@ttctl/core 0.0.0 → 0.1.0-rc.1

package/dist/auth.d.ts

@@ -0,0 +1,192 @@
+import type { AuthCredentials } from "./config.js";
+import type { Credentials } from "./types.js";
+export type SignInErrorCode = "INVALID_CREDENTIALS" | "MFA_REQUIRED" | "NETWORK_ERROR" | "UNKNOWN";
+export declare class SignInError extends Error {
+    readonly code: SignInErrorCode;
+    readonly name = "SignInError";
+    constructor(code: SignInErrorCode, message: string, options?: {
+        cause?: unknown;
+    });
+}
+/**
+ * Collapse the polymorphic credentials value into resolved credentials.
+ *
+ * Form A (string) → `op://[account/]vault/item` → resolved via `op` CLI
+ * Form B (object) → literal `{ username, password }` (username is an email
+ *                   per Toptal's `EmailPasswordSignIn` mutation contract;
+ *                   the YAML field is named `username` to match 1Password's
+ *                   USERNAME purpose semantics)
+ *
+ * Returns the internal `Credentials` shape `{ email, password }` — that's
+ * the GraphQL parameter name for the mutation. The username/email
+ * synonymy is documented and load-bearing.
+ */
+export declare function resolveCredentials(auth: AuthCredentials): Credentials;
+/**
+ * Sign in to Toptal Talent via `EmailPasswordSignIn` GraphQL mutation in
+ * persisted-query mode against the mobile gateway and capture the session
+ * token from the response.
+ *
+ * Returns the captured token. The CLI persists it back to the same YAML
+ * config file (under `auth.token`) via `persistAuthToken` so subsequent
+ * invocations can authenticate via `Authorization: Token token=<X>`
+ * without re-signing-in.
+ *
+ * The next authenticated call (e.g. `auth status`) is the de-facto session
+ * verifier — we do NOT issue a redundant Viewer probe inside `signIn` itself.
+ *
+ * See `hq/engineering/adr/ADR-005-auth-model.md` for the cross-surface
+ * auth model and `research/notes/02-auth-and-clients.md` for the empirical
+ * evidence behind it.
+ *
+ * Throws `SignInError("UNKNOWN", ...)` if the gateway reports `success: true`
+ * but does not return a token — that response shape is malformed and the
+ * caller has nothing useful to persist.
+ */
+export declare function signIn(credentials: Credentials): Promise<{
+    token: string;
+}>;
+/**
+ * Result of a session-validity probe. Three terminal shapes:
+ *
+ *   - `valid` — `Viewer` query returned 2xx with an email; the session is
+ *     active and bound to that account.
+ *   - `invalid` — no token persisted, OR the gateway responded with a
+ *     non-2xx status, OR the response payload lacks `viewer.viewerRole.email`.
+ *     `reason` carries a stable machine-readable code so the CLI can pick the
+ *     right user-facing message without re-classifying the failure.
+ *   - `unreachable` — the transport itself rejected (DNS failure, connect
+ *     refused, TLS handshake timeout, etc.); the gateway was never reached.
+ *     This is distinguished from `invalid` so the CLI can exit 2 (transient,
+ *     retryable) rather than 1 (auth problem, action required).
+ */
+export type AuthStatusResult = {
+    status: "valid";
+    email: string;
+} | {
+    status: "invalid";
+    reason: AuthInvalidReason;
+} | {
+    status: "unreachable";
+    reason: string;
+};
+export type AuthInvalidReason = "no-session" | "session-expired" | "no-email-in-response" | "unexpected-status";
+/**
+ * Probe whether the persisted session token is currently valid.
+ *
+ * Issues a minimal full-doc `Viewer` query against the mobile gateway,
+ * authenticated with `Authorization: Token token=<X>`. The cataloged
+ * persisted `Viewer` query in `research/graphql/gateway/operations/mobile/Viewer.graphql`
+ * does not return `viewerRole.email`, so we can't use APQ here — see
+ * `VIEWER_VERIFY_QUERY` doc.
+ *
+ * Pass `null` (or an empty string) when no token has been persisted yet;
+ * the function short-circuits to `invalid/no-session` without touching the
+ * network. CLI consumers pass `config.auth.token ?? null` from the
+ * already-loaded `TtctlConfig` (no separate token file to read).
+ *
+ * Never throws on auth or network failure; classifies into the three
+ * `AuthStatusResult` shapes so CLI consumers can map cleanly to exit codes
+ * and output messages without re-parsing exceptions.
+ */
+export declare function getAuthStatus(token: string | null): Promise<AuthStatusResult>;
+/**
+ * Stable machine-readable reason codes returned alongside `SignOutResult`'s
+ * `invalid` and `unreachable` branches. The CLI / E2E teardown render
+ * user-facing messages from these — keep the code stable, fold UX shifts
+ * into the renderer.
+ */
+export type SignOutInvalidReason = "no-session" | "session-expired" | "graphql-auth-error";
+export type SignOutUnreachableReason = {
+    kind: "transport";
+    reason: string;
+} | {
+    kind: "http-status";
+    status: number;
+} | {
+    kind: "graphql-error";
+    message: string;
+} | {
+    kind: "payload-missing";
+} | {
+    kind: "success-false";
+};
+/**
+ * Result of a `signOut(token)` call. Three terminal shapes mirror
+ * `AuthStatusResult`'s discriminator so call-sites can pattern-match
+ * uniformly:
+ *
+ *   - `logged-out` — talent-profile responded 2xx and
+ *     `data.logOut.success === true`. The `LogOut` mutation flow on the
+ *     `talent_profile/graphql` surface completed; the server acknowledged
+ *     the signal. **This status name is deliberate** — see the
+ *     "Bearer-invalidation scope" note below. The status does NOT claim
+ *     the captured bearer was revoked for downstream mobile-gateway
+ *     traffic; empirical evidence (issue #180 live discovery, 2026-05-12)
+ *     shows it is NOT. The status only claims the LogOut mutation itself
+ *     was processed.
+ *   - `invalid` — the bearer was ALREADY invalid (401/403 or a GraphQL
+ *     auth-revoke code). Functionally equivalent to "already revoked" from
+ *     the security standpoint — the caller's intent (kill the bearer) is
+ *     satisfied. CLI / teardown should still proceed to clear the local copy.
+ *   - `unreachable` — could not reach the server or could not confirm
+ *     mutation processing. The LogOut signal was not delivered. Caller
+ *     MUST fall through to local clear (per CLI UX recommendation) and
+ *     rely on the 24-72h aging-out as the load-bearing revocation defense.
+ *
+ * **Bearer-invalidation scope** (empirical, 2026-05-12; investigation
+ * captured in `.tmp/180-delayed-probe-report.json`): The `LogOut` mutation
+ * on `talent_profile/graphql` succeeds (`data.logOut.success === true`)
+ * but does NOT propagate to bearer invalidation for subsequent
+ * `mobile-gateway` calls. Probed across t=0/30/60/180/300s; the bearer
+ * remained `{ status: "valid" }` against `getAuthStatus` for the entire
+ * 5-minute window. The 24-72h natural aging-out (documented in CLAUDE.md
+ * § Auth Model) is the load-bearing revocation defense. `signOut()` is
+ * defense-in-depth: audit log + web-session/cookie cleanup on the
+ * talent_profile side + forward-compatible call site if Toptal ever wires
+ * up server-side bearer revocation.
+ *
+ * Never throws — every failure is classified into one of the three shapes.
+ * This matches `getAuthStatus`'s contract so the call-sites that branch on
+ * `result.status` look the same on both paths.
+ */
+export type SignOutResult = {
+    status: "logged-out";
+} | {
+    status: "invalid";
+    reason: SignOutInvalidReason;
+} | {
+    status: "unreachable";
+    reason: SignOutUnreachableReason;
+};
+/**
+ * Issue the `LogOut` mutation server-side against the Cloudflare-protected
+ * `talent_profile/graphql` surface (defense-in-depth audit-log signal +
+ * web-session/cookie cleanup; does NOT revoke the captured bearer for
+ * downstream mobile-gateway calls per empirical scope — see CLAUDE.md §
+ * Auth Model and the `SignOutResult` type docblock above). Authenticates
+ * with `Authorization: Token token=<X>` (same bearer that `signIn`
+ * captured — see ADR-005).
+ *
+ * Pass `null` or an empty string when there's no token to log out; the
+ * function short-circuits to `invalid/no-session` without touching the
+ * network. CLI / teardown call sites that already check for token absence
+ * before invoking this are still safe — the defensive short-circuit just
+ * removes one decision from the call site.
+ *
+ * **Never throws.** Every transport, HTTP, GraphQL-level, or wire-shape
+ * failure is classified into one of the three `SignOutResult` shapes so
+ * call sites can branch on `result.status` without try/catch. The CLI
+ * `runAuthSignOut` and `runGlobalTeardown` rely on this contract to keep
+ * the local-clear path unconditional (the bearer aging out in 24-72h is
+ * the second-line defense if server-side revocation cannot be confirmed).
+ *
+ * Schema/contract status: the operation document and `LogOutPayload` field
+ * shapes are INFERRED — `Unknown` in the SDL. The live wire format is
+ * verified by `packages/e2e/src/97-auth-signout-server-side.e2e.test.ts`
+ * (TTCTL_E2E=1 gate). If the live response surfaces fields not yet
+ * declared here, expand the inline `LogOutPayload` interface — codegen
+ * wiring would produce `unknown`-typed fields and is not currently useful.
+ */
+export declare function signOut(token: string | null): Promise<SignOutResult>;
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAKnD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAsD9C,MAAM,MAAM,eAAe,GAAG,qBAAqB,GAAG,cAAc,GAAG,eAAe,GAAG,SAAS,CAAC;AAEnG,qBAAa,WAAY,SAAQ,KAAK;aAGlB,IAAI,EAAE,eAAe;IAFvC,SAAkB,IAAI,iBAAiB;gBAErB,IAAI,EAAE,eAAe,EACrC,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE;CAIhC;AA+BD;;;;;;;;;;;;GAYG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,eAAe,GAAG,WAAW,CAKrE;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,MAAM,CAAC,WAAW,EAAE,WAAW,GAAG,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC,CAcjF;AA4CD;;;;;;;;;;;;;GAaG;AACH,MAAM,MAAM,gBAAgB,GACxB;IAAE,MAAM,EAAE,OAAO,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GAClC;IAAE,MAAM,EAAE,SAAS,CAAC;IAAC,MAAM,EAAE,iBAAiB,CAAA;CAAE,GAChD;IAAE,MAAM,EAAE,aAAa,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAE9C,MAAM,MAAM,iBAAiB,GACzB,YAAY,GACZ,iBAAiB,GACjB,sBAAsB,GACtB,mBAAmB,CAAC;AAExB;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAgCnF;AAED;;;;;GAKG;AACH,MAAM,MAAM,oBAAoB,GAC5B,YAAY,GACZ,iBAAiB,GACjB,oBAAoB,CAAC;AAEzB,MAAM,MAAM,wBAAwB,GAChC;IAAE,IAAI,EAAE,WAAW,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GACrC;IAAE,IAAI,EAAE,aAAa,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GACvC;IAAE,IAAI,EAAE,eAAe,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GAC1C;IAAE,IAAI,EAAE,iBAAiB,CAAA;CAAE,GAC3B;IAAE,IAAI,EAAE,eAAe,CAAA;CAAE,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,MAAM,MAAM,aAAa,GACrB;IAAE,MAAM,EAAE,YAAY,CAAA;CAAE,GACxB;IAAE,MAAM,EAAE,SAAS,CAAC;IAAC,MAAM,EAAE,oBAAoB,CAAA;CAAE,GACnD;IAAE,MAAM,EAAE,aAAa,CAAC;IAAC,MAAM,EAAE,wBAAwB,CAAA;CAAE,CAAC;AAwBhE;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,wBAAsB,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,CAiE1E"}

package/dist/auth.js

@@ -0,0 +1,294 @@
+// SPDX-License-Identifier: AGPL-3.0-only
+// Copyright (C) 2026 Oleksii PELYKH
+import { resolveOnePasswordReference } from "./onepassword.js";
+import { isAuthRevokedExtensionCode } from "./services/profile/shared.js";
+import { impersonatedTransport, stockTransport } from "./transport.js";
+/**
+ * Persisted-query SHA-256 hash for the `EmailPasswordSignIn` mutation. Sourced
+ * from `research/graphql/derived/operations/gateway-mobile.json` (operation extracted from the mobile
+ * APK at `jadx/sources/fn/t3.java`). Hardcoded because the synthesized SDL has
+ * no client-side queries to feed Apollo APQ codegen — operations live in the
+ * research workspace, not in this repo. Re-extract and bump if the gateway
+ * starts rejecting this hash; track via the operation extraction strategy
+ * (see `research/notes` ADR-004).
+ */
+const EMAIL_PASSWORD_SIGNIN_HASH = "bd8e859a9f0a5c462ceb2ac736648068fa5bcdd874a8a49a460824dd0c5aef51";
+/**
+ * Minimal full-doc Viewer query used to verify a session is live and bound to
+ * the expected user. The cataloged persisted `Viewer` query does not return
+ * `viewerRole.email`, so we cannot use APQ here. The mobile gateway accepts
+ * full-doc queries for non-mutation traffic, which is why this works without
+ * a published persisted hash.
+ */
+const VIEWER_VERIFY_QUERY = "query ViewerVerify { viewer { id viewerRole { email } } }";
+/**
+ * Full-document `LogOut` mutation string. Mirrors
+ * `research/graphql/talent_profile/operations/LogOut.graphql` exactly — the
+ * talent_profile surface does not publish a persisted-query catalog, so
+ * every operation is sent as a full document (same pattern as
+ * `UPDATE_BASIC_INFO_MUTATION` in `services/profile/basic/index.ts`).
+ *
+ * Wire format: `{ operationName: "LogOut", query, variables: { input: {} } }`
+ * — `LogOutInput` is Pattern 7 (trivial empty input, per
+ * `research/notes/10-mutation-input-patterns.md`).
+ *
+ * Schema/contract status: INFERRED. `LogOutPayload` fields are typed as
+ * `Unknown` in the synthesized SDL — the actual wire shape is observed only
+ * via the live integration test in `packages/e2e/src/97-auth-signout-
+ * server-side.e2e.test.ts`. The selection set here is what the bundle-
+ * extracted document selects; if a future capture reveals additional
+ * fields the live API returns, expand the inline `LogOutPayload` interface
+ * (no codegen wiring needed — `Unknown` would map to `unknown` and provide
+ * no narrowing).
+ */
+const LOG_OUT_MUTATION = `mutation LogOut($input: LogOutInput!) {
+  logOut(input: $input) {
+    returnTo
+    errors {
+      key
+      message
+    }
+    notice
+    success
+  }
+}`;
+export class SignInError extends Error {
+    code;
+    name = "SignInError";
+    constructor(code, message, options) {
+        super(message, options);
+        this.code = code;
+    }
+}
+/**
+ * Collapse the polymorphic credentials value into resolved credentials.
+ *
+ * Form A (string) → `op://[account/]vault/item` → resolved via `op` CLI
+ * Form B (object) → literal `{ username, password }` (username is an email
+ *                   per Toptal's `EmailPasswordSignIn` mutation contract;
+ *                   the YAML field is named `username` to match 1Password's
+ *                   USERNAME purpose semantics)
+ *
+ * Returns the internal `Credentials` shape `{ email, password }` — that's
+ * the GraphQL parameter name for the mutation. The username/email
+ * synonymy is documented and load-bearing.
+ */
+export function resolveCredentials(auth) {
+    if (typeof auth === "string") {
+        return resolveOnePasswordReference(auth);
+    }
+    return { email: auth.username, password: auth.password };
+}
+/**
+ * Sign in to Toptal Talent via `EmailPasswordSignIn` GraphQL mutation in
+ * persisted-query mode against the mobile gateway and capture the session
+ * token from the response.
+ *
+ * Returns the captured token. The CLI persists it back to the same YAML
+ * config file (under `auth.token`) via `persistAuthToken` so subsequent
+ * invocations can authenticate via `Authorization: Token token=<X>`
+ * without re-signing-in.
+ *
+ * The next authenticated call (e.g. `auth status`) is the de-facto session
+ * verifier — we do NOT issue a redundant Viewer probe inside `signIn` itself.
+ *
+ * See `hq/engineering/adr/ADR-005-auth-model.md` for the cross-surface
+ * auth model and `research/notes/02-auth-and-clients.md` for the empirical
+ * evidence behind it.
+ *
+ * Throws `SignInError("UNKNOWN", ...)` if the gateway reports `success: true`
+ * but does not return a token — that response shape is malformed and the
+ * caller has nothing useful to persist.
+ */
+export async function signIn(credentials) {
+    const signInResponse = await postSignIn(credentials);
+    const payload = extractPayload(signInResponse.body);
+    if (!payload?.success) {
+        throw mapSignInError(payload);
+    }
+    const token = payload.token;
+    if (typeof token !== "string" || token === "") {
+        throw new SignInError("UNKNOWN", "Sign-in succeeded but no token was returned");
+    }
+    return { token };
+}
+async function postSignIn(credentials) {
+    try {
+        return await stockTransport({
+            surface: "mobile-gateway",
+            body: {
+                operationName: "EmailPasswordSignIn",
+                variables: { email: credentials.email, password: credentials.password },
+                extensions: {
+                    persistedQuery: { version: 1, sha256Hash: EMAIL_PASSWORD_SIGNIN_HASH },
+                },
+            },
+        });
+    }
+    catch (err) {
+        throw new SignInError("NETWORK_ERROR", `Sign-in request failed: ${err.message}`, { cause: err });
+    }
+}
+function extractPayload(body) {
+    if (!body || typeof body !== "object")
+        return null;
+    const response = body;
+    return response.data?.auth?.signIn ?? null;
+}
+function mapSignInError(payload) {
+    if (!payload) {
+        return new SignInError("UNKNOWN", "Sign-in failed: empty or malformed response body");
+    }
+    const errors = payload.errors ?? [];
+    for (const err of errors) {
+        const code = (err.code ?? "").toUpperCase();
+        if (code === "INVALID_CREDENTIALS" || code === "INVALID_EMAIL_OR_PASSWORD") {
+            return new SignInError("INVALID_CREDENTIALS", err.message ?? "Invalid email or password");
+        }
+        if (code === "MFA_REQUIRED" || code === "OTP_REQUIRED" || code === "TWO_FACTOR_REQUIRED") {
+            return new SignInError("MFA_REQUIRED", err.message ?? "Multi-factor authentication required");
+        }
+    }
+    const first = errors[0];
+    const message = first?.message ?? "Sign-in failed for an unknown reason";
+    return new SignInError("UNKNOWN", message);
+}
+/**
+ * Probe whether the persisted session token is currently valid.
+ *
+ * Issues a minimal full-doc `Viewer` query against the mobile gateway,
+ * authenticated with `Authorization: Token token=<X>`. The cataloged
+ * persisted `Viewer` query in `research/graphql/gateway/operations/mobile/Viewer.graphql`
+ * does not return `viewerRole.email`, so we can't use APQ here — see
+ * `VIEWER_VERIFY_QUERY` doc.
+ *
+ * Pass `null` (or an empty string) when no token has been persisted yet;
+ * the function short-circuits to `invalid/no-session` without touching the
+ * network. CLI consumers pass `config.auth.token ?? null` from the
+ * already-loaded `TtctlConfig` (no separate token file to read).
+ *
+ * Never throws on auth or network failure; classifies into the three
+ * `AuthStatusResult` shapes so CLI consumers can map cleanly to exit codes
+ * and output messages without re-parsing exceptions.
+ */
+export async function getAuthStatus(token) {
+    if (token === null || token === "") {
+        return { status: "invalid", reason: "no-session" };
+    }
+    let res;
+    try {
+        res = await stockTransport({
+            surface: "mobile-gateway",
+            authToken: token,
+            body: {
+                operationName: "ViewerVerify",
+                query: VIEWER_VERIFY_QUERY,
+            },
+        });
+    }
+    catch (err) {
+        return { status: "unreachable", reason: err.message };
+    }
+    if (res.status === 401 || res.status === 403) {
+        return { status: "invalid", reason: "session-expired" };
+    }
+    if (res.status < 200 || res.status >= 300) {
+        return { status: "invalid", reason: "unexpected-status" };
+    }
+    const body = res.body;
+    const email = body?.data?.viewer?.viewerRole?.email;
+    if (!email) {
+        return { status: "invalid", reason: "no-email-in-response" };
+    }
+    return { status: "valid", email };
+}
+/**
+ * Issue the `LogOut` mutation server-side against the Cloudflare-protected
+ * `talent_profile/graphql` surface (defense-in-depth audit-log signal +
+ * web-session/cookie cleanup; does NOT revoke the captured bearer for
+ * downstream mobile-gateway calls per empirical scope — see CLAUDE.md §
+ * Auth Model and the `SignOutResult` type docblock above). Authenticates
+ * with `Authorization: Token token=<X>` (same bearer that `signIn`
+ * captured — see ADR-005).
+ *
+ * Pass `null` or an empty string when there's no token to log out; the
+ * function short-circuits to `invalid/no-session` without touching the
+ * network. CLI / teardown call sites that already check for token absence
+ * before invoking this are still safe — the defensive short-circuit just
+ * removes one decision from the call site.
+ *
+ * **Never throws.** Every transport, HTTP, GraphQL-level, or wire-shape
+ * failure is classified into one of the three `SignOutResult` shapes so
+ * call sites can branch on `result.status` without try/catch. The CLI
+ * `runAuthSignOut` and `runGlobalTeardown` rely on this contract to keep
+ * the local-clear path unconditional (the bearer aging out in 24-72h is
+ * the second-line defense if server-side revocation cannot be confirmed).
+ *
+ * Schema/contract status: the operation document and `LogOutPayload` field
+ * shapes are INFERRED — `Unknown` in the SDL. The live wire format is
+ * verified by `packages/e2e/src/97-auth-signout-server-side.e2e.test.ts`
+ * (TTCTL_E2E=1 gate). If the live response surfaces fields not yet
+ * declared here, expand the inline `LogOutPayload` interface — codegen
+ * wiring would produce `unknown`-typed fields and is not currently useful.
+ */
+export async function signOut(token) {
+    if (token === null || token === "") {
+        return { status: "invalid", reason: "no-session" };
+    }
+    let res;
+    try {
+        res = await impersonatedTransport({
+            surface: "talent-profile",
+            authToken: token,
+            body: {
+                operationName: "LogOut",
+                query: LOG_OUT_MUTATION,
+                variables: { input: {} },
+            },
+        });
+    }
+    catch (err) {
+        return {
+            status: "unreachable",
+            reason: { kind: "transport", reason: err.message },
+        };
+    }
+    if (res.status === 401 || res.status === 403) {
+        return { status: "invalid", reason: "session-expired" };
+    }
+    if (res.status < 200 || res.status >= 300) {
+        return {
+            status: "unreachable",
+            reason: { kind: "http-status", status: res.status },
+        };
+    }
+    const body = res.body;
+    // Top-level GraphQL errors[] — talent_profile surface conventionally
+    // surfaces auth-revoke states here (UNAUTHENTICATED / UNAUTHORIZED /
+    // AUTHENTICATION_REQUIRED). Treat those as "bearer already invalid"
+    // (the user's intent is satisfied); any other top-level error is
+    // unreachable (we cannot confirm revocation).
+    if (body && Array.isArray(body.errors) && body.errors.length > 0) {
+        const first = body.errors[0];
+        if (isAuthRevokedExtensionCode(first?.extensions?.code)) {
+            return { status: "invalid", reason: "graphql-auth-error" };
+        }
+        return {
+            status: "unreachable",
+            reason: { kind: "graphql-error", message: first?.message ?? "GraphQL error" },
+        };
+    }
+    const payload = body?.data?.logOut;
+    if (!payload) {
+        return { status: "unreachable", reason: { kind: "payload-missing" } };
+    }
+    if (payload.success === true) {
+        return { status: "logged-out" };
+    }
+    // success: false / null / undefined — server received the mutation but
+    // did not acknowledge the LogOut flow as processed. We don't know whether
+    // the LogOut signal was actually delivered to the audit log / session
+    // store; classify as unreachable so callers fall through to local clear.
+    return { status: "unreachable", reason: { kind: "success-false" } };
+}
+//# sourceMappingURL=auth.js.map

package/dist/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,oCAAoC;AAGpC,OAAO,EAAE,2BAA2B,EAAE,MAAM,kBAAkB,CAAC;AAC/D,OAAO,EAAE,0BAA0B,EAAE,MAAM,8BAA8B,CAAC;AAC1E,OAAO,EAAE,qBAAqB,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAIvE;;;;;;;;GAQG;AACH,MAAM,0BAA0B,GAAG,kEAAkE,CAAC;AAEtG;;;;;;GAMG;AACH,MAAM,mBAAmB,GAAG,2DAA2D,CAAC;AAExF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,gBAAgB,GAAG;;;;;;;;;;EAUvB,CAAC;AAIH,MAAM,OAAO,WAAY,SAAQ,KAAK;IAGlB;IAFA,IAAI,GAAG,aAAa,CAAC;IACvC,YACkB,IAAqB,EACrC,OAAe,EACf,OAA6B;QAE7B,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAJR,SAAI,GAAJ,IAAI,CAAiB;IAKvC,CAAC;CACF;AA+BD;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,kBAAkB,CAAC,IAAqB;IACtD,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,OAAO,2BAA2B,CAAC,IAAI,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC;AAC3D,CAAC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,KAAK,UAAU,MAAM,CAAC,WAAwB;IACnD,MAAM,cAAc,GAAG,MAAM,UAAU,CAAC,WAAW,CAAC,CAAC;IAErD,MAAM,OAAO,GAAG,cAAc,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;IACpD,IAAI,CAAC,OAAO,EAAE,OAAO,EAAE,CAAC;QACtB,MAAM,cAAc,CAAC,OAAO,CAAC,CAAC;IAChC,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAC5B,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,EAAE,EAAE,CAAC;QAC9C,MAAM,IAAI,WAAW,CAAC,SAAS,EAAE,6CAA6C,CAAC,CAAC;IAClF,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,WAAwB;IAChD,IAAI,CAAC;QACH,OAAO,MAAM,cAAc,CAAC;YAC1B,OAAO,EAAE,gBAAgB;YACzB,IAAI,EAAE;gBACJ,aAAa,EAAE,qBAAqB;gBACpC,SAAS,EAAE,EAAE,KAAK,EAAE,WAAW,CAAC,KAAK,EAAE,QAAQ,EAAE,WAAW,CAAC,QAAQ,EAAE;gBACvE,UAAU,EAAE;oBACV,cAAc,EAAE,EAAE,OAAO,EAAE,CAAC,EAAE,UAAU,EAAE,0BAA0B,EAAE;iBACvE;aACF;SACF,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,WAAW,CAAC,eAAe,EAAE,2BAA4B,GAAa,CAAC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;IAC9G,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,IAAa;IACnC,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACnD,MAAM,QAAQ,GAAG,IAAsB,CAAC;IACxC,OAAO,QAAQ,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,IAAI,IAAI,CAAC;AAC7C,CAAC;AAED,SAAS,cAAc,CAAC,OAA6B;IACnD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,IAAI,WAAW,CAAC,SAAS,EAAE,kDAAkD,CAAC,CAAC;IACxF,CAAC;IACD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC;IACpC,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QAC5C,IAAI,IAAI,KAAK,qBAAqB,IAAI,IAAI,KAAK,2BAA2B,EAAE,CAAC;YAC3E,OAAO,IAAI,WAAW,CAAC,qBAAqB,EAAE,GAAG,CAAC,OAAO,IAAI,2BAA2B,CAAC,CAAC;QAC5F,CAAC;QACD,IAAI,IAAI,KAAK,cAAc,IAAI,IAAI,KAAK,cAAc,IAAI,IAAI,KAAK,qBAAqB,EAAE,CAAC;YACzF,OAAO,IAAI,WAAW,CAAC,cAAc,EAAE,GAAG,CAAC,OAAO,IAAI,sCAAsC,CAAC,CAAC;QAChG,CAAC;IACH,CAAC;IACD,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IACxB,MAAM,OAAO,GAAG,KAAK,EAAE,OAAO,IAAI,sCAAsC,CAAC;IACzE,OAAO,IAAI,WAAW,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;AAC7C,CAAC;AA2BD;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,KAAoB;IACtD,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,EAAE,EAAE,CAAC;QACnC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC;IACrD,CAAC;IAED,IAAI,GAAsB,CAAC;IAC3B,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,cAAc,CAAC;YACzB,OAAO,EAAE,gBAAgB;YACzB,SAAS,EAAE,KAAK;YAChB,IAAI,EAAE;gBACJ,aAAa,EAAE,cAAc;gBAC7B,KAAK,EAAE,mBAAmB;aAC3B;SACF,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC;IACnE,CAAC;IAED,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC7C,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IAC1D,CAAC;IACD,IAAI,GAAG,CAAC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;QAC1C,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC;IAC5D,CAAC;IAED,MAAM,IAAI,GAAG,GAAG,CAAC,IAA6B,CAAC;IAC/C,MAAM,KAAK,GAAG,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,CAAC;IACpD,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;IAC/D,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AACpC,CAAC;AAsFD;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,KAAoB;IAChD,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,EAAE,EAAE,CAAC;QACnC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC;IACrD,CAAC;IAED,IAAI,GAAsB,CAAC;IAC3B,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,qBAAqB,CAAC;YAChC,OAAO,EAAE,gBAAgB;YACzB,SAAS,EAAE,KAAK;YAChB,IAAI,EAAE;gBACJ,aAAa,EAAE,QAAQ;gBACvB,KAAK,EAAE,gBAAgB;gBACvB,SAAS,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE;aACzB;SACF,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,MAAM,EAAE,aAAa;YACrB,MAAM,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,EAAG,GAAa,CAAC,OAAO,EAAE;SAC9D,CAAC;IACJ,CAAC;IAED,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC7C,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IAC1D,CAAC;IACD,IAAI,GAAG,CAAC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;QAC1C,OAAO;YACL,MAAM,EAAE,aAAa;YACrB,MAAM,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE;SACpD,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,GAAG,CAAC,IAA6B,CAAC;IAE/C,qEAAqE;IACrE,qEAAqE;IACrE,oEAAoE;IACpE,iEAAiE;IACjE,8CAA8C;IAC9C,IAAI,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjE,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC7B,IAAI,0BAA0B,CAAC,KAAK,EAAE,UAAU,EAAE,IAAI,CAAC,EAAE,CAAC;YACxD,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC;QAC7D,CAAC;QACD,OAAO;YACL,MAAM,EAAE,aAAa;YACrB,MAAM,EAAE,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,IAAI,eAAe,EAAE;SAC9E,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,EAAE,IAAI,EAAE,MAAM,CAAC;IACnC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,iBAAiB,EAAE,EAAE,CAAC;IACxE,CAAC;IAED,IAAI,OAAO,CAAC,OAAO,KAAK,IAAI,EAAE,CAAC;QAC7B,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC;IAClC,CAAC;IAED,uEAAuE;IACvE,0EAA0E;IAC1E,sEAAsE;IACtE,yEAAyE;IACzE,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,eAAe,EAAE,EAAE,CAAC;AACtE,CAAC"}