cleargate 0.1.0-alpha.1

package/dist/admin-api/index.js

@@ -0,0 +1,313 @@
+#!/usr/bin/env node
+
+// src/admin-api/errors.ts
+var AdminApiError = class extends Error {
+  constructor(kind, status, details, message) {
+    super(message);
+    this.kind = kind;
+    this.status = status;
+    this.details = details;
+    this.name = "AdminApiError";
+  }
+  kind;
+  status;
+  details;
+};
+
+// src/admin-api/responses.ts
+import { z } from "zod";
+var ProjectSchema = z.object({
+  id: z.string(),
+  name: z.string(),
+  created_by: z.string(),
+  created_at: z.string(),
+  deleted_at: z.string().nullable()
+}).strict();
+var MemberSchema = z.object({
+  id: z.string(),
+  project_id: z.string(),
+  email: z.string(),
+  role: z.string(),
+  display_name: z.string().nullable().optional(),
+  created_at: z.string(),
+  status: z.enum(["pending", "active"])
+}).strict();
+var InviteCreatedSchema = z.object({
+  member: MemberSchema,
+  invite_url: z.string(),
+  invite_token: z.string(),
+  invite_expires_in: z.number().int()
+}).strict();
+var TokenMetaSchema = z.object({
+  id: z.string(),
+  member_id: z.string(),
+  name: z.string(),
+  created_at: z.string(),
+  expires_at: z.string().nullable().optional(),
+  last_used_at: z.string().nullable().optional(),
+  revoked_at: z.string().nullable().optional()
+}).strict();
+var TokenIssuedSchema = z.object({
+  id: z.string(),
+  member_id: z.string(),
+  name: z.string(),
+  created_at: z.string(),
+  expires_at: z.string().nullable().optional(),
+  last_used_at: z.string().nullable().optional(),
+  revoked_at: z.string().nullable().optional(),
+  token: z.string()
+}).strict();
+var ErrorBodySchema = z.object({
+  error: z.string(),
+  details: z.record(z.string(), z.unknown()).optional()
+}).strict();
+
+// src/admin-api/redact.ts
+var SENSITIVE_KEYS = /* @__PURE__ */ new Set(["token", "refresh_token", "invite_token"]);
+function redactSensitive(obj) {
+  if (Array.isArray(obj)) {
+    return obj.map((item) => redactSensitive(item));
+  }
+  if (obj !== null && typeof obj === "object") {
+    const result = {};
+    for (const [key, value] of Object.entries(obj)) {
+      if (SENSITIVE_KEYS.has(key)) {
+        result[key] = "<redacted>";
+      } else {
+        result[key] = redactSensitive(value);
+      }
+    }
+    return result;
+  }
+  return obj;
+}
+
+// src/admin-api/client.ts
+function defaultWarn(msg) {
+  process.stderr.write(msg + "\n");
+}
+var AdminApiClientImpl = class {
+  baseUrl;
+  token;
+  fetchFn;
+  warn;
+  userAgent;
+  constructor(opts) {
+    this.baseUrl = opts.baseUrl.replace(/\/$/, "");
+    this.token = opts.token;
+    this.fetchFn = opts.fetch ?? globalThis.fetch;
+    this.warn = opts.warn ?? defaultWarn;
+    this.userAgent = opts.userAgent ?? `cleargate`;
+  }
+  debugLog(method, path2, status, body) {
+    if (process.env["CLEARGATE_LOG_LEVEL"] === "debug") {
+      const redacted = redactSensitive(body);
+      this.warn(`[admin-api] ${method} ${path2} \u2192 ${status} ${JSON.stringify(redacted)}`);
+    }
+  }
+  async request(method, urlPath, body) {
+    const url = `${this.baseUrl}/admin-api/v1${urlPath}`;
+    const headers = {
+      Authorization: `Bearer ${this.token}`,
+      "User-Agent": this.userAgent,
+      Accept: "application/json"
+    };
+    if (body !== void 0) {
+      headers["Content-Type"] = "application/json";
+    }
+    let response;
+    try {
+      response = await this.fetchFn(url, {
+        method,
+        headers,
+        body: body !== void 0 ? JSON.stringify(body) : void 0
+      });
+    } catch (err) {
+      throw new AdminApiError(
+        "network",
+        null,
+        err,
+        `cannot reach ${this.baseUrl} (${err instanceof Error ? err.message : String(err)})`
+      );
+    }
+    let responseBody = null;
+    const contentType = response.headers.get("content-type") ?? "";
+    if (contentType.includes("application/json")) {
+      try {
+        responseBody = await response.json();
+      } catch {
+        responseBody = null;
+      }
+    }
+    this.debugLog(method, urlPath, response.status, responseBody);
+    if (!response.ok) {
+      const errBody = responseBody;
+      if (response.status === 401) {
+        throw new AdminApiError("auth", 401, responseBody, "Admin token rejected.");
+      }
+      if (response.status === 403) {
+        throw new AdminApiError("forbidden", 403, responseBody, "Token is not admin-role.");
+      }
+      if (response.status === 404) {
+        throw new AdminApiError("not_found", 404, responseBody, "Not found.");
+      }
+      if (response.status === 400 || response.status === 409) {
+        throw new AdminApiError(
+          "invalid_request",
+          response.status,
+          errBody?.details ?? responseBody,
+          `Invalid request: ${errBody?.error ?? "unknown"}`
+        );
+      }
+      if (response.status >= 500) {
+        throw new AdminApiError(
+          "server",
+          response.status,
+          responseBody,
+          `Server error ${response.status}.`
+        );
+      }
+      throw new AdminApiError(
+        "server",
+        response.status,
+        responseBody,
+        `Unexpected status ${response.status}.`
+      );
+    }
+    return responseBody;
+  }
+  async createProject(input) {
+    const raw = await this.request("POST", "/projects", { name: input.name });
+    const parsed = ProjectSchema.safeParse(raw);
+    if (!parsed.success) {
+      throw new AdminApiError(
+        "response_shape",
+        null,
+        parsed.error,
+        "Server returned unexpected response shape (CLI may be out of date)."
+      );
+    }
+    return parsed.data;
+  }
+  async inviteMember(input) {
+    const body = {
+      email: input.email,
+      role: input.role
+    };
+    if (input.displayName !== void 0) {
+      body["display_name"] = input.displayName;
+    }
+    const raw = await this.request(
+      "POST",
+      `/projects/${input.projectId}/members`,
+      body
+    );
+    const parsed = InviteCreatedSchema.safeParse(raw);
+    if (!parsed.success) {
+      throw new AdminApiError(
+        "response_shape",
+        null,
+        parsed.error,
+        "Server returned unexpected response shape (CLI may be out of date)."
+      );
+    }
+    return parsed.data;
+  }
+  async issueToken(input) {
+    const body = {
+      member_id: input.memberId,
+      name: input.name
+    };
+    if (input.expiresAt !== void 0) {
+      body["expires_at"] = input.expiresAt;
+    }
+    const raw = await this.request(
+      "POST",
+      `/projects/${input.projectId}/tokens`,
+      body
+    );
+    const parsed = TokenIssuedSchema.safeParse(raw);
+    if (!parsed.success) {
+      throw new AdminApiError(
+        "response_shape",
+        null,
+        parsed.error,
+        "Server returned unexpected response shape (CLI may be out of date)."
+      );
+    }
+    return parsed.data;
+  }
+  async revokeToken(input) {
+    await this.request("DELETE", `/tokens/${input.tokenId}`, void 0);
+  }
+};
+function createAdminApiClient(opts) {
+  return new AdminApiClientImpl(opts);
+}
+
+// src/admin-api/admin-auth.ts
+import * as fs from "fs";
+import * as os from "os";
+import * as path from "path";
+import { z as z2 } from "zod";
+var AdminAuthFileSchema = z2.object({
+  version: z2.literal(1),
+  token: z2.string().min(1)
+}).strict();
+var MISSING_TOKEN_ERROR = "No admin token. Set CLEARGATE_ADMIN_TOKEN or write ~/.cleargate/admin-auth.json (chmod 600). See README \xA7admin-jwt.";
+function loadAdminAuth(opts) {
+  const env = opts?.env ?? process.env;
+  const warn = opts?.warn ?? ((msg) => process.stderr.write(msg + "\n"));
+  const envToken = env["CLEARGATE_ADMIN_TOKEN"];
+  if (envToken) {
+    return { token: envToken, source: "env" };
+  }
+  const homedirFn = opts?.homedir ?? os.homedir;
+  const filePath = opts?.filePath ?? path.join(homedirFn(), ".cleargate", "admin-auth.json");
+  let raw;
+  try {
+    raw = fs.readFileSync(filePath, "utf8");
+  } catch (err) {
+    if (err instanceof Error && "code" in err && err.code === "ENOENT") {
+      throw new Error(MISSING_TOKEN_ERROR);
+    }
+    throw new Error(`Failed to read admin-auth file at ${filePath}: ${String(err)}`);
+  }
+  try {
+    const stat = fs.statSync(filePath);
+    const mode = stat.mode & 511;
+    if (mode & 63) {
+      warn(
+        `cleargate-admin: warning: ${filePath} is group/world readable (mode ${mode.toString(8).padStart(3, "0")}). Run: chmod 600 ${filePath}`
+      );
+    }
+  } catch {
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    throw new Error(`Failed to parse admin-auth file at ${filePath}: invalid JSON`);
+  }
+  const result = AdminAuthFileSchema.safeParse(parsed);
+  if (!result.success) {
+    throw new Error(
+      `Invalid admin-auth file at ${filePath}: ${result.error.message}`
+    );
+  }
+  return { token: result.data.token, source: "file" };
+}
+export {
+  AdminApiError,
+  AdminAuthFileSchema,
+  ErrorBodySchema,
+  InviteCreatedSchema,
+  MemberSchema,
+  ProjectSchema,
+  TokenIssuedSchema,
+  TokenMetaSchema,
+  createAdminApiClient,
+  loadAdminAuth,
+  redactSensitive
+};
+//# sourceMappingURL=index.js.map

package/dist/admin-api/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/admin-api/errors.ts","../../src/admin-api/responses.ts","../../src/admin-api/redact.ts","../../src/admin-api/client.ts","../../src/admin-api/admin-auth.ts"],"sourcesContent":["/**\n * Typed error class for all admin API failures.\n * kind → exit code mapping lives in mcp/scripts/commands/_render-error.ts\n */\nexport class AdminApiError extends Error {\n  constructor(\n    public readonly kind:\n      | 'network'\n      | 'auth'\n      | 'forbidden'\n      | 'not_found'\n      | 'invalid_request'\n      | 'server'\n      | 'response_shape',\n    public readonly status: number | null,\n    public readonly details: unknown,\n    message: string,\n  ) {\n    super(message);\n    this.name = 'AdminApiError';\n  }\n}\n","/**\n * Vendored Zod response schemas — hand-authored from\n * mcp/src/admin-api/__snapshots__/openapi.test.ts.snap\n *\n * Snapshot drift is detected by cleargate-cli/test/admin-api/snapshot-drift.test.ts,\n * which reads the snapshot file at runtime and asserts field-set equality.\n */\nimport { z } from 'zod';\n\nexport const ProjectSchema = z\n  .object({\n    id: z.string(),\n    name: z.string(),\n    created_by: z.string(),\n    created_at: z.string(),\n    deleted_at: z.string().nullable(),\n  })\n  .strict();\n\nexport type Project = z.infer<typeof ProjectSchema>;\n\nexport const MemberSchema = z\n  .object({\n    id: z.string(),\n    project_id: z.string(),\n    email: z.string(),\n    role: z.string(),\n    display_name: z.string().nullable().optional(),\n    created_at: z.string(),\n    status: z.enum(['pending', 'active']),\n  })\n  .strict();\n\nexport type Member = z.infer<typeof MemberSchema>;\n\nexport const InviteCreatedSchema = z\n  .object({\n    member: MemberSchema,\n    invite_url: z.string(),\n    invite_token: z.string(),\n    invite_expires_in: z.number().int(),\n  })\n  .strict();\n\nexport type InviteCreated = z.infer<typeof InviteCreatedSchema>;\n\nexport const TokenMetaSchema = z\n  .object({\n    id: z.string(),\n    member_id: z.string(),\n    name: z.string(),\n    created_at: z.string(),\n    expires_at: z.string().nullable().optional(),\n    last_used_at: z.string().nullable().optional(),\n    revoked_at: z.string().nullable().optional(),\n  })\n  .strict();\n\nexport type TokenMeta = z.infer<typeof TokenMetaSchema>;\n\n// TokenIssued = TokenMeta + plaintext token field (returned exactly once)\nexport const TokenIssuedSchema = z\n  .object({\n    id: z.string(),\n    member_id: z.string(),\n    name: z.string(),\n    created_at: z.string(),\n    expires_at: z.string().nullable().optional(),\n    last_used_at: z.string().nullable().optional(),\n    revoked_at: z.string().nullable().optional(),\n    token: z.string(),\n  })\n  .strict();\n\nexport type TokenIssued = z.infer<typeof TokenIssuedSchema>;\n\nexport const ErrorBodySchema = z\n  .object({\n    error: z.string(),\n    details: z.record(z.string(), z.unknown()).optional(),\n  })\n  .strict();\n\nexport type ErrorBody = z.infer<typeof ErrorBodySchema>;\n","/**\n * Recursively replaces sensitive key values with '<redacted>'.\n * Used in debug log paths — never in success output.\n * Keys stripped: token, refresh_token, invite_token\n */\nconst SENSITIVE_KEYS = new Set(['token', 'refresh_token', 'invite_token']);\n\nexport function redactSensitive(obj: unknown): unknown {\n  if (Array.isArray(obj)) {\n    return obj.map((item) => redactSensitive(item));\n  }\n  if (obj !== null && typeof obj === 'object') {\n    const result: Record<string, unknown> = {};\n    for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\n      if (SENSITIVE_KEYS.has(key)) {\n        result[key] = '<redacted>';\n      } else {\n        result[key] = redactSensitive(value);\n      }\n    }\n    return result;\n  }\n  return obj;\n}\n","/**\n * AdminApiClient — typed HTTP client for the ClearGate admin API.\n *\n * Key implementation notes:\n * - CLI method args are camelCase; wire bodies are snake_case (converted internally)\n * - DELETE requests MUST omit Content-Type (Fastify 5 FST_ERR_CTP_EMPTY_JSON_BODY)\n * - All 2xx responses are validated through vendored Zod schemas\n * - Errors map to AdminApiError with kind → exit code table in D6\n */\nimport { AdminApiError } from './errors.js';\nimport {\n  ProjectSchema,\n  InviteCreatedSchema,\n  TokenIssuedSchema,\n  type Project,\n  type InviteCreated,\n  type TokenIssued,\n} from './responses.js';\nimport { redactSensitive } from './redact.js';\n\nexport interface AdminApiClientOptions {\n  baseUrl: string;\n  token: string;\n  fetch?: typeof globalThis.fetch;\n  warn?: (msg: string) => void;\n  userAgent?: string;\n}\n\nexport interface AdminApiClient {\n  createProject(input: { name: string }): Promise<Project>;\n  inviteMember(input: {\n    projectId: string;\n    email: string;\n    role: 'user' | 'service';\n    displayName?: string;\n  }): Promise<InviteCreated>;\n  issueToken(input: {\n    projectId: string;\n    memberId: string;\n    name: string;\n    expiresAt?: string;\n  }): Promise<TokenIssued>;\n  revokeToken(input: { tokenId: string }): Promise<void>;\n}\n\nfunction defaultWarn(msg: string): void {\n  process.stderr.write(msg + '\\n');\n}\n\nclass AdminApiClientImpl implements AdminApiClient {\n  private readonly baseUrl: string;\n  private readonly token: string;\n  private readonly fetchFn: typeof globalThis.fetch;\n  private readonly warn: (msg: string) => void;\n  private readonly userAgent: string;\n\n  constructor(opts: AdminApiClientOptions) {\n    this.baseUrl = opts.baseUrl.replace(/\\/$/, '');\n    this.token = opts.token;\n    this.fetchFn = opts.fetch ?? globalThis.fetch;\n    this.warn = opts.warn ?? defaultWarn;\n    this.userAgent = opts.userAgent ?? `cleargate`;\n  }\n\n  private debugLog(method: string, path: string, status: number, body: unknown): void {\n    if (process.env['CLEARGATE_LOG_LEVEL'] === 'debug') {\n      const redacted = redactSensitive(body);\n      this.warn(`[admin-api] ${method} ${path} → ${status} ${JSON.stringify(redacted)}`);\n    }\n  }\n\n  private async request<T>(\n    method: string,\n    urlPath: string,\n    body?: Record<string, unknown>,\n  ): Promise<T> {\n    const url = `${this.baseUrl}/admin-api/v1${urlPath}`;\n    const headers: Record<string, string> = {\n      Authorization: `Bearer ${this.token}`,\n      'User-Agent': this.userAgent,\n      Accept: 'application/json',\n    };\n\n    // CRITICAL: omit Content-Type on requests without body (DELETE)\n    // Fastify 5 throws FST_ERR_CTP_EMPTY_JSON_BODY if Content-Type is set with empty body\n    if (body !== undefined) {\n      headers['Content-Type'] = 'application/json';\n    }\n\n    let response: Response;\n    try {\n      response = await this.fetchFn(url, {\n        method,\n        headers,\n        body: body !== undefined ? JSON.stringify(body) : undefined,\n      });\n    } catch (err) {\n      throw new AdminApiError(\n        'network',\n        null,\n        err,\n        `cannot reach ${this.baseUrl} (${err instanceof Error ? err.message : String(err)})`,\n      );\n    }\n\n    // Parse response body when present\n    let responseBody: unknown = null;\n    const contentType = response.headers.get('content-type') ?? '';\n    if (contentType.includes('application/json')) {\n      try {\n        responseBody = await response.json();\n      } catch {\n        responseBody = null;\n      }\n    }\n\n    this.debugLog(method, urlPath, response.status, responseBody);\n\n    // Map HTTP status to AdminApiError kinds\n    if (!response.ok) {\n      const errBody = responseBody as { error?: string; details?: unknown } | null;\n      if (response.status === 401) {\n        throw new AdminApiError('auth', 401, responseBody, 'Admin token rejected.');\n      }\n      if (response.status === 403) {\n        throw new AdminApiError('forbidden', 403, responseBody, 'Token is not admin-role.');\n      }\n      if (response.status === 404) {\n        throw new AdminApiError('not_found', 404, responseBody, 'Not found.');\n      }\n      if (response.status === 400 || response.status === 409) {\n        throw new AdminApiError(\n          'invalid_request',\n          response.status,\n          errBody?.details ?? responseBody,\n          `Invalid request: ${errBody?.error ?? 'unknown'}`,\n        );\n      }\n      if (response.status >= 500) {\n        throw new AdminApiError(\n          'server',\n          response.status,\n          responseBody,\n          `Server error ${response.status}.`,\n        );\n      }\n      throw new AdminApiError(\n        'server',\n        response.status,\n        responseBody,\n        `Unexpected status ${response.status}.`,\n      );\n    }\n\n    return responseBody as T;\n  }\n\n  async createProject(input: { name: string }): Promise<Project> {\n    const raw = await this.request<unknown>('POST', '/projects', { name: input.name });\n    const parsed = ProjectSchema.safeParse(raw);\n    if (!parsed.success) {\n      throw new AdminApiError(\n        'response_shape',\n        null,\n        parsed.error,\n        'Server returned unexpected response shape (CLI may be out of date).',\n      );\n    }\n    return parsed.data;\n  }\n\n  async inviteMember(input: {\n    projectId: string;\n    email: string;\n    role: 'user' | 'service';\n    displayName?: string;\n  }): Promise<InviteCreated> {\n    const body: Record<string, unknown> = {\n      email: input.email,\n      role: input.role,\n    };\n    if (input.displayName !== undefined) {\n      body['display_name'] = input.displayName;\n    }\n    const raw = await this.request<unknown>(\n      'POST',\n      `/projects/${input.projectId}/members`,\n      body,\n    );\n    const parsed = InviteCreatedSchema.safeParse(raw);\n    if (!parsed.success) {\n      // Try MemberSchema in case the server returned a member-only response\n      throw new AdminApiError(\n        'response_shape',\n        null,\n        parsed.error,\n        'Server returned unexpected response shape (CLI may be out of date).',\n      );\n    }\n    return parsed.data;\n  }\n\n  async issueToken(input: {\n    projectId: string;\n    memberId: string;\n    name: string;\n    expiresAt?: string;\n  }): Promise<TokenIssued> {\n    const body: Record<string, unknown> = {\n      member_id: input.memberId,\n      name: input.name,\n    };\n    if (input.expiresAt !== undefined) {\n      body['expires_at'] = input.expiresAt;\n    }\n    const raw = await this.request<unknown>(\n      'POST',\n      `/projects/${input.projectId}/tokens`,\n      body,\n    );\n    const parsed = TokenIssuedSchema.safeParse(raw);\n    if (!parsed.success) {\n      throw new AdminApiError(\n        'response_shape',\n        null,\n        parsed.error,\n        'Server returned unexpected response shape (CLI may be out of date).',\n      );\n    }\n    return parsed.data;\n  }\n\n  async revokeToken(input: { tokenId: string }): Promise<void> {\n    // No body — Content-Type must be omitted (Fastify 5 CTP quirk)\n    await this.request<unknown>('DELETE', `/tokens/${input.tokenId}`, undefined);\n  }\n}\n\nexport function createAdminApiClient(opts: AdminApiClientOptions): AdminApiClient {\n  return new AdminApiClientImpl(opts);\n}\n","/**\n * Loads an admin JWT for use with cleargate-admin CLI commands.\n *\n * Load order:\n *  1. CLEARGATE_ADMIN_TOKEN env var (wins immediately — file is not read)\n *  2. ~/.cleargate/admin-auth.json (shape: { version: 1, token: string })\n *\n * DISTINCT from FileTokenStore: that file holds user profile → refresh-token maps.\n * This file holds a single admin JWT acquired out-of-band via dev-issue-token.\n */\nimport * as fs from 'node:fs';\nimport * as os from 'node:os';\nimport * as path from 'node:path';\nimport { z } from 'zod';\n\nexport const AdminAuthFileSchema = z\n  .object({\n    version: z.literal(1),\n    token: z.string().min(1),\n  })\n  .strict();\n\nexport interface LoadAdminAuthOptions {\n  env?: NodeJS.ProcessEnv;\n  filePath?: string;\n  homedir?: () => string;\n  warn?: (msg: string) => void;\n}\n\nexport interface AdminAuth {\n  token: string;\n  source: 'env' | 'file';\n}\n\nconst MISSING_TOKEN_ERROR =\n  'No admin token. Set CLEARGATE_ADMIN_TOKEN or write ~/.cleargate/admin-auth.json (chmod 600). See README §admin-jwt.';\n\nexport function loadAdminAuth(opts?: LoadAdminAuthOptions): AdminAuth {\n  const env = opts?.env ?? process.env;\n  const warn = opts?.warn ?? ((msg: string) => process.stderr.write(msg + '\\n'));\n\n  // Env wins — file is not read at all when env is set\n  const envToken = env['CLEARGATE_ADMIN_TOKEN'];\n  if (envToken) {\n    return { token: envToken, source: 'env' };\n  }\n\n  // Resolve file path\n  const homedirFn = opts?.homedir ?? os.homedir;\n  const filePath =\n    opts?.filePath ?? path.join(homedirFn(), '.cleargate', 'admin-auth.json');\n\n  // Try file\n  let raw: string;\n  try {\n    raw = fs.readFileSync(filePath, 'utf8');\n  } catch (err) {\n    if (err instanceof Error && 'code' in err && (err as NodeJS.ErrnoException).code === 'ENOENT') {\n      throw new Error(MISSING_TOKEN_ERROR);\n    }\n    throw new Error(`Failed to read admin-auth file at ${filePath}: ${String(err)}`);\n  }\n\n  // Check file permissions (warn if too permissive)\n  try {\n    const stat = fs.statSync(filePath);\n    const mode = stat.mode & 0o777;\n    if (mode & 0o077) {\n      warn(\n        `cleargate-admin: warning: ${filePath} is group/world readable (mode ${(mode).toString(8).padStart(3, '0')}). Run: chmod 600 ${filePath}`,\n      );\n    }\n  } catch {\n    // If we can't stat the file, ignore — the read already succeeded\n  }\n\n  // Parse JSON\n  let parsed: unknown;\n  try {\n    parsed = JSON.parse(raw);\n  } catch {\n    throw new Error(`Failed to parse admin-auth file at ${filePath}: invalid JSON`);\n  }\n\n  // Validate with strict schema\n  const result = AdminAuthFileSchema.safeParse(parsed);\n  if (!result.success) {\n    throw new Error(\n      `Invalid admin-auth file at ${filePath}: ${result.error.message}`,\n    );\n  }\n\n  return { token: result.data.token, source: 'file' };\n}\n"],"mappings":";;;AAIO,IAAM,gBAAN,cAA4B,MAAM;AAAA,EACvC,YACkB,MAQA,QACA,SAChB,SACA;AACA,UAAM,OAAO;AAZG;AAQA;AACA;AAIhB,SAAK,OAAO;AAAA,EACd;AAAA,EAdkB;AAAA,EAQA;AAAA,EACA;AAMpB;;;ACdA,SAAS,SAAS;AAEX,IAAM,gBAAgB,EAC1B,OAAO;AAAA,EACN,IAAI,EAAE,OAAO;AAAA,EACb,MAAM,EAAE,OAAO;AAAA,EACf,YAAY,EAAE,OAAO;AAAA,EACrB,YAAY,EAAE,OAAO;AAAA,EACrB,YAAY,EAAE,OAAO,EAAE,SAAS;AAClC,CAAC,EACA,OAAO;AAIH,IAAM,eAAe,EACzB,OAAO;AAAA,EACN,IAAI,EAAE,OAAO;AAAA,EACb,YAAY,EAAE,OAAO;AAAA,EACrB,OAAO,EAAE,OAAO;AAAA,EAChB,MAAM,EAAE,OAAO;AAAA,EACf,cAAc,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC7C,YAAY,EAAE,OAAO;AAAA,EACrB,QAAQ,EAAE,KAAK,CAAC,WAAW,QAAQ,CAAC;AACtC,CAAC,EACA,OAAO;AAIH,IAAM,sBAAsB,EAChC,OAAO;AAAA,EACN,QAAQ;AAAA,EACR,YAAY,EAAE,OAAO;AAAA,EACrB,cAAc,EAAE,OAAO;AAAA,EACvB,mBAAmB,EAAE,OAAO,EAAE,IAAI;AACpC,CAAC,EACA,OAAO;AAIH,IAAM,kBAAkB,EAC5B,OAAO;AAAA,EACN,IAAI,EAAE,OAAO;AAAA,EACb,WAAW,EAAE,OAAO;AAAA,EACpB,MAAM,EAAE,OAAO;AAAA,EACf,YAAY,EAAE,OAAO;AAAA,EACrB,YAAY,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC3C,cAAc,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC7C,YAAY,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAC7C,CAAC,EACA,OAAO;AAKH,IAAM,oBAAoB,EAC9B,OAAO;AAAA,EACN,IAAI,EAAE,OAAO;AAAA,EACb,WAAW,EAAE,OAAO;AAAA,EACpB,MAAM,EAAE,OAAO;AAAA,EACf,YAAY,EAAE,OAAO;AAAA,EACrB,YAAY,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC3C,cAAc,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC7C,YAAY,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC3C,OAAO,EAAE,OAAO;AAClB,CAAC,EACA,OAAO;AAIH,IAAM,kBAAkB,EAC5B,OAAO;AAAA,EACN,OAAO,EAAE,OAAO;AAAA,EAChB,SAAS,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,QAAQ,CAAC,EAAE,SAAS;AACtD,CAAC,EACA,OAAO;;;AC5EV,IAAM,iBAAiB,oBAAI,IAAI,CAAC,SAAS,iBAAiB,cAAc,CAAC;AAElE,SAAS,gBAAgB,KAAuB;AACrD,MAAI,MAAM,QAAQ,GAAG,GAAG;AACtB,WAAO,IAAI,IAAI,CAAC,SAAS,gBAAgB,IAAI,CAAC;AAAA,EAChD;AACA,MAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;AAC3C,UAAM,SAAkC,CAAC;AACzC,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,GAA8B,GAAG;AACzE,UAAI,eAAe,IAAI,GAAG,GAAG;AAC3B,eAAO,GAAG,IAAI;AAAA,MAChB,OAAO;AACL,eAAO,GAAG,IAAI,gBAAgB,KAAK;AAAA,MACrC;AAAA,IACF;AACA,WAAO;AAAA,EACT;AACA,SAAO;AACT;;;ACsBA,SAAS,YAAY,KAAmB;AACtC,UAAQ,OAAO,MAAM,MAAM,IAAI;AACjC;AAEA,IAAM,qBAAN,MAAmD;AAAA,EAChC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEjB,YAAY,MAA6B;AACvC,SAAK,UAAU,KAAK,QAAQ,QAAQ,OAAO,EAAE;AAC7C,SAAK,QAAQ,KAAK;AAClB,SAAK,UAAU,KAAK,SAAS,WAAW;AACxC,SAAK,OAAO,KAAK,QAAQ;AACzB,SAAK,YAAY,KAAK,aAAa;AAAA,EACrC;AAAA,EAEQ,SAAS,QAAgBA,OAAc,QAAgB,MAAqB;AAClF,QAAI,QAAQ,IAAI,qBAAqB,MAAM,SAAS;AAClD,YAAM,WAAW,gBAAgB,IAAI;AACrC,WAAK,KAAK,eAAe,MAAM,IAAIA,KAAI,WAAM,MAAM,IAAI,KAAK,UAAU,QAAQ,CAAC,EAAE;AAAA,IACnF;AAAA,EACF;AAAA,EAEA,MAAc,QACZ,QACA,SACA,MACY;AACZ,UAAM,MAAM,GAAG,KAAK,OAAO,gBAAgB,OAAO;AAClD,UAAM,UAAkC;AAAA,MACtC,eAAe,UAAU,KAAK,KAAK;AAAA,MACnC,cAAc,KAAK;AAAA,MACnB,QAAQ;AAAA,IACV;AAIA,QAAI,SAAS,QAAW;AACtB,cAAQ,cAAc,IAAI;AAAA,IAC5B;AAEA,QAAI;AACJ,QAAI;AACF,iBAAW,MAAM,KAAK,QAAQ,KAAK;AAAA,QACjC;AAAA,QACA;AAAA,QACA,MAAM,SAAS,SAAY,KAAK,UAAU,IAAI,IAAI;AAAA,MACpD,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,QACA,gBAAgB,KAAK,OAAO,KAAK,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,MACnF;AAAA,IACF;AAGA,QAAI,eAAwB;AAC5B,UAAM,cAAc,SAAS,QAAQ,IAAI,cAAc,KAAK;AAC5D,QAAI,YAAY,SAAS,kBAAkB,GAAG;AAC5C,UAAI;AACF,uBAAe,MAAM,SAAS,KAAK;AAAA,MACrC,QAAQ;AACN,uBAAe;AAAA,MACjB;AAAA,IACF;AAEA,SAAK,SAAS,QAAQ,SAAS,SAAS,QAAQ,YAAY;AAG5D,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,UAAU;AAChB,UAAI,SAAS,WAAW,KAAK;AAC3B,cAAM,IAAI,cAAc,QAAQ,KAAK,cAAc,uBAAuB;AAAA,MAC5E;AACA,UAAI,SAAS,WAAW,KAAK;AAC3B,cAAM,IAAI,cAAc,aAAa,KAAK,cAAc,0BAA0B;AAAA,MACpF;AACA,UAAI,SAAS,WAAW,KAAK;AAC3B,cAAM,IAAI,cAAc,aAAa,KAAK,cAAc,YAAY;AAAA,MACtE;AACA,UAAI,SAAS,WAAW,OAAO,SAAS,WAAW,KAAK;AACtD,cAAM,IAAI;AAAA,UACR;AAAA,UACA,SAAS;AAAA,UACT,SAAS,WAAW;AAAA,UACpB,oBAAoB,SAAS,SAAS,SAAS;AAAA,QACjD;AAAA,MACF;AACA,UAAI,SAAS,UAAU,KAAK;AAC1B,cAAM,IAAI;AAAA,UACR;AAAA,UACA,SAAS;AAAA,UACT;AAAA,UACA,gBAAgB,SAAS,MAAM;AAAA,QACjC;AAAA,MACF;AACA,YAAM,IAAI;AAAA,QACR;AAAA,QACA,SAAS;AAAA,QACT;AAAA,QACA,qBAAqB,SAAS,MAAM;AAAA,MACtC;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,cAAc,OAA2C;AAC7D,UAAM,MAAM,MAAM,KAAK,QAAiB,QAAQ,aAAa,EAAE,MAAM,MAAM,KAAK,CAAC;AACjF,UAAM,SAAS,cAAc,UAAU,GAAG;AAC1C,QAAI,CAAC,OAAO,SAAS;AACnB,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA,OAAO;AAAA,QACP;AAAA,MACF;AAAA,IACF;AACA,WAAO,OAAO;AAAA,EAChB;AAAA,EAEA,MAAM,aAAa,OAKQ;AACzB,UAAM,OAAgC;AAAA,MACpC,OAAO,MAAM;AAAA,MACb,MAAM,MAAM;AAAA,IACd;AACA,QAAI,MAAM,gBAAgB,QAAW;AACnC,WAAK,cAAc,IAAI,MAAM;AAAA,IAC/B;AACA,UAAM,MAAM,MAAM,KAAK;AAAA,MACrB;AAAA,MACA,aAAa,MAAM,SAAS;AAAA,MAC5B;AAAA,IACF;AACA,UAAM,SAAS,oBAAoB,UAAU,GAAG;AAChD,QAAI,CAAC,OAAO,SAAS;AAEnB,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA,OAAO;AAAA,QACP;AAAA,MACF;AAAA,IACF;AACA,WAAO,OAAO;AAAA,EAChB;AAAA,EAEA,MAAM,WAAW,OAKQ;AACvB,UAAM,OAAgC;AAAA,MACpC,WAAW,MAAM;AAAA,MACjB,MAAM,MAAM;AAAA,IACd;AACA,QAAI,MAAM,cAAc,QAAW;AACjC,WAAK,YAAY,IAAI,MAAM;AAAA,IAC7B;AACA,UAAM,MAAM,MAAM,KAAK;AAAA,MACrB;AAAA,MACA,aAAa,MAAM,SAAS;AAAA,MAC5B;AAAA,IACF;AACA,UAAM,SAAS,kBAAkB,UAAU,GAAG;AAC9C,QAAI,CAAC,OAAO,SAAS;AACnB,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA,OAAO;AAAA,QACP;AAAA,MACF;AAAA,IACF;AACA,WAAO,OAAO;AAAA,EAChB;AAAA,EAEA,MAAM,YAAY,OAA2C;AAE3D,UAAM,KAAK,QAAiB,UAAU,WAAW,MAAM,OAAO,IAAI,MAAS;AAAA,EAC7E;AACF;AAEO,SAAS,qBAAqB,MAA6C;AAChF,SAAO,IAAI,mBAAmB,IAAI;AACpC;;;ACtOA,YAAY,QAAQ;AACpB,YAAY,QAAQ;AACpB,YAAY,UAAU;AACtB,SAAS,KAAAC,UAAS;AAEX,IAAM,sBAAsBA,GAChC,OAAO;AAAA,EACN,SAASA,GAAE,QAAQ,CAAC;AAAA,EACpB,OAAOA,GAAE,OAAO,EAAE,IAAI,CAAC;AACzB,CAAC,EACA,OAAO;AAcV,IAAM,sBACJ;AAEK,SAAS,cAAc,MAAwC;AACpE,QAAM,MAAM,MAAM,OAAO,QAAQ;AACjC,QAAM,OAAO,MAAM,SAAS,CAAC,QAAgB,QAAQ,OAAO,MAAM,MAAM,IAAI;AAG5E,QAAM,WAAW,IAAI,uBAAuB;AAC5C,MAAI,UAAU;AACZ,WAAO,EAAE,OAAO,UAAU,QAAQ,MAAM;AAAA,EAC1C;AAGA,QAAM,YAAY,MAAM,WAAc;AACtC,QAAM,WACJ,MAAM,YAAiB,UAAK,UAAU,GAAG,cAAc,iBAAiB;AAG1E,MAAI;AACJ,MAAI;AACF,UAAS,gBAAa,UAAU,MAAM;AAAA,EACxC,SAAS,KAAK;AACZ,QAAI,eAAe,SAAS,UAAU,OAAQ,IAA8B,SAAS,UAAU;AAC7F,YAAM,IAAI,MAAM,mBAAmB;AAAA,IACrC;AACA,UAAM,IAAI,MAAM,qCAAqC,QAAQ,KAAK,OAAO,GAAG,CAAC,EAAE;AAAA,EACjF;AAGA,MAAI;AACF,UAAM,OAAU,YAAS,QAAQ;AACjC,UAAM,OAAO,KAAK,OAAO;AACzB,QAAI,OAAO,IAAO;AAChB;AAAA,QACE,6BAA6B,QAAQ,kCAAmC,KAAM,SAAS,CAAC,EAAE,SAAS,GAAG,GAAG,CAAC,qBAAqB,QAAQ;AAAA,MACzI;AAAA,IACF;AAAA,EACF,QAAQ;AAAA,EAER;AAGA,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,GAAG;AAAA,EACzB,QAAQ;AACN,UAAM,IAAI,MAAM,sCAAsC,QAAQ,gBAAgB;AAAA,EAChF;AAGA,QAAM,SAAS,oBAAoB,UAAU,MAAM;AACnD,MAAI,CAAC,OAAO,SAAS;AACnB,UAAM,IAAI;AAAA,MACR,8BAA8B,QAAQ,KAAK,OAAO,MAAM,OAAO;AAAA,IACjE;AAAA,EACF;AAEA,SAAO,EAAE,OAAO,OAAO,KAAK,OAAO,QAAQ,OAAO;AACpD;","names":["path","z"]}

package/dist/auth/factory.cjs

@@ -0,0 +1,198 @@
+#!/usr/bin/env node
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/auth/factory.ts
+var factory_exports = {};
+__export(factory_exports, {
+  createTokenStore: () => createTokenStore
+});
+module.exports = __toCommonJS(factory_exports);
+var os = __toESM(require("os"), 1);
+var path2 = __toESM(require("path"), 1);
+
+// src/auth/keychain-store.ts
+var import_keyring = require("@napi-rs/keyring");
+var KeychainTokenStore = class {
+  constructor(service) {
+    this.service = service;
+  }
+  service;
+  backend = "keychain";
+  async save(profile, token) {
+    new import_keyring.Entry(this.service, profile).setPassword(token);
+  }
+  async load(profile) {
+    try {
+      const result = new import_keyring.Entry(this.service, profile).getPassword();
+      return result ?? null;
+    } catch {
+      return null;
+    }
+  }
+  async remove(profile) {
+    try {
+      new import_keyring.Entry(this.service, profile).deletePassword();
+    } catch {
+    }
+  }
+};
+
+// src/auth/file-store.ts
+var fs = __toESM(require("fs/promises"), 1);
+var path = __toESM(require("path"), 1);
+var import_zod = require("zod");
+var ProfileEntrySchema = import_zod.z.object({ refreshToken: import_zod.z.string().min(1) }).strict();
+var AuthFileSchema = import_zod.z.object({
+  version: import_zod.z.literal(1),
+  profiles: import_zod.z.record(import_zod.z.string().min(1), ProfileEntrySchema)
+}).strict();
+var EMPTY_AUTH_FILE = { version: 1, profiles: {} };
+var FileTokenStore = class {
+  constructor(filePath) {
+    this.filePath = filePath;
+  }
+  filePath;
+  backend = "file";
+  async save(profile, token) {
+    const current = await this.readFile();
+    const updated = {
+      ...current,
+      profiles: {
+        ...current.profiles,
+        [profile]: { refreshToken: token }
+      }
+    };
+    await this.writeFile(updated);
+  }
+  async load(profile) {
+    const data = await this.readFile();
+    return data.profiles[profile]?.refreshToken ?? null;
+  }
+  async remove(profile) {
+    let current;
+    try {
+      current = await this.readFile();
+    } catch {
+      return;
+    }
+    if (!(profile in current.profiles)) {
+      return;
+    }
+    const { [profile]: _removed, ...rest } = current.profiles;
+    const updated = { ...current, profiles: rest };
+    await this.writeFile(updated);
+  }
+  async readFile() {
+    let raw;
+    try {
+      raw = await fs.readFile(this.filePath, "utf8");
+    } catch (err) {
+      if (err.code === "ENOENT") {
+        return EMPTY_AUTH_FILE;
+      }
+      throw err;
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(raw);
+    } catch {
+      throw new Error(
+        `Failed to parse auth file at ${this.filePath}: invalid JSON`
+      );
+    }
+    const result = AuthFileSchema.safeParse(parsed);
+    if (!result.success) {
+      const versionCheck = parsed?.["version"];
+      if (versionCheck !== 1) {
+        throw new Error(
+          `Invalid auth file at ${this.filePath}: unsupported version ${String(versionCheck)}. Please upgrade \`cleargate\` to read this file.`
+        );
+      }
+      throw new Error(
+        `Invalid auth file at ${this.filePath}: ${result.error.message}`
+      );
+    }
+    return result.data;
+  }
+  async writeFile(data) {
+    const dir = path.dirname(this.filePath);
+    await fs.mkdir(dir, { recursive: true, mode: 448 });
+    await fs.chmod(dir, 448).catch(() => {
+    });
+    const json = JSON.stringify(data, null, 2);
+    const tmpPath = path.join(dir, ".auth.json.tmp");
+    await fs.writeFile(tmpPath, json, { mode: 384 });
+    await fs.chmod(tmpPath, 384);
+    await fs.rename(tmpPath, this.filePath);
+    await fs.chmod(this.filePath, 384);
+  }
+};
+
+// src/auth/factory.ts
+var DEFAULT_KEYCHAIN_SERVICE = "cleargate";
+function resolveFilePath(opts) {
+  if (opts.filePath) return opts.filePath;
+  const home = os.homedir();
+  if (!home) {
+    throw new Error(
+      "Cannot determine home directory. Set opts.filePath explicitly or ensure os.homedir() returns a non-empty string."
+    );
+  }
+  return path2.join(home, ".cleargate", "auth.json");
+}
+function defaultWarn(msg) {
+  process.stderr.write(msg + "\n");
+}
+async function createTokenStore(opts = {}) {
+  const filePath = resolveFilePath(opts);
+  const service = opts.keychainService ?? DEFAULT_KEYCHAIN_SERVICE;
+  const warn = opts.warn ?? defaultWarn;
+  if (opts.forceBackend === "file") {
+    return new FileTokenStore(filePath);
+  }
+  if (opts.forceBackend === "keychain") {
+    return new KeychainTokenStore(service);
+  }
+  try {
+    const { Entry: Entry2 } = await import("@napi-rs/keyring");
+    new Entry2(service, "__cleargate_probe__").getPassword();
+    return new KeychainTokenStore(service);
+  } catch {
+    warn(
+      `cleargate: OS keychain unavailable, falling back to file storage at ${filePath}. Run with --log-level=debug for details.`
+    );
+    return new FileTokenStore(filePath);
+  }
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createTokenStore
+});
+//# sourceMappingURL=factory.cjs.map

package/dist/auth/factory.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/auth/factory.ts","../../src/auth/keychain-store.ts","../../src/auth/file-store.ts"],"sourcesContent":["import * as os from 'node:os';\nimport * as path from 'node:path';\nimport { KeychainTokenStore } from './keychain-store.js';\nimport { FileTokenStore } from './file-store.js';\nimport type { TokenStore, TokenStoreFactoryOptions } from './token-store.js';\n\nconst DEFAULT_KEYCHAIN_SERVICE = 'cleargate';\n\nfunction resolveFilePath(opts: TokenStoreFactoryOptions): string {\n  if (opts.filePath) return opts.filePath;\n  const home = os.homedir();\n  if (!home) {\n    throw new Error(\n      'Cannot determine home directory. Set opts.filePath explicitly or ensure os.homedir() returns a non-empty string.',\n    );\n  }\n  return path.join(home, '.cleargate', 'auth.json');\n}\n\nfunction defaultWarn(msg: string): void {\n  process.stderr.write(msg + '\\n');\n}\n\n/**\n * Creates a TokenStore, selecting the keychain backend when available and\n * falling back to file storage with a stderr warning when the OS keychain\n * cannot be accessed.\n */\nexport async function createTokenStore(\n  opts: TokenStoreFactoryOptions = {},\n): Promise<TokenStore> {\n  const filePath = resolveFilePath(opts);\n  const service = opts.keychainService ?? DEFAULT_KEYCHAIN_SERVICE;\n  const warn = opts.warn ?? defaultWarn;\n\n  // Short-circuit if backend is forced (test seam, skips probe)\n  if (opts.forceBackend === 'file') {\n    return new FileTokenStore(filePath);\n  }\n  if (opts.forceBackend === 'keychain') {\n    return new KeychainTokenStore(service);\n  }\n\n  // Probe the keychain to determine availability\n  try {\n    const { Entry } = await import('@napi-rs/keyring');\n    new Entry(service, '__cleargate_probe__').getPassword();\n    // Probe succeeded (returned string | null cleanly) — use keychain\n    return new KeychainTokenStore(service);\n  } catch {\n    // Constructor threw (native module load failed, libsecret missing on Linux)\n    // OR getPassword() threw (dbus not running, prompt cancelled)\n    // Either way, keychain is unavailable for this CLI invocation\n    warn(\n      `cleargate: OS keychain unavailable, falling back to file storage at ${filePath}. Run with --log-level=debug for details.`,\n    );\n    return new FileTokenStore(filePath);\n  }\n}\n","import { Entry } from '@napi-rs/keyring';\nimport type { TokenStore } from './token-store.js';\n\nexport class KeychainTokenStore implements TokenStore {\n  readonly backend = 'keychain' as const;\n\n  constructor(private readonly service: string) {}\n\n  async save(profile: string, token: string): Promise<void> {\n    new Entry(this.service, profile).setPassword(token);\n  }\n\n  async load(profile: string): Promise<string | null> {\n    try {\n      const result = new Entry(this.service, profile).getPassword();\n      // getPassword() returns string | null per @napi-rs/keyring@1.2.0 index.d.ts:124\n      // Despite the docstring claiming it throws NoEntry, the return type wins.\n      // Handle both: null return AND potential thrown NoEntry (platform-specific).\n      return result ?? null;\n    } catch {\n      // NoEntry or other keychain error — treat as absent\n      return null;\n    }\n  }\n\n  async remove(profile: string): Promise<void> {\n    try {\n      new Entry(this.service, profile).deletePassword();\n    } catch {\n      // Entry didn't exist or other keychain error — idempotent, swallow\n    }\n  }\n}\n","import * as fs from 'node:fs/promises';\nimport * as path from 'node:path';\nimport { z } from 'zod';\nimport type { TokenStore } from './token-store.js';\n\nconst ProfileEntrySchema = z.object({ refreshToken: z.string().min(1) }).strict();\n\nexport const AuthFileSchema = z\n  .object({\n    version: z.literal(1),\n    profiles: z.record(z.string().min(1), ProfileEntrySchema),\n  })\n  .strict();\n\ntype AuthFile = z.infer<typeof AuthFileSchema>;\n\nconst EMPTY_AUTH_FILE: AuthFile = { version: 1, profiles: {} };\n\nexport class FileTokenStore implements TokenStore {\n  readonly backend = 'file' as const;\n\n  constructor(private readonly filePath: string) {}\n\n  async save(profile: string, token: string): Promise<void> {\n    const current = await this.readFile();\n    const updated: AuthFile = {\n      ...current,\n      profiles: {\n        ...current.profiles,\n        [profile]: { refreshToken: token },\n      },\n    };\n    await this.writeFile(updated);\n  }\n\n  async load(profile: string): Promise<string | null> {\n    const data = await this.readFile();\n    return data.profiles[profile]?.refreshToken ?? null;\n  }\n\n  async remove(profile: string): Promise<void> {\n    let current: AuthFile;\n    try {\n      current = await this.readFile();\n    } catch {\n      // File doesn't exist or unreadable — no-op since there's nothing to remove\n      return;\n    }\n    if (!(profile in current.profiles)) {\n      return; // Profile doesn't exist — idempotent\n    }\n    const { [profile]: _removed, ...rest } = current.profiles;\n    const updated: AuthFile = { ...current, profiles: rest };\n    await this.writeFile(updated);\n  }\n\n  private async readFile(): Promise<AuthFile> {\n    let raw: string;\n    try {\n      raw = await fs.readFile(this.filePath, 'utf8');\n    } catch (err) {\n      if ((err as NodeJS.ErrnoException).code === 'ENOENT') {\n        return EMPTY_AUTH_FILE;\n      }\n      throw err;\n    }\n\n    let parsed: unknown;\n    try {\n      parsed = JSON.parse(raw);\n    } catch {\n      throw new Error(\n        `Failed to parse auth file at ${this.filePath}: invalid JSON`,\n      );\n    }\n\n    const result = AuthFileSchema.safeParse(parsed);\n    if (!result.success) {\n      // Check for version mismatch specifically\n      const versionCheck = (parsed as Record<string, unknown>)?.['version'];\n      if (versionCheck !== 1) {\n        throw new Error(\n          `Invalid auth file at ${this.filePath}: unsupported version ${String(versionCheck)}. Please upgrade \\`cleargate\\` to read this file.`,\n        );\n      }\n      throw new Error(\n        `Invalid auth file at ${this.filePath}: ${result.error.message}`,\n      );\n    }\n\n    return result.data;\n  }\n\n  private async writeFile(data: AuthFile): Promise<void> {\n    const dir = path.dirname(this.filePath);\n    await fs.mkdir(dir, { recursive: true, mode: 0o700 });\n    // Explicit chmod after mkdir — mkdir only sets mode on newly created dirs\n    await fs.chmod(dir, 0o700).catch(() => {\n      // If chmod fails on existing dir, that's acceptable — we don't want to\n      // surprise users who have set custom modes on ~/.cleargate/\n    });\n\n    const json = JSON.stringify(data, null, 2);\n    const tmpPath = path.join(dir, '.auth.json.tmp');\n\n    // Atomic write: write to tmp then rename to avoid partial-write corruption\n    await fs.writeFile(tmpPath, json, { mode: 0o600 });\n    // Explicit chmod after writeFile — writeFile only sets mode on file creation\n    await fs.chmod(tmpPath, 0o600);\n    await fs.rename(tmpPath, this.filePath);\n    // After rename, chmod the final path to ensure it stays 0600\n    await fs.chmod(this.filePath, 0o600);\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAoB;AACpB,IAAAA,QAAsB;;;ACDtB,qBAAsB;AAGf,IAAM,qBAAN,MAA+C;AAAA,EAGpD,YAA6B,SAAiB;AAAjB;AAAA,EAAkB;AAAA,EAAlB;AAAA,EAFpB,UAAU;AAAA,EAInB,MAAM,KAAK,SAAiB,OAA8B;AACxD,QAAI,qBAAM,KAAK,SAAS,OAAO,EAAE,YAAY,KAAK;AAAA,EACpD;AAAA,EAEA,MAAM,KAAK,SAAyC;AAClD,QAAI;AACF,YAAM,SAAS,IAAI,qBAAM,KAAK,SAAS,OAAO,EAAE,YAAY;AAI5D,aAAO,UAAU;AAAA,IACnB,QAAQ;AAEN,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAM,OAAO,SAAgC;AAC3C,QAAI;AACF,UAAI,qBAAM,KAAK,SAAS,OAAO,EAAE,eAAe;AAAA,IAClD,QAAQ;AAAA,IAER;AAAA,EACF;AACF;;;AChCA,SAAoB;AACpB,WAAsB;AACtB,iBAAkB;AAGlB,IAAM,qBAAqB,aAAE,OAAO,EAAE,cAAc,aAAE,OAAO,EAAE,IAAI,CAAC,EAAE,CAAC,EAAE,OAAO;AAEzE,IAAM,iBAAiB,aAC3B,OAAO;AAAA,EACN,SAAS,aAAE,QAAQ,CAAC;AAAA,EACpB,UAAU,aAAE,OAAO,aAAE,OAAO,EAAE,IAAI,CAAC,GAAG,kBAAkB;AAC1D,CAAC,EACA,OAAO;AAIV,IAAM,kBAA4B,EAAE,SAAS,GAAG,UAAU,CAAC,EAAE;AAEtD,IAAM,iBAAN,MAA2C;AAAA,EAGhD,YAA6B,UAAkB;AAAlB;AAAA,EAAmB;AAAA,EAAnB;AAAA,EAFpB,UAAU;AAAA,EAInB,MAAM,KAAK,SAAiB,OAA8B;AACxD,UAAM,UAAU,MAAM,KAAK,SAAS;AACpC,UAAM,UAAoB;AAAA,MACxB,GAAG;AAAA,MACH,UAAU;AAAA,QACR,GAAG,QAAQ;AAAA,QACX,CAAC,OAAO,GAAG,EAAE,cAAc,MAAM;AAAA,MACnC;AAAA,IACF;AACA,UAAM,KAAK,UAAU,OAAO;AAAA,EAC9B;AAAA,EAEA,MAAM,KAAK,SAAyC;AAClD,UAAM,OAAO,MAAM,KAAK,SAAS;AACjC,WAAO,KAAK,SAAS,OAAO,GAAG,gBAAgB;AAAA,EACjD;AAAA,EAEA,MAAM,OAAO,SAAgC;AAC3C,QAAI;AACJ,QAAI;AACF,gBAAU,MAAM,KAAK,SAAS;AAAA,IAChC,QAAQ;AAEN;AAAA,IACF;AACA,QAAI,EAAE,WAAW,QAAQ,WAAW;AAClC;AAAA,IACF;AACA,UAAM,EAAE,CAAC,OAAO,GAAG,UAAU,GAAG,KAAK,IAAI,QAAQ;AACjD,UAAM,UAAoB,EAAE,GAAG,SAAS,UAAU,KAAK;AACvD,UAAM,KAAK,UAAU,OAAO;AAAA,EAC9B;AAAA,EAEA,MAAc,WAA8B;AAC1C,QAAI;AACJ,QAAI;AACF,YAAM,MAAS,YAAS,KAAK,UAAU,MAAM;AAAA,IAC/C,SAAS,KAAK;AACZ,UAAK,IAA8B,SAAS,UAAU;AACpD,eAAO;AAAA,MACT;AACA,YAAM;AAAA,IACR;AAEA,QAAI;AACJ,QAAI;AACF,eAAS,KAAK,MAAM,GAAG;AAAA,IACzB,QAAQ;AACN,YAAM,IAAI;AAAA,QACR,gCAAgC,KAAK,QAAQ;AAAA,MAC/C;AAAA,IACF;AAEA,UAAM,SAAS,eAAe,UAAU,MAAM;AAC9C,QAAI,CAAC,OAAO,SAAS;AAEnB,YAAM,eAAgB,SAAqC,SAAS;AACpE,UAAI,iBAAiB,GAAG;AACtB,cAAM,IAAI;AAAA,UACR,wBAAwB,KAAK,QAAQ,yBAAyB,OAAO,YAAY,CAAC;AAAA,QACpF;AAAA,MACF;AACA,YAAM,IAAI;AAAA,QACR,wBAAwB,KAAK,QAAQ,KAAK,OAAO,MAAM,OAAO;AAAA,MAChE;AAAA,IACF;AAEA,WAAO,OAAO;AAAA,EAChB;AAAA,EAEA,MAAc,UAAU,MAA+B;AACrD,UAAM,MAAW,aAAQ,KAAK,QAAQ;AACtC,UAAS,SAAM,KAAK,EAAE,WAAW,MAAM,MAAM,IAAM,CAAC;AAEpD,UAAS,SAAM,KAAK,GAAK,EAAE,MAAM,MAAM;AAAA,IAGvC,CAAC;AAED,UAAM,OAAO,KAAK,UAAU,MAAM,MAAM,CAAC;AACzC,UAAM,UAAe,UAAK,KAAK,gBAAgB;AAG/C,UAAS,aAAU,SAAS,MAAM,EAAE,MAAM,IAAM,CAAC;AAEjD,UAAS,SAAM,SAAS,GAAK;AAC7B,UAAS,UAAO,SAAS,KAAK,QAAQ;AAEtC,UAAS,SAAM,KAAK,UAAU,GAAK;AAAA,EACrC;AACF;;;AF3GA,IAAM,2BAA2B;AAEjC,SAAS,gBAAgB,MAAwC;AAC/D,MAAI,KAAK,SAAU,QAAO,KAAK;AAC/B,QAAM,OAAU,WAAQ;AACxB,MAAI,CAAC,MAAM;AACT,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,SAAY,WAAK,MAAM,cAAc,WAAW;AAClD;AAEA,SAAS,YAAY,KAAmB;AACtC,UAAQ,OAAO,MAAM,MAAM,IAAI;AACjC;AAOA,eAAsB,iBACpB,OAAiC,CAAC,GACb;AACrB,QAAM,WAAW,gBAAgB,IAAI;AACrC,QAAM,UAAU,KAAK,mBAAmB;AACxC,QAAM,OAAO,KAAK,QAAQ;AAG1B,MAAI,KAAK,iBAAiB,QAAQ;AAChC,WAAO,IAAI,eAAe,QAAQ;AAAA,EACpC;AACA,MAAI,KAAK,iBAAiB,YAAY;AACpC,WAAO,IAAI,mBAAmB,OAAO;AAAA,EACvC;AAGA,MAAI;AACF,UAAM,EAAE,OAAAC,OAAM,IAAI,MAAM,OAAO,kBAAkB;AACjD,QAAIA,OAAM,SAAS,qBAAqB,EAAE,YAAY;AAEtD,WAAO,IAAI,mBAAmB,OAAO;AAAA,EACvC,QAAQ;AAIN;AAAA,MACE,uEAAuE,QAAQ;AAAA,IACjF;AACA,WAAO,IAAI,eAAe,QAAQ;AAAA,EACpC;AACF;","names":["path","Entry"]}

package/dist/auth/factory.d.cts

@@ -0,0 +1,10 @@
+import { TokenStoreFactoryOptions, TokenStore } from './token-store.cjs';
+
+/**
+ * Creates a TokenStore, selecting the keychain backend when available and
+ * falling back to file storage with a stderr warning when the OS keychain
+ * cannot be accessed.
+ */
+declare function createTokenStore(opts?: TokenStoreFactoryOptions): Promise<TokenStore>;
+
+export { createTokenStore };

package/dist/auth/factory.d.ts

@@ -0,0 +1,10 @@
+import { TokenStoreFactoryOptions, TokenStore } from './token-store.js';
+
+/**
+ * Creates a TokenStore, selecting the keychain backend when available and
+ * falling back to file storage with a stderr warning when the OS keychain
+ * cannot be accessed.
+ */
+declare function createTokenStore(opts?: TokenStoreFactoryOptions): Promise<TokenStore>;
+
+export { createTokenStore };

package/dist/auth/factory.js

@@ -0,0 +1,8 @@
+#!/usr/bin/env node
+import {
+  createTokenStore
+} from "../chunk-4V4QABOJ.js";
+export {
+  createTokenStore
+};
+//# sourceMappingURL=factory.js.map

package/dist/auth/factory.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/auth/require-token.cjs

@@ -0,0 +1,40 @@
+#!/usr/bin/env node
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/auth/require-token.ts
+var require_token_exports = {};
+__export(require_token_exports, {
+  requireToken: () => requireToken
+});
+module.exports = __toCommonJS(require_token_exports);
+async function requireToken(profile, store) {
+  const token = await store.load(profile);
+  if (token === null) {
+    throw new Error(
+      `No refresh token for profile "${profile}". Run \`cleargate join <invite-url>\` first.`
+    );
+  }
+  return token;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  requireToken
+});
+//# sourceMappingURL=require-token.cjs.map

package/dist/auth/require-token.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/auth/require-token.ts"],"sourcesContent":["import type { TokenStore } from './token-store.js';\n\n/**\n * Asserts a refresh token is present for the given profile.\n * Throws a user-friendly error if the token is missing.\n *\n * Mirrors requireMcpUrl from config.ts — single throw site for \"missing token\".\n */\nexport async function requireToken(\n  profile: string,\n  store: TokenStore,\n): Promise<string> {\n  const token = await store.load(profile);\n  if (token === null) {\n    throw new Error(\n      `No refresh token for profile \"${profile}\". Run \\`cleargate join <invite-url>\\` first.`,\n    );\n  }\n  return token;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAQA,eAAsB,aACpB,SACA,OACiB;AACjB,QAAM,QAAQ,MAAM,MAAM,KAAK,OAAO;AACtC,MAAI,UAAU,MAAM;AAClB,UAAM,IAAI;AAAA,MACR,iCAAiC,OAAO;AAAA,IAC1C;AAAA,EACF;AACA,SAAO;AACT;","names":[]}

package/dist/auth/require-token.d.cts

@@ -0,0 +1,11 @@
+import { TokenStore } from './token-store.cjs';
+
+/**
+ * Asserts a refresh token is present for the given profile.
+ * Throws a user-friendly error if the token is missing.
+ *
+ * Mirrors requireMcpUrl from config.ts — single throw site for "missing token".
+ */
+declare function requireToken(profile: string, store: TokenStore): Promise<string>;
+
+export { requireToken };