opal-security 3.2.3 → 4.0.2

package/{lib → build}/lib/request/request-utils.js

@@ -1,28 +1,16 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.initEmptyRequestMetadata = initEmptyRequestMetadata;
-exports.setRequestDefaults = setRequestDefaults;
-exports.submitFinalRequest = submitFinalRequest;
-exports.getRequestLink = getRequestLink;
-exports.generateRequestLink = generateRequestLink;
-exports.bypassRequestSelection = bypassRequestSelection;
-exports.bypassDuration = bypassDuration;
-exports.getRequestMessageFromCode = getRequestMessageFromCode;
-exports.duplicateRequestTemplate = duplicateRequestTemplate;
-exports.copyBundleAssets = copyBundleAssets;
-const chalk_1 = require("chalk");
-const graphql_1 = require("../../graphql/graphql");
-const labels_1 = require("../../labels");
-const config_1 = require("../../lib/config");
-const api_1 = require("./api");
-const requests_1 = require("./api/queries/requests");
-const displays_1 = require("./displays");
-const types_1 = require("./types");
+import chalk from "chalk";
+import { EntityType, RequestMessageCode, RequestStatus, ThirdPartyProvider, } from "../../graphql/graphql.js";
+import { connectionTypeLabelByType } from "../../labels.js";
+import { getOrCreateConfigData, urlKey } from "../../lib/config.js";
+import { createRequest, queryCatalogItems, queryRequest, queryRequestDefaults, } from "./api/index.js";
+import { queryBundle } from "./api/queries/requests.js";
+import { displayRequestAgain, formatDuration, getStyledStatus, } from "./displays.js";
+import { entityTypeFromString, } from "./types.js";
 /*
 Init Request Metadata
 This function initializes the request metadata with empty defaults and an empty request map.
 */
-function initEmptyRequestMetadata() {
+export function initEmptyRequestMetadata() {
     // Initialize with empty defaults
     const requestDefaults = {
         durationOptions: [],
@@ -48,7 +36,7 @@ After setting up the request map, this function fetches the request defaults
 from the server based on the requested resources and groups.
 It updates the metadata with the fetched defaults.
 */
-async function setRequestDefaults(cmd, client, metadata) {
+export async function setRequestDefaults(cmd, client, metadata) {
     var _a;
     const requestMap = metadata.requestMap;
     const requestedResources = [];
@@ -62,14 +50,14 @@ async function setRequestDefaults(cmd, client, metadata) {
                 const roleIds = mappedRoles.length ? mappedRoles : [""];
                 for (const roleId of roleIds) {
                     switch (assetNode.type) {
-                        case graphql_1.EntityType.Resource: {
+                        case EntityType.Resource: {
                             requestedResources.push({
                                 resourceId: assetId,
                                 accessLevelRemoteId: roleId,
                             });
                             break;
                         }
-                        case graphql_1.EntityType.Group: {
+                        case EntityType.Group: {
                             requestedGroups.push({
                                 groupId: assetId,
                                 accessLevelRemoteId: roleId,
@@ -82,7 +70,7 @@ async function setRequestDefaults(cmd, client, metadata) {
         }
     }
     try {
-        const requestDefaults = await (0, api_1.queryRequestDefaults)(cmd, client, requestedResources, requestedGroups);
+        const requestDefaults = await queryRequestDefaults(cmd, client, requestedResources, requestedGroups);
         if (requestDefaults !== undefined) {
             metadata.requestDefaults.durationOptions =
                 requestDefaults.durationOptions;
@@ -113,7 +101,7 @@ async function setRequestDefaults(cmd, client, metadata) {
                     }
                 }
                 // Log the request message based on the code
-                cmd.log(chalk_1.default.dim(`\n${chalk_1.default.italic(message.level)}:`), getRequestMessageFromCode(cmd, message.code, connectionName, connectionType));
+                cmd.log(chalk.dim(`\n${chalk.italic(message.level)}:`), getRequestMessageFromCode(cmd, message.code, connectionName, connectionType));
                 if (message.level === "ERROR") {
                     process.exit(1);
                 }
@@ -121,7 +109,7 @@ async function setRequestDefaults(cmd, client, metadata) {
             if (requestDefaults.requireSupportTicket) {
                 cmd.log("\nA support ticket is required for this request. Please submit through the Opal website.");
                 const requestLink = generateRequestLink(cmd, (_a = metadata.requestDefaults.defaultDurationInMinutes) !== null && _a !== void 0 ? _a : 60);
-                cmd.log(`${chalk_1.default.bold("Link:")} ${requestLink}\n`);
+                cmd.log(`${chalk.bold("Link:")} ${requestLink}\n`);
                 process.exit(1);
             }
         }
@@ -130,7 +118,7 @@ async function setRequestDefaults(cmd, client, metadata) {
         cmd.error("Error fetching request defaults.");
     }
 }
-async function submitFinalRequest(cmd, client, metadata) {
+export async function submitFinalRequest(cmd, client, metadata) {
     var _a, _b, _c, _d;
     // Build requested assets lists for the mutation
     const requestedResources = [];
@@ -147,7 +135,7 @@ async function submitFinalRequest(cmd, client, metadata) {
                 const roleIds = mappedRoles.length > 0 ? mappedRoles : [""];
                 for (const roleId of roleIds) {
                     switch (assetNode.type) {
-                        case graphql_1.EntityType.Resource: {
+                        case EntityType.Resource: {
                             requestedResources.push({
                                 resourceId: assetId,
                                 accessLevel: {
@@ -157,7 +145,7 @@ async function submitFinalRequest(cmd, client, metadata) {
                             });
                             break;
                         }
-                        case graphql_1.EntityType.Group: {
+                        case EntityType.Group: {
                             requestedGroups.push({
                                 groupId: assetId,
                                 accessLevel: {
@@ -172,30 +160,30 @@ async function submitFinalRequest(cmd, client, metadata) {
             }
         }
     }
-    const resp = await (0, api_1.createRequest)(cmd, client, requestedResources, requestedGroups, metadata.reason, metadata.durationInMinutes);
+    const resp = await createRequest(cmd, client, requestedResources, requestedGroups, metadata.reason, metadata.durationInMinutes);
     // Build link to request
     if (resp === null || resp === void 0 ? void 0 : resp.id) {
         cmd.log("\n🎉 Your Access Request has been submitted!\n");
-        cmd.log(`${chalk_1.default.bold("ID:")} ${chalk_1.default.cyan(resp.id)}`);
+        cmd.log(`${chalk.bold("ID:")} ${chalk.cyan(resp.id)}`);
         if (resp === null || resp === void 0 ? void 0 : resp.status) {
-            cmd.log((0, displays_1.getStyledStatus)(resp.status));
+            cmd.log(getStyledStatus(resp.status));
         }
         const requestLink = getRequestLink(cmd, resp.id);
-        cmd.log(`${chalk_1.default.bold("Link:")} ${chalk_1.default.underline(requestLink)}\n`);
-        (0, displays_1.displayRequestAgain)(cmd, resp.id);
+        cmd.log(`${chalk.bold("Link:")} ${chalk.underline(requestLink)}\n`);
+        displayRequestAgain(cmd, resp.id);
     }
     return;
 }
-function getRequestLink(cmd, id) {
-    const configData = (0, config_1.getOrCreateConfigData)(cmd.config.configDir);
-    return `${configData[config_1.urlKey]}/requests/sent/${id}`;
+export function getRequestLink(cmd, id) {
+    const configData = getOrCreateConfigData(cmd.config.configDir);
+    return `${configData[urlKey]}/requests/sent/${id}`;
 }
-function generateRequestLink(cmd, defaultDurationInMinutes) {
-    const configData = (0, config_1.getOrCreateConfigData)(cmd.config.configDir);
+export function generateRequestLink(cmd, defaultDurationInMinutes) {
+    const configData = getOrCreateConfigData(cmd.config.configDir);
     // Including the duration in the URL so that the cancel button on the request page works as expected
-    return `${configData[config_1.urlKey]}/request-access?durationInMinutes=${defaultDurationInMinutes}`;
+    return `${configData[urlKey]}/request-access?durationInMinutes=${defaultDurationInMinutes}`;
 }
-async function bypassRequestSelection(cmd, client, flagValue, metadata) {
+export async function bypassRequestSelection(cmd, client, flagValue, metadata) {
     var _a, _b, _c, _d;
     try {
         // Query Catalog Item endpoint to identify what the id belongs to (resource or group)
@@ -203,7 +191,7 @@ async function bypassRequestSelection(cmd, client, flagValue, metadata) {
             const delimiterIndex = val.indexOf(":");
             const assetId = delimiterIndex === -1 ? val : val.substring(0, delimiterIndex);
             const roleName = delimiterIndex === -1 ? "" : val.substring(delimiterIndex + 1);
-            const resp = await (0, api_1.queryCatalogItems)(cmd, client, assetId);
+            const resp = await queryCatalogItems(cmd, client, assetId);
             switch ((_a = resp.data) === null || _a === void 0 ? void 0 : _a.catalogItem.__typename) {
                 case "Group":
                 case "Resource": {
@@ -228,7 +216,7 @@ async function bypassRequestSelection(cmd, client, flagValue, metadata) {
                         metadata.requestMap[appId].assets[assetId] = {
                             assetId: assetId,
                             assetName: assetName,
-                            type: (0, types_1.entityTypeFromString)(item.__typename),
+                            type: entityTypeFromString(item.__typename),
                             roles: {},
                         };
                     }
@@ -262,12 +250,12 @@ async function bypassRequestSelection(cmd, client, flagValue, metadata) {
     }
     return;
 }
-function bypassDuration(cmd, duration, metadata) {
+export function bypassDuration(cmd, duration, metadata) {
     const maxDuration = metadata.requestDefaults.maxDurationInMinutes;
     // Permanent duration is represented by 0, but should not be allowed
     // if a max duration is set.
     if (maxDuration && (duration > maxDuration || duration === 0)) {
-        cmd.error(`The requested duration exceeds the allowed limit of ${(0, displays_1.formatDuration)(maxDuration)}. Please choose a shorter duration.`);
+        cmd.error(`The requested duration exceeds the allowed limit of ${formatDuration(maxDuration)}. Please choose a shorter duration.`);
     }
     if (duration === 0) {
         metadata.durationInMinutes = undefined;
@@ -276,21 +264,21 @@ function bypassDuration(cmd, duration, metadata) {
         metadata.durationInMinutes = duration;
     }
 }
-function getRequestMessageFromCode(cmd, code, connectionName, connectionType, extraParams, 
+export function getRequestMessageFromCode(cmd, code, connectionName, connectionType, extraParams, 
 // sourceGroup?: PropsFor<typeof GroupBindingGroupLabel>["group"];
 sourceGroupRedirect) {
     switch (code) {
-        case graphql_1.RequestMessageCode.RequireUserAuthToken: {
+        case RequestMessageCode.RequireUserAuthToken: {
             if (connectionType) {
-                const connectionLabel = labels_1.connectionTypeLabelByType[connectionType];
+                const connectionLabel = connectionTypeLabelByType[connectionType];
                 // This case the connection has a third party provider such as GitLab,
                 // GitHub that requires the use to create a manual step into the end
                 // system.
-                const isThirdPartyProvider = Object.values(graphql_1.ThirdPartyProvider).find((v) => v === connectionType);
+                const isThirdPartyProvider = Object.values(ThirdPartyProvider).find((v) => v === connectionType);
                 if (isThirdPartyProvider) {
-                    const configData = (0, config_1.getOrCreateConfigData)(cmd.config.configDir);
+                    const configData = getOrCreateConfigData(cmd.config.configDir);
                     return `This item requires you to link your ${connectionLabel} account to Opal before requesting access.
-You can link your ${connectionLabel} account at ${`${configData[config_1.urlKey]}/user/settings/identities`}`;
+You can link your ${connectionLabel} account at ${`${configData[urlKey]}/user/settings/identities`}`;
                 }
                 const name = connectionName !== null && connectionName !== void 0 ? connectionName : connectionLabel;
                 // This case would be hit in case the user is not provisioned onto the end system, such as AWS, GCP, Okta, etc.
@@ -300,9 +288,9 @@ Please contact your Opal admin to provision your user on ${name}.`;
             // This should never happen, but just in case we forgot to pass in the third party provider or the connection type
             return "Your user does not exist on the end system. Please contact your Opal admin to add your user to the end system.";
         }
-        case graphql_1.RequestMessageCode.NestedGroupAccessNotAllowed:
+        case RequestMessageCode.NestedGroupAccessNotAllowed:
             return "You cannot request access to this group because you already have nested access.";
-        case graphql_1.RequestMessageCode.LinkedGroupNotRequestable:
+        case RequestMessageCode.LinkedGroupNotRequestable:
             return "You cannot request access to this group because it is linked to another group";
         default:
             return `Unknown request message code: ${code}`;
@@ -314,7 +302,7 @@ function addRequestedResourcesToMetadata(requestedResources, requestMap) {
         if (!resource)
             continue;
         const { id: assetId, displayName: assetName, connection, connectionId, __typename, } = resource;
-        const type = (0, types_1.entityTypeFromString)(__typename);
+        const type = entityTypeFromString(__typename);
         const roleId = accessLevel.accessLevelRemoteId;
         const roleName = accessLevel.accessLevelName;
         if (!requestMap[connectionId]) {
@@ -346,7 +334,7 @@ function addRequestedGroupsToMetadata(requestedGroups, requestMap) {
         if (!group)
             continue;
         const { id: assetId, name: assetName, connection, connectionId, __typename, } = group;
-        const type = (0, types_1.entityTypeFromString)(__typename);
+        const type = entityTypeFromString(__typename);
         const roleId = accessLevel === null || accessLevel === void 0 ? void 0 : accessLevel.accessLevelRemoteId;
         const roleName = accessLevel === null || accessLevel === void 0 ? void 0 : accessLevel.accessLevelName;
         if (!requestMap[connectionId]) {
@@ -376,7 +364,7 @@ function addRequestedGroupsToMetadata(requestedGroups, requestMap) {
 }
 async function convertRequestToMetadata(cmd, request, metadata) {
     const { status, durationInMinutes, reason, requestedResources, requestedGroups, } = request;
-    if (status === graphql_1.RequestStatus.Pending) {
+    if (status === RequestStatus.Pending) {
         cmd.log("⏳ Request is still in progress");
         return;
     }
@@ -389,16 +377,16 @@ async function convertRequestToMetadata(cmd, request, metadata) {
     addRequestedResourcesToMetadata(requestedResources, metadata.requestMap);
     addRequestedGroupsToMetadata(requestedGroups, metadata.requestMap);
 }
-async function duplicateRequestTemplate(cmd, client, requestId, metadata) {
+export async function duplicateRequestTemplate(cmd, client, requestId, metadata) {
     var _a, _b, _c, _d;
     cmd.log("Loading request template from ID: ", requestId);
-    const resp = await (0, api_1.queryRequest)(client, requestId);
+    const resp = await queryRequest(client, requestId);
     // no fall through doesn't consider process.exit();
     let x;
     switch ((_a = resp.data) === null || _a === void 0 ? void 0 : _a.request.__typename) {
         case "RequestResult": {
             if (((_b = resp.data) === null || _b === void 0 ? void 0 : _b.request.request).status ===
-                graphql_1.RequestStatus.Pending) {
+                RequestStatus.Pending) {
                 cmd.error("⏳ Cannot duplicate a request that is still in progress");
             }
             cmd.log("Creating new request with same configuration...");
@@ -447,10 +435,10 @@ async function convertBundleToMetadata(cmd, bundle, requestMap) {
     }
     cmd.log("Added all requestable items in the bundle");
 }
-async function copyBundleAssets(cmd, client, bundleId, requestMap) {
+export async function copyBundleAssets(cmd, client, bundleId, requestMap) {
     var _a, _b;
     cmd.log("Loading assets from bundle: ", bundleId);
-    const resp = await (0, requests_1.queryBundle)(client, bundleId);
+    const resp = await queryBundle(client, bundleId);
     // no fall through doesn't consider process.exit();
     let x;
     switch ((_a = resp.data) === null || _a === void 0 ? void 0 : _a.bundle.__typename) {

package/{lib → build}/lib/request/types.d.ts

@@ -1,4 +1,4 @@
-import { type ConnectionType, EntityType, type RequestMessageCode, type RequestMessageLevel } from "../../graphql/graphql";
+import { type ConnectionType, EntityType, type RequestMessageCode, type RequestMessageLevel } from "../../graphql/graphql.js";
 type AppNode = {
     appId: string;
     appName: string;

package/build/lib/request/types.js

@@ -0,0 +1,12 @@
+import { EntityType, } from "../../graphql/graphql.js";
+export function entityTypeFromString(str) {
+    const capStr = str === null || str === void 0 ? void 0 : str.toLocaleUpperCase();
+    if (capStr === "RESOURCE") {
+        return EntityType.Resource;
+    }
+    if (capStr === "GROUP") {
+        return EntityType.Group;
+    }
+    // if type unknown, default to resource
+    return EntityType.Resource;
+}

package/{lib → build}/lib/resources.d.ts

@@ -1,5 +1,5 @@
 import type { Command } from "@oclif/core";
-import type { ResourceAccessLevel, ResourceAccessLevelInput } from "../graphql/graphql";
+import type { ResourceAccessLevel, ResourceAccessLevelInput } from "../graphql/graphql.js";
 export type ResourceInfo = {
     id: string;
     name: string;

package/{lib → build}/lib/resources.js

@@ -1,21 +1,18 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.promptUserForAccessLevels = exports.promptUserForResource = exports.filterChoices = exports.DEFAULT_ACCESS_LEVEL = void 0;
-const inquirer = require("inquirer");
-const handler_1 = require("../handler");
-const apollo_1 = require("./apollo");
-exports.DEFAULT_ACCESS_LEVEL = {
+import inquirer from "inquirer";
+import inquirerPrompt from "inquirer-autocomplete-prompt";
+import { runQueryDeprecated } from "../handler.js";
+import { handleError } from "./apollo.js";
+export const DEFAULT_ACCESS_LEVEL = {
     accessLevelName: "",
     accessLevelRemoteId: "",
 };
 // Returns a filtered array of items that match the input
-const filterChoices = (input, choices) => {
+export const filterChoices = (input, choices) => {
     if (!input) {
         return choices;
     }
     return choices.filter((choice) => choice.name.toLowerCase().includes(input.toLowerCase()));
 };
-exports.filterChoices = filterChoices;
 const ListResourcesDocumentTemplate = `
 query ListResources {
   resources(input: {resourceTypes: [RESOURCE_TYPE], onlyMine: true, maxNumEntries: 1000}) {
@@ -35,15 +32,15 @@ query ListResources {
     }
   }
 }`;
-const promptUserForResource = async (command, resourceType, message) => {
+export const promptUserForResource = async (command, resourceType, message) => {
     const listResourcesDocument = ListResourcesDocumentTemplate.replace("RESOURCE_TYPE", resourceType);
-    const { resp, error } = await (0, handler_1.runQueryDeprecated)({
+    const { resp, error } = await runQueryDeprecated({
         command: command,
         query: listResourcesDocument,
         variables: {},
     });
     if (error) {
-        return (0, apollo_1.handleError)(command, error, resp);
+        return handleError(command, error, resp);
     }
     const resourceInfos = resp === null || resp === void 0 ? void 0 : resp.data.resources.resources.map((resource) => {
         let name = resource.name;
@@ -59,25 +56,24 @@ const promptUserForResource = async (command, resourceType, message) => {
         };
     });
     if (resourceInfos.length === 0) {
-        return (0, apollo_1.handleError)(command, "You don't have access to any resources of this type. Please go to Opal to request access.");
+        return handleError(command, "You don't have access to any resources of this type. Please go to Opal to request access.");
     }
     const resourceInfoByName = {};
     // biome-ignore lint/complexity/noForEach: fix it when you get the chance
     resourceInfos.forEach((resourceInfo) => {
         resourceInfoByName[resourceInfo.name] = resourceInfo;
     });
-    inquirer.registerPrompt("autocomplete", require("inquirer-autocomplete-prompt"));
+    inquirer.registerPrompt("autocomplete", inquirerPrompt);
     const selectedResourceInfo = await inquirer.prompt([
         {
             name: "resource",
             message: message,
             type: "autocomplete",
-            source: (answers, input) => (0, exports.filterChoices)(input, resourceInfos),
+            source: (answers, input) => filterChoices(input, resourceInfos),
         },
     ]);
     return resourceInfoByName[selectedResourceInfo.resource];
 };
-exports.promptUserForResource = promptUserForResource;
 const ListAccessLevelsForResource = `
 query ListAccessLevelsForResource($resourceId: ResourceId!) {
   accessLevels(input: {resourceId: $resourceId, onlyMine: true}) {
@@ -90,22 +86,22 @@ query ListAccessLevelsForResource($resourceId: ResourceId!) {
     }
   }
 }`;
-const promptUserForAccessLevels = async (command, resourceId, instanceType, accessLevelRemoteId) => {
+export const promptUserForAccessLevels = async (command, resourceId, instanceType, accessLevelRemoteId) => {
     var _a, _b, _c;
-    const { resp, error } = await (0, handler_1.runQueryDeprecated)({
+    const { resp, error } = await runQueryDeprecated({
         command: command,
         query: ListAccessLevelsForResource,
         variables: { resourceId },
     });
     if (error) {
-        return (0, apollo_1.handleError)(command, error, resp);
+        return handleError(command, error, resp);
     }
     const accessLevelInfos = (_c = (_b = (_a = resp === null || resp === void 0 ? void 0 : resp.data) === null || _a === void 0 ? void 0 : _a.accessLevels) === null || _b === void 0 ? void 0 : _b.accessLevels) === null || _c === void 0 ? void 0 : _c.map((resp) => ({
         id: resp.accessLevelRemoteId,
         name: resp.accessLevelName,
     }));
     if (!accessLevelInfos) {
-        return (0, apollo_1.handleError)(command, "This resource requires an access level, but none have been set up in Opal. Please contact your Opal admin.");
+        return handleError(command, "This resource requires an access level, but none have been set up in Opal. Please contact your Opal admin.");
     }
     const accessLevelInfoByName = {};
     const accessLevelInfoByRemoteId = {};
@@ -120,13 +116,13 @@ const promptUserForAccessLevels = async (command, resourceId, instanceType, acce
     }
     // Prompt user to pick access levels available to them
     if (!selectedAccessLevel) {
-        inquirer.registerPrompt("autocomplete", require("inquirer-autocomplete-prompt"));
+        inquirer.registerPrompt("autocomplete", inquirerPrompt);
         const selectedAccessLevelInfo = await inquirer.prompt([
             {
                 name: "accessLevel",
                 message: `Select an access level to the ${instanceType}`,
                 type: "autocomplete",
-                source: (answers, input) => (0, exports.filterChoices)(input, accessLevelInfos),
+                source: (answers, input) => filterChoices(input, accessLevelInfos),
             },
         ]);
         selectedAccessLevel =
@@ -137,4 +133,3 @@ const promptUserForAccessLevels = async (command, resourceId, instanceType, acce
         accessLevelRemoteId: selectedAccessLevel.id,
     };
 };
-exports.promptUserForAccessLevels = promptUserForAccessLevels;

package/{lib → build}/lib/sessions.d.ts

@@ -1,4 +1,4 @@
 import type { Command } from "@oclif/core";
-import type { ResourceAccessLevelInput } from "../graphql/graphql";
+import type { ResourceAccessLevelInput } from "../graphql/graphql.js";
 export declare const getOrCreateSession: (command: Command, resourceId: string, accessLevel: ResourceAccessLevelInput, sessionId: string | undefined, metadataFragment: string, wantNewSession?: boolean) => Promise<any>;
 export declare const getSessionExpirationMessage: (session: any) => string;

package/{lib → build}/lib/sessions.js

@@ -1,12 +1,11 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.getSessionExpirationMessage = exports.getOrCreateSession = void 0;
-const moment = require("moment");
-const open = require("open");
-const handler_1 = require("../handler");
-const apollo_1 = require("../lib/apollo");
-const config_1 = require("../lib/config");
-const util_1 = require("./util");
+import { ux } from "@oclif/core";
+import inquirer from "inquirer";
+import moment from "moment";
+import open from "open";
+import { runMutation, runQueryDeprecated } from "../handler.js";
+import { handleError } from "./apollo.js";
+import { getOrCreateConfigData, urlKey } from "./config.js";
+import { sleep } from "./util.js";
 const CreateSessionDocument = `
 mutation CreateSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!, $sessionId: SessionId) {
   createSession(input: {resourceId: $id, accessLevel: $accessLevel, sessionId: $sessionId}) {
@@ -59,7 +58,7 @@ query ListSessions($id: ResourceId!) {
 }
 `;
 const getSession = async (command, resourceId, accessLevelRemoteId, sessionId, metadataFragment, minCreatedAt) => {
-    const { resp, error } = await (0, handler_1.runQueryDeprecated)({
+    const { resp, error } = await runQueryDeprecated({
         command: command,
         query: ListSessionsDocument.replace("METADATA_FRAGMENT", metadataFragment),
         variables: {
@@ -67,7 +66,7 @@ const getSession = async (command, resourceId, accessLevelRemoteId, sessionId, m
         },
     });
     if (error) {
-        return (0, apollo_1.handleError)(command, error);
+        return handleError(command, error);
     }
     switch (resp === null || resp === void 0 ? void 0 : resp.data.sessions.__typename) {
         case "SessionsResult": {
@@ -94,32 +93,60 @@ const getSession = async (command, resourceId, accessLevelRemoteId, sessionId, m
             return selectedSession;
         }
         default:
-            return (0, apollo_1.handleError)(command, error, resp);
+            return handleError(command, error, resp);
     }
 };
-const openBrowserAndPollForSession = async (command, message, resourceId, accessLevelRemoteId, sessionId, metadataFragment, wantNewSession) => {
+const openBrowserAndPollForSession = async (command, authenticationType, resourceId, accessLevelRemoteId, sessionId, metadataFragment, wantNewSession) => {
     let minCreatedAt;
     if (wantNewSession) {
         // Ensure we poll for a new session rather than get an existing one.
         minCreatedAt = moment();
     }
-    command.log(message);
-    const configData = (0, config_1.getOrCreateConfigData)(command.config.configDir);
-    const url = configData[config_1.urlKey];
-    setTimeout(() => {
-        open(`${url}/resources/${resourceId}?showModal=true&refresh=true`);
-    }, 2000); // Wait before opening the browser to give the user time to read the message
+    const configData = getOrCreateConfigData(command.config.configDir);
+    const urlPrefix = configData[urlKey];
+    const url = `${urlPrefix}/resources/${resourceId}?showModal=true&refresh=true`;
+    command.log(`
+🔐 ${authenticationType} Required
+
+To continue, authenicate in your browser:
+
+⚠️  Security Check:
+  • Verify the URL is exactly: ${url}
+  • Never enter this code on any other website
+`);
+    await inquirer.prompt([
+        {
+            type: "input",
+            name: "continue",
+            message: "Press Enter to open your browser and continue",
+        },
+    ]);
+    open(url);
+    ux.action.start("Waiting for session approval");
+    const timeoutMs = 5 * 60 * 1000; // 5 minutes
+    const startTime = Date.now();
     // biome-ignore lint/suspicious/noImplicitAnyLet: please fix typing for queries
     let session;
-    while (!session) {
-        await (0, util_1.sleep)(2000);
-        session = await getSession(command, resourceId, accessLevelRemoteId, sessionId, metadataFragment, minCreatedAt);
+    try {
+        while (!session) {
+            if (Date.now() - startTime > timeoutMs) {
+                ux.action.stop("✗ Timed out");
+                throw new Error(`Timed out waiting for session after ${timeoutMs / 1000} seconds. Please ensure you've approved the access request in your browser.`);
+            }
+            await sleep(2000);
+            session = await getSession(command, resourceId, accessLevelRemoteId, sessionId, metadataFragment, minCreatedAt);
+        }
+        ux.action.stop("✓ Session approved");
+    }
+    catch (error) {
+        ux.action.stop("✗ Failed");
+        throw error;
     }
     return session;
 };
 const createSession = async (command, resourceId, accessLevel, sessionId, metadataFragment, wantNewSession) => {
     var _a, _b, _c, _d;
-    const { resp, error } = await (0, handler_1.runMutation)({
+    const { resp, error } = await runMutation({
         command: command,
         query: CreateSessionDocument.replace("METADATA_FRAGMENT", metadataFragment),
         variables: {
@@ -129,23 +156,23 @@ const createSession = async (command, resourceId, accessLevel, sessionId, metada
         },
     });
     if (error) {
-        return (0, apollo_1.handleError)(command, error);
+        return handleError(command, error);
     }
     switch ((_b = (_a = resp === null || resp === void 0 ? void 0 : resp.data) === null || _a === void 0 ? void 0 : _a.createSession) === null || _b === void 0 ? void 0 : _b.__typename) {
         case "CreateSessionResult": {
             return (_d = (_c = resp.data) === null || _c === void 0 ? void 0 : _c.createSession) === null || _d === void 0 ? void 0 : _d.session;
         }
         case "MfaInvalidError": {
-            return openBrowserAndPollForSession(command, "❗ MFA validation needed. Please connect via browser. Opening browser and awaiting validation...", resourceId, accessLevel.accessLevelRemoteId, sessionId, metadataFragment, wantNewSession);
+            return openBrowserAndPollForSession(command, "MFA Validation", resourceId, accessLevel.accessLevelRemoteId, sessionId, metadataFragment, wantNewSession);
         }
         case "OidcIDTokenNotFoundError": {
-            return openBrowserAndPollForSession(command, "❗ OIDC authentication needed. Please connect via browser. Opening browser and awaiting authentication...", resourceId, accessLevel.accessLevelRemoteId, sessionId, metadataFragment, wantNewSession);
+            return openBrowserAndPollForSession(command, "OIDC Authenication", resourceId, accessLevel.accessLevelRemoteId, sessionId, metadataFragment, wantNewSession);
         }
         default:
-            return (0, apollo_1.handleError)(command, error, resp);
+            return handleError(command, error, resp);
     }
 };
-const getOrCreateSession = async (command, resourceId, accessLevel, sessionId, metadataFragment, wantNewSession) => {
+export const getOrCreateSession = async (command, resourceId, accessLevel, sessionId, metadataFragment, wantNewSession) => {
     if (!wantNewSession) {
         // Use existing session if it exists
         const existingSession = await getSession(command, resourceId, accessLevel.accessLevelRemoteId, sessionId, metadataFragment);
@@ -154,16 +181,14 @@ const getOrCreateSession = async (command, resourceId, accessLevel, sessionId, m
         }
     }
     if (sessionId) {
-        return (0, apollo_1.handleError)(command, `Session not found for given id: ${sessionId}`);
+        return handleError(command, `Session not found for given id: ${sessionId}`);
     }
     // Create new session
     return createSession(command, resourceId, accessLevel, sessionId, metadataFragment, wantNewSession);
 };
-exports.getOrCreateSession = getOrCreateSession;
-const getSessionExpirationMessage = (session) => {
+export const getSessionExpirationMessage = (session) => {
     const diff = moment(session.endTime).diff(moment(), "minutes");
     const hours = Math.floor(diff / 60);
     const minutes = diff % 60;
     return `${hours}h ${minutes}m`;
 };
-exports.getSessionExpirationMessage = getSessionExpirationMessage;

package/{lib → build}/lib/ssh.d.ts

@@ -1,3 +1,3 @@
 import type { Command } from "@oclif/core";
-export declare const selectComputeInstance: (command: Command, action: string) => Promise<void | import("./resources").ResourceInfo>;
+export declare const selectComputeInstance: (command: Command, action: string) => Promise<void | import("./resources.js").ResourceInfo>;
 export declare const assertSessionManagerPluginExists: () => Promise<boolean>;