@testany/hephos 0.3.18 → 0.4.0-dev.4

package/README.md

@@ -34,6 +34,35 @@ agent-chatter
 agent-chatter config-example
 ```
 
+## Authentication
+
+Login to HephOS cloud to access team sync and cloud features:
+
+```bash
+# Login via CLI command
+hephos --login cn   # Login to CN region (authing.cn)
+hephos --login us   # Login to US region (us.authing.co)
+
+# Check authentication status
+hephos --auth-status
+
+# Logout
+hephos --logout     # Logout from active region
+hephos --logout cn  # Logout from specific region
+```
+
+Or use REPL commands:
+
+```bash
+hephos              # Start REPL
+/login cn           # Login to CN region
+/login us           # Login to US region
+/login status       # Check auth status
+/login logout       # Logout
+```
+
+Tokens are cached at `~/.agent-chatter/auth/token-cache.json` with 0600 permissions.
+
 ## Features
 
 - Multi-agent conversation orchestration

package/out/auth/AuthConfig.d.ts

@@ -0,0 +1,54 @@
+/**
+ * Authentication configuration for US and CN regions
+ */
+import type { AuthRegion, AuthEnvironment } from './types.js';
+/** Region-specific configuration */
+export interface RegionConfig {
+    /** Authing application host URL */
+    appHost: string;
+    /** Authing application ID (audience for JWT) */
+    appId: string;
+    /** HephOS backend API base URLs by environment */
+    apiBaseUrls: Record<AuthEnvironment, string>;
+    /** Display name for UI */
+    displayName: string;
+}
+/** Authentication configuration by region */
+export declare const AUTH_CONFIG: Record<AuthRegion, RegionConfig>;
+/** OAuth redirect URI - fixed localhost port */
+export declare const REDIRECT_URI = "http://127.0.0.1:8400/callback";
+/** Callback server port */
+export declare const CALLBACK_PORT = 8400;
+/** OAuth scopes required for login */
+export declare const SCOPES = "openid profile email offline_access";
+/** Login timeout in milliseconds (5 minutes) */
+export declare const LOGIN_TIMEOUT_MS: number;
+/** Token refresh threshold - refresh when less than 5 minutes remaining */
+export declare const REFRESH_THRESHOLD_MS: number;
+/** Token cache file version */
+export declare const TOKEN_CACHE_VERSION = 1;
+/** Default environment */
+export declare const DEFAULT_ENVIRONMENT: AuthEnvironment;
+/**
+ * Get OIDC endpoints for a region
+ */
+export declare function getOIDCEndpoints(region: AuthRegion): {
+    authorization: string;
+    token: string;
+    userInfo: string;
+    logout: string;
+    jwks: string;
+};
+/**
+ * Validate region string
+ */
+export declare function isValidRegion(region: string): region is AuthRegion;
+/**
+ * Validate environment string
+ */
+export declare function isValidEnvironment(env: string): env is AuthEnvironment;
+/**
+ * Resolve API base URL by region/environment
+ */
+export declare function getApiBaseUrl(region: AuthRegion, env: AuthEnvironment): string;
+//# sourceMappingURL=AuthConfig.d.ts.map

package/out/auth/AuthConfig.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthConfig.d.ts","sourceRoot":"","sources":["../../src/auth/AuthConfig.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAE9D,oCAAoC;AACpC,MAAM,WAAW,YAAY;IAC3B,mCAAmC;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,gDAAgD;IAChD,KAAK,EAAE,MAAM,CAAC;IACd,kDAAkD;IAClD,WAAW,EAAE,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAC7C,0BAA0B;IAC1B,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,6CAA6C;AAC7C,eAAO,MAAM,WAAW,EAAE,MAAM,CAAC,UAAU,EAAE,YAAY,CAmB/C,CAAC;AAEX,gDAAgD;AAChD,eAAO,MAAM,YAAY,mCAAmC,CAAC;AAE7D,2BAA2B;AAC3B,eAAO,MAAM,aAAa,OAAO,CAAC;AAElC,sCAAsC;AACtC,eAAO,MAAM,MAAM,wCAAwC,CAAC;AAE5D,gDAAgD;AAChD,eAAO,MAAM,gBAAgB,QAAgB,CAAC;AAE9C,2EAA2E;AAC3E,eAAO,MAAM,oBAAoB,QAAgB,CAAC;AAElD,+BAA+B;AAC/B,eAAO,MAAM,mBAAmB,IAAI,CAAC;AAErC,0BAA0B;AAC1B,eAAO,MAAM,mBAAmB,EAAE,eAAwB,CAAC;AAE3D;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,UAAU;;;;;;EASlD;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,IAAI,UAAU,CAElE;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,IAAI,eAAe,CAEtE;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,UAAU,EAAE,GAAG,EAAE,eAAe,GAAG,MAAM,CAE9E"}

package/out/auth/AuthConfig.js

@@ -0,0 +1,70 @@
+/**
+ * Authentication configuration for US and CN regions
+ */
+/** Authentication configuration by region */
+export const AUTH_CONFIG = {
+    cn: {
+        appHost: 'https://hephos-cn.authing.cn',
+        appId: '69452ae6e3adaa39789bf1a2',
+        apiBaseUrls: {
+            prod: 'https://api-cn.hephos.testany.com.cn',
+            staging: 'https://api-cn-staging.hephos.testany.com.cn',
+        },
+        displayName: 'CN (China)',
+    },
+    us: {
+        appHost: 'https://hephos-us.us.authing.co',
+        appId: '6948c9d11aa104ecec25d599',
+        apiBaseUrls: {
+            prod: 'https://api.hephos.ai',
+            staging: 'https://api-staging.hephos.ai',
+        },
+        displayName: 'US (International)',
+    },
+};
+/** OAuth redirect URI - fixed localhost port */
+export const REDIRECT_URI = 'http://127.0.0.1:8400/callback';
+/** Callback server port */
+export const CALLBACK_PORT = 8400;
+/** OAuth scopes required for login */
+export const SCOPES = 'openid profile email offline_access';
+/** Login timeout in milliseconds (5 minutes) */
+export const LOGIN_TIMEOUT_MS = 5 * 60 * 1000;
+/** Token refresh threshold - refresh when less than 5 minutes remaining */
+export const REFRESH_THRESHOLD_MS = 5 * 60 * 1000;
+/** Token cache file version */
+export const TOKEN_CACHE_VERSION = 1;
+/** Default environment */
+export const DEFAULT_ENVIRONMENT = 'prod';
+/**
+ * Get OIDC endpoints for a region
+ */
+export function getOIDCEndpoints(region) {
+    const { appHost } = AUTH_CONFIG[region];
+    return {
+        authorization: `${appHost}/oidc/auth`,
+        token: `${appHost}/oidc/token`,
+        userInfo: `${appHost}/oidc/me`,
+        logout: `${appHost}/oidc/session/end`,
+        jwks: `${appHost}/oidc/.well-known/jwks.json`,
+    };
+}
+/**
+ * Validate region string
+ */
+export function isValidRegion(region) {
+    return region === 'cn' || region === 'us';
+}
+/**
+ * Validate environment string
+ */
+export function isValidEnvironment(env) {
+    return env === 'prod' || env === 'staging';
+}
+/**
+ * Resolve API base URL by region/environment
+ */
+export function getApiBaseUrl(region, env) {
+    return AUTH_CONFIG[region].apiBaseUrls[env];
+}
+//# sourceMappingURL=AuthConfig.js.map

package/out/auth/AuthConfig.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthConfig.js","sourceRoot":"","sources":["../../src/auth/AuthConfig.ts"],"names":[],"mappings":"AAAA;;GAEG;AAgBH,6CAA6C;AAC7C,MAAM,CAAC,MAAM,WAAW,GAAqC;IAC3D,EAAE,EAAE;QACF,OAAO,EAAE,8BAA8B;QACvC,KAAK,EAAE,0BAA0B;QACjC,WAAW,EAAE;YACX,IAAI,EAAE,sCAAsC;YAC5C,OAAO,EAAE,8CAA8C;SACxD;QACD,WAAW,EAAE,YAAY;KAC1B;IACD,EAAE,EAAE;QACF,OAAO,EAAE,iCAAiC;QAC1C,KAAK,EAAE,0BAA0B;QACjC,WAAW,EAAE;YACX,IAAI,EAAE,uBAAuB;YAC7B,OAAO,EAAE,+BAA+B;SACzC;QACD,WAAW,EAAE,oBAAoB;KAClC;CACO,CAAC;AAEX,gDAAgD;AAChD,MAAM,CAAC,MAAM,YAAY,GAAG,gCAAgC,CAAC;AAE7D,2BAA2B;AAC3B,MAAM,CAAC,MAAM,aAAa,GAAG,IAAI,CAAC;AAElC,sCAAsC;AACtC,MAAM,CAAC,MAAM,MAAM,GAAG,qCAAqC,CAAC;AAE5D,gDAAgD;AAChD,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAE9C,2EAA2E;AAC3E,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAElD,+BAA+B;AAC/B,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC;AAErC,0BAA0B;AAC1B,MAAM,CAAC,MAAM,mBAAmB,GAAoB,MAAM,CAAC;AAE3D;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAkB;IACjD,MAAM,EAAE,OAAO,EAAE,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;IACxC,OAAO;QACL,aAAa,EAAE,GAAG,OAAO,YAAY;QACrC,KAAK,EAAE,GAAG,OAAO,aAAa;QAC9B,QAAQ,EAAE,GAAG,OAAO,UAAU;QAC9B,MAAM,EAAE,GAAG,OAAO,mBAAmB;QACrC,IAAI,EAAE,GAAG,OAAO,6BAA6B;KAC9C,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,MAAc;IAC1C,OAAO,MAAM,KAAK,IAAI,IAAI,MAAM,KAAK,IAAI,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAW;IAC5C,OAAO,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,SAAS,CAAC;AAC7C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,MAAkB,EAAE,GAAoB;IACpE,OAAO,WAAW,CAAC,MAAM,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;AAC9C,CAAC"}

package/out/auth/AuthService.d.ts

@@ -0,0 +1,74 @@
+/**
+ * Authentication service implementing PKCE OAuth flow with Authing
+ */
+import type { AuthRegion, AuthEnvironment, AuthUrlResult, TokenSet, UserInfo, LoginResult } from './types.js';
+export declare class AuthService {
+    private region;
+    private environment;
+    private endpoints;
+    private config;
+    private apiBaseUrl;
+    constructor(region: AuthRegion, environment?: AuthEnvironment);
+    /**
+     * Generate PKCE parameters (code_verifier, code_challenge, state)
+     */
+    private generatePKCE;
+    /**
+     * Build authorization URL with PKCE
+     */
+    buildAuthUrl(): AuthUrlResult;
+    /**
+     * Exchange authorization code for tokens
+     */
+    exchangeCodeForTokens(code: string, verifier: string): Promise<TokenSet>;
+    /**
+     * Refresh tokens using refresh_token
+     */
+    refreshTokens(refreshToken: string): Promise<TokenSet>;
+    /**
+     * Get user info from Authing userInfo endpoint
+     */
+    getUserInfo(accessToken: string): Promise<UserInfo>;
+    /**
+     * Sync user with HephOS backend
+     */
+    syncUser(accessToken: string): Promise<void>;
+    /**
+     * Open browser for login
+     */
+    private openBrowser;
+    /**
+     * Complete login flow
+     */
+    login(): Promise<LoginResult>;
+    /**
+     * Logout - clear tokens and optionally call logout endpoint
+     * For CLI, we just clear local tokens. Browser session cleanup at Authing is optional.
+     */
+    logout(): Promise<void>;
+    /**
+     * Refresh token if needed
+     */
+    refreshIfNeeded(): Promise<boolean>;
+    /**
+     * Get valid access token (refreshing if needed)
+     */
+    getValidAccessToken(): Promise<string | null>;
+    /**
+     * Check if user is logged in
+     */
+    isLoggedIn(): boolean;
+    /**
+     * Get current user info (from cache)
+     */
+    getCurrentUser(): UserInfo | null;
+}
+/**
+ * Create auth service for a region
+ */
+export declare function createAuthService(region: AuthRegion, environment?: AuthEnvironment): AuthService;
+/**
+ * Mask sensitive token for logging
+ */
+export declare function maskToken(token: string): string;
+//# sourceMappingURL=AuthService.d.ts.map

package/out/auth/AuthService.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthService.d.ts","sourceRoot":"","sources":["../../src/auth/AuthService.ts"],"names":[],"mappings":"AAAA;;GAEG;AAeH,OAAO,KAAK,EACV,UAAU,EACV,eAAe,EAEf,aAAa,EACb,QAAQ,EACR,QAAQ,EACR,WAAW,EACZ,MAAM,YAAY,CAAC;AAEpB,qBAAa,WAAW;IACtB,OAAO,CAAC,MAAM,CAAa;IAC3B,OAAO,CAAC,WAAW,CAAkB;IACrC,OAAO,CAAC,SAAS,CAAsC;IACvD,OAAO,CAAC,MAAM,CAAiC;IAC/C,OAAO,CAAC,UAAU,CAAS;gBAEf,MAAM,EAAE,UAAU,EAAE,WAAW,GAAE,eAAqC;IAQlF;;OAEG;IACH,OAAO,CAAC,YAAY;IAkBpB;;OAEG;IACH,YAAY,IAAI,aAAa;IAuB7B;;OAEG;IACG,qBAAqB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IA+B9E;;OAEG;IACG,aAAa,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAyB5D;;OAEG;IACG,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAiBzD;;OAEG;IACG,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAuBlD;;OAEG;YACW,WAAW;IAYzB;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,WAAW,CAAC;IA4DnC;;;OAGG;IACG,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;IAM7B;;OAEG;IACG,eAAe,IAAI,OAAO,CAAC,OAAO,CAAC;IAqBzC;;OAEG;IACG,mBAAmB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAQnD;;OAEG;IACH,UAAU,IAAI,OAAO;IAIrB;;OAEG;IACH,cAAc,IAAI,QAAQ,GAAG,IAAI;CAGlC;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,UAAU,EAAE,WAAW,GAAE,eAAqC,GAAG,WAAW,CAErH;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAG/C"}

package/out/auth/AuthService.js

@@ -0,0 +1,275 @@
+/**
+ * Authentication service implementing PKCE OAuth flow with Authing
+ */
+import * as crypto from 'crypto';
+import open from 'open';
+import { AUTH_CONFIG, REDIRECT_URI, SCOPES, getOIDCEndpoints, getApiBaseUrl, DEFAULT_ENVIRONMENT, } from './AuthConfig.js';
+import { startCallbackServer } from './CallbackServer.js';
+import { tokenCache } from './TokenCache.js';
+import { AuthError } from './types.js';
+export class AuthService {
+    region;
+    environment;
+    endpoints;
+    config;
+    apiBaseUrl;
+    constructor(region, environment = DEFAULT_ENVIRONMENT) {
+        this.region = region;
+        this.environment = environment;
+        this.endpoints = getOIDCEndpoints(region);
+        this.config = AUTH_CONFIG[region];
+        this.apiBaseUrl = getApiBaseUrl(region, environment);
+    }
+    /**
+     * Generate PKCE parameters (code_verifier, code_challenge, state)
+     */
+    generatePKCE() {
+        // Generate code_verifier: 64 bytes of random data as hex (128 chars)
+        const verifier = crypto.randomBytes(64).toString('hex');
+        // Generate code_challenge: SHA-256 of verifier, base64url encoded
+        const hash = crypto.createHash('sha256').update(verifier).digest();
+        const challenge = hash
+            .toString('base64')
+            .replace(/\+/g, '-')
+            .replace(/\//g, '_')
+            .replace(/=/g, '');
+        // Generate state: 16 bytes of random data as hex (32 chars)
+        const state = crypto.randomBytes(16).toString('hex');
+        return { verifier, challenge, state };
+    }
+    /**
+     * Build authorization URL with PKCE
+     */
+    buildAuthUrl() {
+        const pkce = this.generatePKCE();
+        const params = new URLSearchParams({
+            client_id: this.config.appId,
+            redirect_uri: REDIRECT_URI,
+            response_type: 'code',
+            scope: SCOPES,
+            code_challenge: pkce.challenge,
+            code_challenge_method: 'S256',
+            state: pkce.state,
+            prompt: 'consent', // Required to get refresh_token with offline_access scope
+        });
+        const url = `${this.endpoints.authorization}?${params.toString()}`;
+        return {
+            url,
+            state: pkce.state,
+            verifier: pkce.verifier,
+        };
+    }
+    /**
+     * Exchange authorization code for tokens
+     */
+    async exchangeCodeForTokens(code, verifier) {
+        const body = new URLSearchParams({
+            grant_type: 'authorization_code',
+            client_id: this.config.appId,
+            code,
+            redirect_uri: REDIRECT_URI,
+            code_verifier: verifier,
+        });
+        const response = await fetch(this.endpoints.token, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+            },
+            body: body.toString(),
+        });
+        if (!response.ok) {
+            const errorData = await response.json().catch(() => ({}));
+            const errorMessage = errorData.error_description
+                || errorData.error
+                || 'Token exchange failed';
+            throw new AuthError('AUTH_TOKEN_EXCHANGE_FAILED', `Failed to exchange code for tokens: ${errorMessage}`);
+        }
+        return await response.json();
+    }
+    /**
+     * Refresh tokens using refresh_token
+     */
+    async refreshTokens(refreshToken) {
+        const body = new URLSearchParams({
+            grant_type: 'refresh_token',
+            client_id: this.config.appId,
+            refresh_token: refreshToken,
+        });
+        const response = await fetch(this.endpoints.token, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+            },
+            body: body.toString(),
+        });
+        if (!response.ok) {
+            throw new AuthError('AUTH_REFRESH_FAILED', 'Failed to refresh token. Please login again.');
+        }
+        return await response.json();
+    }
+    /**
+     * Get user info from Authing userInfo endpoint
+     */
+    async getUserInfo(accessToken) {
+        const response = await fetch(this.endpoints.userInfo, {
+            headers: {
+                Authorization: `Bearer ${accessToken}`,
+            },
+        });
+        if (!response.ok) {
+            throw new AuthError('AUTH_TOKEN_EXCHANGE_FAILED', 'Failed to fetch user info');
+        }
+        return await response.json();
+    }
+    /**
+     * Sync user with HephOS backend
+     */
+    async syncUser(accessToken) {
+        const response = await fetch(`${this.apiBaseUrl}/users/sync`, {
+            method: 'POST',
+            headers: {
+                'Authorization': `Bearer ${accessToken}`,
+                'Content-Type': 'application/json',
+            },
+            body: '{}',
+        });
+        if (!response.ok) {
+            // 404 means user hasn't completed onboarding on web
+            if (response.status === 404) {
+                throw new AuthError('AUTH_USER_SYNC_FAILED', 'User not found. Please complete onboarding on the HephOS website first.');
+            }
+            // Other errors - warn but don't block
+            console.warn(`Warning: User sync failed (${response.status}), but login succeeded.`);
+        }
+    }
+    /**
+     * Open browser for login
+     */
+    async openBrowser(url) {
+        try {
+            await open(url);
+        }
+        catch {
+            // Browser failed to open - user will need to manually open URL
+            throw new AuthError('AUTH_BROWSER_FAILED', `Failed to open browser. Please visit this URL manually:\n${url}`);
+        }
+    }
+    /**
+     * Complete login flow
+     */
+    async login() {
+        // Build auth URL with PKCE
+        const { url, state, verifier } = this.buildAuthUrl();
+        // Start callback server
+        const callbackPromise = startCallbackServer();
+        // Open browser (with fallback message)
+        let browserError = null;
+        try {
+            await this.openBrowser(url);
+        }
+        catch (err) {
+            if (err instanceof AuthError) {
+                browserError = err;
+            }
+        }
+        // If browser failed, show URL but continue waiting for callback
+        if (browserError) {
+            console.log(`\nPlease open this URL in your browser:\n${url}\n`);
+        }
+        // Wait for callback
+        const callback = await callbackPromise;
+        // Validate state
+        if (callback.state !== state) {
+            throw new AuthError('AUTH_STATE_MISMATCH', 'Security validation failed. Please try again.');
+        }
+        // Exchange code for tokens
+        const tokens = await this.exchangeCodeForTokens(callback.code, verifier);
+        // Get user info
+        const userInfo = await this.getUserInfo(tokens.access_token);
+        // Save tokens to cache
+        tokenCache.save(this.region, tokens, userInfo, this.environment);
+        // Try to sync user (non-blocking)
+        try {
+            await this.syncUser(tokens.access_token);
+        }
+        catch (err) {
+            if (err instanceof AuthError && err.code === 'AUTH_USER_SYNC_FAILED') {
+                console.warn(`\nWarning: ${err.message}`);
+            }
+            // Continue - token is saved, user can retry sync later
+        }
+        return {
+            tokens,
+            userInfo,
+            region: this.region,
+            environment: this.environment,
+        };
+    }
+    /**
+     * Logout - clear tokens and optionally call logout endpoint
+     * For CLI, we just clear local tokens. Browser session cleanup at Authing is optional.
+     */
+    async logout() {
+        tokenCache.clear(this.region);
+        // Note: We don't open browser to Authing logout endpoint for CLI.
+        // Local token cleanup is sufficient. User can manually logout from Authing if needed.
+    }
+    /**
+     * Refresh token if needed
+     */
+    async refreshIfNeeded() {
+        if (!tokenCache.needsRefresh(this.region)) {
+            return false;
+        }
+        const refreshToken = tokenCache.getRefreshToken(this.region);
+        if (!refreshToken) {
+            return false;
+        }
+        try {
+            const tokens = await this.refreshTokens(refreshToken);
+            const userInfo = await this.getUserInfo(tokens.access_token);
+            tokenCache.save(this.region, tokens, userInfo, this.environment);
+            return true;
+        }
+        catch {
+            // Refresh failed - token will expire and user will need to re-login
+            return false;
+        }
+    }
+    /**
+     * Get valid access token (refreshing if needed)
+     */
+    async getValidAccessToken() {
+        // Try to refresh if needed
+        await this.refreshIfNeeded();
+        // Return token if valid
+        return tokenCache.getAccessToken(this.region);
+    }
+    /**
+     * Check if user is logged in
+     */
+    isLoggedIn() {
+        return tokenCache.isValid(this.region);
+    }
+    /**
+     * Get current user info (from cache)
+     */
+    getCurrentUser() {
+        return tokenCache.getUserInfo(this.region);
+    }
+}
+/**
+ * Create auth service for a region
+ */
+export function createAuthService(region, environment = DEFAULT_ENVIRONMENT) {
+    return new AuthService(region, environment);
+}
+/**
+ * Mask sensitive token for logging
+ */
+export function maskToken(token) {
+    if (token.length <= 10)
+        return '***';
+    return `${token.slice(0, 5)}...${token.slice(-5)}`;
+}
+//# sourceMappingURL=AuthService.js.map

package/out/auth/AuthService.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthService.js","sourceRoot":"","sources":["../../src/auth/AuthService.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AACjC,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EACL,WAAW,EACX,YAAY,EACZ,MAAM,EACN,gBAAgB,EAChB,aAAa,EACb,mBAAmB,GACpB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAWvC,MAAM,OAAO,WAAW;IACd,MAAM,CAAa;IACnB,WAAW,CAAkB;IAC7B,SAAS,CAAsC;IAC/C,MAAM,CAAiC;IACvC,UAAU,CAAS;IAE3B,YAAY,MAAkB,EAAE,cAA+B,mBAAmB;QAChF,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,SAAS,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;QAC1C,IAAI,CAAC,MAAM,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;QAClC,IAAI,CAAC,UAAU,GAAG,aAAa,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IACvD,CAAC;IAED;;OAEG;IACK,YAAY;QAClB,qEAAqE;QACrE,MAAM,QAAQ,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAExD,kEAAkE;QAClE,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,EAAE,CAAC;QACnE,MAAM,SAAS,GAAG,IAAI;aACnB,QAAQ,CAAC,QAAQ,CAAC;aAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;aACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;aACnB,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QAErB,4DAA4D;QAC5D,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAErD,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,YAAY;QACV,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QAEjC,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK;YAC5B,YAAY,EAAE,YAAY;YAC1B,aAAa,EAAE,MAAM;YACrB,KAAK,EAAE,MAAM;YACb,cAAc,EAAE,IAAI,CAAC,SAAS;YAC9B,qBAAqB,EAAE,MAAM;YAC7B,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,MAAM,EAAE,SAAS,EAAE,0DAA0D;SAC9E,CAAC,CAAC;QAEH,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,aAAa,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;QAEnE,OAAO;YACL,GAAG;YACH,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,qBAAqB,CAAC,IAAY,EAAE,QAAgB;QACxD,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;YAC/B,UAAU,EAAE,oBAAoB;YAChC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK;YAC5B,IAAI;YACJ,YAAY,EAAE,YAAY;YAC1B,aAAa,EAAE,QAAQ;SACxB,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;YACjD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;aACpD;YACD,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;SACtB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YAC1D,MAAM,YAAY,GAAI,SAA4C,CAAC,iBAAiB;mBAC9E,SAAgC,CAAC,KAAK;mBACvC,uBAAuB,CAAC;YAC7B,MAAM,IAAI,SAAS,CACjB,4BAA4B,EAC5B,uCAAuC,YAAY,EAAE,CACtD,CAAC;QACJ,CAAC;QAED,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAc,CAAC;IAC3C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,YAAoB;QACtC,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;YAC/B,UAAU,EAAE,eAAe;YAC3B,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK;YAC5B,aAAa,EAAE,YAAY;SAC5B,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;YACjD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;aACpD;YACD,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;SACtB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,SAAS,CACjB,qBAAqB,EACrB,8CAA8C,CAC/C,CAAC;QACJ,CAAC;QAED,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAc,CAAC;IAC3C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW,CAAC,WAAmB;QACnC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE;YACpD,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,WAAW,EAAE;aACvC;SACF,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,SAAS,CACjB,4BAA4B,EAC5B,2BAA2B,CAC5B,CAAC;QACJ,CAAC;QAED,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAc,CAAC;IAC3C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,QAAQ,CAAC,WAAmB;QAChC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,UAAU,aAAa,EAAE;YAC5D,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,eAAe,EAAE,UAAU,WAAW,EAAE;gBACxC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI;SACX,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,oDAAoD;YACpD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,SAAS,CACjB,uBAAuB,EACvB,yEAAyE,CAC1E,CAAC;YACJ,CAAC;YACD,sCAAsC;YACtC,OAAO,CAAC,IAAI,CAAC,8BAA8B,QAAQ,CAAC,MAAM,yBAAyB,CAAC,CAAC;QACvF,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,WAAW,CAAC,GAAW;QACnC,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,GAAG,CAAC,CAAC;QAClB,CAAC;QAAC,MAAM,CAAC;YACP,+DAA+D;YAC/D,MAAM,IAAI,SAAS,CACjB,qBAAqB,EACrB,4DAA4D,GAAG,EAAE,CAClE,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,KAAK;QACT,2BAA2B;QAC3B,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QAErD,wBAAwB;QACxB,MAAM,eAAe,GAAG,mBAAmB,EAAE,CAAC;QAE9C,uCAAuC;QACvC,IAAI,YAAY,GAAqB,IAAI,CAAC;QAC1C,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QAC9B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,SAAS,EAAE,CAAC;gBAC7B,YAAY,GAAG,GAAG,CAAC;YACrB,CAAC;QACH,CAAC;QAED,gEAAgE;QAChE,IAAI,YAAY,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CAAC,4CAA4C,GAAG,IAAI,CAAC,CAAC;QACnE,CAAC;QAED,oBAAoB;QACpB,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC;QAEvC,iBAAiB;QACjB,IAAI,QAAQ,CAAC,KAAK,KAAK,KAAK,EAAE,CAAC;YAC7B,MAAM,IAAI,SAAS,CACjB,qBAAqB,EACrB,+CAA+C,CAChD,CAAC;QACJ,CAAC;QAED,2BAA2B;QAC3B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QAEzE,gBAAgB;QAChB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QAE7D,uBAAuB;QACvB,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;QAEjE,kCAAkC;QAClC,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QAC3C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,SAAS,IAAI,GAAG,CAAC,IAAI,KAAK,uBAAuB,EAAE,CAAC;gBACrE,OAAO,CAAC,IAAI,CAAC,cAAc,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YAC5C,CAAC;YACD,uDAAuD;QACzD,CAAC;QAED,OAAO;YACL,MAAM;YACN,QAAQ;YACR,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,WAAW,EAAE,IAAI,CAAC,WAAW;SAC9B,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,MAAM;QACV,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC9B,kEAAkE;QAClE,sFAAsF;IACxF,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe;QACnB,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YAC1C,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,YAAY,GAAG,UAAU,CAAC,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC7D,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC;YACtD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;YAC7D,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;YACjE,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,oEAAoE;YACpE,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,mBAAmB;QACvB,2BAA2B;QAC3B,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAE7B,wBAAwB;QACxB,OAAO,UAAU,CAAC,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAChD,CAAC;IAED;;OAEG;IACH,UAAU;QACR,OAAO,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;IAED;;OAEG;IACH,cAAc;QACZ,OAAO,UAAU,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC7C,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAkB,EAAE,cAA+B,mBAAmB;IACtG,OAAO,IAAI,WAAW,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;AAC9C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,IAAI,KAAK,CAAC,MAAM,IAAI,EAAE;QAAE,OAAO,KAAK,CAAC;IACrC,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AACrD,CAAC"}

package/out/auth/CallbackServer.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Local HTTP server to receive OAuth callback
+ * Listens on 127.0.0.1:8400 for security (localhost only)
+ */
+import type { CallbackResult } from './types.js';
+/**
+ * Start a local HTTP server to receive OAuth callback
+ * Returns a promise that resolves with the authorization code and state
+ */
+export declare function startCallbackServer(): Promise<CallbackResult>;
+/**
+ * Check if port is available
+ */
+export declare function isPortAvailable(port?: number): Promise<boolean>;
+//# sourceMappingURL=CallbackServer.d.ts.map

package/out/auth/CallbackServer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"CallbackServer.d.ts","sourceRoot":"","sources":["../../src/auth/CallbackServer.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAMH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAkLjD;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,CAAC,cAAc,CAAC,CAoG7D;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,IAAI,GAAE,MAAsB,GAAG,OAAO,CAAC,OAAO,CAAC,CAY9E"}