@uipath/auth 1.0.4 → 1.195.0

package/dist/index.js

@@ -728,6 +728,7 @@ var init_open = __esm(() => {
 });
 
 // ../filesystem/src/node.ts
+import { randomUUID } from "node:crypto";
 import { existsSync } from "node:fs";
 import * as fs6 from "node:fs/promises";
 import * as os2 from "node:os";
@@ -809,6 +810,90 @@ class NodeFileSystem {
   async mkdir(dirPath) {
     await fs6.mkdir(dirPath, { recursive: true });
   }
+  async acquireLock(lockPath) {
+    const canonicalPath = await this.canonicalizeLockTarget(lockPath);
+    const lockFile = `${canonicalPath}.lock`;
+    const ownerId = randomUUID();
+    const start = Date.now();
+    while (true) {
+      try {
+        await fs6.writeFile(lockFile, ownerId, { flag: "wx" });
+        return this.createLockRelease(lockFile, ownerId);
+      } catch (error) {
+        if (!this.hasErrnoCode(error, "EEXIST")) {
+          throw error;
+        }
+        const stats = await fs6.stat(lockFile).catch(() => null);
+        if (stats && Date.now() - stats.mtimeMs > LOCK_STALE_MS) {
+          const reclaimed = await fs6.rm(lockFile, { force: true }).then(() => true).catch(() => false);
+          if (reclaimed)
+            continue;
+        }
+        if (Date.now() - start > LOCK_MAX_WAIT_MS) {
+          throw new Error(`ELOCKED: timed out waiting for lock on ${canonicalPath}`);
+        }
+        await new Promise((resolve2) => setTimeout(resolve2, LOCK_RETRY_MIN_MS + Math.random() * LOCK_RETRY_JITTER_MS));
+      }
+    }
+  }
+  async canonicalizeLockTarget(lockPath) {
+    const absolute = path2.resolve(lockPath);
+    const fullReal = await fs6.realpath(absolute).catch(() => null);
+    if (fullReal)
+      return fullReal;
+    const parent = path2.dirname(absolute);
+    const base = path2.basename(absolute);
+    const canonicalParent = await fs6.realpath(parent).catch(() => parent);
+    return path2.join(canonicalParent, base);
+  }
+  createLockRelease(lockFile, ownerId) {
+    const heartbeatStart = Date.now();
+    let heartbeatTimer;
+    let stopped = false;
+    const stopHeartbeat = () => {
+      stopped = true;
+      if (heartbeatTimer)
+        clearTimeout(heartbeatTimer);
+    };
+    const scheduleNextHeartbeat = () => {
+      if (stopped)
+        return;
+      if (Date.now() - heartbeatStart >= LOCK_MAX_HOLD_MS) {
+        stopped = true;
+        return;
+      }
+      heartbeatTimer = setTimeout(() => {
+        runHeartbeat();
+      }, LOCK_HEARTBEAT_MS);
+      heartbeatTimer.unref?.();
+    };
+    const runHeartbeat = async () => {
+      if (stopped)
+        return;
+      const current = await fs6.readFile(lockFile, "utf-8").catch(() => null);
+      if (stopped)
+        return;
+      if (current !== ownerId) {
+        stopped = true;
+        return;
+      }
+      const now = Date.now() / 1000;
+      await fs6.utimes(lockFile, now, now).catch(() => {});
+      scheduleNextHeartbeat();
+    };
+    scheduleNextHeartbeat();
+    let released = false;
+    return async () => {
+      if (released)
+        return;
+      released = true;
+      stopHeartbeat();
+      const current = await fs6.readFile(lockFile, "utf-8").catch(() => null);
+      if (current === ownerId) {
+        await fs6.rm(lockFile, { force: true });
+      }
+    };
+  }
   async rm(filePath) {
     await fs6.rm(filePath, { recursive: true, force: true });
   }
@@ -854,16 +939,18 @@ class NodeFileSystem {
     }
   }
   isEnoent(error) {
-    return typeof error === "object" && error !== null && "code" in error && error.code === "ENOENT";
+    return this.hasErrnoCode(error, "ENOENT");
+  }
+  hasErrnoCode(error, code) {
+    return typeof error === "object" && error !== null && "code" in error && error.code === code;
   }
 }
+var LOCK_HEARTBEAT_MS = 5000, LOCK_STALE_MS = 15000, LOCK_MAX_WAIT_MS = 20000, LOCK_MAX_HOLD_MS = 60000, LOCK_RETRY_MIN_MS = 100, LOCK_RETRY_JITTER_MS = 200;
 var init_node = __esm(() => {
   init_open();
 });
 // ../filesystem/src/index.ts
-var fsInstance, getFileSystem = () => {
-  return fsInstance;
-};
+var fsInstance, getFileSystem = () => fsInstance;
 var init_src = __esm(() => {
   init_node();
   init_node();
@@ -872,7 +959,7 @@ var init_src = __esm(() => {
 
 // ../../node_modules/@uipath/coreipc/index.js
 var require_coreipc = __commonJS((exports, module) => {
-  var __dirname = "/Users/alexandru.oltean/github/cli/node_modules/@uipath/coreipc";
+  var __dirname = "/home/runner/work/cli/cli/node_modules/@uipath/coreipc";
   /*! For license information please see index.js.LICENSE.txt */
   (function(e, t) {
     typeof exports == "object" && typeof module == "object" ? module.exports = t() : typeof define == "function" && define.amd ? define([], t) : typeof exports == "object" ? exports.ipc = t() : e.ipc = t();
@@ -19065,81 +19152,6 @@ var require_dist = __commonJS((exports) => {
   __exportStar(require_agent(), exports);
 });
 
-// src/strategies/browser-strategy.ts
-var exports_browser_strategy = {};
-__export(exports_browser_strategy, {
-  BrowserAuthStrategy: () => BrowserAuthStrategy
-});
-
-class BrowserAuthStrategy {
-  async execute(url, _redirectUri, expectedState) {
-    const global2 = getGlobalThis();
-    if (!global2?.window) {
-      throw new Error("Browser environment required for authentication");
-    }
-    const screenWidth = global2.window.screen?.width ?? 1024;
-    const screenHeight = global2.window.screen?.height ?? 768;
-    const width = 600;
-    const height = 700;
-    const left = screenWidth / 2 - width / 2;
-    const top = screenHeight / 2 - height / 2;
-    if (!global2.window.open) {
-      throw new Error("window.open is not available");
-    }
-    const popupResult = global2.window.open(url, "uip_auth", `width=${width},height=${height},left=${left},top=${top},resizable=yes,scrollbars=yes,status=yes`);
-    const popup = popupResult;
-    if (!popup) {
-      throw new Error(`Authentication popup was blocked by your browser.
-
-` + `To continue:
-` + `1. Look for a popup blocker icon in your address bar
-` + `2. Allow popups for this site
-` + `3. Try logging in again
-
-` + "If using an ad blocker, you may need to temporarily disable it.");
-    }
-    return new Promise((resolve2, reject) => {
-      const messageHandler = (event) => {
-        if (event.data?.type === "UIP_AUTH_CODE" && event.data.code) {
-          if (event.data.state !== expectedState) {
-            cleanup();
-            reject(new Error("OAuth state mismatch — the callback state does not match the expected value. " + "This may indicate a CSRF attack. Please try signing in again."));
-            popup.close();
-            return;
-          }
-          cleanup();
-          resolve2(event.data.code);
-          popup.close();
-        } else if (event.data?.type === "UIP_AUTH_ERROR") {
-          cleanup();
-          const errorMsg = event.data.error || "Authentication failed";
-          reject(new Error(`Authentication failed: ${errorMsg}
-
-` + "Please check your credentials and try again. " + "If the problem persists, verify your UiPath account is active."));
-          popup.close();
-        }
-      };
-      const cleanup = () => {
-        global2.window?.removeEventListener?.("message", messageHandler);
-        if (timer)
-          clearInterval(timer);
-      };
-      if (global2.window?.addEventListener) {
-        global2.window.addEventListener("message", messageHandler);
-      }
-      const timer = setInterval(() => {
-        if (popup.closed) {
-          cleanup();
-          reject(new Error(`Authentication was cancelled.
-
-` + "The authentication popup was closed before completing the login process. " + "Please try again and complete the authentication flow."));
-        }
-      }, 1000);
-    });
-  }
-}
-var init_browser_strategy = () => {};
-
 // src/getBaseHtml.ts
 var getBaseHtml = ({ title, message, type }) => {
   const icon = type === "success" ? "✓" : "✕";
@@ -19286,7 +19298,7 @@ var getBaseHtml = ({ title, message, type }) => {
 };
 
 // src/server.ts
-var startServer = async ({
+var AUTH_TIMEOUT_ERROR_CODE = "EAUTHTIMEOUT", startServer = async ({
   redirectUri,
   timeoutMs = DEFAULT_AUTH_TIMEOUT_MS,
   onListening
@@ -19357,7 +19369,18 @@ var startServer = async ({
       reject(new Error("No authorization code received"));
       return;
     });
-    server.listen(Number(redirectUri.port), redirectUri.hostname, () => {
+    const timeoutHandle = setTimeout(() => {
+      server.close();
+      const err = new Error("Authentication timeout");
+      err.code = AUTH_TIMEOUT_ERROR_CODE;
+      reject(err);
+    }, timeoutMs);
+    const bindHost = redirectUri.hostname === "localhost" ? "127.0.0.1" : redirectUri.hostname;
+    server.on("error", (err) => {
+      clearTimeout(timeoutHandle);
+      reject(err);
+    });
+    server.listen(Number(redirectUri.port), bindHost, () => {
       if (onListening) {
         Promise.resolve(onListening()).catch((err) => {
           server.close();
@@ -19366,10 +19389,6 @@ var startServer = async ({
         });
       }
     });
-    const timeoutHandle = setTimeout(() => {
-      server.close();
-      reject(new Error("Authentication timeout"));
-    }, timeoutMs);
     server.on("close", () => {
       clearTimeout(timeoutHandle);
     });
@@ -19379,6 +19398,81 @@ var init_server = __esm(() => {
   init_constants();
 });
 
+// src/strategies/browser-strategy.ts
+var exports_browser_strategy = {};
+__export(exports_browser_strategy, {
+  BrowserAuthStrategy: () => BrowserAuthStrategy
+});
+
+class BrowserAuthStrategy {
+  async execute(url, _redirectUri, expectedState) {
+    const global2 = getGlobalThis();
+    if (!global2?.window) {
+      throw new Error("Browser environment required for authentication");
+    }
+    const screenWidth = global2.window.screen?.width ?? 1024;
+    const screenHeight = global2.window.screen?.height ?? 768;
+    const width = 600;
+    const height = 700;
+    const left = screenWidth / 2 - width / 2;
+    const top = screenHeight / 2 - height / 2;
+    if (!global2.window.open) {
+      throw new Error("window.open is not available");
+    }
+    const popupResult = global2.window.open(url, "uip_auth", `width=${width},height=${height},left=${left},top=${top},resizable=yes,scrollbars=yes,status=yes`);
+    const popup = popupResult;
+    if (!popup) {
+      throw new Error(`Authentication popup was blocked by your browser.
+
+` + `To continue:
+` + `1. Look for a popup blocker icon in your address bar
+` + `2. Allow popups for this site
+` + `3. Try logging in again
+
+` + "If using an ad blocker, you may need to temporarily disable it.");
+    }
+    return new Promise((resolve2, reject) => {
+      const messageHandler = (event) => {
+        if (event.data?.type === "UIP_AUTH_CODE" && event.data.code) {
+          if (event.data.state !== expectedState) {
+            cleanup();
+            reject(new Error("OAuth state mismatch — the callback state does not match the expected value. " + "This may indicate a CSRF attack. Please try signing in again."));
+            popup.close();
+            return;
+          }
+          cleanup();
+          resolve2(event.data.code);
+          popup.close();
+        } else if (event.data?.type === "UIP_AUTH_ERROR") {
+          cleanup();
+          const errorMsg = event.data.error || "Authentication failed";
+          reject(new Error(`Authentication failed: ${errorMsg}
+
+` + "Please check your credentials and try again. " + "If the problem persists, verify your UiPath account is active."));
+          popup.close();
+        }
+      };
+      const cleanup = () => {
+        global2.window?.removeEventListener?.("message", messageHandler);
+        if (timer)
+          clearInterval(timer);
+      };
+      if (global2.window?.addEventListener) {
+        global2.window.addEventListener("message", messageHandler);
+      }
+      const timer = setInterval(() => {
+        if (popup.closed) {
+          cleanup();
+          reject(new Error(`Authentication was cancelled.
+
+` + "The authentication popup was closed before completing the login process. " + "Please try again and complete the authentication flow."));
+        }
+      }, 1000);
+    });
+  }
+}
+var init_browser_strategy = () => {};
+
 // src/strategies/node-strategy.ts
 var exports_node_strategy = {};
 __export(exports_node_strategy, {
@@ -19457,30 +19551,7 @@ class InvalidBaseUrlError extends Error {
     this.name = "InvalidBaseUrlError";
   }
 }
-var DEFAULT_SCOPES = [
-  "offline_access",
-  "ProcessMining",
-  "OrchestratorApiUserAccess",
-  "StudioWebBackend",
-  "IdentityServerApi",
-  "ConnectionService",
-  "DataService",
-  "DataServiceApiUserAccess",
-  "DocumentUnderstanding",
-  "EnterpriseContextService",
-  "Directory",
-  "JamJamApi",
-  "LLMGateway",
-  "LLMOps",
-  "OMS",
-  "RCS.FolderAuthorization",
-  "RCS.TagsManagement",
-  "TestmanagerApiUserAccess",
-  "AutomationSolutions",
-  "StudioWebTypeCacheService",
-  "Docs.GPT.Search",
-  "Insights"
-];
+var DEFAULT_SCOPES = ["openid", "profile", "offline_access"];
 var normalizeAndValidateBaseUrl = (rawUrl) => {
   let baseUrl = rawUrl;
   if (baseUrl.endsWith("/identity_/")) {
@@ -19530,7 +19601,8 @@ var resolveConfigAsync = async ({
   if (!clientSecret && fileAuth.clientSecret) {
     clientSecret = fileAuth.clientSecret;
   }
-  const scopes = customScopes && customScopes.length > 0 ? customScopes : fileAuth.scopes && fileAuth.scopes.length > 0 ? fileAuth.scopes : DEFAULT_SCOPES;
+  const isExternalAppAuth = clientId !== DEFAULT_CLIENT_ID && Boolean(clientSecret);
+  const scopes = customScopes && customScopes.length > 0 ? customScopes : fileAuth.scopes && fileAuth.scopes.length > 0 ? fileAuth.scopes : isExternalAppAuth ? [] : DEFAULT_SCOPES;
   return {
     clientId,
     clientSecret,
@@ -20250,6 +20322,7 @@ var getTokenExpiration = (accessToken) => {
 
 // src/envAuth.ts
 var ENV_AUTH_ENABLE_VAR = "UIPATH_CLI_ENABLE_ENV_AUTH";
+var ENFORCE_ROBOT_AUTH_VAR = "UIPATH_CLI_ENFORCE_ROBOT_AUTH";
 var ENV_AUTH_VARS = {
   token: "UIPATH_CLI_AUTH_TOKEN",
   organizationName: "UIPATH_CLI_ORGANIZATION_NAME",
@@ -20265,6 +20338,7 @@ class EnvAuthConfigError extends Error {
   }
 }
 var isEnvAuthEnabled = () => process.env[ENV_AUTH_ENABLE_VAR] === "true";
+var isRobotAuthEnforced = () => process.env[ENFORCE_ROBOT_AUTH_VAR] === "true";
 var requireEnv = (name) => {
   const value = process.env[name];
   if (!value) {
@@ -20306,7 +20380,9 @@ var readAuthFromEnv = () => {
     expiration
   };
 };
+
 // src/robotClientFallback.ts
+init_src();
 var DEFAULT_TIMEOUT_MS = 1000;
 var CLOSE_TIMEOUT_MS = 500;
 var NOTICE_SENTINEL = Symbol.for("@uipath/auth/robotFallbackNoticePrinted");
@@ -20318,6 +20394,35 @@ var printNoticeOnce = () => {
   catchError(() => process.stderr.write(`Using UiPath Robot credentials. Run 'uip login' for a dedicated session.
 `));
 };
+var ROBOT_USER_SERVICES_PIPE = "UiPathUserServices";
+var ROBOT_USER_SERVICES_ALTERNATE_PIPE = `${ROBOT_USER_SERVICES_PIPE}Alternate`;
+var PIPE_NAME_MAX_LENGTH = 103;
+var getRobotIpcPipeNames = async () => {
+  const fs7 = getFileSystem();
+  const username = fs7.env.getenv("USER") ?? fs7.env.getenv("USERNAME");
+  if (!username) {
+    throw new Error("Unable to determine current username");
+  }
+  const tempPath = fs7.env.getenv("TMPDIR") ?? "/tmp/";
+  return [ROBOT_USER_SERVICES_PIPE, ROBOT_USER_SERVICES_ALTERNATE_PIPE].map((baseName) => fs7.path.join(tempPath, `${baseName}_${username}`).substring(0, PIPE_NAME_MAX_LENGTH));
+};
+var defaultIsRobotIpcAvailable = async () => {
+  if (process.platform === "win32") {
+    return true;
+  }
+  const [pipeNamesError, pipeNames] = await catchError(getRobotIpcPipeNames());
+  if (pipeNamesError || !pipeNames) {
+    return false;
+  }
+  const fs7 = getFileSystem();
+  for (const pipeName of pipeNames) {
+    const [existsError, exists] = await catchError(fs7.exists(pipeName));
+    if (!existsError && exists === true) {
+      return true;
+    }
+  }
+  return false;
+};
 var withTimeout = (promise, timeoutMs) => new Promise((resolve2, reject) => {
   const timer = setTimeout(() => reject(new Error(`Robot IPC call timed out after ${timeoutMs}ms`)), timeoutMs);
   promise.then((value) => {
@@ -20349,14 +20454,20 @@ var defaultLoadModule = async () => {
 var tryRobotClientFallback = async (options = {}) => {
   if (isBrowser())
     return;
-  if (process.env.CI || process.env.GITHUB_ACTIONS) {
-    return;
-  }
-  if (process.env.UIPATH_URL) {
-    return;
+  if (!options.force) {
+    if (process.env.CI || process.env.GITHUB_ACTIONS) {
+      return;
+    }
+    if (process.env.UIPATH_URL) {
+      return;
+    }
   }
   const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+  const isRobotIpcAvailable = options.isRobotIpcAvailable ?? defaultIsRobotIpcAvailable;
   const loadModule = options.loadModule ?? defaultLoadModule;
+  if (!await isRobotIpcAvailable()) {
+    return;
+  }
   const mod = await loadModule();
   if (!mod)
     return;
@@ -20629,11 +20740,130 @@ function normalizeTokenRefreshFailure() {
 function normalizeTokenRefreshUnavailableFailure() {
   return "token refresh failed before authentication completed";
 }
-var getLoginStatusWithDeps = async (options = {}, deps = {}) => {
-  if (isEnvAuthEnabled()) {
-    return readAuthFromEnv();
+function errorMessage(error) {
+  return error instanceof Error ? error.message : String(error);
+}
+function computeExpirationThreshold(ensureTokenValidityMinutes) {
+  return new Date(Date.now() + (ensureTokenValidityMinutes ?? 0) * 60 * 1000);
+}
+async function runRefreshLocked(inputs) {
+  const {
+    absolutePath,
+    refreshToken: callerRefreshToken,
+    customAuthority,
+    ensureTokenValidityMinutes,
+    loadEnvFile,
+    saveEnvFile,
+    refreshFn,
+    resolveConfig
+  } = inputs;
+  const expirationThreshold = computeExpirationThreshold(ensureTokenValidityMinutes);
+  let fresh;
+  try {
+    fresh = await loadEnvFile({ envPath: absolutePath });
+  } catch (error) {
+    return {
+      kind: "fail",
+      status: {
+        loginStatus: "Refresh Failed",
+        hint: "Could not read the auth file while refreshing. Retry, or run 'uip login' to re-authenticate.",
+        tokenRefresh: {
+          attempted: false,
+          success: false,
+          errorMessage: `auth file read failed: ${errorMessage(error)}`
+        }
+      }
+    };
   }
-  const { envFilePath = DEFAULT_ENV_FILENAME, ensureTokenValidityMinutes } = options;
+  const freshAccess = fresh.UIPATH_ACCESS_TOKEN;
+  const freshExp = freshAccess ? getTokenExpiration(freshAccess) : undefined;
+  if (freshAccess && freshExp && freshExp > expirationThreshold) {
+    return {
+      kind: "ok",
+      accessToken: freshAccess,
+      refreshToken: fresh.UIPATH_REFRESH_TOKEN ?? callerRefreshToken,
+      expiration: freshExp,
+      tokenRefresh: { attempted: false, success: true }
+    };
+  }
+  const tokenForIdP = fresh.UIPATH_REFRESH_TOKEN ?? callerRefreshToken;
+  let refreshedAccess;
+  let refreshedRefresh;
+  try {
+    const config = await resolveConfig({ customAuthority });
+    const refreshed = await refreshFn({
+      refreshToken: tokenForIdP,
+      tokenEndpoint: config.tokenEndpoint,
+      clientId: config.clientId,
+      expectedAuthority: customAuthority
+    });
+    refreshedAccess = refreshed.accessToken;
+    refreshedRefresh = refreshed.refreshToken;
+  } catch (error) {
+    const isOAuthFailure = isTokenRefreshOAuthFailure(error);
+    const hint = isOAuthFailure ? "Run 'uip login' to re-authenticate — the stored refresh token is invalid or expired." : "Token refresh failed. Check your network connection, then retry or run 'uip login' to re-authenticate.";
+    const message = isOAuthFailure ? normalizeTokenRefreshFailure() : normalizeTokenRefreshUnavailableFailure();
+    return {
+      kind: "fail",
+      status: {
+        loginStatus: "Refresh Failed",
+        hint,
+        tokenRefresh: {
+          attempted: true,
+          success: false,
+          errorMessage: message
+        }
+      }
+    };
+  }
+  const refreshedExp = getTokenExpiration(refreshedAccess);
+  if (!refreshedExp || refreshedExp <= new Date) {
+    return {
+      kind: "fail",
+      status: {
+        loginStatus: "Refresh Failed",
+        hint: "The identity server returned an unusable token. Run 'uip login' to re-authenticate.",
+        tokenRefresh: {
+          attempted: true,
+          success: false,
+          errorMessage: "refreshed token has no valid expiration claim"
+        }
+      }
+    };
+  }
+  try {
+    await saveEnvFile({
+      envPath: absolutePath,
+      data: {
+        UIPATH_ACCESS_TOKEN: refreshedAccess,
+        UIPATH_REFRESH_TOKEN: refreshedRefresh
+      },
+      merge: true
+    });
+    return {
+      kind: "ok",
+      accessToken: refreshedAccess,
+      refreshToken: refreshedRefresh,
+      expiration: refreshedExp,
+      tokenRefresh: { attempted: true, success: true }
+    };
+  } catch (error) {
+    const msg = errorMessage(error);
+    return {
+      kind: "ok",
+      accessToken: refreshedAccess,
+      refreshToken: refreshedRefresh,
+      expiration: refreshedExp,
+      persistenceWarning: `Access token refreshed in memory but could not be written to ${absolutePath}: ${msg}. The next CLI invocation will fail until the file can be updated — run 'uip login' to re-authenticate.`,
+      tokenRefresh: {
+        attempted: true,
+        success: true,
+        errorMessage: `persistence failed: ${msg}`
+      }
+    };
+  }
+}
+var getLoginStatusWithDeps = async (options = {}, deps = {}) => {
   const {
     resolveEnvFilePath = resolveEnvFilePathAsync,
     loadEnvFile = loadEnvFileAsync,
@@ -20643,6 +20873,34 @@ var getLoginStatusWithDeps = async (options = {}, deps = {}) => {
     resolveConfig = resolveConfigAsync,
     robotFallback = tryRobotClientFallback
   } = deps;
+  if (isRobotAuthEnforced()) {
+    if (isEnvAuthEnabled()) {
+      throw new EnvAuthConfigError(`${ENV_AUTH_ENABLE_VAR}=true and ${ENFORCE_ROBOT_AUTH_VAR}=true ` + `are mutually exclusive. Unset one of them and re-run.`);
+    }
+    const robotCreds = await robotFallback({ force: true });
+    if (!robotCreds) {
+      return {
+        loginStatus: "Not logged in",
+        hint: `${ENFORCE_ROBOT_AUTH_VAR}=true but the UiPath Robot ` + `session is unavailable. Start and sign in to the Assistant, ` + `or unset ${ENFORCE_ROBOT_AUTH_VAR} to fall back to file or ` + `env-var authentication.`
+      };
+    }
+    const expiration2 = getTokenExpiration(robotCreds.accessToken);
+    return {
+      loginStatus: "Logged in",
+      accessToken: robotCreds.accessToken,
+      baseUrl: robotCreds.baseUrl,
+      organizationName: robotCreds.organizationName,
+      organizationId: robotCreds.organizationId,
+      tenantName: robotCreds.tenantName,
+      tenantId: robotCreds.tenantId,
+      expiration: expiration2,
+      source: "robot" /* Robot */
+    };
+  }
+  if (isEnvAuthEnabled()) {
+    return readAuthFromEnv();
+  }
+  const { envFilePath = DEFAULT_ENV_FILENAME, ensureTokenValidityMinutes } = options;
   const { absolutePath } = await resolveEnvFilePath(envFilePath);
   if (absolutePath === undefined) {
     const robotCreds = await robotFallback();
@@ -20679,73 +20937,103 @@ var getLoginStatusWithDeps = async (options = {}, deps = {}) => {
   let refreshToken = credentials.UIPATH_REFRESH_TOKEN;
   let expiration = getTokenExpiration(accessToken);
   let persistenceWarning;
+  let lockReleaseFailed = false;
   let tokenRefresh;
-  const expirationThreshold = new Date(Date.now() + (ensureTokenValidityMinutes ?? 0) * 60 * 1000);
-  if (expiration && expiration <= expirationThreshold && refreshToken) {
-    let refreshedAccess;
-    let refreshedRefresh;
+  const outerThreshold = computeExpirationThreshold(ensureTokenValidityMinutes);
+  const tryGlobalCredsHint = async () => {
+    const fs7 = getFs();
+    const globalPath = fs7.path.join(fs7.env.homedir(), envFilePath);
+    if (absolutePath === globalPath)
+      return;
+    if (!await fs7.exists(globalPath))
+      return;
     try {
-      const config = await resolveConfig({
-        customAuthority: credentials.UIPATH_URL
-      });
-      const refreshed = await refreshTokenFn({
-        refreshToken,
-        tokenEndpoint: config.tokenEndpoint,
-        clientId: config.clientId,
-        expectedAuthority: credentials.UIPATH_URL
-      });
-      refreshedAccess = refreshed.accessToken;
-      refreshedRefresh = refreshed.refreshToken;
-    } catch (error) {
-      const isOAuthFailure = isTokenRefreshOAuthFailure(error);
-      const hint = isOAuthFailure ? "Run 'uip login' to re-authenticate — the stored refresh token is invalid or expired." : "Token refresh failed. Check your network connection, then retry or run 'uip login' to re-authenticate.";
-      const errorMessage = isOAuthFailure ? normalizeTokenRefreshFailure() : normalizeTokenRefreshUnavailableFailure();
-      return {
-        loginStatus: "Refresh Failed",
-        hint,
-        tokenRefresh: {
-          attempted: true,
-          success: false,
-          errorMessage
-        }
-      };
+      const globalCreds = await loadEnvFile({ envPath: globalPath });
+      if (!globalCreds.UIPATH_ACCESS_TOKEN)
+        return;
+      const globalExp = getTokenExpiration(globalCreds.UIPATH_ACCESS_TOKEN);
+      if (globalExp && globalExp <= new Date)
+        return;
+      return `Local credentials file at ${absolutePath} has expired credentials. Valid credentials exist in ${globalPath}. Remove the local file or run 'uip login' to re-authenticate.`;
+    } catch {
+      return;
     }
-    const refreshedExp = getTokenExpiration(refreshedAccess);
-    if (!refreshedExp || refreshedExp <= new Date) {
+  };
+  if (expiration && expiration <= outerThreshold && refreshToken) {
+    let release;
+    try {
+      release = await getFs().acquireLock(absolutePath);
+    } catch (error) {
+      const msg = errorMessage(error);
+      const globalHint = await tryGlobalCredsHint();
+      if (globalHint) {
+        return {
+          loginStatus: "Expired",
+          accessToken,
+          refreshToken,
+          baseUrl: credentials.UIPATH_URL,
+          organizationName: credentials.UIPATH_ORGANIZATION_NAME,
+          organizationId: credentials.UIPATH_ORGANIZATION_ID,
+          tenantName: credentials.UIPATH_TENANT_NAME,
+          tenantId: credentials.UIPATH_TENANT_ID,
+          expiration,
+          source: "file" /* File */,
+          hint: globalHint,
+          tokenRefresh: {
+            attempted: false,
+            success: false,
+            errorMessage: `lock acquisition failed: ${msg}`
+          }
+        };
+      }
       return {
         loginStatus: "Refresh Failed",
-        hint: "The identity server returned an unusable token. Run 'uip login' to re-authenticate.",
+        hint: "Could not acquire the auth-file lock — too many concurrent `uip` processes, or a permission issue on the auth directory. Retry, or run 'uip login' to re-authenticate.",
         tokenRefresh: {
-          attempted: true,
+          attempted: false,
           success: false,
-          errorMessage: "refreshed token has no valid expiration claim"
+          errorMessage: `lock acquisition failed: ${msg}`
         }
       };
     }
-    accessToken = refreshedAccess;
-    refreshToken = refreshedRefresh;
-    expiration = refreshedExp;
+    let lockedFailure;
     try {
-      await saveEnvFile({
-        envPath: absolutePath,
-        data: {
-          UIPATH_ACCESS_TOKEN: accessToken,
-          UIPATH_REFRESH_TOKEN: refreshToken
-        },
-        merge: true
+      const outcome = await runRefreshLocked({
+        absolutePath,
+        refreshToken,
+        customAuthority: credentials.UIPATH_URL,
+        ensureTokenValidityMinutes,
+        loadEnvFile,
+        saveEnvFile,
+        refreshFn: refreshTokenFn,
+        resolveConfig
       });
-      tokenRefresh = {
-        attempted: true,
-        success: true
-      };
-    } catch (error) {
-      const msg = error instanceof Error ? error.message : String(error);
-      persistenceWarning = `Access token refreshed in memory but could not be written to ${absolutePath}: ${msg}. The next CLI invocation will fail until the file can be updated — run 'uip login' to re-authenticate.`;
-      tokenRefresh = {
-        attempted: true,
-        success: true,
-        errorMessage: `persistence failed: ${msg}`
-      };
+      if (outcome.kind === "fail") {
+        lockedFailure = outcome.status;
+      } else {
+        accessToken = outcome.accessToken;
+        refreshToken = outcome.refreshToken;
+        expiration = outcome.expiration;
+        tokenRefresh = outcome.tokenRefresh;
+        if (outcome.persistenceWarning) {
+          persistenceWarning = outcome.persistenceWarning;
+        }
+      }
+    } finally {
+      try {
+        await release();
+      } catch {
+        lockReleaseFailed = true;
+      }
+    }
+    if (lockedFailure) {
+      const globalHint = await tryGlobalCredsHint();
+      const base = globalHint ? {
+        ...lockedFailure,
+        loginStatus: "Expired",
+        hint: globalHint
+      } : lockedFailure;
+      return lockReleaseFailed ? { ...base, lockReleaseFailed: true } : base;
     }
   }
   const result = {
@@ -20760,23 +21048,13 @@ var getLoginStatusWithDeps = async (options = {}, deps = {}) => {
     expiration,
     source: "file" /* File */,
     ...persistenceWarning ? { hint: persistenceWarning, persistenceFailed: true } : {},
+    ...lockReleaseFailed ? { lockReleaseFailed: true } : {},
     ...tokenRefresh ? { tokenRefresh } : {}
   };
   if (result.loginStatus === "Expired") {
-    const fs7 = getFs();
-    const globalPath = fs7.path.join(fs7.env.homedir(), envFilePath);
-    if (absolutePath !== globalPath && await fs7.exists(globalPath)) {
-      try {
-        const globalCreds = await loadEnvFile({
-          envPath: globalPath
-        });
-        if (globalCreds.UIPATH_ACCESS_TOKEN) {
-          const globalExp = getTokenExpiration(globalCreds.UIPATH_ACCESS_TOKEN);
-          if (!globalExp || globalExp > new Date) {
-            result.hint = `Local credentials file at ${absolutePath} has expired credentials. Valid credentials exist in ${globalPath}. Remove the local file or run 'uip login' to re-authenticate.`;
-          }
-        }
-      } catch {}
+    const globalHint = await tryGlobalCredsHint();
+    if (globalHint) {
+      result.hint = globalHint;
     }
   }
   return result;
@@ -20809,7 +21087,7 @@ var getAuthContext = async (options = {}) => {
     throw new Error("Tenant ID not available. Ensure UIPATH_TENANT_ID is set.");
   }
   if (options.requireTenantName && tenantName === undefined) {
-    throw new Error("Tenant not provided and UIPATH_TENANT_NAME not set. Please provide a tenant argument or set UIPATH_TENANT_NAME.");
+    throw new Error("Tenant not provided and UIPATH_TENANT_NAME not set. Run 'uip login' to select a tenant, or use 'uip login tenant set <tenant>' to switch tenants.");
   }
   return {
     baseUrl: status.baseUrl,
@@ -20836,9 +21114,11 @@ var clientCredentialsLogin = async ({
   const params = {
     grant_type: "client_credentials",
     client_id: config.clientId,
-    client_secret: config.clientSecret ?? "",
-    scope: config.scopes.join(" ")
+    client_secret: config.clientSecret ?? ""
   };
+  if (config.scopes.length > 0) {
+    params.scope = config.scopes.join(" ");
+  }
   const tokenResponse = await fetch(config.tokenEndpoint, {
     method: "POST",
     headers: {
@@ -21001,29 +21281,24 @@ var interactiveLoginWithDeps = async (options, deps) => {
   try {
     const tokenData = jwtParser(tokens.UIPATH_ACCESS_TOKEN);
     const orgId = tokenData.prtId || tokenData.organizationId || tokenData.prt_id;
-    if (typeof orgId === "string") {
-      credentials.UIPATH_ORGANIZATION_ID = orgId;
-      if (organization) {
-        credentials.UIPATH_ORGANIZATION_NAME = organization;
-      }
-      try {
-        const [tenantName, tenantId, orgName] = await tenantSelector(config.baseUrl, tokens.UIPATH_ACCESS_TOKEN, orgId, tenant, interactive);
-        credentials.UIPATH_ORGANIZATION_NAME = orgName;
-        credentials.UIPATH_TENANT_NAME = tenantName;
-        credentials.UIPATH_TENANT_ID = tenantId;
-      } catch (error) {
-        credentials.UIPATH_TENANT_NAME = undefined;
-        credentials.UIPATH_TENANT_ID = undefined;
-        if (!organization) {
-          credentials.UIPATH_ORGANIZATION_NAME = undefined;
-        }
-        emit({
-          type: "tenant-fetch-failed",
-          message: error instanceof Error ? error.message : String(error)
-        });
-      }
+    if (typeof orgId !== "string" || orgId.length === 0) {
+      throw new Error("Organization ID not available from login token. Cannot establish an active tenant.");
     }
-  } catch {}
+    credentials.UIPATH_ORGANIZATION_ID = orgId;
+    if (organization) {
+      credentials.UIPATH_ORGANIZATION_NAME = organization;
+    }
+    const [tenantName, tenantId, orgName] = await tenantSelector(config.baseUrl, tokens.UIPATH_ACCESS_TOKEN, orgId, tenant, interactive);
+    credentials.UIPATH_ORGANIZATION_NAME = orgName;
+    credentials.UIPATH_TENANT_NAME = tenantName;
+    credentials.UIPATH_TENANT_ID = tenantId;
+  } catch (error) {
+    emit({
+      type: "tenant-fetch-failed",
+      message: error instanceof Error ? error.message : String(error)
+    });
+    throw error;
+  }
   const fs7 = getFs();
   const requestedPath = envFilePath ?? DEFAULT_ENV_FILENAME;
   let savePath = requestedPath;
@@ -21051,11 +21326,25 @@ var interactiveLoginWithDeps = async (options, deps) => {
       searchDir = parentDir;
     }
   }
-  await saveEnvFile({
-    envPath: savePath,
-    data: credentials,
-    merge: true
-  });
+  let saveRelease;
+  try {
+    if (typeof fs7.acquireLock === "function") {
+      saveRelease = await fs7.acquireLock(savePath);
+    }
+  } catch {
+    saveRelease = undefined;
+  }
+  try {
+    await saveEnvFile({
+      envPath: savePath,
+      data: credentials,
+      merge: true
+    });
+  } finally {
+    if (saveRelease) {
+      await saveRelease().catch(() => {});
+    }
+  }
   const reportedPath = fs7.path.isAbsolute(savePath) ? savePath : fs7.path.join(fs7.env.homedir(), savePath);
   emit({
     type: "saved",
@@ -21077,7 +21366,21 @@ async function logoutWithDeps(options, deps = {}) {
   const fs7 = getFs();
   const { absolutePath } = await resolveEnvFilePath(options.file);
   if (absolutePath && await fs7.exists(absolutePath)) {
-    await fs7.rm(absolutePath);
+    let release;
+    try {
+      if (typeof fs7.acquireLock === "function") {
+        release = await fs7.acquireLock(absolutePath);
+      }
+    } catch {
+      release = undefined;
+    }
+    try {
+      await fs7.rm(absolutePath);
+    } finally {
+      if (release) {
+        await release().catch(() => {});
+      }
+    }
     return {
       success: true,
       message: `Logged out successfully. Removed ${absolutePath}`,
@@ -21095,6 +21398,7 @@ async function logout(options) {
 }
 
 // src/index.ts
+init_server();
 var authenticate = async ({
   baseUrl,
   clientId,
@@ -21174,6 +21478,7 @@ export {
   logout,
   loadEnvFileAsync,
   isTokenRefreshOAuthFailure,
+  isRobotAuthEnforced,
   isNode,
   isEnvAuthEnabled,
   isBrowser,
@@ -21191,6 +21496,8 @@ export {
   EnvAuthConfigError,
   ENV_AUTH_VARS,
   ENV_AUTH_ENABLE_VAR,
+  ENFORCE_ROBOT_AUTH_VAR,
   DEFAULT_ENV_FILENAME,
-  DEFAULT_AUTH_FILENAME
+  DEFAULT_AUTH_FILENAME,
+  AUTH_TIMEOUT_ERROR_CODE
 };