@pagopa/dx-cli 0.21.1 → 0.21.3

package/dist/adapters/pagopa-technology/azure-authorization.js

@@ -0,0 +1,239 @@
+/**
+ * PagoPA Technology Azure Authorization Adapter
+ *
+ * Implements the AuthorizationService interface for the PagoPA Azure
+ * authorization workflow. Encapsulates all platform-specific details:
+ * the target GitHub repository, file paths, branch naming, JSON file
+ * parsing, and pull request creation.
+ */
+import { getLogger } from "@logtape/logtape";
+import { err, errAsync, ok, okAsync, ResultAsync } from "neverthrow";
+import { z } from "zod";
+import { AuthorizationError, AuthorizationResult, InvalidAuthorizationFileFormatError, } from "../../domain/authorization.js";
+import { DEFAULT_GROUP_SPECS, makeAzureAdGroupName, } from "./azure-authorization-config.js";
+const azureAuthorizationFileSchema = z
+    .object({
+    directory_readers: z
+        .object({
+        service_principals_name: z.array(z.string()),
+    })
+        .loose(),
+    groups: z
+        .array(z
+        .object({
+        members: z.array(z.string()),
+        name: z.string(),
+        roles: z.array(z.string()),
+    })
+        .loose())
+        .optional(),
+})
+    .loose();
+/**
+ * Checks if two role arrays are equivalent (same roles, order-independent).
+ */
+const rolesAreEqual = (roles1, roles2) => {
+    if (roles1.length !== roles2.length) {
+        return false;
+    }
+    const sorted1 = [...roles1].sort();
+    const sorted2 = [...roles2].sort();
+    return sorted1.every((role, idx) => role === sorted2[idx]);
+};
+/**
+ * Adds or updates the AD groups array in the parsed authorization JSON.
+ * - Missing default groups are added with empty members.
+ * - Existing groups with wrong roles have their roles updated; members are preserved.
+ * - Custom (non-default) groups are preserved unchanged.
+ * Returns the updated JSON along with a flag indicating whether anything changed.
+ */
+const upsertGroups = (jsonContent, prefix, envShort) => {
+    const expectedByName = new Map(DEFAULT_GROUP_SPECS.map((spec) => [
+        makeAzureAdGroupName(prefix, envShort, spec.groupName),
+        spec,
+    ]));
+    const existingGroups = jsonContent.groups ?? [];
+    const seenDefaults = new Set();
+    // Walk existing groups in their original order, updating roles where needed
+    const finalGroups = [];
+    let groupsChanged = false;
+    for (const existing of existingGroups) {
+        const spec = expectedByName.get(existing.name);
+        if (!spec) {
+            // Custom group — preserve as-is
+            finalGroups.push(existing);
+        }
+        else {
+            seenDefaults.add(existing.name);
+            if (!rolesAreEqual(existing.roles, spec.roles)) {
+                // Roles differ — update roles, preserve members and any extra fields
+                finalGroups.push({ ...existing, roles: [...spec.roles] });
+                groupsChanged = true;
+            }
+            else {
+                finalGroups.push(existing);
+            }
+        }
+    }
+    // Append missing default groups at the end
+    for (const spec of DEFAULT_GROUP_SPECS) {
+        const name = makeAzureAdGroupName(prefix, envShort, spec.groupName);
+        if (!seenDefaults.has(name)) {
+            finalGroups.push({ members: [], name, roles: [...spec.roles] });
+            groupsChanged = true;
+        }
+    }
+    return { groupsChanged, json: { ...jsonContent, groups: finalGroups } };
+};
+/**
+ * Parses and validates the authorization file content (JSON parsing + schema validation).
+ */
+const parseAuthorizationFile = (content) => {
+    let parsed;
+    try {
+        parsed = JSON.parse(content);
+    }
+    catch {
+        return err(new InvalidAuthorizationFileFormatError("File content is not valid JSON"));
+    }
+    const result = azureAuthorizationFileSchema.safeParse(parsed);
+    if (!result.success) {
+        return err(new InvalidAuthorizationFileFormatError("Could not find directory_readers.service_principals_name list"));
+    }
+    return ok(result.data);
+};
+/**
+ * Produces commit message, PR title, and PR body tailored to what actually changed.
+ */
+const makeChangeDescription = (subscriptionName, bootstrapIdentityId, identityAdded, groupsChanged) => {
+    if (identityAdded && groupsChanged) {
+        const title = `Add bootstrap identity and AD groups for ${subscriptionName}`;
+        return {
+            body: `This PR adds the bootstrap identity \`${bootstrapIdentityId}\` to the directory readers and configures AD groups for subscription \`${subscriptionName}\`.`,
+            message: title,
+            title,
+        };
+    }
+    if (identityAdded) {
+        const title = `Add bootstrap identity for ${subscriptionName}`;
+        return {
+            body: `This PR adds the bootstrap identity \`${bootstrapIdentityId}\` to the directory readers for subscription \`${subscriptionName}\`.`,
+            message: title,
+            title,
+        };
+    }
+    const title = `Configure AD groups for ${subscriptionName}`;
+    return {
+        body: `This PR configures AD groups for subscription \`${subscriptionName}\`.`,
+        message: title,
+        title,
+    };
+};
+/**
+ * Ensures the given identity is present in the service_principals_name list.
+ * Returns the (possibly updated) JSON and whether the identity was newly added.
+ * Never fails: if the identity already exists it is a no-op with identityAdded = false.
+ */
+const ensureIdentity = (jsonContent, identityId) => {
+    if (jsonContent.directory_readers.service_principals_name.includes(identityId)) {
+        return { identityAdded: false, json: jsonContent };
+    }
+    return {
+        identityAdded: true,
+        json: {
+            ...jsonContent,
+            directory_readers: {
+                ...jsonContent.directory_readers,
+                service_principals_name: [
+                    ...jsonContent.directory_readers.service_principals_name,
+                    identityId,
+                ],
+            },
+        },
+    };
+};
+const REPO_OWNER = "pagopa";
+const REPO_NAME = "eng-azure-authorization";
+const BASE_BRANCH = "main";
+export const makeAzureAuthorizationService = (gitHubService) => ({
+    requestAuthorization(input) {
+        const logger = getLogger(["dx-cli", "pagopa-azure-authorization"]);
+        const { bootstrapIdentityId, envShort, prefix, repoName, subscriptionName, } = input;
+        const filePath = `src/azure-subscriptions/subscriptions/${subscriptionName}/terraform.tfvars.json`;
+        const branchName = `feats/add-${repoName}-${subscriptionName}-bootstrap-identity`;
+        return (
+        // Step 1: Read file from main to determine if changes are needed
+        ResultAsync.fromPromise(gitHubService.getFileContent({
+            owner: REPO_OWNER,
+            path: filePath,
+            ref: BASE_BRANCH,
+            repo: REPO_NAME,
+        }), () => new AuthorizationError(`Unable to get ${filePath} in ${REPO_OWNER}/${REPO_NAME}`))
+            .orTee((error) => {
+            logger.error(error.message);
+        })
+            // Step 2: Parse file, ensure identity, upsert groups, detect no-op
+            .andThen(({ content, sha }) => {
+            const parseResult = parseAuthorizationFile(content);
+            if (parseResult.isErr()) {
+                logger.error("Failed to modify tfvars", {
+                    error: parseResult.error.message,
+                });
+                return errAsync(parseResult.error);
+            }
+            const parsed = parseResult.value;
+            const { identityAdded, json: withIdentity } = ensureIdentity(parsed, bootstrapIdentityId);
+            if (!identityAdded) {
+                logger.warn("Identity already exists, checking groups", {
+                    identityId: bootstrapIdentityId,
+                    subscription: subscriptionName,
+                });
+            }
+            const { groupsChanged, json: updatedJson } = upsertGroups(withIdentity, prefix, envShort);
+            if (!identityAdded && !groupsChanged) {
+                // Nothing to do — no branch created, no PR needed.
+                logger.info("No changes needed, skipping PR", {
+                    subscription: subscriptionName,
+                });
+                return okAsync(new AuthorizationResult());
+            }
+            const { body, message, title } = makeChangeDescription(subscriptionName, bootstrapIdentityId, identityAdded, groupsChanged);
+            // Step 3: Create branch only when changes are needed
+            return (ResultAsync.fromPromise(gitHubService.createBranch({
+                branchName,
+                fromRef: BASE_BRANCH,
+                owner: REPO_OWNER,
+                repo: REPO_NAME,
+            }), () => new AuthorizationError(`Unable to create branch ${branchName} in ${REPO_OWNER}/${REPO_NAME}`))
+                .orTee((error) => {
+                logger.error(error.message);
+            })
+                // Step 4: Update file on the branch using the SHA read from main
+                .andThen(() => ResultAsync.fromPromise(gitHubService.updateFile({
+                branch: branchName,
+                content: JSON.stringify(updatedJson, null, 2),
+                message,
+                owner: REPO_OWNER,
+                path: filePath,
+                repo: REPO_NAME,
+                sha,
+            }), () => new AuthorizationError(`Unable to update ${filePath} on branch ${branchName} in ${REPO_OWNER}/${REPO_NAME}`)))
+                .orTee((error) => {
+                logger.error(error.message);
+            })
+                // Step 5: Create PR
+                .andThen(() => ResultAsync.fromPromise(gitHubService.createPullRequest({
+                base: BASE_BRANCH,
+                body,
+                head: branchName,
+                owner: REPO_OWNER,
+                repo: REPO_NAME,
+                title,
+            }), () => new AuthorizationError(`Unable to create pull request from ${branchName} to ${BASE_BRANCH} in ${REPO_OWNER}/${REPO_NAME}`)))
+                .orTee((error) => {
+                logger.error(error.message);
+            })
+                .map((pr) => new AuthorizationResult(pr.url)));
+        }));
+    },
+});

package/dist/adapters/plop/actions/__tests__/init-cloud-accounts.test.js

@@ -36,6 +36,7 @@ const createMockPayload = (overrides = {}) => ({
     init: {
         cloudAccountsToInitialize: [],
         runnerAppCredentials: {
+            clientId: "test-app-client-id",
             id: "test-app-id",
             installationId: "test-installation-id",
             key: "test-private-key",
@@ -67,6 +68,7 @@ describe("initCloudAccounts", () => {
             init: {
                 cloudAccountsToInitialize: [cloudAccount1, cloudAccount2],
                 runnerAppCredentials: {
+                    clientId: "test-app-client-id",
                     id: "test-app-id",
                     installationId: "test-installation-id",
                     key: "test-private-key",
@@ -79,6 +81,7 @@ describe("initCloudAccounts", () => {
         await initCloudAccounts(payload, mockService, createMockGitHubService());
         expect(initializeMock).toHaveBeenCalledTimes(2);
         expect(initializeMock).toHaveBeenCalledWith(cloudAccount1, expect.objectContaining({ name: "prod", prefix: "io" }), {
+            clientId: "test-app-client-id",
             id: "test-app-id",
             installationId: "test-installation-id",
             key: "test-private-key",
@@ -87,6 +90,7 @@ describe("initCloudAccounts", () => {
             repo: "dx",
         }, expect.any(Object), {});
         expect(initializeMock).toHaveBeenCalledWith(cloudAccount2, expect.objectContaining({ name: "prod", prefix: "io" }), {
+            clientId: "test-app-client-id",
             id: "test-app-id",
             installationId: "test-installation-id",
             key: "test-private-key",
@@ -104,6 +108,7 @@ describe("initCloudAccounts", () => {
             init: {
                 cloudAccountsToInitialize: [],
                 runnerAppCredentials: {
+                    clientId: "test-app-client-id",
                     id: "test-app-id",
                     installationId: "test-installation-id",
                     key: "test-private-key",
@@ -142,6 +147,7 @@ describe("initCloudAccounts", () => {
             init: {
                 cloudAccountsToInitialize: [cloudAccount],
                 runnerAppCredentials: {
+                    clientId: "test-app-client-id",
                     id: "test-app-id",
                     installationId: "test-installation-id",
                     key: "test-private-key",
@@ -153,6 +159,7 @@ describe("initCloudAccounts", () => {
         });
         await initCloudAccounts(payload, mockService, createMockGitHubService());
         expect(initializeMock).toHaveBeenCalledWith(cloudAccount, expect.objectContaining({ name: "uat", prefix: "pagopa" }), {
+            clientId: "test-app-client-id",
             id: "test-app-id",
             installationId: "test-installation-id",
             key: "test-private-key",

package/dist/adapters/plop/actions/__tests__/provision-terraform-backend.test.js

@@ -35,6 +35,7 @@ const createMockPayload = (overrides = {}) => ({
     init: {
         cloudAccountsToInitialize: [],
         runnerAppCredentials: {
+            clientId: "test-app-client-id",
             id: "test-app-id",
             installationId: "test-installation-id",
             key: "test-private-key",
@@ -77,6 +78,7 @@ describe("provisionTerraformBackend", () => {
             init: {
                 cloudAccountsToInitialize: [],
                 runnerAppCredentials: {
+                    clientId: "test-app-client-id",
                     id: "test-app-id",
                     installationId: "test-installation-id",
                     key: "test-private-key",
@@ -116,6 +118,7 @@ describe("provisionTerraformBackend", () => {
             init: {
                 cloudAccountsToInitialize: [],
                 runnerAppCredentials: {
+                    clientId: "test-app-client-id",
                     id: "test-app-id",
                     installationId: "test-installation-id",
                     key: "test-private-key",

package/dist/adapters/plop/generators/environment/__tests__/actions.test.js

@@ -26,6 +26,7 @@ export const getPayload = (includeInit = false) => {
         payload.init = {
             cloudAccountsToInitialize: [cloudAccount],
             runnerAppCredentials: {
+                clientId: "test-app-client-id",
                 id: "test-app-id",
                 installationId: "test-installation-id",
                 key: "test-private-key",

package/dist/adapters/plop/generators/environment/__tests__/prompts.test.js

@@ -1,6 +1,7 @@
 // Tests for workspaceSchema transforms (lowercase and trim on domain).
-import { describe, expect, it } from "vitest";
-import { workspaceSchema } from "../prompts.js";
+import inquirer from "inquirer";
+import { describe, expect, it, vi } from "vitest";
+import prompts, { formatInitializationDetails, workspaceSchema, } from "../prompts.js";
 describe("workspaceSchema — domain transforms", () => {
     it("lowercases an uppercase domain", () => {
         const result = workspaceSchema.safeParse({ domain: "API" });
@@ -23,3 +24,156 @@ describe("workspaceSchema — domain transforms", () => {
         expect(result.success && result.data.domain).toBe("");
     });
 });
+describe("formatInitializationDetails", () => {
+    const account = (overrides = {}) => ({
+        csp: "azure",
+        defaultLocation: "italynorth",
+        displayName: "DEV-FooBar",
+        id: "sub-123",
+        ...overrides,
+    });
+    const notInitializedStatus = (issues) => ({
+        initialized: false,
+        issues,
+    });
+    it("lists each uninitialized cloud account by displayName", () => {
+        const status = notInitializedStatus([
+            {
+                cloudAccount: account({ displayName: "DEV-A" }),
+                type: "CLOUD_ACCOUNT_NOT_INITIALIZED",
+            },
+            {
+                cloudAccount: account({ displayName: "DEV-B" }),
+                type: "CLOUD_ACCOUNT_NOT_INITIALIZED",
+            },
+        ]);
+        const output = formatInitializationDetails(status);
+        expect(output).toContain('Azure subscription "DEV-A"');
+        expect(output).toContain('Azure subscription "DEV-B"');
+        expect(output).toContain("managed identity");
+        expect(output).toContain("OIDC");
+        expect(output).toContain("ARM_CLIENT_ID");
+        expect(output).toContain("ARM_SUBSCRIPTION_ID");
+        expect(output).not.toContain("ARM_TENANT_ID");
+        expect(output).toContain("Key Vault");
+    });
+    it("includes the Terraform backend section when MISSING_REMOTE_BACKEND issue is present", () => {
+        const status = notInitializedStatus([
+            { cloudAccount: account(), type: "CLOUD_ACCOUNT_NOT_INITIALIZED" },
+            { type: "MISSING_REMOTE_BACKEND" },
+        ]);
+        const output = formatInitializationDetails(status);
+        expect(output).toContain("Terraform remote backend");
+        expect(output).toContain("Storage Account");
+    });
+    it("omits the Terraform backend section when no MISSING_REMOTE_BACKEND issue is present", () => {
+        const status = notInitializedStatus([
+            { cloudAccount: account(), type: "CLOUD_ACCOUNT_NOT_INITIALIZED" },
+        ]);
+        const output = formatInitializationDetails(status);
+        expect(output).not.toContain("Terraform remote backend");
+    });
+    it("omits the cloud account section when no CLOUD_ACCOUNT_NOT_INITIALIZED issues are present", () => {
+        const status = notInitializedStatus([{ type: "MISSING_REMOTE_BACKEND" }]);
+        const output = formatInitializationDetails(status);
+        expect(output).not.toContain("Azure subscription");
+        expect(output).toContain("Terraform remote backend");
+    });
+    it("returns an empty string when there are no relevant issues", () => {
+        const status = notInitializedStatus([]);
+        expect(formatInitializationDetails(status)).toBe("");
+    });
+});
+describe("prompts", () => {
+    it("prompts for the GitHub runner app client ID when initialization is required", async () => {
+        const cloudAccount = {
+            csp: "azure",
+            defaultLocation: "italynorth",
+            displayName: "DEV-FooBar",
+            id: "sub-123",
+        };
+        const cloudAccountRepository = {
+            list: vi.fn().mockResolvedValue([cloudAccount]),
+        };
+        const cloudAccountService = {
+            getTerraformBackend: vi.fn().mockResolvedValue(undefined),
+            hasUserPermissionToInitialize: vi.fn().mockResolvedValue(true),
+            initialize: vi.fn().mockResolvedValue(undefined),
+            isInitialized: vi.fn().mockResolvedValue(false),
+            provisionTerraformBackend: vi.fn().mockResolvedValue(undefined),
+        };
+        const promptSpy = vi.spyOn(inquirer, "prompt");
+        const consoleLogSpy = vi
+            .spyOn(console, "log")
+            .mockImplementation(() => undefined);
+        promptSpy
+            .mockResolvedValueOnce({
+            env: {
+                cloudAccounts: [cloudAccount],
+                name: "dev",
+                prefix: "dx",
+            },
+            tags: {
+                BusinessUnit: "Platform",
+                CostCenter: "TS000",
+                ManagementTeam: "Engineering",
+            },
+            workspace: {
+                domain: "payments",
+            },
+        })
+            .mockResolvedValueOnce({
+            [cloudAccount.id]: "italynorth",
+        })
+            .mockResolvedValueOnce({
+            init: true,
+        })
+            .mockResolvedValueOnce({
+            runnerAppCredentials: {
+                clientId: "app-client-id",
+                id: "app-id",
+                installationId: "installation-id",
+                key: "private-key",
+            },
+        });
+        try {
+            const result = await prompts({
+                cloudAccountRepository,
+                cloudAccountService,
+                github: {
+                    owner: "pagopa",
+                    repo: "dx",
+                },
+            })(inquirer);
+            const runnerCredentialQuestions = promptSpy.mock.calls[3]?.[0];
+            expect(runnerCredentialQuestions).toEqual(expect.arrayContaining([
+                expect.objectContaining({
+                    message: "GitHub Runner App ID",
+                    name: "runnerAppCredentials.id",
+                }),
+                expect.objectContaining({
+                    message: "GitHub Runner App Client ID",
+                    name: "runnerAppCredentials.clientId",
+                }),
+                expect.objectContaining({
+                    message: "GitHub Runner App Installation ID",
+                    name: "runnerAppCredentials.installationId",
+                }),
+                expect.objectContaining({
+                    message: "GitHub Runner App Private Key",
+                    name: "runnerAppCredentials.key",
+                }),
+            ]));
+            expect(result.init?.runnerAppCredentials).toEqual({
+                clientId: "app-client-id",
+                id: "app-id",
+                installationId: "installation-id",
+                key: "private-key",
+            });
+        }
+        finally {
+            promptSpy.mockRestore();
+            consoleLogSpy.mockRestore();
+        }
+    });
+});

package/dist/adapters/plop/generators/environment/prompts.d.ts

@@ -42,6 +42,7 @@ export declare const payloadSchema: z.ZodObject<{
             id: z.ZodString;
         }, z.core.$strip>>;
         runnerAppCredentials: z.ZodOptional<z.ZodObject<{
+            clientId: z.ZodString;
             id: z.ZodString;
             installationId: z.ZodString;
             key: z.ZodString;
@@ -79,4 +80,13 @@ export declare const getCloudAccountToInitialize: (initStatus: EnvironmentInitSt
     displayName: string;
     id: string;
 }[];
+/**
+ * Build a human-readable description of the resources that will be created
+ * when initializing an environment, so users see the side effects before
+ * confirming. The exact resource names are intentionally omitted to avoid
+ * coupling the prompt copy to internal naming conventions.
+ */
+export declare const formatInitializationDetails: (initStatus: EnvironmentInitStatus & {
+    initialized: false;
+}) => string;
 export default prompts;

package/dist/adapters/plop/generators/environment/prompts.js

@@ -1,3 +1,4 @@
+import chalk from "chalk";
 import * as assert from "node:assert/strict";
 import { cloudAccountSchema, } from "../../../../domain/cloud-account.js";
 import { environmentSchema, getInitializationStatus, hasUserPermissionToInitialize, } from "../../../../domain/environment.js";
@@ -126,9 +127,10 @@ const prompts = (deps) => async (inquirer) => {
     if (initStatus.initialized) {
         return payload;
     }
+    console.log(formatInitializationDetails(initStatus));
     const initConfirm = await inquirer.prompt({
         default: true,
-        message: "The environment is not initialized. Do you want to initialize it now?",
+        message: `The environment "${payload.env.name}" is not initialized. Proceed with the setup above?`,
         name: "init",
         type: "confirm",
     });
@@ -161,6 +163,12 @@ const prompts = (deps) => async (inquirer) => {
             name: "runnerAppCredentials.id",
             type: "input",
             validate: (value) => value.length > 0,
+        }, {
+            filter: (value) => value.trim(),
+            message: "GitHub Runner App Client ID",
+            name: "runnerAppCredentials.clientId",
+            type: "input",
+            validate: (value) => value.length > 0,
         }, {
             filter: (value) => value.trim(),
             message: "GitHub Runner App Installation ID",
@@ -198,4 +206,40 @@ export const getCloudLocationChoices = (regions) => regions.map((r) => ({ name:
 export const getCloudAccountToInitialize = (initStatus) => initStatus.issues
     .filter((issue) => issue.type === "CLOUD_ACCOUNT_NOT_INITIALIZED")
     .map((issue) => issue.cloudAccount);
+/**
+ * Build a human-readable description of the resources that will be created
+ * when initializing an environment, so users see the side effects before
+ * confirming. The exact resource names are intentionally omitted to avoid
+ * coupling the prompt copy to internal naming conventions.
+ */
+export const formatInitializationDetails = (initStatus) => {
+    const accountsToInit = getCloudAccountToInitialize(initStatus);
+    const missingBackend = initStatus.issues.some((issue) => issue.type === "MISSING_REMOTE_BACKEND");
+    const sections = [];
+    for (const account of accountsToInit) {
+        sections.push([
+            chalk.bold.cyan(`  Azure subscription "${account.displayName}":`),
+            `    • Bootstrap resource group and managed identity with subscription-scoped roles`,
+            `    • GitHub OIDC federated identity credential`,
+            `    • GitHub environment secrets (ARM_CLIENT_ID, ARM_SUBSCRIPTION_ID)`,
+            `    • Common Key Vault storing the GitHub runner app credentials`,
+        ].join("\n"));
+    }
+    if (missingBackend) {
+        sections.push([
+            chalk.bold.cyan(`  Terraform remote backend:`),
+            `    • Azure resource group and Storage Account for the Terraform state`,
+        ].join("\n"));
+    }
+    if (sections.length === 0) {
+        return "";
+    }
+    return [
+        "",
+        chalk.bold("The following resources will be created:"),
+        "",
+        ...sections,
+        "",
+    ].join("\n");
+};
 export default prompts;

package/dist/domain/authorization.d.ts

@@ -8,10 +8,12 @@
 import { ResultAsync } from "neverthrow";
 import { z } from "zod/v4";
 /**
- * Input validation schema for the request authorization use case.
+ * Input validation schema for the authorization workflow.
  */
 export declare const requestAuthorizationInputSchema: z.ZodObject<{
     bootstrapIdentityId: z.core.$ZodBranded<z.ZodString, "BootstrapIdentityId", "out">;
+    envShort: z.core.$ZodBranded<z.ZodString, "EnvShort", "out">;
+    prefix: z.core.$ZodBranded<z.ZodString, "ResourcePrefix", "out">;
     repoName: z.ZodString;
     subscriptionName: z.core.$ZodBranded<z.ZodString, "SubscriptionName", "out">;
 }, z.core.$strip>;
@@ -31,16 +33,11 @@ export declare class AuthorizationError extends Error {
 }
 /**
  * Result returned by a successful authorization request.
+ * When url is undefined, the workflow was a no-op (nothing changed, no PR created).
  */
 export declare class AuthorizationResult {
-    readonly url: string;
-    constructor(url: string);
-}
-/**
- * Error thrown when attempting to add an identity that already exists.
- */
-export declare class IdentityAlreadyExistsError extends AuthorizationError {
-    constructor(identityId: string);
+    readonly url?: string | undefined;
+    constructor(url?: string | undefined);
 }
 /**
  * Error thrown when the authorization configuration format is invalid or cannot be parsed.

package/dist/domain/authorization.js

@@ -29,10 +29,35 @@ const BootstrapIdentityId = z
 })
     .brand();
 /**
- * Input validation schema for the request authorization use case.
+ * Branded type for resource prefix (e.g., "dx", "io").
+ * Validates that the prefix contains only lowercase letters to prevent injection.
+ */
+const ResourcePrefix = z
+    .string()
+    .min(1)
+    .regex(/^[a-z]+$/, {
+    message: "Resource prefix may contain only lowercase letters",
+})
+    .brand();
+/**
+ * Branded type for environment short name (e.g., "d", "u", "p").
+ * Validates single lowercase letter for environment.
+ */
+const EnvShort = z
+    .string()
+    .min(1)
+    .max(1)
+    .regex(/^[a-z]$/, {
+    message: "Environment short name must be a single lowercase letter",
+})
+    .brand();
+/**
+ * Input validation schema for the authorization workflow.
  */
 export const requestAuthorizationInputSchema = z.object({
     bootstrapIdentityId: BootstrapIdentityId,
+    envShort: EnvShort,
+    prefix: ResourcePrefix,
     repoName: z.string().min(1),
     subscriptionName: SubscriptionName,
 });
@@ -47,6 +72,7 @@ export class AuthorizationError extends Error {
 }
 /**
  * Result returned by a successful authorization request.
+ * When url is undefined, the workflow was a no-op (nothing changed, no PR created).
  */
 export class AuthorizationResult {
     url;
@@ -54,15 +80,6 @@ export class AuthorizationResult {
         this.url = url;
     }
 }
-/**
- * Error thrown when attempting to add an identity that already exists.
- */
-export class IdentityAlreadyExistsError extends AuthorizationError {
-    constructor(identityId) {
-        super(`Identity "${identityId}" already exists`);
-        this.name = "IdentityAlreadyExistsError";
-    }
-}
 /**
  * Error thrown when the authorization configuration format is invalid or cannot be parsed.
  */