@kidd-cli/core 0.2.0 → 0.4.0

package/dist/middleware/auth.js

@@ -1,40 +1,18 @@
-import { n as decorateContext, t as middleware } from "../middleware-BFBKNSPQ.js";
-import "../project-DuXgjaa_.js";
-import { t as createStore } from "../create-store-D-fQpCql.js";
-import { t as createHttpClient } from "../create-http-client-tZJWlWp1.js";
+import { n as decorateContext, t as middleware } from "../middleware-BWnPSRWR.js";
+import "../project-D0g84bZY.js";
+import { t as createStore } from "../create-store-OHdkm_Yt.js";
 import { join } from "node:path";
-import { ok } from "@kidd-cli/utils/fp";
+import { attempt, attemptAsync, isPlainObject, match, ok } from "@kidd-cli/utils/fp";
+import { z } from "zod";
 import { match as match$1 } from "ts-pattern";
 import { platform } from "node:os";
 import { readFileSync } from "node:fs";
-import { Buffer } from "node:buffer";
 import { execFile } from "node:child_process";
 import { createServer } from "node:http";
 import { parse } from "dotenv";
 import { attempt as attempt$1 } from "es-toolkit";
-import { z } from "zod";
 import { createHash, randomBytes } from "node:crypto";
-
-//#region src/middleware/http/build-auth-headers.ts
-/**
-* Convert auth credentials into HTTP headers.
-*
-* Uses exhaustive pattern matching to map each credential variant to
-* the appropriate header format.
-*
-* @module
-*/
-/**
-* Convert an auth credential into HTTP headers.
-*
-* @param credential - The credential to convert.
-* @returns A record of header name to header value.
-*/
-function buildAuthHeaders(credential) {
-	return match$1(credential).with({ type: "bearer" }, (c) => ({ Authorization: `Bearer ${c.token}` })).with({ type: "basic" }, (c) => ({ Authorization: `Basic ${Buffer.from(`${c.username}:${c.password}`).toString("base64")}` })).with({ type: "api-key" }, (c) => ({ [c.headerName]: c.key })).with({ type: "custom" }, (c) => ({ ...c.headers })).exhaustive();
-}
-
-//#endregion
+import { Buffer } from "node:buffer";
 //#region src/middleware/auth/constants.ts
 /**
 * Default filename for file-based credential storage.
@@ -45,10 +23,6 @@ const DEFAULT_AUTH_FILENAME = "auth.json";
 */
 const TOKEN_VAR_SUFFIX = "_TOKEN";
 /**
-* Default port for the local OAuth callback server (`0` = ephemeral).
-*/
-const DEFAULT_OAUTH_PORT = 0;
-/**
 * Default callback path for the local OAuth server.
 */
 const DEFAULT_OAUTH_CALLBACK_PATH = "/callback";
@@ -76,7 +50,6 @@ const DEFAULT_DEVICE_CODE_TIMEOUT = 3e5;
 function deriveTokenVar(cliName) {
 	return `${cliName.replaceAll("-", "_").toUpperCase()}${TOKEN_VAR_SUFFIX}`;
 }
-
 //#endregion
 //#region src/middleware/auth/credential.ts
 /**
@@ -119,18 +92,15 @@ function createBearerCredential(token) {
 * @returns The fetch Response on success, null on failure.
 */
 async function postFormEncoded(url, params, signal) {
-	try {
-		return await fetch(url, {
-			body: params.toString(),
-			headers: { "Content-Type": "application/x-www-form-urlencoded" },
-			method: "POST",
-			signal
-		});
-	} catch {
-		return null;
-	}
+	const [fetchError, response] = await attemptAsync(() => fetch(url, {
+		body: params.toString(),
+		headers: { "Content-Type": "application/x-www-form-urlencoded" },
+		method: "POST",
+		signal
+	}));
+	if (fetchError) return null;
+	return response;
 }
-
 //#endregion
 //#region src/middleware/auth/oauth-server.ts
 /**
@@ -245,14 +215,11 @@ function sendSuccessPage(res) {
 * @returns True when the URL uses HTTPS or HTTP on a loopback address.
 */
 function isSecureAuthUrl(url) {
-	try {
-		const parsed = new URL(url);
-		if (parsed.protocol === "https:") return true;
-		if (parsed.protocol !== "http:") return false;
-		return isLoopbackHost(parsed.hostname);
-	} catch {
-		return false;
-	}
+	const [error, parsed] = attempt(() => new URL(url));
+	if (error || !parsed) return false;
+	if (parsed.protocol === "https:") return true;
+	if (parsed.protocol !== "http:") return false;
+	return isLoopbackHost(parsed.hostname);
 }
 /**
 * Open a URL in the user's default browser using a platform-specific command.
@@ -269,7 +236,7 @@ function isSecureAuthUrl(url) {
 */
 function openBrowser(url) {
 	if (!isHttpUrl(url)) return;
-	const { command, args } = match$1(platform()).with("darwin", () => ({
+	const { command, args } = match(platform()).with("darwin", () => ({
 		args: [url],
 		command: "open"
 	})).with("win32", () => ({
@@ -330,12 +297,9 @@ function startLocalServer(options) {
 * @returns True when the URL uses http: or https: protocol.
 */
 function isHttpUrl(url) {
-	try {
-		const parsed = new URL(url);
-		return parsed.protocol === "https:" || parsed.protocol === "http:";
-	} catch {
-		return false;
-	}
+	const [error, parsed] = attempt(() => new URL(url));
+	if (error || !parsed) return false;
+	return parsed.protocol === "https:" || parsed.protocol === "http:";
 }
 /**
 * Check whether a hostname is a loopback address.
@@ -364,7 +328,6 @@ function isLoopbackHost(hostname) {
 function escapeCmdMeta(url) {
 	return url.replaceAll(/[&|<>^]/g, "^$&");
 }
-
 //#endregion
 //#region src/middleware/auth/strategies/device-code.ts
 /**
@@ -432,11 +395,9 @@ async function requestDeviceAuth(options) {
 	const response = await postFormEncoded(options.deviceAuthUrl, body, options.signal);
 	if (!response) return null;
 	if (!response.ok) return null;
-	try {
-		return parseDeviceAuthResponse(await response.json());
-	} catch {
-		return null;
-	}
+	const [parseError, data] = await attemptAsync(() => response.json());
+	if (parseError) return null;
+	return parseDeviceAuthResponse(data);
 }
 /**
 * Parse a device authorization response body.
@@ -446,17 +407,16 @@ async function requestDeviceAuth(options) {
 * @returns The parsed response, or null if required fields are missing.
 */
 function parseDeviceAuthResponse(data) {
-	if (typeof data !== "object" || data === null) return null;
-	const record = data;
-	if (typeof record.device_code !== "string" || record.device_code === "") return null;
-	if (typeof record.user_code !== "string" || record.user_code === "") return null;
-	if (typeof record.verification_uri !== "string" || record.verification_uri === "") return null;
-	const interval = resolveServerInterval(record.interval);
+	if (!isPlainObject(data)) return null;
+	if (typeof data.device_code !== "string" || data.device_code === "") return null;
+	if (typeof data.user_code !== "string" || data.user_code === "") return null;
+	if (typeof data.verification_uri !== "string" || data.verification_uri === "") return null;
+	const interval = resolveServerInterval(data.interval);
 	return {
-		deviceCode: record.device_code,
+		deviceCode: data.device_code,
 		interval,
-		userCode: record.user_code,
-		verificationUri: record.verification_uri
+		userCode: data.user_code,
+		verificationUri: data.verification_uri
 	};
 }
 /**
@@ -471,12 +431,10 @@ function parseDeviceAuthResponse(data) {
 * @param userCode - The code the user should enter.
 */
 async function displayUserCode(prompts, verificationUri, userCode) {
-	try {
-		await prompts.text({
-			defaultValue: "",
-			message: `Open ${verificationUri} and enter code: ${userCode} (press Enter to continue)`
-		});
-	} catch {}
+	await attemptAsync(() => prompts.text({
+		defaultValue: "",
+		message: `Open ${verificationUri} and enter code: ${userCode} (press Enter to continue)`
+	}));
 }
 /**
 * Resolve the poll interval, preferring server-provided value.
@@ -507,7 +465,7 @@ async function pollForToken(options) {
 	if (Date.now() >= options.deadline) return null;
 	await sleep(options.interval);
 	if (Date.now() >= options.deadline) return null;
-	return match$1(await requestToken({
+	return match(await requestToken({
 		clientId: options.clientId,
 		deviceCode: options.deviceCode,
 		signal: options.signal,
@@ -555,24 +513,19 @@ async function requestToken(options) {
 	});
 	const response = await postFormEncoded(options.tokenUrl, body, options.signal);
 	if (!response) return { status: "error" };
-	try {
-		const data = await response.json();
-		if (typeof data !== "object" || data === null) return { status: "error" };
-		const record = data;
-		if (response.ok && typeof record.access_token === "string" && record.access_token !== "") {
-			if (typeof record.token_type === "string" && record.token_type.toLowerCase() !== "bearer") return { status: "error" };
-			return {
-				credential: createBearerCredential(record.access_token),
-				status: "success"
-			};
-		}
-		if (typeof record.error !== "string") return { status: "error" };
-		return match$1(record.error).with("authorization_pending", () => ({ status: "pending" })).with("slow_down", () => ({ status: "slow_down" })).with("expired_token", () => ({ status: "expired" })).with("access_denied", () => ({ status: "denied" })).otherwise(() => ({ status: "error" }));
-	} catch {
-		return { status: "error" };
+	const [parseError, data] = await attemptAsync(() => response.json());
+	if (parseError) return { status: "error" };
+	if (!isPlainObject(data)) return { status: "error" };
+	if (response.ok && typeof data.access_token === "string" && data.access_token !== "") {
+		if (typeof data.token_type === "string" && data.token_type.toLowerCase() !== "bearer") return { status: "error" };
+		return {
+			credential: createBearerCredential(data.access_token),
+			status: "success"
+		};
 	}
+	if (typeof data.error !== "string") return { status: "error" };
+	return match(data.error).with("authorization_pending", () => ({ status: "pending" })).with("slow_down", () => ({ status: "slow_down" })).with("expired_token", () => ({ status: "expired" })).with("access_denied", () => ({ status: "denied" })).otherwise(() => ({ status: "error" }));
 }
-
 //#endregion
 //#region src/middleware/auth/strategies/dotenv.ts
 /**
@@ -594,7 +547,6 @@ function resolveFromDotenv(options) {
 	if (!isValidToken(token)) return null;
 	return createBearerCredential(token);
 }
-
 //#endregion
 //#region src/middleware/auth/strategies/env.ts
 /**
@@ -608,7 +560,6 @@ function resolveFromEnv(options) {
 	if (!isValidToken(token)) return null;
 	return createBearerCredential(token);
 }
-
 //#endregion
 //#region src/middleware/auth/schema.ts
 /**
@@ -651,7 +602,6 @@ const authCredentialSchema = z.discriminatedUnion("type", [
 	apiKeyCredentialSchema,
 	customCredentialSchema
 ]);
-
 //#endregion
 //#region src/middleware/auth/strategies/file.ts
 /**
@@ -671,7 +621,6 @@ function resolveFromFile(options) {
 	if (!result.success) return null;
 	return result.data;
 }
-
 //#endregion
 //#region src/middleware/auth/strategies/oauth.ts
 /**
@@ -867,18 +816,13 @@ async function exchangeCodeForToken(options) {
 	const response = await postFormEncoded(options.tokenUrl, body);
 	if (!response) return null;
 	if (!response.ok) return null;
-	try {
-		const data = await response.json();
-		if (typeof data !== "object" || data === null) return null;
-		const record = data;
-		if (typeof record.access_token !== "string" || record.access_token === "") return null;
-		if (typeof record.token_type === "string" && record.token_type.toLowerCase() !== "bearer") return null;
-		return createBearerCredential(record.access_token);
-	} catch {
-		return null;
-	}
+	const [parseError, data] = await attemptAsync(() => response.json());
+	if (parseError) return null;
+	if (!isPlainObject(data)) return null;
+	if (typeof data.access_token !== "string" || data.access_token === "") return null;
+	if (typeof data.token_type === "string" && data.token_type.toLowerCase() !== "bearer") return null;
+	return createBearerCredential(data.access_token);
 }
-
 //#endregion
 //#region src/middleware/auth/strategies/token.ts
 /**
@@ -893,31 +837,27 @@ async function exchangeCodeForToken(options) {
 * @returns A bearer credential on input, null on cancellation.
 */
 async function resolveFromToken(options) {
-	try {
-		const token = await options.prompts.password({ message: options.message });
-		if (!isValidToken(token)) return null;
-		return createBearerCredential(token);
-	} catch {
-		return null;
-	}
+	const [promptError, token] = await attemptAsync(() => options.prompts.password({ message: options.message }));
+	if (promptError) return null;
+	if (!isValidToken(token)) return null;
+	return createBearerCredential(token);
 }
-
 //#endregion
 //#region src/middleware/auth/chain.ts
 const DEFAULT_PROMPT_MESSAGE = "Enter your API key";
 /**
-* Chain credential resolvers, returning the first non-null result.
+* Chain credential strategies, returning the first non-null result.
 *
-* Walks the resolver list in order, dispatching each config to the
-* appropriate resolver function via pattern matching. Short-circuits
+* Walks the strategy list in order, dispatching each config to the
+* appropriate strategy function via pattern matching. Short-circuits
 * on the first successful resolution.
 *
-* @param options - Options with resolvers, CLI name, and prompts instance.
-* @returns The first resolved credential, or null if all resolvers fail.
+* @param options - Options with strategies, CLI name, and prompts instance.
+* @returns The first resolved credential, or null if all strategies fail.
 */
 async function runStrategyChain(options) {
 	const defaultTokenVar = deriveTokenVar(options.cliName);
-	return tryResolvers(options.resolvers, 0, defaultTokenVar, options);
+	return tryStrategies(options.strategies, 0, defaultTokenVar, options);
 }
 /**
 * Return the given value when defined, otherwise the fallback.
@@ -931,33 +871,33 @@ function withDefault(value, fallback) {
 	return fallback;
 }
 /**
-* Recursively try resolvers until one returns a credential or the list is exhausted.
+* Recursively try strategies until one returns a credential or the list is exhausted.
 *
 * @private
-* @param configs - The resolver configs.
+* @param configs - The strategy configs.
 * @param index - The current index.
 * @param defaultTokenVar - The derived default token env var name.
 * @param context - The resolve options for prompts access.
 * @returns The first resolved credential, or null.
 */
-async function tryResolvers(configs, index, defaultTokenVar, context) {
+async function tryStrategies(configs, index, defaultTokenVar, context) {
 	if (index >= configs.length) return null;
 	const config = configs[index];
 	if (config === void 0) return null;
-	const credential = await dispatchResolver(config, defaultTokenVar, context);
+	const credential = await dispatchStrategy(config, defaultTokenVar, context);
 	if (credential) return credential;
-	return tryResolvers(configs, index + 1, defaultTokenVar, context);
+	return tryStrategies(configs, index + 1, defaultTokenVar, context);
 }
 /**
-* Dispatch a single resolver config to its implementation.
+* Dispatch a single strategy config to its implementation.
 *
 * @private
-* @param config - The resolver config to dispatch.
+* @param config - The strategy config to dispatch.
 * @param defaultTokenVar - The derived default token env var name.
 * @param context - The resolve options for prompts access.
 * @returns The resolved credential, or null.
 */
-async function dispatchResolver(config, defaultTokenVar, context) {
+async function dispatchStrategy(config, defaultTokenVar, context) {
 	return match$1(config).with({ source: "env" }, (c) => resolveFromEnv({ tokenVar: withDefault(c.tokenVar, defaultTokenVar) })).with({ source: "dotenv" }, (c) => resolveFromDotenv({
 		path: withDefault(c.path, join(process.cwd(), ".env")),
 		tokenVar: withDefault(c.tokenVar, defaultTokenVar)
@@ -968,7 +908,7 @@ async function dispatchResolver(config, defaultTokenVar, context) {
 		authUrl: c.authUrl,
 		callbackPath: withDefault(c.callbackPath, DEFAULT_OAUTH_CALLBACK_PATH),
 		clientId: c.clientId,
-		port: withDefault(c.port, DEFAULT_OAUTH_PORT),
+		port: withDefault(c.port, 0),
 		scopes: withDefault(c.scopes, []),
 		timeout: withDefault(c.timeout, DEFAULT_OAUTH_TIMEOUT),
 		tokenUrl: c.tokenUrl
@@ -986,7 +926,6 @@ async function dispatchResolver(config, defaultTokenVar, context) {
 		prompts: context.prompts
 	})).with({ source: "custom" }, (c) => c.resolver()).exhaustive();
 }
-
 //#endregion
 //#region src/middleware/auth/context.ts
 /**
@@ -994,14 +933,14 @@ async function dispatchResolver(config, defaultTokenVar, context) {
 *
 * No credential data is stored on the returned object. `credential()`
 * resolves passively on every call, `authenticated()` checks existence,
-* `login()` runs the configured interactive resolvers, saves the
+* `login()` runs the configured interactive strategies, saves the
 * credential to the global file store, and `logout()` removes it.
 *
 * @param options - Factory options.
 * @returns An AuthContext instance.
 */
 function createAuthContext(options) {
-	const { resolvers, cliName, prompts, resolveCredential } = options;
+	const { strategies, cliName, prompts, resolveCredential, validate } = options;
 	/**
 	* Resolve the current credential from passive sources (file, env).
 	*
@@ -1021,27 +960,33 @@ function createAuthContext(options) {
 		return resolveCredential() !== null;
 	}
 	/**
-	* Run configured resolvers interactively and persist the credential.
+	* Run configured strategies interactively and persist the credential.
+	*
+	* When `loginOptions.strategies` is provided, those strategies are used
+	* instead of the default configured list.
 	*
 	* @private
+	* @param loginOptions - Optional overrides for the login attempt.
 	* @returns A Result with the credential on success or an AuthError on failure.
 	*/
-	async function login() {
+	async function login(loginOptions) {
 		const resolved = await runStrategyChain({
 			cliName,
 			prompts,
-			resolvers
+			strategies: resolveLoginStrategies(loginOptions, strategies)
 		});
 		if (resolved === null) return authError({
 			message: "No credential resolved from any source",
 			type: "no_credential"
 		});
-		const [saveError] = createStore({ dirName: `.${cliName}` }).save(DEFAULT_AUTH_FILENAME, resolved);
+		const [validationError, validatedCredential] = await runValidation(resolveLoginValidate(loginOptions, validate), resolved);
+		if (validationError) return [validationError, null];
+		const [saveError] = createStore({ dirName: `.${cliName}` }).save(DEFAULT_AUTH_FILENAME, validatedCredential);
 		if (saveError) return authError({
 			message: `Failed to save credential: ${saveError.message}`,
 			type: "save_failed"
 		});
-		return ok(resolved);
+		return ok(validatedCredential);
 	}
 	/**
 	* Remove the stored credential from disk.
@@ -1074,15 +1019,157 @@ function createAuthContext(options) {
 function authError(error) {
 	return [error, null];
 }
-
+/**
+* Resolve the active strategies for a login attempt.
+*
+* Returns the override strategies from login options when provided,
+* otherwise falls back to the configured strategies.
+*
+* @private
+* @param loginOptions - Optional login overrides.
+* @param configured - The default configured strategies.
+* @returns The strategies to use for the login attempt.
+*/
+function resolveLoginStrategies(loginOptions, configured) {
+	if (loginOptions !== void 0 && loginOptions.strategies !== void 0) return loginOptions.strategies;
+	return configured;
+}
+/**
+* Resolve the active validate callback for a login attempt.
+*
+* Returns the override from login options when provided,
+* otherwise falls back to the configured validate callback.
+*
+* @private
+* @param loginOptions - Optional login overrides.
+* @param configured - The default configured validate callback.
+* @returns The validate callback to use, or undefined.
+*/
+function resolveLoginValidate(loginOptions, configured) {
+	if (loginOptions !== void 0 && loginOptions.validate !== void 0) return loginOptions.validate;
+	return configured;
+}
+/**
+* Run the validate callback against a resolved credential.
+*
+* When no validate callback is provided, returns the credential as-is.
+* When validation fails, returns the error Result.
+* When validation succeeds, returns the (possibly transformed) credential.
+*
+* @private
+* @param validateFn - The validate callback, or undefined.
+* @param credential - The resolved credential to validate.
+* @returns A Result with the validated credential or an AuthError.
+*/
+async function runValidation(validateFn, credential) {
+	if (validateFn === void 0) return ok(credential);
+	const [validationError, validatedCredential] = await validateFn(credential);
+	if (validationError) return authError({
+		message: validationError.message,
+		type: "validation_failed"
+	});
+	return ok(validatedCredential);
+}
+//#endregion
+//#region src/middleware/http/build-auth-headers.ts
+/**
+* Convert auth credentials into HTTP headers.
+*
+* Uses exhaustive pattern matching to map each credential variant to
+* the appropriate header format.
+*
+* @module
+*/
+/**
+* Convert an auth credential into HTTP headers.
+*
+* @param credential - The credential to convert.
+* @returns A record of header name to header value.
+*/
+function buildAuthHeaders(credential) {
+	return match$1(credential).with({ type: "bearer" }, (c) => ({ Authorization: `Bearer ${c.token}` })).with({ type: "basic" }, (c) => ({ Authorization: `Basic ${Buffer.from(`${c.username}:${c.password}`).toString("base64")}` })).with({ type: "api-key" }, (c) => ({ [c.headerName]: c.key })).with({ type: "custom" }, (c) => ({ ...c.headers })).exhaustive();
+}
+//#endregion
+//#region src/middleware/auth/headers.ts
+/**
+* Create a function that resolves auth credentials from `ctx.auth` into HTTP headers.
+*
+* The returned function reads `ctx.auth.credential()` and converts the credential
+* into the appropriate header format using `buildAuthHeaders()`. Returns an empty
+* record when no auth middleware is present or no credential exists.
+*
+* @returns A function that takes a Context and returns auth headers.
+*/
+function createAuthHeaders() {
+	return function resolveHeaders(ctx) {
+		if (!("auth" in ctx)) return {};
+		const credential = ctx.auth.credential();
+		if (credential === null) return {};
+		return buildAuthHeaders(credential);
+	};
+}
+//#endregion
+//#region src/middleware/auth/require.ts
+/**
+* Enforcement gate middleware that requires authentication.
+*
+* @module
+*/
+const DEFAULT_MESSAGE = "Authentication required.";
+/**
+* Create an enforcement middleware that gates on authentication.
+*
+* When `ctx.auth.authenticated()` returns true, the middleware calls
+* `next()`. When not authenticated, it calls `ctx.fail()` with the
+* provided (or default) message. When `ctx.auth` is absent (auth
+* middleware not configured), it calls `ctx.fail()` with an
+* `AUTH_MIDDLEWARE_MISSING` code.
+*
+* @param options - Optional configuration for the require gate.
+* @returns A Middleware that enforces authentication.
+*/
+function createAuthRequire(options) {
+	const message = resolveMessage(options);
+	return middleware((ctx, next) => {
+		if (!hasProperty(ctx, "auth")) ctx.fail("auth.require() must run after auth() middleware", { code: "AUTH_MIDDLEWARE_MISSING" });
+		if (!ctx.auth.authenticated()) ctx.fail(message, { code: "AUTH_REQUIRED" });
+		return next();
+	});
+}
+/**
+* Runtime property check that avoids TypeScript's `in` narrowing.
+*
+* The `Context` interface declares `auth` via module augmentation,
+* so `!('auth' in ctx)` narrows to `never`. This function uses an
+* `unknown` cast to bypass the narrowing and perform a pure runtime
+* check.
+*
+* @private
+* @param obj - The object to inspect.
+* @param key - The property name to check.
+* @returns True when the property exists on the object.
+*/
+function hasProperty(obj, key) {
+	return typeof obj === "object" && obj !== null && key in obj;
+}
+/**
+* Resolve the failure message from optional require options.
+*
+* @private
+* @param options - Optional require gate options.
+* @returns The resolved message string.
+*/
+function resolveMessage(options) {
+	if (options !== void 0 && options.message !== void 0) return options.message;
+	return DEFAULT_MESSAGE;
+}
 //#endregion
 //#region src/middleware/auth/auth.ts
 /**
-* Auth middleware factory with resolver builder functions.
+* Auth middleware factory with strategy builder functions.
 *
 * Decorates `ctx.auth` with functions to resolve credentials on demand
-* and run interactive authentication. Also supports creating authenticated
-* HTTP clients via the `http` option.
+* and run interactive authentication.
 *
 * @module
 */
@@ -1095,44 +1182,32 @@ function authError(error) {
 * 2. Dotenv — `.env` file (when configured)
 * 3. Env — `CLI_NAME_TOKEN`
 *
-* Interactive resolvers (OAuth, prompt, custom) only run when the
+* Interactive strategies (OAuth, device-code, token, custom) only run when the
 * command handler explicitly calls `ctx.auth.login()`.
 *
-* When `options.http` is provided, the middleware also creates HTTP
-* client(s) with automatic credential header injection and decorates
-* them onto `ctx[namespace]`.
-*
 * @param options - Auth middleware configuration.
-* @returns A Middleware that decorates ctx.auth (and optionally HTTP clients).
+* @returns A Middleware that decorates ctx.auth.
 */
 function createAuth(options) {
-	const { resolvers } = options;
+	const { strategies, validate } = options;
 	return middleware((ctx, next) => {
 		const cliName = ctx.meta.name;
-		const authContext = createAuthContext({
+		decorateContext(ctx, "auth", createAuthContext({
 			cliName,
 			prompts: ctx.prompts,
-			resolveCredential: () => resolveStoredCredential(cliName, resolvers),
-			resolvers
-		});
-		decorateContext(ctx, "auth", authContext);
-		if (options.http !== void 0) normalizeHttpOptions(options.http).reduce((context, httpConfig) => {
-			const client = createHttpClient({
-				baseUrl: httpConfig.baseUrl,
-				defaultHeaders: httpConfig.headers,
-				resolveHeaders: () => credentialToHeaders(authContext.credential())
-			});
-			return decorateContext(context, httpConfig.namespace, client);
-		}, ctx);
+			resolveCredential: () => resolveStoredCredential(cliName, strategies),
+			strategies,
+			validate
+		}));
 		return next();
 	});
 }
 /**
-* Auth middleware factory with resolver builder methods.
+* Auth middleware factory with strategy builder methods.
 *
-* Use as `auth({ resolvers: [...] })` to create middleware, or use
+* Use as `auth({ strategies: [...] })` to create middleware, or use
 * the builder methods (`auth.env()`, `auth.oauth()`, etc.) to construct
-* resolver configs with a cleaner API.
+* strategy configs with a cleaner API.
 */
 const auth = Object.assign(createAuth, {
 	apiKey: buildToken,
@@ -1141,142 +1216,121 @@ const auth = Object.assign(createAuth, {
 	dotenv: buildDotenv,
 	env: buildEnv,
 	file: buildFile,
+	headers: createAuthHeaders,
 	oauth: buildOAuth,
+	require: createAuthRequire,
 	token: buildToken
 });
 /**
-* Build an env resolver config.
+* Build an env strategy config.
 *
 * @private
-* @param options - Optional env resolver options.
+* @param options - Optional env strategy options.
 * @returns An EnvSourceConfig with `source: 'env'`.
 */
 function buildEnv(options) {
 	return {
-		source: "env",
-		...options
+		...options,
+		source: "env"
 	};
 }
 /**
-* Build a dotenv resolver config.
+* Build a dotenv strategy config.
 *
 * @private
-* @param options - Optional dotenv resolver options.
+* @param options - Optional dotenv strategy options.
 * @returns A DotenvSourceConfig with `source: 'dotenv'`.
 */
 function buildDotenv(options) {
 	return {
-		source: "dotenv",
-		...options
+		...options,
+		source: "dotenv"
 	};
 }
 /**
-* Build a file resolver config.
+* Build a file strategy config.
 *
 * @private
-* @param options - Optional file resolver options.
+* @param options - Optional file strategy options.
 * @returns A FileSourceConfig with `source: 'file'`.
 */
 function buildFile(options) {
 	return {
-		source: "file",
-		...options
+		...options,
+		source: "file"
 	};
 }
 /**
-* Build an OAuth resolver config.
+* Build an OAuth strategy config.
 *
 * @private
-* @param options - OAuth resolver options (clientId, authUrl, tokenUrl required).
+* @param options - OAuth strategy options (clientId, authUrl, tokenUrl required).
 * @returns An OAuthSourceConfig with `source: 'oauth'`.
 */
 function buildOAuth(options) {
 	return {
-		source: "oauth",
-		...options
+		...options,
+		source: "oauth"
 	};
 }
 /**
-* Build a device code resolver config.
+* Build a device code strategy config.
 *
 * @private
-* @param options - Device code resolver options (clientId, deviceAuthUrl, tokenUrl required).
+* @param options - Device code strategy options (clientId, deviceAuthUrl, tokenUrl required).
 * @returns A DeviceCodeSourceConfig with `source: 'device-code'`.
 */
 function buildDeviceCode(options) {
 	return {
-		source: "device-code",
-		...options
+		...options,
+		source: "device-code"
 	};
 }
 /**
-* Build a token resolver config.
+* Build a token strategy config.
 *
 * Prompts the user for a token interactively. Aliased as `auth.apiKey()`.
 *
 * @private
-* @param options - Optional token resolver options.
+* @param options - Optional token strategy options.
 * @returns A TokenSourceConfig with `source: 'token'`.
 */
 function buildToken(options) {
 	return {
-		source: "token",
-		...options
+		...options,
+		source: "token"
 	};
 }
 /**
-* Build a custom resolver config from a resolver function.
+* Build a custom strategy config from a strategy function.
 *
 * @private
-* @param resolver - The custom resolver function.
+* @param fn - The custom strategy function.
 * @returns A CustomSourceConfig with `source: 'custom'`.
 */
-function buildCustom(resolver) {
+function buildCustom(fn) {
 	return {
-		resolver,
+		resolver: fn,
 		source: "custom"
 	};
 }
 /**
-* Normalize the `http` option into an array of configs.
-*
-* @private
-* @param http - A single config or array of configs.
-* @returns An array of AuthHttpOptions.
-*/
-function normalizeHttpOptions(http) {
-	if ("baseUrl" in http) return [http];
-	return http;
-}
-/**
-* Convert a credential into auth headers, returning an empty record
-* when no credential is available.
-*
-* @private
-* @param credential - The credential or null.
-* @returns A record of auth headers.
-*/
-function credentialToHeaders(credential) {
-	if (credential === null) return {};
-	return buildAuthHeaders(credential);
-}
-/**
 * Attempt to resolve a credential from stored (non-interactive) sources.
 *
 * Checks the file store first, then dotenv, then falls back to the
-* environment variable. Scans the resolver list for `file`, `dotenv`,
+* environment variable. Scans the strategy list for `file`, `dotenv`,
 * and `env` source configs to respect user-configured overrides
 * (e.g. a custom `tokenVar`, `dirName`, or dotenv `path`).
 *
 * @private
 * @param cliName - The CLI name, used to derive paths and env var names.
-* @param resolvers - The configured resolver list for extracting overrides.
+* @param strategies - The configured strategy list for extracting overrides.
 * @returns The resolved credential, or null.
 */
-function resolveStoredCredential(cliName, resolvers) {
-	const fileConfig = findResolverBySource(resolvers, "file");
-	const dotenvConfig = findResolverBySource(resolvers, "dotenv");
-	const envConfig = findResolverBySource(resolvers, "env");
+function resolveStoredCredential(cliName, strategies) {
+	const fileConfig = findStrategyBySource(strategies, "file");
+	const dotenvConfig = findStrategyBySource(strategies, "dotenv");
+	const envConfig = findStrategyBySource(strategies, "env");
 	const defaultTokenVar = deriveTokenVar(cliName);
 	const fromFile = resolveFromFile({
 		dirName: withDefault(extractProp(fileConfig, "dirName"), `.${cliName}`),
@@ -1293,15 +1347,15 @@ function resolveStoredCredential(cliName, resolvers) {
 	return resolveFromEnv({ tokenVar: withDefault(extractProp(envConfig, "tokenVar"), defaultTokenVar) });
 }
 /**
-* Find the first resolver config matching a given source type.
+* Find the first strategy config matching a given source type.
 *
 * @private
-* @param resolvers - The resolver config list.
+* @param strategies - The strategy config list.
 * @param source - The source type to find.
 * @returns The matching config, or undefined.
 */
-function findResolverBySource(resolvers, source) {
-	return resolvers.find((r) => r.source === source);
+function findStrategyBySource(strategies, source) {
+	return strategies.find((r) => r.source === source);
 }
 /**
 * Safely extract a property from an optional config object.
@@ -1318,7 +1372,7 @@ function extractProp(config, key) {
 	if (config === void 0) return;
 	return config[key];
 }
-
 //#endregion
-export { auth };
+export { auth, createAuthHeaders, createAuthRequire };
+
 //# sourceMappingURL=auth.js.map