fix: ensuring org user has its own setup configured (#482)

* fix: ensuring org user has its own setup configured

* fix: removing unused auth access token from env

* chore: promoting single env var usage for ci tokens

* chore: token provision now accepts either orgId or previousToken

* chore: removing back auth/user-setup feature-flags

Author: v3nant

.envrc.example

@@ -16,17 +16,8 @@ export OAUTH_CLIENT_ID='';
 # export IAM_HOST='https://apps.herodevs.io/api/iam';
 # export IAM_PATH='/graphql';
 
-# Auth toggles (optional; both default false)
-# export ENABLE_AUTH='true';
-# export ENABLE_USER_SETUP='true';
-
-# CI token (for headless flows)
-# HD_ORG_ID: required when using HD_AUTH_TOKEN; also stored when provisioning
-# HD_AUTH_TOKEN: refresh token from provision; exchanged for access token
-# HD_ACCESS_TOKEN: direct access token (skips exchange)
-# export HD_ORG_ID='1234';
-# export HD_AUTH_TOKEN='<long-lived-refresh-token>';
-# export HD_ACCESS_TOKEN='<access-token>';
+# CI credential (for headless flows):
+# export HD_CI_CREDENTIAL='<long-lived-refresh-token>';
 
 # Performance (optional)
 # export CONCURRENT_PAGE_REQUESTS='3';

README.md

@@ -357,32 +357,31 @@ hd auth login
 hd auth provision-ci-token
 ```
 
-Copy the token output, add as CI secrets: `HD_AUTH_TOKEN` and `HD_ORG_ID` (orgId is obtained from user setup and stored at provision time when using locally).
+Copy the token output, add as CI secret: `HD_CI_CREDENTIAL`
 
-**CI pipeline (headless):** Run `hd scan eol` directly with `HD_AUTH_TOKEN` and `HD_ORG_ID` set. The CLI exchanges the token for an access token automatically:
+**CI pipeline (headless):** Run `hd scan eol` directly with `HD_CI_CREDENTIAL` set. The CLI exchanges the token for an access token automatically:
 
 ```bash
-export HD_ORG_ID=<id> HD_AUTH_TOKEN="<token>"
+export HD_CI_CREDENTIAL="<token>"
 hd scan eol --dir .
 ```
 
 | Secret / Env Var | Purpose |
 |------------------|---------|
-| `HD_AUTH_TOKEN` | Long-lived refresh token from provision |
-| `HD_ORG_ID` | Organization ID (required when using HD_AUTH_TOKEN; also stored at provision time when using local file) |
+| `HD_CI_CREDENTIAL` | Refresh token from provision; exchanged for access token |
 
 #### Local testing
 
 Reproduce the CI flow locally:
 
 ```bash
-export HD_ORG_ID=1234 HD_AUTH_TOKEN="eyJ..."
+export HD_CI_CREDENTIAL="<token-from-provision>"
 hd scan eol --dir /path/to/project
 ```
 
 #### GitHub Actions (authenticated scan)
 
-Add secrets `HD_AUTH_TOKEN` and `HD_ORG_ID` in your repository or organization, then:
+Add secret `HD_CI_CREDENTIAL` in your repository or organization, then:
 
 ```yaml
 - uses: actions/checkout@v5
@@ -391,21 +390,19 @@ Add secrets `HD_AUTH_TOKEN` and `HD_ORG_ID` in your repository or organization,
     node-version: '24'
 - name: Run EOL Scan
   env:
-    HD_ORG_ID: ${{ secrets.HD_ORG_ID }}
-    HD_AUTH_TOKEN: ${{ secrets.HD_AUTH_TOKEN }}
+    HD_CI_CREDENTIAL: ${{ secrets.HD_CI_CREDENTIAL }}
   run: npx @herodevs/cli@beta scan eol -s
 ```
 
 #### GitLab CI (authenticated scan)
 
-Add CI/CD variables `HD_AUTH_TOKEN` and `HD_ORG_ID` (masked) in your project:
+Add CI/CD variable `HD_CI_CREDENTIAL` (masked) in your project:
 
 ```yaml
 eol-scan:
   image: node:24
   variables:
-    HD_ORG_ID: $HD_ORG_ID
-    HD_AUTH_TOKEN: $HD_AUTH_TOKEN
+    HD_CI_CREDENTIAL: $HD_CI_CREDENTIAL
   script:
     - npx @herodevs/cli@beta scan eol -s
   artifacts:

src/api/apollo.client.ts

@@ -1,5 +1,4 @@
 import { ApolloClient, HttpLink, InMemoryCache } from '@apollo/client/core';
-import { config } from '../config/constants.ts';
 import { requireAccessTokenForScan } from '../service/auth.svc.ts';
 
 export type TokenProvider = (forceRefresh?: boolean) => Promise<string>;
@@ -28,17 +27,14 @@ const createAuthorizedFetch =
   async (input, init) => {
     const headers = new Headers(init?.headers);
 
-    if (config.enableAuth) {
-      const token = await tokenProvider();
-      if (token) {
-        headers.set('Authorization', `Bearer ${token}`);
-      }
+    const token = await tokenProvider();
+    if (token) {
+      headers.set('Authorization', `Bearer ${token}`);
     }
 
     const response = await fetch(input, { ...init, headers });
 
     if (
-      config.enableAuth &&
       response.status === 401 &&
       !isTokenEndpoint(input) &&
       (init?.method === 'GET' || init?.method === undefined || init?.method === 'POST')

src/api/ci-token.client.ts

@@ -1,7 +1,6 @@
 import type { GraphQLFormattedError } from 'graphql';
 import { config } from '../config/constants.ts';
 import { requireAccessToken } from '../service/auth.svc.ts';
-import { isAccessTokenExpired } from '../service/auth-token.svc.ts';
 import { debugLogger } from '../service/log.svc.ts';
 import { createApollo } from './apollo.client.ts';
 import { ApiError, type ApiErrorCode, isApiErrorCode } from './errors.ts';
@@ -12,26 +11,16 @@ const graphqlUrl = `${config.iamHost}${config.iamPath}`;
 
 const noAuthTokenProvider = async (): Promise<string> => '';
 
-function createOptionalTokenProvider(token?: string) {
-  return async (): Promise<string> => {
-    if (token && !isAccessTokenExpired(token)) {
-      return token;
-    }
-    return '';
-  };
-}
-
-export interface IamAccessOrgTokensInput {
-  orgId: number | null;
-  previousToken: string | null;
-}
+export type IamAccessOrgTokensInput =
+  | { orgId: number; previousToken?: never }
+  | { orgId?: never; previousToken: string };
 
 export interface ProvisionCITokenResponse {
   refresh_token: string;
 }
 
 export interface ProvisionCITokenOptions {
-  orgId?: number | null;
+  orgId?: number;
   previousToken?: string | null;
 }
 
@@ -130,23 +119,25 @@ async function callGetOrgAccessTokensInternal(
 
 export interface ExchangeCITokenOptions {
   refreshToken: string;
-  orgId: number;
-  optionalAccessToken?: string;
 }
 
 export async function exchangeCITokenForAccess(
   options: ExchangeCITokenOptions,
 ): Promise<{ accessToken: string; refreshToken: string }> {
-  const { refreshToken, orgId, optionalAccessToken } = options;
-  const tokenProvider = createOptionalTokenProvider(optionalAccessToken);
-  return callGetOrgAccessTokensInternal({ orgId, previousToken: refreshToken }, tokenProvider);
+  const { refreshToken } = options;
+  return callGetOrgAccessTokensInternal({ previousToken: refreshToken }, noAuthTokenProvider);
 }
 
 export async function provisionCIToken(options: ProvisionCITokenOptions = {}): Promise<ProvisionCITokenResponse> {
-  const { orgId = null, previousToken = null } = options;
-  const result = await getOrgAccessTokens({
-    orgId,
-    previousToken,
-  });
+  const { orgId, previousToken } = options;
+  let input: IamAccessOrgTokensInput;
+  if (previousToken != null && previousToken !== '') {
+    input = { previousToken };
+  } else if (orgId != null) {
+    input = { orgId };
+  } else {
+    throw new Error('Either orgId or previousToken is required to provision a CI token');
+  }
+  const result = await getOrgAccessTokens(input);
   return { refresh_token: result.refreshToken };
 }

src/api/user-setup.client.ts

@@ -38,7 +38,7 @@ function extractErrorCode(errors: ReadonlyArray<GraphQLFormattedError>): ApiErro
 
 function getTokenProvider(preferOAuth?: boolean) {
   if (preferOAuth) return requireAccessToken;
-  if (getCIToken() || config.accessTokenFromEnv) return requireAccessTokenForScan;
+  if (getCIToken()) return requireAccessTokenForScan;
   return requireAccessToken;
 }
 

src/commands/auth/login.ts

@@ -4,7 +4,6 @@ import { createInterface } from 'node:readline';
 import { URL } from 'node:url';
 import { Command } from '@oclif/core';
 import { ensureUserSetup } from '../../api/user-setup.client.ts';
-import { config } from '../../config/constants.ts';
 import { persistTokenResponse } from '../../service/auth.svc.ts';
 import { getClientId, getRealmUrl } from '../../service/auth-config.svc.ts';
 import { debugLogger, getErrorMessage } from '../../service/log.svc.ts';
@@ -49,12 +48,10 @@ export default class AuthLogin extends Command {
       return;
     }
 
-    if (config.enableUserSetup) {
-      try {
-        await ensureUserSetup({ preferOAuth: true });
-      } catch (error) {
-        this.error(`User setup failed. ${getErrorMessage(error)}`);
-      }
+    try {
+      await ensureUserSetup({ preferOAuth: true });
+    } catch (error) {
+      this.error(`User setup failed. ${getErrorMessage(error)}`);
     }
 
     this.log('\nLogin completed successfully.');

src/commands/auth/provision-ci-token.ts

@@ -2,7 +2,7 @@ import { Command } from '@oclif/core';
 import { provisionCIToken } from '../../api/ci-token.client.ts';
 import { ensureUserSetup } from '../../api/user-setup.client.ts';
 import { requireAccessToken } from '../../service/auth.svc.ts';
-import { saveCIOrgId, saveCIToken } from '../../service/ci-token.svc.ts';
+import { saveCIToken } from '../../service/ci-token.svc.ts';
 import { getErrorMessage } from '../../service/log.svc.ts';
 
 export default class AuthProvisionCiToken extends Command {
@@ -19,7 +19,7 @@ export default class AuthProvisionCiToken extends Command {
 
     let orgId: number;
     try {
-      orgId = await ensureUserSetup({ preferOAuth: true });
+      orgId = await ensureUserSetup();
     } catch (error) {
       this.error(`User setup failed. ${getErrorMessage(error)}`);
     }
@@ -28,12 +28,10 @@ export default class AuthProvisionCiToken extends Command {
       const result = await provisionCIToken({ orgId });
       const refreshToken = result.refresh_token;
       saveCIToken(refreshToken);
-      saveCIOrgId(orgId);
       this.log('CI token provisioned and saved locally.');
       this.log('');
-      this.log('For CI/CD, set these environment variables:');
-      this.log(`  HD_ORG_ID=${orgId}`);
-      this.log(`  HD_AUTH_TOKEN=${refreshToken}`);
+      this.log('For CI/CD, set this environment variable:');
+      this.log(`  HD_CI_CREDENTIAL=${refreshToken}`);
     } catch (error) {
       this.error(`CI token provisioning failed. ${getErrorMessage(error)}`);
     }

src/config/constants.ts

@@ -12,8 +12,6 @@ export const GIT_OUTPUT_FORMAT = `"${['%h', '%an', '%ad'].join('|')}"`;
 export const DEFAULT_DATE_FORMAT = 'yyyy-MM-dd';
 export const DEFAULT_DATE_COMMIT_FORMAT = 'MM/dd/yyyy, h:mm:ss a';
 export const DEFAULT_DATE_COMMIT_MONTH_FORMAT = 'MMMM yyyy';
-export const ENABLE_AUTH = false;
-export const ENABLE_USER_SETUP = false;
 
 // Trackers - Constants
 export const DEFAULT_TRACKER_RUN_DATA_FILE = 'data.json';
@@ -31,15 +29,6 @@ if (parsedPageSize > 0) {
   pageSize = parsedPageSize;
 }
 
-const enableAuthEnv = process.env.ENABLE_AUTH;
-const enableAuth = enableAuthEnv === 'true' ? true : enableAuthEnv === 'false' ? false : ENABLE_AUTH;
-const enableUserSetupEnv = process.env.ENABLE_USER_SETUP;
-const enableUserSetup =
-  enableUserSetupEnv === 'true' ? true : enableUserSetupEnv === 'false' ? false : ENABLE_USER_SETUP;
-const orgIdEnv = process.env.HD_ORG_ID?.trim();
-const orgIdParsed = orgIdEnv ? Number.parseInt(orgIdEnv, 10) : NaN;
-const orgIdFromEnv = Number.isInteger(orgIdParsed) && orgIdParsed >= 1 ? orgIdParsed : undefined;
-
 export const config = {
   eolReportUrl: process.env.EOL_REPORT_URL || EOL_REPORT_URL,
   graphqlHost: process.env.GRAPHQL_HOST || GRAPHQL_HOST,
@@ -49,11 +38,7 @@ export const config = {
   analyticsUrl: process.env.ANALYTICS_URL || ANALYTICS_URL,
   concurrentPageRequests,
   pageSize,
-  enableAuth,
-  enableUserSetup,
-  ciTokenFromEnv: process.env.HD_AUTH_TOKEN?.trim() || undefined,
-  orgIdFromEnv,
-  accessTokenFromEnv: process.env.HD_ACCESS_TOKEN?.trim() || undefined,
+  ciTokenFromEnv: process.env.HD_CI_CREDENTIAL?.trim() || undefined,
 };
 
 export const filenamePrefix = 'herodevs';

src/service/auth.svc.ts

@@ -1,4 +1,3 @@
-import { config } from '../config/constants.ts';
 import type { TokenResponse } from '../types/auth.ts';
 import { refreshTokens } from './auth-refresh.svc.ts';
 import { clearStoredTokens, getStoredTokens, isAccessTokenExpired, saveTokens } from './auth-token.svc.ts';
@@ -61,7 +60,7 @@ export async function logoutLocally() {
 }
 
 export async function requireAccessTokenForScan(): Promise<string> {
-  if (getCIToken() || config.accessTokenFromEnv) {
+  if (getCIToken()) {
     return requireCIAccessToken();
   }
 

src/service/ci-auth.svc.ts

@@ -1,17 +1,13 @@
 import { exchangeCITokenForAccess } from '../api/ci-token.client.ts';
 import { config } from '../config/constants.ts';
-import { isAccessTokenExpired } from './auth-token.svc.ts';
-import { getCIOrgId, getCIToken, saveCIToken } from './ci-token.svc.ts';
+import { getCIToken, saveCIToken } from './ci-token.svc.ts';
 import { debugLogger } from './log.svc.ts';
 
 export type CITokenErrorCode = 'CI_TOKEN_INVALID' | 'CI_TOKEN_REFRESH_FAILED' | 'CI_ORG_ID_REQUIRED';
 
 const CITOKEN_ERROR_MESSAGE =
   "CI token is invalid or expired. To provision a new CI token, run 'hd auth provision-ci-token' (after logging in with 'hd auth login').";
 
-const CI_ORG_ID_ERROR_MESSAGE =
-  'Organization ID is required for CI token. When using HD_AUTH_TOKEN, set HD_ORG_ID to your organization ID (e.g. HD_ORG_ID=123). When using a locally stored CI token, re-provision with: hd auth provision-ci-token';
-
 export class CITokenError extends Error {
   readonly code: CITokenErrorCode;
 
@@ -23,25 +19,14 @@ export class CITokenError extends Error {
 }
 
 export async function requireCIAccessToken(): Promise<string> {
-  if (config.accessTokenFromEnv && !isAccessTokenExpired(config.accessTokenFromEnv)) {
-    return config.accessTokenFromEnv;
-  }
-
   const ciToken = getCIToken();
   if (!ciToken) {
     throw new CITokenError(CITOKEN_ERROR_MESSAGE, 'CI_TOKEN_INVALID');
   }
 
-  const orgId = config.ciTokenFromEnv !== undefined ? config.orgIdFromEnv : getCIOrgId();
-  if (orgId === undefined) {
-    throw new CITokenError(CI_ORG_ID_ERROR_MESSAGE, 'CI_ORG_ID_REQUIRED');
-  }
-
   try {
     const result = await exchangeCITokenForAccess({
       refreshToken: ciToken,
-      orgId,
-      optionalAccessToken: config.accessTokenFromEnv,
     });
     if (result.refreshToken && config.ciTokenFromEnv === undefined) {
       saveCIToken(result.refreshToken);