@m-kopa/launchpad-cli 0.26.1 → 0.27.0

package/CHANGELOG.md

@@ -6,6 +6,51 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html);
 pre-1.0 minor bumps may carry breaking changes per ADR 0005.
 
+## 0.27.0 — 2026-06-12
+
+`launchpad login` moves onto the platform's auth gateway (sp-cli7kq
+Task 3, ADR 0026). Dual-path: gateway first, legacy Cloudflare Access
+as a deprecated fallback for the duration of the dual-auth window.
+
+### Added
+
+- **Gateway login is the default.** `launchpad login` now authenticates
+  against the auth gateway's `cli-session` grant
+  (`auth.launchpad.m-kopa.us`): loopback Authorization-Code + PKCE into
+  the Entra SSO, yielding a short-lived (15-minute) RS256 access token
+  plus an opaque refresh token that **rotates on every refresh**. No
+  discovery, no dynamic client registration — the endpoints are fixed.
+  Sessions persist as a new `version: 2` shape in
+  `~/.launchpad/session.json` (same location, same `0600` mode); the
+  rotated refresh token is persisted atomically (write-rename) **before**
+  the new access token is used, so a crash can never strand the session
+  on a rotated-away token.
+- **Server-side logout.** `launchpad logout` now revokes gateway
+  sessions at the gateway (`POST /__cli_logout`) before clearing the
+  local file: refresh dies immediately; in-flight access tokens expire
+  within 15 minutes. Offline-safe — if the gateway is unreachable the
+  local session is still cleared with a warning, exit code `0`.
+- **Kill-switch.** `LAUNCHPAD_AUTH_LEGACY=1` forces the legacy
+  Cloudflare Access login outright (no gateway attempt).
+  `LAUNCHPAD_AUTH_GATEWAY_URL` overrides the gateway base URL for
+  tests/previews.
+- Gateway `429` rate-limit responses are honoured: short `Retry-After`
+  waits are absorbed with a single retry; longer ones surface a clear
+  "session intact, retry shortly" error without burning the refresh
+  token.
+
+### Changed
+
+- A revoked / idle-expired (7 days) / capped (30 days) gateway session
+  now clears itself locally and prompts ``run `launchpad login` ``;
+  authenticated verbs keep the exact exit-`3` contract for auth
+  failures.
+- The legacy Cloudflare Access login path is **deprecated but intact**
+  — it runs automatically (with a notice) when the gateway flow fails,
+  and will be deleted after the dual-auth window closes (AC-DECOM).
+- `launchpad update`'s installer-bearer channel auth (ADR 0023) is
+  untouched by all of the above.
+
 ## 0.26.1 — 2026-06-11
 
 Two `launchpad status` UX faults found live by the owner (fast-track,

package/dist/auth/flow.d.ts

@@ -1,10 +1,14 @@
-import { type CliSession } from "./session.js";
+import { type AnyCliSession, type CliSession } from "./session.js";
 export declare class LoginRequiredError extends Error {
     readonly code: "login_required";
 }
 /** Refresh-window buffer: refresh `refreshSkewMs` before expiry
  *  so a request fired right at the edge doesn't hit a 401. */
 export declare const REFRESH_SKEW_MS = 30000;
+/** A gateway 429 with Retry-After at or under this is absorbed
+ *  in-process (wait, then retry the refresh ONCE). Anything longer is
+ *  surfaced to the user instead of silently stalling a verb. */
+export declare const MAX_ABSORBED_RETRY_AFTER_SEC = 10;
 export interface LoginOptions {
     readonly botUrl: string;
     readonly sessionPath: string;
@@ -32,8 +36,8 @@ export declare function login(opts: LoginOptions): Promise<CliSession>;
  * `now` is injected for tests so we can simulate expiry without
  * mocking the system clock.
  */
-export declare function getValidAccessToken(sessionPath: string, fetcher?: typeof fetch, now?: () => number): Promise<{
+export declare function getValidAccessToken(sessionPath: string, fetcher?: typeof fetch, now?: () => number, sleep?: (ms: number) => Promise<void>): Promise<{
     accessToken: string;
-    session: CliSession;
+    session: AnyCliSession;
 }>;
 //# sourceMappingURL=flow.d.ts.map

package/dist/auth/flow.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"flow.d.ts","sourceRoot":"","sources":["../../src/auth/flow.ts"],"names":[],"mappings":"AAwCA,OAAO,EAGL,KAAK,UAAU,EAEhB,MAAM,cAAc,CAAC;AAGtB,qBAAa,kBAAmB,SAAQ,KAAK;IAC3C,QAAQ,CAAC,IAAI,EAAG,gBAAgB,CAAU;CAC3C;AAED;8DAC8D;AAC9D,eAAO,MAAM,eAAe,QAAS,CAAC;AAEtC,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B;;sDAEkD;IAClD,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC3C,kCAAkC;IAClC,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,KAAK,CAAC;IAChC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACzD;AAED;;;;GAIG;AACH,wBAAsB,KAAK,CAAC,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,UAAU,CAAC,CA8DnE;AAED;;;;;;;;;GASG;AACH,wBAAsB,mBAAmB,CACvC,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE,OAAO,KAAa,EAC7B,GAAG,GAAE,MAAM,MAAiB,GAC3B,OAAO,CAAC;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,UAAU,CAAA;CAAE,CAAC,CAiDvD"}
+{"version":3,"file":"flow.d.ts","sourceRoot":"","sources":["../../src/auth/flow.ts"],"names":[],"mappings":"AAwCA,OAAO,EAKL,KAAK,aAAa,EAClB,KAAK,UAAU,EAGhB,MAAM,cAAc,CAAC;AAQtB,qBAAa,kBAAmB,SAAQ,KAAK;IAC3C,QAAQ,CAAC,IAAI,EAAG,gBAAgB,CAAU;CAC3C;AAED;8DAC8D;AAC9D,eAAO,MAAM,eAAe,QAAS,CAAC;AAEtC;;gEAEgE;AAChE,eAAO,MAAM,4BAA4B,KAAK,CAAC;AAE/C,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B;;sDAEkD;IAClD,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC3C,kCAAkC;IAClC,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,KAAK,CAAC;IAChC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACzD;AAED;;;;GAIG;AACH,wBAAsB,KAAK,CAAC,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,UAAU,CAAC,CA8DnE;AAED;;;;;;;;;GASG;AACH,wBAAsB,mBAAmB,CACvC,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE,OAAO,KAAa,EAC7B,GAAG,GAAE,MAAM,MAAiB,EAC5B,KAAK,GAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CACI,GACtC,OAAO,CAAC;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,aAAa,CAAA;CAAE,CAAC,CAuD1D"}

package/dist/auth/gateway-flow.d.ts

@@ -0,0 +1,76 @@
+import { type GatewayCliSession } from "./session.js";
+export declare const CLI_SESSION_AUTH_PATH = "/__cli_session_auth";
+export declare const CLI_SESSION_TOKEN_PATH = "/__cli_session_token";
+export declare const CLI_LOGOUT_PATH = "/__cli_logout";
+/** The gateway is unreachable or not serving the cli-session grant
+ *  (404 wrong host / 503 config missing / network error). The login
+ *  command treats this as "fall back to the legacy flow". */
+export declare class GatewayUnavailableError extends Error {
+    readonly code: "gateway_unavailable";
+}
+/** Non-2xx from the session-token or logout endpoint. `httpStatus`
+ *  lets flow.ts distinguish "session dead — re-login" (400/401) from
+ *  transient server trouble (5xx). */
+export declare class GatewayTokenError extends Error {
+    readonly code: "gateway_token_error";
+    readonly httpStatus?: number;
+    constructor(message: string, httpStatus?: number);
+}
+/** 429 from the gateway. The request was rejected BEFORE the body was
+ *  read (the gateway rate-limits pre-parse), so a rate-limited refresh
+ *  has NOT consumed the refresh token — the session is intact and the
+ *  caller must NOT clear it. */
+export declare class GatewayRateLimitError extends Error {
+    readonly code: "gateway_rate_limited";
+    readonly retryAfterSec: number;
+    constructor(retryAfterSec: number);
+}
+export interface GatewayTokenPair {
+    readonly accessToken: string;
+    readonly refreshToken: string;
+    readonly expiresInSec: number;
+}
+export interface GatewayLoginOptions {
+    readonly gatewayUrl: string;
+    readonly sessionPath: string;
+    /** Receives the auth URL once the localhost server is bound — the
+     *  CLI verb prints it so the user can copy-paste if the browser
+     *  doesn't open. */
+    readonly onAuthUrl?: (url: string) => void;
+    /** Injection points for tests. */
+    readonly fetcher?: typeof fetch;
+    readonly browserOpener?: (url: string) => Promise<void>;
+}
+/**
+ * Run the gateway cli-session login and persist the v2 session.
+ *
+ * Probes the gateway FIRST (one cheap GET) so an unreachable gateway
+ * or a host without the grant fails fast with `GatewayUnavailableError`
+ * — before any browser opens — and the verb can fall back to the
+ * legacy flow instead of hanging on a callback that will never come.
+ */
+export declare function gatewayLogin(opts: GatewayLoginOptions): Promise<GatewayCliSession>;
+/**
+ * Refresh-token grant. Returns the new pair — with a ROTATED refresh
+ * token the caller MUST persist before first use of the access token
+ * (flow.ts owns that ordering). Throws:
+ *   * GatewayRateLimitError on 429 (token NOT consumed),
+ *   * GatewayTokenError with httpStatus on any other non-2xx
+ *     (400/401 = session dead; 5xx = transient),
+ *   * GatewayTokenError without httpStatus on network failure.
+ */
+export declare function refreshGatewayTokens(params: {
+    readonly gatewayUrl: string;
+    readonly refreshToken: string;
+}, fetcher?: typeof fetch): Promise<GatewayTokenPair>;
+/**
+ * `POST /__cli_logout` — server-side revocation. 204 = revoked (or
+ * idempotently already-gone). Throws on anything else; `launchpad
+ * logout` catches, warns, and clears the local session anyway (logout
+ * must work offline).
+ */
+export declare function revokeGatewaySession(params: {
+    readonly gatewayUrl: string;
+    readonly refreshToken: string;
+}, fetcher?: typeof fetch): Promise<void>;
+//# sourceMappingURL=gateway-flow.d.ts.map

package/dist/auth/gateway-flow.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gateway-flow.d.ts","sourceRoot":"","sources":["../../src/auth/gateway-flow.ts"],"names":[],"mappings":"AA0CA,OAAO,EAGL,KAAK,iBAAiB,EACvB,MAAM,cAAc,CAAC;AAEtB,eAAO,MAAM,qBAAqB,wBAAwB,CAAC;AAC3D,eAAO,MAAM,sBAAsB,yBAAyB,CAAC;AAC7D,eAAO,MAAM,eAAe,kBAAkB,CAAC;AAE/C;;6DAE6D;AAC7D,qBAAa,uBAAwB,SAAQ,KAAK;IAChD,QAAQ,CAAC,IAAI,EAAG,qBAAqB,CAAU;CAChD;AAED;;sCAEsC;AACtC,qBAAa,iBAAkB,SAAQ,KAAK;IAC1C,QAAQ,CAAC,IAAI,EAAG,qBAAqB,CAAU;IAC/C,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;gBACjB,OAAO,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM;CAKjD;AAED;;;gCAGgC;AAChC,qBAAa,qBAAsB,SAAQ,KAAK;IAC9C,QAAQ,CAAC,IAAI,EAAG,sBAAsB,CAAU;IAChD,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;gBACnB,aAAa,EAAE,MAAM;CAOlC;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;CAC/B;AAED,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B;;wBAEoB;IACpB,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC3C,kCAAkC;IAClC,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,KAAK,CAAC;IAChC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACzD;AAED;;;;;;;GAOG;AACH,wBAAsB,YAAY,CAChC,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,iBAAiB,CAAC,CAkD5B;AAED;;;;;;;;GAQG;AACH,wBAAsB,oBAAoB,CACxC,MAAM,EAAE;IAAE,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAA;CAAE,EACtE,OAAO,GAAE,OAAO,KAAa,GAC5B,OAAO,CAAC,gBAAgB,CAAC,CAS3B;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,CACxC,MAAM,EAAE;IAAE,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAA;CAAE,EACtE,OAAO,GAAE,OAAO,KAAa,GAC5B,OAAO,CAAC,IAAI,CAAC,CAsBf"}

package/dist/auth/session.d.ts

@@ -1,4 +1,5 @@
 export declare const SESSION_VERSION = 1;
+export declare const GATEWAY_SESSION_VERSION = 2;
 export interface CliSession {
     readonly version: typeof SESSION_VERSION;
     /** OAuth `access_token`. Sent to the bot as `Authorization: Bearer <accessToken>`. */
@@ -27,6 +28,38 @@ export interface CliSession {
      *  by `whoami` (slice 3) for diagnostic display only. */
     readonly issuedAt: string;
 }
+/** A `version: 2` session minted by the auth gateway's cli-session
+ *  grant (ADR 0026, sp-cli7kq). Differences from the legacy shape:
+ *  no `clientId`/`tokenEndpoint`/`resource` (the gateway endpoints
+ *  are fixed — no discovery, no RFC 7591 registration), and the
+ *  refresh token is OPAQUE and ROTATES on every refresh — a stale
+ *  copy is not just useless, presenting it after rotation revokes
+ *  the whole session server-side (the replay tripwire). That makes
+ *  the write-before-use persistence ordering in `flow.ts`
+ *  load-bearing, not cosmetic. */
+export interface GatewayCliSession {
+    readonly version: typeof GATEWAY_SESSION_VERSION;
+    /** Discriminator for future non-gateway v2 shapes; always "gateway". */
+    readonly kind: "gateway";
+    /** RS256 `typ: cli-session` JWT. Sent to the bot as
+     *  `Authorization: Bearer <accessToken>`. */
+    readonly accessToken: string;
+    /** Opaque rotating refresh token (`<jti>.<random>`). NEVER reuse a
+     *  rotated-away value — the gateway treats reuse as theft. */
+    readonly refreshToken: string;
+    /** Epoch milliseconds at which `accessToken` ceases to be valid. */
+    readonly accessTokenExpiresAt: number;
+    /** Base URL of the auth gateway that minted this session — refresh
+     *  and logout go back to the same issuer. */
+    readonly gatewayUrl: string;
+    /** ISO-8601 UTC timestamp of when this session was written. */
+    readonly issuedAt: string;
+}
+/** Either on-disk session shape. Readers that only need the common
+ *  fields (accessToken / accessTokenExpiresAt / issuedAt) can stay
+ *  agnostic; refresh + logout must dispatch on `isGatewaySession`. */
+export type AnyCliSession = CliSession | GatewayCliSession;
+export declare function isGatewaySession(s: AnyCliSession): s is GatewayCliSession;
 export declare class SessionParseError extends Error {
     readonly code: "session_parse_error";
 }
@@ -37,13 +70,13 @@ export declare class SessionParseError extends Error {
  * than to silently re-prompt for login when the storage is
  * actually broken.
  */
-export declare function readSession(sessionPath: string): Promise<CliSession | null>;
+export declare function readSession(sessionPath: string): Promise<AnyCliSession | null>;
 /**
  * Atomic-ish write: writes to `<path>.tmp` then renames into
  * place. The whole-directory chmod is best-effort (Windows ignores
  * mode bits) — the per-file mode is the load-bearing one.
  */
-export declare function writeSession(sessionPath: string, session: CliSession): Promise<void>;
+export declare function writeSession(sessionPath: string, session: AnyCliSession): Promise<void>;
 /**
  * `launchpad logout`: zero out the session file. Idempotent —
  * already-absent file is a no-op success. Returns whether a

package/dist/auth/session.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../src/auth/session.ts"],"names":[],"mappings":"AA0BA,eAAO,MAAM,eAAe,IAAI,CAAC;AAEjC,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,OAAO,EAAE,OAAO,eAAe,CAAC;IACzC,sFAAsF;IACtF,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B;qDACiD;IACjD,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B;wEACoE;IACpE,QAAQ,CAAC,oBAAoB,EAAE,MAAM,CAAC;IACtC;uCACmC;IACnC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B;6CACyC;IACzC,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B;;;;;;2BAMuB;IACvB,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B;6DACyD;IACzD,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AAED,qBAAa,iBAAkB,SAAQ,KAAK;IAC1C,QAAQ,CAAC,IAAI,EAAG,qBAAqB,CAAU;CAChD;AAED;;;;;;GAMG;AACH,wBAAsB,WAAW,CAC/B,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAmD5B;AAED;;;;GAIG;AACH,wBAAsB,YAAY,CAChC,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,IAAI,CAAC,CA4Bf;AAED;;;;;GAKG;AACH,wBAAsB,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAQxE"}
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../src/auth/session.ts"],"names":[],"mappings":"AA2BA,eAAO,MAAM,eAAe,IAAI,CAAC;AACjC,eAAO,MAAM,uBAAuB,IAAI,CAAC;AAEzC,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,OAAO,EAAE,OAAO,eAAe,CAAC;IACzC,sFAAsF;IACtF,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B;qDACiD;IACjD,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B;wEACoE;IACpE,QAAQ,CAAC,oBAAoB,EAAE,MAAM,CAAC;IACtC;uCACmC;IACnC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B;6CACyC;IACzC,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B;;;;;;2BAMuB;IACvB,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B;6DACyD;IACzD,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AAED;;;;;;;;kCAQkC;AAClC,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,OAAO,EAAE,OAAO,uBAAuB,CAAC;IACjD,wEAAwE;IACxE,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;IACzB;iDAC6C;IAC7C,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B;kEAC8D;IAC9D,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,oEAAoE;IACpE,QAAQ,CAAC,oBAAoB,EAAE,MAAM,CAAC;IACtC;iDAC6C;IAC7C,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,+DAA+D;IAC/D,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AAED;;sEAEsE;AACtE,MAAM,MAAM,aAAa,GAAG,UAAU,GAAG,iBAAiB,CAAC;AAE3D,wBAAgB,gBAAgB,CAAC,CAAC,EAAE,aAAa,GAAG,CAAC,IAAI,iBAAiB,CAEzE;AAED,qBAAa,iBAAkB,SAAQ,KAAK;IAC1C,QAAQ,CAAC,IAAI,EAAG,qBAAqB,CAAU;CAChD;AAED;;;;;;GAMG;AACH,wBAAsB,WAAW,CAC/B,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAsD/B;AA0BD;;;;GAIG;AACH,wBAAsB,YAAY,CAChC,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,aAAa,GACrB,OAAO,CAAC,IAAI,CAAC,CA4Bf;AAED;;;;;GAKG;AACH,wBAAsB,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAQxE"}