sfdx-hardis 7.15.0 → 7.16.0

package/lib/commands/hardis/org/diagnose/mfa.d.ts

@@ -0,0 +1,14 @@
+import { SfCommand } from '@salesforce/sf-plugins-core';
+import { AnyJson } from '@salesforce/ts-types';
+export default class DiagnoseMfa extends SfCommand<any> {
+    static title: string;
+    static description: string;
+    static examples: string[];
+    static flags: any;
+    static requiresProject: boolean;
+    protected static triggerNotification: boolean;
+    protected debugMode: boolean;
+    protected outputFile: any;
+    protected outputFilesRes: any;
+    run(): Promise<AnyJson>;
+}

package/lib/commands/hardis/org/diagnose/mfa.js

@@ -0,0 +1,261 @@
+/* jscpd:ignore-start */
+import { SfCommand, Flags, requiredOrgFlagWithDeprecations } from '@salesforce/sf-plugins-core';
+import { Messages } from '@salesforce/core';
+import c from 'chalk';
+import { uxLog, uxLogTable } from '../../../../common/utils/index.js';
+import { generateCsvFile, generateReportPath } from '../../../../common/utils/filesUtils.js';
+import { getNotificationButtons, getOrgMarkdown } from '../../../../common/utils/notifUtils.js';
+import { NotifProvider } from '../../../../common/notifProvider/index.js';
+import { setConnectionVariables } from '../../../../common/utils/orgUtils.js';
+import { CONSTANTS, getConfig, getEnvVarList } from '../../../../config/index.js';
+import { DEFAULT_PRIVILEGED_PERM_FIELDS, diagnoseMfa, } from '../../../../common/utils/mfaDiagnoseUtils.js';
+import { t } from '../../../../common/utils/i18n.js';
+Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
+const messages = Messages.loadMessages('sfdx-hardis', 'org');
+export default class DiagnoseMfa extends SfCommand {
+    static title = 'Diagnose MFA configuration';
+    static description = `
+## Command Behavior
+
+**Audits the org's Multi-Factor Authentication (MFA) configuration and reports gaps that violate the Salesforce MFA requirement.**
+
+This monitoring command runs five independent checks against the target org and emits a single \`MFA_CONFIG\` notification with the consolidated findings.
+
+Key checks:
+
+- **Org-wide MFA enforcement.** Reads \`SecuritySettings.Metadata.sessionSettings\` via the Tooling API to inspect the \`enableMFADirectUILoginOptIn\` and \`skipSFAWhenMFADirectUILogin\` flags, and scans recent \`LoginHistory\` for at least one \`Status = 'Multi-factor required'\` event to detect platform-level enforcement. Weak identity methods (\`enableSMSIdentity\`, \`canConfirmIdentityBySmsOnly\`) downgrade the result to a warning.
+- **Users with the MFA-bypass permission.** Queries Profiles and Permission Sets where \`PermissionsBypassMFAForUiLogins = true\` and lists every active Standard user assigned to them.
+- **Privileged users coverage.** For users assigned to any Profile or Permission Set granting \`ModifyAllData\`, \`ViewAllData\`, \`CustomizeApplication\`, or \`AuthorApex\` (configurable), the report shows whether each privileged user also holds the MFA-bypass permission (error) or lacks the API MFA permission \`PermissionsTwoFactorApi\` (warning).
+- **SSO presence.** Detects SAML SSO via \`singleSignOnSettings.enableSamlLogin\` in the same SecuritySettings metadata. When SSO is on the report adds an informational reminder to verify MFA at the IdP, which sfdx-hardis cannot introspect.
+- **Non-MFA direct UI logins.** Scans \`LoginHistory\` over the configurable lookback window (default 30 days) for \`LoginType = 'Application'\` successes whose \`AuthMethodReference\` contains no strong-auth token (\`mfa\`, \`swk\`, \`fido\`, \`wia\`, \`hwk\`, \`face\`, \`fpt\`, \`otp\`). Records with a null \`AuthMethodReference\` are skipped (genuinely unknown), so this check only fires on confirmed non-MFA sessions.
+
+The severity rollup is:
+
+- **error** if org-wide MFA enforcement is missing, any privileged user has the bypass permission, or any non-MFA direct UI login was detected.
+- **warning** if any other finding is present (non-privileged bypass user, privileged users missing API MFA, weak identity setting, or SSO is enabled without an asserted IdP MFA policy).
+- **log** when every check passes.
+
+Exclusions:
+
+- Users listed in the project config key \`monitoringMfaIgnoreUsers\` or the env var \`MONITORING_MFA_IGNORE_USERS\` (comma-separated) are skipped from checks #2, #3 (only for ignore-overlapping cases) and #5.
+- Users with \`UserType != 'Standard'\` (integration users, Chatter Only, etc.) are not flagged in any per-user check.
+
+This command is part of [sfdx-hardis Monitoring](${CONSTANTS.DOC_URL_ROOT}/salesforce-monitoring-home/) and produces Grafana, Slack, Microsoft Teams, Google Chat, and email notifications.
+
+### Agent Mode
+
+Supports non-interactive execution with \`--agent\`:
+
+\`\`\`sh
+sf hardis:org:diagnose:mfa --agent --target-org myorg@example.com
+\`\`\`
+
+In agent mode the command is fully non-interactive (there is no prompt in the happy path); the flag exists for consistency with the rest of the monitoring suite.
+
+<details markdown="1">
+<summary>Technical explanations</summary>
+
+The command's implementation:
+
+- Tooling API: \`SELECT Id, Metadata FROM SecuritySettings LIMIT 1\` to retrieve session and SSO settings.
+- SOQL: \`PermissionSet\` and \`Profile\` filtered on \`PermissionsBypassMFAForUiLogins\`, \`PermissionsTwoFactorApi\`, and the configured privileged permission fields; \`PermissionSetAssignment\` joined with \`User\` to resolve assignees; \`User\` filtered by \`ProfileId\` for profile-based grants.
+- SOQL: \`LoginHistory\` over \`LAST_N_DAYS:N\` with client-side filtering on \`Status\`, \`LoginType\` and \`AuthMethodReference\` because \`Status\` cannot be filtered in a WHERE clause.
+- TwoFactorMethodsInfo is intentionally not queried: Salesforce does not allow runtime SOQL access to it from a CLI session, so per-user method registration cannot be introspected.
+- Reports: a single CSV / XLSX (\`mfa-config-<date>\`) listing every check row and a per-check summary table in the console.
+
+Reference: [Salesforce MFA Requirement](https://help.salesforce.com/s/articleView?id=005321563&type=1).
+</details>
+`;
+    static examples = [
+        '$ sf hardis:org:diagnose:mfa',
+        '$ sf hardis:org:diagnose:mfa --target-org myorg@example.com',
+        '$ sf hardis:org:diagnose:mfa --lookback-days 60',
+        "$ sf hardis:org:diagnose:mfa --ignore-users 'integration@x.com,break-glass@x.com'",
+        '$ sf hardis:org:diagnose:mfa --agent',
+    ];
+    static flags = {
+        'lookback-days': Flags.integer({
+            description: 'Number of days back to scan LoginHistory for non-MFA direct UI logins. Overrides monitoringMfaLoginHistoryLookbackDays from config.',
+        }),
+        'phishing-resistant-lookback-days': Flags.integer({
+            description: 'Number of days back to scan VerificationHistory for phishing-resistant MFA registration / usage per privileged user. Overrides monitoringMfaPhishingResistantLookbackDays from config (default: 180).',
+        }),
+        'ignore-users': Flags.string({
+            description: 'Comma-separated list of usernames to exclude from MFA checks (merged with monitoringMfaIgnoreUsers config and MONITORING_MFA_IGNORE_USERS env var).',
+        }),
+        'privileged-permissions': Flags.string({
+            description: 'Comma-separated list of PermissionSet/Profile permission API names that define a privileged user. Defaults to PermissionsModifyAllData,PermissionsViewAllData,PermissionsCustomizeApplication,PermissionsAuthorApex.',
+        }),
+        agent: Flags.boolean({
+            default: false,
+            description: 'Run in non-interactive mode for agents and automation',
+        }),
+        debug: Flags.boolean({
+            char: 'd',
+            default: false,
+            description: messages.getMessage('debugMode'),
+        }),
+        websocket: Flags.string({
+            description: messages.getMessage('websocket'),
+        }),
+        skipauth: Flags.boolean({
+            description: 'Skip authentication check when a default username is required',
+        }),
+        'target-org': requiredOrgFlagWithDeprecations,
+    };
+    static requiresProject = false;
+    static triggerNotification = true;
+    debugMode = false;
+    outputFile;
+    outputFilesRes = {};
+    /* jscpd:ignore-end */
+    async run() {
+        const { flags } = await this.parse(DiagnoseMfa);
+        this.debugMode = flags.debug || false;
+        const conn = flags['target-org'].getConnection();
+        const config = await getConfig('project');
+        const lookbackDays = flags['lookback-days'] ?? config.monitoringMfaLoginHistoryLookbackDays ?? 30;
+        const phishingResistantLookbackDays = flags['phishing-resistant-lookback-days'] ?? config.monitoringMfaPhishingResistantLookbackDays ?? 180;
+        const ignoreFromFlag = flags['ignore-users']
+            ? flags['ignore-users'].split(',').map((u) => u.trim()).filter(Boolean)
+            : [];
+        const ignoreFromEnv = getEnvVarList('MONITORING_MFA_IGNORE_USERS') || [];
+        const ignoreFromConfig = config.monitoringMfaIgnoreUsers || [];
+        const ignoreUsers = Array.from(new Set([...ignoreFromFlag, ...ignoreFromEnv, ...ignoreFromConfig]));
+        const privilegedPermFields = flags['privileged-permissions']
+            ? flags['privileged-permissions'].split(',').map((p) => p.trim()).filter(Boolean)
+            : DEFAULT_PRIVILEGED_PERM_FIELDS;
+        if (ignoreUsers.length > 0) {
+            uxLog('action', this, c.yellow(t('mfaIgnoreListInUse', { count: ignoreUsers.length })));
+            for (const u of ignoreUsers) {
+                uxLog('log', this, `- ${u}`);
+            }
+        }
+        uxLog('action', this, c.cyan(t('mfaQueryingSecuritySettings')));
+        uxLog('action', this, c.cyan(t('mfaQueryingPermissionEntities')));
+        uxLog('action', this, c.cyan(t('mfaQueryingLoginHistory', { days: lookbackDays })));
+        const result = await diagnoseMfa({
+            conn,
+            lookbackDays,
+            phishingResistantLookbackDays,
+            ignoreUsers,
+            privilegedPermFields,
+            debug: this.debugMode,
+        });
+        /* Per-check detail tables - only print rows that have a finding so the console stays readable */
+        for (const ck of result.checks) {
+            const findingRows = ck.rows.filter((r) => r.Severity !== 'success');
+            if (findingRows.length === 0)
+                continue;
+            uxLog('action', this, c.cyan(`${ck.title} (${ck.status})`));
+            uxLogTable(this, findingRows.map((r) => ({
+                Item: r.Item,
+                'What is wrong': r.Details,
+                Recommendation: r.Recommendation,
+            })));
+        }
+        /* Generate report file from the unified-column rows - one row per finding */
+        this.outputFile = await generateReportPath('mfa-config', this.outputFile);
+        this.outputFilesRes = await generateCsvFile(result.reportRows, this.outputFile, {
+            fileTitle: t('mfaConfigReportFileTitle'),
+        });
+        /* Summary section: per-check overview table, then Actions to take as plain lines */
+        uxLog('action', this, c.cyan(t('mfaSummaryHeader')));
+        const severityIcon = {
+            success: '✅',
+            info: 'ℹ️',
+            warning: '⚠️',
+            error: '❌',
+        };
+        const summaryRows = result.checks.map((ck) => ({
+            Check: ck.title,
+            Severity: `${severityIcon[ck.status] || ''} ${ck.status}`.trim(),
+            Detail: ck.detail,
+            Findings: ck.metric,
+        }));
+        uxLogTable(this, summaryRows);
+        if (result.actionItems.length === 0) {
+            uxLog('success', this, c.green(t('mfaActionItemsNone')));
+        }
+        else {
+            /* Sub-heading inside the Summary section - not a new "action" log so we don't break the section grouping */
+            uxLog('log', this, c.cyan.bold(t('mfaActionItemsHeader')));
+            for (const group of result.actionItems) {
+                const sevLabel = t(group.severity === 'error'
+                    ? 'mfaSeverityError'
+                    : group.severity === 'warning'
+                        ? 'mfaSeverityWarning'
+                        : 'mfaSeverityInfo');
+                const colorFn = group.severity === 'error' ? c.red : group.severity === 'warning' ? c.yellow : c.cyan;
+                const heads = group.items.map((it) => it.split(' - ')[0]);
+                const preview = heads.slice(0, 5).join(', ');
+                const more = heads.length > 5 ? `, +${heads.length - 5} ${t('mfaActionItemsMore')}` : '';
+                uxLog('warning', this, colorFn(`[${sevLabel}] (${heads.length}) ${group.recommendation}`));
+                uxLog('log', this, c.grey(`  ${t('mfaActionItemsAffected')}: ${preview}${more}`));
+            }
+            uxLog('log', this, c.grey(t('mfaActionItemsSeeCsv')));
+        }
+        /* Final summary line */
+        if (result.severity === 'log') {
+            uxLog('success', this, c.green(t('mfaSummaryOk')));
+        }
+        else if (result.severity === 'warning') {
+            uxLog('warning', this, c.yellow(t('mfaSummaryWarning')));
+        }
+        else {
+            uxLog('error', this, c.red(t('mfaSummaryError')));
+        }
+        /* Build notification */
+        const orgMarkdown = await getOrgMarkdown(conn?.instanceUrl);
+        const notifButtons = await getNotificationButtons();
+        const notifSeverity = result.severity;
+        const checksFailed = result.checks.filter((ck) => ck.status === 'error' || ck.status === 'warning').length;
+        const notifText = t('mfaNotificationText', {
+            orgMarkdown,
+            checksFailed,
+            nonMfaLogins: result.metrics.NonMfaLogins,
+            bypassUsers: result.metrics.MfaBypassUsers,
+        });
+        /*
+         * Notification body is intentionally terse: one line per failing check, nothing more.
+         * Passing checks are omitted (the headline already says "X check(s) flagged"). The full
+         * recommendations, affected-user lists, and action items live in the attached XLSX report.
+         */
+        const notifIcon = { success: '✅', info: 'ℹ️', warning: '⚠️', error: '❌' };
+        const failingChecks = result.checks.filter((ck) => ck.status === 'error' || ck.status === 'warning');
+        let notifDetailText = '';
+        for (const ck of failingChecks) {
+            notifDetailText += `${notifIcon[ck.status] || ''} **${ck.title}**: ${ck.detail}\n`;
+        }
+        if (failingChecks.length === 0) {
+            notifDetailText = t('mfaSummaryOk');
+        }
+        const notifAttachments = [{ text: notifDetailText }];
+        await setConnectionVariables(conn);
+        await NotifProvider.postNotifications({
+            type: 'MFA_CONFIG',
+            text: notifText,
+            attachments: notifAttachments,
+            buttons: notifButtons,
+            severity: notifSeverity,
+            attachedFiles: this.outputFilesRes.xlsxFile ? [this.outputFilesRes.xlsxFile] : [],
+            logElements: result.reportRows,
+            data: { metric: checksFailed },
+            metrics: result.metrics,
+        });
+        return {
+            orgId: flags['target-org'].getOrgId(),
+            severity: result.severity,
+            metrics: result.metrics,
+            checks: result.checks.map((ck) => ({
+                key: ck.key,
+                status: ck.status,
+                title: ck.title,
+                detail: ck.detail,
+                metric: ck.metric,
+            })),
+            outputString: notifText,
+        };
+    }
+}
+//# sourceMappingURL=mfa.js.map

package/lib/commands/hardis/org/diagnose/mfa.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mfa.js","sourceRoot":"","sources":["../../../../../src/commands/hardis/org/diagnose/mfa.ts"],"names":[],"mappings":"AAAA,wBAAwB;AACxB,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,+BAA+B,EAAE,MAAM,6BAA6B,CAAC;AAChG,OAAO,EAAc,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAExD,OAAO,CAAC,MAAM,OAAO,CAAC;AACtB,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,mCAAmC,CAAC;AACtE,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,wCAAwC,CAAC;AAC7F,OAAO,EAAE,sBAAsB,EAAE,cAAc,EAAE,MAAM,wCAAwC,CAAC;AAChG,OAAO,EAAE,aAAa,EAAiB,MAAM,2CAA2C,CAAC;AACzF,OAAO,EAAE,sBAAsB,EAAE,MAAM,sCAAsC,CAAC;AAC9E,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAClF,OAAO,EACL,8BAA8B,EAC9B,WAAW,GACZ,MAAM,8CAA8C,CAAC;AACtD,OAAO,EAAE,CAAC,EAAE,MAAM,kCAAkC,CAAC;AAErD,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC;AAE7D,MAAM,CAAC,OAAO,OAAO,WAAY,SAAQ,SAAc;IAC9C,MAAM,CAAC,KAAK,GAAG,4BAA4B,CAAC;IAE5C,MAAM,CAAC,WAAW,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;mDA0BqB,SAAS,CAAC,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;CAyBxE,CAAC;IAEO,MAAM,CAAC,QAAQ,GAAG;QACvB,8BAA8B;QAC9B,6DAA6D;QAC7D,iDAAiD;QACjD,mFAAmF;QACnF,sCAAsC;KACvC,CAAC;IAEK,MAAM,CAAC,KAAK,GAAQ;QACzB,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC;YAC7B,WAAW,EACT,qIAAqI;SACxI,CAAC;QACF,kCAAkC,EAAE,KAAK,CAAC,OAAO,CAAC;YAChD,WAAW,EACT,uMAAuM;SAC1M,CAAC;QACF,cAAc,EAAE,KAAK,CAAC,MAAM,CAAC;YAC3B,WAAW,EACT,qJAAqJ;SACxJ,CAAC;QACF,wBAAwB,EAAE,KAAK,CAAC,MAAM,CAAC;YACrC,WAAW,EACT,sNAAsN;SACzN,CAAC;QACF,KAAK,EAAE,KAAK,CAAC,OAAO,CAAC;YACnB,OAAO,EAAE,KAAK;YACd,WAAW,EAAE,uDAAuD;SACrE,CAAC;QACF,KAAK,EAAE,KAAK,CAAC,OAAO,CAAC;YACnB,IAAI,EAAE,GAAG;YACT,OAAO,EAAE,KAAK;YACd,WAAW,EAAE,QAAQ,CAAC,UAAU,CAAC,WAAW,CAAC;SAC9C,CAAC;QACF,SAAS,EAAE,KAAK,CAAC,MAAM,CAAC;YACtB,WAAW,EAAE,QAAQ,CAAC,UAAU,CAAC,WAAW,CAAC;SAC9C,CAAC;QACF,QAAQ,EAAE,KAAK,CAAC,OAAO,CAAC;YACtB,WAAW,EAAE,+DAA+D;SAC7E,CAAC;QACF,YAAY,EAAE,+BAA+B;KAC9C,CAAC;IAEK,MAAM,CAAC,eAAe,GAAG,KAAK,CAAC;IAE5B,MAAM,CAAC,mBAAmB,GAAG,IAAI,CAAC;IAElC,SAAS,GAAG,KAAK,CAAC;IAClB,UAAU,CAAC;IACX,cAAc,GAAQ,EAAE,CAAC;IAEnC,sBAAsB;IAEf,KAAK,CAAC,GAAG;QACd,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QAChD,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC;QACtC,MAAM,IAAI,GAAe,KAAK,CAAC,YAAY,CAAC,CAAC,aAAa,EAAE,CAAC;QAE7D,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,SAAS,CAAC,CAAC;QAC1C,MAAM,YAAY,GAChB,KAAK,CAAC,eAAe,CAAC,IAAI,MAAM,CAAC,qCAAqC,IAAI,EAAE,CAAC;QAC/E,MAAM,6BAA6B,GACjC,KAAK,CAAC,kCAAkC,CAAC,IAAI,MAAM,CAAC,0CAA0C,IAAI,GAAG,CAAC;QAExG,MAAM,cAAc,GAAG,KAAK,CAAC,cAAc,CAAC;YAC1C,CAAC,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;YAC/E,CAAC,CAAC,EAAE,CAAC;QACP,MAAM,aAAa,GAAG,aAAa,CAAC,6BAA6B,CAAC,IAAI,EAAE,CAAC;QACzE,MAAM,gBAAgB,GAAG,MAAM,CAAC,wBAAwB,IAAI,EAAE,CAAC;QAC/D,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAC5B,IAAI,GAAG,CAAS,CAAC,GAAG,cAAc,EAAE,GAAG,aAAa,EAAE,GAAG,gBAAgB,CAAC,CAAC,CAC5E,CAAC;QAEF,MAAM,oBAAoB,GAAG,KAAK,CAAC,wBAAwB,CAAC;YAC1D,CAAC,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;YACzF,CAAC,CAAC,8BAA8B,CAAC;QAEnC,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3B,KAAK,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,oBAAoB,EAAE,EAAE,KAAK,EAAE,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC;YACxF,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;gBAC5B,KAAK,CAAC,KAAK,EAAE,IAAI,EAAE,KAAK,CAAC,EAAE,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC;QAED,KAAK,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,6BAA6B,CAAC,CAAC,CAAC,CAAC;QAChE,KAAK,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,+BAA+B,CAAC,CAAC,CAAC,CAAC;QAClE,KAAK,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,yBAAyB,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC,CAAC;QAEpF,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC;YAC/B,IAAI;YACJ,YAAY;YACZ,6BAA6B;YAC7B,WAAW;YACX,oBAAoB;YACpB,KAAK,EAAE,IAAI,CAAC,SAAS;SACtB,CAAC,CAAC;QAEH,iGAAiG;QACjG,KAAK,MAAM,EAAE,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAC/B,MAAM,WAAW,GAAG,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC;YACpE,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YACvC,KAAK,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,KAAK,KAAK,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YAC5D,UAAU,CACR,IAAI,EACJ,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACtB,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,eAAe,EAAE,CAAC,CAAC,OAAO;gBAC1B,cAAc,EAAE,CAAC,CAAC,cAAc;aACjC,CAAC,CAAC,CACJ,CAAC;QACJ,CAAC;QAED,6EAA6E;QAC7E,IAAI,CAAC,UAAU,GAAG,MAAM,kBAAkB,CAAC,YAAY,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QAC1E,IAAI,CAAC,cAAc,GAAG,MAAM,eAAe,CAAC,MAAM,CAAC,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE;YAC9E,SAAS,EAAE,CAAC,CAAC,0BAA0B,CAAC;SACzC,CAAC,CAAC;QAEH,oFAAoF;QACpF,KAAK,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC;QACrD,MAAM,YAAY,GAA2B;YAC3C,OAAO,EAAE,GAAG;YACZ,IAAI,EAAE,IAAI;YACV,OAAO,EAAE,IAAI;YACb,KAAK,EAAE,GAAG;SACX,CAAC;QACF,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;YAC7C,KAAK,EAAE,EAAE,CAAC,KAAK;YACf,QAAQ,EAAE,GAAG,YAAY,CAAC,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE;YAChE,MAAM,EAAE,EAAE,CAAC,MAAM;YACjB,QAAQ,EAAE,EAAE,CAAC,MAAM;SACpB,CAAC,CAAC,CAAC;QACJ,UAAU,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QAE9B,IAAI,MAAM,CAAC,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpC,KAAK,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,CAAC;QAC3D,CAAC;aAAM,CAAC;YACN,4GAA4G;YAC5G,KAAK,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;YAC3D,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;gBACvC,MAAM,QAAQ,GAAG,CAAC,CAChB,KAAK,CAAC,QAAQ,KAAK,OAAO;oBACxB,CAAC,CAAC,kBAAkB;oBACpB,CAAC,CAAC,KAAK,CAAC,QAAQ,KAAK,SAAS;wBAC5B,CAAC,CAAC,oBAAoB;wBACtB,CAAC,CAAC,iBAAiB,CACxB,CAAC;gBACF,MAAM,OAAO,GACX,KAAK,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;gBACxF,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC1D,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC7C,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,oBAAoB,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACzF,KAAK,CAAC,SAAS,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,QAAQ,MAAM,KAAK,CAAC,MAAM,KAAK,KAAK,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC;gBAC3F,KAAK,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,wBAAwB,CAAC,KAAK,OAAO,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC;YACpF,CAAC;YACD,KAAK,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;QACxD,CAAC;QAED,wBAAwB;QACxB,IAAI,MAAM,CAAC,QAAQ,KAAK,KAAK,EAAE,CAAC;YAC9B,KAAK,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC;QACrD,CAAC;aAAM,IAAI,MAAM,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;YACzC,KAAK,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,CAAC;QAC3D,CAAC;aAAM,CAAC;YACN,KAAK,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC;QACpD,CAAC;QAED,wBAAwB;QACxB,MAAM,WAAW,GAAG,MAAM,cAAc,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QAC5D,MAAM,YAAY,GAAG,MAAM,sBAAsB,EAAE,CAAC;QACpD,MAAM,aAAa,GAAkB,MAAM,CAAC,QAAQ,CAAC;QAErD,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CACvC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,KAAK,OAAO,IAAI,EAAE,CAAC,MAAM,KAAK,SAAS,CACzD,CAAC,MAAM,CAAC;QACT,MAAM,SAAS,GAAG,CAAC,CAAC,qBAAqB,EAAE;YACzC,WAAW;YACX,YAAY;YACZ,YAAY,EAAE,MAAM,CAAC,OAAO,CAAC,YAAY;YACzC,WAAW,EAAE,MAAM,CAAC,OAAO,CAAC,cAAc;SAC3C,CAAC,CAAC;QAEH;;;;WAIG;QACH,MAAM,SAAS,GAA2B,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;QAClG,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,KAAK,OAAO,IAAI,EAAE,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC;QACrG,IAAI,eAAe,GAAG,EAAE,CAAC;QACzB,KAAK,MAAM,EAAE,IAAI,aAAa,EAAE,CAAC;YAC/B,eAAe,IAAI,GAAG,SAAS,CAAC,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,KAAK,OAAO,EAAE,CAAC,MAAM,IAAI,CAAC;QACrF,CAAC;QACD,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/B,eAAe,GAAG,CAAC,CAAC,cAAc,CAAC,CAAC;QACtC,CAAC;QACD,MAAM,gBAAgB,GAAG,CAAC,EAAE,IAAI,EAAE,eAAe,EAAE,CAAC,CAAC;QAErD,MAAM,sBAAsB,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,aAAa,CAAC,iBAAiB,CAAC;YACpC,IAAI,EAAE,YAAY;YAClB,IAAI,EAAE,SAAS;YACf,WAAW,EAAE,gBAAgB;YAC7B,OAAO,EAAE,YAAY;YACrB,QAAQ,EAAE,aAAa;YACvB,aAAa,EAAE,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE;YACjF,WAAW,EAAE,MAAM,CAAC,UAAU;YAC9B,IAAI,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE;YAC9B,OAAO,EAAE,MAAM,CAAC,OAAO;SACxB,CAAC,CAAC;QAEH,OAAO;YACL,KAAK,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC,QAAQ,EAAE;YACrC,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;gBACjC,GAAG,EAAE,EAAE,CAAC,GAAG;gBACX,MAAM,EAAE,EAAE,CAAC,MAAM;gBACjB,KAAK,EAAE,EAAE,CAAC,KAAK;gBACf,MAAM,EAAE,EAAE,CAAC,MAAM;gBACjB,MAAM,EAAE,EAAE,CAAC,MAAM;aAClB,CAAC,CAAC;YACH,YAAY,EAAE,SAAS;SACjB,CAAC;IACX,CAAC"}

package/lib/commands/hardis/org/user/unlink-security-key.d.ts

@@ -0,0 +1,12 @@
+import { SfCommand } from '@salesforce/sf-plugins-core';
+import { AnyJson } from '@salesforce/ts-types';
+export default class OrgUserUnlinkSecurityKey extends SfCommand<any> {
+    static title: string;
+    static description: string;
+    static examples: string[];
+    static flags: any;
+    static requiresProject: boolean;
+    protected debugMode: boolean;
+    protected agentMode: boolean;
+    run(): Promise<AnyJson>;
+}

package/lib/commands/hardis/org/user/unlink-security-key.js

@@ -0,0 +1,248 @@
+/* jscpd:ignore-start */
+import { SfCommand, Flags, requiredOrgFlagWithDeprecations } from '@salesforce/sf-plugins-core';
+import { Messages, SfError } from '@salesforce/core';
+import c from 'chalk';
+import { generateReports, isCI, uxLog, uxLogTable } from '../../../../common/utils/index.js';
+import { prompts } from '../../../../common/utils/prompts.js';
+import { soqlQuery } from '../../../../common/utils/apiUtils.js';
+import { MFA_METHODS, unlinkUserSecurityKeys, } from '../../../../common/utils/orgUserUnlinkUtils.js';
+import { t } from '../../../../common/utils/i18n.js';
+Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
+const messages = Messages.loadMessages('sfdx-hardis', 'org');
+export default class OrgUserUnlinkSecurityKey extends SfCommand {
+    static title = 'Unlink user security keys / MFA methods';
+    static description = `
+## Command Behavior
+
+**Disconnects MFA registrations (default: Security Key / U2F + WebAuthn) from selected Salesforce users by driving a real browser session against Salesforce Setup.**
+
+This command automates the manual admin procedure documented at https://help.salesforce.com/s/articleView?id=xcloud.security_u2f_remove_users_security_key.htm so administrators can revoke a lost or compromised security key for multiple users at once.
+
+Key functionalities:
+
+- **User selection:** Provide a comma-separated list of usernames via \`--usernames\`. In interactive mode, you will be prompted if the flag is missing.
+- **Method selection (opt-in):** Security Key (U2F + WebAuthn combined) is removed by default. Use \`--include-salesforce-authenticator\` or \`--include-totp\` to also disconnect those methods. Use \`--no-include-security-key\` to skip the security-key removal when combining with other methods.
+- **Inactive users are skipped:** Inactive users (\`IsActive = false\`) are reported with status \`inactive\` and no browser action is attempted for them.
+- **Per-user result:** Each username receives one of the following statuses: \`unlinked\`, \`notLinked\`, \`notFound\`, \`inactive\`, or \`error\`.
+- **Locale-independent detection:** Disconnect links are located by the brand / spec tokens (\`U2F\`, \`WebAuthn\`, \`Salesforce Authenticator\`, \`One-Time Password Authenticator\`, \`TOTP\`) that Salesforce does not translate. On non-English orgs, you can extend the matching set with \`--text-markers\`.
+- **Reporting:** A console table summarises the run, and CSV / XLSX reports are generated for audit trails.
+
+### Agent Mode
+
+Supports non-interactive execution with \`--agent\`:
+
+\`\`\`sh
+sf hardis:org:user:unlink-security-key --agent --usernames 'a@x.com,b@x.com' --target-org my-admin@myorg.com
+\`\`\`
+
+In agent mode:
+
+- The confirmation prompt is skipped and the unlink procedure starts immediately.
+- You must provide \`--usernames\` (the interactive prompt is not available).
+- Method selection flags default to Security Key only unless you opt in.
+
+<details markdown="1">
+<summary>Technical explanations</summary>
+
+The command's technical implementation involves:
+
+- **SOQL Pre-query:** Runs \`SELECT Id, Username, IsActive, Name FROM User WHERE Username IN (...)\` to resolve each username to a User Id. Missing rows produce \`notFound\`; inactive rows are short-circuited to \`inactive\` without launching the browser.
+- **Puppeteer automation:** Reuses \`puppeteer-core\` with the chrome path resolved by \`getChromeExecutablePath()\` and logs in to the org via \`secur/frontdoor.jsp?sid=<accessToken>\`, identical to the existing \`hardis:org:fix:listviewmine\` flow.
+- **Locale-independent row matching:** For each MFA method the command navigates to the user detail page (\`/lightning/setup/ManageUsers/page?address=%2F<USER_ID>%3Fnoredirect%3D1%26isUserEntityOverride%3D1\`), waits for the inner Classic-style iframe, scans rows for a brand / spec marker (\`U2F\`, \`WebAuthn\`, \`Salesforce Authenticator\`, \`One-Time Password Authenticator\`, \`TOTP\`, etc.) and clicks the single link in that row. URL-based \`href\` patterns are used as a fallback if no row marker is found.
+- **Salesforce labels reference:** The verbatim Setup labels are \`Security Key (U2F or WebAuthn)\` (Delete link), \`App Registration: Salesforce Authenticator\` (Disconnect), \`App Registration: One-Time Password Authenticator\` (Disconnect).
+- **Reporting:** Generates CSV and XLSX files (\`users-security-key-unlink-<date>\`) via \`generateReports\` and prints a console table via \`uxLogTable\`.
+
+Reference: [Salesforce Help - Remove a user's security key](https://help.salesforce.com/s/articleView?id=xcloud.security_u2f_remove_users_security_key.htm).
+</details>
+`;
+    static examples = [
+        "$ sf hardis:org:user:unlink-security-key",
+        "$ sf hardis:org:user:unlink-security-key --usernames 'a@x.com,b@x.com'",
+        "$ sf hardis:org:user:unlink-security-key --usernames 'a@x.com' --include-salesforce-authenticator --include-totp",
+        "$ sf hardis:org:user:unlink-security-key --usernames 'a@x.com' --no-include-security-key --include-totp",
+        "$ sf hardis:org:user:unlink-security-key --agent --usernames 'a@x.com,b@x.com'",
+        "$ sf hardis:org:user:unlink-security-key --usernames 'a@x.com' --text-markers '{\"salesforceAuthenticator\":[\"Authentificateur Salesforce\"]}'",
+    ];
+    static flags = {
+        usernames: Flags.string({
+            char: 'u',
+            description: 'Comma-separated list of Salesforce usernames whose security keys should be unlinked',
+        }),
+        'include-security-key': Flags.boolean({
+            default: true,
+            allowNo: true,
+            description: 'Unlink the Security Key (U2F + WebAuthn combined) registration (default: true). Use --no-include-security-key to skip.',
+        }),
+        'include-salesforce-authenticator': Flags.boolean({
+            default: false,
+            description: 'Also unlink the Salesforce Authenticator mobile app registration',
+        }),
+        'include-totp': Flags.boolean({
+            default: false,
+            description: 'Also unlink the One-Time Password Authenticator (TOTP) registration',
+        }),
+        'text-markers': Flags.string({
+            description: 'JSON object adding text markers per method, useful on non-English orgs. Example: --text-markers \'{"salesforceAuthenticator":["Authentificateur Salesforce"]}\'',
+        }),
+        'dump-anchors': Flags.boolean({
+            default: false,
+            description: 'Diagnostic: print every anchor found on each user detail page (use with --debug to refine markers)',
+        }),
+        agent: Flags.boolean({
+            default: false,
+            description: 'Run in non-interactive mode for agents and automation',
+        }),
+        debug: Flags.boolean({
+            char: 'd',
+            default: false,
+            description: messages.getMessage('debugMode'),
+        }),
+        websocket: Flags.string({
+            description: messages.getMessage('websocket'),
+        }),
+        skipauth: Flags.boolean({
+            description: 'Skip authentication check when a default username is required',
+        }),
+        'target-org': requiredOrgFlagWithDeprecations,
+    };
+    static requiresProject = false;
+    debugMode = false;
+    agentMode = false;
+    /* jscpd:ignore-end */
+    async run() {
+        const { flags } = await this.parse(OrgUserUnlinkSecurityKey);
+        this.debugMode = flags.debug || false;
+        this.agentMode = flags.agent === true;
+        let usernameList = flags.usernames
+            ? flags.usernames.split(',').map((u) => u.trim()).filter((u) => u)
+            : [];
+        if (usernameList.length === 0) {
+            if (isCI || this.agentMode) {
+                throw new SfError(c.red('In agent/CI mode, the --usernames flag is required for unlink-security-key operation.'));
+            }
+            const promptRes = await prompts({
+                type: 'text',
+                name: 'value',
+                message: t('enterUsernamesToUnlink'),
+                description: t('unlinkSecurityKeyConfirmDescription'),
+            });
+            usernameList = (promptRes.value || '')
+                .split(',')
+                .map((u) => u.trim())
+                .filter((u) => u);
+            if (usernameList.length === 0) {
+                const outputString = 'No usernames provided. Script cancelled.';
+                uxLog('warning', this, c.yellow(outputString));
+                return { outputString };
+            }
+        }
+        /* Parse optional --text-markers override (extra markers merged per method) */
+        let extraMarkers = {};
+        if (flags['text-markers']) {
+            try {
+                const parsed = JSON.parse(flags['text-markers']);
+                if (parsed && typeof parsed === 'object') {
+                    extraMarkers = parsed;
+                }
+            }
+            catch (e) {
+                throw new SfError(c.red(`Invalid --text-markers JSON: ${e.message}`));
+            }
+        }
+        const requestedMethodKeys = [];
+        if (flags['include-security-key'])
+            requestedMethodKeys.push('securityKey');
+        if (flags['include-salesforce-authenticator'])
+            requestedMethodKeys.push('salesforceAuthenticator');
+        if (flags['include-totp'])
+            requestedMethodKeys.push('totp');
+        if (requestedMethodKeys.length === 0) {
+            throw new SfError(c.red('At least one MFA method must be selected (use --include-security-key or one of the --include-* flags).'));
+        }
+        const methods = requestedMethodKeys.map((k) => {
+            const base = MFA_METHODS[k];
+            const extras = extraMarkers[k] || [];
+            return extras.length > 0
+                ? { ...base, sectionTextMarkers: [...base.sectionTextMarkers, ...extras] }
+                : base;
+        });
+        const conn = flags['target-org'].getConnection();
+        uxLog('action', this, c.cyan(t('unlinkSecurityKeyQueryingUsers', { count: c.bold(usernameList.length) })));
+        const usernamesConstraint = usernameList.map((u) => `'${u}'`).join(',');
+        const userQuery = `SELECT Id,Name,Username,IsActive FROM User WHERE Username IN (${usernamesConstraint})`;
+        const userQueryRes = await soqlQuery(userQuery, conn);
+        const foundByUsername = {};
+        for (const rec of userQueryRes.records) {
+            foundByUsername[rec.Username] = rec;
+        }
+        const targets = usernameList.map((username) => {
+            const rec = foundByUsername[username];
+            if (!rec) {
+                return { username, userId: null, isActive: false, preStatus: 'notFound' };
+            }
+            if (rec.IsActive === false) {
+                return { username, userId: rec.Id, isActive: false, name: rec.Name, preStatus: 'inactive' };
+            }
+            return { username, userId: rec.Id, isActive: true, name: rec.Name, preStatus: 'pending' };
+        });
+        uxLogTable(this, targets.map((t2) => ({
+            Username: t2.username,
+            UserId: t2.userId || '',
+            IsActive: t2.isActive ? 'true' : 'false',
+            PreStatus: t2.preStatus,
+        })));
+        if (!isCI && !this.agentMode) {
+            const confirmRes = await prompts({
+                type: 'confirm',
+                name: 'value',
+                initial: true,
+                message: c.cyanBright(t('confirmUnlinkSecurityKey', {
+                    count: targets.length,
+                    orgUsername: flags['target-org'].getUsername(),
+                })),
+                description: t('unlinkSecurityKeyConfirmDescription'),
+            });
+            if (confirmRes.value !== true) {
+                const outputString = 'Script cancelled by user.';
+                uxLog('warning', this, c.yellow(outputString));
+                return { outputString };
+            }
+        }
+        uxLog('action', this, c.cyan(t('unlinkSecurityKeyLaunchingBrowser')));
+        const results = await unlinkUserSecurityKeys(targets, conn, methods, {
+            debug: this.debugMode,
+            dumpAnchors: flags['dump-anchors'] === true,
+        });
+        const summary = {
+            unlinked: 0,
+            notLinked: 0,
+            notFound: 0,
+            inactive: 0,
+            error: 0,
+        };
+        for (const r of results) {
+            summary[r.status] = (summary[r.status] || 0) + 1;
+        }
+        const tableRows = results.map((r) => ({
+            Username: r.username,
+            UserId: r.userId || '',
+            Status: r.status,
+            Unlinked: r.methodsUnlinked.join(', '),
+            NotLinked: r.methodsNotLinked.join(', '),
+            Message: r.message,
+        }));
+        uxLogTable(this, tableRows);
+        uxLog('success', this, c.green(t('unlinkSecurityKeySummary', summary)));
+        await generateReports(tableRows, ['Username', 'UserId', 'Status', 'Unlinked', 'NotLinked', 'Message'], this, {
+            logFileName: 'users-security-key-unlink',
+            logLabel: 'Unlink security key report',
+        });
+        return {
+            orgId: flags['target-org'].getOrgId(),
+            results: results,
+            summary,
+            outputString: t('unlinkSecurityKeySummary', summary),
+        };
+    }
+}
+//# sourceMappingURL=unlink-security-key.js.map

package/lib/commands/hardis/org/user/unlink-security-key.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"unlink-security-key.js","sourceRoot":"","sources":["../../../../../src/commands/hardis/org/user/unlink-security-key.ts"],"names":[],"mappings":"AAAA,wBAAwB;AACxB,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,+BAA+B,EAAE,MAAM,6BAA6B,CAAC;AAChG,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAErD,OAAO,CAAC,MAAM,OAAO,CAAC;AACtB,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,mCAAmC,CAAC;AAC7F,OAAO,EAAE,OAAO,EAAE,MAAM,qCAAqC,CAAC;AAC9D,OAAO,EAAE,SAAS,EAAE,MAAM,sCAAsC,CAAC;AACjE,OAAO,EACL,WAAW,EAIX,sBAAsB,GACvB,MAAM,gDAAgD,CAAC;AACxD,OAAO,EAAE,CAAC,EAAE,MAAM,kCAAkC,CAAC;AAErD,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC;AAE7D,MAAM,CAAC,OAAO,OAAO,wBAAyB,SAAQ,SAAc;IAC3D,MAAM,CAAC,KAAK,GAAG,yCAAyC,CAAC;IAEzD,MAAM,CAAC,WAAW,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA2C7B,CAAC;IAEO,MAAM,CAAC,QAAQ,GAAG;QACvB,0CAA0C;QAC1C,wEAAwE;QACxE,kHAAkH;QAClH,yGAAyG;QACzG,gFAAgF;QAChF,iJAAiJ;KAClJ,CAAC;IAEK,MAAM,CAAC,KAAK,GAAQ;QACzB,SAAS,EAAE,KAAK,CAAC,MAAM,CAAC;YACtB,IAAI,EAAE,GAAG;YACT,WAAW,EAAE,qFAAqF;SACnG,CAAC;QACF,sBAAsB,EAAE,KAAK,CAAC,OAAO,CAAC;YACpC,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,IAAI;YACb,WAAW,EACT,wHAAwH;SAC3H,CAAC;QACF,kCAAkC,EAAE,KAAK,CAAC,OAAO,CAAC;YAChD,OAAO,EAAE,KAAK;YACd,WAAW,EAAE,kEAAkE;SAChF,CAAC;QACF,cAAc,EAAE,KAAK,CAAC,OAAO,CAAC;YAC5B,OAAO,EAAE,KAAK;YACd,WAAW,EAAE,qEAAqE;SACnF,CAAC;QACF,cAAc,EAAE,KAAK,CAAC,MAAM,CAAC;YAC3B,WAAW,EACT,iKAAiK;SACpK,CAAC;QACF,cAAc,EAAE,KAAK,CAAC,OAAO,CAAC;YAC5B,OAAO,EAAE,KAAK;YACd,WAAW,EAAE,oGAAoG;SAClH,CAAC;QACF,KAAK,EAAE,KAAK,CAAC,OAAO,CAAC;YACnB,OAAO,EAAE,KAAK;YACd,WAAW,EAAE,uDAAuD;SACrE,CAAC;QACF,KAAK,EAAE,KAAK,CAAC,OAAO,CAAC;YACnB,IAAI,EAAE,GAAG;YACT,OAAO,EAAE,KAAK;YACd,WAAW,EAAE,QAAQ,CAAC,UAAU,CAAC,WAAW,CAAC;SAC9C,CAAC;QACF,SAAS,EAAE,KAAK,CAAC,MAAM,CAAC;YACtB,WAAW,EAAE,QAAQ,CAAC,UAAU,CAAC,WAAW,CAAC;SAC9C,CAAC;QACF,QAAQ,EAAE,KAAK,CAAC,OAAO,CAAC;YACtB,WAAW,EAAE,+DAA+D;SAC7E,CAAC;QACF,YAAY,EAAE,+BAA+B;KAC9C,CAAC;IAEK,MAAM,CAAC,eAAe,GAAG,KAAK,CAAC;IAE5B,SAAS,GAAG,KAAK,CAAC;IAClB,SAAS,GAAG,KAAK,CAAC;IAE5B,sBAAsB;IAEf,KAAK,CAAC,GAAG;QACd,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC;QAC7D,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC;QACtC,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC,KAAK,KAAK,IAAI,CAAC;QAEtC,IAAI,YAAY,GAAa,KAAK,CAAC,SAAS;YAC1C,CAAC,CAAC,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC;YAClF,CAAC,CAAC,EAAE,CAAC;QAEP,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9B,IAAI,IAAI,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBAC3B,MAAM,IAAI,OAAO,CACf,CAAC,CAAC,GAAG,CAAC,uFAAuF,CAAC,CAC/F,CAAC;YACJ,CAAC;YACD,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC;gBAC9B,IAAI,EAAE,MAAM;gBACZ,IAAI,EAAE,OAAO;gBACb,OAAO,EAAE,CAAC,CAAC,wBAAwB,CAAC;gBACpC,WAAW,EAAE,CAAC,CAAC,qCAAqC,CAAC;aACtD,CAAC,CAAC;YACH,YAAY,GAAG,CAAC,SAAS,CAAC,KAAK,IAAI,EAAE,CAAC;iBACnC,KAAK,CAAC,GAAG,CAAC;iBACV,GAAG,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;iBAC5B,MAAM,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC;YAC5B,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC9B,MAAM,YAAY,GAAG,0CAA0C,CAAC;gBAChE,KAAK,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC;gBAC/C,OAAO,EAAE,YAAY,EAAE,CAAC;YAC1B,CAAC;QACH,CAAC;QAED,8EAA8E;QAC9E,IAAI,YAAY,GAA6B,EAAE,CAAC;QAChD,IAAI,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC;YAC1B,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC;gBACjD,IAAI,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;oBACzC,YAAY,GAAG,MAAkC,CAAC;gBACpD,CAAC;YACH,CAAC;YAAC,OAAO,CAAM,EAAE,CAAC;gBAChB,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YACxE,CAAC;QACH,CAAC;QAED,MAAM,mBAAmB,GAAsB,EAAE,CAAC;QAClD,IAAI,KAAK,CAAC,sBAAsB,CAAC;YAAE,mBAAmB,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC3E,IAAI,KAAK,CAAC,kCAAkC,CAAC;YAAE,mBAAmB,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;QACnG,IAAI,KAAK,CAAC,cAAc,CAAC;YAAE,mBAAmB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAE5D,IAAI,mBAAmB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACrC,MAAM,IAAI,OAAO,CACf,CAAC,CAAC,GAAG,CAAC,wGAAwG,CAAC,CAChH,CAAC;QACJ,CAAC;QAED,MAAM,OAAO,GAAuB,mBAAmB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;YAChE,MAAM,IAAI,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;YAC5B,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACrC,OAAO,MAAM,CAAC,MAAM,GAAG,CAAC;gBACtB,CAAC,CAAC,EAAE,GAAG,IAAI,EAAE,kBAAkB,EAAE,CAAC,GAAG,IAAI,CAAC,kBAAkB,EAAE,GAAG,MAAM,CAAC,EAAE;gBAC1E,CAAC,CAAC,IAAI,CAAC;QACX,CAAC,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,KAAK,CAAC,YAAY,CAAC,CAAC,aAAa,EAAE,CAAC;QACjD,KAAK,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,gCAAgC,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC3G,MAAM,mBAAmB,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACxE,MAAM,SAAS,GAAG,iEAAiE,mBAAmB,GAAG,CAAC;QAC1G,MAAM,YAAY,GAAG,MAAM,SAAS,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;QACtD,MAAM,eAAe,GAAwB,EAAE,CAAC;QAChD,KAAK,MAAM,GAAG,IAAI,YAAY,CAAC,OAAgB,EAAE,CAAC;YAChD,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,GAAG,CAAC;QACtC,CAAC;QAED,MAAM,OAAO,GAAmB,YAAY,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE;YAC5D,MAAM,GAAG,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;YACtC,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,SAAS,EAAE,UAAmB,EAAE,CAAC;YACrF,CAAC;YACD,IAAI,GAAG,CAAC,QAAQ,KAAK,KAAK,EAAE,CAAC;gBAC3B,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,SAAS,EAAE,UAAmB,EAAE,CAAC;YACvG,CAAC;YACD,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,SAAS,EAAE,SAAkB,EAAE,CAAC;QACrG,CAAC,CAAC,CAAC;QAEH,UAAU,CACR,IAAI,EACJ,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;YACnB,QAAQ,EAAE,EAAE,CAAC,QAAQ;YACrB,MAAM,EAAE,EAAE,CAAC,MAAM,IAAI,EAAE;YACvB,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO;YACxC,SAAS,EAAE,EAAE,CAAC,SAAS;SACxB,CAAC,CAAC,CACJ,CAAC;QAEF,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YAC7B,MAAM,UAAU,GAAG,MAAM,OAAO,CAAC;gBAC/B,IAAI,EAAE,SAAS;gBACf,IAAI,EAAE,OAAO;gBACb,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,CAAC,CAAC,UAAU,CACnB,CAAC,CAAC,0BAA0B,EAAE;oBAC5B,KAAK,EAAE,OAAO,CAAC,MAAM;oBACrB,WAAW,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE;iBAC/C,CAAC,CACH;gBACD,WAAW,EAAE,CAAC,CAAC,qCAAqC,CAAC;aACtD,CAAC,CAAC;YACH,IAAI,UAAU,CAAC,KAAK,KAAK,IAAI,EAAE,CAAC;gBAC9B,MAAM,YAAY,GAAG,2BAA2B,CAAC;gBACjD,KAAK,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC;gBAC/C,OAAO,EAAE,YAAY,EAAE,CAAC;YAC1B,CAAC;QACH,CAAC;QAED,KAAK,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,mCAAmC,CAAC,CAAC,CAAC,CAAC;QACtE,MAAM,OAAO,GAAG,MAAM,sBAAsB,CAAC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE;YACnE,KAAK,EAAE,IAAI,CAAC,SAAS;YACrB,WAAW,EAAE,KAAK,CAAC,cAAc,CAAC,KAAK,IAAI;SAC5C,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG;YACd,QAAQ,EAAE,CAAC;YACX,SAAS,EAAE,CAAC;YACZ,QAAQ,EAAE,CAAC;YACX,QAAQ,EAAE,CAAC;YACX,KAAK,EAAE,CAAC;SACT,CAAC;QACF,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QACnD,CAAC;QAED,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACpC,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,EAAE;YACtB,MAAM,EAAE,CAAC,CAAC,MAAM;YAChB,QAAQ,EAAE,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC;YACtC,SAAS,EAAE,CAAC,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC;YACxC,OAAO,EAAE,CAAC,CAAC,OAAO;SACnB,CAAC,CAAC,CAAC;QACJ,UAAU,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;QAC5B,KAAK,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,0BAA0B,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;QAExE,MAAM,eAAe,CAAC,SAAS,EAAE,CAAC,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,SAAS,CAAC,EAAE,IAAI,EAAE;YAC3G,WAAW,EAAE,2BAA2B;YACxC,QAAQ,EAAE,4BAA4B;SACvC,CAAC,CAAC;QAEH,OAAO;YACL,KAAK,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC,QAAQ,EAAE;YACrC,OAAO,EAAE,OAAc;YACvB,OAAO;YACP,YAAY,EAAE,CAAC,CAAC,0BAA0B,EAAE,OAAO,CAAC;SAC9C,CAAC;IACX,CAAC"}

package/lib/common/gitProvider/azureDevops.js

@@ -99,10 +99,13 @@ export class AzureDevopsProvider extends GitProviderRoot {
                 }
                 uxLog("log", AzureDevopsProvider, c.grey("[Azure DevOps] " + t("autoDetectProviderJenkinsMapping", { provider: "Azure DevOps" })));
             }
-            uxLog("log", AzureDevopsProvider, c.grey("[Azure DevOps] " + t("autoDetectProviderSuccess", {
-                provider: "Azure DevOps",
-                details: `server=${process.env.SYSTEM_COLLECTIONURI}, project=${process.env.SYSTEM_TEAMPROJECT || "unknown"}`,
-            })));
+            /* Only log the success summary when Jenkins is involved - on native CI providers this is just noise */
+            if (isJenkins()) {
+                uxLog("log", AzureDevopsProvider, c.grey("[Azure DevOps] " + t("autoDetectProviderSuccess", {
+                    provider: "Azure DevOps",
+                    details: `server=${process.env.SYSTEM_COLLECTIONURI}, project=${process.env.SYSTEM_TEAMPROJECT || "unknown"}`,
+                })));
+            }
         }
         catch (e) {
             uxLog("warning", AzureDevopsProvider, c.yellow("[Azure DevOps] " + t("autoDetectProviderFailed", { provider: "Azure DevOps", message: e.message })));