@portaidentity/sdk 0.1.0

package/dist/auth/cli-auth.js

@@ -0,0 +1,188 @@
+/**
+ * CliAuth — reuse Porta CLI stored credentials as an authentication provider.
+ *
+ * Reads credentials from `~/.porta/credentials.json` (the file created by
+ * `porta login`) and uses them for API authentication. Handles token expiry
+ * detection and automatic refresh via the refresh_token grant.
+ *
+ * Key behaviors:
+ * - Reads credentials file on first `getToken()` call, caches in memory
+ * - Checks `expiresAt` with 60s safety buffer to detect near-expired tokens
+ * - `refreshToken()` re-reads the file (CLI may have refreshed) then
+ *   POSTs refresh_token grant to the token endpoint
+ * - Does NOT write back to the credentials file — only the CLI writes
+ *
+ * @example
+ * ```typescript
+ * import { createCliAuth } from '@portaidentity/sdk';
+ *
+ * // Uses default ~/.porta/credentials.json
+ * const auth = createCliAuth();
+ * const client = createPortaClient({ baseUrl: '...', auth });
+ *
+ * // Custom path for testing
+ * const auth2 = createCliAuth({ credentialsPath: '/tmp/test-creds.json' });
+ * ```
+ *
+ * @module auth/cli-auth
+ */
+import { readFile } from 'node:fs/promises';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+import { PortaAuthenticationError } from '../errors/index.js';
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+/** Default path to the credentials file */
+const DEFAULT_CREDENTIALS_DIR = '.porta';
+const DEFAULT_CREDENTIALS_FILE = 'credentials.json';
+/**
+ * Safety buffer (in seconds) for token expiry checks.
+ * Matches the CLI's 60-second buffer to avoid clock skew issues.
+ */
+const EXPIRY_BUFFER_SECONDS = 60;
+// ---------------------------------------------------------------------------
+// Factory
+// ---------------------------------------------------------------------------
+/**
+ * Creates a CLI credentials authentication provider.
+ *
+ * Returns an {@link AuthProvider} that reads the Porta CLI's stored
+ * credentials file and uses them for API authentication. The provider
+ * caches credentials in memory and handles token refresh transparently.
+ *
+ * **Important:** This provider does NOT write back to the credentials file.
+ * Only the CLI (`porta login`, `porta logout`) manages the file. The SDK
+ * refreshes tokens in-memory only.
+ *
+ * @param options - Optional configuration (credentials file path)
+ * @returns An AuthProvider backed by CLI stored credentials
+ */
+export function createCliAuth(options = {}) {
+    const credentialsPath = options.credentialsPath ??
+        join(homedir(), DEFAULT_CREDENTIALS_DIR, DEFAULT_CREDENTIALS_FILE);
+    /** In-memory cached credentials — null until first read */
+    let cached = null;
+    /**
+     * Reads and parses the credentials file from disk.
+     *
+     * @throws PortaAuthenticationError if file not found or unreadable
+     */
+    async function readCredentialsFile() {
+        try {
+            const content = await readFile(credentialsPath, 'utf-8');
+            const parsed = JSON.parse(content);
+            // Validate minimum required fields
+            if (!parsed.accessToken || !parsed.server || !parsed.orgSlug) {
+                throw new PortaAuthenticationError({
+                    message: `Invalid credentials file at ${credentialsPath}: missing required fields. Run 'porta login' to re-authenticate.`,
+                });
+            }
+            return parsed;
+        }
+        catch (error) {
+            // File not found — user hasn't logged in yet
+            if (error.code === 'ENOENT') {
+                throw new PortaAuthenticationError({
+                    message: `Credentials file not found at ${credentialsPath}. Run 'porta login' first.`,
+                });
+            }
+            // Re-throw PortaAuthenticationError (from validation above or nested)
+            if (error instanceof PortaAuthenticationError) {
+                throw error;
+            }
+            // JSON parse error or other read failure
+            throw new PortaAuthenticationError({
+                message: `Failed to read credentials file at ${credentialsPath}: ${error.message}`,
+            });
+        }
+    }
+    /**
+     * Checks whether the access token is expired or about to expire.
+     * Uses a 60-second safety buffer matching the CLI's behavior.
+     */
+    function isTokenExpired(creds) {
+        if (!creds.expiresAt)
+            return false;
+        const expiresAtMs = new Date(creds.expiresAt).getTime();
+        return Date.now() >= expiresAtMs - EXPIRY_BUFFER_SECONDS * 1000;
+    }
+    /**
+     * Refreshes the access token using the refresh_token grant.
+     *
+     * POSTs to the OIDC token endpoint (`/{orgSlug}/token`) with
+     * grant_type=refresh_token. Updates the in-memory cache but does
+     * NOT write back to the credentials file.
+     *
+     * @throws PortaAuthenticationError if refresh fails or missing refresh_token
+     */
+    async function refreshWithGrant(creds) {
+        if (!creds.refreshToken) {
+            throw new PortaAuthenticationError({
+                message: "Cannot refresh token: no refresh_token available. Run 'porta login' again.",
+            });
+        }
+        // Construct token endpoint from server URL and org slug
+        const tokenUrl = `${creds.server}/${creds.orgSlug}/token`;
+        const body = new URLSearchParams({
+            grant_type: 'refresh_token',
+            client_id: creds.clientId,
+            refresh_token: creds.refreshToken,
+        });
+        let response;
+        try {
+            response = await fetch(tokenUrl, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+                body: body.toString(),
+            });
+        }
+        catch (error) {
+            throw new PortaAuthenticationError({
+                message: `Token refresh request failed: ${error.message}. Run 'porta login' again.`,
+            });
+        }
+        if (!response.ok) {
+            throw new PortaAuthenticationError({
+                message: `Token refresh failed (${response.status}). Run 'porta login' again.`,
+            });
+        }
+        const data = (await response.json());
+        if (!data.access_token) {
+            throw new PortaAuthenticationError({
+                message: "Token refresh response missing access_token. Run 'porta login' again.",
+            });
+        }
+        // Update in-memory cache with new tokens (don't write to file)
+        cached = {
+            ...creds,
+            accessToken: data.access_token,
+            // Preserve existing tokens if server doesn't rotate them
+            refreshToken: data.refresh_token ?? creds.refreshToken,
+            idToken: data.id_token ?? creds.idToken,
+            expiresAt: data.expires_in
+                ? new Date(Date.now() + data.expires_in * 1000).toISOString()
+                : creds.expiresAt,
+        };
+        return data.access_token;
+    }
+    return {
+        async getToken() {
+            // Read from file on first call
+            if (!cached) {
+                cached = await readCredentialsFile();
+            }
+            // If expired, try to refresh using the refresh_token grant
+            if (isTokenExpired(cached)) {
+                return refreshWithGrant(cached);
+            }
+            return cached.accessToken;
+        },
+        async refreshToken() {
+            // Re-read from file — the CLI may have refreshed since we last read
+            cached = await readCredentialsFile();
+            return refreshWithGrant(cached);
+        },
+    };
+}
+//# sourceMappingURL=cli-auth.js.map

package/dist/auth/cli-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli-auth.js","sourceRoot":"","sources":["../../src/auth/cli-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAElC,OAAO,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAwD9D,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E,2CAA2C;AAC3C,MAAM,uBAAuB,GAAG,QAAQ,CAAC;AACzC,MAAM,wBAAwB,GAAG,kBAAkB,CAAC;AAEpD;;;GAGG;AACH,MAAM,qBAAqB,GAAG,EAAE,CAAC;AAEjC,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,aAAa,CAAC,UAA0B,EAAE;IACxD,MAAM,eAAe,GACnB,OAAO,CAAC,eAAe;QACvB,IAAI,CAAC,OAAO,EAAE,EAAE,uBAAuB,EAAE,wBAAwB,CAAC,CAAC;IAErE,2DAA2D;IAC3D,IAAI,MAAM,GAA6B,IAAI,CAAC;IAE5C;;;;OAIG;IACH,KAAK,UAAU,mBAAmB;QAChC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;YACzD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAsB,CAAC;YAExD,mCAAmC;YACnC,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBAC7D,MAAM,IAAI,wBAAwB,CAAC;oBACjC,OAAO,EAAE,+BAA+B,eAAe,kEAAkE;iBAC1H,CAAC,CAAC;YACL,CAAC;YAED,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,6CAA6C;YAC7C,IAAK,KAA+B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACvD,MAAM,IAAI,wBAAwB,CAAC;oBACjC,OAAO,EAAE,iCAAiC,eAAe,4BAA4B;iBACtF,CAAC,CAAC;YACL,CAAC;YAED,sEAAsE;YACtE,IAAI,KAAK,YAAY,wBAAwB,EAAE,CAAC;gBAC9C,MAAM,KAAK,CAAC;YACd,CAAC;YAED,yCAAyC;YACzC,MAAM,IAAI,wBAAwB,CAAC;gBACjC,OAAO,EAAE,sCAAsC,eAAe,KAAM,KAAe,CAAC,OAAO,EAAE;aAC9F,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,SAAS,cAAc,CAAC,KAAwB;QAC9C,IAAI,CAAC,KAAK,CAAC,SAAS;YAAE,OAAO,KAAK,CAAC;QACnC,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC;QACxD,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,WAAW,GAAG,qBAAqB,GAAG,IAAI,CAAC;IAClE,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,UAAU,gBAAgB,CAC7B,KAAwB;QAExB,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC;YACxB,MAAM,IAAI,wBAAwB,CAAC;gBACjC,OAAO,EAAE,4EAA4E;aACtF,CAAC,CAAC;QACL,CAAC;QAED,wDAAwD;QACxD,MAAM,QAAQ,GAAG,GAAG,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,OAAO,QAAQ,CAAC;QAE1D,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;YAC/B,UAAU,EAAE,eAAe;YAC3B,SAAS,EAAE,KAAK,CAAC,QAAQ;YACzB,aAAa,EAAE,KAAK,CAAC,YAAY;SAClC,CAAC,CAAC;QAEH,IAAI,QAAkB,CAAC;QACvB,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;gBAC/B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;gBAChE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;aACtB,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,wBAAwB,CAAC;gBACjC,OAAO,EAAE,iCAAkC,KAAe,CAAC,OAAO,4BAA4B;aAC/F,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,wBAAwB,CAAC;gBACjC,OAAO,EAAE,yBAAyB,QAAQ,CAAC,MAAM,6BAA6B;aAC/E,CAAC,CAAC;QACL,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAyB,CAAC;QAE7D,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,MAAM,IAAI,wBAAwB,CAAC;gBACjC,OAAO,EAAE,uEAAuE;aACjF,CAAC,CAAC;QACL,CAAC;QAED,+DAA+D;QAC/D,MAAM,GAAG;YACP,GAAG,KAAK;YACR,WAAW,EAAE,IAAI,CAAC,YAAY;YAC9B,yDAAyD;YACzD,YAAY,EAAE,IAAI,CAAC,aAAa,IAAI,KAAK,CAAC,YAAY;YACtD,OAAO,EAAE,IAAI,CAAC,QAAQ,IAAI,KAAK,CAAC,OAAO;YACvC,SAAS,EAAE,IAAI,CAAC,UAAU;gBACxB,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;gBAC7D,CAAC,CAAC,KAAK,CAAC,SAAS;SACpB,CAAC;QAEF,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAED,OAAO;QACL,KAAK,CAAC,QAAQ;YACZ,+BAA+B;YAC/B,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,GAAG,MAAM,mBAAmB,EAAE,CAAC;YACvC,CAAC;YAED,2DAA2D;YAC3D,IAAI,cAAc,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC3B,OAAO,gBAAgB,CAAC,MAAM,CAAC,CAAC;YAClC,CAAC;YAED,OAAO,MAAM,CAAC,WAAW,CAAC;QAC5B,CAAC;QAED,KAAK,CAAC,YAAY;YAChB,oEAAoE;YACpE,MAAM,GAAG,MAAM,mBAAmB,EAAE,CAAC;YACrC,OAAO,gBAAgB,CAAC,MAAM,CAAC,CAAC;QAClC,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/auth/client-credentials-auth.d.ts

@@ -0,0 +1,54 @@
+/**
+ * ClientCredentialsAuth — OIDC client_credentials flow authentication provider.
+ *
+ * Implements the OAuth2 Client Credentials grant for machine-to-machine
+ * authentication. Fetches access tokens from the OIDC token endpoint,
+ * caches them with expiry awareness, and deduplicates concurrent requests.
+ *
+ * Key behaviors:
+ * - Caches token and serves from cache until near-expiry (30s safety margin)
+ * - Concurrent `getToken()` calls share a single in-flight fetch (dedup)
+ * - `refreshToken()` clears cache and forces a new token fetch
+ * - Uses native `fetch` — no `openid-client` dependency
+ *
+ * @example
+ * ```typescript
+ * import { createClientCredentialsAuth } from '@portaidentity/sdk';
+ *
+ * const auth = createClientCredentialsAuth({
+ *   tokenEndpoint: 'https://porta.example.com/super-admin/token',
+ *   clientId: 'my-service',
+ *   clientSecret: 'secret123',
+ * });
+ * const client = createPortaClient({ baseUrl: '...', auth });
+ * ```
+ *
+ * @module auth/client-credentials-auth
+ */
+import type { AuthProvider } from './types.js';
+/**
+ * Options for creating a client credentials auth provider.
+ */
+export interface ClientCredentialsAuthOptions {
+    /** Token endpoint URL (e.g., 'https://porta.example.com/super-admin/token') */
+    tokenEndpoint: string;
+    /** Client ID */
+    clientId: string;
+    /** Client secret */
+    clientSecret: string;
+    /** Scopes to request (default: 'openid') */
+    scope?: string;
+}
+/**
+ * Creates a client credentials authentication provider.
+ *
+ * Returns an {@link AuthProvider} that fetches tokens from the OIDC token
+ * endpoint using the `client_credentials` grant. Tokens are cached and
+ * reused until near-expiry. Concurrent `getToken()` calls are deduplicated
+ * to avoid redundant token requests.
+ *
+ * @param options - Client credentials configuration
+ * @returns An AuthProvider with automatic token management
+ */
+export declare function createClientCredentialsAuth(options: ClientCredentialsAuthOptions): AuthProvider;
+//# sourceMappingURL=client-credentials-auth.d.ts.map

package/dist/auth/client-credentials-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-credentials-auth.d.ts","sourceRoot":"","sources":["../../src/auth/client-credentials-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAO/C;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC3C,+EAA+E;IAC/E,aAAa,EAAE,MAAM,CAAC;IACtB,gBAAgB;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,oBAAoB;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,4CAA4C;IAC5C,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AA4CD;;;;;;;;;;GAUG;AACH,wBAAgB,2BAA2B,CACzC,OAAO,EAAE,4BAA4B,GACpC,YAAY,CA0Gd"}

package/dist/auth/client-credentials-auth.js

@@ -0,0 +1,147 @@
+/**
+ * ClientCredentialsAuth — OIDC client_credentials flow authentication provider.
+ *
+ * Implements the OAuth2 Client Credentials grant for machine-to-machine
+ * authentication. Fetches access tokens from the OIDC token endpoint,
+ * caches them with expiry awareness, and deduplicates concurrent requests.
+ *
+ * Key behaviors:
+ * - Caches token and serves from cache until near-expiry (30s safety margin)
+ * - Concurrent `getToken()` calls share a single in-flight fetch (dedup)
+ * - `refreshToken()` clears cache and forces a new token fetch
+ * - Uses native `fetch` — no `openid-client` dependency
+ *
+ * @example
+ * ```typescript
+ * import { createClientCredentialsAuth } from '@portaidentity/sdk';
+ *
+ * const auth = createClientCredentialsAuth({
+ *   tokenEndpoint: 'https://porta.example.com/super-admin/token',
+ *   clientId: 'my-service',
+ *   clientSecret: 'secret123',
+ * });
+ * const client = createPortaClient({ baseUrl: '...', auth });
+ * ```
+ *
+ * @module auth/client-credentials-auth
+ */
+import { PortaAuthenticationError } from '../errors/index.js';
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+/**
+ * Safety margin before token expiry (in milliseconds).
+ * Tokens are refreshed 30 seconds before their actual expiry to prevent
+ * race conditions with in-flight requests.
+ */
+const EXPIRY_SAFETY_MARGIN_MS = 30_000;
+/**
+ * Default token lifetime (in seconds) if the token endpoint doesn't
+ * return an `expires_in` value. One hour matches common OIDC defaults.
+ */
+const DEFAULT_EXPIRES_IN_SECONDS = 3600;
+// ---------------------------------------------------------------------------
+// Factory
+// ---------------------------------------------------------------------------
+/**
+ * Creates a client credentials authentication provider.
+ *
+ * Returns an {@link AuthProvider} that fetches tokens from the OIDC token
+ * endpoint using the `client_credentials` grant. Tokens are cached and
+ * reused until near-expiry. Concurrent `getToken()` calls are deduplicated
+ * to avoid redundant token requests.
+ *
+ * @param options - Client credentials configuration
+ * @returns An AuthProvider with automatic token management
+ */
+export function createClientCredentialsAuth(options) {
+    const { tokenEndpoint, clientId, clientSecret, scope = 'openid' } = options;
+    /** Cached token — null when no valid token is available */
+    let cachedToken = null;
+    /**
+     * In-flight token request promise — used for concurrent dedup.
+     * When multiple getToken() calls happen simultaneously, they all
+     * await the same promise instead of firing multiple HTTP requests.
+     */
+    let inFlightRequest = null;
+    /**
+     * Fetches a new access token from the token endpoint.
+     * POSTs with grant_type=client_credentials and caches the result.
+     *
+     * @throws PortaAuthenticationError on non-OK response or missing access_token
+     */
+    async function fetchToken() {
+        const body = new URLSearchParams({
+            grant_type: 'client_credentials',
+            client_id: clientId,
+            client_secret: clientSecret,
+            scope,
+        });
+        const response = await fetch(tokenEndpoint, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            body: body.toString(),
+        });
+        if (!response.ok) {
+            // Try to extract error details from the response body
+            const errorBody = await response.text().catch(() => '');
+            throw new PortaAuthenticationError({
+                message: `Token endpoint returned ${response.status}: ${errorBody || response.statusText}`,
+            });
+        }
+        const data = (await response.json());
+        if (!data.access_token) {
+            throw new PortaAuthenticationError({
+                message: 'Token endpoint response missing access_token',
+            });
+        }
+        // Cache the token with computed expiry (actual expiry minus safety margin)
+        const expiresInMs = (data.expires_in ?? DEFAULT_EXPIRES_IN_SECONDS) * 1000;
+        cachedToken = {
+            accessToken: data.access_token,
+            expiresAt: Date.now() + expiresInMs - EXPIRY_SAFETY_MARGIN_MS,
+        };
+        return data.access_token;
+    }
+    /**
+     * Returns true if the cached token exists and hasn't expired
+     * (accounting for the safety margin).
+     */
+    function isTokenValid() {
+        return cachedToken !== null && Date.now() < cachedToken.expiresAt;
+    }
+    /**
+     * Gets a valid token, with concurrent request deduplication.
+     *
+     * If a valid cached token exists, returns it immediately.
+     * If another getToken() call is already fetching, waits for that result.
+     * Otherwise, initiates a new fetch.
+     */
+    async function getTokenWithDedup() {
+        // Return cached token if still valid
+        if (isTokenValid()) {
+            return cachedToken.accessToken;
+        }
+        // Concurrent dedup: reuse the in-flight request if one exists
+        if (inFlightRequest) {
+            return inFlightRequest;
+        }
+        // Start a new token fetch and track it for dedup
+        inFlightRequest = fetchToken().finally(() => {
+            inFlightRequest = null;
+        });
+        return inFlightRequest;
+    }
+    return {
+        async getToken() {
+            return getTokenWithDedup();
+        },
+        async refreshToken() {
+            // Clear cached state to force a fresh fetch
+            cachedToken = null;
+            inFlightRequest = null;
+            return getTokenWithDedup();
+        },
+    };
+}
+//# sourceMappingURL=client-credentials-auth.js.map

package/dist/auth/client-credentials-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-credentials-auth.js","sourceRoot":"","sources":["../../src/auth/client-credentials-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAGH,OAAO,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAyC9D,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E;;;;GAIG;AACH,MAAM,uBAAuB,GAAG,MAAM,CAAC;AAEvC;;;GAGG;AACH,MAAM,0BAA0B,GAAG,IAAI,CAAC;AAExC,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E;;;;;;;;;;GAUG;AACH,MAAM,UAAU,2BAA2B,CACzC,OAAqC;IAErC,MAAM,EAAE,aAAa,EAAE,QAAQ,EAAE,YAAY,EAAE,KAAK,GAAG,QAAQ,EAAE,GAAG,OAAO,CAAC;IAE5E,2DAA2D;IAC3D,IAAI,WAAW,GAAuB,IAAI,CAAC;IAE3C;;;;OAIG;IACH,IAAI,eAAe,GAA2B,IAAI,CAAC;IAEnD;;;;;OAKG;IACH,KAAK,UAAU,UAAU;QACvB,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;YAC/B,UAAU,EAAE,oBAAoB;YAChC,SAAS,EAAE,QAAQ;YACnB,aAAa,EAAE,YAAY;YAC3B,KAAK;SACN,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE;YAC1C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;YAChE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;SACtB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,sDAAsD;YACtD,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;YACxD,MAAM,IAAI,wBAAwB,CAAC;gBACjC,OAAO,EAAE,2BAA2B,QAAQ,CAAC,MAAM,KAAK,SAAS,IAAI,QAAQ,CAAC,UAAU,EAAE;aAC3F,CAAC,CAAC;QACL,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAkB,CAAC;QAEtD,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,MAAM,IAAI,wBAAwB,CAAC;gBACjC,OAAO,EAAE,8CAA8C;aACxD,CAAC,CAAC;QACL,CAAC;QAED,2EAA2E;QAC3E,MAAM,WAAW,GACf,CAAC,IAAI,CAAC,UAAU,IAAI,0BAA0B,CAAC,GAAG,IAAI,CAAC;QACzD,WAAW,GAAG;YACZ,WAAW,EAAE,IAAI,CAAC,YAAY;YAC9B,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,GAAG,uBAAuB;SAC9D,CAAC;QAEF,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAED;;;OAGG;IACH,SAAS,YAAY;QACnB,OAAO,WAAW,KAAK,IAAI,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC;IACpE,CAAC;IAED;;;;;;OAMG;IACH,KAAK,UAAU,iBAAiB;QAC9B,qCAAqC;QACrC,IAAI,YAAY,EAAE,EAAE,CAAC;YACnB,OAAO,WAAY,CAAC,WAAW,CAAC;QAClC,CAAC;QAED,8DAA8D;QAC9D,IAAI,eAAe,EAAE,CAAC;YACpB,OAAO,eAAe,CAAC;QACzB,CAAC;QAED,iDAAiD;QACjD,eAAe,GAAG,UAAU,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE;YAC1C,eAAe,GAAG,IAAI,CAAC;QACzB,CAAC,CAAC,CAAC;QAEH,OAAO,eAAe,CAAC;IACzB,CAAC;IAED,OAAO;QACL,KAAK,CAAC,QAAQ;YACZ,OAAO,iBAAiB,EAAE,CAAC;QAC7B,CAAC;QAED,KAAK,CAAC,YAAY;YAChB,4CAA4C;YAC5C,WAAW,GAAG,IAAI,CAAC;YACnB,eAAe,GAAG,IAAI,CAAC;YACvB,OAAO,iBAAiB,EAAE,CAAC;QAC7B,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/auth/index.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Authentication providers for the Porta SDK.
+ *
+ * Three auth providers are available for server-side (Node.js) transports:
+ * - {@link createTokenAuth} — Static Bearer token (simplest)
+ * - {@link createClientCredentialsAuth} — OIDC client_credentials grant (M2M)
+ * - {@link createCliAuth} — Reads Porta CLI stored credentials
+ *
+ * Browser transports use cookie-based auth and don't need auth providers.
+ *
+ * @module auth
+ */
+export type { AuthProvider } from './types.js';
+export { createTokenAuth } from './token-auth.js';
+export type { TokenAuthOptions } from './token-auth.js';
+export { createClientCredentialsAuth } from './client-credentials-auth.js';
+export type { ClientCredentialsAuthOptions } from './client-credentials-auth.js';
+export { createCliAuth } from './cli-auth.js';
+export type { CliAuthOptions, StoredCredentials } from './cli-auth.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC/C,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,YAAY,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACxD,OAAO,EAAE,2BAA2B,EAAE,MAAM,8BAA8B,CAAC;AAC3E,YAAY,EAAE,4BAA4B,EAAE,MAAM,8BAA8B,CAAC;AACjF,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,YAAY,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC"}

package/dist/auth/index.js

@@ -0,0 +1,16 @@
+/**
+ * Authentication providers for the Porta SDK.
+ *
+ * Three auth providers are available for server-side (Node.js) transports:
+ * - {@link createTokenAuth} — Static Bearer token (simplest)
+ * - {@link createClientCredentialsAuth} — OIDC client_credentials grant (M2M)
+ * - {@link createCliAuth} — Reads Porta CLI stored credentials
+ *
+ * Browser transports use cookie-based auth and don't need auth providers.
+ *
+ * @module auth
+ */
+export { createTokenAuth } from './token-auth.js';
+export { createClientCredentialsAuth } from './client-credentials-auth.js';
+export { createCliAuth } from './cli-auth.js';
+//# sourceMappingURL=index.js.map

package/dist/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAElD,OAAO,EAAE,2BAA2B,EAAE,MAAM,8BAA8B,CAAC;AAE3E,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC"}

package/dist/auth/token-auth.d.ts

@@ -0,0 +1,40 @@
+/**
+ * TokenAuth — static Bearer token authentication provider.
+ *
+ * The simplest auth provider: takes a pre-obtained Bearer token
+ * and returns it on every `getToken()` call. No refresh support —
+ * if the token expires, the consumer must create a new provider.
+ *
+ * Suitable for scripts, CI/CD pipelines, AI agents, and one-off
+ * automation where the token is obtained out-of-band.
+ *
+ * @example
+ * ```typescript
+ * import { createTokenAuth } from '@portaidentity/sdk';
+ *
+ * const auth = createTokenAuth({ token: 'eyJhbGciOi...' });
+ * const client = createPortaClient({ baseUrl: '...', auth });
+ * ```
+ *
+ * @module auth/token-auth
+ */
+import type { AuthProvider } from './types.js';
+/**
+ * Options for creating a static token auth provider.
+ */
+export interface TokenAuthOptions {
+    /** Static Bearer token to use for all requests */
+    token: string;
+}
+/**
+ * Creates a static token authentication provider.
+ *
+ * Returns an {@link AuthProvider} that always returns the provided token.
+ * No `refreshToken()` is defined — on 401 responses, the transport will
+ * throw a `PortaAuthenticationError` immediately.
+ *
+ * @param options - Token auth configuration
+ * @returns An AuthProvider that returns the static token
+ */
+export declare function createTokenAuth(options: TokenAuthOptions): AuthProvider;
+//# sourceMappingURL=token-auth.d.ts.map

package/dist/auth/token-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-auth.d.ts","sourceRoot":"","sources":["../../src/auth/token-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAM/C;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,kDAAkD;IAClD,KAAK,EAAE,MAAM,CAAC;CACf;AAMD;;;;;;;;;GASG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,gBAAgB,GAAG,YAAY,CAUvE"}

package/dist/auth/token-auth.js

@@ -0,0 +1,44 @@
+/**
+ * TokenAuth — static Bearer token authentication provider.
+ *
+ * The simplest auth provider: takes a pre-obtained Bearer token
+ * and returns it on every `getToken()` call. No refresh support —
+ * if the token expires, the consumer must create a new provider.
+ *
+ * Suitable for scripts, CI/CD pipelines, AI agents, and one-off
+ * automation where the token is obtained out-of-band.
+ *
+ * @example
+ * ```typescript
+ * import { createTokenAuth } from '@portaidentity/sdk';
+ *
+ * const auth = createTokenAuth({ token: 'eyJhbGciOi...' });
+ * const client = createPortaClient({ baseUrl: '...', auth });
+ * ```
+ *
+ * @module auth/token-auth
+ */
+// ---------------------------------------------------------------------------
+// Factory
+// ---------------------------------------------------------------------------
+/**
+ * Creates a static token authentication provider.
+ *
+ * Returns an {@link AuthProvider} that always returns the provided token.
+ * No `refreshToken()` is defined — on 401 responses, the transport will
+ * throw a `PortaAuthenticationError` immediately.
+ *
+ * @param options - Token auth configuration
+ * @returns An AuthProvider that returns the static token
+ */
+export function createTokenAuth(options) {
+    const { token } = options;
+    return {
+        async getToken() {
+            return token;
+        },
+        // No refreshToken — 401 errors propagate immediately to the caller.
+        // The consumer must create a new TokenAuth with a fresh token.
+    };
+}
+//# sourceMappingURL=token-auth.js.map

package/dist/auth/token-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-auth.js","sourceRoot":"","sources":["../../src/auth/token-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAgBH,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E;;;;;;;;;GASG;AACH,MAAM,UAAU,eAAe,CAAC,OAAyB;IACvD,MAAM,EAAE,KAAK,EAAE,GAAG,OAAO,CAAC;IAE1B,OAAO;QACL,KAAK,CAAC,QAAQ;YACZ,OAAO,KAAK,CAAC;QACf,CAAC;QACD,oEAAoE;QACpE,+DAA+D;KAChE,CAAC;AACJ,CAAC"}

package/dist/auth/types.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Authentication provider interface for the Porta SDK.
+ *
+ * Auth providers handle token management for server-side transports.
+ * Three implementations are available:
+ * - TokenAuth: static token (simplest, no refresh)
+ * - ClientCredentialsAuth: OAuth2 client credentials flow
+ * - CliAuth: reads from Porta CLI credentials file
+ */
+/**
+ * Authentication provider that supplies access tokens to the transport.
+ *
+ * Implementations must provide `getToken()` to return a valid access token.
+ * Optionally, `refreshToken()` can be implemented to support automatic
+ * token refresh on 401 responses.
+ */
+export interface AuthProvider {
+    /** Returns a valid access token for API requests */
+    getToken(): Promise<string>;
+    /**
+     * Attempts to refresh the access token.
+     * Called by NodeTransport on 401 responses for automatic retry.
+     * Returns the new access token, or throws if refresh fails.
+     * Optional — if not provided, 401 errors throw immediately.
+     */
+    refreshToken?(): Promise<string>;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/auth/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH;;;;;;GAMG;AACH,MAAM,WAAW,YAAY;IAC3B,oDAAoD;IACpD,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;IAE5B;;;;;OAKG;IACH,YAAY,CAAC,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;CAClC"}

package/dist/auth/types.js

@@ -0,0 +1,11 @@
+/**
+ * Authentication provider interface for the Porta SDK.
+ *
+ * Auth providers handle token management for server-side transports.
+ * Three implementations are available:
+ * - TokenAuth: static token (simplest, no refresh)
+ * - ClientCredentialsAuth: OAuth2 client credentials flow
+ * - CliAuth: reads from Porta CLI credentials file
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/auth/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG"}

package/dist/browser.d.ts

@@ -0,0 +1,12 @@
+/**
+ * @portaidentity/sdk/browser — Browser entrypoint.
+ *
+ * Exports the browser (fetch-based) transport.
+ *
+ * @module @portaidentity/sdk/browser
+ */
+export { createBrowserTransport } from './transport/browser-transport.js';
+export type { BrowserTransportOptions } from './transport/browser-transport.js';
+export { createTokenAuth } from './auth/index.js';
+export type { AuthProvider } from './auth/index.js';
+//# sourceMappingURL=browser.d.ts.map

package/dist/browser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"browser.d.ts","sourceRoot":"","sources":["../src/browser.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,sBAAsB,EAAE,MAAM,kCAAkC,CAAC;AAC1E,YAAY,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAC;AAGhF,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,YAAY,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/browser.js

@@ -0,0 +1,12 @@
+/**
+ * @portaidentity/sdk/browser — Browser entrypoint.
+ *
+ * Exports the browser (fetch-based) transport.
+ *
+ * @module @portaidentity/sdk/browser
+ */
+// Browser transport
+export { createBrowserTransport } from './transport/browser-transport.js';
+// Auth providers usable in browser
+export { createTokenAuth } from './auth/index.js';
+//# sourceMappingURL=browser.js.map

package/dist/browser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"browser.js","sourceRoot":"","sources":["../src/browser.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,oBAAoB;AACpB,OAAO,EAAE,sBAAsB,EAAE,MAAM,kCAAkC,CAAC;AAG1E,mCAAmC;AACnC,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC"}