@uipath/auth 1.196.0 → 1.197.0-preview.59

package/dist/index.js

@@ -19153,16 +19153,33 @@ var require_dist = __commonJS((exports) => {
 });
 
 // src/getBaseHtml.ts
-var getBaseHtml = ({ title, message, type }) => {
+var escapeHtml = (value) => value.replace(/[&<>"']/g, (char) => {
+  switch (char) {
+    case "&":
+      return "&amp;";
+    case "<":
+      return "&lt;";
+    case ">":
+      return "&gt;";
+    case '"':
+      return "&quot;";
+    case "'":
+      return "&#39;";
+    default:
+      return char;
+  }
+}), getBaseHtml = ({ title, message, type }) => {
   const icon = type === "success" ? "✓" : "✕";
   const iconClass = type === "success" ? "icon-success" : "icon-error";
+  const safeTitle = escapeHtml(title);
+  const safeMessage = escapeHtml(message);
   return `
 <!DOCTYPE html>
 <html lang="en">
 <head>
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <title>${title} - UiPath CLI</title>
+    <title>${safeTitle} - UiPath CLI</title>
     <link rel="preconnect" href="https://fonts.googleapis.com">
     <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
     <link href="https://fonts.googleapis.com/css2?family=Inter:wght@400&family=Poppins:wght@600&display=swap" rel="stylesheet">
@@ -19288,8 +19305,8 @@ var getBaseHtml = ({ title, message, type }) => {
                 </div>
             </div>
             <div class="icon ${iconClass}">${icon}</div>
-            <h1>${title}</h1>
-            <p>${message}</p>
+            <h1>${safeTitle}</h1>
+            <p>${safeMessage}</p>
             <div class="footer">You can close this window</div>
         </div>
     </div>
@@ -19492,6 +19509,13 @@ class NodeAuthStrategy {
           if (c > 31 && (c < 128 || c > 159))
             safeUrl += ch;
         }
+        if (opts?.noBrowser) {
+          if (!opts.onAuthUrl) {
+            throw new Error("Headless login (noBrowser) requires an onAuthUrl handler " + "to surface the authorize URL, but none was provided.");
+          }
+          opts.onAuthUrl(safeUrl);
+          return;
+        }
         const [openError] = await catchError(fs7.utils.open(url));
         if (!openError)
           return;
@@ -19573,6 +19597,12 @@ var normalizeAndValidateBaseUrl = (rawUrl) => {
   }
   return url.pathname.length > 1 ? url.origin : baseUrl;
 };
+var resolveScopes = (isExternalAppAuth, customScopes, fileScopes) => {
+  const requestedScopes = customScopes?.length ? customScopes : fileScopes ?? [];
+  if (isExternalAppAuth)
+    return requestedScopes;
+  return [...new Set([...DEFAULT_SCOPES, ...requestedScopes])];
+};
 var resolveConfigAsync = async ({
   customAuthority,
   customClientId,
@@ -19603,7 +19633,7 @@ var resolveConfigAsync = async ({
     clientSecret = fileAuth.clientSecret;
   }
   const isExternalAppAuth = clientId !== DEFAULT_CLIENT_ID && Boolean(clientSecret);
-  const scopes = customScopes && customScopes.length > 0 ? customScopes : fileAuth.scopes && fileAuth.scopes.length > 0 ? fileAuth.scopes : isExternalAppAuth ? [] : DEFAULT_SCOPES;
+  const scopes = resolveScopes(isExternalAppAuth, customScopes, fileAuth.scopes);
   return {
     clientId,
     clientSecret,
@@ -20250,6 +20280,105 @@ var exchangeCodeForTokens = async ({
 };
 // src/loginStatus.ts
 init_src();
+
+// src/authProfile.ts
+init_src();
+init_constants();
+var DEFAULT_AUTH_PROFILE = "default";
+var PROFILE_DIR = "profiles";
+var PROFILE_NAME_RE = /^[A-Za-z0-9._-]+$/;
+var ACTIVE_AUTH_PROFILE_KEY = Symbol.for("@uipath/auth/ActiveAuthProfile");
+var AUTH_PROFILE_STORAGE_KEY = Symbol.for("@uipath/auth/ProfileStorage");
+var globalSlot2 = globalThis;
+function isAuthProfileStorage(value) {
+  return value !== null && typeof value === "object" && "getStore" in value && "run" in value;
+}
+function createProfileStorage() {
+  const [error, mod] = catchError(() => __require("node:async_hooks"));
+  if (error || typeof mod?.AsyncLocalStorage !== "function") {
+    return {
+      getStore: () => {
+        return;
+      },
+      run: (_store, fn) => fn()
+    };
+  }
+  return new mod.AsyncLocalStorage;
+}
+function getProfileStorage() {
+  const existing = globalSlot2[AUTH_PROFILE_STORAGE_KEY];
+  if (isAuthProfileStorage(existing)) {
+    return existing;
+  }
+  const storage = createProfileStorage();
+  globalSlot2[AUTH_PROFILE_STORAGE_KEY] = storage;
+  return storage;
+}
+var profileStorage = getProfileStorage();
+
+class AuthProfileValidationError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "AuthProfileValidationError";
+  }
+}
+function normalizeAuthProfileName(profile) {
+  if (profile === undefined || profile === DEFAULT_AUTH_PROFILE) {
+    return;
+  }
+  if (profile.length === 0 || profile === "." || profile === ".." || !PROFILE_NAME_RE.test(profile)) {
+    throw new AuthProfileValidationError(`Invalid profile name "${profile}". Profile names may contain only letters, numbers, '.', '_', and '-'.`);
+  }
+  return profile;
+}
+function setActiveAuthProfile(profile) {
+  const normalized = normalizeAuthProfileName(profile);
+  const scopedState = profileStorage.getStore();
+  if (scopedState !== undefined) {
+    if (normalized === undefined) {
+      delete scopedState.profile;
+      return;
+    }
+    scopedState.profile = normalized;
+    return;
+  }
+  if (normalized === undefined) {
+    delete globalSlot2[ACTIVE_AUTH_PROFILE_KEY];
+    return;
+  }
+  globalSlot2[ACTIVE_AUTH_PROFILE_KEY] = { profile: normalized };
+}
+function clearActiveAuthProfile() {
+  const scopedState = profileStorage.getStore();
+  if (scopedState !== undefined) {
+    delete scopedState.profile;
+    return;
+  }
+  delete globalSlot2[ACTIVE_AUTH_PROFILE_KEY];
+}
+function getActiveAuthProfile() {
+  const scopedState = profileStorage.getStore();
+  if (scopedState !== undefined) {
+    return scopedState.profile;
+  }
+  return globalSlot2[ACTIVE_AUTH_PROFILE_KEY]?.profile;
+}
+function runWithAuthProfile(profile, fn) {
+  const normalized = normalizeAuthProfileName(profile);
+  return profileStorage.run(normalized === undefined ? {} : { profile: normalized }, fn);
+}
+function resolveAuthProfileFilePath(profile) {
+  const normalized = normalizeAuthProfileName(profile);
+  if (normalized === undefined) {
+    throw new AuthProfileValidationError(`"${DEFAULT_AUTH_PROFILE}" is the built-in profile and does not have a profile file path.`);
+  }
+  const fs7 = getFileSystem();
+  return fs7.path.join(fs7.env.homedir(), UIPATH_HOME_DIR, PROFILE_DIR, normalized, AUTH_FILENAME);
+}
+function getActiveAuthProfileFilePath() {
+  const profile = getActiveAuthProfile();
+  return profile ? resolveAuthProfileFilePath(profile) : undefined;
+}
 // src/utils/jwt.ts
 class InvalidIssuerError extends Error {
   expected;
@@ -20378,23 +20507,74 @@ var readAuthFromEnv = () => {
     organizationId,
     tenantName,
     tenantId,
-    expiration
+    expiration,
+    source: "env" /* Env */
   };
 };
 
+// src/refreshCircuitBreaker.ts
+init_src();
+var BREAKER_SUFFIX = ".refresh-state";
+var BACKOFF_BASE_MS = 60000;
+var BACKOFF_CAP_MS = 60 * 60 * 1000;
+var SURFACE_WINDOW_MS = 60 * 60 * 1000;
+async function refreshTokenFingerprint(refreshToken) {
+  const bytes = new TextEncoder().encode(refreshToken);
+  if (globalThis.crypto?.subtle) {
+    const digest = await globalThis.crypto.subtle.digest("SHA-256", bytes);
+    return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, "0")).join("").slice(0, 16);
+  }
+  const { createHash } = await import("node:crypto");
+  return createHash("sha256").update(refreshToken).digest("hex").slice(0, 16);
+}
+function breakerPathFor(authPath) {
+  return `${authPath}${BREAKER_SUFFIX}`;
+}
+async function loadRefreshBreaker(authPath) {
+  const fs7 = getFileSystem();
+  try {
+    const content = await fs7.readFile(breakerPathFor(authPath), "utf-8");
+    if (!content)
+      return {};
+    const parsed = JSON.parse(content);
+    return parsed && typeof parsed === "object" ? parsed : {};
+  } catch {
+    return {};
+  }
+}
+async function saveRefreshBreaker(authPath, state) {
+  try {
+    const fs7 = getFileSystem();
+    const path3 = breakerPathFor(authPath);
+    await fs7.mkdir(fs7.path.dirname(path3));
+    const tempPath = `${path3}.tmp`;
+    await fs7.writeFile(tempPath, JSON.stringify(state));
+    await fs7.rename(tempPath, path3);
+  } catch {}
+}
+async function clearRefreshBreaker(authPath) {
+  const fs7 = getFileSystem();
+  const path3 = breakerPathFor(authPath);
+  try {
+    if (await fs7.exists(path3)) {
+      await fs7.rm(path3);
+    }
+  } catch {}
+}
+function nextBackoffMs(attempts) {
+  const shift = Math.max(0, attempts - 1);
+  return Math.min(BACKOFF_BASE_MS * 2 ** shift, BACKOFF_CAP_MS);
+}
+function shouldSurface(state, nowMs) {
+  if (state.lastSurfacedAtMs === undefined)
+    return true;
+  return nowMs - state.lastSurfacedAtMs >= SURFACE_WINDOW_MS;
+}
+
 // src/robotClientFallback.ts
 init_src();
 var DEFAULT_TIMEOUT_MS = 1000;
 var CLOSE_TIMEOUT_MS = 500;
-var NOTICE_SENTINEL = Symbol.for("@uipath/auth/robotFallbackNoticePrinted");
-var printNoticeOnce = () => {
-  const slot = globalThis;
-  if (slot[NOTICE_SENTINEL])
-    return;
-  slot[NOTICE_SENTINEL] = true;
-  catchError(() => process.stderr.write(`Using UiPath Robot credentials. Run 'uip login' for a dedicated session.
-`));
-};
 var ROBOT_USER_SERVICES_PIPE = "UiPathUserServices";
 var ROBOT_USER_SERVICES_ALTERNATE_PIPE = `${ROBOT_USER_SERVICES_PIPE}Alternate`;
 var PIPE_NAME_MAX_LENGTH = 103;
@@ -20510,7 +20690,6 @@ var tryRobotClientFallback = async (options = {}) => {
         issuerFromToken = issClaim;
       }
     }
-    printNoticeOnce();
     return {
       accessToken,
       baseUrl: parsedUrl.baseUrl,
@@ -20740,19 +20919,329 @@ var LoginStatusSource;
 ((LoginStatusSource2) => {
   LoginStatusSource2["File"] = "file";
   LoginStatusSource2["Robot"] = "robot";
+  LoginStatusSource2["Env"] = "env";
 })(LoginStatusSource ||= {});
-function normalizeTokenRefreshFailure() {
-  return "stored refresh token is invalid or expired";
+var getLoginStatusAsync = async (options = {}) => {
+  return getLoginStatusWithDeps(options);
+};
+var getLoginStatusWithDeps = async (options = {}, deps = {}) => {
+  const {
+    resolveEnvFilePath = resolveEnvFilePathAsync,
+    loadEnvFile = loadEnvFileAsync,
+    saveEnvFile = saveEnvFileAsync,
+    getFs = getFileSystem,
+    refreshToken: refreshTokenFn = refreshAccessToken,
+    resolveConfig = resolveConfigAsync,
+    robotFallback = tryRobotClientFallback,
+    loadBreaker = loadRefreshBreaker,
+    saveBreaker = saveRefreshBreaker,
+    clearBreaker = clearRefreshBreaker
+  } = deps;
+  if (isRobotAuthEnforced()) {
+    return resolveRobotEnforcedStatus(robotFallback);
+  }
+  if (isEnvAuthEnabled()) {
+    return readAuthFromEnv();
+  }
+  const activeProfile = getActiveAuthProfile();
+  const activeProfileFilePath = getActiveAuthProfileFilePath();
+  const usingActiveProfile = activeProfile !== undefined && (options.envFilePath === undefined || options.envFilePath === activeProfileFilePath);
+  const envFilePath = options.envFilePath ?? activeProfileFilePath ?? DEFAULT_ENV_FILENAME;
+  const { ensureTokenValidityMinutes } = options;
+  const { absolutePath } = await resolveEnvFilePath(envFilePath);
+  if (absolutePath === undefined) {
+    if (usingActiveProfile) {
+      return {
+        loginStatus: "Not logged in",
+        hint: `No credentials found for profile "${activeProfile}". Run 'uip login --profile ${activeProfile}' to authenticate this profile.`
+      };
+    }
+    return resolveBorrowedRobotStatus(robotFallback);
+  }
+  const loaded = await loadFileCredentials(loadEnvFile, absolutePath);
+  if ("status" in loaded) {
+    return loaded.status;
+  }
+  const { credentials } = loaded;
+  const globalHint = () => usingActiveProfile ? Promise.resolve(undefined) : getGlobalCredsHint(getFs, loadEnvFile, absolutePath, envFilePath);
+  const expiration = getTokenExpiration(credentials.UIPATH_ACCESS_TOKEN);
+  const outerThreshold = computeExpirationThreshold(ensureTokenValidityMinutes);
+  let tokens = {
+    accessToken: credentials.UIPATH_ACCESS_TOKEN,
+    refreshToken: credentials.UIPATH_REFRESH_TOKEN,
+    expiration,
+    lockReleaseFailed: false
+  };
+  const refreshToken = credentials.UIPATH_REFRESH_TOKEN;
+  if (expiration && expiration <= outerThreshold && refreshToken) {
+    const refreshed = await attemptRefresh({
+      absolutePath,
+      credentials,
+      accessToken: credentials.UIPATH_ACCESS_TOKEN,
+      refreshToken,
+      expiration,
+      ensureTokenValidityMinutes,
+      getFs,
+      loadEnvFile,
+      saveEnvFile,
+      refreshFn: refreshTokenFn,
+      resolveConfig,
+      loadBreaker,
+      saveBreaker,
+      clearBreaker,
+      globalHint
+    });
+    if (refreshed.kind === "terminal") {
+      return refreshed.status;
+    }
+    tokens = refreshed.tokens;
+  }
+  return buildFileStatus(tokens, credentials, globalHint);
+};
+async function resolveRobotEnforcedStatus(robotFallback) {
+  if (isEnvAuthEnabled()) {
+    throw new EnvAuthConfigError(`${ENV_AUTH_ENABLE_VAR}=true and ${ENFORCE_ROBOT_AUTH_VAR}=true ` + `are mutually exclusive. Unset one of them and re-run.`);
+  }
+  const robotCreds = await robotFallback({ force: true });
+  if (!robotCreds) {
+    return {
+      loginStatus: "Not logged in",
+      hint: `${ENFORCE_ROBOT_AUTH_VAR}=true but the UiPath Robot ` + `session is unavailable. Start and sign in to the Assistant, ` + `or unset ${ENFORCE_ROBOT_AUTH_VAR} to fall back to file or ` + `env-var authentication.`
+    };
+  }
+  return buildRobotStatus(robotCreds);
 }
-function normalizeTokenRefreshUnavailableFailure() {
-  return "token refresh failed before authentication completed";
+async function resolveBorrowedRobotStatus(robotFallback) {
+  const robotCreds = await robotFallback();
+  return robotCreds ? buildRobotStatus(robotCreds) : { loginStatus: "Not logged in" };
 }
-function errorMessage(error) {
-  return error instanceof Error ? error.message : String(error);
+async function loadFileCredentials(loadEnvFile, absolutePath) {
+  let credentials;
+  try {
+    credentials = await loadEnvFile({ envPath: absolutePath });
+  } catch (error) {
+    if (isFileNotFoundError(error)) {
+      return { status: { loginStatus: "Not logged in" } };
+    }
+    throw error;
+  }
+  if (!credentials.UIPATH_ACCESS_TOKEN) {
+    return { status: { loginStatus: "Not logged in" } };
+  }
+  return { credentials };
+}
+async function getGlobalCredsHint(getFs, loadEnvFile, absolutePath, envFilePath) {
+  const fs7 = getFs();
+  const globalPath = fs7.path.join(fs7.env.homedir(), envFilePath);
+  if (absolutePath === globalPath)
+    return;
+  if (!await fs7.exists(globalPath))
+    return;
+  try {
+    const globalCreds = await loadEnvFile({ envPath: globalPath });
+    if (!globalCreds.UIPATH_ACCESS_TOKEN)
+      return;
+    const globalExp = getTokenExpiration(globalCreds.UIPATH_ACCESS_TOKEN);
+    if (globalExp && globalExp <= new Date)
+      return;
+    return `Local credentials file at ${absolutePath} has expired credentials. Valid credentials exist in ${globalPath}. Remove the local file or run 'uip login' to re-authenticate.`;
+  } catch {
+    return;
+  }
 }
 function computeExpirationThreshold(ensureTokenValidityMinutes) {
   return new Date(Date.now() + (ensureTokenValidityMinutes ?? 0) * 60 * 1000);
 }
+async function attemptRefresh(ctx) {
+  const shortCircuit = await circuitBreakerShortCircuit(ctx);
+  if (shortCircuit) {
+    return { kind: "terminal", status: shortCircuit };
+  }
+  let release;
+  try {
+    release = await ctx.getFs().acquireLock(ctx.absolutePath);
+  } catch (error) {
+    return {
+      kind: "terminal",
+      status: await lockAcquireFailureStatus(ctx, error)
+    };
+  }
+  let lockedFailure;
+  let lockReleaseFailed = false;
+  let success;
+  try {
+    const outcome = await runRefreshLocked({
+      absolutePath: ctx.absolutePath,
+      refreshToken: ctx.refreshToken,
+      customAuthority: ctx.credentials.UIPATH_URL,
+      ensureTokenValidityMinutes: ctx.ensureTokenValidityMinutes,
+      loadEnvFile: ctx.loadEnvFile,
+      saveEnvFile: ctx.saveEnvFile,
+      refreshFn: ctx.refreshFn,
+      resolveConfig: ctx.resolveConfig,
+      loadBreaker: ctx.loadBreaker,
+      saveBreaker: ctx.saveBreaker,
+      clearBreaker: ctx.clearBreaker
+    });
+    if (outcome.kind === "fail") {
+      lockedFailure = outcome.status;
+    } else {
+      success = outcome;
+    }
+  } finally {
+    try {
+      await release();
+    } catch {
+      lockReleaseFailed = true;
+    }
+  }
+  if (lockedFailure) {
+    const globalHint = await ctx.globalHint();
+    const base = globalHint ? { ...lockedFailure, loginStatus: "Expired", hint: globalHint } : lockedFailure;
+    return {
+      kind: "terminal",
+      status: lockReleaseFailed ? { ...base, lockReleaseFailed: true } : base
+    };
+  }
+  return {
+    kind: "refreshed",
+    tokens: {
+      accessToken: success?.accessToken,
+      refreshToken: success?.refreshToken,
+      expiration: success?.expiration,
+      tokenRefresh: success?.tokenRefresh,
+      persistenceWarning: success?.persistenceWarning,
+      lockReleaseFailed
+    }
+  };
+}
+async function buildFileStatus(tokens, credentials, globalHint) {
+  const result = {
+    loginStatus: tokens.expiration && tokens.expiration <= new Date ? "Expired" : "Logged in",
+    accessToken: tokens.accessToken,
+    refreshToken: tokens.refreshToken,
+    baseUrl: credentials.UIPATH_URL,
+    organizationName: credentials.UIPATH_ORGANIZATION_NAME,
+    organizationId: credentials.UIPATH_ORGANIZATION_ID,
+    tenantName: credentials.UIPATH_TENANT_NAME,
+    tenantId: credentials.UIPATH_TENANT_ID,
+    expiration: tokens.expiration,
+    source: "file" /* File */,
+    ...tokens.persistenceWarning ? { hint: tokens.persistenceWarning, persistenceFailed: true } : {},
+    ...tokens.lockReleaseFailed ? { lockReleaseFailed: true } : {},
+    ...tokens.tokenRefresh ? { tokenRefresh: tokens.tokenRefresh } : {}
+  };
+  if (result.loginStatus === "Expired") {
+    const hint = await globalHint();
+    if (hint) {
+      result.hint = hint;
+    }
+  }
+  return result;
+}
+function buildRobotStatus(robotCreds) {
+  return {
+    loginStatus: "Logged in",
+    accessToken: robotCreds.accessToken,
+    baseUrl: robotCreds.baseUrl,
+    organizationName: robotCreds.organizationName,
+    organizationId: robotCreds.organizationId,
+    tenantName: robotCreds.tenantName,
+    tenantId: robotCreds.tenantId,
+    issuer: robotCreds.issuer,
+    expiration: getTokenExpiration(robotCreds.accessToken),
+    source: "robot" /* Robot */
+  };
+}
+var isFileNotFoundError = (error) => {
+  if (!(error instanceof Object))
+    return false;
+  return error.code === "ENOENT";
+};
+async function circuitBreakerShortCircuit(ctx) {
+  const {
+    absolutePath,
+    refreshToken,
+    accessToken,
+    credentials,
+    expiration,
+    loadBreaker,
+    saveBreaker,
+    clearBreaker
+  } = ctx;
+  const fingerprint = await refreshTokenFingerprint(refreshToken);
+  const breaker = await loadBreaker(absolutePath).catch(() => ({}));
+  if (breaker.deadTokenFp && breaker.deadTokenFp !== fingerprint) {
+    await clearBreaker(absolutePath);
+    breaker.deadTokenFp = undefined;
+  }
+  const nowMs = Date.now();
+  const tokenIsDead = breaker.deadTokenFp === fingerprint;
+  const inBackoff = breaker.backoffUntilMs !== undefined && nowMs < breaker.backoffUntilMs;
+  if (!tokenIsDead && !inBackoff)
+    return;
+  const globalHint = await ctx.globalHint();
+  const suppressed = !shouldSurface(breaker, nowMs);
+  if (!suppressed) {
+    await saveBreaker(absolutePath, {
+      ...breaker,
+      lastSurfacedAtMs: nowMs
+    });
+  }
+  const deadHint = "Run 'uip login' to re-authenticate — the stored refresh token is invalid or expired. In a non-interactive context, authenticate with: uip login --client-id <id> --client-secret <secret> -t <tenant>.";
+  const backoffHint = "Token refresh is temporarily backed off after a recent network error and will retry automatically once the backoff window elapses.";
+  return {
+    loginStatus: globalHint ? "Expired" : "Refresh Failed",
+    ...globalHint ? {
+      accessToken,
+      refreshToken,
+      baseUrl: credentials.UIPATH_URL,
+      organizationName: credentials.UIPATH_ORGANIZATION_NAME,
+      organizationId: credentials.UIPATH_ORGANIZATION_ID,
+      tenantName: credentials.UIPATH_TENANT_NAME,
+      tenantId: credentials.UIPATH_TENANT_ID,
+      expiration,
+      source: "file" /* File */
+    } : {},
+    hint: globalHint ?? (tokenIsDead ? deadHint : backoffHint),
+    refreshCircuitOpen: true,
+    refreshTelemetrySuppressed: suppressed,
+    tokenRefresh: { attempted: false, success: false }
+  };
+}
+async function lockAcquireFailureStatus(ctx, error) {
+  const msg = errorMessage(error);
+  const globalHint = await ctx.globalHint();
+  if (globalHint) {
+    return {
+      loginStatus: "Expired",
+      accessToken: ctx.accessToken,
+      refreshToken: ctx.refreshToken,
+      baseUrl: ctx.credentials.UIPATH_URL,
+      organizationName: ctx.credentials.UIPATH_ORGANIZATION_NAME,
+      organizationId: ctx.credentials.UIPATH_ORGANIZATION_ID,
+      tenantName: ctx.credentials.UIPATH_TENANT_NAME,
+      tenantId: ctx.credentials.UIPATH_TENANT_ID,
+      expiration: ctx.expiration,
+      source: "file" /* File */,
+      hint: globalHint,
+      tokenRefresh: {
+        attempted: false,
+        success: false,
+        errorMessage: `lock acquisition failed: ${msg}`
+      }
+    };
+  }
+  return {
+    loginStatus: "Refresh Failed",
+    hint: "Could not acquire the auth-file lock — too many concurrent `uip` processes, or a permission issue on the auth directory. Retry, or run 'uip login' to re-authenticate.",
+    tokenRefresh: {
+      attempted: false,
+      success: false,
+      errorMessage: `lock acquisition failed: ${msg}`
+    }
+  };
+}
 async function runRefreshLocked(inputs) {
   const {
     absolutePath,
@@ -20762,7 +21251,10 @@ async function runRefreshLocked(inputs) {
     loadEnvFile,
     saveEnvFile,
     refreshFn,
-    resolveConfig
+    resolveConfig,
+    loadBreaker,
+    saveBreaker,
+    clearBreaker
   } = inputs;
   const expirationThreshold = computeExpirationThreshold(ensureTokenValidityMinutes);
   let fresh;
@@ -20785,6 +21277,7 @@ async function runRefreshLocked(inputs) {
   const freshAccess = fresh.UIPATH_ACCESS_TOKEN;
   const freshExp = freshAccess ? getTokenExpiration(freshAccess) : undefined;
   if (freshAccess && freshExp && freshExp > expirationThreshold) {
+    await clearBreaker(absolutePath);
     return {
       kind: "ok",
       accessToken: freshAccess,
@@ -20808,8 +21301,21 @@ async function runRefreshLocked(inputs) {
     refreshedRefresh = refreshed.refreshToken;
   } catch (error) {
     const isOAuthFailure = isTokenRefreshOAuthFailure(error);
-    const hint = isOAuthFailure ? "Run 'uip login' to re-authenticate — the stored refresh token is invalid or expired." : "Token refresh failed. Check your network connection, then retry or run 'uip login' to re-authenticate.";
+    const hint = isOAuthFailure ? "Run 'uip login' to re-authenticate — the stored refresh token is invalid or expired. In a non-interactive context, authenticate with: uip login --client-id <id> --client-secret <secret> -t <tenant>." : "Token refresh failed. Check your network connection, then retry or run 'uip login' to re-authenticate.";
     const message = isOAuthFailure ? normalizeTokenRefreshFailure() : normalizeTokenRefreshUnavailableFailure();
+    const fp = await refreshTokenFingerprint(tokenForIdP);
+    if (isOAuthFailure) {
+      await saveBreaker(absolutePath, { deadTokenFp: fp });
+    } else {
+      const prior = await loadBreaker(absolutePath).catch(() => ({}));
+      const attempts = (prior.attempts ?? 0) + 1;
+      await saveBreaker(absolutePath, {
+        ...prior,
+        deadTokenFp: undefined,
+        attempts,
+        backoffUntilMs: Date.now() + nextBackoffMs(attempts)
+      });
+    }
     return {
       kind: "fail",
       status: {
@@ -20838,6 +21344,7 @@ async function runRefreshLocked(inputs) {
       }
     };
   }
+  await clearBreaker(absolutePath);
   try {
     await saveEnvFile({
       envPath: absolutePath,
@@ -20870,212 +21377,15 @@ async function runRefreshLocked(inputs) {
     };
   }
 }
-var getLoginStatusWithDeps = async (options = {}, deps = {}) => {
-  const {
-    resolveEnvFilePath = resolveEnvFilePathAsync,
-    loadEnvFile = loadEnvFileAsync,
-    saveEnvFile = saveEnvFileAsync,
-    getFs = getFileSystem,
-    refreshToken: refreshTokenFn = refreshAccessToken,
-    resolveConfig = resolveConfigAsync,
-    robotFallback = tryRobotClientFallback
-  } = deps;
-  if (isRobotAuthEnforced()) {
-    if (isEnvAuthEnabled()) {
-      throw new EnvAuthConfigError(`${ENV_AUTH_ENABLE_VAR}=true and ${ENFORCE_ROBOT_AUTH_VAR}=true ` + `are mutually exclusive. Unset one of them and re-run.`);
-    }
-    const robotCreds = await robotFallback({ force: true });
-    if (!robotCreds) {
-      return {
-        loginStatus: "Not logged in",
-        hint: `${ENFORCE_ROBOT_AUTH_VAR}=true but the UiPath Robot ` + `session is unavailable. Start and sign in to the Assistant, ` + `or unset ${ENFORCE_ROBOT_AUTH_VAR} to fall back to file or ` + `env-var authentication.`
-      };
-    }
-    const expiration2 = getTokenExpiration(robotCreds.accessToken);
-    return {
-      loginStatus: "Logged in",
-      accessToken: robotCreds.accessToken,
-      baseUrl: robotCreds.baseUrl,
-      organizationName: robotCreds.organizationName,
-      organizationId: robotCreds.organizationId,
-      tenantName: robotCreds.tenantName,
-      tenantId: robotCreds.tenantId,
-      issuer: robotCreds.issuer,
-      expiration: expiration2,
-      source: "robot" /* Robot */
-    };
-  }
-  if (isEnvAuthEnabled()) {
-    return readAuthFromEnv();
-  }
-  const { envFilePath = DEFAULT_ENV_FILENAME, ensureTokenValidityMinutes } = options;
-  const { absolutePath } = await resolveEnvFilePath(envFilePath);
-  if (absolutePath === undefined) {
-    const robotCreds = await robotFallback();
-    if (robotCreds) {
-      const expiration2 = getTokenExpiration(robotCreds.accessToken);
-      const status = {
-        loginStatus: "Logged in",
-        accessToken: robotCreds.accessToken,
-        baseUrl: robotCreds.baseUrl,
-        organizationName: robotCreds.organizationName,
-        organizationId: robotCreds.organizationId,
-        tenantName: robotCreds.tenantName,
-        tenantId: robotCreds.tenantId,
-        issuer: robotCreds.issuer,
-        expiration: expiration2,
-        source: "robot" /* Robot */
-      };
-      return status;
-    }
-    return { loginStatus: "Not logged in" };
-  }
-  let credentials;
-  try {
-    credentials = await loadEnvFile({ envPath: absolutePath });
-  } catch (error) {
-    if (isFileNotFoundError(error)) {
-      return { loginStatus: "Not logged in" };
-    }
-    throw error;
-  }
-  if (!credentials.UIPATH_ACCESS_TOKEN) {
-    return { loginStatus: "Not logged in" };
-  }
-  let accessToken = credentials.UIPATH_ACCESS_TOKEN;
-  let refreshToken = credentials.UIPATH_REFRESH_TOKEN;
-  let expiration = getTokenExpiration(accessToken);
-  let persistenceWarning;
-  let lockReleaseFailed = false;
-  let tokenRefresh;
-  const outerThreshold = computeExpirationThreshold(ensureTokenValidityMinutes);
-  const tryGlobalCredsHint = async () => {
-    const fs7 = getFs();
-    const globalPath = fs7.path.join(fs7.env.homedir(), envFilePath);
-    if (absolutePath === globalPath)
-      return;
-    if (!await fs7.exists(globalPath))
-      return;
-    try {
-      const globalCreds = await loadEnvFile({ envPath: globalPath });
-      if (!globalCreds.UIPATH_ACCESS_TOKEN)
-        return;
-      const globalExp = getTokenExpiration(globalCreds.UIPATH_ACCESS_TOKEN);
-      if (globalExp && globalExp <= new Date)
-        return;
-      return `Local credentials file at ${absolutePath} has expired credentials. Valid credentials exist in ${globalPath}. Remove the local file or run 'uip login' to re-authenticate.`;
-    } catch {
-      return;
-    }
-  };
-  if (expiration && expiration <= outerThreshold && refreshToken) {
-    let release;
-    try {
-      release = await getFs().acquireLock(absolutePath);
-    } catch (error) {
-      const msg = errorMessage(error);
-      const globalHint = await tryGlobalCredsHint();
-      if (globalHint) {
-        return {
-          loginStatus: "Expired",
-          accessToken,
-          refreshToken,
-          baseUrl: credentials.UIPATH_URL,
-          organizationName: credentials.UIPATH_ORGANIZATION_NAME,
-          organizationId: credentials.UIPATH_ORGANIZATION_ID,
-          tenantName: credentials.UIPATH_TENANT_NAME,
-          tenantId: credentials.UIPATH_TENANT_ID,
-          expiration,
-          source: "file" /* File */,
-          hint: globalHint,
-          tokenRefresh: {
-            attempted: false,
-            success: false,
-            errorMessage: `lock acquisition failed: ${msg}`
-          }
-        };
-      }
-      return {
-        loginStatus: "Refresh Failed",
-        hint: "Could not acquire the auth-file lock — too many concurrent `uip` processes, or a permission issue on the auth directory. Retry, or run 'uip login' to re-authenticate.",
-        tokenRefresh: {
-          attempted: false,
-          success: false,
-          errorMessage: `lock acquisition failed: ${msg}`
-        }
-      };
-    }
-    let lockedFailure;
-    try {
-      const outcome = await runRefreshLocked({
-        absolutePath,
-        refreshToken,
-        customAuthority: credentials.UIPATH_URL,
-        ensureTokenValidityMinutes,
-        loadEnvFile,
-        saveEnvFile,
-        refreshFn: refreshTokenFn,
-        resolveConfig
-      });
-      if (outcome.kind === "fail") {
-        lockedFailure = outcome.status;
-      } else {
-        accessToken = outcome.accessToken;
-        refreshToken = outcome.refreshToken;
-        expiration = outcome.expiration;
-        tokenRefresh = outcome.tokenRefresh;
-        if (outcome.persistenceWarning) {
-          persistenceWarning = outcome.persistenceWarning;
-        }
-      }
-    } finally {
-      try {
-        await release();
-      } catch {
-        lockReleaseFailed = true;
-      }
-    }
-    if (lockedFailure) {
-      const globalHint = await tryGlobalCredsHint();
-      const base = globalHint ? {
-        ...lockedFailure,
-        loginStatus: "Expired",
-        hint: globalHint
-      } : lockedFailure;
-      return lockReleaseFailed ? { ...base, lockReleaseFailed: true } : base;
-    }
-  }
-  const result = {
-    loginStatus: expiration && expiration <= new Date ? "Expired" : "Logged in",
-    accessToken,
-    refreshToken,
-    baseUrl: credentials.UIPATH_URL,
-    organizationName: credentials.UIPATH_ORGANIZATION_NAME,
-    organizationId: credentials.UIPATH_ORGANIZATION_ID,
-    tenantName: credentials.UIPATH_TENANT_NAME,
-    tenantId: credentials.UIPATH_TENANT_ID,
-    expiration,
-    source: "file" /* File */,
-    ...persistenceWarning ? { hint: persistenceWarning, persistenceFailed: true } : {},
-    ...lockReleaseFailed ? { lockReleaseFailed: true } : {},
-    ...tokenRefresh ? { tokenRefresh } : {}
-  };
-  if (result.loginStatus === "Expired") {
-    const globalHint = await tryGlobalCredsHint();
-    if (globalHint) {
-      result.hint = globalHint;
-    }
-  }
-  return result;
-};
-var isFileNotFoundError = (error) => {
-  if (!(error instanceof Object))
-    return false;
-  return error.code === "ENOENT";
-};
-var getLoginStatusAsync = async (options = {}) => {
-  return getLoginStatusWithDeps(options);
-};
+function normalizeTokenRefreshFailure() {
+  return "stored refresh token is invalid or expired";
+}
+function normalizeTokenRefreshUnavailableFailure() {
+  return "token refresh failed before authentication completed";
+}
+function errorMessage(error) {
+  return error instanceof Error ? error.message : String(error);
+}
 
 // src/authContext.ts
 var getAuthContext = async (options = {}) => {
@@ -21137,6 +21447,14 @@ var getAuthEnv = async (options = {}) => {
   return { authEnv, loginStatus: status };
 };
 // src/clientCredentials.ts
+class ClientCredentialsAuthenticationError extends Error {
+  status;
+  constructor(message, status) {
+    super(message);
+    this.name = "ClientCredentialsAuthenticationError";
+    this.status = status;
+  }
+}
 var clientCredentialsLogin = async ({
   clientId,
   clientSecret,
@@ -21184,9 +21502,9 @@ Troubleshooting:` + `
   • The requested scopes may not be available for your account` + `
   • Try using default scopes or contact your UiPath administrator`;
     }
-    throw new Error(`Client Credentials authentication failed (${tokenResponse.status})
+    throw new ClientCredentialsAuthenticationError(`Client Credentials authentication failed (${tokenResponse.status})
 ` + `Error: ${errorType}
-` + `Details: ${errorDesc}${troubleshooting}`);
+` + `Details: ${errorDesc}${troubleshooting}`, tokenResponse.status);
   }
   return {
     UIPATH_ACCESS_TOKEN: tokenData.access_token,
@@ -21216,6 +21534,49 @@ var fetchTenantsAndOrganizations = async (baseUrl, accessToken, organizationId)
 };
 
 // src/selectTenant.ts
+var TENANT_SELECTION_REQUIRED_CODE = "TENANT_SELECTION_REQUIRED";
+var INVALID_TENANT_CODE = "INVALID_TENANT";
+
+class TenantSelectionError extends Error {
+  availableTenants;
+  organizationName;
+  constructor(message, organizationName, availableTenants) {
+    super(message);
+    this.organizationName = organizationName;
+    this.availableTenants = availableTenants;
+  }
+}
+
+class TenantSelectionRequiredError extends TenantSelectionError {
+  code = TENANT_SELECTION_REQUIRED_CODE;
+  constructor(organizationName, availableTenants) {
+    super(`Multiple tenants available in organization "${organizationName}"; none selected.`, organizationName, availableTenants);
+    this.name = "TenantSelectionRequiredError";
+  }
+}
+
+class InvalidTenantError extends TenantSelectionError {
+  code = INVALID_TENANT_CODE;
+  requestedTenant;
+  constructor(requestedTenant, organizationName, availableTenants) {
+    super(`Invalid tenant requested: "${requestedTenant}"
+` + `Organization: ${organizationName}
+` + `Available tenants: ${availableTenants.join(", ")}`, organizationName, availableTenants);
+    this.name = "InvalidTenantError";
+    this.requestedTenant = requestedTenant;
+  }
+}
+var TENANT_SELECTION_CODES = new Set([
+  TENANT_SELECTION_REQUIRED_CODE,
+  INVALID_TENANT_CODE
+]);
+function isTenantSelectionError(error) {
+  if (!(error instanceof Object) || !("code" in error)) {
+    return false;
+  }
+  const code = error.code;
+  return typeof code === "string" && TENANT_SELECTION_CODES.has(code) && Array.isArray(error.availableTenants);
+}
 var selectTenantWithDeps = async (baseUrl, accessToken, organizationId, targetTenantName, interactive, deps = {}) => {
   const {
     fetchTenantsAndOrgs = fetchTenantsAndOrganizations,
@@ -21228,13 +21589,10 @@ var selectTenantWithDeps = async (baseUrl, accessToken, organizationId, targetTe
   }
   const tenantNames = tenants.map((tenant) => tenant.name);
   let selectedIndex;
-  if (targetTenantName) {
+  if (targetTenantName !== undefined) {
     selectedIndex = tenants.findIndex((tenant) => tenant.name === targetTenantName);
     if (selectedIndex === -1) {
-      const availableTenants = tenants.map((t) => t.name).join(", ");
-      throw new Error(`Invalid tenant requested: "${targetTenantName}"
-` + `Organization: ${organization.name}
-` + `Available tenants: ${availableTenants}`);
+      throw new InvalidTenantError(targetTenantName, organization.name, tenantNames);
     }
   } else if (tenants.length === 1) {
     selectedIndex = 0;
@@ -21244,7 +21602,7 @@ var selectTenantWithDeps = async (baseUrl, accessToken, organizationId, targetTe
     }
     selectedIndex = await selectFromList(tenantNames, "Select a tenant:");
   } else {
-    selectedIndex = 0;
+    throw new TenantSelectionRequiredError(organization.name, tenantNames);
   }
   const selectedTenant = tenants[selectedIndex];
   return [selectedTenant.name, selectedTenant.id, organization.name];
@@ -21273,7 +21631,8 @@ var interactiveLoginWithDeps = async (options, deps) => {
     organization,
     interactive,
     onEvent,
-    timeoutMs
+    timeoutMs,
+    noBrowser
   } = options;
   const emit = (event) => {
     if (!onEvent)
@@ -21282,12 +21641,22 @@ var interactiveLoginWithDeps = async (options, deps) => {
       onEvent(event);
     } catch {}
   };
+  const deliverAuthUrl = (url) => {
+    try {
+      onEvent?.({ type: "auth-url", url });
+    } catch (error) {
+      throw new Error("Failed to deliver the authorize URL to the onEvent subscriber; " + "cannot continue headless login.", { cause: error });
+    }
+  };
   const config = await resolveConfig({
     customAuthority: authority,
     customClientId: clientId,
     customClientSecret: clientSecret
   });
   const { clientSecret: resolvedSecret } = config;
+  if (noBrowser && !resolvedSecret && !onEvent) {
+    throw new Error("noBrowser login requires an onEvent subscriber to receive the " + "auth-url event — the authorize URL is delivered through it.");
+  }
   const authPromise = resolvedSecret ? (async () => {
     return await clientCredentials({
       clientId: config.clientId,
@@ -21302,7 +21671,9 @@ var interactiveLoginWithDeps = async (options, deps) => {
       clientSecret,
       scope,
       organization,
-      timeoutMs
+      timeoutMs,
+      noBrowser,
+      onAuthUrl: noBrowser ? (url) => deliverAuthUrl(url) : undefined
     });
     return {
       UIPATH_ACCESS_TOKEN: authTokens.accessToken,
@@ -21333,10 +21704,12 @@ var interactiveLoginWithDeps = async (options, deps) => {
     credentials.UIPATH_TENANT_NAME = tenantName;
     credentials.UIPATH_TENANT_ID = tenantId;
   } catch (error) {
-    emit({
-      type: "tenant-fetch-failed",
-      message: error instanceof Error ? error.message : String(error)
-    });
+    if (!isTenantSelectionError(error)) {
+      emit({
+        type: "tenant-fetch-failed",
+        message: error instanceof Error ? error.message : String(error)
+      });
+    }
     throw error;
   }
   const fs7 = getFs();
@@ -21401,10 +21774,12 @@ init_src();
 async function logoutWithDeps(options, deps = {}) {
   const {
     resolveEnvFilePath = resolveEnvFilePathAsync,
-    getFileSystem: getFs = getFileSystem
+    getFileSystem: getFs = getFileSystem,
+    clearBreaker = clearRefreshBreaker,
+    getActiveProfileFilePath = getActiveAuthProfileFilePath
   } = deps;
   const fs7 = getFs();
-  const { absolutePath } = await resolveEnvFilePath(options.file);
+  const { absolutePath } = await resolveEnvFilePath(options.file ?? getActiveProfileFilePath());
   if (absolutePath && await fs7.exists(absolutePath)) {
     let release;
     try {
@@ -21416,6 +21791,7 @@ async function logoutWithDeps(options, deps = {}) {
     }
     try {
       await fs7.rm(absolutePath);
+      await clearBreaker(absolutePath);
     } finally {
       if (release) {
         await release().catch(() => {});
@@ -21446,7 +21822,9 @@ var authenticate = async ({
   redirectUri,
   scope,
   organization,
-  timeoutMs
+  timeoutMs,
+  noBrowser,
+  onAuthUrl
 }) => {
   const config = await resolveConfigAsync({
     customAuthority: baseUrl,
@@ -21496,7 +21874,7 @@ var authenticate = async ({
     const { NodeAuthStrategy: NodeAuthStrategy2 } = await Promise.resolve().then(() => (init_node_strategy(), exports_node_strategy));
     strategy = new NodeAuthStrategy2;
   }
-  const code = await strategy.execute(authUrl, effectiveRedirectUriUrl, state, { timeoutMs });
+  const code = await strategy.execute(authUrl, effectiveRedirectUriUrl, state, { timeoutMs, noBrowser, onAuthUrl });
   return await exchangeCodeForTokens({
     code,
     codeVerifier: code_verifier,
@@ -21508,17 +21886,25 @@ var authenticate = async ({
 };
 export {
   setAuthFileConfig,
+  setActiveAuthProfile,
   selectTenantWithDeps,
+  saveRefreshBreaker,
   saveEnvFileAsync,
+  runWithAuthProfile,
   resolveEnvFilePathAsync,
   resolveEnvFileLocationAsync,
+  resolveAuthProfileFilePath,
+  refreshTokenFingerprint,
   refreshAccessToken,
   readAuthFromEnv,
   parseJWT,
+  normalizeAuthProfileName,
   logoutWithDeps,
   logout,
+  loadRefreshBreaker,
   loadEnvFileAsync,
   isTokenRefreshOAuthFailure,
+  isTenantSelectionError,
   isRobotAuthEnforced,
   isNode,
   isEnvAuthEnabled,
@@ -21529,17 +21915,31 @@ export {
   getLoginStatusAsync,
   getAuthEnv,
   getAuthContext,
+  getActiveAuthProfileFilePath,
+  getActiveAuthProfile,
   fetchTenantsAndOrganizations,
   clientCredentialsLogin,
+  clearRefreshBreaker,
+  clearActiveAuthProfile,
   authenticate,
   TokenRefreshOAuthError,
+  TenantSelectionRequiredError,
+  TenantSelectionError,
+  TENANT_SELECTION_REQUIRED_CODE,
   LoginStatusSource,
+  InvalidTenantError,
   InvalidBaseUrlError,
+  INVALID_TENANT_CODE,
   EnvAuthConfigError,
   ENV_AUTH_VARS,
   ENV_AUTH_ENABLE_VAR,
   ENFORCE_ROBOT_AUTH_VAR,
   DEFAULT_ENV_FILENAME,
+  DEFAULT_AUTH_PROFILE,
   DEFAULT_AUTH_FILENAME,
+  ClientCredentialsAuthenticationError,
+  AuthProfileValidationError,
   AUTH_TIMEOUT_ERROR_CODE
 };
+
+//# debugId=B1F2D5989CE27CF464756E2164756E21