@pagopa/dx-cli 0.21.2 → 0.21.4

package/dist/adapters/pagopa-technology/azure-authorization-config.js

@@ -0,0 +1,43 @@
+/**
+ * Azure authorization group configuration
+ *
+ * Defines the default Azure AD groups that the PagoPA Technology adapter
+ * keeps aligned inside the subscription authorization repository.
+ */
+export const DEFAULT_GROUP_SPECS = [
+    { groupName: "admin", roles: ["Owner"] },
+    { groupName: "developers", roles: ["Owner"] },
+    {
+        groupName: "operations",
+        roles: [
+            "Reader",
+            "Monitoring Contributor",
+            "Support Request Contributor",
+            "Storage Blob Data Reader",
+            "Storage Queue Data Reader",
+            "Cosmos DB Account Reader Role",
+        ],
+    },
+    { groupName: "security", roles: ["Reader", "Support Request Contributor"] },
+    {
+        groupName: "technical-project-managers",
+        roles: ["Reader", "Monitoring Contributor", "Support Request Contributor"],
+    },
+    {
+        groupName: "product-owners",
+        roles: ["Reader", "Support Request Contributor"],
+    },
+    { groupName: "externals", roles: ["Owner"] },
+    {
+        groupName: "oncall",
+        roles: [
+            "Reader",
+            "Monitoring Contributor",
+            "Support Request Contributor",
+            "Storage Blob Data Reader",
+            "Storage Queue Data Reader",
+            "Cosmos DB Account Reader Role",
+        ],
+    },
+];
+export const makeAzureAdGroupName = (prefix, envShort, groupName) => `${prefix}-${envShort}-adgroup-${groupName}`;

package/dist/adapters/pagopa-technology/{authorization.d.ts → azure-authorization.d.ts}

@@ -1,5 +1,5 @@
 /**
- * PagoPA Technology Authorization Adapter
+ * PagoPA Technology Azure Authorization Adapter
  *
  * Implements the AuthorizationService interface for the PagoPA Azure
  * authorization workflow. Encapsulates all platform-specific details:
@@ -8,4 +8,4 @@
  */
 import { AuthorizationService } from "../../domain/authorization.js";
 import { GitHubService } from "../../domain/github.js";
-export declare const makeAuthorizationService: (gitHubService: GitHubService) => AuthorizationService;
+export declare const makeAzureAuthorizationService: (gitHubService: GitHubService) => AuthorizationService;

package/dist/adapters/pagopa-technology/azure-authorization.js

@@ -0,0 +1,239 @@
+/**
+ * PagoPA Technology Azure Authorization Adapter
+ *
+ * Implements the AuthorizationService interface for the PagoPA Azure
+ * authorization workflow. Encapsulates all platform-specific details:
+ * the target GitHub repository, file paths, branch naming, JSON file
+ * parsing, and pull request creation.
+ */
+import { getLogger } from "@logtape/logtape";
+import { err, errAsync, ok, okAsync, ResultAsync } from "neverthrow";
+import { z } from "zod";
+import { AuthorizationError, AuthorizationResult, InvalidAuthorizationFileFormatError, } from "../../domain/authorization.js";
+import { DEFAULT_GROUP_SPECS, makeAzureAdGroupName, } from "./azure-authorization-config.js";
+const azureAuthorizationFileSchema = z
+    .object({
+    directory_readers: z
+        .object({
+        service_principals_name: z.array(z.string()),
+    })
+        .loose(),
+    groups: z
+        .array(z
+        .object({
+        members: z.array(z.string()),
+        name: z.string(),
+        roles: z.array(z.string()),
+    })
+        .loose())
+        .optional(),
+})
+    .loose();
+/**
+ * Checks if two role arrays are equivalent (same roles, order-independent).
+ */
+const rolesAreEqual = (roles1, roles2) => {
+    if (roles1.length !== roles2.length) {
+        return false;
+    }
+    const sorted1 = [...roles1].sort();
+    const sorted2 = [...roles2].sort();
+    return sorted1.every((role, idx) => role === sorted2[idx]);
+};
+/**
+ * Adds or updates the AD groups array in the parsed authorization JSON.
+ * - Missing default groups are added with empty members.
+ * - Existing groups with wrong roles have their roles updated; members are preserved.
+ * - Custom (non-default) groups are preserved unchanged.
+ * Returns the updated JSON along with a flag indicating whether anything changed.
+ */
+const upsertGroups = (jsonContent, prefix, envShort) => {
+    const expectedByName = new Map(DEFAULT_GROUP_SPECS.map((spec) => [
+        makeAzureAdGroupName(prefix, envShort, spec.groupName),
+        spec,
+    ]));
+    const existingGroups = jsonContent.groups ?? [];
+    const seenDefaults = new Set();
+    // Walk existing groups in their original order, updating roles where needed
+    const finalGroups = [];
+    let groupsChanged = false;
+    for (const existing of existingGroups) {
+        const spec = expectedByName.get(existing.name);
+        if (!spec) {
+            // Custom group — preserve as-is
+            finalGroups.push(existing);
+        }
+        else {
+            seenDefaults.add(existing.name);
+            if (!rolesAreEqual(existing.roles, spec.roles)) {
+                // Roles differ — update roles, preserve members and any extra fields
+                finalGroups.push({ ...existing, roles: [...spec.roles] });
+                groupsChanged = true;
+            }
+            else {
+                finalGroups.push(existing);
+            }
+        }
+    }
+    // Append missing default groups at the end
+    for (const spec of DEFAULT_GROUP_SPECS) {
+        const name = makeAzureAdGroupName(prefix, envShort, spec.groupName);
+        if (!seenDefaults.has(name)) {
+            finalGroups.push({ members: [], name, roles: [...spec.roles] });
+            groupsChanged = true;
+        }
+    }
+    return { groupsChanged, json: { ...jsonContent, groups: finalGroups } };
+};
+/**
+ * Parses and validates the authorization file content (JSON parsing + schema validation).
+ */
+const parseAuthorizationFile = (content) => {
+    let parsed;
+    try {
+        parsed = JSON.parse(content);
+    }
+    catch {
+        return err(new InvalidAuthorizationFileFormatError("File content is not valid JSON"));
+    }
+    const result = azureAuthorizationFileSchema.safeParse(parsed);
+    if (!result.success) {
+        return err(new InvalidAuthorizationFileFormatError("Could not find directory_readers.service_principals_name list"));
+    }
+    return ok(result.data);
+};
+/**
+ * Produces commit message, PR title, and PR body tailored to what actually changed.
+ */
+const makeChangeDescription = (subscriptionName, bootstrapIdentityId, identityAdded, groupsChanged) => {
+    if (identityAdded && groupsChanged) {
+        const title = `Add bootstrap identity and AD groups for ${subscriptionName}`;
+        return {
+            body: `This PR adds the bootstrap identity \`${bootstrapIdentityId}\` to the directory readers and configures AD groups for subscription \`${subscriptionName}\`.`,
+            message: title,
+            title,
+        };
+    }
+    if (identityAdded) {
+        const title = `Add bootstrap identity for ${subscriptionName}`;
+        return {
+            body: `This PR adds the bootstrap identity \`${bootstrapIdentityId}\` to the directory readers for subscription \`${subscriptionName}\`.`,
+            message: title,
+            title,
+        };
+    }
+    const title = `Configure AD groups for ${subscriptionName}`;
+    return {
+        body: `This PR configures AD groups for subscription \`${subscriptionName}\`.`,
+        message: title,
+        title,
+    };
+};
+/**
+ * Ensures the given identity is present in the service_principals_name list.
+ * Returns the (possibly updated) JSON and whether the identity was newly added.
+ * Never fails: if the identity already exists it is a no-op with identityAdded = false.
+ */
+const ensureIdentity = (jsonContent, identityId) => {
+    if (jsonContent.directory_readers.service_principals_name.includes(identityId)) {
+        return { identityAdded: false, json: jsonContent };
+    }
+    return {
+        identityAdded: true,
+        json: {
+            ...jsonContent,
+            directory_readers: {
+                ...jsonContent.directory_readers,
+                service_principals_name: [
+                    ...jsonContent.directory_readers.service_principals_name,
+                    identityId,
+                ],
+            },
+        },
+    };
+};
+const REPO_OWNER = "pagopa";
+const REPO_NAME = "eng-azure-authorization";
+const BASE_BRANCH = "main";
+export const makeAzureAuthorizationService = (gitHubService) => ({
+    requestAuthorization(input) {
+        const logger = getLogger(["dx-cli", "pagopa-azure-authorization"]);
+        const { bootstrapIdentityId, envShort, prefix, repoName, subscriptionName, } = input;
+        const filePath = `src/azure-subscriptions/subscriptions/${subscriptionName}/terraform.tfvars.json`;
+        const branchName = `feats/add-${repoName}-${subscriptionName}-bootstrap-identity`;
+        return (
+        // Step 1: Read file from main to determine if changes are needed
+        ResultAsync.fromPromise(gitHubService.getFileContent({
+            owner: REPO_OWNER,
+            path: filePath,
+            ref: BASE_BRANCH,
+            repo: REPO_NAME,
+        }), () => new AuthorizationError(`Unable to get ${filePath} in ${REPO_OWNER}/${REPO_NAME}`))
+            .orTee((error) => {
+            logger.error(error.message);
+        })
+            // Step 2: Parse file, ensure identity, upsert groups, detect no-op
+            .andThen(({ content, sha }) => {
+            const parseResult = parseAuthorizationFile(content);
+            if (parseResult.isErr()) {
+                logger.error("Failed to modify tfvars", {
+                    error: parseResult.error.message,
+                });
+                return errAsync(parseResult.error);
+            }
+            const parsed = parseResult.value;
+            const { identityAdded, json: withIdentity } = ensureIdentity(parsed, bootstrapIdentityId);
+            if (!identityAdded) {
+                logger.warn("Identity already exists, checking groups", {
+                    identityId: bootstrapIdentityId,
+                    subscription: subscriptionName,
+                });
+            }
+            const { groupsChanged, json: updatedJson } = upsertGroups(withIdentity, prefix, envShort);
+            if (!identityAdded && !groupsChanged) {
+                // Nothing to do — no branch created, no PR needed.
+                logger.info("No changes needed, skipping PR", {
+                    subscription: subscriptionName,
+                });
+                return okAsync(new AuthorizationResult());
+            }
+            const { body, message, title } = makeChangeDescription(subscriptionName, bootstrapIdentityId, identityAdded, groupsChanged);
+            // Step 3: Create branch only when changes are needed
+            return (ResultAsync.fromPromise(gitHubService.createBranch({
+                branchName,
+                fromRef: BASE_BRANCH,
+                owner: REPO_OWNER,
+                repo: REPO_NAME,
+            }), () => new AuthorizationError(`Unable to create branch ${branchName} in ${REPO_OWNER}/${REPO_NAME}`))
+                .orTee((error) => {
+                logger.error(error.message);
+            })
+                // Step 4: Update file on the branch using the SHA read from main
+                .andThen(() => ResultAsync.fromPromise(gitHubService.updateFile({
+                branch: branchName,
+                content: JSON.stringify(updatedJson, null, 2),
+                message,
+                owner: REPO_OWNER,
+                path: filePath,
+                repo: REPO_NAME,
+                sha,
+            }), () => new AuthorizationError(`Unable to update ${filePath} on branch ${branchName} in ${REPO_OWNER}/${REPO_NAME}`)))
+                .orTee((error) => {
+                logger.error(error.message);
+            })
+                // Step 5: Create PR
+                .andThen(() => ResultAsync.fromPromise(gitHubService.createPullRequest({
+                base: BASE_BRANCH,
+                body,
+                head: branchName,
+                owner: REPO_OWNER,
+                repo: REPO_NAME,
+                title,
+            }), () => new AuthorizationError(`Unable to create pull request from ${branchName} to ${BASE_BRANCH} in ${REPO_OWNER}/${REPO_NAME}`)))
+                .orTee((error) => {
+                logger.error(error.message);
+            })
+                .map((pr) => new AuthorizationResult(pr.url)));
+        }));
+    },
+});

package/dist/adapters/plop/actions/__tests__/init-cloud-accounts.test.js

@@ -36,6 +36,7 @@ const createMockPayload = (overrides = {}) => ({
     init: {
         cloudAccountsToInitialize: [],
         runnerAppCredentials: {
+            clientId: "test-app-client-id",
             id: "test-app-id",
             installationId: "test-installation-id",
             key: "test-private-key",
@@ -67,6 +68,7 @@ describe("initCloudAccounts", () => {
             init: {
                 cloudAccountsToInitialize: [cloudAccount1, cloudAccount2],
                 runnerAppCredentials: {
+                    clientId: "test-app-client-id",
                     id: "test-app-id",
                     installationId: "test-installation-id",
                     key: "test-private-key",
@@ -79,6 +81,7 @@ describe("initCloudAccounts", () => {
         await initCloudAccounts(payload, mockService, createMockGitHubService());
         expect(initializeMock).toHaveBeenCalledTimes(2);
         expect(initializeMock).toHaveBeenCalledWith(cloudAccount1, expect.objectContaining({ name: "prod", prefix: "io" }), {
+            clientId: "test-app-client-id",
             id: "test-app-id",
             installationId: "test-installation-id",
             key: "test-private-key",
@@ -87,6 +90,7 @@ describe("initCloudAccounts", () => {
             repo: "dx",
         }, expect.any(Object), {});
         expect(initializeMock).toHaveBeenCalledWith(cloudAccount2, expect.objectContaining({ name: "prod", prefix: "io" }), {
+            clientId: "test-app-client-id",
             id: "test-app-id",
             installationId: "test-installation-id",
             key: "test-private-key",
@@ -104,6 +108,7 @@ describe("initCloudAccounts", () => {
             init: {
                 cloudAccountsToInitialize: [],
                 runnerAppCredentials: {
+                    clientId: "test-app-client-id",
                     id: "test-app-id",
                     installationId: "test-installation-id",
                     key: "test-private-key",
@@ -142,6 +147,7 @@ describe("initCloudAccounts", () => {
             init: {
                 cloudAccountsToInitialize: [cloudAccount],
                 runnerAppCredentials: {
+                    clientId: "test-app-client-id",
                     id: "test-app-id",
                     installationId: "test-installation-id",
                     key: "test-private-key",
@@ -153,6 +159,7 @@ describe("initCloudAccounts", () => {
         });
         await initCloudAccounts(payload, mockService, createMockGitHubService());
         expect(initializeMock).toHaveBeenCalledWith(cloudAccount, expect.objectContaining({ name: "uat", prefix: "pagopa" }), {
+            clientId: "test-app-client-id",
             id: "test-app-id",
             installationId: "test-installation-id",
             key: "test-private-key",

package/dist/adapters/plop/actions/__tests__/provision-terraform-backend.test.js

@@ -35,6 +35,7 @@ const createMockPayload = (overrides = {}) => ({
     init: {
         cloudAccountsToInitialize: [],
         runnerAppCredentials: {
+            clientId: "test-app-client-id",
             id: "test-app-id",
             installationId: "test-installation-id",
             key: "test-private-key",
@@ -77,6 +78,7 @@ describe("provisionTerraformBackend", () => {
             init: {
                 cloudAccountsToInitialize: [],
                 runnerAppCredentials: {
+                    clientId: "test-app-client-id",
                     id: "test-app-id",
                     installationId: "test-installation-id",
                     key: "test-private-key",
@@ -116,6 +118,7 @@ describe("provisionTerraformBackend", () => {
             init: {
                 cloudAccountsToInitialize: [],
                 runnerAppCredentials: {
+                    clientId: "test-app-client-id",
                     id: "test-app-id",
                     installationId: "test-installation-id",
                     key: "test-private-key",

package/dist/adapters/plop/generators/environment/__tests__/actions.test.js

@@ -26,6 +26,7 @@ export const getPayload = (includeInit = false) => {
         payload.init = {
             cloudAccountsToInitialize: [cloudAccount],
             runnerAppCredentials: {
+                clientId: "test-app-client-id",
                 id: "test-app-id",
                 installationId: "test-installation-id",
                 key: "test-private-key",

package/dist/adapters/plop/generators/environment/__tests__/prompts.test.js

@@ -1,6 +1,7 @@
 // Tests for workspaceSchema transforms (lowercase and trim on domain).
-import { describe, expect, it } from "vitest";
-import { formatInitializationDetails, workspaceSchema } from "../prompts.js";
+import inquirer from "inquirer";
+import { describe, expect, it, vi } from "vitest";
+import prompts, { formatInitializationDetails, workspaceSchema, } from "../prompts.js";
 describe("workspaceSchema — domain transforms", () => {
     it("lowercases an uppercase domain", () => {
         const result = workspaceSchema.safeParse({ domain: "API" });
@@ -83,3 +84,96 @@ describe("formatInitializationDetails", () => {
         expect(formatInitializationDetails(status)).toBe("");
     });
 });
+describe("prompts", () => {
+    it("prompts for the GitHub runner app client ID when initialization is required", async () => {
+        const cloudAccount = {
+            csp: "azure",
+            defaultLocation: "italynorth",
+            displayName: "DEV-FooBar",
+            id: "sub-123",
+        };
+        const cloudAccountRepository = {
+            list: vi.fn().mockResolvedValue([cloudAccount]),
+        };
+        const cloudAccountService = {
+            getTerraformBackend: vi.fn().mockResolvedValue(undefined),
+            hasUserPermissionToInitialize: vi.fn().mockResolvedValue(true),
+            initialize: vi.fn().mockResolvedValue(undefined),
+            isInitialized: vi.fn().mockResolvedValue(false),
+            provisionTerraformBackend: vi.fn().mockResolvedValue(undefined),
+        };
+        const promptSpy = vi.spyOn(inquirer, "prompt");
+        const consoleLogSpy = vi
+            .spyOn(console, "log")
+            .mockImplementation(() => undefined);
+        promptSpy
+            .mockResolvedValueOnce({
+            env: {
+                cloudAccounts: [cloudAccount],
+                name: "dev",
+                prefix: "dx",
+            },
+            tags: {
+                BusinessUnit: "Platform",
+                CostCenter: "TS000",
+                ManagementTeam: "Engineering",
+            },
+            workspace: {
+                domain: "payments",
+            },
+        })
+            .mockResolvedValueOnce({
+            [cloudAccount.id]: "italynorth",
+        })
+            .mockResolvedValueOnce({
+            init: true,
+        })
+            .mockResolvedValueOnce({
+            runnerAppCredentials: {
+                clientId: "app-client-id",
+                id: "app-id",
+                installationId: "installation-id",
+                key: "private-key",
+            },
+        });
+        try {
+            const result = await prompts({
+                cloudAccountRepository,
+                cloudAccountService,
+                github: {
+                    owner: "pagopa",
+                    repo: "dx",
+                },
+            })(inquirer);
+            const runnerCredentialQuestions = promptSpy.mock.calls[3]?.[0];
+            expect(runnerCredentialQuestions).toEqual(expect.arrayContaining([
+                expect.objectContaining({
+                    message: "GitHub Runner App ID",
+                    name: "runnerAppCredentials.id",
+                }),
+                expect.objectContaining({
+                    message: "GitHub Runner App Client ID",
+                    name: "runnerAppCredentials.clientId",
+                }),
+                expect.objectContaining({
+                    message: "GitHub Runner App Installation ID",
+                    name: "runnerAppCredentials.installationId",
+                }),
+                expect.objectContaining({
+                    message: "GitHub Runner App Private Key",
+                    name: "runnerAppCredentials.key",
+                }),
+            ]));
+            expect(result.init?.runnerAppCredentials).toEqual({
+                clientId: "app-client-id",
+                id: "app-id",
+                installationId: "installation-id",
+                key: "private-key",
+            });
+        }
+        finally {
+            promptSpy.mockRestore();
+            consoleLogSpy.mockRestore();
+        }
+    });
+});

package/dist/adapters/plop/generators/environment/prompts.d.ts

@@ -42,6 +42,7 @@ export declare const payloadSchema: z.ZodObject<{
             id: z.ZodString;
         }, z.core.$strip>>;
         runnerAppCredentials: z.ZodOptional<z.ZodObject<{
+            clientId: z.ZodString;
             id: z.ZodString;
             installationId: z.ZodString;
             key: z.ZodString;

package/dist/adapters/plop/generators/environment/prompts.js

@@ -163,6 +163,12 @@ const prompts = (deps) => async (inquirer) => {
             name: "runnerAppCredentials.id",
             type: "input",
             validate: (value) => value.length > 0,
+        }, {
+            filter: (value) => value.trim(),
+            message: "GitHub Runner App Client ID",
+            name: "runnerAppCredentials.clientId",
+            type: "input",
+            validate: (value) => value.length > 0,
         }, {
             filter: (value) => value.trim(),
             message: "GitHub Runner App Installation ID",

package/dist/domain/authorization.d.ts

@@ -8,10 +8,12 @@
 import { ResultAsync } from "neverthrow";
 import { z } from "zod/v4";
 /**
- * Input validation schema for the request authorization use case.
+ * Input validation schema for the authorization workflow.
  */
 export declare const requestAuthorizationInputSchema: z.ZodObject<{
     bootstrapIdentityId: z.core.$ZodBranded<z.ZodString, "BootstrapIdentityId", "out">;
+    envShort: z.core.$ZodBranded<z.ZodString, "EnvShort", "out">;
+    prefix: z.core.$ZodBranded<z.ZodString, "ResourcePrefix", "out">;
     repoName: z.ZodString;
     subscriptionName: z.core.$ZodBranded<z.ZodString, "SubscriptionName", "out">;
 }, z.core.$strip>;
@@ -31,16 +33,11 @@ export declare class AuthorizationError extends Error {
 }
 /**
  * Result returned by a successful authorization request.
+ * When url is undefined, the workflow was a no-op (nothing changed, no PR created).
  */
 export declare class AuthorizationResult {
-    readonly url: string;
-    constructor(url: string);
-}
-/**
- * Error thrown when attempting to add an identity that already exists.
- */
-export declare class IdentityAlreadyExistsError extends AuthorizationError {
-    constructor(identityId: string);
+    readonly url?: string | undefined;
+    constructor(url?: string | undefined);
 }
 /**
  * Error thrown when the authorization configuration format is invalid or cannot be parsed.

package/dist/domain/authorization.js

@@ -29,10 +29,35 @@ const BootstrapIdentityId = z
 })
     .brand();
 /**
- * Input validation schema for the request authorization use case.
+ * Branded type for resource prefix (e.g., "dx", "io").
+ * Validates that the prefix contains only lowercase letters to prevent injection.
+ */
+const ResourcePrefix = z
+    .string()
+    .min(1)
+    .regex(/^[a-z]+$/, {
+    message: "Resource prefix may contain only lowercase letters",
+})
+    .brand();
+/**
+ * Branded type for environment short name (e.g., "d", "u", "p").
+ * Validates single lowercase letter for environment.
+ */
+const EnvShort = z
+    .string()
+    .min(1)
+    .max(1)
+    .regex(/^[a-z]$/, {
+    message: "Environment short name must be a single lowercase letter",
+})
+    .brand();
+/**
+ * Input validation schema for the authorization workflow.
  */
 export const requestAuthorizationInputSchema = z.object({
     bootstrapIdentityId: BootstrapIdentityId,
+    envShort: EnvShort,
+    prefix: ResourcePrefix,
     repoName: z.string().min(1),
     subscriptionName: SubscriptionName,
 });
@@ -47,6 +72,7 @@ export class AuthorizationError extends Error {
 }
 /**
  * Result returned by a successful authorization request.
+ * When url is undefined, the workflow was a no-op (nothing changed, no PR created).
  */
 export class AuthorizationResult {
     url;
@@ -54,15 +80,6 @@ export class AuthorizationResult {
         this.url = url;
     }
 }
-/**
- * Error thrown when attempting to add an identity that already exists.
- */
-export class IdentityAlreadyExistsError extends AuthorizationError {
-    constructor(identityId) {
-        super(`Identity "${identityId}" already exists`);
-        this.name = "IdentityAlreadyExistsError";
-    }
-}
 /**
  * Error thrown when the authorization configuration format is invalid or cannot be parsed.
  */

package/dist/domain/github.d.ts

@@ -94,6 +94,7 @@ export declare class RepositoryNotFoundError extends Error {
     constructor(owner: string, name: string);
 }
 export declare const githubAppCredentialsSchema: z.ZodObject<{
+    clientId: z.ZodString;
     id: z.ZodString;
     installationId: z.ZodString;
     key: z.ZodString;

package/dist/domain/github.js

@@ -38,6 +38,7 @@ export class RepositoryNotFoundError extends Error {
     }
 }
 export const githubAppCredentialsSchema = z.object({
+    clientId: z.string().nonempty(),
     id: z.string().nonempty(),
     installationId: z.string().nonempty(),
     key: z.string().nonempty(),

package/dist/index.js

@@ -8,7 +8,7 @@ import { makeValidationReporter } from "./adapters/logtape/validation-reporter.j
 import { makePackageJsonReader } from "./adapters/node/package-json.js";
 import { makeRepositoryReader } from "./adapters/node/repository.js";
 import { getGitHubPAT, OctokitGitHubService, } from "./adapters/octokit/index.js";
-import { makeAuthorizationService } from "./adapters/pagopa-technology/authorization.js";
+import { makeAzureAuthorizationService } from "./adapters/pagopa-technology/azure-authorization.js";
 import { getConfig } from "./config.js";
 import { getInfo } from "./domain/info.js";
 import { applyCodemodById } from "./use-cases/apply-codemod.js";
@@ -60,7 +60,7 @@ export const runCli = async (version) => {
         auth,
     });
     const gitHubService = new OctokitGitHubService(octokit);
-    const authorizationService = makeAuthorizationService(gitHubService);
+    const authorizationService = makeAzureAuthorizationService(gitHubService);
     const deps = {
         authorizationService,
         gitHubService,

package/dist/use-cases/__tests__/request-authorization.test.js

@@ -4,10 +4,12 @@
 import { errAsync, okAsync } from "neverthrow";
 import { describe, expect, it } from "vitest";
 import { mock } from "vitest-mock-extended";
-import { AuthorizationError, AuthorizationResult, IdentityAlreadyExistsError, requestAuthorizationInputSchema, } from "../../domain/authorization.js";
+import { AuthorizationError, AuthorizationResult, requestAuthorizationInputSchema, } from "../../domain/authorization.js";
 import { requestAuthorization } from "../request-authorization.js";
 const makeSampleInput = () => requestAuthorizationInputSchema.parse({
     bootstrapIdentityId: "test-bootstrap-identity-id",
+    envShort: "d",
+    prefix: "test",
     repoName: "test-repo",
     subscriptionName: "test-subscription",
 });
@@ -25,10 +27,10 @@ describe("requestAuthorization", () => {
     it("should propagate errors from the authorization service", async () => {
         const authorizationService = mock();
         const input = makeSampleInput();
-        authorizationService.requestAuthorization.mockReturnValue(errAsync(new IdentityAlreadyExistsError("test-bootstrap-identity-id")));
+        authorizationService.requestAuthorization.mockReturnValue(errAsync(new AuthorizationError("Unable to update file")));
         const result = await requestAuthorization(authorizationService)(input);
         expect(result.isErr()).toBe(true);
-        expect(result._unsafeUnwrapErr()).toBeInstanceOf(IdentityAlreadyExistsError);
+        expect(result._unsafeUnwrapErr()).toBeInstanceOf(AuthorizationError);
     });
     it("should propagate generic authorization errors", async () => {
         const authorizationService = mock();