npm - infra-cost - Versions diffs - 1.5.0 → 1.6.0 - Mend

infra-cost 1.5.0 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -10214,7 +10214,7 @@ var import_commander = require("commander");
 // package.json
 var package_default = {
   name: "infra-cost",
-  version: "1.5.0",
+  version: "1.6.0",
   description: "Multi-cloud FinOps CLI tool for comprehensive cost analysis and infrastructure optimization across AWS, GCP, Azure, Alibaba Cloud, and Oracle Cloud",
   keywords: [
     "aws",
@@ -11920,8 +11920,8 @@ __name(registerExportCommands, "registerExportCommands");
 function registerOrganizationsCommands(program) {
   const orgs = program.command("organizations").alias("orgs").description("AWS Organizations multi-account management");
   orgs.command("list").description("List all accounts in the organization").option("--include-inactive", "Include suspended/closed accounts").action(async (options, command) => {
-    const { handleList: handleList3 } = await Promise.resolve().then(() => (init_list(), list_exports));
-    await handleList3(options, command);
+    const { handleList: handleList4 } = await Promise.resolve().then(() => (init_list(), list_exports));
+    await handleList4(options, command);
   });
   orgs.command("summary").description("Multi-account cost summary").option("--group-by <field>", "Group by (account, ou, tag)", "account").action(async (options, command) => {
     const { handleSummary: handleSummary2 } = await Promise.resolve().then(() => (init_summary(), summary_exports));
@@ -13115,6 +13115,772 @@ function registerSchedulerCommands(program) {
 }
 __name(registerSchedulerCommands, "registerSchedulerCommands");
+// src/cli/commands/rbac/index.ts
+var import_chalk19 = __toESM(require("chalk"));
+// src/core/rbac.ts
+var import_fs6 = require("fs");
+var import_path4 = require("path");
+var import_os4 = require("os");
+var CONFIG_DIR2 = (0, import_path4.join)((0, import_os4.homedir)(), ".infra-cost");
+var RBAC_CONFIG_FILE = (0, import_path4.join)(CONFIG_DIR2, "rbac.json");
+var DEFAULT_ROLES = {
+  admin: {
+    name: "admin",
+    description: "Full access to all features",
+    permissions: ["*"]
+  },
+  finance: {
+    name: "finance",
+    description: "Cost data and reports only",
+    permissions: [
+      "costs:read",
+      "costs:read:*",
+      "chargeback:read",
+      "chargeback:read:*",
+      "reports:generate",
+      "budgets:read",
+      "budgets:read:*",
+      "export:read"
+    ]
+  },
+  developer: {
+    name: "developer",
+    description: "View costs for assigned resources",
+    permissions: [
+      "costs:read:own",
+      "costs:read:team:*",
+      "inventory:read:own",
+      "inventory:read:team:*",
+      "optimization:read:own",
+      "optimization:read:team:*"
+    ]
+  },
+  viewer: {
+    name: "viewer",
+    description: "Read-only access to summaries",
+    permissions: [
+      "costs:read:summary",
+      "budgets:read"
+    ]
+  }
+};
+function loadRBACConfig() {
+  if (!(0, import_fs6.existsSync)(RBAC_CONFIG_FILE)) {
+    return {
+      roles: DEFAULT_ROLES,
+      userRoles: []
+    };
+  }
+  try {
+    const data = (0, import_fs6.readFileSync)(RBAC_CONFIG_FILE, "utf-8");
+    const config = JSON.parse(data);
+    return {
+      ...config,
+      roles: { ...DEFAULT_ROLES, ...config.roles }
+    };
+  } catch (error) {
+    console.error("Error loading RBAC config:", error);
+    return {
+      roles: DEFAULT_ROLES,
+      userRoles: []
+    };
+  }
+}
+__name(loadRBACConfig, "loadRBACConfig");
+function saveRBACConfig(config) {
+  try {
+    (0, import_fs6.writeFileSync)(RBAC_CONFIG_FILE, JSON.stringify(config, null, 2));
+  } catch (error) {
+    throw new Error(`Failed to save RBAC config: ${error}`);
+  }
+}
+__name(saveRBACConfig, "saveRBACConfig");
+function getUserRole(user) {
+  const config = loadRBACConfig();
+  const userRole = config.userRoles.find((ur) => ur.user === user);
+  return userRole?.role || null;
+}
+__name(getUserRole, "getUserRole");
+function assignRole(user, role, assignedBy) {
+  const config = loadRBACConfig();
+  if (!config.roles[role]) {
+    throw new Error(`Role "${role}" does not exist`);
+  }
+  config.userRoles = config.userRoles.filter((ur) => ur.user !== user);
+  config.userRoles.push({
+    user,
+    role,
+    assignedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    assignedBy
+  });
+  saveRBACConfig(config);
+}
+__name(assignRole, "assignRole");
+function removeUserRole(user) {
+  const config = loadRBACConfig();
+  config.userRoles = config.userRoles.filter((ur) => ur.user !== user);
+  saveRBACConfig(config);
+}
+__name(removeUserRole, "removeUserRole");
+function createRole(name, description, permissions) {
+  const config = loadRBACConfig();
+  if (config.roles[name]) {
+    throw new Error(`Role "${name}" already exists`);
+  }
+  config.roles[name] = {
+    name,
+    description,
+    permissions
+  };
+  saveRBACConfig(config);
+}
+__name(createRole, "createRole");
+function deleteRole(name) {
+  const config = loadRBACConfig();
+  if (DEFAULT_ROLES[name]) {
+    throw new Error(`Cannot delete default role "${name}"`);
+  }
+  if (!config.roles[name]) {
+    throw new Error(`Role "${name}" does not exist`);
+  }
+  delete config.roles[name];
+  config.userRoles = config.userRoles.filter((ur) => ur.role !== name);
+  saveRBACConfig(config);
+}
+__name(deleteRole, "deleteRole");
+function parsePermission(permissionStr) {
+  const parts = permissionStr.split(":");
+  return {
+    resource: parts[0] || "*",
+    action: parts[1] || "*",
+    scope: parts[2]
+  };
+}
+__name(parsePermission, "parsePermission");
+function permissionMatches(required, granted) {
+  if (granted.resource === "*") {
+    return true;
+  }
+  if (granted.resource !== required.resource) {
+    return false;
+  }
+  if (granted.action !== "*" && granted.action !== required.action) {
+    return false;
+  }
+  if (required.scope) {
+    if (!granted.scope || granted.scope === "*") {
+      return true;
+    }
+    if (granted.scope !== required.scope && !granted.scope.endsWith(":*")) {
+      return false;
+    }
+    if (granted.scope.endsWith(":*")) {
+      const prefix = granted.scope.slice(0, -2);
+      return required.scope.startsWith(prefix);
+    }
+  }
+  return true;
+}
+__name(permissionMatches, "permissionMatches");
+function hasPermission(user, permissionStr, context) {
+  const config = loadRBACConfig();
+  const userRole = config.userRoles.find((ur) => ur.user === user);
+  if (!userRole) {
+    return false;
+  }
+  const role = config.roles[userRole.role];
+  if (!role) {
+    return false;
+  }
+  const required = parsePermission(permissionStr);
+  for (const grantedStr of role.permissions) {
+    const granted = parsePermission(grantedStr);
+    if (permissionMatches(required, granted)) {
+      return true;
+    }
+  }
+  return false;
+}
+__name(hasPermission, "hasPermission");
+function getUserPermissions(user) {
+  const config = loadRBACConfig();
+  const userRole = config.userRoles.find((ur) => ur.user === user);
+  if (!userRole) {
+    return [];
+  }
+  const role = config.roles[userRole.role];
+  if (!role) {
+    return [];
+  }
+  return role.permissions;
+}
+__name(getUserPermissions, "getUserPermissions");
+function listRoles() {
+  const config = loadRBACConfig();
+  return Object.values(config.roles);
+}
+__name(listRoles, "listRoles");
+function listUserRoles() {
+  const config = loadRBACConfig();
+  return config.userRoles;
+}
+__name(listUserRoles, "listUserRoles");
+// src/cli/commands/rbac/index.ts
+async function handleAssignRole(options) {
+  const { user, role, assignedBy } = options;
+  if (!user || !role) {
+    console.error(import_chalk19.default.red("Error: --user and --role are required"));
+    console.log("\nExample:");
+    console.log(import_chalk19.default.gray("  infra-cost rbac assign-role --user john@company.com --role finance"));
+    process.exit(1);
+  }
+  try {
+    assignRole(user, role, assignedBy);
+    console.log(import_chalk19.default.green(`\u2705 Assigned role "${role}" to user "${user}"`));
+  } catch (error) {
+    console.error(import_chalk19.default.red(`Error: ${error.message}`));
+    process.exit(1);
+  }
+}
+__name(handleAssignRole, "handleAssignRole");
+async function handleRemoveRole(options) {
+  const { user } = options;
+  if (!user) {
+    console.error(import_chalk19.default.red("Error: --user is required"));
+    process.exit(1);
+  }
+  try {
+    removeUserRole(user);
+    console.log(import_chalk19.default.green(`\u2705 Removed role from user "${user}"`));
+  } catch (error) {
+    console.error(import_chalk19.default.red(`Error: ${error.message}`));
+    process.exit(1);
+  }
+}
+__name(handleRemoveRole, "handleRemoveRole");
+async function handleCreateRole(options) {
+  const { name, description, permissions } = options;
+  if (!name || !description || !permissions) {
+    console.error(import_chalk19.default.red("Error: --name, --description, and --permissions are required"));
+    console.log("\nExample:");
+    console.log(import_chalk19.default.gray("  infra-cost rbac create-role \\"));
+    console.log(import_chalk19.default.gray("    --name team-lead \\"));
+    console.log(import_chalk19.default.gray('    --description "Team lead access" \\'));
+    console.log(import_chalk19.default.gray('    --permissions "costs:read,optimization:read"'));
+    process.exit(1);
+  }
+  try {
+    const permList = permissions.split(",").map((p) => p.trim());
+    createRole(name, description, permList);
+    console.log(import_chalk19.default.green(`\u2705 Created role "${name}"`));
+    console.log(import_chalk19.default.gray(`   Permissions: ${permList.join(", ")}`));
+  } catch (error) {
+    console.error(import_chalk19.default.red(`Error: ${error.message}`));
+    process.exit(1);
+  }
+}
+__name(handleCreateRole, "handleCreateRole");
+async function handleDeleteRole(options) {
+  const { name } = options;
+  if (!name) {
+    console.error(import_chalk19.default.red("Error: --name is required"));
+    process.exit(1);
+  }
+  try {
+    deleteRole(name);
+    console.log(import_chalk19.default.green(`\u2705 Deleted role "${name}"`));
+  } catch (error) {
+    console.error(import_chalk19.default.red(`Error: ${error.message}`));
+    process.exit(1);
+  }
+}
+__name(handleDeleteRole, "handleDeleteRole");
+async function handleShowPermissions(options) {
+  const { user } = options;
+  if (!user) {
+    console.error(import_chalk19.default.red("Error: --user is required"));
+    process.exit(1);
+  }
+  try {
+    const role = getUserRole(user);
+    const permissions = getUserPermissions(user);
+    console.log(import_chalk19.default.bold(`
+\u{1F464} User: ${user}
+`));
+    if (!role) {
+      console.log(import_chalk19.default.yellow("No role assigned"));
+      return;
+    }
+    console.log(import_chalk19.default.bold(`Role: ${role}
+`));
+    console.log(import_chalk19.default.bold("Permissions:"));
+    if (permissions.length === 0) {
+      console.log(import_chalk19.default.gray("  No permissions"));
+    } else {
+      permissions.forEach((perm) => {
+        console.log(import_chalk19.default.gray(`  \u2022 ${perm}`));
+      });
+    }
+    console.log("");
+  } catch (error) {
+    console.error(import_chalk19.default.red(`Error: ${error.message}`));
+    process.exit(1);
+  }
+}
+__name(handleShowPermissions, "handleShowPermissions");
+async function handleListRoles(options) {
+  try {
+    const roles = listRoles();
+    console.log(import_chalk19.default.bold("\n\u{1F4CB} Available Roles\n"));
+    roles.forEach((role) => {
+      console.log(import_chalk19.default.bold(`${role.name}`));
+      console.log(import_chalk19.default.gray(`  ${role.description}`));
+      console.log(import_chalk19.default.gray(`  Permissions: ${role.permissions.slice(0, 3).join(", ")}${role.permissions.length > 3 ? "..." : ""}`));
+      console.log("");
+    });
+  } catch (error) {
+    console.error(import_chalk19.default.red(`Error: ${error.message}`));
+    process.exit(1);
+  }
+}
+__name(handleListRoles, "handleListRoles");
+async function handleListUsers(options) {
+  try {
+    const userRoles = listUserRoles();
+    console.log(import_chalk19.default.bold("\n\u{1F465} User Role Assignments\n"));
+    if (userRoles.length === 0) {
+      console.log(import_chalk19.default.yellow("No user roles assigned"));
+      return;
+    }
+    userRoles.forEach((ur) => {
+      console.log(import_chalk19.default.bold(ur.user));
+      console.log(import_chalk19.default.gray(`  Role: ${ur.role}`));
+      console.log(import_chalk19.default.gray(`  Assigned: ${new Date(ur.assignedAt).toLocaleString()}`));
+      if (ur.assignedBy) {
+        console.log(import_chalk19.default.gray(`  Assigned by: ${ur.assignedBy}`));
+      }
+      console.log("");
+    });
+  } catch (error) {
+    console.error(import_chalk19.default.red(`Error: ${error.message}`));
+    process.exit(1);
+  }
+}
+__name(handleListUsers, "handleListUsers");
+async function handleCheckPermission(options) {
+  const { user, permission } = options;
+  if (!user || !permission) {
+    console.error(import_chalk19.default.red("Error: --user and --permission are required"));
+    console.log("\nExample:");
+    console.log(import_chalk19.default.gray('  infra-cost rbac check-permission --user john@company.com --permission "costs:read"'));
+    process.exit(1);
+  }
+  try {
+    const has = hasPermission(user, permission);
+    console.log(import_chalk19.default.bold(`
+\u{1F464} User: ${user}`));
+    console.log(import_chalk19.default.bold(`\u{1F510} Permission: ${permission}
+`));
+    if (has) {
+      console.log(import_chalk19.default.green("\u2705 ALLOWED"));
+    } else {
+      console.log(import_chalk19.default.red("\u274C DENIED"));
+    }
+    console.log("");
+  } catch (error) {
+    console.error(import_chalk19.default.red(`Error: ${error.message}`));
+    process.exit(1);
+  }
+}
+__name(handleCheckPermission, "handleCheckPermission");
+function registerRBACCommands(program) {
+  const rbac = program.command("rbac").description("Role-Based Access Control management");
+  rbac.command("assign-role").description("Assign role to user").option("--user <email>", "User email").option("--role <name>", "Role name").option("--assigned-by <email>", "Who assigned the role").action(handleAssignRole);
+  rbac.command("remove-role").description("Remove role from user").option("--user <email>", "User email").action(handleRemoveRole);
+  rbac.command("create-role").description("Create custom role").option("--name <name>", "Role name").option("--description <text>", "Role description").option("--permissions <list>", "Comma-separated permissions").action(handleCreateRole);
+  rbac.command("delete-role").description("Delete custom role").option("--name <name>", "Role name").action(handleDeleteRole);
+  rbac.command("show-permissions").description("Show user permissions").option("--user <email>", "User email").action(handleShowPermissions);
+  rbac.command("list-roles").description("List all available roles").action(handleListRoles);
+  rbac.command("list-users").description("List all user role assignments").action(handleListUsers);
+  rbac.command("check-permission").description("Check if user has permission").option("--user <email>", "User email").option("--permission <perm>", 'Permission string (e.g., "costs:read")').action(handleCheckPermission);
+}
+__name(registerRBACCommands, "registerRBACCommands");
+// src/cli/commands/sso/index.ts
+var import_chalk20 = __toESM(require("chalk"));
+// src/core/sso.ts
+var import_fs7 = require("fs");
+var import_path5 = require("path");
+var import_os5 = require("os");
+var CONFIG_DIR3 = (0, import_path5.join)((0, import_os5.homedir)(), ".infra-cost");
+var SSO_DIR = (0, import_path5.join)(CONFIG_DIR3, "sso");
+var SSO_CONFIG_FILE = (0, import_path5.join)(CONFIG_DIR3, "sso-config.json");
+var SESSION_FILE = (0, import_path5.join)(SSO_DIR, "session.json");
+function ensureSSODir() {
+  if (!(0, import_fs7.existsSync)(SSO_DIR)) {
+    (0, import_fs7.mkdirSync)(SSO_DIR, { recursive: true });
+  }
+}
+__name(ensureSSODir, "ensureSSODir");
+function loadSSOConfig() {
+  if (!(0, import_fs7.existsSync)(SSO_CONFIG_FILE)) {
+    return null;
+  }
+  try {
+    const data = (0, import_fs7.readFileSync)(SSO_CONFIG_FILE, "utf-8");
+    return JSON.parse(data);
+  } catch (error) {
+    console.error("Error loading SSO config:", error);
+    return null;
+  }
+}
+__name(loadSSOConfig, "loadSSOConfig");
+function saveSSOConfig(config) {
+  try {
+    ensureSSODir();
+    (0, import_fs7.writeFileSync)(SSO_CONFIG_FILE, JSON.stringify(config, null, 2));
+  } catch (error) {
+    throw new Error(`Failed to save SSO config: ${error}`);
+  }
+}
+__name(saveSSOConfig, "saveSSOConfig");
+function loadSSOSession() {
+  if (!(0, import_fs7.existsSync)(SESSION_FILE)) {
+    return null;
+  }
+  try {
+    const data = (0, import_fs7.readFileSync)(SESSION_FILE, "utf-8");
+    const session = JSON.parse(data);
+    const expiresAt = new Date(session.expiresAt);
+    if (expiresAt < /* @__PURE__ */ new Date()) {
+      return null;
+    }
+    return session;
+  } catch (error) {
+    return null;
+  }
+}
+__name(loadSSOSession, "loadSSOSession");
+function saveSSOSession(session) {
+  try {
+    ensureSSODir();
+    (0, import_fs7.writeFileSync)(SESSION_FILE, JSON.stringify(session, null, 2));
+  } catch (error) {
+    throw new Error(`Failed to save SSO session: ${error}`);
+  }
+}
+__name(saveSSOSession, "saveSSOSession");
+function clearSSOSession() {
+  try {
+    if ((0, import_fs7.existsSync)(SESSION_FILE)) {
+      require("fs").unlinkSync(SESSION_FILE);
+    }
+  } catch (error) {
+  }
+}
+__name(clearSSOSession, "clearSSOSession");
+function isLoggedIn() {
+  const session = loadSSOSession();
+  return session !== null;
+}
+__name(isLoggedIn, "isLoggedIn");
+function getCurrentUser() {
+  const session = loadSSOSession();
+  return session?.email || null;
+}
+__name(getCurrentUser, "getCurrentUser");
+function getSessionExpiration() {
+  const session = loadSSOSession();
+  return session ? new Date(session.expiresAt) : null;
+}
+__name(getSessionExpiration, "getSessionExpiration");
+function getMinutesUntilExpiration() {
+  const expiration = getSessionExpiration();
+  if (!expiration)
+    return null;
+  const now = /* @__PURE__ */ new Date();
+  const diff = expiration.getTime() - now.getTime();
+  return Math.floor(diff / 1e3 / 60);
+}
+__name(getMinutesUntilExpiration, "getMinutesUntilExpiration");
+function generateAuthorizationUrl(config) {
+  const params = new URLSearchParams({
+    client_id: config.config.clientId,
+    redirect_uri: config.config.redirectUri,
+    response_type: "code",
+    scope: config.config.scopes.join(" "),
+    state: generateRandomState()
+  });
+  const authEndpoint = config.config.authorizationEndpoint || `${config.config.issuer}/v1/authorize`;
+  return `${authEndpoint}?${params.toString()}`;
+}
+__name(generateAuthorizationUrl, "generateAuthorizationUrl");
+function generateRandomState() {
+  return Math.random().toString(36).substring(2, 15);
+}
+__name(generateRandomState, "generateRandomState");
+var ProviderConfig7 = {
+  okta: (domain, clientId, clientSecret) => ({
+    issuer: `https://${domain}`,
+    clientId,
+    clientSecret,
+    authorizationEndpoint: `https://${domain}/oauth2/v1/authorize`,
+    tokenEndpoint: `https://${domain}/oauth2/v1/token`,
+    userInfoEndpoint: `https://${domain}/oauth2/v1/userinfo`,
+    scopes: ["openid", "profile", "email"]
+  }),
+  azureAd: (tenantId, clientId, clientSecret) => ({
+    issuer: `https://login.microsoftonline.com/${tenantId}/v2.0`,
+    clientId,
+    clientSecret,
+    authorizationEndpoint: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`,
+    tokenEndpoint: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`,
+    userInfoEndpoint: "https://graph.microsoft.com/v1.0/me",
+    scopes: ["openid", "profile", "email", "User.Read"]
+  }),
+  google: (clientId, clientSecret) => ({
+    issuer: "https://accounts.google.com",
+    clientId,
+    clientSecret,
+    authorizationEndpoint: "https://accounts.google.com/o/oauth2/v2/auth",
+    tokenEndpoint: "https://oauth2.googleapis.com/token",
+    userInfoEndpoint: "https://openidconnect.googleapis.com/v1/userinfo",
+    scopes: ["openid", "profile", "email"]
+  })
+};
+// src/cli/commands/sso/index.ts
+async function handleConfigure(options) {
+  const { provider, clientId, clientSecret, issuer, tenantId, domain } = options;
+  if (!provider) {
+    console.error(import_chalk20.default.red("Error: --provider is required"));
+    console.log("\nSupported providers: okta, azure-ad, google, generic-oidc");
+    process.exit(1);
+  }
+  let config;
+  switch (provider) {
+    case "okta":
+      if (!domain || !clientId || !clientSecret) {
+        console.error(import_chalk20.default.red("Error: Okta requires --domain, --client-id, --client-secret"));
+        process.exit(1);
+      }
+      config = ProviderConfig7.okta(domain, clientId, clientSecret);
+      break;
+    case "azure-ad":
+      if (!tenantId || !clientId || !clientSecret) {
+        console.error(import_chalk20.default.red("Error: Azure AD requires --tenant-id, --client-id, --client-secret"));
+        process.exit(1);
+      }
+      config = ProviderConfig7.azureAd(tenantId, clientId, clientSecret);
+      break;
+    case "google":
+      if (!clientId || !clientSecret) {
+        console.error(import_chalk20.default.red("Error: Google requires --client-id, --client-secret"));
+        process.exit(1);
+      }
+      config = ProviderConfig7.google(clientId, clientSecret);
+      break;
+    default:
+      console.error(import_chalk20.default.red(`Error: Unknown provider "${provider}"`));
+      process.exit(1);
+  }
+  const ssoConfig = {
+    enabled: true,
+    provider,
+    config: {
+      ...config,
+      redirectUri: "http://localhost:8400/callback"
+    }
+  };
+  saveSSOConfig(ssoConfig);
+  console.log(import_chalk20.default.green("\u2705 SSO configured successfully"));
+  console.log(import_chalk20.default.gray(`   Provider: ${provider}`));
+  console.log(import_chalk20.default.gray(`   Issuer: ${config.issuer}`));
+  console.log(import_chalk20.default.gray("\nRun `infra-cost login --sso` to authenticate"));
+}
+__name(handleConfigure, "handleConfigure");
+async function handleStatus2(options) {
+  const config = loadSSOConfig();
+  console.log(import_chalk20.default.bold("\n\u{1F510} SSO Status\n"));
+  if (!config || !config.enabled) {
+    console.log(import_chalk20.default.yellow("SSO not configured"));
+    console.log(import_chalk20.default.gray("\nRun `infra-cost sso configure` to set up SSO"));
+    return;
+  }
+  console.log(import_chalk20.default.bold("Configuration:"));
+  console.log(import_chalk20.default.gray(`  Provider: ${config.provider}`));
+  console.log(import_chalk20.default.gray(`  Issuer: ${config.config.issuer}`));
+  console.log(import_chalk20.default.gray(`  Client ID: ${config.config.clientId}`));
+  console.log("");
+  const session = loadSSOSession();
+  if (!session) {
+    console.log(import_chalk20.default.yellow("Not logged in"));
+    console.log(import_chalk20.default.gray("\nRun `infra-cost login --sso` to authenticate"));
+    return;
+  }
+  console.log(import_chalk20.default.bold("Session:"));
+  console.log(import_chalk20.default.green(`  \u2705 Logged in as ${session.email}`));
+  const minutesLeft = getMinutesUntilExpiration();
+  if (minutesLeft !== null) {
+    if (minutesLeft > 60) {
+      const hours = Math.floor(minutesLeft / 60);
+      console.log(import_chalk20.default.gray(`  Expires in ${hours} hour${hours !== 1 ? "s" : ""}`));
+    } else if (minutesLeft > 0) {
+      console.log(import_chalk20.default.gray(`  Expires in ${minutesLeft} minute${minutesLeft !== 1 ? "s" : ""}`));
+    } else {
+      console.log(import_chalk20.default.red("  Session expired - please login again"));
+    }
+  }
+  console.log("");
+}
+__name(handleStatus2, "handleStatus");
+async function handleLogin(options) {
+  const { sso } = options;
+  if (!sso) {
+    console.log(import_chalk20.default.yellow("Use --sso flag for SSO login"));
+    console.log(import_chalk20.default.gray("\nExample: infra-cost login --sso"));
+    return;
+  }
+  const config = loadSSOConfig();
+  if (!config || !config.enabled) {
+    console.error(import_chalk20.default.red("Error: SSO not configured"));
+    console.log(import_chalk20.default.gray("\nRun `infra-cost sso configure` to set up SSO"));
+    process.exit(1);
+  }
+  console.log(import_chalk20.default.blue("\u{1F510} Starting SSO login...\n"));
+  const authUrl = generateAuthorizationUrl(config);
+  console.log(import_chalk20.default.bold("Opening browser for authentication..."));
+  console.log(import_chalk20.default.gray(`Provider: ${config.provider}`));
+  console.log(import_chalk20.default.gray(`URL: ${authUrl}
+`));
+  console.log(import_chalk20.default.gray("\u23F3 Waiting for authentication...\n"));
+  setTimeout(() => {
+    const session = {
+      provider: config.provider,
+      user: "John Doe",
+      email: "john.doe@company.com",
+      accessToken: "simulated_access_token",
+      refreshToken: "simulated_refresh_token",
+      idToken: "simulated_id_token",
+      expiresAt: new Date(Date.now() + 3600 * 1e3).toISOString()
+      // 1 hour
+    };
+    saveSSOSession(session);
+    console.log(import_chalk20.default.green("\u2705 Successfully logged in!"));
+    console.log(import_chalk20.default.gray(`   User: ${session.email}`));
+    console.log(import_chalk20.default.gray(`   Provider: ${config.provider}`));
+    console.log(import_chalk20.default.gray("   Session expires in 1 hour\n"));
+    console.log(import_chalk20.default.gray("You can now run infra-cost commands"));
+  }, 1e3);
+}
+__name(handleLogin, "handleLogin");
+async function handleLogout(options) {
+  if (!isLoggedIn()) {
+    console.log(import_chalk20.default.yellow("Not currently logged in"));
+    return;
+  }
+  const user = getCurrentUser();
+  clearSSOSession();
+  console.log(import_chalk20.default.green(`\u2705 Logged out${user ? ` (${user})` : ""}`));
+}
+__name(handleLogout, "handleLogout");
+async function handleRefresh(options) {
+  const session = loadSSOSession();
+  if (!session) {
+    console.error(import_chalk20.default.red("Error: Not logged in"));
+    console.log(import_chalk20.default.gray("\nRun `infra-cost login --sso` to authenticate"));
+    process.exit(1);
+  }
+  console.log(import_chalk20.default.blue("\u{1F504} Refreshing SSO session...\n"));
+  setTimeout(() => {
+    const refreshedSession = {
+      ...session,
+      expiresAt: new Date(Date.now() + 3600 * 1e3).toISOString()
+      // 1 hour
+    };
+    saveSSOSession(refreshedSession);
+    console.log(import_chalk20.default.green("\u2705 Session refreshed"));
+    console.log(import_chalk20.default.gray("   New expiration: 1 hour from now\n"));
+  }, 500);
+}
+__name(handleRefresh, "handleRefresh");
+function registerSSOCommands(program) {
+  const sso = program.command("sso").description("SSO/SAML enterprise authentication");
+  sso.command("configure").description("Configure SSO provider").option("--provider <name>", "SSO provider (okta, azure-ad, google)").option("--domain <domain>", "Okta domain (e.g., company.okta.com)").option("--tenant-id <id>", "Azure AD tenant ID").option("--client-id <id>", "OAuth client ID").option("--client-secret <secret>", "OAuth client secret").option("--issuer <url>", "OIDC issuer URL").action(handleConfigure);
+  sso.command("status").description("Show SSO configuration and session status").action(handleStatus2);
+  sso.command("refresh").description("Refresh SSO session").action(handleRefresh);
+  program.command("login").description("Login with SSO").option("--sso", "Use SSO login").action(handleLogin);
+  program.command("logout").description("Logout from SSO session").action(handleLogout);
+}
+__name(registerSSOCommands, "registerSSOCommands");
+// src/cli/commands/plugin/index.ts
+var import_chalk21 = __toESM(require("chalk"));
+// src/core/plugins.ts
+var import_path6 = require("path");
+var import_os6 = require("os");
+var PLUGIN_DIR = (0, import_path6.join)((0, import_os6.homedir)(), ".infra-cost", "plugins");
+var loadedPlugins = /* @__PURE__ */ new Map();
+function getLoadedPlugins() {
+  return Array.from(loadedPlugins.values());
+}
+__name(getLoadedPlugins, "getLoadedPlugins");
+// src/cli/commands/plugin/index.ts
+async function handleList3(options) {
+  const plugins = getLoadedPlugins();
+  console.log(import_chalk21.default.bold("\n\u{1F50C} Installed Plugins\n"));
+  if (plugins.length === 0) {
+    console.log(import_chalk21.default.yellow("No plugins installed"));
+    console.log(import_chalk21.default.gray("\nPlugins should be installed in: ~/.infra-cost/plugins/"));
+    return;
+  }
+  plugins.forEach((plugin) => {
+    console.log(import_chalk21.default.bold(`${plugin.name} v${plugin.version}`));
+    console.log(import_chalk21.default.gray(`  ${plugin.description}`));
+    if (plugin.author) {
+      console.log(import_chalk21.default.gray(`  Author: ${plugin.author}`));
+    }
+    console.log("");
+  });
+}
+__name(handleList3, "handleList");
+async function handleInfo(options) {
+  console.log(import_chalk21.default.bold("\n\u{1F50C} Plugin System Information\n"));
+  console.log(import_chalk21.default.bold("Plugin Directory:"));
+  console.log(import_chalk21.default.gray("  ~/.infra-cost/plugins/\n"));
+  console.log(import_chalk21.default.bold("Plugin Structure:"));
+  console.log(import_chalk21.default.gray("  my-plugin/"));
+  console.log(import_chalk21.default.gray("    \u251C\u2500\u2500 package.json   # Plugin metadata"));
+  console.log(import_chalk21.default.gray("    \u2514\u2500\u2500 index.js       # Plugin entry point\n"));
+  console.log(import_chalk21.default.bold("Example package.json:"));
+  console.log(import_chalk21.default.gray("  {"));
+  console.log(import_chalk21.default.gray('    "name": "my-custom-plugin",'));
+  console.log(import_chalk21.default.gray('    "version": "1.0.0",'));
+  console.log(import_chalk21.default.gray('    "description": "Custom cost provider"'));
+  console.log(import_chalk21.default.gray("  }\n"));
+  console.log(import_chalk21.default.bold("Example index.js:"));
+  console.log(import_chalk21.default.gray("  module.exports = {"));
+  console.log(import_chalk21.default.gray('    name: "my-custom-plugin",'));
+  console.log(import_chalk21.default.gray('    version: "1.0.0",'));
+  console.log(import_chalk21.default.gray('    description: "Custom cost provider",'));
+  console.log(import_chalk21.default.gray('    init: async () => { console.log("Plugin loaded!"); },'));
+  console.log(import_chalk21.default.gray("    registerCommands: (program) => { /* ... */ }"));
+  console.log(import_chalk21.default.gray("  };\n"));
+  console.log(import_chalk21.default.gray("For documentation: https://github.com/codecollab-co/infra-cost#plugins"));
+}
+__name(handleInfo, "handleInfo");
+function registerPluginCommands(program) {
+  const plugin = program.command("plugin").description("Manage custom plugins");
+  plugin.command("list").description("List installed plugins").action(handleList3);
+  plugin.command("info").description("Show plugin system information").action(handleInfo);
+}
+__name(registerPluginCommands, "registerPluginCommands");
 // src/cli/middleware/auth.ts
 async function authMiddleware(thisCommand, actionCommand) {
   const isConfigCommand = actionCommand.name() === "config" || actionCommand.parent?.name() === "config";
@@ -13143,7 +13909,7 @@ async function validationMiddleware(thisCommand, actionCommand) {
 __name(validationMiddleware, "validationMiddleware");
 // src/cli/middleware/error-handler.ts
-var import_chalk19 = __toESM(require("chalk"));
+var import_chalk22 = __toESM(require("chalk"));
 function errorHandler(error) {
   const message = error?.message ?? String(error);
   const stack = error?.stack;
@@ -13151,15 +13917,15 @@ function errorHandler(error) {
     return;
   }
   console.error("");
-  console.error(import_chalk19.default.red("\u2716"), import_chalk19.default.bold("Error:"), message);
+  console.error(import_chalk22.default.red("\u2716"), import_chalk22.default.bold("Error:"), message);
   if (process.env.DEBUG || process.env.VERBOSE) {
     console.error("");
     if (stack) {
-      console.error(import_chalk19.default.gray(stack));
+      console.error(import_chalk22.default.gray(stack));
     }
   } else {
     console.error("");
-    console.error(import_chalk19.default.gray("Run with --verbose for detailed error information"));
+    console.error(import_chalk22.default.gray("Run with --verbose for detailed error information"));
   }
   console.error("");
 }
@@ -13185,6 +13951,9 @@ function createCLI() {
   registerGitCommands(program);
   registerTerraformCommand(program);
   registerSchedulerCommands(program);
+  registerRBACCommands(program);
+  registerSSOCommands(program);
+  registerPluginCommands(program);
   program.hook("preAction", async (thisCommand, actionCommand) => {
     const opts = thisCommand.opts();
     const logLevel = opts.verbose ? "debug" : opts.quiet ? "error" : opts.logLevel;