@ritualai/cli 0.7.3 → 0.7.6

package/dist/lib/credentials-backup.js

@@ -0,0 +1,282 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports._writeFileSyncForFallback = void 0;
+exports.backupCredentials = backupCredentials;
+exports.getInitLockPath = getInitLockPath;
+exports.acquireInitLock = acquireInitLock;
+exports.beginCredentialSwap = beginCredentialSwap;
+exports.writeFileMode0600 = writeFileMode0600;
+const node_fs_1 = require("node:fs");
+Object.defineProperty(exports, "_writeFileSyncForFallback", { enumerable: true, get: function () { return node_fs_1.writeFileSync; } });
+const node_crypto_1 = require("node:crypto");
+const node_path_1 = require("node:path");
+const config_1 = require("./config");
+/**
+ * Create an atomic backup of the live credentials file.
+ *
+ * If no live credentials exist, returns a handle whose `created` is
+ * false — `restore()` will then delete any newly-written credentials
+ * file instead of restoring a non-existent backup.
+ *
+ * Caller MUST invoke either `commit()` or `restore()` on the returned
+ * handle exactly once.
+ */
+function backupCredentials() {
+    const credsPath = (0, config_1.getCredentialsPath)();
+    const liveExists = (0, node_fs_1.existsSync)(credsPath);
+    const backupPath = liveExists ? mintBackupPath(credsPath) : null;
+    if (backupPath) {
+        // copyFileSync preserves mode bits from source on POSIX, but
+        // `saveCredentials` should always have written 0o600. We also
+        // recheck below in safe-mode tests.
+        (0, node_fs_1.copyFileSync)(credsPath, backupPath);
+    }
+    let settled = false;
+    const finalize = () => {
+        settled = true;
+        process.removeListener('SIGINT', sigintHandler);
+    };
+    const handle = {
+        created: liveExists,
+        backupPath,
+        commit() {
+            if (settled)
+                return;
+            if (backupPath && (0, node_fs_1.existsSync)(backupPath)) {
+                try {
+                    (0, node_fs_1.unlinkSync)(backupPath);
+                }
+                catch {
+                    // Best-effort. A stray backup file on disk is annoying
+                    // but not catastrophic — the user can rm it manually
+                    // or the next backup will create a new one with a
+                    // different random suffix.
+                }
+            }
+            finalize();
+        },
+        restore() {
+            if (settled)
+                return;
+            try {
+                if (backupPath && (0, node_fs_1.existsSync)(backupPath)) {
+                    // Atomic move on the same filesystem. Even if a brand-new
+                    // credentials file was just written, this rename clobbers
+                    // it with the backup in a single syscall.
+                    (0, node_fs_1.renameSync)(backupPath, credsPath);
+                }
+                else if (!liveExists && (0, node_fs_1.existsSync)(credsPath)) {
+                    // No backup existed, but a fresh credentials file was
+                    // written during the failed flow. Remove it so the user
+                    // ends up in the same "no creds" state they started in.
+                    (0, node_fs_1.unlinkSync)(credsPath);
+                }
+            }
+            catch {
+                // Restore failed — usually a file-permissions / disk-full
+                // problem. Surface a clear error rather than silently leaving
+                // the user with no creds.
+                const target = backupPath ?? '(none)';
+                throw new Error(`failed to restore credentials backup from ${target}; ` +
+                    `run \`ritual login\` to re-authenticate, then \`rm -f ${target}\` to clean up`);
+            }
+            finalize();
+        },
+    };
+    // SIGINT trap. If the user Ctrl-C's mid-flow, treat it as the
+    // failure path. Only fires while the handle is unsettled.
+    const sigintHandler = () => {
+        if (settled)
+            return;
+        try {
+            handle.restore();
+        }
+        catch {
+            // Surface restore failure to stderr — we're already on the
+            // exit path so the error message is the most useful thing
+            // to show.
+        }
+        // Exit with the conventional Ctrl-C status code. Don't let the
+        // process linger — if anything else is holding the event loop
+        // open (e.g. the loopback HTTP server) it would otherwise.
+        process.exit(130);
+    };
+    process.once('SIGINT', sigintHandler);
+    return handle;
+}
+/**
+ * Generate a unique backup file path for the given credentials path.
+ *
+ * Shape: `credentials.json.bak.<pid>.<unix-ms>.<8-byte-random-hex>`.
+ * The random suffix prevents collision if a previous run crashed
+ * mid-backup. PID and timestamp let ops humans triage orphaned
+ * backups.
+ */
+function mintBackupPath(credsPath) {
+    const pid = process.pid;
+    const ts = Date.now();
+    const rand = (0, node_crypto_1.randomBytes)(8).toString('hex');
+    return `${credsPath}.bak.${pid}.${ts}.${rand}`;
+}
+/**
+ * Path of the advisory lock file used to prevent two concurrent
+ * `ritual init` runs from clobbering each other's credential files.
+ * Exposed for tests.
+ */
+function getInitLockPath() {
+    return (0, node_path_1.join)((0, node_path_1.dirname)((0, config_1.getCredentialsPath)()), 'init.lock');
+}
+/**
+ * Try to acquire the `ritual init` advisory lock. Returns a release
+ * function on success. Throws if another `ritual init` is already
+ * running.
+ *
+ * The lock is a plain text file containing the holder's PID. On
+ * acquisition we read any existing lock file and check whether the
+ * recorded PID is still alive — if it isn't (process crashed, machine
+ * rebooted, etc.) the lock is considered stale and we steal it.
+ *
+ * This is advisory only — it doesn't prevent direct manipulation of
+ * the credentials file, just two cooperating `ritual init` runs from
+ * racing each other.
+ */
+function acquireInitLock() {
+    const lockPath = getInitLockPath();
+    if ((0, node_fs_1.existsSync)(lockPath)) {
+        let recordedPid;
+        try {
+            const raw = (0, node_fs_1.statSync)(lockPath).isFile() ? readLockFile(lockPath) : null;
+            if (raw)
+                recordedPid = Number.parseInt(raw, 10);
+        }
+        catch {
+            // Unreadable lock file — treat as stale.
+        }
+        const stale = !recordedPid ||
+            Number.isNaN(recordedPid) ||
+            !isProcessAlive(recordedPid) ||
+            recordedPid === process.pid;
+        if (!stale) {
+            throw new Error(`another \`ritual init\` is already running (pid ${recordedPid}); ` +
+                `if you believe that's wrong, remove the stale lock at ${lockPath}`);
+        }
+        // Stale — fall through and overwrite.
+        try {
+            (0, node_fs_1.unlinkSync)(lockPath);
+        }
+        catch {
+            /* ignore — the writeFileSync below will clobber */
+        }
+    }
+    // Create-with-mode 0600 so the lock file isn't world-readable.
+    const fd = (0, node_fs_1.openSync)(lockPath, 'w', 0o600);
+    try {
+        (0, node_fs_1.writeSync)(fd, String(process.pid));
+    }
+    finally {
+        (0, node_fs_1.closeSync)(fd);
+    }
+    let released = false;
+    return () => {
+        if (released)
+            return;
+        released = true;
+        try {
+            (0, node_fs_1.unlinkSync)(lockPath);
+        }
+        catch {
+            /* ignore */
+        }
+    };
+}
+/**
+ * Cross-platform "is this PID alive" probe. Uses signal-0 which on
+ * POSIX checks permission/existence without sending an actual signal.
+ * On Windows kill(0) behaves similarly via libuv.
+ */
+function isProcessAlive(pid) {
+    try {
+        process.kill(pid, 0);
+        return true;
+    }
+    catch (err) {
+        // ESRCH = no such process. EPERM = process exists but we don't
+        // have permission to signal it (i.e. it IS alive).
+        const code = err.code;
+        if (code === 'EPERM')
+            return true;
+        return false;
+    }
+}
+function readLockFile(path) {
+    try {
+        // Defer to writeFileSync's mirror — synchronous read is the
+        // simplest correct option here.
+        return require('node:fs').readFileSync(path, 'utf-8').trim();
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Convenience helper: combine lock-acquire + backup into one call.
+ * The returned `release()` releases the lock; the returned handle is
+ * the backup handle.
+ *
+ * Typical usage:
+ *
+ *   const { release, backup } = beginCredentialSwap();
+ *   try {
+ *     // ... attempt fresh sign-in ...
+ *     backup.commit();
+ *   } catch (err) {
+ *     backup.restore();
+ *     throw err;
+ *   } finally {
+ *     release();
+ *   }
+ */
+function beginCredentialSwap() {
+    const release = acquireInitLock();
+    let backup;
+    try {
+        backup = backupCredentials();
+    }
+    catch (err) {
+        release();
+        throw err;
+    }
+    return { release, backup };
+}
+/**
+ * Internal test helper. Forcefully writes a file with mode 0o600 via
+ * create-with-mode. Used by saveCredentials() in lib/config.ts to
+ * replace the chmod-after pattern that has a permission-race window.
+ *
+ * Exposed from this module so the backup/save code lives next to the
+ * credentials-locking code that depends on it.
+ */
+function writeFileMode0600(path, contents) {
+    // Open with O_WRONLY | O_CREAT | O_TRUNC (Node's 'w' flag) plus
+    // explicit mode. On macOS / Linux the file is created with 0o600
+    // from the start, eliminating the chmod-after window.
+    const fd = (0, node_fs_1.openSync)(path, 'w', 0o600);
+    try {
+        (0, node_fs_1.writeSync)(fd, contents);
+    }
+    finally {
+        (0, node_fs_1.closeSync)(fd);
+    }
+    // On a pre-existing file `openSync('w', 0o600)` doesn't change mode.
+    // Belt-and-braces: chmod sync afterward. Best-effort, no-op on
+    // platforms that don't support chmod.
+    try {
+        // eslint-disable-next-line @typescript-eslint/no-require-imports
+        const { chmodSync } = require('node:fs');
+        chmodSync(path, 0o600);
+    }
+    catch {
+        /* ignore */
+    }
+}
+//# sourceMappingURL=credentials-backup.js.map

package/dist/lib/credentials-backup.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials-backup.js","sourceRoot":"","sources":["../../src/lib/credentials-backup.ts"],"names":[],"mappings":";;;AAiGA,8CAmFC;AAsBD,0CAEC;AAgBD,0CAiDC;AAgDD,kDAaC;AAUD,8CAoBC;AAxWD,qCAUiB;AAiWS,0GAnWzB,uBAAa,OAmWqC;AAhWnD,6CAA0C;AAC1C,yCAA0C;AAC1C,qCAA8C;AA0E9C;;;;;;;;;GASG;AACH,SAAgB,iBAAiB;IAChC,MAAM,SAAS,GAAG,IAAA,2BAAkB,GAAE,CAAC;IACvC,MAAM,UAAU,GAAG,IAAA,oBAAU,EAAC,SAAS,CAAC,CAAC;IAEzC,MAAM,UAAU,GAAG,UAAU,CAAC,CAAC,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACjE,IAAI,UAAU,EAAE,CAAC;QAChB,6DAA6D;QAC7D,8DAA8D;QAC9D,oCAAoC;QACpC,IAAA,sBAAY,EAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IACrC,CAAC;IAED,IAAI,OAAO,GAAG,KAAK,CAAC;IAEpB,MAAM,QAAQ,GAAG,GAAG,EAAE;QACrB,OAAO,GAAG,IAAI,CAAC;QACf,OAAO,CAAC,cAAc,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;IACjD,CAAC,CAAC;IAEF,MAAM,MAAM,GAAiB;QAC5B,OAAO,EAAE,UAAU;QACnB,UAAU;QACV,MAAM;YACL,IAAI,OAAO;gBAAE,OAAO;YACpB,IAAI,UAAU,IAAI,IAAA,oBAAU,EAAC,UAAU,CAAC,EAAE,CAAC;gBAC1C,IAAI,CAAC;oBACJ,IAAA,oBAAU,EAAC,UAAU,CAAC,CAAC;gBACxB,CAAC;gBAAC,MAAM,CAAC;oBACR,uDAAuD;oBACvD,qDAAqD;oBACrD,kDAAkD;oBAClD,2BAA2B;gBAC5B,CAAC;YACF,CAAC;YACD,QAAQ,EAAE,CAAC;QACZ,CAAC;QACD,OAAO;YACN,IAAI,OAAO;gBAAE,OAAO;YACpB,IAAI,CAAC;gBACJ,IAAI,UAAU,IAAI,IAAA,oBAAU,EAAC,UAAU,CAAC,EAAE,CAAC;oBAC1C,0DAA0D;oBAC1D,0DAA0D;oBAC1D,0CAA0C;oBAC1C,IAAA,oBAAU,EAAC,UAAU,EAAE,SAAS,CAAC,CAAC;gBACnC,CAAC;qBAAM,IAAI,CAAC,UAAU,IAAI,IAAA,oBAAU,EAAC,SAAS,CAAC,EAAE,CAAC;oBACjD,sDAAsD;oBACtD,wDAAwD;oBACxD,wDAAwD;oBACxD,IAAA,oBAAU,EAAC,SAAS,CAAC,CAAC;gBACvB,CAAC;YACF,CAAC;YAAC,MAAM,CAAC;gBACR,0DAA0D;gBAC1D,8DAA8D;gBAC9D,0BAA0B;gBAC1B,MAAM,MAAM,GAAG,UAAU,IAAI,QAAQ,CAAC;gBACtC,MAAM,IAAI,KAAK,CACd,6CAA6C,MAAM,IAAI;oBACtD,yDAAyD,MAAM,gBAAgB,CAChF,CAAC;YACH,CAAC;YACD,QAAQ,EAAE,CAAC;QACZ,CAAC;KACD,CAAC;IAEF,8DAA8D;IAC9D,0DAA0D;IAC1D,MAAM,aAAa,GAAG,GAAG,EAAE;QAC1B,IAAI,OAAO;YAAE,OAAO;QACpB,IAAI,CAAC;YACJ,MAAM,CAAC,OAAO,EAAE,CAAC;QAClB,CAAC;QAAC,MAAM,CAAC;YACR,2DAA2D;YAC3D,0DAA0D;YAC1D,WAAW;QACZ,CAAC;QACD,+DAA+D;QAC/D,8DAA8D;QAC9D,2DAA2D;QAC3D,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnB,CAAC,CAAC;IACF,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;IAEtC,OAAO,MAAM,CAAC;AACf,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,cAAc,CAAC,SAAiB;IACxC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;IACxB,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACtB,MAAM,IAAI,GAAG,IAAA,yBAAW,EAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC5C,OAAO,GAAG,SAAS,QAAQ,GAAG,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC;AAChD,CAAC;AAED;;;;GAIG;AACH,SAAgB,eAAe;IAC9B,OAAO,IAAA,gBAAI,EAAC,IAAA,mBAAO,EAAC,IAAA,2BAAkB,GAAE,CAAC,EAAE,WAAW,CAAC,CAAC;AACzD,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,SAAgB,eAAe;IAC9B,MAAM,QAAQ,GAAG,eAAe,EAAE,CAAC;IAEnC,IAAI,IAAA,oBAAU,EAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,IAAI,WAA+B,CAAC;QACpC,IAAI,CAAC;YACJ,MAAM,GAAG,GAAG,IAAA,kBAAQ,EAAC,QAAQ,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YACxE,IAAI,GAAG;gBAAE,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC;YACR,yCAAyC;QAC1C,CAAC;QAED,MAAM,KAAK,GACV,CAAC,WAAW;YACZ,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC;YACzB,CAAC,cAAc,CAAC,WAAW,CAAC;YAC5B,WAAW,KAAK,OAAO,CAAC,GAAG,CAAC;QAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACd,mDAAmD,WAAW,KAAK;gBAClE,yDAAyD,QAAQ,EAAE,CACpE,CAAC;QACH,CAAC;QACD,sCAAsC;QACtC,IAAI,CAAC;YACJ,IAAA,oBAAU,EAAC,QAAQ,CAAC,CAAC;QACtB,CAAC;QAAC,MAAM,CAAC;YACR,mDAAmD;QACpD,CAAC;IACF,CAAC;IAED,+DAA+D;IAC/D,MAAM,EAAE,GAAG,IAAA,kBAAQ,EAAC,QAAQ,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;IAC1C,IAAI,CAAC;QACJ,IAAA,mBAAS,EAAC,EAAE,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;IACpC,CAAC;YAAS,CAAC;QACV,IAAA,mBAAS,EAAC,EAAE,CAAC,CAAC;IACf,CAAC;IAED,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,OAAO,GAAG,EAAE;QACX,IAAI,QAAQ;YAAE,OAAO;QACrB,QAAQ,GAAG,IAAI,CAAC;QAChB,IAAI,CAAC;YACJ,IAAA,oBAAU,EAAC,QAAQ,CAAC,CAAC;QACtB,CAAC;QAAC,MAAM,CAAC;YACR,YAAY;QACb,CAAC;IACF,CAAC,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,cAAc,CAAC,GAAW;IAClC,IAAI,CAAC;QACJ,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACrB,OAAO,IAAI,CAAC;IACb,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACd,+DAA+D;QAC/D,mDAAmD;QACnD,MAAM,IAAI,GAAI,GAA6B,CAAC,IAAI,CAAC;QACjD,IAAI,IAAI,KAAK,OAAO;YAAE,OAAO,IAAI,CAAC;QAClC,OAAO,KAAK,CAAC;IACd,CAAC;AACF,CAAC;AAED,SAAS,YAAY,CAAC,IAAY;IACjC,IAAI,CAAC;QACJ,4DAA4D;QAC5D,gCAAgC;QAChC,OAAO,OAAO,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;IAC9D,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,IAAI,CAAC;IACb,CAAC;AACF,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,SAAgB,mBAAmB;IAIlC,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;IAClC,IAAI,MAAoB,CAAC;IACzB,IAAI,CAAC;QACJ,MAAM,GAAG,iBAAiB,EAAE,CAAC;IAC9B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACd,OAAO,EAAE,CAAC;QACV,MAAM,GAAG,CAAC;IACX,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;AAC5B,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,iBAAiB,CAAC,IAAY,EAAE,QAAgB;IAC/D,gEAAgE;IAChE,iEAAiE;IACjE,sDAAsD;IACtD,MAAM,EAAE,GAAG,IAAA,kBAAQ,EAAC,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;IACtC,IAAI,CAAC;QACJ,IAAA,mBAAS,EAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;IACzB,CAAC;YAAS,CAAC;QACV,IAAA,mBAAS,EAAC,EAAE,CAAC,CAAC;IACf,CAAC;IACD,qEAAqE;IACrE,+DAA+D;IAC/D,sCAAsC;IACtC,IAAI,CAAC;QACJ,iEAAiE;QACjE,MAAM,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;QACzC,SAAS,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACR,YAAY;IACb,CAAC;AACF,CAAC"}

package/dist/lib/identity-banner.js

@@ -0,0 +1,88 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.identityFromCreds = identityFromCreds;
+exports.printIdentityBanner = printIdentityBanner;
+const oidc_1 = require("./oidc");
+/**
+ * Derive printable identity info from a credentials record.
+ *
+ * The refresh-token expiry is best-effort — Keycloak's refresh
+ * tokens are JWTs and carry an `exp` claim, but the spec doesn't
+ * mandate it (some IdPs use opaque refresh tokens). When we can't
+ * decode an `exp`, `refreshExpiresAt` is undefined and the banner
+ * falls back to "auto-refreshes automatically" without a horizon.
+ */
+function identityFromCreds(creds) {
+    const refreshExpiresAt = creds.tokenSet.refresh_token
+        ? (0, oidc_1.decodeJwtPayloadUnsafe)(creds.tokenSet.refresh_token)?.exp
+        : undefined;
+    return {
+        email: creds.user?.email,
+        sub: creds.user?.sub,
+        issuer: creds.issuer,
+        clientId: creds.clientId,
+        accessExpiresAt: creds.tokenSet.expires_at,
+        refreshExpiresAt,
+        canRefresh: !!creds.tokenSet.refresh_token,
+    };
+}
+/** Format a future unix-seconds timestamp as a humanish duration. */
+function formatDuration(targetUnixSec, nowUnixSec) {
+    const dt = Math.max(0, targetUnixSec - nowUnixSec);
+    if (dt < 60)
+        return `${dt}s`;
+    if (dt < 60 * 60)
+        return `${Math.floor(dt / 60)}m`;
+    if (dt < 60 * 60 * 24) {
+        const h = Math.floor(dt / 3600);
+        const m = Math.floor((dt % 3600) / 60);
+        return m === 0 ? `${h}h` : `${h}h ${m}m`;
+    }
+    const d = Math.floor(dt / 86_400);
+    const h = Math.floor((dt % 86_400) / 3600);
+    return h === 0 ? `${d}d` : `${d}d ${h}h`;
+}
+/**
+ * Emit the identity banner. Routes to stderr (human) or stdout (JSON)
+ * based on `opts.json`. Safe to call multiple times.
+ */
+function printIdentityBanner(identity, opts = {}) {
+    if (opts.json) {
+        const payload = {
+            email: identity.email ?? null,
+            sub: identity.sub ?? null,
+            issuer: identity.issuer,
+            clientId: identity.clientId,
+            accessExpiresAt: identity.accessExpiresAt,
+            refreshExpiresAt: identity.refreshExpiresAt ?? null,
+            canRefresh: identity.canRefresh,
+        };
+        process.stdout.write(JSON.stringify(payload) + '\n');
+        return;
+    }
+    const indent = opts.indent ?? '  ';
+    const nowSec = Math.floor(Date.now() / 1000);
+    const accessIn = formatDuration(identity.accessExpiresAt, nowSec);
+    const refreshIn = identity.refreshExpiresAt
+        ? formatDuration(identity.refreshExpiresAt, nowSec)
+        : null;
+    const lines = [];
+    lines.push(`${indent}Signed in as ${identity.email ?? identity.sub ?? '(unknown)'}`);
+    lines.push(`${indent}  Access token expires in ${accessIn}`);
+    if (identity.canRefresh) {
+        if (refreshIn) {
+            lines.push(`${indent}  Refresh token valid for ${refreshIn}; access refreshes automatically`);
+        }
+        else {
+            lines.push(`${indent}  Access refreshes automatically via stored refresh token`);
+        }
+    }
+    else {
+        lines.push(`${indent}  No refresh token stored — sign in again when access expires`);
+    }
+    if (opts.includeSwitchHint !== false) {
+        lines.push(`${indent}  To switch accounts: ritual init --switch-account`);
+    }
+    process.stderr.write(lines.join('\n') + '\n');
+}
+//# sourceMappingURL=identity-banner.js.map

package/dist/lib/identity-banner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-banner.js","sourceRoot":"","sources":["../../src/lib/identity-banner.ts"],"names":[],"mappings":";;AAqDA,8CAaC;AAiCD,kDA2CC;AA7ID,iCAAgD;AA2ChD;;;;;;;;GAQG;AACH,SAAgB,iBAAiB,CAAC,KAAqB;IACtD,MAAM,gBAAgB,GAAG,KAAK,CAAC,QAAQ,CAAC,aAAa;QACpD,CAAC,CAAC,IAAA,6BAAsB,EAAmB,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,GAAG;QAC7E,CAAC,CAAC,SAAS,CAAC;IACb,OAAO;QACN,KAAK,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK;QACxB,GAAG,EAAE,KAAK,CAAC,IAAI,EAAE,GAAG;QACpB,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,eAAe,EAAE,KAAK,CAAC,QAAQ,CAAC,UAAU;QAC1C,gBAAgB;QAChB,UAAU,EAAE,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,aAAa;KAC1C,CAAC;AACH,CAAC;AAED,qEAAqE;AACrE,SAAS,cAAc,CAAC,aAAqB,EAAE,UAAkB;IAChE,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,aAAa,GAAG,UAAU,CAAC,CAAC;IACnD,IAAI,EAAE,GAAG,EAAE;QAAE,OAAO,GAAG,EAAE,GAAG,CAAC;IAC7B,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE;QAAE,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC;IACnD,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC;QACvB,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC;QAChC,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QACvC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC;IAC1C,CAAC;IACD,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,MAAM,CAAC,CAAC;IAClC,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC;IAC3C,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC;AAC1C,CAAC;AAcD;;;GAGG;AACH,SAAgB,mBAAmB,CAClC,QAAsB,EACtB,OAAmC,EAAE;IAErC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACf,MAAM,OAAO,GAAG;YACf,KAAK,EAAE,QAAQ,CAAC,KAAK,IAAI,IAAI;YAC7B,GAAG,EAAE,QAAQ,CAAC,GAAG,IAAI,IAAI;YACzB,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,QAAQ,EAAE,QAAQ,CAAC,QAAQ;YAC3B,eAAe,EAAE,QAAQ,CAAC,eAAe;YACzC,gBAAgB,EAAE,QAAQ,CAAC,gBAAgB,IAAI,IAAI;YACnD,UAAU,EAAE,QAAQ,CAAC,UAAU;SAC/B,CAAC;QACF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC;QACrD,OAAO;IACR,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC;IACnC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC7C,MAAM,QAAQ,GAAG,cAAc,CAAC,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAClE,MAAM,SAAS,GAAG,QAAQ,CAAC,gBAAgB;QAC1C,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;QACnD,CAAC,CAAC,IAAI,CAAC;IAER,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,gBAAgB,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,GAAG,IAAI,WAAW,EAAE,CAAC,CAAC;IACrF,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,6BAA6B,QAAQ,EAAE,CAAC,CAAC;IAC7D,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;QACzB,IAAI,SAAS,EAAE,CAAC;YACf,KAAK,CAAC,IAAI,CACT,GAAG,MAAM,6BAA6B,SAAS,kCAAkC,CACjF,CAAC;QACH,CAAC;aAAM,CAAC;YACP,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,2DAA2D,CAAC,CAAC;QAClF,CAAC;IACF,CAAC;SAAM,CAAC;QACP,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,+DAA+D,CAAC,CAAC;IACtF,CAAC;IACD,IAAI,IAAI,CAAC,iBAAiB,KAAK,KAAK,EAAE,CAAC;QACtC,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,oDAAoD,CAAC,CAAC;IAC3E,CAAC;IACD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC;AAC/C,CAAC"}

package/dist/lib/oidc.js

@@ -4,6 +4,7 @@ exports.RefreshTokenError = void 0;
 exports.performLoginFlow = performLoginFlow;
 exports.refreshTokens = refreshTokens;
 exports.decodeJwtPayloadUnsafe = decodeJwtPayloadUnsafe;
+exports.buildLogoutUrl = buildLogoutUrl;
 const node_crypto_1 = require("node:crypto");
 const node_http_1 = require("node:http");
 const node_url_1 = require("node:url");
@@ -118,6 +119,17 @@ async function performLoginFlow(cfg, openBrowser, log) {
     authorizeUrl.searchParams.set('state', state);
     authorizeUrl.searchParams.set('code_challenge', challenge);
     authorizeUrl.searchParams.set('code_challenge_method', 'S256');
+    if (cfg.forceLogin) {
+        // OIDC Core §3.1.2.1: `prompt=login` MUST cause the authorization
+        // server to reauthenticate the user, even if they already have an
+        // active SSO session in the browser. Used by --switch-account so
+        // users aren't silently re-signed-in as the previous Keycloak
+        // account from the SSO cookie. Brokered IdPs (Google, SAML) are
+        // expected to propagate this as `max_age=0` or equivalent — we
+        // document that as part of the PR's manual test plan since
+        // Keycloak's downstream-prompt behavior depends on broker config.
+        authorizeUrl.searchParams.set('prompt', 'login');
+    }
     log(`Opening browser to ${cfg.issuer.replace(/^https?:\/\//, '')}…`);
     log(`If the browser doesn't open, visit:\n  ${authorizeUrl.toString()}\n`);
     await openBrowser(authorizeUrl.toString()).catch(() => {
@@ -252,6 +264,49 @@ function cliSuccessFallbackUrl(issuer) {
         return 'https://app.ritualapp.cloud/auth/signin?source=cli';
     }
 }
+/**
+ * Build a Keycloak RP-initiated logout URL per OIDC Session
+ * Management spec (OpenID Connect RP-Initiated Logout 1.0).
+ *
+ * Keycloak's endpoint is `<issuer>/protocol/openid-connect/logout`.
+ * Accepted parameters (we use a subset):
+ *
+ *   - `id_token_hint`            : recommended by spec — lets the OP
+ *                                   skip the "are you sure?" confirm
+ *                                   page since it can identify the
+ *                                   session from the token.
+ *   - `client_id`                : the OIDC client requesting logout.
+ *   - `post_logout_redirect_uri` : **intentionally omitted**. Keycloak
+ *                                   requires registered redirect URIs
+ *                                   for this parameter, and we don't
+ *                                   want to couple this CLI logout
+ *                                   feature to the realm-import path
+ *                                   that defines those URIs. Users see
+ *                                   Keycloak's default post-logout
+ *                                   landing page (which says "you've
+ *                                   been signed out") and close the
+ *                                   tab.
+ *   - `state`                    : not used (no redirect to validate).
+ *
+ * Limitation we're explicit about in the surrounding `ritual logout
+ * --all` copy: this clears the LOCAL credentials + the Keycloak SSO
+ * cookie. It does NOT revoke minted Personal Access Tokens, refresh
+ * tokens already stored in agent MCP configs, or other server-side
+ * session artifacts. Users who want those revoked too should visit
+ * the manage-tokens UI surfaced in the message.
+ *
+ * Spec references:
+ *   - OpenID Connect RP-Initiated Logout 1.0 §2
+ *   - Keycloak docs: "Securing Apps · OIDC layers · Logout endpoint"
+ */
+function buildLogoutUrl(args) {
+    const url = new node_url_1.URL(`${args.issuer}/protocol/openid-connect/logout`);
+    url.searchParams.set('client_id', args.clientId);
+    if (args.idToken) {
+        url.searchParams.set('id_token_hint', args.idToken);
+    }
+    return url.toString();
+}
 // ─── small html helpers for the loopback browser response ──────────────────
 function htmlPage(title, body) {
     return `<!doctype html><html><head><meta charset="utf-8"><title>${escapeHtml(title)}</title>

package/dist/lib/oidc.js.map

@@ -1 +1 @@
-{"version":3,"file":"oidc.js","sourceRoot":"","sources":["../../src/lib/oidc.ts"],"names":[],"mappings":";;;AAsKA,4CA8DC;AAYD,sCA0BC;AAyBD,wDAQC;AA3SD,6CAAsD;AACtD,yCAAiG;AACjG,uCAA+B;AA6C/B,MAAM,SAAS,GAAG,CAAC,GAAW,EAAU,EAAE,CACzC,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AAEnF,SAAS,YAAY;IACpB,MAAM,QAAQ,GAAG,SAAS,CAAC,IAAA,yBAAW,EAAC,EAAE,CAAC,CAAC,CAAC;IAC5C,MAAM,SAAS,GAAG,SAAS,CAAC,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;IAC5E,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;AAChC,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,SAAS,0BAA0B,CAClC,MAAc,EACd,SAAS,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI;IAMzB,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,IAAI,SAAkB,CAAC;IAEvB,MAAM,OAAO,GAAG,IAAI,OAAO,CAAsB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACpE,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC7B,SAAS,CAAC,KAAK,EAAE,CAAC;YAClB,MAAM,QAAQ,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;YAC/C,MAAM,CACL,IAAI,KAAK,CACR,4DAA4D;gBAC3D,8EAA8E;gBAC9E,sEAAsE;gBACtE,6EAA6E;gBAC7E,+BAA+B,QAAQ,2BAA2B;gBAClE,+EAA+E,CAChF,CACD,CAAC;QACH,CAAC,EAAE,SAAS,CAAC,CAAC;QAEd,MAAM,MAAM,GAAG,IAAA,wBAAY,EAAC,CAAC,GAAoB,EAAE,GAAmB,EAAE,EAAE;YACzE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;gBACd,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;gBACzB,OAAO;YACR,CAAC;YACD,MAAM,GAAG,GAAG,IAAI,cAAG,CAAC,GAAG,CAAC,GAAG,EAAE,oBAAoB,IAAI,EAAE,CAAC,CAAC;YACzD,IAAI,GAAG,CAAC,QAAQ,KAAK,GAAG,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;gBAC1D,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;gBACzB,OAAO;YACR,CAAC;YACD,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAC5C,MAAM,UAAU,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAEjD,IAAI,UAAU,EAAE,CAAC;gBAChB,MAAM,WAAW,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,EAAE,CAAC;gBACpE,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC,GAAG,CACtD,QAAQ,CACP,gBAAgB,EAChB,4BAA4B,UAAU,CAAC,UAAU,CAAC,KAAK,UAAU,CAAC,WAAW,CAAC,MAAM,CACpF,CACD,CAAC;gBACF,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,SAAS,CAAC,KAAK,EAAE,CAAC;gBAClB,MAAM,CAAC,IAAI,KAAK,CAAC,gBAAgB,UAAU,KAAK,WAAW,EAAE,CAAC,CAAC,CAAC;gBAChE,OAAO;YACR,CAAC;YACD,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBACrB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;gBAChD,OAAO;YACR,CAAC;YAED,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC,GAAG,CACtD,QAAQ,CACP,kBAAkB,EAClB,4DAA4D,CAC5D,CACD,CAAC;YACF,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,SAAS,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC1B,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE;YAClC,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;YAC9B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,EAAE,CAAC;gBACtC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;YAClB,CAAC;iBAAM,CAAC;gBACP,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,MAAM,CAAC,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC,CAAC;YACrD,CAAC;QACF,CAAC,CAAC,CAAC;QACH,SAAS,GAAG,MAAM,CAAC;IACpB,CAAC,CAAC,CAAC;IAEH,mEAAmE;IACnE,gDAAgD;IAChD,OAAO,EAAE,MAAM,EAAE,SAAU,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC9C,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,gBAAgB,CACrC,GAAe,EACf,WAA8C,EAC9C,GAA0B;IAE1B,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,YAAY,EAAE,CAAC;IAC/C,MAAM,KAAK,GAAG,SAAS,CAAC,IAAA,yBAAW,EAAC,EAAE,CAAC,CAAC,CAAC;IAEzC,iEAAiE;IACjE,wDAAwD;IACxD,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,0BAA0B,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACnE,qDAAqD;IACrD,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1C,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;IAC9B,MAAM,IAAI,GAAG,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9D,IAAI,CAAC,IAAI;QAAE,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IAC7D,MAAM,WAAW,GAAG,oBAAoB,IAAI,WAAW,CAAC;IAExD,2BAA2B;IAC3B,MAAM,YAAY,GAAG,IAAI,cAAG,CAAC,GAAG,GAAG,CAAC,MAAM,+BAA+B,CAAC,CAAC;IAC3E,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IACvD,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC;IACzD,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;IAC3D,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC;IAClD,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAC9C,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;IAC3D,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAE/D,GAAG,CAAC,sBAAsB,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC;IACrE,GAAG,CAAC,0CAA0C,YAAY,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IAC3E,MAAM,WAAW,CAAC,YAAY,CAAC,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;QACrD,6CAA6C;IAC9C,CAAC,CAAC,CAAC;IAEH,2CAA2C;IAC3C,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC;IAC7B,IAAI,MAAM,CAAC,KAAK,KAAK,KAAK,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CACd,gFAAgF,CAChF,CAAC;IACH,CAAC;IAED,2BAA2B;IAC3B,MAAM,QAAQ,GAAG,GAAG,GAAG,CAAC,MAAM,gCAAgC,CAAC;IAC/D,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAChC,UAAU,EAAE,oBAAoB;QAChC,SAAS,EAAE,GAAG,CAAC,QAAQ;QACvB,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,YAAY,EAAE,WAAW;QACzB,aAAa,EAAE,QAAQ;KACvB,CAAC,CAAC;IACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;QACjC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI;KACJ,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,+BAA+B,GAAG,CAAC,MAAM,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IACrF,CAAC;IACD,MAAM,QAAQ,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAa,CAAC;IAChD,OAAO,QAAQ,CAAC;AACjB,CAAC;AAED;;;;;;;;;GASG;AACI,KAAK,UAAU,aAAa,CAClC,GAA4C,EAC5C,YAAoB;IAEpB,MAAM,QAAQ,GAAG,GAAG,GAAG,CAAC,MAAM,gCAAgC,CAAC;IAC/D,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAChC,UAAU,EAAE,eAAe;QAC3B,SAAS,EAAE,GAAG,CAAC,QAAQ;QACvB,aAAa,EAAE,YAAY;KAC3B,CAAC,CAAC;IACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;QACjC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI;KACJ,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,+DAA+D;QAC/D,8DAA8D;QAC9D,gDAAgD;QAChD,MAAM,IAAI,iBAAiB,CAC1B,wBAAwB,GAAG,CAAC,MAAM,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,EAC3D,GAAG,CAAC,MAAM,CACV,CAAC;IACH,CAAC;IACD,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAa,CAAC;AACvC,CAAC;AAED;;;;;GAKG;AACH,MAAa,iBAAkB,SAAQ,KAAK;IAG1B;IAFjB,YACC,OAAe,EACC,MAAc;QAE9B,KAAK,CAAC,OAAO,CAAC,CAAC;QAFC,WAAM,GAAN,MAAM,CAAQ;QAG9B,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IACjC,CAAC;CACD;AARD,8CAQC;AAED;;;;;;GAMG;AACH,SAAgB,sBAAsB,CAA8B,KAAa;IAChF,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,IAAI,CAAC;QACJ,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAM,CAAC;IAC9E,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,IAAI,CAAC;IACb,CAAC;AACF,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,SAAS,qBAAqB,CAAC,MAAc;IAC5C,IAAI,CAAC;QACJ,MAAM,CAAC,GAAG,IAAI,cAAG,CAAC,MAAM,CAAC,CAAC;QAC1B,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;QACpB,IAAI,OAAe,CAAC;QACpB,IAAI,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;YAClC,OAAO,GAAG,qBAAqB,CAAC;QACjC,CAAC;aAAM,IAAI,IAAI,KAAK,sBAAsB,EAAE,CAAC;YAC5C,OAAO,GAAG,qBAAqB,CAAC;QACjC,CAAC;aAAM,CAAC;YACP,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QAC3C,CAAC;QACD,OAAO,WAAW,OAAO,yBAAyB,CAAC;IACpD,CAAC;IAAC,MAAM,CAAC;QACR,2DAA2D;QAC3D,8DAA8D;QAC9D,oBAAoB;QACpB,OAAO,oDAAoD,CAAC;IAC7D,CAAC;AACF,CAAC;AAED,8EAA8E;AAE9E,SAAS,QAAQ,CAAC,KAAa,EAAE,IAAY;IAC5C,OAAO,2DAA2D,UAAU,CAAC,KAAK,CAAC;;;YAGxE,UAAU,CAAC,KAAK,CAAC,QAAQ,IAAI,gBAAgB,CAAC;AAC1D,CAAC;AAED,SAAS,UAAU,CAAC,CAAS;IAC5B,OAAO,CAAC;SACN,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;SACvB,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;AAC1B,CAAC"}
+{"version":3,"file":"oidc.js","sourceRoot":"","sources":["../../src/lib/oidc.ts"],"names":[],"mappings":";;;AA0LA,4CAyEC;AAYD,sCA0BC;AAyBD,wDAQC;AA0ED,wCAWC;AA/ZD,6CAAsD;AACtD,yCAAiG;AACjG,uCAA+B;AAiE/B,MAAM,SAAS,GAAG,CAAC,GAAW,EAAU,EAAE,CACzC,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AAEnF,SAAS,YAAY;IACpB,MAAM,QAAQ,GAAG,SAAS,CAAC,IAAA,yBAAW,EAAC,EAAE,CAAC,CAAC,CAAC;IAC5C,MAAM,SAAS,GAAG,SAAS,CAAC,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;IAC5E,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;AAChC,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,SAAS,0BAA0B,CAClC,MAAc,EACd,SAAS,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI;IAMzB,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,IAAI,SAAkB,CAAC;IAEvB,MAAM,OAAO,GAAG,IAAI,OAAO,CAAsB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACpE,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC7B,SAAS,CAAC,KAAK,EAAE,CAAC;YAClB,MAAM,QAAQ,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;YAC/C,MAAM,CACL,IAAI,KAAK,CACR,4DAA4D;gBAC3D,8EAA8E;gBAC9E,sEAAsE;gBACtE,6EAA6E;gBAC7E,+BAA+B,QAAQ,2BAA2B;gBAClE,+EAA+E,CAChF,CACD,CAAC;QACH,CAAC,EAAE,SAAS,CAAC,CAAC;QAEd,MAAM,MAAM,GAAG,IAAA,wBAAY,EAAC,CAAC,GAAoB,EAAE,GAAmB,EAAE,EAAE;YACzE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;gBACd,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;gBACzB,OAAO;YACR,CAAC;YACD,MAAM,GAAG,GAAG,IAAI,cAAG,CAAC,GAAG,CAAC,GAAG,EAAE,oBAAoB,IAAI,EAAE,CAAC,CAAC;YACzD,IAAI,GAAG,CAAC,QAAQ,KAAK,GAAG,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;gBAC1D,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;gBACzB,OAAO;YACR,CAAC;YACD,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAC5C,MAAM,UAAU,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAEjD,IAAI,UAAU,EAAE,CAAC;gBAChB,MAAM,WAAW,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,EAAE,CAAC;gBACpE,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC,GAAG,CACtD,QAAQ,CACP,gBAAgB,EAChB,4BAA4B,UAAU,CAAC,UAAU,CAAC,KAAK,UAAU,CAAC,WAAW,CAAC,MAAM,CACpF,CACD,CAAC;gBACF,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,SAAS,CAAC,KAAK,EAAE,CAAC;gBAClB,MAAM,CAAC,IAAI,KAAK,CAAC,gBAAgB,UAAU,KAAK,WAAW,EAAE,CAAC,CAAC,CAAC;gBAChE,OAAO;YACR,CAAC;YACD,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBACrB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;gBAChD,OAAO;YACR,CAAC;YAED,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC,GAAG,CACtD,QAAQ,CACP,kBAAkB,EAClB,4DAA4D,CAC5D,CACD,CAAC;YACF,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,SAAS,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC1B,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE;YAClC,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;YAC9B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,EAAE,CAAC;gBACtC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;YAClB,CAAC;iBAAM,CAAC;gBACP,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,MAAM,CAAC,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC,CAAC;YACrD,CAAC;QACF,CAAC,CAAC,CAAC;QACH,SAAS,GAAG,MAAM,CAAC;IACpB,CAAC,CAAC,CAAC;IAEH,mEAAmE;IACnE,gDAAgD;IAChD,OAAO,EAAE,MAAM,EAAE,SAAU,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC9C,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,gBAAgB,CACrC,GAAe,EACf,WAA8C,EAC9C,GAA0B;IAE1B,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,YAAY,EAAE,CAAC;IAC/C,MAAM,KAAK,GAAG,SAAS,CAAC,IAAA,yBAAW,EAAC,EAAE,CAAC,CAAC,CAAC;IAEzC,iEAAiE;IACjE,wDAAwD;IACxD,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,0BAA0B,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACnE,qDAAqD;IACrD,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1C,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;IAC9B,MAAM,IAAI,GAAG,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9D,IAAI,CAAC,IAAI;QAAE,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IAC7D,MAAM,WAAW,GAAG,oBAAoB,IAAI,WAAW,CAAC;IAExD,2BAA2B;IAC3B,MAAM,YAAY,GAAG,IAAI,cAAG,CAAC,GAAG,GAAG,CAAC,MAAM,+BAA+B,CAAC,CAAC;IAC3E,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IACvD,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC;IACzD,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;IAC3D,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC;IAClD,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAC9C,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;IAC3D,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAC/D,IAAI,GAAG,CAAC,UAAU,EAAE,CAAC;QACpB,kEAAkE;QAClE,kEAAkE;QAClE,iEAAiE;QACjE,8DAA8D;QAC9D,gEAAgE;QAChE,+DAA+D;QAC/D,2DAA2D;QAC3D,kEAAkE;QAClE,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAClD,CAAC;IAED,GAAG,CAAC,sBAAsB,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC;IACrE,GAAG,CAAC,0CAA0C,YAAY,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IAC3E,MAAM,WAAW,CAAC,YAAY,CAAC,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;QACrD,6CAA6C;IAC9C,CAAC,CAAC,CAAC;IAEH,2CAA2C;IAC3C,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC;IAC7B,IAAI,MAAM,CAAC,KAAK,KAAK,KAAK,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CACd,gFAAgF,CAChF,CAAC;IACH,CAAC;IAED,2BAA2B;IAC3B,MAAM,QAAQ,GAAG,GAAG,GAAG,CAAC,MAAM,gCAAgC,CAAC;IAC/D,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAChC,UAAU,EAAE,oBAAoB;QAChC,SAAS,EAAE,GAAG,CAAC,QAAQ;QACvB,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,YAAY,EAAE,WAAW;QACzB,aAAa,EAAE,QAAQ;KACvB,CAAC,CAAC;IACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;QACjC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI;KACJ,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,+BAA+B,GAAG,CAAC,MAAM,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IACrF,CAAC;IACD,MAAM,QAAQ,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAa,CAAC;IAChD,OAAO,QAAQ,CAAC;AACjB,CAAC;AAED;;;;;;;;;GASG;AACI,KAAK,UAAU,aAAa,CAClC,GAA4C,EAC5C,YAAoB;IAEpB,MAAM,QAAQ,GAAG,GAAG,GAAG,CAAC,MAAM,gCAAgC,CAAC;IAC/D,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAChC,UAAU,EAAE,eAAe;QAC3B,SAAS,EAAE,GAAG,CAAC,QAAQ;QACvB,aAAa,EAAE,YAAY;KAC3B,CAAC,CAAC;IACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;QACjC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI;KACJ,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,+DAA+D;QAC/D,8DAA8D;QAC9D,gDAAgD;QAChD,MAAM,IAAI,iBAAiB,CAC1B,wBAAwB,GAAG,CAAC,MAAM,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,EAC3D,GAAG,CAAC,MAAM,CACV,CAAC;IACH,CAAC;IACD,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAa,CAAC;AACvC,CAAC;AAED;;;;;GAKG;AACH,MAAa,iBAAkB,SAAQ,KAAK;IAG1B;IAFjB,YACC,OAAe,EACC,MAAc;QAE9B,KAAK,CAAC,OAAO,CAAC,CAAC;QAFC,WAAM,GAAN,MAAM,CAAQ;QAG9B,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IACjC,CAAC;CACD;AARD,8CAQC;AAED;;;;;;GAMG;AACH,SAAgB,sBAAsB,CAA8B,KAAa;IAChF,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,IAAI,CAAC;QACJ,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAM,CAAC;IAC9E,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,IAAI,CAAC;IACb,CAAC;AACF,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,SAAS,qBAAqB,CAAC,MAAc;IAC5C,IAAI,CAAC;QACJ,MAAM,CAAC,GAAG,IAAI,cAAG,CAAC,MAAM,CAAC,CAAC;QAC1B,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;QACpB,IAAI,OAAe,CAAC;QACpB,IAAI,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;YAClC,OAAO,GAAG,qBAAqB,CAAC;QACjC,CAAC;aAAM,IAAI,IAAI,KAAK,sBAAsB,EAAE,CAAC;YAC5C,OAAO,GAAG,qBAAqB,CAAC;QACjC,CAAC;aAAM,CAAC;YACP,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QAC3C,CAAC;QACD,OAAO,WAAW,OAAO,yBAAyB,CAAC;IACpD,CAAC;IAAC,MAAM,CAAC;QACR,2DAA2D;QAC3D,8DAA8D;QAC9D,oBAAoB;QACpB,OAAO,oDAAoD,CAAC;IAC7D,CAAC;AACF,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AACH,SAAgB,cAAc,CAAC,IAI9B;IACA,MAAM,GAAG,GAAG,IAAI,cAAG,CAAC,GAAG,IAAI,CAAC,MAAM,iCAAiC,CAAC,CAAC;IACrE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;IACjD,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;QAClB,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;IACrD,CAAC;IACD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACvB,CAAC;AAED,8EAA8E;AAE9E,SAAS,QAAQ,CAAC,KAAa,EAAE,IAAY;IAC5C,OAAO,2DAA2D,UAAU,CAAC,KAAK,CAAC;;;YAGxE,UAAU,CAAC,KAAK,CAAC,QAAQ,IAAI,gBAAgB,CAAC;AAC1D,CAAC;AAED,SAAS,UAAU,CAAC,CAAS;IAC5B,OAAO,CAAC;SACN,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;SACvB,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;AAC1B,CAAC"}

package/dist/lib/package-info.js

@@ -0,0 +1,76 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.readPackageVersionSafe = readPackageVersionSafe;
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+/**
+ * Read the CLI package version at runtime so banners + headers
+ * always match the installed package. Shared between `src/index.ts`
+ * (for `ritual --version`) and the welcome banner header.
+ *
+ * Looks for `package.json` relative to the running script's
+ * directory. After build the CLI ships as `dist/index.js`, so
+ * `__dirname/../package.json` resolves correctly both for the
+ * published package and for `pnpm dev` (where `tsx` runs from
+ * `src/`).
+ *
+ * Returns `'0.0.0-unknown'` if every candidate path fails — never
+ * throws, since this is purely cosmetic UI state.
+ */
+function readPackageVersionSafe() {
+    const candidates = [
+        path.join(__dirname, '..', '..', 'package.json'),
+        path.join(__dirname, '..', 'package.json'),
+        path.join(__dirname, '..', '..', '..', 'package.json'),
+    ];
+    for (const candidate of candidates) {
+        try {
+            const raw = fs.readFileSync(candidate, 'utf-8');
+            const parsed = JSON.parse(raw);
+            if (typeof parsed.version === 'string' &&
+                parsed.version.length > 0 &&
+                typeof parsed.name === 'string' &&
+                parsed.name.includes('cli')) {
+                return parsed.version;
+            }
+        }
+        catch {
+            // try next candidate
+        }
+    }
+    return '0.0.0-unknown';
+}
+//# sourceMappingURL=package-info.js.map

package/dist/lib/package-info.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"package-info.js","sourceRoot":"","sources":["../../src/lib/package-info.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiBA,wDAuBC;AAxCD,4CAA8B;AAC9B,gDAAkC;AAElC;;;;;;;;;;;;;GAaG;AACH,SAAgB,sBAAsB;IACrC,MAAM,UAAU,GAAG;QAClB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC;QAChD,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,cAAc,CAAC;QAC1C,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC;KACtD,CAAC;IACF,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACpC,IAAI,CAAC;YACJ,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YAChD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAwC,CAAC;YACtE,IACC,OAAO,MAAM,CAAC,OAAO,KAAK,QAAQ;gBAClC,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC;gBACzB,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ;gBAC/B,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAC1B,CAAC;gBACF,OAAO,MAAM,CAAC,OAAO,CAAC;YACvB,CAAC;QACF,CAAC;QAAC,MAAM,CAAC;YACR,qBAAqB;QACtB,CAAC;IACF,CAAC;IACD,OAAO,eAAe,CAAC;AACxB,CAAC"}