npm - @saptools/sharepoint-excel - Versions diffs - 0.1.0 - Mend

@saptools/sharepoint-excel 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/cli.js ADDED Viewed

@@ -0,0 +1,1365 @@
+#!/usr/bin/env node
+// src/cli/index.ts
+import process6 from "process";
+import { Command } from "commander";
+// src/cli/commands.ts
+import process5 from "process";
+// src/config/resolve.ts
+import process3 from "process";
+// src/credentials/profile-store.ts
+import { chmod, mkdir, readFile, writeFile } from "fs/promises";
+import { dirname } from "path";
+// src/config/paths.ts
+import { homedir } from "os";
+import { join } from "path";
+import process from "process";
+// src/types.ts
+var DEFAULT_PROFILE_NAME = "default";
+var DEFAULT_AUTH_BASE = "https://login.microsoftonline.com";
+var DEFAULT_GRAPH_BASE = "https://graph.microsoft.com/v1.0";
+var ENV_TENANT = "SHAREPOINT_EXCEL_TENANT_ID";
+var ENV_CLIENT_ID = "SHAREPOINT_EXCEL_CLIENT_ID";
+var ENV_CLIENT_SECRET = "SHAREPOINT_EXCEL_CLIENT_SECRET";
+var ENV_SITE = "SHAREPOINT_EXCEL_SITE";
+var ENV_DRIVE = "SHAREPOINT_EXCEL_DRIVE";
+var ENV_PROFILE = "SHAREPOINT_EXCEL_PROFILE";
+var ENV_AUTH_BASE = "SHAREPOINT_EXCEL_AUTH_BASE";
+var ENV_GRAPH_BASE = "SHAREPOINT_EXCEL_GRAPH_BASE";
+var ENV_HOME = "SAPTOOLS_SHAREPOINT_EXCEL_HOME";
+var ENV_ALLOW_PLAINTEXT = "SAPTOOLS_SHAREPOINT_EXCEL_ALLOW_PLAINTEXT";
+var FALLBACK_ENV_TENANT = "SHAREPOINT_TENANT_ID";
+var FALLBACK_ENV_CLIENT_ID = "SHAREPOINT_CLIENT_ID";
+var FALLBACK_ENV_CLIENT_SECRET = "SHAREPOINT_CLIENT_SECRET";
+var FALLBACK_ENV_SITE = "SHAREPOINT_SITE";
+var FALLBACK_ENV_DRIVE = "SHAREPOINT_DRIVE";
+// src/config/paths.ts
+var SAPTOOLS_DIR_NAME = ".saptools";
+var PACKAGE_DIR_NAME = "sharepoint-excel";
+var PROFILES_FILENAME = "profiles.json";
+var FILE_SECRETS_FILENAME = "secrets.json";
+function packageDataDir(env = process.env) {
+  const override = env[ENV_HOME];
+  if (override !== void 0 && override.length > 0) {
+    return override;
+  }
+  return join(homedir(), SAPTOOLS_DIR_NAME, PACKAGE_DIR_NAME);
+}
+function profilesPath(env = process.env) {
+  return join(packageDataDir(env), PROFILES_FILENAME);
+}
+function fileSecretsPath(env = process.env) {
+  return join(packageDataDir(env), FILE_SECRETS_FILENAME);
+}
+// src/credentials/profile-store.ts
+var PROFILE_FILE_MODE = 384;
+var EMPTY_PROFILE_FILE = { version: 1, profiles: [] };
+function isMissingFileError(err) {
+  return err instanceof Error && "code" in err && err.code === "ENOENT";
+}
+function isSecretStoreKind(value) {
+  return value === "keyring" || value === "file";
+}
+function toStoredProfile(value) {
+  if (typeof value !== "object" || value === null) {
+    return void 0;
+  }
+  const raw = value;
+  const name = raw["name"];
+  const tenantId = raw["tenantId"];
+  const clientId = raw["clientId"];
+  const site = raw["site"];
+  const drive = raw["drive"];
+  const secretStore = raw["secretStore"];
+  const updatedAt = raw["updatedAt"];
+  if (typeof name !== "string" || typeof tenantId !== "string" || typeof clientId !== "string" || typeof site !== "string" || typeof updatedAt !== "string" || !isSecretStoreKind(secretStore)) {
+    return void 0;
+  }
+  return {
+    name,
+    tenantId,
+    clientId,
+    site,
+    ...typeof drive === "string" ? { drive } : {},
+    secretStore,
+    updatedAt
+  };
+}
+function isStoredProfile(value) {
+  return value !== void 0;
+}
+async function readProfileFile(path) {
+  try {
+    const raw = await readFile(path, "utf8");
+    const parsed = JSON.parse(raw);
+    if (parsed.version !== 1 || !Array.isArray(parsed.profiles)) {
+      return EMPTY_PROFILE_FILE;
+    }
+    return { version: 1, profiles: parsed.profiles.map(toStoredProfile).filter(isStoredProfile) };
+  } catch (err) {
+    if (isMissingFileError(err)) {
+      return EMPTY_PROFILE_FILE;
+    }
+    throw err;
+  }
+}
+async function writeProfileFile(path, value) {
+  await mkdir(dirname(path), { recursive: true });
+  await writeFile(path, `${JSON.stringify(value, null, 2)}
+`, {
+    encoding: "utf8",
+    mode: PROFILE_FILE_MODE
+  });
+  await chmod(path, PROFILE_FILE_MODE);
+}
+function createProfileStore(path = profilesPath()) {
+  return {
+    async readProfiles() {
+      return (await readProfileFile(path)).profiles;
+    },
+    async writeProfiles(profiles) {
+      await writeProfileFile(path, { version: 1, profiles });
+    }
+  };
+}
+function findProfile(profiles, name = DEFAULT_PROFILE_NAME) {
+  return profiles.find((profile) => profile.name === name);
+}
+async function upsertProfile(store, vault, input) {
+  const name = input.name ?? DEFAULT_PROFILE_NAME;
+  const stored = {
+    name,
+    tenantId: input.tenantId,
+    clientId: input.clientId,
+    site: input.site,
+    ...input.drive === void 0 || input.drive.length === 0 ? {} : { drive: input.drive },
+    secretStore: input.secretStore,
+    updatedAt: (input.updatedAt ?? /* @__PURE__ */ new Date()).toISOString()
+  };
+  const profiles = await store.readProfiles();
+  const nextProfiles = profiles.some((profile) => profile.name === name) ? profiles.map((profile) => profile.name === name ? stored : profile) : [...profiles, stored];
+  await vault.setSecret(name, input.clientSecret);
+  await store.writeProfiles(nextProfiles);
+  return stored;
+}
+async function removeProfile(store, vault, name = DEFAULT_PROFILE_NAME) {
+  const profiles = await store.readProfiles();
+  const nextProfiles = profiles.filter((profile) => profile.name !== name);
+  await vault.deleteSecret(name);
+  if (nextProfiles.length === profiles.length) {
+    return false;
+  }
+  await store.writeProfiles(nextProfiles);
+  return true;
+}
+async function redactProfile(profile, vault) {
+  const secret = await vault.getSecret(profile.name);
+  return {
+    ...profile,
+    clientId: `${profile.clientId.slice(0, 4)}...${profile.clientId.slice(-4)}`,
+    hasClientSecret: secret !== void 0
+  };
+}
+// src/credentials/secret-vault.ts
+import { chmod as chmod2, mkdir as mkdir2, readFile as readFile2, writeFile as writeFile2 } from "fs/promises";
+import { dirname as dirname2 } from "path";
+import { Entry } from "@napi-rs/keyring";
+var SERVICE_NAME = "saptools-sharepoint-excel";
+var SECRET_FILE_MODE = 384;
+var EMPTY_SECRET_FILE = { version: 1, entries: {} };
+function isMissingFileError2(err) {
+  return err instanceof Error && "code" in err && err.code === "ENOENT";
+}
+async function readSecretFile(path) {
+  try {
+    const raw = await readFile2(path, "utf8");
+    const parsed = JSON.parse(raw);
+    if (parsed.version !== 1 || typeof parsed.entries !== "object" || parsed.entries === null) {
+      return EMPTY_SECRET_FILE;
+    }
+    const entries = {};
+    for (const [key, value] of Object.entries(parsed.entries)) {
+      if (typeof value === "string") {
+        entries[key] = value;
+      }
+    }
+    return { version: 1, entries };
+  } catch (err) {
+    if (isMissingFileError2(err)) {
+      return EMPTY_SECRET_FILE;
+    }
+    throw err;
+  }
+}
+async function writeSecretFile(path, value) {
+  await mkdir2(dirname2(path), { recursive: true });
+  await writeFile2(path, `${JSON.stringify(value, null, 2)}
+`, {
+    encoding: "utf8",
+    mode: SECRET_FILE_MODE
+  });
+  await chmod2(path, SECRET_FILE_MODE);
+}
+function createKeyringSecretVault(serviceName = SERVICE_NAME) {
+  return {
+    getSecret(profileName) {
+      const password = new Entry(serviceName, profileName).getPassword();
+      return Promise.resolve(password === null || password.length === 0 ? void 0 : password);
+    },
+    setSecret(profileName, secret) {
+      new Entry(serviceName, profileName).setPassword(secret);
+      return Promise.resolve();
+    },
+    deleteSecret(profileName) {
+      try {
+        new Entry(serviceName, profileName).deletePassword();
+      } catch (err) {
+        if (err instanceof Error && /not found|no entry|missing/i.test(err.message)) {
+          return Promise.resolve();
+        }
+        return Promise.reject(err instanceof Error ? err : new Error(String(err)));
+      }
+      return Promise.resolve();
+    }
+  };
+}
+function createFileSecretVault(path = fileSecretsPath()) {
+  return {
+    async getSecret(profileName) {
+      const file = await readSecretFile(path);
+      return file.entries[profileName];
+    },
+    async setSecret(profileName, secret) {
+      const file = await readSecretFile(path);
+      await writeSecretFile(path, {
+        version: 1,
+        entries: { ...file.entries, [profileName]: secret }
+      });
+    },
+    async deleteSecret(profileName) {
+      const file = await readSecretFile(path);
+      const remaining = Object.fromEntries(
+        Object.entries(file.entries).filter(([entryName]) => entryName !== profileName)
+      );
+      await writeSecretFile(path, { version: 1, entries: remaining });
+    }
+  };
+}
+// src/graph/client.ts
+import process2 from "process";
+var RETRYABLE_STATUSES = /* @__PURE__ */ new Set([429, 503]);
+var DEFAULT_MAX_RETRIES = 2;
+var DEFAULT_BASE_DELAY_MS = 500;
+function defaultSleep(ms) {
+  return new Promise((resolve) => {
+    setTimeout(resolve, ms);
+  });
+}
+function parseRetryAfter(header) {
+  if (header === null || header.length === 0) {
+    return void 0;
+  }
+  const seconds = Number.parseFloat(header);
+  if (Number.isFinite(seconds) && seconds >= 0) {
+    return Math.ceil(seconds * 1e3);
+  }
+  const dateMs = Date.parse(header);
+  return Number.isNaN(dateMs) ? void 0 : Math.max(0, dateMs - Date.now());
+}
+function resolveBaseUrl(options) {
+  if (options.baseUrl !== void 0 && options.baseUrl.length > 0) {
+    return options.baseUrl.replace(/\/+$/, "");
+  }
+  const fromEnv = (options.env ?? process2.env)[ENV_GRAPH_BASE];
+  return fromEnv === void 0 || fromEnv.length === 0 ? DEFAULT_GRAPH_BASE : fromEnv.replace(/\/+$/, "");
+}
+function resolveUrl(base, path) {
+  if (/^https?:\/\//i.test(path)) {
+    return path;
+  }
+  return `${base}${path.startsWith("/") ? path : `/${path}`}`;
+}
+var GraphHttpError = class extends Error {
+  status;
+  code;
+  detail;
+  constructor(status, code, detail) {
+    super(
+      `Microsoft Graph request failed (${status.toString()}${code === void 0 ? "" : ` ${code}`}): ${detail}`
+    );
+    this.name = "GraphHttpError";
+    this.status = status;
+    this.code = code;
+    this.detail = detail;
+  }
+};
+async function extractErrorDetail(response) {
+  const text = await response.text().catch(() => "");
+  if (text.length === 0) {
+    return { code: void 0, detail: response.statusText };
+  }
+  try {
+    const body = JSON.parse(text);
+    const code = typeof body.error?.code === "string" ? body.error.code : void 0;
+    const detail = typeof body.error?.message === "string" && body.error.message.length > 0 ? body.error.message : response.statusText;
+    return { code, detail };
+  } catch {
+    return { code: void 0, detail: text };
+  }
+}
+function buildInit(accessToken, options) {
+  const headers = {
+    Authorization: `Bearer ${accessToken}`,
+    Accept: "application/json",
+    ...options.headers
+  };
+  const init = { method: options.method ?? "GET", headers };
+  if (options.rawBody !== void 0) {
+    init.body = rawBodyToBodyInit(options.rawBody);
+    return init;
+  }
+  if (options.body !== void 0) {
+    headers["Content-Type"] = headers["Content-Type"] ?? "application/json";
+    init.body = typeof options.body === "string" ? options.body : JSON.stringify(options.body);
+  }
+  return init;
+}
+function rawBodyToBodyInit(rawBody) {
+  if (typeof rawBody === "string") {
+    return rawBody;
+  }
+  const copy = new ArrayBuffer(rawBody.byteLength);
+  new Uint8Array(copy).set(rawBody);
+  return copy;
+}
+async function discardBody(response) {
+  if (response.body === null) {
+    return;
+  }
+  await response.body.cancel().catch(() => {
+  });
+}
+function createGraphClient(options) {
+  const baseUrl = resolveBaseUrl(options);
+  const fetchFn = options.fetchFn ?? fetch;
+  const maxRetries = options.retry?.maxRetries ?? DEFAULT_MAX_RETRIES;
+  const baseDelayMs = options.retry?.baseDelayMs ?? DEFAULT_BASE_DELAY_MS;
+  const sleepFn = options.retry?.sleepFn ?? defaultSleep;
+  async function execute(path, requestOptions) {
+    const url = resolveUrl(baseUrl, path);
+    const init = buildInit(options.accessToken, requestOptions);
+    let attempt = 0;
+    let response = await fetchFn(url, init);
+    while (!response.ok && RETRYABLE_STATUSES.has(response.status) && attempt < maxRetries) {
+      const retryAfterMs = parseRetryAfter(response.headers.get("retry-after")) ?? baseDelayMs * 2 ** attempt;
+      await discardBody(response);
+      await sleepFn(retryAfterMs);
+      attempt += 1;
+      response = await fetchFn(url, init);
+    }
+    if (!response.ok) {
+      const { code, detail } = await extractErrorDetail(response);
+      throw new GraphHttpError(response.status, code, detail);
+    }
+    return response;
+  }
+  async function requestJson(path, requestOptions = {}) {
+    const response = await execute(path, requestOptions);
+    if (response.status === 204) {
+      return void 0;
+    }
+    const contentType = response.headers.get("content-type")?.toLowerCase() ?? "";
+    if (!contentType.includes("application/json")) {
+      return void 0;
+    }
+    return await response.json();
+  }
+  async function requestBytes(path, requestOptions = {}) {
+    const response = await execute(path, requestOptions);
+    return new Uint8Array(await response.arrayBuffer());
+  }
+  async function requestNoContent(path, requestOptions = {}) {
+    await execute(path, requestOptions);
+  }
+  return { baseUrl, requestJson, requestBytes, requestNoContent };
+}
+// src/graph/site.ts
+function asString(value, fallback = "") {
+  return typeof value === "string" ? value : fallback;
+}
+function stripQueryAndHash(value) {
+  const markerIndex = value.search(/[?#]/);
+  return markerIndex === -1 ? value : value.slice(0, markerIndex);
+}
+function decodeSitePath(sitePath, input) {
+  return sitePath.split("/").map((segment) => {
+    try {
+      return decodeURIComponent(segment);
+    } catch (err) {
+      throw new Error(`Invalid site reference "${input}". Site path has invalid encoding`, {
+        cause: err
+      });
+    }
+  }).join("/");
+}
+function parseSiteInput(trimmed) {
+  if (/^https?:\/\//i.test(trimmed)) {
+    const url = new URL(trimmed);
+    return { hostname: url.hostname, rawPath: url.pathname };
+  }
+  const withoutQuery = stripQueryAndHash(trimmed);
+  const firstSlash = withoutQuery.indexOf("/");
+  if (firstSlash === -1) {
+    throw new Error(`Invalid site reference "${trimmed}". Expected host/sites/<name> or full URL`);
+  }
+  return { hostname: withoutQuery.slice(0, firstSlash), rawPath: withoutQuery.slice(firstSlash + 1) };
+}
+function parseSiteRef(input) {
+  const trimmed = input.trim();
+  if (trimmed.length === 0) {
+    throw new Error("Site reference is empty");
+  }
+  const { hostname, rawPath } = parseSiteInput(trimmed);
+  const sitePath = decodeSitePath(rawPath.replace(/^\/+|\/+$/g, ""), trimmed);
+  if (hostname.length === 0 || sitePath.length === 0) {
+    throw new Error(`Invalid site reference "${trimmed}". Missing hostname or site path`);
+  }
+  return { hostname, sitePath };
+}
+function encodeSitePath(sitePath) {
+  return sitePath.split("/").map((segment) => encodeURIComponent(segment)).join("/");
+}
+async function resolveSite(client, ref) {
+  const path = `/sites/${encodeURIComponent(ref.hostname)}:/${encodeSitePath(ref.sitePath)}`;
+  let raw;
+  try {
+    raw = await client.requestJson(path);
+  } catch (err) {
+    if (err instanceof GraphHttpError && err.status === 404) {
+      throw new Error(`SharePoint site not found at ${ref.hostname}/${ref.sitePath}`, {
+        cause: err
+      });
+    }
+    throw err;
+  }
+  const id = asString(raw.id);
+  if (id.length === 0) {
+    throw new Error(`Site response missing id for ${ref.hostname}/${ref.sitePath}`);
+  }
+  return {
+    id,
+    name: asString(raw.name, ref.sitePath),
+    displayName: asString(raw.displayName, asString(raw.name, ref.sitePath)),
+    webUrl: asString(raw.webUrl)
+  };
+}
+// src/config/resolve.ts
+function pickEnv(env, primary, fallback) {
+  const value = env[primary] ?? env[fallback];
+  return value === void 0 || value.length === 0 ? void 0 : value;
+}
+function pickValue(override, envValue, profileValue) {
+  if (override !== void 0 && override.length > 0) {
+    return override;
+  }
+  return envValue ?? profileValue;
+}
+function vaultForProfile(profile, options) {
+  if (profile?.secretStore === "file") {
+    return options.fileVault ?? createFileSecretVault();
+  }
+  return options.keyringVault ?? createKeyringSecretVault();
+}
+async function resolveClientSecret(override, envValue, profile, options) {
+  if (override !== void 0 && override.length > 0) {
+    return override;
+  }
+  if (envValue !== void 0) {
+    return envValue;
+  }
+  return profile === void 0 ? void 0 : await vaultForProfile(profile, options).getSecret(profile.name);
+}
+function requireValue(value, humanName) {
+  if (value === void 0 || value.length === 0) {
+    throw new Error(`${humanName} is required (pass a flag, set env, or run config set)`);
+  }
+  return value;
+}
+async function resolveRuntime(options = {}) {
+  const env = options.env ?? process3.env;
+  const overrides = options.overrides ?? {};
+  const profileName = overrides.profile ?? env[ENV_PROFILE] ?? DEFAULT_PROFILE_NAME;
+  const store = options.profileStore ?? createProfileStore();
+  const profile = findProfile(await store.readProfiles(), profileName);
+  const tenantId = pickValue(
+    overrides.tenant,
+    pickEnv(env, ENV_TENANT, FALLBACK_ENV_TENANT),
+    profile?.tenantId
+  );
+  const clientId = pickValue(
+    overrides.clientId,
+    pickEnv(env, ENV_CLIENT_ID, FALLBACK_ENV_CLIENT_ID),
+    profile?.clientId
+  );
+  const site = pickValue(overrides.site, pickEnv(env, ENV_SITE, FALLBACK_ENV_SITE), profile?.site);
+  const drive = pickValue(overrides.drive, pickEnv(env, ENV_DRIVE, FALLBACK_ENV_DRIVE), profile?.drive);
+  const clientSecret = await resolveClientSecret(
+    overrides.clientSecret,
+    pickEnv(env, ENV_CLIENT_SECRET, FALLBACK_ENV_CLIENT_SECRET),
+    profile,
+    options
+  );
+  return {
+    target: {
+      credentials: {
+        tenantId: requireValue(tenantId, "Tenant ID"),
+        clientId: requireValue(clientId, "Client ID"),
+        clientSecret: requireValue(clientSecret, "Client secret")
+      },
+      site: parseSiteRef(requireValue(site, "SharePoint site"))
+    },
+    ...drive === void 0 ? {} : { drive },
+    profileName,
+    source: profile === void 0 ? "env" : "profile"
+  };
+}
+function parseSecretStoreKind(value) {
+  if (value === void 0 || value === "keyring") {
+    return "keyring";
+  }
+  if (value === "file") {
+    return "file";
+  }
+  throw new Error(`Invalid secret store "${value}". Expected keyring or file`);
+}
+// src/output/format.ts
+function formatDriveList(drives) {
+  if (drives.length === 0) {
+    return "(no drives found)";
+  }
+  return drives.map((drive) => `- ${drive.name} [${drive.driveType}] (${drive.id})`).join("\n");
+}
+function formatTestResult(site, drives) {
+  return [
+    `Authenticated and resolved site: ${site.displayName} (${site.id})`,
+    `Document libraries: ${drives.length.toString()}`,
+    formatDriveList(drives)
+  ].join("\n");
+}
+function formatProfile(profile) {
+  return [
+    `Profile: ${profile.name}`,
+    `Tenant: ${profile.tenantId}`,
+    `Client: ${profile.clientId}`,
+    `Site: ${profile.site}`,
+    `Drive: ${profile.drive ?? "(first available)"}`,
+    `Secret store: ${profile.secretStore}`,
+    `Client secret: ${profile.hasClientSecret ? "stored" : "missing"}`
+  ].join("\n");
+}
+function formatCreateResult(result) {
+  return `Created ${result.path} in ${result.driveName} (${result.item.id})`;
+}
+function formatMutationResult(action, result) {
+  return `${action} ${result.path} in ${result.driveName}; sheet ${result.mutation.sheetName} now has ${result.mutation.rowCount.toString()} row(s)`;
+}
+function formatWorkbookRead(result) {
+  return formatWorkbookSheets(result.workbook);
+}
+function formatWorkbookSheets(workbook) {
+  return workbook.sheets.map((sheet) => `${sheet.name}: ${sheet.rowCount.toString()} row(s), ${sheet.columnCount.toString()} column(s)`).join("\n");
+}
+// src/auth/token.ts
+import process4 from "process";
+var DEFAULT_SCOPE = "https://graph.microsoft.com/.default";
+function resolveAuthBase(options) {
+  if (options.authBase !== void 0 && options.authBase.length > 0) {
+    return options.authBase.replace(/\/+$/, "");
+  }
+  const fromEnv = (options.env ?? process4.env)[ENV_AUTH_BASE];
+  return fromEnv === void 0 || fromEnv.length === 0 ? DEFAULT_AUTH_BASE : fromEnv.replace(/\/+$/, "");
+}
+function assertString(value, field) {
+  if (typeof value !== "string" || value.length === 0) {
+    throw new Error(`Token response missing field: ${field}`);
+  }
+  return value;
+}
+function assertNumber(value, field) {
+  if (typeof value !== "number" || !Number.isFinite(value)) {
+    throw new Error(`Token response missing numeric field: ${field}`);
+  }
+  return value;
+}
+function parseTokenResponse(text, status) {
+  try {
+    return JSON.parse(text);
+  } catch (err) {
+    throw new Error(`Failed to parse token response (HTTP ${status.toString()})`, { cause: err });
+  }
+}
+function throwIfTokenError(response, parsed) {
+  if (response.ok && typeof parsed.error !== "string") {
+    return;
+  }
+  const code = typeof parsed.error === "string" ? parsed.error : "unknown_error";
+  const description = typeof parsed.error_description === "string" && parsed.error_description.length > 0 ? parsed.error_description : response.statusText;
+  throw new Error(
+    `Azure AD token request failed (HTTP ${response.status.toString()} ${code}): ${description}`
+  );
+}
+async function acquireAppToken(credentials, options = {}) {
+  if (credentials.tenantId.length === 0) {
+    throw new Error("tenantId is required");
+  }
+  if (credentials.clientId.length === 0) {
+    throw new Error("clientId is required");
+  }
+  if (credentials.clientSecret.length === 0) {
+    throw new Error("clientSecret is required");
+  }
+  const authBase = resolveAuthBase(options);
+  const fetchFn = options.fetchFn ?? fetch;
+  const url = `${authBase}/${encodeURIComponent(credentials.tenantId)}/oauth2/v2.0/token`;
+  const form = new URLSearchParams({
+    grant_type: "client_credentials",
+    client_id: credentials.clientId,
+    client_secret: credentials.clientSecret,
+    scope: options.scope ?? DEFAULT_SCOPE
+  });
+  const response = await fetchFn(url, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json" },
+    body: form.toString()
+  });
+  const parsed = parseTokenResponse(await response.text(), response.status);
+  throwIfTokenError(response, parsed);
+  const scopeValue = typeof parsed.scope === "string" ? parsed.scope : void 0;
+  const base = {
+    accessToken: assertString(parsed.access_token, "access_token"),
+    tokenType: assertString(parsed.token_type, "token_type"),
+    expiresOn: Math.floor(Date.now() / 1e3) + assertNumber(parsed.expires_in, "expires_in")
+  };
+  return scopeValue === void 0 ? base : { ...base, scope: scopeValue };
+}
+// src/graph/drive.ts
+var XLSX_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet";
+function asString2(value, fallback = "") {
+  return typeof value === "string" ? value : fallback;
+}
+function asNumber(value, fallback = 0) {
+  return typeof value === "number" && Number.isFinite(value) ? value : fallback;
+}
+function encodeDrivePath(relativePath) {
+  return relativePath.split("/").filter((segment) => segment.length > 0).map((segment) => encodeURIComponent(segment)).join("/");
+}
+function toDrive(raw) {
+  return {
+    id: asString2(raw.id),
+    name: asString2(raw.name),
+    driveType: asString2(raw.driveType, "documentLibrary"),
+    webUrl: asString2(raw.webUrl)
+  };
+}
+function toDriveItem(raw) {
+  const base = {
+    id: asString2(raw.id),
+    name: asString2(raw.name),
+    isFolder: raw.folder !== void 0 && raw.folder !== null,
+    size: asNumber(raw.size)
+  };
+  return {
+    ...base,
+    ...typeof raw.eTag === "string" ? { eTag: raw.eTag } : {},
+    ...typeof raw.cTag === "string" ? { cTag: raw.cTag } : {},
+    ...typeof raw.webUrl === "string" ? { webUrl: raw.webUrl } : {}
+  };
+}
+async function listDrives(client, siteId) {
+  const response = await client.requestJson(`/sites/${encodeURIComponent(siteId)}/drives`);
+  if (!Array.isArray(response.value)) {
+    return [];
+  }
+  return response.value.filter((entry) => typeof entry === "object" && entry !== null).map(toDrive);
+}
+function selectDrive(drives, driveHint) {
+  if (drives.length === 0) {
+    throw new Error("SharePoint site has no drives (document libraries)");
+  }
+  if (driveHint === void 0 || driveHint.length === 0) {
+    const first = drives[0];
+    if (first === void 0) {
+      throw new Error("No drives available");
+    }
+    return first;
+  }
+  const match = drives.find((drive) => drive.id === driveHint || drive.name === driveHint);
+  if (match === void 0) {
+    throw new Error(`Drive "${driveHint}" not found. Available: ${drives.map((d) => d.name).join(", ")}`);
+  }
+  return match;
+}
+async function getDriveItemByPath(client, driveId, relativePath) {
+  const normalized = relativePath.replace(/^\/+|\/+$/g, "");
+  const path = normalized.length === 0 ? `/drives/${encodeURIComponent(driveId)}/root` : `/drives/${encodeURIComponent(driveId)}/root:/${encodeDrivePath(normalized)}`;
+  try {
+    return toDriveItem(await client.requestJson(path));
+  } catch (err) {
+    if (err instanceof GraphHttpError && err.status === 404) {
+      return null;
+    }
+    throw err;
+  }
+}
+async function downloadDriveFile(client, driveId, relativePath) {
+  const encodedPath = encodeDrivePath(relativePath.replace(/^\/+|\/+$/g, ""));
+  return await client.requestBytes(`/drives/${encodeURIComponent(driveId)}/root:/${encodedPath}:/content`, {
+    headers: { Accept: XLSX_CONTENT_TYPE }
+  });
+}
+async function createUploadSession(client, driveId, relativePath) {
+  const encodedPath = encodeDrivePath(relativePath.replace(/^\/+|\/+$/g, ""));
+  const response = await client.requestJson(
+    `/drives/${encodeURIComponent(driveId)}/root:/${encodedPath}:/createUploadSession`,
+    {
+      method: "POST",
+      body: { item: { "@microsoft.graph.conflictBehavior": "fail" } }
+    }
+  );
+  if (typeof response.uploadUrl !== "string" || response.uploadUrl.length === 0) {
+    throw new Error("Graph upload session response missing uploadUrl");
+  }
+  return response.uploadUrl;
+}
+async function uploadNewDriveFile(client, driveId, relativePath, bytes) {
+  const existing = await getDriveItemByPath(client, driveId, relativePath);
+  if (existing !== null) {
+    throw new Error(`Refusing to overwrite existing SharePoint file: ${relativePath}`);
+  }
+  const uploadUrl = await createUploadSession(client, driveId, relativePath);
+  const lastByte = bytes.byteLength - 1;
+  const raw = await client.requestJson(uploadUrl, {
+    method: "PUT",
+    rawBody: bytes,
+    headers: {
+      "Content-Length": bytes.byteLength.toString(),
+      "Content-Range": `bytes 0-${lastByte.toString()}/${bytes.byteLength.toString()}`,
+      "Content-Type": XLSX_CONTENT_TYPE
+    }
+  });
+  return toDriveItem(raw);
+}
+async function replaceDriveFile(client, driveId, relativePath, eTag, bytes) {
+  const encodedPath = encodeDrivePath(relativePath.replace(/^\/+|\/+$/g, ""));
+  const raw = await client.requestJson(
+    `/drives/${encodeURIComponent(driveId)}/root:/${encodedPath}:/content`,
+    {
+      method: "PUT",
+      rawBody: bytes,
+      headers: {
+        "Content-Type": XLSX_CONTENT_TYPE,
+        "If-Match": eTag
+      }
+    }
+  );
+  return toDriveItem(raw);
+}
+// src/session.ts
+async function openSession(target, options = {}) {
+  const tokenOptions = {
+    ...options.authBase === void 0 ? {} : { authBase: options.authBase },
+    ...options.fetchFn === void 0 ? {} : { fetchFn: options.fetchFn }
+  };
+  const token = await acquireAppToken(target.credentials, tokenOptions);
+  const client = createGraphClient({
+    accessToken: token.accessToken,
+    ...options.graphBase === void 0 ? {} : { baseUrl: options.graphBase },
+    ...options.fetchFn === void 0 ? {} : { fetchFn: options.fetchFn },
+    ...options.retry === void 0 ? {} : { retry: options.retry }
+  });
+  const site = await resolveSite(client, target.site);
+  const drives = await listDrives(client, site.id);
+  return { token, client, site, drives };
+}
+// src/workbook/json.ts
+import { z } from "zod";
+var JsonCellValueSchema = z.union([z.string(), z.number(), z.boolean(), z.null()]);
+var JsonRowSchema = z.array(JsonCellValueSchema);
+var JsonRecordSchema = z.record(z.string(), JsonCellValueSchema);
+function parseHeaders(input) {
+  if (input === void 0 || input.trim().length === 0) {
+    return [];
+  }
+  return input.split(",").map((entry) => entry.trim()).filter((entry) => entry.length > 0);
+}
+function parseJson(input, label) {
+  try {
+    return JSON.parse(input);
+  } catch (err) {
+    throw new Error(`Invalid JSON for ${label}`, { cause: err });
+  }
+}
+function parseCellValue(input) {
+  const trimmed = input.trim();
+  if (trimmed.length === 0) {
+    return "";
+  }
+  let parsed;
+  try {
+    parsed = parseJson(trimmed, "cell value");
+  } catch {
+    return input;
+  }
+  const result = JsonCellValueSchema.safeParse(parsed);
+  if (!result.success) {
+    return input;
+  }
+  return result.data;
+}
+function parseWorkbookRows(input) {
+  if (input === void 0 || input.trim().length === 0) {
+    return [];
+  }
+  const parsed = parseJson(input, "rows");
+  const rowResult = JsonRowSchema.safeParse(parsed);
+  if (rowResult.success) {
+    return [rowResult.data];
+  }
+  const recordResult = JsonRecordSchema.safeParse(parsed);
+  if (recordResult.success) {
+    return [recordResult.data];
+  }
+  if (Array.isArray(parsed)) {
+    return parsed.map(parseWorkbookRow);
+  }
+  throw new Error(`Rows JSON must be an object, row array, or array of rows/objects`);
+}
+function parseWorkbookRow(value) {
+  const rowResult = JsonRowSchema.safeParse(value);
+  if (rowResult.success) {
+    return rowResult.data;
+  }
+  const recordResult = JsonRecordSchema.safeParse(value);
+  if (recordResult.success) {
+    return recordResult.data;
+  }
+  throw new Error(`Rows JSON must be an object, row array, or array of rows/objects`);
+}
+// src/workbook/excel.ts
+import ExcelJS from "exceljs";
+// src/workbook/a1.ts
+var CELL_REF_PATTERN = /^([A-Za-z]+)([1-9]\d*)$/;
+function columnNameToNumber(columnName) {
+  const normalized = columnName.trim().toUpperCase();
+  if (!/^[A-Z]+$/.test(normalized)) {
+    throw new Error(`Invalid column name "${columnName}"`);
+  }
+  let total = 0;
+  for (const char of normalized) {
+    total = total * 26 + char.charCodeAt(0) - 64;
+  }
+  return total;
+}
+function parseA1Cell(input) {
+  const trimmed = input.trim();
+  const match = CELL_REF_PATTERN.exec(trimmed);
+  if (match === null) {
+    throw new Error(`Invalid A1 cell reference "${input}"`);
+  }
+  const columnName = match[1];
+  const rowValue = match[2];
+  if (columnName === void 0 || rowValue === void 0) {
+    throw new Error(`Invalid A1 cell reference "${input}"`);
+  }
+  return {
+    row: Number.parseInt(rowValue, 10),
+    column: columnNameToNumber(columnName)
+  };
+}
+function orderRange(start, end) {
+  return {
+    start: {
+      row: Math.min(start.row, end.row),
+      column: Math.min(start.column, end.column)
+    },
+    end: {
+      row: Math.max(start.row, end.row),
+      column: Math.max(start.column, end.column)
+    }
+  };
+}
+function parseA1Range(input) {
+  const parts = input.split(":").map((part) => part.trim());
+  if (parts.length === 1) {
+    const cell = parseA1Cell(parts[0] ?? "");
+    return { start: cell, end: cell };
+  }
+  if (parts.length !== 2) {
+    throw new Error(`Invalid A1 range "${input}"`);
+  }
+  return orderRange(parseA1Cell(parts[0] ?? ""), parseA1Cell(parts[1] ?? ""));
+}
+// src/workbook/excel.ts
+var INVALID_SHEET_CHARS = /[\][:*?/\\]/;
+function validateSheetName(sheetName) {
+  const trimmed = sheetName.trim();
+  if (trimmed.length === 0 || trimmed.length > 31 || INVALID_SHEET_CHARS.test(trimmed)) {
+    throw new Error(`Invalid Excel sheet name "${sheetName}"`);
+  }
+  return trimmed;
+}
+function isRecord(row) {
+  return !Array.isArray(row);
+}
+function deriveHeaders(headers, rows) {
+  if (headers.length > 0) {
+    return headers;
+  }
+  const firstRecord = rows.find(isRecord);
+  return firstRecord === void 0 ? [] : Object.keys(firstRecord);
+}
+function rowToValues(row, headers) {
+  if (!isRecord(row)) {
+    return [...row];
+  }
+  const record = row;
+  if (headers.length === 0) {
+    return Object.keys(record).map((key) => record[key] ?? null);
+  }
+  return headers.map((header) => record[header] ?? null);
+}
+function addRows(sheet, headers, rows) {
+  if (headers.length > 0) {
+    sheet.addRow([...headers]);
+  }
+  for (const row of rows) {
+    sheet.addRow([...rowToValues(row, headers)]);
+  }
+}
+function addTable(sheet, tableName, headers, rows) {
+  sheet.addTable({
+    name: tableName,
+    ref: "A1",
+    headerRow: true,
+    totalsRow: false,
+    style: { theme: "TableStyleMedium2", showRowStripes: true },
+    columns: headers.map((name) => ({ name })),
+    rows: rows.map((row) => [...rowToValues(row, headers)])
+  });
+}
+async function workbookToBytes(workbook) {
+  const buffer = await workbook.xlsx.writeBuffer();
+  return new Uint8Array(buffer);
+}
+async function loadWorkbook(bytes) {
+  const workbook = new ExcelJS.Workbook();
+  await workbook.xlsx.load(uint8ArrayToArrayBuffer(bytes));
+  return workbook;
+}
+function uint8ArrayToArrayBuffer(bytes) {
+  const copy = new ArrayBuffer(bytes.byteLength);
+  new Uint8Array(copy).set(bytes);
+  return copy;
+}
+function getWorksheet(workbook, sheetName) {
+  const sheet = workbook.getWorksheet(sheetName);
+  if (sheet === void 0) {
+    throw new Error(`Sheet "${sheetName}" not found`);
+  }
+  return sheet;
+}
+function serializeCellValue(value) {
+  if (value === null || value === void 0) {
+    return null;
+  }
+  if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
+    return value;
+  }
+  if (value instanceof Date) {
+    return value.toISOString();
+  }
+  if (typeof value === "object" && "result" in value) {
+    return serializeCellValue(value.result);
+  }
+  return JSON.stringify(value);
+}
+function readRow(sheet, rowNumber, startColumn, endColumn) {
+  const row = sheet.getRow(rowNumber);
+  const columnCount = endColumn - startColumn + 1;
+  return Array.from(
+    { length: columnCount },
+    (_value, index) => serializeCellValue(row.getCell(startColumn + index).value)
+  );
+}
+function readHeaderRow(sheet) {
+  if (sheet.actualRowCount === 0) {
+    return [];
+  }
+  return readRow(sheet, 1, 1, Math.max(1, sheet.actualColumnCount)).map((value) => String(value ?? ""));
+}
+function readSheet(sheet, options) {
+  const range = options.range === void 0 ? void 0 : parseA1Range(options.range);
+  const startRow = range?.start.row ?? 1;
+  const endRow = range?.end.row ?? Math.max(1, sheet.actualRowCount);
+  const startColumn = range?.start.column ?? 1;
+  const endColumn = range?.end.column ?? Math.max(1, sheet.actualColumnCount);
+  const rows = [];
+  for (let row = startRow; row <= endRow; row += 1) {
+    rows.push(readRow(sheet, row, startColumn, endColumn));
+  }
+  return { name: sheet.name, rowCount: rows.length, columnCount: endColumn - startColumn + 1, rows };
+}
+async function createWorkbookBytes(input) {
+  const workbook = new ExcelJS.Workbook();
+  const sheet = workbook.addWorksheet(validateSheetName(input.sheetName));
+  const headers = deriveHeaders(input.headers, input.rows);
+  if (input.tableName !== void 0 && input.tableName.length > 0 && headers.length > 0) {
+    addTable(sheet, input.tableName, headers, input.rows);
+  } else {
+    addRows(sheet, headers, input.rows);
+  }
+  return await workbookToBytes(workbook);
+}
+async function readWorkbookBytes(bytes, options = {}) {
+  const workbook = await loadWorkbook(bytes);
+  const sheets = options.sheetName === void 0 ? workbook.worksheets : [getWorksheet(workbook, validateSheetName(options.sheetName))];
+  return { sheets: sheets.map((sheet) => readSheet(sheet, options)) };
+}
+async function appendWorkbookRows(bytes, sheetName, rows, matchHeader) {
+  const workbook = await loadWorkbook(bytes);
+  const sheet = getWorksheet(workbook, validateSheetName(sheetName));
+  const headers = matchHeader ? readHeaderRow(sheet) : deriveHeaders([], rows);
+  for (const row of rows) {
+    sheet.addRow([...rowToValues(row, headers)]);
+  }
+  return {
+    bytes: await workbookToBytes(workbook),
+    sheetName: sheet.name,
+    rowCount: sheet.actualRowCount,
+    columnCount: sheet.actualColumnCount
+  };
+}
+async function updateWorkbookCell(bytes, sheetName, cellRef, value) {
+  const workbook = await loadWorkbook(bytes);
+  const sheet = getWorksheet(workbook, validateSheetName(sheetName));
+  const cell = parseA1Cell(cellRef);
+  sheet.getCell(cell.row, cell.column).value = value;
+  return {
+    bytes: await workbookToBytes(workbook),
+    sheetName: sheet.name,
+    rowCount: sheet.actualRowCount,
+    columnCount: sheet.actualColumnCount
+  };
+}
+async function addWorkbookSheet(bytes, sheetName, headers) {
+  const workbook = await loadWorkbook(bytes);
+  const normalized = validateSheetName(sheetName);
+  if (workbook.getWorksheet(normalized) !== void 0) {
+    throw new Error(`Sheet "${normalized}" already exists`);
+  }
+  const sheet = workbook.addWorksheet(normalized);
+  if (headers.length > 0) {
+    sheet.addRow([...headers]);
+  }
+  return {
+    bytes: await workbookToBytes(workbook),
+    sheetName: sheet.name,
+    rowCount: sheet.actualRowCount,
+    columnCount: sheet.actualColumnCount
+  };
+}
+// src/workbook/service.ts
+function normalizeWorkbookPath(path) {
+  const normalized = path.trim().replace(/^\/+|\/+$/g, "");
+  if (normalized.length === 0) {
+    throw new Error("Workbook path is required");
+  }
+  if (!normalized.toLowerCase().endsWith(".xlsx")) {
+    throw new Error(`Workbook path must end with .xlsx: ${path}`);
+  }
+  return normalized;
+}
+function requireEtag(item, path) {
+  if (item.eTag === void 0 || item.eTag.length === 0) {
+    throw new Error(`Cannot update ${path}: SharePoint item is missing an ETag`);
+  }
+  return item.eTag;
+}
+async function downloadExistingWorkbook(target, path) {
+  const drive = selectDrive(target.session.drives, target.driveHint);
+  const item = await getDriveItemByPath(target.session.client, drive.id, path);
+  if (item === null || item.isFolder) {
+    throw new Error(`Workbook not found: ${path}`);
+  }
+  const bytes = await downloadDriveFile(target.session.client, drive.id, path);
+  return { bytes, item, driveId: drive.id, driveName: drive.name };
+}
+async function createRemoteWorkbook(target, path, input) {
+  const normalizedPath = normalizeWorkbookPath(path);
+  const drive = selectDrive(target.session.drives, target.driveHint);
+  const bytes = await createWorkbookBytes(input);
+  const item = await uploadNewDriveFile(target.session.client, drive.id, normalizedPath, bytes);
+  return { driveId: drive.id, driveName: drive.name, path: normalizedPath, item };
+}
+async function readRemoteWorkbook(target, path, options = {}) {
+  const normalizedPath = normalizeWorkbookPath(path);
+  const downloaded = await downloadExistingWorkbook(target, normalizedPath);
+  const workbook = await readWorkbookBytes(downloaded.bytes, options);
+  return { ...downloaded, path: normalizedPath, workbook };
+}
+async function appendRemoteWorkbookRows(target, path, sheetName, rows, matchHeader) {
+  const normalizedPath = normalizeWorkbookPath(path);
+  const downloaded = await downloadExistingWorkbook(target, normalizedPath);
+  const mutation = await appendWorkbookRows(downloaded.bytes, sheetName, rows, matchHeader);
+  const item = await replaceDriveFile(
+    target.session.client,
+    downloaded.driveId,
+    normalizedPath,
+    requireEtag(downloaded.item, normalizedPath),
+    mutation.bytes
+  );
+  return { ...downloaded, item, path: normalizedPath, mutation };
+}
+async function updateRemoteWorkbookCell(target, path, sheetName, cellRef, value) {
+  const normalizedPath = normalizeWorkbookPath(path);
+  const downloaded = await downloadExistingWorkbook(target, normalizedPath);
+  const mutation = await updateWorkbookCell(downloaded.bytes, sheetName, cellRef, value);
+  const item = await replaceDriveFile(
+    target.session.client,
+    downloaded.driveId,
+    normalizedPath,
+    requireEtag(downloaded.item, normalizedPath),
+    mutation.bytes
+  );
+  return { ...downloaded, item, path: normalizedPath, mutation };
+}
+async function addRemoteWorkbookSheet(target, path, sheetName, headers) {
+  const normalizedPath = normalizeWorkbookPath(path);
+  const downloaded = await downloadExistingWorkbook(target, normalizedPath);
+  const mutation = await addWorkbookSheet(downloaded.bytes, sheetName, headers);
+  const item = await replaceDriveFile(
+    target.session.client,
+    downloaded.driveId,
+    normalizedPath,
+    requireEtag(downloaded.item, normalizedPath),
+    mutation.bytes
+  );
+  return { ...downloaded, item, path: normalizedPath, mutation };
+}
+// src/cli/options.ts
+function addCommonOptions(cmd) {
+  return cmd.option("--profile <name>", "Stored profile name").option("--tenant <id>", "Azure AD tenant ID").option("--client-id <id>", "App registration client ID").option("--client-secret <secret>", "App registration client secret").option("--site <ref>", "SharePoint site, e.g. contoso.sharepoint.com/sites/demo").option("--drive <nameOrId>", "Document library name or ID").option("--json", "Emit JSON output", false);
+}
+function toRuntimeOverrides(flags) {
+  return {
+    profile: flags.profile,
+    tenant: flags.tenant,
+    clientId: flags.clientId,
+    clientSecret: flags.clientSecret,
+    site: flags.site,
+    drive: flags.drive
+  };
+}
+function requireFlag(value, flagName) {
+  if (value === void 0 || value.trim().length === 0) {
+    throw new Error(`${flagName} is required`);
+  }
+  return value;
+}
+// src/cli/commands.ts
+function writeJson(value) {
+  process5.stdout.write(`${JSON.stringify(value, null, 2)}
+`);
+}
+function writeOutput(json, jsonValue, textValue) {
+  if (json === true) {
+    writeJson(jsonValue);
+    return;
+  }
+  process5.stdout.write(`${textValue}
+`);
+}
+function getSecretVault(storeKind) {
+  return storeKind === "keyring" ? createKeyringSecretVault() : createFileSecretVault();
+}
+async function openRuntime(flags) {
+  const runtime = await resolveRuntime({ overrides: toRuntimeOverrides(flags) });
+  const session = await openSession(runtime.target);
+  return { runtime, session };
+}
+function toServiceTarget(session, runtime, flags) {
+  const driveHint = flags.drive ?? runtime.drive;
+  return driveHint === void 0 ? { session } : { session, driveHint };
+}
+function toReadOptions(flags) {
+  return {
+    ...flags.sheet === void 0 ? {} : { sheetName: flags.sheet },
+    ...flags.range === void 0 ? {} : { range: flags.range }
+  };
+}
+function assertPlaintextAllowed(flags) {
+  if (flags.store !== "file") {
+    return;
+  }
+  if (flags.allowPlaintextSecret === true || process5.env[ENV_ALLOW_PLAINTEXT] === "1") {
+    return;
+  }
+  throw new Error(
+    `Plaintext secret file store requires --allow-plaintext-secret or ${ENV_ALLOW_PLAINTEXT}=1`
+  );
+}
+async function handleConfigSet(flags) {
+  assertPlaintextAllowed(flags);
+  const secretStore = parseSecretStoreKind(flags.store);
+  const input = {
+    name: flags.profile ?? DEFAULT_PROFILE_NAME,
+    tenantId: requireFlag(flags.tenant, "--tenant"),
+    clientId: requireFlag(flags.clientId, "--client-id"),
+    clientSecret: requireFlag(flags.clientSecret, "--client-secret"),
+    site: requireFlag(flags.site, "--site"),
+    secretStore,
+    ...flags.drive === void 0 ? {} : { drive: flags.drive }
+  };
+  const profile = await upsertProfile(createProfileStore(), getSecretVault(secretStore), input);
+  const redacted = await redactProfile(profile, getSecretVault(secretStore));
+  writeOutput(flags.json, redacted, formatProfile(redacted));
+}
+async function handleConfigGet(flags) {
+  const name = flags.profile ?? DEFAULT_PROFILE_NAME;
+  const profile = findProfile(await createProfileStore().readProfiles(), name);
+  if (profile === void 0) {
+    throw new Error(`Profile "${name}" not found`);
+  }
+  const redacted = await redactProfile(profile, getSecretVault(profile.secretStore));
+  writeOutput(flags.json, redacted, formatProfile(redacted));
+}
+async function handleConfigRemove(flags) {
+  const name = flags.profile ?? DEFAULT_PROFILE_NAME;
+  const profile = findProfile(await createProfileStore().readProfiles(), name);
+  const secretStore = profile?.secretStore ?? "keyring";
+  const removed = await removeProfile(createProfileStore(), getSecretVault(secretStore), name);
+  const output = { profile: name, removed };
+  writeOutput(flags.json, output, `Removed profile ${name}: ${String(removed)}`);
+}
+async function handleTest(flags) {
+  const { session } = await openRuntime(flags);
+  const output = { site: session.site, drives: session.drives, tokenType: session.token.tokenType };
+  writeOutput(flags.json, output, formatTestResult(session.site, session.drives));
+}
+async function handleDrives(flags) {
+  const { session } = await openRuntime(flags);
+  writeOutput(flags.json, session.drives, formatDriveList(session.drives));
+}
+async function handleCreate(flags) {
+  const { runtime, session } = await openRuntime(flags);
+  const result = await createRemoteWorkbook(
+    toServiceTarget(session, runtime, flags),
+    requireFlag(flags.path, "--path"),
+    {
+      sheetName: requireFlag(flags.sheet, "--sheet"),
+      headers: parseHeaders(flags.headers),
+      rows: parseWorkbookRows(flags.rows),
+      ...flags.table === void 0 ? {} : { tableName: flags.table }
+    }
+  );
+  writeOutput(flags.json, result, formatCreateResult(result));
+}
+async function handleRead(flags) {
+  const { runtime, session } = await openRuntime(flags);
+  const result = await readRemoteWorkbook(
+    toServiceTarget(session, runtime, flags),
+    requireFlag(flags.path, "--path"),
+    toReadOptions(flags)
+  );
+  writeOutput(flags.json, result, formatWorkbookRead(result));
+}
+async function handleAppend(flags) {
+  const { runtime, session } = await openRuntime(flags);
+  const result = await appendRemoteWorkbookRows(
+    toServiceTarget(session, runtime, flags),
+    requireFlag(flags.path, "--path"),
+    requireFlag(flags.sheet, "--sheet"),
+    parseWorkbookRows(requireFlag(flags.record, "--record")),
+    flags.matchHeader !== false
+  );
+  writeOutput(flags.json, result, formatMutationResult("Updated", result));
+}
+async function handleUpdateCell(flags) {
+  const { runtime, session } = await openRuntime(flags);
+  const result = await updateRemoteWorkbookCell(
+    toServiceTarget(session, runtime, flags),
+    requireFlag(flags.path, "--path"),
+    requireFlag(flags.sheet, "--sheet"),
+    requireFlag(flags.cell, "--cell"),
+    parseCellValue(requireFlag(flags.value, "--value"))
+  );
+  writeOutput(flags.json, result, formatMutationResult("Updated", result));
+}
+async function handleAddSheet(flags) {
+  const { runtime, session } = await openRuntime(flags);
+  const result = await addRemoteWorkbookSheet(
+    toServiceTarget(session, runtime, flags),
+    requireFlag(flags.path, "--path"),
+    requireFlag(flags.sheet, "--sheet"),
+    parseHeaders(flags.headers)
+  );
+  writeOutput(flags.json, result, formatMutationResult("Updated", result));
+}
+function registerConfigCommands(program) {
+  const config = program.command("config").description("Manage local SharePoint Excel profiles");
+  config.command("set").description("Store a SharePoint app-only profile").option("--profile <name>", "Profile name", DEFAULT_PROFILE_NAME).requiredOption("--tenant <id>", "Azure AD tenant ID").requiredOption("--client-id <id>", "App registration client ID").requiredOption("--client-secret <secret>", "App registration client secret").requiredOption("--site <ref>", "SharePoint site").option("--drive <nameOrId>", "Default document library").option("--store <keyring|file>", "Secret store", "keyring").option("--allow-plaintext-secret", "Allow plaintext file secret storage", false).option("--json", "Emit JSON output", false).action(handleConfigSet);
+  config.command("get").description("Read a stored profile without printing secrets").option("--profile <name>", "Profile name", DEFAULT_PROFILE_NAME).option("--json", "Emit JSON output", false).action(handleConfigGet);
+  config.command("remove").description("Remove a stored profile").option("--profile <name>", "Profile name", DEFAULT_PROFILE_NAME).option("--json", "Emit JSON output", false).action(handleConfigRemove);
+}
+function registerCommands(program) {
+  registerConfigCommands(program);
+  addCommonOptions(program.command("test").description("Authenticate, resolve site, and list drives")).action(handleTest);
+  addCommonOptions(program.command("drives").description("List SharePoint document libraries")).action(handleDrives);
+  addCommonOptions(program.command("create").description("Create a new .xlsx file without overwriting")).requiredOption("--path <xlsxPath>", "SharePoint path for the new workbook").requiredOption("--sheet <name>", "Initial sheet name").option("--headers <csv>", "Comma-separated header row").option("--rows <json>", "JSON row/object or array of rows/objects").option("--table <name>", "Optional Excel table name").action(handleCreate);
+  addCommonOptions(program.command("read").description("Read workbook sheets or a range")).requiredOption("--path <xlsxPath>", "SharePoint workbook path").option("--sheet <name>", "Sheet to read").option("--range <a1Range>", "A1 range, e.g. A1:C10").action(handleRead);
+  addCommonOptions(program.command("append").description("Append one or more records to a sheet")).requiredOption("--path <xlsxPath>", "SharePoint workbook path").requiredOption("--sheet <name>", "Sheet to append").requiredOption("--record <json>", "JSON row/object or array of rows/objects").option("--no-match-header", "Append object values by key order instead of row 1 headers").action(handleAppend);
+  addCommonOptions(program.command("update-cell").description("Update one cell in a workbook")).requiredOption("--path <xlsxPath>", "SharePoint workbook path").requiredOption("--sheet <name>", "Sheet name").requiredOption("--cell <a1Cell>", "A1 cell reference, e.g. B2").requiredOption("--value <jsonOrString>", "JSON scalar or raw string").action(handleUpdateCell);
+  addCommonOptions(program.command("add-sheet").description("Add a new sheet to an existing workbook")).requiredOption("--path <xlsxPath>", "SharePoint workbook path").requiredOption("--sheet <name>", "New sheet name").option("--headers <csv>", "Optional comma-separated header row").action(handleAddSheet);
+}
+// src/cli/index.ts
+async function main(argv) {
+  const program = new Command();
+  program.name("saptools-sharepoint-excel").description("Create, read, and update SharePoint-hosted Excel workbooks");
+  registerCommands(program);
+  await program.parseAsync([...argv]);
+}
+try {
+  await main(process6.argv);
+} catch (err) {
+  const message = err instanceof Error ? err.message : String(err);
+  process6.stderr.write(`Error: ${message}
+`);
+  process6.exit(1);
+}
+export {
+  main
+};
+//# sourceMappingURL=cli.js.map