opal-security 4.0.4 → 5.0.0

package/build/graphql/graphql.js

@@ -23,6 +23,7 @@ export var AccessOption;
 export var AccessReviewAction;
 (function (AccessReviewAction) {
     AccessReviewAction["Accept"] = "ACCEPT";
+    AccessReviewAction["AdminRevoke"] = "ADMIN_REVOKE";
     AccessReviewAction["NoAction"] = "NO_ACTION";
     AccessReviewAction["Revoke"] = "REVOKE";
     AccessReviewAction["Update"] = "UPDATE";
@@ -128,12 +129,6 @@ export var AccessRuleStatus;
     AccessRuleStatus["Paused"] = "PAUSED";
     AccessRuleStatus["PausedByFailsafe"] = "PAUSED_BY_FAILSAFE";
 })(AccessRuleStatus || (AccessRuleStatus = {}));
-export var AccessType;
-(function (AccessType) {
-    AccessType["Birthright"] = "BIRTHRIGHT";
-    AccessType["Expiring"] = "EXPIRING";
-    AccessType["Longstanding"] = "LONGSTANDING";
-})(AccessType || (AccessType = {}));
 export var AldwinRole;
 (function (AldwinRole) {
     AldwinRole["Admin"] = "ADMIN";
@@ -215,37 +210,11 @@ export var AuthSessionStatus;
     AuthSessionStatus["SessionNotFound"] = "SESSION_NOT_FOUND";
     AuthSessionStatus["SessionValid"] = "SESSION_VALID";
 })(AuthSessionStatus || (AuthSessionStatus = {}));
-export var AuthType;
-(function (AuthType) {
-    AuthType["ActiveDirectory"] = "ACTIVE_DIRECTORY";
-    AuthType["Aws"] = "AWS";
-    AuthType["AwsSso"] = "AWS_SSO";
-    AuthType["AzureAd"] = "AZURE_AD";
-    AuthType["Coupa"] = "COUPA";
-    AuthType["Custom"] = "CUSTOM";
-    AuthType["CustomConnector"] = "CUSTOM_CONNECTOR";
-    AuthType["Databricks"] = "DATABRICKS";
-    AuthType["DatastaxAstra"] = "DATASTAX_ASTRA";
-    AuthType["Duo"] = "DUO";
-    AuthType["Gcp"] = "GCP";
-    AuthType["GitHub"] = "GIT_HUB";
-    AuthType["GitLab"] = "GIT_LAB";
-    AuthType["GoogleGroups"] = "GOOGLE_GROUPS";
-    AuthType["GoogleWorkspace"] = "GOOGLE_WORKSPACE";
-    AuthType["Ilevel"] = "ILEVEL";
-    AuthType["Ldap"] = "LDAP";
-    AuthType["Mongo"] = "MONGO";
-    AuthType["MongoAtlas"] = "MONGO_ATLAS";
-    AuthType["Mysqlmariadb"] = "MYSQLMARIADB";
-    AuthType["OktaDirectory"] = "OKTA_DIRECTORY";
-    AuthType["Pagerduty"] = "PAGERDUTY";
-    AuthType["Postgres"] = "POSTGRES";
-    AuthType["Salesforce"] = "SALESFORCE";
-    AuthType["Snowflake"] = "SNOWFLAKE";
-    AuthType["Tailscale"] = "TAILSCALE";
-    AuthType["Teleport"] = "TELEPORT";
-    AuthType["Workday"] = "WORKDAY";
-})(AuthType || (AuthType = {}));
+export var AzureAdCloudType;
+(function (AzureAdCloudType) {
+    AzureAdCloudType["Global"] = "GLOBAL";
+    AzureAdCloudType["UsGovernment"] = "US_GOVERNMENT";
+})(AzureAdCloudType || (AzureAdCloudType = {}));
 export var BundleItemsSortByField;
 (function (BundleItemsSortByField) {
     BundleItemsSortByField["CreatedAt"] = "CREATED_AT";
@@ -261,6 +230,7 @@ export var BundlesSortByField;
 export var ConnectionType;
 (function (ConnectionType) {
     ConnectionType["ActiveDirectory"] = "ACTIVE_DIRECTORY";
+    ConnectionType["Anthropic"] = "ANTHROPIC";
     /**
      * Deprecated. Legacy integration no longer offered - use AWS_SSO instead.
      * @deprecated Legacy integration no longer offered - use AWS_SSO instead.
@@ -269,6 +239,7 @@ export var ConnectionType;
     ConnectionType["AwsSso"] = "AWS_SSO";
     ConnectionType["AzureAd"] = "AZURE_AD";
     ConnectionType["Coupa"] = "COUPA";
+    ConnectionType["Cursor"] = "CURSOR";
     ConnectionType["Custom"] = "CUSTOM";
     ConnectionType["CustomConnector"] = "CUSTOM_CONNECTOR";
     ConnectionType["Databricks"] = "DATABRICKS";
@@ -287,6 +258,8 @@ export var ConnectionType;
     ConnectionType["Mysql"] = "MYSQL";
     ConnectionType["OktaDirectory"] = "OKTA_DIRECTORY";
     ConnectionType["Opal"] = "OPAL";
+    ConnectionType["OpenaiPlatform"] = "OPENAI_PLATFORM";
+    ConnectionType["OracleFusion"] = "ORACLE_FUSION";
     ConnectionType["Pagerduty"] = "PAGERDUTY";
     ConnectionType["Postgres"] = "POSTGRES";
     ConnectionType["Salesforce"] = "SALESFORCE";
@@ -438,6 +411,9 @@ export var EventType;
     EventType["BundleGroupsRemoved"] = "BUNDLE_GROUPS_REMOVED";
     EventType["BundleResourcesAdded"] = "BUNDLE_RESOURCES_ADDED";
     EventType["BundleResourcesRemoved"] = "BUNDLE_RESOURCES_REMOVED";
+    EventType["CatalogItemHidden"] = "CATALOG_ITEM_HIDDEN";
+    EventType["CatalogItemUnhidden"] = "CATALOG_ITEM_UNHIDDEN";
+    EventType["CatalogUpdated"] = "CATALOG_UPDATED";
     EventType["ConfigurationTemplateAdminOwnerUpdated"] = "CONFIGURATION_TEMPLATE_ADMIN_OWNER_UPDATED";
     EventType["ConfigurationTemplateAuditMessageChannelUpdated"] = "CONFIGURATION_TEMPLATE_AUDIT_MESSAGE_CHANNEL_UPDATED";
     EventType["ConfigurationTemplateBreakGlassUsersUpdated"] = "CONFIGURATION_TEMPLATE_BREAK_GLASS_USERS_UPDATED";
@@ -769,6 +745,7 @@ export var GeneralSettingType;
     GeneralSettingType["DisableRequestDelegation"] = "DISABLE_REQUEST_DELEGATION";
     GeneralSettingType["GlobalRequesterRole"] = "GLOBAL_REQUESTER_ROLE";
     GeneralSettingType["NestedGroups"] = "NESTED_GROUPS";
+    GeneralSettingType["OnlyAllowDelegationToActiveUsers"] = "ONLY_ALLOW_DELEGATION_TO_ACTIVE_USERS";
     GeneralSettingType["RequireManagerCc"] = "REQUIRE_MANAGER_CC";
     GeneralSettingType["RequireOpalMfaForLogins"] = "REQUIRE_OPAL_MFA_FOR_LOGINS";
     GeneralSettingType["RequireSupportTicket"] = "REQUIRE_SUPPORT_TICKET";
@@ -953,6 +930,7 @@ export var PropagationStatusCode;
     PropagationStatusCode["ErrRemoteProvisioningViaIdpFailed"] = "ERR_REMOTE_PROVISIONING_VIA_IDP_FAILED";
     PropagationStatusCode["ErrRemoteResourceNotFound"] = "ERR_REMOTE_RESOURCE_NOT_FOUND";
     PropagationStatusCode["ErrRemoteThrottle"] = "ERR_REMOTE_THROTTLE";
+    PropagationStatusCode["ErrRemoteTicketNotFound"] = "ERR_REMOTE_TICKET_NOT_FOUND";
     PropagationStatusCode["ErrRemoteUnrecoverableError"] = "ERR_REMOTE_UNRECOVERABLE_ERROR";
     PropagationStatusCode["ErrRemoteUserNotFound"] = "ERR_REMOTE_USER_NOT_FOUND";
     PropagationStatusCode["ErrRemoteUserNotLinked"] = "ERR_REMOTE_USER_NOT_LINKED";
@@ -1091,6 +1069,7 @@ export var RequestApprovalType;
     RequestApprovalType["Manager"] = "MANAGER";
     RequestApprovalType["Owner"] = "OWNER";
     RequestApprovalType["SkipManager"] = "SKIP_MANAGER";
+    RequestApprovalType["User"] = "USER";
 })(RequestApprovalType || (RequestApprovalType = {}));
 export var RequestMessageCode;
 (function (RequestMessageCode) {
@@ -1113,6 +1092,13 @@ export var RequestReviewerDelegationsSortByField;
     RequestReviewerDelegationsSortByField["EndTime"] = "END_TIME";
     RequestReviewerDelegationsSortByField["StartTime"] = "START_TIME";
 })(RequestReviewerDelegationsSortByField || (RequestReviewerDelegationsSortByField = {}));
+export var RequestSource;
+(function (RequestSource) {
+    RequestSource["Api"] = "API";
+    RequestSource["Cli"] = "CLI";
+    RequestSource["Slack"] = "SLACK";
+    RequestSource["Web"] = "WEB";
+})(RequestSource || (RequestSource = {}));
 export var RequestStatus;
 (function (RequestStatus) {
     RequestStatus["Approved"] = "APPROVED";
@@ -1142,6 +1128,7 @@ export var RequestsSortByField;
 })(RequestsSortByField || (RequestsSortByField = {}));
 export var ResourceType;
 (function (ResourceType) {
+    ResourceType["AnthropicWorkspace"] = "ANTHROPIC_WORKSPACE";
     ResourceType["AwsAccount"] = "AWS_ACCOUNT";
     ResourceType["AwsEc2Instance"] = "AWS_EC2_INSTANCE";
     ResourceType["AwsEksCluster"] = "AWS_EKS_CLUSTER";
@@ -1166,6 +1153,7 @@ export var ResourceType;
     ResourceType["AzureUserAssignedManagedIdentity"] = "AZURE_USER_ASSIGNED_MANAGED_Identity";
     ResourceType["AzureVirtualMachine"] = "AZURE_VIRTUAL_MACHINE";
     ResourceType["CoupaRole"] = "COUPA_ROLE";
+    ResourceType["CursorOrganization"] = "CURSOR_ORGANIZATION";
     ResourceType["Custom"] = "CUSTOM";
     ResourceType["CustomConnector"] = "CUSTOM_CONNECTOR";
     ResourceType["DatabricksAccountServicePrincipal"] = "DATABRICKS_ACCOUNT_SERVICE_PRINCIPAL";
@@ -1181,6 +1169,7 @@ export var ResourceType;
     ResourceType["GcpOrganization"] = "GCP_ORGANIZATION";
     ResourceType["GcpProject"] = "GCP_PROJECT";
     ResourceType["GcpServiceAccount"] = "GCP_SERVICE_ACCOUNT";
+    ResourceType["GitHubOrg"] = "GIT_HUB_ORG";
     ResourceType["GitHubOrgRole"] = "GIT_HUB_ORG_ROLE";
     ResourceType["GitHubRepo"] = "GIT_HUB_REPO";
     ResourceType["GitLabProject"] = "GIT_LAB_PROJECT";
@@ -1194,6 +1183,9 @@ export var ResourceType;
     ResourceType["OktaRole"] = "OKTA_ROLE";
     ResourceType["OpalRole"] = "OPAL_ROLE";
     ResourceType["OpalScopedRole"] = "OPAL_SCOPED_ROLE";
+    ResourceType["OpenaiPlatformProject"] = "OPENAI_PLATFORM_PROJECT";
+    ResourceType["OpenaiPlatformServiceAccount"] = "OPENAI_PLATFORM_SERVICE_ACCOUNT";
+    ResourceType["OracleFusionRole"] = "ORACLE_FUSION_ROLE";
     ResourceType["PagerdutyRole"] = "PAGERDUTY_ROLE";
     ResourceType["PostgresInstance"] = "POSTGRES_INSTANCE";
     ResourceType["SalesforcePermissionSet"] = "SALESFORCE_PERMISSION_SET";
@@ -1236,6 +1228,8 @@ export var ReviewerAction;
 export var ReviewerUserStatus;
 (function (ReviewerUserStatus) {
     ReviewerUserStatus["Accepted"] = "ACCEPTED";
+    ReviewerUserStatus["AdminNeedsEndSystemRevocation"] = "ADMIN_NEEDS_END_SYSTEM_REVOCATION";
+    ReviewerUserStatus["AdminRevoked"] = "ADMIN_REVOKED";
     ReviewerUserStatus["NeedsEndSystemRevocation"] = "NEEDS_END_SYSTEM_REVOCATION";
     ReviewerUserStatus["NeedsUpdateRequestApproval"] = "NEEDS_UPDATE_REQUEST_APPROVAL";
     ReviewerUserStatus["NotRequired"] = "NOT_REQUIRED";
@@ -1286,11 +1280,13 @@ export var RolePermission;
     RolePermission["EditSettings"] = "EDIT_SETTINGS";
     RolePermission["EditSyncSettings"] = "EDIT_SYNC_SETTINGS";
     RolePermission["EditTags"] = "EDIT_TAGS";
+    RolePermission["EditTokens"] = "EDIT_TOKENS";
     RolePermission["Export"] = "EXPORT";
     RolePermission["Import"] = "IMPORT";
     RolePermission["Read"] = "READ";
     RolePermission["ReadAssignments"] = "READ_ASSIGNMENTS";
     RolePermission["ReadSettings"] = "READ_SETTINGS";
+    RolePermission["ReadTokens"] = "READ_TOKENS";
     RolePermission["RequestOnBehalf"] = "REQUEST_ON_BEHALF";
     RolePermission["ResetMfa"] = "RESET_MFA";
     RolePermission["SendReminders"] = "SEND_REMINDERS";
@@ -1306,8 +1302,8 @@ export var RolePermissionTargetType;
     RolePermissionTargetType["Connection"] = "CONNECTION";
     RolePermissionTargetType["EventStream"] = "EVENT_STREAM";
     RolePermissionTargetType["Group"] = "GROUP";
+    RolePermissionTargetType["Owner"] = "OWNER";
     RolePermissionTargetType["PubsubPublishConnection"] = "PUBSUB_PUBLISH_CONNECTION";
-    RolePermissionTargetType["PubsubPublishMessage"] = "PUBSUB_PUBLISH_MESSAGE";
     RolePermissionTargetType["RequestTemplate"] = "REQUEST_TEMPLATE";
     RolePermissionTargetType["Resource"] = "RESOURCE";
     RolePermissionTargetType["User"] = "USER";
@@ -1320,10 +1316,12 @@ export var SearchType;
 export var ServiceType;
 (function (ServiceType) {
     ServiceType["ActiveDirectory"] = "ACTIVE_DIRECTORY";
+    ServiceType["Anthropic"] = "ANTHROPIC";
     ServiceType["AwsIam"] = "AWS_IAM";
     ServiceType["AwsSso"] = "AWS_SSO";
     ServiceType["AzureAd"] = "AZURE_AD";
     ServiceType["Coupa"] = "COUPA";
+    ServiceType["Cursor"] = "CURSOR";
     ServiceType["Custom"] = "CUSTOM";
     ServiceType["CustomConnector"] = "CUSTOM_CONNECTOR";
     ServiceType["Databricks"] = "DATABRICKS";
@@ -1344,6 +1342,8 @@ export var ServiceType;
     ServiceType["Mysql"] = "MYSQL";
     ServiceType["OktaDirectory"] = "OKTA_DIRECTORY";
     ServiceType["Opal"] = "OPAL";
+    ServiceType["OpenaiPlatform"] = "OPENAI_PLATFORM";
+    ServiceType["OracleFusion"] = "ORACLE_FUSION";
     ServiceType["Pagerduty"] = "PAGERDUTY";
     ServiceType["Postgres"] = "POSTGRES";
     ServiceType["Salesforce"] = "SALESFORCE";
@@ -1354,6 +1354,14 @@ export var ServiceType;
     ServiceType["Unknown"] = "UNKNOWN";
     ServiceType["Workday"] = "WORKDAY";
 })(ServiceType || (ServiceType = {}));
+export var ServiceUserAutomationStrategy;
+(function (ServiceUserAutomationStrategy) {
+    ServiceUserAutomationStrategy["Webhook"] = "WEBHOOK";
+})(ServiceUserAutomationStrategy || (ServiceUserAutomationStrategy = {}));
+export var ServiceUserAutomationTrigger;
+(function (ServiceUserAutomationTrigger) {
+    ServiceUserAutomationTrigger["RequestCreatedForReviewer"] = "REQUEST_CREATED_FOR_REVIEWER";
+})(ServiceUserAutomationTrigger || (ServiceUserAutomationTrigger = {}));
 export var SortDirection;
 (function (SortDirection) {
     SortDirection["Asc"] = "ASC";
@@ -1451,6 +1459,7 @@ export var TaskTrigger;
 export var ThirdPartyProvider;
 (function (ThirdPartyProvider) {
     ThirdPartyProvider["Auth0"] = "AUTH0";
+    ThirdPartyProvider["FreshService"] = "FRESH_SERVICE";
     ThirdPartyProvider["GitHub"] = "GIT_HUB";
     ThirdPartyProvider["GitHubConnection"] = "GIT_HUB_CONNECTION";
     ThirdPartyProvider["GitHubRegistration"] = "GIT_HUB_REGISTRATION";
@@ -1459,6 +1468,7 @@ export var ThirdPartyProvider;
     ThirdPartyProvider["GoogleChat"] = "GOOGLE_CHAT";
     ThirdPartyProvider["Jira"] = "JIRA";
     ThirdPartyProvider["Linear"] = "LINEAR";
+    ThirdPartyProvider["Notion"] = "NOTION";
     ThirdPartyProvider["Opsgenie"] = "OPSGENIE";
     ThirdPartyProvider["PagerDuty"] = "PAGER_DUTY";
     ThirdPartyProvider["ServiceNow"] = "SERVICE_NOW";
@@ -2059,6 +2069,67 @@ export const CheckAuthSessionQueryDocument = {
         },
     ],
 };
+export const GetLastMfaAtDocument = {
+    kind: "Document",
+    definitions: [
+        {
+            kind: "OperationDefinition",
+            operation: "query",
+            name: { kind: "Name", value: "GetLastMfaAt" },
+            selectionSet: {
+                kind: "SelectionSet",
+                selections: [
+                    { kind: "Field", name: { kind: "Name", value: "lastMfaAt" } },
+                ],
+            },
+        },
+    ],
+};
+export const HasValidOidcIdTokenDocument = {
+    kind: "Document",
+    definitions: [
+        {
+            kind: "OperationDefinition",
+            operation: "query",
+            name: { kind: "Name", value: "HasValidOidcIdToken" },
+            variableDefinitions: [
+                {
+                    kind: "VariableDefinition",
+                    variable: {
+                        kind: "Variable",
+                        name: { kind: "Name", value: "oidcProviderType" },
+                    },
+                    type: {
+                        kind: "NonNullType",
+                        type: {
+                            kind: "NamedType",
+                            name: { kind: "Name", value: "OIDCProviderType" },
+                        },
+                    },
+                },
+            ],
+            selectionSet: {
+                kind: "SelectionSet",
+                selections: [
+                    {
+                        kind: "Field",
+                        name: { kind: "Name", value: "hasValidOidcToken" },
+                        arguments: [
+                            {
+                                kind: "Argument",
+                                name: { kind: "Name", value: "oidcProviderType" },
+                                value: {
+                                    kind: "Variable",
+                                    name: { kind: "Name", value: "oidcProviderType" },
+                                },
+                            },
+                        ],
+                    },
+                ],
+            },
+        },
+    ],
+};
 export const CreateRequestDocument = {
     kind: "Document",
     definitions: [

package/build/labels.js

@@ -30,6 +30,10 @@ export const connectionTypeLabelByType = {
     [ConnectionType.Coupa]: "Coupa",
     [ConnectionType.DatastaxAstra]: "DataStax Astra",
     [ConnectionType.Ilevel]: "iLEVEL",
+    [ConnectionType.Anthropic]: "Anthropic",
+    [ConnectionType.Cursor]: "Cursor",
+    [ConnectionType.OpenaiPlatform]: "OpenAI Platform",
+    [ConnectionType.OracleFusion]: "Oracle Fusion",
 };
 export const DisplayLabels = {
     [EntityType.Resource]: "Resource",

package/build/lib/apollo.d.ts

@@ -3,6 +3,6 @@ import type { Command } from "@oclif/core";
 export declare let client: ApolloClient | null;
 export declare let cookieStr: string;
 export declare const printResponse: (command: Command, resp?: ApolloClient.QueryResult) => void;
-export declare const handleError: (command: Command, err: unknown, resp?: ApolloClient.QueryResult) => void;
+export declare const handleError: (command: Command, err: unknown, resp?: ApolloClient.QueryResult) => undefined;
 export declare const initClient: (command: Command, fetchAccessToken?: boolean) => Promise<void>;
 export declare function getClient(command: Command, fetchAccessToken?: boolean): Promise<ApolloClient>;

package/build/lib/apollo.js

@@ -36,7 +36,7 @@ export const handleError = (command, err, resp) => {
         typeof err.networkError === "object" &&
         "statusCode" in err.networkError) {
         // Status code errors are already handled in the global Apollo handler, so we can just return here.
-        return;
+        return undefined;
     }
     let errorMsg;
     if (!err) {

package/build/lib/config.js

@@ -42,5 +42,6 @@ export const isProduction = (configDir) => {
     return (configData[urlKey] !== "https://dev.opal.dev" &&
         configData[urlKey] !== "https://demo.opal.dev" &&
         configData[urlKey] !== "https://staging.opal.dev" &&
+        !configData[urlKey].match(/https:\/\/.*\.testing\.opal\.dev$/) &&
         !configData[urlKey].match(/https?:\/\/localhost/));
 };

package/build/lib/flags.d.ts

@@ -2,6 +2,4 @@ export declare const SHARED_FLAGS: {
     help: import("@oclif/core/lib/interfaces").BooleanFlag<void>;
     id: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
     accessLevelRemoteId: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
-    sessionId: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
-    refresh: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
 };

package/build/lib/flags.js

@@ -11,13 +11,4 @@ export const SHARED_FLAGS = {
         char: "a",
         description: "The remote ID of the access level with which to access the resource.",
     }),
-    sessionId: Flags.string({
-        multiple: false,
-        char: "s",
-        description: "The Opal ID of the session to connect to. Uses an existing session that was created via the web flow.",
-    }),
-    refresh: Flags.boolean({
-        char: "r",
-        description: "Starts a new session even if one already exists. Useful if a session is about to expire.",
-    }),
 };

package/build/lib/local-auth-server.d.ts

@@ -1,5 +1,9 @@
 /**
- * Starts a local HTTP server on port 8080 to handle OAuth callback.
- * Returns a promise that resolves with the full callback URL when authentication succeeds.
+ * Starts a local HTTP server to handle OAuth callback.
+ * Tries ports in order: 49152, 49153, 49154
+ * Returns a promise that resolves with the actual port and a promise for the callback URL.
  */
-export declare function startLocalServer(): Promise<string>;
+export declare function startLocalServer(): Promise<{
+    port: number;
+    urlPromise: Promise<string>;
+}>;

package/build/lib/local-auth-server.js

@@ -1,14 +1,29 @@
 import * as http from "node:http";
 import { authErrorHtml, authMissingCodeHtml, authSuccessHtml, } from "./auth-success-template.js";
 /**
- * Starts a local HTTP server on port 8080 to handle OAuth callback.
- * Returns a promise that resolves with the full callback URL when authentication succeeds.
+ * Starts a local HTTP server to handle OAuth callback.
+ * Tries ports in order: 49152, 49153, 49154
+ * Returns a promise that resolves with the actual port and a promise for the callback URL.
  */
 export function startLocalServer() {
-    return new Promise((resolve, reject) => {
+    const portsToTry = [49152, 49153, 49154];
+    return tryPorts(portsToTry, 0);
+}
+function tryPorts(ports, index) {
+    if (index >= ports.length) {
+        return Promise.reject(new Error(`Failed to start server: all ports (${ports.join(", ")}) are occupied`));
+    }
+    const port = ports[index];
+    return new Promise((resolveServer, rejectServer) => {
+        let resolveUrl;
+        let rejectUrl;
+        const urlPromise = new Promise((resolve, reject) => {
+            resolveUrl = resolve;
+            rejectUrl = reject;
+        });
         const server = http.createServer(async (req, res) => {
             try {
-                const url = new URL(req.url || "", "http://127.0.0.1:8080");
+                const url = new URL(req.url || "", `http://127.0.0.1:${port}`);
                 if (url.pathname === "/callback") {
                     const error = url.searchParams.get("error");
                     if (error) {
@@ -16,17 +31,17 @@ export function startLocalServer() {
                         res.end(authErrorHtml(error));
                         server.closeAllConnections();
                         server.close(() => {
-                            reject(new Error(`Authentication failed: ${error}`));
+                            rejectUrl(new Error(`Authentication failed: ${error}`));
                         });
                         return;
                     }
                     if (req.url) {
                         res.writeHead(200, { "Content-Type": "text/html" });
                         res.end(authSuccessHtml);
-                        const fullUrl = `http://127.0.0.1:8080${req.url}`;
+                        const fullUrl = `http://127.0.0.1:${port}${req.url}`;
                         server.closeAllConnections();
                         server.close(() => {
-                            resolve(fullUrl);
+                            resolveUrl(fullUrl);
                         });
                     }
                     else {
@@ -34,7 +49,7 @@ export function startLocalServer() {
                         res.end(authMissingCodeHtml);
                         server.closeAllConnections();
                         server.close(() => {
-                            reject(new Error("Missing authorization code"));
+                            rejectUrl(new Error("Missing authorization code"));
                         });
                     }
                 }
@@ -48,21 +63,31 @@ export function startLocalServer() {
                 res.end();
                 server.closeAllConnections();
                 server.close(() => {
-                    reject(err);
+                    rejectUrl(err);
                 });
             }
         });
-        server.listen(8080, "127.0.0.1", () => {
-            console.log("Local server started on http://127.0.0.1:8080");
+        server.listen(port, "127.0.0.1", () => {
+            console.log(`Local server started on http://127.0.0.1:${port}`);
+            // Server successfully bound to port, resolve with port and urlPromise
+            resolveServer({ port, urlPromise });
         });
         server.on("error", (err) => {
-            reject(err);
+            // If port is occupied, try the next one
+            if (err.code === "EADDRINUSE") {
+                tryPorts(ports, index + 1)
+                    .then(resolveServer)
+                    .catch(rejectServer);
+            }
+            else {
+                rejectServer(err);
+            }
         });
         // Timeout after 5 minutes
         setTimeout(() => {
             server.closeAllConnections();
             server.close(() => {
-                reject(new Error("Authentication timeout"));
+                rejectUrl(new Error("Authentication timeout"));
             });
         }, 5 * 60 * 1000);
     });

package/build/lib/mfa.d.ts

@@ -0,0 +1,2 @@
+import { type Command } from "@oclif/core";
+export declare const waitForMfa: (command: Command) => Promise<void>;

package/build/lib/mfa.js

@@ -0,0 +1,62 @@
+import { ux } from "@oclif/core";
+import inquirer from "inquirer";
+import open from "open";
+import { graphql } from "../graphql/index.js";
+import { getClient } from "./apollo.js";
+import { getOrCreateConfigData, urlKey } from "./config.js";
+const MFA_TIMEOUT_MS = 5 * 60 * 1000;
+const getLastMfaAt = async (command) => {
+    var _a;
+    const client = await getClient(command);
+    const response = await client.query({
+        query: graphql(`
+      query GetLastMfaAt {
+        lastMfaAt
+      }
+    `),
+    });
+    return (_a = response.data) === null || _a === void 0 ? void 0 : _a.lastMfaAt;
+};
+export const waitForMfa = async (command) => {
+    const configData = getOrCreateConfigData(command.config.configDir);
+    const baseUrl = configData[urlKey];
+    const url = `${baseUrl}/browser-mfa/begin`;
+    console.log(`
+⚡ MFA Required
+
+To continue, validate your identity:
+
+⚠️  Security Check:
+• Verify the URL starts with: ${url}
+• You should see the Opal logo and a device activation dialog
+`);
+    await inquirer.prompt([
+        {
+            type: "input",
+            name: "continue",
+            message: "Press Enter to open your browser and continue",
+        },
+    ]);
+    console.log(`
+If your browser doesn't open automatically, go to:
+
+${url}
+`);
+    ux.action.start("Waiting for MFA validation...");
+    try {
+        open(url);
+        const lastMfaAt = await getLastMfaAt(command);
+        const startTime = Date.now();
+        while ((await getLastMfaAt(command)) === lastMfaAt) {
+            if (Date.now() - startTime > MFA_TIMEOUT_MS) {
+                ux.action.stop("✗ Timed out");
+                throw new Error(`Timed out waiting for MFA validation after ${MFA_TIMEOUT_MS / 1000} seconds. Please ensure you've completed the MFA flow in your browser.`);
+            }
+            await new Promise((resolve) => setTimeout(resolve, 2000));
+        }
+        ux.action.stop("✓ Completed");
+    }
+    catch (error) {
+        ux.action.stop("✗ Failed");
+    }
+};

package/build/lib/oidc.d.ts

@@ -0,0 +1,3 @@
+import { type Command } from "@oclif/core";
+import type { OidcProviderType } from "../graphql/graphql.js";
+export declare const waitForValidOidcToken: (command: Command, oidcProviderType: OidcProviderType) => Promise<void>;

package/build/lib/oidc.js

@@ -0,0 +1,64 @@
+import { ux } from "@oclif/core";
+import inquirer from "inquirer";
+import open from "open";
+import { graphql } from "../graphql/index.js";
+import { getClient } from "./apollo.js";
+import { getOrCreateConfigData, urlKey } from "./config.js";
+const OIDC_TIMEOUT_MS = 5 * 60 * 1000;
+const hasValidOidcToken = async (command, oidcProviderType) => {
+    var _a, _b;
+    const client = await getClient(command);
+    const response = await client.query({
+        query: graphql(`
+      query HasValidOidcIdToken($oidcProviderType: OIDCProviderType!) {
+        hasValidOidcToken(oidcProviderType: $oidcProviderType)
+      }
+    `),
+        variables: {
+            oidcProviderType,
+        },
+    });
+    return (_b = (_a = response.data) === null || _a === void 0 ? void 0 : _a.hasValidOidcToken) !== null && _b !== void 0 ? _b : false;
+};
+export const waitForValidOidcToken = async (command, oidcProviderType) => {
+    const configData = getOrCreateConfigData(command.config.configDir);
+    const baseUrl = configData[urlKey];
+    const url = `${baseUrl}/browser-oidc/begin?oidc_provider_type=${oidcProviderType}`;
+    console.log(`
+🔑 OIDC Authentication Required
+
+To continue, validate your identity with your AWS OIDC provider:
+
+⚠️  Security Check:
+• Verify the URL starts with: ${url}
+• You should see the Opal logo and a device activation dialog
+`);
+    await inquirer.prompt([
+        {
+            type: "input",
+            name: "continue",
+            message: "Press Enter to open your browser and continue",
+        },
+    ]);
+    console.log(`
+If your browser doesn't open automatically, go to:
+
+${url}
+`);
+    ux.action.start("Waiting for OIDC authentication...");
+    try {
+        open(url);
+        const startTime = Date.now();
+        while (!(await hasValidOidcToken(command, oidcProviderType))) {
+            if (Date.now() - startTime > OIDC_TIMEOUT_MS) {
+                ux.action.stop("✗ Timed out");
+                throw new Error(`Timed out waiting for OIDC validation after ${OIDC_TIMEOUT_MS / 1000} seconds. Please ensure you've completed the OIDC flow in your browser.`);
+            }
+            await new Promise((resolve) => setTimeout(resolve, 2000));
+        }
+        ux.action.stop("✓ Completed");
+    }
+    catch (error) {
+        ux.action.stop("✗ Failed");
+    }
+};

package/build/lib/sessions.d.ts

@@ -1,4 +1,4 @@
 import type { Command } from "@oclif/core";
-import type { ResourceAccessLevelInput } from "../graphql/graphql.js";
-export declare const getOrCreateSession: (command: Command, resourceId: string, accessLevel: ResourceAccessLevelInput, sessionId: string | undefined, metadataFragment: string, wantNewSession?: boolean) => Promise<any>;
-export declare const getSessionExpirationMessage: (session: any) => string;
+import type { CreateSessionResult, ResourceAccessLevelInput, Session } from "../graphql/graphql.js";
+export declare const createSession: (command: Command, resourceId: string, accessLevel: ResourceAccessLevelInput, sessionId: string | undefined, metadataFragment: string) => Promise<CreateSessionResult | undefined>;
+export declare const getSessionExpirationMessage: (session: Session) => string;