guardrail-cli 1.0.5 → 2.0.0

package/dist/runtime/auth-utils.js

@@ -0,0 +1,126 @@
+"use strict";
+/**
+ * Enterprise Auth Utilities
+ * - Key masking for secure display
+ * - Expiry warning calculations
+ * - Cache validity checks
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.maskApiKey = maskApiKey;
+exports.hoursUntilExpiry = hoursUntilExpiry;
+exports.isExpiryWarning = isExpiryWarning;
+exports.formatExpiry = formatExpiry;
+exports.shouldUseCachedEntitlements = shouldUseCachedEntitlements;
+exports.getClientMetadata = getClientMetadata;
+exports.validateApiKeyFormat = validateApiKeyFormat;
+/**
+ * Mask an API key for secure display
+ * Keeps prefix and last 4 characters: gr_pro_****abcd
+ */
+function maskApiKey(apiKey) {
+    if (!apiKey || apiKey.length < 12) {
+        return '****';
+    }
+    // Find the prefix pattern (gr_tier_)
+    const prefixMatch = apiKey.match(/^(gr_[a-z]+_)/);
+    if (prefixMatch) {
+        const prefix = prefixMatch[1];
+        const suffix = apiKey.slice(-4);
+        const maskedLength = apiKey.length - prefix.length - 4;
+        return `${prefix}${'*'.repeat(Math.max(4, maskedLength))}${suffix}`;
+    }
+    // Fallback: show first 3 and last 4
+    const prefix = apiKey.slice(0, 3);
+    const suffix = apiKey.slice(-4);
+    return `${prefix}****${suffix}`;
+}
+/**
+ * Calculate hours until expiry
+ * Returns null if no expiry or already expired
+ */
+function hoursUntilExpiry(expiresAt) {
+    if (!expiresAt)
+        return null;
+    const expiry = new Date(expiresAt);
+    const now = new Date();
+    if (expiry <= now)
+        return 0;
+    const diffMs = expiry.getTime() - now.getTime();
+    return Math.floor(diffMs / (1000 * 60 * 60));
+}
+/**
+ * Check if expiry is within warning threshold (72 hours)
+ */
+function isExpiryWarning(expiresAt, thresholdHours = 72) {
+    const hours = hoursUntilExpiry(expiresAt);
+    if (hours === null)
+        return false;
+    return hours > 0 && hours <= thresholdHours;
+}
+/**
+ * Format expiry for display
+ */
+function formatExpiry(expiresAt) {
+    const hours = hoursUntilExpiry(expiresAt);
+    if (hours === null)
+        return 'No expiry set';
+    if (hours === 0)
+        return 'Expired';
+    if (hours < 24)
+        return `${hours}h`;
+    const days = Math.floor(hours / 24);
+    const remainingHours = hours % 24;
+    if (days === 1)
+        return `1 day ${remainingHours}h`;
+    return `${days} days ${remainingHours}h`;
+}
+/**
+ * Check if cached entitlements should be reused
+ * Returns true if cache is valid and has > 5 minutes remaining
+ */
+function shouldUseCachedEntitlements(expiresAt) {
+    if (!expiresAt)
+        return false;
+    const expiry = new Date(expiresAt);
+    const now = new Date();
+    const fiveMinutesFromNow = new Date(now.getTime() + 5 * 60 * 1000);
+    return expiry > fiveMinutesFromNow;
+}
+/**
+ * Get client metadata for API requests
+ */
+function getClientMetadata() {
+    let version = '1.0.0';
+    try {
+        const pkg = require('../../package.json');
+        version = pkg.version || '1.0.0';
+    }
+    catch {
+        // Use default version
+    }
+    return {
+        version,
+        os: process.platform,
+        arch: process.arch,
+    };
+}
+/**
+ * Validate API key format
+ * Returns error message or null if valid
+ */
+function validateApiKeyFormat(apiKey) {
+    if (!apiKey) {
+        return 'API key is required';
+    }
+    if (!apiKey.startsWith('gr_')) {
+        return 'API key must start with "gr_"';
+    }
+    if (apiKey.length < 20) {
+        return 'API key is too short';
+    }
+    if (!/^gr_[a-z]+_[a-zA-Z0-9]+$/.test(apiKey)) {
+        return 'API key format is invalid';
+    }
+    return null;
+}
+//# sourceMappingURL=auth-utils.js.map

package/dist/runtime/auth-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-utils.js","sourceRoot":"","sources":["../../src/runtime/auth-utils.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAMH,gCAkBC;AAMD,4CAUC;AAKD,0CAIC;AAKD,oCAYC;AAMD,kEAQC;AAKD,8CAcC;AAMD,oDAkBC;AAzHD;;;GAGG;AACH,SAAgB,UAAU,CAAC,MAAc;IACvC,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAClC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,qCAAqC;IACrC,MAAM,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;IAClD,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,MAAM,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;QAC9B,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAChC,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;QACvD,OAAO,GAAG,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,GAAG,MAAM,EAAE,CAAC;IACtE,CAAC;IAED,oCAAoC;IACpC,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAChC,OAAO,GAAG,MAAM,OAAO,MAAM,EAAE,CAAC;AAClC,CAAC;AAED;;;GAGG;AACH,SAAgB,gBAAgB,CAAC,SAA6B;IAC5D,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAE5B,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC;IACnC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IAEvB,IAAI,MAAM,IAAI,GAAG;QAAE,OAAO,CAAC,CAAC;IAE5B,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC;IAChD,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;AAC/C,CAAC;AAED;;GAEG;AACH,SAAgB,eAAe,CAAC,SAA6B,EAAE,iBAAyB,EAAE;IACxF,MAAM,KAAK,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAC;IAC1C,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IACjC,OAAO,KAAK,GAAG,CAAC,IAAI,KAAK,IAAI,cAAc,CAAC;AAC9C,CAAC;AAED;;GAEG;AACH,SAAgB,YAAY,CAAC,SAA6B;IACxD,MAAM,KAAK,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAC;IAE1C,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,eAAe,CAAC;IAC3C,IAAI,KAAK,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IAClC,IAAI,KAAK,GAAG,EAAE;QAAE,OAAO,GAAG,KAAK,GAAG,CAAC;IAEnC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,EAAE,CAAC,CAAC;IACpC,MAAM,cAAc,GAAG,KAAK,GAAG,EAAE,CAAC;IAElC,IAAI,IAAI,KAAK,CAAC;QAAE,OAAO,SAAS,cAAc,GAAG,CAAC;IAClD,OAAO,GAAG,IAAI,SAAS,cAAc,GAAG,CAAC;AAC3C,CAAC;AAED;;;GAGG;AACH,SAAgB,2BAA2B,CAAC,SAA6B;IACvE,IAAI,CAAC,SAAS;QAAE,OAAO,KAAK,CAAC;IAE7B,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC;IACnC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,MAAM,kBAAkB,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAEnE,OAAO,MAAM,GAAG,kBAAkB,CAAC;AACrC,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB;IAC/B,IAAI,OAAO,GAAG,OAAO,CAAC;IACtB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAAC;QAC1C,OAAO,GAAG,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC;IACnC,CAAC;IAAC,MAAM,CAAC;QACP,sBAAsB;IACxB,CAAC;IAED,OAAO;QACL,OAAO;QACP,EAAE,EAAE,OAAO,CAAC,QAAQ;QACpB,IAAI,EAAE,OAAO,CAAC,IAAI;KACnB,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAgB,oBAAoB,CAAC,MAAc;IACjD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,qBAAqB,CAAC;IAC/B,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QAC9B,OAAO,+BAA+B,CAAC;IACzC,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACvB,OAAO,sBAAsB,CAAC;IAChC,CAAC;IAED,IAAI,CAAC,0BAA0B,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QAC7C,OAAO,2BAA2B,CAAC;IACrC,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/runtime/client.d.ts

@@ -0,0 +1,74 @@
+/**
+ * Enterprise API Client
+ * - Real entitlement validation (no key prefix parsing)
+ * - Proper timeouts and retries with exponential backoff
+ * - User-agent for tracking
+ * - Circuit breaker pattern for resilience
+ */
+import { Tier } from './creds';
+export interface AuthValidateRequest {
+    apiKey: string;
+    client: {
+        version: string;
+        os: string;
+        arch: string;
+    };
+}
+export interface AuthValidateResponse {
+    ok: boolean;
+    tier: Tier;
+    email?: string;
+    entitlements?: string[];
+    expiresAt?: string;
+    issuedAt?: string;
+    reason?: string;
+}
+export interface ValidateResponse {
+    ok: boolean;
+    tier: Tier;
+    email?: string;
+    entitlements?: string[];
+    expiresAt?: string;
+    issuedAt?: string;
+    error?: string;
+}
+export interface ClientOptions {
+    baseUrl?: string;
+    timeout?: number;
+    maxRetries?: number;
+}
+/**
+ * Validate API key against the enterprise auth endpoint
+ * POST /v1/cli/auth/validate with proper request format and retries
+ */
+export declare function validateApiKey(opts: {
+    apiKey: string;
+    baseUrl?: string;
+    timeout?: number;
+    maxRetries?: number;
+}): Promise<ValidateResponse>;
+/**
+ * Legacy validate function - wraps new validateApiKey for backwards compatibility
+ */
+export declare function validateCredentials(opts: {
+    apiKey?: string;
+    accessToken?: string;
+    baseUrl?: string;
+    timeout?: number;
+}): Promise<ValidateResponse>;
+/**
+ * Refresh access token using refresh token
+ */
+export declare function refreshAccessToken(opts: {
+    refreshToken: string;
+    baseUrl?: string;
+}): Promise<{
+    accessToken?: string;
+    expiresIn?: number;
+    error?: string;
+}>;
+/**
+ * Calculate cache expiry (15 minutes from now)
+ */
+export declare function getCacheExpiry(minutes?: number): string;
+//# sourceMappingURL=client.d.ts.map

package/dist/runtime/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/runtime/client.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,SAAS,CAAC;AAG/B,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE;QACN,OAAO,EAAE,MAAM,CAAC;QAChB,EAAE,EAAE,MAAM,CAAC;QACX,IAAI,EAAE,MAAM,CAAC;KACd,CAAC;CACH;AAED,MAAM,WAAW,oBAAoB;IACnC,EAAE,EAAE,OAAO,CAAC;IACZ,IAAI,EAAE,IAAI,CAAC;IACX,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,OAAO,CAAC;IACZ,IAAI,EAAE,IAAI,CAAC;IACX,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAcD;;;GAGG;AACH,wBAAsB,cAAc,CAAC,IAAI,EAAE;IACzC,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA0G5B;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CAAC,IAAI,EAAE;IAC9C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAkD5B;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CAAC,IAAI,EAAE;IAC7C,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,GAAG,OAAO,CAAC;IAAE,WAAW,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA0BxE;AAcD;;GAEG;AACH,wBAAgB,cAAc,CAAC,OAAO,GAAE,MAAW,GAAG,MAAM,CAI3D"}

package/dist/runtime/client.js

@@ -0,0 +1,222 @@
+"use strict";
+/**
+ * Enterprise API Client
+ * - Real entitlement validation (no key prefix parsing)
+ * - Proper timeouts and retries with exponential backoff
+ * - User-agent for tracking
+ * - Circuit breaker pattern for resilience
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateApiKey = validateApiKey;
+exports.validateCredentials = validateCredentials;
+exports.refreshAccessToken = refreshAccessToken;
+exports.getCacheExpiry = getCacheExpiry;
+const auth_utils_1 = require("./auth-utils");
+const DEFAULT_API_BASE = process.env.GUARDRAIL_API_BASE_URL || 'https://api.guardrail.dev';
+const DEFAULT_TIMEOUT = 10000;
+const DEFAULT_MAX_RETRIES = 3;
+const RETRY_DELAYS = [1000, 2000, 4000]; // Exponential backoff
+/**
+ * Sleep utility for retry delays
+ */
+function sleep(ms) {
+    return new Promise(resolve => setTimeout(resolve, ms));
+}
+/**
+ * Validate API key against the enterprise auth endpoint
+ * POST /v1/cli/auth/validate with proper request format and retries
+ */
+async function validateApiKey(opts) {
+    const baseUrl = opts.baseUrl || DEFAULT_API_BASE;
+    const timeout = opts.timeout || DEFAULT_TIMEOUT;
+    const maxRetries = opts.maxRetries ?? DEFAULT_MAX_RETRIES;
+    const clientMeta = (0, auth_utils_1.getClientMetadata)();
+    const requestBody = {
+        apiKey: opts.apiKey,
+        client: clientMeta,
+    };
+    let lastError = 'Unknown error';
+    for (let attempt = 0; attempt <= maxRetries; attempt++) {
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), timeout);
+        try {
+            const res = await fetch(`${baseUrl}/v1/cli/auth/validate`, {
+                method: 'POST',
+                headers: {
+                    'content-type': 'application/json',
+                    'user-agent': `guardrail-cli/${clientMeta.version} (${clientMeta.os}; ${clientMeta.arch}; node ${process.version})`,
+                    'x-client-version': clientMeta.version,
+                },
+                body: JSON.stringify(requestBody),
+                signal: controller.signal,
+            });
+            clearTimeout(timeoutId);
+            if (!res.ok) {
+                const errorBody = await res.text().catch(() => '');
+                let errorMessage;
+                try {
+                    const errorJson = JSON.parse(errorBody);
+                    errorMessage = errorJson.reason || errorJson.message || errorJson.error || `HTTP ${res.status}`;
+                }
+                catch {
+                    errorMessage = `HTTP ${res.status}: ${res.statusText}`;
+                }
+                if (res.status === 401) {
+                    return { ok: false, tier: 'free', error: 'Invalid or expired API key' };
+                }
+                if (res.status === 403) {
+                    return { ok: false, tier: 'free', error: 'Access denied - API key revoked or suspended' };
+                }
+                if (res.status === 429) {
+                    lastError = 'Rate limited - please try again later';
+                    if (attempt < maxRetries) {
+                        await sleep(RETRY_DELAYS[attempt] || 4000);
+                        continue;
+                    }
+                    return { ok: false, tier: 'free', error: lastError };
+                }
+                if (res.status >= 500) {
+                    lastError = `Server error: ${errorMessage}`;
+                    if (attempt < maxRetries) {
+                        await sleep(RETRY_DELAYS[attempt] || 4000);
+                        continue;
+                    }
+                    return { ok: false, tier: 'free', error: lastError };
+                }
+                return { ok: false, tier: 'free', error: errorMessage };
+            }
+            const data = await res.json();
+            if (!data.ok) {
+                return {
+                    ok: false,
+                    tier: 'free',
+                    error: data.reason || 'Validation failed'
+                };
+            }
+            return {
+                ok: true,
+                tier: data.tier || 'free',
+                email: data.email,
+                entitlements: data.entitlements,
+                expiresAt: data.expiresAt,
+                issuedAt: data.issuedAt,
+            };
+        }
+        catch (err) {
+            clearTimeout(timeoutId);
+            if (err.name === 'AbortError') {
+                lastError = 'Request timed out';
+            }
+            else if (err.code === 'ECONNREFUSED' || err.code === 'ENOTFOUND') {
+                lastError = 'Unable to reach Guardrail API - check your network connection';
+            }
+            else {
+                lastError = `Network error: ${err.message}`;
+            }
+            if (attempt < maxRetries) {
+                await sleep(RETRY_DELAYS[attempt] || 4000);
+                continue;
+            }
+        }
+    }
+    return { ok: false, tier: 'free', error: lastError };
+}
+/**
+ * Legacy validate function - wraps new validateApiKey for backwards compatibility
+ */
+async function validateCredentials(opts) {
+    if (!opts.apiKey && !opts.accessToken) {
+        return { ok: false, tier: 'free', error: 'No credentials provided' };
+    }
+    if (opts.apiKey) {
+        return validateApiKey({
+            apiKey: opts.apiKey,
+            baseUrl: opts.baseUrl,
+            timeout: opts.timeout,
+        });
+    }
+    // For access tokens, use the legacy endpoint
+    const baseUrl = opts.baseUrl || DEFAULT_API_BASE;
+    const timeout = opts.timeout || DEFAULT_TIMEOUT;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    try {
+        const clientMeta = (0, auth_utils_1.getClientMetadata)();
+        const res = await fetch(`${baseUrl}/v1/cli/validate`, {
+            method: 'POST',
+            headers: {
+                'content-type': 'application/json',
+                'authorization': `Bearer ${opts.accessToken}`,
+                'user-agent': `guardrail-cli/${clientMeta.version} (node ${process.version})`,
+            },
+            body: JSON.stringify({ ts: new Date().toISOString() }),
+            signal: controller.signal,
+        });
+        clearTimeout(timeoutId);
+        if (!res.ok) {
+            if (res.status === 401) {
+                return { ok: false, tier: 'free', error: 'Invalid or expired credentials' };
+            }
+            return { ok: false, tier: 'free', error: `API error: ${res.status}` };
+        }
+        const data = await res.json();
+        return { ...data, ok: true };
+    }
+    catch (err) {
+        clearTimeout(timeoutId);
+        if (err.name === 'AbortError') {
+            return { ok: false, tier: 'free', error: 'Request timed out' };
+        }
+        return { ok: false, tier: 'free', error: `Network error: ${err.message}` };
+    }
+}
+/**
+ * Refresh access token using refresh token
+ */
+async function refreshAccessToken(opts) {
+    const baseUrl = opts.baseUrl || DEFAULT_API_BASE;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), DEFAULT_TIMEOUT);
+    try {
+        const res = await fetch(`${baseUrl}/v1/cli/refresh`, {
+            method: 'POST',
+            headers: {
+                'content-type': 'application/json',
+                'user-agent': `guardrail-cli/${getVersion()} (node ${process.version})`,
+            },
+            body: JSON.stringify({ refreshToken: opts.refreshToken }),
+            signal: controller.signal,
+        });
+        if (!res.ok) {
+            return { error: `Refresh failed: ${res.status}` };
+        }
+        return await res.json();
+    }
+    catch (err) {
+        return { error: err.message };
+    }
+    finally {
+        clearTimeout(timeoutId);
+    }
+}
+/**
+ * Get CLI version from package.json
+ */
+function getVersion() {
+    try {
+        const pkg = require('../../package.json');
+        return pkg.version || '0.0.0';
+    }
+    catch {
+        return '0.0.0';
+    }
+}
+/**
+ * Calculate cache expiry (15 minutes from now)
+ */
+function getCacheExpiry(minutes = 15) {
+    const expiry = new Date();
+    expiry.setMinutes(expiry.getMinutes() + minutes);
+    return expiry.toISOString();
+}
+//# sourceMappingURL=client.js.map

package/dist/runtime/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/runtime/client.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAwDH,wCA+GC;AAKD,kDAuDC;AAKD,gDA6BC;AAiBD,wCAIC;AAvRD,6CAAiD;AAqCjD,MAAM,gBAAgB,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,2BAA2B,CAAC;AAC3F,MAAM,eAAe,GAAG,KAAK,CAAC;AAC9B,MAAM,mBAAmB,GAAG,CAAC,CAAC;AAC9B,MAAM,YAAY,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,sBAAsB;AAE/D;;GAEG;AACH,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AACzD,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,cAAc,CAAC,IAKpC;IACC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,gBAAgB,CAAC;IACjD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,eAAe,CAAC;IAChD,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,mBAAmB,CAAC;IAE1D,MAAM,UAAU,GAAG,IAAA,8BAAiB,GAAE,CAAC;IACvC,MAAM,WAAW,GAAwB;QACvC,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,MAAM,EAAE,UAAU;KACnB,CAAC;IAEF,IAAI,SAAS,GAAW,eAAe,CAAC;IAExC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,IAAI,UAAU,EAAE,OAAO,EAAE,EAAE,CAAC;QACvD,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,CAAC;QAEhE,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,uBAAuB,EAAE;gBACzD,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;oBAClC,YAAY,EAAE,iBAAiB,UAAU,CAAC,OAAO,KAAK,UAAU,CAAC,EAAE,KAAK,UAAU,CAAC,IAAI,UAAU,OAAO,CAAC,OAAO,GAAG;oBACnH,kBAAkB,EAAE,UAAU,CAAC,OAAO;iBACvC;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC;gBACjC,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;YAEH,YAAY,CAAC,SAAS,CAAC,CAAC;YAExB,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;gBACnD,IAAI,YAAoB,CAAC;gBAEzB,IAAI,CAAC;oBACH,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;oBACxC,YAAY,GAAG,SAAS,CAAC,MAAM,IAAI,SAAS,CAAC,OAAO,IAAI,SAAS,CAAC,KAAK,IAAI,QAAQ,GAAG,CAAC,MAAM,EAAE,CAAC;gBAClG,CAAC;gBAAC,MAAM,CAAC;oBACP,YAAY,GAAG,QAAQ,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,UAAU,EAAE,CAAC;gBACzD,CAAC;gBAED,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBACvB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAC;gBAC1E,CAAC;gBACD,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBACvB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,8CAA8C,EAAE,CAAC;gBAC5F,CAAC;gBACD,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBACvB,SAAS,GAAG,uCAAuC,CAAC;oBACpD,IAAI,OAAO,GAAG,UAAU,EAAE,CAAC;wBACzB,MAAM,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC;wBAC3C,SAAS;oBACX,CAAC;oBACD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;gBACvD,CAAC;gBACD,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;oBACtB,SAAS,GAAG,iBAAiB,YAAY,EAAE,CAAC;oBAC5C,IAAI,OAAO,GAAG,UAAU,EAAE,CAAC;wBACzB,MAAM,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC;wBAC3C,SAAS;oBACX,CAAC;oBACD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;gBACvD,CAAC;gBAED,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC;YAC1D,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA0B,CAAC;YAEtD,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;gBACb,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,IAAI,EAAE,MAAM;oBACZ,KAAK,EAAE,IAAI,CAAC,MAAM,IAAI,mBAAmB;iBAC1C,CAAC;YACJ,CAAC;YAED,OAAO;gBACL,EAAE,EAAE,IAAI;gBACR,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,MAAM;gBACzB,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,YAAY,EAAE,IAAI,CAAC,YAAY;gBAC/B,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;aACxB,CAAC;QAEJ,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,YAAY,CAAC,SAAS,CAAC,CAAC;YAExB,IAAI,GAAG,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBAC9B,SAAS,GAAG,mBAAmB,CAAC;YAClC,CAAC;iBAAM,IAAI,GAAG,CAAC,IAAI,KAAK,cAAc,IAAI,GAAG,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;gBACnE,SAAS,GAAG,+DAA+D,CAAC;YAC9E,CAAC;iBAAM,CAAC;gBACN,SAAS,GAAG,kBAAkB,GAAG,CAAC,OAAO,EAAE,CAAC;YAC9C,CAAC;YAED,IAAI,OAAO,GAAG,UAAU,EAAE,CAAC;gBACzB,MAAM,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC;gBAC3C,SAAS;YACX,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;AACvD,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,mBAAmB,CAAC,IAKzC;IACC,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;QACtC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;IACvE,CAAC;IAED,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;QAChB,OAAO,cAAc,CAAC;YACpB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,OAAO,EAAE,IAAI,CAAC,OAAO;SACtB,CAAC,CAAC;IACL,CAAC;IAED,6CAA6C;IAC7C,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,gBAAgB,CAAC;IACjD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,eAAe,CAAC;IAChD,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;IACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,CAAC;IAEhE,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,IAAA,8BAAiB,GAAE,CAAC;QACvC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,kBAAkB,EAAE;YACpD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,eAAe,EAAE,UAAU,IAAI,CAAC,WAAW,EAAE;gBAC7C,YAAY,EAAE,iBAAiB,UAAU,CAAC,OAAO,UAAU,OAAO,CAAC,OAAO,GAAG;aAC9E;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;YACtD,MAAM,EAAE,UAAU,CAAC,MAAM;SAC1B,CAAC,CAAC;QAEH,YAAY,CAAC,SAAS,CAAC,CAAC;QAExB,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBACvB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,gCAAgC,EAAE,CAAC;YAC9E,CAAC;YACD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,cAAc,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC;QACxE,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAsB,CAAC;QAClD,OAAO,EAAE,GAAG,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IAC/B,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,YAAY,CAAC,SAAS,CAAC,CAAC;QACxB,IAAI,GAAG,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YAC9B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;QACjE,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,kBAAkB,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;IAC7E,CAAC;AACH,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,kBAAkB,CAAC,IAGxC;IACC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,gBAAgB,CAAC;IACjD,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;IACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,eAAe,CAAC,CAAC;IAExE,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,iBAAiB,EAAE;YACnD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,YAAY,EAAE,iBAAiB,UAAU,EAAE,UAAU,OAAO,CAAC,OAAO,GAAG;aACxE;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC;YACzD,MAAM,EAAE,UAAU,CAAC,MAAM;SAC1B,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,OAAO,EAAE,KAAK,EAAE,mBAAmB,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC;QACpD,CAAC;QAED,OAAO,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IAC1B,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC;IAChC,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,SAAS,CAAC,CAAC;IAC1B,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,UAAU;IACjB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAAC;QAC1C,OAAO,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC;IAChC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,OAAO,CAAC;IACjB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,cAAc,CAAC,UAAkB,EAAE;IACjD,MAAM,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;IAC1B,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,UAAU,EAAE,GAAG,OAAO,CAAC,CAAC;IACjD,OAAO,MAAM,CAAC,WAAW,EAAE,CAAC;AAC9B,CAAC"}

package/dist/runtime/creds.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Enterprise Credential Store
+ * - OS keychain first (Keychain/Windows Credential Manager/libsecret)
+ * - Secure fallback with 0600 perms + atomic writes
+ * - Token-first model (short-lived tokens preferred over static API keys)
+ */
+export type Tier = 'free' | 'starter' | 'pro' | 'enterprise';
+export interface AuthState {
+    apiKey?: string;
+    accessToken?: string;
+    refreshToken?: string;
+    tier?: Tier;
+    email?: string;
+    entitlements?: string[];
+    authenticatedAt?: string;
+    cacheUntil?: string;
+    expiresAt?: string;
+    issuedAt?: string;
+}
+/**
+ * Load authentication state
+ * Prefers keychain for sensitive tokens, falls back to disk
+ */
+export declare function loadAuthState(): Promise<AuthState>;
+/**
+ * Save authentication state
+ * Stores sensitive tokens in keychain when available, non-sensitive data on disk
+ */
+export declare function saveAuthState(next: AuthState): Promise<void>;
+/**
+ * Clear all authentication state (logout)
+ */
+export declare function clearAuthState(): Promise<void>;
+/**
+ * Check if cached entitlements are still valid
+ * Uses the shorter of cacheUntil (local) or expiresAt (server)
+ */
+export declare function isCacheValid(state: AuthState): boolean;
+/**
+ * Check if entitlements should be reused from cache
+ * Returns true only if cache is valid AND has > 5 minutes remaining
+ */
+export declare function shouldUseCachedEntitlements(state: AuthState): boolean;
+/**
+ * Get config directory path (for display purposes)
+ */
+export declare function getConfigPath(): string;
+//# sourceMappingURL=creds.d.ts.map

package/dist/runtime/creds.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"creds.d.ts","sourceRoot":"","sources":["../../src/runtime/creds.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAQH,MAAM,MAAM,IAAI,GAAG,MAAM,GAAG,SAAS,GAAG,KAAK,GAAG,YAAY,CAAC;AAE7D,MAAM,WAAW,SAAS;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,IAAI,CAAC,EAAE,IAAI,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAgFD;;;GAGG;AACH,wBAAsB,aAAa,IAAI,OAAO,CAAC,SAAS,CAAC,CAwBxD;AAED;;;GAGG;AACH,wBAAsB,aAAa,CAAC,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAuBlE;AAED;;GAEG;AACH,wBAAsB,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC,CAUpD;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,SAAS,GAAG,OAAO,CAmBtD;AAED;;;GAGG;AACH,wBAAgB,2BAA2B,CAAC,KAAK,EAAE,SAAS,GAAG,OAAO,CAoBrE;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,MAAM,CAEtC"}