npm - workos - Versions diffs - 0.2.0 → 0.3.2 - Mend

workos 0.2.0 → 0.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (401) hide show

package/dist/lib/credential-proxy.js ADDED Viewed

@@ -0,0 +1,298 @@
+/**
+ * Lightweight HTTP proxy that injects credentials from file into requests.
+ * Includes lazy token refresh - refreshes proactively when token is expiring soon.
+ */
+import http from 'node:http';
+import https from 'node:https';
+import { URL } from 'node:url';
+import { logInfo, logError, logWarn } from '../utils/debug.js';
+import { getCredentials, updateTokens } from './credentials.js';
+import { analytics } from '../utils/analytics.js';
+import { refreshAccessToken } from './token-refresh-client.js';
+// Module-level state for lazy refresh
+let refreshPromise = null;
+let refreshConfig = null;
+let consecutiveFailures = 0;
+const MAX_CONSECUTIVE_FAILURES = 3;
+/**
+ * Check if token needs refresh (expires within threshold).
+ */
+function tokenNeedsRefresh(expiresAt, thresholdMs) {
+    return Date.now() + thresholdMs >= expiresAt;
+}
+/**
+ * Perform token refresh, updating credentials file.
+ * Returns true if refresh succeeded.
+ */
+async function doRefresh() {
+    if (!refreshConfig) {
+        logError('[credential-proxy] No refresh config available');
+        return false;
+    }
+    const { authkitDomain, clientId, onRefreshSuccess, onRefreshExpired } = refreshConfig;
+    const startTime = Date.now();
+    logInfo('[credential-proxy] Starting token refresh...');
+    analytics.capture('installer.token.refresh', {
+        action: 'refresh_attempt',
+        trigger: 'lazy',
+    });
+    const result = await refreshAccessToken(authkitDomain, clientId);
+    if (result.success && result.accessToken && result.expiresAt) {
+        // Update credentials file atomically
+        updateTokens(result.accessToken, result.expiresAt, result.refreshToken);
+        consecutiveFailures = 0;
+        const durationMs = Date.now() - startTime;
+        logInfo(`[credential-proxy] Token refreshed in ${durationMs}ms, expires: ${new Date(result.expiresAt).toISOString()}`);
+        analytics.capture('installer.token.refresh', {
+            action: 'refresh_success',
+            duration_ms: durationMs,
+            token_rotated: !!result.refreshToken,
+        });
+        onRefreshSuccess?.();
+        return true;
+    }
+    consecutiveFailures++;
+    logError(`[credential-proxy] Refresh failed: ${result.error}`);
+    analytics.capture('installer.token.refresh', {
+        action: 'refresh_failure',
+        error_type: result.errorType || 'unknown',
+        error_message: result.error || 'Unknown error',
+        consecutive_failures: consecutiveFailures,
+    });
+    // Handle permanent failure
+    if (result.errorType === 'invalid_grant' || consecutiveFailures >= MAX_CONSECUTIVE_FAILURES) {
+        logError('[credential-proxy] Refresh token expired or too many failures');
+        onRefreshExpired?.();
+    }
+    return false;
+}
+/**
+ * Ensure we have valid credentials, refreshing if needed.
+ * Uses a promise-based lock to prevent concurrent refreshes.
+ *
+ * @returns Credentials to use for request, or null if unavailable
+ */
+async function ensureValidCredentials(thresholdMs) {
+    const creds = getCredentials();
+    if (!creds?.accessToken) {
+        return null;
+    }
+    // No refresh token = can't refresh, just use what we have
+    if (!creds.refreshToken || !refreshConfig) {
+        return creds;
+    }
+    const timeUntilExpiry = creds.expiresAt - Date.now();
+    if (timeUntilExpiry <= 0) {
+        // Token expired - must wait for refresh
+        logWarn('[credential-proxy] Token expired, waiting for refresh...');
+        if (!refreshPromise) {
+            refreshPromise = doRefresh()
+                .then(() => { })
+                .finally(() => {
+                refreshPromise = null;
+            });
+        }
+        await refreshPromise;
+        return getCredentials(); // Return fresh credentials
+    }
+    if (timeUntilExpiry < thresholdMs) {
+        // Token expiring soon - trigger background refresh, but use current token
+        logInfo(`[credential-proxy] Token expires in ${Math.round(timeUntilExpiry / 1000)}s, triggering refresh`);
+        if (!refreshPromise) {
+            refreshPromise = doRefresh()
+                .then(() => { })
+                .finally(() => {
+                refreshPromise = null;
+            });
+        }
+        // Don't await - fire and forget, use current (still valid) token
+    }
+    return creds;
+}
+/**
+ * Start the credential injector proxy with optional lazy refresh.
+ */
+export async function startCredentialProxy(options) {
+    const upstream = new URL(options.upstreamUrl);
+    const useHttps = upstream.protocol === 'https:';
+    const thresholdMs = options.refresh?.refreshThresholdMs ?? 60_000;
+    // Store refresh config for lazy refresh
+    refreshConfig = options.refresh ?? null;
+    consecutiveFailures = 0;
+    const server = http.createServer(async (req, res) => {
+        await handleRequest(req, res, upstream, useHttps, thresholdMs);
+    });
+    // Find available port
+    const port = await new Promise((resolve, reject) => {
+        const tryPort = options.port ?? 0; // 0 = random available port
+        let attempts = 0;
+        const maxAttempts = 10;
+        const tryListen = (p) => {
+            server.once('error', (err) => {
+                if (err.code === 'EADDRINUSE' && attempts < maxAttempts) {
+                    attempts++;
+                    tryListen(0); // Try random port
+                }
+                else {
+                    reject(err);
+                }
+            });
+            server.listen(p, '127.0.0.1', () => {
+                const addr = server.address();
+                if (addr && typeof addr === 'object') {
+                    resolve(addr.port);
+                }
+                else {
+                    reject(new Error('Failed to get server address'));
+                }
+            });
+        };
+        tryListen(tryPort);
+    });
+    const url = `http://127.0.0.1:${port}`;
+    logInfo(`[credential-proxy] Started on ${url}, forwarding to ${options.upstreamUrl}`);
+    if (refreshConfig) {
+        logInfo(`[credential-proxy] Lazy refresh enabled, threshold: ${thresholdMs}ms`);
+    }
+    // Telemetry for proxy start
+    analytics.capture('installer.proxy', {
+        action: 'start',
+        port,
+        refresh_enabled: !!refreshConfig,
+    });
+    return {
+        port,
+        url,
+        stop: async () => {
+            // Clear refresh state
+            refreshConfig = null;
+            refreshPromise = null;
+            consecutiveFailures = 0;
+            await stopServer(server);
+        },
+    };
+}
+async function handleRequest(req, res, upstream, useHttps, thresholdMs) {
+    // Get valid credentials, potentially triggering refresh
+    const creds = await ensureValidCredentials(thresholdMs);
+    if (!creds?.accessToken) {
+        logError('[credential-proxy] No credentials available');
+        res.writeHead(401, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({
+            error: 'credentials_unavailable',
+            message: 'Not authenticated. Run `workos login` first.',
+        }));
+        return;
+    }
+    // Build upstream request options
+    // Concatenate paths properly - URL() would replace the base path with absolute paths
+    const requestPath = req.url || '/';
+    const basePath = upstream.pathname.replace(/\/$/, ''); // Remove trailing slash
+    const fullPath = basePath + requestPath;
+    const upstreamUrl = new URL(fullPath, upstream.origin);
+    const headers = {};
+    // Copy headers, excluding hop-by-hop headers
+    const hopByHop = new Set([
+        'connection',
+        'keep-alive',
+        'proxy-authenticate',
+        'proxy-authorization',
+        'te',
+        'trailer',
+        'transfer-encoding',
+        'upgrade',
+    ]);
+    for (const [key, value] of Object.entries(req.headers)) {
+        if (!hopByHop.has(key.toLowerCase()) && value !== undefined) {
+            headers[key] = value;
+        }
+    }
+    // Inject credentials
+    headers['authorization'] = `Bearer ${creds.accessToken}`;
+    headers['host'] = upstream.host;
+    // Strip beta=true query param - WorkOS LLM gateway doesn't support it
+    const searchParams = new URLSearchParams(upstreamUrl.search);
+    searchParams.delete('beta');
+    const queryString = searchParams.toString();
+    const finalPath = upstreamUrl.pathname + (queryString ? `?${queryString}` : '');
+    const requestOptions = {
+        hostname: upstream.hostname,
+        port: upstream.port || (useHttps ? 443 : 80),
+        path: finalPath,
+        method: req.method,
+        headers,
+        timeout: 120_000, // 2 minute timeout
+    };
+    const transport = useHttps ? https : http;
+    const proxyReq = transport.request(requestOptions, (proxyRes) => {
+        // Copy response headers
+        const responseHeaders = {};
+        for (const [key, value] of Object.entries(proxyRes.headers)) {
+            if (!hopByHop.has(key.toLowerCase()) && value !== undefined) {
+                responseHeaders[key] = value;
+            }
+        }
+        res.writeHead(proxyRes.statusCode || 500, responseHeaders);
+        proxyRes.pipe(res);
+    });
+    proxyReq.on('error', (err) => {
+        logError('[credential-proxy] Upstream error:', err.message);
+        if (!res.headersSent) {
+            if (err.code === 'ECONNREFUSED') {
+                res.writeHead(502, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({
+                    error: 'upstream_unavailable',
+                    message: 'Could not connect to upstream server',
+                }));
+            }
+            else if (err.code === 'ETIMEDOUT') {
+                res.writeHead(504, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({
+                    error: 'upstream_timeout',
+                    message: 'Upstream server timed out',
+                }));
+            }
+            else {
+                res.writeHead(502, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({
+                    error: 'proxy_error',
+                    message: err.message,
+                }));
+            }
+        }
+    });
+    proxyReq.on('timeout', () => {
+        proxyReq.destroy();
+        if (!res.headersSent) {
+            res.writeHead(504, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({
+                error: 'upstream_timeout',
+                message: 'Upstream server timed out',
+            }));
+        }
+    });
+    // Stream request body
+    req.pipe(proxyReq);
+}
+function stopServer(server) {
+    return new Promise((resolve, reject) => {
+        // Set a timeout for graceful shutdown
+        const timeout = setTimeout(() => {
+            logInfo('[credential-proxy] Force closing after timeout');
+            server.closeAllConnections?.();
+            resolve();
+        }, 5000);
+        server.close((err) => {
+            clearTimeout(timeout);
+            if (err) {
+                logError('[credential-proxy] Error stopping server:', err);
+                reject(err);
+            }
+            else {
+                logInfo('[credential-proxy] Stopped');
+                resolve();
+            }
+        });
+    });
+}
+//# sourceMappingURL=credential-proxy.js.map

package/dist/lib/credential-proxy.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"credential-proxy.js","sourceRoot":"","sources":["../../src/lib/credential-proxy.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,KAAK,MAAM,YAAY,CAAC;AAC/B,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAC;AAC/B,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,cAAc,EAAE,YAAY,EAAoB,MAAM,kBAAkB,CAAC;AAClF,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAiC/D,sCAAsC;AACtC,IAAI,cAAc,GAAyB,IAAI,CAAC;AAChD,IAAI,aAAa,GAAyB,IAAI,CAAC;AAC/C,IAAI,mBAAmB,GAAG,CAAC,CAAC;AAC5B,MAAM,wBAAwB,GAAG,CAAC,CAAC;AAEnC;;GAEG;AACH,SAAS,iBAAiB,CAAC,SAAiB,EAAE,WAAmB;IAC/D,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,IAAI,SAAS,CAAC;AAC/C,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,SAAS;IACtB,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,QAAQ,CAAC,gDAAgD,CAAC,CAAC;QAC3D,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,EAAE,aAAa,EAAE,QAAQ,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,GAAG,aAAa,CAAC;IACtF,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,OAAO,CAAC,8CAA8C,CAAC,CAAC;IAExD,SAAS,CAAC,OAAO,CAAC,yBAAyB,EAAE;QAC3C,MAAM,EAAE,iBAAiB;QACzB,OAAO,EAAE,MAAM;KAChB,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;IAEjE,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QAC7D,qCAAqC;QACrC,YAAY,CAAC,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;QAExE,mBAAmB,GAAG,CAAC,CAAC;QACxB,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QAE1C,OAAO,CACL,yCAAyC,UAAU,gBAAgB,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,EAAE,CAC9G,CAAC;QAEF,SAAS,CAAC,OAAO,CAAC,yBAAyB,EAAE;YAC3C,MAAM,EAAE,iBAAiB;YACzB,WAAW,EAAE,UAAU;YACvB,aAAa,EAAE,CAAC,CAAC,MAAM,CAAC,YAAY;SACrC,CAAC,CAAC;QAEH,gBAAgB,EAAE,EAAE,CAAC;QACrB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,mBAAmB,EAAE,CAAC;IAEtB,QAAQ,CAAC,sCAAsC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;IAE/D,SAAS,CAAC,OAAO,CAAC,yBAAyB,EAAE;QAC3C,MAAM,EAAE,iBAAiB;QACzB,UAAU,EAAE,MAAM,CAAC,SAAS,IAAI,SAAS;QACzC,aAAa,EAAE,MAAM,CAAC,KAAK,IAAI,eAAe;QAC9C,oBAAoB,EAAE,mBAAmB;KAC1C,CAAC,CAAC;IAEH,2BAA2B;IAC3B,IAAI,MAAM,CAAC,SAAS,KAAK,eAAe,IAAI,mBAAmB,IAAI,wBAAwB,EAAE,CAAC;QAC5F,QAAQ,CAAC,+DAA+D,CAAC,CAAC;QAC1E,gBAAgB,EAAE,EAAE,CAAC;IACvB,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,sBAAsB,CAAC,WAAmB;IACvD,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAE/B,IAAI,CAAC,KAAK,EAAE,WAAW,EAAE,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,0DAA0D;IAC1D,IAAI,CAAC,KAAK,CAAC,YAAY,IAAI,CAAC,aAAa,EAAE,CAAC;QAC1C,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,eAAe,GAAG,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAErD,IAAI,eAAe,IAAI,CAAC,EAAE,CAAC;QACzB,wCAAwC;QACxC,OAAO,CAAC,0DAA0D,CAAC,CAAC;QAEpE,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,cAAc,GAAG,SAAS,EAAE;iBACzB,IAAI,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC;iBACd,OAAO,CAAC,GAAG,EAAE;gBACZ,cAAc,GAAG,IAAI,CAAC;YACxB,CAAC,CAAC,CAAC;QACP,CAAC;QAED,MAAM,cAAc,CAAC;QACrB,OAAO,cAAc,EAAE,CAAC,CAAC,2BAA2B;IACtD,CAAC;IAED,IAAI,eAAe,GAAG,WAAW,EAAE,CAAC;QAClC,0EAA0E;QAC1E,OAAO,CAAC,uCAAuC,IAAI,CAAC,KAAK,CAAC,eAAe,GAAG,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAE1G,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,cAAc,GAAG,SAAS,EAAE;iBACzB,IAAI,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC;iBACd,OAAO,CAAC,GAAG,EAAE;gBACZ,cAAc,GAAG,IAAI,CAAC;YACxB,CAAC,CAAC,CAAC;QACP,CAAC;QACD,iEAAiE;IACnE,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,OAA+B;IACxE,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,KAAK,QAAQ,CAAC;IAChD,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,kBAAkB,IAAI,MAAM,CAAC;IAElE,wCAAwC;IACxC,aAAa,GAAG,OAAO,CAAC,OAAO,IAAI,IAAI,CAAC;IACxC,mBAAmB,GAAG,CAAC,CAAC;IAExB,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAClD,MAAM,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,CAAC,CAAC;IACjE,CAAC,CAAC,CAAC;IAEH,sBAAsB;IACtB,MAAM,IAAI,GAAG,MAAM,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACzD,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,4BAA4B;QAC/D,IAAI,QAAQ,GAAG,CAAC,CAAC;QACjB,MAAM,WAAW,GAAG,EAAE,CAAC;QAEvB,MAAM,SAAS,GAAG,CAAC,CAAS,EAAE,EAAE;YAC9B,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,GAA0B,EAAE,EAAE;gBAClD,IAAI,GAAG,CAAC,IAAI,KAAK,YAAY,IAAI,QAAQ,GAAG,WAAW,EAAE,CAAC;oBACxD,QAAQ,EAAE,CAAC;oBACX,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,kBAAkB;gBAClC,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,GAAG,CAAC,CAAC;gBACd,CAAC;YACH,CAAC,CAAC,CAAC;YAEH,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE;gBACjC,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;gBAC9B,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;oBACrC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACrB,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC,CAAC;gBACpD,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC,CAAC;QAEF,SAAS,CAAC,OAAO,CAAC,CAAC;IACrB,CAAC,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,oBAAoB,IAAI,EAAE,CAAC;IACvC,OAAO,CAAC,iCAAiC,GAAG,mBAAmB,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;IACtF,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,CAAC,uDAAuD,WAAW,IAAI,CAAC,CAAC;IAClF,CAAC;IAED,4BAA4B;IAC5B,SAAS,CAAC,OAAO,CAAC,iBAAiB,EAAE;QACnC,MAAM,EAAE,OAAO;QACf,IAAI;QACJ,eAAe,EAAE,CAAC,CAAC,aAAa;KACjC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI;QACJ,GAAG;QACH,IAAI,EAAE,KAAK,IAAI,EAAE;YACf,sBAAsB;YACtB,aAAa,GAAG,IAAI,CAAC;YACrB,cAAc,GAAG,IAAI,CAAC;YACtB,mBAAmB,GAAG,CAAC,CAAC;YACxB,MAAM,UAAU,CAAC,MAAM,CAAC,CAAC;QAC3B,CAAC;KACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,aAAa,CAC1B,GAAyB,EACzB,GAAwB,EACxB,QAAa,EACb,QAAiB,EACjB,WAAmB;IAEnB,wDAAwD;IACxD,MAAM,KAAK,GAAG,MAAM,sBAAsB,CAAC,WAAW,CAAC,CAAC;IAExD,IAAI,CAAC,KAAK,EAAE,WAAW,EAAE,CAAC;QACxB,QAAQ,CAAC,6CAA6C,CAAC,CAAC;QACxD,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;QAC3D,GAAG,CAAC,GAAG,CACL,IAAI,CAAC,SAAS,CAAC;YACb,KAAK,EAAE,yBAAyB;YAChC,OAAO,EAAE,8CAA8C;SACxD,CAAC,CACH,CAAC;QACF,OAAO;IACT,CAAC;IAED,iCAAiC;IACjC,qFAAqF;IACrF,MAAM,WAAW,GAAG,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC;IACnC,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,wBAAwB;IAC/E,MAAM,QAAQ,GAAG,QAAQ,GAAG,WAAW,CAAC;IACxC,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;IAEvD,MAAM,OAAO,GAA6B,EAAE,CAAC;IAE7C,6CAA6C;IAC7C,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC;QACvB,YAAY;QACZ,YAAY;QACZ,oBAAoB;QACpB,qBAAqB;QACrB,IAAI;QACJ,SAAS;QACT,mBAAmB;QACnB,SAAS;KACV,CAAC,CAAC;IAEH,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;QACvD,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YAC5D,OAAO,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACvB,CAAC;IACH,CAAC;IAED,qBAAqB;IACrB,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,KAAK,CAAC,WAAW,EAAE,CAAC;IACzD,OAAO,CAAC,MAAM,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC;IAEhC,sEAAsE;IACtE,MAAM,YAAY,GAAG,IAAI,eAAe,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IAC7D,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5B,MAAM,WAAW,GAAG,YAAY,CAAC,QAAQ,EAAE,CAAC;IAC5C,MAAM,SAAS,GAAG,WAAW,CAAC,QAAQ,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAEhF,MAAM,cAAc,GAAwB;QAC1C,QAAQ,EAAE,QAAQ,CAAC,QAAQ;QAC3B,IAAI,EAAE,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5C,IAAI,EAAE,SAAS;QACf,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,OAAO;QACP,OAAO,EAAE,OAAO,EAAE,mBAAmB;KACtC,CAAC;IAEF,MAAM,SAAS,GAAG,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;IAE1C,MAAM,QAAQ,GAAG,SAAS,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC,QAAQ,EAAE,EAAE;QAC9D,wBAAwB;QACxB,MAAM,eAAe,GAA6B,EAAE,CAAC;QACrD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5D,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBAC5D,eAAe,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YAC/B,CAAC;QACH,CAAC;QAED,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAU,IAAI,GAAG,EAAE,eAAe,CAAC,CAAC;QAC3D,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACrB,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;QAC3B,QAAQ,CAAC,oCAAoC,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;QAE5D,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;YACrB,IAAK,GAA6B,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;gBAC3D,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;gBAC3D,GAAG,CAAC,GAAG,CACL,IAAI,CAAC,SAAS,CAAC;oBACb,KAAK,EAAE,sBAAsB;oBAC7B,OAAO,EAAE,sCAAsC;iBAChD,CAAC,CACH,CAAC;YACJ,CAAC;iBAAM,IAAK,GAA6B,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;gBAC/D,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;gBAC3D,GAAG,CAAC,GAAG,CACL,IAAI,CAAC,SAAS,CAAC;oBACb,KAAK,EAAE,kBAAkB;oBACzB,OAAO,EAAE,2BAA2B;iBACrC,CAAC,CACH,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;gBAC3D,GAAG,CAAC,GAAG,CACL,IAAI,CAAC,SAAS,CAAC;oBACb,KAAK,EAAE,aAAa;oBACpB,OAAO,EAAE,GAAG,CAAC,OAAO;iBACrB,CAAC,CACH,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE;QAC1B,QAAQ,CAAC,OAAO,EAAE,CAAC;QACnB,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;YACrB,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;YAC3D,GAAG,CAAC,GAAG,CACL,IAAI,CAAC,SAAS,CAAC;gBACb,KAAK,EAAE,kBAAkB;gBACzB,OAAO,EAAE,2BAA2B;aACrC,CAAC,CACH,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,sBAAsB;IACtB,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACrB,CAAC;AAED,SAAS,UAAU,CAAC,MAAmB;IACrC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,sCAAsC;QACtC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE;YAC9B,OAAO,CAAC,gDAAgD,CAAC,CAAC;YAC1D,MAAM,CAAC,mBAAmB,EAAE,EAAE,CAAC;YAC/B,OAAO,EAAE,CAAC;QACZ,CAAC,EAAE,IAAI,CAAC,CAAC;QAET,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACnB,YAAY,CAAC,OAAO,CAAC,CAAC;YACtB,IAAI,GAAG,EAAE,CAAC;gBACR,QAAQ,CAAC,2CAA2C,EAAE,GAAG,CAAC,CAAC;gBAC3D,MAAM,CAAC,GAAG,CAAC,CAAC;YACd,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,4BAA4B,CAAC,CAAC;gBACtC,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["/**\n * Lightweight HTTP proxy that injects credentials from file into requests.\n * Includes lazy token refresh - refreshes proactively when token is expiring soon.\n */\n\nimport http from 'node:http';\nimport https from 'node:https';\nimport { URL } from 'node:url';\nimport { logInfo, logError, logWarn } from '../utils/debug.js';\nimport { getCredentials, updateTokens, type Credentials } from './credentials.js';\nimport { analytics } from '../utils/analytics.js';\nimport { refreshAccessToken } from './token-refresh-client.js';\n\nexport interface RefreshConfig {\n /** AuthKit domain for refresh endpoint */\n authkitDomain: string;\n /** OAuth client ID */\n clientId: string;\n /** Threshold in ms - refresh when token expires within this window (default: 60000 = 1 min) */\n refreshThresholdMs?: number;\n /** Callback when refresh succeeds */\n onRefreshSuccess?: () => void;\n /** Callback when refresh fails permanently (token expired, invalid_grant) */\n onRefreshExpired?: () => void;\n}\n\nexport interface CredentialProxyOptions {\n /** Upstream URL to forward requests to */\n upstreamUrl: string;\n /** Optional: specific port to bind (default: random) */\n port?: number;\n /** Optional: refresh configuration for lazy token refresh */\n refresh?: RefreshConfig;\n}\n\nexport interface CredentialProxyHandle {\n /** Port the proxy is listening on */\n port: number;\n /** Full URL for the proxy (e.g., http://localhost:54321) */\n url: string;\n /** Stop the proxy server */\n stop: () => Promise<void>;\n}\n\n// Module-level state for lazy refresh\nlet refreshPromise: Promise<void> | null = null;\nlet refreshConfig: RefreshConfig | null = null;\nlet consecutiveFailures = 0;\nconst MAX_CONSECUTIVE_FAILURES = 3;\n\n/**\n * Check if token needs refresh (expires within threshold).\n */\nfunction tokenNeedsRefresh(expiresAt: number, thresholdMs: number): boolean {\n return Date.now() + thresholdMs >= expiresAt;\n}\n\n/**\n * Perform token refresh, updating credentials file.\n * Returns true if refresh succeeded.\n */\nasync function doRefresh(): Promise<boolean> {\n if (!refreshConfig) {\n logError('[credential-proxy] No refresh config available');\n return false;\n }\n\n const { authkitDomain, clientId, onRefreshSuccess, onRefreshExpired } = refreshConfig;\n const startTime = Date.now();\n\n logInfo('[credential-proxy] Starting token refresh...');\n\n analytics.capture('installer.token.refresh', {\n action: 'refresh_attempt',\n trigger: 'lazy',\n });\n\n const result = await refreshAccessToken(authkitDomain, clientId);\n\n if (result.success && result.accessToken && result.expiresAt) {\n // Update credentials file atomically\n updateTokens(result.accessToken, result.expiresAt, result.refreshToken);\n\n consecutiveFailures = 0;\n const durationMs = Date.now() - startTime;\n\n logInfo(\n `[credential-proxy] Token refreshed in ${durationMs}ms, expires: ${new Date(result.expiresAt).toISOString()}`,\n );\n\n analytics.capture('installer.token.refresh', {\n action: 'refresh_success',\n duration_ms: durationMs,\n token_rotated: !!result.refreshToken,\n });\n\n onRefreshSuccess?.();\n return true;\n }\n\n consecutiveFailures++;\n\n logError(`[credential-proxy] Refresh failed: ${result.error}`);\n\n analytics.capture('installer.token.refresh', {\n action: 'refresh_failure',\n error_type: result.errorType || 'unknown',\n error_message: result.error || 'Unknown error',\n consecutive_failures: consecutiveFailures,\n });\n\n // Handle permanent failure\n if (result.errorType === 'invalid_grant' || consecutiveFailures >= MAX_CONSECUTIVE_FAILURES) {\n logError('[credential-proxy] Refresh token expired or too many failures');\n onRefreshExpired?.();\n }\n\n return false;\n}\n\n/**\n * Ensure we have valid credentials, refreshing if needed.\n * Uses a promise-based lock to prevent concurrent refreshes.\n *\n * @returns Credentials to use for request, or null if unavailable\n */\nasync function ensureValidCredentials(thresholdMs: number): Promise<Credentials | null> {\n const creds = getCredentials();\n\n if (!creds?.accessToken) {\n return null;\n }\n\n // No refresh token = can't refresh, just use what we have\n if (!creds.refreshToken || !refreshConfig) {\n return creds;\n }\n\n const timeUntilExpiry = creds.expiresAt - Date.now();\n\n if (timeUntilExpiry <= 0) {\n // Token expired - must wait for refresh\n logWarn('[credential-proxy] Token expired, waiting for refresh...');\n\n if (!refreshPromise) {\n refreshPromise = doRefresh()\n .then(() => {})\n .finally(() => {\n refreshPromise = null;\n });\n }\n\n await refreshPromise;\n return getCredentials(); // Return fresh credentials\n }\n\n if (timeUntilExpiry < thresholdMs) {\n // Token expiring soon - trigger background refresh, but use current token\n logInfo(`[credential-proxy] Token expires in ${Math.round(timeUntilExpiry / 1000)}s, triggering refresh`);\n\n if (!refreshPromise) {\n refreshPromise = doRefresh()\n .then(() => {})\n .finally(() => {\n refreshPromise = null;\n });\n }\n // Don't await - fire and forget, use current (still valid) token\n }\n\n return creds;\n}\n\n/**\n * Start the credential injector proxy with optional lazy refresh.\n */\nexport async function startCredentialProxy(options: CredentialProxyOptions): Promise<CredentialProxyHandle> {\n const upstream = new URL(options.upstreamUrl);\n const useHttps = upstream.protocol === 'https:';\n const thresholdMs = options.refresh?.refreshThresholdMs ?? 60_000;\n\n // Store refresh config for lazy refresh\n refreshConfig = options.refresh ?? null;\n consecutiveFailures = 0;\n\n const server = http.createServer(async (req, res) => {\n await handleRequest(req, res, upstream, useHttps, thresholdMs);\n });\n\n // Find available port\n const port = await new Promise<number>((resolve, reject) => {\n const tryPort = options.port ?? 0; // 0 = random available port\n let attempts = 0;\n const maxAttempts = 10;\n\n const tryListen = (p: number) => {\n server.once('error', (err: NodeJS.ErrnoException) => {\n if (err.code === 'EADDRINUSE' && attempts < maxAttempts) {\n attempts++;\n tryListen(0); // Try random port\n } else {\n reject(err);\n }\n });\n\n server.listen(p, '127.0.0.1', () => {\n const addr = server.address();\n if (addr && typeof addr === 'object') {\n resolve(addr.port);\n } else {\n reject(new Error('Failed to get server address'));\n }\n });\n };\n\n tryListen(tryPort);\n });\n\n const url = `http://127.0.0.1:${port}`;\n logInfo(`[credential-proxy] Started on ${url}, forwarding to ${options.upstreamUrl}`);\n if (refreshConfig) {\n logInfo(`[credential-proxy] Lazy refresh enabled, threshold: ${thresholdMs}ms`);\n }\n\n // Telemetry for proxy start\n analytics.capture('installer.proxy', {\n action: 'start',\n port,\n refresh_enabled: !!refreshConfig,\n });\n\n return {\n port,\n url,\n stop: async () => {\n // Clear refresh state\n refreshConfig = null;\n refreshPromise = null;\n consecutiveFailures = 0;\n await stopServer(server);\n },\n };\n}\n\nasync function handleRequest(\n req: http.IncomingMessage,\n res: http.ServerResponse,\n upstream: URL,\n useHttps: boolean,\n thresholdMs: number,\n): Promise<void> {\n // Get valid credentials, potentially triggering refresh\n const creds = await ensureValidCredentials(thresholdMs);\n\n if (!creds?.accessToken) {\n logError('[credential-proxy] No credentials available');\n res.writeHead(401, { 'Content-Type': 'application/json' });\n res.end(\n JSON.stringify({\n error: 'credentials_unavailable',\n message: 'Not authenticated. Run `workos login` first.',\n }),\n );\n return;\n }\n\n // Build upstream request options\n // Concatenate paths properly - URL() would replace the base path with absolute paths\n const requestPath = req.url || '/';\n const basePath = upstream.pathname.replace(/\\/$/, ''); // Remove trailing slash\n const fullPath = basePath + requestPath;\n const upstreamUrl = new URL(fullPath, upstream.origin);\n\n const headers: http.OutgoingHttpHeaders = {};\n\n // Copy headers, excluding hop-by-hop headers\n const hopByHop = new Set([\n 'connection',\n 'keep-alive',\n 'proxy-authenticate',\n 'proxy-authorization',\n 'te',\n 'trailer',\n 'transfer-encoding',\n 'upgrade',\n ]);\n\n for (const [key, value] of Object.entries(req.headers)) {\n if (!hopByHop.has(key.toLowerCase()) && value !== undefined) {\n headers[key] = value;\n }\n }\n\n // Inject credentials\n headers['authorization'] = `Bearer ${creds.accessToken}`;\n headers['host'] = upstream.host;\n\n // Strip beta=true query param - WorkOS LLM gateway doesn't support it\n const searchParams = new URLSearchParams(upstreamUrl.search);\n searchParams.delete('beta');\n const queryString = searchParams.toString();\n const finalPath = upstreamUrl.pathname + (queryString ? `?${queryString}` : '');\n\n const requestOptions: http.RequestOptions = {\n hostname: upstream.hostname,\n port: upstream.port || (useHttps ? 443 : 80),\n path: finalPath,\n method: req.method,\n headers,\n timeout: 120_000, // 2 minute timeout\n };\n\n const transport = useHttps ? https : http;\n\n const proxyReq = transport.request(requestOptions, (proxyRes) => {\n // Copy response headers\n const responseHeaders: http.OutgoingHttpHeaders = {};\n for (const [key, value] of Object.entries(proxyRes.headers)) {\n if (!hopByHop.has(key.toLowerCase()) && value !== undefined) {\n responseHeaders[key] = value;\n }\n }\n\n res.writeHead(proxyRes.statusCode || 500, responseHeaders);\n proxyRes.pipe(res);\n });\n\n proxyReq.on('error', (err) => {\n logError('[credential-proxy] Upstream error:', err.message);\n\n if (!res.headersSent) {\n if ((err as NodeJS.ErrnoException).code === 'ECONNREFUSED') {\n res.writeHead(502, { 'Content-Type': 'application/json' });\n res.end(\n JSON.stringify({\n error: 'upstream_unavailable',\n message: 'Could not connect to upstream server',\n }),\n );\n } else if ((err as NodeJS.ErrnoException).code === 'ETIMEDOUT') {\n res.writeHead(504, { 'Content-Type': 'application/json' });\n res.end(\n JSON.stringify({\n error: 'upstream_timeout',\n message: 'Upstream server timed out',\n }),\n );\n } else {\n res.writeHead(502, { 'Content-Type': 'application/json' });\n res.end(\n JSON.stringify({\n error: 'proxy_error',\n message: err.message,\n }),\n );\n }\n }\n });\n\n proxyReq.on('timeout', () => {\n proxyReq.destroy();\n if (!res.headersSent) {\n res.writeHead(504, { 'Content-Type': 'application/json' });\n res.end(\n JSON.stringify({\n error: 'upstream_timeout',\n message: 'Upstream server timed out',\n }),\n );\n }\n });\n\n // Stream request body\n req.pipe(proxyReq);\n}\n\nfunction stopServer(server: http.Server): Promise<void> {\n return new Promise((resolve, reject) => {\n // Set a timeout for graceful shutdown\n const timeout = setTimeout(() => {\n logInfo('[credential-proxy] Force closing after timeout');\n server.closeAllConnections?.();\n resolve();\n }, 5000);\n\n server.close((err) => {\n clearTimeout(timeout);\n if (err) {\n logError('[credential-proxy] Error stopping server:', err);\n reject(err);\n } else {\n logInfo('[credential-proxy] Stopped');\n resolve();\n }\n });\n });\n}\n"]}

package/dist/{src/lib → lib}/credentials.d.ts RENAMED Viewed

@@ -9,6 +9,7 @@ export interface Credentials {
     userId: string;
     email?: string;
     staging?: StagingCache;
+    refreshToken?: string;
 }
 export declare function getCredentialsPath(): string;
 export declare function hasCredentials(): boolean;
@@ -39,3 +40,8 @@ export declare function getStagingCredentials(): {
     clientId: string;
     apiKey: string;
 } | null;
+/**
+ * Atomically update tokens in credentials file.
+ * Uses write-to-temp + rename pattern for atomic updates.
+ */
+export declare function updateTokens(accessToken: string, expiresAt: number, refreshToken?: string): void;

package/dist/{src/lib → lib}/credentials.js RENAMED Viewed

@@ -81,4 +81,37 @@ export function getStagingCredentials() {
         return null;
     return { clientId: creds.staging.clientId, apiKey: creds.staging.apiKey };
 }
+/**
+ * Atomically update tokens in credentials file.
+ * Uses write-to-temp + rename pattern for atomic updates.
+ */
+export function updateTokens(accessToken, expiresAt, refreshToken) {
+    const creds = getCredentials();
+    if (!creds) {
+        throw new Error('No existing credentials to update');
+    }
+    const updated = {
+        ...creds,
+        accessToken,
+        expiresAt,
+        ...(refreshToken && { refreshToken }),
+    };
+    // Atomic write: temp file + rename
+    const credPath = getCredentialsPath();
+    const tempPath = `${credPath}.${crypto.randomUUID()}.tmp`;
+    try {
+        fs.writeFileSync(tempPath, JSON.stringify(updated, null, 2), { mode: 0o600 });
+        fs.renameSync(tempPath, credPath);
+    }
+    catch (error) {
+        // Clean up temp file if rename failed
+        try {
+            fs.unlinkSync(tempPath);
+        }
+        catch {
+            // Ignore cleanup errors
+        }
+        throw error;
+    }
+}
 //# sourceMappingURL=credentials.js.map

package/dist/lib/credentials.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"credentials.js","sourceRoot":"","sources":["../../src/lib/credentials.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AAiBzB,SAAS,iBAAiB;IACxB,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,CAAC;AAC5C,CAAC;AAED,MAAM,UAAU,kBAAkB;IAChC,OAAO,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,EAAE,kBAAkB,CAAC,CAAC;AAC5D,CAAC;AAED,MAAM,UAAU,cAAc;IAC5B,OAAO,EAAE,CAAC,UAAU,CAAC,kBAAkB,EAAE,CAAC,CAAC;AAC7C,CAAC;AAED,MAAM,UAAU,cAAc;IAC5B,IAAI,CAAC,cAAc,EAAE;QAAE,OAAO,IAAI,CAAC;IACnC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,kBAAkB,EAAE,EAAE,OAAO,CAAC,CAAC;QAC/D,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,KAAkB;IAChD,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;IAChC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACtD,CAAC;IACD,EAAE,CAAC,aAAa,CAAC,kBAAkB,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;QACrE,IAAI,EAAE,KAAK;KACZ,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,gBAAgB;IAC9B,IAAI,cAAc,EAAE,EAAE,CAAC;QACrB,EAAE,CAAC,UAAU,CAAC,kBAAkB,EAAE,CAAC,CAAC;IACtC,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,KAAkB;IAC/C,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,KAAK,CAAC,SAAS,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc;IAC5B,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAC/B,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,IAAI,cAAc,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACvC,OAAO,KAAK,CAAC,WAAW,CAAC;AAC3B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAA6C;IAClF,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAC/B,IAAI,CAAC,KAAK;QAAE,OAAO;IAEnB,eAAe,CAAC;QACd,GAAG,KAAK;QACR,OAAO,EAAE;YACP,GAAG,OAAO;YACV,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB;KACF,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,qBAAqB;IACnC,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAC/B,IAAI,CAAC,KAAK,EAAE,OAAO;QAAE,OAAO,IAAI,CAAC;IACjC,2DAA2D;IAC3D,IAAI,cAAc,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACvC,OAAO,EAAE,QAAQ,EAAE,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;AAC5E,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,WAAmB,EAAE,SAAiB,EAAE,YAAqB;IACxF,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAC/B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACvD,CAAC;IAED,MAAM,OAAO,GAAgB;QAC3B,GAAG,KAAK;QACR,WAAW;QACX,SAAS;QACT,GAAG,CAAC,YAAY,IAAI,EAAE,YAAY,EAAE,CAAC;KACtC,CAAC;IAEF,mCAAmC;IACnC,MAAM,QAAQ,GAAG,kBAAkB,EAAE,CAAC;IACtC,MAAM,QAAQ,GAAG,GAAG,QAAQ,IAAI,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC;IAE1D,IAAI,CAAC;QACH,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC9E,EAAE,CAAC,UAAU,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IACpC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,sCAAsC;QACtC,IAAI,CAAC;YACH,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC","sourcesContent":["import fs from 'node:fs';\nimport path from 'node:path';\nimport os from 'node:os';\n\nexport interface StagingCache {\n clientId: string;\n apiKey: string;\n fetchedAt: number;\n}\n\nexport interface Credentials {\n accessToken: string;\n expiresAt: number;\n userId: string;\n email?: string;\n staging?: StagingCache;\n refreshToken?: string;\n}\n\nfunction getCredentialsDir(): string {\n return path.join(os.homedir(), '.workos');\n}\n\nexport function getCredentialsPath(): string {\n return path.join(getCredentialsDir(), 'credentials.json');\n}\n\nexport function hasCredentials(): boolean {\n return fs.existsSync(getCredentialsPath());\n}\n\nexport function getCredentials(): Credentials | null {\n if (!hasCredentials()) return null;\n try {\n const content = fs.readFileSync(getCredentialsPath(), 'utf-8');\n return JSON.parse(content);\n } catch {\n return null;\n }\n}\n\nexport function saveCredentials(creds: Credentials): void {\n const dir = getCredentialsDir();\n if (!fs.existsSync(dir)) {\n fs.mkdirSync(dir, { recursive: true, mode: 0o700 });\n }\n fs.writeFileSync(getCredentialsPath(), JSON.stringify(creds, null, 2), {\n mode: 0o600,\n });\n}\n\nexport function clearCredentials(): void {\n if (hasCredentials()) {\n fs.unlinkSync(getCredentialsPath());\n }\n}\n\n/**\n * Check if token is actually expired (hard expiry check).\n */\nexport function isTokenExpired(creds: Credentials): boolean {\n return Date.now() >= creds.expiresAt;\n}\n\n/**\n * Get access token if available and not expired.\n */\nexport function getAccessToken(): string | null {\n const creds = getCredentials();\n if (!creds) return null;\n if (isTokenExpired(creds)) return null;\n return creds.accessToken;\n}\n\n/**\n * Save staging credentials to the credential cache.\n * Staging credentials are tied to the access token lifecycle.\n */\nexport function saveStagingCredentials(staging: { clientId: string; apiKey: string }): void {\n const creds = getCredentials();\n if (!creds) return;\n\n saveCredentials({\n ...creds,\n staging: {\n ...staging,\n fetchedAt: Date.now(),\n },\n });\n}\n\n/**\n * Get cached staging credentials if available and access token is still valid.\n * Returns null if no cached credentials or if access token has expired.\n */\nexport function getStagingCredentials(): { clientId: string; apiKey: string } | null {\n const creds = getCredentials();\n if (!creds?.staging) return null;\n // Invalidate staging credentials when access token expires\n if (isTokenExpired(creds)) return null;\n return { clientId: creds.staging.clientId, apiKey: creds.staging.apiKey };\n}\n\n/**\n * Atomically update tokens in credentials file.\n * Uses write-to-temp + rename pattern for atomic updates.\n */\nexport function updateTokens(accessToken: string, expiresAt: number, refreshToken?: string): void {\n const creds = getCredentials();\n if (!creds) {\n throw new Error('No existing credentials to update');\n }\n\n const updated: Credentials = {\n ...creds,\n accessToken,\n expiresAt,\n ...(refreshToken && { refreshToken }),\n };\n\n // Atomic write: temp file + rename\n const credPath = getCredentialsPath();\n const tempPath = `${credPath}.${crypto.randomUUID()}.tmp`;\n\n try {\n fs.writeFileSync(tempPath, JSON.stringify(updated, null, 2), { mode: 0o600 });\n fs.renameSync(tempPath, credPath);\n } catch (error) {\n // Clean up temp file if rename failed\n try {\n fs.unlinkSync(tempPath);\n } catch {\n // Ignore cleanup errors\n }\n throw error;\n }\n}\n"]}

package/dist/{src/lib → lib}/device-auth.d.ts RENAMED Viewed

@@ -26,6 +26,7 @@ export interface DeviceAuthResult {
     expiresAt: number;
     userId: string;
     email?: string;
+    refreshToken?: string;
 }
 export declare class DeviceAuthError extends Error {
     constructor(message: string);

package/dist/{src/lib → lib}/device-auth.js RENAMED Viewed

@@ -12,7 +12,7 @@ export class DeviceAuthError extends Error {
     }
 }
 const DEFAULT_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes
-const DEFAULT_SCOPES = ['openid', 'email', 'staging-environment:credentials:read'];
+const DEFAULT_SCOPES = ['openid', 'email', 'staging-environment:credentials:read', 'offline_access'];
 function sleep(ms) {
     return new Promise((resolve) => setTimeout(resolve, ms));
 }
@@ -132,6 +132,7 @@ function parseTokenResponse(data) {
         expiresAt: jwtExpiry ?? (data.expires_in ? Date.now() + data.expires_in * 1000 : Date.now() + 15 * 60 * 1000),
         userId: String(idPayload?.sub ?? 'unknown'),
         email: idPayload?.email,
+        refreshToken: data.refresh_token,
     };
 }
 //# sourceMappingURL=device-auth.js.map

package/dist/lib/device-auth.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"device-auth.js","sourceRoot":"","sources":["../../src/lib/device-auth.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAyCtD,MAAM,OAAO,eAAgB,SAAQ,KAAK;IACxC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;CACF;AAED,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,YAAY;AACtD,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,OAAO,EAAE,sCAAsC,EAAE,gBAAgB,CAAC,CAAC;AAErG,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED;;GAEG;AACH,SAAS,QAAQ,CAAC,KAAa;IAC7B,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACpC,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IAC1E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,KAAa;IACjC,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAChC,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC7D,OAAO,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC;AAC5B,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,OAA0B;IAChE,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,cAAc,CAAC;IAChD,MAAM,GAAG,GAAG,GAAG,OAAO,CAAC,aAAa,8BAA8B,CAAC;IAEnE,OAAO,CAAC,4CAA4C,EAAE,GAAG,CAAC,CAAC;IAC3D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAC3B,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI,EAAE,IAAI,eAAe,CAAC;YACxB,SAAS,EAAE,OAAO,CAAC,QAAQ;YAC3B,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;SACxB,CAAC;KACH,CAAC,CAAC;IAEH,OAAO,CAAC,4CAA4C,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAClE,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,QAAQ,CAAC,4CAA4C,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QACzE,MAAM,IAAI,eAAe,CAAC,gCAAgC,GAAG,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;IAClF,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAuB,CAAC;IACtD,OAAO,CAAC,gDAAgD,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;IAC1E,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,UAAkB,EAClB,OAAiD;IAEjD,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,kBAAkB,CAAC;IAC1D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,IAAI,YAAY,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IAC3C,MAAM,QAAQ,GAAG,GAAG,OAAO,CAAC,aAAa,eAAe,CAAC;IAEzD,OAAO,CAAC,gDAAgD,EAAE,SAAS,CAAC,CAAC;IACrE,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,SAAS,EAAE,CAAC;QAC1C,MAAM,KAAK,CAAC,YAAY,CAAC,CAAC;QAC1B,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;QAEnB,IAAI,GAAa,CAAC;QAClB,IAAI,CAAC;YACH,GAAG,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;gBAC1B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;gBAChE,IAAI,EAAE,IAAI,eAAe,CAAC;oBACxB,UAAU,EAAE,8CAA8C;oBAC1D,WAAW,EAAE,UAAU;oBACvB,SAAS,EAAE,OAAO,CAAC,QAAQ;iBAC5B,CAAC;aACH,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,kDAAkD,CAAC,CAAC;YAC5D,SAAS;QACX,CAAC;QAED,IAAI,IAAI,CAAC;QACT,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACP,QAAQ,CAAC,sDAAsD,CAAC,CAAC;YACjE,MAAM,IAAI,eAAe,CAAC,mCAAmC,CAAC,CAAC;QACjE,CAAC;QAED,OAAO,CAAC,oCAAoC,EAAE,GAAG,CAAC,MAAM,EAAG,IAA0B,EAAE,KAAK,IAAI,SAAS,CAAC,CAAC;QAC3G,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;YACX,OAAO,CAAC,2CAA2C,CAAC,CAAC;YACrD,OAAO,kBAAkB,CAAC,IAAqB,CAAC,CAAC;QACnD,CAAC;QAED,MAAM,SAAS,GAAG,IAAyB,CAAC;QAE5C,IAAI,SAAS,CAAC,KAAK,KAAK,uBAAuB,EAAE,CAAC;YAChD,SAAS;QACX,CAAC;QAED,IAAI,SAAS,CAAC,KAAK,KAAK,WAAW,EAAE,CAAC;YACpC,YAAY,IAAI,IAAI,CAAC;YACrB,OAAO,CAAC,2CAA2C,EAAE,YAAY,CAAC,CAAC;YACnE,OAAO,CAAC,UAAU,EAAE,CAAC,YAAY,CAAC,CAAC;YACnC,SAAS;QACX,CAAC;QAED,QAAQ,CAAC,4BAA4B,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC;QACxD,MAAM,IAAI,eAAe,CAAC,gBAAgB,SAAS,CAAC,KAAK,EAAE,CAAC,CAAC;IAC/D,CAAC;IAED,QAAQ,CAAC,wCAAwC,CAAC,CAAC;IACnD,MAAM,IAAI,eAAe,CAAC,0CAA0C,CAAC,CAAC;AACxE,CAAC;AAED,SAAS,kBAAkB,CAAC,IAAmB;IAC7C,MAAM,SAAS,GAAG,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAElD,OAAO;QACL,WAAW,EAAE,IAAI,CAAC,YAAY;QAC9B,OAAO,EAAE,IAAI,CAAC,QAAQ;QACtB,SAAS,EAAE,SAAS,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QAC7G,MAAM,EAAE,MAAM,CAAC,SAAS,EAAE,GAAG,IAAI,SAAS,CAAC;QAC3C,KAAK,EAAE,SAAS,EAAE,KAA2B;QAC7C,YAAY,EAAE,IAAI,CAAC,aAAa;KACjC,CAAC;AACJ,CAAC","sourcesContent":["/**\n * Device Authorization Flow\n *\n * Implements OAuth 2.0 Device Authorization Grant (RFC 8628) for CLI authentication.\n * Extracted from login.ts for reuse in wizard credential gathering.\n */\n\nimport { logInfo, logError } from '../utils/debug.js';\n\nexport interface DeviceAuthResponse {\n device_code: string;\n user_code: string;\n verification_uri: string;\n verification_uri_complete: string;\n expires_in: number;\n interval: number;\n}\n\nexport interface DeviceAuthOptions {\n clientId: string;\n authkitDomain: string;\n scopes?: string[];\n timeoutMs?: number;\n onPoll?: () => void;\n onSlowDown?: (newIntervalMs: number) => void;\n}\n\nexport interface DeviceAuthResult {\n accessToken: string;\n idToken: string;\n expiresAt: number;\n userId: string;\n email?: string;\n refreshToken?: string;\n}\n\ninterface TokenResponse {\n access_token: string;\n id_token: string;\n token_type: string;\n expires_in: number;\n refresh_token?: string;\n}\n\ninterface AuthErrorResponse {\n error: string;\n}\n\nexport class DeviceAuthError extends Error {\n constructor(message: string) {\n super(message);\n this.name = 'DeviceAuthError';\n }\n}\n\nconst DEFAULT_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes\nconst DEFAULT_SCOPES = ['openid', 'email', 'staging-environment:credentials:read', 'offline_access'];\n\nfunction sleep(ms: number): Promise<void> {\n return new Promise((resolve) => setTimeout(resolve, ms));\n}\n\n/**\n * Parse JWT payload\n */\nfunction parseJwt(token: string): Record<string, unknown> | null {\n try {\n const parts = token.split('.');\n if (parts.length !== 3) return null;\n return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf-8'));\n } catch {\n return null;\n }\n}\n\n/**\n * Extract expiry time from JWT token\n */\nfunction getJwtExpiry(token: string): number | null {\n const payload = parseJwt(token);\n if (!payload || typeof payload.exp !== 'number') return null;\n return payload.exp * 1000;\n}\n\n/**\n * Request a device code from the OAuth authorization server.\n * Returns the device code, user code, and verification URIs.\n */\nexport async function requestDeviceCode(options: DeviceAuthOptions): Promise<DeviceAuthResponse> {\n const scopes = options.scopes ?? DEFAULT_SCOPES;\n const url = `${options.authkitDomain}/oauth2/device_authorization`;\n\n logInfo('[device-auth] Requesting device code from:', url);\n const res = await fetch(url, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: new URLSearchParams({\n client_id: options.clientId,\n scope: scopes.join(' '),\n }),\n });\n\n logInfo('[device-auth] Device code response status:', res.status);\n if (!res.ok) {\n const text = await res.text();\n logError('[device-auth] Device authorization failed:', res.status, text);\n throw new DeviceAuthError(`Device authorization failed: ${res.status} ${text}`);\n }\n\n const data = (await res.json()) as DeviceAuthResponse;\n logInfo('[device-auth] Device code received, user_code:', data.user_code);\n return data;\n}\n\n/**\n * Poll for token after user has authorized in the browser.\n * Handles authorization_pending and slow_down responses per RFC 8628.\n */\nexport async function pollForToken(\n deviceCode: string,\n options: DeviceAuthOptions & { interval: number },\n): Promise<DeviceAuthResult> {\n const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;\n const startTime = Date.now();\n let pollInterval = options.interval * 1000;\n const tokenUrl = `${options.authkitDomain}/oauth2/token`;\n\n logInfo('[device-auth] Starting token polling, timeout:', timeoutMs);\n while (Date.now() - startTime < timeoutMs) {\n await sleep(pollInterval);\n options.onPoll?.();\n\n let res: Response;\n try {\n res = await fetch(tokenUrl, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: new URLSearchParams({\n grant_type: 'urn:ietf:params:oauth:grant-type:device_code',\n device_code: deviceCode,\n client_id: options.clientId,\n }),\n });\n } catch (err) {\n logInfo('[device-auth] Token poll network error, retrying');\n continue;\n }\n\n let data;\n try {\n data = await res.json();\n } catch {\n logError('[device-auth] Invalid JSON response from auth server');\n throw new DeviceAuthError('Invalid response from auth server');\n }\n\n logInfo('[device-auth] Token poll response:', res.status, (data as AuthErrorResponse)?.error ?? 'success');\n if (res.ok) {\n logInfo('[device-auth] Token received successfully');\n return parseTokenResponse(data as TokenResponse);\n }\n\n const errorData = data as AuthErrorResponse;\n\n if (errorData.error === 'authorization_pending') {\n continue;\n }\n\n if (errorData.error === 'slow_down') {\n pollInterval += 5000;\n logInfo('[device-auth] Slowing down, new interval:', pollInterval);\n options.onSlowDown?.(pollInterval);\n continue;\n }\n\n logError('[device-auth] Token error:', errorData.error);\n throw new DeviceAuthError(`Token error: ${errorData.error}`);\n }\n\n logError('[device-auth] Authentication timed out');\n throw new DeviceAuthError('Authentication timed out after 5 minutes');\n}\n\nfunction parseTokenResponse(data: TokenResponse): DeviceAuthResult {\n const idPayload = parseJwt(data.id_token);\n const jwtExpiry = getJwtExpiry(data.access_token);\n\n return {\n accessToken: data.access_token,\n idToken: data.id_token,\n expiresAt: jwtExpiry ?? (data.expires_in ? Date.now() + data.expires_in * 1000 : Date.now() + 15 * 60 * 1000),\n userId: String(idPayload?.sub ?? 'unknown'),\n email: idPayload?.email as string | undefined,\n refreshToken: data.refresh_token,\n };\n}\n"]}

package/dist/lib/ensure-auth.d.ts ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+ * Startup auth guard - ensures valid authentication before command execution.
+ */
+export interface EnsureAuthResult {
+    /** Whether auth is now valid */
+    authenticated: boolean;
+    /** Whether login flow was triggered */
+    loginTriggered: boolean;
+    /** Whether token was refreshed */
+    tokenRefreshed: boolean;
+}
+/**
+ * Ensure valid authentication before command execution.
+ *
+ * - No credentials: triggers login flow
+ * - Expired access token (valid refresh): silently refreshes
+ * - Expired refresh token: triggers login flow
+ *
+ * @returns Result indicating what actions were taken
+ * @throws Error if login fails or refresh fails unexpectedly
+ */
+export declare function ensureAuthenticated(): Promise<EnsureAuthResult>;

package/dist/lib/ensure-auth.js ADDED Viewed

@@ -0,0 +1,83 @@
+/**
+ * Startup auth guard - ensures valid authentication before command execution.
+ */
+import { getCredentials, updateTokens, hasCredentials, isTokenExpired } from './credentials.js';
+import { refreshAccessToken } from './token-refresh-client.js';
+import { getCliAuthClientId, getAuthkitDomain } from './settings.js';
+import { runLogin } from '../commands/login.js';
+import { logInfo } from '../utils/debug.js';
+/**
+ * Ensure valid authentication before command execution.
+ *
+ * - No credentials: triggers login flow
+ * - Expired access token (valid refresh): silently refreshes
+ * - Expired refresh token: triggers login flow
+ *
+ * @returns Result indicating what actions were taken
+ * @throws Error if login fails or refresh fails unexpectedly
+ */
+export async function ensureAuthenticated() {
+    const result = {
+        authenticated: false,
+        loginTriggered: false,
+        tokenRefreshed: false,
+    };
+    // Case 1: No credentials at all
+    if (!hasCredentials()) {
+        logInfo('[ensure-auth] No credentials found, triggering login');
+        await runLogin();
+        result.loginTriggered = true;
+        result.authenticated = hasCredentials();
+        return result;
+    }
+    const creds = getCredentials();
+    if (!creds) {
+        // Credentials file exists but is invalid/empty
+        logInfo('[ensure-auth] Invalid credentials file, triggering login');
+        await runLogin();
+        result.loginTriggered = true;
+        result.authenticated = hasCredentials();
+        return result;
+    }
+    // Case 2: Access token still valid
+    if (!isTokenExpired(creds)) {
+        result.authenticated = true;
+        return result;
+    }
+    // Case 3: Access token expired, try refresh
+    if (creds.refreshToken) {
+        logInfo('[ensure-auth] Access token expired, attempting refresh');
+        const clientId = getCliAuthClientId();
+        const authkitDomain = getAuthkitDomain();
+        if (clientId && authkitDomain) {
+            const refreshResult = await refreshAccessToken(authkitDomain, clientId);
+            if (refreshResult.success && refreshResult.accessToken && refreshResult.expiresAt) {
+                updateTokens(refreshResult.accessToken, refreshResult.expiresAt, refreshResult.refreshToken);
+                result.tokenRefreshed = true;
+                result.authenticated = true;
+                return result;
+            }
+            // Refresh failed - check if it's recoverable
+            if (refreshResult.errorType === 'invalid_grant') {
+                logInfo('[ensure-auth] Refresh token expired, triggering login');
+                await runLogin();
+                result.loginTriggered = true;
+                result.authenticated = hasCredentials();
+                return result;
+            }
+            // Network or server error - try login as fallback
+            logInfo(`[ensure-auth] Refresh failed (${refreshResult.errorType}), triggering login`);
+            await runLogin();
+            result.loginTriggered = true;
+            result.authenticated = hasCredentials();
+            return result;
+        }
+    }
+    // Case 4: No refresh token available, must login
+    logInfo('[ensure-auth] No refresh token, triggering login');
+    await runLogin();
+    result.loginTriggered = true;
+    result.authenticated = hasCredentials();
+    return result;
+}
+//# sourceMappingURL=ensure-auth.js.map

package/dist/lib/ensure-auth.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"ensure-auth.js","sourceRoot":"","sources":["../../src/lib/ensure-auth.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAChG,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACrE,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAW5C;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB;IACvC,MAAM,MAAM,GAAqB;QAC/B,aAAa,EAAE,KAAK;QACpB,cAAc,EAAE,KAAK;QACrB,cAAc,EAAE,KAAK;KACtB,CAAC;IAEF,gCAAgC;IAChC,IAAI,CAAC,cAAc,EAAE,EAAE,CAAC;QACtB,OAAO,CAAC,sDAAsD,CAAC,CAAC;QAChE,MAAM,QAAQ,EAAE,CAAC;QACjB,MAAM,CAAC,cAAc,GAAG,IAAI,CAAC;QAC7B,MAAM,CAAC,aAAa,GAAG,cAAc,EAAE,CAAC;QACxC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAC/B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,+CAA+C;QAC/C,OAAO,CAAC,0DAA0D,CAAC,CAAC;QACpE,MAAM,QAAQ,EAAE,CAAC;QACjB,MAAM,CAAC,cAAc,GAAG,IAAI,CAAC;QAC7B,MAAM,CAAC,aAAa,GAAG,cAAc,EAAE,CAAC;QACxC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,mCAAmC;IACnC,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;QAC3B,MAAM,CAAC,aAAa,GAAG,IAAI,CAAC;QAC5B,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,4CAA4C;IAC5C,IAAI,KAAK,CAAC,YAAY,EAAE,CAAC;QACvB,OAAO,CAAC,wDAAwD,CAAC,CAAC;QAElE,MAAM,QAAQ,GAAG,kBAAkB,EAAE,CAAC;QACtC,MAAM,aAAa,GAAG,gBAAgB,EAAE,CAAC;QAEzC,IAAI,QAAQ,IAAI,aAAa,EAAE,CAAC;YAC9B,MAAM,aAAa,GAAG,MAAM,kBAAkB,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;YAExE,IAAI,aAAa,CAAC,OAAO,IAAI,aAAa,CAAC,WAAW,IAAI,aAAa,CAAC,SAAS,EAAE,CAAC;gBAClF,YAAY,CAAC,aAAa,CAAC,WAAW,EAAE,aAAa,CAAC,SAAS,EAAE,aAAa,CAAC,YAAY,CAAC,CAAC;gBAC7F,MAAM,CAAC,cAAc,GAAG,IAAI,CAAC;gBAC7B,MAAM,CAAC,aAAa,GAAG,IAAI,CAAC;gBAC5B,OAAO,MAAM,CAAC;YAChB,CAAC;YAED,6CAA6C;YAC7C,IAAI,aAAa,CAAC,SAAS,KAAK,eAAe,EAAE,CAAC;gBAChD,OAAO,CAAC,uDAAuD,CAAC,CAAC;gBACjE,MAAM,QAAQ,EAAE,CAAC;gBACjB,MAAM,CAAC,cAAc,GAAG,IAAI,CAAC;gBAC7B,MAAM,CAAC,aAAa,GAAG,cAAc,EAAE,CAAC;gBACxC,OAAO,MAAM,CAAC;YAChB,CAAC;YAED,kDAAkD;YAClD,OAAO,CAAC,iCAAiC,aAAa,CAAC,SAAS,qBAAqB,CAAC,CAAC;YACvF,MAAM,QAAQ,EAAE,CAAC;YACjB,MAAM,CAAC,cAAc,GAAG,IAAI,CAAC;YAC7B,MAAM,CAAC,aAAa,GAAG,cAAc,EAAE,CAAC;YACxC,OAAO,MAAM,CAAC;QAChB,CAAC;IACH,CAAC;IAED,iDAAiD;IACjD,OAAO,CAAC,kDAAkD,CAAC,CAAC;IAC5D,MAAM,QAAQ,EAAE,CAAC;IACjB,MAAM,CAAC,cAAc,GAAG,IAAI,CAAC;IAC7B,MAAM,CAAC,aAAa,GAAG,cAAc,EAAE,CAAC;IACxC,OAAO,MAAM,CAAC;AAChB,CAAC","sourcesContent":["/**\n * Startup auth guard - ensures valid authentication before command execution.\n */\n\nimport { getCredentials, updateTokens, hasCredentials, isTokenExpired } from './credentials.js';\nimport { refreshAccessToken } from './token-refresh-client.js';\nimport { getCliAuthClientId, getAuthkitDomain } from './settings.js';\nimport { runLogin } from '../commands/login.js';\nimport { logInfo } from '../utils/debug.js';\n\nexport interface EnsureAuthResult {\n /** Whether auth is now valid */\n authenticated: boolean;\n /** Whether login flow was triggered */\n loginTriggered: boolean;\n /** Whether token was refreshed */\n tokenRefreshed: boolean;\n}\n\n/**\n * Ensure valid authentication before command execution.\n *\n * - No credentials: triggers login flow\n * - Expired access token (valid refresh): silently refreshes\n * - Expired refresh token: triggers login flow\n *\n * @returns Result indicating what actions were taken\n * @throws Error if login fails or refresh fails unexpectedly\n */\nexport async function ensureAuthenticated(): Promise<EnsureAuthResult> {\n const result: EnsureAuthResult = {\n authenticated: false,\n loginTriggered: false,\n tokenRefreshed: false,\n };\n\n // Case 1: No credentials at all\n if (!hasCredentials()) {\n logInfo('[ensure-auth] No credentials found, triggering login');\n await runLogin();\n result.loginTriggered = true;\n result.authenticated = hasCredentials();\n return result;\n }\n\n const creds = getCredentials();\n if (!creds) {\n // Credentials file exists but is invalid/empty\n logInfo('[ensure-auth] Invalid credentials file, triggering login');\n await runLogin();\n result.loginTriggered = true;\n result.authenticated = hasCredentials();\n return result;\n }\n\n // Case 2: Access token still valid\n if (!isTokenExpired(creds)) {\n result.authenticated = true;\n return result;\n }\n\n // Case 3: Access token expired, try refresh\n if (creds.refreshToken) {\n logInfo('[ensure-auth] Access token expired, attempting refresh');\n\n const clientId = getCliAuthClientId();\n const authkitDomain = getAuthkitDomain();\n\n if (clientId && authkitDomain) {\n const refreshResult = await refreshAccessToken(authkitDomain, clientId);\n\n if (refreshResult.success && refreshResult.accessToken && refreshResult.expiresAt) {\n updateTokens(refreshResult.accessToken, refreshResult.expiresAt, refreshResult.refreshToken);\n result.tokenRefreshed = true;\n result.authenticated = true;\n return result;\n }\n\n // Refresh failed - check if it's recoverable\n if (refreshResult.errorType === 'invalid_grant') {\n logInfo('[ensure-auth] Refresh token expired, triggering login');\n await runLogin();\n result.loginTriggered = true;\n result.authenticated = hasCredentials();\n return result;\n }\n\n // Network or server error - try login as fallback\n logInfo(`[ensure-auth] Refresh failed (${refreshResult.errorType}), triggering login`);\n await runLogin();\n result.loginTriggered = true;\n result.authenticated = hasCredentials();\n return result;\n }\n }\n\n // Case 4: No refresh token available, must login\n logInfo('[ensure-auth] No refresh token, triggering login');\n await runLogin();\n result.loginTriggered = true;\n result.authenticated = hasCredentials();\n return result;\n}\n"]}

package/dist/lib/env-writer.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"env-writer.js","sourceRoot":"","sources":["../../src/lib/env-writer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,IAAI,CAAC;AAC7D,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAUtD;;;;GAIG;AACH,SAAS,sBAAsB;IAC7B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAC9B,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AAClF,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,UAAkB,EAAE,OAAyB;IACzE,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;IAE/C,+BAA+B;IAC/B,IAAI,WAAW,GAA2B,EAAE,CAAC;IAC7C,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACxB,MAAM,OAAO,GAAG,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAC/C,WAAW,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IACtC,CAAC;IAED,iDAAiD;IACjD,MAAM,MAAM,GAAG,EAAE,GAAG,WAAW,EAAE,GAAG,OAAO,EAAE,CAAC;IAE9C,2CAA2C;IAC3C,IAAI,CAAC,MAAM,CAAC,sBAAsB,EAAE,CAAC;QACnC,MAAM,CAAC,sBAAsB,GAAG,sBAAsB,EAAE,CAAC;IAC3D,CAAC;IAED,aAAa;IACb,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC;SACnC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC;SACxC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,aAAa,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAAC,CAAC;AACzC,CAAC","sourcesContent":["import { existsSync, readFileSync, writeFileSync } from 'fs';\nimport { join } from 'path';\nimport { parseEnvFile } from '../utils/env-parser.js';\n\ninterface EnvVars {\n WORKOS_API_KEY?: string;\n WORKOS_CLIENT_ID: string;\n WORKOS_REDIRECT_URI?: string;\n NEXT_PUBLIC_WORKOS_REDIRECT_URI?: string;\n WORKOS_COOKIE_PASSWORD?: string;\n}\n\n/**\n * Generate a cryptographically secure cookie password.\n * Returns 32-char hex string (16 random bytes).\n * Uses Web Crypto API available in Node.js 20+\n */\nfunction generateCookiePassword(): string {\n const array = new Uint8Array(16);\n crypto.getRandomValues(array);\n return Array.from(array, (byte) => byte.toString(16).padStart(2, '0')).join('');\n}\n\n/**\n * Write environment variables to .env.local before agent runs.\n * Merges with existing .env.local if present (new vars take precedence).\n * Auto-generates WORKOS_COOKIE_PASSWORD if not provided.\n */\nexport function writeEnvLocal(installDir: string, envVars: Partial<EnvVars>): void {\n const envPath = join(installDir, '.env.local');\n\n // Read existing env if present\n let existingEnv: Record<string, string> = {};\n if (existsSync(envPath)) {\n const content = readFileSync(envPath, 'utf-8');\n existingEnv = parseEnvFile(content);\n }\n\n // Merge with new vars (new vars take precedence)\n const merged = { ...existingEnv, ...envVars };\n\n // Generate cookie password if not provided\n if (!merged.WORKOS_COOKIE_PASSWORD) {\n merged.WORKOS_COOKIE_PASSWORD = generateCookiePassword();\n }\n\n // Write back\n const content = Object.entries(merged)\n .map(([key, value]) => `${key}=${value}`)\n .join('\\n');\n\n writeFileSync(envPath, content + '\\n');\n}\n"]}

package/dist/{src/lib → lib}/events.d.ts RENAMED Viewed

@@ -1,5 +1,5 @@
 import { EventEmitter } from 'events';
-export interface WizardEvents {
+export interface InstallerEvents {
     status: {
         message: string;
     };
@@ -179,11 +179,11 @@ export interface WizardEvents {
         instructions: string;
     };
 }
-export type WizardEventName = keyof WizardEvents;
-export declare class WizardEventEmitter extends EventEmitter {
-    emit<K extends WizardEventName>(event: K, payload: WizardEvents[K]): boolean;
-    on<K extends WizardEventName>(event: K, listener: (payload: WizardEvents[K]) => void): this;
-    off<K extends WizardEventName>(event: K, listener: (payload: WizardEvents[K]) => void): this;
-    once<K extends WizardEventName>(event: K, listener: (payload: WizardEvents[K]) => void): this;
+export type InstallerEventName = keyof InstallerEvents;
+export declare class InstallerEventEmitter extends EventEmitter {
+    emit<K extends InstallerEventName>(event: K, payload: InstallerEvents[K]): boolean;
+    on<K extends InstallerEventName>(event: K, listener: (payload: InstallerEvents[K]) => void): this;
+    off<K extends InstallerEventName>(event: K, listener: (payload: InstallerEvents[K]) => void): this;
+    once<K extends InstallerEventName>(event: K, listener: (payload: InstallerEvents[K]) => void): this;
 }
-export declare function createWizardEventEmitter(): WizardEventEmitter;
+export declare function createInstallerEventEmitter(): InstallerEventEmitter;

package/dist/{src/lib → lib}/events.js RENAMED Viewed

@@ -1,5 +1,5 @@
 import { EventEmitter } from 'events';
-export class WizardEventEmitter extends EventEmitter {
+export class InstallerEventEmitter extends EventEmitter {
     emit(event, payload) {
         return super.emit(event, payload);
     }
@@ -13,7 +13,7 @@ export class WizardEventEmitter extends EventEmitter {
         return super.once(event, listener);
     }
 }
-export function createWizardEventEmitter() {
-    return new WizardEventEmitter();
+export function createInstallerEventEmitter() {
+    return new InstallerEventEmitter();
 }
 //# sourceMappingURL=events.js.map