@pleri/olam-cli 0.1.196 → 0.1.198

package/dist/lib/auth-list.js

@@ -0,0 +1,123 @@
+/**
+ * auth-list — testable orchestration for `olam auth list` and `auth list --json`.
+ *
+ * Phase B (cloud-only-vault) Decision D5: `olam auth list` defaults to the
+ * cloud auth-worker (cf. B1 / B2). This module:
+ *
+ *   1. Resolves the backend via B1's `requireBackend`.
+ *   2. Resolves the remote URL via the same precedence used by `auth login`
+ *      (explicit `--remote <url>` > env > file > hard-coded fallback).
+ *   3. Consults the in-process TTL cache (30 s per D5) when backend='remote'
+ *      and `--no-cache` was NOT passed.
+ *   4. Falls back to the stale cache when a fresh fetch fails (offline UX).
+ *   5. Routes to `AuthClient.status()` on the local backend.
+ *
+ * The Commander.js action handler in `packages/cli/src/commands/auth.ts`
+ * binds the IO touchpoints (cache helpers, fetch, AuthClient) via the
+ * `AuthListDeps` struct and consumes the structured `AuthListResult` to
+ * render the table or JSON output.
+ *
+ * Coupling note: the result object holds the raw remote payload (when
+ * backend='remote') OR the AuthAccountSummary[] (when backend='local'). The
+ * caller picks the right renderer (`renderAuthListJson` for local-JSON,
+ * `renderRemoteAuthListJson` for remote-JSON, or a text table for either).
+ * This keeps the IO + presentation concerns out of this module while still
+ * giving the action a single decision-tree entrypoint.
+ */
+import { resolveRemoteUrl } from './auth-login.js';
+import { requireBackend, emitDeprecationWarning, ConflictingBackendFlags, } from './auth-backend.js';
+import { getCachedAuthList, setCachedAuthList, getStaleAuthList, AUTH_LIST_CACHE_TTL_MS, } from './auth-list-cache.js';
+/**
+ * Compose the cache key for a (baseUrl, cookie) pair. The cookie value is
+ * included because two operators on the same host (sharing the CLI process,
+ * unlikely but possible in CI) may target the same baseUrl with different
+ * identities — caching across that boundary would leak one operator's
+ * accounts to the other.
+ */
+export function authListCacheKey(baseUrl, cookie) {
+    const normalisedBase = baseUrl.replace(/\/+$/, '');
+    return cookie ? `${normalisedBase}|${cookie}` : normalisedBase;
+}
+/**
+ * Run the `olam auth list` decision tree. Tests inject `fetchRemoteAccounts`
+ * and `fetchLocalStatus` to capture orchestration.
+ */
+export async function runAuthList(opts, deps) {
+    const stderr = deps.stderr ?? process.stderr;
+    const now = deps.now ?? Date.now;
+    // (1) Backend resolution.
+    let resolution;
+    try {
+        resolution = requireBackend({ local: opts.local, remote: opts.remote });
+    }
+    catch (err) {
+        if (err instanceof ConflictingBackendFlags) {
+            return { mode: 'error', exitCode: 1, message: err.message };
+        }
+        throw err;
+    }
+    // (2) Local opt-out.
+    if (resolution.backend === 'local') {
+        if (resolution.emitDeprecationWarning) {
+            emitDeprecationWarning(stderr);
+        }
+        const status = await deps.fetchLocalStatus();
+        return { mode: 'local', reachable: status.reachable, accounts: status.accounts };
+    }
+    // (3) Remote default path.
+    const baseUrl = resolveRemoteUrl(resolution, {
+        readEnv: deps.readEnv,
+        readAuthWorkerUrlFile: deps.readAuthWorkerUrlFile,
+    });
+    const cacheKey = authListCacheKey(baseUrl, opts.cookie);
+    // (3a) Cache hit (unless --no-cache).
+    if (opts.noCache !== true) {
+        const hit = getCachedAuthList(cacheKey, now());
+        if (hit) {
+            return {
+                mode: 'remote',
+                baseUrl,
+                accounts: hit.result,
+                stale: false,
+                fetchedAt: hit.fetchedAt,
+            };
+        }
+    }
+    // (3b) Fresh fetch attempt.
+    try {
+        const accounts = await deps.fetchRemoteAccounts(baseUrl, opts.cookie);
+        setCachedAuthList(cacheKey, accounts, now());
+        return {
+            mode: 'remote',
+            baseUrl,
+            accounts,
+            stale: false,
+            fetchedAt: now(),
+        };
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        // (3c) Stale fallback when offline / fetch failed.
+        const stale = getStaleAuthList(cacheKey);
+        if (stale) {
+            return {
+                mode: 'remote',
+                baseUrl,
+                accounts: stale.result,
+                stale: true,
+                fetchedAt: stale.fetchedAt,
+                fetchError: message,
+            };
+        }
+        // (3d) No cache, no fresh — surface error.
+        return {
+            mode: 'error',
+            exitCode: 1,
+            message: `Failed to list remote accounts (${baseUrl}): ${message}`,
+        };
+    }
+}
+// Re-export the TTL constant so callers can reference it without importing
+// the cache module directly.
+export { AUTH_LIST_CACHE_TTL_MS };
+//# sourceMappingURL=auth-list.js.map

package/dist/lib/auth-list.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-list.js","sourceRoot":"","sources":["../../src/lib/auth-list.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EACL,cAAc,EACd,sBAAsB,EACtB,uBAAuB,GAExB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,gBAAgB,EAChB,sBAAsB,GACvB,MAAM,sBAAsB,CAAC;AA4E9B;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAe,EAAE,MAAe;IAC/D,MAAM,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACnD,OAAO,MAAM,CAAC,CAAC,CAAC,GAAG,cAAc,IAAI,MAAM,EAAE,CAAC,CAAC,CAAC,cAAc,CAAC;AACjE,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,IAAqB,EACrB,IAAkB;IAElB,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC;IAEjC,0BAA0B;IAC1B,IAAI,UAA6B,CAAC;IAClC,IAAI,CAAC;QACH,UAAU,GAAG,cAAc,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IAC1E,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,uBAAuB,EAAE,CAAC;YAC3C,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC;QAC9D,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,qBAAqB;IACrB,IAAI,UAAU,CAAC,OAAO,KAAK,OAAO,EAAE,CAAC;QACnC,IAAI,UAAU,CAAC,sBAAsB,EAAE,CAAC;YACtC,sBAAsB,CAAC,MAAM,CAAC,CAAC;QACjC,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC7C,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC;IACnF,CAAC;IAED,2BAA2B;IAC3B,MAAM,OAAO,GAAG,gBAAgB,CAAC,UAAU,EAAE;QAC3C,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,qBAAqB,EAAE,IAAI,CAAC,qBAAqB;KAClD,CAAC,CAAC;IACH,MAAM,QAAQ,GAAG,gBAAgB,CAAC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IAExD,sCAAsC;IACtC,IAAI,IAAI,CAAC,OAAO,KAAK,IAAI,EAAE,CAAC;QAC1B,MAAM,GAAG,GAAG,iBAAiB,CAA8B,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;QAC5E,IAAI,GAAG,EAAE,CAAC;YACR,OAAO;gBACL,IAAI,EAAE,QAAQ;gBACd,OAAO;gBACP,QAAQ,EAAE,GAAG,CAAC,MAAM;gBACpB,KAAK,EAAE,KAAK;gBACZ,SAAS,EAAE,GAAG,CAAC,SAAS;aACzB,CAAC;QACJ,CAAC;IACH,CAAC;IAED,4BAA4B;IAC5B,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,mBAAmB,CAAC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;QAC7C,OAAO;YACL,IAAI,EAAE,QAAQ;YACd,OAAO;YACP,QAAQ;YACR,KAAK,EAAE,KAAK;YACZ,SAAS,EAAE,GAAG,EAAE;SACjB,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,mDAAmD;QACnD,MAAM,KAAK,GAAG,gBAAgB,CAA8B,QAAQ,CAAC,CAAC;QACtE,IAAI,KAAK,EAAE,CAAC;YACV,OAAO;gBACL,IAAI,EAAE,QAAQ;gBACd,OAAO;gBACP,QAAQ,EAAE,KAAK,CAAC,MAAM;gBACtB,KAAK,EAAE,IAAI;gBACX,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,UAAU,EAAE,OAAO;aACpB,CAAC;QACJ,CAAC;QACD,2CAA2C;QAC3C,OAAO;YACL,IAAI,EAAE,OAAO;YACb,QAAQ,EAAE,CAAC;YACX,OAAO,EAAE,mCAAmC,OAAO,MAAM,OAAO,EAAE;SACnE,CAAC;IACJ,CAAC;AACH,CAAC;AAED,2EAA2E;AAC3E,6BAA6B;AAC7B,OAAO,EAAE,sBAAsB,EAAE,CAAC"}

package/dist/lib/auth-login.d.ts

@@ -0,0 +1,92 @@
+/**
+ * auth-login — testable extraction of the `olam auth login` action body.
+ *
+ * The Commander action callback in `packages/cli/src/commands/auth.ts` is too
+ * deeply coupled to live IO (browser opener, readline prompts, AuthClient
+ * against 127.0.0.1:9999, remote OAuth start) for direct unit-test mocking.
+ * B2 splits the decision logic out into `runAuthLogin`, which:
+ *
+ *   - Resolves the backend via B1's `requireBackend`.
+ *   - Emits the deprecation warning when --local is the explicit opt-out.
+ *   - Asks the interactive confirm prompt before flipping to remote (skips
+ *     on non-TTY for CI safety; --yes also bypasses).
+ *   - Delegates the actual flow (remote URL print / local PKCE) to injected
+ *     functions, so tests can assert on the orchestration without spawning
+ *     real OAuth round-trips.
+ *
+ * Resolution of the default remote URL:
+ *
+ *   1. `--remote <url>` explicit string form (`resolution.explicitRemoteUrl`).
+ *   2. `OLAM_AUTH_WORKER_URL` env var.
+ *   3. `~/.olam/auth-worker-url` file (trimmed; one URL per file).
+ *   4. Hard-coded fallback `https://auth-worker.kaluga.co`.
+ *
+ * Step (4) matches the canonical Olam zone documented in
+ * `docs/plans/cloud-only-vault/phase-b-tasks.md` B2 acceptance criteria.
+ * Operators with a private deployment override via (2) or (3).
+ */
+import { type BackendResolution } from './auth-backend.js';
+/** Canonical fallback when no other URL source is configured. */
+export declare const DEFAULT_AUTH_WORKER_URL = "https://auth-worker.kaluga.co";
+/**
+ * Options parsed from Commander for `olam auth login`. Mirrors the option
+ * declarations in `auth.ts`; new in B2 are `--local` and `--yes`.
+ */
+export interface AuthLoginOptions {
+    readonly local?: boolean;
+    readonly remote?: boolean | string;
+    readonly label?: string;
+    readonly printUrl?: boolean;
+    readonly serviceToken?: string;
+    /** Skip the first-time interactive confirm prompt. */
+    readonly yes?: boolean;
+}
+/**
+ * Injection seam — every IO touchpoint is funneled through this struct so the
+ * unit tests can assert on orchestration without real OAuth round-trips,
+ * filesystem writes, or stdin reads.
+ */
+export interface AuthLoginDeps {
+    /** Reads the OLAM_AUTH_WORKER_URL env var. Defaults to `process.env`. */
+    readonly readEnv?: (key: string) => string | undefined;
+    /** Reads the home-config file `~/.olam/auth-worker-url`. */
+    readonly readAuthWorkerUrlFile?: () => string | null;
+    /** True when stdin is a TTY (interactive prompt is meaningful). */
+    readonly isTty?: () => boolean;
+    /** Returns `'y'` / `'n'` (case-insensitive) — the operator's answer. */
+    readonly promptConfirm?: (question: string) => Promise<string>;
+    /** Runs the remote OAuth-URL print flow against the resolved URL. */
+    readonly executeRemoteLogin: (baseUrl: string, opts: AuthLoginOptions) => Promise<void>;
+    /** Runs the legacy local PKCE flow against the auth-service container. */
+    readonly executeLocalLogin: (opts: AuthLoginOptions) => Promise<void>;
+    /** Where deprecation + confirm warnings are written. Defaults to process.stderr. */
+    readonly stderr?: NodeJS.WritableStream;
+    /** Where success / banner messages are written. Defaults to process.stdout. */
+    readonly stdout?: NodeJS.WritableStream;
+}
+/** Result of `runAuthLogin` — drives the action's `process.exitCode`. */
+export interface AuthLoginResult {
+    readonly exitCode: 0 | 1;
+    /** Surfaced for tests; not used by the action. */
+    readonly backend?: 'local' | 'remote';
+    /** Surfaced for tests; URL the remote flow was dispatched to. */
+    readonly resolvedRemoteUrl?: string;
+}
+/**
+ * Resolve the remote auth-worker URL the login flow should target. Pure
+ * function modulo the injected `readEnv` + `readAuthWorkerUrlFile`.
+ */
+export declare function resolveRemoteUrl(resolution: BackendResolution, deps: Pick<AuthLoginDeps, 'readEnv' | 'readAuthWorkerUrlFile'>): string;
+/**
+ * Run the `olam auth login` decision tree. Tests inject `executeRemoteLogin`
+ * and `executeLocalLogin` to capture the orchestration without firing real
+ * OAuth.
+ *
+ * Decision tree (high-level):
+ *
+ *   1. requireBackend(opts) — throws ConflictingBackendFlags on dual-flag.
+ *   2. backend = 'local' → optional deprecation warning + local PKCE flow.
+ *   3. backend = 'remote' → resolve URL → optional confirm prompt → remote flow.
+ */
+export declare function runAuthLogin(opts: AuthLoginOptions, deps: AuthLoginDeps): Promise<AuthLoginResult>;
+//# sourceMappingURL=auth-login.d.ts.map

package/dist/lib/auth-login.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-login.d.ts","sourceRoot":"","sources":["../../src/lib/auth-login.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAKH,OAAO,EAIL,KAAK,iBAAiB,EACvB,MAAM,mBAAmB,CAAC;AAE3B,iEAAiE;AACjE,eAAO,MAAM,uBAAuB,kCAAkC,CAAC;AAEvE;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC;IACzB,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC;IACnC,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC;IAC5B,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,sDAAsD;IACtD,QAAQ,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC;CACxB;AAED;;;;GAIG;AACH,MAAM,WAAW,aAAa;IAC5B,yEAAyE;IACzE,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,CAAC;IACvD,4DAA4D;IAC5D,QAAQ,CAAC,qBAAqB,CAAC,EAAE,MAAM,MAAM,GAAG,IAAI,CAAC;IACrD,mEAAmE;IACnE,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,OAAO,CAAC;IAC/B,wEAAwE;IACxE,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAC/D,qEAAqE;IACrE,QAAQ,CAAC,kBAAkB,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACxF,0EAA0E;IAC1E,QAAQ,CAAC,iBAAiB,EAAE,CAAC,IAAI,EAAE,gBAAgB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACtE,oFAAoF;IACpF,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;IACxC,+EAA+E;IAC/E,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;CACzC;AAED,yEAAyE;AACzE,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,CAAC;IACzB,kDAAkD;IAClD,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,GAAG,QAAQ,CAAC;IACtC,iEAAiE;IACjE,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;CACrC;AAkBD;;;GAGG;AACH,wBAAgB,gBAAgB,CAC9B,UAAU,EAAE,iBAAiB,EAC7B,IAAI,EAAE,IAAI,CAAC,aAAa,EAAE,SAAS,GAAG,uBAAuB,CAAC,GAC7D,MAAM,CAYR;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,YAAY,CAChC,IAAI,EAAE,gBAAgB,EACtB,IAAI,EAAE,aAAa,GAClB,OAAO,CAAC,eAAe,CAAC,CAuD1B"}

package/dist/lib/auth-login.js

@@ -0,0 +1,124 @@
+/**
+ * auth-login — testable extraction of the `olam auth login` action body.
+ *
+ * The Commander action callback in `packages/cli/src/commands/auth.ts` is too
+ * deeply coupled to live IO (browser opener, readline prompts, AuthClient
+ * against 127.0.0.1:9999, remote OAuth start) for direct unit-test mocking.
+ * B2 splits the decision logic out into `runAuthLogin`, which:
+ *
+ *   - Resolves the backend via B1's `requireBackend`.
+ *   - Emits the deprecation warning when --local is the explicit opt-out.
+ *   - Asks the interactive confirm prompt before flipping to remote (skips
+ *     on non-TTY for CI safety; --yes also bypasses).
+ *   - Delegates the actual flow (remote URL print / local PKCE) to injected
+ *     functions, so tests can assert on the orchestration without spawning
+ *     real OAuth round-trips.
+ *
+ * Resolution of the default remote URL:
+ *
+ *   1. `--remote <url>` explicit string form (`resolution.explicitRemoteUrl`).
+ *   2. `OLAM_AUTH_WORKER_URL` env var.
+ *   3. `~/.olam/auth-worker-url` file (trimmed; one URL per file).
+ *   4. Hard-coded fallback `https://auth-worker.kaluga.co`.
+ *
+ * Step (4) matches the canonical Olam zone documented in
+ * `docs/plans/cloud-only-vault/phase-b-tasks.md` B2 acceptance criteria.
+ * Operators with a private deployment override via (2) or (3).
+ */
+import * as fs from 'node:fs';
+import * as os from 'node:os';
+import * as path from 'node:path';
+import { requireBackend, emitDeprecationWarning, ConflictingBackendFlags, } from './auth-backend.js';
+/** Canonical fallback when no other URL source is configured. */
+export const DEFAULT_AUTH_WORKER_URL = 'https://auth-worker.kaluga.co';
+// ── Defaults for the deps that touch real IO ────────────────────────────────
+function defaultReadAuthWorkerUrlFile() {
+    try {
+        const file = path.join(os.homedir(), '.olam', 'auth-worker-url');
+        const content = fs.readFileSync(file, 'utf-8').trim();
+        return content.length > 0 ? content : null;
+    }
+    catch {
+        return null;
+    }
+}
+function defaultIsTty() {
+    return Boolean(process.stdin.isTTY);
+}
+/**
+ * Resolve the remote auth-worker URL the login flow should target. Pure
+ * function modulo the injected `readEnv` + `readAuthWorkerUrlFile`.
+ */
+export function resolveRemoteUrl(resolution, deps) {
+    if (resolution.explicitRemoteUrl)
+        return resolution.explicitRemoteUrl;
+    const readEnv = deps.readEnv ?? ((k) => process.env[k]);
+    const fromEnv = readEnv('OLAM_AUTH_WORKER_URL');
+    if (fromEnv && fromEnv.length > 0)
+        return fromEnv;
+    const readFile = deps.readAuthWorkerUrlFile ?? defaultReadAuthWorkerUrlFile;
+    const fromFile = readFile();
+    if (fromFile && fromFile.length > 0)
+        return fromFile;
+    return DEFAULT_AUTH_WORKER_URL;
+}
+/**
+ * Run the `olam auth login` decision tree. Tests inject `executeRemoteLogin`
+ * and `executeLocalLogin` to capture the orchestration without firing real
+ * OAuth.
+ *
+ * Decision tree (high-level):
+ *
+ *   1. requireBackend(opts) — throws ConflictingBackendFlags on dual-flag.
+ *   2. backend = 'local' → optional deprecation warning + local PKCE flow.
+ *   3. backend = 'remote' → resolve URL → optional confirm prompt → remote flow.
+ */
+export async function runAuthLogin(opts, deps) {
+    const stderr = deps.stderr ?? process.stderr;
+    const stdout = deps.stdout ?? process.stdout;
+    // (1) Backend resolution.
+    let resolution;
+    try {
+        resolution = requireBackend({ local: opts.local, remote: opts.remote });
+    }
+    catch (err) {
+        if (err instanceof ConflictingBackendFlags) {
+            stderr.write(`error: ${err.message}\n`);
+            return { exitCode: 1 };
+        }
+        throw err;
+    }
+    // (2) Local opt-out path.
+    if (resolution.backend === 'local') {
+        if (resolution.emitDeprecationWarning) {
+            emitDeprecationWarning(stderr);
+        }
+        await deps.executeLocalLogin(opts);
+        return { exitCode: 0, backend: 'local' };
+    }
+    // (3) Remote default path.
+    const remoteUrl = resolveRemoteUrl(resolution, deps);
+    const isTty = (deps.isTty ?? defaultIsTty)();
+    // First-time confirm prompt — only when interactive AND --yes not passed
+    // AND no explicit URL was on the CLI (an explicit URL means the operator
+    // already knows where they're going).
+    const needsConfirm = isTty && opts.yes !== true && resolution.explicitRemoteUrl === undefined;
+    if (needsConfirm) {
+        const prompt = deps.promptConfirm;
+        if (prompt) {
+            const ans = (await prompt(`About to log into cloud auth-worker (${remoteUrl}). Continue? [Y/n] `))
+                .trim()
+                .toLowerCase();
+            if (ans === 'n' || ans === 'no') {
+                stderr.write('Cancelled by operator. Pass --local to opt out, or --yes to skip this prompt.\n');
+                return { exitCode: 1 };
+            }
+        }
+        // If no promptConfirm injected we assume the caller doesn't want a
+        // confirm (the action handler always wires one in production).
+    }
+    stdout.write(`Logging into cloud auth-worker at ${remoteUrl} ...\n`);
+    await deps.executeRemoteLogin(remoteUrl, opts);
+    return { exitCode: 0, backend: 'remote', resolvedRemoteUrl: remoteUrl };
+}
+//# sourceMappingURL=auth-login.js.map

package/dist/lib/auth-login.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-login.js","sourceRoot":"","sources":["../../src/lib/auth-login.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EACL,cAAc,EACd,sBAAsB,EACtB,uBAAuB,GAExB,MAAM,mBAAmB,CAAC;AAE3B,iEAAiE;AACjE,MAAM,CAAC,MAAM,uBAAuB,GAAG,+BAA+B,CAAC;AAiDvE,+EAA+E;AAE/E,SAAS,4BAA4B;IACnC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,iBAAiB,CAAC,CAAC;QACjE,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QACtD,OAAO,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,YAAY;IACnB,OAAO,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;AACtC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAC9B,UAA6B,EAC7B,IAA8D;IAE9D,IAAI,UAAU,CAAC,iBAAiB;QAAE,OAAO,UAAU,CAAC,iBAAiB,CAAC;IAEtE,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACxD,MAAM,OAAO,GAAG,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAChD,IAAI,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,OAAO,CAAC;IAElD,MAAM,QAAQ,GAAG,IAAI,CAAC,qBAAqB,IAAI,4BAA4B,CAAC;IAC5E,MAAM,QAAQ,GAAG,QAAQ,EAAE,CAAC;IAC5B,IAAI,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,QAAQ,CAAC;IAErD,OAAO,uBAAuB,CAAC;AACjC,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,IAAsB,EACtB,IAAmB;IAEnB,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAE7C,0BAA0B;IAC1B,IAAI,UAA6B,CAAC;IAClC,IAAI,CAAC;QACH,UAAU,GAAG,cAAc,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IAC1E,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,uBAAuB,EAAE,CAAC;YAC3C,MAAM,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,OAAO,IAAI,CAAC,CAAC;YACxC,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QACzB,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,0BAA0B;IAC1B,IAAI,UAAU,CAAC,OAAO,KAAK,OAAO,EAAE,CAAC;QACnC,IAAI,UAAU,CAAC,sBAAsB,EAAE,CAAC;YACtC,sBAAsB,CAAC,MAAM,CAAC,CAAC;QACjC,CAAC;QACD,MAAM,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC;QACnC,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;IAC3C,CAAC;IAED,2BAA2B;IAC3B,MAAM,SAAS,GAAG,gBAAgB,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;IACrD,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,KAAK,IAAI,YAAY,CAAC,EAAE,CAAC;IAE7C,yEAAyE;IACzE,yEAAyE;IACzE,sCAAsC;IACtC,MAAM,YAAY,GAChB,KAAK,IAAI,IAAI,CAAC,GAAG,KAAK,IAAI,IAAI,UAAU,CAAC,iBAAiB,KAAK,SAAS,CAAC;IAE3E,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC;QAClC,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,GAAG,GAAG,CAAC,MAAM,MAAM,CACvB,wCAAwC,SAAS,qBAAqB,CACvE,CAAC;iBACC,IAAI,EAAE;iBACN,WAAW,EAAE,CAAC;YACjB,IAAI,GAAG,KAAK,GAAG,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;gBAChC,MAAM,CAAC,KAAK,CAAC,iFAAiF,CAAC,CAAC;gBAChG,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;YACzB,CAAC;QACH,CAAC;QACD,mEAAmE;QACnE,+DAA+D;IACjE,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,qCAAqC,SAAS,QAAQ,CAAC,CAAC;IACrE,MAAM,IAAI,CAAC,kBAAkB,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAC/C,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,QAAQ,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC;AAC1E,CAAC"}

package/dist/lib/auth-mutator-backend.d.ts

@@ -0,0 +1,54 @@
+/**
+ * auth-mutator-backend — backend resolver for `olam auth refresh / disable /
+ * enable` under B4 (narrowed scope).
+ *
+ * Phase A6 architecturally ruled out adding `/v1/credentials/*` mutators to
+ * the cloud DO. As a result, refresh / disable / enable currently have ONE
+ * valid backend (local). This helper exists so the three subcommand handlers
+ * share identical flag-parsing + identical "remote-unsupported" exit
+ * semantics:
+ *
+ *   - default (no flag) → proceed (local)
+ *   - --local → proceed (local) — no deprecation warning emitted; warning the
+ *     operator against the only working backend would be hostile until OQ7
+ *     ships a cloud-side equivalent.
+ *   - --remote (any form) → exit code 2 + structured message pointing to OQ7
+ *   - --local --remote → exit code 1 (ConflictingBackendFlags semantic)
+ *
+ * Exit code 2 is the marker callers parse to distinguish "this subcommand
+ * has no cloud equivalent yet" from a generic local failure (exit 1).
+ * Wrapping scripts can branch on it to either fall back to --local or
+ * surface a clear "this needs OQ7" message.
+ *
+ * The message body uses a `%s` placeholder for the subcommand name so the
+ * three callers share one string.
+ */
+/** Discriminant for the mutator-backend resolution outcome. */
+export type MutatorBackendOutcome = {
+    readonly outcome: 'proceed-local';
+} | {
+    readonly outcome: 'conflict';
+    readonly message: string;
+} | {
+    readonly outcome: 'remote-unsupported';
+    readonly message: string;
+    readonly exitCode: 2;
+};
+/** Parsed CLI flags for a mutator subcommand. */
+export interface MutatorBackendArgs {
+    readonly local?: boolean;
+    readonly remote?: boolean | string;
+}
+/** Structured message body for the remote-unsupported path. */
+export declare const REMOTE_MUTATOR_UNSUPPORTED_MESSAGE_TEMPLATE: string;
+/**
+ * Render the remote-unsupported message for a specific subcommand.
+ */
+export declare function renderRemoteUnsupportedMessage(subcommand: string): string;
+/**
+ * Resolve which path a mutator subcommand should take given the operator's
+ * flags. Pure function — caller is responsible for printing the message +
+ * setting the process.exitCode.
+ */
+export declare function resolveMutatorBackend(subcommand: string, args: MutatorBackendArgs): MutatorBackendOutcome;
+//# sourceMappingURL=auth-mutator-backend.d.ts.map

package/dist/lib/auth-mutator-backend.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-mutator-backend.d.ts","sourceRoot":"","sources":["../../src/lib/auth-mutator-backend.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,+DAA+D;AAC/D,MAAM,MAAM,qBAAqB,GAC7B;IAAE,QAAQ,CAAC,OAAO,EAAE,eAAe,CAAA;CAAE,GACrC;IAAE,QAAQ,CAAC,OAAO,EAAE,UAAU,CAAC;IAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GAC1D;IAAE,QAAQ,CAAC,OAAO,EAAE,oBAAoB,CAAC;IAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAA;CAAE,CAAC;AAE/F,iDAAiD;AACjD,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC;IACzB,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC;CACpC;AAED,+DAA+D;AAC/D,eAAO,MAAM,2CAA2C,QAKT,CAAC;AAEhD;;GAEG;AACH,wBAAgB,8BAA8B,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAEzE;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,CACnC,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE,kBAAkB,GACvB,qBAAqB,CAoBvB"}

package/dist/lib/auth-mutator-backend.js

@@ -0,0 +1,62 @@
+/**
+ * auth-mutator-backend — backend resolver for `olam auth refresh / disable /
+ * enable` under B4 (narrowed scope).
+ *
+ * Phase A6 architecturally ruled out adding `/v1/credentials/*` mutators to
+ * the cloud DO. As a result, refresh / disable / enable currently have ONE
+ * valid backend (local). This helper exists so the three subcommand handlers
+ * share identical flag-parsing + identical "remote-unsupported" exit
+ * semantics:
+ *
+ *   - default (no flag) → proceed (local)
+ *   - --local → proceed (local) — no deprecation warning emitted; warning the
+ *     operator against the only working backend would be hostile until OQ7
+ *     ships a cloud-side equivalent.
+ *   - --remote (any form) → exit code 2 + structured message pointing to OQ7
+ *   - --local --remote → exit code 1 (ConflictingBackendFlags semantic)
+ *
+ * Exit code 2 is the marker callers parse to distinguish "this subcommand
+ * has no cloud equivalent yet" from a generic local failure (exit 1).
+ * Wrapping scripts can branch on it to either fall back to --local or
+ * surface a clear "this needs OQ7" message.
+ *
+ * The message body uses a `%s` placeholder for the subcommand name so the
+ * three callers share one string.
+ */
+/** Structured message body for the remote-unsupported path. */
+export const REMOTE_MUTATOR_UNSUPPORTED_MESSAGE_TEMPLATE = 'olam auth %s has no cloud equivalent yet.\n' +
+    "Phase A's architectural decision keeps the cloud DO's credential\n" +
+    'surface proxy-only. Tracked follow-up: docs/plans/cloud-only-vault/\n' +
+    'README.md § Open questions → admin mutator UX.\n\n' +
+    'Use --local to operate on the legacy vault.';
+/**
+ * Render the remote-unsupported message for a specific subcommand.
+ */
+export function renderRemoteUnsupportedMessage(subcommand) {
+    return REMOTE_MUTATOR_UNSUPPORTED_MESSAGE_TEMPLATE.replace('%s', subcommand);
+}
+/**
+ * Resolve which path a mutator subcommand should take given the operator's
+ * flags. Pure function — caller is responsible for printing the message +
+ * setting the process.exitCode.
+ */
+export function resolveMutatorBackend(subcommand, args) {
+    const localFlag = args.local === true;
+    const remoteFlag = args.remote === true ||
+        (typeof args.remote === 'string' && args.remote.length > 0);
+    if (localFlag && remoteFlag) {
+        return {
+            outcome: 'conflict',
+            message: 'Cannot specify both --local and --remote. Pick one.',
+        };
+    }
+    if (remoteFlag) {
+        return {
+            outcome: 'remote-unsupported',
+            message: renderRemoteUnsupportedMessage(subcommand),
+            exitCode: 2,
+        };
+    }
+    return { outcome: 'proceed-local' };
+}
+//# sourceMappingURL=auth-mutator-backend.js.map

package/dist/lib/auth-mutator-backend.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-mutator-backend.js","sourceRoot":"","sources":["../../src/lib/auth-mutator-backend.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAcH,+DAA+D;AAC/D,MAAM,CAAC,MAAM,2CAA2C,GACtD,6CAA6C;IAC7C,oEAAoE;IACpE,uEAAuE;IACvE,oDAAoD;IACpD,6CAA6C,CAAC;AAEhD;;GAEG;AACH,MAAM,UAAU,8BAA8B,CAAC,UAAkB;IAC/D,OAAO,2CAA2C,CAAC,OAAO,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;AAC/E,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,qBAAqB,CACnC,UAAkB,EAClB,IAAwB;IAExB,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,KAAK,IAAI,CAAC;IACtC,MAAM,UAAU,GACd,IAAI,CAAC,MAAM,KAAK,IAAI;QACpB,CAAC,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAE9D,IAAI,SAAS,IAAI,UAAU,EAAE,CAAC;QAC5B,OAAO;YACL,OAAO,EAAE,UAAU;YACnB,OAAO,EAAE,qDAAqD;SAC/D,CAAC;IACJ,CAAC;IACD,IAAI,UAAU,EAAE,CAAC;QACf,OAAO;YACL,OAAO,EAAE,oBAAoB;YAC7B,OAAO,EAAE,8BAA8B,CAAC,UAAU,CAAC;YACnD,QAAQ,EAAE,CAAC;SACZ,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC;AACtC,CAAC"}

package/dist/lib/auth-remote.d.ts

@@ -30,11 +30,52 @@ export interface ServiceToken {
     label: string;
     created_at?: string;
 }
+/**
+ * Per-account row returned by the cloud auth-worker's `GET /v1/accounts`
+ * (B4 narrowed). The wire shape MUST stay aligned with the server's
+ * handleListAccounts response in `packages/auth-worker/src/auth-worker-do.ts`.
+ *
+ * Backward-compat fields (`label`, `expiresIn`) are populated by
+ * `remoteListAccounts` from the raw server payload so existing call sites
+ * (pre-B4 `olam auth list --remote <url>` text rendering) keep rendering.
+ */
 export interface AccountEntry {
     id: string;
+    /** Friendly label — accountLabel from server, falling back to id. */
     label?: string;
+    /** 'active' | 'cooldown' | 'disabled' (server-derived). */
     state?: string;
+    /** Pre-B4 free-form expiry hint; populated post-B4 from `expiresAt` epoch ms. */
     expiresIn?: string;
+    /** B4: provider — usually 'claude'. */
+    provider?: string;
+    /** B4: email, may be null. */
+    email?: string | null;
+    /** B4: ISO timestamp the cooldown / rate-limit window resets at. */
+    rateLimitResetsAt?: string | null;
+    /** B4: ISO timestamp the weekly rate-limit window resets at. */
+    weeklyResetsAt?: string | null;
+}
+/** B4: server response wire shape for GET /v1/accounts. */
+export interface ListAccountsResponse {
+    accounts: ReadonlyArray<{
+        id: string;
+        provider: string;
+        email: string | null;
+        accountLabel: string | null;
+        state: 'active' | 'cooldown' | 'disabled';
+        rateLimited: boolean;
+        rateLimitResetsAt: string | null;
+        weeklyResetsAt: string | null;
+        expiresAt: number;
+        addedAt: string;
+        lastRefreshed: string;
+        lastUsed: string | null;
+        plan: string | null;
+        organization: string | null;
+        scopes: ReadonlyArray<string>;
+    }>;
+    count: number;
 }
 export interface AnthropicTokenIssueResponse {
     secret: string;
@@ -78,6 +119,15 @@ export declare function remoteOAuthStart(opts: RemoteClientOptions): Promise<OAu
 export declare function remoteListServiceTokens(opts: RemoteClientOptions): Promise<ServiceToken[]>;
 /**
  * GET /v1/accounts — list registered accounts (Anthropic OAuth sessions).
+ *
+ * B4 (narrowed): the server response is `{accounts, count}`. We map it back to
+ * the AccountEntry[] shape pre-existing call sites expect, and we never trust
+ * the server to omit secret fields — see the explicit field whitelist below.
+ *
+ * Defensive shape handling: the server contract is `{accounts: [...], count}`,
+ * but the legacy pre-B4 mock and older server builds may have returned a bare
+ * array. Both shapes are accepted (array OR envelope) so a partial roll-out
+ * never blocks the CLI from rendering useful output.
  */
 export declare function remoteListAccounts(opts: RemoteClientOptions): Promise<AccountEntry[]>;
 /**

package/dist/lib/auth-remote.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-remote.d.ts","sourceRoot":"","sources":["../../src/lib/auth-remote.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,MAAM,MAAM,OAAO,GAAG,OAAO,KAAK,CAAC;AAEnC,MAAM,WAAW,mBAAmB;IAClC,kEAAkE;IAClE,OAAO,EAAE,MAAM,CAAC;IAChB,8EAA8E;IAC9E,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;;OAKG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,4EAA4E;IAC5E,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,4DAA4D;IAC5D,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAOD,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,2BAA2B;IAC1C,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,uBAAuB,CAAC,EAAE,MAAM,CAAC;CAClC;AAED,MAAM,WAAW,mBAAmB;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,kBAAkB;IACjC,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAsCD;;GAEG;AACH,wBAAsB,YAAY,CAChC,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,cAAc,CAAC,CAWzB;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,kBAAkB,CAAC,CAa7B;AAED;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,YAAY,EAAE,CAAC,CAWzB;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,YAAY,EAAE,CAAC,CAWzB;AAED;;GAEG;AACH,wBAAsB,sBAAsB,CAC1C,IAAI,EAAE,mBAAmB,EACzB,OAAO,EAAE;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GAC5C,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAA;CAAE,CAAC,CAa1B;AAED;;GAEG;AACH,wBAAsB,wBAAwB,CAC5C,IAAI,EAAE,mBAAmB,EACzB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAA;CAAE,CAAC,CAW1B;AAUD;;;GAGG;AACH,wBAAsB,yBAAyB,CAC7C,IAAI,EAAE,mBAAmB,EACzB,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,2BAA2B,CAAC,CAatC;AAED;;GAEG;AACH,wBAAsB,yBAAyB,CAC7C,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,mBAAmB,EAAE,CAAC,CAYhC;AAED;;;GAGG;AACH,wBAAsB,0BAA0B,CAC9C,IAAI,EAAE,mBAAmB,EACzB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,OAAO,CAAC,CAYlB;AAED;;;;;;;;GAQG;AACH,wBAAsB,eAAe,CACnC,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,iBAAiB,EAAE,CAAC,CA2G9B"}
+{"version":3,"file":"auth-remote.d.ts","sourceRoot":"","sources":["../../src/lib/auth-remote.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,MAAM,MAAM,OAAO,GAAG,OAAO,KAAK,CAAC;AAEnC,MAAM,WAAW,mBAAmB;IAClC,kEAAkE;IAClE,OAAO,EAAE,MAAM,CAAC;IAChB,8EAA8E;IAC9E,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;;OAKG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,4EAA4E;IAC5E,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,4DAA4D;IAC5D,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAOD,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,qEAAqE;IACrE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,2DAA2D;IAC3D,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,iFAAiF;IACjF,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,uCAAuC;IACvC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,8BAA8B;IAC9B,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,oEAAoE;IACpE,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,gEAAgE;IAChE,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAChC;AAED,2DAA2D;AAC3D,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,aAAa,CAAC;QACtB,EAAE,EAAE,MAAM,CAAC;QACX,QAAQ,EAAE,MAAM,CAAC;QACjB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;QACrB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;QAC5B,KAAK,EAAE,QAAQ,GAAG,UAAU,GAAG,UAAU,CAAC;QAC1C,WAAW,EAAE,OAAO,CAAC;QACrB,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;QACjC,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;QAC9B,SAAS,EAAE,MAAM,CAAC;QAClB,OAAO,EAAE,MAAM,CAAC;QAChB,aAAa,EAAE,MAAM,CAAC;QACtB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QACxB,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;QACpB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;QAC5B,MAAM,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;KAC/B,CAAC,CAAC;IACH,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,2BAA2B;IAC1C,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,uBAAuB,CAAC,EAAE,MAAM,CAAC;CAClC;AAED,MAAM,WAAW,mBAAmB;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,kBAAkB;IACjC,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAsCD;;GAEG;AACH,wBAAsB,YAAY,CAChC,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,cAAc,CAAC,CAWzB;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,kBAAkB,CAAC,CAa7B;AAED;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,YAAY,EAAE,CAAC,CAWzB;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,YAAY,EAAE,CAAC,CAmDzB;AAoCD;;GAEG;AACH,wBAAsB,sBAAsB,CAC1C,IAAI,EAAE,mBAAmB,EACzB,OAAO,EAAE;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GAC5C,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAA;CAAE,CAAC,CAa1B;AAED;;GAEG;AACH,wBAAsB,wBAAwB,CAC5C,IAAI,EAAE,mBAAmB,EACzB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAA;CAAE,CAAC,CAW1B;AAUD;;;GAGG;AACH,wBAAsB,yBAAyB,CAC7C,IAAI,EAAE,mBAAmB,EACzB,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,2BAA2B,CAAC,CAatC;AAED;;GAEG;AACH,wBAAsB,yBAAyB,CAC7C,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,mBAAmB,EAAE,CAAC,CAYhC;AAED;;;GAGG;AACH,wBAAsB,0BAA0B,CAC9C,IAAI,EAAE,mBAAmB,EACzB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,OAAO,CAAC,CAYlB;AAED;;;;;;;;GAQG;AACH,wBAAsB,eAAe,CACnC,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,iBAAiB,EAAE,CAAC,CA2G9B"}