newo 1.5.0 → 1.5.2

package/dist/akb.js

@@ -2,8 +2,8 @@ import fs from 'fs-extra';
 /**
  * Parse AKB file and extract articles
  */
-export function parseAkbFile(filePath) {
-    const content = fs.readFileSync(filePath, 'utf8');
+export async function parseAkbFile(filePath) {
+    const content = await fs.readFile(filePath, 'utf8');
     const articles = [];
     // Split by article separators (---)
     const sections = content.split(/^---\s*$/gm).filter(section => section.trim());
@@ -22,27 +22,31 @@ export function parseAkbFile(filePath) {
  * Parse individual article section
  */
 function parseArticleSection(lines) {
-    let topicName = '';
-    let category = '';
-    let summary = '';
-    let keywords = '';
-    let topicSummary = '';
+    const state = {
+        topicName: '',
+        category: '',
+        summary: '',
+        keywords: '',
+        topicSummary: ''
+    };
     // Find topic name (# r001)
     const topicLine = lines.find(line => line.match(/^#\s+r\d+/));
-    if (!topicLine)
+    if (!topicLine) {
+        console.warn('No topic line found in section');
         return null;
-    topicName = topicLine.replace(/^#\s+/, '').trim();
+    }
+    state.topicName = topicLine.replace(/^#\s+/, '').trim();
     // Extract category/subcategory/description (first ## line)
     const categoryLine = lines.find(line => line.startsWith('## ') && line.includes(' / '));
     if (categoryLine) {
-        category = categoryLine.replace(/^##\s+/, '').trim();
+        state.category = categoryLine.replace(/^##\s+/, '').trim();
     }
     // Extract summary (second ## line)
     const summaryLineIndex = lines.findIndex(line => line.startsWith('## ') && line.includes(' / '));
     if (summaryLineIndex >= 0 && summaryLineIndex + 1 < lines.length) {
         const nextLine = lines[summaryLineIndex + 1];
         if (nextLine && nextLine.startsWith('## ') && !nextLine.includes(' / ')) {
-            summary = nextLine.replace(/^##\s+/, '').trim();
+            state.summary = nextLine.replace(/^##\s+/, '').trim();
         }
     }
     // Extract keywords (third ## line)
@@ -50,7 +54,7 @@ function parseArticleSection(lines) {
     if (keywordsLineIndex >= 0) {
         const keywordsLine = lines[keywordsLineIndex];
         if (keywordsLine) {
-            keywords = keywordsLine.replace(/^##\s+/, '').trim();
+            state.keywords = keywordsLine.replace(/^##\s+/, '').trim();
         }
     }
     // Extract category content
@@ -58,17 +62,17 @@ function parseArticleSection(lines) {
     const categoryEndIndex = lines.findIndex(line => line.includes('</Category>'));
     if (categoryStartIndex >= 0 && categoryEndIndex >= 0) {
         const categoryLines = lines.slice(categoryStartIndex, categoryEndIndex + 1);
-        topicSummary = categoryLines.join('\n');
+        state.topicSummary = categoryLines.join('\n');
     }
     // Create topic_facts array
-    const topicFacts = [category, summary, keywords].filter(fact => fact.trim() !== '');
+    const topicFacts = [state.category, state.summary, state.keywords].filter(fact => fact.trim() !== '');
     return {
-        topic_name: category, // Use the descriptive title as topic_name
+        topic_name: state.category, // Use the descriptive title as topic_name
         persona_id: null, // Will be set when importing
-        topic_summary: topicSummary,
+        topic_summary: state.topicSummary,
         topic_facts: topicFacts,
         confidence: 100,
-        source: topicName, // Use the ID (r001) as source
+        source: state.topicName, // Use the ID (r001) as source
         labels: ['rag_context']
     };
 }

package/dist/api.d.ts

@@ -1,6 +1,6 @@
 import { type AxiosInstance } from 'axios';
-import type { ProjectMeta, Agent, Skill, FlowEvent, FlowState, AkbImportArticle } from './types.js';
-export declare function makeClient(verbose?: boolean): Promise<AxiosInstance>;
+import type { ProjectMeta, Agent, Skill, FlowEvent, FlowState, AkbImportArticle, CustomerProfile } from './types.js';
+export declare function makeClient(verbose?: boolean, token?: string): Promise<AxiosInstance>;
 export declare function listProjects(client: AxiosInstance): Promise<ProjectMeta[]>;
 export declare function listAgents(client: AxiosInstance, projectId: string): Promise<Agent[]>;
 export declare function getProjectMeta(client: AxiosInstance, projectId: string): Promise<ProjectMeta>;
@@ -10,4 +10,5 @@ export declare function updateSkill(client: AxiosInstance, skillObject: Skill):
 export declare function listFlowEvents(client: AxiosInstance, flowId: string): Promise<FlowEvent[]>;
 export declare function listFlowStates(client: AxiosInstance, flowId: string): Promise<FlowState[]>;
 export declare function importAkbArticle(client: AxiosInstance, articleData: AkbImportArticle): Promise<unknown>;
+export declare function getCustomerProfile(client: AxiosInstance): Promise<CustomerProfile>;
 //# sourceMappingURL=api.d.ts.map

package/dist/api.js

@@ -1,17 +1,14 @@
-import axios from 'axios';
-import dotenv from 'dotenv';
+import axios, {} from 'axios';
 import { getValidAccessToken, forceReauth } from './auth.js';
-dotenv.config();
-const { NEWO_BASE_URL } = process.env;
-export async function makeClient(verbose = false) {
-    let accessToken = await getValidAccessToken();
+import { ENV } from './env.js';
+// Per-request retry tracking to avoid shared state issues
+const RETRY_SYMBOL = Symbol('retried');
+export async function makeClient(verbose = false, token) {
+    let accessToken = token || await getValidAccessToken();
     if (verbose)
         console.log('✓ Access token obtained');
-    if (!NEWO_BASE_URL) {
-        throw new Error('NEWO_BASE_URL is not set in environment variables');
-    }
     const client = axios.create({
-        baseURL: NEWO_BASE_URL,
+        baseURL: ENV.NEWO_BASE_URL,
         headers: { accept: 'application/json' }
     });
     client.interceptors.request.use(async (config) => {
@@ -26,7 +23,6 @@ export async function makeClient(verbose = false) {
         }
         return config;
     });
-    let retried = false;
     client.interceptors.response.use((response) => {
         if (verbose) {
             console.log(`← ${response.status} ${response.config.method?.toUpperCase()} ${response.config.url}`);
@@ -34,7 +30,8 @@ export async function makeClient(verbose = false) {
                 console.log('  Response:', JSON.stringify(response.data, null, 2));
             }
             else if (response.data) {
-                console.log(`  Response: [${typeof response.data}] ${Array.isArray(response.data) ? response.data.length + ' items' : 'large object'}`);
+                const itemCount = Array.isArray(response.data) ? response.data.length : Object.keys(response.data).length;
+                console.log(`  Response: [${typeof response.data}] ${Array.isArray(response.data) ? itemCount + ' items' : 'large object'}`);
             }
         }
         return response;
@@ -45,15 +42,17 @@ export async function makeClient(verbose = false) {
             if (error.response?.data)
                 console.log('  Error data:', error.response.data);
         }
-        if (status === 401 && !retried) {
-            retried = true;
-            if (verbose)
-                console.log('🔄 Retrying with fresh token...');
-            accessToken = await forceReauth();
-            if (error.config) {
-                error.config.headers = error.config.headers || {};
-                error.config.headers.Authorization = `Bearer ${accessToken}`;
-                return client.request(error.config);
+        // Use per-request retry tracking to avoid shared state issues
+        const config = error.config;
+        if (status === 401 && !config?.[RETRY_SYMBOL]) {
+            if (config) {
+                config[RETRY_SYMBOL] = true;
+                if (verbose)
+                    console.log('🔄 Retrying with fresh token...');
+                accessToken = await forceReauth();
+                config.headers = config.headers || {};
+                config.headers.Authorization = `Bearer ${accessToken}`;
+                return client.request(config);
             }
         }
         throw error;
@@ -97,4 +96,8 @@ export async function importAkbArticle(client, articleData) {
     const response = await client.post('/api/v1/akb/append-manual', articleData);
     return response.data;
 }
+export async function getCustomerProfile(client) {
+    const response = await client.get('/api/v1/customer/profile');
+    return response.data;
+}
 //# sourceMappingURL=api.js.map

package/dist/auth.d.ts

@@ -1,6 +1,6 @@
-import type { StoredTokens } from './types.js';
-export declare function exchangeApiKeyForToken(): Promise<StoredTokens>;
-export declare function refreshWithEndpoint(refreshToken: string): Promise<StoredTokens>;
-export declare function getValidAccessToken(): Promise<string>;
-export declare function forceReauth(): Promise<string>;
+import type { StoredTokens, CustomerConfig } from './types.js';
+export declare function exchangeApiKeyForToken(customer?: CustomerConfig): Promise<StoredTokens>;
+export declare function refreshWithEndpoint(refreshToken: string, customer?: CustomerConfig): Promise<StoredTokens>;
+export declare function getValidAccessToken(customer?: CustomerConfig): Promise<string>;
+export declare function forceReauth(customer?: CustomerConfig): Promise<string>;
 //# sourceMappingURL=auth.d.ts.map

package/dist/auth.js

@@ -1,23 +1,169 @@
 import fs from 'fs-extra';
 import path from 'path';
-import axios from 'axios';
-import dotenv from 'dotenv';
-dotenv.config();
-const { NEWO_BASE_URL, NEWO_API_KEY, NEWO_ACCESS_TOKEN, NEWO_REFRESH_TOKEN, NEWO_REFRESH_URL } = process.env;
+import axios, { AxiosError } from 'axios';
+import { ENV } from './env.js';
+import { customerStateDir } from './fsutil.js';
 const STATE_DIR = path.join(process.cwd(), '.newo');
-const TOKENS_PATH = path.join(STATE_DIR, 'tokens.json');
-async function saveTokens(tokens) {
-    await fs.ensureDir(STATE_DIR);
-    await fs.writeJson(TOKENS_PATH, tokens, { spaces: 2 });
+// Constants for validation and timeouts
+const API_KEY_MIN_LENGTH = 10;
+const TOKEN_MIN_LENGTH = 20;
+const REQUEST_TIMEOUT = 30000; // 30 seconds
+const TOKEN_EXPIRY_BUFFER = 60000; // 1 minute buffer for token expiry
+// Validation functions
+function validateApiKey(apiKey, customerIdn) {
+    if (!apiKey || typeof apiKey !== 'string') {
+        throw new Error(`Invalid API key format${customerIdn ? ` for customer ${customerIdn}` : ''}: must be a non-empty string`);
+    }
+    if (apiKey.length < API_KEY_MIN_LENGTH) {
+        throw new Error(`API key too short${customerIdn ? ` for customer ${customerIdn}` : ''}: minimum ${API_KEY_MIN_LENGTH} characters required`);
+    }
+    if (apiKey.includes(' ') || apiKey.includes('\n') || apiKey.includes('\t')) {
+        throw new Error(`Invalid API key format${customerIdn ? ` for customer ${customerIdn}` : ''}: contains invalid characters`);
+    }
+}
+function validateTokens(tokens) {
+    if (!tokens.access_token || typeof tokens.access_token !== 'string' || tokens.access_token.length < TOKEN_MIN_LENGTH) {
+        throw new Error('Invalid access token format: must be a non-empty string with minimum length');
+    }
+    if (tokens.refresh_token && (typeof tokens.refresh_token !== 'string' || tokens.refresh_token.length < TOKEN_MIN_LENGTH)) {
+        throw new Error('Invalid refresh token format: must be a non-empty string with minimum length');
+    }
+    if (tokens.expires_at && (typeof tokens.expires_at !== 'number' || tokens.expires_at <= 0)) {
+        throw new Error('Invalid token expiry: must be a positive number');
+    }
+}
+function validateUrl(url, name) {
+    if (!url || typeof url !== 'string') {
+        throw new Error(`${name} must be a non-empty string`);
+    }
+    try {
+        new URL(url);
+    }
+    catch {
+        throw new Error(`${name} must be a valid URL format`);
+    }
+    if (!url.startsWith('https://') && !url.startsWith('http://')) {
+        throw new Error(`${name} must use HTTP or HTTPS protocol`);
+    }
+}
+// Enhanced logging function
+function logAuthEvent(level, message, meta) {
+    const timestamp = new Date().toISOString();
+    const logEntry = {
+        timestamp,
+        level,
+        module: 'auth',
+        message,
+        ...meta
+    };
+    // Sanitize sensitive data
+    const sanitized = JSON.parse(JSON.stringify(logEntry, (key, value) => {
+        if (typeof key === 'string' && (key.toLowerCase().includes('key') || key.toLowerCase().includes('token') || key.toLowerCase().includes('secret'))) {
+            return typeof value === 'string' ? `${value.slice(0, 8)}...` : value;
+        }
+        return value;
+    }));
+    if (level === 'error') {
+        console.error(JSON.stringify(sanitized));
+    }
+    else if (level === 'warn') {
+        console.warn(JSON.stringify(sanitized));
+    }
+    else {
+        console.log(JSON.stringify(sanitized));
+    }
+}
+// Enhanced error handling for network requests
+function handleNetworkError(error, operation, customerIdn) {
+    const customerInfo = customerIdn ? ` for customer ${customerIdn}` : '';
+    if (error instanceof AxiosError) {
+        const statusCode = error.response?.status;
+        const responseData = error.response?.data;
+        if (statusCode === 401) {
+            throw new Error(`Authentication failed${customerInfo}: Invalid API key or credentials`);
+        }
+        else if (statusCode === 403) {
+            throw new Error(`Access forbidden${customerInfo}: Insufficient permissions`);
+        }
+        else if (statusCode === 429) {
+            throw new Error(`Rate limit exceeded${customerInfo}: Please try again later`);
+        }
+        else if (statusCode && statusCode >= 500) {
+            throw new Error(`Server error${customerInfo}: The NEWO service is temporarily unavailable (${statusCode})`);
+        }
+        else if (error.code === 'ECONNREFUSED') {
+            throw new Error(`Connection refused${customerInfo}: Cannot reach NEWO service`);
+        }
+        else if (error.code === 'ETIMEDOUT' || error.code === 'ENOTFOUND') {
+            throw new Error(`Network timeout${customerInfo}: Check your internet connection`);
+        }
+        else {
+            throw new Error(`Network error during ${operation}${customerInfo}: ${error.message}${responseData ? ` - ${JSON.stringify(responseData)}` : ''}`);
+        }
+    }
+    throw new Error(`Failed to ${operation}${customerInfo}: ${error instanceof Error ? error.message : String(error)}`);
+}
+function tokensPath(customerIdn) {
+    if (customerIdn) {
+        return path.join(customerStateDir(customerIdn), 'tokens.json');
+    }
+    return path.join(STATE_DIR, 'tokens.json'); // Legacy path
 }
-async function loadTokens() {
-    if (await fs.pathExists(TOKENS_PATH)) {
-        return fs.readJson(TOKENS_PATH);
+async function saveTokens(tokens, customerIdn) {
+    try {
+        validateTokens(tokens);
+        const filePath = tokensPath(customerIdn);
+        await fs.ensureDir(path.dirname(filePath));
+        await fs.writeJson(filePath, tokens, { spaces: 2 });
+        logAuthEvent('info', 'Tokens saved successfully', {
+            customerIdn: customerIdn || 'legacy',
+            expiresAt: tokens.expires_at ? new Date(tokens.expires_at).toISOString() : undefined,
+            hasRefreshToken: !!tokens.refresh_token
+        });
+    }
+    catch (error) {
+        logAuthEvent('error', 'Failed to save tokens', {
+            customerIdn: customerIdn || 'legacy',
+            error: error instanceof Error ? error.message : String(error)
+        });
+        throw new Error(`Failed to save authentication tokens${customerIdn ? ` for customer ${customerIdn}` : ''}: ${error instanceof Error ? error.message : String(error)}`);
     }
-    if (NEWO_ACCESS_TOKEN || NEWO_REFRESH_TOKEN) {
+}
+async function loadTokens(customerIdn) {
+    try {
+        const filePath = tokensPath(customerIdn);
+        if (await fs.pathExists(filePath)) {
+            const tokens = await fs.readJson(filePath);
+            // Validate loaded tokens
+            try {
+                validateTokens(tokens);
+            }
+            catch (validationError) {
+                logAuthEvent('warn', 'Loaded tokens failed validation, will regenerate', {
+                    customerIdn: customerIdn || 'legacy',
+                    error: validationError instanceof Error ? validationError.message : String(validationError)
+                });
+                return null; // Force token regeneration
+            }
+            logAuthEvent('info', 'Tokens loaded successfully', {
+                customerIdn: customerIdn || 'legacy',
+                expiresAt: tokens.expires_at ? new Date(tokens.expires_at).toISOString() : undefined,
+                hasRefreshToken: !!tokens.refresh_token
+            });
+            return tokens;
+        }
+    }
+    catch (error) {
+        logAuthEvent('warn', 'Failed to load tokens from file', {
+            customerIdn: customerIdn || 'legacy',
+            error: error instanceof Error ? error.message : String(error)
+        });
+    }
+    // Fallback to environment tokens for legacy mode or bootstrap
+    if (!customerIdn && (ENV.NEWO_ACCESS_TOKEN || ENV.NEWO_REFRESH_TOKEN)) {
         const tokens = {
-            access_token: NEWO_ACCESS_TOKEN || '',
-            refresh_token: NEWO_REFRESH_TOKEN || '',
+            access_token: ENV.NEWO_ACCESS_TOKEN || '',
+            refresh_token: ENV.NEWO_REFRESH_TOKEN || '',
             expires_at: Date.now() + 10 * 60 * 1000
         };
         await saveTokens(tokens);
@@ -26,79 +172,190 @@ async function loadTokens() {
     return null;
 }
 function isExpired(tokens) {
-    if (!tokens?.expires_at)
-        return false;
-    return Date.now() >= tokens.expires_at - 10_000;
+    if (!tokens?.expires_at) {
+        logAuthEvent('warn', 'Token has no expiry time, treating as expired');
+        return true;
+    }
+    const currentTime = Date.now();
+    const expiryTime = tokens.expires_at;
+    const timeUntilExpiry = expiryTime - currentTime;
+    if (timeUntilExpiry <= TOKEN_EXPIRY_BUFFER) {
+        logAuthEvent('info', 'Token is expired or expires soon', {
+            expiresAt: new Date(expiryTime).toISOString(),
+            timeUntilExpiry: Math.round(timeUntilExpiry / 1000)
+        });
+        return true;
+    }
+    return false;
 }
-export async function exchangeApiKeyForToken() {
-    if (!NEWO_API_KEY) {
-        throw new Error('NEWO_API_KEY not set. Provide an API key in .env');
-    }
-    const url = `${NEWO_BASE_URL}/api/v1/auth/api-key/token`;
-    const response = await axios.post(url, {}, {
-        headers: {
-            'x-api-key': NEWO_API_KEY,
-            'accept': 'application/json'
-        }
-    });
-    const data = response.data;
-    const access = data.access_token || data.token || data.accessToken;
-    const refresh = data.refresh_token || data.refreshToken || '';
-    const expiresInSec = data.expires_in || data.expiresIn || 3600;
+function normalizeTokenResponse(tokenResponse) {
+    const access = tokenResponse.access_token || tokenResponse.token || tokenResponse.accessToken;
+    const refresh = tokenResponse.refresh_token || tokenResponse.refreshToken || '';
+    const expiresInSec = tokenResponse.expires_in || tokenResponse.expiresIn || 3600;
     if (!access) {
-        throw new Error('Failed to get access token from API key exchange');
+        throw new Error('Invalid token response: missing access token');
     }
-    const tokens = {
-        access_token: access,
-        refresh_token: refresh,
-        expires_at: Date.now() + expiresInSec * 1000
-    };
-    await saveTokens(tokens);
-    return tokens;
+    return { access, refresh, expiresInSec };
 }
-export async function refreshWithEndpoint(refreshToken) {
-    if (!NEWO_REFRESH_URL) {
-        throw new Error('NEWO_REFRESH_URL not set');
-    }
-    const response = await axios.post(NEWO_REFRESH_URL, { refresh_token: refreshToken }, { headers: { 'accept': 'application/json' } });
-    const data = response.data;
-    const access = data.access_token || data.token || data.accessToken;
-    const refresh = data.refresh_token ?? refreshToken;
-    const expiresInSec = data.expires_in || 3600;
-    if (!access) {
-        throw new Error('Failed to get access token from refresh');
+export async function exchangeApiKeyForToken(customer) {
+    const apiKey = customer?.apiKey || ENV.NEWO_API_KEY;
+    const customerIdn = customer?.idn;
+    // Validate inputs
+    if (!apiKey) {
+        throw new Error(customer
+            ? `API key not set for customer ${customer.idn}. Set NEWO_CUSTOMER_${customer.idn.toUpperCase()}_API_KEY in your environment`
+            : 'NEWO_API_KEY not set. Provide an API key in .env file');
+    }
+    validateApiKey(apiKey, customerIdn);
+    validateUrl(ENV.NEWO_BASE_URL, 'NEWO_BASE_URL');
+    logAuthEvent('info', 'Exchanging API key for tokens', { customerIdn: customerIdn || 'legacy' });
+    try {
+        const url = `${ENV.NEWO_BASE_URL}/api/v1/auth/api-key/token`;
+        const response = await axios.post(url, {}, {
+            timeout: REQUEST_TIMEOUT,
+            headers: {
+                'x-api-key': apiKey,
+                'accept': 'application/json',
+                'user-agent': 'newo-cli/1.5.0'
+            }
+        });
+        if (!response.data) {
+            throw new Error('Empty response from token exchange endpoint');
+        }
+        const { access, refresh, expiresInSec } = normalizeTokenResponse(response.data);
+        const tokens = {
+            access_token: access,
+            refresh_token: refresh,
+            expires_at: Date.now() + expiresInSec * 1000
+        };
+        // Validate tokens before saving
+        validateTokens(tokens);
+        await saveTokens(tokens, customerIdn);
+        logAuthEvent('info', 'API key exchange completed successfully', {
+            customerIdn: customerIdn || 'legacy',
+            expiresAt: new Date(tokens.expires_at).toISOString()
+        });
+        return tokens;
+    }
+    catch (error) {
+        logAuthEvent('error', 'API key exchange failed', {
+            customerIdn: customerIdn || 'legacy',
+            error: error instanceof Error ? error.message : String(error)
+        });
+        handleNetworkError(error, 'exchange API key for token', customerIdn);
     }
-    const tokens = {
-        access_token: access,
-        refresh_token: refresh,
-        expires_at: Date.now() + expiresInSec * 1000
-    };
-    await saveTokens(tokens);
-    return tokens;
 }
-export async function getValidAccessToken() {
-    let tokens = await loadTokens();
-    if (!tokens || !tokens.access_token) {
-        tokens = await exchangeApiKeyForToken();
-        return tokens.access_token;
+export async function refreshWithEndpoint(refreshToken, customer) {
+    const customerIdn = customer?.idn;
+    // Validate inputs
+    if (!ENV.NEWO_REFRESH_URL) {
+        throw new Error('NEWO_REFRESH_URL not set in environment');
     }
-    if (!isExpired(tokens)) {
-        return tokens.access_token;
+    if (!refreshToken || typeof refreshToken !== 'string' || refreshToken.length < TOKEN_MIN_LENGTH) {
+        throw new Error(`Invalid refresh token${customerIdn ? ` for customer ${customerIdn}` : ''}: must be a non-empty string with minimum length`);
     }
-    if (NEWO_REFRESH_URL && tokens.refresh_token) {
-        try {
-            tokens = await refreshWithEndpoint(tokens.refresh_token);
+    validateUrl(ENV.NEWO_REFRESH_URL, 'NEWO_REFRESH_URL');
+    logAuthEvent('info', 'Refreshing tokens using refresh endpoint', { customerIdn: customerIdn || 'legacy' });
+    try {
+        const response = await axios.post(ENV.NEWO_REFRESH_URL, { refresh_token: refreshToken }, {
+            timeout: REQUEST_TIMEOUT,
+            headers: {
+                'accept': 'application/json',
+                'user-agent': 'newo-cli/1.5.0'
+            }
+        });
+        if (!response.data) {
+            throw new Error('Empty response from token refresh endpoint');
+        }
+        const { access, expiresInSec } = normalizeTokenResponse(response.data);
+        const refresh = response.data.refresh_token || response.data.refreshToken || refreshToken;
+        const tokens = {
+            access_token: access,
+            refresh_token: refresh,
+            expires_at: Date.now() + expiresInSec * 1000
+        };
+        // Validate tokens before saving
+        validateTokens(tokens);
+        await saveTokens(tokens, customerIdn);
+        logAuthEvent('info', 'Token refresh completed successfully', {
+            customerIdn: customerIdn || 'legacy',
+            expiresAt: new Date(tokens.expires_at).toISOString()
+        });
+        return tokens;
+    }
+    catch (error) {
+        logAuthEvent('error', 'Token refresh failed', {
+            customerIdn: customerIdn || 'legacy',
+            error: error instanceof Error ? error.message : String(error)
+        });
+        handleNetworkError(error, 'refresh token', customerIdn);
+    }
+}
+export async function getValidAccessToken(customer) {
+    const customerIdn = customer?.idn;
+    logAuthEvent('info', 'Getting valid access token', { customerIdn: customerIdn || 'legacy' });
+    try {
+        let tokens = await loadTokens(customerIdn);
+        // No tokens found, exchange API key
+        if (!tokens || !tokens.access_token) {
+            logAuthEvent('info', 'No existing tokens found, exchanging API key', { customerIdn: customerIdn || 'legacy' });
+            tokens = await exchangeApiKeyForToken(customer);
             return tokens.access_token;
         }
-        catch (error) {
-            console.warn('Refresh failed, falling back to API key exchange…');
+        // Tokens are valid and not expired
+        if (!isExpired(tokens)) {
+            logAuthEvent('info', 'Using existing valid access token', { customerIdn: customerIdn || 'legacy' });
+            return tokens.access_token;
         }
+        // Try to refresh if refresh URL and token available
+        if (ENV.NEWO_REFRESH_URL && tokens.refresh_token) {
+            try {
+                logAuthEvent('info', 'Attempting to refresh expired token', { customerIdn: customerIdn || 'legacy' });
+                tokens = await refreshWithEndpoint(tokens.refresh_token, customer);
+                return tokens.access_token;
+            }
+            catch (error) {
+                const message = error instanceof Error ? error.message : String(error);
+                logAuthEvent('warn', 'Token refresh failed, falling back to API key exchange', {
+                    customerIdn: customerIdn || 'legacy',
+                    error: message
+                });
+            }
+        }
+        else {
+            logAuthEvent('info', 'No refresh endpoint or refresh token available, using API key exchange', {
+                customerIdn: customerIdn || 'legacy'
+            });
+        }
+        // Fallback to API key exchange
+        tokens = await exchangeApiKeyForToken(customer);
+        return tokens.access_token;
+    }
+    catch (error) {
+        logAuthEvent('error', 'Failed to get valid access token', {
+            customerIdn: customerIdn || 'legacy',
+            error: error instanceof Error ? error.message : String(error)
+        });
+        throw new Error(`Unable to obtain valid access token${customerIdn ? ` for customer ${customerIdn}` : ''}: ${error instanceof Error ? error.message : String(error)}`);
     }
-    tokens = await exchangeApiKeyForToken();
-    return tokens.access_token;
 }
-export async function forceReauth() {
-    const tokens = await exchangeApiKeyForToken();
-    return tokens.access_token;
+export async function forceReauth(customer) {
+    const customerIdn = customer?.idn;
+    logAuthEvent('info', 'Forcing re-authentication', { customerIdn: customerIdn || 'legacy' });
+    try {
+        const tokens = await exchangeApiKeyForToken(customer);
+        logAuthEvent('info', 'Forced re-authentication completed successfully', {
+            customerIdn: customerIdn || 'legacy',
+            expiresAt: new Date(tokens.expires_at).toISOString()
+        });
+        return tokens.access_token;
+    }
+    catch (error) {
+        logAuthEvent('error', 'Forced re-authentication failed', {
+            customerIdn: customerIdn || 'legacy',
+            error: error instanceof Error ? error.message : String(error)
+        });
+        throw error;
+    }
 }
 //# sourceMappingURL=auth.js.map