@vltpkg/registry-client 1.0.0-rc.3 → 1.0.0-rc.30

package/dist/{esm/add-header.d.ts → add-header.d.ts}

@@ -1,2 +1 @@
 export declare const addHeader: <H extends [string, string[] | string][] | Iterable<[string, string[] | string | undefined]> | Record<string, string[] | string | undefined> | string[]>(headers: H | null | undefined, key: string, value?: string) => H;
-//# sourceMappingURL=add-header.d.ts.map

package/dist/{esm/add-header.js → add-header.js}

@@ -24,4 +24,3 @@ export const addHeader = (headers, key, value) => {
         return headers;
     }
 };
-//# sourceMappingURL=add-header.js.map

package/dist/auth.d.ts

@@ -0,0 +1,44 @@
+import { Keychain } from '@vltpkg/keychain';
+export type Token = `Bearer ${string}` | `Basic ${string}`;
+/**
+ * Normalize a registry URL into a stable key that preserves the
+ * path prefix.  The result is `origin + pathname` with trailing
+ * slashes stripped so that
+ *   `https://r.io/luke/`  and  `https://r.io/luke`
+ * both produce the same key.
+ *
+ * For plain-origin registries the result is identical to the old
+ * `new URL(url).origin` behaviour (e.g. `https://registry.npmjs.org`).
+ */
+export declare const normalizeRegistryKey: (url: string) => string;
+/**
+ * Ensure a registry URL ends with `/` so that `new URL(path, base)`
+ * appends under the full path instead of replacing the last segment.
+ *
+ *   registryBase('https://r.io/scope/name')
+ *   // → 'https://r.io/scope/name/'
+ */
+export declare const registryBase: (url: string) => string;
+export declare const keychains: Map<string, Keychain<Token>>;
+/**
+ * In-memory token store for OIDC-exchanged tokens.
+ * These take precedence over env vars and keychain.
+ */
+export declare const runtimeTokens: Map<string, Token>;
+export declare const setRuntimeToken: (registry: string, token: Token) => void;
+export declare const clearRuntimeTokens: () => void;
+export declare const getKC: (identity: string) => Keychain<Token>;
+export declare const isToken: (t: any) => t is Token;
+export declare const deleteToken: (registry: string, identity: string) => Promise<void>;
+export declare const setToken: (registry: string, token: Token, identity: string) => Promise<void>;
+export declare const getToken: (registry: string, identity: string) => Promise<Token | undefined>;
+/**
+ * Find the best matching token for a request URL by performing a
+ * longest-prefix match against all known registry keys (runtime
+ * tokens, env-var registries, and keychain entries).
+ *
+ * This is used by `RegistryClient.request()` which only has the
+ * full request URL — not the configured registry URL that was used
+ * to construct it.
+ */
+export declare const getTokenByURL: (requestUrl: string, identity: string) => Promise<Token | undefined>;

package/dist/auth.js

@@ -0,0 +1,118 @@
+import { Keychain } from '@vltpkg/keychain';
+/**
+ * Normalize a registry URL into a stable key that preserves the
+ * path prefix.  The result is `origin + pathname` with trailing
+ * slashes stripped so that
+ *   `https://r.io/luke/`  and  `https://r.io/luke`
+ * both produce the same key.
+ *
+ * For plain-origin registries the result is identical to the old
+ * `new URL(url).origin` behaviour (e.g. `https://registry.npmjs.org`).
+ */
+export const normalizeRegistryKey = (url) => {
+    const u = new URL(url);
+    return (u.origin + u.pathname).replace(/\/+$/, '');
+};
+/**
+ * Ensure a registry URL ends with `/` so that `new URL(path, base)`
+ * appends under the full path instead of replacing the last segment.
+ *
+ *   registryBase('https://r.io/scope/name')
+ *   // → 'https://r.io/scope/name/'
+ */
+export const registryBase = (url) => url.endsWith('/') ? url : url + '/';
+// just exported for testing
+export const keychains = new Map();
+/**
+ * In-memory token store for OIDC-exchanged tokens.
+ * These take precedence over env vars and keychain.
+ */
+export const runtimeTokens = new Map();
+export const setRuntimeToken = (registry, token) => {
+    runtimeTokens.set(normalizeRegistryKey(registry), token);
+};
+export const clearRuntimeTokens = () => {
+    runtimeTokens.clear();
+};
+export const getKC = (identity) => {
+    const kc = keychains.get(identity);
+    if (kc)
+        return kc;
+    const i = identity ? `vlt/auth/${identity}` : 'vlt/auth';
+    const nkc = new Keychain(i);
+    keychains.set(identity, nkc);
+    return nkc;
+};
+export const isToken = (t) => typeof t === 'string' &&
+    (t.startsWith('Bearer ') || t.startsWith('Basic '));
+export const deleteToken = async (registry, identity) => {
+    const kc = getKC(identity);
+    await kc.load();
+    kc.delete(normalizeRegistryKey(registry));
+    await kc.save();
+};
+export const setToken = async (registry, token, identity) => {
+    const kc = getKC(identity);
+    await kc.load();
+    kc.set(normalizeRegistryKey(registry), token);
+    await kc.save();
+};
+export const getToken = async (registry, identity) => {
+    const kc = getKC(identity);
+    const key = normalizeRegistryKey(registry);
+    // Runtime tokens (e.g. from OIDC exchange) take precedence
+    const rt = runtimeTokens.get(key);
+    if (rt)
+        return rt;
+    const envReg = process.env.VLT_REGISTRY;
+    if (envReg && key === normalizeRegistryKey(envReg)) {
+        const envTok = process.env.VLT_TOKEN;
+        if (envTok)
+            return `Bearer ${envTok}`;
+    }
+    const tok = process.env[`VLT_TOKEN_${key.replace(/[^a-zA-Z0-9]+/g, '_')}`];
+    if (tok)
+        return `Bearer ${tok}`;
+    return kc.get(key);
+};
+/**
+ * Find the best matching token for a request URL by performing a
+ * longest-prefix match against all known registry keys (runtime
+ * tokens, env-var registries, and keychain entries).
+ *
+ * This is used by `RegistryClient.request()` which only has the
+ * full request URL — not the configured registry URL that was used
+ * to construct it.
+ */
+export const getTokenByURL = async (requestUrl, identity) => {
+    const normalized = normalizeRegistryKey(requestUrl);
+    // Collect all known registry keys.
+    const candidates = [...runtimeTokens.keys()];
+    const envReg = process.env.VLT_REGISTRY;
+    if (envReg) {
+        candidates.push(normalizeRegistryKey(envReg));
+    }
+    const kc = getKC(identity);
+    // Keychain entries
+    for (const k of await kc.keys()) {
+        candidates.push(k);
+    }
+    // Find the longest candidate key that is a prefix of the
+    // normalized request URL.
+    let bestKey;
+    let bestLen = 0;
+    for (const candidate of candidates) {
+        if (candidate.length > bestLen &&
+            (normalized === candidate ||
+                normalized.startsWith(candidate + '/'))) {
+            bestKey = candidate;
+            bestLen = candidate.length;
+        }
+    }
+    if (bestKey) {
+        return getToken(bestKey, identity);
+    }
+    // Fall back to origin-only match (handles VLT_TOKEN_* env vars
+    // which we can't enumerate by URL).
+    return getToken(requestUrl, identity);
+};

package/dist/{esm/cache-entry.d.ts → cache-entry.d.ts}

@@ -138,4 +138,3 @@ export declare class CacheEntry {
     encode(): Buffer;
 }
 export {};
-//# sourceMappingURL=cache-entry.d.ts.map

package/dist/{esm/cache-entry.js → cache-entry.js}

@@ -515,4 +515,3 @@ export class CacheEntry {
     }
 }
 const emptyCacheEntry = new CacheEntry(0, [], { contentLength: 0 });
-//# sourceMappingURL=cache-entry.js.map

package/dist/{esm/cache-revalidate.d.ts → cache-revalidate.d.ts}

@@ -1,2 +1 @@
 export declare const register: (path: string, method: "HEAD" | "GET", url: string | URL) => void;
-//# sourceMappingURL=cache-revalidate.d.ts.map

package/dist/{esm/cache-revalidate.js → cache-revalidate.js}

@@ -1,6 +1,5 @@
 import { spawn } from 'node:child_process';
 import { __CODE_SPLIT_SCRIPT_NAME } from "./revalidate.js";
-import { pathToFileURL } from 'node:url';
 const isDeno = globalThis.Deno != undefined;
 let didProcessBeforeExitHook = false;
 const registered = new Map();
@@ -22,22 +21,14 @@ const handleBeforeExit = () => {
         const env = { ...process.env };
         const args = [];
         /* c8 ignore start */
-        // When compiled the script to be run is passed as an
-        // environment variable and then routed by the main entry point
-        if (process.env.__VLT_INTERNAL_COMPILED) {
-            env.__VLT_INTERNAL_MAIN = pathToFileURL(__CODE_SPLIT_SCRIPT_NAME).toString();
-            args.push(path);
-        }
-        else {
-            // If we are running deno from source we need to add the
-            // unstable flags we need. The '-A' flag does not need
-            // to be passed in as Deno supplies that automatically.
-            if (isDeno) {
-                args.push('--unstable-node-globals', '--unstable-bare-node-builtins');
-            }
-            /* c8 ignore stop */
-            args.push(__CODE_SPLIT_SCRIPT_NAME, path);
+        // If we are running deno from source we need to add the
+        // unstable flags we need. The '-A' flag does not need
+        // to be passed in as Deno supplies that automatically.
+        if (isDeno) {
+            args.push('--unstable-node-globals', '--unstable-bare-node-builtins');
         }
+        /* c8 ignore stop */
+        args.push(__CODE_SPLIT_SCRIPT_NAME, path);
         registered.delete(path);
         // Deno on Windows does not support detached processes
         // https://github.com/denoland/deno/issues/25867
@@ -63,4 +54,3 @@ const handleBeforeExit = () => {
         }
     }
 };
-//# sourceMappingURL=cache-revalidate.js.map

package/dist/{esm/delete-header.d.ts → delete-header.d.ts}

@@ -1,2 +1 @@
 export declare const deleteHeader: <H extends [string, string[] | string][] | Iterable<[string, string[] | string | undefined]> | Record<string, string[] | string | undefined> | string[]>(headers: H | null | undefined, key: string) => H;
-//# sourceMappingURL=delete-header.d.ts.map

package/dist/{esm/delete-header.js → delete-header.js}

@@ -29,4 +29,3 @@ export const deleteHeader = (headers, key) => {
         return headers;
     }
 };
-//# sourceMappingURL=delete-header.js.map

package/dist/{esm/env.d.ts → env.d.ts}

@@ -4,4 +4,3 @@ export declare const isNode: boolean;
 export declare const bun: string | undefined;
 export declare const deno: string | undefined;
 export declare const node: string | undefined;
-//# sourceMappingURL=env.d.ts.map

package/dist/{esm/env.js → env.js}

@@ -10,4 +10,3 @@ export const isNode = !isDeno && !isBun && 'node' in proc.versions;
 export const bun = isBun ? proc.versions.bun : undefined;
 export const deno = isDeno ? proc.versions.deno : undefined;
 export const node = isNode ? proc.versions.node : undefined;
-//# sourceMappingURL=env.js.map

package/dist/{esm/get-header.d.ts → get-header.d.ts}

@@ -1,2 +1 @@
 export declare const getHeader: (headers: Iterable<[string, string[] | string | undefined]> | Record<string, string[] | string | undefined> | string[] | null | undefined, key: string) => string[] | string | undefined;
-//# sourceMappingURL=get-header.d.ts.map

package/dist/{esm/get-header.js → get-header.js}

@@ -34,4 +34,3 @@ export const getHeader = (headers, key) => {
         }
     }
 };
-//# sourceMappingURL=get-header.js.map

package/dist/handle-304-response.d.ts

@@ -0,0 +1,3 @@
+import type { Dispatcher } from 'undici';
+import type { CacheEntry } from './cache-entry.ts';
+export declare const handleCacheHitResponse: (resp: Dispatcher.ResponseData, entry?: CacheEntry) => entry is CacheEntry;

package/dist/handle-304-response.js

@@ -0,0 +1,8 @@
+export const handleCacheHitResponse = (resp, entry) => {
+    if ((resp.statusCode !== 304 && resp.statusCode !== 412) || !entry)
+        return false;
+    const d = String(resp.headers.date ?? '') || new Date().toUTCString();
+    entry.setHeader('date', d);
+    resp.body.resume();
+    return true;
+};

package/dist/{esm/index.d.ts → index.d.ts}

@@ -3,12 +3,14 @@ import type { Integrity } from '@vltpkg/types';
 import type { Dispatcher } from 'undici';
 import { RetryAgent } from 'undici';
 import type { Token } from './auth.ts';
-import { deleteToken, getKC, isToken, keychains, setToken } from './auth.ts';
+import { clearRuntimeTokens, deleteToken, getKC, getToken, getTokenByURL, isToken, keychains, normalizeRegistryKey, registryBase, runtimeTokens, setRuntimeToken, setToken } from './auth.ts';
 import type { JSONObj } from './cache-entry.ts';
 import { CacheEntry } from './cache-entry.ts';
 import type { TokenResponse } from './token-response.ts';
 import type { WebAuthChallenge } from './web-auth-challenge.ts';
-export { CacheEntry, deleteToken, getKC, isToken, keychains, setToken, type JSONObj, type Token, type TokenResponse, type WebAuthChallenge, };
+import { oidc } from './oidc.ts';
+import type { OidcOptions } from './oidc.ts';
+export { CacheEntry, clearRuntimeTokens, deleteToken, getKC, getToken, getTokenByURL, isToken, keychains, normalizeRegistryKey, oidc, registryBase, runtimeTokens, setRuntimeToken, setToken, type JSONObj, type OidcOptions, type Token, type TokenResponse, type WebAuthChallenge, };
 export type CacheableMethod = 'GET' | 'HEAD';
 export declare const isCacheableMethod: (m: unknown) => m is CacheableMethod;
 export type RegistryClientOptions = {
@@ -141,4 +143,3 @@ export declare class RegistryClient {
     webAuthOpener({ doneUrl, authUrl }: WebAuthChallenge): Promise<TokenResponse>;
     request(url: URL | string, options?: RegistryClientRequestOptions): Promise<CacheEntry>;
 }
-//# sourceMappingURL=index.d.ts.map

package/dist/{esm/index.js → index.js}

@@ -10,18 +10,19 @@ import { setTimeout } from 'node:timers/promises';
 import { loadPackageJson } from 'package-json-from-dist';
 import { Agent, RetryAgent } from 'undici';
 import { addHeader } from "./add-header.js";
-import { deleteToken, getKC, getToken, isToken, keychains, setToken, } from "./auth.js";
+import { clearRuntimeTokens, deleteToken, getKC, getToken, getTokenByURL, isToken, keychains, normalizeRegistryKey, registryBase, runtimeTokens, setRuntimeToken, setToken, } from "./auth.js";
 import { CacheEntry } from "./cache-entry.js";
 import { register } from "./cache-revalidate.js";
 import { bun, deno, node } from "./env.js";
-import { handle304Response } from "./handle-304-response.js";
+import { handleCacheHitResponse } from "./handle-304-response.js";
 import { otplease } from "./otplease.js";
 import { isRedirect, redirect } from "./redirect.js";
 import { setCacheHeaders } from "./set-cache-headers.js";
 import { getTokenResponse } from "./token-response.js";
 import { getWebAuthChallenge } from "./web-auth-challenge.js";
 import { getEncondedValue } from "./string-encoding.js";
-export { CacheEntry, deleteToken, getKC, isToken, keychains, setToken, };
+import { oidc } from "./oidc.js";
+export { CacheEntry, clearRuntimeTokens, deleteToken, getKC, getToken, getTokenByURL, isToken, keychains, normalizeRegistryKey, oidc, registryBase, runtimeTokens, setRuntimeToken, setToken, };
 export const isCacheableMethod = (m) => m === 'GET' || m === 'HEAD';
 const { version } = loadPackageJson(import.meta.filename, process.env.__VLT_INTERNAL_REGISTRY_CLIENT_PACKAGE_JSON);
 const nua = globalThis.navigator?.userAgent ??
@@ -52,7 +53,8 @@ export class RegistryClient {
     identity;
     staleWhileRevalidateFactor;
     constructor(options) {
-        const { cache = xdg.cache(), 'fetch-retry-factor': timeoutFactor = 2, 'fetch-retry-mintimeout': minTimeout = 0, 'fetch-retry-maxtimeout': maxTimeout = 30_000, 'fetch-retries': maxRetries = 3, identity = '', 'stale-while-revalidate-factor': staleWhileRevalidateFactor = 60, } = options;
+        const { cache = xdg.cache(), 'fetch-retry-factor': timeoutFactor = 2, 'fetch-retry-mintimeout': minTimeout = 0, 'fetch-retry-maxtimeout': maxTimeout = 30_000, 'fetch-retries': maxRetries = 3, identity = '', 'stale-while-revalidate-factor': staleWhileRevalidateFactor = 576, // 48h for a 5min cache
+         } = options;
         this.identity = identity;
         this.staleWhileRevalidateFactor = staleWhileRevalidateFactor;
         const path = resolve(cache, 'registry-client');
@@ -110,13 +112,14 @@ export class RegistryClient {
         if (!tok)
             return;
         const s = tok.replace(/^(Bearer|Basic) /i, '');
-        const tokensUrl = new URL('-/npm/v1/tokens', registry);
+        const base = registryBase(registry);
+        const tokensUrl = new URL('-/npm/v1/tokens', base);
         const record = await this.seek(tokensUrl, ({ token }) => s.startsWith(token), {
             useCache: false,
         }).catch(() => undefined);
         if (record) {
             const { key } = record;
-            await this.request(new URL(`-/npm/v1/tokens/token/${key}`, registry), { useCache: false, method: 'DELETE' });
+            await this.request(new URL(`-/npm/v1/tokens/token/${key}`, base), { useCache: false, method: 'DELETE' });
         }
         await deleteToken(registry, this.identity);
     }
@@ -134,7 +137,7 @@ export class RegistryClient {
         // - hang on the doneUrl until done
         //
         // if that fails: fall back to couchdb login
-        const webLoginURL = new URL('-/v1/login', registry);
+        const webLoginURL = new URL('-/v1/login', registryBase(registry));
         const response = await this.request(webLoginURL, {
             method: 'POST',
             useCache: false,
@@ -211,7 +214,6 @@ export class RegistryClient {
         const { useCache = !!m } = options;
         signal?.throwIfAborted();
         // first, try to get from the cache before making any request.
-        const { origin } = u;
         const key = `${method !== 'GET' ? method + ' ' : ''}${u}`;
         const buffer = useCache ?
             await this.cache.fetch(key, { context: { integrity } })
@@ -245,7 +247,7 @@ export class RegistryClient {
         }
         options.method = options.method ?? 'GET';
         // will remove if we don't have a token.
-        options.headers = addHeader(options.headers, 'authorization', await getToken(origin, this.identity));
+        options.headers = addHeader(options.headers, 'authorization', await getTokenByURL(String(u), this.identity));
         let response = null;
         try {
             response = await this.agent.request(options);
@@ -278,12 +280,17 @@ export class RegistryClient {
         return result;
     }
     async #handleResponse(url, options, response, entry) {
-        if (handle304Response(response, entry))
+        if (handleCacheHitResponse(response, entry))
             return entry;
+        let consumedBody;
         if (response.statusCode === 401) {
-            const repeatRequest = await otplease(this, options, response);
-            if (repeatRequest)
-                return await this.request(url, repeatRequest);
+            const otpResult = await otplease(this, options, response);
+            if (otpResult && 'retry' in otpResult) {
+                return await this.request(url, otpResult.retry);
+            }
+            if (otpResult && 'bodyConsumed' in otpResult) {
+                consumedBody = otpResult.bodyConsumed;
+            }
         }
         const h = [];
         for (const [key, value] of Object.entries(response.headers)) {
@@ -297,15 +304,20 @@ export class RegistryClient {
             }
         }
         const { integrity, trustIntegrity } = options;
+        // When otplease already consumed the body, use its length
+        // instead of the Content-Length header to size the CacheEntry
+        // buffer correctly.
+        const contentLength = consumedBody !== undefined ? consumedBody.length
+            : response.headers['content-length'] ?
+                Number(response.headers['content-length'])
+                : /* c8 ignore next */ undefined;
         const result = new CacheEntry(
         /* c8 ignore next - should always have a status code */
         response.statusCode || 200, h, {
             integrity,
             trustIntegrity,
             'stale-while-revalidate-factor': this.staleWhileRevalidateFactor,
-            contentLength: response.headers['content-length'] ?
-                Number(response.headers['content-length'])
-                : /* c8 ignore next */ undefined,
+            contentLength,
         });
         if (isRedirect(result)) {
             response.body.resume();
@@ -315,6 +327,15 @@ export class RegistryClient {
             }
             return result;
         }
+        // If otplease already consumed the body (e.g. checking for OTP
+        // prompt on a plain 401), use the text it read rather than trying
+        // to re-read from the already-drained stream.
+        if (consumedBody !== undefined) {
+            if (consumedBody.length > 0) {
+                result.addBody(new TextEncoder().encode(consumedBody));
+            }
+            return result;
+        }
         response.body.on('data', (chunk) => result.addBody(chunk));
         return await new Promise((res, rej) => {
             response.body.on('error', rej);
@@ -322,4 +343,3 @@ export class RegistryClient {
         });
     }
 }
-//# sourceMappingURL=index.js.map

package/dist/{esm/is-cacheable.d.ts → is-cacheable.d.ts}

@@ -2,4 +2,3 @@
  * Determine whether we're allowed to cache it, based on status code
  */
 export declare const isCacheable: (statusCode: number) => boolean;
-//# sourceMappingURL=is-cacheable.d.ts.map

package/dist/{esm/is-cacheable.js → is-cacheable.js}

@@ -7,4 +7,3 @@ export const isCacheable = (statusCode) => statusCode < 200 ? false
             : statusCode === 308 ? true
                 : statusCode === 410 ? true
                     : false;
-//# sourceMappingURL=is-cacheable.js.map

package/dist/{esm/is-iterable.d.ts → is-iterable.d.ts}

@@ -1,2 +1 @@
 export declare const isIterable: <T>(o: unknown) => o is Iterable<T>;
-//# sourceMappingURL=is-iterable.d.ts.map

package/dist/{esm/is-iterable.js → is-iterable.js}

@@ -1,2 +1 @@
 export const isIterable = (o) => !!o && typeof o === 'object' && Symbol.iterator in o;
-//# sourceMappingURL=is-iterable.js.map

package/dist/oidc.d.ts

@@ -0,0 +1,17 @@
+import type { Token } from './auth.ts';
+export type OidcOptions = {
+    /** The package name being published, e.g. `@scope/name` */
+    packageName: string;
+    /** The full registry URL, e.g. `https://registry.npmjs.org/` */
+    registry: string;
+};
+/**
+ * Detect CI environment and exchange an OIDC ID token for a
+ * registry auth token. Sets the token into the runtime token
+ * store so subsequent requests are authenticated.
+ *
+ * This function **never throws**. OIDC is always optional — if
+ * it is unavailable or any step fails the function returns
+ * `undefined` silently.
+ */
+export declare const oidc: (opts: OidcOptions) => Promise<Token | undefined>;

package/dist/oidc.js

@@ -0,0 +1,150 @@
+import { request } from 'undici';
+import { setRuntimeToken } from "./auth.js";
+const log = (...args) => 
+// eslint-disable-next-line no-console
+console.error('[vlt:oidc]', ...args);
+/**
+ * Safely parse a JSON response body, returning undefined on failure.
+ */
+const safeJson = async (res) => {
+    try {
+        return (await res.body.json());
+        /* c8 ignore next 3 - defensive: non-JSON response body */
+    }
+    catch {
+        return undefined;
+    }
+};
+/**
+ * Keys that are always replaced with '[REDACTED]' before logging.
+ */
+const SENSITIVE_KEYS = new Set(['token', 'value', 'secret', 'key']);
+/**
+ * Recursively redact sensitive fields from a value before logging.
+ * Works as a JSON.stringify replacer so nested objects are handled
+ * automatically — no sensitive value is ever serialised.
+ */
+const redact = (obj) => JSON.parse(JSON.stringify(obj, (k, v) => SENSITIVE_KEYS.has(k) ? '[REDACTED]' : v));
+/**
+ * Detect CI environment and exchange an OIDC ID token for a
+ * registry auth token. Sets the token into the runtime token
+ * store so subsequent requests are authenticated.
+ *
+ * This function **never throws**. OIDC is always optional — if
+ * it is unavailable or any step fails the function returns
+ * `undefined` silently.
+ */
+export const oidc = async (opts) => {
+    try {
+        return await _oidc(opts);
+    }
+    catch (err) /* c8 ignore start - defensive */ {
+        log('Unexpected error:', err instanceof Error ? err.message : String(err));
+        return undefined;
+    } /* c8 ignore stop */
+};
+const _oidc = async ({ packageName, registry, }) => {
+    const isGitHub = process.env.GITHUB_ACTIONS === 'true';
+    const isGitLab = process.env.GITLAB_CI === 'true';
+    const isCircle = process.env.CIRCLECI === 'true';
+    if (!isGitHub && !isGitLab && !isCircle) {
+        return undefined;
+    }
+    log(`CI detected: github=${isGitHub} gitlab=${isGitLab} circle=${isCircle}`);
+    // NPM_ID_TOKEN is supported as an override in all CI environments
+    let idToken = process.env.NPM_ID_TOKEN;
+    log(`NPM_ID_TOKEN: ${idToken ? `set (length=${idToken.length})` : 'not set'}`);
+    if (!idToken && isGitHub) {
+        idToken = await fetchGitHubIdToken(registry);
+    }
+    if (!idToken) {
+        log('No ID token available — skipping');
+        return undefined;
+    }
+    const token = await exchangeToken(idToken, packageName, registry);
+    if (token) {
+        setRuntimeToken(registry, token);
+        log(`Token set for registry ${registry}`);
+    }
+    else {
+        log('Token exchange did not return a token');
+    }
+    return token;
+};
+/**
+ * Fetch an OIDC ID token from GitHub Actions.
+ * Requires `id-token: write` permission in the workflow.
+ */
+const fetchGitHubIdToken = async (registry) => {
+    const requestUrl = process.env.ACTIONS_ID_TOKEN_REQUEST_URL;
+    const requestToken = process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
+    log(`ACTIONS_ID_TOKEN_REQUEST_URL: ${requestUrl ? `set (length=${requestUrl.length})` : 'not set — skipping (missing id-token permissions?)'}`);
+    log(`ACTIONS_ID_TOKEN_REQUEST_TOKEN: ${requestToken ? 'set' : 'not set'}`);
+    if (!requestUrl || !requestToken) {
+        return undefined;
+    }
+    const audience = `npm:${new URL(registry).hostname}`;
+    const url = new URL(requestUrl);
+    url.searchParams.append('audience', audience);
+    log(`Fetching GitHub ID token with audience ${audience}`);
+    try {
+        const res = await request(url, {
+            method: 'GET',
+            headers: {
+                accept: 'application/json',
+                authorization: `Bearer ${requestToken}`,
+            },
+        });
+        log(`GitHub ID token response: status=${res.statusCode}`);
+        if (res.statusCode < 200 || res.statusCode >= 300) {
+            const body = await safeJson(res);
+            log(`GitHub ID token error body: ${body ? JSON.stringify(redact(body)) : '(non-JSON response)'}`);
+            return undefined;
+        }
+        const json = await safeJson(res);
+        const value = json?.value;
+        log(`GitHub ID token: hasValue=${!!value}`);
+        return value || undefined;
+    }
+    catch (err) /* c8 ignore start - network error */ {
+        log('GitHub ID token fetch error:', err instanceof Error ? err.message : String(err));
+        return undefined;
+    } /* c8 ignore stop */
+};
+/**
+ * Exchange an OIDC ID token for an npm auth token via the
+ * registry token exchange endpoint.
+ */
+const exchangeToken = async (idToken, packageName, registry) => {
+    // npm escaping: @scope/name → @scope%2Fname
+    const escapedName = packageName.replace('/', '%2F');
+    const exchangeUrl = new URL(`/-/npm/v1/oidc/token/exchange/package/${escapedName}`, registry);
+    log(`Exchanging token for package: ${packageName}`);
+    log(`Exchange URL: ${exchangeUrl.href}`);
+    try {
+        const res = await request(exchangeUrl, {
+            method: 'POST',
+            headers: {
+                'content-type': 'application/json',
+                authorization: `Bearer ${idToken}`,
+            },
+        });
+        log(`Exchange response: status=${res.statusCode}`);
+        if (res.statusCode < 200 || res.statusCode >= 300) {
+            const body = await safeJson(res);
+            log(`Exchange error body: ${body ? JSON.stringify(redact(body)) : '(non-JSON response)'}`);
+            return undefined;
+        }
+        const json = await safeJson(res);
+        const hasToken = !!json?.token;
+        log(`Exchange result: hasToken=${hasToken}`);
+        if (!json?.token || typeof json.token !== 'string') {
+            return undefined;
+        }
+        return `Bearer ${json.token}`;
+    }
+    catch (err) /* c8 ignore start - network error */ {
+        log('Exchange request error:', err instanceof Error ? err.message : String(err));
+        return undefined;
+    } /* c8 ignore stop */
+};

package/dist/{esm/otplease.d.ts → otplease.d.ts}

@@ -1,4 +1,8 @@
 import type { Dispatcher } from 'undici';
 import type { RegistryClient, RegistryClientRequestOptions } from './index.ts';
-export declare const otplease: (client: RegistryClient, options: RegistryClientRequestOptions, response: Dispatcher.ResponseData) => Promise<RegistryClientRequestOptions | undefined>;
-//# sourceMappingURL=otplease.d.ts.map
+export type OtpResult = {
+    retry: RegistryClientRequestOptions;
+} | {
+    bodyConsumed: string;
+} | undefined;
+export declare const otplease: (client: RegistryClient, options: RegistryClientRequestOptions, response: Dispatcher.ResponseData) => Promise<OtpResult>;