACJ,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAEO,UAAU,CAAC,CAAW;QAC5B,IAAI,CAAC,CAAC,CAAC,SAAS;YAAE,OAAO,KAAK,CAAC,CAAC,sDAAsD;QACtF,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,SAAS,GAAG,eAAe,CAAC;IACrD,CAAC;IAEO,KAAK,CAAC,IAAI;QAChB,IAAI,IAAI,CAAC,MAAM;YAAE,OAAO;QACxB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACnB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;QACpD,IAAI,GAAG,EAAE,CAAC;YACR,IAAI,CAAC;gBACH,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAa,CAAC;YAC5C,CAAC;YAAC,MAAM,CAAC;gBACP,IAAI,CAAC,MAAM,GAAG,SAAS,CAAC;YAC1B,CAAC;QACH,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,KAAK,CAAC,MAAgB;QAClC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACnB,MAAM,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IAClE,CAAC;IAEO,OAAO;QACb,OAAO,GAAG,cAAc,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,CAAC;IAC3D,CAAC;CACF;AAED,SAAS,eAAe,CAAC,MAAmB;IAC1C,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;IACjC,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;IAClC,MAAM,MAAM,GAAG,QAAQ,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU,CAAC;IACzD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,QAAQ,CAAC,MAAM,CACnB,mBAAmB,OAAO,CAAC,IAAI,uBAAuB,EACtD,+EAA+E,CAChF,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;QACtB,MAAM,QAAQ,CAAC,MAAM,CAAC,mBAAmB,OAAO,CAAC,IAAI,oBAAoB,CAAC,CAAC;IAC7E,CAAC;IACD,OAAO,IAAI,UAAU,CAAC;QACpB,UAAU,EAAE,MAAM;QAClB,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,EAAE;KAC7B,CAAC,CAAC;AACL,CAAC;AAED,6FAA6F;AAC7F,MAAM,aAAa,GAAiB,CAAC,IAAI,EAAE,EAAE;IAC3C,MAAM,MAAM,GAAG,IAAI,CAAC,uBAAuB,IAAI,IAAI,CAAC,eAAe,CAAC;IACpE,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,0BAA0B,MAAM,IAAI;QAClC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,uBAAuB,IAAI,CAAC,QAAQ,IAAI,CAAC;QAC9E,eAAe,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,GAAG,EAAE,CAAC,QAAQ,CACzD,CAAC;AACJ,CAAC,CAAC"}

package/dist/auth/keychain.d.ts

@@ -1,42 +0,0 @@
-/** Narrow port: get/set/delete a secret by account. Service name is fixed per Keychain instance. */
-export interface Keychain {
-    get(account: string): Promise<string | null>;
-    set(account: string, secret: string): Promise<void>;
-    delete(account: string): Promise<boolean>;
-}
-/**
- * OS-keychain-first Keychain with a 0600 file fallback.
- *
- * keytar is loaded lazily because it is a native module that may be absent on minimal CI images;
- * when it cannot load we transparently use the file store. This keeps `pocketdev login` working in
- * a pipeline pod without a desktop keyring.
- */
-export declare class OsKeychain implements Keychain {
-    private readonly service;
-    private keytar?;
-    private readonly fallback;
-    constructor(service?: string);
-    get(account: string): Promise<string | null>;
-    set(account: string, secret: string): Promise<void>;
-    delete(account: string): Promise<boolean>;
-    private loadKeytar;
-}
-/**
- * Plain-file credential store with restrictive permissions.
- *
- * Stores a JSON map { account: secret } at ~/.pocketdev/credentials.json with mode 0600. This is the
- * documented fallback for headless/CI; secrets here should be short-lived (refresh tokens, ideally
- * env-injected for non-interactive runs).
- */
-export declare class FileKeychain implements Keychain {
-    private readonly service;
-    private readonly file;
-    constructor(service?: string);
-    get(account: string): Promise<string | null>;
-    set(account: string, secret: string): Promise<void>;
-    delete(account: string): Promise<boolean>;
-    private key;
-    private read;
-    private write;
-}
-//# sourceMappingURL=keychain.d.ts.map

package/dist/auth/keychain.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"keychain.d.ts","sourceRoot":"","sources":["../../src/auth/keychain.ts"],"names":[],"mappings":"AAcA,oGAAoG;AACpG,MAAM,WAAW,QAAQ;IACvB,GAAG,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC7C,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpD,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CAC3C;AAWD;;;;;;GAMG;AACH,qBAAa,UAAW,YAAW,QAAQ;IAI7B,OAAO,CAAC,QAAQ,CAAC,OAAO;IAHpC,OAAO,CAAC,MAAM,CAAC,CAAoB;IACnC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAe;gBAEX,OAAO,GAAE,MAAgB;IAIhD,GAAG,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAY5C,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAanD,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;YAcjC,UAAU;CAUzB;AAED;;;;;;GAMG;AACH,qBAAa,YAAa,YAAW,QAAQ;IAG/B,OAAO,CAAC,QAAQ,CAAC,OAAO;IAFpC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAS;gBAED,OAAO,GAAE,MAAgB;IAIhD,GAAG,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAM5C,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAMnD,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAS/C,OAAO,CAAC,GAAG;IAIX,OAAO,CAAC,IAAI;IAUZ,OAAO,CAAC,KAAK;CAQd"}

package/dist/auth/keychain.js

@@ -1,138 +0,0 @@
-// Keychain — credential storage at rest.
-//
-// SRP: this module's single job is "persist/retrieve a secret string under (service, account)".
-// It prefers the OS keychain (macOS Keychain / libsecret / Windows Credential Manager via `keytar`)
-// and falls back to a chmod-0600 file under ~/.pocketdev for headless/CI machines where no keyring
-// daemon is available (docs §11/§15). The HydraOAuthAuthProvider depends on the `Keychain` interface
-// only — DIP — so tests substitute an in-memory fake.
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
-import { chmod } from "node:fs/promises";
-import { homedir } from "node:os";
-import { dirname, join } from "node:path";
-import { USER_DIR_NAME } from "../config/defaults.js";
-const SERVICE = "com.pocketdev.cli";
-/**
- * OS-keychain-first Keychain with a 0600 file fallback.
- *
- * keytar is loaded lazily because it is a native module that may be absent on minimal CI images;
- * when it cannot load we transparently use the file store. This keeps `pocketdev login` working in
- * a pipeline pod without a desktop keyring.
- */
-export class OsKeychain {
-    service;
-    keytar; // undefined = not tried, null = unavailable
-    fallback;
-    constructor(service = SERVICE) {
-        this.service = service;
-        this.fallback = new FileKeychain(service);
-    }
-    async get(account) {
-        const kt = await this.loadKeytar();
-        if (kt) {
-            try {
-                return await kt.getPassword(this.service, account);
-            }
-            catch {
-                // fall through to file store
-            }
-        }
-        return this.fallback.get(account);
-    }
-    async set(account, secret) {
-        const kt = await this.loadKeytar();
-        if (kt) {
-            try {
-                await kt.setPassword(this.service, account, secret);
-                return;
-            }
-            catch {
-                // fall through to file store
-            }
-        }
-        await this.fallback.set(account, secret);
-    }
-    async delete(account) {
-        const kt = await this.loadKeytar();
-        let removed = false;
-        if (kt) {
-            try {
-                removed = await kt.deletePassword(this.service, account);
-            }
-            catch {
-                // ignore; also try file store
-            }
-        }
-        const fileRemoved = await this.fallback.delete(account);
-        return removed || fileRemoved;
-    }
-    async loadKeytar() {
-        if (this.keytar !== undefined)
-            return this.keytar;
-        try {
-            const mod = (await import("keytar"));
-            this.keytar = mod.default ?? mod;
-        }
-        catch {
-            this.keytar = null; // native module unavailable → use file fallback
-        }
-        return this.keytar;
-    }
-}
-/**
- * Plain-file credential store with restrictive permissions.
- *
- * Stores a JSON map { account: secret } at ~/.pocketdev/credentials.json with mode 0600. This is the
- * documented fallback for headless/CI; secrets here should be short-lived (refresh tokens, ideally
- * env-injected for non-interactive runs).
- */
-export class FileKeychain {
-    service;
-    file;
-    constructor(service = SERVICE) {
-        this.service = service;
-        this.file = join(homedir(), USER_DIR_NAME, "credentials.json");
-    }
-    async get(account) {
-        const map = this.read();
-        const v = map[this.key(account)];
-        return v ?? null;
-    }
-    async set(account, secret) {
-        const map = this.read();
-        map[this.key(account)] = secret;
-        this.write(map);
-    }
-    async delete(account) {
-        const map = this.read();
-        const k = this.key(account);
-        if (!(k in map))
-            return false;
-        delete map[k];
-        this.write(map);
-        return true;
-    }
-    key(account) {
-        return `${this.service}:${account}`;
-    }
-    read() {
-        if (!existsSync(this.file))
-            return {};
-        try {
-            const parsed = JSON.parse(readFileSync(this.file, "utf8"));
-            return parsed && typeof parsed === "object" ? parsed : {};
-        }
-        catch {
-            return {};
-        }
-    }
-    write(map) {
-        const dir = dirname(this.file);
-        if (!existsSync(dir))
-            mkdirSync(dir, { recursive: true, mode: 0o700 });
-        // Write then tighten perms; { mode } on write does not lower an existing file's mode.
-        writeFileSync(this.file, JSON.stringify(map, null, 2), { encoding: "utf8", mode: 0o600 });
-        // Best-effort enforce 0600 even if the file pre-existed with looser perms.
-        void chmod(this.file, 0o600).catch(() => undefined);
-    }
-}
-//# sourceMappingURL=keychain.js.map

package/dist/auth/keychain.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"keychain.js","sourceRoot":"","sources":["../../src/auth/keychain.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,EAAE;AACF,gGAAgG;AAChG,oGAAoG;AACpG,mGAAmG;AACnG,qGAAqG;AACrG,sDAAsD;AAEtD,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAgBtD,MAAM,OAAO,GAAG,mBAAmB,CAAC;AAEpC;;;;;;GAMG;AACH,MAAM,OAAO,UAAU;IAIQ;IAHrB,MAAM,CAAqB,CAAC,4CAA4C;IAC/D,QAAQ,CAAe;IAExC,YAA6B,UAAkB,OAAO;QAAzB,YAAO,GAAP,OAAO,CAAkB;QACpD,IAAI,CAAC,QAAQ,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,OAAe;QACvB,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACnC,IAAI,EAAE,EAAE,CAAC;YACP,IAAI,CAAC;gBACH,OAAO,MAAM,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YACrD,CAAC;YAAC,MAAM,CAAC;gBACP,6BAA6B;YAC/B,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,OAAe,EAAE,MAAc;QACvC,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACnC,IAAI,EAAE,EAAE,CAAC;YACP,IAAI,CAAC;gBACH,MAAM,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;gBACpD,OAAO;YACT,CAAC;YAAC,MAAM,CAAC;gBACP,6BAA6B;YAC/B,CAAC;QACH,CAAC;QACD,MAAM,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC3C,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe;QAC1B,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACnC,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,IAAI,EAAE,EAAE,CAAC;YACP,IAAI,CAAC;gBACH,OAAO,GAAG,MAAM,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YAC3D,CAAC;YAAC,MAAM,CAAC;gBACP,8BAA8B;YAChC,CAAC;QACH,CAAC;QACD,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACxD,OAAO,OAAO,IAAI,WAAW,CAAC;IAChC,CAAC;IAEO,KAAK,CAAC,UAAU;QACtB,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS;YAAE,OAAO,IAAI,CAAC,MAAM,CAAC;QAClD,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,CAAC,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAqD,CAAC;YACzF,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,gDAAgD;QACtE,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;CACF;AAED;;;;;;GAMG;AACH,MAAM,OAAO,YAAY;IAGM;IAFZ,IAAI,CAAS;IAE9B,YAA6B,UAAkB,OAAO;QAAzB,YAAO,GAAP,OAAO,CAAkB;QACpD,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,aAAa,EAAE,kBAAkB,CAAC,CAAC;IACjE,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,OAAe;QACvB,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QACxB,MAAM,CAAC,GAAG,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;QACjC,OAAO,CAAC,IAAI,IAAI,CAAC;IACnB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,OAAe,EAAE,MAAc;QACvC,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QACxB,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,GAAG,MAAM,CAAC;QAChC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClB,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe;QAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QACxB,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC5B,IAAI,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QAC9B,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC;QACd,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,GAAG,CAAC,OAAe;QACzB,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,OAAO,EAAE,CAAC;IACtC,CAAC;IAEO,IAAI;QACV,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,OAAO,EAAE,CAAC;QACtC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAY,CAAC;YACtE,OAAO,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAE,MAAiC,CAAC,CAAC,CAAC,EAAE,CAAC;QACxF,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,GAA2B;QACvC,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACvE,sFAAsF;QACtF,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC1F,2EAA2E;QAC3E,KAAK,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;IACtD,CAAC;CACF"}

package/dist/auth/pkce.d.ts

@@ -1,20 +0,0 @@
-/** A PKCE pair: the secret verifier (sent at token time) and the S256 challenge (sent at auth time). */
-export interface PkcePair {
-    codeVerifier: string;
-    codeChallenge: string;
-    /** Always "S256" — plain is not used. */
-    method: "S256";
-}
-/** base64url-encode raw bytes without padding (RFC 4648 §5). */
-export declare function base64UrlEncode(bytes: Uint8Array): string;
-/** Generate `length` cryptographically-random bytes. */
-export declare function randomBytes(length: number): Uint8Array;
-/** Create a high-entropy code verifier (43–128 chars per RFC 7636 §4.1). */
-export declare function createCodeVerifier(): string;
-/** Compute the S256 code challenge for a verifier. */
-export declare function createCodeChallenge(verifier: string): Promise<string>;
-/** Convenience: generate a full PKCE pair. */
-export declare function createPkcePair(): Promise<PkcePair>;
-/** Opaque anti-CSRF state value. */
-export declare function createState(): string;
-//# sourceMappingURL=pkce.d.ts.map

package/dist/auth/pkce.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/auth/pkce.ts"],"names":[],"mappings":"AAMA,wGAAwG;AACxG,MAAM,WAAW,QAAQ;IACvB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,yCAAyC;IACzC,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,gEAAgE;AAChE,wBAAgB,eAAe,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAQzD;AAED,wDAAwD;AACxD,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CAItD;AAED,4EAA4E;AAC5E,wBAAgB,kBAAkB,IAAI,MAAM,CAG3C;AAED,sDAAsD;AACtD,wBAAsB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAI3E;AAED,8CAA8C;AAC9C,wBAAsB,cAAc,IAAI,OAAO,CAAC,QAAQ,CAAC,CAIxD;AAED,oCAAoC;AACpC,wBAAgB,WAAW,IAAI,MAAM,CAEpC"}

package/dist/auth/pkce.js

@@ -1,44 +0,0 @@
-// PKCE (RFC 7636) helpers for the device-authorization grant.
-//
-// SRP: this module only mints a `code_verifier`/`code_challenge` pair and the random `state`. No HTTP,
-// no storage. Used by device-flow.ts. We use Node's WebCrypto (`globalThis.crypto`) for SHA-256 and
-// CSPRNG bytes so there is no extra dependency.
-/** base64url-encode raw bytes without padding (RFC 4648 §5). */
-export function base64UrlEncode(bytes) {
-    let bin = "";
-    for (const b of bytes)
-        bin += String.fromCharCode(b);
-    return Buffer.from(bin, "binary")
-        .toString("base64")
-        .replace(/\+/g, "-")
-        .replace(/\//g, "_")
-        .replace(/=+$/, "");
-}
-/** Generate `length` cryptographically-random bytes. */
-export function randomBytes(length) {
-    const out = new Uint8Array(length);
-    globalThis.crypto.getRandomValues(out);
-    return out;
-}
-/** Create a high-entropy code verifier (43–128 chars per RFC 7636 §4.1). */
-export function createCodeVerifier() {
-    // 32 random bytes → 43 base64url chars, comfortably within the allowed range.
-    return base64UrlEncode(randomBytes(32));
-}
-/** Compute the S256 code challenge for a verifier. */
-export async function createCodeChallenge(verifier) {
-    const data = new TextEncoder().encode(verifier);
-    const digest = await globalThis.crypto.subtle.digest("SHA-256", data);
-    return base64UrlEncode(new Uint8Array(digest));
-}
-/** Convenience: generate a full PKCE pair. */
-export async function createPkcePair() {
-    const codeVerifier = createCodeVerifier();
-    const codeChallenge = await createCodeChallenge(codeVerifier);
-    return { codeVerifier, codeChallenge, method: "S256" };
-}
-/** Opaque anti-CSRF state value. */
-export function createState() {
-    return base64UrlEncode(randomBytes(16));
-}
-//# sourceMappingURL=pkce.js.map

package/dist/auth/pkce.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/auth/pkce.ts"],"names":[],"mappings":"AAAA,8DAA8D;AAC9D,EAAE;AACF,uGAAuG;AACvG,oGAAoG;AACpG,gDAAgD;AAUhD,gEAAgE;AAChE,MAAM,UAAU,eAAe,CAAC,KAAiB;IAC/C,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,MAAM,CAAC,IAAI,KAAK;QAAE,GAAG,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACrD,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC;SAC9B,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxB,CAAC;AAED,wDAAwD;AACxD,MAAM,UAAU,WAAW,CAAC,MAAc;IACxC,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IACnC,UAAU,CAAC,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;IACvC,OAAO,GAAG,CAAC;AACb,CAAC;AAED,4EAA4E;AAC5E,MAAM,UAAU,kBAAkB;IAChC,8EAA8E;IAC9E,OAAO,eAAe,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;AAC1C,CAAC;AAED,sDAAsD;AACtD,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,QAAgB;IACxD,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChD,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IACtE,OAAO,eAAe,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;AACjD,CAAC;AAED,8CAA8C;AAC9C,MAAM,CAAC,KAAK,UAAU,cAAc;IAClC,MAAM,YAAY,GAAG,kBAAkB,EAAE,CAAC;IAC1C,MAAM,aAAa,GAAG,MAAM,mBAAmB,CAAC,YAAY,CAAC,CAAC;IAC9D,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;AACzD,CAAC;AAED,oCAAoC;AACpC,MAAM,UAAU,WAAW;IACzB,OAAO,eAAe,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;AAC1C,CAAC"}

package/dist/auth/ports.d.ts

@@ -1,25 +0,0 @@
-export interface AuthProvider {
-    /**
-     * Returns the full `Authorization` header value, e.g. "Bearer eyJ…".
-     * Refreshes proactively if the token is near expiry.
-     */
-    getAuthHeader(): Promise<string>;
-    /** Interactive sign-in: the OAuth2 Device Authorization Grant + PKCE against Ory Hydra (RFC 8628). */
-    login(): Promise<void>;
-    /** Drop cached credentials: keychain entry + in-memory tokens. */
-    logout(): Promise<void>;
-    /**
-     * Force a refresh (called once on a 401 before falling back to re-login).
-     * Returns false when refresh is impossible (no refresh token).
-     */
-    refresh(): Promise<boolean>;
-    /** Stable subject id for transcript attribution: the `sub` claim. */
-    subject(): string;
-}
-/** Optional capability some providers expose for the WS handshake (token, not just header). */
-export interface BearerSource {
-    /** Raw bearer token (without the "Bearer " prefix) for `?token=` / handshake header reuse. */
-    bearerToken(): Promise<string>;
-}
-export declare function hasBearerSource(p: AuthProvider): p is AuthProvider & BearerSource;
-//# sourceMappingURL=ports.d.ts.map

package/dist/auth/ports.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"ports.d.ts","sourceRoot":"","sources":["../../src/auth/ports.ts"],"names":[],"mappings":"AAKA,MAAM,WAAW,YAAY;IAC3B;;;OAGG;IACH,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;IAEjC,sGAAsG;IACtG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAEvB,kEAAkE;IAClE,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAExB;;;OAGG;IACH,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;IAE5B,qEAAqE;IACrE,OAAO,IAAI,MAAM,CAAC;CACnB;AAED,+FAA+F;AAC/F,MAAM,WAAW,YAAY;IAC3B,8FAA8F;IAC9F,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;CAChC;AAED,wBAAgB,eAAe,CAAC,CAAC,EAAE,YAAY,GAAG,CAAC,IAAI,YAAY,GAAG,YAAY,CAEjF"}