berget 2.2.6 → 2.2.7

package/dist/src/commands/code/__tests__/auth-sync.test.js

@@ -0,0 +1,348 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const auth_sync_1 = require("../auth-sync");
+const fake_file_store_1 = require("./fake-file-store");
+const fake_prompter_1 = require("./fake-prompter");
+const fake_auth_service_1 = require("./fake-auth-service");
+const fake_api_key_service_1 = require("./fake-api-key-service");
+function base64urlEncode(data) {
+    return Buffer.from(data).toString("base64url");
+}
+function makeJwt(payload) {
+    const header = base64urlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
+    const body = base64urlEncode(JSON.stringify(payload));
+    return `${header}.${body}.signature`;
+}
+const HOME = "/home/user";
+const fakeCliAuth = (overrides = {}) => (Object.assign({ access_token: makeJwt({
+        realm_access: { roles: ["default-roles-berget"] },
+        exp: 9999999999999, // JWT exp in seconds (different from expires_at in ms)
+    }), refresh_token: "refreshtoken", expires_at: 9999999999999 }, overrides));
+(0, vitest_1.describe)("readCliAuth", () => {
+    (0, vitest_1.it)("returns null when auth file does not exist", () => __awaiter(void 0, void 0, void 0, function* () {
+        const files = new fake_file_store_1.FakeFileStore();
+        const result = yield (0, auth_sync_1.readCliAuth)(files, HOME);
+        (0, vitest_1.expect)(result).toBeNull();
+    }));
+    (0, vitest_1.it)("parses valid auth file", () => __awaiter(void 0, void 0, void 0, function* () {
+        const files = new fake_file_store_1.FakeFileStore();
+        const auth = fakeCliAuth();
+        files.seed(HOME + "/.berget/auth.json", JSON.stringify(auth));
+        const result = yield (0, auth_sync_1.readCliAuth)(files, HOME);
+        // The JWT's exp claim should be extracted and converted to milliseconds
+        const jwtPayload = JSON.parse(Buffer.from(auth.access_token.split(".")[1], "base64url").toString());
+        const expectedAuth = {
+            access_token: auth.access_token,
+            refresh_token: auth.refresh_token,
+            expires_at: jwtPayload.exp * 1000,
+        };
+        (0, vitest_1.expect)(result).toEqual(expectedAuth);
+    }));
+    (0, vitest_1.it)("returns null for malformed JSON", () => __awaiter(void 0, void 0, void 0, function* () {
+        const files = new fake_file_store_1.FakeFileStore();
+        files.seed(HOME + "/.berget/auth.json", "not json");
+        const result = yield (0, auth_sync_1.readCliAuth)(files, HOME);
+        (0, vitest_1.expect)(result).toBeNull();
+    }));
+    (0, vitest_1.it)("returns null when fields are missing", () => __awaiter(void 0, void 0, void 0, function* () {
+        const files = new fake_file_store_1.FakeFileStore();
+        files.seed(HOME + "/.berget/auth.json", JSON.stringify({ access_token: "only" }));
+        const result = yield (0, auth_sync_1.readCliAuth)(files, HOME);
+        (0, vitest_1.expect)(result).toBeNull();
+    }));
+});
+(0, vitest_1.describe)("isToolAuthenticated", () => {
+    (0, vitest_1.it)("returns false when auth file does not exist", () => __awaiter(void 0, void 0, void 0, function* () {
+        const files = new fake_file_store_1.FakeFileStore();
+        const result = yield (0, auth_sync_1.isToolAuthenticated)(files, HOME, "opencode");
+        (0, vitest_1.expect)(result).toBe(false);
+    }));
+    (0, vitest_1.it)("returns true when berget entry exists", () => __awaiter(void 0, void 0, void 0, function* () {
+        const files = new fake_file_store_1.FakeFileStore();
+        files.seed(HOME + "/.local/share/opencode/auth.json", JSON.stringify({ berget: { type: "oauth", access: "tok" } }));
+        const result = yield (0, auth_sync_1.isToolAuthenticated)(files, HOME, "opencode");
+        (0, vitest_1.expect)(result).toBe(true);
+    }));
+    (0, vitest_1.it)("returns false when berget entry is missing", () => __awaiter(void 0, void 0, void 0, function* () {
+        const files = new fake_file_store_1.FakeFileStore();
+        files.seed(HOME + "/.local/share/opencode/auth.json", JSON.stringify({ openai: { type: "api" } }));
+        const result = yield (0, auth_sync_1.isToolAuthenticated)(files, HOME, "opencode");
+        (0, vitest_1.expect)(result).toBe(false);
+    }));
+    (0, vitest_1.it)("checks correct path for pi", () => __awaiter(void 0, void 0, void 0, function* () {
+        const files = new fake_file_store_1.FakeFileStore();
+        files.seed(HOME + "/.pi/agent/auth.json", JSON.stringify({ berget: { type: "oauth" } }));
+        const result = yield (0, auth_sync_1.isToolAuthenticated)(files, HOME, "pi");
+        (0, vitest_1.expect)(result).toBe(true);
+    }));
+});
+(0, vitest_1.describe)("decodeJwtPayload", () => {
+    (0, vitest_1.it)("decodes a valid JWT payload", () => {
+        const payload = { sub: "123", realm_access: { roles: ["admin"] } };
+        const jwt = makeJwt(payload);
+        (0, vitest_1.expect)((0, auth_sync_1.decodeJwtPayload)(jwt)).toEqual(payload);
+    });
+    (0, vitest_1.it)("returns null for invalid format", () => {
+        (0, vitest_1.expect)((0, auth_sync_1.decodeJwtPayload)("not.a")).toBeNull();
+        (0, vitest_1.expect)((0, auth_sync_1.decodeJwtPayload)("onlyOnePart")).toBeNull();
+    });
+    (0, vitest_1.it)("returns null for invalid base64", () => {
+        (0, vitest_1.expect)((0, auth_sync_1.decodeJwtPayload)("header.bad\.base64.signature")).toBeNull();
+    });
+});
+(0, vitest_1.describe)("hasBergetCodeSeat", () => {
+    (0, vitest_1.it)("returns true when berget_code_seat is present", () => {
+        const token = makeJwt({
+            realm_access: { roles: ["berget_code_seat", "default-roles-berget"] },
+        });
+        (0, vitest_1.expect)((0, auth_sync_1.hasBergetCodeSeat)(token)).toBe(true);
+    });
+    (0, vitest_1.it)("returns false when role is missing", () => {
+        const token = makeJwt({
+            realm_access: { roles: ["default-roles-berget"] },
+        });
+        (0, vitest_1.expect)((0, auth_sync_1.hasBergetCodeSeat)(token)).toBe(false);
+    });
+    (0, vitest_1.it)("returns false when realm_access is missing", () => {
+        const token = makeJwt({ sub: "123" });
+        (0, vitest_1.expect)((0, auth_sync_1.hasBergetCodeSeat)(token)).toBe(false);
+    });
+    (0, vitest_1.it)("returns false for invalid JWT", () => {
+        (0, vitest_1.expect)((0, auth_sync_1.hasBergetCodeSeat)("invalid")).toBe(false);
+    });
+});
+(0, vitest_1.describe)("syncOAuthToTool", () => {
+    (0, vitest_1.it)("writes oauth tokens to opencode auth file", () => __awaiter(void 0, void 0, void 0, function* () {
+        const files = new fake_file_store_1.FakeFileStore();
+        const auth = fakeCliAuth();
+        yield (0, auth_sync_1.syncOAuthToTool)(files, HOME, "opencode", auth);
+        const written = files.getWrittenFiles();
+        const content = written.get(HOME + "/.local/share/opencode/auth.json");
+        const parsed = JSON.parse(content);
+        // The expires field should now use the JWT's exp claim (converted to milliseconds)
+        const jwtPayload = JSON.parse(Buffer.from(auth.access_token.split(".")[1], "base64url").toString());
+        (0, vitest_1.expect)(parsed.berget).toEqual({
+            type: "oauth",
+            access: auth.access_token,
+            refresh: auth.refresh_token,
+            expires: jwtPayload.exp * 1000,
+        });
+    }));
+    (0, vitest_1.it)("writes oauth tokens to pi auth file", () => __awaiter(void 0, void 0, void 0, function* () {
+        const files = new fake_file_store_1.FakeFileStore();
+        const auth = fakeCliAuth();
+        yield (0, auth_sync_1.syncOAuthToTool)(files, HOME, "pi", auth);
+        const written = files.getWrittenFiles();
+        const content = written.get(HOME + "/.pi/agent/auth.json");
+        const parsed = JSON.parse(content);
+        (0, vitest_1.expect)(parsed.berget.type).toBe("oauth");
+    }));
+    (0, vitest_1.it)("merges with existing providers", () => __awaiter(void 0, void 0, void 0, function* () {
+        const files = new fake_file_store_1.FakeFileStore();
+        files.seed(HOME + "/.local/share/opencode/auth.json", JSON.stringify({ openai: { type: "api", key: "sk-openai" } }));
+        const auth = fakeCliAuth();
+        yield (0, auth_sync_1.syncOAuthToTool)(files, HOME, "opencode", auth);
+        const written = files.getWrittenFiles();
+        const parsed = JSON.parse(written.get(HOME + "/.local/share/opencode/auth.json"));
+        (0, vitest_1.expect)(parsed.openai).toEqual({ type: "api", key: "sk-openai" });
+        (0, vitest_1.expect)(parsed.berget.type).toBe("oauth");
+    }));
+    (0, vitest_1.it)("sets 0o600 permissions on the auth file", () => __awaiter(void 0, void 0, void 0, function* () {
+        const files = new fake_file_store_1.FakeFileStore();
+        const auth = fakeCliAuth();
+        yield (0, auth_sync_1.syncOAuthToTool)(files, HOME, "opencode", auth);
+        const chmodCalls = files.getChmodCalls();
+        (0, vitest_1.expect)(chmodCalls).toHaveLength(1);
+        (0, vitest_1.expect)(chmodCalls[0]).toEqual({
+            path: HOME + "/.local/share/opencode/auth.json",
+            mode: 0o600,
+        });
+    }));
+});
+(0, vitest_1.describe)("syncApiKeyToTool", () => {
+    (0, vitest_1.it)('writes api key to opencode auth file with type "api"', () => __awaiter(void 0, void 0, void 0, function* () {
+        const files = new fake_file_store_1.FakeFileStore();
+        yield (0, auth_sync_1.syncApiKeyToTool)(files, HOME, "opencode", "sk_ber_test");
+        const written = files.getWrittenFiles();
+        const content = written.get(HOME + "/.local/share/opencode/auth.json");
+        const parsed = JSON.parse(content);
+        (0, vitest_1.expect)(parsed.berget).toEqual({
+            type: "api",
+            key: "sk_ber_test",
+        });
+    }));
+    (0, vitest_1.it)('writes api key to pi auth file with type "api_key"', () => __awaiter(void 0, void 0, void 0, function* () {
+        const files = new fake_file_store_1.FakeFileStore();
+        yield (0, auth_sync_1.syncApiKeyToTool)(files, HOME, "pi", "sk_ber_pi");
+        const written = files.getWrittenFiles();
+        const content = written.get(HOME + "/.pi/agent/auth.json");
+        const parsed = JSON.parse(content);
+        (0, vitest_1.expect)(parsed.berget).toEqual({
+            type: "api_key",
+            key: "sk_ber_pi",
+        });
+    }));
+    (0, vitest_1.it)("merges with existing providers", () => __awaiter(void 0, void 0, void 0, function* () {
+        const files = new fake_file_store_1.FakeFileStore();
+        files.seed(HOME + "/.local/share/opencode/auth.json", JSON.stringify({ anthropic: { type: "api", key: "sk-ant" } }));
+        yield (0, auth_sync_1.syncApiKeyToTool)(files, HOME, "opencode", "sk_ber_test");
+        const written = files.getWrittenFiles();
+        const parsed = JSON.parse(written.get(HOME + "/.local/share/opencode/auth.json"));
+        (0, vitest_1.expect)(parsed.anthropic).toEqual({ type: "api", key: "sk-ant" });
+    }));
+    (0, vitest_1.it)("sets 0o600 permissions on the auth file", () => __awaiter(void 0, void 0, void 0, function* () {
+        const files = new fake_file_store_1.FakeFileStore();
+        yield (0, auth_sync_1.syncApiKeyToTool)(files, HOME, "opencode", "sk_ber_test");
+        const chmodCalls = files.getChmodCalls();
+        (0, vitest_1.expect)(chmodCalls).toHaveLength(1);
+        (0, vitest_1.expect)(chmodCalls[0]).toEqual({
+            path: HOME + "/.local/share/opencode/auth.json",
+            mode: 0o600,
+        });
+    }));
+});
+(0, vitest_1.describe)("configureAuth", () => {
+    const makeAuthDeps = (overrides = {}) => (Object.assign({ prompter: new fake_prompter_1.FakePrompter([]), files: new fake_file_store_1.FakeFileStore(), authService: new fake_auth_service_1.FakeAuthService(true), apiKeyService: new fake_api_key_service_1.FakeApiKeyService("sk_ber_test"), homeDir: HOME }, overrides));
+    (0, vitest_1.it)("Case A: already authenticated — chooses keep → skips flow", () => __awaiter(void 0, void 0, void 0, function* () {
+        const files = new fake_file_store_1.FakeFileStore();
+        files.seed(HOME + "/.local/share/opencode/auth.json", JSON.stringify({ berget: { type: "oauth" } }));
+        const prompter = new fake_prompter_1.FakePrompter([(0, fake_prompter_1.select)("keep")]);
+        const deps = makeAuthDeps({ files, prompter });
+        const result = yield (0, auth_sync_1.configureAuth)(deps, "opencode");
+        (0, vitest_1.expect)(result.authenticated).toBe(true);
+        (0, vitest_1.expect)(deps.prompter.calls.length).toBe(1); // Only the select prompt
+    }));
+    (0, vitest_1.it)("Case A reconfigure: already authenticated — reconfigure with fresh browser login", () => __awaiter(void 0, void 0, void 0, function* () {
+        const files = new fake_file_store_1.FakeFileStore();
+        files.seed(HOME + "/.local/share/opencode/auth.json", JSON.stringify({ berget: { type: "oauth" } }));
+        const prompter = new fake_prompter_1.FakePrompter([(0, fake_prompter_1.select)("reconfigure"), (0, fake_prompter_1.select)("subscription")]);
+        const deps = makeAuthDeps({ files, prompter });
+        const authService = deps.authService;
+        const result = yield (0, auth_sync_1.configureAuth)(deps, "opencode");
+        (0, vitest_1.expect)(result.authenticated).toBe(true);
+        // Should have called loginInteractive (no token reuse since no ~/.berget/auth.json seeded)
+        (0, vitest_1.expect)(authService.loginInteractiveCallCount).toBeGreaterThanOrEqual(1);
+    }));
+    (0, vitest_1.it)("Case A reconfigure: already authenticated — reconfigure with valid CLI token → skips browser", () => __awaiter(void 0, void 0, void 0, function* () {
+        const farFuture = Date.now() + 365 * 24 * 60 * 60 * 1000; // 1 year from now
+        const files = new fake_file_store_1.FakeFileStore();
+        files.seed(HOME + "/.local/share/opencode/auth.json", JSON.stringify({ berget: { type: "oauth" } }));
+        files.seed(HOME + "/.berget/auth.json", JSON.stringify({
+            access_token: makeJwt({ realm_access: { roles: ["berget_code_seat"] }, exp: farFuture }),
+            refresh_token: "ref",
+            expires_at: farFuture,
+        }));
+        const prompter = new fake_prompter_1.FakePrompter([(0, fake_prompter_1.select)("reconfigure"), (0, fake_prompter_1.select)("subscription")]);
+        const authService = new fake_auth_service_1.FakeAuthService(true);
+        const deps = makeAuthDeps({ files, prompter, authService });
+        const result = yield (0, auth_sync_1.configureAuth)(deps, "opencode");
+        (0, vitest_1.expect)(result.authenticated).toBe(true);
+        // Should NOT have called loginInteractive since token was reused
+        (0, vitest_1.expect)(authService.loginInteractiveCallCount).toBe(0);
+    }));
+    (0, vitest_1.it)("Case B: login success + berget_code_seat → chooses subscription", () => __awaiter(void 0, void 0, void 0, function* () {
+        const files = new fake_file_store_1.FakeFileStore();
+        const jwt = makeJwt({
+            realm_access: { roles: ["berget_code_seat"] },
+            exp: 9999999999999,
+        });
+        files.seed(HOME + "/.berget/auth.json", JSON.stringify({
+            access_token: jwt,
+            refresh_token: "ref",
+            expires_at: 9999999999999,
+        }));
+        const prompter = new fake_prompter_1.FakePrompter([(0, fake_prompter_1.select)("subscription")]);
+        const deps = makeAuthDeps({ files, prompter });
+        const result = yield (0, auth_sync_1.configureAuth)(deps, "opencode");
+        (0, vitest_1.expect)(result.authenticated).toBe(true);
+        const written = files.getWrittenFiles();
+        (0, vitest_1.expect)(written.has(HOME + "/.local/share/opencode/auth.json")).toBe(true);
+        const parsed = JSON.parse(written.get(HOME + "/.local/share/opencode/auth.json"));
+        (0, vitest_1.expect)(parsed.berget.type).toBe("oauth");
+    }));
+    (0, vitest_1.it)("Case B variant: login success + seat → chooses api_key", () => __awaiter(void 0, void 0, void 0, function* () {
+        const files = new fake_file_store_1.FakeFileStore();
+        const jwt = makeJwt({
+            realm_access: { roles: ["berget_code_seat"] },
+            exp: 9999999999999,
+        });
+        files.seed(HOME + "/.berget/auth.json", JSON.stringify({
+            access_token: jwt,
+            refresh_token: "ref",
+            expires_at: 9999999999999,
+        }));
+        const prompter = new fake_prompter_1.FakePrompter([(0, fake_prompter_1.select)("api_key")]);
+        const deps = makeAuthDeps({ files, prompter });
+        const result = yield (0, auth_sync_1.configureAuth)(deps, "opencode");
+        (0, vitest_1.expect)(result.authenticated).toBe(true);
+        const written = files.getWrittenFiles();
+        const parsed = JSON.parse(written.get(HOME + "/.local/share/opencode/auth.json"));
+        (0, vitest_1.expect)(parsed.berget.type).toBe("api");
+        (0, vitest_1.expect)(parsed.berget.key).toBe("sk_ber_test");
+    }));
+    (0, vitest_1.it)("Case C: login success + no seat → creates api key", () => __awaiter(void 0, void 0, void 0, function* () {
+        const files = new fake_file_store_1.FakeFileStore();
+        const prompter = new fake_prompter_1.FakePrompter([(0, fake_prompter_1.confirm)(true)]);
+        const deps = makeAuthDeps({ files, prompter, authService: new fake_auth_service_1.FakeAuthService(true, false) });
+        const result = yield (0, auth_sync_1.configureAuth)(deps, "opencode");
+        (0, vitest_1.expect)(result.authenticated).toBe(true);
+        const written = files.getWrittenFiles();
+        const parsed = JSON.parse(written.get(HOME + "/.local/share/opencode/auth.json"));
+        (0, vitest_1.expect)(parsed.berget.type).toBe("api");
+        (0, vitest_1.expect)(parsed.berget.key).toBe("sk_ber_test");
+    }));
+    (0, vitest_1.it)("Case D: login success + no seat → declines api key", () => __awaiter(void 0, void 0, void 0, function* () {
+        const files = new fake_file_store_1.FakeFileStore();
+        const prompter = new fake_prompter_1.FakePrompter([(0, fake_prompter_1.confirm)(false)]);
+        const deps = makeAuthDeps({ files, prompter, authService: new fake_auth_service_1.FakeAuthService(true, false) });
+        const result = yield (0, auth_sync_1.configureAuth)(deps, "opencode");
+        (0, vitest_1.expect)(result.authenticated).toBe(false);
+        (0, vitest_1.expect)(files.getWrittenFiles().has(HOME + "/.local/share/opencode/auth.json")).toBe(false);
+    }));
+    (0, vitest_1.it)("Case E: login fails", () => __awaiter(void 0, void 0, void 0, function* () {
+        const files = new fake_file_store_1.FakeFileStore();
+        const authService = new fake_auth_service_1.FakeAuthService(false);
+        const deps = makeAuthDeps({ files, authService });
+        const result = yield (0, auth_sync_1.configureAuth)(deps, "opencode");
+        (0, vitest_1.expect)(result.authenticated).toBe(false);
+    }));
+    (0, vitest_1.it)("fails authentication when jwt decode fails", () => __awaiter(void 0, void 0, void 0, function* () {
+        const prompter = new fake_prompter_1.FakePrompter([]);
+        const deps = makeAuthDeps({
+            prompter,
+            authService: new fake_auth_service_1.FakeAuthService(true, true, false), // valid login, has seat, but invalid token
+        });
+        const result = yield (0, auth_sync_1.configureAuth)(deps, "opencode");
+        (0, vitest_1.expect)(result.authenticated).toBe(false); // Should fail due to invalid JWT
+        const written = deps.files.getWrittenFiles();
+        (0, vitest_1.expect)(written.size).toBe(0); // No files should be written
+    }));
+    (0, vitest_1.it)("preserves existing providers during sync", () => __awaiter(void 0, void 0, void 0, function* () {
+        const files = new fake_file_store_1.FakeFileStore();
+        files.seed(HOME + "/.local/share/opencode/auth.json", JSON.stringify({ openai: { type: "api", key: "sk-openai" } }));
+        files.seed(HOME + "/.berget/auth.json", JSON.stringify({
+            access_token: makeJwt({
+                realm_access: { roles: ["berget_code_seat"], exp: 9999999999999 },
+            }),
+            refresh_token: "ref",
+            expires_at: 9999999999999,
+        }));
+        const prompter = new fake_prompter_1.FakePrompter([(0, fake_prompter_1.select)("subscription")]);
+        const deps = makeAuthDeps({ files, prompter });
+        yield (0, auth_sync_1.configureAuth)(deps, "opencode");
+        const written = files.getWrittenFiles();
+        const parsed = JSON.parse(written.get(HOME + "/.local/share/opencode/auth.json"));
+        (0, vitest_1.expect)(parsed.openai).toEqual({ type: "api", key: "sk-openai" });
+        (0, vitest_1.expect)(parsed.berget).toBeDefined();
+    }));
+});

package/dist/src/commands/code/__tests__/fake-api-key-service.js

@@ -0,0 +1,23 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FakeApiKeyService = void 0;
+class FakeApiKeyService {
+    constructor(key) {
+        this._key = key;
+    }
+    create(_options) {
+        return __awaiter(this, void 0, void 0, function* () {
+            return { key: this._key };
+        });
+    }
+}
+exports.FakeApiKeyService = FakeApiKeyService;

package/dist/src/commands/code/__tests__/fake-auth-service.js

@@ -0,0 +1,55 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FakeAuthService = void 0;
+function base64urlEncode(data) {
+    return Buffer.from(data).toString("base64url");
+}
+function makeJwt(payload) {
+    const header = base64urlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
+    const body = base64urlEncode(JSON.stringify(payload));
+    return `${header}.${body}.signature`;
+}
+class FakeAuthService {
+    constructor(_shouldSucceed, _hasSeat = true, _validToken = true) {
+        this._shouldSucceed = _shouldSucceed;
+        this._hasSeat = _hasSeat;
+        this._validToken = _validToken;
+        this.loginCallCount = 0;
+        this.loginInteractiveCallCount = 0;
+    }
+    login() {
+        return __awaiter(this, void 0, void 0, function* () {
+            this.loginCallCount++;
+            return this._shouldSucceed;
+        });
+    }
+    loginInteractive() {
+        this.loginInteractiveCallCount++;
+        if (!this._shouldSucceed) {
+            return Promise.resolve({ success: false, error: "Login failed" });
+        }
+        const farFuture = Math.floor(Date.now() / 1000) + 3600 * 24 * 365; // 1 year from now in seconds
+        const accessToken = this._validToken
+            ? makeJwt({
+                realm_access: { roles: this._hasSeat ? ["berget_code_seat"] : ["default-roles-berget"] },
+                exp: farFuture,
+            })
+            : "invalid.token.here";
+        return Promise.resolve({
+            success: true,
+            accessToken,
+            refreshToken: "refresh",
+            expiresIn: 3600,
+        });
+    }
+}
+exports.FakeAuthService = FakeAuthService;

package/dist/src/commands/code/__tests__/fake-command-runner.js

@@ -18,8 +18,8 @@ class FakeCommandRunner {
     handle(match, response) {
         this.handlers.push({
             match: (cmd, args) => {
-                const full = `${cmd} ${args.join(' ')}`;
-                if (typeof match === 'string')
+                const full = `${cmd} ${args.join(" ")}`;
+                if (typeof match === "string")
                     return full.startsWith(match);
                 return match.test(full);
             },
@@ -29,17 +29,15 @@ class FakeCommandRunner {
     }
     checkInstalled(binary) {
         this._calls.push({ command: `check:${binary}`, args: [] });
-        return Promise.resolve(this.handlers.some(h => h.match(binary, ['--version'])) || false);
+        return Promise.resolve(this.handlers.some(h => h.match(binary, ["--version"])) || false);
     }
     run(command, args, options) {
         return __awaiter(this, void 0, void 0, function* () {
             this._calls.push({ command, args: [...args], options });
             const handler = this.handlers.find(h => h.match(command, args));
             if (!handler)
-                throw new Error(`Unexpected command: ${command} ${args.join(' ')}`);
-            const result = typeof handler.response === 'function'
-                ? handler.response(command, args)
-                : handler.response;
+                throw new Error(`Unexpected command: ${command} ${args.join(" ")}`);
+            const result = typeof handler.response === "function" ? handler.response(command, args) : handler.response;
             if (result instanceof Error)
                 throw result;
             return result;

package/dist/src/commands/code/__tests__/fake-file-store.js

@@ -14,6 +14,7 @@ class FakeFileStore {
     constructor() {
         this.files = new Map();
         this.dirs = new Set();
+        this._chmodCalls = [];
     }
     seed(path, content) {
         this.files.set(path, content);
@@ -39,8 +40,16 @@ class FakeFileStore {
             this.dirs.add(path);
         });
     }
+    chmod(path, mode) {
+        return __awaiter(this, void 0, void 0, function* () {
+            this._chmodCalls.push({ path, mode });
+        });
+    }
     getWrittenFiles() {
         return new Map(this.files);
     }
+    getChmodCalls() {
+        return this._chmodCalls;
+    }
 }
 exports.FakeFileStore = FakeFileStore;

package/dist/src/commands/code/__tests__/fake-prompter.js

@@ -9,21 +9,33 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.FakePrompter = exports.confirm = exports.select = exports.CANCEL = void 0;
+exports.FakePrompter = exports.multiselect = exports.confirm = exports.text = exports.select = exports.CANCEL = void 0;
 const errors_1 = require("../errors");
-exports.CANCEL = Symbol('cancel');
+exports.CANCEL = Symbol("cancel");
 const select = (value, match) => ({
-    kind: 'select',
-    match: typeof match === 'string' ? new RegExp(match) : match,
-    response: typeof value === 'symbol' ? value : String(value),
+    kind: "select",
+    match: typeof match === "string" ? new RegExp(match) : match,
+    response: typeof value === "symbol" ? value : String(value),
 });
 exports.select = select;
+const text = (value, match) => ({
+    kind: "text",
+    match: typeof match === "string" ? new RegExp(match) : match,
+    response: value,
+});
+exports.text = text;
 const confirm = (value, match) => ({
-    kind: 'confirm',
-    match: typeof match === 'string' ? new RegExp(match) : match,
+    kind: "confirm",
+    match: typeof match === "string" ? new RegExp(match) : match,
     response: value,
 });
 exports.confirm = confirm;
+const multiselect = (values, match) => ({
+    kind: "multiselect",
+    match: typeof match === "string" ? new RegExp(match) : match,
+    response: values === exports.CANCEL ? [exports.CANCEL] : values.map(v => String(v)),
+});
+exports.multiselect = multiselect;
 class FakePrompter {
     constructor(_script) {
         this._script = _script;
@@ -31,32 +43,32 @@ class FakePrompter {
         this._cursor = 0;
     }
     intro(message) {
-        this._calls.push({ method: 'intro', args: { message } });
+        this._calls.push({ method: "intro", args: { message } });
     }
     outro(message) {
-        this._calls.push({ method: 'outro', args: { message } });
+        this._calls.push({ method: "outro", args: { message } });
     }
     note(message, title) {
-        this._calls.push({ method: 'note', args: { message, title } });
+        this._calls.push({ method: "note", args: { message, title } });
     }
     spinner() {
         return {
             start: (msg) => {
-                this._calls.push({ method: 'spinner.start', args: { message: msg } });
+                this._calls.push({ method: "spinner.start", args: { message: msg } });
             },
             stop: (msg) => {
-                this._calls.push({ method: 'spinner.stop', args: { message: msg } });
+                this._calls.push({ method: "spinner.stop", args: { message: msg } });
             },
         };
     }
     select(opts) {
         return __awaiter(this, void 0, void 0, function* () {
-            this._calls.push({ method: 'select', args: opts });
+            this._calls.push({ method: "select", args: opts });
             const entry = this._script[this._cursor++];
             if (!entry)
                 throw new Error(`No script entry for select #${this._cursor} (${opts.message})`);
-            if (entry.kind !== 'select')
-                throw new Error(`Expected confirm, got select for ${opts.message}`);
+            if (entry.kind !== "select")
+                throw new Error(`Expected select, got ${entry.kind} for ${opts.message}`);
             if (entry.match && !entry.match.test(opts.message))
                 throw new Error(`Message mismatch: got "${opts.message}"`);
             if (entry.response === exports.CANCEL)
@@ -66,12 +78,27 @@ class FakePrompter {
     }
     confirm(opts) {
         return __awaiter(this, void 0, void 0, function* () {
-            this._calls.push({ method: 'confirm', args: opts });
+            this._calls.push({ method: "confirm", args: opts });
             const entry = this._script[this._cursor++];
             if (!entry)
                 throw new Error(`No script entry for confirm #${this._cursor} (${opts.message})`);
-            if (entry.kind !== 'confirm')
-                throw new Error(`Expected select, got confirm for ${opts.message}`);
+            if (entry.kind !== "confirm")
+                throw new Error(`Expected confirm, got ${entry.kind} for ${opts.message}`);
+            if (entry.match && !entry.match.test(opts.message))
+                throw new Error(`Message mismatch: got "${opts.message}"`);
+            if (entry.response === exports.CANCEL)
+                throw new errors_1.CancelledError();
+            return entry.response;
+        });
+    }
+    text(opts) {
+        return __awaiter(this, void 0, void 0, function* () {
+            this._calls.push({ method: "text", args: opts });
+            const entry = this._script[this._cursor++];
+            if (!entry)
+                throw new Error(`No script entry for text #${this._cursor} (${opts.message})`);
+            if (entry.kind !== "text")
+                throw new Error(`Expected text, got ${entry.kind} for ${opts.message}`);
             if (entry.match && !entry.match.test(opts.message))
                 throw new Error(`Message mismatch: got "${opts.message}"`);
             if (entry.response === exports.CANCEL)
@@ -79,6 +106,21 @@ class FakePrompter {
             return entry.response;
         });
     }
+    multiselect(opts) {
+        return __awaiter(this, void 0, void 0, function* () {
+            this._calls.push({ method: "multiselect", args: opts });
+            const entry = this._script[this._cursor++];
+            if (!entry)
+                throw new Error(`No script entry for multiselect #${this._cursor} (${opts.message})`);
+            if (entry.kind !== "multiselect")
+                throw new Error(`Expected multiselect, got ${entry.kind} for ${opts.message}`);
+            if (entry.match && !entry.match.test(opts.message))
+                throw new Error(`Message mismatch: got "${opts.message}"`);
+            if (entry.response.includes(exports.CANCEL))
+                throw new errors_1.CancelledError();
+            return entry.response;
+        });
+    }
     get calls() {
         return this._calls;
     }