@salesforce/b2c-cli 0.8.0 → 0.10.0

package/dist/commands/auth/client/index.d.ts

@@ -0,0 +1,32 @@
+import { BaseCommand } from '@salesforce/b2c-tooling-sdk/cli';
+/**
+ * Authenticate an API client (client_credentials or password grant) and persist the session.
+ * Mirrors sfcc-ci `client:auth` command behavior. Uses the same stateful store so tokens
+ * are shared with sfcc-ci, b2c auth:login, and subsequent CLI commands.
+ *
+ * Grant type is auto-detected based on credentials provided:
+ *   - client_credentials: when only --client-id + --client-secret are given
+ *   - password: when --user + --user-password are also provided
+ *
+ * Use --renew to enable automatic token renewal for later use with `auth client renew`.
+ */
+export default class AuthClient extends BaseCommand<typeof AuthClient> {
+    static hiddenAliases: string[];
+    static description: string;
+    static examples: string[];
+    static flags: {
+        'client-id': import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
+        'client-secret': import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
+        'account-manager-host': import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
+        'auth-scope': import("@oclif/core/interfaces").OptionFlag<string[] | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        renew: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        'grant-type': import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        user: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        'user-password': import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+    };
+    protected loadConfiguration(): Promise<import("@salesforce/b2c-tooling-sdk").ResolvedB2CConfig>;
+    run(): Promise<void>;
+    private extractUser;
+    private parseErrorMessage;
+    private resolveGrantType;
+}

package/dist/commands/auth/client/index.js

@@ -0,0 +1,181 @@
+/*
+ * Copyright (c) 2025, Salesforce, Inc.
+ * SPDX-License-Identifier: Apache-2
+ * For full license text, see the license.txt file in the repo root or http://www.apache.org/licenses/LICENSE-2.0
+ */
+import { Flags } from '@oclif/core';
+import { BaseCommand, loadConfig } from '@salesforce/b2c-tooling-sdk/cli';
+import { setStoredSession, decodeJWT } from '@salesforce/b2c-tooling-sdk/auth';
+import { DEFAULT_ACCOUNT_MANAGER_HOST } from '@salesforce/b2c-tooling-sdk';
+import { t } from '../../../i18n/index.js';
+/**
+ * Authenticate an API client (client_credentials or password grant) and persist the session.
+ * Mirrors sfcc-ci `client:auth` command behavior. Uses the same stateful store so tokens
+ * are shared with sfcc-ci, b2c auth:login, and subsequent CLI commands.
+ *
+ * Grant type is auto-detected based on credentials provided:
+ *   - client_credentials: when only --client-id + --client-secret are given
+ *   - password: when --user + --user-password are also provided
+ *
+ * Use --renew to enable automatic token renewal for later use with `auth client renew`.
+ */
+export default class AuthClient extends BaseCommand {
+    static hiddenAliases = ['client:auth'];
+    static description = t('commands.auth.client.description', 'Authenticate an API client and save session');
+    static examples = [
+        '<%= config.bin %> <%= command.id %> --client-id <id> --client-secret <secret>',
+        '<%= config.bin %> <%= command.id %> --client-id <id> --client-secret <secret> --renew',
+        '<%= config.bin %> <%= command.id %> --client-id <id> --client-secret <secret> --user <email> --user-password <pwd>',
+        '<%= config.bin %> <%= command.id %> --client-id <id> --client-secret <secret> --grant-type client_credentials',
+    ];
+    static flags = {
+        'client-id': Flags.string({
+            description: 'Client ID for OAuth',
+            env: 'SFCC_CLIENT_ID',
+            default: async () => process.env.SFCC_OAUTH_CLIENT_ID || undefined,
+            helpGroup: 'AUTH',
+        }),
+        'client-secret': Flags.string({
+            description: 'Client secret for OAuth',
+            env: 'SFCC_CLIENT_SECRET',
+            default: async () => process.env.SFCC_OAUTH_CLIENT_SECRET || undefined,
+            helpGroup: 'AUTH',
+        }),
+        'account-manager-host': Flags.string({
+            description: `Account Manager hostname for OAuth (default: ${DEFAULT_ACCOUNT_MANAGER_HOST})`,
+            env: 'SFCC_ACCOUNT_MANAGER_HOST',
+            default: async () => process.env.SFCC_LOGIN_URL || undefined,
+            helpGroup: 'AUTH',
+        }),
+        'auth-scope': Flags.string({
+            description: 'OAuth scopes to request (comma-separated)',
+            env: 'SFCC_OAUTH_SCOPES',
+            multiple: true,
+            multipleNonGreedy: true,
+            delimiter: ',',
+            helpGroup: 'AUTH',
+        }),
+        renew: Flags.boolean({
+            char: 'r',
+            description: 'Enable automatic token renewal (stores credentials for later refresh)',
+            default: false,
+        }),
+        'grant-type': Flags.string({
+            char: 't',
+            description: 'OAuth grant type (default: auto-detect based on provided credentials)',
+            options: ['client_credentials', 'password'],
+        }),
+        user: Flags.string({
+            description: 'Username for resource owner password credentials grant',
+            env: 'SFCC_OAUTH_USER_NAME',
+        }),
+        'user-password': Flags.string({
+            description: 'Password for resource owner password credentials grant',
+            env: 'SFCC_OAUTH_USER_PASSWORD',
+        }),
+    };
+    loadConfiguration() {
+        const scopes = this.flags['auth-scope'];
+        return loadConfig({
+            clientId: this.flags['client-id'],
+            clientSecret: this.flags['client-secret'],
+            accountManagerHost: this.flags['account-manager-host'],
+            scopes: scopes && scopes.length > 0 ? scopes : undefined,
+        }, this.getBaseConfigOptions());
+    }
+    async run() {
+        const clientId = this.resolvedConfig.values.clientId;
+        const clientSecret = this.resolvedConfig.values.clientSecret;
+        if (!clientId || !clientSecret) {
+            this.error(t('commands.auth.client.credentialsRequired', 'Client ID and client secret are required. Provide --client-id and --client-secret or set SFCC_CLIENT_ID and SFCC_CLIENT_SECRET.'));
+        }
+        const user = this.flags.user;
+        const userPassword = this.flags['user-password'];
+        const grantType = this.resolveGrantType(this.flags['grant-type'], user);
+        const autoRenew = this.flags.renew;
+        if (grantType === 'password' && (!user || !userPassword)) {
+            this.error(t('commands.auth.client.userRequired', 'Username and password are required for password grant. Provide --user and --user-password.'));
+        }
+        const accountManagerHost = this.resolvedConfig.values.accountManagerHost ?? DEFAULT_ACCOUNT_MANAGER_HOST;
+        const scopes = this.resolvedConfig.values.scopes;
+        const grantPayload = { grant_type: grantType };
+        if (grantType === 'password') {
+            grantPayload.username = user;
+            grantPayload.password = userPassword;
+        }
+        if (scopes && scopes.length > 0) {
+            grantPayload.scope = scopes.join(' ');
+        }
+        const credentials = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
+        const url = `https://${accountManagerHost}/dwsso/oauth2/access_token`;
+        const method = 'POST';
+        const body = new URLSearchParams(grantPayload).toString();
+        this.logger.debug({ grantType, clientId }, `[StatefulAuth] Using OAuth ${grantType} grant for client: ${clientId}`);
+        this.logger.debug({ method, url }, `[StatefulAuth REQ] ${method} ${url}`);
+        this.logger.trace({ method, url, body }, `[StatefulAuth REQ BODY] ${method} ${url}`);
+        const startTime = Date.now();
+        const response = await fetch(url, {
+            method,
+            headers: {
+                Authorization: `Basic ${credentials}`,
+                'Content-Type': 'application/x-www-form-urlencoded',
+            },
+            body,
+        });
+        const duration = Date.now() - startTime;
+        this.logger.debug({ method, url, status: response.status, duration }, `[StatefulAuth RESP] ${method} ${url} ${response.status} ${duration}ms`);
+        if (!response.ok) {
+            const errorText = await response.text();
+            this.logger.trace({ method, url, body: errorText }, `[StatefulAuth RESP BODY] ${method} ${url}`);
+            this.error(t('commands.auth.client.failed', 'Authentication failed: {{error}}', {
+                error: this.parseErrorMessage(errorText),
+            }));
+        }
+        const data = (await response.json());
+        this.logger.trace({ method, url, body: data }, `[StatefulAuth RESP BODY] ${method} ${url}`);
+        try {
+            const decoded = decodeJWT(data.access_token);
+            this.logger.trace({ jwt: decoded.payload }, '[StatefulAuth] JWT payload');
+        }
+        catch {
+            // not a JWT; ignore
+        }
+        setStoredSession({
+            clientId,
+            accessToken: data.access_token,
+            refreshToken: data.refresh_token ?? null,
+            renewBase: autoRenew ? credentials : null,
+            user: this.extractUser(data.id_token),
+        });
+        const renewMsg = autoRenew ? ' Auto-renewal enabled.' : '';
+        this.log(t('commands.auth.client.success', 'Authentication succeeded.{{renewMsg}}', { renewMsg }));
+    }
+    extractUser(idToken) {
+        if (!idToken)
+            return null;
+        try {
+            const decoded = decodeJWT(idToken);
+            return typeof decoded.payload.sub === 'string' ? decoded.payload.sub : null;
+        }
+        catch {
+            return null;
+        }
+    }
+    parseErrorMessage(errorText) {
+        try {
+            const parsed = JSON.parse(errorText);
+            return parsed.error_description ?? errorText;
+        }
+        catch {
+            return errorText;
+        }
+    }
+    resolveGrantType(grantTypeFlag, user) {
+        if (grantTypeFlag)
+            return grantTypeFlag;
+        if (user)
+            return 'password';
+        return 'client_credentials';
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/commands/auth/client/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/commands/auth/client/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAC,KAAK,EAAC,MAAM,aAAa,CAAC;AAClC,OAAO,EAAC,WAAW,EAAE,UAAU,EAAC,MAAM,iCAAiC,CAAC;AACxE,OAAO,EAAC,gBAAgB,EAAE,SAAS,EAAC,MAAM,kCAAkC,CAAC;AAC7E,OAAO,EAAC,4BAA4B,EAAC,MAAM,6BAA6B,CAAC;AACzE,OAAO,EAAC,CAAC,EAAC,MAAM,wBAAwB,CAAC;AAEzC;;;;;;;;;;GAUG;AACH,MAAM,CAAC,OAAO,OAAO,UAAW,SAAQ,WAA8B;IACpE,MAAM,CAAC,aAAa,GAAG,CAAC,aAAa,CAAC,CAAC;IAEvC,MAAM,CAAC,WAAW,GAAG,CAAC,CAAC,kCAAkC,EAAE,6CAA6C,CAAC,CAAC;IAE1G,MAAM,CAAC,QAAQ,GAAG;QAChB,+EAA+E;QAC/E,uFAAuF;QACvF,oHAAoH;QACpH,+GAA+G;KAChH,CAAC;IAEF,MAAM,CAAC,KAAK,GAAG;QACb,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC;YACxB,WAAW,EAAE,qBAAqB;YAClC,GAAG,EAAE,gBAAgB;YACrB,OAAO,EAAE,KAAK,IAAI,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,SAAS;YAClE,SAAS,EAAE,MAAM;SAClB,CAAC;QACF,eAAe,EAAE,KAAK,CAAC,MAAM,CAAC;YAC5B,WAAW,EAAE,yBAAyB;YACtC,GAAG,EAAE,oBAAoB;YACzB,OAAO,EAAE,KAAK,IAAI,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,wBAAwB,IAAI,SAAS;YACtE,SAAS,EAAE,MAAM;SAClB,CAAC;QACF,sBAAsB,EAAE,KAAK,CAAC,MAAM,CAAC;YACnC,WAAW,EAAE,gDAAgD,4BAA4B,GAAG;YAC5F,GAAG,EAAE,2BAA2B;YAChC,OAAO,EAAE,KAAK,IAAI,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,SAAS;YAC5D,SAAS,EAAE,MAAM;SAClB,CAAC;QACF,YAAY,EAAE,KAAK,CAAC,MAAM,CAAC;YACzB,WAAW,EAAE,2CAA2C;YACxD,GAAG,EAAE,mBAAmB;YACxB,QAAQ,EAAE,IAAI;YACd,iBAAiB,EAAE,IAAI;YACvB,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,MAAM;SAClB,CAAC;QACF,KAAK,EAAE,KAAK,CAAC,OAAO,CAAC;YACnB,IAAI,EAAE,GAAG;YACT,WAAW,EAAE,uEAAuE;YACpF,OAAO,EAAE,KAAK;SACf,CAAC;QACF,YAAY,EAAE,KAAK,CAAC,MAAM,CAAC;YACzB,IAAI,EAAE,GAAG;YACT,WAAW,EAAE,uEAAuE;YACpF,OAAO,EAAE,CAAC,oBAAoB,EAAE,UAAU,CAAC;SAC5C,CAAC;QACF,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC;YACjB,WAAW,EAAE,wDAAwD;YACrE,GAAG,EAAE,sBAAsB;SAC5B,CAAC;QACF,eAAe,EAAE,KAAK,CAAC,MAAM,CAAC;YAC5B,WAAW,EAAE,wDAAwD;YACrE,GAAG,EAAE,0BAA0B;SAChC,CAAC;KACH,CAAC;IAEiB,iBAAiB;QAClC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAyB,CAAC;QAChE,OAAO,UAAU,CACf;YACE,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,WAAW,CAAuB;YACvD,YAAY,EAAE,IAAI,CAAC,KAAK,CAAC,eAAe,CAAuB;YAC/D,kBAAkB,EAAE,IAAI,CAAC,KAAK,CAAC,sBAAsB,CAAuB;YAC5E,MAAM,EAAE,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;SACzD,EACD,IAAI,CAAC,oBAAoB,EAAE,CAC5B,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,GAAG;QACP,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,QAAQ,CAAC;QACrD,MAAM,YAAY,GAAG,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,YAAY,CAAC;QAE7D,IAAI,CAAC,QAAQ,IAAI,CAAC,YAAY,EAAE,CAAC;YAC/B,IAAI,CAAC,KAAK,CACR,CAAC,CACC,0CAA0C,EAC1C,iIAAiI,CAClI,CACF,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;QAC7B,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;QACjD,MAAM,SAAS,GAAG,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,EAAE,IAAI,CAAC,CAAC;QACxE,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC;QAEnC,IAAI,SAAS,KAAK,UAAU,IAAI,CAAC,CAAC,IAAI,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;YACzD,IAAI,CAAC,KAAK,CACR,CAAC,CACC,mCAAmC,EACnC,4FAA4F,CAC7F,CACF,CAAC;QACJ,CAAC;QAED,MAAM,kBAAkB,GAAG,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,kBAAkB,IAAI,4BAA4B,CAAC;QACzG,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,MAAM,CAAC;QAEjD,MAAM,YAAY,GAA2B,EAAC,UAAU,EAAE,SAAS,EAAC,CAAC;QACrE,IAAI,SAAS,KAAK,UAAU,EAAE,CAAC;YAC7B,YAAY,CAAC,QAAQ,GAAG,IAAK,CAAC;YAC9B,YAAY,CAAC,QAAQ,GAAG,YAAa,CAAC;QACxC,CAAC;QACD,IAAI,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChC,YAAY,CAAC,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACxC,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,QAAQ,IAAI,YAAY,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAClF,MAAM,GAAG,GAAG,WAAW,kBAAkB,4BAA4B,CAAC;QAEtE,MAAM,MAAM,GAAG,MAAM,CAAC;QACtB,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC,YAAY,CAAC,CAAC,QAAQ,EAAE,CAAC;QAE1D,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAC,SAAS,EAAE,QAAQ,EAAC,EAAE,8BAA8B,SAAS,sBAAsB,QAAQ,EAAE,CAAC,CAAC;QAClH,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAC,MAAM,EAAE,GAAG,EAAC,EAAE,sBAAsB,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC;QACxE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAC,MAAM,EAAE,GAAG,EAAE,IAAI,EAAC,EAAE,2BAA2B,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC;QAEnF,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM;YACN,OAAO,EAAE;gBACP,aAAa,EAAE,SAAS,WAAW,EAAE;gBACrC,cAAc,EAAE,mCAAmC;aACpD;YACD,IAAI;SACL,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QAExC,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,EAAC,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,QAAQ,EAAC,EAChD,uBAAuB,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,MAAM,IAAI,QAAQ,IAAI,CACxE,CAAC;QAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACxC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAC,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,SAAS,EAAC,EAAE,4BAA4B,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC;YAC/F,IAAI,CAAC,KAAK,CACR,CAAC,CAAC,6BAA6B,EAAE,kCAAkC,EAAE;gBACnE,KAAK,EAAE,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC;aACzC,CAAC,CACH,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAMlC,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAC,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAC,EAAE,4BAA4B,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC;QAE1F,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAC7C,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAC,GAAG,EAAE,OAAO,CAAC,OAAO,EAAC,EAAE,4BAA4B,CAAC,CAAC;QAC1E,CAAC;QAAC,MAAM,CAAC;YACP,oBAAoB;QACtB,CAAC;QAED,gBAAgB,CAAC;YACf,QAAQ;YACR,WAAW,EAAE,IAAI,CAAC,YAAY;YAC9B,YAAY,EAAE,IAAI,CAAC,aAAa,IAAI,IAAI;YACxC,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI;YACzC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC;SACtC,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,SAAS,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,EAAE,CAAC;QAC3D,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,8BAA8B,EAAE,uCAAuC,EAAE,EAAC,QAAQ,EAAC,CAAC,CAAC,CAAC;IACnG,CAAC;IAEO,WAAW,CAAC,OAA2B;QAC7C,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;QAC1B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC;YACnC,OAAO,OAAO,OAAO,CAAC,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;QAC9E,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAEO,iBAAiB,CAAC,SAAiB;QACzC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAiC,CAAC;YACrE,OAAO,MAAM,CAAC,iBAAiB,IAAI,SAAS,CAAC;QAC/C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAEO,gBAAgB,CAAC,aAAiC,EAAE,IAAwB;QAClF,IAAI,aAAa;YAAE,OAAO,aAAa,CAAC;QACxC,IAAI,IAAI;YAAE,OAAO,UAAU,CAAC;QAC5B,OAAO,oBAAoB,CAAC;IAC9B,CAAC"}

package/dist/commands/auth/client/renew.d.ts

@@ -0,0 +1,20 @@
+import { BaseCommand } from '@salesforce/b2c-tooling-sdk/cli';
+/**
+ * Renew the client authentication token using stored credentials.
+ * Mirrors sfcc-ci `client:auth:renew` command behavior. Requires that the initial
+ * authentication was done with the --renew flag (which stores the credentials needed
+ * for renewal).
+ *
+ * Uses refresh_token grant when a refresh token is stored, otherwise falls back
+ * to client_credentials grant using the stored base64-encoded client:secret.
+ */
+export default class AuthClientRenew extends BaseCommand<typeof AuthClientRenew> {
+    static hiddenAliases: string[];
+    static description: string;
+    static examples: string[];
+    static flags: {
+        'account-manager-host': import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
+    };
+    protected loadConfiguration(): Promise<import("@salesforce/b2c-tooling-sdk").ResolvedB2CConfig>;
+    run(): Promise<void>;
+}

package/dist/commands/auth/client/renew.js

@@ -0,0 +1,88 @@
+/*
+ * Copyright (c) 2025, Salesforce, Inc.
+ * SPDX-License-Identifier: Apache-2
+ * For full license text, see the license.txt file in the repo root or http://www.apache.org/licenses/LICENSE-2.0
+ */
+import { Flags } from '@oclif/core';
+import { BaseCommand, loadConfig } from '@salesforce/b2c-tooling-sdk/cli';
+import { getStoredSession, setStoredSession } from '@salesforce/b2c-tooling-sdk/auth';
+import { DEFAULT_ACCOUNT_MANAGER_HOST } from '@salesforce/b2c-tooling-sdk';
+import { t } from '../../../i18n/index.js';
+/**
+ * Renew the client authentication token using stored credentials.
+ * Mirrors sfcc-ci `client:auth:renew` command behavior. Requires that the initial
+ * authentication was done with the --renew flag (which stores the credentials needed
+ * for renewal).
+ *
+ * Uses refresh_token grant when a refresh token is stored, otherwise falls back
+ * to client_credentials grant using the stored base64-encoded client:secret.
+ */
+export default class AuthClientRenew extends BaseCommand {
+    static hiddenAliases = ['client:auth:renew'];
+    static description = t('commands.auth.client.renew.description', 'Renew the client authentication token');
+    static examples = ['<%= config.bin %> <%= command.id %>'];
+    static flags = {
+        'account-manager-host': Flags.string({
+            description: `Account Manager hostname for OAuth (default: ${DEFAULT_ACCOUNT_MANAGER_HOST})`,
+            env: 'SFCC_ACCOUNT_MANAGER_HOST',
+            default: async () => process.env.SFCC_LOGIN_URL || undefined,
+            helpGroup: 'AUTH',
+        }),
+    };
+    loadConfiguration() {
+        return loadConfig({ accountManagerHost: this.flags['account-manager-host'] }, this.getBaseConfigOptions());
+    }
+    async run() {
+        const session = getStoredSession();
+        if (!session?.renewBase) {
+            this.error(t('commands.auth.client.renew.notRenewable', 'Authentication renewal not possible. Ensure initial authentication is done with --renew flag.'));
+        }
+        const accountManagerHost = this.resolvedConfig.values.accountManagerHost ?? DEFAULT_ACCOUNT_MANAGER_HOST;
+        const url = `https://${accountManagerHost}/dwsso/oauth2/access_token`;
+        // Use refresh_token grant if available, otherwise client_credentials
+        const grantPayload = session.refreshToken !== null && session.refreshToken !== undefined && session.refreshToken !== ''
+            ? { grant_type: 'refresh_token', refresh_token: session.refreshToken }
+            : { grant_type: 'client_credentials' };
+        const method = 'POST';
+        const body = new URLSearchParams(grantPayload).toString();
+        this.logger.debug({ grantType: grantPayload.grant_type, clientId: session.clientId }, `[StatefulAuth] Renewing token using OAuth ${grantPayload.grant_type} grant for client: ${session.clientId}`);
+        this.logger.debug({ method, url }, `[StatefulAuth REQ] ${method} ${url}`);
+        this.logger.trace({ method, url, body }, `[StatefulAuth REQ BODY] ${method} ${url}`);
+        const startTime = Date.now();
+        const response = await fetch(url, {
+            method,
+            headers: {
+                Authorization: `Basic ${session.renewBase}`,
+                'Content-Type': 'application/x-www-form-urlencoded',
+            },
+            body,
+        });
+        const duration = Date.now() - startTime;
+        this.logger.debug({ method, url, status: response.status, duration }, `[StatefulAuth RESP] ${method} ${url} ${response.status} ${duration}ms`);
+        if (!response.ok) {
+            const errorText = await response.text();
+            this.logger.trace({ method, url, body: errorText }, `[StatefulAuth RESP BODY] ${method} ${url}`);
+            let errorMsg;
+            try {
+                const parsed = JSON.parse(errorText);
+                errorMsg = parsed.error_description ?? errorText;
+            }
+            catch {
+                errorMsg = errorText;
+            }
+            this.error(t('commands.auth.client.renew.failed', 'Authentication renewal failed: {{error}}', { error: errorMsg }));
+        }
+        const data = (await response.json());
+        this.logger.trace({ method, url, body: data }, `[StatefulAuth RESP BODY] ${method} ${url}`);
+        // Update stored session with new token (server may issue a new refresh token)
+        setStoredSession({
+            clientId: session.clientId,
+            accessToken: data.access_token,
+            refreshToken: data.refresh_token ?? session.refreshToken ?? null,
+            renewBase: session.renewBase,
+            user: session.user ?? null,
+        });
+        this.log(t('commands.auth.client.renew.success', 'Authentication renewal succeeded.'));
+    }
+}
+//# sourceMappingURL=renew.js.map

package/dist/commands/auth/client/renew.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"renew.js","sourceRoot":"","sources":["../../../../src/commands/auth/client/renew.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAC,KAAK,EAAC,MAAM,aAAa,CAAC;AAClC,OAAO,EAAC,WAAW,EAAE,UAAU,EAAC,MAAM,iCAAiC,CAAC;AACxE,OAAO,EAAC,gBAAgB,EAAE,gBAAgB,EAAC,MAAM,kCAAkC,CAAC;AACpF,OAAO,EAAC,4BAA4B,EAAC,MAAM,6BAA6B,CAAC;AACzE,OAAO,EAAC,CAAC,EAAC,MAAM,wBAAwB,CAAC;AAEzC;;;;;;;;GAQG;AACH,MAAM,CAAC,OAAO,OAAO,eAAgB,SAAQ,WAAmC;IAC9E,MAAM,CAAC,aAAa,GAAG,CAAC,mBAAmB,CAAC,CAAC;IAE7C,MAAM,CAAC,WAAW,GAAG,CAAC,CAAC,wCAAwC,EAAE,uCAAuC,CAAC,CAAC;IAE1G,MAAM,CAAC,QAAQ,GAAG,CAAC,qCAAqC,CAAC,CAAC;IAE1D,MAAM,CAAC,KAAK,GAAG;QACb,sBAAsB,EAAE,KAAK,CAAC,MAAM,CAAC;YACnC,WAAW,EAAE,gDAAgD,4BAA4B,GAAG;YAC5F,GAAG,EAAE,2BAA2B;YAChC,OAAO,EAAE,KAAK,IAAI,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,SAAS;YAC5D,SAAS,EAAE,MAAM;SAClB,CAAC;KACH,CAAC;IAEiB,iBAAiB;QAClC,OAAO,UAAU,CACf,EAAC,kBAAkB,EAAE,IAAI,CAAC,KAAK,CAAC,sBAAsB,CAAuB,EAAC,EAC9E,IAAI,CAAC,oBAAoB,EAAE,CAC5B,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,GAAG;QACP,MAAM,OAAO,GAAG,gBAAgB,EAAE,CAAC;QAEnC,IAAI,CAAC,OAAO,EAAE,SAAS,EAAE,CAAC;YACxB,IAAI,CAAC,KAAK,CACR,CAAC,CACC,yCAAyC,EACzC,+FAA+F,CAChG,CACF,CAAC;QACJ,CAAC;QAED,MAAM,kBAAkB,GAAG,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,kBAAkB,IAAI,4BAA4B,CAAC;QACzG,MAAM,GAAG,GAAG,WAAW,kBAAkB,4BAA4B,CAAC;QAEtE,qEAAqE;QACrE,MAAM,YAAY,GAChB,OAAO,CAAC,YAAY,KAAK,IAAI,IAAI,OAAO,CAAC,YAAY,KAAK,SAAS,IAAI,OAAO,CAAC,YAAY,KAAK,EAAE;YAChG,CAAC,CAAC,EAAC,UAAU,EAAE,eAAe,EAAE,aAAa,EAAE,OAAO,CAAC,YAAY,EAAC;YACpE,CAAC,CAAC,EAAC,UAAU,EAAE,oBAAoB,EAAC,CAAC;QAEzC,MAAM,MAAM,GAAG,MAAM,CAAC;QACtB,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC,YAAY,CAAC,CAAC,QAAQ,EAAE,CAAC;QAE1D,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,EAAC,SAAS,EAAE,YAAY,CAAC,UAAU,EAAE,QAAQ,EAAE,OAAO,CAAC,QAAQ,EAAC,EAChE,6CAA6C,YAAY,CAAC,UAAU,sBAAsB,OAAO,CAAC,QAAQ,EAAE,CAC7G,CAAC;QACF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAC,MAAM,EAAE,GAAG,EAAC,EAAE,sBAAsB,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC;QACxE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAC,MAAM,EAAE,GAAG,EAAE,IAAI,EAAC,EAAE,2BAA2B,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC;QAEnF,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM;YACN,OAAO,EAAE;gBACP,aAAa,EAAE,SAAS,OAAO,CAAC,SAAS,EAAE;gBAC3C,cAAc,EAAE,mCAAmC;aACpD;YACD,IAAI;SACL,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QAExC,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,EAAC,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,QAAQ,EAAC,EAChD,uBAAuB,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,MAAM,IAAI,QAAQ,IAAI,CACxE,CAAC;QAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACxC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAC,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,SAAS,EAAC,EAAE,4BAA4B,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC;YAC/F,IAAI,QAAgB,CAAC;YACrB,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAiC,CAAC;gBACrE,QAAQ,GAAG,MAAM,CAAC,iBAAiB,IAAI,SAAS,CAAC;YACnD,CAAC;YAAC,MAAM,CAAC;gBACP,QAAQ,GAAG,SAAS,CAAC;YACvB,CAAC;YACD,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,mCAAmC,EAAE,0CAA0C,EAAE,EAAC,KAAK,EAAE,QAAQ,EAAC,CAAC,CAAC,CAAC;QACpH,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAKlC,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAC,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAC,EAAE,4BAA4B,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC;QAE1F,8EAA8E;QAC9E,gBAAgB,CAAC;YACf,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,WAAW,EAAE,IAAI,CAAC,YAAY;YAC9B,YAAY,EAAE,IAAI,CAAC,aAAa,IAAI,OAAO,CAAC,YAAY,IAAI,IAAI;YAChE,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,IAAI;SAC3B,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,oCAAoC,EAAE,mCAAmC,CAAC,CAAC,CAAC;IACzF,CAAC"}

package/dist/commands/auth/client/token.d.ts

@@ -0,0 +1,24 @@
+import { BaseCommand } from '@salesforce/b2c-tooling-sdk/cli';
+/**
+ * JSON output structure for the auth client token command.
+ */
+interface AuthClientTokenOutput {
+    accessToken: string;
+    clientId: string;
+    expires: string;
+    renewable: boolean;
+    scopes: string[];
+    user: null | string;
+}
+/**
+ * Return the current authentication token from the stateful store.
+ * Mirrors sfcc-ci `client:auth:token` command behavior.
+ */
+export default class AuthClientToken extends BaseCommand<typeof AuthClientToken> {
+    static hiddenAliases: string[];
+    static description: string;
+    static enableJsonFlag: boolean;
+    static examples: string[];
+    run(): Promise<AuthClientTokenOutput>;
+}
+export {};

package/dist/commands/auth/client/token.js

@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2025, Salesforce, Inc.
+ * SPDX-License-Identifier: Apache-2
+ * For full license text, see the license.txt file in the repo root or http://www.apache.org/licenses/LICENSE-2.0
+ */
+import { ux } from '@oclif/core';
+import { BaseCommand } from '@salesforce/b2c-tooling-sdk/cli';
+import { getStoredSession, isStatefulTokenValid, decodeJWT } from '@salesforce/b2c-tooling-sdk/auth';
+import { t } from '../../../i18n/index.js';
+/**
+ * Return the current authentication token from the stateful store.
+ * Mirrors sfcc-ci `client:auth:token` command behavior.
+ */
+export default class AuthClientToken extends BaseCommand {
+    static hiddenAliases = ['client:auth:token'];
+    static description = t('commands.auth.client.token.description', 'Return the current authentication token (stateful)');
+    static enableJsonFlag = true;
+    static examples = ['<%= config.bin %> <%= command.id %>', '<%= config.bin %> <%= command.id %> --json'];
+    async run() {
+        this.logger.debug('[StatefulAuth] Reading stored session from stateful store');
+        const session = getStoredSession();
+        if (!session?.accessToken) {
+            this.logger.debug('[StatefulAuth] No stored session found');
+            this.error(t('commands.auth.client.token.noToken', 'No authentication token found. Run `auth client` to authenticate first.'));
+        }
+        this.logger.debug({ clientId: session.clientId, user: session.user }, `[StatefulAuth] Found session for client: ${session.clientId}`);
+        // Decode JWT to extract metadata
+        let expires = '';
+        let scopes = [];
+        try {
+            const decoded = decodeJWT(session.accessToken);
+            const exp = decoded.payload.exp;
+            if (typeof exp === 'number') {
+                expires = new Date(exp * 1000).toISOString();
+            }
+            const scope = decoded.payload.scope;
+            scopes = scope === null || scope === undefined ? [] : Array.isArray(scope) ? scope : scope.split(' ');
+            this.logger.debug({ expires, scopes }, '[StatefulAuth] Decoded JWT claims');
+            this.logger.trace({ jwt: decoded.payload }, '[StatefulAuth] JWT payload');
+        }
+        catch {
+            this.logger.debug('[StatefulAuth] Token is not a valid JWT; returning raw token');
+        }
+        const valid = isStatefulTokenValid(session);
+        const renewable = session.renewBase !== null && session.renewBase !== undefined && session.renewBase !== '';
+        this.logger.debug({ valid, renewable }, `[StatefulAuth] Token valid: ${valid}, renewable: ${renewable}`);
+        const output = {
+            accessToken: session.accessToken,
+            clientId: session.clientId,
+            expires,
+            renewable,
+            scopes,
+            user: session.user ?? null,
+        };
+        if (this.jsonEnabled()) {
+            if (!valid) {
+                this.warn(t('commands.auth.client.token.expired', 'Token is expired or invalid. Run `auth client renew` or `auth client` to refresh.'));
+            }
+            return output;
+        }
+        // In normal mode, output just the raw token to stdout (matches sfcc-ci behavior)
+        ux.stdout(session.accessToken);
+        return output;
+    }
+}
+//# sourceMappingURL=token.js.map

package/dist/commands/auth/client/token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.js","sourceRoot":"","sources":["../../../../src/commands/auth/client/token.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAC/B,OAAO,EAAC,WAAW,EAAC,MAAM,iCAAiC,CAAC;AAC5D,OAAO,EAAC,gBAAgB,EAAE,oBAAoB,EAAE,SAAS,EAAC,MAAM,kCAAkC,CAAC;AACnG,OAAO,EAAC,CAAC,EAAC,MAAM,wBAAwB,CAAC;AAczC;;;GAGG;AACH,MAAM,CAAC,OAAO,OAAO,eAAgB,SAAQ,WAAmC;IAC9E,MAAM,CAAC,aAAa,GAAG,CAAC,mBAAmB,CAAC,CAAC;IAE7C,MAAM,CAAC,WAAW,GAAG,CAAC,CACpB,wCAAwC,EACxC,oDAAoD,CACrD,CAAC;IAEF,MAAM,CAAC,cAAc,GAAG,IAAI,CAAC;IAE7B,MAAM,CAAC,QAAQ,GAAG,CAAC,qCAAqC,EAAE,4CAA4C,CAAC,CAAC;IAExG,KAAK,CAAC,GAAG;QACP,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,2DAA2D,CAAC,CAAC;QAE/E,MAAM,OAAO,GAAG,gBAAgB,EAAE,CAAC;QAEnC,IAAI,CAAC,OAAO,EAAE,WAAW,EAAE,CAAC;YAC1B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;YAC5D,IAAI,CAAC,KAAK,CACR,CAAC,CACC,oCAAoC,EACpC,yEAAyE,CAC1E,CACF,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,EAAC,QAAQ,EAAE,OAAO,CAAC,QAAQ,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAC,EAChD,4CAA4C,OAAO,CAAC,QAAQ,EAAE,CAC/D,CAAC;QAEF,iCAAiC;QACjC,IAAI,OAAO,GAAG,EAAE,CAAC;QACjB,IAAI,MAAM,GAAa,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,SAAS,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;YAC/C,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,GAAyB,CAAC;YACtD,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC5B,OAAO,GAAG,IAAI,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;YAC/C,CAAC;YACD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,KAAsC,CAAC;YACrE,MAAM,GAAG,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACtG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAC,OAAO,EAAE,MAAM,EAAC,EAAE,mCAAmC,CAAC,CAAC;YAC1E,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAC,GAAG,EAAE,OAAO,CAAC,OAAO,EAAC,EAAE,4BAA4B,CAAC,CAAC;QAC1E,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,8DAA8D,CAAC,CAAC;QACpF,CAAC;QAED,MAAM,KAAK,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;QAC5C,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,KAAK,IAAI,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,IAAI,OAAO,CAAC,SAAS,KAAK,EAAE,CAAC;QAE5G,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAC,KAAK,EAAE,SAAS,EAAC,EAAE,+BAA+B,KAAK,gBAAgB,SAAS,EAAE,CAAC,CAAC;QAEvG,MAAM,MAAM,GAA0B;YACpC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,OAAO;YACP,SAAS;YACT,MAAM;YACN,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,IAAI;SAC3B,CAAC;QAEF,IAAI,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;YACvB,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,IAAI,CAAC,IAAI,CACP,CAAC,CACC,oCAAoC,EACpC,mFAAmF,CACpF,CACF,CAAC;YACJ,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,iFAAiF;QACjF,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;QAE/B,OAAO,MAAM,CAAC;IAChB,CAAC"}

package/dist/commands/auth/login.d.ts

@@ -0,0 +1,20 @@
+import { BaseCommand } from '@salesforce/b2c-tooling-sdk/cli';
+/**
+ * Log in via browser (implicit OAuth) and persist the session for stateful auth.
+ * Uses the same storage as sfcc-ci; when valid, subsequent commands use this token
+ * until it expires or you run auth:logout.
+ */
+export default class AuthLogin extends BaseCommand<typeof AuthLogin> {
+    static hiddenAliases: string[];
+    static args: {
+        clientId: import("@oclif/core/interfaces").Arg<string | undefined, Record<string, unknown>>;
+    };
+    static description: string;
+    static examples: string[];
+    static flags: {
+        'account-manager-host': import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
+        'auth-scope': import("@oclif/core/interfaces").OptionFlag<string[] | undefined, import("@oclif/core/interfaces").CustomOptions>;
+    };
+    protected loadConfiguration(): Promise<import("@salesforce/b2c-tooling-sdk").ResolvedB2CConfig>;
+    run(): Promise<void>;
+}

package/dist/commands/auth/login.js

@@ -0,0 +1,83 @@
+/*
+ * Copyright (c) 2025, Salesforce, Inc.
+ * SPDX-License-Identifier: Apache-2
+ * For full license text, see the license.txt file in the repo root or http://www.apache.org/licenses/LICENSE-2.0
+ */
+import { Args, Flags } from '@oclif/core';
+import { BaseCommand, loadConfig } from '@salesforce/b2c-tooling-sdk/cli';
+import { ImplicitOAuthStrategy, setStoredSession, decodeJWT } from '@salesforce/b2c-tooling-sdk/auth';
+import { DEFAULT_ACCOUNT_MANAGER_HOST } from '@salesforce/b2c-tooling-sdk';
+import { t, withDocs } from '../../i18n/index.js';
+/**
+ * Log in via browser (implicit OAuth) and persist the session for stateful auth.
+ * Uses the same storage as sfcc-ci; when valid, subsequent commands use this token
+ * until it expires or you run auth:logout.
+ */
+export default class AuthLogin extends BaseCommand {
+    static hiddenAliases = ['auth:login'];
+    static args = {
+        clientId: Args.string({
+            description: 'Client ID for OAuth (falls back to SFCC_CLIENT_ID env var)',
+            required: false,
+        }),
+    };
+    static description = withDocs(t('commands.auth.login.description', 'Log in via browser and save session (stateful auth)'), '/cli/auth.html#b2c-auth-login');
+    static examples = ['<%= config.bin %> <%= command.id %>', '<%= config.bin %> <%= command.id %> your-client-id'];
+    static flags = {
+        'account-manager-host': Flags.string({
+            description: `Account Manager hostname for OAuth (default: ${DEFAULT_ACCOUNT_MANAGER_HOST})`,
+            env: 'SFCC_ACCOUNT_MANAGER_HOST',
+            default: async () => process.env.SFCC_LOGIN_URL || undefined,
+            helpGroup: 'AUTH',
+        }),
+        'auth-scope': Flags.string({
+            description: 'OAuth scopes to request (comma-separated)',
+            env: 'SFCC_OAUTH_SCOPES',
+            multiple: true,
+            multipleNonGreedy: true,
+            delimiter: ',',
+            helpGroup: 'AUTH',
+        }),
+    };
+    loadConfiguration() {
+        const scopes = this.flags['auth-scope'];
+        return loadConfig({
+            clientId: this.args.clientId ?? process.env.SFCC_CLIENT_ID,
+            accountManagerHost: this.flags['account-manager-host'],
+            scopes: scopes && scopes.length > 0 ? scopes : undefined,
+        }, this.getBaseConfigOptions());
+    }
+    async run() {
+        const clientId = this.resolvedConfig.values.clientId;
+        if (!clientId) {
+            this.error(t('error.oauthClientIdRequired', 'OAuth client ID required. Provide a client ID argument or set SFCC_CLIENT_ID.'));
+        }
+        const accountManagerHost = this.resolvedConfig.values.accountManagerHost ?? DEFAULT_ACCOUNT_MANAGER_HOST;
+        const scopes = this.resolvedConfig.values.scopes;
+        const strategy = new ImplicitOAuthStrategy({
+            clientId,
+            scopes,
+            accountManagerHost,
+        });
+        const tokenResponse = await strategy.getTokenResponse();
+        let user = null;
+        try {
+            const decoded = decodeJWT(tokenResponse.accessToken);
+            if (typeof decoded.payload.sub === 'string') {
+                user = decoded.payload.sub;
+            }
+        }
+        catch {
+            // ignore
+        }
+        setStoredSession({
+            clientId,
+            accessToken: tokenResponse.accessToken,
+            refreshToken: null,
+            renewBase: null,
+            user,
+        });
+        this.log(t('commands.auth.login.success', 'Login succeeded. Session saved for stateful auth.'));
+    }
+}
+//# sourceMappingURL=login.js.map

package/dist/commands/auth/login.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"login.js","sourceRoot":"","sources":["../../../src/commands/auth/login.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAC,IAAI,EAAE,KAAK,EAAC,MAAM,aAAa,CAAC;AACxC,OAAO,EAAC,WAAW,EAAE,UAAU,EAAC,MAAM,iCAAiC,CAAC;AACxE,OAAO,EAAC,qBAAqB,EAAE,gBAAgB,EAAE,SAAS,EAAC,MAAM,kCAAkC,CAAC;AACpG,OAAO,EAAC,4BAA4B,EAAC,MAAM,6BAA6B,CAAC;AACzE,OAAO,EAAC,CAAC,EAAE,QAAQ,EAAC,MAAM,qBAAqB,CAAC;AAEhD;;;;GAIG;AACH,MAAM,CAAC,OAAO,OAAO,SAAU,SAAQ,WAA6B;IAClE,MAAM,CAAC,aAAa,GAAG,CAAC,YAAY,CAAC,CAAC;IAEtC,MAAM,CAAC,IAAI,GAAG;QACZ,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC;YACpB,WAAW,EAAE,4DAA4D;YACzE,QAAQ,EAAE,KAAK;SAChB,CAAC;KACH,CAAC;IAEF,MAAM,CAAC,WAAW,GAAG,QAAQ,CAC3B,CAAC,CAAC,iCAAiC,EAAE,qDAAqD,CAAC,EAC3F,+BAA+B,CAChC,CAAC;IAEF,MAAM,CAAC,QAAQ,GAAG,CAAC,qCAAqC,EAAE,oDAAoD,CAAC,CAAC;IAEhH,MAAM,CAAC,KAAK,GAAG;QACb,sBAAsB,EAAE,KAAK,CAAC,MAAM,CAAC;YACnC,WAAW,EAAE,gDAAgD,4BAA4B,GAAG;YAC5F,GAAG,EAAE,2BAA2B;YAChC,OAAO,EAAE,KAAK,IAAI,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,SAAS;YAC5D,SAAS,EAAE,MAAM;SAClB,CAAC;QACF,YAAY,EAAE,KAAK,CAAC,MAAM,CAAC;YACzB,WAAW,EAAE,2CAA2C;YACxD,GAAG,EAAE,mBAAmB;YACxB,QAAQ,EAAE,IAAI;YACd,iBAAiB,EAAE,IAAI;YACvB,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,MAAM;SAClB,CAAC;KACH,CAAC;IAEiB,iBAAiB;QAClC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAyB,CAAC;QAChE,OAAO,UAAU,CACf;YACE,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc;YAC1D,kBAAkB,EAAE,IAAI,CAAC,KAAK,CAAC,sBAAsB,CAAuB;YAC5E,MAAM,EAAE,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;SACzD,EACD,IAAI,CAAC,oBAAoB,EAAE,CAC5B,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,GAAG;QACP,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,QAAQ,CAAC;QACrD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,IAAI,CAAC,KAAK,CACR,CAAC,CACC,6BAA6B,EAC7B,+EAA+E,CAChF,CACF,CAAC;QACJ,CAAC;QAED,MAAM,kBAAkB,GAAG,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,kBAAkB,IAAI,4BAA4B,CAAC;QACzG,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,MAAM,CAAC;QAEjD,MAAM,QAAQ,GAAG,IAAI,qBAAqB,CAAC;YACzC,QAAQ;YACR,MAAM;YACN,kBAAkB;SACnB,CAAC,CAAC;QAEH,MAAM,aAAa,GAAG,MAAM,QAAQ,CAAC,gBAAgB,EAAE,CAAC;QAExD,IAAI,IAAI,GAAkB,IAAI,CAAC;QAC/B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,SAAS,CAAC,aAAa,CAAC,WAAW,CAAC,CAAC;YACrD,IAAI,OAAO,OAAO,CAAC,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC5C,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC;YAC7B,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QAED,gBAAgB,CAAC;YACf,QAAQ;YACR,WAAW,EAAE,aAAa,CAAC,WAAW;YACtC,YAAY,EAAE,IAAI;YAClB,SAAS,EAAE,IAAI;YACf,IAAI;SACL,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,6BAA6B,EAAE,mDAAmD,CAAC,CAAC,CAAC;IAClG,CAAC"}

package/dist/commands/auth/logout.d.ts

@@ -0,0 +1,12 @@
+import { BaseCommand } from '@salesforce/b2c-tooling-sdk/cli';
+/**
+ * Clear the stored OAuth session (stateful auth).
+ * Uses the same storage as sfcc-ci; after logout, commands use stateless auth
+ * (client credentials or implicit) when configured.
+ */
+export default class AuthLogout extends BaseCommand<typeof AuthLogout> {
+    static hiddenAliases: string[];
+    static description: string;
+    static examples: string[];
+    run(): Promise<void>;
+}

package/dist/commands/auth/logout.js

@@ -0,0 +1,23 @@
+/*
+ * Copyright (c) 2025, Salesforce, Inc.
+ * SPDX-License-Identifier: Apache-2
+ * For full license text, see the license.txt file in the repo root or http://www.apache.org/licenses/LICENSE-2.0
+ */
+import { BaseCommand } from '@salesforce/b2c-tooling-sdk/cli';
+import { clearStoredSession } from '@salesforce/b2c-tooling-sdk/auth';
+import { t, withDocs } from '../../i18n/index.js';
+/**
+ * Clear the stored OAuth session (stateful auth).
+ * Uses the same storage as sfcc-ci; after logout, commands use stateless auth
+ * (client credentials or implicit) when configured.
+ */
+export default class AuthLogout extends BaseCommand {
+    static hiddenAliases = ['auth:logout'];
+    static description = withDocs(t('commands.auth.logout.description', 'Clear stored session (stateful auth)'), '/cli/auth.html#b2c-auth-logout');
+    static examples = ['<%= config.bin %> <%= command.id %>'];
+    async run() {
+        clearStoredSession();
+        this.log(t('commands.auth.logout.success', 'Logged out. Stored session cleared.'));
+    }
+}
+//# sourceMappingURL=logout.js.map

package/dist/commands/auth/logout.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logout.js","sourceRoot":"","sources":["../../../src/commands/auth/logout.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAC,WAAW,EAAC,MAAM,iCAAiC,CAAC;AAC5D,OAAO,EAAC,kBAAkB,EAAC,MAAM,kCAAkC,CAAC;AACpE,OAAO,EAAC,CAAC,EAAE,QAAQ,EAAC,MAAM,qBAAqB,CAAC;AAEhD;;;;GAIG;AACH,MAAM,CAAC,OAAO,OAAO,UAAW,SAAQ,WAA8B;IACpE,MAAM,CAAC,aAAa,GAAG,CAAC,aAAa,CAAC,CAAC;IAEvC,MAAM,CAAC,WAAW,GAAG,QAAQ,CAC3B,CAAC,CAAC,kCAAkC,EAAE,sCAAsC,CAAC,EAC7E,gCAAgC,CACjC,CAAC;IAEF,MAAM,CAAC,QAAQ,GAAG,CAAC,qCAAqC,CAAC,CAAC;IAE1D,KAAK,CAAC,GAAG;QACP,kBAAkB,EAAE,CAAC;QACrB,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,8BAA8B,EAAE,qCAAqC,CAAC,CAAC,CAAC;IACrF,CAAC"}

package/dist/commands/cip/describe.d.ts

@@ -22,14 +22,14 @@ export default class CipDescribe extends CipCommand<typeof CipDescribe> {
         staging: import("@oclif/core/interfaces").BooleanFlag<boolean>;
         format: import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
         'fetch-size': import("@oclif/core/interfaces").OptionFlag<number, import("@oclif/core/interfaces").CustomOptions>;
-        'client-id': import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
-        'client-secret': import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        'client-id': import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
+        'client-secret': import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
         'auth-scope': import("@oclif/core/interfaces").OptionFlag<string[] | undefined, import("@oclif/core/interfaces").CustomOptions>;
         'short-code': import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
         'tenant-id': import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
         'auth-methods': import("@oclif/core/interfaces").OptionFlag<string[] | undefined, import("@oclif/core/interfaces").CustomOptions>;
         'user-auth': import("@oclif/core/interfaces").BooleanFlag<boolean>;
-        'account-manager-host': import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        'account-manager-host': import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
         'log-level': import("@oclif/core/interfaces").OptionFlag<"trace" | "debug" | "info" | "warn" | "error" | "silent" | undefined, import("@oclif/core/interfaces").CustomOptions>;
         debug: import("@oclif/core/interfaces").BooleanFlag<boolean>;
         json: import("@oclif/core/interfaces").BooleanFlag<boolean>;