@insureco/cli 0.1.9 → 0.1.11

package/dist/lib/forgejo.js

@@ -1,10 +1,64 @@
 import { homedir } from 'node:os';
 import { join } from 'node:path';
-import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'node:fs';
+import { existsSync, readFileSync, writeFileSync, mkdirSync, unlinkSync } from 'node:fs';
+import { randomBytes, createHash } from 'node:crypto';
 const FORGEJO_URL = 'https://git.insureco.io';
 const FORGEJO_ORG = 'insureco';
+const FORGEJO_OAUTH_CLIENT_ID = '01b2211c-35f9-46a1-b71e-4890bf821055';
 const CONFIG_DIR = join(homedir(), '.iec');
 const CREDENTIALS_FILE = join(CONFIG_DIR, 'forgejo-credentials.json');
+// PKCE utilities for OAuth2 public clients
+export function generateCodeVerifier() {
+    return randomBytes(32).toString('base64url');
+}
+export function generateCodeChallenge(verifier) {
+    return createHash('sha256').update(verifier).digest('base64url');
+}
+export function generateState() {
+    return randomBytes(16).toString('hex');
+}
+export function buildForgejoAuthUrl(codeChallenge, redirectUri, state) {
+    const params = new URLSearchParams({
+        client_id: FORGEJO_OAUTH_CLIENT_ID,
+        redirect_uri: redirectUri,
+        response_type: 'code',
+        code_challenge: codeChallenge,
+        code_challenge_method: 'S256',
+        state,
+    });
+    return `${FORGEJO_URL}/login/oauth/authorize?${params.toString()}`;
+}
+export async function exchangeCodeForToken(code, codeVerifier, redirectUri) {
+    const response = await fetch(`${FORGEJO_URL}/login/oauth/access_token`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            'Accept': 'application/json',
+        },
+        body: new URLSearchParams({
+            grant_type: 'authorization_code',
+            client_id: FORGEJO_OAUTH_CLIENT_ID,
+            code,
+            redirect_uri: redirectUri,
+            code_verifier: codeVerifier,
+        }),
+    });
+    if (!response.ok) {
+        const text = await response.text();
+        throw new Error(`Token exchange failed: ${text}`);
+    }
+    const data = (await response.json());
+    if (!data.access_token) {
+        throw new Error('No access token in response');
+    }
+    return {
+        url: FORGEJO_URL,
+        token: data.access_token,
+        tokenType: 'oauth2',
+        refreshToken: data.refresh_token,
+        expiresAt: new Date(Date.now() + data.expires_in * 1000).toISOString(),
+    };
+}
 function loadCredentials() {
     if (!existsSync(CREDENTIALS_FILE)) {
         return null;
@@ -26,33 +80,93 @@ function saveCredentials(credentials) {
 export class ForgejoClient {
     baseUrl;
     token;
-    constructor(url, token) {
+    tokenType;
+    refreshToken;
+    expiresAt;
+    constructor(url, token, tokenType = 'pat', refreshToken, expiresAt) {
         this.baseUrl = url.replace(/\/$/, '');
         this.token = token;
+        this.tokenType = tokenType;
+        this.refreshToken = refreshToken;
+        this.expiresAt = expiresAt;
+    }
+    isExpired() {
+        if (!this.expiresAt)
+            return false;
+        return new Date(this.expiresAt).getTime() < Date.now() - 60_000;
+    }
+    async tryRefresh() {
+        if (this.tokenType !== 'oauth2' || !this.refreshToken) {
+            return false;
+        }
+        try {
+            const response = await fetch(`${this.baseUrl}/login/oauth/access_token`, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/x-www-form-urlencoded',
+                    'Accept': 'application/json',
+                },
+                body: new URLSearchParams({
+                    grant_type: 'refresh_token',
+                    client_id: FORGEJO_OAUTH_CLIENT_ID,
+                    refresh_token: this.refreshToken,
+                }),
+            });
+            if (!response.ok)
+                return false;
+            const data = (await response.json());
+            if (!data.access_token)
+                return false;
+            const newToken = data.access_token;
+            const newRefreshToken = data.refresh_token;
+            const newExpiresAt = new Date(Date.now() + data.expires_in * 1000).toISOString();
+            // Persist to disk first — if this throws, in-memory state stays unchanged
+            saveCredentials({
+                url: this.baseUrl,
+                token: newToken,
+                tokenType: 'oauth2',
+                refreshToken: newRefreshToken,
+                expiresAt: newExpiresAt,
+            });
+            this.token = newToken;
+            this.refreshToken = newRefreshToken;
+            this.expiresAt = newExpiresAt;
+            return true;
+        }
+        catch {
+            return false;
+        }
     }
     static async create() {
         const creds = loadCredentials();
         if (!creds) {
-            throw new Error('Not authenticated with Forgejo. Run: iec git login');
+            throw new Error('Not authenticated with git.insureco.io. Run: iec login');
         }
-        return new ForgejoClient(creds.url, creds.token);
+        return new ForgejoClient(creds.url, creds.token, creds.tokenType || 'pat', creds.refreshToken, creds.expiresAt);
     }
-    static saveCredentials(url, token) {
-        saveCredentials({ url, token });
+    static saveCredentials(url, token, tokenType = 'pat', refreshToken, expiresAt) {
+        saveCredentials({ url, token, tokenType, refreshToken, expiresAt });
     }
     static hasCredentials() {
         return loadCredentials() !== null;
     }
     static clearCredentials() {
         if (existsSync(CREDENTIALS_FILE)) {
-            const { unlinkSync } = require('node:fs');
             unlinkSync(CREDENTIALS_FILE);
         }
     }
     async request(method, path, body) {
+        // Auto-refresh expired OAuth2 tokens before making the request
+        let didRefresh = false;
+        if (this.tokenType === 'oauth2' && this.isExpired()) {
+            didRefresh = await this.tryRefresh();
+        }
+        const authHeader = this.tokenType === 'oauth2'
+            ? `Bearer ${this.token}`
+            : `token ${this.token}`;
         const url = `${this.baseUrl}/api/v1${path}`;
         const headers = {
-            'Authorization': `token ${this.token}`,
+            'Authorization': authHeader,
             'Accept': 'application/json',
         };
         if (body) {
@@ -64,6 +178,27 @@ export class ForgejoClient {
                 headers,
                 body: body ? JSON.stringify(body) : undefined,
             });
+            // If 401 with OAuth2 and we haven't already refreshed, try once
+            if (response.status === 401 && this.tokenType === 'oauth2' && !didRefresh) {
+                const refreshed = await this.tryRefresh();
+                if (refreshed) {
+                    const retryHeaders = {
+                        ...headers,
+                        'Authorization': `Bearer ${this.token}`,
+                    };
+                    const retryResponse = await fetch(url, {
+                        method,
+                        headers: retryHeaders,
+                        body: body ? JSON.stringify(body) : undefined,
+                    });
+                    if (retryResponse.ok) {
+                        if (retryResponse.status === 204)
+                            return { success: true };
+                        const data = (await retryResponse.json());
+                        return { success: true, data };
+                    }
+                }
+            }
             if (!response.ok) {
                 const text = await response.text();
                 let errorMessage = `HTTP ${response.status}`;

package/dist/lib/forgejo.js.map

@@ -1 +1 @@
-{"version":3,"file":"forgejo.js","sourceRoot":"","sources":["../../src/lib/forgejo.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAA;AACjC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAA;AAChC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,SAAS,CAAA;AA6E5E,MAAM,WAAW,GAAG,yBAAyB,CAAA;AAC7C,MAAM,WAAW,GAAG,UAAU,CAAA;AAC9B,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,MAAM,CAAC,CAAA;AAC1C,MAAM,gBAAgB,GAAG,IAAI,CAAC,UAAU,EAAE,0BAA0B,CAAC,CAAA;AAErE,SAAS,eAAe;IACtB,IAAI,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAClC,OAAO,IAAI,CAAA;IACb,CAAC;IACD,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,YAAY,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAA;QACpD,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,WAA+B;IACtD,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;IAC5C,CAAC;IACD,aAAa,CAAC,gBAAgB,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAA;AACxF,CAAC;AAED,MAAM,OAAO,aAAa;IAChB,OAAO,CAAQ;IACf,KAAK,CAAQ;IAErB,YAAY,GAAW,EAAE,KAAa;QACpC,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;QACrC,IAAI,CAAC,KAAK,GAAG,KAAK,CAAA;IACpB,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,MAAM;QACjB,MAAM,KAAK,GAAG,eAAe,EAAE,CAAA;QAC/B,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CACb,oDAAoD,CACrD,CAAA;QACH,CAAC;QACD,OAAO,IAAI,aAAa,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,CAAC,KAAK,CAAC,CAAA;IAClD,CAAC;IAED,MAAM,CAAC,eAAe,CAAC,GAAW,EAAE,KAAa;QAC/C,eAAe,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAA;IACjC,CAAC;IAED,MAAM,CAAC,cAAc;QACnB,OAAO,eAAe,EAAE,KAAK,IAAI,CAAA;IACnC,CAAC;IAED,MAAM,CAAC,gBAAgB;QACrB,IAAI,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACjC,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;YACzC,UAAU,CAAC,gBAAgB,CAAC,CAAA;QAC9B,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,OAAO,CACnB,MAAc,EACd,IAAY,EACZ,IAAc;QAEd,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,UAAU,IAAI,EAAE,CAAA;QAC3C,MAAM,OAAO,GAA2B;YACtC,eAAe,EAAE,SAAS,IAAI,CAAC,KAAK,EAAE;YACtC,QAAQ,EAAE,kBAAkB;SAC7B,CAAA;QAED,IAAI,IAAI,EAAE,CAAC;YACT,OAAO,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAA;QAC9C,CAAC;QAED,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAChC,MAAM;gBACN,OAAO;gBACP,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;aAC9C,CAAC,CAAA;YAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;gBAClC,IAAI,YAAY,GAAG,QAAQ,QAAQ,CAAC,MAAM,EAAE,CAAA;gBAC5C,IAAI,CAAC;oBACH,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;oBAClC,YAAY,GAAG,SAAS,CAAC,OAAO,IAAI,YAAY,CAAA;gBAClD,CAAC;gBAAC,MAAM,CAAC;oBACP,YAAY,GAAG,IAAI,IAAI,YAAY,CAAA;gBACrC,CAAC;gBACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,EAAE,CAAA;YAC7D,CAAC;YAED,wBAAwB;YACxB,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;YAC1B,CAAC;YAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAM,CAAA;YACzC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;QAChC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,EAAE,OAAO,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE;aAC7E,CAAA;QACH,CAAC;IACH,CAAC;IAED,kBAAkB;IAClB,KAAK,CAAC,cAAc;QAClB,OAAO,IAAI,CAAC,OAAO,CAAc,KAAK,EAAE,OAAO,CAAC,CAAA;IAClD,CAAC;IAED,wBAAwB;IACxB,KAAK,CAAC,SAAS;QACb,OAAO,IAAI,CAAC,OAAO,CAAsB,KAAK,EAAE,SAAS,WAAW,QAAQ,CAAC,CAAA;IAC/E,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,IAAY;QACxB,OAAO,IAAI,CAAC,OAAO,CAAoB,KAAK,EAAE,UAAU,WAAW,IAAI,IAAI,EAAE,CAAC,CAAA;IAChF,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,IAA8B;QAC7C,OAAO,IAAI,CAAC,OAAO,CAAoB,MAAM,EAAE,SAAS,WAAW,QAAQ,EAAE;YAC3E,GAAG,IAAI;YACP,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,IAAI;YAC7B,SAAS,EAAE,IAAI,CAAC,SAAS,IAAI,IAAI;YACjC,cAAc,EAAE,IAAI,CAAC,cAAc,IAAI,MAAM;SAC9C,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,IAAY;QAC3B,OAAO,IAAI,CAAC,OAAO,CAAO,QAAQ,EAAE,UAAU,WAAW,IAAI,IAAI,EAAE,CAAC,CAAA;IACtE,CAAC;IAED,qBAAqB;IACrB,KAAK,CAAC,YAAY,CAAC,QAAgB;QACjC,OAAO,IAAI,CAAC,OAAO,CAAmB,KAAK,EAAE,UAAU,WAAW,IAAI,QAAQ,QAAQ,CAAC,CAAA;IACzF,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,QAAgB,EAChB,IAAiC;QAEjC,OAAO,IAAI,CAAC,OAAO,CAAiB,MAAM,EAAE,UAAU,WAAW,IAAI,QAAQ,QAAQ,EAAE,IAAI,CAAC,CAAA;IAC9F,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,QAAgB,EAAE,SAAiB;QACrD,OAAO,IAAI,CAAC,OAAO,CAAO,QAAQ,EAAE,UAAU,WAAW,IAAI,QAAQ,UAAU,SAAS,EAAE,CAAC,CAAA;IAC7F,CAAC;IAED,qBAAqB;IACrB,KAAK,CAAC,WAAW;QACf,OAAO,IAAI,CAAC,OAAO,CAAkB,KAAK,EAAE,YAAY,CAAC,CAAA;IAC3D,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,KAAa,EAAE,GAAW;QACxC,OAAO,IAAI,CAAC,OAAO,CAAgB,MAAM,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAA;IAC1E,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,KAAa;QAC9B,OAAO,IAAI,CAAC,OAAO,CAAO,QAAQ,EAAE,cAAc,KAAK,EAAE,CAAC,CAAA;IAC5D,CAAC;CACF;AAED,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,CAAA"}
+{"version":3,"file":"forgejo.js","sourceRoot":"","sources":["../../src/lib/forgejo.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAA;AACjC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAA;AAChC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,SAAS,CAAA;AACxF,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAgFrD,MAAM,WAAW,GAAG,yBAAyB,CAAA;AAC7C,MAAM,WAAW,GAAG,UAAU,CAAA;AAC9B,MAAM,uBAAuB,GAAG,sCAAsC,CAAA;AACtE,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,MAAM,CAAC,CAAA;AAC1C,MAAM,gBAAgB,GAAG,IAAI,CAAC,UAAU,EAAE,0BAA0B,CAAC,CAAA;AAErE,2CAA2C;AAC3C,MAAM,UAAU,oBAAoB;IAClC,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;AAC9C,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,QAAgB;IACpD,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAA;AAClE,CAAC;AAED,MAAM,UAAU,aAAa;IAC3B,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;AACxC,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,aAAqB,EAAE,WAAmB,EAAE,KAAa;IAC3F,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,SAAS,EAAE,uBAAuB;QAClC,YAAY,EAAE,WAAW;QACzB,aAAa,EAAE,MAAM;QACrB,cAAc,EAAE,aAAa;QAC7B,qBAAqB,EAAE,MAAM;QAC7B,KAAK;KACN,CAAC,CAAA;IACF,OAAO,GAAG,WAAW,0BAA0B,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAA;AACpE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,IAAY,EACZ,YAAoB,EACpB,WAAmB;IAEnB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,WAAW,2BAA2B,EAAE;QACtE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,mCAAmC;YACnD,QAAQ,EAAE,kBAAkB;SAC7B;QACD,IAAI,EAAE,IAAI,eAAe,CAAC;YACxB,UAAU,EAAE,oBAAoB;YAChC,SAAS,EAAE,uBAAuB;YAClC,IAAI;YACJ,YAAY,EAAE,WAAW;YACzB,aAAa,EAAE,YAAY;SAC5B,CAAC;KACH,CAAC,CAAA;IAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;QAClC,MAAM,IAAI,KAAK,CAAC,0BAA0B,IAAI,EAAE,CAAC,CAAA;IACnD,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAKlC,CAAA;IAED,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAA;IAChD,CAAC;IAED,OAAO;QACL,GAAG,EAAE,WAAW;QAChB,KAAK,EAAE,IAAI,CAAC,YAAY;QACxB,SAAS,EAAE,QAAQ;QACnB,YAAY,EAAE,IAAI,CAAC,aAAa;QAChC,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;KACvE,CAAA;AACH,CAAC;AAED,SAAS,eAAe;IACtB,IAAI,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAClC,OAAO,IAAI,CAAA;IACb,CAAC;IACD,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,YAAY,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAA;QACpD,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,WAA+B;IACtD,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;IAC5C,CAAC;IACD,aAAa,CAAC,gBAAgB,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAA;AACxF,CAAC;AAED,MAAM,OAAO,aAAa;IAChB,OAAO,CAAQ;IACf,KAAK,CAAQ;IACb,SAAS,CAAkB;IAC3B,YAAY,CAAS;IACrB,SAAS,CAAS;IAE1B,YACE,GAAW,EACX,KAAa,EACb,YAA8B,KAAK,EACnC,YAAqB,EACrB,SAAkB;QAElB,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;QACrC,IAAI,CAAC,KAAK,GAAG,KAAK,CAAA;QAClB,IAAI,CAAC,SAAS,GAAG,SAAS,CAAA;QAC1B,IAAI,CAAC,YAAY,GAAG,YAAY,CAAA;QAChC,IAAI,CAAC,SAAS,GAAG,SAAS,CAAA;IAC5B,CAAC;IAEO,SAAS;QACf,IAAI,CAAC,IAAI,CAAC,SAAS;YAAE,OAAO,KAAK,CAAA;QACjC,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAA;IACjE,CAAC;IAEO,KAAK,CAAC,UAAU;QACtB,IAAI,IAAI,CAAC,SAAS,KAAK,QAAQ,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACtD,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,2BAA2B,EAAE;gBACvE,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,mCAAmC;oBACnD,QAAQ,EAAE,kBAAkB;iBAC7B;gBACD,IAAI,EAAE,IAAI,eAAe,CAAC;oBACxB,UAAU,EAAE,eAAe;oBAC3B,SAAS,EAAE,uBAAuB;oBAClC,aAAa,EAAE,IAAI,CAAC,YAAY;iBACjC,CAAC;aACH,CAAC,CAAA;YAEF,IAAI,CAAC,QAAQ,CAAC,EAAE;gBAAE,OAAO,KAAK,CAAA;YAE9B,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAIlC,CAAA;YAED,IAAI,CAAC,IAAI,CAAC,YAAY;gBAAE,OAAO,KAAK,CAAA;YAEpC,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAA;YAClC,MAAM,eAAe,GAAG,IAAI,CAAC,aAAa,CAAA;YAC1C,MAAM,YAAY,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAA;YAEhF,0EAA0E;YAC1E,eAAe,CAAC;gBACd,GAAG,EAAE,IAAI,CAAC,OAAO;gBACjB,KAAK,EAAE,QAAQ;gBACf,SAAS,EAAE,QAAQ;gBACnB,YAAY,EAAE,eAAe;gBAC7B,SAAS,EAAE,YAAY;aACxB,CAAC,CAAA;YAEF,IAAI,CAAC,KAAK,GAAG,QAAQ,CAAA;YACrB,IAAI,CAAC,YAAY,GAAG,eAAe,CAAA;YACnC,IAAI,CAAC,SAAS,GAAG,YAAY,CAAA;YAE7B,OAAO,IAAI,CAAA;QACb,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,MAAM;QACjB,MAAM,KAAK,GAAG,eAAe,EAAE,CAAA;QAC/B,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CACb,wDAAwD,CACzD,CAAA;QACH,CAAC;QACD,OAAO,IAAI,aAAa,CACtB,KAAK,CAAC,GAAG,EACT,KAAK,CAAC,KAAK,EACX,KAAK,CAAC,SAAS,IAAI,KAAK,EACxB,KAAK,CAAC,YAAY,EAClB,KAAK,CAAC,SAAS,CAChB,CAAA;IACH,CAAC;IAED,MAAM,CAAC,eAAe,CACpB,GAAW,EACX,KAAa,EACb,YAA8B,KAAK,EACnC,YAAqB,EACrB,SAAkB;QAElB,eAAe,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,SAAS,EAAE,YAAY,EAAE,SAAS,EAAE,CAAC,CAAA;IACrE,CAAC;IAED,MAAM,CAAC,cAAc;QACnB,OAAO,eAAe,EAAE,KAAK,IAAI,CAAA;IACnC,CAAC;IAED,MAAM,CAAC,gBAAgB;QACrB,IAAI,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACjC,UAAU,CAAC,gBAAgB,CAAC,CAAA;QAC9B,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,OAAO,CACnB,MAAc,EACd,IAAY,EACZ,IAAc;QAEd,+DAA+D;QAC/D,IAAI,UAAU,GAAG,KAAK,CAAA;QACtB,IAAI,IAAI,CAAC,SAAS,KAAK,QAAQ,IAAI,IAAI,CAAC,SAAS,EAAE,EAAE,CAAC;YACpD,UAAU,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAA;QACtC,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,KAAK,QAAQ;YAC5C,CAAC,CAAC,UAAU,IAAI,CAAC,KAAK,EAAE;YACxB,CAAC,CAAC,SAAS,IAAI,CAAC,KAAK,EAAE,CAAA;QAEzB,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,UAAU,IAAI,EAAE,CAAA;QAC3C,MAAM,OAAO,GAA2B;YACtC,eAAe,EAAE,UAAU;YAC3B,QAAQ,EAAE,kBAAkB;SAC7B,CAAA;QAED,IAAI,IAAI,EAAE,CAAC;YACT,OAAO,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAA;QAC9C,CAAC;QAED,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAChC,MAAM;gBACN,OAAO;gBACP,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;aAC9C,CAAC,CAAA;YAEF,gEAAgE;YAChE,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,SAAS,KAAK,QAAQ,IAAI,CAAC,UAAU,EAAE,CAAC;gBAC1E,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAA;gBACzC,IAAI,SAAS,EAAE,CAAC;oBACd,MAAM,YAAY,GAAG;wBACnB,GAAG,OAAO;wBACV,eAAe,EAAE,UAAU,IAAI,CAAC,KAAK,EAAE;qBACxC,CAAA;oBACD,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;wBACrC,MAAM;wBACN,OAAO,EAAE,YAAY;wBACrB,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;qBAC9C,CAAC,CAAA;oBACF,IAAI,aAAa,CAAC,EAAE,EAAE,CAAC;wBACrB,IAAI,aAAa,CAAC,MAAM,KAAK,GAAG;4BAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;wBAC1D,MAAM,IAAI,GAAG,CAAC,MAAM,aAAa,CAAC,IAAI,EAAE,CAAM,CAAA;wBAC9C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;oBAChC,CAAC;gBACH,CAAC;YACH,CAAC;YAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;gBAClC,IAAI,YAAY,GAAG,QAAQ,QAAQ,CAAC,MAAM,EAAE,CAAA;gBAC5C,IAAI,CAAC;oBACH,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;oBAClC,YAAY,GAAG,SAAS,CAAC,OAAO,IAAI,YAAY,CAAA;gBAClD,CAAC;gBAAC,MAAM,CAAC;oBACP,YAAY,GAAG,IAAI,IAAI,YAAY,CAAA;gBACrC,CAAC;gBACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,EAAE,CAAA;YAC7D,CAAC;YAED,wBAAwB;YACxB,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;YAC1B,CAAC;YAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAM,CAAA;YACzC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;QAChC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,EAAE,OAAO,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE;aAC7E,CAAA;QACH,CAAC;IACH,CAAC;IAED,kBAAkB;IAClB,KAAK,CAAC,cAAc;QAClB,OAAO,IAAI,CAAC,OAAO,CAAc,KAAK,EAAE,OAAO,CAAC,CAAA;IAClD,CAAC;IAED,wBAAwB;IACxB,KAAK,CAAC,SAAS;QACb,OAAO,IAAI,CAAC,OAAO,CAAsB,KAAK,EAAE,SAAS,WAAW,QAAQ,CAAC,CAAA;IAC/E,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,IAAY;QACxB,OAAO,IAAI,CAAC,OAAO,CAAoB,KAAK,EAAE,UAAU,WAAW,IAAI,IAAI,EAAE,CAAC,CAAA;IAChF,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,IAA8B;QAC7C,OAAO,IAAI,CAAC,OAAO,CAAoB,MAAM,EAAE,SAAS,WAAW,QAAQ,EAAE;YAC3E,GAAG,IAAI;YACP,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,IAAI;YAC7B,SAAS,EAAE,IAAI,CAAC,SAAS,IAAI,IAAI;YACjC,cAAc,EAAE,IAAI,CAAC,cAAc,IAAI,MAAM;SAC9C,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,IAAY;QAC3B,OAAO,IAAI,CAAC,OAAO,CAAO,QAAQ,EAAE,UAAU,WAAW,IAAI,IAAI,EAAE,CAAC,CAAA;IACtE,CAAC;IAED,qBAAqB;IACrB,KAAK,CAAC,YAAY,CAAC,QAAgB;QACjC,OAAO,IAAI,CAAC,OAAO,CAAmB,KAAK,EAAE,UAAU,WAAW,IAAI,QAAQ,QAAQ,CAAC,CAAA;IACzF,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,QAAgB,EAChB,IAAiC;QAEjC,OAAO,IAAI,CAAC,OAAO,CAAiB,MAAM,EAAE,UAAU,WAAW,IAAI,QAAQ,QAAQ,EAAE,IAAI,CAAC,CAAA;IAC9F,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,QAAgB,EAAE,SAAiB;QACrD,OAAO,IAAI,CAAC,OAAO,CAAO,QAAQ,EAAE,UAAU,WAAW,IAAI,QAAQ,UAAU,SAAS,EAAE,CAAC,CAAA;IAC7F,CAAC;IAED,qBAAqB;IACrB,KAAK,CAAC,WAAW;QACf,OAAO,IAAI,CAAC,OAAO,CAAkB,KAAK,EAAE,YAAY,CAAC,CAAA;IAC3D,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,KAAa,EAAE,GAAW;QACxC,OAAO,IAAI,CAAC,OAAO,CAAgB,MAAM,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAA;IAC1E,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,KAAa;QAC9B,OAAO,IAAI,CAAC,OAAO,CAAO,QAAQ,EAAE,cAAc,KAAK,EAAE,CAAC,CAAA;IAC5D,CAAC;CACF;AAED,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,CAAA"}

package/dist/lib/watch.d.ts

@@ -0,0 +1,26 @@
+import type { BuilderClient } from './builder.js';
+interface WatchOptions {
+    /** Max consecutive transient errors before giving up (default: 10) */
+    maxRetries?: number;
+    /** Base poll interval in ms (default: 3000) */
+    pollInterval?: number;
+    /** Max poll interval in ms during backoff (default: 15000) */
+    maxPollInterval?: number;
+    /** Max total watch duration in ms (default: 30 minutes) */
+    timeout?: number;
+    /** Stream build logs incrementally (default: true) */
+    streamLogs?: boolean;
+    /** Label for terminal output — e.g. "Build", "Deployment", "Rollback" */
+    label?: string;
+}
+export declare class WatchError extends Error {
+    readonly buildId: string;
+    constructor(message: string, buildId: string);
+}
+/**
+ * Watch a build's progress with retry logic, backoff, and incremental log streaming.
+ * Throws WatchError on timeout, max retries, or build failure.
+ */
+export declare function watchBuild(builder: BuilderClient, buildId: string, options?: WatchOptions): Promise<void>;
+export {};
+//# sourceMappingURL=watch.d.ts.map

package/dist/lib/watch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"watch.d.ts","sourceRoot":"","sources":["../../src/lib/watch.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,cAAc,CAAA;AAmBjD,UAAU,YAAY;IACpB,sEAAsE;IACtE,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,+CAA+C;IAC/C,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,8DAA8D;IAC9D,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,2DAA2D;IAC3D,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,sDAAsD;IACtD,UAAU,CAAC,EAAE,OAAO,CAAA;IACpB,yEAAyE;IACzE,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAED,qBAAa,UAAW,SAAQ,KAAK;aACU,OAAO,EAAE,MAAM;gBAAhD,OAAO,EAAE,MAAM,EAAkB,OAAO,EAAE,MAAM;CAI7D;AAMD;;;GAGG;AACH,wBAAsB,UAAU,CAC9B,OAAO,EAAE,aAAa,EACtB,OAAO,EAAE,MAAM,EACf,OAAO,GAAE,YAAiB,GACzB,OAAO,CAAC,IAAI,CAAC,CAgGf"}

package/dist/lib/watch.js

@@ -0,0 +1,136 @@
+import { log } from './output.js';
+const TERMINAL_STATES = ['completed', 'failed', 'cancelled'];
+const STATUS_ICONS = {
+    queued: '\u23f3', // hourglass
+    cloning: '\ud83d\udce5', // inbox
+    building: '\ud83d\udd28', // hammer
+    pushing: '\ud83d\udce4', // outbox
+    deploying: '\ud83d\ude80', // rocket
+    completed: '\u2705', // check
+    failed: '\u274c', // x
+    cancelled: '\u26d4', // no entry
+};
+export class WatchError extends Error {
+    buildId;
+    constructor(message, buildId) {
+        super(message);
+        this.buildId = buildId;
+        this.name = 'WatchError';
+    }
+}
+function isTransientError(code) {
+    return code === 'NON_JSON_RESPONSE' || code === 'HTTP_ERROR';
+}
+/**
+ * Watch a build's progress with retry logic, backoff, and incremental log streaming.
+ * Throws WatchError on timeout, max retries, or build failure.
+ */
+export async function watchBuild(builder, buildId, options = {}) {
+    const { maxRetries = 10, pollInterval = 3000, maxPollInterval = 15000, timeout = 30 * 60 * 1000, streamLogs = true, label = 'Build', } = options;
+    let lastStatus = '';
+    let consecutiveErrors = 0;
+    let currentInterval = pollInterval;
+    let logLinesSeen = 0;
+    const startTime = Date.now();
+    while (true) {
+        // Timeout guard
+        if (Date.now() - startTime > timeout) {
+            log.error(`${label} watch timed out after ${Math.round(timeout / 60000)} minutes`);
+            log.dim(`  The build may still be running. Check status with:`);
+            log.dim(`  iec status --build ${buildId}`);
+            throw new WatchError('Watch timed out', buildId);
+        }
+        const result = await builder.getBuild(buildId);
+        if (!result.success || !result.data) {
+            consecutiveErrors++;
+            const errMsg = result.error?.message || 'Unknown error';
+            if (consecutiveErrors >= maxRetries) {
+                log.error(`${label} watch failed after ${maxRetries} consecutive errors`);
+                log.dim(`  Last error: ${errMsg}`);
+                log.dim(`  The build may still be running. Check status with:`);
+                log.dim(`  iec status --build ${buildId}`);
+                throw new WatchError(`Failed after ${maxRetries} consecutive errors: ${errMsg}`, buildId);
+            }
+            if (isTransientError(result.error?.code)) {
+                // Backoff on transient errors (Cloudflare HTML pages, 502s, etc.)
+                currentInterval = Math.min(currentInterval * 1.5, maxPollInterval);
+                log.warning(`${label} status unavailable (${consecutiveErrors}/${maxRetries}), retrying...`);
+                log.dim(`  ${errMsg}`);
+            }
+            else {
+                throw new WatchError(`Failed to get build status: ${errMsg}`, buildId);
+            }
+            await delay(currentInterval);
+            continue;
+        }
+        // Successful response — reset error state and interval
+        consecutiveErrors = 0;
+        currentInterval = pollInterval;
+        const build = result.data;
+        // Print status transition
+        if (build.status !== lastStatus) {
+            lastStatus = build.status;
+            const icon = STATUS_ICONS[build.status] || '\u2022';
+            log.info(`${icon} ${build.status}`);
+        }
+        // Stream incremental logs
+        if (streamLogs) {
+            logLinesSeen = await printNewLogs(builder, buildId, logLinesSeen);
+        }
+        // Check for terminal state
+        if (TERMINAL_STATES.includes(build.status)) {
+            log.info('');
+            if (build.status === 'completed') {
+                log.success(`${label} completed successfully!`);
+                if (build.imageTag) {
+                    log.dim(`  Image: ${build.imageTag}`);
+                }
+                return;
+            }
+            else if (build.status === 'cancelled') {
+                log.warning(`${label} was cancelled`);
+                return;
+            }
+            else {
+                log.error(`${label} failed`);
+                if (build.error) {
+                    log.dim(`  Error: ${build.error}`);
+                }
+                log.info('');
+                log.info('View full logs:');
+                log.dim(`  iec logs --build ${buildId}`);
+                throw new WatchError(`${label} failed: ${build.error || 'Unknown error'}`, buildId);
+            }
+        }
+        await delay(currentInterval);
+    }
+}
+async function printNewLogs(builder, buildId, linesSeen) {
+    try {
+        const result = await builder.getBuildLogs(buildId);
+        if (!result.success || !result.data) {
+            return linesSeen;
+        }
+        const logs = Array.isArray(result.data.logs)
+            ? result.data.logs
+            : typeof result.data.logs === 'string'
+                ? result.data.logs.split('\n')
+                : [];
+        if (logs.length > linesSeen) {
+            const newLines = logs.slice(linesSeen);
+            for (const line of newLines) {
+                log.dim(`  ${line}`);
+            }
+            return logs.length;
+        }
+        return linesSeen;
+    }
+    catch {
+        // Log fetching is best-effort, don't interrupt the watch
+        return linesSeen;
+    }
+}
+function delay(ms) {
+    return new Promise(resolve => setTimeout(resolve, ms));
+}
+//# sourceMappingURL=watch.js.map

package/dist/lib/watch.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"watch.js","sourceRoot":"","sources":["../../src/lib/watch.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,GAAG,EAAE,MAAM,aAAa,CAAA;AAIjC,MAAM,eAAe,GAAkB,CAAC,WAAW,EAAE,QAAQ,EAAE,WAAW,CAAC,CAAA;AAE3E,MAAM,YAAY,GAA2B;IAC3C,MAAM,EAAE,QAAQ,EAAQ,YAAY;IACpC,OAAO,EAAE,cAAc,EAAM,QAAQ;IACrC,QAAQ,EAAE,cAAc,EAAK,SAAS;IACtC,OAAO,EAAE,cAAc,EAAM,SAAS;IACtC,SAAS,EAAE,cAAc,EAAI,SAAS;IACtC,SAAS,EAAE,QAAQ,EAAK,QAAQ;IAChC,MAAM,EAAE,QAAQ,EAAQ,IAAI;IAC5B,SAAS,EAAE,QAAQ,EAAK,WAAW;CACpC,CAAA;AAiBD,MAAM,OAAO,UAAW,SAAQ,KAAK;IACU;IAA7C,YAAY,OAAe,EAAkB,OAAe;QAC1D,KAAK,CAAC,OAAO,CAAC,CAAA;QAD6B,YAAO,GAAP,OAAO,CAAQ;QAE1D,IAAI,CAAC,IAAI,GAAG,YAAY,CAAA;IAC1B,CAAC;CACF;AAED,SAAS,gBAAgB,CAAC,IAAwB;IAChD,OAAO,IAAI,KAAK,mBAAmB,IAAI,IAAI,KAAK,YAAY,CAAA;AAC9D,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,OAAsB,EACtB,OAAe,EACf,UAAwB,EAAE;IAE1B,MAAM,EACJ,UAAU,GAAG,EAAE,EACf,YAAY,GAAG,IAAI,EACnB,eAAe,GAAG,KAAK,EACvB,OAAO,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,EACxB,UAAU,GAAG,IAAI,EACjB,KAAK,GAAG,OAAO,GAChB,GAAG,OAAO,CAAA;IAEX,IAAI,UAAU,GAAqB,EAAE,CAAA;IACrC,IAAI,iBAAiB,GAAG,CAAC,CAAA;IACzB,IAAI,eAAe,GAAG,YAAY,CAAA;IAClC,IAAI,YAAY,GAAG,CAAC,CAAA;IACpB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IAE5B,OAAO,IAAI,EAAE,CAAC;QACZ,gBAAgB;QAChB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,OAAO,EAAE,CAAC;YACrC,GAAG,CAAC,KAAK,CAAC,GAAG,KAAK,0BAA0B,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,KAAK,CAAC,UAAU,CAAC,CAAA;YAClF,GAAG,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAA;YAC/D,GAAG,CAAC,GAAG,CAAC,wBAAwB,OAAO,EAAE,CAAC,CAAA;YAC1C,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAA;QAClD,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAA;QAE9C,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACpC,iBAAiB,EAAE,CAAA;YACnB,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,EAAE,OAAO,IAAI,eAAe,CAAA;YAEvD,IAAI,iBAAiB,IAAI,UAAU,EAAE,CAAC;gBACpC,GAAG,CAAC,KAAK,CAAC,GAAG,KAAK,uBAAuB,UAAU,qBAAqB,CAAC,CAAA;gBACzE,GAAG,CAAC,GAAG,CAAC,iBAAiB,MAAM,EAAE,CAAC,CAAA;gBAClC,GAAG,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAA;gBAC/D,GAAG,CAAC,GAAG,CAAC,wBAAwB,OAAO,EAAE,CAAC,CAAA;gBAC1C,MAAM,IAAI,UAAU,CAAC,gBAAgB,UAAU,wBAAwB,MAAM,EAAE,EAAE,OAAO,CAAC,CAAA;YAC3F,CAAC;YAED,IAAI,gBAAgB,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,EAAE,CAAC;gBACzC,kEAAkE;gBAClE,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC,eAAe,GAAG,GAAG,EAAE,eAAe,CAAC,CAAA;gBAClE,GAAG,CAAC,OAAO,CAAC,GAAG,KAAK,wBAAwB,iBAAiB,IAAI,UAAU,gBAAgB,CAAC,CAAA;gBAC5F,GAAG,CAAC,GAAG,CAAC,KAAK,MAAM,EAAE,CAAC,CAAA;YACxB,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,UAAU,CAAC,+BAA+B,MAAM,EAAE,EAAE,OAAO,CAAC,CAAA;YACxE,CAAC;YAED,MAAM,KAAK,CAAC,eAAe,CAAC,CAAA;YAC5B,SAAQ;QACV,CAAC;QAED,uDAAuD;QACvD,iBAAiB,GAAG,CAAC,CAAA;QACrB,eAAe,GAAG,YAAY,CAAA;QAE9B,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAA;QAEzB,0BAA0B;QAC1B,IAAI,KAAK,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YAChC,UAAU,GAAG,KAAK,CAAC,MAAM,CAAA;YACzB,MAAM,IAAI,GAAG,YAAY,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,QAAQ,CAAA;YACnD,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC,CAAA;QACrC,CAAC;QAED,0BAA0B;QAC1B,IAAI,UAAU,EAAE,CAAC;YACf,YAAY,GAAG,MAAM,YAAY,CAAC,OAAO,EAAE,OAAO,EAAE,YAAY,CAAC,CAAA;QACnE,CAAC;QAED,2BAA2B;QAC3B,IAAI,eAAe,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3C,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;YACZ,IAAI,KAAK,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;gBACjC,GAAG,CAAC,OAAO,CAAC,GAAG,KAAK,0BAA0B,CAAC,CAAA;gBAC/C,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;oBACnB,GAAG,CAAC,GAAG,CAAC,YAAY,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAA;gBACvC,CAAC;gBACD,OAAM;YACR,CAAC;iBAAM,IAAI,KAAK,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;gBACxC,GAAG,CAAC,OAAO,CAAC,GAAG,KAAK,gBAAgB,CAAC,CAAA;gBACrC,OAAM;YACR,CAAC;iBAAM,CAAC;gBACN,GAAG,CAAC,KAAK,CAAC,GAAG,KAAK,SAAS,CAAC,CAAA;gBAC5B,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;oBAChB,GAAG,CAAC,GAAG,CAAC,YAAY,KAAK,CAAC,KAAK,EAAE,CAAC,CAAA;gBACpC,CAAC;gBACD,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;gBACZ,GAAG,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;gBAC3B,GAAG,CAAC,GAAG,CAAC,sBAAsB,OAAO,EAAE,CAAC,CAAA;gBACxC,MAAM,IAAI,UAAU,CAAC,GAAG,KAAK,YAAY,KAAK,CAAC,KAAK,IAAI,eAAe,EAAE,EAAE,OAAO,CAAC,CAAA;YACrF,CAAC;QACH,CAAC;QAED,MAAM,KAAK,CAAC,eAAe,CAAC,CAAA;IAC9B,CAAC;AACH,CAAC;AAED,KAAK,UAAU,YAAY,CACzB,OAAsB,EACtB,OAAe,EACf,SAAiB;IAEjB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,OAAO,CAAC,CAAA;QAClD,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACpC,OAAO,SAAS,CAAA;QAClB,CAAC;QAED,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC;YAC1C,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI;YAClB,CAAC,CAAC,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,KAAK,QAAQ;gBACpC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;gBAC9B,CAAC,CAAC,EAAE,CAAA;QAER,IAAI,IAAI,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;YAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAA;YACtC,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;gBAC5B,GAAG,CAAC,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC,CAAA;YACtB,CAAC;YACD,OAAO,IAAI,CAAC,MAAM,CAAA;QACpB,CAAC;QAED,OAAO,SAAS,CAAA;IAClB,CAAC;IAAC,MAAM,CAAC;QACP,yDAAyD;QACzD,OAAO,SAAS,CAAA;IAClB,CAAC;AACH,CAAC;AAED,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAA;AACxD,CAAC"}

package/dist/templates/nextjs-oauth/.env.example

@@ -0,0 +1,14 @@
+# Next.js Configuration
+NEXT_PUBLIC_APP_NAME={{name}}
+
+# Bio-id OAuth2 Configuration
+# Register an OAuth2 app at https://bio-id.tawa.insureco.io/admin/oauth
+# Set redirect URI to: http://localhost:3000/api/auth/callback (dev)
+BIO_ID_URL=https://bio-id.tawa.insureco.io
+APP_URL=http://localhost:3000
+OAUTH_CLIENT_ID=your-client-id
+OAUTH_CLIENT_SECRET=your-client-secret
+JWT_SECRET=your-jwt-secret
+
+# API Configuration
+# NEXT_PUBLIC_API_URL=https://api.example.com

package/dist/templates/nextjs-oauth/Dockerfile

@@ -0,0 +1,51 @@
+FROM node:22-alpine AS base
+
+# Install dependencies only when needed
+FROM base AS deps
+RUN apk add --no-cache libc6-compat
+WORKDIR /app
+
+COPY package*.json ./
+RUN npm ci
+
+# Build the application
+FROM base AS builder
+WORKDIR /app
+COPY --from=deps /app/node_modules ./node_modules
+COPY . .
+
+ENV NEXT_TELEMETRY_DISABLED 1
+
+RUN npm run build
+
+# Production image
+FROM base AS runner
+WORKDIR /app
+
+ENV NODE_ENV production
+ENV NEXT_TELEMETRY_DISABLED 1
+
+RUN addgroup --system --gid 1001 nodejs
+RUN adduser --system --uid 1001 nextjs
+
+COPY --from=builder /app/public ./public
+
+# Set correct permissions for prerender cache
+RUN mkdir .next
+RUN chown nextjs:nodejs .next
+
+# Automatically leverage output traces to reduce image size
+COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
+COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
+
+USER nextjs
+
+EXPOSE 3000
+
+ENV PORT 3000
+ENV HOSTNAME "0.0.0.0"
+
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+  CMD wget --no-verbose --tries=1 --spider http://localhost:3000/api/health || exit 1
+
+CMD ["node", "server.js"]

package/dist/templates/nextjs-oauth/README.md

@@ -0,0 +1,128 @@
+# {{name}}
+
+{{description}}
+
+## Getting Started
+
+### Prerequisites
+
+- Node.js 20+
+- npm or pnpm
+- A Bio-id OAuth2 application (see Setup below)
+
+### OAuth Setup
+
+1. Register an OAuth2 app at `https://bio-id.tawa.insureco.io/admin/oauth`
+   - Name: `{{name}}`
+   - Redirect URI: `http://localhost:3000/api/auth/callback`
+   - Copy the **Client ID** and **Client Secret**
+
+2. Create `.env` from the example:
+   ```bash
+   cp .env.example .env
+   ```
+
+3. Fill in the OAuth values in `.env`:
+   ```
+   OAUTH_CLIENT_ID=your-client-id
+   OAUTH_CLIENT_SECRET=your-client-secret
+   JWT_SECRET=your-jwt-secret
+   ```
+
+### Installation
+
+```bash
+npm install
+```
+
+### Development
+
+```bash
+npm run dev
+```
+
+Open [http://localhost:3000](http://localhost:3000) in your browser.
+
+### Production Build
+
+```bash
+npm run build
+npm start
+```
+
+## Authentication Flow
+
+This app uses Bio-id OAuth2 with PKCE for authentication:
+
+1. User clicks **Sign In** on the home page
+2. Redirected to Bio-id authorization page
+3. After consent, redirected back to `/api/auth/callback`
+4. Tokens stored in httpOnly cookies
+5. Protected routes check cookies via middleware + server components
+
+### Auth Routes
+
+| Route | Method | Description |
+|-------|--------|-------------|
+| `/api/auth/login` | GET | Initiates OAuth flow (redirects to Bio-id) |
+| `/api/auth/callback` | GET | Handles OAuth callback, sets cookies |
+| `/api/auth/logout` | GET/POST | Clears auth cookies |
+| `/api/auth/session` | GET | Returns current user as JSON |
+
+### Route Protection
+
+- **Middleware** (`src/middleware.ts`): Redirects unauthenticated users to login for `/dashboard` routes
+- **Server components**: Use `getCurrentUser()` from `@/lib/auth` for server-side auth checks
+
+## Project Structure
+
+```
+{{name}}/
+├── src/
+│   ├── lib/
+│   │   └── auth.ts           # OAuth2 library (PKCE, tokens, cookies)
+│   ├── middleware.ts          # Route protection middleware
+│   └── app/
+│       ├── layout.tsx         # Root layout
+│       ├── page.tsx           # Home page (login/logout UI)
+│       ├── dashboard/
+│       │   └── page.tsx       # Protected dashboard
+│       └── api/
+│           ├── health/        # Health check endpoint
+│           │   └── route.ts
+│           ├── example/       # Example API route
+│           │   └── route.ts
+│           └── auth/          # OAuth2 routes
+│               ├── login/route.ts
+│               ├── callback/route.ts
+│               ├── logout/route.ts
+│               └── session/route.ts
+├── public/
+├── helm/
+│   └── {{name}}/             # Kubernetes Helm chart
+├── next.config.js
+├── Dockerfile
+└── catalog-info.yaml         # Backstage service catalog
+```
+
+## Deployment
+
+### Using iec-cli
+
+```bash
+# Link repository for auto-deploy
+iec link
+
+# Manual deploy to sandbox
+iec deploy
+
+# Deploy to production
+iec deploy --prod
+```
+
+When deploying, set the OAuth environment variables in your Helm values or via `iec env set`.
+
+## Learn More
+
+- [Next.js Documentation](https://nextjs.org/docs)
+- [Tawa Platform Docs](https://docs.tawa.insureco.io)

package/dist/templates/nextjs-oauth/catalog-info.yaml

@@ -0,0 +1,17 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: {{name}}
+  description: {{description}}
+  tags:
+    - tawa
+    - frontend
+    - nextjs
+  annotations:
+    insureco.io/framework: nextjs
+    insureco.io/language: typescript
+    insureco.io/auth: bio-id
+spec:
+  type: service
+  lifecycle: experimental
+  owner: team-platform

package/dist/templates/nextjs-oauth/helm/{{name}}/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v2
+name: {{name}}
+description: Helm chart for {{name}} (Next.js)
+type: application
+version: 0.1.0
+appVersion: "0.1.0"
+maintainers:
+  - name: team-platform
+    email: platform@insureco.io