@robinmordasiewicz/f5xc-api-mcp 1.0.82-2512312028 → 1.0.82-2601012247

package/README.md

@@ -91,6 +91,8 @@ Add to your MCP settings:
 | `F5XC_P12_FILE` | For cert auth | Path to P12 certificate file |
 | `F5XC_P12_PASSWORD` | For cert auth | Password for P12 certificate |
 | `F5XC_PROFILE` | No | Profile name to use (default: `defaultProfile` from config) |
+| `F5XC_TLS_INSECURE` | No | Disable SSL verification (staging only, set to `true`) |
+| `F5XC_CA_BUNDLE` | No | Path to custom CA certificate bundle |
 | `LOG_LEVEL` | No | Logging verbosity (debug, info, warn, error) |
 
 ## Profile-Based Configuration
@@ -365,6 +367,49 @@ The server automatically normalizes various URL formats:
 | `tenant.console.ves.volterra.io` | `tenant.console.ves.volterra.io/api` |
 | `https://tenant.volterra.us/` | `https://tenant.console.ves.volterra.io/api` |
 
+## SSL/TLS Configuration
+
+### Staging Environment Certificate Issue
+
+F5 XC staging environments use URLs like `tenant.staging.console.ves.volterra.io`, but the SSL
+certificate only covers `*.console.ves.volterra.io`. This causes SSL validation failures because
+wildcards only match a single subdomain level, not two levels (`tenant.staging`).
+
+**Error Example:**
+
+```
+Hostname/IP does not match certificate's altnames:
+Host: tenant.staging.console.ves.volterra.io
+Cert covers: DNS:*.console.ves.volterra.io, DNS:console.ves.volterra.io
+```
+
+### Solutions
+
+#### Option 1: Custom CA Bundle (Recommended)
+
+If your organization uses a custom CA:
+
+```bash
+export F5XC_CA_BUNDLE=/path/to/your/ca-bundle.crt
+```
+
+#### Option 2: Disable Verification (Development Only)
+
+**WARNING: Never use in production!**
+
+```bash
+export F5XC_TLS_INSECURE=true
+```
+
+### Troubleshooting SSL Errors
+
+| Error | Cause | Solution |
+|-------|-------|----------|
+| `Hostname/IP does not match certificate's altnames` | Staging URL mismatch | Use `F5XC_TLS_INSECURE=true` or custom CA |
+| `self signed certificate` | Custom CA not trusted | Set `F5XC_CA_BUNDLE` |
+| `certificate has expired` | Expired certificate | Contact F5 XC admin |
+| `unable to verify the first certificate` | Missing intermediate CA | Add intermediates to CA bundle |
+
 ## Development
 
 ### Prerequisites

package/dist/auth/credential-manager.d.ts

@@ -4,9 +4,10 @@
  * Handles authentication configuration and URL normalization.
  * Supports dual-mode operation:
  * - Documentation mode: No credentials required
- * - Execution mode: API token or P12 certificate authentication
+ * - Execution mode: API token or P12/Certificate authentication
+ *
+ * Cross-compatible with f5xc-xcsh CLI profiles.
  */
-import { ConfigManager } from "../config/index.js";
 /**
  * Authentication modes supported by the server
  */
@@ -20,13 +21,17 @@ export declare enum AuthMode {
 }
 /**
  * Environment variable names for authentication
+ * These take priority over profile settings
  */
 export declare const AUTH_ENV_VARS: {
     readonly API_URL: "F5XC_API_URL";
     readonly API_TOKEN: "F5XC_API_TOKEN";
-    readonly P12_FILE: "F5XC_P12_FILE";
-    readonly P12_PASSWORD: "F5XC_P12_PASSWORD";
-    readonly PROFILE: "F5XC_PROFILE";
+    readonly P12_BUNDLE: "F5XC_P12_BUNDLE";
+    readonly CERT: "F5XC_CERT";
+    readonly KEY: "F5XC_KEY";
+    readonly NAMESPACE: "F5XC_NAMESPACE";
+    readonly TLS_INSECURE: "F5XC_TLS_INSECURE";
+    readonly CA_BUNDLE: "F5XC_CA_BUNDLE";
 };
 /**
  * Credential configuration for API access
@@ -40,8 +45,16 @@ export interface Credentials {
     token: string | null;
     /** P12 certificate buffer (for cert auth) */
     p12Certificate: Buffer | null;
-    /** P12 certificate password */
-    p12Password: string | null;
+    /** Certificate content (for mTLS) */
+    cert: string | null;
+    /** Private key content (for mTLS) */
+    key: string | null;
+    /** Default namespace */
+    namespace: string | null;
+    /** Disable TLS certificate verification (staging/development only) */
+    tlsInsecure: boolean;
+    /** Custom CA bundle for TLS verification */
+    caBundle: Buffer | null;
 }
 /**
  * Normalize F5XC tenant URL to standard API endpoint format
@@ -67,41 +80,37 @@ export declare function extractTenantFromUrl(url: string): string | null;
  * Credential Manager
  *
  * Manages authentication credentials for F5 Distributed Cloud API.
- * Supports dual-layer credential loading with priority:
+ * Supports credential loading with priority:
  * 1. Environment variables (highest priority - overrides all)
- * 2. Named profiles from ~/.f5xc/credentials.json
+ * 2. Active profile from ~/.config/xcsh/ (cross-compatible with xcsh CLI)
  * 3. No credentials (documentation mode - lowest priority)
  */
 export declare class CredentialManager {
     private credentials;
-    private activeProfile;
-    private configManager;
-    constructor(configManager?: ConfigManager);
-    /**
-     * Load credentials from environment variables
-     */
-    private loadFromEnvironment;
+    private activeProfileName;
+    private initialized;
+    constructor();
     /**
-     * Load credentials from configuration file
+     * Initialize credentials asynchronously
+     * Must be called before using credentials
      */
-    private loadFromConfigFile;
+    initialize(): Promise<void>;
     /**
-     * Select which profile to use based on environment or config
+     * Load credentials from environment variables
      */
-    private selectProfile;
+    private loadFromEnvironment;
     /**
-     * Merge raw credentials from environment and config
-     * Environment variables override profile settings
+     * Load credentials from active profile
      */
-    private mergeCredentials;
+    private loadFromProfile;
     /**
-     * Build credentials object from raw credentials
+     * Build credentials object from profile data
      */
     private buildCredentials;
     /**
      * Load credentials with priority order:
      * 1. Environment variables (highest)
-     * 2. Profile from config file
+     * 2. Active profile from ~/.config/xcsh/
      * 3. No credentials - documentation mode (lowest)
      */
     private loadCredentials;
@@ -135,17 +144,34 @@ export declare class CredentialManager {
      */
     getP12Certificate(): Buffer | null;
     /**
-     * Get P12 certificate password
+     * Get certificate content (for mTLS)
+     */
+    getCert(): string | null;
+    /**
+     * Get private key content (for mTLS)
+     */
+    getKey(): string | null;
+    /**
+     * Get default namespace
+     */
+    getNamespace(): string | null;
+    /**
+     * Check if TLS certificate verification is disabled
+     * WARNING: Only use for staging/development environments
+     */
+    getTlsInsecure(): boolean;
+    /**
+     * Get custom CA bundle for TLS verification
      */
-    getP12Password(): string | null;
+    getCaBundle(): Buffer | null;
     /**
      * Get full credentials object
      */
     getCredentials(): Readonly<Credentials>;
     /**
-     * Reload credentials from environment
+     * Reload credentials from environment/profile
      * Useful for testing or when credentials change
      */
-    reload(): void;
+    reload(): Promise<void>;
 }
 //# sourceMappingURL=credential-manager.d.ts.map

package/dist/auth/credential-manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"credential-manager.d.ts","sourceRoot":"","sources":["../../src/auth/credential-manager.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAGnD;;GAEG;AACH,oBAAY,QAAQ;IAClB,kDAAkD;IAClD,IAAI,SAAS;IACb,+BAA+B;IAC/B,KAAK,UAAU;IACf,4CAA4C;IAC5C,WAAW,gBAAgB;CAC5B;AAED;;GAEG;AACH,eAAO,MAAM,aAAa;;;;;;CAMhB,CAAC;AAaX;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,0BAA0B;IAC1B,IAAI,EAAE,QAAQ,CAAC;IACf,yBAAyB;IACzB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,iCAAiC;IACjC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,6CAA6C;IAC7C,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,+BAA+B;IAC/B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAcD;;;;;;;;;;;GAWG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAsBrD;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAG/D;AAED;;;;;;;;GAQG;AACH,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,WAAW,CAAc;IACjC,OAAO,CAAC,aAAa,CAAuB;IAC5C,OAAO,CAAC,aAAa,CAAgB;gBAEzB,aAAa,CAAC,EAAE,aAAa;IAKzC;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAS3B;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAuC1B;;OAEG;IACH,OAAO,CAAC,aAAa;IAWrB;;;OAGG;IACH,OAAO,CAAC,gBAAgB;IASxB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IA+CxB;;;;;OAKG;IACH,OAAO,CAAC,eAAe;IA0CvB;;;OAGG;IACH,gBAAgB,IAAI,MAAM,GAAG,IAAI;IAIjC;;OAEG;IACH,WAAW,IAAI,QAAQ;IAIvB;;OAEG;IACH,eAAe,IAAI,OAAO;IAI1B;;OAEG;IACH,SAAS,IAAI,MAAM,GAAG,IAAI;IAI1B;;OAEG;IACH,SAAS,IAAI,MAAM,GAAG,IAAI;IAI1B;;OAEG;IACH,QAAQ,IAAI,MAAM,GAAG,IAAI;IAIzB;;OAEG;IACH,iBAAiB,IAAI,MAAM,GAAG,IAAI;IAIlC;;OAEG;IACH,cAAc,IAAI,MAAM,GAAG,IAAI;IAI/B;;OAEG;IACH,cAAc,IAAI,QAAQ,CAAC,WAAW,CAAC;IAIvC;;;OAGG;IACH,MAAM,IAAI,IAAI;CAGf"}
+{"version":3,"file":"credential-manager.d.ts","sourceRoot":"","sources":["../../src/auth/credential-manager.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAMH;;GAEG;AACH,oBAAY,QAAQ;IAClB,kDAAkD;IAClD,IAAI,SAAS;IACb,+BAA+B;IAC/B,KAAK,UAAU;IACf,4CAA4C;IAC5C,WAAW,gBAAgB;CAC5B;AAED;;;GAGG;AACH,eAAO,MAAM,aAAa;;;;;;;;;CAUhB,CAAC;AAEX;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,0BAA0B;IAC1B,IAAI,EAAE,QAAQ,CAAC;IACf,yBAAyB;IACzB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,iCAAiC;IACjC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,6CAA6C;IAC7C,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,qCAAqC;IACrC,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,qCAAqC;IACrC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,wBAAwB;IACxB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,sEAAsE;IACtE,WAAW,EAAE,OAAO,CAAC;IACrB,4CAA4C;IAC5C,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB;AAcD;;;;;;;;;;;GAWG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAsBrD;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAG/D;AAED;;;;;;;;GAQG;AACH,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,WAAW,CAAc;IACjC,OAAO,CAAC,iBAAiB,CAAuB;IAChD,OAAO,CAAC,WAAW,CAAS;;IAiB5B;;;OAGG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAMjC;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA0B3B;;OAEG;YACW,eAAe;IAmB7B;;OAEG;IACH,OAAO,CAAC,gBAAgB;IA+FxB;;;;;OAKG;YACW,eAAe;IA4C7B;;;OAGG;IACH,gBAAgB,IAAI,MAAM,GAAG,IAAI;IAIjC;;OAEG;IACH,WAAW,IAAI,QAAQ;IAIvB;;OAEG;IACH,eAAe,IAAI,OAAO;IAI1B;;OAEG;IACH,SAAS,IAAI,MAAM,GAAG,IAAI;IAI1B;;OAEG;IACH,SAAS,IAAI,MAAM,GAAG,IAAI;IAI1B;;OAEG;IACH,QAAQ,IAAI,MAAM,GAAG,IAAI;IAIzB;;OAEG;IACH,iBAAiB,IAAI,MAAM,GAAG,IAAI;IAIlC;;OAEG;IACH,OAAO,IAAI,MAAM,GAAG,IAAI;IAIxB;;OAEG;IACH,MAAM,IAAI,MAAM,GAAG,IAAI;IAIvB;;OAEG;IACH,YAAY,IAAI,MAAM,GAAG,IAAI;IAI7B;;;OAGG;IACH,cAAc,IAAI,OAAO;IAIzB;;OAEG;IACH,WAAW,IAAI,MAAM,GAAG,IAAI;IAI5B;;OAEG;IACH,cAAc,IAAI,QAAQ,CAAC,WAAW,CAAC;IAIvC;;;OAGG;IACG,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;CAK9B"}

package/dist/auth/credential-manager.js

@@ -4,11 +4,13 @@
  * Handles authentication configuration and URL normalization.
  * Supports dual-mode operation:
  * - Documentation mode: No credentials required
- * - Execution mode: API token or P12 certificate authentication
+ * - Execution mode: API token or P12/Certificate authentication
+ *
+ * Cross-compatible with f5xc-xcsh CLI profiles.
  */
 import { readFileSync } from "fs";
 import { logger } from "../utils/logging.js";
-import { ConfigManager } from "../config/index.js";
+import { getProfileManager } from "../profile/index.js";
 /**
  * Authentication modes supported by the server
  */
@@ -23,13 +25,18 @@ export var AuthMode;
 })(AuthMode || (AuthMode = {}));
 /**
  * Environment variable names for authentication
+ * These take priority over profile settings
  */
 export const AUTH_ENV_VARS = {
     API_URL: "F5XC_API_URL",
     API_TOKEN: "F5XC_API_TOKEN",
-    P12_FILE: "F5XC_P12_FILE",
-    P12_PASSWORD: "F5XC_P12_PASSWORD",
-    PROFILE: "F5XC_PROFILE",
+    P12_BUNDLE: "F5XC_P12_BUNDLE",
+    CERT: "F5XC_CERT",
+    KEY: "F5XC_KEY",
+    NAMESPACE: "F5XC_NAMESPACE",
+    // TLS configuration
+    TLS_INSECURE: "F5XC_TLS_INSECURE",
+    CA_BUNDLE: "F5XC_CA_BUNDLE",
 };
 /**
  * URL normalization patterns
@@ -88,118 +95,132 @@ export function extractTenantFromUrl(url) {
  * Credential Manager
  *
  * Manages authentication credentials for F5 Distributed Cloud API.
- * Supports dual-layer credential loading with priority:
+ * Supports credential loading with priority:
  * 1. Environment variables (highest priority - overrides all)
- * 2. Named profiles from ~/.f5xc/credentials.json
+ * 2. Active profile from ~/.config/xcsh/ (cross-compatible with xcsh CLI)
  * 3. No credentials (documentation mode - lowest priority)
  */
 export class CredentialManager {
     credentials;
-    activeProfile = null;
-    configManager;
-    constructor(configManager) {
-        this.configManager = configManager ?? new ConfigManager();
-        this.credentials = this.loadCredentials();
+    activeProfileName = null;
+    initialized = false;
+    constructor() {
+        // Initialize with empty credentials - will be loaded async
+        this.credentials = {
+            mode: AuthMode.NONE,
+            apiUrl: null,
+            token: null,
+            p12Certificate: null,
+            cert: null,
+            key: null,
+            namespace: null,
+            tlsInsecure: false,
+            caBundle: null,
+        };
+    }
+    /**
+     * Initialize credentials asynchronously
+     * Must be called before using credentials
+     */
+    async initialize() {
+        if (this.initialized)
+            return;
+        this.credentials = await this.loadCredentials();
+        this.initialized = true;
     }
     /**
      * Load credentials from environment variables
      */
     loadFromEnvironment() {
+        const apiUrl = process.env[AUTH_ENV_VARS.API_URL];
+        const apiToken = process.env[AUTH_ENV_VARS.API_TOKEN];
+        const p12Bundle = process.env[AUTH_ENV_VARS.P12_BUNDLE];
+        const cert = process.env[AUTH_ENV_VARS.CERT];
+        const key = process.env[AUTH_ENV_VARS.KEY];
+        const defaultNamespace = process.env[AUTH_ENV_VARS.NAMESPACE];
+        const tlsInsecure = process.env[AUTH_ENV_VARS.TLS_INSECURE]?.toLowerCase() === "true";
+        const caBundle = process.env[AUTH_ENV_VARS.CA_BUNDLE];
+        const hasAuth = !!(apiToken || p12Bundle || (cert && key));
         return {
-            apiUrl: process.env[AUTH_ENV_VARS.API_URL],
-            token: process.env[AUTH_ENV_VARS.API_TOKEN],
-            p12File: process.env[AUTH_ENV_VARS.P12_FILE],
-            p12Password: process.env[AUTH_ENV_VARS.P12_PASSWORD],
+            name: "__env__",
+            apiUrl: apiUrl || "",
+            apiToken,
+            p12Bundle,
+            cert,
+            key,
+            defaultNamespace,
+            hasAuth,
+            tlsInsecure,
+            caBundle,
         };
     }
     /**
-     * Load credentials from configuration file
+     * Load credentials from active profile
      */
-    loadFromConfigFile() {
+    async loadFromProfile() {
         try {
-            const config = this.configManager.readSync();
-            if (!config || Object.keys(config.profiles).length === 0) {
-                return null;
-            }
-            const profileName = this.selectProfile(config);
-            if (!profileName) {
-                return null;
-            }
-            const profile = config.profiles[profileName];
-            if (!profile) {
-                return null;
+            const profileManager = getProfileManager();
+            const profile = await profileManager.getActiveProfile();
+            if (profile) {
+                this.activeProfileName = profile.name;
+                return profile;
             }
-            this.activeProfile = profileName;
-            // Touch the profile to update lastUsedAt (async, but don't block)
-            this.configManager.touchProfile(profileName).catch(() => {
-                // Silently ignore touch errors
-            });
-            return {
-                apiUrl: profile.apiUrl,
-                token: profile.apiToken,
-                p12File: profile.p12File,
-                p12Password: profile.p12Password,
-            };
+            return null;
         }
         catch (error) {
-            logger.debug("Failed to load credentials from config file", {
+            logger.debug("Failed to load credentials from profile", {
                 error: error instanceof Error ? error.message : String(error),
             });
             return null;
         }
     }
     /**
-     * Select which profile to use based on environment or config
+     * Build credentials object from profile data
      */
-    selectProfile(config) {
-        // Check if F5XC_PROFILE is explicitly set
-        const envProfile = process.env[AUTH_ENV_VARS.PROFILE];
-        if (envProfile && config.profiles[envProfile]) {
-            return envProfile;
-        }
-        // Fall back to default profile if set
-        return config.defaultProfile ?? null;
-    }
-    /**
-     * Merge raw credentials from environment and config
-     * Environment variables override profile settings
-     */
-    mergeCredentials(envCreds, profileCreds) {
-        return {
-            apiUrl: envCreds.apiUrl ?? profileCreds.apiUrl,
-            token: envCreds.token ?? profileCreds.token,
-            p12File: envCreds.p12File ?? profileCreds.p12File,
-            p12Password: envCreds.p12Password ?? profileCreds.p12Password,
-        };
-    }
-    /**
-     * Build credentials object from raw credentials
-     */
-    buildCredentials(rawCreds) {
-        const apiUrl = rawCreds.apiUrl;
-        const token = rawCreds.token;
-        const p12File = rawCreds.p12File;
-        const p12Password = rawCreds.p12Password;
+    buildCredentials(profile) {
+        const apiUrl = profile.apiUrl;
         // Determine authentication mode
         let mode = AuthMode.NONE;
         let normalizedUrl = null;
         let p12Certificate = null;
+        let cert = null;
+        let key = null;
+        // TLS configuration
+        const tlsInsecure = profile.tlsInsecure ?? false;
+        let caBundle = null;
+        // Load CA bundle if specified
+        if (profile.caBundle) {
+            try {
+                caBundle = readFileSync(profile.caBundle);
+                logger.info("Loaded CA bundle", { file: profile.caBundle });
+            }
+            catch (error) {
+                logger.warn("Failed to load CA bundle", {
+                    file: profile.caBundle,
+                    error: error instanceof Error ? error.message : String(error),
+                });
+            }
+        }
+        // Log TLS insecure mode warning
+        if (tlsInsecure) {
+            logger.warn("TLS certificate verification is DISABLED. This is insecure and should only be used for staging/development environments.");
+        }
         if (apiUrl) {
             normalizedUrl = normalizeApiUrl(apiUrl);
-            if (p12File) {
-                // Certificate authentication takes precedence
+            if (profile.p12Bundle) {
+                // P12 certificate authentication
                 mode = AuthMode.CERTIFICATE;
                 try {
-                    p12Certificate = readFileSync(p12File);
-                    logger.info("Loaded P12 certificate", { file: p12File });
+                    p12Certificate = readFileSync(profile.p12Bundle);
+                    logger.info("Loaded P12 certificate", { file: profile.p12Bundle });
                 }
                 catch (error) {
                     logger.error("Failed to load P12 certificate", {
-                        file: p12File,
+                        file: profile.p12Bundle,
                         error: error instanceof Error ? error.message : String(error),
                     });
                     // Fall back to token auth if certificate load fails
-                    if (token) {
+                    if (profile.apiToken) {
                         mode = AuthMode.TOKEN;
                         logger.info("Falling back to token authentication");
                     }
@@ -208,48 +229,74 @@ export class CredentialManager {
                     }
                 }
             }
-            else if (token) {
+            else if (profile.cert && profile.key) {
+                // Certificate + key authentication
+                mode = AuthMode.CERTIFICATE;
+                try {
+                    cert = readFileSync(profile.cert, "utf-8");
+                    key = readFileSync(profile.key, "utf-8");
+                    logger.info("Loaded certificate and key", {
+                        cert: profile.cert,
+                        key: profile.key,
+                    });
+                }
+                catch (error) {
+                    logger.error("Failed to load certificate/key", {
+                        error: error instanceof Error ? error.message : String(error),
+                    });
+                    if (profile.apiToken) {
+                        mode = AuthMode.TOKEN;
+                        logger.info("Falling back to token authentication");
+                    }
+                    else {
+                        mode = AuthMode.NONE;
+                    }
+                }
+            }
+            else if (profile.apiToken) {
                 mode = AuthMode.TOKEN;
             }
         }
         return {
             mode,
             apiUrl: normalizedUrl,
-            token: token ?? null,
+            token: profile.apiToken ?? null,
             p12Certificate,
-            p12Password: p12Password ?? null,
+            cert,
+            key,
+            namespace: profile.defaultNamespace ?? null,
+            tlsInsecure,
+            caBundle,
         };
     }
     /**
      * Load credentials with priority order:
      * 1. Environment variables (highest)
-     * 2. Profile from config file
+     * 2. Active profile from ~/.config/xcsh/
      * 3. No credentials - documentation mode (lowest)
      */
-    loadCredentials() {
-        // Step 1: Try environment variables first (highest priority)
+    async loadCredentials() {
+        // Step 1: Check environment variables first (highest priority)
         const envCreds = this.loadFromEnvironment();
-        if (envCreds.apiUrl && (envCreds.token || envCreds.p12File)) {
+        if (envCreds.apiUrl && envCreds.hasAuth) {
             const credentials = this.buildCredentials(envCreds);
             const tenant = credentials.apiUrl ? extractTenantFromUrl(credentials.apiUrl) : null;
             logger.info("Credentials loaded from environment variables", {
                 mode: credentials.mode,
                 tenant,
-                profile: this.activeProfile,
             });
             return credentials;
         }
-        // Step 2: Try config file profile (medium priority)
-        const profileCreds = this.loadFromConfigFile();
-        if (profileCreds) {
-            const merged = this.mergeCredentials(envCreds, profileCreds);
-            const credentials = this.buildCredentials(merged);
+        // Step 2: Try active profile from ~/.config/xcsh/
+        const profile = await this.loadFromProfile();
+        if (profile) {
+            const credentials = this.buildCredentials(profile);
             if (credentials.mode !== AuthMode.NONE) {
                 const tenant = credentials.apiUrl ? extractTenantFromUrl(credentials.apiUrl) : null;
-                logger.info("Credentials loaded from config profile", {
+                logger.info("Credentials loaded from profile", {
                     mode: credentials.mode,
                     tenant,
-                    profile: this.activeProfile,
+                    profile: this.activeProfileName,
                 });
                 return credentials;
             }
@@ -261,7 +308,11 @@ export class CredentialManager {
             apiUrl: null,
             token: null,
             p12Certificate: null,
-            p12Password: null,
+            cert: null,
+            key: null,
+            namespace: null,
+            tlsInsecure: false,
+            caBundle: null,
         };
     }
     /**
@@ -269,7 +320,7 @@ export class CredentialManager {
      * Returns null if credentials are from environment variables or no profile is active
      */
     getActiveProfile() {
-        return this.activeProfile;
+        return this.activeProfileName;
     }
     /**
      * Get the current authentication mode
@@ -308,10 +359,35 @@ export class CredentialManager {
         return this.credentials.p12Certificate;
     }
     /**
-     * Get P12 certificate password
+     * Get certificate content (for mTLS)
+     */
+    getCert() {
+        return this.credentials.cert;
+    }
+    /**
+     * Get private key content (for mTLS)
+     */
+    getKey() {
+        return this.credentials.key;
+    }
+    /**
+     * Get default namespace
+     */
+    getNamespace() {
+        return this.credentials.namespace;
+    }
+    /**
+     * Check if TLS certificate verification is disabled
+     * WARNING: Only use for staging/development environments
+     */
+    getTlsInsecure() {
+        return this.credentials.tlsInsecure;
+    }
+    /**
+     * Get custom CA bundle for TLS verification
      */
-    getP12Password() {
-        return this.credentials.p12Password;
+    getCaBundle() {
+        return this.credentials.caBundle;
     }
     /**
      * Get full credentials object
@@ -320,11 +396,13 @@ export class CredentialManager {
         return Object.freeze({ ...this.credentials });
     }
     /**
-     * Reload credentials from environment
+     * Reload credentials from environment/profile
      * Useful for testing or when credentials change
      */
-    reload() {
-        this.credentials = this.loadCredentials();
+    async reload() {
+        this.initialized = false;
+        this.activeProfileName = null;
+        await this.initialize();
     }
 }
 //# sourceMappingURL=credential-manager.js.map