@salesforce/core 8.6.1 → 8.6.3

package/lib/config/ttlConfig.js

@@ -37,6 +37,11 @@ class TTLConfig extends configFile_1.ConfigFile {
         return dateTime - new Date(value.timestamp).getTime() > this.options.ttl.milliseconds;
     }
     async init() {
+        // Normally, this is done in super.init() but we don't call it to prevent
+        // redundant read() calls.
+        if (this.hasEncryption()) {
+            await this.initCrypto();
+        }
         const contents = await this.read(this.options.throwOnNotFound);
         const date = new Date().getTime();
         // delete all the expired entries

package/lib/crypto/crypto.js

@@ -123,7 +123,7 @@ const detectCryptoVersion = (pwd) => {
     }
 };
 ;
-const messages = new messages_1.Messages('@salesforce/core', 'encryption', new Map([["invalidEncryptedFormatError", "The encrypted data is not properly formatted."], ["invalidEncryptedFormatError.actions", ["If attempting to create a scratch org then re-authorize. Otherwise create a new scratch org."]], ["authDecryptError", "Failed to decipher auth data. reason: %s."], ["unsupportedOperatingSystemError", "Unsupported Operating System: %s"], ["missingCredentialProgramError", "Unable to find required security software: %s"], ["credentialProgramAccessError", "Unable to execute security software: %s"], ["passwordRetryError", "Failed to get the password after %i retries."], ["passwordRequiredError", "A password is required."], ["keyChainServiceRequiredError", "Unable to get or set a keychain value without a service name."], ["keyChainAccountRequiredError", "Unable to get or set a keychain value without an account name."], ["keyChainUserCanceledError", "User canceled authentication."], ["keychainPasswordCreationError", "Failed to create a password in the keychain."], ["genericKeychainServiceError", "The service and account specified in %s do not match the version of the toolbelt."], ["genericKeychainServiceError.actions", ["Check your toolbelt version and re-auth."]], ["genericKeychainInvalidPermsError", "Invalid file permissions for secret file"], ["genericKeychainInvalidPermsError.actions", ["Ensure the file %s has the file permission octal value of %s."]], ["passwordNotFoundError", "Could not find password.\n%s"], ["passwordNotFoundError.actions", ["Ensure a valid password is returned with the following command: [%s]"]], ["setCredentialError", "Command failed with response:\n%s"], ["setCredentialError.actions", ["Determine why this command failed to set an encryption key for user %s: [%s]."]], ["macKeychainOutOfSync", "We\u2019ve encountered an error with the Mac keychain being out of sync with your `sfdx` credentials. To fix the problem, sync your credentials by authenticating into your org again using the auth commands."], ["v1CryptoWithV2KeyWarning", "The SF_CRYPTO_V2 environment variable was set to \"false\" but a v2 crypto key was detected. v1 crypto can only be used with a v1 key. Unset the SF_CRYPTO_V2 environment variable."], ["v2CryptoWithV1KeyWarning", "SF_CRYPTO_V2 was set to \"true\" but a v1 crypto key was detected. v2 crypto can only be used with a v2 key. To generate a v2 key:\n\n1. Logout of all orgs: `sf org logout --all`\n2. Delete the sfdx keychain entry (account: local, service: sfdx). If `SF_USE_GENERIC_UNIX_KEYCHAIN=true` env var is set, you can delete the `key.json` file.\n3. Set `SF_CRYPTO_V2=true` env var.\n4. Re-Authenticate with your orgs using the CLI org login commands."]]));
+const messages = new messages_1.Messages('@salesforce/core', 'encryption', new Map([["invalidEncryptedFormatError", "The encrypted data is not properly formatted."], ["invalidEncryptedFormatError.actions", ["If attempting to create a scratch org then re-authorize. Otherwise create a new scratch org."]], ["authDecryptError", "Failed to decipher auth data. reason: %s."], ["unsupportedOperatingSystemError", "Unsupported Operating System: %s"], ["missingCredentialProgramError", "Unable to find required security software: %s"], ["credentialProgramAccessError", "Unable to execute security software: %s"], ["passwordRetryError", "Failed to get the password after %i retries."], ["passwordRequiredError", "A password is required."], ["keyChainServiceRequiredError", "Unable to get or set a keychain value without a service name."], ["keyChainAccountRequiredError", "Unable to get or set a keychain value without an account name."], ["keyChainUserCanceledError", "User canceled authentication."], ["keychainPasswordCreationError", "Failed to create a password in the keychain."], ["genericKeychainServiceError", "The service and account specified in %s do not match the version of the toolbelt."], ["genericKeychainServiceError.actions", ["Check your toolbelt version and re-auth."]], ["genericKeychainInvalidPermsError", "Invalid file permissions for secret file: %s"], ["genericKeychainInvalidPermsError.actions", ["Ensure the file %s has the file permission octal value of %s."]], ["passwordNotFoundError", "Could not find password.\n%s"], ["passwordNotFoundError.actions", ["Ensure a valid password is returned with the following command: [%s]"]], ["setCredentialError", "Command failed with response:\n%s"], ["setCredentialError.actions", ["Determine why this command failed to set an encryption key for user %s: [%s]."]], ["macKeychainOutOfSync", "We\u2019ve encountered an error with the Mac keychain being out of sync with your `sfdx` credentials. To fix the problem, sync your credentials by authenticating into your org again using the auth commands."], ["v1CryptoWithV2KeyWarning", "The SF_CRYPTO_V2 environment variable was set to \"false\" but a v2 crypto key was detected. v1 crypto can only be used with a v1 key. Unset the SF_CRYPTO_V2 environment variable."], ["v2CryptoWithV1KeyWarning", "SF_CRYPTO_V2 was set to \"true\" but a v1 crypto key was detected. v2 crypto can only be used with a v2 key. To generate a v2 key:\n\n1. Logout of all orgs: `sf org logout --all`\n2. Delete the sfdx keychain entry (account: local, service: sfdx). If `SF_USE_GENERIC_UNIX_KEYCHAIN=true` env var is set, you can delete the `key.json` file.\n3. Set `SF_CRYPTO_V2=true` env var.\n4. Re-Authenticate with your orgs using the CLI org login commands."]]));
 const makeSecureBuffer = (password, encoding) => {
     const newSb = new secureBuffer_1.SecureBuffer();
     newSb.consume(Buffer.from(password, encoding));

package/lib/crypto/keyChain.js

@@ -12,7 +12,7 @@ const logger_1 = require("../logger/logger");
 const messages_1 = require("../messages");
 const keyChainImpl_1 = require("./keyChainImpl");
 ;
-const messages = new messages_1.Messages('@salesforce/core', 'encryption', new Map([["invalidEncryptedFormatError", "The encrypted data is not properly formatted."], ["invalidEncryptedFormatError.actions", ["If attempting to create a scratch org then re-authorize. Otherwise create a new scratch org."]], ["authDecryptError", "Failed to decipher auth data. reason: %s."], ["unsupportedOperatingSystemError", "Unsupported Operating System: %s"], ["missingCredentialProgramError", "Unable to find required security software: %s"], ["credentialProgramAccessError", "Unable to execute security software: %s"], ["passwordRetryError", "Failed to get the password after %i retries."], ["passwordRequiredError", "A password is required."], ["keyChainServiceRequiredError", "Unable to get or set a keychain value without a service name."], ["keyChainAccountRequiredError", "Unable to get or set a keychain value without an account name."], ["keyChainUserCanceledError", "User canceled authentication."], ["keychainPasswordCreationError", "Failed to create a password in the keychain."], ["genericKeychainServiceError", "The service and account specified in %s do not match the version of the toolbelt."], ["genericKeychainServiceError.actions", ["Check your toolbelt version and re-auth."]], ["genericKeychainInvalidPermsError", "Invalid file permissions for secret file"], ["genericKeychainInvalidPermsError.actions", ["Ensure the file %s has the file permission octal value of %s."]], ["passwordNotFoundError", "Could not find password.\n%s"], ["passwordNotFoundError.actions", ["Ensure a valid password is returned with the following command: [%s]"]], ["setCredentialError", "Command failed with response:\n%s"], ["setCredentialError.actions", ["Determine why this command failed to set an encryption key for user %s: [%s]."]], ["macKeychainOutOfSync", "We\u2019ve encountered an error with the Mac keychain being out of sync with your `sfdx` credentials. To fix the problem, sync your credentials by authenticating into your org again using the auth commands."], ["v1CryptoWithV2KeyWarning", "The SF_CRYPTO_V2 environment variable was set to \"false\" but a v2 crypto key was detected. v1 crypto can only be used with a v1 key. Unset the SF_CRYPTO_V2 environment variable."], ["v2CryptoWithV1KeyWarning", "SF_CRYPTO_V2 was set to \"true\" but a v1 crypto key was detected. v2 crypto can only be used with a v2 key. To generate a v2 key:\n\n1. Logout of all orgs: `sf org logout --all`\n2. Delete the sfdx keychain entry (account: local, service: sfdx). If `SF_USE_GENERIC_UNIX_KEYCHAIN=true` env var is set, you can delete the `key.json` file.\n3. Set `SF_CRYPTO_V2=true` env var.\n4. Re-Authenticate with your orgs using the CLI org login commands."]]));
+const messages = new messages_1.Messages('@salesforce/core', 'encryption', new Map([["invalidEncryptedFormatError", "The encrypted data is not properly formatted."], ["invalidEncryptedFormatError.actions", ["If attempting to create a scratch org then re-authorize. Otherwise create a new scratch org."]], ["authDecryptError", "Failed to decipher auth data. reason: %s."], ["unsupportedOperatingSystemError", "Unsupported Operating System: %s"], ["missingCredentialProgramError", "Unable to find required security software: %s"], ["credentialProgramAccessError", "Unable to execute security software: %s"], ["passwordRetryError", "Failed to get the password after %i retries."], ["passwordRequiredError", "A password is required."], ["keyChainServiceRequiredError", "Unable to get or set a keychain value without a service name."], ["keyChainAccountRequiredError", "Unable to get or set a keychain value without an account name."], ["keyChainUserCanceledError", "User canceled authentication."], ["keychainPasswordCreationError", "Failed to create a password in the keychain."], ["genericKeychainServiceError", "The service and account specified in %s do not match the version of the toolbelt."], ["genericKeychainServiceError.actions", ["Check your toolbelt version and re-auth."]], ["genericKeychainInvalidPermsError", "Invalid file permissions for secret file: %s"], ["genericKeychainInvalidPermsError.actions", ["Ensure the file %s has the file permission octal value of %s."]], ["passwordNotFoundError", "Could not find password.\n%s"], ["passwordNotFoundError.actions", ["Ensure a valid password is returned with the following command: [%s]"]], ["setCredentialError", "Command failed with response:\n%s"], ["setCredentialError.actions", ["Determine why this command failed to set an encryption key for user %s: [%s]."]], ["macKeychainOutOfSync", "We\u2019ve encountered an error with the Mac keychain being out of sync with your `sfdx` credentials. To fix the problem, sync your credentials by authenticating into your org again using the auth commands."], ["v1CryptoWithV2KeyWarning", "The SF_CRYPTO_V2 environment variable was set to \"false\" but a v2 crypto key was detected. v1 crypto can only be used with a v1 key. Unset the SF_CRYPTO_V2 environment variable."], ["v2CryptoWithV1KeyWarning", "SF_CRYPTO_V2 was set to \"true\" but a v1 crypto key was detected. v2 crypto can only be used with a v2 key. To generate a v2 key:\n\n1. Logout of all orgs: `sf org logout --all`\n2. Delete the sfdx keychain entry (account: local, service: sfdx). If `SF_USE_GENERIC_UNIX_KEYCHAIN=true` env var is set, you can delete the `key.json` file.\n3. Set `SF_CRYPTO_V2=true` env var.\n4. Re-Authenticate with your orgs using the CLI org login commands."]]));
 /**
  * Gets the os level keychain impl.
  *

package/lib/crypto/keyChainImpl.js

@@ -41,7 +41,7 @@ const kit_1 = require("@salesforce/kit");
 const global_1 = require("../global");
 const messages_1 = require("../messages");
 ;
-const messages = new messages_1.Messages('@salesforce/core', 'encryption', new Map([["invalidEncryptedFormatError", "The encrypted data is not properly formatted."], ["invalidEncryptedFormatError.actions", ["If attempting to create a scratch org then re-authorize. Otherwise create a new scratch org."]], ["authDecryptError", "Failed to decipher auth data. reason: %s."], ["unsupportedOperatingSystemError", "Unsupported Operating System: %s"], ["missingCredentialProgramError", "Unable to find required security software: %s"], ["credentialProgramAccessError", "Unable to execute security software: %s"], ["passwordRetryError", "Failed to get the password after %i retries."], ["passwordRequiredError", "A password is required."], ["keyChainServiceRequiredError", "Unable to get or set a keychain value without a service name."], ["keyChainAccountRequiredError", "Unable to get or set a keychain value without an account name."], ["keyChainUserCanceledError", "User canceled authentication."], ["keychainPasswordCreationError", "Failed to create a password in the keychain."], ["genericKeychainServiceError", "The service and account specified in %s do not match the version of the toolbelt."], ["genericKeychainServiceError.actions", ["Check your toolbelt version and re-auth."]], ["genericKeychainInvalidPermsError", "Invalid file permissions for secret file"], ["genericKeychainInvalidPermsError.actions", ["Ensure the file %s has the file permission octal value of %s."]], ["passwordNotFoundError", "Could not find password.\n%s"], ["passwordNotFoundError.actions", ["Ensure a valid password is returned with the following command: [%s]"]], ["setCredentialError", "Command failed with response:\n%s"], ["setCredentialError.actions", ["Determine why this command failed to set an encryption key for user %s: [%s]."]], ["macKeychainOutOfSync", "We\u2019ve encountered an error with the Mac keychain being out of sync with your `sfdx` credentials. To fix the problem, sync your credentials by authenticating into your org again using the auth commands."], ["v1CryptoWithV2KeyWarning", "The SF_CRYPTO_V2 environment variable was set to \"false\" but a v2 crypto key was detected. v1 crypto can only be used with a v1 key. Unset the SF_CRYPTO_V2 environment variable."], ["v2CryptoWithV1KeyWarning", "SF_CRYPTO_V2 was set to \"true\" but a v1 crypto key was detected. v2 crypto can only be used with a v2 key. To generate a v2 key:\n\n1. Logout of all orgs: `sf org logout --all`\n2. Delete the sfdx keychain entry (account: local, service: sfdx). If `SF_USE_GENERIC_UNIX_KEYCHAIN=true` env var is set, you can delete the `key.json` file.\n3. Set `SF_CRYPTO_V2=true` env var.\n4. Re-Authenticate with your orgs using the CLI org login commands."]]));
+const messages = new messages_1.Messages('@salesforce/core', 'encryption', new Map([["invalidEncryptedFormatError", "The encrypted data is not properly formatted."], ["invalidEncryptedFormatError.actions", ["If attempting to create a scratch org then re-authorize. Otherwise create a new scratch org."]], ["authDecryptError", "Failed to decipher auth data. reason: %s."], ["unsupportedOperatingSystemError", "Unsupported Operating System: %s"], ["missingCredentialProgramError", "Unable to find required security software: %s"], ["credentialProgramAccessError", "Unable to execute security software: %s"], ["passwordRetryError", "Failed to get the password after %i retries."], ["passwordRequiredError", "A password is required."], ["keyChainServiceRequiredError", "Unable to get or set a keychain value without a service name."], ["keyChainAccountRequiredError", "Unable to get or set a keychain value without an account name."], ["keyChainUserCanceledError", "User canceled authentication."], ["keychainPasswordCreationError", "Failed to create a password in the keychain."], ["genericKeychainServiceError", "The service and account specified in %s do not match the version of the toolbelt."], ["genericKeychainServiceError.actions", ["Check your toolbelt version and re-auth."]], ["genericKeychainInvalidPermsError", "Invalid file permissions for secret file: %s"], ["genericKeychainInvalidPermsError.actions", ["Ensure the file %s has the file permission octal value of %s."]], ["passwordNotFoundError", "Could not find password.\n%s"], ["passwordNotFoundError.actions", ["Ensure a valid password is returned with the following command: [%s]"]], ["setCredentialError", "Command failed with response:\n%s"], ["setCredentialError.actions", ["Determine why this command failed to set an encryption key for user %s: [%s]."]], ["macKeychainOutOfSync", "We\u2019ve encountered an error with the Mac keychain being out of sync with your `sfdx` credentials. To fix the problem, sync your credentials by authenticating into your org again using the auth commands."], ["v1CryptoWithV2KeyWarning", "The SF_CRYPTO_V2 environment variable was set to \"false\" but a v2 crypto key was detected. v1 crypto can only be used with a v1 key. Unset the SF_CRYPTO_V2 environment variable."], ["v2CryptoWithV1KeyWarning", "SF_CRYPTO_V2 was set to \"true\" but a v1 crypto key was detected. v2 crypto can only be used with a v2 key. To generate a v2 key:\n\n1. Logout of all orgs: `sf org logout --all`\n2. Delete the sfdx keychain entry (account: local, service: sfdx). If `SF_USE_GENERIC_UNIX_KEYCHAIN=true` env var is set, you can delete the `key.json` file.\n3. Set `SF_CRYPTO_V2=true` env var.\n4. Re-Authenticate with your orgs using the CLI org login commands."]]));
 const GET_PASSWORD_RETRY_COUNT = 3;
 /**
  * Helper to reduce an array of cli args down to a presentable string for logging.

package/lib/logger/logger.js

@@ -145,6 +145,7 @@ class Logger {
                     transport: {
                         pipeline: [
                             {
+                                // WARNING: Please make sure to bundle transformStream by referencing the correct path. Reach out to IDEx Foundations Team.
                                 target: path.join('..', '..', 'lib', 'logger', 'transformStream'),
                             },
                             getWriteStream(level),

package/lib/messages.d.ts

@@ -204,6 +204,7 @@ export declare class Messages<T extends string> {
      * @param tokens The values to substitute in the message.
      *
      * **See** https://nodejs.org/api/util.html#util_util_format_format_args
+     * **Note** Unlike util.format(), specifiers are required for a token to be rendered.
      */
     getMessage(key: T, tokens?: Tokens): string;
     /**
@@ -227,6 +228,7 @@ export declare class Messages<T extends string> {
      * @param tokens The values to substitute in the message.
      *
      * **See** https://nodejs.org/api/util.html#util_util_format_format_args
+     * **Note** Unlike util.format(), specifiers are required for a token to be rendered.
      */
     getMessages(key: T, tokens?: Tokens): string[];
     /**

package/lib/messages.js

@@ -37,7 +37,7 @@ const util = __importStar(require("node:util"));
 const node_url_1 = require("node:url");
 const ts_types_1 = require("@salesforce/ts-types");
 const kit_1 = require("@salesforce/kit");
-const lifecycleEvents_1 = require("./lifecycleEvents");
+const logger_1 = require("./logger/logger");
 const sfError_1 = require("./sfError");
 const getKey = (packageName, bundleName) => `${packageName}:${bundleName}`;
 const REGEXP_NO_CONTENT = /^\s*$/g;
@@ -394,6 +394,7 @@ class Messages {
      * @param tokens The values to substitute in the message.
      *
      * **See** https://nodejs.org/api/util.html#util_util_format_format_args
+     * **Note** Unlike util.format(), specifiers are required for a token to be rendered.
      */
     getMessage(key, tokens = []) {
         return this.getMessageWithMap(key, tokens, this.messages).join(os.EOL);
@@ -419,6 +420,7 @@ class Messages {
      * @param tokens The values to substitute in the message.
      *
      * **See** https://nodejs.org/api/util.html#util_util_format_format_args
+     * **Note** Unlike util.format(), specifiers are required for a token to be rendered.
      */
     getMessages(key, tokens = []) {
         return this.getMessageWithMap(key, tokens, this.messages);
@@ -528,21 +530,12 @@ class Messages {
             // https://nodejs.org/api/util.html#utilformatformat-args
             // https://regex101.com/r/8Hf8Z6/1
             const specifierRegex = new RegExp('%[sdifjoO]{1}', 'gm');
-            // NOTE: This is a temporary telemetry event to track down missing specifiers in messages.
-            //       Once we have enough data and correct missing specifiers, we can remove this.
-            //       The followup work is outlined in: W-16197665
-            if (!specifierRegex.test(msgStr) && tokens.length > 0) {
-                void lifecycleEvents_1.Lifecycle.getInstance().emitTelemetry({
-                    eventName: 'missing_message_specifier',
-                    library: 'sfdx-core',
-                    function: 'getMessageWithMap',
-                    messagesLength: messages.length,
-                    message: msgStr,
-                    tokensLength: tokens.length,
-                });
+            const specifierFound = specifierRegex.test(msgStr);
+            if (!specifierFound && tokens.length > 0) {
+                const logger = logger_1.Logger.childFromRoot('core:messages');
+                logger.warn(`Unable to render tokens in message. Ensure a specifier (e.g. %s) exists in the message:\n${msgStr}`);
             }
-            // return specifierRegex.test(msgStr) ? util.format(msgStr, ...tokens) : msgStr;
-            return util.format(msgStr, ...tokens);
+            return specifierFound ? util.format(msgStr, ...tokens) : msgStr;
         });
     }
 }

package/lib/org/authInfo.js

@@ -880,7 +880,7 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
         // Exchange the auth code for an access token and refresh token.
         let authFields;
         try {
-            this.logger.info(`Exchanging auth code for access token using loginUrl: ${options.loginUrl}`);
+            this.logger.debug(`Exchanging auth code for access token using loginUrl: ${options.loginUrl}`);
             authFields = await oauth2.requestToken((0, ts_types_1.ensure)(options.authCode));
         }
         catch (err) {

package/lib/org/scratchOrgCache.d.ts

@@ -14,6 +14,7 @@ export type CachedOptions = {
     tracksSource?: boolean;
 };
 export declare class ScratchOrgCache extends TTLConfig<TTLConfig.Options, CachedOptions> {
+    protected static readonly encryptedKeys: string[];
     static getFileName(): string;
     static getDefaultOptions(): TTLConfig.Options;
     static unset(key: string): Promise<void>;

package/lib/org/scratchOrgCache.js

@@ -11,6 +11,7 @@ const kit_1 = require("@salesforce/kit");
 const global_1 = require("../global");
 const ttlConfig_1 = require("../config/ttlConfig");
 class ScratchOrgCache extends ttlConfig_1.TTLConfig {
+    static encryptedKeys = ['clientSecret'];
     static getFileName() {
         return 'scratch-create-cache.json';
     }
@@ -20,6 +21,7 @@ class ScratchOrgCache extends ttlConfig_1.TTLConfig {
             isState: true,
             filename: ScratchOrgCache.getFileName(),
             stateFolder: global_1.Global.SF_STATE_FOLDER,
+            encryptedKeys: ScratchOrgCache.encryptedKeys,
             ttl: kit_1.Duration.days(1),
         };
     }

package/lib/org/scratchOrgCreate.js

@@ -56,11 +56,15 @@ const scratchOrgResume = async (jobId) => {
         (0, scratchOrgLifecycleEvents_1.emit)({ stage: 'send request' }),
     ]);
     logger.debug(`resuming scratch org creation for jobId: ${jobId}`);
-    const cached = cache.get(jobId);
+    const cached = cache.get(jobId, true);
     if (!cached) {
         throw messages.createError('CacheMissError', [jobId]);
     }
     const { hubUsername, apiVersion, clientSecret, signupTargetLoginUrlConfig, definitionjson, alias, setDefault, tracksSource, } = cached;
+    const signupTargetLoginUrl = signupTargetLoginUrlConfig ?? (await getSignupTargetLoginUrl());
+    if (signupTargetLoginUrl) {
+        logger.debug(`resuming org create with LoginUrl override= ${signupTargetLoginUrl}`);
+    }
     const hubOrg = await org_1.Org.create({ aliasOrUsername: hubUsername });
     const soi = await (0, scratchOrgInfoApi_1.queryScratchOrgInfo)(hubOrg, jobId);
     await (0, scratchOrgErrorCodes_1.validateScratchOrgInfoForResume)({ jobId, scratchOrgInfo: soi, cache, hubUsername });
@@ -75,7 +79,7 @@ const scratchOrgResume = async (jobId) => {
             scratchOrgInfoComplete: soi,
             hubOrg,
             clientSecret,
-            signupTargetLoginUrlConfig,
+            signupTargetLoginUrl,
             retry: 0,
         });
     await setExitCodeIfError(68)(scratchOrgAuthInfo.handleAliasAndDefaultSettings({
@@ -114,7 +118,7 @@ const scratchOrgCreate = async (options) => {
     const logger = await logger_1.Logger.child('scratchOrgCreate');
     /** epoch milliseconds */
     const startTimestamp = Date.now();
-    logger.debug('scratchOrgCreate');
+    logger.debug('preparing scratch org signup request...');
     await (0, scratchOrgLifecycleEvents_1.emit)({ stage: 'prepare request' });
     const { hubOrg, connectedAppConsumerKey, durationDays = 1, nonamespace, noancestors, wait = kit_1.Duration.minutes(exports.DEFAULT_STREAM_TIMEOUT_MINUTES), retry = 0, apiversion, definitionjson, definitionfile, orgConfig, clientSecret = undefined, alias, setDefault = false, tracksSource = true, } = options;
     validateDuration(durationDays);
@@ -141,7 +145,7 @@ const scratchOrgCreate = async (options) => {
     });
     const settings = await settingsGenerator.extract(scratchOrgInfo);
     logger.debug(`the scratch org def file has settings: ${settingsGenerator.hasSettings()}`);
-    const [scratchOrgInfoRequestResult, signupTargetLoginUrlConfig] = await Promise.all([
+    const [scratchOrgInfoRequestResult, signupTargetLoginUrl] = await Promise.all([
         // creates the scratch org info in the devhub
         (0, scratchOrgInfoApi_1.requestScratchOrgCreation)(hubOrg, scratchOrgInfo, settingsGenerator),
         getSignupTargetLoginUrl(),
@@ -174,7 +178,7 @@ const scratchOrgCreate = async (options) => {
         scratchOrgInfoComplete: soi,
         hubOrg,
         clientSecret,
-        signupTargetLoginUrlConfig,
+        signupTargetLoginUrl,
         retry: retry || 0,
     });
     // anything after this point (org is created and auth'd) is potentially recoverable with the resume scratch command.
@@ -216,7 +220,11 @@ const getSignupTargetLoginUrl = async () => {
     try {
         const project = await sfProject_1.SfProject.resolve();
         const projectJson = await project.resolveProjectConfig();
-        return projectJson.signupTargetLoginUrl;
+        const signupTargetLoginUrl = projectJson.signupTargetLoginUrl;
+        if (signupTargetLoginUrl) {
+            logger_1.Logger.childFromRoot('getSignupTargetLoginUrl').debug(`Found signupTargetLoginUrl in project file: ${signupTargetLoginUrl}`);
+            return signupTargetLoginUrl;
+        }
     }
     catch {
         // a project isn't required for org:create

package/lib/org/scratchOrgInfoApi.d.ts

@@ -21,7 +21,7 @@ export declare const queryScratchOrgInfo: (hubOrg: Org, id: string) => Promise<S
  * scratchOrgInfoComplete - The completed ScratchOrgInfo which should contain an access token.
  * hubOrg - the environment hub org
  * clientSecret - The OAuth client secret. May be null for JWT OAuth flow.
- * signupTargetLoginUrlConfig - Login url
+ * signupTargetLoginUrl - Login url override
  * retry - auth retry attempts
  *
  * @returns {Promise<AuthInfo>}
@@ -30,7 +30,7 @@ export declare const authorizeScratchOrg: (options: {
     scratchOrgInfoComplete: ScratchOrgInfo;
     hubOrg: Org;
     clientSecret?: string;
-    signupTargetLoginUrlConfig?: string;
+    signupTargetLoginUrl?: string;
     retry?: number;
 }) => Promise<AuthInfo>;
 /**

package/lib/org/scratchOrgInfoApi.js

@@ -10,6 +10,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.updateRevisionCounterToZero = exports.resolveUrl = exports.deploySettings = exports.pollForScratchOrgInfo = exports.requestScratchOrgCreation = exports.authorizeScratchOrg = exports.queryScratchOrgInfo = void 0;
+const node_util_1 = require("node:util");
 const kit_1 = require("@salesforce/kit");
 const ts_retry_promise_1 = require("ts-retry-promise");
 const logger_1 = require("../logger/logger");
@@ -32,10 +33,10 @@ const errorCodes = new messages_1.Messages('@salesforce/core', 'scratchOrgErrorC
  *
  * @param scratchOrgInfoComplete The completed ScratchOrgInfo
  * @param hubOrgLoginUrl the hun org login url
- * @param signupTargetLoginUrlConfig the login url
+ * @param signupTargetLoginUrl the login url
  * @returns {string}
  */
-const getOrgInstanceAuthority = function (scratchOrgInfoComplete, hubOrgLoginUrl, signupTargetLoginUrlConfig) {
+const getOrgInstanceAuthority = function (scratchOrgInfoComplete, hubOrgLoginUrl, signupTargetLoginUrl) {
     const createdOrgInstance = scratchOrgInfoComplete.SignupInstance;
     if (createdOrgInstance === 'utf8') {
         return hubOrgLoginUrl;
@@ -49,7 +50,7 @@ const getOrgInstanceAuthority = function (scratchOrgInfoComplete, hubOrgLoginUrl
         // For Falcon sandboxes, try the LoginURL instead; createdOrgInstance will not yield a valid URL
         altUrl = scratchOrgInfoComplete.LoginUrl;
     }
-    return signupTargetLoginUrlConfig ?? altUrl;
+    return signupTargetLoginUrl ?? altUrl;
 };
 /**
  * Returns OAuth2Options object
@@ -61,9 +62,10 @@ const buildOAuth2Options = async (options) => {
     const logger = await logger_1.Logger.child('buildOAuth2Options');
     const isJwtFlow = !!options.hubOrg.getConnection().getAuthInfoFields().privateKey;
     const oauth2Options = {
-        loginUrl: getOrgInstanceAuthority(options.scratchOrgInfoComplete, options.hubOrg.getField(org_1.Org.Fields.LOGIN_URL), options.signupTargetLoginUrlConfig),
+        loginUrl: getOrgInstanceAuthority(options.scratchOrgInfoComplete, options.hubOrg.getField(org_1.Org.Fields.LOGIN_URL), options.signupTargetLoginUrl),
     };
     logger.debug(`isJwtFlow: ${isJwtFlow}`);
+    logger.debug(`using resolved loginUrl: ${oauth2Options.loginUrl}`);
     if (isJwtFlow && !process.env.SFDX_CLIENT_SECRET) {
         oauth2Options.privateKeyFile = options.hubOrg.getConnection().getAuthInfoFields().privateKey;
         const retries = options?.retry ?? kit_1.env.getNumber('SFDX_JWT_AUTH_RETRY_ATTEMPTS') ?? 0;
@@ -148,13 +150,13 @@ exports.queryScratchOrgInfo = queryScratchOrgInfo;
  * scratchOrgInfoComplete - The completed ScratchOrgInfo which should contain an access token.
  * hubOrg - the environment hub org
  * clientSecret - The OAuth client secret. May be null for JWT OAuth flow.
- * signupTargetLoginUrlConfig - Login url
+ * signupTargetLoginUrl - Login url override
  * retry - auth retry attempts
  *
  * @returns {Promise<AuthInfo>}
  */
 const authorizeScratchOrg = async (options) => {
-    const { scratchOrgInfoComplete, hubOrg, clientSecret, signupTargetLoginUrlConfig, retry } = options;
+    const { scratchOrgInfoComplete, hubOrg, clientSecret, signupTargetLoginUrl, retry } = options;
     await (0, scratchOrgLifecycleEvents_1.emit)({ stage: 'authenticate', scratchOrgInfo: scratchOrgInfoComplete });
     const logger = await logger_1.Logger.child('authorizeScratchOrg');
     logger.debug(`scratchOrgInfoComplete: ${JSON.stringify(scratchOrgInfoComplete, null, 4)}`);
@@ -167,16 +169,46 @@ const authorizeScratchOrg = async (options) => {
         clientSecret,
         scratchOrgInfoComplete,
         retry,
-        signupTargetLoginUrlConfig,
-    });
-    const authInfo = await getAuthInfo({
-        hubOrg,
-        username: scratchOrgInfoComplete.SignupUsername,
-        oauth2Options: oAuth2Options.options,
-        retries: oAuth2Options.retries,
-        timeout: oAuth2Options.timeout,
-        delay: oAuth2Options.delay,
+        signupTargetLoginUrl,
     });
+    let authInfo;
+    try {
+        // This will use the authCode from the scratch org signup to exchange for an auth token via OAuth.
+        authInfo = await getAuthInfo({
+            hubOrg,
+            username: scratchOrgInfoComplete.SignupUsername,
+            oauth2Options: oAuth2Options.options,
+            retries: oAuth2Options.retries,
+            timeout: oAuth2Options.timeout,
+            delay: oAuth2Options.delay,
+        });
+    }
+    catch (err1) {
+        // If we didn't already try authenticating with the LoginUrl from ScratchOrgInfo object,
+        // try the oauth flow again using it now.
+        if (scratchOrgInfoComplete.LoginUrl && oAuth2Options.options.loginUrl !== scratchOrgInfoComplete.LoginUrl) {
+            logger.debug(`Auth failed with loginUrl ${oAuth2Options.options.loginUrl} so trying with ${scratchOrgInfoComplete.LoginUrl}`);
+            oAuth2Options.options = { ...oAuth2Options.options, ...{ loginUrl: scratchOrgInfoComplete.LoginUrl } };
+            try {
+                authInfo = await getAuthInfo({
+                    hubOrg,
+                    username: scratchOrgInfoComplete.SignupUsername,
+                    oauth2Options: oAuth2Options.options,
+                    retries: oAuth2Options.retries,
+                    timeout: oAuth2Options.timeout,
+                    delay: oAuth2Options.delay,
+                });
+            }
+            catch (err2) {
+                // Log this error but throw the original error
+                logger.debug(`Auth failed with ScratchOrgInfo.LoginUrl ${scratchOrgInfoComplete.LoginUrl}\n${(0, node_util_1.inspect)(err2)}`);
+                throw err1;
+            }
+        }
+        else {
+            throw err1;
+        }
+    }
     await authInfo.save({
         devHubUsername: hubOrg.getUsername(),
         created: new Date(scratchOrgInfoComplete.CreatedDate ?? new Date()).valueOf().toString(),

package/messages/core.md

@@ -36,7 +36,7 @@ Error authenticating with the refresh token due to: %s
 
 # invalidSfdxAuthUrlError
 
-Invalid SFDX authorization URL. Must be in the format "force://<clientId>:<clientSecret>:<refreshToken>@<instanceUrl>". Note that the "instanceUrl" inside the SFDX authorization URL doesn\'t include the protocol ("https://"). Run "org display --target-org" on an org to see an example of an SFDX authorization URL. 
+Invalid SFDX authorization URL. Must be in the format "force://<clientId>:<clientSecret>:<refreshToken>@<instanceUrl>". Note that the "instanceUrl" inside the SFDX authorization URL doesn\'t include the protocol ("https://"). Run "org display --target-org" on an org to see an example of an SFDX authorization URL.
 
 # orgDataNotAvailableError
 

package/messages/encryption.md

@@ -56,7 +56,7 @@ The service and account specified in %s do not match the version of the toolbelt
 
 # genericKeychainInvalidPermsError
 
-Invalid file permissions for secret file
+Invalid file permissions for secret file: %s
 
 # genericKeychainInvalidPermsError.actions
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@salesforce/core",
-  "version": "8.6.1",
+  "version": "8.6.3",
   "description": "Core libraries to interact with SFDX projects, orgs, and APIs.",
   "main": "lib/index",
   "types": "lib/index.d.ts",
@@ -53,7 +53,7 @@
     "messageTransformer/messageTransformer.ts"
   ],
   "dependencies": {
-    "@jsforce/jsforce-node": "^3.4.1",
+    "@jsforce/jsforce-node": "^3.6.1",
     "@salesforce/kit": "^3.2.2",
     "@salesforce/schemas": "^1.9.0",
     "@salesforce/ts-types": "^2.0.10",
@@ -81,6 +81,11 @@
     "@types/proper-lockfile": "^4.1.4",
     "@types/semver": "^7.5.8",
     "benchmark": "^2.1.4",
+    "esbuild": "^0.23.1",
+    "esbuild-plugin-pino": "^2.2.0",
+    "esbuild-plugin-tsc": "^0.4.0",
+    "npm-dts": "^1.3.13",
+    "ts-morph": "^23.0.0",
     "ts-node": "^10.9.2",
     "ts-patch": "^3.2.1",
     "typescript": "^5.5.4"