@portaidentity/sdk 0.1.0

package/README.md

@@ -0,0 +1,224 @@
+# @portaidentity/sdk
+
+Universal TypeScript SDK for the Porta Admin API — works in **browsers**, **Node.js**, and **AI agents**.
+
+## Features
+
+- **Transport abstraction** — `BrowserTransport` (CSRF cookies) and `NodeTransport` (Bearer tokens) with pluggable auth
+- **19 domain namespaces** — Organizations, Applications, Clients, Users, Roles, Permissions, Custom Claims, Config, Keys, Audit, Stats, Sessions, Bulk, Branding, Exports, Two-Factor, Imports, User Roles, User Claims
+- **Full TypeScript types** — SDK-owned type definitions for all entities, inputs, and responses
+- **Pagination helpers** — `listAll()` auto-pagination and cursor-based support
+- **Error hierarchy** — Typed errors (`PortaNotFoundError`, `PortaConflictError`, etc.) with HTTP status mapping
+- **AI agent integration** — Tool definitions and `executeTool()` dispatcher for MCP/LLM integration
+- **Zero runtime dependencies** — Uses only `fetch` (built into Node 22+ and browsers)
+
+## Installation
+
+```bash
+# From the Porta project root (workspace dependency)
+yarn add @portaidentity/sdk
+
+# Or reference as file dependency
+"@portaidentity/sdk": "file:../packages/porta-sdk"
+```
+
+## Quick Start
+
+### Browser (Admin GUI / BFF)
+
+```typescript
+import { createPortaClient, createBrowserTransport } from '@portaidentity/sdk/browser';
+
+const transport = createBrowserTransport({
+  baseUrl: '/api/admin',    // BFF proxy path
+  csrfCookieName: '_csrf',  // CSRF cookie name
+  csrfHeaderName: 'x-csrf-token',
+  on401: () => window.location.href = '/login',
+});
+
+const client = createPortaClient(transport);
+
+// List organizations
+const orgs = await client.organizations.list({ page: 1, pageSize: 20 });
+
+// Create a user
+const user = await client.users.create('org-id', {
+  email: 'user@example.com',
+  givenName: 'Jane',
+  familyName: 'Doe',
+});
+```
+
+### Node.js (Automation / CLI)
+
+```typescript
+import { createPortaClient, createNodeTransport, createTokenAuth } from '@portaidentity/sdk/node';
+
+const auth = createTokenAuth('your-bearer-token');
+
+const transport = createNodeTransport({
+  baseUrl: 'https://porta.local:3443/api/admin',
+  auth,
+});
+
+const client = createPortaClient(transport);
+
+// List all organizations (auto-pagination)
+const allOrgs = await client.organizations.listAll();
+
+// Suspend a user
+await client.users.suspend('org-id', 'user-id');
+
+// Assign a role
+await client.userRoles.assign('org-id', 'user-id', { roleId: 'role-id' });
+```
+
+### Client Credentials (Server-to-Server)
+
+```typescript
+import { createPortaClient, createNodeTransport, createClientCredentialsAuth } from '@portaidentity/sdk/node';
+
+const auth = createClientCredentialsAuth({
+  tokenUrl: 'https://porta.local:3443/super-admin/oidc/token',
+  clientId: 'my-service',
+  clientSecret: 'my-secret',
+  scope: 'openid',
+});
+
+const transport = createNodeTransport({
+  baseUrl: 'https://porta.local:3443/api/admin',
+  auth,
+});
+
+const client = createPortaClient(transport);
+```
+
+### AI Agent Integration
+
+```typescript
+import { createPortaClient, getToolDefinitions, executeTool } from '@portaidentity/sdk/agent';
+import { createNodeTransport, createTokenAuth } from '@portaidentity/sdk/node';
+
+// Get tool definitions for LLM function calling
+const tools = getToolDefinitions();
+// → [{ name: 'organizations.list', description: '...', parameters: [...] }, ...]
+
+// Execute a tool call from an AI agent
+const client = createPortaClient(
+  createNodeTransport({ baseUrl: '...', auth: createTokenAuth('...') })
+);
+
+const result = await executeTool(client, 'organizations.list', { page: 1 });
+```
+
+## Domain Namespaces
+
+| Namespace | Methods | Description |
+|-----------|---------|-------------|
+| `organizations` | 12 | CRUD, status lifecycle, slug validation, history |
+| `applications` | 13 | CRUD, status, modules management, history |
+| `clients` | 12 | CRUD, status, secret management, history |
+| `users` | 19 | CRUD, 6 status transitions, password, email, export, purge |
+| `roles` | 9 | CRUD, archive, permission assignment |
+| `permissions` | 6 | CRUD, archive |
+| `userRoles` | 3 | List, assign, remove role assignments |
+| `userClaims` | 3 | List, set, remove claim values |
+| `customClaims` | 6 | Claim definitions CRUD, archive |
+| `config` | 3 | System configuration get/set/list |
+| `keys` | 3 | Signing key list/generate/rotate |
+| `audit` | 1 | Audit log listing with filters |
+| `stats` | 1 | Dashboard statistics |
+| `sessions` | 3 | Session listing and revocation |
+| `bulk` | 1 | Bulk status operations |
+| `branding` | 5 | Org branding settings and asset management |
+| `exports` | 1 | CSV/JSON data export |
+| `twoFactor` | 3 | 2FA status, disable, reset |
+| `imports` | 1 | Declarative provisioning |
+
+## Auth Providers
+
+| Provider | Use Case |
+|----------|----------|
+| `createTokenAuth(token)` | Static Bearer token (scripts, testing) |
+| `createClientCredentialsAuth(opts)` | Server-to-server OAuth2 (with caching and concurrent dedup) |
+| `createCliAuth(opts)` | CLI credentials file (`~/.porta/credentials.json`) with auto-refresh |
+
+## Error Handling
+
+```typescript
+import { PortaNotFoundError, PortaConflictError, PortaHttpError } from '@portaidentity/sdk';
+
+try {
+  await client.organizations.get('nonexistent');
+} catch (err) {
+  if (err instanceof PortaNotFoundError) {
+    console.log('Not found:', err.message);
+  } else if (err instanceof PortaConflictError) {
+    console.log('Conflict — ETag mismatch?');
+  } else if (err instanceof PortaHttpError) {
+    console.log(`HTTP ${err.status}:`, err.details);
+  }
+}
+```
+
+## Pagination
+
+```typescript
+// Manual pagination
+const page1 = await client.users.list('org-id', { page: 1, pageSize: 50 });
+// → { data: User[], total: number, page: number, pageSize: number }
+
+// Auto-pagination (fetches all pages)
+const allUsers = await client.users.listAll('org-id');
+// → User[]
+```
+
+## Architecture
+
+```
+@portaidentity/sdk
+├── transport/          # HTTP abstraction layer
+│   ├── types.ts        # HttpTransport, TransportRequest, TransportResponse
+│   ├── browser-transport.ts  # Fetch + CSRF cookies + 401 redirect
+│   └── node-transport.ts     # Fetch + Bearer auth + 401 retry
+├── auth/               # Authentication providers
+│   ├── token-auth.ts   # Static token
+│   ├── client-credentials-auth.ts  # OAuth2 client_credentials
+│   └── cli-auth.ts     # File-based CLI credentials
+├── types/              # SDK-owned entity type definitions
+├── domains/            # 19 domain API namespaces
+├── errors/             # Typed error hierarchy
+├── pagination/         # Pagination types and helpers
+├── agent/              # AI agent tool definitions + executor
+├── client.ts           # createPortaClient() factory
+├── index.ts            # Main entrypoint
+├── browser.ts          # Browser-specific entrypoint
+├── node.ts             # Node.js-specific entrypoint
+└── agent.ts            # Agent-specific entrypoint
+```
+
+## Entrypoints
+
+| Import Path | Includes | Excludes |
+|------------|----------|----------|
+| `@portaidentity/sdk` | Types, errors, pagination, client factory | Transport, auth (bring your own) |
+| `@portaidentity/sdk/browser` | + BrowserTransport | NodeTransport, auth providers |
+| `@portaidentity/sdk/node` | + NodeTransport, all auth providers | BrowserTransport |
+| `@portaidentity/sdk/agent` | + Tool definitions, executeTool | Transports, auth |
+
+## Testing
+
+```bash
+# Run all SDK tests (352 tests)
+cd packages/porta-sdk && yarn test
+
+# Type checking
+yarn typecheck
+
+# Full verify (lint + typecheck + test + build)
+yarn verify
+```
+
+## License
+
+MIT — See [LICENSE](../../LICENSE) for details.

package/dist/agent.d.ts

@@ -0,0 +1,42 @@
+/**
+ * @portaidentity/sdk/agent — AI Agent entrypoint.
+ *
+ * Provides tool definitions for all Porta SDK operations and an executor
+ * that maps tool names + arguments to PortaClient method calls.
+ *
+ * @module @portaidentity/sdk/agent
+ */
+import type { PortaClient } from './client.js';
+export interface ToolParameter {
+    name: string;
+    type: 'string' | 'number' | 'boolean' | 'object';
+    description: string;
+    required: boolean;
+    enum?: string[];
+}
+export interface ToolDefinition {
+    name: string;
+    description: string;
+    parameters: ToolParameter[];
+    returns: string;
+}
+export interface ToolResult {
+    success: boolean;
+    data?: unknown;
+    error?: string;
+}
+/**
+ * Returns tool definitions for all Porta SDK operations.
+ * AI agents use these to discover available tools and their parameters.
+ */
+export declare function getToolDefinitions(): ToolDefinition[];
+/**
+ * Executes a tool by name with the given arguments against a PortaClient.
+ *
+ * @param client - A configured PortaClient instance
+ * @param toolName - Dot-notation tool name (e.g., 'organizations.list')
+ * @param args - Arguments matching the tool's parameter definitions
+ * @returns ToolResult with success/data or error
+ */
+export declare function executeTool(client: PortaClient, toolName: string, args: Record<string, unknown>): Promise<ToolResult>;
+//# sourceMappingURL=agent.d.ts.map

package/dist/agent.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent.d.ts","sourceRoot":"","sources":["../src/agent.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAM/C,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,QAAQ,GAAG,QAAQ,GAAG,SAAS,GAAG,QAAQ,CAAC;IACjD,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,OAAO,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,aAAa,EAAE,CAAC;IAC5B,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAmHD;;;GAGG;AACH,wBAAgB,kBAAkB,IAAI,cAAc,EAAE,CAErD;AAED;;;;;;;GAOG;AACH,wBAAsB,WAAW,CAC/B,MAAM,EAAE,WAAW,EACnB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC5B,OAAO,CAAC,UAAU,CAAC,CAkCrB"}

package/dist/agent.js

@@ -0,0 +1,146 @@
+/**
+ * @portaidentity/sdk/agent — AI Agent entrypoint.
+ *
+ * Provides tool definitions for all Porta SDK operations and an executor
+ * that maps tool names + arguments to PortaClient method calls.
+ *
+ * @module @portaidentity/sdk/agent
+ */
+// ---------------------------------------------------------------------------
+// Parameter helpers
+// ---------------------------------------------------------------------------
+function param(name, type, description, required = true, enumValues) {
+    return { name, type, description, required, ...(enumValues ? { enum: enumValues } : {}) };
+}
+const ID = (name, desc) => param(name, 'string', desc);
+const OPT_STR = (name, desc) => param(name, 'string', desc, false);
+const OPT_NUM = (name, desc) => param(name, 'number', desc, false);
+const OPT_OBJ = (name, desc) => param(name, 'object', desc, false);
+const OBJ = (name, desc) => param(name, 'object', desc, true);
+// Standard list params
+const LIST_PARAMS = [
+    OPT_NUM('page', 'Page number'),
+    OPT_NUM('pageSize', 'Items per page'),
+    OPT_STR('search', 'Search query'),
+    OPT_STR('sort', 'Sort field'),
+    OPT_STR('order', 'Sort order (asc/desc)'),
+];
+// ---------------------------------------------------------------------------
+// Tool Definitions
+// ---------------------------------------------------------------------------
+const TOOL_DEFINITIONS = [
+    // Organizations
+    { name: 'organizations.list', description: 'List organizations with pagination', parameters: [...LIST_PARAMS], returns: 'PaginatedResponse<Organization>' },
+    { name: 'organizations.get', description: 'Get an organization by ID or slug', parameters: [ID('idOrSlug', 'Organization ID or slug')], returns: '{ data: Organization, etag: string | null }' },
+    { name: 'organizations.create', description: 'Create a new organization', parameters: [OBJ('input', 'CreateOrganizationInput')], returns: 'Organization' },
+    { name: 'organizations.update', description: 'Update an organization', parameters: [ID('idOrSlug', 'Organization ID or slug'), OBJ('input', 'UpdateOrganizationInput'), OPT_STR('etag', 'ETag for concurrency')], returns: 'Organization' },
+    { name: 'organizations.suspend', description: 'Suspend an organization', parameters: [ID('idOrSlug', 'Organization ID or slug')], returns: 'void' },
+    { name: 'organizations.activate', description: 'Activate an organization', parameters: [ID('idOrSlug', 'Organization ID or slug')], returns: 'void' },
+    { name: 'organizations.archive', description: 'Archive an organization', parameters: [ID('idOrSlug', 'Organization ID or slug')], returns: 'void' },
+    { name: 'organizations.destroy', description: 'Permanently delete an organization', parameters: [ID('idOrSlug', 'Organization ID or slug')], returns: 'DestroyResult' },
+    // Applications
+    { name: 'applications.list', description: 'List applications', parameters: [...LIST_PARAMS], returns: 'PaginatedResponse<Application>' },
+    { name: 'applications.get', description: 'Get an application by ID or slug', parameters: [ID('idOrSlug', 'Application ID or slug')], returns: '{ data: Application, etag: string | null }' },
+    { name: 'applications.create', description: 'Create a new application', parameters: [OBJ('input', 'CreateApplicationInput')], returns: 'Application' },
+    { name: 'applications.update', description: 'Update an application', parameters: [ID('idOrSlug', 'Application ID or slug'), OBJ('input', 'UpdateApplicationInput'), OPT_STR('etag', 'ETag')], returns: 'Application' },
+    // Clients
+    { name: 'clients.list', description: 'List clients', parameters: [...LIST_PARAMS], returns: 'PaginatedResponse<Client>' },
+    { name: 'clients.get', description: 'Get a client by ID', parameters: [ID('idOrClientId', 'Client ID or clientId')], returns: '{ data: Client, etag: string | null }' },
+    { name: 'clients.create', description: 'Create a new client', parameters: [OBJ('input', 'CreateClientInput')], returns: 'Client' },
+    { name: 'clients.update', description: 'Update a client', parameters: [ID('idOrClientId', 'Client ID'), OBJ('input', 'UpdateClientInput'), OPT_STR('etag', 'ETag')], returns: 'Client' },
+    { name: 'clients.generateSecret', description: 'Generate a new secret for a client', parameters: [ID('clientId', 'Client ID'), OPT_OBJ('input', 'GenerateSecretInput')], returns: 'GeneratedSecret' },
+    // Users
+    { name: 'users.list', description: 'List users in an organization', parameters: [ID('orgId', 'Organization ID'), ...LIST_PARAMS], returns: 'PaginatedResponse<User>' },
+    { name: 'users.get', description: 'Get a user by ID', parameters: [ID('orgId', 'Organization ID'), ID('userId', 'User ID')], returns: '{ data: User, etag: string | null }' },
+    { name: 'users.create', description: 'Create a new user', parameters: [OBJ('input', 'CreateUserInput')], returns: 'User' },
+    { name: 'users.invite', description: 'Invite a user', parameters: [OBJ('input', 'InviteUserInput')], returns: 'User' },
+    { name: 'users.suspend', description: 'Suspend a user', parameters: [ID('orgId', 'Organization ID'), ID('userId', 'User ID')], returns: 'void' },
+    { name: 'users.activate', description: 'Activate a user', parameters: [ID('orgId', 'Organization ID'), ID('userId', 'User ID')], returns: 'void' },
+    // Roles
+    { name: 'roles.list', description: 'List roles for an application', parameters: [ID('appId', 'Application ID'), ...LIST_PARAMS], returns: 'PaginatedResponse<Role>' },
+    { name: 'roles.get', description: 'Get a role with permissions', parameters: [ID('appId', 'Application ID'), ID('roleId', 'Role ID')], returns: 'RoleWithPermissions' },
+    { name: 'roles.create', description: 'Create a role', parameters: [ID('appId', 'Application ID'), OBJ('input', 'CreateRoleInput')], returns: 'Role' },
+    // Permissions
+    { name: 'permissions.list', description: 'List permissions for an application', parameters: [ID('appId', 'Application ID'), ...LIST_PARAMS], returns: 'PaginatedResponse<Permission>' },
+    { name: 'permissions.create', description: 'Create a permission', parameters: [ID('appId', 'Application ID'), OBJ('input', 'CreatePermissionInput')], returns: 'Permission' },
+    // User Roles
+    { name: 'userRoles.list', description: 'List role assignments for a user', parameters: [ID('orgId', 'Organization ID'), ID('userId', 'User ID')], returns: 'UserRoleAssignment[]' },
+    { name: 'userRoles.assign', description: 'Assign a role to a user', parameters: [ID('orgId', 'Organization ID'), ID('userId', 'User ID'), ID('roleId', 'Role ID')], returns: 'void' },
+    { name: 'userRoles.remove', description: 'Remove a role from a user', parameters: [ID('orgId', 'Organization ID'), ID('userId', 'User ID'), ID('roleId', 'Role ID')], returns: 'void' },
+    // Custom Claims
+    { name: 'customClaims.list', description: 'List claim definitions for an application', parameters: [ID('appId', 'Application ID'), ...LIST_PARAMS], returns: 'PaginatedResponse<ClaimDefinition>' },
+    { name: 'customClaims.create', description: 'Create a claim definition', parameters: [ID('appId', 'Application ID'), OBJ('input', 'CreateClaimDefinitionInput')], returns: 'ClaimDefinition' },
+    // Config
+    { name: 'config.list', description: 'List all system configuration entries', parameters: [], returns: 'ConfigEntry[]' },
+    { name: 'config.get', description: 'Get a config entry', parameters: [ID('key', 'Configuration key')], returns: 'ConfigEntry' },
+    { name: 'config.set', description: 'Set a config entry value', parameters: [ID('key', 'Configuration key'), ID('value', 'New value')], returns: 'ConfigEntry' },
+    // Keys
+    { name: 'keys.list', description: 'List signing keys', parameters: [], returns: 'SigningKey[]' },
+    { name: 'keys.generate', description: 'Generate a new signing key', parameters: [], returns: 'SigningKey' },
+    { name: 'keys.rotate', description: 'Rotate signing keys', parameters: [], returns: 'SigningKey' },
+    // Audit
+    { name: 'audit.list', description: 'List audit log entries', parameters: [...LIST_PARAMS, OPT_STR('eventType', 'Filter by event type'), OPT_STR('organizationId', 'Filter by org')], returns: 'PaginatedResponse<AuditEntry>' },
+    // Stats
+    { name: 'stats.get', description: 'Get dashboard statistics', parameters: [], returns: 'DashboardStats' },
+    // Sessions
+    { name: 'sessions.list', description: 'List active sessions', parameters: [OPT_NUM('page', 'Page'), OPT_NUM('pageSize', 'Page size'), OPT_STR('userId', 'Filter by user')], returns: 'PaginatedResponse<AdminSession>' },
+    { name: 'sessions.revoke', description: 'Revoke a session', parameters: [ID('sessionId', 'Session ID')], returns: 'void' },
+    { name: 'sessions.revokeForUser', description: 'Revoke all sessions for a user', parameters: [ID('userId', 'User ID')], returns: 'void' },
+    // Bulk
+    { name: 'bulk.execute', description: 'Execute a bulk status operation', parameters: [OBJ('input', 'BulkOperationInput')], returns: 'BulkOperationResult' },
+    // Two-Factor
+    { name: 'twoFactor.getStatus', description: 'Get 2FA status for a user', parameters: [ID('orgId', 'Organization ID'), ID('userId', 'User ID')], returns: 'TwoFactorStatus' },
+    { name: 'twoFactor.disable', description: 'Disable 2FA for a user', parameters: [ID('orgId', 'Organization ID'), ID('userId', 'User ID')], returns: 'void' },
+    // Imports
+    { name: 'imports.provision', description: 'Import/provision data declaratively', parameters: [OBJ('manifest', 'ImportManifest')], returns: 'ImportResult' },
+];
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+/**
+ * Returns tool definitions for all Porta SDK operations.
+ * AI agents use these to discover available tools and their parameters.
+ */
+export function getToolDefinitions() {
+    return TOOL_DEFINITIONS;
+}
+/**
+ * Executes a tool by name with the given arguments against a PortaClient.
+ *
+ * @param client - A configured PortaClient instance
+ * @param toolName - Dot-notation tool name (e.g., 'organizations.list')
+ * @param args - Arguments matching the tool's parameter definitions
+ * @returns ToolResult with success/data or error
+ */
+export async function executeTool(client, toolName, args) {
+    try {
+        const [domain, method] = toolName.split('.');
+        if (!domain || !method) {
+            return { success: false, error: `Invalid tool name: ${toolName}. Expected format: domain.method` };
+        }
+        // eslint-disable-next-line @typescript-eslint/no-unsafe-function-type
+        const domainObj = client[domain];
+        if (!domainObj) {
+            return { success: false, error: `Unknown domain: ${domain}` };
+        }
+        const fn = domainObj[method];
+        if (typeof fn !== 'function') {
+            return { success: false, error: `Unknown method: ${method} on domain ${domain}` };
+        }
+        // Build arguments array based on tool definition
+        const toolDef = TOOL_DEFINITIONS.find((t) => t.name === toolName);
+        if (!toolDef) {
+            return { success: false, error: `No tool definition found for: ${toolName}` };
+        }
+        const callArgs = toolDef.parameters
+            .filter((p) => p.required || args[p.name] !== undefined)
+            .map((p) => args[p.name]);
+        const result = await fn.call(domainObj, ...callArgs);
+        return { success: true, data: result };
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        return { success: false, error: message };
+    }
+}
+//# sourceMappingURL=agent.js.map

package/dist/agent.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent.js","sourceRoot":"","sources":["../src/agent.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AA6BH,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E,SAAS,KAAK,CAAC,IAAY,EAAE,IAA2B,EAAE,WAAmB,EAAE,QAAQ,GAAG,IAAI,EAAE,UAAqB;IACnH,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;AAC5F,CAAC;AAED,MAAM,EAAE,GAAG,CAAC,IAAY,EAAE,IAAY,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;AACvE,MAAM,OAAO,GAAG,CAAC,IAAY,EAAE,IAAY,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;AACnF,MAAM,OAAO,GAAG,CAAC,IAAY,EAAE,IAAY,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;AACnF,MAAM,OAAO,GAAG,CAAC,IAAY,EAAE,IAAY,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;AACnF,MAAM,GAAG,GAAG,CAAC,IAAY,EAAE,IAAY,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;AAE9E,uBAAuB;AACvB,MAAM,WAAW,GAAoB;IACnC,OAAO,CAAC,MAAM,EAAE,aAAa,CAAC;IAC9B,OAAO,CAAC,UAAU,EAAE,gBAAgB,CAAC;IACrC,OAAO,CAAC,QAAQ,EAAE,cAAc,CAAC;IACjC,OAAO,CAAC,MAAM,EAAE,YAAY,CAAC;IAC7B,OAAO,CAAC,OAAO,EAAE,uBAAuB,CAAC;CAC1C,CAAC;AAEF,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E,MAAM,gBAAgB,GAAqB;IACzC,gBAAgB;IAChB,EAAE,IAAI,EAAE,oBAAoB,EAAE,WAAW,EAAE,oCAAoC,EAAE,UAAU,EAAE,CAAC,GAAG,WAAW,CAAC,EAAE,OAAO,EAAE,iCAAiC,EAAE;IAC3J,EAAE,IAAI,EAAE,mBAAmB,EAAE,WAAW,EAAE,mCAAmC,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,UAAU,EAAE,yBAAyB,CAAC,CAAC,EAAE,OAAO,EAAE,6CAA6C,EAAE;IAChM,EAAE,IAAI,EAAE,sBAAsB,EAAE,WAAW,EAAE,2BAA2B,EAAE,UAAU,EAAE,CAAC,GAAG,CAAC,OAAO,EAAE,yBAAyB,CAAC,CAAC,EAAE,OAAO,EAAE,cAAc,EAAE;IAC1J,EAAE,IAAI,EAAE,sBAAsB,EAAE,WAAW,EAAE,wBAAwB,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,UAAU,EAAE,yBAAyB,CAAC,EAAE,GAAG,CAAC,OAAO,EAAE,yBAAyB,CAAC,EAAE,OAAO,CAAC,MAAM,EAAE,sBAAsB,CAAC,CAAC,EAAE,OAAO,EAAE,cAAc,EAAE;IAC3O,EAAE,IAAI,EAAE,uBAAuB,EAAE,WAAW,EAAE,yBAAyB,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,UAAU,EAAE,yBAAyB,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE;IACnJ,EAAE,IAAI,EAAE,wBAAwB,EAAE,WAAW,EAAE,0BAA0B,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,UAAU,EAAE,yBAAyB,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE;IACrJ,EAAE,IAAI,EAAE,uBAAuB,EAAE,WAAW,EAAE,yBAAyB,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,UAAU,EAAE,yBAAyB,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE;IACnJ,EAAE,IAAI,EAAE,uBAAuB,EAAE,WAAW,EAAE,oCAAoC,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,UAAU,EAAE,yBAAyB,CAAC,CAAC,EAAE,OAAO,EAAE,eAAe,EAAE;IAEvK,eAAe;IACf,EAAE,IAAI,EAAE,mBAAmB,EAAE,WAAW,EAAE,mBAAmB,EAAE,UAAU,EAAE,CAAC,GAAG,WAAW,CAAC,EAAE,OAAO,EAAE,gCAAgC,EAAE;IACxI,EAAE,IAAI,EAAE,kBAAkB,EAAE,WAAW,EAAE,kCAAkC,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,UAAU,EAAE,wBAAwB,CAAC,CAAC,EAAE,OAAO,EAAE,4CAA4C,EAAE;IAC5L,EAAE,IAAI,EAAE,qBAAqB,EAAE,WAAW,EAAE,0BAA0B,EAAE,UAAU,EAAE,CAAC,GAAG,CAAC,OAAO,EAAE,wBAAwB,CAAC,CAAC,EAAE,OAAO,EAAE,aAAa,EAAE;IACtJ,EAAE,IAAI,EAAE,qBAAqB,EAAE,WAAW,EAAE,uBAAuB,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,UAAU,EAAE,wBAAwB,CAAC,EAAE,GAAG,CAAC,OAAO,EAAE,wBAAwB,CAAC,EAAE,OAAO,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,EAAE,OAAO,EAAE,aAAa,EAAE;IAEtN,UAAU;IACV,EAAE,IAAI,EAAE,cAAc,EAAE,WAAW,EAAE,cAAc,EAAE,UAAU,EAAE,CAAC,GAAG,WAAW,CAAC,EAAE,OAAO,EAAE,2BAA2B,EAAE;IACzH,EAAE,IAAI,EAAE,aAAa,EAAE,WAAW,EAAE,oBAAoB,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,cAAc,EAAE,uBAAuB,CAAC,CAAC,EAAE,OAAO,EAAE,uCAAuC,EAAE;IACvK,EAAE,IAAI,EAAE,gBAAgB,EAAE,WAAW,EAAE,qBAAqB,EAAE,UAAU,EAAE,CAAC,GAAG,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC,EAAE,OAAO,EAAE,QAAQ,EAAE;IAClI,EAAE,IAAI,EAAE,gBAAgB,EAAE,WAAW,EAAE,iBAAiB,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,cAAc,EAAE,WAAW,CAAC,EAAE,GAAG,CAAC,OAAO,EAAE,mBAAmB,CAAC,EAAE,OAAO,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,EAAE,OAAO,EAAE,QAAQ,EAAE;IACxL,EAAE,IAAI,EAAE,wBAAwB,EAAE,WAAW,EAAE,oCAAoC,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,UAAU,EAAE,WAAW,CAAC,EAAE,OAAO,CAAC,OAAO,EAAE,qBAAqB,CAAC,CAAC,EAAE,OAAO,EAAE,iBAAiB,EAAE;IAErM,QAAQ;IACR,EAAE,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,+BAA+B,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,iBAAiB,CAAC,EAAE,GAAG,WAAW,CAAC,EAAE,OAAO,EAAE,yBAAyB,EAAE;IACtK,EAAE,IAAI,EAAE,WAAW,EAAE,WAAW,EAAE,kBAAkB,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,iBAAiB,CAAC,EAAE,EAAE,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,EAAE,OAAO,EAAE,qCAAqC,EAAE;IAC7K,EAAE,IAAI,EAAE,cAAc,EAAE,WAAW,EAAE,mBAAmB,EAAE,UAAU,EAAE,CAAC,GAAG,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE;IAC1H,EAAE,IAAI,EAAE,cAAc,EAAE,WAAW,EAAE,eAAe,EAAE,UAAU,EAAE,CAAC,GAAG,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE;IACtH,EAAE,IAAI,EAAE,eAAe,EAAE,WAAW,EAAE,gBAAgB,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,iBAAiB,CAAC,EAAE,EAAE,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE;IAChJ,EAAE,IAAI,EAAE,gBAAgB,EAAE,WAAW,EAAE,iBAAiB,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,iBAAiB,CAAC,EAAE,EAAE,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE;IAElJ,QAAQ;IACR,EAAE,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,+BAA+B,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,gBAAgB,CAAC,EAAE,GAAG,WAAW,CAAC,EAAE,OAAO,EAAE,yBAAyB,EAAE;IACrK,EAAE,IAAI,EAAE,WAAW,EAAE,WAAW,EAAE,6BAA6B,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,gBAAgB,CAAC,EAAE,EAAE,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,EAAE,OAAO,EAAE,qBAAqB,EAAE;IACvK,EAAE,IAAI,EAAE,cAAc,EAAE,WAAW,EAAE,eAAe,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,gBAAgB,CAAC,EAAE,GAAG,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE;IAErJ,cAAc;IACd,EAAE,IAAI,EAAE,kBAAkB,EAAE,WAAW,EAAE,qCAAqC,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,gBAAgB,CAAC,EAAE,GAAG,WAAW,CAAC,EAAE,OAAO,EAAE,+BAA+B,EAAE;IACvL,EAAE,IAAI,EAAE,oBAAoB,EAAE,WAAW,EAAE,qBAAqB,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,gBAAgB,CAAC,EAAE,GAAG,CAAC,OAAO,EAAE,uBAAuB,CAAC,CAAC,EAAE,OAAO,EAAE,YAAY,EAAE;IAE7K,aAAa;IACb,EAAE,IAAI,EAAE,gBAAgB,EAAE,WAAW,EAAE,kCAAkC,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,iBAAiB,CAAC,EAAE,EAAE,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,EAAE,OAAO,EAAE,sBAAsB,EAAE;IACnL,EAAE,IAAI,EAAE,kBAAkB,EAAE,WAAW,EAAE,yBAAyB,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,iBAAiB,CAAC,EAAE,EAAE,CAAC,QAAQ,EAAE,SAAS,CAAC,EAAE,EAAE,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE;IACrL,EAAE,IAAI,EAAE,kBAAkB,EAAE,WAAW,EAAE,2BAA2B,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,iBAAiB,CAAC,EAAE,EAAE,CAAC,QAAQ,EAAE,SAAS,CAAC,EAAE,EAAE,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE;IAEvL,gBAAgB;IAChB,EAAE,IAAI,EAAE,mBAAmB,EAAE,WAAW,EAAE,2CAA2C,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,gBAAgB,CAAC,EAAE,GAAG,WAAW,CAAC,EAAE,OAAO,EAAE,oCAAoC,EAAE;IACnM,EAAE,IAAI,EAAE,qBAAqB,EAAE,WAAW,EAAE,2BAA2B,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,gBAAgB,CAAC,EAAE,GAAG,CAAC,OAAO,EAAE,4BAA4B,CAAC,CAAC,EAAE,OAAO,EAAE,iBAAiB,EAAE;IAE9L,SAAS;IACT,EAAE,IAAI,EAAE,aAAa,EAAE,WAAW,EAAE,uCAAuC,EAAE,UAAU,EAAE,EAAE,EAAE,OAAO,EAAE,eAAe,EAAE;IACvH,EAAE,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,oBAAoB,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC,EAAE,OAAO,EAAE,aAAa,EAAE;IAC/H,EAAE,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,0BAA0B,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,KAAK,EAAE,mBAAmB,CAAC,EAAE,EAAE,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,aAAa,EAAE;IAE/J,OAAO;IACP,EAAE,IAAI,EAAE,WAAW,EAAE,WAAW,EAAE,mBAAmB,EAAE,UAAU,EAAE,EAAE,EAAE,OAAO,EAAE,cAAc,EAAE;IAChG,EAAE,IAAI,EAAE,eAAe,EAAE,WAAW,EAAE,4BAA4B,EAAE,UAAU,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE;IAC3G,EAAE,IAAI,EAAE,aAAa,EAAE,WAAW,EAAE,qBAAqB,EAAE,UAAU,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE;IAElG,QAAQ;IACR,EAAE,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,wBAAwB,EAAE,UAAU,EAAE,CAAC,GAAG,WAAW,EAAE,OAAO,CAAC,WAAW,EAAE,sBAAsB,CAAC,EAAE,OAAO,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC,EAAE,OAAO,EAAE,+BAA+B,EAAE;IAE/N,QAAQ;IACR,EAAE,IAAI,EAAE,WAAW,EAAE,WAAW,EAAE,0BAA0B,EAAE,UAAU,EAAE,EAAE,EAAE,OAAO,EAAE,gBAAgB,EAAE;IAEzG,WAAW;IACX,EAAE,IAAI,EAAE,eAAe,EAAE,WAAW,EAAE,sBAAsB,EAAE,UAAU,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,CAAC,UAAU,EAAE,WAAW,CAAC,EAAE,OAAO,CAAC,QAAQ,EAAE,gBAAgB,CAAC,CAAC,EAAE,OAAO,EAAE,iCAAiC,EAAE;IACxN,EAAE,IAAI,EAAE,iBAAiB,EAAE,WAAW,EAAE,kBAAkB,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE;IAC1H,EAAE,IAAI,EAAE,wBAAwB,EAAE,WAAW,EAAE,gCAAgC,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE;IAEzI,OAAO;IACP,EAAE,IAAI,EAAE,cAAc,EAAE,WAAW,EAAE,iCAAiC,EAAE,UAAU,EAAE,CAAC,GAAG,CAAC,OAAO,EAAE,oBAAoB,CAAC,CAAC,EAAE,OAAO,EAAE,qBAAqB,EAAE;IAE1J,aAAa;IACb,EAAE,IAAI,EAAE,qBAAqB,EAAE,WAAW,EAAE,2BAA2B,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,iBAAiB,CAAC,EAAE,EAAE,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,EAAE,OAAO,EAAE,iBAAiB,EAAE;IAC5K,EAAE,IAAI,EAAE,mBAAmB,EAAE,WAAW,EAAE,wBAAwB,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,iBAAiB,CAAC,EAAE,EAAE,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE;IAE5J,UAAU;IACV,EAAE,IAAI,EAAE,mBAAmB,EAAE,WAAW,EAAE,qCAAqC,EAAE,UAAU,EAAE,CAAC,GAAG,CAAC,UAAU,EAAE,gBAAgB,CAAC,CAAC,EAAE,OAAO,EAAE,cAAc,EAAE;CAC5J,CAAC;AAEF,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,UAAU,kBAAkB;IAChC,OAAO,gBAAgB,CAAC;AAC1B,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,MAAmB,EACnB,QAAgB,EAChB,IAA6B;IAE7B,IAAI,CAAC;QACH,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7C,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;YACvB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,QAAQ,kCAAkC,EAAE,CAAC;QACrG,CAAC;QAED,sEAAsE;QACtE,MAAM,SAAS,GAAI,MAA8D,CAAC,MAAM,CAAC,CAAC;QAC1F,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,MAAM,EAAE,EAAE,CAAC;QAChE,CAAC;QAED,MAAM,EAAE,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;QAC7B,IAAI,OAAO,EAAE,KAAK,UAAU,EAAE,CAAC;YAC7B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,MAAM,cAAc,MAAM,EAAE,EAAE,CAAC;QACpF,CAAC;QAED,iDAAiD;QACjD,MAAM,OAAO,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;QAClE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,iCAAiC,QAAQ,EAAE,EAAE,CAAC;QAChF,CAAC;QAED,MAAM,QAAQ,GAAG,OAAO,CAAC,UAAU;aAChC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,SAAS,CAAC;aACvD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;QAE5B,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,QAAQ,CAAC,CAAC;QACrD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;IACzC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;IAC5C,CAAC;AACH,CAAC"}

package/dist/auth/cli-auth.d.ts

@@ -0,0 +1,83 @@
+/**
+ * CliAuth — reuse Porta CLI stored credentials as an authentication provider.
+ *
+ * Reads credentials from `~/.porta/credentials.json` (the file created by
+ * `porta login`) and uses them for API authentication. Handles token expiry
+ * detection and automatic refresh via the refresh_token grant.
+ *
+ * Key behaviors:
+ * - Reads credentials file on first `getToken()` call, caches in memory
+ * - Checks `expiresAt` with 60s safety buffer to detect near-expired tokens
+ * - `refreshToken()` re-reads the file (CLI may have refreshed) then
+ *   POSTs refresh_token grant to the token endpoint
+ * - Does NOT write back to the credentials file — only the CLI writes
+ *
+ * @example
+ * ```typescript
+ * import { createCliAuth } from '@portaidentity/sdk';
+ *
+ * // Uses default ~/.porta/credentials.json
+ * const auth = createCliAuth();
+ * const client = createPortaClient({ baseUrl: '...', auth });
+ *
+ * // Custom path for testing
+ * const auth2 = createCliAuth({ credentialsPath: '/tmp/test-creds.json' });
+ * ```
+ *
+ * @module auth/cli-auth
+ */
+import type { AuthProvider } from './types.js';
+/**
+ * Options for creating a CLI auth provider.
+ */
+export interface CliAuthOptions {
+    /** Path to credentials file (default: '~/.porta/credentials.json') */
+    credentialsPath?: string;
+}
+/**
+ * Shape of the credentials file written by `porta login`.
+ *
+ * This matches the `StoredCredentials` interface from the CLI's token-store
+ * module. The SDK only reads these fields — it never writes them.
+ */
+export interface StoredCredentials {
+    /** Porta server URL (e.g., 'https://porta.local:3443') */
+    server: string;
+    /** Organization slug for the admin org (e.g., 'porta-admin') */
+    orgSlug: string;
+    /** OIDC client_id used for the login flow */
+    clientId: string;
+    /** JWT access token for API requests */
+    accessToken: string;
+    /** Refresh token for obtaining new access tokens */
+    refreshToken: string;
+    /** OIDC ID token containing user identity claims */
+    idToken: string;
+    /** ISO 8601 datetime when the access token expires */
+    expiresAt: string;
+    /** Decoded user identity from the ID token */
+    userInfo: {
+        /** OIDC subject identifier (user ID) */
+        sub: string;
+        /** User email address */
+        email: string;
+        /** User display name */
+        name?: string;
+    };
+}
+/**
+ * Creates a CLI credentials authentication provider.
+ *
+ * Returns an {@link AuthProvider} that reads the Porta CLI's stored
+ * credentials file and uses them for API authentication. The provider
+ * caches credentials in memory and handles token refresh transparently.
+ *
+ * **Important:** This provider does NOT write back to the credentials file.
+ * Only the CLI (`porta login`, `porta logout`) manages the file. The SDK
+ * refreshes tokens in-memory only.
+ *
+ * @param options - Optional configuration (credentials file path)
+ * @returns An AuthProvider backed by CLI stored credentials
+ */
+export declare function createCliAuth(options?: CliAuthOptions): AuthProvider;
+//# sourceMappingURL=cli-auth.d.ts.map

package/dist/auth/cli-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli-auth.d.ts","sourceRoot":"","sources":["../../src/auth/cli-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAKH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAO/C;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,sEAAsE;IACtE,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;;;;GAKG;AACH,MAAM,WAAW,iBAAiB;IAChC,0DAA0D;IAC1D,MAAM,EAAE,MAAM,CAAC;IACf,gEAAgE;IAChE,OAAO,EAAE,MAAM,CAAC;IAChB,6CAA6C;IAC7C,QAAQ,EAAE,MAAM,CAAC;IACjB,wCAAwC;IACxC,WAAW,EAAE,MAAM,CAAC;IACpB,oDAAoD;IACpD,YAAY,EAAE,MAAM,CAAC;IACrB,oDAAoD;IACpD,OAAO,EAAE,MAAM,CAAC;IAChB,sDAAsD;IACtD,SAAS,EAAE,MAAM,CAAC;IAClB,8CAA8C;IAC9C,QAAQ,EAAE;QACR,wCAAwC;QACxC,GAAG,EAAE,MAAM,CAAC;QACZ,yBAAyB;QACzB,KAAK,EAAE,MAAM,CAAC;QACd,wBAAwB;QACxB,IAAI,CAAC,EAAE,MAAM,CAAC;KACf,CAAC;CACH;AA8BD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,aAAa,CAAC,OAAO,GAAE,cAAmB,GAAG,YAAY,CAkJxE"}