feat: adds long lived refresh token feature for ci

.envrc.example

@@ -9,6 +9,19 @@ export ANALYTICS_URL='https://eol-api.herodevs.com/track';
 export OAUTH_CONNECT_URL='';
 export OAUTH_CLIENT_ID='';
 
+# IAM (for CI token provisioning)
+# export IAM_HOST='https://apps.herodevs.io/api/iam';
+# export IAM_PATH='/graphql';
+
+# Auth / User setup (optional)
+# export ENABLE_AUTH='true';
+# export ENABLE_USER_SETUP='true';
+
+# CI token (for headless auth - set when testing CI flow locally)
+# export HD_ORG_ID='1234';
+# export HD_AUTH_TOKEN='<long-lived-refresh-token>';
+# export HD_ACCESS_TOKEN='<access-token-from-auth-ci-login>';
+
 # Performance tuning (optional)
 # export CONCURRENT_PAGE_REQUESTS='3';
 # export PAGE_SIZE='500';

README.md

@@ -81,13 +81,73 @@ USAGE
 <!-- usagestop -->
 ## Commands
 <!-- commands -->
+* [`hd auth-ci login`](#hd-auth-ci-login)
+* [`hd auth-ci provision`](#hd-auth-ci-provision)
+* [`hd auth login`](#hd-auth-login)
+* [`hd auth logout`](#hd-auth-logout)
 * [`hd help [COMMAND]`](#hd-help-command)
 * [`hd report committers`](#hd-report-committers)
 * [`hd scan eol`](#hd-scan-eol)
 * [`hd tracker init`](#hd-tracker-init)
 * [`hd tracker run`](#hd-tracker-run)
 * [`hd update [CHANNEL]`](#hd-update-channel)
-  * **NOTE:** Only applies to [binary installation method](#binary-installation). NPM users should use [`npm install`](#global-npm-installation) to update to the latest version.
+
+## `hd auth-ci login`
+
+Obtain an access token for CI scans (outputs export HD_ACCESS_TOKEN=... for eval)
+
+```
+USAGE
+  $ hd auth-ci login
+
+DESCRIPTION
+  Obtain an access token for CI scans (outputs export HD_ACCESS_TOKEN=... for eval)
+```
+
+_See code: [src/commands/auth-ci/login.ts](https://github.com/herodevs/cli/blob/v2.0.0-beta.14/src/commands/auth-ci/login.ts)_
+
+## `hd auth-ci provision`
+
+Provision a CI/CD long-lived refresh token for headless auth
+
+```
+USAGE
+  $ hd auth-ci provision --orgId <value>
+
+FLAGS
+  --orgId=<value>  (required) Organization ID for the CI token (required)
+
+DESCRIPTION
+  Provision a CI/CD long-lived refresh token for headless auth
+```
+
+## `hd auth login`
+
+OAuth CLI login
+
+```
+USAGE
+  $ hd auth login
+
+DESCRIPTION
+  OAuth CLI login
+```
+
+_See code: [src/commands/auth/login.ts](https://github.com/herodevs/cli/blob/v2.0.0-beta.14/src/commands/auth/login.ts)_
+
+## `hd auth logout`
+
+Logs out of HeroDevs OAuth and clears stored tokens
+
+```
+USAGE
+  $ hd auth logout
+
+DESCRIPTION
+  Logs out of HeroDevs OAuth and clears stored tokens
+```
+
+_See code: [src/commands/auth/logout.ts](https://github.com/herodevs/cli/blob/v2.0.0-beta.14/src/commands/auth/logout.ts)_
 
 ## `hd help [COMMAND]`
 
@@ -121,10 +181,10 @@ USAGE
 FLAGS
   -c, --csv                 Output in CSV format
   -d, --directory=<value>   Directory to search
-  -e, --afterDate=<value>   [default: 2025-02-02] Start date (format: yyyy-MM-dd)
+  -e, --afterDate=<value>   [default: 2025-02-13] Start date (format: yyyy-MM-dd)
   -m, --months=<value>      [default: 12] The number of months of git history to review. Cannot be used along beforeDate
                             and afterDate
-  -s, --beforeDate=<value>  [default: 2026-02-02] End date (format: yyyy-MM-dd)
+  -s, --beforeDate=<value>  [default: 2026-02-13] End date (format: yyyy-MM-dd)
   -s, --save                Save the committers report as herodevs.committers.<output>
   -x, --exclude=<value>...  Path Exclusions (eg -x="./src/bin" -x="./dist")
       --json                Output to JSON format
@@ -260,8 +320,6 @@ _See code: [src/commands/tracker/run.ts](https://github.com/herodevs/cli/blob/ma
 
 update the hd CLI
 
-* **NOTE:** Only applies to [binary installation method](#binary-installation). NPM users should use [`npm install`](#global-npm-installation) to update to the latest version.
-
 ```
 USAGE
   $ hd update [CHANNEL] [--force |  | [-a | -v <value> | -i]] [-b ]
@@ -301,6 +359,76 @@ _See code: [@oclif/plugin-update](https://github.com/oclif/plugin-update/blob/4.
 
 You can use `@herodevs/cli` in your CI/CD pipelines to automate EOL scanning.
 
+### CI/CD authentication
+
+For headless use in CI/CD (e.g. GitHub Actions, GitLab CI), the CLI supports long-lived organization-scoped refresh tokens. You do not need to run an interactive login in the pipeline.
+
+**One-time setup (interactive):**
+
+```bash
+hd auth login
+hd auth-ci provision --org-id <your-org-id>
+```
+
+Copy the token and org ID, add as CI secrets: `HD_AUTH_TOKEN` and `HD_ORG_ID`.
+
+**CI pipeline (headless):** Run `hd auth-ci login` to exchange the refresh token for an access token; use `eval` to export it before the scan:
+
+```bash
+export HD_ORG_ID=<id> HD_AUTH_TOKEN="<token>"
+eval $(hd auth-ci login) && hd scan eol --dir .
+```
+
+| Secret / Env Var | Purpose |
+|------------------|---------|
+| `HD_AUTH_TOKEN` | Long-lived refresh token from provision |
+| `HD_ORG_ID` | Organization ID (required when using HD_AUTH_TOKEN) |
+
+#### Local testing
+
+Reproduce the CI flow locally:
+
+```bash
+export HD_ORG_ID=1234 HD_AUTH_TOKEN="eyJ..."
+eval $(hd auth-ci login) && hd scan eol --dir /path/to/project
+```
+
+#### GitHub Actions (authenticated scan)
+
+Add secrets `HD_AUTH_TOKEN` and `HD_ORG_ID` in your repository or organization, then:
+
+```yaml
+- uses: actions/checkout@v5
+- uses: actions/setup-node@v6
+  with:
+    node-version: '24'
+- name: Run EOL Scan
+  env:
+    HD_ORG_ID: ${{ secrets.HD_ORG_ID }}
+    HD_AUTH_TOKEN: ${{ secrets.HD_AUTH_TOKEN }}
+  run: |
+    eval $(npx @herodevs/cli@beta auth-ci login)
+    npx @herodevs/cli@beta scan eol -s
+```
+
+#### GitLab CI (authenticated scan)
+
+Add CI/CD variables `HD_AUTH_TOKEN` and `HD_ORG_ID` (masked) in your project:
+
+```yaml
+eol-scan:
+  image: node:24
+  variables:
+    HD_ORG_ID: $HD_ORG_ID
+    HD_AUTH_TOKEN: $HD_AUTH_TOKEN
+  script:
+    - eval $(npx @herodevs/cli@beta auth-ci login)
+    - npx @herodevs/cli@beta scan eol -s
+  artifacts:
+    paths:
+      - herodevs.report.json
+```
+
 ### Using the Docker Image (Recommended)
 
 We provide a Docker image that's pre-configured to run EOL scans. Based on [`cdxgen`](https://github.com/CycloneDX/cdxgen),

package.json

@@ -53,6 +53,7 @@
     "@oclif/plugin-update": "^4.7.16",
     "@oclif/table": "^0.5.1",
     "cli-progress": "^3.12.0",
+    "conf": "^15.1.0",
     "date-fns": "^4.1.0",
     "glob": "^13.0.0",
     "graphql": "^16.11.0",