langsmith 0.5.26 → 0.6.1

package/dist/client.js

@@ -12,8 +12,15 @@ import { raiseForStatus, isLangSmithNotFoundError, isLangSmithConflictError, } f
 import { promptCacheSingleton, } from "./utils/prompt_cache/index.js";
 import * as fsUtils from "./utils/fs.js";
 import { _shouldStreamForGlobalFetchImplementation, _getFetchImplementation, } from "./singletons/fetch.js";
+import { DEFAULT_API_URL, hasValue, loadProfileClientConfig, } from "./utils/profiles.js";
 import { serialize as serializePayloadForTracing, estimateSerializedSize, } from "./utils/fast-safe-stringify/index.js";
 import { getSharedSerializeWorker, hasLargeString, } from "./utils/serialize_worker.js";
+function assertPullPublicPromptAllowed(promptIdentifier, dangerouslyPullPublicPrompt) {
+    const [owner] = parseHubIdentifier(promptIdentifier);
+    if (owner !== "-" && !dangerouslyPullPublicPrompt) {
+        throw new Error("Pulling a public prompt by owner/name is disabled by default because prompts may contain untrusted serialized LangChain objects. If you trust this prompt, set `dangerouslyPullPublicPrompt: true` to acknowledge the risk.");
+    }
+}
 /**
  * Catches timestamps without a timezone suffix.
  */
@@ -120,7 +127,6 @@ export const DEFAULT_MAX_SIZE_BYTES = 1024 * 1024 * 1024; // 1GB
 const SERVER_INFO_REQUEST_TIMEOUT_MS = 10000;
 /** Maximum number of operations to batch in a single request. */
 const DEFAULT_BATCH_SIZE_LIMIT = 100;
-const DEFAULT_API_URL = "https://api.smith.langchain.com";
 export class AutoBatchQueue {
     constructor(maxSizeBytes) {
         Object.defineProperty(this, "items", {
@@ -153,19 +159,11 @@ export class AutoBatchQueue {
             // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise/Promise
             itemPromiseResolve = resolve;
         });
-        // By default we compute the exact serialized size here by stringifying
-        // the payload. This is expensive: JSON.stringify on large payloads
-        // blocks the event loop on the user's hot path.
-        //
-        // Opting into LANGSMITH_PERF_OPTIMIZATION=true switches to a cheap
-        // structural estimate instead. The estimate is only used for soft
-        // memory accounting (queue size limit and downstream async caller
-        // memory tracking), never for anything correctness-critical -- the
-        // real serialization still happens later, off the hot path, when the
-        // batch is assembled for sending.
-        const size = getLangSmithEnvironmentVariable("PERF_OPTIMIZATION") === "true"
-            ? estimateSerializedSize(item.item).size
-            : serializePayloadForTracing(item.item, `Serializing run with id: ${item.item.id}`).length;
+        // Use a cheap structural estimate for soft memory accounting (queue size
+        // limit and downstream async caller memory tracking). The exact
+        // serialization still happens later, off the hot path, when the batch is
+        // assembled for sending.
+        const size = estimateSerializedSize(item.item).size;
         // Check if adding this item would exceed the size limit
         // Allow the run if the queue is empty (to support large single traces)
         if (this.sizeBytes + size > this.maxSizeBytes && this.items.length > 0) {
@@ -232,15 +230,145 @@ export class Client {
         return this._tracingMode;
     }
     get _fetch() {
-        return this.fetchImplementation || _getFetchImplementation(this.debug);
+        const fetchImplementation = this.fetchImplementation || _getFetchImplementation(this.debug);
+        return (async (input, init) => {
+            let authHeader;
+            const profileManagedAuthorization = this.getProfileManagedAuthorizationHeader(init);
+            if (this.apiKey !== undefined) {
+                authHeader = { name: "x-api-key", value: `${this.apiKey}` };
+            }
+            else if (!this.hasExplicitAuthHeader(init, profileManagedAuthorization)) {
+                authHeader = await this.profileAuth?.getAuthHeader(fetchImplementation, init?.signal);
+            }
+            return fetchImplementation(input, this.applyCurrentAuthHeaders(init, authHeader, profileManagedAuthorization));
+        });
+    }
+    getProfileManagedAuthorizationHeader(init) {
+        if (!init?.headers || !this.profileAuth) {
+            return undefined;
+        }
+        const authorization = new Headers(init.headers).get("Authorization");
+        if (!hasValue(authorization)) {
+            return undefined;
+        }
+        return this.profileAuth.isProfileAuthorizationHeader(authorization ?? "")
+            ? (authorization ?? undefined)
+            : undefined;
+    }
+    isProfileManagedAuthorizationHeader(value, profileManagedAuthorization) {
+        return (value === profileManagedAuthorization ||
+            this.profileAuth?.isProfileAuthorizationHeader(value) === true);
+    }
+    hasExplicitAuthHeader(init, profileManagedAuthorization) {
+        if (!init?.headers) {
+            return false;
+        }
+        const headers = new Headers(init.headers);
+        if (hasValue(headers.get("x-api-key"))) {
+            return true;
+        }
+        const authorization = headers.get("Authorization");
+        if (!hasValue(authorization)) {
+            return false;
+        }
+        return !this.isProfileManagedAuthorizationHeader(authorization ?? "", profileManagedAuthorization);
+    }
+    applyCurrentAuthHeaders(init, authHeader, profileManagedAuthorization) {
+        if (!authHeader) {
+            return init;
+        }
+        const applyAuth = (headers) => {
+            if (this.apiKey !== undefined && authHeader.name === "x-api-key") {
+                headers.delete("Authorization");
+                if (!headers.has("x-api-key")) {
+                    headers.set("x-api-key", authHeader.value);
+                }
+                return headers;
+            }
+            if (authHeader.name === "Authorization") {
+                if (hasValue(headers.get("x-api-key"))) {
+                    return headers;
+                }
+                const authorization = headers.get("Authorization");
+                if (hasValue(authorization) &&
+                    !this.isProfileManagedAuthorizationHeader(authorization ?? "", profileManagedAuthorization)) {
+                    return headers;
+                }
+                headers.set("Authorization", authHeader.value);
+                return headers;
+            }
+            const authorization = headers.get("Authorization");
+            if (hasValue(authorization) &&
+                !this.isProfileManagedAuthorizationHeader(authorization ?? "", profileManagedAuthorization)) {
+                return headers;
+            }
+            if (hasValue(authorization)) {
+                headers.delete("Authorization");
+            }
+            if (!headers.has("x-api-key")) {
+                headers.set("x-api-key", authHeader.value);
+            }
+            return headers;
+        };
+        if (!init) {
+            return {
+                headers: { [authHeader.name]: authHeader.value },
+            };
+        }
+        if (init.headers instanceof Headers) {
+            return { ...init, headers: applyAuth(new Headers(init.headers)) };
+        }
+        if (Array.isArray(init.headers)) {
+            return { ...init, headers: applyAuth(new Headers(init.headers)) };
+        }
+        const headers = {
+            ...(init.headers ?? {}),
+        };
+        const getHeaderKey = (name) => Object.keys(headers).find((key) => key.toLowerCase() === name);
+        const getHeader = (name) => {
+            const key = getHeaderKey(name);
+            return key ? headers[key] : undefined;
+        };
+        const hasApiKey = hasValue(getHeader("x-api-key"));
+        const authorization = getHeader("authorization");
+        const hasExplicitAuthorization = hasValue(authorization) &&
+            !this.isProfileManagedAuthorizationHeader(authorization ?? "", profileManagedAuthorization);
+        if (this.apiKey !== undefined && authHeader.name === "x-api-key") {
+            const authorizationKey = getHeaderKey("authorization");
+            if (authorizationKey) {
+                delete headers[authorizationKey];
+            }
+            if (!hasApiKey) {
+                headers["x-api-key"] = authHeader.value;
+            }
+            return { ...init, headers };
+        }
+        if (authHeader.name === "Authorization") {
+            if (!hasApiKey && !hasExplicitAuthorization) {
+                const authorizationKey = getHeaderKey("authorization");
+                if (authorizationKey && authorizationKey !== "Authorization") {
+                    delete headers[authorizationKey];
+                }
+                headers.Authorization = authHeader.value;
+            }
+            return { ...init, headers };
+        }
+        if (!hasExplicitAuthorization) {
+            const authorizationKey = getHeaderKey("authorization");
+            if (authorizationKey) {
+                delete headers[authorizationKey];
+            }
+            if (!hasApiKey) {
+                headers["x-api-key"] = authHeader.value;
+            }
+        }
+        return { ...init, headers };
     }
     /**
      * Serialize a payload for tracing, optionally offloading the work to a
-     * Node worker thread when LANGSMITH_PERF_OPTIMIZATION=true and the runtime
-     * supports worker_threads.
+     * Node worker thread when the runtime supports worker_threads.
      *
      * Falls back to synchronous serialization when:
-     *  - the perf flag is off
      *  - manualFlushMode is enabled (serverless: worker boot cost > benefit)
      *  - worker_threads is unavailable (non-Node runtimes)
      *  - the payload contains values that can't be structured-cloned across
@@ -256,8 +384,7 @@ export class Client {
         });
     }
     async _serializeBody(payload, errorContext) {
-        const perfOptIn = getLangSmithEnvironmentVariable("PERF_OPTIMIZATION") === "true";
-        if (!perfOptIn || this.manualFlushMode) {
+        if (this.manualFlushMode) {
             return serializePayloadForTracing(payload, errorContext);
         }
         // Shape-aware gate: worker offload pays for itself only when the
@@ -500,6 +627,12 @@ export class Client {
             writable: true,
             value: void 0
         });
+        Object.defineProperty(this, "profileAuth", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
         Object.defineProperty(this, "multipartStreamingDisabled", {
             enumerable: true,
             configurable: true,
@@ -548,12 +681,15 @@ export class Client {
         if (this.apiUrl.endsWith("/")) {
             this.apiUrl = this.apiUrl.slice(0, -1);
         }
-        this.apiKey = trimQuotes(config.apiKey ?? defaultConfig.apiKey);
+        const configuredApiKey = trimQuotes(config.apiKey ?? defaultConfig.apiKey);
+        this.apiKey = hasValue(configuredApiKey) ? configuredApiKey : undefined;
+        this.profileAuth =
+            this.apiKey !== undefined ? undefined : defaultConfig.profileAuth;
         this.webUrl = trimQuotes(config.webUrl ?? defaultConfig.webUrl);
         if (this.webUrl?.endsWith("/")) {
             this.webUrl = this.webUrl.slice(0, -1);
         }
-        this.workspaceId = trimQuotes(config.workspaceId ?? getLangSmithEnvironmentVariable("WORKSPACE_ID"));
+        this.workspaceId = trimQuotes(config.workspaceId ?? defaultConfig.workspaceId);
         this.timeout_ms = config.timeout_ms ?? 90_000;
         this.caller = new AsyncCaller({
             ...(config.callerOptions ?? {}),
@@ -638,18 +774,31 @@ export class Client {
         this._customHeaders = config.headers ?? {};
     }
     static getDefaultClientConfig() {
-        const apiKey = getLangSmithEnvironmentVariable("API_KEY");
-        const apiUrl = getLangSmithEnvironmentVariable("ENDPOINT") ?? DEFAULT_API_URL;
+        const profileConfig = loadProfileClientConfig();
+        const envApiKey = getLangSmithEnvironmentVariable("API_KEY");
+        const envApiUrl = getLangSmithEnvironmentVariable("ENDPOINT");
+        const envWorkspaceId = getLangSmithEnvironmentVariable("WORKSPACE_ID");
+        const envAuthSet = hasValue(envApiKey);
+        const apiUrl = envApiUrl ?? profileConfig.apiUrl ?? DEFAULT_API_URL;
+        const workspaceId = envWorkspaceId ?? profileConfig.workspaceId;
         const hideInputs = getLangSmithEnvironmentVariable("HIDE_INPUTS") === "true";
         const hideOutputs = getLangSmithEnvironmentVariable("HIDE_OUTPUTS") === "true";
         const hideMetadata = getLangSmithEnvironmentVariable("HIDE_METADATA") === "true";
         return {
             apiUrl: apiUrl,
-            apiKey: apiKey,
+            apiKey: envApiKey,
             webUrl: undefined,
             hideInputs: hideInputs,
             hideOutputs: hideOutputs,
             hideMetadata: hideMetadata,
+            workspaceId: workspaceId,
+            oauthAccessToken: !envAuthSet
+                ? profileConfig.oauthAccessToken
+                : undefined,
+            oauthRefreshToken: !envAuthSet
+                ? profileConfig.oauthRefreshToken
+                : undefined,
+            profileAuth: !envAuthSet ? profileConfig.profileAuth : undefined,
         };
     }
     getHostUrl() {
@@ -701,9 +850,15 @@ export class Client {
             ...this._customHeaders,
         };
         // Required headers that should not be overridden
-        if (this.apiKey) {
+        if (this.apiKey !== undefined) {
             headers["x-api-key"] = `${this.apiKey}`;
         }
+        else {
+            const profileAuthHeader = this.profileAuth?.currentAuthHeader();
+            if (profileAuthHeader) {
+                headers[profileAuthHeader.name] = profileAuthHeader.value;
+            }
+        }
         if (this.workspaceId) {
             headers["x-tenant-id"] = this.workspaceId;
         }
@@ -4460,7 +4615,24 @@ export class Client {
             hub_model_provider: result.model_provider,
         };
     }
+    /**
+     * Pull a prompt commit from the LangSmith API.
+     *
+     * Public prompts referenced by owner/name cross a trust boundary because the
+     * prompt manifest may contain serialized LangChain objects and configuration
+     * that affect runtime behavior. For example, a prompt can intentionally
+     * configure a model with a custom base URL, headers, model name, or other
+     * constructor arguments. These are supported features, but they also mean the
+     * prompt contents should be treated as executable configuration rather than
+     * plain text.
+     *
+     * Set `dangerouslyPullPublicPrompt: true` only after reviewing and trusting
+     * the prompt contents, not merely the publishing account. Prompts from your
+     * own or your organization's account can still be unsafe if that account or
+     * prompt was compromised.
+     */
     async pullPromptCommit(promptIdentifier, options) {
+        assertPullPublicPromptAllowed(promptIdentifier, options?.dangerouslyPullPublicPrompt);
         // Check cache first if not skipped
         const refreshFunc = this._fetchPromptFromApi.bind(this, promptIdentifier, options);
         if (!options?.skipCache && this._promptCache) {
@@ -4480,12 +4652,26 @@ export class Client {
     /**
      * This method should not be used directly, use `import { pull } from "langchain/hub"` instead.
      * Using this method directly returns the JSON string of the prompt rather than a LangChain object.
+     *
+     * Public prompts referenced by owner/name cross a trust boundary because the
+     * prompt manifest may contain serialized LangChain objects and configuration
+     * that affect runtime behavior. For example, a prompt can intentionally
+     * configure a model with a custom base URL, headers, model name, or other
+     * constructor arguments. These are supported features, but they also mean the
+     * prompt contents should be treated as executable configuration rather than
+     * plain text.
+     *
+     * Set `dangerouslyPullPublicPrompt: true` only after reviewing and trusting
+     * the prompt contents, not merely the publishing account. Prompts from your
+     * own or your organization's account can still be unsafe if that account or
+     * prompt was compromised.
      * @private
      */
     async _pullPrompt(promptIdentifier, options) {
         const promptObject = await this.pullPromptCommit(promptIdentifier, {
             includeModel: options?.includeModel,
             skipCache: options?.skipCache,
+            dangerouslyPullPublicPrompt: options?.dangerouslyPullPublicPrompt,
         });
         const prompt = JSON.stringify(promptObject.manifest);
         return prompt;

package/dist/index.cjs

@@ -18,4 +18,4 @@ Object.defineProperty(exports, "PromptCache", { enumerable: true, get: function
 Object.defineProperty(exports, "configureGlobalPromptCache", { enumerable: true, get: function () { return index_js_1.configureGlobalPromptCache; } });
 Object.defineProperty(exports, "promptCacheSingleton", { enumerable: true, get: function () { return index_js_1.promptCacheSingleton; } });
 // Update using pnpm bump-version
-exports.__version__ = "0.5.26";
+exports.__version__ = "0.6.1";

package/dist/index.d.ts

@@ -5,4 +5,4 @@ export { overrideFetchImplementation } from "./singletons/fetch.js";
 export { getDefaultProjectName } from "./utils/project.js";
 export { uuid7, uuid7FromTime } from "./uuid.js";
 export { Cache, PromptCache, type CacheConfig, type CacheMetrics, configureGlobalPromptCache, promptCacheSingleton, } from "./utils/prompt_cache/index.js";
-export declare const __version__ = "0.5.26";
+export declare const __version__ = "0.6.1";

package/dist/index.js

@@ -5,4 +5,4 @@ export { getDefaultProjectName } from "./utils/project.js";
 export { uuid7, uuid7FromTime } from "./uuid.js";
 export { Cache, PromptCache, configureGlobalPromptCache, promptCacheSingleton, } from "./utils/prompt_cache/index.js";
 // Update using pnpm bump-version
-export const __version__ = "0.5.26";
+export const __version__ = "0.6.1";

package/dist/utils/env.cjs

@@ -94,6 +94,7 @@ function getLangSmithEnvVarsMetadata() {
         "LANGSMITH_API_KEY",
         "LANGSMITH_ENDPOINT",
         "LANGSMITH_TRACING_V2",
+        "LANGSMITH_CONFIG_FILE",
         "LANGSMITH_PROJECT",
         "LANGSMITH_SESSION",
     ];

package/dist/utils/env.js

@@ -76,6 +76,7 @@ export function getLangSmithEnvVarsMetadata() {
         "LANGSMITH_API_KEY",
         "LANGSMITH_ENDPOINT",
         "LANGSMITH_TRACING_V2",
+        "LANGSMITH_CONFIG_FILE",
         "LANGSMITH_PROJECT",
         "LANGSMITH_SESSION",
     ];

package/dist/utils/profiles.cjs

@@ -0,0 +1,292 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ProfileAuth = exports.DEFAULT_API_URL = void 0;
+exports.hasValue = hasValue;
+exports.loadProfileClientConfig = loadProfileClientConfig;
+const env_js_1 = require("./env.cjs");
+const fsUtils = __importStar(require("./fs.cjs"));
+exports.DEFAULT_API_URL = "https://api.smith.langchain.com";
+const OAUTH_CLIENT_ID = "langsmith-cli";
+const TOKEN_REFRESH_LEEWAY_MS = 60_000;
+const TOKEN_REFRESH_TIMEOUT_MS = 10_000;
+function isBrowserLikeRuntime() {
+    const env = (0, env_js_1.getEnv)();
+    return env === "browser" || env === "webworker";
+}
+function getProfileConfigPath() {
+    const explicitPath = (0, env_js_1.getEnvironmentVariable)("LANGSMITH_CONFIG_FILE");
+    if (explicitPath) {
+        return explicitPath;
+    }
+    const home = (0, env_js_1.getEnvironmentVariable)("HOME") ?? (0, env_js_1.getEnvironmentVariable)("USERPROFILE");
+    if (!home) {
+        return undefined;
+    }
+    return fsUtils.path.join(home, ".langsmith", "config.json");
+}
+function resolveProfileName(config) {
+    const envProfile = (0, env_js_1.getEnvironmentVariable)("LANGSMITH_PROFILE");
+    if (envProfile) {
+        return envProfile;
+    }
+    if (config.current_profile) {
+        return config.current_profile;
+    }
+    if (config.profiles?.default) {
+        return "default";
+    }
+    return undefined;
+}
+function loadProfileState() {
+    if (isBrowserLikeRuntime()) {
+        return undefined;
+    }
+    const configPath = getProfileConfigPath();
+    if (!configPath || !fsUtils.existsSync(configPath)) {
+        return undefined;
+    }
+    try {
+        const config = JSON.parse(fsUtils.readFileSync(configPath));
+        const profileName = resolveProfileName(config);
+        const profile = profileName ? config.profiles?.[profileName] : undefined;
+        if (!profileName || !profile) {
+            return undefined;
+        }
+        return { configPath, config, profileName, profile };
+    }
+    catch {
+        return undefined;
+    }
+}
+function hasValue(value) {
+    return value !== undefined && value !== null && value.trim() !== "";
+}
+function trimConfigValue(value) {
+    return value?.trim().replace(/^["']|["']$/g, "");
+}
+function shouldRefreshProfileToken(profile) {
+    const oauth = profile.oauth;
+    if (!oauth?.refresh_token) {
+        return false;
+    }
+    if (!oauth.access_token) {
+        return true;
+    }
+    if (!oauth.expires_at) {
+        return false;
+    }
+    const expiresAt = Date.parse(oauth.expires_at);
+    if (Number.isNaN(expiresAt)) {
+        return false;
+    }
+    return expiresAt <= Date.now() + TOKEN_REFRESH_LEEWAY_MS;
+}
+function normalizeConfigUrl(apiUrl) {
+    let normalized = apiUrl;
+    while (normalized.endsWith("/")) {
+        normalized = normalized.slice(0, -1);
+    }
+    const apiV1Suffix = "/api/v1";
+    return normalized.endsWith(apiV1Suffix)
+        ? normalized.slice(0, -apiV1Suffix.length)
+        : normalized;
+}
+function applyTokenResponse(profile, token) {
+    profile.oauth ??= {};
+    if (token.access_token) {
+        profile.oauth.access_token = token.access_token;
+    }
+    if (token.refresh_token) {
+        profile.oauth.refresh_token = token.refresh_token;
+    }
+    if (typeof token.expires_in === "number" && token.expires_in > 0) {
+        profile.oauth.expires_at = new Date(Date.now() + token.expires_in * 1000).toISOString();
+    }
+}
+function getAbortReason(signal) {
+    return (signal.reason ??
+        new Error("The operation was aborted."));
+}
+async function waitForAbortSignal(promise, signal) {
+    if (!signal) {
+        return promise;
+    }
+    if (signal.aborted) {
+        throw getAbortReason(signal);
+    }
+    let cleanup;
+    const abortPromise = new Promise((_, reject) => {
+        const onAbort = () => {
+            reject(getAbortReason(signal));
+        };
+        signal.addEventListener("abort", onAbort, { once: true });
+        cleanup = () => {
+            signal.removeEventListener("abort", onAbort);
+        };
+    });
+    try {
+        return await Promise.race([promise, abortPromise]);
+    }
+    finally {
+        cleanup?.();
+    }
+}
+function loadProfileClientConfig() {
+    const state = loadProfileState();
+    const profile = state?.profile;
+    if (!state || !profile) {
+        return {};
+    }
+    const apiKey = trimConfigValue(profile.api_key);
+    const oauthAccessToken = trimConfigValue(profile.oauth?.access_token);
+    const oauthRefreshToken = trimConfigValue(profile.oauth?.refresh_token);
+    return {
+        apiUrl: profile.api_url,
+        apiKey,
+        workspaceId: profile.workspace_id,
+        oauthAccessToken,
+        oauthRefreshToken,
+        profileAuth: apiKey || oauthAccessToken || oauthRefreshToken
+            ? new ProfileAuth(state)
+            : undefined,
+    };
+}
+class ProfileAuth {
+    constructor(state) {
+        Object.defineProperty(this, "state", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: state
+        });
+        Object.defineProperty(this, "refreshPromise", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        Object.defineProperty(this, "managedAuthorizationValue", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        this.rememberProfileAuthHeader(this.currentAuthHeader());
+    }
+    currentAuthHeader() {
+        const header = currentAuthHeaderFromProfile(this.state.profile);
+        this.rememberProfileAuthHeader(header);
+        return header;
+    }
+    async getAuthHeader(fetchImplementation, signal) {
+        if (shouldRefreshProfileToken(this.state.profile)) {
+            if (!this.refreshPromise) {
+                this.refreshPromise = this.refreshOAuthToken(fetchImplementation).finally(() => {
+                    this.refreshPromise = undefined;
+                });
+            }
+            await waitForAbortSignal(this.refreshPromise, signal);
+        }
+        const header = authHeaderFromProfile(this.state.profile);
+        this.rememberProfileAuthHeader(header);
+        return header;
+    }
+    isProfileAuthorizationHeader(value) {
+        return value === this.managedAuthorizationValue;
+    }
+    async refreshOAuthToken(fetchImplementation) {
+        const refreshToken = this.state.profile.oauth?.refresh_token;
+        if (!refreshToken) {
+            return;
+        }
+        const refreshApiUrl = trimConfigValue(this.state.profile.api_url) ?? exports.DEFAULT_API_URL;
+        try {
+            const body = new URLSearchParams({
+                grant_type: "refresh_token",
+                client_id: OAUTH_CLIENT_ID,
+                refresh_token: refreshToken,
+            });
+            const response = await fetchImplementation(`${normalizeConfigUrl(refreshApiUrl)}/oauth/token`, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/x-www-form-urlencoded",
+                },
+                body: body.toString(),
+                signal: AbortSignal.timeout(TOKEN_REFRESH_TIMEOUT_MS),
+            });
+            if (!response.ok) {
+                return;
+            }
+            const token = (await response.json());
+            if (!token.access_token) {
+                return;
+            }
+            applyTokenResponse(this.state.profile, token);
+            this.state.config.profiles ??= {};
+            this.state.config.profiles[this.state.profileName] = this.state.profile;
+            await fsUtils.writeFileAtomic(this.state.configPath, `${JSON.stringify(this.state.config, null, 2)}\n`);
+        }
+        catch {
+            return;
+        }
+    }
+    rememberProfileAuthHeader(header) {
+        this.managedAuthorizationValue =
+            header?.name === "Authorization" ? header.value : undefined;
+    }
+}
+exports.ProfileAuth = ProfileAuth;
+function currentAuthHeaderFromProfile(profile) {
+    const oauthAccessToken = trimConfigValue(profile.oauth?.access_token);
+    if (oauthAccessToken) {
+        return { name: "Authorization", value: `Bearer ${oauthAccessToken}` };
+    }
+    if (trimConfigValue(profile.oauth?.refresh_token)) {
+        return undefined;
+    }
+    return authHeaderFromProfile(profile);
+}
+function authHeaderFromProfile(profile) {
+    const oauthAccessToken = trimConfigValue(profile.oauth?.access_token);
+    if (oauthAccessToken) {
+        return { name: "Authorization", value: `Bearer ${oauthAccessToken}` };
+    }
+    const apiKey = trimConfigValue(profile.api_key);
+    if (apiKey) {
+        return { name: "x-api-key", value: apiKey };
+    }
+    return undefined;
+}