@p0security/cli 0.26.15 → 0.27.1

package/build/dist/drivers/stdio.d.ts

@@ -8,6 +8,14 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
+import yargs from "yargs";
+/** Log with debugging
+ *
+ * Debug logs are written to stderr
+ */
+export declare function debug(argv: yargs.ArgumentsCamelCase<{
+    debug?: boolean;
+}>, message: string, ...rest: any): void;
 /** Used to output machine-readable text to stdout
  *
  * In general this should not be used for text meant to be consumed

package/build/dist/drivers/stdio.js

@@ -19,7 +19,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.spinUntil = exports.clear2 = exports.reset2 = exports.print2 = exports.print1 = void 0;
+exports.spinUntil = exports.clear2 = exports.reset2 = exports.print2 = exports.print1 = exports.debug = void 0;
 /** Functions to handle stdio
  *
  * These are essentially wrappers around console.foo, but allow for
@@ -29,6 +29,17 @@ exports.spinUntil = exports.clear2 = exports.reset2 = exports.print2 = exports.p
 const util_1 = require("../util");
 const ansi_1 = require("./ansi");
 const process_1 = require("process");
+/** Log with debugging
+ *
+ * Debug logs are written to stderr
+ */
+function debug(argv, message, ...rest) {
+    if (!argv.debug)
+        return;
+    // eslint-disable-next-line no-console
+    console.error(message, ...rest);
+}
+exports.debug = debug;
 /** Used to output machine-readable text to stdout
  *
  * In general this should not be used for text meant to be consumed

package/build/dist/drivers/stdio.js.map

@@ -1 +1 @@
-{"version":3,"file":"stdio.js","sourceRoot":"","sources":["../../../src/drivers/stdio.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;;;;;;;;;;;AAEH;;;;;GAKG;AACH,kCAAgC;AAChC,iCAAuC;AACvC,qCAAiC;AAEjC;;;;GAIG;AACH,SAAgB,MAAM,CAAC,OAAY;IACjC,sCAAsC;IACtC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AACvB,CAAC;AAHD,wBAGC;AAED;;;GAGG;AACH,SAAgB,MAAM,CAAC,OAAY;IACjC,sCAAsC;IACtC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;AACzB,CAAC;AAHD,wBAGC;AAED,8DAA8D;AAC9D,SAAgB,MAAM;IACpB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,WAAI,EAAC,IAAI,CAAC,CAAC,CAAC;AACnC,CAAC;AAFD,wBAEC;AAED,uCAAuC;AACvC,SAAgB,MAAM;IACpB,4BAA4B;IAC5B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,WAAI,EAAC,IAAI,CAAC,CAAC,CAAC;IACjC,MAAM,EAAE,CAAC;AACX,CAAC;AAJD,wBAIC;AAED,MAAM,IAAI,GAAG;IACX,KAAK,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC;IACrC,OAAO,EAAE,GAAG;CACb,CAAC;AAEF,wDAAwD;AACjD,MAAM,SAAS,GAAG,CAAU,OAAe,EAAE,OAAmB,EAAE,EAAE;IACzE,IAAI,MAAM,GAAG,KAAK,CAAC;IACnB,IAAI,EAAE,GAAG,CAAC,CAAC;IACX,MAAM,QAAQ,GAAG,gBAAM,CAAC,KAAK,CAAC;IAC9B,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,CAAC,OAAO,CAAC,CAAC;KACjB;IACD,+EAA+E;IAC/E,qBAAqB;IACrB,KAAK,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IAC5D,OAAO,CAAC,MAAM,EAAE;QACd,MAAM,IAAA,YAAK,EAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC1B,IAAI,MAAM;YAAE,MAAM;QAClB,IAAI,QAAQ,EAAE;YACZ,MAAM,EAAE,CAAC;YACT,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,cAAO,CAAC,KAAK;gBACX,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC;gBAClC,GAAG;gBACH,OAAO;gBACP,cAAO,CAAC,KAAK,CAChB,CAAC;SACH;QACD,EAAE,EAAE,CAAC;KACN;IACD,MAAM,EAAE,CAAC;IACT,OAAO,MAAM,OAAO,CAAC;AACvB,CAAC,CAAA,CAAC;AA3BW,QAAA,SAAS,aA2BpB"}
+{"version":3,"file":"stdio.js","sourceRoot":"","sources":["../../../src/drivers/stdio.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;;;;;;;;;;;AAEH;;;;;GAKG;AACH,kCAAgC;AAChC,iCAAuC;AACvC,qCAAiC;AAGjC;;;GAGG;AACH,SAAgB,KAAK,CACnB,IAAmD,EACnD,OAAe,EACf,GAAG,IAAS;IAEZ,IAAI,CAAC,IAAI,CAAC,KAAK;QAAE,OAAO;IACxB,sCAAsC;IACtC,OAAO,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;AAClC,CAAC;AARD,sBAQC;AAED;;;;GAIG;AACH,SAAgB,MAAM,CAAC,OAAY;IACjC,sCAAsC;IACtC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AACvB,CAAC;AAHD,wBAGC;AAED;;;GAGG;AACH,SAAgB,MAAM,CAAC,OAAY;IACjC,sCAAsC;IACtC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;AACzB,CAAC;AAHD,wBAGC;AAED,8DAA8D;AAC9D,SAAgB,MAAM;IACpB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,WAAI,EAAC,IAAI,CAAC,CAAC,CAAC;AACnC,CAAC;AAFD,wBAEC;AAED,uCAAuC;AACvC,SAAgB,MAAM;IACpB,4BAA4B;IAC5B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,WAAI,EAAC,IAAI,CAAC,CAAC,CAAC;IACjC,MAAM,EAAE,CAAC;AACX,CAAC;AAJD,wBAIC;AAED,MAAM,IAAI,GAAG;IACX,KAAK,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC;IACrC,OAAO,EAAE,GAAG;CACb,CAAC;AAEF,wDAAwD;AACjD,MAAM,SAAS,GAAG,CAAU,OAAe,EAAE,OAAmB,EAAE,EAAE;IACzE,IAAI,MAAM,GAAG,KAAK,CAAC;IACnB,IAAI,EAAE,GAAG,CAAC,CAAC;IACX,MAAM,QAAQ,GAAG,gBAAM,CAAC,KAAK,CAAC;IAC9B,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,CAAC,OAAO,CAAC,CAAC;KACjB;IACD,+EAA+E;IAC/E,qBAAqB;IACrB,KAAK,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IAC5D,OAAO,CAAC,MAAM,EAAE;QACd,MAAM,IAAA,YAAK,EAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC1B,IAAI,MAAM;YAAE,MAAM;QAClB,IAAI,QAAQ,EAAE;YACZ,MAAM,EAAE,CAAC;YACT,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,cAAO,CAAC,KAAK;gBACX,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC;gBAClC,GAAG;gBACH,OAAO;gBACP,cAAO,CAAC,KAAK,CAChB,CAAC;SACH;QACD,EAAE,EAAE,CAAC;KACN;IACD,MAAM,EAAE,CAAC;IACT,OAAO,MAAM,OAAO,CAAC;AACvB,CAAC,CAAA,CAAC;AA3BW,QAAA,SAAS,aA2BpB"}

package/build/dist/plugins/aws/ssh.js

@@ -46,6 +46,7 @@ You should have received a copy of the GNU General Public License along with @p0
 const keys_1 = require("../../common/keys");
 const api_1 = require("../../drivers/api");
 const stdio_1 = require("../../drivers/stdio");
+const delegation_1 = require("../../types/delegation");
 const util_1 = require("../../util");
 const aws_1 = require("../okta/aws");
 const config_1 = require("./config");
@@ -170,14 +171,18 @@ exports.awsSshProvider = {
             : undefined;
     }),
     requestToSsh: (request) => {
-        var _a, _b, _c, _d, _e, _f;
+        var _a, _b, _c, _d;
         const { permission, delegation, generated } = request;
         const { resource, region } = permission;
         const { instanceId } = resource;
         const { linuxUserName, hostKeys } = generated;
+        const awsDelegate = (0, delegation_1.getDelegate)(delegation, "aws");
         // TODO: Update after P0 backend data-model update
-        const { idcId, idcRegion, accountId } = (_b = (_a = delegation === null || delegation === void 0 ? void 0 : delegation.aws) === null || _a === void 0 ? void 0 : _a.permission) !== null && _b !== void 0 ? _b : resource;
-        const name = (_f = (_d = (_c = delegation === null || delegation === void 0 ? void 0 : delegation.aws) === null || _c === void 0 ? void 0 : _c.generated.name) !== null && _d !== void 0 ? _d : (_e = generated === null || generated === void 0 ? void 0 : generated.resource) === null || _e === void 0 ? void 0 : _e.name) !== null && _f !== void 0 ? _f : "";
+        const { idcId, idcRegion, accountId } = (_a = awsDelegate === null || awsDelegate === void 0 ? void 0 : awsDelegate.permission) !== null && _a !== void 0 ? _a : resource;
+        if (!accountId) {
+            throw "Backend did not provide an AWS account ID for SSH session.";
+        }
+        const name = (_d = (_b = awsDelegate === null || awsDelegate === void 0 ? void 0 : awsDelegate.generated.name) !== null && _b !== void 0 ? _b : (_c = generated === null || generated === void 0 ? void 0 : generated.resource) === null || _c === void 0 ? void 0 : _c.name) !== null && _d !== void 0 ? _d : "";
         const common = {
             linuxUserName,
             accountId,

package/build/dist/plugins/aws/ssh.js.map

@@ -1 +1 @@
-{"version":3,"file":"ssh.js","sourceRoot":"","sources":["../../../../src/plugins/aws/ssh.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,4CAI2B;AAC3B,2CAAsE;AACtE,+CAA6C;AAE7C,qCAA0D;AAC1D,qCAAqD;AACrD,qCAAwC;AACxC,+BAA0C;AAC1C,2CAAiD;AAQjD,gDAAkC;AAElC,MAAM,4BAA4B,GAAG,EAAE,GAAG,IAAI,CAAC;AAE/C,iGAAiG;AACjG,MAAM,+BAA+B,GAAG,qBAAqB,CAAC;AAE9D;;;;;;GAMG;AACH,MAAM,2BAA2B,GAAG;IAClC,kFAAkF;IAClF,sFAAsF;IACtF;QACE,OAAO,EACL,wRAAwR;KAC3R;IACD;;;;;;OAMG;IACH;QACE,OAAO,EAAE,kEAAkE;KAC5E;CACO,CAAC;AAEE,QAAA,cAAc,GAKvB;IACF,kBAAkB,EAAE,CAAO,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE;;QAClD,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAA,qBAAY,EAAC,KAAK,EAAE,OAAO,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QACvE,IAAI,CAAC,CAAA,MAAA,MAAM,CAAC,KAAK,0CAAE,IAAI,CAAA,IAAI,CAAA,MAAA,MAAM,CAAC,KAAK,0CAAE,IAAI,MAAK,KAAK,EAAE;YACvD,MAAM,+CAA+C,CAAC;SACvD;QAED,OAAO,CAAA,MAAA,MAAM,CAAC,KAAK,0CAAE,IAAI,MAAK,KAAK;YACjC,CAAC,CAAC,MAAM,IAAA,uBAAiB,EAAC,OAA2B,CAAC;YACtD,CAAC,CAAC,CAAA,MAAA,MAAM,CAAC,KAAK,0CAAE,IAAI,MAAK,WAAW;gBAClC,CAAC,CAAC,MAAM,IAAA,4BAAsB,EAC1B,KAAK,EACL,OAA4B,EAC5B,KAAK,CACN;gBACH,CAAC,CAAC,IAAA,uBAAgB,EAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACvC,CAAC,CAAA;IAED,aAAa,EAAE,CAAO,OAAO,EAAE,EAAE;QAC/B,IAAI,CAAC,CAAC,MAAM,IAAA,0BAAgB,EAAC,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,CAAC,CAAC,EAAE;YAC7C,MAAM,8DAA8D,CAAC;SACtE;IACH,CAAC,CAAA;IAED,YAAY,EAAE,KAAK;IAEnB,oBAAoB,EAAE,4BAA4B;IAElD,4BAA4B,EAAE,GAAG,EAAE,CAAC,SAAS;IAEvC,eAAe,CAAC,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,KAAK;;YAC/D,IAAI,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE;gBAC/B,IAAI,OAAO,CAAC,SAAS,CAAC,SAAS,CAAC,IAAI,EAAE,KAAK,SAAS,CAAC,IAAI,EAAE,EAAE;oBAC3D,MAAM,+DAA+D,CAAC;iBACvE;aACF;iBAAM;gBACL,MAAM,IAAA,qBAAe,EAAC,KAAK,EAAE,EAAE,SAAS,EAAE,SAAS,EAAE,EAAE,KAAK,CAAC,CAAC;aAC/D;QACH,CAAC;KAAA;IAED,YAAY,EAAE,CAAC,OAAO,EAAE,IAAI,EAAE,EAAE;QAC9B,OAAO;YACL,KAAK;YACL,KAAK;YACL,eAAe;YACf,UAAU;YACV,OAAO,CAAC,MAAM;YACd,UAAU;YACV,OAAO,CAAC,EAAE;YACV,iBAAiB;YACjB,+BAA+B;YAC/B,cAAc;YACd,IAAI,CAAC,CAAC,CAAC,cAAc,IAAI,EAAE,CAAC,CAAC,CAAC,eAAe;SAC9C,CAAC;IACJ,CAAC;IAED,aAAa,EAAE,CAAC,OAAO,EAAE,EAAE;QACzB,0CAA0C;QAC1C,IAAI,OAAO,CAAC,MAAM,KAAK,KAAK,EAAE;YAC5B,OAAO;gBACL,UAAU,IAAA,iBAAU,GAAE,oBAAoB,OAAO,CAAC,IAAI,cAAc,OAAO,CAAC,SAAS,gBAAgB;aACtG,CAAC;SACH;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,YAAY,EAAE,GAAS,EAAE;QACvB,OAAO;YACL,cAAc,EAAE,uBAAgB;SACjC,CAAC;IACJ,CAAC,CAAA;IAED,eAAe,EAAE,CAAO,OAAO,EAAE,OAAO,EAAE,EAAE;QAC1C,MAAM,EAAE,EAAE,EAAE,GAAG,OAAO,CAAC;QACvB,MAAM,YAAY,GAAG,IAAA,4BAAqB,EAAC,EAAE,CAAC,CAAC;QAE/C,+BAA+B;QAC/B,IAAI;YACF,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;YACxD,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YACxD,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE;gBAClB,IAAA,cAAM,EAAC,uCAAuC,EAAE,EAAE,CAAC,CAAC;aACrD;YACD,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;SAChD;QAAC,OAAO,KAAK,EAAE;YACd,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE;gBAClB,IAAA,cAAM,EAAC,oCAAoC,EAAE,KAAK,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;aACpE;SACF;QAED,oCAAoC;QACpC,MAAM,MAAM,GAAG,MAAM,IAAA,sBAAgB,EAAC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,SAAS,EAAE;YACtE,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,IAAA,yBAAkB,EAAC,EAAE,EAAE,MAAM,CAAC,QAAQ,EAAE;YAC7D,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CAAC,CAAC;QACH,OAAO,QAAQ;YACb,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;YACtD,CAAC,CAAC,SAAS,CAAC;IAChB,CAAC,CAAA;IAED,YAAY,EAAE,CAAC,OAAO,EAAE,EAAE;;QACxB,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;QACtD,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,UAAU,CAAC;QACxC,MAAM,EAAE,UAAU,EAAE,GAAG,QAAQ,CAAC;QAChC,MAAM,EAAE,aAAa,EAAE,QAAQ,EAAE,GAAG,SAAS,CAAC;QAC9C,kDAAkD;QAClD,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,GACnC,MAAA,MAAA,UAAU,aAAV,UAAU,uBAAV,UAAU,CAAE,GAAG,0CAAE,UAAU,mCAAI,QAAQ,CAAC;QAC1C,MAAM,IAAI,GACR,MAAA,MAAA,MAAA,UAAU,aAAV,UAAU,uBAAV,UAAU,CAAE,GAAG,0CAAE,SAAS,CAAC,IAAI,mCAAI,MAAA,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,QAAQ,0CAAE,IAAI,mCAAI,EAAE,CAAC;QACrE,MAAM,MAAM,GAAG;YACb,aAAa;YACb,SAAS;YACT,MAAM;YACN,EAAE,EAAE,UAAU;YACd,QAAQ;SACT,CAAC;QACF,OAAO,CAAC,KAAK,IAAI,CAAC,SAAS;YACzB,CAAC,iCAAM,MAAM,KAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,IACtD,CAAC,iCACM,MAAM,KACT,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,EACrC,aAAa,EAAE,IAAI,EACnB,IAAI,EAAE,KAAK,EACX,MAAM,EAAE,KAAK,GACd,CAAC;IACR,CAAC;IAED,YAAY,EAAE,CAAO,OAAO,EAAE,EAAE,kDAAC,OAAA,iCAAM,OAAO,KAAE,YAAY,EAAE,SAAS,IAAG,CAAA,GAAA;IAE1E,2BAA2B;CAC5B,CAAC"}
+{"version":3,"file":"ssh.js","sourceRoot":"","sources":["../../../../src/plugins/aws/ssh.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,4CAI2B;AAC3B,2CAAsE;AACtE,+CAA6C;AAC7C,uDAAqD;AAErD,qCAA0D;AAC1D,qCAAqD;AACrD,qCAAwC;AACxC,+BAA0C;AAC1C,2CAAiD;AAQjD,gDAAkC;AAElC,MAAM,4BAA4B,GAAG,EAAE,GAAG,IAAI,CAAC;AAE/C,iGAAiG;AACjG,MAAM,+BAA+B,GAAG,qBAAqB,CAAC;AAE9D;;;;;;GAMG;AACH,MAAM,2BAA2B,GAAG;IAClC,kFAAkF;IAClF,sFAAsF;IACtF;QACE,OAAO,EACL,wRAAwR;KAC3R;IACD;;;;;;OAMG;IACH;QACE,OAAO,EAAE,kEAAkE;KAC5E;CACO,CAAC;AAEE,QAAA,cAAc,GAKvB;IACF,kBAAkB,EAAE,CAAO,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE;;QAClD,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAA,qBAAY,EAAC,KAAK,EAAE,OAAO,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QACvE,IAAI,CAAC,CAAA,MAAA,MAAM,CAAC,KAAK,0CAAE,IAAI,CAAA,IAAI,CAAA,MAAA,MAAM,CAAC,KAAK,0CAAE,IAAI,MAAK,KAAK,EAAE;YACvD,MAAM,+CAA+C,CAAC;SACvD;QAED,OAAO,CAAA,MAAA,MAAM,CAAC,KAAK,0CAAE,IAAI,MAAK,KAAK;YACjC,CAAC,CAAC,MAAM,IAAA,uBAAiB,EAAC,OAA2B,CAAC;YACtD,CAAC,CAAC,CAAA,MAAA,MAAM,CAAC,KAAK,0CAAE,IAAI,MAAK,WAAW;gBAClC,CAAC,CAAC,MAAM,IAAA,4BAAsB,EAC1B,KAAK,EACL,OAA4B,EAC5B,KAAK,CACN;gBACH,CAAC,CAAC,IAAA,uBAAgB,EAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACvC,CAAC,CAAA;IAED,aAAa,EAAE,CAAO,OAAO,EAAE,EAAE;QAC/B,IAAI,CAAC,CAAC,MAAM,IAAA,0BAAgB,EAAC,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,CAAC,CAAC,EAAE;YAC7C,MAAM,8DAA8D,CAAC;SACtE;IACH,CAAC,CAAA;IAED,YAAY,EAAE,KAAK;IAEnB,oBAAoB,EAAE,4BAA4B;IAElD,4BAA4B,EAAE,GAAG,EAAE,CAAC,SAAS;IAEvC,eAAe,CAAC,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,KAAK;;YAC/D,IAAI,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE;gBAC/B,IAAI,OAAO,CAAC,SAAS,CAAC,SAAS,CAAC,IAAI,EAAE,KAAK,SAAS,CAAC,IAAI,EAAE,EAAE;oBAC3D,MAAM,+DAA+D,CAAC;iBACvE;aACF;iBAAM;gBACL,MAAM,IAAA,qBAAe,EAAC,KAAK,EAAE,EAAE,SAAS,EAAE,SAAS,EAAE,EAAE,KAAK,CAAC,CAAC;aAC/D;QACH,CAAC;KAAA;IAED,YAAY,EAAE,CAAC,OAAO,EAAE,IAAI,EAAE,EAAE;QAC9B,OAAO;YACL,KAAK;YACL,KAAK;YACL,eAAe;YACf,UAAU;YACV,OAAO,CAAC,MAAM;YACd,UAAU;YACV,OAAO,CAAC,EAAE;YACV,iBAAiB;YACjB,+BAA+B;YAC/B,cAAc;YACd,IAAI,CAAC,CAAC,CAAC,cAAc,IAAI,EAAE,CAAC,CAAC,CAAC,eAAe;SAC9C,CAAC;IACJ,CAAC;IAED,aAAa,EAAE,CAAC,OAAO,EAAE,EAAE;QACzB,0CAA0C;QAC1C,IAAI,OAAO,CAAC,MAAM,KAAK,KAAK,EAAE;YAC5B,OAAO;gBACL,UAAU,IAAA,iBAAU,GAAE,oBAAoB,OAAO,CAAC,IAAI,cAAc,OAAO,CAAC,SAAS,gBAAgB;aACtG,CAAC;SACH;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,YAAY,EAAE,GAAS,EAAE;QACvB,OAAO;YACL,cAAc,EAAE,uBAAgB;SACjC,CAAC;IACJ,CAAC,CAAA;IAED,eAAe,EAAE,CAAO,OAAO,EAAE,OAAO,EAAE,EAAE;QAC1C,MAAM,EAAE,EAAE,EAAE,GAAG,OAAO,CAAC;QACvB,MAAM,YAAY,GAAG,IAAA,4BAAqB,EAAC,EAAE,CAAC,CAAC;QAE/C,+BAA+B;QAC/B,IAAI;YACF,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;YACxD,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YACxD,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE;gBAClB,IAAA,cAAM,EAAC,uCAAuC,EAAE,EAAE,CAAC,CAAC;aACrD;YACD,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;SAChD;QAAC,OAAO,KAAK,EAAE;YACd,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE;gBAClB,IAAA,cAAM,EAAC,oCAAoC,EAAE,KAAK,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;aACpE;SACF;QAED,oCAAoC;QACpC,MAAM,MAAM,GAAG,MAAM,IAAA,sBAAgB,EAAC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,SAAS,EAAE;YACtE,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,IAAA,yBAAkB,EAAC,EAAE,EAAE,MAAM,CAAC,QAAQ,EAAE;YAC7D,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CAAC,CAAC;QACH,OAAO,QAAQ;YACb,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;YACtD,CAAC,CAAC,SAAS,CAAC;IAChB,CAAC,CAAA;IAED,YAAY,EAAE,CAAC,OAAO,EAAE,EAAE;;QACxB,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;QACtD,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,UAAU,CAAC;QACxC,MAAM,EAAE,UAAU,EAAE,GAAG,QAAQ,CAAC;QAChC,MAAM,EAAE,aAAa,EAAE,QAAQ,EAAE,GAAG,SAAS,CAAC;QAC9C,MAAM,WAAW,GAAG,IAAA,wBAAW,EAAC,UAAU,EAAE,KAAK,CAAC,CAAC;QACnD,kDAAkD;QAClD,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,MAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,UAAU,mCAAI,QAAQ,CAAC;QAC5E,IAAI,CAAC,SAAS,EAAE;YACd,MAAM,4DAA4D,CAAC;SACpE;QACD,MAAM,IAAI,GAAG,MAAA,MAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,SAAS,CAAC,IAAI,mCAAI,MAAA,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,QAAQ,0CAAE,IAAI,mCAAI,EAAE,CAAC;QAC5E,MAAM,MAAM,GAAG;YACb,aAAa;YACb,SAAS;YACT,MAAM;YACN,EAAE,EAAE,UAAU;YACd,QAAQ;SACT,CAAC;QACF,OAAO,CAAC,KAAK,IAAI,CAAC,SAAS;YACzB,CAAC,iCAAM,MAAM,KAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,IACtD,CAAC,iCACM,MAAM,KACT,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,EACrC,aAAa,EAAE,IAAI,EACnB,IAAI,EAAE,KAAK,EACX,MAAM,EAAE,KAAK,GACd,CAAC;IACR,CAAC;IAED,YAAY,EAAE,CAAO,OAAO,EAAE,EAAE,kDAAC,OAAA,iCAAM,OAAO,KAAE,YAAY,EAAE,SAAS,IAAG,CAAA,GAAA;IAE1E,2BAA2B;CAC5B,CAAC"}

package/build/dist/plugins/db/types.d.ts

@@ -8,21 +8,24 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
+import { DelegationField } from "../../types/delegation";
 import { AwsResourcePermissionSpec } from "../aws/types";
-export type DbPermissionSpec = {
-    delegation: {
-        "aws-rds": {
-            delegation: {
-                aws: AwsResourcePermissionSpec;
-            };
-            permission: {
-                vpcId: string;
-            };
-        };
+type AwsRdsDelegate = {
+    delegation: DelegationField<{
+        aws: AwsResourcePermissionSpec;
+    }>;
+    permission: {
+        vpcId: string;
     };
+};
+export type DbPermissionSpec = {
+    delegation: DelegationField<{
+        "aws-rds": AwsRdsDelegate;
+    }>;
     generated: object;
     permission: {
         instanceId: string;
     };
     type: "mysql" | "postgres";
 };
+export {};

package/build/dist/plugins/file-transfer/index.d.ts

@@ -0,0 +1,35 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { FileTransferCommandArgs } from "../../commands/file-transfer";
+import { Authn } from "../../types/identity";
+import { AwsResourcePermissionSpec } from "../aws/types";
+import { S3Client } from "@aws-sdk/client-s3";
+import yargs from "yargs";
+export declare const provisionTransferRequest: (authn: Authn, args: yargs.ArgumentsCamelCase<FileTransferCommandArgs>) => Promise<{
+    bucket: string;
+    prefix: string;
+    region: string;
+    awsSpec: AwsResourcePermissionSpec;
+}>;
+export declare const generateTransferUrls: (authn: Authn, target: {
+    bucket: string;
+    key: string;
+    region: string;
+    awsSpec: AwsResourcePermissionSpec;
+}, debug?: boolean) => Promise<{
+    s3: S3Client;
+    getUrl: string;
+    deleteUrl: string;
+    expirySeconds: {
+        get: number;
+        delete: number;
+    };
+}>;

package/build/dist/plugins/file-transfer/index.js

@@ -0,0 +1,74 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateTransferUrls = exports.provisionTransferRequest = void 0;
+const request_1 = require("../../commands/shared/request");
+const auth_1 = require("../aws/auth");
+const client_s3_1 = require("@aws-sdk/client-s3");
+const s3_request_presigner_1 = require("@aws-sdk/s3-request-presigner");
+const lodash_1 = require("lodash");
+const GET_EXPIRES_SECONDS = 5 * 60;
+const DELETE_EXPIRES_SECONDS = 60 * 60;
+const provisionTransferRequest = (authn, args) => __awaiter(void 0, void 0, void 0, function* () {
+    const response = yield (0, request_1.request)("request")(Object.assign(Object.assign({}, (0, lodash_1.pick)(args, "$0", "_")), { arguments: [
+            "file-transfer",
+            "session",
+            args.destination,
+            ...(args.reason ? ["--reason", args.reason] : []),
+        ], wait: true }), authn, { message: "approval-required" });
+    if (!response) {
+        throw "Did not receive a response from server";
+    }
+    const awsSpec = response.request.delegation.aws;
+    if (!awsSpec) {
+        throw "Backend granted file-transfer access, but there was an error getting AWS access details";
+    }
+    const { bucketName, bucketRegion, objectPrefix } = response.request.permission.resource;
+    return {
+        bucket: bucketName,
+        prefix: objectPrefix,
+        region: bucketRegion,
+        awsSpec,
+    };
+});
+exports.provisionTransferRequest = provisionTransferRequest;
+const generateTransferUrls = (authn, target, debug) => __awaiter(void 0, void 0, void 0, function* () {
+    const credentials = yield (0, auth_1.awsCloudAuth)(authn, target.awsSpec, debug);
+    const sdkCredentials = {
+        accessKeyId: credentials.AWS_ACCESS_KEY_ID,
+        secretAccessKey: credentials.AWS_SECRET_ACCESS_KEY,
+        sessionToken: credentials.AWS_SESSION_TOKEN,
+    };
+    const s3 = new client_s3_1.S3Client({
+        region: target.region,
+        credentials: sdkCredentials,
+    });
+    const objectArgs = { Bucket: target.bucket, Key: target.key };
+    const [getUrl, deleteUrl] = yield Promise.all([
+        (0, s3_request_presigner_1.getSignedUrl)(s3, new client_s3_1.GetObjectCommand(objectArgs), {
+            expiresIn: GET_EXPIRES_SECONDS,
+        }),
+        (0, s3_request_presigner_1.getSignedUrl)(s3, new client_s3_1.DeleteObjectCommand(objectArgs), {
+            expiresIn: DELETE_EXPIRES_SECONDS,
+        }),
+    ]);
+    return {
+        s3,
+        getUrl,
+        deleteUrl,
+        expirySeconds: {
+            get: GET_EXPIRES_SECONDS,
+            delete: DELETE_EXPIRES_SECONDS,
+        },
+    };
+});
+exports.generateTransferUrls = generateTransferUrls;
+//# sourceMappingURL=index.js.map

package/build/dist/plugins/file-transfer/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/plugins/file-transfer/index.ts"],"names":[],"mappings":";;;;;;;;;;;;AAWA,2DAAwD;AAGxD,sCAA2C;AAG3C,kDAI4B;AAC5B,wEAA6D;AAC7D,mCAA8B;AAG9B,MAAM,mBAAmB,GAAG,CAAC,GAAG,EAAE,CAAC;AACnC,MAAM,sBAAsB,GAAG,EAAE,GAAG,EAAE,CAAC;AAEhC,MAAM,wBAAwB,GAAG,CACtC,KAAY,EACZ,IAAuD,EACvD,EAAE;IACF,MAAM,QAAQ,GAAG,MAAM,IAAA,iBAAO,EAAC,SAAS,CAAC,iCAIlC,IAAA,aAAI,EAAC,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,KACxB,SAAS,EAAE;YACT,eAAe;YACf,SAAS;YACT,IAAI,CAAC,WAAW;YAChB,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;SAClD,EACD,IAAI,EAAE,IAAI,KAEZ,KAAK,EACL,EAAE,OAAO,EAAE,mBAAmB,EAAE,CACjC,CAAC;IAEF,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,wCAAwC,CAAC;KAChD;IAED,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;IAChD,IAAI,CAAC,OAAO,EAAE;QACZ,MAAM,yFAAyF,CAAC;KACjG;IAED,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,YAAY,EAAE,GAC9C,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC;IAEvC,OAAO;QACL,MAAM,EAAE,UAAU;QAClB,MAAM,EAAE,YAAY;QACpB,MAAM,EAAE,YAAY;QACpB,OAAO;KACR,CAAC;AACJ,CAAC,CAAA,CAAC;AAvCW,QAAA,wBAAwB,4BAuCnC;AAEK,MAAM,oBAAoB,GAAG,CAClC,KAAY,EACZ,MAKC,EACD,KAAe,EAMd,EAAE;IACH,MAAM,WAAW,GAAG,MAAM,IAAA,mBAAY,EAAC,KAAK,EAAE,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAErE,MAAM,cAAc,GAAG;QACrB,WAAW,EAAE,WAAW,CAAC,iBAAiB;QAC1C,eAAe,EAAE,WAAW,CAAC,qBAAqB;QAClD,YAAY,EAAE,WAAW,CAAC,iBAAiB;KAC5C,CAAC;IAEF,MAAM,EAAE,GAAG,IAAI,oBAAQ,CAAC;QACtB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,WAAW,EAAE,cAAc;KAC5B,CAAC,CAAC;IAEH,MAAM,UAAU,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,CAAC;IAC9D,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QAC5C,IAAA,mCAAY,EAAC,EAAE,EAAE,IAAI,4BAAgB,CAAC,UAAU,CAAC,EAAE;YACjD,SAAS,EAAE,mBAAmB;SAC/B,CAAC;QACF,IAAA,mCAAY,EAAC,EAAE,EAAE,IAAI,+BAAmB,CAAC,UAAU,CAAC,EAAE;YACpD,SAAS,EAAE,sBAAsB;SAClC,CAAC;KACH,CAAC,CAAC;IAEH,OAAO;QACL,EAAE;QACF,MAAM;QACN,SAAS;QACT,aAAa,EAAE;YACb,GAAG,EAAE,mBAAmB;YACxB,MAAM,EAAE,sBAAsB;SAC/B;KACF,CAAC;AACJ,CAAC,CAAA,CAAC;AA/CW,QAAA,oBAAoB,wBA+C/B"}

package/build/dist/plugins/file-transfer/types.d.ts

@@ -0,0 +1,31 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { PermissionSpec } from "../../types/request";
+import { AwsResourcePermissionSpec } from "../aws/types";
+export type FileTransferPermission = {
+    resource: {
+        accountId: string;
+        instanceId: string;
+        instanceName: string;
+        arn: string;
+        region: string;
+        bucketName: string;
+        bucketRegion: string;
+        objectPrefix: string;
+    };
+    destination: string;
+    type: "resource";
+};
+export type FileTransferPermissionSpec = PermissionSpec<"file-transfer", FileTransferPermission, Record<string, never>> & {
+    delegation: {
+        aws?: AwsResourcePermissionSpec;
+    };
+};

package/build/dist/plugins/file-transfer/types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/build/dist/plugins/file-transfer/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../src/plugins/file-transfer/types.ts"],"names":[],"mappings":""}

package/build/dist/plugins/google/auth.d.ts

@@ -0,0 +1,4 @@
+export declare const getGcloudAccessToken: () => Promise<string>;
+export declare const ensureGcloudLogin: ({ debug, }?: {
+    debug?: boolean | undefined;
+}) => Promise<string>;

package/build/dist/plugins/google/auth.js

@@ -0,0 +1,75 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ensureGcloudLogin = exports.getGcloudAccessToken = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const subprocess_1 = require("../../common/subprocess");
+const stdio_1 = require("../../drivers/stdio");
+const util_1 = require("../../util");
+const util_2 = require("./util");
+const getGcloudAccessToken = () => __awaiter(void 0, void 0, void 0, function* () {
+    const { command, args } = (0, util_2.gcloudCommandArgs)(["auth", "print-access-token"]);
+    // Force debug=false otherwise it prints the access token
+    return yield (0, subprocess_1.asyncSpawn)({ debug: false }, command, args);
+});
+exports.getGcloudAccessToken = getGcloudAccessToken;
+const runGcloudLogin = ({ debug }) => __awaiter(void 0, void 0, void 0, function* () {
+    return new Promise((resolve, reject) => {
+        (0, stdio_1.print2)("Logging in to Google Cloud CLI...");
+        const { command, args } = (0, util_2.gcloudCommandArgs)(["auth", "login"]);
+        const child = (0, util_1.spawnWithCleanEnv)(command, args, {
+            // stdio is [stdin, stdout, stderr]. We send the child's stdout to OUR
+            // stderr instead of inheriting fd 1: `gcloud auth login` writes its
+            // human-readable progress to stdout, but this CLI reserves fd 1 for
+            // machine-readable output (e.g. access tokens, JSON) that callers parse.
+            // Inheriting the child's stdout would interleave gcloud's chatter into
+            // that stream and corrupt it, so we redirect it to stderr — where
+            // human-facing text belongs.
+            stdio: ["inherit", process.stderr, "inherit"],
+        });
+        child.on("error", (error) => reject(`Failed to run 'gcloud auth login': ${error.message}`));
+        child.on("exit", (code) => {
+            if (debug) {
+                (0, stdio_1.print2)(`'gcloud auth login' exited with code ${code}`);
+            }
+            if (code === 0) {
+                resolve();
+            }
+            else {
+                reject("Google Cloud CLI login failed. Please run 'gcloud auth login' and try again.");
+            }
+        });
+    });
+});
+const ensureGcloudLogin = ({ debug, } = {}) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        const accessToken = yield (0, exports.getGcloudAccessToken)();
+        if (debug) {
+            (0, stdio_1.print2)("Google Cloud CLI credentials are valid; skipping login.");
+        }
+        return accessToken;
+    }
+    catch (_a) {
+        yield runGcloudLogin({ debug });
+        return yield (0, exports.getGcloudAccessToken)();
+    }
+});
+exports.ensureGcloudLogin = ensureGcloudLogin;
+//# sourceMappingURL=auth.js.map

package/build/dist/plugins/google/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../../src/plugins/google/auth.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,wDAAqD;AACrD,+CAA6C;AAC7C,qCAA+C;AAC/C,iCAA2C;AAEpC,MAAM,oBAAoB,GAAG,GAA0B,EAAE;IAC9D,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,IAAA,wBAAiB,EAAC,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAC,CAAC;IAC5E,yDAAyD;IACzD,OAAO,MAAM,IAAA,uBAAU,EAAC,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;AAC3D,CAAC,CAAA,CAAC;AAJW,QAAA,oBAAoB,wBAI/B;AAEF,MAAM,cAAc,GAAG,CAAO,EAAE,KAAK,EAAuB,EAAE,EAAE;IAC9D,OAAA,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACpC,IAAA,cAAM,EAAC,mCAAmC,CAAC,CAAC;QAC5C,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,IAAA,wBAAiB,EAAC,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;QAC/D,MAAM,KAAK,GAAG,IAAA,wBAAiB,EAAC,OAAO,EAAE,IAAI,EAAE;YAC7C,sEAAsE;YACtE,oEAAoE;YACpE,oEAAoE;YACpE,yEAAyE;YACzE,uEAAuE;YACvE,kEAAkE;YAClE,6BAA6B;YAC7B,KAAK,EAAE,CAAC,SAAS,EAAE,OAAO,CAAC,MAAM,EAAE,SAAS,CAAC;SAC9C,CAAC,CAAC;QACH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE,CAC1B,MAAM,CAAC,sCAAsC,KAAK,CAAC,OAAO,EAAE,CAAC,CAC9D,CAAC;QACF,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;YACxB,IAAI,KAAK,EAAE;gBACT,IAAA,cAAM,EAAC,wCAAwC,IAAI,EAAE,CAAC,CAAC;aACxD;YACD,IAAI,IAAI,KAAK,CAAC,EAAE;gBACd,OAAO,EAAE,CAAC;aACX;iBAAM;gBACL,MAAM,CACJ,8EAA8E,CAC/E,CAAC;aACH;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAA;EAAA,CAAC;AAEE,MAAM,iBAAiB,GAAG,CAAO,EACtC,KAAK,MACkB,EAAE,EAAmB,EAAE;IAC9C,IAAI;QACF,MAAM,WAAW,GAAG,MAAM,IAAA,4BAAoB,GAAE,CAAC;QACjD,IAAI,KAAK,EAAE;YACT,IAAA,cAAM,EAAC,yDAAyD,CAAC,CAAC;SACnE;QACD,OAAO,WAAW,CAAC;KACpB;IAAC,WAAM;QACN,MAAM,cAAc,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;QAChC,OAAO,MAAM,IAAA,4BAAoB,GAAE,CAAC;KACrC;AACH,CAAC,CAAA,CAAC;AAbW,QAAA,iBAAiB,qBAa5B"}

package/build/dist/plugins/google/ssh-key.js

@@ -22,6 +22,7 @@ You should have received a copy of the GNU General Public License along with @p0
 **/
 const subprocess_1 = require("../../common/subprocess");
 const stdio_1 = require("../../drivers/stdio");
+const auth_1 = require("./auth");
 const util_1 = require("./util");
 /**
  * Adds an ssh public key to the user object's sshPublicKeys array in Google Workspace.
@@ -37,9 +38,12 @@ const util_1 = require("./util");
 const importSshKey = (publicKey, options) => __awaiter(void 0, void 0, void 0, function* () {
     var _a;
     const debug = (_a = options === null || options === void 0 ? void 0 : options.debug) !== null && _a !== void 0 ? _a : false;
-    // Force debug=false otherwise it prints the access token
-    const { command: accessTokenCommand, args: accessTokenArgs } = (0, util_1.gcloudCommandArgs)(["auth", "print-access-token"]);
-    const accessToken = yield (0, subprocess_1.asyncSpawn)({ debug: false }, accessTokenCommand, accessTokenArgs);
+    // Ensure the user is logged in to the Google Cloud CLI and return a valid
+    // access token. This is the earliest point a gcloud token is required in the
+    // direct `p0 ssh` and `ssh-resolve` flows (before the cloudProviderLogin hook
+    // runs), so the login must happen here. `gcloud auth login` runs only when
+    // the existing token is invalid.
+    const accessToken = yield (0, auth_1.ensureGcloudLogin)({ debug });
     const { command: accountCommand, args: accountArgs } = (0, util_1.gcloudCommandArgs)([
         "config",
         "get-value",

package/build/dist/plugins/google/ssh-key.js.map

@@ -1 +1 @@
-{"version":3,"file":"ssh-key.js","sourceRoot":"","sources":["../../../../src/plugins/google/ssh-key.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,wDAAqD;AACrD,+CAA6C;AAE7C,iCAA2C;AAE3C;;;;;;;;;;GAUG;AACI,MAAM,YAAY,GAAG,CAC1B,SAAiB,EACjB,OAA6B,EAC7B,EAAE;;IACF,MAAM,KAAK,GAAG,MAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,mCAAI,KAAK,CAAC;IAEtC,yDAAyD;IACzD,MAAM,EAAE,OAAO,EAAE,kBAAkB,EAAE,IAAI,EAAE,eAAe,EAAE,GAC1D,IAAA,wBAAiB,EAAC,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAC,CAAC;IACpD,MAAM,WAAW,GAAG,MAAM,IAAA,uBAAU,EAClC,EAAE,KAAK,EAAE,KAAK,EAAE,EAChB,kBAAkB,EAClB,eAAe,CAChB,CAAC;IAEF,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,IAAA,wBAAiB,EAAC;QACvE,QAAQ;QACR,WAAW;QACX,SAAS;KACV,CAAC,CAAC;IACH,MAAM,OAAO,GAAG,MAAM,IAAA,uBAAU,EAAC,EAAE,KAAK,EAAE,EAAE,cAAc,EAAE,WAAW,CAAC,CAAC;IAEzE,IAAI,KAAK,EAAE;QACT,IAAA,cAAM,EACJ,0BAA0B,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,mBAAmB,OAAO,EAAE,CAC/E,CAAC;QACF,IAAA,cAAM,EACJ,yBAAyB,SAAS,IAAI,WAAW,gBAAgB,OAAO,EAAE,CAC3E,CAAC;KACH;IAED,IAAI,CAAC,SAAS,EAAE;QACd,MAAM,wCAAwC,CAAC;KAChD;IAED,MAAM,GAAG,GAAG,2CAA2C,OAAO,qBAAqB,CAAC;IACpF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,GAAG,EAAE,SAAS;SACf,CAAC;QACF,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,WAAW,EAAE;YACtC,cAAc,EAAE,kBAAkB;SACnC;KACF,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;QAChB,IAAI,KAAK,EAAE;YACT,IAAA,cAAM,EAAC,cAAc,QAAQ,CAAC,MAAM,KAAK,MAAM,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;SACnE;QAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;YAC3B,MAAM,kFAAkF,CAAC;SAC1F;aAAM;YACL,MAAM,kCAAkC,CAAC;SAC1C;KACF;IAED,MAAM,IAAI,GAA+B,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC/D,IAAI,KAAK,EAAE;QACT,IAAA,cAAM,EACJ,sDAAsD,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAC7E,CAAC;KACH;IAED,MAAM,EAAE,YAAY,EAAE,GAAG,IAAI,CAAC;IAE9B,yEAAyE;IACzE,MAAM,aAAa,GAAG,YAAY,CAAC,aAAa,CAAC,MAAM,CACrD,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,mBAAmB,KAAK,OAAO,CACrD,CAAC;IAEF,MAAM,YAAY,GAChB,aAAa,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC;QAChD,YAAY,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IAEhC,IAAI,KAAK,EAAE;QACT,IAAA,cAAM,EAAC,2BAA2B,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,QAAQ,EAAE,CAAC,CAAC;KAC7D;IAED,IAAI,CAAC,YAAY,EAAE;QACjB,MAAM,2HAA2H,CAAC;KACnI;IAED,OAAO,YAAY,CAAC,QAAQ,CAAC;AAC/B,CAAC,CAAA,CAAC;AAtFW,QAAA,YAAY,gBAsFvB"}
+{"version":3,"file":"ssh-key.js","sourceRoot":"","sources":["../../../../src/plugins/google/ssh-key.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,wDAAqD;AACrD,+CAA6C;AAC7C,iCAA2C;AAE3C,iCAA2C;AAE3C;;;;;;;;;;GAUG;AACI,MAAM,YAAY,GAAG,CAC1B,SAAiB,EACjB,OAA6B,EAC7B,EAAE;;IACF,MAAM,KAAK,GAAG,MAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,mCAAI,KAAK,CAAC;IAEtC,0EAA0E;IAC1E,6EAA6E;IAC7E,8EAA8E;IAC9E,2EAA2E;IAC3E,iCAAiC;IACjC,MAAM,WAAW,GAAG,MAAM,IAAA,wBAAiB,EAAC,EAAE,KAAK,EAAE,CAAC,CAAC;IAEvD,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,IAAA,wBAAiB,EAAC;QACvE,QAAQ;QACR,WAAW;QACX,SAAS;KACV,CAAC,CAAC;IACH,MAAM,OAAO,GAAG,MAAM,IAAA,uBAAU,EAAC,EAAE,KAAK,EAAE,EAAE,cAAc,EAAE,WAAW,CAAC,CAAC;IAEzE,IAAI,KAAK,EAAE;QACT,IAAA,cAAM,EACJ,0BAA0B,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,mBAAmB,OAAO,EAAE,CAC/E,CAAC;QACF,IAAA,cAAM,EACJ,yBAAyB,SAAS,IAAI,WAAW,gBAAgB,OAAO,EAAE,CAC3E,CAAC;KACH;IAED,IAAI,CAAC,SAAS,EAAE;QACd,MAAM,wCAAwC,CAAC;KAChD;IAED,MAAM,GAAG,GAAG,2CAA2C,OAAO,qBAAqB,CAAC;IACpF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,GAAG,EAAE,SAAS;SACf,CAAC;QACF,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,WAAW,EAAE;YACtC,cAAc,EAAE,kBAAkB;SACnC;KACF,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;QAChB,IAAI,KAAK,EAAE;YACT,IAAA,cAAM,EAAC,cAAc,QAAQ,CAAC,MAAM,KAAK,MAAM,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;SACnE;QAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;YAC3B,MAAM,kFAAkF,CAAC;SAC1F;aAAM;YACL,MAAM,kCAAkC,CAAC;SAC1C;KACF;IAED,MAAM,IAAI,GAA+B,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC/D,IAAI,KAAK,EAAE;QACT,IAAA,cAAM,EACJ,sDAAsD,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAC7E,CAAC;KACH;IAED,MAAM,EAAE,YAAY,EAAE,GAAG,IAAI,CAAC;IAE9B,yEAAyE;IACzE,MAAM,aAAa,GAAG,YAAY,CAAC,aAAa,CAAC,MAAM,CACrD,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,mBAAmB,KAAK,OAAO,CACrD,CAAC;IAEF,MAAM,YAAY,GAChB,aAAa,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC;QAChD,YAAY,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IAEhC,IAAI,KAAK,EAAE;QACT,IAAA,cAAM,EAAC,2BAA2B,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,QAAQ,EAAE,CAAC,CAAC;KAC7D;IAED,IAAI,CAAC,YAAY,EAAE;QACjB,MAAM,2HAA2H,CAAC;KACnI;IAED,OAAO,YAAY,CAAC,QAAQ,CAAC;AAC/B,CAAC,CAAA,CAAC;AApFW,QAAA,YAAY,gBAoFvB"}

package/build/dist/plugins/google/ssh.js

@@ -22,6 +22,7 @@ You should have received a copy of the GNU General Public License along with @p0
 **/
 const ssh_1 = require("../../commands/shared/ssh");
 const keys_1 = require("../../common/keys");
+const auth_1 = require("./auth");
 const install_1 = require("./install");
 const ssh_key_1 = require("./ssh-key");
 const util_1 = require("./util");
@@ -60,8 +61,10 @@ const unprovisionedAccessPatterns = [
     { pattern: /Error while connecting \[4010: 'destination read failed'\]/ },
 ];
 exports.gcpSshProvider = {
-    // TODO support login with Google Cloud
-    cloudProviderLogin: () => __awaiter(void 0, void 0, void 0, function* () { return undefined; }),
+    cloudProviderLogin: (_authn, _request, debug) => __awaiter(void 0, void 0, void 0, function* () {
+        yield (0, auth_1.ensureGcloudLogin)({ debug });
+        return undefined;
+    }),
     ensureInstall: () => __awaiter(void 0, void 0, void 0, function* () {
         if (!(yield (0, install_1.ensureGcpSshInstall)())) {
             throw "Please try again after installing the required GCP utilities";

package/build/dist/plugins/google/ssh.js.map

@@ -1 +1 @@
-{"version":3,"file":"ssh.js","sourceRoot":"","sources":["../../../../src/plugins/google/ssh.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,mDAA0D;AAC1D,4CAAqD;AAErD,uCAAgD;AAChD,uCAAyC;AAEzC,iCAA2C;AAE3C,oGAAoG;AACpG,MAAM,4BAA4B,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAEnD;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,2BAA2B,GAAG;IAClC,EAAE,OAAO,EAAE,iCAAiC,EAAE;IAC9C;QACE,mEAAmE;QACnE,OAAO,EAAE,uCAAuC;KACjD;IACD,EAAE,OAAO,EAAE,mDAAmD,EAAE;IAChE;QACE,OAAO,EAAE,+CAA+C;QACxD,kBAAkB,EAAE,IAAI;KACzB;IACD,EAAE,OAAO,EAAE,4DAA4D,EAAE;CACjE,CAAC;AAEE,QAAA,cAAc,GAIvB;IACF,uCAAuC;IACvC,kBAAkB,EAAE,GAAS,EAAE,kDAAC,OAAA,SAAS,CAAA,GAAA;IAEzC,aAAa,EAAE,GAAS,EAAE;QACxB,IAAI,CAAC,CAAC,MAAM,IAAA,6BAAmB,GAAE,CAAC,EAAE;YAClC,MAAM,8DAA8D,CAAC;SACtE;IACH,CAAC,CAAA;IAED,YAAY,EAAE,cAAc;IAE5B,oBAAoB,EAClB,2DAA2D;IAE7D,oBAAoB,EAAE,sDAAsD;IAE5E,oBAAoB,EAAE,4BAA4B;IAElD,4BAA4B,EAAE,CAAC,OAAO,EAAE,EAAE;QACxC,IAAI,IAAA,mBAAa,EAAC,OAAO,CAAC,EAAE;YAC1B,uCACK,OAAO;gBACV,6GAA6G;gBAC7G,6HAA6H;gBAC7H,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,CAAC,IAAI,CAAC,IACjB;SACH;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,YAAY,EAAE,CAAO,MAAM,EAAE,OAAO,EAAE,EAAE;QACtC,OAAO;YACL,QAAQ,EAAE,OAAO,CAAC,aAAa;YAC/B,cAAc,EAAE,uBAAgB;SACjC,CAAC;IACJ,CAAC,CAAA;IAED,YAAY,EAAE,CAAC,OAAO,EAAE,IAAI,EAAE,EAAE;QAC9B,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,IAAA,wBAAiB,EAAC;YAC1C,SAAS;YACT,kBAAkB;YAClB,OAAO,CAAC,EAAE;YACV,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI;YAClB,kEAAkE;YAClE,oGAAoG;YACpG,oEAAoE;YACpE,kDAAkD;YAClD,mBAAmB;YACnB,UAAU,OAAO,CAAC,IAAI,EAAE;YACxB,aAAa,OAAO,CAAC,SAAS,EAAE;SACjC,CAAC,CAAC;QACH,OAAO,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IAC5B,CAAC;IAED,aAAa,EAAE,GAAG,EAAE,CAAC,SAAS;IAE9B,YAAY,EAAE,CAAC,OAAO,EAAE,EAAE;QACxB,OAAO;YACL,EAAE,EAAE,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,YAAY;YAC5C,SAAS,EAAE,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,SAAS;YAChD,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI;YAC7B,aAAa,EAAE,OAAO,CAAC,YAAY,CAAC,aAAa;YACjD,IAAI,EAAE,QAAQ;SACf,CAAC;IACJ,CAAC;IAED,2BAA2B;IAE3B,YAAY,EAAE,CAAO,OAAO,EAAE,OAAO,EAAE,EAAE;QAAC,OAAA,iCACrC,OAAO,KACV,YAAY,EAAE;gBACZ,aAAa,EAAE,MAAM,IAAA,sBAAY,EAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC;aAC9D,IACD,CAAA;MAAA;CACH,CAAC"}
+{"version":3,"file":"ssh.js","sourceRoot":"","sources":["../../../../src/plugins/google/ssh.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,mDAA0D;AAC1D,4CAAqD;AAErD,iCAA2C;AAC3C,uCAAgD;AAChD,uCAAyC;AAEzC,iCAA2C;AAE3C,oGAAoG;AACpG,MAAM,4BAA4B,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAEnD;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,2BAA2B,GAAG;IAClC,EAAE,OAAO,EAAE,iCAAiC,EAAE;IAC9C;QACE,mEAAmE;QACnE,OAAO,EAAE,uCAAuC;KACjD;IACD,EAAE,OAAO,EAAE,mDAAmD,EAAE;IAChE;QACE,OAAO,EAAE,+CAA+C;QACxD,kBAAkB,EAAE,IAAI;KACzB;IACD,EAAE,OAAO,EAAE,4DAA4D,EAAE;CACjE,CAAC;AAEE,QAAA,cAAc,GAIvB;IACF,kBAAkB,EAAE,CAAO,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,EAAE;QACpD,MAAM,IAAA,wBAAiB,EAAC,EAAE,KAAK,EAAE,CAAC,CAAC;QACnC,OAAO,SAAS,CAAC;IACnB,CAAC,CAAA;IAED,aAAa,EAAE,GAAS,EAAE;QACxB,IAAI,CAAC,CAAC,MAAM,IAAA,6BAAmB,GAAE,CAAC,EAAE;YAClC,MAAM,8DAA8D,CAAC;SACtE;IACH,CAAC,CAAA;IAED,YAAY,EAAE,cAAc;IAE5B,oBAAoB,EAClB,2DAA2D;IAE7D,oBAAoB,EAAE,sDAAsD;IAE5E,oBAAoB,EAAE,4BAA4B;IAElD,4BAA4B,EAAE,CAAC,OAAO,EAAE,EAAE;QACxC,IAAI,IAAA,mBAAa,EAAC,OAAO,CAAC,EAAE;YAC1B,uCACK,OAAO;gBACV,6GAA6G;gBAC7G,6HAA6H;gBAC7H,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,CAAC,IAAI,CAAC,IACjB;SACH;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,YAAY,EAAE,CAAO,MAAM,EAAE,OAAO,EAAE,EAAE;QACtC,OAAO;YACL,QAAQ,EAAE,OAAO,CAAC,aAAa;YAC/B,cAAc,EAAE,uBAAgB;SACjC,CAAC;IACJ,CAAC,CAAA;IAED,YAAY,EAAE,CAAC,OAAO,EAAE,IAAI,EAAE,EAAE;QAC9B,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,IAAA,wBAAiB,EAAC;YAC1C,SAAS;YACT,kBAAkB;YAClB,OAAO,CAAC,EAAE;YACV,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI;YAClB,kEAAkE;YAClE,oGAAoG;YACpG,oEAAoE;YACpE,kDAAkD;YAClD,mBAAmB;YACnB,UAAU,OAAO,CAAC,IAAI,EAAE;YACxB,aAAa,OAAO,CAAC,SAAS,EAAE;SACjC,CAAC,CAAC;QACH,OAAO,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IAC5B,CAAC;IAED,aAAa,EAAE,GAAG,EAAE,CAAC,SAAS;IAE9B,YAAY,EAAE,CAAC,OAAO,EAAE,EAAE;QACxB,OAAO;YACL,EAAE,EAAE,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,YAAY;YAC5C,SAAS,EAAE,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,SAAS;YAChD,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI;YAC7B,aAAa,EAAE,OAAO,CAAC,YAAY,CAAC,aAAa;YACjD,IAAI,EAAE,QAAQ;SACf,CAAC;IACJ,CAAC;IAED,2BAA2B;IAE3B,YAAY,EAAE,CAAO,OAAO,EAAE,OAAO,EAAE,EAAE;QAAC,OAAA,iCACrC,OAAO,KACV,YAAY,EAAE;gBACZ,aAAa,EAAE,MAAM,IAAA,sBAAY,EAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC;aAC9D,IACD,CAAA;MAAA;CACH,CAAC"}

package/build/dist/plugins/kubeconfig/types.d.ts

@@ -30,11 +30,9 @@ export type K8sClusterConfig = {
 export type K8sConfig = {
     "iam-write": Record<string, K8sClusterConfig>;
 };
-export type K8sPermissionSpec = PermissionSpec<"k8s", K8sResourcePermission, K8sGenerated> & {
-    delegation?: {
-        aws?: AwsResourcePermissionSpec;
-    };
-};
+export type K8sPermissionSpec = PermissionSpec<"k8s", K8sResourcePermission, K8sGenerated, {
+    aws?: AwsResourcePermissionSpec;
+}>;
 export type K8sResourcePermission = {
     resource: {
         name: string;

package/build/dist/plugins/login.d.ts

@@ -2,5 +2,7 @@ import { TokenResponse } from "../types/oidc";
 import { OrgData } from "../types/org";
 declare const loginPlugins: readonly ["google", "okta", "ping", "oidc-pkce", "microsoft", "azure-oidc", "google-oidc", "aws-oidc"];
 export type LoginPluginType = (typeof loginPlugins)[number];
-export declare const pluginLoginMap: Record<string, (org: OrgData) => Promise<TokenResponse>>;
+export declare const pluginLoginMap: Record<string, (org: OrgData, options?: {
+    debug?: boolean;
+}) => Promise<TokenResponse>>;
 export {};

package/build/dist/plugins/login.js

@@ -41,12 +41,12 @@ exports.pluginLoginMap = {
     okta: login_4.oktaLogin,
     ping: login_5.pingLogin,
     "google-oidc": login_3.googleLogin,
-    "oidc-pkce": (org) => __awaiter(void 0, void 0, void 0, function* () {
+    "oidc-pkce": (org, options) => __awaiter(void 0, void 0, void 0, function* () {
         const providerType = (0, authUtils_1.getProviderType)(org);
         if (!providerType) {
             throw "Missing provider type for OIDC PKCE login";
         }
-        return yield exports.pluginLoginMap[providerType](org);
+        return yield exports.pluginLoginMap[providerType](org, options);
     }),
     password: login_2.emailPasswordLogin,
     "azure-oidc": login_1.azureLogin,

package/build/dist/plugins/login.js.map

@@ -1 +1 @@
-{"version":3,"file":"login.js","sourceRoot":"","sources":["../../../src/plugins/login.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,kDAAqD;AAGrD,yCAA2C;AAC3C,yCAAmD;AACnD,0CAA6C;AAC7C,wCAAyC;AACzC,wCAAyC;AAEzC,MAAM,YAAY,GAAG;IACnB,QAAQ;IACR,MAAM;IACN,MAAM;IACN,WAAW;IACX,WAAW;IACX,YAAY;IACZ,aAAa;IACb,UAAU;CACF,CAAC;AAIE,QAAA,cAAc,GAGvB;IACF,MAAM,EAAE,mBAAW;IACnB,IAAI,EAAE,iBAAS;IACf,IAAI,EAAE,iBAAS;IACf,aAAa,EAAE,mBAAW;IAC1B,WAAW,EAAE,CAAO,GAAG,EAAE,EAAE;QACzB,MAAM,YAAY,GAAG,IAAA,2BAAe,EAAC,GAAG,CAAC,CAAC;QAC1C,IAAI,CAAC,YAAY,EAAE;YACjB,MAAM,2CAA2C,CAAC;SACnD;QACD,OAAO,MAAM,sBAAc,CAAC,YAAY,CAAE,CAAC,GAAG,CAAC,CAAC;IAClD,CAAC,CAAA;IACD,QAAQ,EAAE,0BAAkB;IAC5B,YAAY,EAAE,kBAAU;CACzB,CAAC"}
+{"version":3,"file":"login.js","sourceRoot":"","sources":["../../../src/plugins/login.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,kDAAqD;AAGrD,yCAA2C;AAC3C,yCAAmD;AACnD,0CAA6C;AAC7C,wCAAyC;AACzC,wCAAyC;AAEzC,MAAM,YAAY,GAAG;IACnB,QAAQ;IACR,MAAM;IACN,MAAM;IACN,WAAW;IACX,WAAW;IACX,YAAY;IACZ,aAAa;IACb,UAAU;CACF,CAAC;AAIE,QAAA,cAAc,GAGvB;IACF,MAAM,EAAE,mBAAW;IACnB,IAAI,EAAE,iBAAS;IACf,IAAI,EAAE,iBAAS;IACf,aAAa,EAAE,mBAAW;IAC1B,WAAW,EAAE,CAAO,GAAG,EAAE,OAAO,EAAE,EAAE;QAClC,MAAM,YAAY,GAAG,IAAA,2BAAe,EAAC,GAAG,CAAC,CAAC;QAC1C,IAAI,CAAC,YAAY,EAAE;YACjB,MAAM,2CAA2C,CAAC;SACnD;QACD,OAAO,MAAM,sBAAc,CAAC,YAAY,CAAE,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAC3D,CAAC,CAAA;IACD,QAAQ,EAAE,0BAAkB;IAC5B,YAAY,EAAE,kBAAU;CACzB,CAAC"}

package/build/dist/plugins/okta/login.d.ts

@@ -2,8 +2,16 @@ import { Identity } from "../../types/identity";
 import { TokenResponse } from "../../types/oidc";
 import { OrgData } from "../../types/org";
 import { AwsFederatedLogin } from "../aws/types";
-/** Logs in to Okta via OIDC */
-export declare const oktaLogin: (org: OrgData) => Promise<TokenResponse>;
+/** Logs in to Okta via OIDC.
+ *
+ * Requests `offline_access` so we can silently refresh the access token at TTL.
+ * Some Okta tenants disallow this scope at the app config — in that case
+ * `/device/authorize` returns `invalid_scope`; we retry once without it and
+ * proceed with the legacy device-only flow.
+ */
+export declare const oktaLogin: (org: OrgData, options?: {
+    debug?: boolean;
+}) => Promise<TokenResponse>;
 /**
  * Converts OIDC tokens into a SAML assertion for AWS federated authentication.
  *

package/build/dist/plugins/okta/login.js

@@ -140,18 +140,44 @@ const fetchSamlResponse = (org, { access_token }) => __awaiter(void 0, void 0, v
     const samlInputValue = $('input[name="SAMLResponse"]').val();
     return typeof samlInputValue === "string" ? samlInputValue : undefined;
 });
-/** Logs in to Okta via OIDC */
-const oktaLogin = (org) => __awaiter(void 0, void 0, void 0, function* () {
-    return (0, login_1.oidcLogin)((0, login_1.oidcLoginSteps)(org, "openid email profile okta.apps.sso", () => {
-        const providerType = (0, authUtils_1.getProviderType)(org);
-        const providerDomain = (0, authUtils_1.getProviderDomain)(org);
-        (0, node_assert_1.default)(providerType === "okta", "Invalid provider configuration (expected okta OIDC provider)");
-        (0, node_assert_1.default)(providerDomain, "Invalid provider configuration (missing Okta domain)");
-        return {
-            deviceAuthorizationUrl: `https://${providerDomain}/oauth2/v1/device/authorize`,
-            tokenUrl: `https://${providerDomain}/oauth2/v1/token`,
-        };
-    }));
+const oktaOidcUrls = (org) => () => {
+    const providerType = (0, authUtils_1.getProviderType)(org);
+    const providerDomain = (0, authUtils_1.getProviderDomain)(org);
+    (0, node_assert_1.default)(providerType === "okta", "Invalid provider configuration (expected okta OIDC provider)");
+    (0, node_assert_1.default)(providerDomain, "Invalid provider configuration (missing Okta domain)");
+    return {
+        deviceAuthorizationUrl: `https://${providerDomain}/oauth2/v1/device/authorize`,
+        tokenUrl: `https://${providerDomain}/oauth2/v1/token`,
+    };
+};
+const OKTA_BASE_SCOPE = "openid email profile";
+const OKTA_BROWSER_SCOPE = `${OKTA_BASE_SCOPE} okta.apps.sso`;
+const OKTA_OFFLINE_SCOPE = `${OKTA_BASE_SCOPE} offline_access`;
+/** Logs in to Okta via OIDC.
+ *
+ * Requests `offline_access` so we can silently refresh the access token at TTL.
+ * Some Okta tenants disallow this scope at the app config — in that case
+ * `/device/authorize` returns `invalid_scope`; we retry once without it and
+ * proceed with the legacy device-only flow.
+ */
+const oktaLogin = (org, options) => __awaiter(void 0, void 0, void 0, function* () {
+    const urls = oktaOidcUrls(org);
+    try {
+        const tokenResponse = yield (0, login_1.oidcLogin)((0, login_1.oidcLoginSteps)(org, OKTA_OFFLINE_SCOPE, urls));
+        if (!tokenResponse.refresh_token && (options === null || options === void 0 ? void 0 : options.debug)) {
+            (0, stdio_1.print2)("Okta token response omitted refresh_token; CLI will re-prompt for auth at session TTL.");
+        }
+        return tokenResponse;
+    }
+    catch (e) {
+        const message = e instanceof Error ? e.message : String(e);
+        if (!message.includes("invalid_scope"))
+            throw e;
+        if (options === null || options === void 0 ? void 0 : options.debug) {
+            (0, stdio_1.print2)("Okta tenant rejected offline_access; retrying without it.");
+        }
+        return yield (0, login_1.oidcLogin)((0, login_1.oidcLoginSteps)(org, OKTA_BROWSER_SCOPE, urls));
+    }
 });
 exports.oktaLogin = oktaLogin;
 /**

package/build/dist/plugins/okta/login.js.map

@@ -1 +1 @@
-{"version":3,"file":"login.js","sourceRoot":"","sources":["../../../../src/plugins/okta/login.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,iDAAsD;AACtD,8CAI4B;AAC5B,6CAAoD;AACpD,+CAA6C;AAC7C,qDAI+B;AAK/B,yCAIuB;AACvB,iDAAmC;AACnC,mCAA8B;AAC9B,8DAAiC;AAEjC,MAAM,iBAAiB,GAAG,+CAA+C,CAAC;AAC1E,MAAM,aAAa,GAAG,2CAA2C,CAAC;AAClE,MAAM,mBAAmB,GAAG,iDAAiD,CAAC;AAC9E,MAAM,kBAAkB,GAAG,yCAAyC,CAAC;AAErE,MAAM,uBAAuB,GAAG;IAC9B,8EAA8E;IAC9E,8FAA8F;CAC/F,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,gBAAgB,GAAG,CACvB,KAAa,EACb,EAAE,GAAG,EAAE,UAAU,EAAY,EAC7B,KAAe,EACf,EAAE;IACF,MAAM,YAAY,GAAG,IAAA,2BAAe,EAAC,GAAG,CAAC,CAAC;IAC1C,MAAM,cAAc,GAAG,IAAA,6BAAiB,EAAC,GAAG,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAG,IAAA,uBAAW,EAAC,GAAG,CAAC,CAAC;IAElC,IAAI,YAAY,KAAK,MAAM,IAAI,CAAC,cAAc,IAAI,CAAC,QAAQ,EAAE;QAC3D,MAAM,wDAAwD,CAAC;KAChE;IAED,MAAM,IAAI,GAAG;QACX,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,mBAAY;QACrB,IAAI,EAAE,IAAA,iBAAS,EAAC;YACd,QAAQ,EAAE,iBAAiB,KAAK,EAAE;YAClC,SAAS,EAAE,QAAQ;YACnB,WAAW,EAAE,UAAU,CAAC,YAAY;YACpC,gBAAgB,EAAE,iBAAiB;YACnC,aAAa,EAAE,UAAU,CAAC,QAAQ;YAClC,kBAAkB,EAAE,aAAa;YACjC,UAAU,EAAE,mBAAmB;YAC/B,oBAAoB,EAAE,kBAAkB;SACzC,CAAC;KACH,CAAC;IACF,IAAA,8BAAsB,EAAC,GAAG,CAAC,CAAC;IAC5B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,SAAS,cAAc,kBAAkB,EAAE,IAAI,CAAC,CAAC;IAE9E,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;QAChB,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;YAC3B,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,IAAI,IAAI,CAAC,KAAK,KAAK,eAAe,EAAE;gBAClC,MAAM,IAAA,qBAAc,GAAE,CAAC;gBACvB,0GAA0G;gBAC1G,IAAI,uBAAuB,CAAC,QAAQ,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE;oBAC5D,IAAA,cAAM,EACJ;wGAC4F,CAC7F,CAAC;oBACF,IAAI,KAAK,EAAE;wBACT,IAAA,cAAM,EAAC,yCAAyC,GAAG,IAAI,CAAC,CAAC;qBAC1D;oBACD,MAAM,IAAI,CAAC,iBAAiB,CAAC;iBAC9B;qBAAM;oBACL,MAAM,0HAA0H,CAAC;iBAClI;aACF;YACD,wBAAwB;YACxB,MAAM,IAAI,KAAK,CACb,IAAA,2BAAmB,EACjB,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAC1B,QAAQ,CAAC,MAAM,EACf,QAAQ,CAAC,UAAU,EACnB,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CACrB,CACF,CAAC;SACH;QAED,oCAAoC;QACpC,MAAM,IAAA,wBAAgB,EAAC,QAAQ,CAAC,CAAC;KAClC;IAED,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAkB,CAAC;AAClD,CAAC,CAAA,CAAC;AAEF,4CAA4C;AAC5C,MAAM,iBAAiB,GAAG,CACxB,GAAY,EACZ,EAAE,YAAY,EAAiB,EAC/B,EAAE;IACF,MAAM,YAAY,GAAG,IAAA,2BAAe,EAAC,GAAG,CAAC,CAAC;IAC1C,MAAM,cAAc,GAAG,IAAA,6BAAiB,EAAC,GAAG,CAAC,CAAC;IAE9C,IAAI,YAAY,KAAK,MAAM,IAAI,CAAC,cAAc,EAAE;QAC9C,MAAM,uDAAuD,CAAC;KAC/D;IAED,MAAM,IAAI,GAAG;QACX,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,IAAA,aAAI,EAAC,mBAAY,EAAE,cAAc,CAAC;KAC5C,CAAC;IACF,IAAA,8BAAsB,EAAC,GAAG,CAAC,CAAC;IAC5B,MAAM,GAAG,GAAG,WAAW,cAAc,0BAA0B,kBAAkB,CAAC,YAAY,CAAC,EAAE,CAAC;IAClG,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IACxC,MAAM,IAAA,wBAAgB,EAAC,QAAQ,CAAC,CAAC;IACjC,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7B,MAAM,cAAc,GAAG,CAAC,CAAC,4BAA4B,CAAC,CAAC,GAAG,EAAE,CAAC;IAC7D,OAAO,OAAO,cAAc,KAAK,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,SAAS,CAAC;AACzE,CAAC,CAAA,CAAC;AAEF,+BAA+B;AACxB,MAAM,SAAS,GAAG,CAAO,GAAY,EAAE,EAAE;IAC9C,OAAA,IAAA,iBAAS,EACP,IAAA,sBAAc,EAAC,GAAG,EAAE,oCAAoC,EAAE,GAAG,EAAE;QAC7D,MAAM,YAAY,GAAG,IAAA,2BAAe,EAAC,GAAG,CAAC,CAAC;QAC1C,MAAM,cAAc,GAAG,IAAA,6BAAiB,EAAC,GAAG,CAAC,CAAC;QAE9C,IAAA,qBAAM,EACJ,YAAY,KAAK,MAAM,EACvB,8DAA8D,CAC/D,CAAC;QACF,IAAA,qBAAM,EACJ,cAAc,EACd,sDAAsD,CACvD,CAAC;QACF,OAAO;YACL,sBAAsB,EAAE,WAAW,cAAc,6BAA6B;YAC9E,QAAQ,EAAE,WAAW,cAAc,kBAAkB;SACtD,CAAC;IACJ,CAAC,CAAC,CACH,CAAA;EAAA,CAAC;AAnBS,QAAA,SAAS,aAmBlB;AAEJ;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAwB;AACjB,MAAM,wBAAwB,GAAG,CACtC,QAAkB,EAClB,MAAyB,EACzB,KAAe,EACE,EAAE;IACnB,MAAM,gBAAgB,GAAG,MAAM,gBAAgB,CAC7C,MAAM,CAAC,QAAQ,CAAC,KAAK,EACrB,QAAQ,EACR,KAAK,CACN,CAAC;IACF,MAAM,YAAY,GAAG,MAAM,iBAAiB,CAAC,QAAQ,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;IAC7E,IAAI,CAAC,YAAY,EAAE;QACjB,MAAM,uCAAuC,CAAC;KAC/C;IACD,OAAO,YAAY,CAAC;AACtB,CAAC,CAAA,CAAC;AAfW,QAAA,wBAAwB,4BAenC"}
+{"version":3,"file":"login.js","sourceRoot":"","sources":["../../../../src/plugins/okta/login.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,iDAAsD;AACtD,8CAI4B;AAC5B,6CAAoD;AACpD,+CAA6C;AAC7C,qDAI+B;AAK/B,yCAIuB;AACvB,iDAAmC;AACnC,mCAA8B;AAC9B,8DAAiC;AAEjC,MAAM,iBAAiB,GAAG,+CAA+C,CAAC;AAC1E,MAAM,aAAa,GAAG,2CAA2C,CAAC;AAClE,MAAM,mBAAmB,GAAG,iDAAiD,CAAC;AAC9E,MAAM,kBAAkB,GAAG,yCAAyC,CAAC;AAErE,MAAM,uBAAuB,GAAG;IAC9B,8EAA8E;IAC9E,8FAA8F;CAC/F,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,gBAAgB,GAAG,CACvB,KAAa,EACb,EAAE,GAAG,EAAE,UAAU,EAAY,EAC7B,KAAe,EACf,EAAE;IACF,MAAM,YAAY,GAAG,IAAA,2BAAe,EAAC,GAAG,CAAC,CAAC;IAC1C,MAAM,cAAc,GAAG,IAAA,6BAAiB,EAAC,GAAG,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAG,IAAA,uBAAW,EAAC,GAAG,CAAC,CAAC;IAElC,IAAI,YAAY,KAAK,MAAM,IAAI,CAAC,cAAc,IAAI,CAAC,QAAQ,EAAE;QAC3D,MAAM,wDAAwD,CAAC;KAChE;IAED,MAAM,IAAI,GAAG;QACX,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,mBAAY;QACrB,IAAI,EAAE,IAAA,iBAAS,EAAC;YACd,QAAQ,EAAE,iBAAiB,KAAK,EAAE;YAClC,SAAS,EAAE,QAAQ;YACnB,WAAW,EAAE,UAAU,CAAC,YAAY;YACpC,gBAAgB,EAAE,iBAAiB;YACnC,aAAa,EAAE,UAAU,CAAC,QAAQ;YAClC,kBAAkB,EAAE,aAAa;YACjC,UAAU,EAAE,mBAAmB;YAC/B,oBAAoB,EAAE,kBAAkB;SACzC,CAAC;KACH,CAAC;IACF,IAAA,8BAAsB,EAAC,GAAG,CAAC,CAAC;IAC5B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,SAAS,cAAc,kBAAkB,EAAE,IAAI,CAAC,CAAC;IAE9E,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;QAChB,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;YAC3B,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,IAAI,IAAI,CAAC,KAAK,KAAK,eAAe,EAAE;gBAClC,MAAM,IAAA,qBAAc,GAAE,CAAC;gBACvB,0GAA0G;gBAC1G,IAAI,uBAAuB,CAAC,QAAQ,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE;oBAC5D,IAAA,cAAM,EACJ;wGAC4F,CAC7F,CAAC;oBACF,IAAI,KAAK,EAAE;wBACT,IAAA,cAAM,EAAC,yCAAyC,GAAG,IAAI,CAAC,CAAC;qBAC1D;oBACD,MAAM,IAAI,CAAC,iBAAiB,CAAC;iBAC9B;qBAAM;oBACL,MAAM,0HAA0H,CAAC;iBAClI;aACF;YACD,wBAAwB;YACxB,MAAM,IAAI,KAAK,CACb,IAAA,2BAAmB,EACjB,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAC1B,QAAQ,CAAC,MAAM,EACf,QAAQ,CAAC,UAAU,EACnB,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CACrB,CACF,CAAC;SACH;QAED,oCAAoC;QACpC,MAAM,IAAA,wBAAgB,EAAC,QAAQ,CAAC,CAAC;KAClC;IAED,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAkB,CAAC;AAClD,CAAC,CAAA,CAAC;AAEF,4CAA4C;AAC5C,MAAM,iBAAiB,GAAG,CACxB,GAAY,EACZ,EAAE,YAAY,EAAiB,EAC/B,EAAE;IACF,MAAM,YAAY,GAAG,IAAA,2BAAe,EAAC,GAAG,CAAC,CAAC;IAC1C,MAAM,cAAc,GAAG,IAAA,6BAAiB,EAAC,GAAG,CAAC,CAAC;IAE9C,IAAI,YAAY,KAAK,MAAM,IAAI,CAAC,cAAc,EAAE;QAC9C,MAAM,uDAAuD,CAAC;KAC/D;IAED,MAAM,IAAI,GAAG;QACX,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,IAAA,aAAI,EAAC,mBAAY,EAAE,cAAc,CAAC;KAC5C,CAAC;IACF,IAAA,8BAAsB,EAAC,GAAG,CAAC,CAAC;IAC5B,MAAM,GAAG,GAAG,WAAW,cAAc,0BAA0B,kBAAkB,CAAC,YAAY,CAAC,EAAE,CAAC;IAClG,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IACxC,MAAM,IAAA,wBAAgB,EAAC,QAAQ,CAAC,CAAC;IACjC,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7B,MAAM,cAAc,GAAG,CAAC,CAAC,4BAA4B,CAAC,CAAC,GAAG,EAAE,CAAC;IAC7D,OAAO,OAAO,cAAc,KAAK,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,SAAS,CAAC;AACzE,CAAC,CAAA,CAAC;AAEF,MAAM,YAAY,GAAG,CAAC,GAAY,EAAE,EAAE,CAAC,GAAG,EAAE;IAC1C,MAAM,YAAY,GAAG,IAAA,2BAAe,EAAC,GAAG,CAAC,CAAC;IAC1C,MAAM,cAAc,GAAG,IAAA,6BAAiB,EAAC,GAAG,CAAC,CAAC;IAE9C,IAAA,qBAAM,EACJ,YAAY,KAAK,MAAM,EACvB,8DAA8D,CAC/D,CAAC;IACF,IAAA,qBAAM,EACJ,cAAc,EACd,sDAAsD,CACvD,CAAC;IACF,OAAO;QACL,sBAAsB,EAAE,WAAW,cAAc,6BAA6B;QAC9E,QAAQ,EAAE,WAAW,cAAc,kBAAkB;KACtD,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,eAAe,GAAG,sBAAsB,CAAC;AAE/C,MAAM,kBAAkB,GAAG,GAAG,eAAe,gBAAgB,CAAC;AAC9D,MAAM,kBAAkB,GAAG,GAAG,eAAe,iBAAiB,CAAC;AAE/D;;;;;;GAMG;AACI,MAAM,SAAS,GAAG,CACvB,GAAY,EACZ,OAA6B,EACL,EAAE;IAC1B,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI;QACF,MAAM,aAAa,GAAG,MAAM,IAAA,iBAAS,EACnC,IAAA,sBAAc,EAAC,GAAG,EAAE,kBAAkB,EAAE,IAAI,CAAC,CAC9C,CAAC;QACF,IAAI,CAAC,aAAa,CAAC,aAAa,KAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,CAAA,EAAE;YAClD,IAAA,cAAM,EACJ,wFAAwF,CACzF,CAAC;SACH;QACD,OAAO,aAAa,CAAC;KACtB;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC3D,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC;YAAE,MAAM,CAAC,CAAC;QAChD,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE;YAClB,IAAA,cAAM,EAAC,2DAA2D,CAAC,CAAC;SACrE;QACD,OAAO,MAAM,IAAA,iBAAS,EACpB,IAAA,sBAAc,EAAC,GAAG,EAAE,kBAAkB,EAAE,IAAI,CAAC,CAC9C,CAAC;KACH;AACH,CAAC,CAAA,CAAC;AAzBW,QAAA,SAAS,aAyBpB;AAEF;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAwB;AACjB,MAAM,wBAAwB,GAAG,CACtC,QAAkB,EAClB,MAAyB,EACzB,KAAe,EACE,EAAE;IACnB,MAAM,gBAAgB,GAAG,MAAM,gBAAgB,CAC7C,MAAM,CAAC,QAAQ,CAAC,KAAK,EACrB,QAAQ,EACR,KAAK,CACN,CAAC;IACF,MAAM,YAAY,GAAG,MAAM,iBAAiB,CAAC,QAAQ,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;IAC7E,IAAI,CAAC,YAAY,EAAE;QACjB,MAAM,uCAAuC,CAAC;KAC/C;IACD,OAAO,YAAY,CAAC;AACtB,CAAC,CAAA,CAAC;AAfW,QAAA,wBAAwB,4BAenC"}