npm - azdo-cli - Versions diffs - 0.10.0-develop.268 → 0.10.0-develop.317 - Mend

azdo-cli 0.10.0-develop.268 → 0.10.0-develop.317

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/chunk-C7RAZJHV.js +1087 -0
package/dist/index.js +603 -494
package/dist/oauth-token-refresh-PHW66RC4.js +15 -0
package/package.json +1 -1

package/dist/chunk-C7RAZJHV.js ADDED Viewed

@@ -0,0 +1,1087 @@
+#!/usr/bin/env node
+// src/services/oauth-token-refresh.ts
+import { closeSync, mkdirSync, openSync, unlinkSync } from "fs";
+import { homedir } from "os";
+import { join } from "path";
+// src/services/oauth-flow.ts
+import { createServer } from "http";
+// src/lib/pkce.ts
+import { createHash, randomBytes } from "crypto";
+function base64urlNoPad(buf) {
+  return buf.toString("base64url");
+}
+function generateVerifier(byteLen = 32) {
+  if (byteLen < 32 || byteLen > 96) {
+    throw new RangeError("verifier byte length must be in [32, 96]");
+  }
+  return base64urlNoPad(randomBytes(byteLen));
+}
+function challengeForVerifier(verifier) {
+  return base64urlNoPad(createHash("sha256").update(verifier, "ascii").digest());
+}
+function randomState(byteLen = 16) {
+  if (byteLen < 12 || byteLen > 64) {
+    throw new RangeError("state byte length must be in [12, 64]");
+  }
+  return base64urlNoPad(randomBytes(byteLen));
+}
+var CODE_CHALLENGE_METHOD = "S256";
+// src/services/config-store.ts
+import fs from "fs";
+import path from "path";
+import os from "os";
+var SETTINGS = [
+  {
+    key: "org",
+    description: "Azure DevOps organization name",
+    type: "string",
+    example: "mycompany",
+    required: true
+  },
+  {
+    key: "project",
+    description: "Azure DevOps project name",
+    type: "string",
+    example: "MyProject",
+    required: true
+  },
+  {
+    key: "fields",
+    description: "Extra work item fields to include (comma-separated reference names)",
+    type: "string[]",
+    example: "System.Tags,Custom.Priority",
+    required: false
+  },
+  {
+    key: "markdown",
+    description: "Convert rich text fields to markdown on display",
+    type: "boolean",
+    example: "true",
+    required: false
+  }
+];
+var VALID_KEYS = SETTINGS.map((s) => s.key);
+function getConfigPath() {
+  return path.join(os.homedir(), ".azdo", "config.json");
+}
+function loadConfig() {
+  const configPath = getConfigPath();
+  let raw;
+  try {
+    raw = fs.readFileSync(configPath, "utf-8");
+  } catch (err) {
+    if (err.code === "ENOENT") {
+      return {};
+    }
+    throw err;
+  }
+  try {
+    return JSON.parse(raw);
+  } catch {
+    process.stderr.write(`Warning: Config file ${configPath} contains invalid JSON. Using defaults.
+`);
+    return {};
+  }
+}
+function saveConfig(config) {
+  const configPath = getConfigPath();
+  const dir = path.dirname(configPath);
+  fs.mkdirSync(dir, { recursive: true });
+  fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n");
+}
+function validateKey(key) {
+  if (!VALID_KEYS.includes(key)) {
+    throw new Error(`Unknown setting key "${key}". Valid keys: ${VALID_KEYS.join(", ")}`);
+  }
+}
+function getConfigValue(key) {
+  validateKey(key);
+  const config = loadConfig();
+  return config[key];
+}
+function setConfigValue(key, value) {
+  validateKey(key);
+  const config = loadConfig();
+  if (value === "") {
+    delete config[key];
+  } else if (key === "markdown") {
+    if (value !== "true" && value !== "false") {
+      throw new Error(`Invalid value "${value}" for markdown. Must be "true" or "false".`);
+    }
+    config.markdown = value === "true";
+  } else if (key === "fields") {
+    config.fields = value.split(",").map((s) => s.trim());
+  } else {
+    config[key] = value;
+  }
+  saveConfig(config);
+}
+function unsetConfigValue(key) {
+  validateKey(key);
+  const config = loadConfig();
+  delete config[key];
+  saveConfig(config);
+}
+// src/services/oauth-config.ts
+var DEFAULT_OAUTH_CLIENT_ID = "872cd9fa-d31f-45e0-9eab-6e460a02d1f1";
+var DEFAULT_OAUTH_TENANT_ID = "common";
+var AZDO_RESOURCE_ID = "499b84ac-1321-427f-aa17-267ca6975798";
+function defaultScopes() {
+  return [
+    `${AZDO_RESOURCE_ID}/vso.work`,
+    `${AZDO_RESOURCE_ID}/vso.work_write`,
+    `${AZDO_RESOURCE_ID}/vso.code`,
+    "offline_access",
+    "openid"
+  ];
+}
+function firstPartyShippedScopes() {
+  return [`${AZDO_RESOURCE_ID}/.default`, "offline_access", "openid"];
+}
+function resolveOAuthConfig(opts = {}) {
+  const envClientId = opts.envClientId ?? process.env.AZDO_OAUTH_CLIENT_ID;
+  const envTenantId = opts.envTenantId ?? process.env.AZDO_OAUTH_TENANT_ID;
+  const fileConfig = loadConfig();
+  const fileClientId = fileConfig.oauth?.clientId;
+  const fileTenantId = fileConfig.oauth?.tenantId;
+  let clientId;
+  let clientIdSource;
+  if (opts.clientIdOverride && opts.clientIdOverride.length > 0) {
+    clientId = opts.clientIdOverride;
+    clientIdSource = "flag";
+  } else if (envClientId && envClientId.length > 0) {
+    clientId = envClientId;
+    clientIdSource = "env";
+  } else if (fileClientId && fileClientId.length > 0) {
+    clientId = fileClientId;
+    clientIdSource = "config";
+  } else {
+    clientId = DEFAULT_OAUTH_CLIENT_ID;
+    clientIdSource = "default";
+  }
+  const tenantId = opts.tenantIdOverride ?? (envTenantId && envTenantId.length > 0 ? envTenantId : null) ?? (fileTenantId && fileTenantId.length > 0 ? fileTenantId : null) ?? DEFAULT_OAUTH_TENANT_ID;
+  const scopes = (() => {
+    if (opts.scopesOverride && opts.scopesOverride.length > 0) return [...opts.scopesOverride];
+    if (clientIdSource === "default") return [...firstPartyShippedScopes()];
+    return [...defaultScopes()];
+  })();
+  return {
+    clientId,
+    tenantId,
+    scopes,
+    clientIdSource,
+    authorizationEndpoint: `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/v2.0/authorize`,
+    tokenEndpoint: `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/v2.0/token`,
+    deviceCodeEndpoint: `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/v2.0/devicecode`
+  };
+}
+var REDIRECT_URI_PATTERN = /^http:\/\/(?:127\.0\.0\.1|localhost):\d+(?:\/callback)?$/;
+function validateRedirectUri(uri) {
+  return REDIRECT_URI_PATTERN.test(uri);
+}
+function buildScopeString(scopes) {
+  return scopes.join(" ");
+}
+// src/services/browser-open.ts
+import { execFile } from "child_process";
+function isHeadless(platform, hasDisplay) {
+  if (platform === "linux") {
+    return !hasDisplay;
+  }
+  return false;
+}
+function commandForPlatform(platform) {
+  switch (platform) {
+    case "darwin":
+      return { cmd: "open", args: (url) => [url] };
+    case "win32":
+      return { cmd: "rundll32", args: (url) => ["url.dll,FileProtocolHandler", url] };
+    case "linux":
+      return { cmd: "xdg-open", args: (url) => [url] };
+    default:
+      return null;
+  }
+}
+async function openUrl(url, opts = {}) {
+  const platform = opts.platform ?? process.platform;
+  const hasDisplay = opts.hasDisplay ?? (process.env.DISPLAY !== void 0 && process.env.DISPLAY !== "");
+  const forcePrint = opts.forcePrint ?? false;
+  if (forcePrint || isHeadless(platform, hasDisplay)) {
+    process.stderr.write(`Open this URL in your browser: ${url}
+`);
+    return "printed";
+  }
+  const spec = commandForPlatform(platform);
+  if (!spec) {
+    process.stderr.write(`Open this URL in your browser: ${url}
+`);
+    return "printed";
+  }
+  const runner = opts.execFileFn ?? ((cmd, args, cb) => execFile(cmd, args, { timeout: 5e3 }, (err) => cb(err)));
+  return await new Promise((resolve) => {
+    try {
+      runner(spec.cmd, spec.args(url), (err) => {
+        if (err) {
+          process.stderr.write(`Open this URL in your browser: ${url}
+`);
+          resolve("printed");
+        } else {
+          resolve("opened");
+        }
+      });
+    } catch {
+      process.stderr.write(`Open this URL in your browser: ${url}
+`);
+      resolve("printed");
+    }
+  });
+}
+// src/services/oauth-flow.ts
+var OAuthFlowError = class extends Error {
+  reason;
+  /**
+   * Structured IdP error code preserved verbatim from the OAuth error
+   * response (e.g. "invalid_grant", "AADSTS70008", "consent_required").
+   * Populated for `idp-error` reason when the IdP returned a parseable JSON
+   * error body. Undefined for other reasons (state-mismatch, port-conflict,
+   * timeout, etc.) where there is no IdP error code to forward.
+   *
+   * Callers that translate OAuth errors into a finer classification
+   * (e.g. oauth-token-refresh.classifyRefreshFailure) MUST inspect this
+   * field — the formatted .message string is intended for human display
+   * and is NOT a stable parsing surface.
+   */
+  idpErrorCode;
+  idpErrorDescription;
+  constructor(reason, message, cause, idp) {
+    super(message);
+    this.name = "OAuthFlowError";
+    this.reason = reason;
+    if (cause instanceof Error) {
+      this.cause = cause;
+    }
+    if (idp?.error) this.idpErrorCode = idp.error;
+    if (idp?.error_description) this.idpErrorDescription = idp.error_description;
+  }
+};
+var DEFAULT_TIMEOUT_MS = 5 * 60 * 1e3;
+var SHARED_HTML_STYLE = "<style>body{font-family:system-ui,sans-serif;max-width:480px;margin:8em auto;text-align:center;color:#222}p{color:#555}</style>";
+function successHtml(org) {
+  const escapedOrg = escapeHtml(org);
+  return '<!doctype html><html><head><meta charset="utf-8"><title>Login complete</title>' + SHARED_HTML_STYLE + '</head><body><h1 style="color:#107c10">Login complete</h1><p>You can close this tab and return to the terminal.</p><p style="font-size:0.9em">Organization: <code>' + escapedOrg + "</code></p></body></html>";
+}
+function errorHtml(msg) {
+  const escapedMsg = escapeHtml(msg);
+  return '<!doctype html><html><head><meta charset="utf-8"><title>Login failed</title>' + SHARED_HTML_STYLE + '</head><body><h1 style="color:#c50f1f">Login failed</h1><p>' + escapedMsg + '</p><p style="font-size:0.9em">Return to the terminal for details.</p></body></html>';
+}
+function escapeHtml(s) {
+  return s.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll('"', "&quot;").replaceAll("'", "&#39;");
+}
+var LoopbackListenerImpl = class {
+  constructor(server, port) {
+    this.server = server;
+    this.port = port;
+  }
+  active = null;
+  awaitCallback(session, signal) {
+    return new Promise((rResolve, rReject) => {
+      this.active = {
+        session,
+        resolve: (r) => this.finish(rResolve, r),
+        reject: (e) => this.finishError(rReject, e)
+      };
+      signal.addEventListener("abort", () => this.onAbort());
+    });
+  }
+  close() {
+    return new Promise((cResolve) => {
+      this.server.close(() => cResolve());
+    });
+  }
+  finish(rResolve, r) {
+    this.active = null;
+    rResolve(r);
+  }
+  finishError(rReject, e) {
+    this.active = null;
+    rReject(e);
+  }
+  onAbort() {
+    if (!this.active) return;
+    const a = this.active;
+    this.active = null;
+    a.reject(new OAuthFlowError("timeout", "OAuth flow aborted before callback"));
+  }
+};
+function bindLoopbackServer(factory, resolve, reject) {
+  const ref = { listener: null };
+  const server = factory((req, res) => {
+    handleCallback(req, res, ref.listener?.active ?? null);
+  });
+  server.once("error", (err) => {
+    reject(new OAuthFlowError("port-conflict", `failed to bind loopback listener: ${err.message}`, err));
+  });
+  server.listen({ host: "127.0.0.1", port: 0 }, () => {
+    const addr = server.address();
+    if (!addr || typeof addr === "string" || addr.port === 0) {
+      reject(new OAuthFlowError("port-conflict", "loopback listener did not return a numeric port"));
+      return;
+    }
+    ref.listener = new LoopbackListenerImpl(server, addr.port);
+    resolve(ref.listener);
+  });
+}
+async function openLoopbackListener(deps = {}) {
+  const factory = deps.createServer ?? createServer;
+  return new Promise((resolve, reject) => {
+    bindLoopbackServer(factory, resolve, reject);
+  });
+}
+function handleCallback(req, res, active) {
+  if (!req.url) {
+    writeError(res, 400, "missing request URL");
+    return;
+  }
+  const url = new URL(req.url, "http://127.0.0.1");
+  const path3 = url.pathname;
+  const q = url.searchParams;
+  if (path3 !== "/callback" && path3 !== "/") {
+    writeError(res, 404, `unexpected path ${path3}`);
+    if (active) active.reject(new OAuthFlowError("redirect-mismatch", `unexpected callback path "${path3}"`));
+    return;
+  }
+  if (!active) {
+    writeError(res, 503, "no active OAuth flow");
+    return;
+  }
+  const error = q.get("error");
+  if (error) {
+    const rawDesc = q.get("error_description") ?? "";
+    const descSuffix = rawDesc ? `: ${rawDesc}` : "";
+    writeError(res, 400, `IdP error: ${error}`);
+    active.reject(new OAuthFlowError("idp-error", `${error}${descSuffix}`));
+    return;
+  }
+  const state = q.get("state");
+  if (!state || state !== active.session.state) {
+    writeError(res, 400, "state mismatch");
+    active.reject(new OAuthFlowError("state-mismatch", "OAuth state parameter did not match originating session"));
+    return;
+  }
+  const code = q.get("code");
+  if (!code) {
+    writeError(res, 400, "missing authorization code");
+    active.reject(new OAuthFlowError("idp-error", "callback missing authorization code"));
+    return;
+  }
+  writeSuccess(res, active.session.org);
+  active.resolve({ code });
+}
+function writeSuccess(res, org) {
+  res.writeHead(200, { "content-type": "text/html; charset=utf-8" });
+  res.end(successHtml(org));
+}
+function writeError(res, status, msg) {
+  res.writeHead(status, { "content-type": "text/html; charset=utf-8" });
+  res.end(errorHtml(msg));
+}
+function prepareAuthCodeSession(input) {
+  if (!validateRedirectUri(input.redirectUri)) {
+    throw new OAuthFlowError(
+      "redirect-mismatch",
+      `redirect URI must be loopback-only (http://127.0.0.1:<port>/callback): ${input.redirectUri}`
+    );
+  }
+  const verifier = generateVerifier();
+  const challenge = challengeForVerifier(verifier);
+  const state = randomState();
+  return {
+    flow: "auth-code",
+    org: input.org,
+    state,
+    codeVerifier: verifier,
+    codeChallenge: challenge,
+    redirectUri: input.redirectUri,
+    clientId: input.oauthConfig.clientId,
+    tenantId: input.oauthConfig.tenantId,
+    scope: buildScopeString(input.oauthConfig.scopes),
+    startedAt: Math.floor(input.now / 1e3),
+    timeoutAt: Math.floor((input.now + input.timeoutMs) / 1e3)
+  };
+}
+function buildAuthorizationUrl(session, oauthConfig) {
+  const params = new URLSearchParams({
+    client_id: session.clientId,
+    response_type: "code",
+    redirect_uri: session.redirectUri,
+    scope: session.scope,
+    state: session.state,
+    code_challenge: session.codeChallenge,
+    code_challenge_method: CODE_CHALLENGE_METHOD,
+    prompt: "select_account"
+  });
+  return `${oauthConfig.authorizationEndpoint}?${params.toString()}`;
+}
+async function exchangeCodeForToken(code, session, oauthConfig, fetchFn) {
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    code,
+    redirect_uri: session.redirectUri,
+    client_id: session.clientId,
+    code_verifier: session.codeVerifier,
+    scope: session.scope
+  });
+  const response = await fetchFn(oauthConfig.tokenEndpoint, {
+    method: "POST",
+    headers: { "content-type": "application/x-www-form-urlencoded", accept: "application/json" },
+    body: body.toString()
+  });
+  return await readTokenResponse(response);
+}
+async function readTokenResponse(response) {
+  const text = await response.text();
+  let parsed;
+  try {
+    parsed = JSON.parse(text);
+  } catch {
+    throw new OAuthFlowError(
+      "idp-error",
+      `IdP returned non-JSON HTTP ${response.status}: ${text.slice(0, 200)}`
+    );
+  }
+  if (!response.ok) {
+    const err = parsed;
+    const code = err.error ?? "unknown";
+    const desc = err.error_description ? `: ${err.error_description}` : "";
+    throw new OAuthFlowError(
+      "idp-error",
+      `IdP rejected request (${response.status}): ${code}${desc}`,
+      void 0,
+      err
+    );
+  }
+  const ok = parsed;
+  if (typeof ok.access_token !== "string" || ok.access_token.length === 0) {
+    throw new OAuthFlowError("idp-error", "token response missing access_token");
+  }
+  if (typeof ok.expires_in !== "number" || ok.expires_in <= 0) {
+    throw new OAuthFlowError("idp-error", "token response missing valid expires_in");
+  }
+  return ok;
+}
+function decodeIdTokenClaims(idToken) {
+  const parts = idToken.split(".");
+  if (parts.length < 2) return {};
+  try {
+    const payload = Buffer.from(parts[1], "base64url").toString("utf8");
+    return JSON.parse(payload);
+  } catch {
+    return {};
+  }
+}
+function tokenResponseToCredential(org, oauthConfig, token, now) {
+  const claims = token.id_token ? decodeIdTokenClaims(token.id_token) : {};
+  const accountId = claims.oid ?? claims.preferred_username ?? claims.upn ?? claims.email ?? "unknown";
+  const issuedAt = Math.floor(now / 1e3);
+  return {
+    kind: "oauth",
+    accessToken: token.access_token,
+    refreshToken: token.refresh_token ?? null,
+    expiresAt: issuedAt + token.expires_in,
+    issuedAt,
+    accountId,
+    scope: token.scope ?? buildScopeString(oauthConfig.scopes),
+    tenantId: oauthConfig.tenantId
+  };
+}
+async function runAuthCodeFlow(org, oauthConfig, deps = {}) {
+  const fetchFn = deps.fetch ?? fetch;
+  const open = deps.openUrl ?? openUrl;
+  const now = deps.now ?? (() => Date.now());
+  const timeoutMs = deps.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+  const listener = await openLoopbackListener(deps);
+  const redirectUri = oauthConfig.clientIdSource === "default" ? `http://localhost:${listener.port}` : `http://127.0.0.1:${listener.port}/callback`;
+  const session = prepareAuthCodeSession({ org, oauthConfig, redirectUri, now: now(), timeoutMs });
+  const ac = new AbortController();
+  const timer = setTimeout(() => ac.abort(), timeoutMs);
+  try {
+    const authUrl = buildAuthorizationUrl(session, oauthConfig);
+    process.stderr.write(`Opening browser to authorise ${org} (loopback callback at ${redirectUri})\u2026
+`);
+    await open(authUrl);
+    const cb = await listener.awaitCallback(session, ac.signal);
+    const token = await exchangeCodeForToken(cb.code, session, oauthConfig, fetchFn);
+    const credential = tokenResponseToCredential(org, oauthConfig, token, now());
+    return { credential, flowUsed: "auth-code" };
+  } finally {
+    clearTimeout(timer);
+    await listener.close();
+  }
+}
+// src/services/audit-log.ts
+import fs2 from "fs";
+import os2 from "os";
+import path2 from "path";
+function getAuditLogPath() {
+  return path2.join(os2.homedir(), ".azdo", "audit.log");
+}
+function ensureDirWithPerms(dir) {
+  if (!fs2.existsSync(dir)) {
+    fs2.mkdirSync(dir, { recursive: true, mode: 448 });
+    return;
+  }
+  try {
+    fs2.chmodSync(dir, 448);
+  } catch {
+  }
+}
+function ensureFileWithPerms(file) {
+  if (!fs2.existsSync(file)) {
+    fs2.writeFileSync(file, "", { mode: 384 });
+    return;
+  }
+  try {
+    fs2.chmodSync(file, 384);
+  } catch {
+  }
+}
+var FORBIDDEN_FIELDS = /* @__PURE__ */ new Set([
+  "token",
+  "accessToken",
+  "access_token",
+  "refreshToken",
+  "refresh_token",
+  "pat"
+]);
+function stripForbidden(input) {
+  const out = { ...input };
+  for (const key of Object.keys(out)) {
+    if (FORBIDDEN_FIELDS.has(key)) {
+      delete out[key];
+    }
+  }
+  return out;
+}
+function whenSet(value, key) {
+  return value === void 0 ? {} : { [key]: value };
+}
+function appendAuthAuditEvent(input) {
+  const auditLog = getAuditLogPath();
+  const dir = path2.dirname(auditLog);
+  ensureDirWithPerms(dir);
+  ensureFileWithPerms(auditLog);
+  const safe = stripForbidden(input);
+  const record = {
+    ts: (/* @__PURE__ */ new Date()).toISOString(),
+    event: safe.event,
+    org: safe.org,
+    backend: safe.backend,
+    ...whenSet(safe.masked_pat, "masked_pat"),
+    ...whenSet(safe.flow, "flow"),
+    ...whenSet(safe.clientIdSource, "clientIdSource"),
+    ...whenSet(safe.accountId, "accountId"),
+    ...whenSet(safe.scope, "scope"),
+    ...whenSet(safe.tokenLifetimeSec, "tokenLifetimeSec"),
+    ...whenSet(safe.reason, "reason")
+  };
+  fs2.appendFileSync(auditLog, `${JSON.stringify(record)}
+`);
+}
+function readAuditEvents() {
+  const auditLog = getAuditLogPath();
+  if (!fs2.existsSync(auditLog)) {
+    return [];
+  }
+  const contents = fs2.readFileSync(auditLog, "utf8");
+  const out = [];
+  for (const line of contents.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed) continue;
+    try {
+      const parsed = JSON.parse(trimmed);
+      if (parsed && typeof parsed === "object" && typeof parsed.event === "string") {
+        out.push(parsed);
+      }
+    } catch {
+    }
+  }
+  return out;
+}
+// src/services/credential-store.ts
+import { Entry } from "@napi-rs/keyring";
+// src/types/credential.ts
+var CredentialStoreUnavailableError = class extends Error {
+  backend;
+  constructor(backend, cause) {
+    super(`OS secret backend unavailable (${backend}). Install the platform's credential service and try again.`);
+    this.name = "CredentialStoreUnavailableError";
+    this.backend = backend;
+    if (cause instanceof Error) {
+      this.cause = cause;
+    }
+  }
+};
+var CredentialMissingError = class extends Error {
+  org;
+  constructor(org) {
+    super(`No stored credential for org "${org}". Run \`azdo auth login --org ${org}\` to authenticate.`);
+    this.name = "CredentialMissingError";
+    this.org = org;
+  }
+};
+var CredentialRefreshError = class extends Error {
+  org;
+  reason;
+  userMessage;
+  constructor(org, reason, cause) {
+    const userMessage = reason === "network" ? `OAuth refresh for org \`${org}\` failed (network error); check connectivity and retry the command. The stored credential is preserved.` : `Refresh token rejected for org \`${org}\`; run \`azdo auth login --org ${org}\` to re-authorise. The stored credential is preserved (FR-014) \u2014 inspect it with \`azdo auth status --org ${org}\`.`;
+    super(userMessage);
+    this.name = "CredentialRefreshError";
+    this.org = org;
+    this.reason = reason;
+    this.userMessage = userMessage;
+    if (cause instanceof Error) {
+      this.cause = cause;
+    }
+  }
+};
+// src/services/auth-masking.ts
+var VISIBLE_CHARS = 5;
+function maskedDisplay(pat) {
+  if (pat.length <= VISIBLE_CHARS * 2) {
+    return pat;
+  }
+  const hiddenCount = pat.length - VISIBLE_CHARS * 2;
+  return pat.slice(0, VISIBLE_CHARS) + "*".repeat(hiddenCount) + pat.slice(-VISIBLE_CHARS);
+}
+function normalizePat(rawPat) {
+  const trimmedPat = rawPat.trim();
+  return trimmedPat.length > 0 ? trimmedPat : null;
+}
+// src/services/credential-store.ts
+var SERVICE = "azdo-cli";
+var LEGACY_ACCOUNT = "pat";
+function accountFor(org) {
+  return `pat:${org}`;
+}
+function probeBackend() {
+  switch (process.platform) {
+    case "win32":
+      return "windows-credential-manager";
+    case "darwin":
+      return "macos-keychain";
+    case "linux":
+      return "linux-libsecret";
+    default:
+      return "unknown";
+  }
+}
+function wrapUnavailable(fn) {
+  try {
+    return fn();
+  } catch (err) {
+    throw new CredentialStoreUnavailableError(probeBackend(), err);
+  }
+}
+function entryFor(account) {
+  return wrapUnavailable(() => new Entry(SERVICE, account));
+}
+var legacyUnsetNoticeEmitted = false;
+function emitLegacyUnsetNoticeOnce() {
+  if (legacyUnsetNoticeEmitted) return;
+  legacyUnsetNoticeEmitted = true;
+  process.stderr.write(
+    'A legacy PAT exists in the OS vault from a previous azdo-cli version, but no "org" is set in config. Run `azdo auth --org <name>` to re-store it under the per-org key, then `azdo clear-pat` to remove the legacy slot.\n'
+  );
+}
+function isValidOAuthEnvelope(value) {
+  if (!value || typeof value !== "object") return false;
+  const v = value;
+  if (v.kind !== "oauth") return false;
+  if (typeof v.accessToken !== "string" || v.accessToken.length === 0) return false;
+  if (v.refreshToken !== null && typeof v.refreshToken !== "string") return false;
+  if (typeof v.expiresAt !== "number" || typeof v.issuedAt !== "number") return false;
+  if (v.expiresAt <= v.issuedAt) return false;
+  if (v.expiresAt - v.issuedAt > 24 * 3600) return false;
+  if (typeof v.accountId !== "string" || typeof v.scope !== "string" || typeof v.tenantId !== "string") {
+    return false;
+  }
+  return true;
+}
+function isValidPatEnvelope(value) {
+  if (!value || typeof value !== "object") return false;
+  const v = value;
+  return v.kind === "pat" && typeof v.token === "string" && v.token.length > 0;
+}
+function parseStoredValue(raw) {
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    return { kind: "pat", token: raw };
+  }
+  if (!parsed || typeof parsed !== "object" || !("kind" in parsed)) {
+    return { kind: "pat", token: raw };
+  }
+  if (isValidOAuthEnvelope(parsed)) {
+    return parsed;
+  }
+  if (isValidPatEnvelope(parsed)) {
+    return parsed;
+  }
+  throw new CredentialStoreUnavailableError(
+    probeBackend(),
+    new Error(`unknown or invalid credential envelope kind`)
+  );
+}
+function serializeCredential(cred) {
+  if (cred.kind === "oauth") {
+    if (cred.expiresAt <= cred.issuedAt) {
+      throw new Error("expiresAt must be greater than issuedAt");
+    }
+    if (cred.expiresAt - cred.issuedAt > 24 * 3600) {
+      throw new Error("OAuth access-token lifetime exceeds 24h sanity bound");
+    }
+    if (!cred.accessToken) {
+      throw new Error("OAuth credential missing accessToken");
+    }
+  } else if (!cred.token) {
+    throw new Error("PAT credential missing token");
+  }
+  return JSON.stringify(cred);
+}
+async function maybeMigrateLegacy(targetOrg) {
+  const config = loadConfig();
+  if (!config.org || config.org !== targetOrg) {
+    if (!config.org) {
+      let legacyExists;
+      try {
+        const legacyEntry2 = new Entry(SERVICE, LEGACY_ACCOUNT);
+        legacyExists = legacyEntry2.getPassword() !== null;
+      } catch {
+        legacyExists = false;
+      }
+      if (legacyExists) {
+        emitLegacyUnsetNoticeOnce();
+      }
+    }
+    return null;
+  }
+  const newEntry = entryFor(accountFor(targetOrg));
+  const existingNew = wrapUnavailable(() => newEntry.getPassword());
+  if (existingNew !== null) {
+    return null;
+  }
+  const legacyEntry = entryFor(LEGACY_ACCOUNT);
+  const legacy = wrapUnavailable(() => legacyEntry.getPassword());
+  if (legacy === null) {
+    return null;
+  }
+  wrapUnavailable(() => {
+    newEntry.setPassword(legacy);
+    legacyEntry.deletePassword();
+  });
+  appendAuthAuditEvent({
+    event: "auth.store",
+    org: targetOrg,
+    backend: probeBackend(),
+    masked_pat: maskedDisplay(legacy)
+  });
+  process.stderr.write(`Migrated legacy PAT to org ${targetOrg}.
+`);
+  return legacy;
+}
+async function getPat(org) {
+  const cred = await getStoredCredential(org);
+  if (cred === null) return null;
+  if (cred.kind === "pat") return cred.token;
+  return null;
+}
+async function getStoredCredential(org) {
+  const entry = entryFor(accountFor(org));
+  const value = wrapUnavailable(() => entry.getPassword());
+  if (value === null) {
+    const migrated = await maybeMigrateLegacy(org);
+    if (migrated === null) return null;
+    return parseStoredValue(migrated);
+  }
+  return parseStoredValue(value);
+}
+async function storePat(org, pat) {
+  const cred = { kind: "pat", token: pat };
+  const entry = entryFor(accountFor(org));
+  wrapUnavailable(() => entry.setPassword(serializeCredential(cred)));
+  appendAuthAuditEvent({
+    event: "auth.store",
+    org,
+    backend: probeBackend(),
+    masked_pat: maskedDisplay(pat)
+  });
+}
+async function storeOAuthCredential(org, cred) {
+  const entry = entryFor(accountFor(org));
+  wrapUnavailable(() => entry.setPassword(serializeCredential(cred)));
+}
+async function deletePat(org) {
+  const entry = entryFor(accountFor(org));
+  const existing = wrapUnavailable(() => entry.getPassword());
+  if (existing === null) {
+    return false;
+  }
+  let parsed;
+  try {
+    parsed = parseStoredValue(existing);
+  } catch {
+    parsed = { kind: "pat", token: existing };
+  }
+  wrapUnavailable(() => entry.deletePassword());
+  if (parsed.kind === "oauth") {
+    appendAuthAuditEvent({
+      event: "oauth-logout",
+      org,
+      backend: probeBackend(),
+      accountId: parsed.accountId
+    });
+  } else {
+    appendAuthAuditEvent({
+      event: "auth.delete",
+      org,
+      backend: probeBackend(),
+      masked_pat: maskedDisplay(parsed.token)
+    });
+  }
+  try {
+    const { unlinkSync: unlinkSync2 } = await import("fs");
+    const { lockPath: lockPath2 } = await import("./oauth-token-refresh-PHW66RC4.js");
+    unlinkSync2(lockPath2(org));
+  } catch {
+  }
+  return true;
+}
+async function listOrgsWithStoredPat() {
+  const seen = /* @__PURE__ */ new Set();
+  for (const ev of readAuditEvents()) {
+    if (ev.event === "auth.store" || ev.event === "oauth-login-success") {
+      seen.add(ev.org);
+    } else if (ev.event === "auth.delete" || ev.event === "oauth-logout") {
+      seen.delete(ev.org);
+    }
+  }
+  const present = [];
+  for (const org of seen) {
+    const entry = entryFor(accountFor(org));
+    const value = wrapUnavailable(() => entry.getPassword());
+    if (value !== null) {
+      present.push(org);
+    }
+  }
+  present.sort((a, b) => a.localeCompare(b));
+  return present;
+}
+// src/services/oauth-token-refresh.ts
+var DEFAULT_LOCK_WAIT_MS = 5e3;
+var inFlight = /* @__PURE__ */ new Map();
+function locksDir() {
+  return join(homedir(), ".azdo", ".locks");
+}
+var FILENAME_UNSAFE = /[^A-Za-z0-9_.-]/g;
+function lockPath(org) {
+  const safe = org.replaceAll(FILENAME_UNSAFE, "_");
+  return join(locksDir(), `${safe}.refresh`);
+}
+async function defaultAcquireLock(org, waitMs = DEFAULT_LOCK_WAIT_MS) {
+  const path3 = lockPath(org);
+  mkdirSync(locksDir(), { recursive: true, mode: 448 });
+  const deadline = Date.now() + waitMs;
+  for (; ; ) {
+    try {
+      const fd = openSync(path3, "wx");
+      closeSync(fd);
+      return {
+        release: () => {
+          try {
+            unlinkSync(path3);
+          } catch {
+          }
+        }
+      };
+    } catch (err) {
+      if (err.code !== "EEXIST") throw err;
+      if (Date.now() > deadline) return null;
+      await new Promise((r) => setTimeout(r, 100));
+    }
+  }
+}
+function classifyRefreshFailure(error) {
+  const code = typeof error === "string" ? error : error.error ?? "";
+  switch (code) {
+    case "invalid_grant":
+      return "invalid-grant";
+    case "AADSTS70008":
+    // refresh_token expired
+    case "expired_token":
+      return "window-exceeded";
+    case "AADSTS50173":
+    // Auth method change requires fresh login
+    case "consent_required":
+    case "interaction_required":
+    case "login_required":
+    case "access_denied":
+      return "revoked";
+    case "network":
+      return "network";
+    default:
+      return "unknown";
+  }
+}
+async function performRefresh(org, current, oauthConfig, fetchFn, now, persist) {
+  if (!current.refreshToken) {
+    throw new CredentialRefreshError(org, "invalid-grant");
+  }
+  const body = new URLSearchParams({
+    grant_type: "refresh_token",
+    client_id: oauthConfig.clientId,
+    refresh_token: current.refreshToken,
+    scope: buildScopeString(oauthConfig.scopes)
+  });
+  let response;
+  try {
+    response = await fetchFn(oauthConfig.tokenEndpoint, {
+      method: "POST",
+      headers: { "content-type": "application/x-www-form-urlencoded", accept: "application/json" },
+      body: body.toString()
+    });
+  } catch (err) {
+    appendAuthAuditEvent({
+      event: "oauth-refresh-failed",
+      org,
+      backend: probeBackend(),
+      accountId: current.accountId,
+      reason: "network"
+    });
+    throw new CredentialRefreshError(org, "network", err);
+  }
+  let token;
+  try {
+    token = await readTokenResponse(response);
+  } catch (err) {
+    let reason;
+    if (err instanceof OAuthFlowError && err.idpErrorCode) {
+      reason = classifyRefreshFailure({ error: err.idpErrorCode, error_description: err.idpErrorDescription });
+    } else {
+      reason = classifyRefreshFailure({ error: "unknown" });
+    }
+    appendAuthAuditEvent({
+      event: "oauth-refresh-failed",
+      org,
+      backend: probeBackend(),
+      accountId: current.accountId,
+      reason
+    });
+    throw new CredentialRefreshError(org, reason, err);
+  }
+  const issuedAt = Math.floor(now() / 1e3);
+  const next = {
+    kind: "oauth",
+    accessToken: token.access_token,
+    refreshToken: token.refresh_token ?? current.refreshToken,
+    expiresAt: issuedAt + token.expires_in,
+    issuedAt,
+    accountId: current.accountId,
+    scope: token.scope ?? current.scope,
+    tenantId: current.tenantId
+  };
+  await persist(org, next);
+  appendAuthAuditEvent({
+    event: "oauth-refresh-success",
+    org,
+    backend: probeBackend(),
+    accountId: current.accountId,
+    tokenLifetimeSec: token.expires_in
+  });
+  return next;
+}
+async function refreshIfNeeded(org, current, deps = {}) {
+  const now = deps.now ?? (() => Date.now());
+  const nowSec = Math.floor(now() / 1e3);
+  if (current.expiresAt - nowSec > 60) {
+    return current;
+  }
+  const inProcess = inFlight.get(org);
+  if (inProcess) {
+    return inProcess;
+  }
+  const fetchFn = deps.fetch ?? fetch;
+  const oauthConfig = deps.oauthConfigOverride ?? resolveOAuthConfig({
+    tenantIdOverride: current.tenantId
+  });
+  const acquire = deps.acquireLock ?? ((o) => defaultAcquireLock(o));
+  const persist = deps.persist ?? (async (o, c) => {
+    await storeOAuthCredential(o, c);
+  });
+  const op = (async () => {
+    const lock = await acquire(org);
+    try {
+      return await performRefresh(org, current, oauthConfig, fetchFn, now, persist);
+    } finally {
+      lock?.release();
+    }
+  })();
+  inFlight.set(org, op);
+  try {
+    return await op;
+  } finally {
+    inFlight.delete(org);
+  }
+}
+function _resetInFlight() {
+  inFlight.clear();
+}
+export {
+  CredentialStoreUnavailableError,
+  CredentialMissingError,
+  appendAuthAuditEvent,
+  readAuditEvents,
+  SETTINGS,
+  loadConfig,
+  getConfigValue,
+  setConfigValue,
+  unsetConfigValue,
+  maskedDisplay,
+  normalizePat,
+  AZDO_RESOURCE_ID,
+  defaultScopes,
+  firstPartyShippedScopes,
+  resolveOAuthConfig,
+  buildScopeString,
+  openUrl,
+  readTokenResponse,
+  tokenResponseToCredential,
+  runAuthCodeFlow,
+  locksDir,
+  lockPath,
+  classifyRefreshFailure,
+  refreshIfNeeded,
+  _resetInFlight,
+  probeBackend,
+  getPat,
+  getStoredCredential,
+  storePat,
+  storeOAuthCredential,
+  deletePat,
+  listOrgsWithStoredPat
+};