@sanlam-fintech-digital/mfe-platform-cli 0.0.1

package/dist/commands/init.js

@@ -0,0 +1,214 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getStoredConfigSource = getStoredConfigSource;
+exports.createInitCommand = createInitCommand;
+const commander_1 = require("commander");
+const loader_js_1 = require("../config/loader.js");
+const manager_js_1 = require("../npmrc/manager.js");
+const orchestrator_js_1 = require("../auth/orchestrator.js");
+const router_js_1 = require("../feed/router.js");
+const manager_js_2 = require("../nuget/manager.js");
+const promises_1 = __importDefault(require("fs/promises"));
+const path_1 = __importDefault(require("path"));
+const os_1 = __importDefault(require("os"));
+const chalk_1 = __importDefault(require("chalk"));
+/**
+ * Store location for tracking initial config source
+ */
+const CONFIG_STORE_PATH = path_1.default.join(os_1.default.homedir(), '.sft-mfe-platform', 'config-source.json');
+/**
+ * Execute init command
+ */
+async function executeInit(options) {
+    try {
+        const isDryRun = options.dryRun === true;
+        console.log(chalk_1.default.bold.cyan(`\n🚀 Initializing Sanlam Platform CLI${isDryRun ? ' (Dry Run)' : ''}\n`));
+        // Step 1: Load and validate configuration
+        console.log(chalk_1.default.blue('Step 1: Loading configuration...'));
+        const config = await (0, loader_js_1.loadConfig)(options.config, buildConfigAuthOptions(options));
+        // Flatten all registries for display and processing
+        const allRegistries = flattenRegistries(config);
+        console.log(chalk_1.default.green(`✓ Loaded ${allRegistries.length} registry/registries\n`));
+        // Step 2: Analyze feed configuration
+        console.log(chalk_1.default.blue('Step 2: Analyzing feed configuration...'));
+        const feedGroups = (0, router_js_1.groupFeedsByType)(allRegistries);
+        console.log(chalk_1.default.green(`✓ Found ${feedGroups.npm.length} npm registries, ${feedGroups.nuget.length} NuGet feeds\n`));
+        // Step 3: Track config source
+        console.log(chalk_1.default.blue('Step 3: Tracking configuration source...'));
+        if (isDryRun) {
+            console.log(chalk_1.default.yellow('⊘ Skipped (dry run): Would track configuration source\n'));
+        }
+        else {
+            await storeConfigSource(options.config, buildConfigAuthOptions(options));
+            console.log(chalk_1.default.green('✓ Configuration source tracked\n'));
+        }
+        // Step 4: Setup authentication (before configuration updates)
+        console.log(chalk_1.default.blue('Step 4: Setting up authentication...'));
+        let tokenMap;
+        if (isDryRun) {
+            console.log(chalk_1.default.yellow('⊘ Skipped (dry run): Would setup authentication for feeds\n'));
+        }
+        else {
+            tokenMap = await (0, orchestrator_js_1.orchestrateAuthentication)(config.authGroups, options.configRedirectUri);
+            console.log(chalk_1.default.green('✓ Authentication configured\n'));
+        }
+        // Step 5: Creating backups
+        console.log(chalk_1.default.blue('Step 5: Creating backups...'));
+        if (isDryRun) {
+            console.log(chalk_1.default.yellow('⊘ Skipped (dry run): Would backup configuration files\n'));
+        }
+        else {
+            const backupPromises = [];
+            if (feedGroups.npm.length > 0) {
+                backupPromises.push((0, manager_js_1.backupNpmrc)());
+            }
+            if (feedGroups.nuget.length > 0) {
+                backupPromises.push((0, manager_js_2.backupNugetConfig)());
+            }
+            await Promise.all(backupPromises);
+            console.log(chalk_1.default.green('✓ Backup completed\n'));
+        }
+        // Step 6: Configuring package feeds
+        console.log(chalk_1.default.blue('Step 6: Configuring package feeds...'));
+        await (0, router_js_1.applyFeeds)(feedGroups, tokenMap || new Map(), isDryRun);
+        if (!isDryRun) {
+            console.log(chalk_1.default.green('✓ Feed configuration updated\n'));
+        }
+        // Success message
+        if (isDryRun) {
+            console.log(chalk_1.default.bold.yellow('✓ Dry run completed successfully!\n'));
+            console.log(chalk_1.default.gray('Run without --dry-run to apply these changes.\n'));
+        }
+        else {
+            console.log(chalk_1.default.bold.green('✅ Initialization complete!\n'));
+            if (feedGroups.npm.length > 0) {
+                const npmScopes = Array.from(new Set(feedGroups.npm.map(r => r.scope)));
+                console.log(chalk_1.default.gray('npm packages can now be installed:'));
+                for (const scope of npmScopes) {
+                    console.log(chalk_1.default.gray(`  npm install ${scope}/some-package`));
+                }
+            }
+            if (feedGroups.nuget.length > 0) {
+                const nugetSources = Array.from(new Set(feedGroups.nuget.map(r => r.scope)));
+                console.log(chalk_1.default.gray('\nNuGet packages can now be installed:'));
+                for (const source of nugetSources) {
+                    console.log(chalk_1.default.gray(`  dotnet add package SomePackage --source ${source}`));
+                }
+            }
+            console.log('');
+        }
+    }
+    catch (error) {
+        console.error(chalk_1.default.red.bold('\n❌ Initialization failed\n'));
+        if (error instanceof Error) {
+            console.error(chalk_1.default.red(`Error: ${error.message}\n`));
+        }
+        else {
+            console.error(chalk_1.default.red(`Unknown error occurred\n`));
+        }
+        // Offer to restore from backup
+        if (error instanceof Error && error.message.includes('Authentication')) {
+            console.log(chalk_1.default.yellow('Restore your .npmrc from backup? Run:'));
+            console.log(chalk_1.default.gray('  sft-mfe-platform restore\n'));
+        }
+        process.exit(2);
+    }
+}
+/**
+ * Store the config source for later updates
+ */
+async function storeConfigSource(source, authOptions) {
+    try {
+        const storeDir = path_1.default.dirname(CONFIG_STORE_PATH);
+        await promises_1.default.mkdir(storeDir, { recursive: true });
+        const configSource = {
+            source,
+            timestamp: Date.now(),
+            type: (0, loader_js_1.isUrlSource)(source) ? 'url' : 'file',
+            authOptions, // Store auth options if provided
+        };
+        await promises_1.default.writeFile(CONFIG_STORE_PATH, JSON.stringify(configSource, null, 2), 'utf-8');
+    }
+    catch (error) {
+        console.warn(chalk_1.default.yellow(`⚠ Warning: Could not store config source: ${error instanceof Error ? error.message : String(error)}`));
+    }
+}
+/**
+ * Flatten registries from authGroups and top-level registries array
+ */
+function flattenRegistries(config) {
+    const allRegistries = [];
+    // Add registries from auth groups
+    if (config.authGroups) {
+        for (const group of config.authGroups) {
+            allRegistries.push(...group.registries);
+        }
+    }
+    // Add top-level public registries
+    if (config.registries) {
+        allRegistries.push(...config.registries);
+    }
+    return allRegistries;
+}
+/**
+ * Get stored config source and auth options for update command
+ */
+async function getStoredConfigSource() {
+    try {
+        const content = await promises_1.default.readFile(CONFIG_STORE_PATH, 'utf-8');
+        const configSource = JSON.parse(content);
+        return configSource;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Create and configure the init command
+ */
+function createInitCommand() {
+    const command = new commander_1.Command('init');
+    command
+        .description('Initialize developer machine with npm registry configuration')
+        .requiredOption('--config <source>', 'Configuration source: URL or file path')
+        .option('--config-auth-endpoint <url>', 'Config URL auth endpoint (device code endpoint)')
+        .option('--config-token-endpoint <url>', 'Config URL token endpoint (optional, derived if omitted)')
+        .option('--config-client-id <id>', 'Config URL OAuth client ID')
+        .option('--config-token-kind <kind>', 'Config URL token to use as bearer (access or id)')
+        .option('--config-auth-scope <scope>', 'Config URL OAuth scope (optional)')
+        .option('--config-redirect-uri <uri>', 'Custom redirect URI for PKCE auth')
+        .option('-i, --interactive', 'Interactive mode', false)
+        .option('-f, --force', 'Skip confirmations', false)
+        .option('--dry-run', 'Preview changes without applying them', false)
+        .action(async (options) => {
+        try {
+            await executeInit(options);
+        }
+        catch (error) {
+            if (!(error instanceof Error && error.message)) {
+                console.error(chalk_1.default.red('Unknown error occurred'));
+            }
+            process.exit(1);
+        }
+    });
+    return command;
+}
+function buildConfigAuthOptions(options) {
+    if (!options.configAuthEndpoint && !options.configClientId && !options.configTokenKind && !options.configTokenEndpoint && !options.configAuthScope) {
+        return undefined;
+    }
+    if (!options.configAuthEndpoint || !options.configClientId) {
+        throw new Error('Config URL auth requires both --config-auth-endpoint and --config-client-id');
+    }
+    return {
+        authEndpoint: options.configAuthEndpoint,
+        tokenEndpoint: options.configTokenEndpoint,
+        clientId: options.configClientId,
+        tokenKind: options.configTokenKind,
+        scope: options.configAuthScope,
+        redirectUri: options.configRedirectUri,
+    };
+}

package/dist/commands/update.d.ts

@@ -0,0 +1,5 @@
+import { Command } from 'commander';
+/**
+ * Create and configure the update command
+ */
+export declare function createUpdateCommand(): Command;

package/dist/commands/update.js

@@ -0,0 +1,199 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createUpdateCommand = createUpdateCommand;
+const commander_1 = require("commander");
+const loader_js_1 = require("../config/loader.js");
+const manager_js_1 = require("../npmrc/manager.js");
+const orchestrator_js_1 = require("../auth/orchestrator.js");
+const init_js_1 = require("./init.js");
+const router_js_1 = require("../feed/router.js");
+const manager_js_2 = require("../nuget/manager.js");
+const chalk_1 = __importDefault(require("chalk"));
+/**
+ * Execute update command
+ */
+async function executeUpdate(options) {
+    try {
+        const isDryRun = options.dryRun === true;
+        console.log(chalk_1.default.bold.cyan(`\n🔄 Updating Sanlam Platform CLI Configuration${isDryRun ? ' (Dry Run)' : ''}\n`));
+        // Step 1: Determine config source and auth options (provided or stored)
+        console.log(chalk_1.default.blue('Step 1: Determining configuration source...'));
+        let configSource;
+        let mergedAuthOptions;
+        if (options.config) {
+            // Use provided config source
+            configSource = options.config;
+            mergedAuthOptions = buildConfigAuthOptions(options);
+            console.log(chalk_1.default.green(`✓ Using provided config: ${configSource}\n`));
+        }
+        else {
+            // Use stored config source and auth options
+            const storedConfig = await (0, init_js_1.getStoredConfigSource)();
+            if (!storedConfig) {
+                throw new Error('No configuration source found.\n' +
+                    'Either provide --config <source> or run "sft-mfe-platform init" first.');
+            }
+            configSource = storedConfig.source;
+            // Merge stored auth options with CLI-provided options (CLI takes precedence)
+            const cliAuthOptions = buildConfigAuthOptions(options);
+            mergedAuthOptions = mergeAuthOptions(storedConfig.authOptions, cliAuthOptions);
+            console.log(chalk_1.default.green(`✓ Using stored config: ${configSource}\n`));
+        }
+        // Step 2: Load and validate configuration
+        console.log(chalk_1.default.blue('Step 2: Loading configuration...'));
+        const config = await (0, loader_js_1.loadConfig)(configSource, mergedAuthOptions);
+        // Flatten all registries for display and processing
+        const allRegistries = flattenRegistries(config);
+        console.log(chalk_1.default.green(`✓ Loaded ${allRegistries.length} registry/registries\n`));
+        // Step 3: Analyze feed configuration
+        console.log(chalk_1.default.blue('Step 3: Analyzing feed configuration...'));
+        const feedGroups = (0, router_js_1.groupFeedsByType)(allRegistries);
+        console.log(chalk_1.default.green(`✓ Found ${feedGroups.npm.length} npm registries, ${feedGroups.nuget.length} NuGet feeds\n`));
+        // Step 4: Setup authentication (before configuration updates)
+        console.log(chalk_1.default.blue('Step 4: Setting up authentication...'));
+        let tokenMap;
+        if (isDryRun) {
+            console.log(chalk_1.default.yellow('⊘ Skipped (dry run): Would setup authentication for feeds\n'));
+        }
+        else {
+            tokenMap = await (0, orchestrator_js_1.orchestrateAuthentication)(config.authGroups, options.configRedirectUri);
+            console.log(chalk_1.default.green('✓ Authentication configured\n'));
+        }
+        // Step 5: Creating backups
+        console.log(chalk_1.default.blue('Step 5: Creating backups...'));
+        if (isDryRun) {
+            console.log(chalk_1.default.yellow('⊘ Skipped (dry run): Would backup configuration files\n'));
+        }
+        else {
+            const backupPromises = [];
+            if (feedGroups.npm.length > 0) {
+                backupPromises.push((0, manager_js_1.backupNpmrc)());
+            }
+            if (feedGroups.nuget.length > 0) {
+                backupPromises.push((0, manager_js_2.backupNugetConfig)());
+            }
+            await Promise.all(backupPromises);
+            console.log(chalk_1.default.green('✓ Backup completed\n'));
+        }
+        // Step 6: Configuring package feeds
+        console.log(chalk_1.default.blue('Step 6: Configuring package feeds...'));
+        await (0, router_js_1.applyFeeds)(feedGroups, tokenMap || new Map(), isDryRun);
+        if (!isDryRun) {
+            console.log(chalk_1.default.green('✓ Feed configuration updated\n'));
+        }
+        // Success message
+        if (isDryRun) {
+            console.log(chalk_1.default.bold.yellow('✓ Dry run completed successfully!\n'));
+            console.log(chalk_1.default.gray('Run without --dry-run to apply these changes.\n'));
+        }
+        else {
+            console.log(chalk_1.default.bold.green('✅ Update complete!\n'));
+            if (feedGroups.npm.length > 0) {
+                const npmScopes = Array.from(new Set(feedGroups.npm.map(r => r.scope)));
+                console.log(chalk_1.default.gray('npm packages can now be installed:'));
+                for (const scope of npmScopes) {
+                    console.log(chalk_1.default.gray(`  npm install ${scope}/some-package`));
+                }
+            }
+            if (feedGroups.nuget.length > 0) {
+                const nugetSources = Array.from(new Set(feedGroups.nuget.map(r => r.scope)));
+                console.log(chalk_1.default.gray('\nNuGet packages can now be installed:'));
+                for (const source of nugetSources) {
+                    console.log(chalk_1.default.gray(`  dotnet add package SomePackage --source ${source}`));
+                }
+            }
+            console.log('');
+        }
+    }
+    catch (error) {
+        console.error(chalk_1.default.red.bold('\n❌ Update failed\n'));
+        if (error instanceof Error) {
+            console.error(chalk_1.default.red(`Error: ${error.message}\n`));
+        }
+        else {
+            console.error(chalk_1.default.red(`Unknown error occurred\n`));
+        }
+        // Offer to restore from backup
+        if (error instanceof Error && error.message.includes('Authentication')) {
+            console.log(chalk_1.default.yellow('Restore your .npmrc from backup? Run:'));
+            console.log(chalk_1.default.gray('  sft-mfe-platform restore\n'));
+        }
+        process.exit(2);
+    }
+}
+/**
+ * Merge stored auth options with CLI-provided options
+ * CLI options take precedence over stored options
+ */
+function mergeAuthOptions(stored, cli) {
+    // If CLI options are provided, use them (they override everything)
+    if (cli) {
+        return cli;
+    }
+    // Otherwise use stored options
+    return stored;
+}
+/**
+ * Flatten registries from authGroups and top-level registries array
+ */
+function flattenRegistries(config) {
+    const allRegistries = [];
+    // Add registries from auth groups
+    if (config.authGroups) {
+        for (const group of config.authGroups) {
+            allRegistries.push(...group.registries);
+        }
+    }
+    // Add top-level public registries
+    if (config.registries) {
+        allRegistries.push(...config.registries);
+    }
+    return allRegistries;
+}
+/**
+ * Create and configure the update command
+ */
+function createUpdateCommand() {
+    const command = new commander_1.Command('update');
+    command
+        .description('Update npm registry configuration (uses stored config source from init)')
+        .option('--config <source>', 'Configuration source: URL or file path (overrides stored source)')
+        .option('--config-auth-endpoint <url>', 'Config URL auth endpoint (device code or authorize endpoint)')
+        .option('--config-token-endpoint <url>', 'Config URL token endpoint (optional, derived if omitted)')
+        .option('--config-client-id <id>', 'Config URL OAuth client ID')
+        .option('--config-token-kind <kind>', 'Config URL token to use as bearer (access or id)')
+        .option('--config-auth-scope <scope>', 'Config URL OAuth scope (optional)')
+        .option('--config-redirect-uri <uri>', 'Custom redirect URI for PKCE auth')
+        .option('--dry-run', 'Preview changes without applying them', false)
+        .action(async (options) => {
+        try {
+            await executeUpdate(options);
+        }
+        catch (error) {
+            if (!(error instanceof Error && error.message)) {
+                console.error(chalk_1.default.red('Unknown error occurred'));
+            }
+            process.exit(1);
+        }
+    });
+    return command;
+}
+function buildConfigAuthOptions(options) {
+    if (!options.configAuthEndpoint && !options.configClientId && !options.configTokenKind && !options.configTokenEndpoint && !options.configAuthScope) {
+        return undefined;
+    }
+    if (!options.configAuthEndpoint || !options.configClientId) {
+        throw new Error('Config URL auth requires both --config-auth-endpoint and --config-client-id');
+    }
+    return {
+        authEndpoint: options.configAuthEndpoint,
+        tokenEndpoint: options.configTokenEndpoint,
+        clientId: options.configClientId,
+        tokenKind: options.configTokenKind,
+        scope: options.configAuthScope,
+        redirectUri: options.configRedirectUri,
+    };
+}

package/dist/config/auth-token-cache.d.ts

@@ -0,0 +1,10 @@
+export interface CachedConfigAuthToken {
+    clientId: string;
+    accessToken?: string;
+    idToken?: string;
+    providerHint: 'github' | 'entra' | 'other';
+    tenantId?: string;
+    scopes?: string[];
+}
+export declare function getCachedConfigAuthToken(): CachedConfigAuthToken | undefined;
+export declare function setCachedConfigAuthToken(token: CachedConfigAuthToken | undefined): void;

package/dist/config/auth-token-cache.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getCachedConfigAuthToken = getCachedConfigAuthToken;
+exports.setCachedConfigAuthToken = setCachedConfigAuthToken;
+let cachedConfigAuthToken;
+function getCachedConfigAuthToken() {
+    return cachedConfigAuthToken;
+}
+function setCachedConfigAuthToken(token) {
+    cachedConfigAuthToken = token;
+}

package/dist/config/loader.d.ts

@@ -0,0 +1,9 @@
+import { RegistryConfig, ConfigAuthOptions } from '../types/config';
+/**
+ * Load registry configuration from URL or local file
+ */
+export declare function loadConfig(source: string, authOptions?: ConfigAuthOptions): Promise<RegistryConfig>;
+/**
+ * Determine if source is URL or file path
+ */
+export declare function isUrlSource(source: string): boolean;

package/dist/config/loader.js

@@ -0,0 +1,214 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadConfig = loadConfig;
+exports.isUrlSource = isUrlSource;
+const ora_1 = __importDefault(require("ora"));
+const promises_1 = __importDefault(require("fs/promises"));
+const path_1 = __importDefault(require("path"));
+const config_1 = require("../types/config");
+const pkce_flow_1 = require("../auth/pkce-flow");
+const device_flow_1 = require("../auth/device-flow");
+const auth_token_cache_1 = require("./auth-token-cache");
+const azure_devops_1 = require("../auth/providers/azure-devops");
+const constants_1 = require("../auth/constants");
+/**
+ * Load registry configuration from URL or local file
+ */
+async function loadConfig(source, authOptions) {
+    const isUrl = source.startsWith('http://') || source.startsWith('https://');
+    let spinner = null;
+    try {
+        let configData;
+        // Check if source is a URL or file path
+        if (isUrl) {
+            const authHeaders = authOptions ? await buildAuthHeaders(authOptions) : {};
+            spinner = (0, ora_1.default)('Loading configuration...').start();
+            configData = await loadConfigFromUrl(source, authHeaders);
+        }
+        else {
+            spinner = (0, ora_1.default)('Loading configuration...').start();
+            configData = await loadConfigFromFile(source);
+        }
+        // Parse and validate (after any auth flow completes)
+        spinner.text = 'Validating configuration...';
+        const parsed = JSON.parse(configData);
+        const validated = config_1.RegistryConfigSchema.parse(parsed);
+        spinner?.succeed('Configuration loaded successfully');
+        return validated;
+    }
+    catch (error) {
+        spinner?.fail('Failed to load configuration');
+        if (error instanceof Error) {
+            throw new Error(`Configuration loading failed: ${error.message}`);
+        }
+        throw error;
+    }
+}
+/**
+ * Load configuration from remote URL
+ */
+async function loadConfigFromUrl(url, headers) {
+    try {
+        const response = await fetch(url, {
+            headers: {
+                'Accept': 'application/octet-stream',
+                ...headers,
+            },
+        });
+        if (!response.ok) {
+            throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+        }
+        return await response.text();
+    }
+    catch (error) {
+        if (error instanceof Error) {
+            throw new Error(`Failed to fetch from ${url}: ${error.message}`);
+        }
+        throw error;
+    }
+}
+async function buildAuthHeaders(options) {
+    if (!options.authEndpoint || !options.clientId) {
+        throw new Error('Config URL auth requires authEndpoint and clientId');
+    }
+    const tokenKind = options.tokenKind ?? getDefaultTokenKind();
+    const scope = options.scope ?? getDefaultScopes(options.authEndpoint);
+    const authorizeEndpoint = options.authEndpoint;
+    const tokenEndpoint = options.tokenEndpoint ?? deriveTokenEndpoint(authorizeEndpoint);
+    const tokenResponse = isDeviceFlowEndpoint(authorizeEndpoint)
+        ? await runDeviceFlow(authorizeEndpoint, tokenEndpoint, options.clientId, scope)
+        : await runAuthorizePkce(authorizeEndpoint, tokenEndpoint, options.clientId, scope, options.redirectUri);
+    const selectedToken = tokenKind === 'id'
+        ? tokenResponse.id_token
+        : tokenResponse.access_token;
+    if (!selectedToken) {
+        throw new Error(`Requested ${tokenKind} token but it was not returned by the auth provider`);
+    }
+    (0, auth_token_cache_1.setCachedConfigAuthToken)({
+        clientId: options.clientId,
+        accessToken: tokenResponse.access_token,
+        idToken: tokenResponse.id_token,
+        providerHint: getProviderHint(options.authEndpoint),
+        tenantId: extractTenantId(options.authEndpoint),
+        scopes: extractScopes(tokenResponse),
+    });
+    return {
+        Authorization: `Bearer ${selectedToken}`,
+    };
+}
+async function runDeviceFlow(deviceAuthEndpoint, tokenEndpoint, clientId, scope) {
+    const deviceAuth = await (0, device_flow_1.initiateDeviceFlow)(deviceAuthEndpoint, clientId, scope);
+    (0, device_flow_1.displayUserInstructions)(deviceAuth.user_code, deviceAuth.verification_uri, 'Config URL');
+    return (0, device_flow_1.pollForToken)(tokenEndpoint, clientId, deviceAuth.device_code, deviceAuth.interval, deviceAuth.expires_in);
+}
+async function runAuthorizePkce(authorizeEndpoint, tokenEndpoint, clientId, scope, redirectUri) {
+    const effectiveRedirectUri = redirectUri || constants_1.DEFAULT_REDIRECT_URI;
+    return (0, pkce_flow_1.runPkceFlow)({
+        authorizeEndpoint,
+        tokenEndpoint,
+        clientId,
+        redirectUri: effectiveRedirectUri,
+        scope,
+        providerName: 'Config URL',
+    });
+}
+function isDeviceFlowEndpoint(authEndpoint) {
+    return authEndpoint.includes('/devicecode') || authEndpoint.includes('/device/code');
+}
+function isGitHubAuthEndpoint(authEndpoint) {
+    try {
+        const url = new URL(authEndpoint);
+        return url.hostname === 'github.com' || url.hostname.endsWith('.github.com');
+    }
+    catch {
+        return false;
+    }
+}
+function getProviderHint(authEndpoint) {
+    if (isGitHubAuthEndpoint(authEndpoint)) {
+        return 'github';
+    }
+    if (isEntraIdAuthEndpoint(authEndpoint)) {
+        return 'entra';
+    }
+    return 'other';
+}
+function getDefaultScopes(authEndpoint) {
+    if (isGitHubAuthEndpoint(authEndpoint)) {
+        return 'repo read:packages';
+    }
+    if (isEntraIdAuthEndpoint(authEndpoint)) {
+        return `openid profile ${azure_devops_1.AZURE_DEVOPS_OAUTH_SCOPE}`;
+    }
+    return 'openid profile';
+}
+function getDefaultTokenKind() {
+    return 'access';
+}
+function deriveTokenEndpoint(authorizeEndpoint) {
+    if (authorizeEndpoint.includes('/authorize')) {
+        return authorizeEndpoint.replace(/\/authorize(\?.*)?$/, '/token');
+    }
+    if (authorizeEndpoint.includes('/devicecode')) {
+        return authorizeEndpoint.replace(/\/devicecode(\?.*)?$/, '/token');
+    }
+    if (authorizeEndpoint.includes('/device/code')) {
+        return authorizeEndpoint.replace(/\/device\/code(\?.*)?$/, '/oauth/access_token');
+    }
+    throw new Error('Config URL auth requires tokenEndpoint when it cannot be derived from authEndpoint');
+}
+function isEntraIdAuthEndpoint(authEndpoint) {
+    try {
+        const url = new URL(authEndpoint);
+        return url.hostname === 'login.microsoftonline.com'
+            || url.hostname === 'login.microsoft.com';
+    }
+    catch {
+        return false;
+    }
+}
+function extractTenantId(authEndpoint) {
+    if (!isEntraIdAuthEndpoint(authEndpoint)) {
+        return undefined;
+    }
+    try {
+        const url = new URL(authEndpoint);
+        const segments = url.pathname.split('/').filter(Boolean);
+        return segments.length > 0 ? segments[0] : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+function extractScopes(tokenResponse) {
+    const scope = tokenResponse?.scope;
+    if (!scope) {
+        return undefined;
+    }
+    return scope.split(' ').map((s) => s.trim()).filter(Boolean);
+}
+/**
+ * Load configuration from local file
+ */
+async function loadConfigFromFile(filePath) {
+    try {
+        const resolvedPath = path_1.default.resolve(filePath);
+        const content = await promises_1.default.readFile(resolvedPath, 'utf-8');
+        return content;
+    }
+    catch (error) {
+        if (error instanceof Error) {
+            throw new Error(`Failed to read config file at ${filePath}: ${error.message}`);
+        }
+        throw error;
+    }
+}
+/**
+ * Determine if source is URL or file path
+ */
+function isUrlSource(source) {
+    return source.startsWith('http://') || source.startsWith('https://');
+}

package/dist/feed/router.d.ts

@@ -0,0 +1,13 @@
+import { Registry } from '../types/config.js';
+export interface FeedGroup {
+    npm: Registry[];
+    nuget: Registry[];
+}
+/**
+ * Group feeds by type
+ */
+export declare function groupFeedsByType(registries: Registry[]): FeedGroup;
+/**
+ * Apply feeds to respective configuration files
+ */
+export declare function applyFeeds(feedGroups: FeedGroup, tokenMap: Map<string, string>, dryRun: boolean): Promise<void>;