@takodotid/azure-rest 0.1.5 β†’ 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/README.md +74 -0
  2. package/dist/index.cjs +130 -101
  3. package/dist/index.cjs.map +1 -1
  4. package/dist/index.d.cts +53 -35
  5. package/dist/index.d.ts +53 -35
  6. package/dist/index.js +129 -100
  7. package/dist/index.js.map +1 -1
  8. package/package.json +1 -1
package/README.md ADDED
@@ -0,0 +1,74 @@
1
+ # @takodotid/azure-rest
2
+
3
+ Minimal Azure REST client with Entra ID (formerly AAD) authentication. No external dependencies.
4
+
5
+ ## πŸš€ Features
6
+
7
+ - Authenticate to Azure REST APIs using Entra ID (AAD)
8
+ - Supports Azure CLI, Managed Identity, Service Principal, and Workload Identity credentials
9
+ - Zero external dependencies
10
+ - ESM & CommonJS support
11
+
12
+ ## πŸ“¦ Installation
13
+
14
+ > **Requirement:** Node.js 20+ or any runtime with built-in `fetch` (e.g. Bun, Deno).
15
+
16
+ ```sh
17
+ pnpm add @takodotid/azure-rest
18
+ # or
19
+ yarn add @takodotid/azure-rest
20
+ # or
21
+ npm install @takodotid/azure-rest
22
+ ```
23
+
24
+ ## πŸ› οΈ Usage
25
+
26
+ Here's a quick example to get you started:
27
+
28
+ ```ts
29
+ import { AzureClient, ChainedCredential } from "@takodotid/azure-rest";
30
+
31
+ const client = new AzureClient({
32
+ baseUrl: "https://management.azure.com", // Target Azure Management REST API endpoint
33
+ credential: {
34
+ scope: "https://management.azure.com/.default",
35
+ helper: new ChainedCredential(),
36
+ // Optional: you can provide a custom token builder if needed
37
+ // builder: (token) => { Authorization: `Bearer ${token}`; }
38
+ }
39
+ });
40
+
41
+ // Example: Get a list of resource groups
42
+ const response = await client.get("/subscriptions/<my subscription id>/resourcegroups?api-version=2022-09-01");
43
+
44
+ // Get the JSON response data. Full fetch API.
45
+ console.log(await response.json());
46
+ ```
47
+
48
+ > **Note:** Make sure your environment is authenticated (e.g., via Azure CLI, Managed Identity, or Service Principal).
49
+
50
+ ## 🧩 Credential Types Supported
51
+
52
+ You can use any of these credential helpers (just pick one that fits your use case):
53
+
54
+ - **AzureCliCredential** – Uses the token from Azure CLI (`az login`). Great for local dev.
55
+ - **ManagedIdentityCredential** – For apps running on Azure VM, App Service, Container Apps, etc. No secrets required.
56
+ - **ServicePrincipalCredential** – Authenticates using client ID & secret/certificate. Common for CI/CD or automation.
57
+ - **WorkloadIdentityCredential** – For OIDC/OpenID Connect scenarios, e.g., GitHub Actions to Azure and Azure Kubernetes Service (AKS).
58
+ - **ChainedCredential** – (Recommended) Automatically picks the most available one, in this order: Workload Identity β†’ Managed Identity β†’ Service Principal β†’ Azure CLI.
59
+
60
+ > **Recommended:** Just use `ChainedCredential` unless you have a strong reason to pick something else. It’ll do the right thing in most environments.
61
+
62
+ ## πŸ“š API
63
+
64
+ You can explore all available methods and options via JSDoc and TypeScript typings, no need to memorize anything. Just let your editor guide you!
65
+
66
+ ## 🀝 Contributing
67
+ Pull requests are welcome! For major changes, please open an issue first to discuss what you want to change.
68
+
69
+ ## πŸ“„ License
70
+ MIT Β© PT Hobimu Jadi Cuan (Tako)
71
+
72
+ ---
73
+
74
+ Made with ❀️ by Tako Devs.
package/dist/index.cjs CHANGED
@@ -33,7 +33,7 @@ __export(index_exports, {
33
33
  AzureCliCredential: () => AzureCliCredential,
34
34
  AzureClient: () => AzureClient,
35
35
  AzureCredential: () => AzureCredential,
36
- DefaultChainedCredential: () => DefaultChainedCredential,
36
+ ChainedCredential: () => ChainedCredential,
37
37
  ManagedIdentityCredential: () => ManagedIdentityCredential,
38
38
  ServicePrincipalCredential: () => ServicePrincipalCredential,
39
39
  WorkloadIdentityCredential: () => WorkloadIdentityCredential
@@ -51,105 +51,87 @@ var AzureClient = class _AzureClient {
51
51
  }
52
52
  static MAX_TOKEN_RETRIES = 3;
53
53
  token = null;
54
- /**
55
- * Sends a request to the Azure REST API, handling token refresh and retries.
56
- * @param path The API path (relative to baseUrl)
57
- * @param init Optional fetch options
58
- * @returns The fetch Response object
59
- * @throws If token refresh fails after max retries
60
- */
61
- async sendRequest(path, init) {
62
- for (let i = 0; i <= _AzureClient.MAX_TOKEN_RETRIES; i++) {
63
- if (this.token && this.token.expiresAt > /* @__PURE__ */ new Date()) break;
64
- if (i === _AzureClient.MAX_TOKEN_RETRIES) {
65
- throw new Error("Failed to refresh token after multiple attempts");
66
- }
67
- await this.refreshToken();
68
- if (i > 0) await new Promise((res) => setTimeout(res, 100 * i));
69
- }
70
- if (!this.token) throw new Error("Token is unexpectedly null after refresh attempts");
71
- const baseUrl = this.options.baseUrl.replace(/\/+$/, "");
72
- const relPath = path.replace(/^\/+/, "");
73
- const url = `${baseUrl}/${relPath}`;
74
- return fetch(url, {
75
- ...init,
76
- headers: {
77
- ...this.options.credential.builder ? this.options.credential.builder(this.token) : { Authorization: `Bearer ${this.token.accessToken}` },
78
- ...init?.headers
79
- }
80
- });
81
- }
82
54
  /**
83
55
  * Sends a GET request to the Azure REST API.
84
56
  * @param path The API path
85
- * @param init Optional fetch options
57
+ * @param options Fetch options, including headers
86
58
  * @returns The fetch Response object
87
59
  */
88
- get(path, init) {
89
- return this.sendRequest(path, { ...init, method: "GET" });
60
+ get(path, options) {
61
+ return this.request(path, { ...options, method: "GET" });
90
62
  }
91
63
  /**
92
64
  * Sends a POST request with a JSON body to the Azure REST API.
93
65
  * @param path The API path
94
- * @param body The request body (will be JSON.stringified)
95
- * @param init Optional fetch options
66
+ * @param options Fetch options, including body and headers
96
67
  * @returns The fetch Response object
97
68
  */
98
- post(path, body, init) {
99
- return this.sendRequest(path, {
100
- ...init,
101
- method: "POST",
102
- headers: {
103
- "Content-Type": "application/json",
104
- ...init?.headers
105
- },
106
- body
69
+ post(path, options) {
70
+ return this.request(path, {
71
+ ...options,
72
+ method: "POST"
107
73
  });
108
74
  }
109
75
  /**
110
76
  * Sends a PUT request with a JSON body to the Azure REST API.
111
77
  * @param path The API path
112
- * @param body The request body (will be JSON.stringified)
113
- * @param init Optional fetch options
78
+ * @param options Fetch options, including body and headers
114
79
  * @returns The fetch Response object
115
80
  */
116
- put(path, body, init) {
117
- return this.sendRequest(path, {
118
- ...init,
119
- method: "PUT",
120
- headers: {
121
- "Content-Type": "application/json",
122
- ...init?.headers
123
- },
124
- body
81
+ put(path, options) {
82
+ return this.request(path, {
83
+ ...options,
84
+ method: "PUT"
125
85
  });
126
86
  }
127
87
  /**
128
88
  * Sends a PATCH request with a JSON body to the Azure REST API.
129
89
  * @param path The API path
130
- * @param body The request body (will be JSON.stringified)
131
- * @param init Optional fetch options
90
+ * @param options Fetch options, including body and headers
132
91
  * @returns The fetch Response object
133
92
  */
134
- patch(path, body, init) {
135
- return this.sendRequest(path, {
136
- ...init,
137
- method: "PATCH",
138
- headers: {
139
- "Content-Type": "application/json",
140
- ...init?.headers
141
- },
142
- body
93
+ patch(path, options) {
94
+ return this.request(path, {
95
+ ...options,
96
+ method: "PATCH"
143
97
  });
144
98
  }
145
99
  /**
146
100
  * Sends a DELETE request to the Azure REST API.
147
101
  * @param path The API path
148
- * @param init Optional fetch options
102
+ * @param options Fetch options, including body and headers
103
+ * @returns The fetch Response object
104
+ */
105
+ delete(path, options) {
106
+ return this.request(path, { ...options, method: "DELETE" });
107
+ }
108
+ /**
109
+ * Sends a request to the Azure REST API, handling token refresh and retries.
110
+ * @param path The API path (relative to baseUrl)
111
+ * @param options Optional fetch options
149
112
  * @returns The fetch Response object
113
+ * @throws If token refresh fails after max retries
150
114
  */
151
- delete(path, init) {
152
- return this.sendRequest(path, { ...init, method: "DELETE" });
115
+ async request(path, options) {
116
+ for (let i = 0; i <= _AzureClient.MAX_TOKEN_RETRIES; i++) {
117
+ if (this.token && this.token.expiresAt > /* @__PURE__ */ new Date()) break;
118
+ if (i === _AzureClient.MAX_TOKEN_RETRIES) {
119
+ throw new Error("Failed to refresh token after multiple attempts");
120
+ }
121
+ await this.refreshToken();
122
+ if (i > 0) await new Promise((res) => setTimeout(res, 100 * i));
123
+ }
124
+ if (!this.token) throw new Error("Token is unexpectedly null after refresh attempts");
125
+ const baseUrl = this.options.baseUrl.replace(/\/+$/, "");
126
+ const relPath = path.replace(/^\/+/, "");
127
+ const url = `${baseUrl}/${relPath}`;
128
+ return fetch(url, {
129
+ ...options,
130
+ headers: {
131
+ ...this.options.credential.builder ? this.options.credential.builder(this.token) : { Authorization: `Bearer ${this.token.accessToken}` },
132
+ ...options?.headers
133
+ }
134
+ });
153
135
  }
154
136
  /**
155
137
  * Refreshes the Azure access token using the provided credential helper.
@@ -160,52 +142,63 @@ var AzureClient = class _AzureClient {
160
142
  }
161
143
  };
162
144
 
163
- // src/lib/AzureCliCredential.ts
145
+ // src/credentials/AzureCliCredential.ts
164
146
  var import_node_child_process = require("child_process");
165
147
  var import_node_process = __toESM(require("process"), 1);
166
148
  var AzureCliCredential = class _AzureCliCredential {
167
149
  constructor(options) {
168
150
  this.options = options;
169
151
  }
152
+ /**
153
+ * Instantiates AzureCliCredential using the AZURE_TENANT_ID environment variable (if set),
154
+ * or falls back to the current Azure CLI context.
155
+ * @returns AzureCliCredential instance
156
+ */
157
+ static fromEnv() {
158
+ const tenantId = import_node_process.default.env.AZURE_TENANT_ID;
159
+ return new _AzureCliCredential(tenantId ? { tenantId } : {});
160
+ }
170
161
  /**
171
162
  * Gets an Azure access token using the Azure CLI.
172
- * @param scope The resource scope for the token
173
- * @returns An object with token and expiresAt
163
+ * @param scope The resource scope for the token (e.g. 'https://management.azure.com/.default')
164
+ * @returns An object with accessToken, expiresAt, and tokenType
174
165
  * @throws If CLI is not installed or not logged in
175
166
  */
176
167
  async getToken(scope) {
177
168
  try {
178
- const result = await this.getCliToken(scope);
179
- const specificScope = result.stderr.match("(.*)az login --scope(.*)");
180
- const isLoginError = result.stderr.match("(.*)az login(.*)") && !specificScope;
181
- const isNotInstallError = result.stderr.match("az:(.*)not found") ?? result.stderr.startsWith("'az' is not recognized");
182
- if (isNotInstallError) {
183
- throw new Error("Azure CLI not found. Please install");
184
- }
185
- if (isLoginError) {
186
- throw new Error("Please login to Azure CLI");
187
- }
169
+ const tenantId = this.options.tenantId ?? await _AzureCliCredential.getCurrentTenantId();
170
+ const result = await this.getCliToken(scope, tenantId);
188
171
  return this.parseRawOutput(result.stdout);
189
172
  } catch (error) {
190
- throw new Error(`Failed to get token: ${error.stack}`);
173
+ throw new Error(`Failed to get token: ${error.message}`);
191
174
  }
192
175
  }
193
176
  /**
194
- * Runs the Azure CLI to get an access token for the given scope.
177
+ * Runs the Azure CLI to get an access token for the given scope and tenant.
195
178
  * @param scope The resource scope
179
+ * @param tenantId The Azure tenant ID
196
180
  * @returns Promise resolving to CLI stdout and stderr
197
181
  * @private
198
182
  */
199
- async getCliToken(scope) {
183
+ async getCliToken(scope, tenantId) {
200
184
  return new Promise((resolve, reject) => {
201
185
  try {
202
186
  (0, import_node_child_process.execFile)(
203
187
  "az",
204
- ["account", "get-access-token", "--output", "json", "--resource", scope.replace(".default", ""), "--tenant", this.options.tenantId],
188
+ ["account", "get-access-token", "--output", "json", "--resource", scope.replace(".default", ""), "--tenant", tenantId],
205
189
  { cwd: import_node_process.default.cwd(), shell: true, timeout: 3e4 },
206
190
  (error, stdout, stderr) => {
191
+ const { isLoginError, isNotInstallError } = _AzureCliCredential.parseCliLoginError(stderr);
192
+ if (isNotInstallError) {
193
+ reject(new Error("Azure CLI not found. Please install"));
194
+ return;
195
+ }
196
+ if (isLoginError) {
197
+ reject(new Error("Please login to Azure CLI"));
198
+ return;
199
+ }
207
200
  if (error) {
208
- reject(new Error(`Failed to get token: ${error.stack}`));
201
+ reject(new Error(`Failed to get token: ${error.message}`));
209
202
  return;
210
203
  }
211
204
  resolve({ stdout, stderr });
@@ -216,10 +209,40 @@ var AzureCliCredential = class _AzureCliCredential {
216
209
  }
217
210
  });
218
211
  }
212
+ /**
213
+ * Gets the current tenant ID from Azure CLI context.
214
+ * @returns Promise resolving to the current tenant ID string
215
+ * @throws If CLI is not installed or not logged in
216
+ */
217
+ static async getCurrentTenantId() {
218
+ return new Promise((resolve, reject) => {
219
+ (0, import_node_child_process.execFile)("az", ["account", "show", "--query", "tenantId", "--output", "tsv"], { cwd: import_node_process.default.cwd(), shell: true, timeout: 1e4 }, (error, stdout, stderr) => {
220
+ const { isLoginError, isNotInstallError } = _AzureCliCredential.parseCliLoginError(stderr);
221
+ if (isNotInstallError) {
222
+ reject(new Error("Azure CLI not found. Please install"));
223
+ return;
224
+ }
225
+ if (isLoginError) {
226
+ reject(new Error("Please login to Azure CLI"));
227
+ return;
228
+ }
229
+ if (error) {
230
+ reject(new Error(`Failed to detect tenantId from Azure CLI context: ${stderr}`));
231
+ return;
232
+ }
233
+ const tenantId = stdout.trim();
234
+ if (!tenantId) {
235
+ reject(new Error("Could not detect tenantId from Azure CLI context."));
236
+ return;
237
+ }
238
+ resolve(tenantId);
239
+ });
240
+ });
241
+ }
219
242
  /**
220
243
  * Parses the raw CLI output and returns a token + expiry object.
221
244
  * @param output The stdout from Azure CLI
222
- * @returns An object with token and expiresAt
245
+ * @returns An object with accessToken, expiresAt, and tokenType
223
246
  * @private
224
247
  */
225
248
  parseRawOutput(output) {
@@ -240,21 +263,27 @@ var AzureCliCredential = class _AzureCliCredential {
240
263
  };
241
264
  }
242
265
  /**
243
- * Instantiates AzureCliCredential using the AZURE_TENANT_ID environment variable.
244
- * This expects the following environment variable to be set:
245
- * - AZURE_TENANT_ID: The Azure tenant ID to use for authentication.
246
- * @returns AzureCliCredential instance
266
+ * Checks stderr for common Azure CLI login errors.
267
+ * @param stderr The stderr string from CLI
268
+ * @returns Object with isLoginError and isNotInstallError booleans
269
+ * @private
247
270
  */
248
- static fromEnv() {
249
- return new _AzureCliCredential({ tenantId: import_node_process.default.env.AZURE_TENANT_ID });
271
+ static parseCliLoginError(stderr) {
272
+ const specificScope = stderr.match("(.*)az login --scope(.*)");
273
+ const isLoginError = stderr.match("(.*)az login(.*)") && !specificScope;
274
+ const isNotInstallError = stderr.match("az:(.*)not found") ?? stderr.startsWith("'az' is not recognized");
275
+ return {
276
+ isLoginError: Boolean(isLoginError),
277
+ isNotInstallError: Boolean(isNotInstallError)
278
+ };
250
279
  }
251
280
  };
252
281
 
253
- // src/lib/AzureCredential.ts
282
+ // src/credentials/AzureCredential.ts
254
283
  var AzureCredential = class {
255
284
  };
256
285
 
257
- // src/lib/ManagedIdentityCredential.ts
286
+ // src/credentials/ManagedIdentityCredential.ts
258
287
  var ManagedIdentityCredential = class _ManagedIdentityCredential {
259
288
  /**
260
289
  * @param options Managed identity credential options
@@ -325,7 +354,7 @@ var ManagedIdentityCredential = class _ManagedIdentityCredential {
325
354
  }
326
355
  };
327
356
 
328
- // src/lib/ServicePrincipalCredential.ts
357
+ // src/credentials/ServicePrincipalCredential.ts
329
358
  var import_node_url = require("url");
330
359
  var ServicePrincipalCredential = class _ServicePrincipalCredential {
331
360
  /**
@@ -401,7 +430,7 @@ var ServicePrincipalCredential = class _ServicePrincipalCredential {
401
430
  }
402
431
  };
403
432
 
404
- // src/lib/WorkloadIdentityCredential.ts
433
+ // src/credentials/WorkloadIdentityCredential.ts
405
434
  var import_promises = require("fs/promises");
406
435
  var WorkloadIdentityCredential = class _WorkloadIdentityCredential {
407
436
  /**
@@ -447,9 +476,9 @@ var WorkloadIdentityCredential = class _WorkloadIdentityCredential {
447
476
  }
448
477
  };
449
478
 
450
- // src/lib/DefaultChainedCredential.ts
479
+ // src/credentials/ChainedCredential.ts
451
480
  var credentialChain = [WorkloadIdentityCredential, ManagedIdentityCredential, ServicePrincipalCredential, AzureCliCredential];
452
- var DefaultChainedCredential = class {
481
+ var ChainedCredential = class {
453
482
  /**
454
483
  * Attempts to get an Azure access token using the first available credential in the chain.
455
484
  * @param scope The resource scope for the token
@@ -460,7 +489,7 @@ var DefaultChainedCredential = class {
460
489
  const errors = [];
461
490
  const debug = process.env.DEBUG?.includes("tako-azure-rest:credentials") || process.env.DEBUG?.includes("tako-azure-rest:*");
462
491
  for (const Credential of credentialChain) {
463
- const label = `[DefaultChainedCredential] ${Credential.name}`;
492
+ const label = `[ChainedCredential] ${Credential.name}`;
464
493
  let start;
465
494
  if (debug) {
466
495
  start = Date.now();
@@ -490,7 +519,7 @@ ${errors.map((err) => `[${err.name}] ${err.error.message}`).join("\n")}`);
490
519
  AzureCliCredential,
491
520
  AzureClient,
492
521
  AzureCredential,
493
- DefaultChainedCredential,
522
+ ChainedCredential,
494
523
  ManagedIdentityCredential,
495
524
  ServicePrincipalCredential,
496
525
  WorkloadIdentityCredential
package/dist/index.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/AzureClient.ts","../src/lib/AzureCliCredential.ts","../src/lib/AzureCredential.ts","../src/lib/ManagedIdentityCredential.ts","../src/lib/ServicePrincipalCredential.ts","../src/lib/WorkloadIdentityCredential.ts","../src/lib/DefaultChainedCredential.ts"],"sourcesContent":["export * from \"./AzureClient.js\";\nexport * from \"./lib/AzureCliCredential.js\";\nexport * from \"./lib/AzureCredential.js\";\nexport * from \"./lib/DefaultChainedCredential.js\";\nexport * from \"./lib/ManagedIdentityCredential.js\";\nexport * from \"./lib/ServicePrincipalCredential.js\";\nexport * from \"./lib/WorkloadIdentityCredential.js\";\n","import type { AzureCredential, Credential } from \"./lib/AzureCredential.js\";\n\n/**\n * Options for configuring the AzureClient instance.\n *\n * @property baseUrl - The base URL for Azure REST API endpoints (e.g. https://management.azure.com)\n * @property credential - Credential configuration for authenticating requests\n * @property helper - An AzureCredential implementation for acquiring tokens\n * @property scope - The Azure resource scope for the token (e.g. https://management.azure.com/.default)\n * @property builder - (Optional) Function to build request headers from a token. If not provided, an Authorization header is set by default.\n */\nexport type AzureClientOptions = {\n\tbaseUrl: string;\n\tcredential: {\n\t\thelper: AzureCredential;\n\t\tscope: string;\n\t\tbuilder?: (token: Credential) => Record<string, string>;\n\t};\n};\n\n/**\n * Azure REST API client with credential refresh and HTTP verb helpers.\n */\nexport class AzureClient {\n\tprivate static readonly MAX_TOKEN_RETRIES = 3;\n\tprivate token: Credential | null = null;\n\n\t/**\n\t * @param options Azure client configuration (baseUrl, credential, etc)\n\t */\n\tconstructor(public options: AzureClientOptions) {\n\t\tObject.defineProperty(this, \"token\", { enumerable: false });\n\t}\n\n\t/**\n\t * Sends a request to the Azure REST API, handling token refresh and retries.\n\t * @param path The API path (relative to baseUrl)\n\t * @param init Optional fetch options\n\t * @returns The fetch Response object\n\t * @throws If token refresh fails after max retries\n\t */\n\tpublic async sendRequest(path: string, init?: RequestInit): Promise<Response> {\n\t\tfor (let i = 0; i <= AzureClient.MAX_TOKEN_RETRIES; i++) {\n\t\t\tif (this.token && this.token.expiresAt > new Date()) break;\n\t\t\tif (i === AzureClient.MAX_TOKEN_RETRIES) {\n\t\t\t\tthrow new Error(\"Failed to refresh token after multiple attempts\");\n\t\t\t}\n\t\t\tawait this.refreshToken();\n\t\t\tif (i > 0) await new Promise(res => setTimeout(res, 100 * i));\n\t\t}\n\n\t\tif (!this.token) throw new Error(\"Token is unexpectedly null after refresh attempts\");\n\n\t\t// Normalize baseUrl and path to avoid double or missing slashes\n\t\tconst baseUrl = this.options.baseUrl.replace(/\\/+$/, \"\");\n\t\tconst relPath = path.replace(/^\\/+/, \"\");\n\t\tconst url = `${baseUrl}/${relPath}`;\n\n\t\treturn fetch(url, {\n\t\t\t...init,\n\t\t\theaders: {\n\t\t\t\t...(this.options.credential.builder ? this.options.credential.builder(this.token) : { Authorization: `Bearer ${this.token.accessToken}` }),\n\t\t\t\t...init?.headers\n\t\t\t}\n\t\t});\n\t}\n\n\t/**\n\t * Sends a GET request to the Azure REST API.\n\t * @param path The API path\n\t * @param init Optional fetch options\n\t * @returns The fetch Response object\n\t */\n\tpublic get(path: string, init?: RequestInit) {\n\t\treturn this.sendRequest(path, { ...init, method: \"GET\" });\n\t}\n\n\t/**\n\t * Sends a POST request with a JSON body to the Azure REST API.\n\t * @param path The API path\n\t * @param body The request body (will be JSON.stringified)\n\t * @param init Optional fetch options\n\t * @returns The fetch Response object\n\t */\n\tpublic post(path: string, body?: any, init?: RequestInit) {\n\t\treturn this.sendRequest(path, {\n\t\t\t...init,\n\t\t\tmethod: \"POST\",\n\t\t\theaders: {\n\t\t\t\t\"Content-Type\": \"application/json\",\n\t\t\t\t...init?.headers\n\t\t\t},\n\t\t\tbody\n\t\t});\n\t}\n\n\t/**\n\t * Sends a PUT request with a JSON body to the Azure REST API.\n\t * @param path The API path\n\t * @param body The request body (will be JSON.stringified)\n\t * @param init Optional fetch options\n\t * @returns The fetch Response object\n\t */\n\tpublic put(path: string, body?: any, init?: RequestInit) {\n\t\treturn this.sendRequest(path, {\n\t\t\t...init,\n\t\t\tmethod: \"PUT\",\n\t\t\theaders: {\n\t\t\t\t\"Content-Type\": \"application/json\",\n\t\t\t\t...init?.headers\n\t\t\t},\n\t\t\tbody\n\t\t});\n\t}\n\n\t/**\n\t * Sends a PATCH request with a JSON body to the Azure REST API.\n\t * @param path The API path\n\t * @param body The request body (will be JSON.stringified)\n\t * @param init Optional fetch options\n\t * @returns The fetch Response object\n\t */\n\tpublic patch(path: string, body?: any, init?: RequestInit) {\n\t\treturn this.sendRequest(path, {\n\t\t\t...init,\n\t\t\tmethod: \"PATCH\",\n\t\t\theaders: {\n\t\t\t\t\"Content-Type\": \"application/json\",\n\t\t\t\t...init?.headers\n\t\t\t},\n\t\t\tbody\n\t\t});\n\t}\n\n\t/**\n\t * Sends a DELETE request to the Azure REST API.\n\t * @param path The API path\n\t * @param init Optional fetch options\n\t * @returns The fetch Response object\n\t */\n\tpublic delete(path: string, init?: RequestInit) {\n\t\treturn this.sendRequest(path, { ...init, method: \"DELETE\" });\n\t}\n\n\t/**\n\t * Refreshes the Azure access token using the provided credential helper.\n\t * @private\n\t */\n\tprivate async refreshToken(): Promise<void> {\n\t\tthis.token = await this.options.credential.helper.getToken(this.options.credential.scope);\n\t}\n}\n","import { execFile } from \"node:child_process\";\nimport process from \"node:process\";\nimport type { AzureCredential } from \"./AzureCredential.js\";\n\n/**\n * The raw response returned by Azure CLI when requesting an access token.\n *\n * @property accessToken - The access token string\n * @property expiresOn - Expiry date in RFC3339 format (legacy)\n * @property expires_on - Expiry as seconds since epoch (preferred)\n * @property subscription - (Optional) Subscription ID, may not be present\n * @property tenant - Tenant ID\n * @property tokenType - Token type (usually 'Bearer')\n */\nexport type CLITokenResponse = {\n\taccessToken: string;\n\texpiresOn: string;\n\texpires_on: string;\n\tsubscription?: string;\n\ttenant: string;\n\ttokenType: string;\n};\n\n/**\n * Options for AzureCliCredential.\n *\n * @property tenantId - The Azure tenant ID to use for authentication.\n */\nexport type AzureCLICredentialOptions = {\n\ttenantId: string;\n};\n\nexport class AzureCliCredential implements AzureCredential {\n\tpublic constructor(public options: AzureCLICredentialOptions) {}\n\n\t/**\n\t * Gets an Azure access token using the Azure CLI.\n\t * @param scope The resource scope for the token\n\t * @returns An object with token and expiresAt\n\t * @throws If CLI is not installed or not logged in\n\t */\n\tpublic async getToken(scope: string) {\n\t\ttry {\n\t\t\tconst result = await this.getCliToken(scope);\n\n\t\t\tconst specificScope = result.stderr.match(\"(.*)az login --scope(.*)\");\n\t\t\tconst isLoginError = result.stderr.match(\"(.*)az login(.*)\") && !specificScope;\n\t\t\tconst isNotInstallError = result.stderr.match(\"az:(.*)not found\") ?? result.stderr.startsWith(\"'az' is not recognized\");\n\n\t\t\tif (isNotInstallError) {\n\t\t\t\tthrow new Error(\"Azure CLI not found. Please install\");\n\t\t\t}\n\t\t\tif (isLoginError) {\n\t\t\t\tthrow new Error(\"Please login to Azure CLI\");\n\t\t\t}\n\n\t\t\treturn this.parseRawOutput(result.stdout);\n\t\t} catch (error) {\n\t\t\tthrow new Error(`Failed to get token: ${(error as Error).stack}`);\n\t\t}\n\t}\n\n\t/**\n\t * Runs the Azure CLI to get an access token for the given scope.\n\t * @param scope The resource scope\n\t * @returns Promise resolving to CLI stdout and stderr\n\t * @private\n\t */\n\tprivate async getCliToken(scope: string) {\n\t\treturn new Promise<{ stderr: string; stdout: string }>((resolve, reject) => {\n\t\t\ttry {\n\t\t\t\texecFile(\n\t\t\t\t\t\"az\",\n\t\t\t\t\t[\"account\", \"get-access-token\", \"--output\", \"json\", \"--resource\", scope.replace(\".default\", \"\"), \"--tenant\", this.options.tenantId],\n\t\t\t\t\t{ cwd: process.cwd(), shell: true, timeout: 30_000 },\n\t\t\t\t\t(error, stdout, stderr) => {\n\t\t\t\t\t\tif (error) {\n\t\t\t\t\t\t\treject(new Error(`Failed to get token: ${error.stack}`));\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tresolve({ stdout, stderr });\n\t\t\t\t\t}\n\t\t\t\t);\n\t\t\t} catch (error) {\n\t\t\t\treject(error as Error);\n\t\t\t}\n\t\t});\n\t}\n\n\t/**\n\t * Parses the raw CLI output and returns a token + expiry object.\n\t * @param output The stdout from Azure CLI\n\t * @returns An object with token and expiresAt\n\t * @private\n\t */\n\tprivate parseRawOutput(output: string) {\n\t\tconst response = JSON.parse(output) as CLITokenResponse;\n\t\tconst token = response.accessToken;\n\n\t\t// if available, expires_on will be a number representing seconds since epoch.\n\t\t// ensure it's a number or NaN\n\t\tconst expiresOnTimestamp = Number.parseInt(response.expires_on, 10) * 1_000;\n\t\tif (!Number.isNaN(expiresOnTimestamp)) {\n\t\t\treturn {\n\t\t\t\taccessToken: token,\n\t\t\t\texpiresAt: new Date(expiresOnTimestamp),\n\t\t\t\ttokenType: response.tokenType\n\t\t\t};\n\t\t}\n\n\t\t// fallback to the older expiresOn - an RFC3339 date string\n\t\treturn {\n\t\t\taccessToken: token,\n\t\t\texpiresAt: new Date(response.expiresOn),\n\t\t\ttokenType: response.tokenType\n\t\t};\n\t}\n\n\t/**\n\t * Instantiates AzureCliCredential using the AZURE_TENANT_ID environment variable.\n\t * This expects the following environment variable to be set:\n\t * - AZURE_TENANT_ID: The Azure tenant ID to use for authentication.\n\t * @returns AzureCliCredential instance\n\t */\n\tpublic static fromEnv() {\n\t\treturn new AzureCliCredential({ tenantId: process.env.AZURE_TENANT_ID });\n\t}\n}\n\ndeclare global {\n\tnamespace NodeJS {\n\t\tinterface ProcessEnv {\n\t\t\tAZURE_TENANT_ID: string;\n\t\t}\n\t}\n}\n","/**\n * Represents an Azure access token and its expiration.\n */\nexport type Credential = { accessToken: string; clientId?: string; expiresAt: Date; tokenType: string };\n\n/**\n * Abstract credential class for acquiring Azure tokens.\n * Implement this to provide custom authentication logic.\n */\nexport abstract class AzureCredential {\n\t/**\n\t * Gets an Azure access token for the given scope.\n\t * @param scope The resource or scope for which the token is requested\n\t * @returns A promise resolving to an AzureToken\n\t */\n\tpublic abstract getToken(scope: string): Promise<Credential>;\n}\n","import type { AzureCredential } from \"./AzureCredential.js\";\nimport type { OAuth2TokenResponse } from \"./ServicePrincipalCredential.js\";\n\n/**\n * Options for configuring ManagedIdentityCredential.\n *\n * @property clientId - (Optional) The user-assigned managed identity client ID.\n * @property timeoutMs - (Optional) Timeout in milliseconds for metadata endpoint fetch. Default: 300ms.\n */\nexport type ManagedIdentityCredentialOptions = {\n\tidentityEndpoint?: string; // Optional: custom endpoint, defaults to Azure's default metadata endpoint\n\tclientId?: string;\n\ttimeoutMs?: number; // Optional: custom timeout for fetch\n};\n\n/**\n * AzureCredential implementation for Azure Managed Identity (MSI).\n *\n * Supports both system-assigned and user-assigned managed identities.\n * Works on Azure VM, App Service, Container Apps, etc.\n */\nexport class ManagedIdentityCredential implements AzureCredential {\n\t/**\n\t * @param options Managed identity credential options\n\t */\n\tpublic constructor(public options: ManagedIdentityCredentialOptions = {}) {}\n\n\t/**\n\t * Gets an Azure access token using the managed identity endpoint.\n\t * @param scope The resource scope for the token\n\t * @returns An object with token and expiresAt\n\t * @throws If the endpoint is unavailable or token request fails\n\t */\n\tpublic async getToken(scope: string) {\n\t\tconst endpoint = this.options.identityEndpoint || \"http://169.254.169.254/metadata/identity/oauth2/token\";\n\t\tconst apiVersion = \"2018-02-01\";\n\t\tconst params = new URLSearchParams();\n\t\tparams.set(\"api-version\", apiVersion);\n\t\tparams.set(\"resource\", scope.replace(\".default\", \"\"));\n\t\tif (this.options.clientId) {\n\t\t\tparams.set(\"client_id\", this.options.clientId);\n\t\t}\n\n\t\tconst url = `${endpoint}?${params.toString()}`;\n\t\tconst headers = { Metadata: \"true\" };\n\n\t\t// Add timeout to fetch (default 500ms, can override via options)\n\t\tconst timeoutMs = this.options.timeoutMs ?? 300;\n\t\tconst controller = new AbortController();\n\n\t\t// Manual timeout fallback: Promise.race to guarantee timeout even if fetch/AbortController fails (e.g., network hang)\n\t\tconst timeoutPromise = new Promise<never>((_, reject) => {\n\t\t\tsetTimeout(() => {\n\t\t\t\tcontroller.abort(); // still try to abort fetch\n\t\t\t\treject(new Error(`ManagedIdentityCredential: Timed out after ${timeoutMs}ms waiting for metadata endpoint (${url})`));\n\t\t\t}, timeoutMs);\n\t\t});\n\n\t\tlet response: Response;\n\t\ttry {\n\t\t\tresponse = await Promise.race([fetch(url, { headers, signal: controller.signal }), timeoutPromise]);\n\t\t} catch (err: any) {\n\t\t\tif (err.name === \"AbortError\" || /Timed out/.test(err.message)) {\n\t\t\t\tthrow new Error(`ManagedIdentityCredential: Timed out after ${timeoutMs}ms waiting for metadata endpoint (${url})`);\n\t\t\t}\n\t\t\tthrow err;\n\t\t}\n\n\t\tif (!response.ok) {\n\t\t\tthrow new Error(`ManagedIdentityCredential: Failed to get token: ${await response.text()}`);\n\t\t}\n\n\t\tconst data = (await response.json()) as OAuth2TokenResponse;\n\t\treturn {\n\t\t\taccessToken: data.access_token,\n\t\t\tclientId: data.client_id,\n\t\t\texpiresAt: new Date(data.expires_on ? Number(data.expires_on) * 1000 : Date.now() + 60 * 60 * 1000), // fallback 1h\n\t\t\ttokenType: data.token_type\n\t\t};\n\t}\n\n\t/**\n\t * Instantiates ManagedIdentityCredential using environment variables.\n\t * This expects the following environment variables to be set:\n\t * - AZURE_CLIENT_ID: The user-assigned managed identity client ID. This is optional for system-assigned identities.\n\t * - AZURE_MANAGED_IDENTITY_ENDPOINT or IDENTITY_ENDPOINT: The managed identity endpoint (optional, defaults to http://169.254.169.254/metadata/identity/oauth2/token)\n\t * - AZURE_MANAGED_IDENTITY_TIMEOUT_MS: Custom timeout for metadata endpoint fetch in milliseconds (optional).\n\t * @returns ManagedIdentityCredential instance\n\t */\n\tpublic static fromEnv() {\n\t\treturn new ManagedIdentityCredential({\n\t\t\tidentityEndpoint: process.env.AZURE_MANAGED_IDENTITY_ENDPOINT || process.env.IDENTITY_ENDPOINT,\n\t\t\tclientId: process.env.AZURE_CLIENT_ID,\n\t\t\ttimeoutMs: process.env.AZURE_MANAGED_IDENTITY_TIMEOUT_MS ? Number.parseInt(process.env.AZURE_MANAGED_IDENTITY_TIMEOUT_MS) : undefined\n\t\t});\n\t}\n}\n\ndeclare global {\n\tnamespace NodeJS {\n\t\tinterface ProcessEnv {\n\t\t\tAZURE_MANAGED_IDENTITY_ENDPOINT?: string;\n\t\t\tAZURE_MANAGED_IDENTITY_TIMEOUT_MS?: string; // Optional: custom timeout for fetch\n\t\t\tIDENTITY_ENDPOINT?: string;\n\t\t}\n\t}\n}\n","import { URLSearchParams } from \"node:url\";\nimport type { AzureCredential } from \"./AzureCredential.js\";\n\n/**\n * The OAuth2 token response returned by Azure AD and Managed Identity endpoints.\n *\n * @property access_token - The access token string\n * @property client_id - The client/application ID (optional, present in MSI)\n * @property expires_in - Seconds until token expiry\n * @property expires_on - Expiry time (epoch seconds, as string)\n * @property ext_expires_in - Extended expiry in seconds\n * @property not_before - Not before time (epoch seconds, as string)\n * @property resource - The resource for which the token is issued\n * @property token_type - The type of token (usually 'Bearer')\n */\nexport type OAuth2TokenResponse = {\n\taccess_token: string;\n\tclient_id?: string;\n\texpires_in: number;\n\texpires_on: string;\n\text_expires_in: number;\n\tnot_before: string;\n\tresource: string;\n\ttoken_type: string;\n};\n\n/**\n * Options for configuring ServicePrincipalCredential.\n *\n * @property clientId - The Azure AD application (client) ID.\n * @property clientSecret - The client secret or JWT assertion (for federated).\n * @property tenantId - The Azure AD tenant ID.\n * @property authorityHost - (Optional) The Azure AD authority host. Defaults to \"https://login.microsoftonline.com\".\n * @property federated - Whether to use federated (JWT) auth. If true, clientSecret is treated as a JWT assertion.\n */\nexport type ServicePrincipalCredentialOption = {\n\tclientId: string;\n\tclientSecret?: string;\n\ttenantId: string;\n\tauthorityHost?: string;\n\tfederated: boolean;\n};\n\n/**\n * AzureCredential implementation for authenticating with a Service Principal (client secret or federated/JWT).\n */\nexport class ServicePrincipalCredential implements AzureCredential {\n\t/**\n\t * @param options Service principal credential options\n\t */\n\tpublic constructor(public options: ServicePrincipalCredentialOption) {}\n\n\t/**\n\t * Gets an Azure access token using the service principal credentials.\n\t * @param scope The resource scope for the token\n\t * @returns An object with token and expiresAt\n\t * @throws If client secret is missing or token request fails\n\t */\n\tpublic async getToken(scope: string) {\n\t\tif (!this.options.clientSecret) throw new Error(\"ServicePrincipalCredential: The client secret is not provided.\");\n\n\t\t// Remove trailing slash from identityAuthorityHost\n\t\tconst url = [this.options.authorityHost?.replace(/\\/$/, \"\") ?? \"https://login.microsoftonline.com\", `${this.options.tenantId}/oauth2/v2.0/token`].join(\"/\");\n\n\t\ttry {\n\t\t\tconst searchParams = {\n\t\t\t\tclient_id: this.options.clientId,\n\t\t\t\tgrant_type: \"client_credentials\",\n\t\t\t\tscope\n\t\t\t};\n\n\t\t\t// If federated, use client_assertion and client_assertion_type\n\t\t\t// Otherwise, use client_secret\n\t\t\tif (this.options.federated) {\n\t\t\t\tObject.assign(searchParams, {\n\t\t\t\t\tclient_assertion: this.options.clientSecret,\n\t\t\t\t\tclient_assertion_type: \"urn:ietf:params:oauth:client-assertion-type:jwt-bearer\"\n\t\t\t\t});\n\t\t\t} else {\n\t\t\t\tObject.assign(searchParams, {\n\t\t\t\t\tclient_secret: this.options.clientSecret\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst response = await fetch(url, {\n\t\t\t\tmethod: \"POST\",\n\t\t\t\theaders: {\n\t\t\t\t\tAccept: \"application/json\",\n\t\t\t\t\t\"Content-Type\": \"application/x-www-form-urlencoded\"\n\t\t\t\t},\n\t\t\t\tbody: new URLSearchParams(searchParams)\n\t\t\t});\n\n\t\t\tif (!response.ok) {\n\t\t\t\tthrow new Error(`Failed to get token: ${await response.text()}`);\n\t\t\t}\n\n\t\t\tconst data = (await response.json()) as OAuth2TokenResponse;\n\n\t\t\treturn {\n\t\t\t\taccessToken: data.access_token,\n\t\t\t\tclientId: data.client_id ?? this.options.clientId,\n\t\t\t\texpiresAt: new Date(Date.now() + data.expires_in * 1_000),\n\t\t\t\ttokenType: data.token_type\n\t\t\t};\n\t\t} catch (error) {\n\t\t\tthrow new Error(`Failed to get token: ${(error as Error).stack}`);\n\t\t}\n\t}\n\n\t/**\n\t * Instantiates ServicePrincipalCredential using environment variables.\n\t * This expects the following environment variables to be set:\n\t * - AZURE_CLIENT_ID: The Azure AD application (client) ID\n\t * - AZURE_CLIENT_SECRET: The client secret\n\t * - AZURE_TENANT_ID: The Azure AD tenant ID\n\t * - AZURE_USE_FEDERATED_AUTH: Optional, if set to \"true\", uses federated authentication (JWT assertion).\n\t * @returns ServicePrincipalCredential instance\n\t */\n\tpublic static fromEnv() {\n\t\treturn new ServicePrincipalCredential({\n\t\t\tauthorityHost: process.env.AZURE_AUTHORITY_HOST,\n\t\t\tclientId: process.env.AZURE_CLIENT_ID,\n\t\t\tclientSecret: process.env.AZURE_CLIENT_SECRET,\n\t\t\ttenantId: process.env.AZURE_TENANT_ID,\n\t\t\tfederated: process.env.AZURE_USE_FEDERATED_AUTH === \"true\"\n\t\t});\n\t}\n}\n\ndeclare global {\n\tnamespace NodeJS {\n\t\tinterface ProcessEnv {\n\t\t\tAZURE_CLIENT_ID: string;\n\t\t\tAZURE_CLIENT_SECRET: string;\n\t\t\tAZURE_TENANT_ID: string;\n\t\t\tAZURE_USE_FEDERATED_AUTH: \"true\" | \"false\"; // Optional, defaults to \"false\"\n\t\t}\n\t}\n}\n","import { readFile } from \"node:fs/promises\";\nimport type { AzureCredential } from \"./AzureCredential.js\";\nimport { ServicePrincipalCredential } from \"./ServicePrincipalCredential.js\";\n\n/**\n * Options for configuring WorkloadIdentityCredential.\n *\n * @property clientId - The Azure AD application (client) ID\n * @property federatedTokenFile - Path to the federated token file (OIDC/JWT)\n * @property tenantId - The Azure AD tenant ID\n * @property authorityHost - (Optional) The Azure AD authority host\n */\nexport type WorkloadIdentityCredentialOption = {\n\tclientId: string;\n\tfederatedTokenFile: string;\n\ttenantId: string;\n\tauthorityHost?: string;\n};\n\n/**\n * AzureCredential implementation for Azure Workload Identity (OIDC federated token).\n *\n * Reads a federated token from file and authenticates as a service principal using JWT assertion.\n */\nexport class WorkloadIdentityCredential implements AzureCredential {\n\t/**\n\t * @param options Workload identity credential options\n\t */\n\tpublic constructor(public options: WorkloadIdentityCredentialOption) {}\n\n\t/**\n\t * Gets an Azure access token using the federated token file.\n\t * @param scope The resource scope for the token\n\t * @returns An object with token and expiresAt\n\t * @throws If the federated token file does not exist\n\t */\n\tpublic async getToken(scope: string) {\n\t\ttry {\n\t\t\tconst token = await readFile(this.options.federatedTokenFile, \"utf-8\");\n\t\t\tconst servicePrincipal = new ServicePrincipalCredential({ ...this.options, clientSecret: token, federated: true });\n\n\t\t\treturn servicePrincipal.getToken(scope);\n\t\t} catch (err) {\n\t\t\tif ((err as NodeJS.ErrnoException).code === \"ENOENT\") {\n\t\t\t\tthrow new Error(`WorkloadIdentityCredential: Federated token file not found at ${this.options.federatedTokenFile}`);\n\t\t\t}\n\t\t\tthrow new Error(`WorkloadIdentityCredential: Failed to get token: ${(err as Error).message}`);\n\t\t}\n\t}\n\n\t/**\n\t * Instantiates WorkloadIdentityCredential using environment variables.\n\t * This expects the following environment variables to be set:\n\t * - AZURE_AUTHORITY_HOST: The Azure AD authority host (optional)\n\t * - AZURE_CLIENT_ID: The Azure AD application (client) ID\n\t * - AZURE_FEDERATED_TOKEN_FILE: Path to the federated token file\n\t * - AZURE_TENANT_ID: The Azure AD tenant ID\n\t * @returns WorkloadIdentityCredential instance\n\t */\n\tpublic static fromEnv() {\n\t\treturn new WorkloadIdentityCredential({\n\t\t\tauthorityHost: process.env.AZURE_AUTHORITY_HOST,\n\t\t\tclientId: process.env.AZURE_CLIENT_ID,\n\t\t\tfederatedTokenFile: process.env.AZURE_FEDERATED_TOKEN_FILE,\n\t\t\ttenantId: process.env.AZURE_TENANT_ID\n\t\t});\n\t}\n}\n\ndeclare global {\n\tnamespace NodeJS {\n\t\tinterface ProcessEnv {\n\t\t\tAZURE_AUTHORITY_HOST: string;\n\t\t\tAZURE_CLIENT_ID: string;\n\t\t\tAZURE_FEDERATED_TOKEN_FILE: string;\n\t\t\tAZURE_TENANT_ID: string;\n\t\t}\n\t}\n}\n","import { AzureCliCredential } from \"./AzureCliCredential.js\";\nimport type { AzureCredential } from \"./AzureCredential.js\";\nimport { ManagedIdentityCredential } from \"./ManagedIdentityCredential.js\";\nimport { ServicePrincipalCredential } from \"./ServicePrincipalCredential.js\";\nimport { WorkloadIdentityCredential } from \"./WorkloadIdentityCredential.js\";\n\nconst credentialChain = [WorkloadIdentityCredential, ManagedIdentityCredential, ServicePrincipalCredential, AzureCliCredential];\n\n/**\n * DefaultChainedCredential tries multiple credential providers in order until one succeeds.\n *\n * The chain is: WorkloadIdentityCredential β†’ ManagedIdentityCredential β†’ ServicePrincipalCredential β†’ AzureCliCredential.\n * Useful for local dev, CI, and cloud environments with minimal config.\n */\nexport class DefaultChainedCredential implements AzureCredential {\n\t/**\n\t * Attempts to get an Azure access token using the first available credential in the chain.\n\t * @param scope The resource scope for the token\n\t * @returns An object with token and expiresAt\n\t * @throws If all credential providers fail\n\t */\n\tpublic async getToken(scope: string) {\n\t\tconst errors: { name: string; error: Error }[] = [];\n\t\tconst debug = process.env.DEBUG?.includes(\"tako-azure-rest:credentials\") || process.env.DEBUG?.includes(\"tako-azure-rest:*\");\n\t\tfor (const Credential of credentialChain) {\n\t\t\tconst label = `[DefaultChainedCredential] ${Credential.name}`;\n\t\t\tlet start: number | undefined;\n\t\t\tif (debug) {\n\t\t\t\tstart = Date.now();\n\t\t\t\tconsole.log(`${label} - trying...`);\n\t\t\t}\n\t\t\ttry {\n\t\t\t\tconst result = await Credential.fromEnv().getToken(scope);\n\t\t\t\tif (debug && start !== undefined) {\n\t\t\t\t\tconst ms = Date.now() - start;\n\t\t\t\t\tconsole.log(`${label} - success in ${ms}ms`);\n\t\t\t\t}\n\t\t\t\treturn result;\n\t\t\t} catch (error) {\n\t\t\t\tif (debug && start !== undefined) {\n\t\t\t\t\tconst ms = Date.now() - start;\n\t\t\t\t\tconsole.log(`${label} - failed in ${ms}ms: ${(error as Error).message}`);\n\t\t\t\t}\n\t\t\t\terrors.push({ error: error as Error, name: Credential.name });\n\t\t\t}\n\t\t}\n\n\t\tthrow new Error(`Failed to get token, errors:\\n${errors.map(err => `[${err.name}] ${err.error.message}`).join(\"\\n\")}`);\n\t}\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACuBO,IAAM,cAAN,MAAM,aAAY;AAAA;AAAA;AAAA;AAAA,EAOxB,YAAmB,SAA6B;AAA7B;AAClB,WAAO,eAAe,MAAM,SAAS,EAAE,YAAY,MAAM,CAAC;AAAA,EAC3D;AAAA,EARA,OAAwB,oBAAoB;AAAA,EACpC,QAA2B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgBnC,MAAa,YAAY,MAAc,MAAuC;AAC7E,aAAS,IAAI,GAAG,KAAK,aAAY,mBAAmB,KAAK;AACxD,UAAI,KAAK,SAAS,KAAK,MAAM,YAAY,oBAAI,KAAK,EAAG;AACrD,UAAI,MAAM,aAAY,mBAAmB;AACxC,cAAM,IAAI,MAAM,iDAAiD;AAAA,MAClE;AACA,YAAM,KAAK,aAAa;AACxB,UAAI,IAAI,EAAG,OAAM,IAAI,QAAQ,SAAO,WAAW,KAAK,MAAM,CAAC,CAAC;AAAA,IAC7D;AAEA,QAAI,CAAC,KAAK,MAAO,OAAM,IAAI,MAAM,mDAAmD;AAGpF,UAAM,UAAU,KAAK,QAAQ,QAAQ,QAAQ,QAAQ,EAAE;AACvD,UAAM,UAAU,KAAK,QAAQ,QAAQ,EAAE;AACvC,UAAM,MAAM,GAAG,OAAO,IAAI,OAAO;AAEjC,WAAO,MAAM,KAAK;AAAA,MACjB,GAAG;AAAA,MACH,SAAS;AAAA,QACR,GAAI,KAAK,QAAQ,WAAW,UAAU,KAAK,QAAQ,WAAW,QAAQ,KAAK,KAAK,IAAI,EAAE,eAAe,UAAU,KAAK,MAAM,WAAW,GAAG;AAAA,QACxI,GAAG,MAAM;AAAA,MACV;AAAA,IACD,CAAC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQO,IAAI,MAAc,MAAoB;AAC5C,WAAO,KAAK,YAAY,MAAM,EAAE,GAAG,MAAM,QAAQ,MAAM,CAAC;AAAA,EACzD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASO,KAAK,MAAc,MAAY,MAAoB;AACzD,WAAO,KAAK,YAAY,MAAM;AAAA,MAC7B,GAAG;AAAA,MACH,QAAQ;AAAA,MACR,SAAS;AAAA,QACR,gBAAgB;AAAA,QAChB,GAAG,MAAM;AAAA,MACV;AAAA,MACA;AAAA,IACD,CAAC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASO,IAAI,MAAc,MAAY,MAAoB;AACxD,WAAO,KAAK,YAAY,MAAM;AAAA,MAC7B,GAAG;AAAA,MACH,QAAQ;AAAA,MACR,SAAS;AAAA,QACR,gBAAgB;AAAA,QAChB,GAAG,MAAM;AAAA,MACV;AAAA,MACA;AAAA,IACD,CAAC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASO,MAAM,MAAc,MAAY,MAAoB;AAC1D,WAAO,KAAK,YAAY,MAAM;AAAA,MAC7B,GAAG;AAAA,MACH,QAAQ;AAAA,MACR,SAAS;AAAA,QACR,gBAAgB;AAAA,QAChB,GAAG,MAAM;AAAA,MACV;AAAA,MACA;AAAA,IACD,CAAC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQO,OAAO,MAAc,MAAoB;AAC/C,WAAO,KAAK,YAAY,MAAM,EAAE,GAAG,MAAM,QAAQ,SAAS,CAAC;AAAA,EAC5D;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,eAA8B;AAC3C,SAAK,QAAQ,MAAM,KAAK,QAAQ,WAAW,OAAO,SAAS,KAAK,QAAQ,WAAW,KAAK;AAAA,EACzF;AACD;;;ACvJA,gCAAyB;AACzB,0BAAoB;AA+Bb,IAAM,qBAAN,MAAM,oBAA8C;AAAA,EACnD,YAAmB,SAAoC;AAApC;AAAA,EAAqC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQ/D,MAAa,SAAS,OAAe;AACpC,QAAI;AACH,YAAM,SAAS,MAAM,KAAK,YAAY,KAAK;AAE3C,YAAM,gBAAgB,OAAO,OAAO,MAAM,0BAA0B;AACpE,YAAM,eAAe,OAAO,OAAO,MAAM,kBAAkB,KAAK,CAAC;AACjE,YAAM,oBAAoB,OAAO,OAAO,MAAM,kBAAkB,KAAK,OAAO,OAAO,WAAW,wBAAwB;AAEtH,UAAI,mBAAmB;AACtB,cAAM,IAAI,MAAM,qCAAqC;AAAA,MACtD;AACA,UAAI,cAAc;AACjB,cAAM,IAAI,MAAM,2BAA2B;AAAA,MAC5C;AAEA,aAAO,KAAK,eAAe,OAAO,MAAM;AAAA,IACzC,SAAS,OAAO;AACf,YAAM,IAAI,MAAM,wBAAyB,MAAgB,KAAK,EAAE;AAAA,IACjE;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAc,YAAY,OAAe;AACxC,WAAO,IAAI,QAA4C,CAAC,SAAS,WAAW;AAC3E,UAAI;AACH;AAAA,UACC;AAAA,UACA,CAAC,WAAW,oBAAoB,YAAY,QAAQ,cAAc,MAAM,QAAQ,YAAY,EAAE,GAAG,YAAY,KAAK,QAAQ,QAAQ;AAAA,UAClI,EAAE,KAAK,oBAAAA,QAAQ,IAAI,GAAG,OAAO,MAAM,SAAS,IAAO;AAAA,UACnD,CAAC,OAAO,QAAQ,WAAW;AAC1B,gBAAI,OAAO;AACV,qBAAO,IAAI,MAAM,wBAAwB,MAAM,KAAK,EAAE,CAAC;AACvD;AAAA,YACD;AAEA,oBAAQ,EAAE,QAAQ,OAAO,CAAC;AAAA,UAC3B;AAAA,QACD;AAAA,MACD,SAAS,OAAO;AACf,eAAO,KAAc;AAAA,MACtB;AAAA,IACD,CAAC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,eAAe,QAAgB;AACtC,UAAM,WAAW,KAAK,MAAM,MAAM;AAClC,UAAM,QAAQ,SAAS;AAIvB,UAAM,qBAAqB,OAAO,SAAS,SAAS,YAAY,EAAE,IAAI;AACtE,QAAI,CAAC,OAAO,MAAM,kBAAkB,GAAG;AACtC,aAAO;AAAA,QACN,aAAa;AAAA,QACb,WAAW,IAAI,KAAK,kBAAkB;AAAA,QACtC,WAAW,SAAS;AAAA,MACrB;AAAA,IACD;AAGA,WAAO;AAAA,MACN,aAAa;AAAA,MACb,WAAW,IAAI,KAAK,SAAS,SAAS;AAAA,MACtC,WAAW,SAAS;AAAA,IACrB;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,OAAc,UAAU;AACvB,WAAO,IAAI,oBAAmB,EAAE,UAAU,oBAAAA,QAAQ,IAAI,gBAAgB,CAAC;AAAA,EACxE;AACD;;;ACvHO,IAAe,kBAAf,MAA+B;AAOtC;;;ACKO,IAAM,4BAAN,MAAM,2BAAqD;AAAA;AAAA;AAAA;AAAA,EAI1D,YAAmB,UAA4C,CAAC,GAAG;AAAhD;AAAA,EAAiD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQ3E,MAAa,SAAS,OAAe;AACpC,UAAM,WAAW,KAAK,QAAQ,oBAAoB;AAClD,UAAM,aAAa;AACnB,UAAM,SAAS,IAAI,gBAAgB;AACnC,WAAO,IAAI,eAAe,UAAU;AACpC,WAAO,IAAI,YAAY,MAAM,QAAQ,YAAY,EAAE,CAAC;AACpD,QAAI,KAAK,QAAQ,UAAU;AAC1B,aAAO,IAAI,aAAa,KAAK,QAAQ,QAAQ;AAAA,IAC9C;AAEA,UAAM,MAAM,GAAG,QAAQ,IAAI,OAAO,SAAS,CAAC;AAC5C,UAAM,UAAU,EAAE,UAAU,OAAO;AAGnC,UAAM,YAAY,KAAK,QAAQ,aAAa;AAC5C,UAAM,aAAa,IAAI,gBAAgB;AAGvC,UAAM,iBAAiB,IAAI,QAAe,CAAC,GAAG,WAAW;AACxD,iBAAW,MAAM;AAChB,mBAAW,MAAM;AACjB,eAAO,IAAI,MAAM,8CAA8C,SAAS,qCAAqC,GAAG,GAAG,CAAC;AAAA,MACrH,GAAG,SAAS;AAAA,IACb,CAAC;AAED,QAAI;AACJ,QAAI;AACH,iBAAW,MAAM,QAAQ,KAAK,CAAC,MAAM,KAAK,EAAE,SAAS,QAAQ,WAAW,OAAO,CAAC,GAAG,cAAc,CAAC;AAAA,IACnG,SAAS,KAAU;AAClB,UAAI,IAAI,SAAS,gBAAgB,YAAY,KAAK,IAAI,OAAO,GAAG;AAC/D,cAAM,IAAI,MAAM,8CAA8C,SAAS,qCAAqC,GAAG,GAAG;AAAA,MACnH;AACA,YAAM;AAAA,IACP;AAEA,QAAI,CAAC,SAAS,IAAI;AACjB,YAAM,IAAI,MAAM,mDAAmD,MAAM,SAAS,KAAK,CAAC,EAAE;AAAA,IAC3F;AAEA,UAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,WAAO;AAAA,MACN,aAAa,KAAK;AAAA,MAClB,UAAU,KAAK;AAAA,MACf,WAAW,IAAI,KAAK,KAAK,aAAa,OAAO,KAAK,UAAU,IAAI,MAAO,KAAK,IAAI,IAAI,KAAK,KAAK,GAAI;AAAA;AAAA,MAClG,WAAW,KAAK;AAAA,IACjB;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,OAAc,UAAU;AACvB,WAAO,IAAI,2BAA0B;AAAA,MACpC,kBAAkB,QAAQ,IAAI,mCAAmC,QAAQ,IAAI;AAAA,MAC7E,UAAU,QAAQ,IAAI;AAAA,MACtB,WAAW,QAAQ,IAAI,oCAAoC,OAAO,SAAS,QAAQ,IAAI,iCAAiC,IAAI;AAAA,IAC7H,CAAC;AAAA,EACF;AACD;;;AChGA,sBAAgC;AA8CzB,IAAM,6BAAN,MAAM,4BAAsD;AAAA;AAAA;AAAA;AAAA,EAI3D,YAAmB,SAA2C;AAA3C;AAAA,EAA4C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQtE,MAAa,SAAS,OAAe;AACpC,QAAI,CAAC,KAAK,QAAQ,aAAc,OAAM,IAAI,MAAM,gEAAgE;AAGhH,UAAM,MAAM,CAAC,KAAK,QAAQ,eAAe,QAAQ,OAAO,EAAE,KAAK,qCAAqC,GAAG,KAAK,QAAQ,QAAQ,oBAAoB,EAAE,KAAK,GAAG;AAE1J,QAAI;AACH,YAAM,eAAe;AAAA,QACpB,WAAW,KAAK,QAAQ;AAAA,QACxB,YAAY;AAAA,QACZ;AAAA,MACD;AAIA,UAAI,KAAK,QAAQ,WAAW;AAC3B,eAAO,OAAO,cAAc;AAAA,UAC3B,kBAAkB,KAAK,QAAQ;AAAA,UAC/B,uBAAuB;AAAA,QACxB,CAAC;AAAA,MACF,OAAO;AACN,eAAO,OAAO,cAAc;AAAA,UAC3B,eAAe,KAAK,QAAQ;AAAA,QAC7B,CAAC;AAAA,MACF;AACA,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QACjC,QAAQ;AAAA,QACR,SAAS;AAAA,UACR,QAAQ;AAAA,UACR,gBAAgB;AAAA,QACjB;AAAA,QACA,MAAM,IAAI,gCAAgB,YAAY;AAAA,MACvC,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AACjB,cAAM,IAAI,MAAM,wBAAwB,MAAM,SAAS,KAAK,CAAC,EAAE;AAAA,MAChE;AAEA,YAAM,OAAQ,MAAM,SAAS,KAAK;AAElC,aAAO;AAAA,QACN,aAAa,KAAK;AAAA,QAClB,UAAU,KAAK,aAAa,KAAK,QAAQ;AAAA,QACzC,WAAW,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,aAAa,GAAK;AAAA,QACxD,WAAW,KAAK;AAAA,MACjB;AAAA,IACD,SAAS,OAAO;AACf,YAAM,IAAI,MAAM,wBAAyB,MAAgB,KAAK,EAAE;AAAA,IACjE;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,OAAc,UAAU;AACvB,WAAO,IAAI,4BAA2B;AAAA,MACrC,eAAe,QAAQ,IAAI;AAAA,MAC3B,UAAU,QAAQ,IAAI;AAAA,MACtB,cAAc,QAAQ,IAAI;AAAA,MAC1B,UAAU,QAAQ,IAAI;AAAA,MACtB,WAAW,QAAQ,IAAI,6BAA6B;AAAA,IACrD,CAAC;AAAA,EACF;AACD;;;AC/HA,sBAAyB;AAwBlB,IAAM,6BAAN,MAAM,4BAAsD;AAAA;AAAA;AAAA;AAAA,EAI3D,YAAmB,SAA2C;AAA3C;AAAA,EAA4C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQtE,MAAa,SAAS,OAAe;AACpC,QAAI;AACH,YAAM,QAAQ,UAAM,0BAAS,KAAK,QAAQ,oBAAoB,OAAO;AACrE,YAAM,mBAAmB,IAAI,2BAA2B,EAAE,GAAG,KAAK,SAAS,cAAc,OAAO,WAAW,KAAK,CAAC;AAEjH,aAAO,iBAAiB,SAAS,KAAK;AAAA,IACvC,SAAS,KAAK;AACb,UAAK,IAA8B,SAAS,UAAU;AACrD,cAAM,IAAI,MAAM,iEAAiE,KAAK,QAAQ,kBAAkB,EAAE;AAAA,MACnH;AACA,YAAM,IAAI,MAAM,oDAAqD,IAAc,OAAO,EAAE;AAAA,IAC7F;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,OAAc,UAAU;AACvB,WAAO,IAAI,4BAA2B;AAAA,MACrC,eAAe,QAAQ,IAAI;AAAA,MAC3B,UAAU,QAAQ,IAAI;AAAA,MACtB,oBAAoB,QAAQ,IAAI;AAAA,MAChC,UAAU,QAAQ,IAAI;AAAA,IACvB,CAAC;AAAA,EACF;AACD;;;AC7DA,IAAM,kBAAkB,CAAC,4BAA4B,2BAA2B,4BAA4B,kBAAkB;AAQvH,IAAM,2BAAN,MAA0D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOhE,MAAa,SAAS,OAAe;AACpC,UAAM,SAA2C,CAAC;AAClD,UAAM,QAAQ,QAAQ,IAAI,OAAO,SAAS,6BAA6B,KAAK,QAAQ,IAAI,OAAO,SAAS,mBAAmB;AAC3H,eAAW,cAAc,iBAAiB;AACzC,YAAM,QAAQ,8BAA8B,WAAW,IAAI;AAC3D,UAAI;AACJ,UAAI,OAAO;AACV,gBAAQ,KAAK,IAAI;AACjB,gBAAQ,IAAI,GAAG,KAAK,cAAc;AAAA,MACnC;AACA,UAAI;AACH,cAAM,SAAS,MAAM,WAAW,QAAQ,EAAE,SAAS,KAAK;AACxD,YAAI,SAAS,UAAU,QAAW;AACjC,gBAAM,KAAK,KAAK,IAAI,IAAI;AACxB,kBAAQ,IAAI,GAAG,KAAK,iBAAiB,EAAE,IAAI;AAAA,QAC5C;AACA,eAAO;AAAA,MACR,SAAS,OAAO;AACf,YAAI,SAAS,UAAU,QAAW;AACjC,gBAAM,KAAK,KAAK,IAAI,IAAI;AACxB,kBAAQ,IAAI,GAAG,KAAK,gBAAgB,EAAE,OAAQ,MAAgB,OAAO,EAAE;AAAA,QACxE;AACA,eAAO,KAAK,EAAE,OAAuB,MAAM,WAAW,KAAK,CAAC;AAAA,MAC7D;AAAA,IACD;AAEA,UAAM,IAAI,MAAM;AAAA,EAAiC,OAAO,IAAI,SAAO,IAAI,IAAI,IAAI,KAAK,IAAI,MAAM,OAAO,EAAE,EAAE,KAAK,IAAI,CAAC,EAAE;AAAA,EACtH;AACD;","names":["process"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/AzureClient.ts","../src/credentials/AzureCliCredential.ts","../src/credentials/AzureCredential.ts","../src/credentials/ManagedIdentityCredential.ts","../src/credentials/ServicePrincipalCredential.ts","../src/credentials/WorkloadIdentityCredential.ts","../src/credentials/ChainedCredential.ts"],"sourcesContent":["export * from \"./AzureClient.js\";\nexport * from \"./credentials/AzureCliCredential.js\";\nexport * from \"./credentials/AzureCredential.js\";\nexport * from \"./credentials/ChainedCredential.js\";\nexport * from \"./credentials/ManagedIdentityCredential.js\";\nexport * from \"./credentials/ServicePrincipalCredential.js\";\nexport * from \"./credentials/WorkloadIdentityCredential.js\";\n","import type { AzureCredential, Credential } from \"./credentials/AzureCredential.js\";\n\n/**\n * Options for configuring the AzureClient instance.\n *\n * @property baseUrl - The base URL for Azure REST API endpoints (e.g. https://management.azure.com)\n * @property credential - Credential configuration for authenticating requests\n * @property helper - An AzureCredential implementation for acquiring tokens\n * @property scope - The Azure resource scope for the token (e.g. https://management.azure.com/.default)\n * @property builder - (Optional) Function to build request headers from a token. If not provided, an Authorization header is set by default.\n */\nexport type AzureClientOptions = {\n\tbaseUrl: string;\n\tcredential: {\n\t\thelper: AzureCredential;\n\t\tscope: string;\n\t\tbuilder?: (token: Credential) => Record<string, string>;\n\t};\n};\n\n/**\n * Azure REST API client with credential refresh and HTTP verb helpers.\n */\nexport class AzureClient {\n\tprivate static readonly MAX_TOKEN_RETRIES = 3;\n\tprivate token: Credential | null = null;\n\n\t/**\n\t * @param options Azure client configuration (baseUrl, credential, etc)\n\t */\n\tconstructor(public options: AzureClientOptions) {\n\t\tObject.defineProperty(this, \"token\", { enumerable: false });\n\t}\n\n\t/**\n\t * Sends a GET request to the Azure REST API.\n\t * @param path The API path\n\t * @param options Fetch options, including headers\n\t * @returns The fetch Response object\n\t */\n\tpublic get(path: string, options?: Exclude<RequestInit, \"method\">) {\n\t\treturn this.request(path, { ...options, method: \"GET\" });\n\t}\n\n\t/**\n\t * Sends a POST request with a JSON body to the Azure REST API.\n\t * @param path The API path\n\t * @param options Fetch options, including body and headers\n\t * @returns The fetch Response object\n\t */\n\tpublic post(path: string, options?: Exclude<RequestInit, \"method\">) {\n\t\treturn this.request(path, {\n\t\t\t...options,\n\t\t\tmethod: \"POST\"\n\t\t});\n\t}\n\n\t/**\n\t * Sends a PUT request with a JSON body to the Azure REST API.\n\t * @param path The API path\n\t * @param options Fetch options, including body and headers\n\t * @returns The fetch Response object\n\t */\n\tpublic put(path: string, options?: Exclude<RequestInit, \"method\">) {\n\t\treturn this.request(path, {\n\t\t\t...options,\n\t\t\tmethod: \"PUT\"\n\t\t});\n\t}\n\n\t/**\n\t * Sends a PATCH request with a JSON body to the Azure REST API.\n\t * @param path The API path\n\t * @param options Fetch options, including body and headers\n\t * @returns The fetch Response object\n\t */\n\tpublic patch(path: string, options?: Exclude<RequestInit, \"method\">) {\n\t\treturn this.request(path, {\n\t\t\t...options,\n\t\t\tmethod: \"PATCH\"\n\t\t});\n\t}\n\n\t/**\n\t * Sends a DELETE request to the Azure REST API.\n\t * @param path The API path\n\t * @param options Fetch options, including body and headers\n\t * @returns The fetch Response object\n\t */\n\tpublic delete(path: string, options?: Exclude<RequestInit, \"method\">) {\n\t\treturn this.request(path, { ...options, method: \"DELETE\" });\n\t}\n\n\t/**\n\t * Sends a request to the Azure REST API, handling token refresh and retries.\n\t * @param path The API path (relative to baseUrl)\n\t * @param options Optional fetch options\n\t * @returns The fetch Response object\n\t * @throws If token refresh fails after max retries\n\t */\n\tpublic async request(path: string, options?: RequestInit): Promise<Response> {\n\t\tfor (let i = 0; i <= AzureClient.MAX_TOKEN_RETRIES; i++) {\n\t\t\tif (this.token && this.token.expiresAt > new Date()) break;\n\t\t\tif (i === AzureClient.MAX_TOKEN_RETRIES) {\n\t\t\t\tthrow new Error(\"Failed to refresh token after multiple attempts\");\n\t\t\t}\n\t\t\tawait this.refreshToken();\n\t\t\tif (i > 0) await new Promise(res => setTimeout(res, 100 * i));\n\t\t}\n\n\t\tif (!this.token) throw new Error(\"Token is unexpectedly null after refresh attempts\");\n\n\t\t// Normalize baseUrl and path to avoid double or missing slashes\n\t\tconst baseUrl = this.options.baseUrl.replace(/\\/+$/, \"\");\n\t\tconst relPath = path.replace(/^\\/+/, \"\");\n\t\tconst url = `${baseUrl}/${relPath}`;\n\n\t\treturn fetch(url, {\n\t\t\t...options,\n\t\t\theaders: {\n\t\t\t\t...(this.options.credential.builder ? this.options.credential.builder(this.token) : { Authorization: `Bearer ${this.token.accessToken}` }),\n\t\t\t\t...options?.headers\n\t\t\t}\n\t\t});\n\t}\n\n\t/**\n\t * Refreshes the Azure access token using the provided credential helper.\n\t * @private\n\t */\n\tprivate async refreshToken(): Promise<void> {\n\t\tthis.token = await this.options.credential.helper.getToken(this.options.credential.scope);\n\t}\n}\n","import { execFile } from \"node:child_process\";\nimport process from \"node:process\";\nimport type { AzureCredential } from \"./AzureCredential.js\";\n\n/**\n * The raw response returned by Azure CLI when requesting an access token.\n *\n * @property accessToken - The access token string\n * @property expiresOn - Expiry date in RFC3339 format (legacy)\n * @property expires_on - Expiry as seconds since epoch (preferred)\n * @property subscription - (Optional) Subscription ID, may not be present\n * @property tenant - Tenant ID\n * @property tokenType - Token type (usually 'Bearer')\n */\nexport type CLITokenResponse = {\n\taccessToken: string;\n\texpiresOn: string;\n\texpires_on: string;\n\tsubscription?: string;\n\ttenant: string;\n\ttokenType: string;\n};\n\n/**\n * Options for AzureCliCredential.\n *\n * @property tenantId - (Optional) The Azure tenant ID to use for authentication. If not provided, will use the current Azure CLI context.\n */\nexport type AzureCLICredentialOptions = {\n\ttenantId?: string;\n};\n\n/**\n * AzureCliCredential authenticates using the Azure CLI (`az`).\n *\n * - If `tenantId` is provided, uses it for token requests.\n * - If not, will try `AZURE_TENANT_ID` env var, then fall back to the current Azure CLI context.\n *\n * Throws clear errors if the CLI is not installed or not logged in.\n */\nexport class AzureCliCredential implements AzureCredential {\n\tpublic constructor(public options: AzureCLICredentialOptions) {}\n\n\t/**\n\t * Instantiates AzureCliCredential using the AZURE_TENANT_ID environment variable (if set),\n\t * or falls back to the current Azure CLI context.\n\t * @returns AzureCliCredential instance\n\t */\n\tpublic static fromEnv(): AzureCliCredential {\n\t\tconst tenantId = process.env.AZURE_TENANT_ID;\n\t\treturn new AzureCliCredential(tenantId ? { tenantId } : {});\n\t}\n\n\t/**\n\t * Gets an Azure access token using the Azure CLI.\n\t * @param scope The resource scope for the token (e.g. 'https://management.azure.com/.default')\n\t * @returns An object with accessToken, expiresAt, and tokenType\n\t * @throws If CLI is not installed or not logged in\n\t */\n\tpublic async getToken(scope: string): Promise<{ accessToken: string; expiresAt: Date; tokenType: string }> {\n\t\ttry {\n\t\t\tconst tenantId = this.options.tenantId ?? (await AzureCliCredential.getCurrentTenantId());\n\t\t\tconst result = await this.getCliToken(scope, tenantId);\n\t\t\treturn this.parseRawOutput(result.stdout);\n\t\t} catch (error) {\n\t\t\tthrow new Error(`Failed to get token: ${(error as Error).message}`);\n\t\t}\n\t}\n\n\t/**\n\t * Runs the Azure CLI to get an access token for the given scope and tenant.\n\t * @param scope The resource scope\n\t * @param tenantId The Azure tenant ID\n\t * @returns Promise resolving to CLI stdout and stderr\n\t * @private\n\t */\n\tprivate async getCliToken(scope: string, tenantId: string): Promise<{ stderr: string; stdout: string }> {\n\t\treturn new Promise((resolve, reject) => {\n\t\t\ttry {\n\t\t\t\texecFile(\n\t\t\t\t\t\"az\",\n\t\t\t\t\t[\"account\", \"get-access-token\", \"--output\", \"json\", \"--resource\", scope.replace(\".default\", \"\"), \"--tenant\", tenantId],\n\t\t\t\t\t{ cwd: process.cwd(), shell: true, timeout: 30_000 },\n\t\t\t\t\t(error, stdout, stderr) => {\n\t\t\t\t\t\tconst { isLoginError, isNotInstallError } = AzureCliCredential.parseCliLoginError(stderr);\n\t\t\t\t\t\tif (isNotInstallError) {\n\t\t\t\t\t\t\treject(new Error(\"Azure CLI not found. Please install\"));\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (isLoginError) {\n\t\t\t\t\t\t\treject(new Error(\"Please login to Azure CLI\"));\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (error) {\n\t\t\t\t\t\t\treject(new Error(`Failed to get token: ${error.message}`));\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tresolve({ stdout, stderr });\n\t\t\t\t\t}\n\t\t\t\t);\n\t\t\t} catch (error) {\n\t\t\t\treject(error as Error);\n\t\t\t}\n\t\t});\n\t}\n\n\t/**\n\t * Gets the current tenant ID from Azure CLI context.\n\t * @returns Promise resolving to the current tenant ID string\n\t * @throws If CLI is not installed or not logged in\n\t */\n\tprivate static async getCurrentTenantId(): Promise<string> {\n\t\treturn new Promise((resolve, reject) => {\n\t\t\texecFile(\"az\", [\"account\", \"show\", \"--query\", \"tenantId\", \"--output\", \"tsv\"], { cwd: process.cwd(), shell: true, timeout: 10_000 }, (error, stdout, stderr) => {\n\t\t\t\tconst { isLoginError, isNotInstallError } = AzureCliCredential.parseCliLoginError(stderr);\n\t\t\t\tif (isNotInstallError) {\n\t\t\t\t\treject(new Error(\"Azure CLI not found. Please install\"));\n\t\t\t\t\treturn;\n\t\t\t\t}\n\t\t\t\tif (isLoginError) {\n\t\t\t\t\treject(new Error(\"Please login to Azure CLI\"));\n\t\t\t\t\treturn;\n\t\t\t\t}\n\t\t\t\tif (error) {\n\t\t\t\t\treject(new Error(`Failed to detect tenantId from Azure CLI context: ${stderr}`));\n\t\t\t\t\treturn;\n\t\t\t\t}\n\t\t\t\tconst tenantId = stdout.trim();\n\t\t\t\tif (!tenantId) {\n\t\t\t\t\treject(new Error(\"Could not detect tenantId from Azure CLI context.\"));\n\t\t\t\t\treturn;\n\t\t\t\t}\n\t\t\t\tresolve(tenantId);\n\t\t\t});\n\t\t});\n\t}\n\n\t/**\n\t * Parses the raw CLI output and returns a token + expiry object.\n\t * @param output The stdout from Azure CLI\n\t * @returns An object with accessToken, expiresAt, and tokenType\n\t * @private\n\t */\n\tprivate parseRawOutput(output: string): { accessToken: string; expiresAt: Date; tokenType: string } {\n\t\tconst response = JSON.parse(output) as CLITokenResponse;\n\t\tconst token = response.accessToken;\n\t\tconst expiresOnTimestamp = Number.parseInt(response.expires_on, 10) * 1_000;\n\t\tif (!Number.isNaN(expiresOnTimestamp)) {\n\t\t\treturn {\n\t\t\t\taccessToken: token,\n\t\t\t\texpiresAt: new Date(expiresOnTimestamp),\n\t\t\t\ttokenType: response.tokenType\n\t\t\t};\n\t\t}\n\t\treturn {\n\t\t\taccessToken: token,\n\t\t\texpiresAt: new Date(response.expiresOn),\n\t\t\ttokenType: response.tokenType\n\t\t};\n\t}\n\n\t/**\n\t * Checks stderr for common Azure CLI login errors.\n\t * @param stderr The stderr string from CLI\n\t * @returns Object with isLoginError and isNotInstallError booleans\n\t * @private\n\t */\n\tprivate static parseCliLoginError(stderr: string): { isLoginError: boolean; isNotInstallError: boolean } {\n\t\tconst specificScope = stderr.match(\"(.*)az login --scope(.*)\");\n\t\tconst isLoginError = stderr.match(\"(.*)az login(.*)\") && !specificScope;\n\t\tconst isNotInstallError = stderr.match(\"az:(.*)not found\") ?? stderr.startsWith(\"'az' is not recognized\");\n\t\treturn {\n\t\t\tisLoginError: Boolean(isLoginError),\n\t\t\tisNotInstallError: Boolean(isNotInstallError)\n\t\t};\n\t}\n}\n\ndeclare global {\n\tnamespace NodeJS {\n\t\tinterface ProcessEnv {\n\t\t\tAZURE_TENANT_ID: string;\n\t\t}\n\t}\n}\n","/**\n * Represents an Azure access token and its expiration.\n */\nexport type Credential = { accessToken: string; clientId?: string; expiresAt: Date; tokenType: string };\n\n/**\n * Abstract credential class for acquiring Azure tokens.\n * Implement this to provide custom authentication logic.\n */\nexport abstract class AzureCredential {\n\t/**\n\t * Gets an Azure access token for the given scope.\n\t * @param scope The resource or scope for which the token is requested\n\t * @returns A promise resolving to an AzureToken\n\t */\n\tpublic abstract getToken(scope: string): Promise<Credential>;\n}\n","import type { AzureCredential } from \"./AzureCredential.js\";\nimport type { OAuth2TokenResponse } from \"./ServicePrincipalCredential.js\";\n\n/**\n * Options for configuring ManagedIdentityCredential.\n *\n * @property clientId - (Optional) The user-assigned managed identity client ID.\n * @property timeoutMs - (Optional) Timeout in milliseconds for metadata endpoint fetch. Default: 300ms.\n */\nexport type ManagedIdentityCredentialOptions = {\n\tidentityEndpoint?: string; // Optional: custom endpoint, defaults to Azure's default metadata endpoint\n\tclientId?: string;\n\ttimeoutMs?: number; // Optional: custom timeout for fetch\n};\n\n/**\n * AzureCredential implementation for Azure Managed Identity (MSI).\n *\n * Supports both system-assigned and user-assigned managed identities.\n * Works on Azure VM, App Service, Container Apps, etc.\n */\nexport class ManagedIdentityCredential implements AzureCredential {\n\t/**\n\t * @param options Managed identity credential options\n\t */\n\tpublic constructor(public options: ManagedIdentityCredentialOptions = {}) {}\n\n\t/**\n\t * Gets an Azure access token using the managed identity endpoint.\n\t * @param scope The resource scope for the token\n\t * @returns An object with token and expiresAt\n\t * @throws If the endpoint is unavailable or token request fails\n\t */\n\tpublic async getToken(scope: string) {\n\t\tconst endpoint = this.options.identityEndpoint || \"http://169.254.169.254/metadata/identity/oauth2/token\";\n\t\tconst apiVersion = \"2018-02-01\";\n\t\tconst params = new URLSearchParams();\n\t\tparams.set(\"api-version\", apiVersion);\n\t\tparams.set(\"resource\", scope.replace(\".default\", \"\"));\n\t\tif (this.options.clientId) {\n\t\t\tparams.set(\"client_id\", this.options.clientId);\n\t\t}\n\n\t\tconst url = `${endpoint}?${params.toString()}`;\n\t\tconst headers = { Metadata: \"true\" };\n\n\t\t// Add timeout to fetch (default 500ms, can override via options)\n\t\tconst timeoutMs = this.options.timeoutMs ?? 300;\n\t\tconst controller = new AbortController();\n\n\t\t// Manual timeout fallback: Promise.race to guarantee timeout even if fetch/AbortController fails (e.g., network hang)\n\t\tconst timeoutPromise = new Promise<never>((_, reject) => {\n\t\t\tsetTimeout(() => {\n\t\t\t\tcontroller.abort(); // still try to abort fetch\n\t\t\t\treject(new Error(`ManagedIdentityCredential: Timed out after ${timeoutMs}ms waiting for metadata endpoint (${url})`));\n\t\t\t}, timeoutMs);\n\t\t});\n\n\t\tlet response: Response;\n\t\ttry {\n\t\t\tresponse = await Promise.race([fetch(url, { headers, signal: controller.signal }), timeoutPromise]);\n\t\t} catch (err: any) {\n\t\t\tif (err.name === \"AbortError\" || /Timed out/.test(err.message)) {\n\t\t\t\tthrow new Error(`ManagedIdentityCredential: Timed out after ${timeoutMs}ms waiting for metadata endpoint (${url})`);\n\t\t\t}\n\t\t\tthrow err;\n\t\t}\n\n\t\tif (!response.ok) {\n\t\t\tthrow new Error(`ManagedIdentityCredential: Failed to get token: ${await response.text()}`);\n\t\t}\n\n\t\tconst data = (await response.json()) as OAuth2TokenResponse;\n\t\treturn {\n\t\t\taccessToken: data.access_token,\n\t\t\tclientId: data.client_id,\n\t\t\texpiresAt: new Date(data.expires_on ? Number(data.expires_on) * 1000 : Date.now() + 60 * 60 * 1000), // fallback 1h\n\t\t\ttokenType: data.token_type\n\t\t};\n\t}\n\n\t/**\n\t * Instantiates ManagedIdentityCredential using environment variables.\n\t * This expects the following environment variables to be set:\n\t * - AZURE_CLIENT_ID: The user-assigned managed identity client ID. This is optional for system-assigned identities.\n\t * - AZURE_MANAGED_IDENTITY_ENDPOINT or IDENTITY_ENDPOINT: The managed identity endpoint (optional, defaults to http://169.254.169.254/metadata/identity/oauth2/token)\n\t * - AZURE_MANAGED_IDENTITY_TIMEOUT_MS: Custom timeout for metadata endpoint fetch in milliseconds (optional).\n\t * @returns ManagedIdentityCredential instance\n\t */\n\tpublic static fromEnv() {\n\t\treturn new ManagedIdentityCredential({\n\t\t\tidentityEndpoint: process.env.AZURE_MANAGED_IDENTITY_ENDPOINT || process.env.IDENTITY_ENDPOINT,\n\t\t\tclientId: process.env.AZURE_CLIENT_ID,\n\t\t\ttimeoutMs: process.env.AZURE_MANAGED_IDENTITY_TIMEOUT_MS ? Number.parseInt(process.env.AZURE_MANAGED_IDENTITY_TIMEOUT_MS) : undefined\n\t\t});\n\t}\n}\n\ndeclare global {\n\tnamespace NodeJS {\n\t\tinterface ProcessEnv {\n\t\t\tAZURE_MANAGED_IDENTITY_ENDPOINT?: string;\n\t\t\tAZURE_MANAGED_IDENTITY_TIMEOUT_MS?: string; // Optional: custom timeout for fetch\n\t\t\tIDENTITY_ENDPOINT?: string;\n\t\t}\n\t}\n}\n","import { URLSearchParams } from \"node:url\";\nimport type { AzureCredential } from \"./AzureCredential.js\";\n\n/**\n * The OAuth2 token response returned by Azure AD and Managed Identity endpoints.\n *\n * @property access_token - The access token string\n * @property client_id - The client/application ID (optional, present in MSI)\n * @property expires_in - Seconds until token expiry\n * @property expires_on - Expiry time (epoch seconds, as string)\n * @property ext_expires_in - Extended expiry in seconds\n * @property not_before - Not before time (epoch seconds, as string)\n * @property resource - The resource for which the token is issued\n * @property token_type - The type of token (usually 'Bearer')\n */\nexport type OAuth2TokenResponse = {\n\taccess_token: string;\n\tclient_id?: string;\n\texpires_in: number;\n\texpires_on: string;\n\text_expires_in: number;\n\tnot_before: string;\n\tresource: string;\n\ttoken_type: string;\n};\n\n/**\n * Options for configuring ServicePrincipalCredential.\n *\n * @property clientId - The Azure AD application (client) ID.\n * @property clientSecret - The client secret or JWT assertion (for federated).\n * @property tenantId - The Azure AD tenant ID.\n * @property authorityHost - (Optional) The Azure AD authority host. Defaults to \"https://login.microsoftonline.com\".\n * @property federated - Whether to use federated (JWT) auth. If true, clientSecret is treated as a JWT assertion.\n */\nexport type ServicePrincipalCredentialOption = {\n\tclientId: string;\n\tclientSecret?: string;\n\ttenantId: string;\n\tauthorityHost?: string;\n\tfederated: boolean;\n};\n\n/**\n * AzureCredential implementation for authenticating with a Service Principal (client secret or federated/JWT).\n */\nexport class ServicePrincipalCredential implements AzureCredential {\n\t/**\n\t * @param options Service principal credential options\n\t */\n\tpublic constructor(public options: ServicePrincipalCredentialOption) {}\n\n\t/**\n\t * Gets an Azure access token using the service principal credentials.\n\t * @param scope The resource scope for the token\n\t * @returns An object with token and expiresAt\n\t * @throws If client secret is missing or token request fails\n\t */\n\tpublic async getToken(scope: string) {\n\t\tif (!this.options.clientSecret) throw new Error(\"ServicePrincipalCredential: The client secret is not provided.\");\n\n\t\t// Remove trailing slash from identityAuthorityHost\n\t\tconst url = [this.options.authorityHost?.replace(/\\/$/, \"\") ?? \"https://login.microsoftonline.com\", `${this.options.tenantId}/oauth2/v2.0/token`].join(\"/\");\n\n\t\ttry {\n\t\t\tconst searchParams = {\n\t\t\t\tclient_id: this.options.clientId,\n\t\t\t\tgrant_type: \"client_credentials\",\n\t\t\t\tscope\n\t\t\t};\n\n\t\t\t// If federated, use client_assertion and client_assertion_type\n\t\t\t// Otherwise, use client_secret\n\t\t\tif (this.options.federated) {\n\t\t\t\tObject.assign(searchParams, {\n\t\t\t\t\tclient_assertion: this.options.clientSecret,\n\t\t\t\t\tclient_assertion_type: \"urn:ietf:params:oauth:client-assertion-type:jwt-bearer\"\n\t\t\t\t});\n\t\t\t} else {\n\t\t\t\tObject.assign(searchParams, {\n\t\t\t\t\tclient_secret: this.options.clientSecret\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst response = await fetch(url, {\n\t\t\t\tmethod: \"POST\",\n\t\t\t\theaders: {\n\t\t\t\t\tAccept: \"application/json\",\n\t\t\t\t\t\"Content-Type\": \"application/x-www-form-urlencoded\"\n\t\t\t\t},\n\t\t\t\tbody: new URLSearchParams(searchParams)\n\t\t\t});\n\n\t\t\tif (!response.ok) {\n\t\t\t\tthrow new Error(`Failed to get token: ${await response.text()}`);\n\t\t\t}\n\n\t\t\tconst data = (await response.json()) as OAuth2TokenResponse;\n\n\t\t\treturn {\n\t\t\t\taccessToken: data.access_token,\n\t\t\t\tclientId: data.client_id ?? this.options.clientId,\n\t\t\t\texpiresAt: new Date(Date.now() + data.expires_in * 1_000),\n\t\t\t\ttokenType: data.token_type\n\t\t\t};\n\t\t} catch (error) {\n\t\t\tthrow new Error(`Failed to get token: ${(error as Error).stack}`);\n\t\t}\n\t}\n\n\t/**\n\t * Instantiates ServicePrincipalCredential using environment variables.\n\t * This expects the following environment variables to be set:\n\t * - AZURE_CLIENT_ID: The Azure AD application (client) ID\n\t * - AZURE_CLIENT_SECRET: The client secret\n\t * - AZURE_TENANT_ID: The Azure AD tenant ID\n\t * - AZURE_USE_FEDERATED_AUTH: Optional, if set to \"true\", uses federated authentication (JWT assertion).\n\t * @returns ServicePrincipalCredential instance\n\t */\n\tpublic static fromEnv() {\n\t\treturn new ServicePrincipalCredential({\n\t\t\tauthorityHost: process.env.AZURE_AUTHORITY_HOST,\n\t\t\tclientId: process.env.AZURE_CLIENT_ID,\n\t\t\tclientSecret: process.env.AZURE_CLIENT_SECRET,\n\t\t\ttenantId: process.env.AZURE_TENANT_ID,\n\t\t\tfederated: process.env.AZURE_USE_FEDERATED_AUTH === \"true\"\n\t\t});\n\t}\n}\n\ndeclare global {\n\tnamespace NodeJS {\n\t\tinterface ProcessEnv {\n\t\t\tAZURE_CLIENT_ID: string;\n\t\t\tAZURE_CLIENT_SECRET: string;\n\t\t\tAZURE_TENANT_ID: string;\n\t\t\tAZURE_USE_FEDERATED_AUTH: \"true\" | \"false\"; // Optional, defaults to \"false\"\n\t\t}\n\t}\n}\n","import { readFile } from \"node:fs/promises\";\nimport type { AzureCredential } from \"./AzureCredential.js\";\nimport { ServicePrincipalCredential } from \"./ServicePrincipalCredential.js\";\n\n/**\n * Options for configuring WorkloadIdentityCredential.\n *\n * @property clientId - The Azure AD application (client) ID\n * @property federatedTokenFile - Path to the federated token file (OIDC/JWT)\n * @property tenantId - The Azure AD tenant ID\n * @property authorityHost - (Optional) The Azure AD authority host\n */\nexport type WorkloadIdentityCredentialOption = {\n\tclientId: string;\n\tfederatedTokenFile: string;\n\ttenantId: string;\n\tauthorityHost?: string;\n};\n\n/**\n * AzureCredential implementation for Azure Workload Identity (OIDC federated token).\n *\n * Reads a federated token from file and authenticates as a service principal using JWT assertion.\n */\nexport class WorkloadIdentityCredential implements AzureCredential {\n\t/**\n\t * @param options Workload identity credential options\n\t */\n\tpublic constructor(public options: WorkloadIdentityCredentialOption) {}\n\n\t/**\n\t * Gets an Azure access token using the federated token file.\n\t * @param scope The resource scope for the token\n\t * @returns An object with token and expiresAt\n\t * @throws If the federated token file does not exist\n\t */\n\tpublic async getToken(scope: string) {\n\t\ttry {\n\t\t\tconst token = await readFile(this.options.federatedTokenFile, \"utf-8\");\n\t\t\tconst servicePrincipal = new ServicePrincipalCredential({ ...this.options, clientSecret: token, federated: true });\n\n\t\t\treturn servicePrincipal.getToken(scope);\n\t\t} catch (err) {\n\t\t\tif ((err as NodeJS.ErrnoException).code === \"ENOENT\") {\n\t\t\t\tthrow new Error(`WorkloadIdentityCredential: Federated token file not found at ${this.options.federatedTokenFile}`);\n\t\t\t}\n\t\t\tthrow new Error(`WorkloadIdentityCredential: Failed to get token: ${(err as Error).message}`);\n\t\t}\n\t}\n\n\t/**\n\t * Instantiates WorkloadIdentityCredential using environment variables.\n\t * This expects the following environment variables to be set:\n\t * - AZURE_AUTHORITY_HOST: The Azure AD authority host (optional)\n\t * - AZURE_CLIENT_ID: The Azure AD application (client) ID\n\t * - AZURE_FEDERATED_TOKEN_FILE: Path to the federated token file\n\t * - AZURE_TENANT_ID: The Azure AD tenant ID\n\t * @returns WorkloadIdentityCredential instance\n\t */\n\tpublic static fromEnv() {\n\t\treturn new WorkloadIdentityCredential({\n\t\t\tauthorityHost: process.env.AZURE_AUTHORITY_HOST,\n\t\t\tclientId: process.env.AZURE_CLIENT_ID,\n\t\t\tfederatedTokenFile: process.env.AZURE_FEDERATED_TOKEN_FILE,\n\t\t\ttenantId: process.env.AZURE_TENANT_ID\n\t\t});\n\t}\n}\n\ndeclare global {\n\tnamespace NodeJS {\n\t\tinterface ProcessEnv {\n\t\t\tAZURE_AUTHORITY_HOST: string;\n\t\t\tAZURE_CLIENT_ID: string;\n\t\t\tAZURE_FEDERATED_TOKEN_FILE: string;\n\t\t\tAZURE_TENANT_ID: string;\n\t\t}\n\t}\n}\n","import { AzureCliCredential } from \"./AzureCliCredential.js\";\nimport type { AzureCredential } from \"./AzureCredential.js\";\nimport { ManagedIdentityCredential } from \"./ManagedIdentityCredential.js\";\nimport { ServicePrincipalCredential } from \"./ServicePrincipalCredential.js\";\nimport { WorkloadIdentityCredential } from \"./WorkloadIdentityCredential.js\";\n\nconst credentialChain = [WorkloadIdentityCredential, ManagedIdentityCredential, ServicePrincipalCredential, AzureCliCredential];\n\n/**\n * ChainedCredential tries multiple credential providers in order until one succeeds.\n *\n * The chain is: WorkloadIdentityCredential β†’ ManagedIdentityCredential β†’ ServicePrincipalCredential β†’ AzureCliCredential.\n * Useful for local dev, CI, and cloud environments with minimal config.\n */\nexport class ChainedCredential implements AzureCredential {\n\t/**\n\t * Attempts to get an Azure access token using the first available credential in the chain.\n\t * @param scope The resource scope for the token\n\t * @returns An object with token and expiresAt\n\t * @throws If all credential providers fail\n\t */\n\tpublic async getToken(scope: string) {\n\t\tconst errors: { name: string; error: Error }[] = [];\n\t\tconst debug = process.env.DEBUG?.includes(\"tako-azure-rest:credentials\") || process.env.DEBUG?.includes(\"tako-azure-rest:*\");\n\t\tfor (const Credential of credentialChain) {\n\t\t\tconst label = `[ChainedCredential] ${Credential.name}`;\n\t\t\tlet start: number | undefined;\n\t\t\tif (debug) {\n\t\t\t\tstart = Date.now();\n\t\t\t\tconsole.log(`${label} - trying...`);\n\t\t\t}\n\t\t\ttry {\n\t\t\t\tconst result = await Credential.fromEnv().getToken(scope);\n\t\t\t\tif (debug && start !== undefined) {\n\t\t\t\t\tconst ms = Date.now() - start;\n\t\t\t\t\tconsole.log(`${label} - success in ${ms}ms`);\n\t\t\t\t}\n\t\t\t\treturn result;\n\t\t\t} catch (error) {\n\t\t\t\tif (debug && start !== undefined) {\n\t\t\t\t\tconst ms = Date.now() - start;\n\t\t\t\t\tconsole.log(`${label} - failed in ${ms}ms: ${(error as Error).message}`);\n\t\t\t\t}\n\t\t\t\terrors.push({ error: error as Error, name: Credential.name });\n\t\t\t}\n\t\t}\n\n\t\tthrow new Error(`Failed to get token, errors:\\n${errors.map(err => `[${err.name}] ${err.error.message}`).join(\"\\n\")}`);\n\t}\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACuBO,IAAM,cAAN,MAAM,aAAY;AAAA;AAAA;AAAA;AAAA,EAOxB,YAAmB,SAA6B;AAA7B;AAClB,WAAO,eAAe,MAAM,SAAS,EAAE,YAAY,MAAM,CAAC;AAAA,EAC3D;AAAA,EARA,OAAwB,oBAAoB;AAAA,EACpC,QAA2B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAe5B,IAAI,MAAc,SAA0C;AAClE,WAAO,KAAK,QAAQ,MAAM,EAAE,GAAG,SAAS,QAAQ,MAAM,CAAC;AAAA,EACxD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQO,KAAK,MAAc,SAA0C;AACnE,WAAO,KAAK,QAAQ,MAAM;AAAA,MACzB,GAAG;AAAA,MACH,QAAQ;AAAA,IACT,CAAC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQO,IAAI,MAAc,SAA0C;AAClE,WAAO,KAAK,QAAQ,MAAM;AAAA,MACzB,GAAG;AAAA,MACH,QAAQ;AAAA,IACT,CAAC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQO,MAAM,MAAc,SAA0C;AACpE,WAAO,KAAK,QAAQ,MAAM;AAAA,MACzB,GAAG;AAAA,MACH,QAAQ;AAAA,IACT,CAAC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQO,OAAO,MAAc,SAA0C;AACrE,WAAO,KAAK,QAAQ,MAAM,EAAE,GAAG,SAAS,QAAQ,SAAS,CAAC;AAAA,EAC3D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAa,QAAQ,MAAc,SAA0C;AAC5E,aAAS,IAAI,GAAG,KAAK,aAAY,mBAAmB,KAAK;AACxD,UAAI,KAAK,SAAS,KAAK,MAAM,YAAY,oBAAI,KAAK,EAAG;AACrD,UAAI,MAAM,aAAY,mBAAmB;AACxC,cAAM,IAAI,MAAM,iDAAiD;AAAA,MAClE;AACA,YAAM,KAAK,aAAa;AACxB,UAAI,IAAI,EAAG,OAAM,IAAI,QAAQ,SAAO,WAAW,KAAK,MAAM,CAAC,CAAC;AAAA,IAC7D;AAEA,QAAI,CAAC,KAAK,MAAO,OAAM,IAAI,MAAM,mDAAmD;AAGpF,UAAM,UAAU,KAAK,QAAQ,QAAQ,QAAQ,QAAQ,EAAE;AACvD,UAAM,UAAU,KAAK,QAAQ,QAAQ,EAAE;AACvC,UAAM,MAAM,GAAG,OAAO,IAAI,OAAO;AAEjC,WAAO,MAAM,KAAK;AAAA,MACjB,GAAG;AAAA,MACH,SAAS;AAAA,QACR,GAAI,KAAK,QAAQ,WAAW,UAAU,KAAK,QAAQ,WAAW,QAAQ,KAAK,KAAK,IAAI,EAAE,eAAe,UAAU,KAAK,MAAM,WAAW,GAAG;AAAA,QACxI,GAAG,SAAS;AAAA,MACb;AAAA,IACD,CAAC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,eAA8B;AAC3C,SAAK,QAAQ,MAAM,KAAK,QAAQ,WAAW,OAAO,SAAS,KAAK,QAAQ,WAAW,KAAK;AAAA,EACzF;AACD;;;ACrIA,gCAAyB;AACzB,0BAAoB;AAuCb,IAAM,qBAAN,MAAM,oBAA8C;AAAA,EACnD,YAAmB,SAAoC;AAApC;AAAA,EAAqC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAO/D,OAAc,UAA8B;AAC3C,UAAM,WAAW,oBAAAA,QAAQ,IAAI;AAC7B,WAAO,IAAI,oBAAmB,WAAW,EAAE,SAAS,IAAI,CAAC,CAAC;AAAA,EAC3D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAa,SAAS,OAAqF;AAC1G,QAAI;AACH,YAAM,WAAW,KAAK,QAAQ,YAAa,MAAM,oBAAmB,mBAAmB;AACvF,YAAM,SAAS,MAAM,KAAK,YAAY,OAAO,QAAQ;AACrD,aAAO,KAAK,eAAe,OAAO,MAAM;AAAA,IACzC,SAAS,OAAO;AACf,YAAM,IAAI,MAAM,wBAAyB,MAAgB,OAAO,EAAE;AAAA,IACnE;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAc,YAAY,OAAe,UAA+D;AACvG,WAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACvC,UAAI;AACH;AAAA,UACC;AAAA,UACA,CAAC,WAAW,oBAAoB,YAAY,QAAQ,cAAc,MAAM,QAAQ,YAAY,EAAE,GAAG,YAAY,QAAQ;AAAA,UACrH,EAAE,KAAK,oBAAAA,QAAQ,IAAI,GAAG,OAAO,MAAM,SAAS,IAAO;AAAA,UACnD,CAAC,OAAO,QAAQ,WAAW;AAC1B,kBAAM,EAAE,cAAc,kBAAkB,IAAI,oBAAmB,mBAAmB,MAAM;AACxF,gBAAI,mBAAmB;AACtB,qBAAO,IAAI,MAAM,qCAAqC,CAAC;AACvD;AAAA,YACD;AACA,gBAAI,cAAc;AACjB,qBAAO,IAAI,MAAM,2BAA2B,CAAC;AAC7C;AAAA,YACD;AACA,gBAAI,OAAO;AACV,qBAAO,IAAI,MAAM,wBAAwB,MAAM,OAAO,EAAE,CAAC;AACzD;AAAA,YACD;AACA,oBAAQ,EAAE,QAAQ,OAAO,CAAC;AAAA,UAC3B;AAAA,QACD;AAAA,MACD,SAAS,OAAO;AACf,eAAO,KAAc;AAAA,MACtB;AAAA,IACD,CAAC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,aAAqB,qBAAsC;AAC1D,WAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACvC,8CAAS,MAAM,CAAC,WAAW,QAAQ,WAAW,YAAY,YAAY,KAAK,GAAG,EAAE,KAAK,oBAAAA,QAAQ,IAAI,GAAG,OAAO,MAAM,SAAS,IAAO,GAAG,CAAC,OAAO,QAAQ,WAAW;AAC9J,cAAM,EAAE,cAAc,kBAAkB,IAAI,oBAAmB,mBAAmB,MAAM;AACxF,YAAI,mBAAmB;AACtB,iBAAO,IAAI,MAAM,qCAAqC,CAAC;AACvD;AAAA,QACD;AACA,YAAI,cAAc;AACjB,iBAAO,IAAI,MAAM,2BAA2B,CAAC;AAC7C;AAAA,QACD;AACA,YAAI,OAAO;AACV,iBAAO,IAAI,MAAM,qDAAqD,MAAM,EAAE,CAAC;AAC/E;AAAA,QACD;AACA,cAAM,WAAW,OAAO,KAAK;AAC7B,YAAI,CAAC,UAAU;AACd,iBAAO,IAAI,MAAM,mDAAmD,CAAC;AACrE;AAAA,QACD;AACA,gBAAQ,QAAQ;AAAA,MACjB,CAAC;AAAA,IACF,CAAC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,eAAe,QAA6E;AACnG,UAAM,WAAW,KAAK,MAAM,MAAM;AAClC,UAAM,QAAQ,SAAS;AACvB,UAAM,qBAAqB,OAAO,SAAS,SAAS,YAAY,EAAE,IAAI;AACtE,QAAI,CAAC,OAAO,MAAM,kBAAkB,GAAG;AACtC,aAAO;AAAA,QACN,aAAa;AAAA,QACb,WAAW,IAAI,KAAK,kBAAkB;AAAA,QACtC,WAAW,SAAS;AAAA,MACrB;AAAA,IACD;AACA,WAAO;AAAA,MACN,aAAa;AAAA,MACb,WAAW,IAAI,KAAK,SAAS,SAAS;AAAA,MACtC,WAAW,SAAS;AAAA,IACrB;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,OAAe,mBAAmB,QAAuE;AACxG,UAAM,gBAAgB,OAAO,MAAM,0BAA0B;AAC7D,UAAM,eAAe,OAAO,MAAM,kBAAkB,KAAK,CAAC;AAC1D,UAAM,oBAAoB,OAAO,MAAM,kBAAkB,KAAK,OAAO,WAAW,wBAAwB;AACxG,WAAO;AAAA,MACN,cAAc,QAAQ,YAAY;AAAA,MAClC,mBAAmB,QAAQ,iBAAiB;AAAA,IAC7C;AAAA,EACD;AACD;;;ACvKO,IAAe,kBAAf,MAA+B;AAOtC;;;ACKO,IAAM,4BAAN,MAAM,2BAAqD;AAAA;AAAA;AAAA;AAAA,EAI1D,YAAmB,UAA4C,CAAC,GAAG;AAAhD;AAAA,EAAiD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQ3E,MAAa,SAAS,OAAe;AACpC,UAAM,WAAW,KAAK,QAAQ,oBAAoB;AAClD,UAAM,aAAa;AACnB,UAAM,SAAS,IAAI,gBAAgB;AACnC,WAAO,IAAI,eAAe,UAAU;AACpC,WAAO,IAAI,YAAY,MAAM,QAAQ,YAAY,EAAE,CAAC;AACpD,QAAI,KAAK,QAAQ,UAAU;AAC1B,aAAO,IAAI,aAAa,KAAK,QAAQ,QAAQ;AAAA,IAC9C;AAEA,UAAM,MAAM,GAAG,QAAQ,IAAI,OAAO,SAAS,CAAC;AAC5C,UAAM,UAAU,EAAE,UAAU,OAAO;AAGnC,UAAM,YAAY,KAAK,QAAQ,aAAa;AAC5C,UAAM,aAAa,IAAI,gBAAgB;AAGvC,UAAM,iBAAiB,IAAI,QAAe,CAAC,GAAG,WAAW;AACxD,iBAAW,MAAM;AAChB,mBAAW,MAAM;AACjB,eAAO,IAAI,MAAM,8CAA8C,SAAS,qCAAqC,GAAG,GAAG,CAAC;AAAA,MACrH,GAAG,SAAS;AAAA,IACb,CAAC;AAED,QAAI;AACJ,QAAI;AACH,iBAAW,MAAM,QAAQ,KAAK,CAAC,MAAM,KAAK,EAAE,SAAS,QAAQ,WAAW,OAAO,CAAC,GAAG,cAAc,CAAC;AAAA,IACnG,SAAS,KAAU;AAClB,UAAI,IAAI,SAAS,gBAAgB,YAAY,KAAK,IAAI,OAAO,GAAG;AAC/D,cAAM,IAAI,MAAM,8CAA8C,SAAS,qCAAqC,GAAG,GAAG;AAAA,MACnH;AACA,YAAM;AAAA,IACP;AAEA,QAAI,CAAC,SAAS,IAAI;AACjB,YAAM,IAAI,MAAM,mDAAmD,MAAM,SAAS,KAAK,CAAC,EAAE;AAAA,IAC3F;AAEA,UAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,WAAO;AAAA,MACN,aAAa,KAAK;AAAA,MAClB,UAAU,KAAK;AAAA,MACf,WAAW,IAAI,KAAK,KAAK,aAAa,OAAO,KAAK,UAAU,IAAI,MAAO,KAAK,IAAI,IAAI,KAAK,KAAK,GAAI;AAAA;AAAA,MAClG,WAAW,KAAK;AAAA,IACjB;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,OAAc,UAAU;AACvB,WAAO,IAAI,2BAA0B;AAAA,MACpC,kBAAkB,QAAQ,IAAI,mCAAmC,QAAQ,IAAI;AAAA,MAC7E,UAAU,QAAQ,IAAI;AAAA,MACtB,WAAW,QAAQ,IAAI,oCAAoC,OAAO,SAAS,QAAQ,IAAI,iCAAiC,IAAI;AAAA,IAC7H,CAAC;AAAA,EACF;AACD;;;AChGA,sBAAgC;AA8CzB,IAAM,6BAAN,MAAM,4BAAsD;AAAA;AAAA;AAAA;AAAA,EAI3D,YAAmB,SAA2C;AAA3C;AAAA,EAA4C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQtE,MAAa,SAAS,OAAe;AACpC,QAAI,CAAC,KAAK,QAAQ,aAAc,OAAM,IAAI,MAAM,gEAAgE;AAGhH,UAAM,MAAM,CAAC,KAAK,QAAQ,eAAe,QAAQ,OAAO,EAAE,KAAK,qCAAqC,GAAG,KAAK,QAAQ,QAAQ,oBAAoB,EAAE,KAAK,GAAG;AAE1J,QAAI;AACH,YAAM,eAAe;AAAA,QACpB,WAAW,KAAK,QAAQ;AAAA,QACxB,YAAY;AAAA,QACZ;AAAA,MACD;AAIA,UAAI,KAAK,QAAQ,WAAW;AAC3B,eAAO,OAAO,cAAc;AAAA,UAC3B,kBAAkB,KAAK,QAAQ;AAAA,UAC/B,uBAAuB;AAAA,QACxB,CAAC;AAAA,MACF,OAAO;AACN,eAAO,OAAO,cAAc;AAAA,UAC3B,eAAe,KAAK,QAAQ;AAAA,QAC7B,CAAC;AAAA,MACF;AACA,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QACjC,QAAQ;AAAA,QACR,SAAS;AAAA,UACR,QAAQ;AAAA,UACR,gBAAgB;AAAA,QACjB;AAAA,QACA,MAAM,IAAI,gCAAgB,YAAY;AAAA,MACvC,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AACjB,cAAM,IAAI,MAAM,wBAAwB,MAAM,SAAS,KAAK,CAAC,EAAE;AAAA,MAChE;AAEA,YAAM,OAAQ,MAAM,SAAS,KAAK;AAElC,aAAO;AAAA,QACN,aAAa,KAAK;AAAA,QAClB,UAAU,KAAK,aAAa,KAAK,QAAQ;AAAA,QACzC,WAAW,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,aAAa,GAAK;AAAA,QACxD,WAAW,KAAK;AAAA,MACjB;AAAA,IACD,SAAS,OAAO;AACf,YAAM,IAAI,MAAM,wBAAyB,MAAgB,KAAK,EAAE;AAAA,IACjE;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,OAAc,UAAU;AACvB,WAAO,IAAI,4BAA2B;AAAA,MACrC,eAAe,QAAQ,IAAI;AAAA,MAC3B,UAAU,QAAQ,IAAI;AAAA,MACtB,cAAc,QAAQ,IAAI;AAAA,MAC1B,UAAU,QAAQ,IAAI;AAAA,MACtB,WAAW,QAAQ,IAAI,6BAA6B;AAAA,IACrD,CAAC;AAAA,EACF;AACD;;;AC/HA,sBAAyB;AAwBlB,IAAM,6BAAN,MAAM,4BAAsD;AAAA;AAAA;AAAA;AAAA,EAI3D,YAAmB,SAA2C;AAA3C;AAAA,EAA4C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQtE,MAAa,SAAS,OAAe;AACpC,QAAI;AACH,YAAM,QAAQ,UAAM,0BAAS,KAAK,QAAQ,oBAAoB,OAAO;AACrE,YAAM,mBAAmB,IAAI,2BAA2B,EAAE,GAAG,KAAK,SAAS,cAAc,OAAO,WAAW,KAAK,CAAC;AAEjH,aAAO,iBAAiB,SAAS,KAAK;AAAA,IACvC,SAAS,KAAK;AACb,UAAK,IAA8B,SAAS,UAAU;AACrD,cAAM,IAAI,MAAM,iEAAiE,KAAK,QAAQ,kBAAkB,EAAE;AAAA,MACnH;AACA,YAAM,IAAI,MAAM,oDAAqD,IAAc,OAAO,EAAE;AAAA,IAC7F;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,OAAc,UAAU;AACvB,WAAO,IAAI,4BAA2B;AAAA,MACrC,eAAe,QAAQ,IAAI;AAAA,MAC3B,UAAU,QAAQ,IAAI;AAAA,MACtB,oBAAoB,QAAQ,IAAI;AAAA,MAChC,UAAU,QAAQ,IAAI;AAAA,IACvB,CAAC;AAAA,EACF;AACD;;;AC7DA,IAAM,kBAAkB,CAAC,4BAA4B,2BAA2B,4BAA4B,kBAAkB;AAQvH,IAAM,oBAAN,MAAmD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOzD,MAAa,SAAS,OAAe;AACpC,UAAM,SAA2C,CAAC;AAClD,UAAM,QAAQ,QAAQ,IAAI,OAAO,SAAS,6BAA6B,KAAK,QAAQ,IAAI,OAAO,SAAS,mBAAmB;AAC3H,eAAW,cAAc,iBAAiB;AACzC,YAAM,QAAQ,uBAAuB,WAAW,IAAI;AACpD,UAAI;AACJ,UAAI,OAAO;AACV,gBAAQ,KAAK,IAAI;AACjB,gBAAQ,IAAI,GAAG,KAAK,cAAc;AAAA,MACnC;AACA,UAAI;AACH,cAAM,SAAS,MAAM,WAAW,QAAQ,EAAE,SAAS,KAAK;AACxD,YAAI,SAAS,UAAU,QAAW;AACjC,gBAAM,KAAK,KAAK,IAAI,IAAI;AACxB,kBAAQ,IAAI,GAAG,KAAK,iBAAiB,EAAE,IAAI;AAAA,QAC5C;AACA,eAAO;AAAA,MACR,SAAS,OAAO;AACf,YAAI,SAAS,UAAU,QAAW;AACjC,gBAAM,KAAK,KAAK,IAAI,IAAI;AACxB,kBAAQ,IAAI,GAAG,KAAK,gBAAgB,EAAE,OAAQ,MAAgB,OAAO,EAAE;AAAA,QACxE;AACA,eAAO,KAAK,EAAE,OAAuB,MAAM,WAAW,KAAK,CAAC;AAAA,MAC7D;AAAA,IACD;AAEA,UAAM,IAAI,MAAM;AAAA,EAAiC,OAAO,IAAI,SAAO,IAAI,IAAI,IAAI,KAAK,IAAI,MAAM,OAAO,EAAE,EAAE,KAAK,IAAI,CAAC,EAAE;AAAA,EACtH;AACD;","names":["process"]}