chore: update package version to 0.8.1.

Update: devops submodule convertion to new simpler auth model.
fix: missed incorrect AI autocomplete.
2026-03-11 13:00:09 +01:00 · 2026-03-11 12:59:00 +01:00 · 2026-03-11 12:12:36 +01:00 · 2026-03-11 12:11:30 +01:00 · 2026-03-11 11:59:24 +01:00 · 2026-03-11 11:59:20 +01:00
23 changed files with 307 additions and 351 deletions
--- a/docs/Commands.md
+++ b/docs/Commands.md
@@ -26,14 +26,14 @@ Note: `rest --header` is a command-specific HTTP header option and is unrelated

 **Command name:** `login`

-**Usage:** `sk-az-tools login [--resources <csv>] [--use-device-code] [--no-browser] [--browser <name>] [--browser-profile <profile>] [global options]`
+**Usage:** `sk-az-tools login [resource...] [--use-device-code] [--no-browser] [--browser-name <name>] [--browser-profile <profile>] [global options]`

 **Options:**

- `--resources` <csv> - Comma-separated resources to authenticate. Allowed values: `graph`, `devops`, `arm`. Default is all three.
+- `[resource...]` - One or more resources to authenticate. Allowed values: `graph`, `devops`, `azurerm`. Default is `azurerm`.
 - `--use-device-code` - Use device code flow instead of browser-based interactive flow.
 - `--no-browser` - Do not launch browser automatically. Print the sign-in URL to stderr.
- `--browser` <name> - Browser keyword used for interactive sign-in. Allowed values: `brave`, `browser`, `browserPrivate`, `chrome`, `edge`, `firefox`.
+- `--browser-name` <name> - Browser keyword used for interactive sign-in. Allowed values: `brave`, `browser`, `browserPrivate`, `chrome`, `edge`, `firefox`.
 - `--browser-profile` <name> - Chromium profile name (for example: `Default`, `Profile 1`).

 **Description:** The `login` command authenticates user sign-in for selected resource audiences and caches tokens for subsequent commands.
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,19 +1,19 @@
 {
    "name": "@slawek/sk-az-tools",
-    "version": "0.6.0",
+    "version": "0.8.1",
    "lockfileVersion": 3,
    "requires": true,
    "packages": {
        "": {
            "name": "@slawek/sk-az-tools",
-            "version": "0.6.0",
+            "version": "0.8.1",
            "license": "MIT",
            "dependencies": {
                "@azure/identity": "^4.13.0",
                "@azure/msal-node": "^5.0.3",
                "@azure/msal-node-extensions": "^1.2.0",
                "@microsoft/microsoft-graph-client": "^3.0.7",
-                "@slawek/sk-tools": ">=0.2.0",
+                "@slawek/sk-tools": "^0.4.1",
                "azure-devops-node-api": "^15.1.2",
                "commander": "^14.0.3",
                "minimatch": "^10.1.2",
@@ -291,11 +291,12 @@
            }
        },
        "node_modules/@slawek/sk-tools": {
-            "version": "0.3.0",
-            "resolved": "https://gitea.koszewscy.waw.pl/api/packages/slawek/npm/%40slawek%2Fsk-tools/-/0.3.0/sk-tools-0.3.0.tgz",
-            "integrity": "sha512-DqcpCwsH0noRNxq9lIwOLn9pmu6LNB6NSmXBe3r0CIMP+NW88iYwgvDeALWxLZbb1pN6rHc1R/ea+fjVW0Bkgw==",
+            "version": "0.4.1",
+            "resolved": "https://gitea.koszewscy.waw.pl/api/packages/slawek/npm/%40slawek%2Fsk-tools/-/0.4.1/sk-tools-0.4.1.tgz",
+            "integrity": "sha512-rTw/m6ZK72HGELcCC+ze1sNcqt4LM5dBUdJ3c5UsOT95qTZAGauVBKsslpVd4Kotf24vNlGFQ1fpVDcT5sluwQ==",
            "license": "MIT",
            "dependencies": {
+                "commander": "^14.0.3",
                "d3-dsv": "^3.0.1",
                "jmespath": "^0.16.0",
                "semver": "^7.7.4",
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
    "name": "@slawek/sk-az-tools",
-    "version": "0.7.0",
+    "version": "0.8.1",
    "type": "module",
    "files": [
        "dist",
@@ -24,7 +24,7 @@
        "@azure/msal-node": "^5.0.3",
        "@azure/msal-node-extensions": "^1.2.0",
        "@microsoft/microsoft-graph-client": "^3.0.7",
-        "@slawek/sk-tools": ">=0.2.0",
+        "@slawek/sk-tools": "^0.4.1",
        "azure-devops-node-api": "^15.1.2",
        "commander": "^14.0.3",
        "minimatch": "^10.1.2",
--- a/scripts/check-package-version.mjs
+++ b/scripts/check-package-version.mjs
@@ -0,0 +1,60 @@
+#!/usr/bin/env node
+
+import { readFileSync, writeFileSync } from "node:fs";
+import { spawnSync } from "node:child_process";
+import { resolve } from "node:path";
+import { parseArgs } from "node:util";
+import { inc } from "semver";
+
+const skAzToolsPackagePath = resolve("package.json");
+const skAzToolsPackageLockPath = resolve("package-lock.json");
+const skToolsPackagePath = resolve("../sk-tools", "package.json");
+
+const skAzToolsPackage = JSON.parse(readFileSync(skAzToolsPackagePath, "utf-8"));
+const skAzToolsPackageLock = JSON.parse(readFileSync(skAzToolsPackageLockPath, "utf-8"));
+const skToolsPackage = JSON.parse(readFileSync(skToolsPackagePath, "utf-8"));
+
+const { values } = parseArgs({
+    options: {
+        update: { type: "boolean", short: "u", description: "Update @slawek/sk-tools to the latest version." },
+        bump: { type: "string", short: "b", description: "Bump the version of @slawek/sk-az-tools in package.json. Allowed values: major, minor, patch." }
+    }
+});
+
+if (values.bump !== undefined && !["major", "minor", "patch"].includes(values.bump)) {
+    console.error(`Invalid bump type: ${values.bump}. Allowed values are: major, minor, patch.`);
+    process.exit(1);
+}
+
+// Package versions
+console.log(`SK Tools version:       ${skToolsPackage.version}`);
+console.log(`SK Azure Tools version: ${skAzToolsPackage.version}\n`);
+
+if (values.bump) {
+    const newVersion = inc(skAzToolsPackage.version, values.bump);
+    if (!newVersion) {
+        console.error(`Failed to bump version: ${skAzToolsPackage.version}`);
+        process.exit(1);
+    }
+    skAzToolsPackage.version = newVersion;
+    writeFileSync(skAzToolsPackagePath, JSON.stringify(skAzToolsPackage, null, 4));
+    console.log(`Bumped SK Azure Tools version to: ${newVersion}`);
+}
+
+console.log(`SK Azure Tools Locked version: ${skAzToolsPackageLock.version}`);
+
+// Update package.json if --update flag is set
+// or if the version of @slawek/sk-az-tools in package.json
+// is different than the version in package-lock.json.
+if (values.update || skAzToolsPackage.version !== skAzToolsPackageLock.version) {
+    console.log(`Updating package.json...`);
+    skAzToolsPackage.dependencies["@slawek/sk-tools"] = `>=${skToolsPackage.version}`;
+    writeFileSync(skAzToolsPackagePath, JSON.stringify(skAzToolsPackage, null, 4));
+    // Install and link the updated package
+    spawnSync("npm", ["install", "@slawek/sk-tools"], { stdio: "inherit" });
+    spawnSync("npm", ["link", "@slawek/sk-tools"], { stdio: "inherit" });
+    // Show the updated dependency tree
+    spawnSync("npm", ["ls"], { stdio: "inherit" });
+} else {
+    console.log(`\nSK Tools version requested: ${skAzToolsPackage.dependencies["@slawek/sk-tools"] ?? "not found"}`);
+}
--- a/scripts/make-mermaid-func-deps.mjs
+++ b/scripts/make-mermaid-func-deps.mjs
--- a/scripts/sample-az-graph-devops.sh
+++ b/scripts/sample-az-graph-devops.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+# Hardcode variables.
+SUBSCRIPTION_ID="c885a276-c882-483f-b216-42f73715161d"
+
+ACCESS_TOKEN=$(sk-az-tools get-token graph)
+
+
+# List Azure resource groups via Azure Resource Manager API
+echo "Azure Resource Groups in subscription '$SUBSCRIPTION_ID':"
+curl -sSL -H "Authorization: Bearer $ACCESS_TOKEN" \
+  "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourcegroups?api-version=2021-04-01" |
+  jq '.value[] | {id, name, location}'
+
+echo "---"
+
+# Get current user ('me') via Microsoft Graph
+echo "Current User (me):"
+curl -sSL -H "Authorization: Bearer $ACCESS_TOKEN" \
+  "https://graph.microsoft.com/v1.0/me" |
+  jq '{id, displayName, userPrincipalName}'
+
+echo "---"
+
+# List Azure DevOps projects in the given org
+echo "Azure DevOps Projects in org 'skoszewski':"
+curl -sSL -H "Authorization: Bearer $ACCESS_TOKEN" \
+  "https://dev.azure.com/skoszewski/_apis/projects?api-version=7.1" |
+  jq '.value[] | {id, name, state}'
--- a/src/azure/index.ts
+++ b/src/azure/index.ts
@@ -8,7 +8,10 @@

 import { getTokenUsingMsal } from "./pca-auth.ts";
 import { getTokenUsingAzureIdentity } from "./client-auth.ts";
-import { loadConfig } from "../index.ts";
+import { loadAuthConfig, loadConfig } from "../index.ts";
+import { SkAzureCredential } from "./sk-credential.ts";
+import { DefaultAzureCredential } from "@azure/identity";
+import type { TokenCredential } from "@azure/core-auth";

 // Reexporting functions and types from submodules
 export {
@@ -24,21 +27,42 @@ export { getCredential } from "./client-auth.ts";
 export const RESOURCE_SCOPE_BY_NAME = {
  graph: "https://graph.microsoft.com/.default",
  devops: "499b84ac-1321-427f-aa17-267ca6975798/.default",
-  arm: "https://management.azure.com/.default",
+  azurerm: "https://management.azure.com/.default",
  openai: "https://cognitiveservices.azure.com/.default",
 } as const;

 export type ResourceName = keyof typeof RESOURCE_SCOPE_BY_NAME;
-export const DEFAULT_RESOURCES: ResourceName[] = ["graph", "devops", "arm"];
+export const DEFAULT_RESOURCES: ResourceName[] = ["graph", "devops", "azurerm"];

 // A helper function to translate short resource names to their corresponding scopes
 export function translateResourceNamesToScopes(resourceNames: string[]): string[] {
  return resourceNames.map((name) => RESOURCE_SCOPE_BY_NAME[name as ResourceName]);
 }

+export function supportedResourceNames(): ResourceName[] {
+  return Object.keys(RESOURCE_SCOPE_BY_NAME) as ResourceName[];
+}
+
 // Generic utility functions
 export type AuthMode = "azure-identity" | "msal";

+export async function getTokenCredential(
+  tenantId?: string,
+  clientId?: string,
+): Promise<TokenCredential> {
+  const config = await loadConfig();
+
+  if (config.authMode === "azure-identity") {
+    return new DefaultAzureCredential();
+  }
+
+  const authConfig = await loadAuthConfig("public-config");
+  return new SkAzureCredential(
+    tenantId || authConfig.tenantId,
+    clientId || authConfig.clientId,
+  );
+}
+
 export async function getAccessToken(
  tenantId: string,
  clientId: string,
@@ -55,24 +79,3 @@ export async function getAccessToken(
    return getTokenUsingAzureIdentity(tenantId, clientId, resources);
  }
 }
-
-// export function getAzureIdentityGraphAuthProvider(
-//   tenantId: string,
-//   clientId: string,
-// ) {
-//   const credential = new DefaultAzureCredential({
-//     tenantId,
-//     managedIdentityClientId: clientId,
-//   });
-
-//   const getBearerToken = getBearerTokenProvider(
-//     credential,
-//     "https://graph.microsoft.com/.default",
-//   );
-
-//   return (done: (error: Error | null, accessToken: string | null) => void) => {
-//     void getBearerToken()
-//       .then((token) => done(null, token))
-//       .catch((err) => done(err as Error, null));
-//   };
-// }
--- a/src/azure/pca-auth.ts
+++ b/src/azure/pca-auth.ts
@@ -22,14 +22,14 @@ const LOGIN_REQUIRED_MESSAGE = "Login required. Run: sk-az-tools login";
 const BROWSER_KEYWORDS = Object.keys(apps).sort();
 const OPEN_APPS = apps as Record<string, string | readonly string[]>;
 const CHROMIUM_BROWSERS = new Set(["edge", "chrome", "brave"]);
-const CONFIG_FILE_NAME = "config";
+const SESSION_STATE_NAME = "session-state";

 type SessionState = {
  activeAccountUpn: string | null;
 };

 async function readSessionState(): Promise<SessionState> {
-  const parsed = (await getConfig("sk-az-tools", CONFIG_FILE_NAME)) as { activeAccountUpn?: unknown };
+  const parsed = (await getConfig("sk-az-tools", SESSION_STATE_NAME)) as { activeAccountUpn?: unknown };
  return {
    activeAccountUpn:
      typeof parsed?.activeAccountUpn === "string"
@@ -39,14 +39,14 @@ async function readSessionState(): Promise<SessionState> {
 }

 async function writeSessionState(state: SessionState): Promise<void> {
-  const sessionPath = path.join(getConfigDir("sk-az-tools"), `${CONFIG_FILE_NAME}.json`);
+  const sessionPath = path.join(getConfigDir("sk-az-tools"), `${SESSION_STATE_NAME}.json`);
  await mkdir(path.dirname(sessionPath), { recursive: true });
  await writeFile(sessionPath, JSON.stringify(state, null, 2), "utf8");
 }

 async function clearSessionState(): Promise<void> {
  try {
-    const sessionPath = path.join(getConfigDir("sk-az-tools"), `${CONFIG_FILE_NAME}.json`);
+    const sessionPath = path.join(getConfigDir("sk-az-tools"), `${SESSION_STATE_NAME}.json`);
    await unlink(sessionPath);
  } catch (err) {
    if ((err as { code?: string } | null)?.code !== "ENOENT") {
@@ -104,12 +104,12 @@ function getBrowserOpenOptions(browser?: string, browserProfile?: string): Param
  const browserKeyword = getBrowserKeyword(browser);
  if (!CHROMIUM_BROWSERS.has(browserKeyword)) {
    throw new Error(
-      "--browser-profile is supported only with --browser edge|chrome|brave",
+      "--browser-profile is supported only with --browser-name edge|chrome|brave",
    );
  }

  if (!browserName) {
-    throw new Error("--browser-profile requires --browser");
+    throw new Error("--browser-profile requires --browser-name");
  }

  return {
@@ -130,19 +130,18 @@ function validateBrowserOptions(browser?: string, browserProfile?: string): void
    const browserKeyword = getBrowserKeyword(browser);
    if (!CHROMIUM_BROWSERS.has(browserKeyword)) {
      throw new Error(
-        "--browser-profile is supported only with --browser edge|chrome|brave",
+        "--browser-profile is supported only with --browser-name edge|chrome|brave",
      );
    }
  }
 }

-export function parseResources(resourcesCsv?: string): ResourceName[] {
-  if (!resourcesCsv || resourcesCsv.trim() === "") {
+export function parseResources(resourcesInput?: string[]): ResourceName[] {
+  if (!resourcesInput || resourcesInput.length === 0) {
    return [...DEFAULT_RESOURCES];
  }

-  const resources = resourcesCsv
-    .split(",")
+  const resources = resourcesInput
    .map((item) => item.trim().toLowerCase())
    .filter(Boolean);

@@ -317,7 +316,7 @@ export async function loginDeviceCode(
 export async function login(
  tenantId: string,
  clientId: string,
-  resourcesCsv?: string,
+  resourcesInput?: string[],
  useDeviceCode = false,
  noBrowser = false,
  browser?: string,
@@ -332,8 +331,8 @@ export async function login(
  if (!clientId) throw new Error("clientId is required");
  validateBrowserOptions(browser, browserProfile);

-  const resources = parseResources(resourcesCsv);
-  const scopes = translateResourceNamesToScopes(resources);
+  const resources = parseResources(resourcesInput);
+  const scopes = translateResourceNamesToScopes(resources) as string[];
  const pca = await createPca(tenantId, clientId);
  const session = await readSessionState();
  const preferredAccount = session.activeAccountUpn
@@ -344,6 +343,10 @@ export async function login(
  let selectedAccount: AccountInfo | null = preferredAccount;
  let token = await acquireTokenWithCache(pca, scopes, selectedAccount);

+  if (token?.account) {
+    selectedAccount = token.account;
+  }
+
  if (!token) {
    if (useDeviceCode) {
      token = await pca.acquireTokenByDeviceCode({
@@ -378,6 +381,11 @@ export async function login(
    });
  }

+  if (!selectedAccount) {
+    const accounts = await pca.getTokenCache().getAllAccounts();
+    selectedAccount = accounts[0] ?? null;
+  }
+
  const activeAccountUpn = selectedAccount?.username ?? null;
  if (activeAccountUpn) {
    await writeSessionState({ activeAccountUpn });
--- a/src/cli.ts
+++ b/src/cli.ts
@@ -1,8 +1,9 @@
 #!/usr/bin/env node
 // SPDX-License-Identifier: MIT

-import { Command, Option } from "commander";
+import { Argument, Command, Option } from "commander";
 import { renderCliOutput } from "@slawek/sk-tools";
+import { supportedResourceNames, ResourceName } from "./azure/index.ts";

 // Commands
 import { runGetTokenCommand } from "./cli/commands/get-token.ts";
@@ -13,6 +14,7 @@ import { runListResourcePermissionsCommand } from "./cli/commands/list-resource-
 import { runLoginCommand } from "./cli/commands/login.ts";
 import { runLogoutCommand } from "./cli/commands/logout.ts";
 import { runRestCommand } from "./cli/commands/rest.ts";
+import { runTestCommand } from "./cli/commands/test-command.ts";

 import pkg from "../package.json" with { type: "json" };
 const { version: packageVersion } = pkg;
@@ -33,33 +35,28 @@ async function main(): Promise<void> {
  skAzTools
    .command("login")
    .description("Authenticate selected resources")
-    .option("--resources <csv>", "Comma-separated resources: graph,devops,arm")
+    .addArgument(
+      new Argument("[resource...]", "Resources: graph|devops|azurerm")
+        .choices(supportedResourceNames())
+        .default(["azurerm"]),
+    )
    .option("--use-device-code", "Use device code flow")
    .option("--no-browser", "Do not launch browser")
-    .option("--browser <name>", "Browser keyword: brave|browser|browserPrivate|chrome|edge|firefox")
+    .option("--browser-name <name>", "Browser keyword: brave|browser|browserPrivate|chrome|edge|firefox")
    .option("--browser-profile <name>", "Chromium profile name")
-    .action(async (options) => {
-      const output = await runLoginCommand(options);
-      renderCliOutput(output, skAzTools.opts().output, skAzTools.opts().query, skAzTools.opts().columns);
-    });
+    .action(runLoginCommand);

  skAzTools
    .command("logout")
    .description("Sign out and clear login state")
    .option("--all", "Clear login state and remove all cached accounts")
-    .action(async (options) => {
-      const output = await runLogoutCommand(options);
-      renderCliOutput(output, skAzTools.opts().output, skAzTools.opts().query, skAzTools.opts().columns);
-    });
+    .action(runLogoutCommand);

  skAzTools
    .command("get-token")
-    .description("Get access token (azurerm|devops)")
-    .addOption(new Option("-t, --type <value>", "Token type").choices(["azurerm", "devops"]))
-    .action(async (options) => {
-      const output = await runGetTokenCommand(options);
-      renderCliOutput(output, skAzTools.opts().output, skAzTools.opts().query, skAzTools.opts().columns);
-    });
+    .description("Get an access token for a resource or resources.")
+    .addArgument(new Argument("<type>", "Token type.").choices(supportedResourceNames()))
+    .action(runGetTokenCommand);

  skAzTools
    .command("rest")
@@ -71,10 +68,14 @@ async function main(): Promise<void> {
    .addHelpText("after", `
 Authorization is added automatically for:
  management.azure.com       Uses azurerm token
-  dev.azure.com              Uses devops token`)
-    .action(async (url, options) => {
+  dev.azure.com              Uses devops token
+  graph.microsoft.com        Uses graph token
+  cognitiveservices.azure.com Uses openai token
+  *.openai.azure.com         Uses openai token`)
+    .action(async (url, options, command) => {
      const output = await runRestCommand(url, options);
-      renderCliOutput(output, skAzTools.opts().output, skAzTools.opts().query, skAzTools.opts().columns);
+      const allOptions = command.optsWithGlobals();
+      renderCliOutput(output, allOptions.output, allOptions.query, allOptions.columns);
    });

  skAzTools
@@ -83,9 +84,10 @@ Authorization is added automatically for:
    .option("-n, --display-name <name>", "Get app by display name")
    .option("-i, --app-id <id>", "Get app by id")
    .option("-f, --filter <pattern>", "Filter display name glob")
-    .action(async (options) => {
+    .action(async (options, command) => {
      const output = await runListAppsCommand(options);
-      renderCliOutput(output, skAzTools.opts().output, skAzTools.opts().query, skAzTools.opts().columns);
+      const allOptions = command.optsWithGlobals();
+      renderCliOutput(output, allOptions.output, allOptions.query, allOptions.columns);
    });

  skAzTools
@@ -95,18 +97,20 @@ Authorization is added automatically for:
    .option("-r, --resolve", "Resolve permission GUIDs to human-readable values")
    .option("-s, --short", "Makes output more compact")
    .option("-f, --filter <glob>", "Filter by permission name glob")
-    .action(async (options) => {
+    .action(async (options, command) => {
      const output = await runListAppPermissionsCommand(options);
-      renderCliOutput(output, skAzTools.opts().output, skAzTools.opts().query, skAzTools.opts().columns);
+      const allOptions = command.optsWithGlobals();
+      renderCliOutput(output, allOptions.output, allOptions.query, allOptions.columns);
    });

  skAzTools
    .command("list-app-grants")
    .description("List OAuth2 grants for an app")
    .option("-i, --app-id <appId>", "Application (client) ID")
-    .action(async (options) => {
+    .action(async (options, command) => {
      const output = await runListAppGrantsCommand(options);
-      renderCliOutput(output, skAzTools.opts().output, skAzTools.opts().query, skAzTools.opts().columns);
+      const allOptions = command.optsWithGlobals();
+      renderCliOutput(output, allOptions.output, allOptions.query, allOptions.columns);
    });

  skAzTools
@@ -115,19 +119,23 @@ Authorization is added automatically for:
    .option("-i, --app-id <appId>", "Resource app ID")
    .option("-n, --display-name <name>", "Resource app display name")
    .option("-f, --filter <glob>", "Filter by permission name glob")
-    .action(async (options) => {
+    .action(async (options, command) => {
      const output = await runListResourcePermissionsCommand(options);
-      renderCliOutput(output, skAzTools.opts().output, skAzTools.opts().query, skAzTools.opts().columns);
+      const allOptions = command.optsWithGlobals();
+      renderCliOutput(output, allOptions.output, allOptions.query, allOptions.columns);
    });

+  // Hidden test command for development purposes
+  skAzTools
+    .command("test", { hidden: true })
+    .description("Test command for development")
+    .action(runTestCommand);

-  // Parse arguments
  await skAzTools.parseAsync();
 }

 main().catch((err: unknown) => {
  const error = err as Error;
  console.error(`Error: ${error.message}`);
-  //console.error(usage());
  process.exit(1);
 });
--- a/src/cli/commands/auth.ts
+++ b/src/cli/commands/auth.ts
@@ -1 +0,0 @@
-// SPDX-License-Identifier: MIT
--- a/src/cli/commands/get-token.ts
+++ b/src/cli/commands/get-token.ts
@@ -1,55 +1,21 @@
 // SPDX-License-Identifier: MIT

-import { getAccessToken } from "../../azure/index.ts";
-import { getDevOpsApiToken } from "../../devops/index.ts";
-import { loadAuthConfig } from "../../index.ts";
-
-type GetTokenOptions = {
-  type?: string;
-};
-
-export function usageGetToken(): string {
-  return `Usage: sk-az-tools get-token --type|-t <azurerm|devops> [global options]
-
-Options:
-  --type, -t <value>         Token type: azurerm|devops`;
-}
+import { RESOURCE_SCOPE_BY_NAME, ResourceName, supportedResourceNames, getTokenCredential } from "../../azure/index.ts";

 export async function runGetTokenCommand(
-  options: GetTokenOptions,
-): Promise<unknown> {
-  const tokenType = (options.type ?? "").toString().trim().toLowerCase();
-  if (!tokenType) {
-    throw new Error(
-      "--type is required for get-token (allowed: azurerm, devops)",
-    );
+  type: ResourceName,
+): Promise<void> {
+  if (!type || !supportedResourceNames().includes(type)) {
+    throw new Error(`Token type is required for get-token (allowed: ${supportedResourceNames().join(", ")})`);
  }

-  const config = await loadAuthConfig("public-config");
-
-  if (tokenType === "azurerm") {
-    const accessToken = await getAccessToken(config.tenantId, config.clientId, ["arm"]);
+  const credential = await getTokenCredential();

+  const accessToken = await credential.getToken(RESOURCE_SCOPE_BY_NAME[type]);
  if (!accessToken) {
-      throw new Error("Failed to obtain AzureRM token");
+      throw new Error("Failed to obtain access token.");
  }

-    return {
-      tokenType,
-      accessToken,
-    };
-  }
-
-  if (tokenType === "devops") {
-    const accessToken = await getDevOpsApiToken(
-      config.tenantId,
-      config.clientId,
-    );
-    return {
-      tokenType,
-      accessToken,
-    };
-  }
-
-  throw new Error(`Invalid --type '${options.type}'. Allowed: azurerm, devops`);
+  // Output only the token string for easy consumption in scripts
+  console.log(accessToken.token);
 }
--- a/src/cli/commands/list-app-grants.ts
+++ b/src/cli/commands/list-app-grants.ts
@@ -7,13 +7,6 @@ type ListAppGrantsOptions = {
  appId?: string;
 };

-export function usageListAppGrants(): string {
-  return `Usage: sk-az-tools list-app-grants --app-id|-i <appId> [global options]
-
-Options:
-  --app-id, -i <appId>       Application (client) ID (required)`;
-}
-
 export async function runListAppGrantsCommand(options: ListAppGrantsOptions): Promise<unknown> {
  if (!options.appId) {
    throw new Error("--app-id is required for list-app-grants");
--- a/src/cli/commands/list-app-permissions.ts
+++ b/src/cli/commands/list-app-permissions.ts
@@ -29,16 +29,6 @@ function omitColumns(input: unknown, names: string[]): unknown {
  );
 }

-export function usageListAppPermissions(): string {
-  return `Usage: sk-az-tools list-app-permissions --app-id|-i <appId> [--resolve|-r] [--short|-s] [--filter|-f <glob>] [global options]
-
-Options:
-  --app-id, -i <appId>       Application (client) ID (required)
-  --resolve, -r              Resolve permission GUIDs to human-readable values
-  --short, -s                Makes output more compact
-  --filter, -f <glob>        Filter by permission name glob`;
-}
-
 export async function runListAppPermissionsCommand(options: ListAppPermissionsOptions): Promise<unknown> {
  if (!options.appId) {
    throw new Error("--app-id is required for list-app-permissions");
--- a/src/cli/commands/list-resource-permissions.ts
+++ b/src/cli/commands/list-resource-permissions.ts
@@ -10,15 +10,6 @@ type ListResourcePermissionsOptions = {
  filter?: string;
 };

-export function usageListResourcePermissions(): string {
-  return `Usage: sk-az-tools list-resource-permissions [--app-id|-i <appId> | --display-name|-n <name>] [--filter|-f <glob>] [global options]
-
-Options:
-  --app-id, -i <appId>       Resource app ID
-  --display-name, -n <name>  Resource app display name
-  --filter, -f <glob>        Filter by permission name glob`;
-}
-
 export async function runListResourcePermissionsCommand(options: ListResourcePermissionsOptions): Promise<unknown> {
  if (!options.appId && !options.displayName) {
    throw new Error("--app-id or --display-name is required for list-resource-permissions");
--- a/src/cli/commands/login.ts
+++ b/src/cli/commands/login.ts
@@ -1,36 +1,35 @@
 // SPDX-License-Identifier: MIT

 import { login } from "../../azure/index.ts";
+import type { ResourceName } from "../../azure/index.ts";
 import { loadAuthConfig } from "../../index.ts";

 type LoginOptions = {
-  resources?: string;
  useDeviceCode?: boolean;
  noBrowser?: boolean;
-  browser?: string;
+  browserName?: string;
  browserProfile?: string;
 };

-export function usageLogin(): string {
-  return `Usage: sk-az-tools login [--resources <csv>] [--use-device-code] [--no-browser] [--browser <name>] [--browser-profile <profile>] [global options]
+type LoginResult = {
+  accountUpn: string | null;
+  resources: Array<{ resource: string; expiresOn: string | null }>;
+  flow: "device-code" | "interactive";
+  browserLaunchAttempted: boolean;
+};

-Options:
-  --resources <csv>         Comma-separated resources: graph,devops,arm (default: all)
-  --use-device-code         Use device code flow instead of interactive flow
-  --no-browser              Do not launch browser; print interactive URL to stderr
-  --browser <name>          Browser keyword: brave|browser|browserPrivate|chrome|edge|firefox
-  --browser-profile <name>  Chromium profile name (e.g. Default, "Profile 1")`;
-}
-
-export async function runLoginCommand(options: LoginOptions): Promise<unknown> {
+export async function runLoginCommand(resources: ResourceName[], options: LoginOptions): Promise<void> {
  const config = await loadAuthConfig("public-config");
-  return login(
+
+  const result = await login(
    config.tenantId,
    config.clientId,
-    options.resources,
+    resources,
    Boolean(options.useDeviceCode),
    Boolean(options.noBrowser),
-    options.browser,
+    options.browserName,
    options.browserProfile,
-  );
+  ) as LoginResult;
+
+  console.log(`Logged in as ${result.accountUpn ?? "<unknown>"} using ${result.flow} flow for resources: ${resources.join(",")}`);
 }
--- a/src/cli/commands/logout.ts
+++ b/src/cli/commands/logout.ts
@@ -7,14 +7,28 @@ type LogoutOptions = {
  all?: boolean;
 };

-export function usageLogout(): string {
-  return `Usage: sk-az-tools logout [--all] [global options]
+type LogoutResult = {
+  clearedAll: boolean;
+  signedOut: string[];
+};

-Options:
-  --all                     Clear login state and remove all cached accounts`;
-}
-
-export async function runLogoutCommand(options: LogoutOptions): Promise<unknown> {
+export async function runLogoutCommand(options: LogoutOptions): Promise<void> {
  const config = await loadAuthConfig("public-config");
-  return logout(config.tenantId, config.clientId, Boolean(options.all));
+  const result = await logout(config.tenantId, config.clientId, Boolean(options.all)) as LogoutResult;
+
+  if (result.signedOut.length === 0) {
+    console.log(
+      result.clearedAll
+        ? "Cleared all cached accounts."
+        : "No active account to sign out.",
+    );
+    return;
+  }
+
+  if (result.clearedAll) {
+    console.log(`Cleared all cached accounts: ${result.signedOut.join(", ")}`);
+    return;
+  }
+
+  console.log(`Signed out: ${result.signedOut.join(", ")}`);
 }
--- a/src/cli/commands/rest.ts
+++ b/src/cli/commands/rest.ts
@@ -1,8 +1,6 @@
 // SPDX-License-Identifier: MIT

-import { getAccessToken } from "../../azure/index.ts";
-import { getDevOpsApiToken } from "../../devops/index.ts";
-import { loadAuthConfig } from "../../index.ts";
+import { RESOURCE_SCOPE_BY_NAME, ResourceName, getTokenCredential } from "../../azure/index.ts";

 function parseHeaderLine(
  header?: string,
@@ -35,24 +33,39 @@ function hasAuthorizationHeader(headers: Headers): boolean {
  return false;
 }

+function resolveResourceNameForHost(host: string): ResourceName | null {
+  switch (host) {
+    case "management.azure.com":
+      return "azurerm";
+    case "dev.azure.com":
+      return "devops";
+    case "graph.microsoft.com":
+      return "graph";
+    case "cognitiveservices.azure.com":
+      return "openai";
+    default:
+      if (host.endsWith(".openai.azure.com")) {
+        return "openai";
+      }
+      return null;
+  }
+}
+
 async function getAutoAuthorizationHeader(url: URL): Promise<string | null> {
  const host = url.hostname.toLowerCase();
-  if (host !== "management.azure.com" && host !== "dev.azure.com") {
+  const resourceName = resolveResourceNameForHost(host);
+  if (!resourceName) {
    return null;
  }

-  const config = await loadAuthConfig("public-config");
+  const credential = await getTokenCredential();

-  if (host === "management.azure.com") {
-    const accessToken = await getAccessToken(config.tenantId, config.clientId, ["arm"]);
-    if (!accessToken) {
-      throw new Error("Failed to obtain AzureRM token");
-    }
-    return `Bearer ${accessToken}`;
+  const accessToken = await credential.getToken(RESOURCE_SCOPE_BY_NAME[resourceName]);
+  if (!accessToken?.token) {
+    throw new Error(`Failed to obtain ${resourceName} token`);
  }

-  const accessToken = await getDevOpsApiToken(config.tenantId, config.clientId);
-  return `Bearer ${accessToken}`;
+  return `Bearer ${accessToken.token}`;
 }

 type httpMethod = "GET" | "POST" | "PUT" | "PATCH" | "DELETE";
--- a/src/cli/commands/test-command.ts
+++ b/src/cli/commands/test-command.ts
@@ -0,0 +1,6 @@
+// SPDX-License-Identifier: MIT
+
+// Hidden test command for development purposes
+export async function runTestCommand(): Promise<void> {
+  console.log("Test command executed.");
+}
--- a/src/cli/commands/types.ts
+++ b/src/cli/commands/types.ts
@@ -1,19 +0,0 @@
-// SPDX-License-Identifier: MIT
-
-export type CommandValues = {
-  [key: string]: string | boolean | undefined;
-  type?: string;
-  method?: string;
-  url?: string;
-  header?: string;
-  resources?: string;
-  "use-device-code"?: boolean;
-  "no-browser"?: boolean;
-  browser?: string;
-  "browser-profile"?: string;
-  all?: boolean;
-  "display-name"?: string;
-  "app-id"?: string;
-  filter?: string;
-  resolve?: boolean;
-};
--- a/src/create-pca.ts
+++ b/src/create-pca.ts
@@ -6,7 +6,7 @@ import os from "node:os";
 import path from "node:path";
 import readline from "node:readline";
 import { spawnSync } from "node:child_process";
-import { parseArgs } from "node:util";
+import { Command } from "commander";

 type RunAzResult = {
  status: number;
@@ -40,50 +40,17 @@ function runAz(args: string[], quiet = false, allowFailure = false): RunAzResult
 }

 async function main(): Promise<void> {
-  const usageText = `Usage: ${path.basename(process.argv[1])} [options] <app-name>
-Options:
-  -c, --config <path>    Write JSON config to file (optional)
-  -h, --help             Show this help message and exit`;
+  const program = new Command(path.basename(process.argv[1]));
+  program
+    .description("Create or update public client app and print config template")
+    .argument("<app-name>", "Application name")
+    .option("-c, --config <path>", "Write JSON config to file (optional)")
+    .allowExcessArguments(false)
+    .parse(process.argv);

-  let values: Record<string, string | boolean | undefined>;
-  let positionals: string[];
-  try {
-    ({ values, positionals } = parseArgs({
-      args: process.argv.slice(2),
-      options: {
-        help: { type: "boolean", short: "h" },
-        config: { type: "string", short: "c" },
-      },
-      strict: true,
-      allowPositionals: true,
-    }));
-  } catch (err) {
-    console.error(`Error: ${(err as Error).message}`);
-    console.error(usageText);
-    process.exit(1);
-  }
-
-  if (values.help) {
-    console.log(usageText);
-    process.exit(0);
-  }
-
-  if (positionals.length > 1) {
-    console.error(
-      "Error: Too many positional arguments. Only one app name positional argument is allowed.",
-    );
-    console.error(usageText);
-    process.exit(1);
-  }
-
-  const appName = positionals[0] || "";
-  const configPath = typeof values.config === "string" ? values.config : "";
-
-  if (!appName) {
-    console.error("Error: Application name is required.");
-    console.error(usageText);
-    process.exit(1);
-  }
+  const appName = program.args[0] as string;
+  const options = program.opts<{ config?: string }>();
+  const configPath = options.config ?? "";

  let appId = runAz([
    "ad",
--- a/src/devops/index.ts
+++ b/src/devops/index.ts
@@ -4,39 +4,27 @@
 * A DevOps helpers module.
 */

-import { loginInteractive } from "../azure/index.ts";
+import { RESOURCE_SCOPE_BY_NAME, getTokenCredential } from "../azure/index.ts";
 import * as azdev from "azure-devops-node-api";

-const AZURE_DEVOPS_SCOPES = ["https://app.vssps.visualstudio.com/.default"];
-
-type LoginInteractiveResult = {
-  accessToken?: string;
+export type DevOpsClients = {
+  coreClient: Awaited<ReturnType<azdev.WebApi["getCoreApi"]>>;
+  gitClient: Awaited<ReturnType<azdev.WebApi["getGitApi"]>>;
 };

-export async function getDevOpsApiToken(tenantId: string, clientId: string): Promise<string> {
-  const result = await loginInteractive(
-    tenantId,
-    clientId,
-    AZURE_DEVOPS_SCOPES,
-  ) as LoginInteractiveResult;
-
-  const accessToken = result?.accessToken;
-
-  if (!accessToken) {
+export async function getDevOpsClients(orgUrl: string, tenantId?: string, clientId?: string): Promise<DevOpsClients> {
+  return getTokenCredential(tenantId, clientId)
+    .then((credential) => credential.getToken(RESOURCE_SCOPE_BY_NAME.devops))
+    .then(async (accessToken) => {
+      if (!accessToken?.token) {
        throw new Error("Failed to obtain Azure DevOps API token");
      }

-  return accessToken;
-}
-
-export async function getDevOpsClients(orgUrl: string, tenantId: string, clientId: string): Promise<{ coreClient: unknown; gitClient: unknown }> {
-  const accessToken = await getDevOpsApiToken(tenantId, clientId);
-
-  const authHandler = azdev.getBearerHandler(accessToken);
-  const connection = new azdev.WebApi(orgUrl, authHandler);
-
-  const coreClient = await connection.getCoreApi();
-  const gitClient = await connection.getGitApi();
-
+      const connection = new azdev.WebApi(orgUrl, azdev.getBearerHandler(accessToken.token));
+      const [coreClient, gitClient] = await Promise.all([
+        connection.getCoreApi(),
+        connection.getGitApi(),
+      ]);
      return { coreClient, gitClient };
+    });
 }
--- a/src/graph/auth.ts
+++ b/src/graph/auth.ts
@@ -1,54 +0,0 @@
-// SPDX-License-Identifier: MIT
-
-import { Client } from "@microsoft/microsoft-graph-client";
-import { getAccessToken } from "../azure/index.ts";
-import { DefaultAzureCredential, getBearerTokenProvider } from "@azure/identity";
-
-// export async function getGraphClientUsingMsal(
-//   tenantId: string,
-//   clientId: string,
-// ): Promise<Client> {
-//   const graphApiToken = await getAccessToken(tenantId, clientId, ["graph"]);
-
-//   return Client.init({
-//     authProvider: (done) => {
-//       done(null, graphApiToken);
-//     },
-//   });
-// }
-
-type GraphAuthProvider = (
-  done: (error: Error | null, accessToken: string | null) => void
-) => void;
-
-export function getMsalAuthProvider(
-  tenantId: string,
-  clientId: string,
-): GraphAuthProvider {
-  return (done) => {
-    void getAccessToken(tenantId, clientId, ["graph"])
-      .then((accessToken) => done(null, accessToken))
-      .catch((err) => done(err as Error, null));
-  };
-}
-
-export function getAzureIdentityAuthProvider(
-  tenantId: string,
-  clientId: string,
-) {
-  const credential = new DefaultAzureCredential({
-    tenantId,
-    managedIdentityClientId: clientId,
-  });
-
-  const getBearerToken = getBearerTokenProvider(
-    credential,
-    "https://graph.microsoft.com/.default",
-  );
-
-  return (done: (error: Error | null, accessToken: string | null) => void) => {
-    void getBearerToken()
-      .then((token) => done(null, token))
-      .catch((err) => done(err as Error, null));
-  };
-}
--- a/src/graph/index.ts
+++ b/src/graph/index.ts
@@ -1,24 +1,18 @@
 // SPDX-License-Identifier: MIT

-export * from "./auth.ts";
 export * from "./app.ts";
 export * from "./sp.ts";

-import { loadAuthConfig, loadConfig } from "../index.ts";
 import { Client } from "@microsoft/microsoft-graph-client";
-
-import { getMsalAuthProvider, getAzureIdentityAuthProvider } from "./auth.ts";
+import { RESOURCE_SCOPE_BY_NAME, getTokenCredential } from "../azure/index.ts";

 export async function getGraphClient(): Promise<Client> {
-  const config = await loadConfig();
-
-  const authConfig = await loadAuthConfig("public-config");
-  const authProvider =
-    config.authMode === "azure-identity"
-      ? getAzureIdentityAuthProvider(authConfig.tenantId, authConfig.clientId)
-      : getMsalAuthProvider(authConfig.tenantId, authConfig.clientId);
-
  return Client.init({
-    authProvider: authProvider,
+    authProvider: (done) => {
+      void getTokenCredential()
+        .then((credential) => credential.getToken(RESOURCE_SCOPE_BY_NAME.graph))
+        .then((accessToken) => done(null, accessToken?.token ?? null))
+        .catch((err) => done(err as Error, null));
+    },
  });
 }
Author	SHA1	Message	Date
Slawomir Koszewski	6fc99f62c3	chore: update package version to 0.8.1. All checks were successful build / build (push) Successful in 15s Details	2026-03-11 13:00:09 +01:00
Slawomir Koszewski	d6adb5a3ba	Update: devops submodule convertion to new simpler auth model.	2026-03-11 12:59:00 +01:00
Slawomir Koszewski	4dd3056b2f	fix: missed incorrect AI autocomplete.	2026-03-11 12:12:36 +01:00
Slawomir Koszewski	3e2b54ba3c	fix: validation for bump type in check-package-version script	2026-03-11 12:11:30 +01:00
Slawomir Koszewski	0269313516	chore: update package version to 0.8.0 in package.json and package-lock.json All checks were successful build / build (push) Successful in 15s Details	2026-03-11 11:59:24 +01:00
Slawomir Koszewski	ade8f065e0	feat: enhance package version management in check-package-version script	2026-03-11 11:59:20 +01:00
Slawomir Koszewski	1bae7d8f85	chore: update @slawek/sk-tools version to ^0.4.1 in package.json and package-lock.json	2026-03-11 11:48:09 +01:00
Slawomir Koszewski	0714fc5c1b	feat: add script to check and update package versions for sk-tools	2026-03-11 11:48:00 +01:00
Slawomir Koszewski	d8d72be7e9	chore: update file permissions for make-mermaid-func-deps.mjs	2026-03-11 11:47:53 +01:00
Slawomir Koszewski	b678dd5ace	Authentication refactoring.	2026-03-11 10:41:42 +01:00
Slawomir Koszewski	d69402a33d	Updated package versions. All checks were successful build / build (push) Successful in 22s Details	2026-03-10 20:36:01 +01:00
Slawomir Koszewski	2fa8fcfc3c	Fix: Do not require PCA to be configured for Azure Identity default authentication.	2026-03-10 20:31:09 +01:00
Slawomir Koszewski	059fc3c1da	fix: update getAzureIdentityAuthProvider and make tenant id and client id optional.	2026-03-10 20:28:41 +01:00
Slawomir Koszewski	97f7011f97	Fix: dependencies. All checks were successful build / build (push) Successful in 14s Details	2026-03-10 19:52:24 +01:00
Slawomir Koszewski	dda13b7e2a	chore: bump version to 0.7.1 in package.json All checks were successful build / build (push) Successful in 14s Details	2026-03-10 19:49:26 +01:00
Slawomir Koszewski	5265e5300c	refactor: remove unused usage functions and migrate argument parsing to commander.js	2026-03-10 19:48:02 +01:00