Store auth restructure

[dmerand]

What

Restructure shopify store auth under packages/cli/src/cli/services/store/auth/ and split the main auth responsibilities into explicit auth-domain seams.

This keeps the command contract the same while making auth ownership easier to review and build on.

Why

The store auth fast-follow landed quickly and left auth responsibilities spread across a few files with blurry ownership.

That made it harder to reason about:

• local session bucket storage
• expiry / refresh / invalidation policy
• auth-related HTTP
• current-user selection semantics

It also made the execute-side follow-up harder to stage cleanly.

The goal here is to make the auth domain legible on its own before building the execute-side cleanup on top.

How

This PR moves auth code under services/store/auth/ and separates:

• auth/index.ts — auth orchestration
• auth/session-store.ts — local session bucket storage and current-user selection
• auth/session-lifecycle.ts — expiry / refresh / invalidation policy
• auth/token-client.ts — auth-related HTTP
• auth/config.ts / auth/recovery.ts — shared auth support code

It also:

• renames the stored-session getter to getCurrentStoredStoreAppSession(...) so current-user semantics are explicit
• updates existing auth consumers to use the new auth seams
• keeps malformed local session state from leaking past the storage boundary

High-level ownership after this PR:

command -> auth/index.ts -> session-store / session-lifecycle / token-client

This PR is intentionally auth-only. The execute-side folder move and full execute-context cleanup stay in the next stacked PR.

Testing

Manual checks:

pnpm run shopify store auth --store donaldmerand.myshopify.com --scopes read_products
pnpm run shopify store execute --store donaldmerand.myshopify.com --query 'query { shop { name id } }'
node packages/cli/bin/run.js store auth --help
node packages/cli/bin/run.js store execute --help

Verify that:

• store auth still authenticates and persists store auth successfully
• store execute still reuses stored auth successfully
• help/runtime wiring still works after the auth file move

Considered

• Fold execute into this PR: deferred so auth ownership can be reviewed on its own.
• Introduce generic persistence / transport folders: rejected in favor of domain-first store/auth ownership.
• Keep the old stored-session getter naming: renamed now so current-user semantics are explicit before we build on them.

Measuring impact

• n/a - this doesn't need measurement, e.g. a linting rule or a bug-fix
• Existing analytics will cater for this addition
• PR includes analytics changes to measure impact

Checklist

• I've considered possible cross-platform impacts (Mac, Linux, Windows)
• I've considered possible documentation changes

[dmerand]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• Add/enforce --json and output boundary for store commands #7190
• Store execute restructure #7188
• Store auth restructure #7187 👈 (View in Graphite)
• Make store auth scopes additive #7172 : 1 other dependent PR (#7184 )
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[github-actions]

We detected some changes at packages/*/src and there are no updates in the .changeset.
If the changes are user-facing, run pnpm changeset add to track your changes and include them in the next release CHANGELOG.

Caution

DO NOT create changesets for features which you do not wish to be included in the public changelog of the next CLI release.

[ryancbahan]

total nit from me: i am very against index files. they obscure intent and become a dumping ground, plus barrel files cause circular deps and tree shaking issues in many cases

[ryancbahan]

nit: have a views dir?

[ryancbahan]

odd to create a dedicated server as a closure in a callback, no?

[ryancbahan]

odd to create a dedicated server as a closure in a callback, no?

[ryancbahan]

I like the direction of this pr, but the seams still seem a little unclear to me. I wonder if we can invert the order of initialization a bit -- especially in callback and pkce files -- so that we first initialize the server explicitly, initialize the persistence stores, establish the dynamic route(s) that need to be hit, and then let the callback chain(s) flow.

[ryancbahan]

I don't know that the DI pattern here is particularly serving us