@sanlam-fintech-digital/mfe-platform-cli 0.0.1

package/dist/feed/router.js

@@ -0,0 +1,58 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.groupFeedsByType = groupFeedsByType;
+exports.applyFeeds = applyFeeds;
+const manager_js_1 = require("../npmrc/manager.js");
+const manager_js_2 = require("../nuget/manager.js");
+const chalk_1 = __importDefault(require("chalk"));
+/**
+ * Group feeds by type
+ */
+function groupFeedsByType(registries) {
+    const npm = [];
+    const nuget = [];
+    for (const registry of registries) {
+        const feedType = registry.feedType || 'npm'; // Default to npm for backward compatibility
+        if (feedType === 'npm') {
+            npm.push(registry);
+        }
+        else if (feedType === 'nuget') {
+            nuget.push(registry);
+        }
+    }
+    return { npm, nuget };
+}
+/**
+ * Apply feeds to respective configuration files
+ */
+async function applyFeeds(feedGroups, tokenMap, dryRun) {
+    // Apply npm registries
+    if (feedGroups.npm.length > 0) {
+        if (dryRun) {
+            console.log(chalk_1.default.yellow('⊘ Skipped (dry run): Would configure npm registries (.npmrc):'));
+            for (const reg of feedGroups.npm) {
+                console.log(chalk_1.default.gray(`  ${reg.scope}:registry=${reg.url}`));
+            }
+            console.log('');
+        }
+        else {
+            await (0, manager_js_1.addRegistries)(feedGroups.npm, tokenMap);
+        }
+    }
+    // Apply NuGet feeds
+    if (feedGroups.nuget.length > 0) {
+        if (dryRun) {
+            console.log(chalk_1.default.yellow('⊘ Skipped (dry run): Would configure NuGet feeds (nuget.config):'));
+            for (const feed of feedGroups.nuget) {
+                console.log(chalk_1.default.gray(`  <add key="${feed.scope}" value="${feed.url}" />`));
+            }
+            console.log('');
+        }
+        else {
+            await (0, manager_js_2.addNuGetFeeds)(feedGroups.nuget, tokenMap);
+        }
+    }
+}

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/index.js

@@ -0,0 +1,49 @@
+#!/usr/bin/env node
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const commander_1 = require("commander");
+const init_js_1 = require("./commands/init.js");
+const update_js_1 = require("./commands/update.js");
+const chalk_1 = __importDefault(require("chalk"));
+const program = new commander_1.Command();
+program
+    .name('sft-mfe-platform')
+    .description('Sanlam Platform CLI - Bootstrap and orchestration tool')
+    .version('0.0.1');
+/**
+ * Init command - Bootstrap developer machine with npm registry configuration
+ */
+program.addCommand((0, init_js_1.createInitCommand)());
+/**
+ * Update command - Refresh npm registry configuration using stored config source
+ */
+program.addCommand((0, update_js_1.createUpdateCommand)());
+/**
+ * Help and version
+ */
+program
+    .on('--help', () => {
+    console.log('');
+    console.log(chalk_1.default.cyan('Examples:'));
+    console.log('');
+    console.log('  # Global install');
+    console.log('  npm install -g @sanlam-fintech-digital/mfe-platform-cli');
+    console.log('  sft-mfe-platform init --config https://example.com/registry-config.json');
+    console.log('');
+    console.log('  # Update registry configuration (uses stored config from init)');
+    console.log('  sft-mfe-platform update');
+    console.log('');
+    console.log('  # Update with a different config source');
+    console.log('  sft-mfe-platform update --config https://example.com/new-config.json');
+    console.log('');
+    console.log('  # One-off with npx');
+    console.log('  npx @sanlam-fintech-digital/mfe-platform-cli init --config ./local-config.json');
+    console.log('');
+});
+program.parse(process.argv);
+if (!process.argv.slice(2).length) {
+    program.outputHelp();
+}

package/dist/npmrc/manager.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Backup existing .npmrc before modifications
+ */
+export declare function backupNpmrc(npmrcPath?: string): Promise<string>;
+/**
+ * Read and parse .npmrc file
+ */
+export declare function readNpmrc(npmrcPath?: string): Promise<Map<string, string>>;
+/**
+ * Add or update registry entries with authentication tokens
+ */
+export declare function addRegistries(registries: Array<{
+    scope: string;
+    url: string;
+}>, tokenMap?: Map<string, string>, npmrcPath?: string): Promise<void>;
+/**
+ * Restore from backup
+ */
+export declare function restoreFromBackup(backupPath: string, npmrcPath?: string): Promise<void>;

package/dist/npmrc/manager.js

@@ -0,0 +1,142 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.backupNpmrc = backupNpmrc;
+exports.readNpmrc = readNpmrc;
+exports.addRegistries = addRegistries;
+exports.restoreFromBackup = restoreFromBackup;
+const promises_1 = __importDefault(require("fs/promises"));
+const path_1 = __importDefault(require("path"));
+const os_1 = __importDefault(require("os"));
+const ora_1 = __importDefault(require("ora"));
+/**
+ * Backup existing .npmrc before modifications
+ */
+async function backupNpmrc(npmrcPath) {
+    const resolvedPath = npmrcPath || path_1.default.join(os_1.default.homedir(), '.npmrc');
+    const spinner = (0, ora_1.default)('Backing up existing .npmrc...').start();
+    try {
+        try {
+            await promises_1.default.access(resolvedPath);
+        }
+        catch {
+            spinner.succeed('No existing .npmrc to backup');
+            return '';
+        }
+        const content = await promises_1.default.readFile(resolvedPath, 'utf-8');
+        const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
+        const backupPath = `${resolvedPath}.backup.${timestamp}`;
+        await promises_1.default.writeFile(backupPath, content, 'utf-8');
+        spinner.succeed(`Backed up to ${backupPath}`);
+        return backupPath;
+    }
+    catch (error) {
+        spinner.fail('Backup failed');
+        throw new Error(`Failed to backup .npmrc: ${error instanceof Error ? error.message : String(error)}`);
+    }
+}
+/**
+ * Read and parse .npmrc file
+ */
+async function readNpmrc(npmrcPath) {
+    const resolvedPath = npmrcPath || path_1.default.join(os_1.default.homedir(), '.npmrc');
+    try {
+        try {
+            await promises_1.default.access(resolvedPath);
+        }
+        catch {
+            return new Map();
+        }
+        const content = await promises_1.default.readFile(resolvedPath, 'utf-8');
+        return parseNpmrc(content);
+    }
+    catch (error) {
+        throw new Error(`Failed to read .npmrc: ${error instanceof Error ? error.message : String(error)}`);
+    }
+}
+/**
+ * Parse .npmrc content into key-value map, preserving non-registry entries
+ */
+function parseNpmrc(content) {
+    const lines = content.split('\n');
+    const entries = new Map();
+    for (const line of lines) {
+        const trimmed = line.trim();
+        // Skip empty lines and comments
+        if (!trimmed || trimmed.startsWith(';') || trimmed.startsWith('#')) {
+            continue;
+        }
+        const [key, ...valueParts] = trimmed.split('=');
+        if (key && valueParts.length > 0) {
+            entries.set(key.trim(), valueParts.join('=').trim());
+        }
+    }
+    return entries;
+}
+/**
+ * Add or update registry entries with authentication tokens
+ */
+async function addRegistries(registries, tokenMap, npmrcPath) {
+    const spinner = (0, ora_1.default)('Adding registry entries...').start();
+    try {
+        const entries = await readNpmrc(npmrcPath);
+        // Add registry entries
+        for (const registry of registries) {
+            const key = `${registry.scope}:registry`;
+            entries.set(key, registry.url);
+            // Set auth token if available
+            const authKey = `//${registry.url.replace(/https?:\/\//, '')}/:_authToken`;
+            const token = tokenMap?.get(registry.url);
+            if (token) {
+                // Write actual token
+                entries.set(authKey, token);
+            }
+            else if (!entries.has(authKey)) {
+                // No token provided and no existing token - set placeholder
+                entries.set(authKey, '${NPM_TOKEN}');
+            }
+            // If token exists already and no new token, preserve existing
+        }
+        await writeNpmrc(entries, npmrcPath);
+        spinner.succeed('Registry entries added');
+    }
+    catch (error) {
+        spinner.fail('Failed to add registry entries');
+        throw error;
+    }
+}
+/**
+ * Write entries back to .npmrc file
+ */
+function writeNpmrc(entries, npmrcPath) {
+    const resolvedPath = npmrcPath || path_1.default.join(os_1.default.homedir(), '.npmrc');
+    const lines = [];
+    // Add comment header
+    lines.push('# Configured by @sanlam-fintech-digital/mfe-platform-cli');
+    lines.push(`# Generated at ${new Date().toISOString()}`);
+    lines.push('');
+    // Add entries
+    for (const [key, value] of entries) {
+        lines.push(`${key}=${value}`);
+    }
+    const content = lines.join('\n') + '\n';
+    return promises_1.default.writeFile(resolvedPath, content, 'utf-8');
+}
+/**
+ * Restore from backup
+ */
+async function restoreFromBackup(backupPath, npmrcPath) {
+    const resolvedPath = npmrcPath || path_1.default.join(os_1.default.homedir(), '.npmrc');
+    const spinner = (0, ora_1.default)('Restoring from backup...').start();
+    try {
+        const content = await promises_1.default.readFile(backupPath, 'utf-8');
+        await promises_1.default.writeFile(resolvedPath, content, 'utf-8');
+        spinner.succeed('Restored from backup');
+    }
+    catch (error) {
+        spinner.fail('Restore failed');
+        throw new Error(`Failed to restore from backup: ${error instanceof Error ? error.message : String(error)}`);
+    }
+}

package/dist/nuget/manager.d.ts

@@ -0,0 +1,40 @@
+/**
+ * NuGet configuration structure
+ */
+interface NuGetConfig {
+    configuration: {
+        packageSources?: {
+            add?: Array<{
+                '@_key': string;
+                '@_value': string;
+            }>;
+        };
+        packageSourceCredentials?: Record<string, {
+            add?: Array<{
+                '@_key': string;
+                '@_value': string;
+            }>;
+        }>;
+        [key: string]: any;
+    };
+}
+/**
+ * Backup existing NuGet.config
+ */
+export declare function backupNugetConfig(configPath?: string): Promise<string>;
+/**
+ * Read and parse NuGet.config
+ */
+export declare function readNugetConfig(configPath?: string): Promise<NuGetConfig>;
+/**
+ * Add or update NuGet feeds
+ */
+export declare function addNuGetFeeds(feeds: Array<{
+    scope: string;
+    url: string;
+}>, tokenMap?: Map<string, string>, configPath?: string): Promise<void>;
+/**
+ * Restore from backup
+ */
+export declare function restoreNugetFromBackup(backupPath: string, configPath?: string): Promise<void>;
+export {};

package/dist/nuget/manager.js

@@ -0,0 +1,145 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.backupNugetConfig = backupNugetConfig;
+exports.readNugetConfig = readNugetConfig;
+exports.addNuGetFeeds = addNuGetFeeds;
+exports.restoreNugetFromBackup = restoreNugetFromBackup;
+const promises_1 = __importDefault(require("fs/promises"));
+const path_1 = __importDefault(require("path"));
+const os_1 = __importDefault(require("os"));
+const chalk_1 = __importDefault(require("chalk"));
+const fast_xml_parser_1 = require("fast-xml-parser");
+/**
+ * Get platform-specific NuGet config path
+ */
+function getNugetConfigPath(configPath) {
+    if (configPath)
+        return configPath;
+    const platform = process.platform;
+    if (platform === 'win32') {
+        const appData = process.env.APPDATA || path_1.default.join(os_1.default.homedir(), 'AppData', 'Roaming');
+        return path_1.default.join(appData, 'NuGet', 'NuGet.Config');
+    }
+    else {
+        return path_1.default.join(os_1.default.homedir(), '.config', 'NuGet', 'NuGet.Config');
+    }
+}
+/**
+ * Backup existing NuGet.config
+ */
+async function backupNugetConfig(configPath) {
+    const nugetPath = getNugetConfigPath(configPath);
+    const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
+    const backupPath = `${nugetPath}.backup.${timestamp}`;
+    try {
+        await promises_1.default.access(nugetPath);
+        await promises_1.default.copyFile(nugetPath, backupPath);
+        console.log(chalk_1.default.gray(`Backed up: ${backupPath}`));
+        return backupPath;
+    }
+    catch {
+        // File doesn't exist, no backup needed
+        return '';
+    }
+}
+/**
+ * Read and parse NuGet.config
+ */
+async function readNugetConfig(configPath) {
+    const nugetPath = getNugetConfigPath(configPath);
+    try {
+        const content = await promises_1.default.readFile(nugetPath, 'utf-8');
+        const parser = new fast_xml_parser_1.XMLParser({
+            ignoreAttributes: false,
+            attributeNamePrefix: '@_',
+        });
+        return parser.parse(content);
+    }
+    catch {
+        // Return default structure if file doesn't exist
+        return {
+            configuration: {
+                packageSources: { add: [] },
+                packageSourceCredentials: {},
+            }
+        };
+    }
+}
+/**
+ * Add or update NuGet feeds
+ */
+async function addNuGetFeeds(feeds, tokenMap, configPath) {
+    const config = await readNugetConfig(configPath);
+    // Ensure structure exists
+    if (!config.configuration.packageSources) {
+        config.configuration.packageSources = { add: [] };
+    }
+    if (!config.configuration.packageSources.add) {
+        config.configuration.packageSources.add = [];
+    }
+    if (!config.configuration.packageSourceCredentials) {
+        config.configuration.packageSourceCredentials = {};
+    }
+    // Normalize 'add' to always be an array (XML parser may return object for single item)
+    let sources = config.configuration.packageSources.add;
+    if (!Array.isArray(sources)) {
+        sources = sources ? [sources] : [];
+        config.configuration.packageSources.add = sources;
+    }
+    const credentials = config.configuration.packageSourceCredentials;
+    for (const feed of feeds) {
+        const sourceName = feed.scope;
+        // Add or update package source
+        const existingSourceIndex = sources.findIndex(s => s['@_key'] === sourceName);
+        if (existingSourceIndex >= 0) {
+            sources[existingSourceIndex]['@_value'] = feed.url;
+        }
+        else {
+            sources.push({ '@_key': sourceName, '@_value': feed.url });
+        }
+        // Add credentials if token provided
+        const token = tokenMap?.get(feed.url);
+        if (token) {
+            // Normalize credential key (replace invalid XML chars)
+            const credKey = sourceName.replace(/[^a-zA-Z0-9_]/g, '_');
+            credentials[credKey] = {
+                add: [
+                    { '@_key': 'Username', '@_value': 'PersonalAccessToken' },
+                    { '@_key': 'ClearTextPassword', '@_value': token }
+                ]
+            };
+        }
+    }
+    await writeNugetConfig(config, configPath);
+}
+/**
+ * Write NuGet.config
+ */
+async function writeNugetConfig(config, configPath) {
+    const nugetPath = getNugetConfigPath(configPath);
+    const dir = path_1.default.dirname(nugetPath);
+    // Ensure directory exists
+    await promises_1.default.mkdir(dir, { recursive: true });
+    const builder = new fast_xml_parser_1.XMLBuilder({
+        ignoreAttributes: false,
+        attributeNamePrefix: '@_',
+        format: true,
+        indentBy: '  ',
+    });
+    let xml = builder.build(config);
+    // Only add XML declaration if not already present
+    if (!xml.startsWith('<?xml')) {
+        xml = '<?xml version="1.0" encoding="utf-8"?>\n' + xml;
+    }
+    await promises_1.default.writeFile(nugetPath, xml, 'utf-8');
+}
+/**
+ * Restore from backup
+ */
+async function restoreNugetFromBackup(backupPath, configPath) {
+    const nugetPath = getNugetConfigPath(configPath);
+    await promises_1.default.copyFile(backupPath, nugetPath);
+}

package/dist/types/config.d.ts

@@ -0,0 +1,150 @@
+import { z } from 'zod';
+/**
+ * Package feed type
+ */
+declare const FeedTypeSchema: z.ZodDefault<z.ZodEnum<{
+    npm: "npm";
+    nuget: "nuget";
+}>>;
+export type FeedType = z.infer<typeof FeedTypeSchema>;
+/**
+ * Individual registry entry (npm or NuGet feed)
+ */
+declare const RegistryEntrySchema: z.ZodObject<{
+    scope: z.ZodString;
+    url: z.ZodURL;
+    feedType: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
+        npm: "npm";
+        nuget: "nuget";
+    }>>>;
+}, z.core.$strip>;
+/**
+ * Auth group - discriminated union of provider-specific schemas
+ */
+declare const AuthGroupSchema: z.ZodUnion<readonly [z.ZodObject<{
+    provider: z.ZodLiteral<"azure-devops">;
+    clientId: z.ZodString;
+    tenantId: z.ZodString;
+    registries: z.ZodArray<z.ZodObject<{
+        scope: z.ZodString;
+        url: z.ZodURL;
+        feedType: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
+            npm: "npm";
+            nuget: "nuget";
+        }>>>;
+    }, z.core.$strip>>;
+    redirectUri: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>, z.ZodObject<{
+    provider: z.ZodLiteral<"github">;
+    clientId: z.ZodString;
+    tenantId: z.ZodOptional<z.ZodNever>;
+    registries: z.ZodArray<z.ZodObject<{
+        scope: z.ZodString;
+        url: z.ZodURL;
+        feedType: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
+            npm: "npm";
+            nuget: "nuget";
+        }>>>;
+    }, z.core.$strip>>;
+}, z.core.$strip>]>;
+/**
+ * Configuration schema for npm registries
+ * Loaded from URL or local file
+ */
+export declare const RegistryConfigSchema: z.ZodObject<{
+    authGroups: z.ZodOptional<z.ZodArray<z.ZodUnion<readonly [z.ZodObject<{
+        provider: z.ZodLiteral<"azure-devops">;
+        clientId: z.ZodString;
+        tenantId: z.ZodString;
+        registries: z.ZodArray<z.ZodObject<{
+            scope: z.ZodString;
+            url: z.ZodURL;
+            feedType: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
+                npm: "npm";
+                nuget: "nuget";
+            }>>>;
+        }, z.core.$strip>>;
+        redirectUri: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>, z.ZodObject<{
+        provider: z.ZodLiteral<"github">;
+        clientId: z.ZodString;
+        tenantId: z.ZodOptional<z.ZodNever>;
+        registries: z.ZodArray<z.ZodObject<{
+            scope: z.ZodString;
+            url: z.ZodURL;
+            feedType: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
+                npm: "npm";
+                nuget: "nuget";
+            }>>>;
+        }, z.core.$strip>>;
+    }, z.core.$strip>]>>>;
+    registries: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        scope: z.ZodString;
+        url: z.ZodURL;
+        feedType: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
+            npm: "npm";
+            nuget: "nuget";
+        }>>>;
+    }, z.core.$strip>>>;
+}, z.core.$strip>;
+export type RegistryConfig = z.infer<typeof RegistryConfigSchema>;
+export type AuthGroup = z.infer<typeof AuthGroupSchema>;
+export type Registry = z.infer<typeof RegistryEntrySchema>;
+/**
+ * Configuration source tracking
+ */
+export interface ConfigSource {
+    source: string;
+    timestamp: number;
+    type: 'url' | 'file';
+    authOptions?: ConfigAuthOptions;
+}
+/**
+ * Config URL authentication options
+ */
+export interface ConfigAuthOptions {
+    authEndpoint: string;
+    tokenEndpoint?: string;
+    clientId: string;
+    tokenKind?: 'access' | 'id';
+    scope?: string;
+    redirectUri?: string;
+}
+/**
+ * Init command options
+ */
+export interface InitOptions {
+    config: string;
+    configAuthEndpoint?: string;
+    configTokenEndpoint?: string;
+    configClientId?: string;
+    configTokenKind?: 'access' | 'id';
+    configAuthScope?: string;
+    configRedirectUri?: string;
+    interactive?: boolean;
+    force?: boolean;
+    dryRun?: boolean;
+}
+/**
+ * Update command options
+ */
+export interface UpdateOptions {
+    config?: string;
+    configAuthEndpoint?: string;
+    configTokenEndpoint?: string;
+    configClientId?: string;
+    configTokenKind?: 'access' | 'id';
+    configAuthScope?: string;
+    configRedirectUri?: string;
+    dryRun?: boolean;
+}
+/**
+ * Authentication result
+ */
+export interface AuthResult {
+    scope: string;
+    authenticated: boolean;
+    method: 'oauth' | 'token';
+    error?: string;
+}
+export {};

package/dist/types/config.js

@@ -0,0 +1,63 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RegistryConfigSchema = void 0;
+const zod_1 = require("zod");
+/**
+ * Package feed type
+ */
+const FeedTypeSchema = zod_1.z.enum(['npm', 'nuget']).default('npm');
+/**
+ * Individual registry entry (npm or NuGet feed)
+ */
+const RegistryEntrySchema = zod_1.z.object({
+    scope: zod_1.z.string().describe('npm scope (e.g., "@org/package") or NuGet source name'),
+    url: zod_1.z.url().describe('Registry/Feed URL (Azure DevOps, GitHub, or public)'),
+    feedType: FeedTypeSchema.optional().describe('Package feed type (defaults to npm for backward compatibility)'),
+});
+/**
+ * Azure DevOps auth group (requires tenantId)
+ */
+const AzureDevOpsAuthGroupSchema = zod_1.z.object({
+    provider: zod_1.z.literal('azure-devops').describe('Registry provider type'),
+    clientId: zod_1.z.string().describe('OAuth client ID for PKCE authentication'),
+    tenantId: zod_1.z.string().describe('Azure AD tenant ID (required for azure-devops)'),
+    registries: zod_1.z.array(RegistryEntrySchema).min(1).describe('Registries sharing this authentication'),
+    redirectUri: zod_1.z.string().optional().describe('Custom redirect URI for PKCE auth (relay support)'),
+});
+/**
+ * GitHub auth group (no tenantId required)
+ * Note: redirectUri is intentionally omitted because GitHub uses OAuth device flow,
+ * which does not require redirect URIs (it uses device codes instead).
+ */
+const GitHubAuthGroupSchema = zod_1.z.object({
+    provider: zod_1.z.literal('github').describe('Registry provider type'),
+    clientId: zod_1.z.string().describe('OAuth client ID for device flow authentication'),
+    tenantId: zod_1.z.never().optional().describe('Not used for GitHub'),
+    registries: zod_1.z.array(RegistryEntrySchema).min(1).describe('Registries sharing this authentication'),
+});
+/**
+ * Auth group - discriminated union of provider-specific schemas
+ */
+const AuthGroupSchema = zod_1.z.union([AzureDevOpsAuthGroupSchema, GitHubAuthGroupSchema]);
+/**
+ * Configuration schema for npm registries
+ * Loaded from URL or local file
+ */
+exports.RegistryConfigSchema = zod_1.z.object({
+    authGroups: zod_1.z.array(AuthGroupSchema).optional().describe('Registries requiring authentication'),
+    registries: zod_1.z.array(RegistryEntrySchema).optional().describe('Public registries without authentication'),
+}).refine((data) => {
+    if (!data.authGroups)
+        return true;
+    // GitHub npm feeds: still limited to one auth group (single token for npm.pkg.github.com)
+    const githubGroups = data.authGroups.filter(group => group.provider === 'github');
+    if (githubGroups.length > 1) {
+        const hasNpmFeeds = githubGroups.some(group => group.registries.some(r => (r.feedType || 'npm') === 'npm'));
+        if (hasNpmFeeds) {
+            return false;
+        }
+    }
+    return true;
+}, {
+    message: 'Only one GitHub auth group is allowed for npm feeds (GitHub uses a single token for npm.pkg.github.com). NuGet feeds can use separate groups.',
+});