@agent-relay/cloud 2.0.23 → 6.0.4

package/dist/api-client.d.ts

@@ -0,0 +1,33 @@
+export type CloudApiClientOptions = {
+    apiUrl: string;
+    accessToken: string;
+    refreshToken: string;
+    accessTokenExpiresAt: string;
+    refreshTokenExpiresAt?: string;
+};
+export type CloudApiClientSnapshot = {
+    apiUrl: string;
+    accessToken: string;
+    refreshToken: string;
+    accessTokenExpiresAt: string;
+    refreshTokenExpiresAt?: string;
+};
+export declare function buildApiUrl(apiUrl: string, p: string): URL;
+export declare class CloudApiClient {
+    private readonly options;
+    private accessToken;
+    private refreshToken;
+    private accessTokenExpiresAt;
+    private refreshTokenExpiresAt?;
+    private refreshPromise;
+    constructor(options: CloudApiClientOptions);
+    static fromEnv(env: NodeJS.ProcessEnv): CloudApiClient | null;
+    snapshot(): CloudApiClientSnapshot;
+    fetch(p: string, init?: RequestInit): Promise<Response>;
+    revoke(): Promise<void>;
+    private refresh;
+    private doRefresh;
+    private buildHeaders;
+    private shouldRefresh;
+}
+//# sourceMappingURL=api-client.d.ts.map

package/dist/api-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-client.d.ts","sourceRoot":"","sources":["../src/api-client.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,qBAAqB,GAAG;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,qBAAqB,CAAC,EAAE,MAAM,CAAC;CAChC,CAAC;AAEF,MAAM,MAAM,sBAAsB,GAAG;IACnC,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,qBAAqB,CAAC,EAAE,MAAM,CAAC;CAChC,CAAC;AAUF,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,GAAG,CAE1D;AAED,qBAAa,cAAc;IAOb,OAAO,CAAC,QAAQ,CAAC,OAAO;IANpC,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,oBAAoB,CAAS;IACrC,OAAO,CAAC,qBAAqB,CAAC,CAAS;IACvC,OAAO,CAAC,cAAc,CAA8B;gBAEvB,OAAO,EAAE,qBAAqB;IAO3D,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,UAAU,GAAG,cAAc,GAAG,IAAI;IAoB7D,QAAQ,IAAI,sBAAsB;IAU5B,KAAK,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,GAAE,WAAgB,GAAG,OAAO,CAAC,QAAQ,CAAC;IAoB3D,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;YAcf,OAAO;YAgBP,SAAS;IA8BvB,OAAO,CAAC,YAAY;IAMpB,OAAO,CAAC,aAAa;CAQtB"}

package/dist/api-client.js

@@ -0,0 +1,123 @@
+import { REFRESH_WINDOW_MS } from "./types.js";
+function trimLeadingSlash(p) {
+    return p.replace(/^\/+/, "");
+}
+function withTrailingSlash(p) {
+    return p.endsWith("/") ? p : `${p}/`;
+}
+export function buildApiUrl(apiUrl, p) {
+    return new URL(trimLeadingSlash(p), withTrailingSlash(apiUrl));
+}
+export class CloudApiClient {
+    options;
+    accessToken;
+    refreshToken;
+    accessTokenExpiresAt;
+    refreshTokenExpiresAt;
+    refreshPromise = null;
+    constructor(options) {
+        this.options = options;
+        this.accessToken = options.accessToken;
+        this.refreshToken = options.refreshToken;
+        this.accessTokenExpiresAt = options.accessTokenExpiresAt;
+        this.refreshTokenExpiresAt = options.refreshTokenExpiresAt;
+    }
+    static fromEnv(env) {
+        const apiUrl = env.CLOUD_API_URL?.trim();
+        const accessToken = env.CLOUD_API_ACCESS_TOKEN?.trim();
+        const refreshToken = env.CLOUD_API_REFRESH_TOKEN?.trim();
+        const accessTokenExpiresAt = env.CLOUD_API_ACCESS_TOKEN_EXPIRES_AT?.trim();
+        const refreshTokenExpiresAt = env.CLOUD_API_REFRESH_TOKEN_EXPIRES_AT?.trim();
+        if (!apiUrl || !accessToken || !refreshToken || !accessTokenExpiresAt) {
+            return null;
+        }
+        return new CloudApiClient({
+            apiUrl,
+            accessToken,
+            refreshToken,
+            accessTokenExpiresAt,
+            refreshTokenExpiresAt,
+        });
+    }
+    snapshot() {
+        return {
+            apiUrl: this.options.apiUrl,
+            accessToken: this.accessToken,
+            refreshToken: this.refreshToken,
+            accessTokenExpiresAt: this.accessTokenExpiresAt,
+            ...(this.refreshTokenExpiresAt ? { refreshTokenExpiresAt: this.refreshTokenExpiresAt } : {}),
+        };
+    }
+    async fetch(p, init = {}) {
+        await this.refresh();
+        const response = await fetch(buildApiUrl(this.options.apiUrl, p), {
+            ...init,
+            headers: this.buildHeaders(init.headers),
+        });
+        if (response.status !== 401) {
+            return response;
+        }
+        await this.refresh(true);
+        return fetch(buildApiUrl(this.options.apiUrl, p), {
+            ...init,
+            headers: this.buildHeaders(init.headers),
+        });
+    }
+    async revoke() {
+        const response = await fetch(buildApiUrl(this.options.apiUrl, "/api/v1/auth/token/revoke"), {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+            },
+            body: JSON.stringify({ token: this.refreshToken }),
+        });
+        if (!response.ok && response.status !== 404) {
+            throw new Error(`Failed to revoke API token: ${response.status} ${response.statusText}`);
+        }
+    }
+    async refresh(force = false) {
+        if (this.refreshPromise) {
+            return this.refreshPromise;
+        }
+        if (!force && !this.shouldRefresh()) {
+            return;
+        }
+        this.refreshPromise = this.doRefresh().finally(() => {
+            this.refreshPromise = null;
+        });
+        return this.refreshPromise;
+    }
+    async doRefresh() {
+        const response = await fetch(buildApiUrl(this.options.apiUrl, "/api/v1/auth/token/refresh"), {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+            },
+            body: JSON.stringify({ refreshToken: this.refreshToken }),
+        });
+        if (!response.ok) {
+            throw new Error(`Failed to refresh API token: ${response.status} ${response.statusText}`);
+        }
+        const payload = (await response.json());
+        if (!payload.accessToken || !payload.accessTokenExpiresAt || !payload.refreshToken) {
+            throw new Error("Refresh response missing token fields");
+        }
+        this.accessToken = payload.accessToken;
+        this.accessTokenExpiresAt = payload.accessTokenExpiresAt;
+        this.refreshToken = payload.refreshToken;
+        this.refreshTokenExpiresAt = payload.refreshTokenExpiresAt;
+    }
+    buildHeaders(headers) {
+        const merged = new Headers(headers);
+        merged.set("Authorization", `Bearer ${this.accessToken}`);
+        return merged;
+    }
+    shouldRefresh() {
+        const expiresAt = Date.parse(this.accessTokenExpiresAt);
+        if (Number.isNaN(expiresAt)) {
+            return true;
+        }
+        return expiresAt - Date.now() <= REFRESH_WINDOW_MS;
+    }
+}
+//# sourceMappingURL=api-client.js.map

package/dist/api-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../src/api-client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAkB/C,SAAS,gBAAgB,CAAC,CAAS;IACjC,OAAO,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAC/B,CAAC;AAED,SAAS,iBAAiB,CAAC,CAAS;IAClC,OAAO,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,MAAc,EAAE,CAAS;IACnD,OAAO,IAAI,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,EAAE,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC;AACjE,CAAC;AAED,MAAM,OAAO,cAAc;IAOI;IANrB,WAAW,CAAS;IACpB,YAAY,CAAS;IACrB,oBAAoB,CAAS;IAC7B,qBAAqB,CAAU;IAC/B,cAAc,GAAyB,IAAI,CAAC;IAEpD,YAA6B,OAA8B;QAA9B,YAAO,GAAP,OAAO,CAAuB;QACzD,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;QACvC,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;QACzC,IAAI,CAAC,oBAAoB,GAAG,OAAO,CAAC,oBAAoB,CAAC;QACzD,IAAI,CAAC,qBAAqB,GAAG,OAAO,CAAC,qBAAqB,CAAC;IAC7D,CAAC;IAED,MAAM,CAAC,OAAO,CAAC,GAAsB;QACnC,MAAM,MAAM,GAAG,GAAG,CAAC,aAAa,EAAE,IAAI,EAAE,CAAC;QACzC,MAAM,WAAW,GAAG,GAAG,CAAC,sBAAsB,EAAE,IAAI,EAAE,CAAC;QACvD,MAAM,YAAY,GAAG,GAAG,CAAC,uBAAuB,EAAE,IAAI,EAAE,CAAC;QACzD,MAAM,oBAAoB,GAAG,GAAG,CAAC,iCAAiC,EAAE,IAAI,EAAE,CAAC;QAC3E,MAAM,qBAAqB,GAAG,GAAG,CAAC,kCAAkC,EAAE,IAAI,EAAE,CAAC;QAE7E,IAAI,CAAC,MAAM,IAAI,CAAC,WAAW,IAAI,CAAC,YAAY,IAAI,CAAC,oBAAoB,EAAE,CAAC;YACtE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,IAAI,cAAc,CAAC;YACxB,MAAM;YACN,WAAW;YACX,YAAY;YACZ,oBAAoB;YACpB,qBAAqB;SACtB,CAAC,CAAC;IACL,CAAC;IAED,QAAQ;QACN,OAAO;YACL,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM;YAC3B,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,oBAAoB,EAAE,IAAI,CAAC,oBAAoB;YAC/C,GAAG,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC,EAAE,qBAAqB,EAAE,IAAI,CAAC,qBAAqB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC7F,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,CAAS,EAAE,OAAoB,EAAE;QAC3C,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QAErB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,EAAE;YAChE,GAAG,IAAI;YACP,OAAO,EAAE,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC;SACzC,CAAC,CAAC;QAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAEzB,OAAO,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,EAAE;YAChD,GAAG,IAAI;YACP,OAAO,EAAE,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC;SACzC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,MAAM;QACV,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,2BAA2B,CAAC,EAAE;YAC1F,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC;SACnD,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5C,MAAM,IAAI,KAAK,CAAC,+BAA+B,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QAC3F,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,OAAO,CAAC,KAAK,GAAG,KAAK;QACjC,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC,cAAc,CAAC;QAC7B,CAAC;QAED,IAAI,CAAC,KAAK,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,EAAE,CAAC;YACpC,OAAO;QACT,CAAC;QAED,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE;YAClD,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;QAC7B,CAAC,CAAC,CAAC;QAEH,OAAO,IAAI,CAAC,cAAc,CAAC;IAC7B,CAAC;IAEO,KAAK,CAAC,SAAS;QACrB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,4BAA4B,CAAC,EAAE;YAC3F,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC;SAC1D,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,gCAAgC,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QAC5F,CAAC;QAED,MAAM,OAAO,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAKrC,CAAC;QAEF,IAAI,CAAC,OAAO,CAAC,WAAW,IAAI,CAAC,OAAO,CAAC,oBAAoB,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC;YACnF,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;QAED,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;QACvC,IAAI,CAAC,oBAAoB,GAAG,OAAO,CAAC,oBAAoB,CAAC;QACzD,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;QACzC,IAAI,CAAC,qBAAqB,GAAG,OAAO,CAAC,qBAAqB,CAAC;IAC7D,CAAC;IAEO,YAAY,CAAC,OAAgC;QACnD,MAAM,MAAM,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;QACpC,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,UAAU,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QAC1D,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,aAAa;QACnB,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;QACxD,IAAI,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC;YAC5B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,IAAI,iBAAiB,CAAC;IACrD,CAAC;CACF"}

package/dist/auth.d.ts

@@ -0,0 +1,13 @@
+import { type StoredAuth } from './types.js';
+export declare function readStoredAuth(env?: NodeJS.ProcessEnv): Promise<StoredAuth | null>;
+export declare function writeStoredAuth(auth: StoredAuth): Promise<void>;
+export declare function clearStoredAuth(): Promise<void>;
+export declare function refreshStoredAuth(auth: StoredAuth): Promise<StoredAuth>;
+export declare function ensureAuthenticated(apiUrl: string, options?: {
+    force?: boolean;
+}): Promise<StoredAuth>;
+export declare function authorizedApiFetch(auth: StoredAuth, requestPath: string, init: RequestInit): Promise<{
+    response: Response;
+    auth: StoredAuth;
+}>;
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAOA,OAAO,EAAqC,KAAK,UAAU,EAAE,MAAM,YAAY,CAAC;AAgEhF,wBAAsB,cAAc,CAAC,GAAG,GAAE,MAAM,CAAC,UAAwB,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAarG;AAED,wBAAsB,eAAe,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CASrE;AAED,wBAAsB,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC,CAErD;AAyKD,wBAAsB,iBAAiB,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAgC7E;AASD,wBAAsB,mBAAmB,CACvC,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,OAAO,CAAA;CAAE,GAC5B,OAAO,CAAC,UAAU,CAAC,CA0BrB;AAkBD,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,UAAU,EAChB,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE,WAAW,GAChB,OAAO,CAAC;IAAE,QAAQ,EAAE,QAAQ,CAAC;IAAC,IAAI,EAAE,UAAU,CAAA;CAAE,CAAC,CAoBnD"}

package/dist/auth.js

@@ -0,0 +1,299 @@
+import fs from 'node:fs/promises';
+import http from 'node:http';
+import os from 'node:os';
+import path from 'node:path';
+import { spawn } from 'node:child_process';
+import { buildApiUrl } from './api-client.js';
+import { AUTH_FILE_PATH, REFRESH_WINDOW_MS } from './types.js';
+const envBackedAuth = new WeakSet();
+function markEnvBackedAuth(auth) {
+    envBackedAuth.add(auth);
+    return auth;
+}
+function isEnvBackedAuth(auth) {
+    return envBackedAuth.has(auth);
+}
+function readEnvAuth(env = process.env) {
+    const apiUrl = env.CLOUD_API_URL?.trim();
+    const accessToken = env.CLOUD_API_ACCESS_TOKEN?.trim();
+    const refreshToken = env.CLOUD_API_REFRESH_TOKEN?.trim();
+    const accessTokenExpiresAt = env.CLOUD_API_ACCESS_TOKEN_EXPIRES_AT?.trim();
+    if (!apiUrl || !accessToken || !refreshToken || !accessTokenExpiresAt) {
+        return null;
+    }
+    try {
+        new URL(apiUrl);
+    }
+    catch {
+        return null;
+    }
+    if (Number.isNaN(Date.parse(accessTokenExpiresAt))) {
+        return null;
+    }
+    return markEnvBackedAuth({
+        apiUrl,
+        accessToken,
+        refreshToken,
+        accessTokenExpiresAt,
+    });
+}
+function toEnvAuthRefreshError(error) {
+    const message = error instanceof Error && error.message ? `${error.message}. ` : '';
+    return new Error(`${message}Env-backed cloud auth could not be refreshed interactively; re-provision CLOUD_API_URL, CLOUD_API_ACCESS_TOKEN, CLOUD_API_REFRESH_TOKEN, and CLOUD_API_ACCESS_TOKEN_EXPIRES_AT.`, error instanceof Error ? { cause: error } : undefined);
+}
+function isValidStoredAuth(value) {
+    if (!value || typeof value !== 'object') {
+        return false;
+    }
+    const auth = value;
+    return (typeof auth.accessToken === 'string' &&
+        typeof auth.refreshToken === 'string' &&
+        typeof auth.accessTokenExpiresAt === 'string' &&
+        typeof auth.apiUrl === 'string');
+}
+export async function readStoredAuth(env = process.env) {
+    const envAuth = readEnvAuth(env);
+    if (envAuth) {
+        return envAuth;
+    }
+    try {
+        const file = await fs.readFile(AUTH_FILE_PATH, 'utf8');
+        const parsed = JSON.parse(file);
+        return isValidStoredAuth(parsed) ? parsed : null;
+    }
+    catch {
+        return null;
+    }
+}
+export async function writeStoredAuth(auth) {
+    await fs.mkdir(path.dirname(AUTH_FILE_PATH), {
+        recursive: true,
+        mode: 0o700,
+    });
+    await fs.writeFile(AUTH_FILE_PATH, `${JSON.stringify(auth, null, 2)}\n`, {
+        encoding: 'utf8',
+        mode: 0o600,
+    });
+}
+export async function clearStoredAuth() {
+    await fs.rm(AUTH_FILE_PATH, { force: true });
+}
+function shouldRefresh(accessTokenExpiresAt) {
+    const expiresAt = Date.parse(accessTokenExpiresAt);
+    if (Number.isNaN(expiresAt)) {
+        return true;
+    }
+    return expiresAt - Date.now() <= REFRESH_WINDOW_MS;
+}
+function openBrowser(url) {
+    const platform = os.platform();
+    if (platform === 'darwin') {
+        return spawn('open', [url], { stdio: 'ignore', detached: true });
+    }
+    if (platform === 'win32') {
+        return spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true });
+    }
+    return spawn('xdg-open', [url], { stdio: 'ignore', detached: true });
+}
+function redirectToHostedCliAuthPage(response, apiUrl, options) {
+    const resultUrl = buildApiUrl(apiUrl, '/cli/auth-result');
+    resultUrl.searchParams.set('status', options.status);
+    if (options.detail) {
+        resultUrl.searchParams.set('detail', options.detail);
+    }
+    response.statusCode = 302;
+    response.setHeader('location', resultUrl.toString());
+    response.end();
+}
+async function beginBrowserLogin(apiUrl) {
+    const state = crypto.randomUUID();
+    return new Promise((resolve, reject) => {
+        let settled = false;
+        const server = http.createServer((request, response) => {
+            const requestUrl = new URL(request.url || '/', 'http://127.0.0.1');
+            if (requestUrl.pathname !== '/callback') {
+                response.statusCode = 404;
+                response.end('Not found');
+                return;
+            }
+            const returnedState = requestUrl.searchParams.get('state');
+            // Validate state parameter first (CSRF protection) — this check
+            // must run unconditionally, before any user-controlled values.
+            if (returnedState !== state) {
+                redirectToHostedCliAuthPage(response, apiUrl, {
+                    status: 'error',
+                    detail: 'Invalid state parameter',
+                });
+                if (!settled) {
+                    settled = true;
+                    server.close();
+                    reject(new Error('Invalid state parameter in CLI login callback'));
+                }
+                return;
+            }
+            const error = requestUrl.searchParams.get('error');
+            if (error) {
+                redirectToHostedCliAuthPage(response, apiUrl, {
+                    status: 'error',
+                    detail: error,
+                });
+                if (!settled) {
+                    settled = true;
+                    server.close();
+                    reject(new Error(error));
+                }
+                return;
+            }
+            const accessToken = requestUrl.searchParams.get('access_token');
+            const refreshToken = requestUrl.searchParams.get('refresh_token');
+            const accessTokenExpiresAt = requestUrl.searchParams.get('access_token_expires_at');
+            const returnedApiUrl = requestUrl.searchParams.get('api_url');
+            if (!accessToken || !refreshToken || !accessTokenExpiresAt || !returnedApiUrl) {
+                redirectToHostedCliAuthPage(response, apiUrl, {
+                    status: 'error',
+                    detail: 'Expected access token, refresh token, API URL, and expiration timestamp.',
+                });
+                if (!settled) {
+                    settled = true;
+                    server.close();
+                    reject(new Error('CLI login callback was missing required fields'));
+                }
+                return;
+            }
+            redirectToHostedCliAuthPage(response, returnedApiUrl, {
+                status: 'success',
+                detail: `API endpoint: ${returnedApiUrl}`,
+            });
+            if (!settled) {
+                settled = true;
+                server.close();
+                resolve({
+                    accessToken,
+                    refreshToken,
+                    accessTokenExpiresAt,
+                    apiUrl: returnedApiUrl,
+                });
+            }
+        });
+        server.listen(0, '127.0.0.1', () => {
+            const address = server.address();
+            if (!address || typeof address === 'string') {
+                if (!settled) {
+                    settled = true;
+                    server.close();
+                    reject(new Error('Failed to start local callback server'));
+                }
+                return;
+            }
+            const callbackUrl = new URL('/callback', `http://127.0.0.1:${address.port}`);
+            const loginUrl = buildApiUrl(apiUrl, '/api/v1/cli/login');
+            loginUrl.searchParams.set('redirect_uri', callbackUrl.toString());
+            loginUrl.searchParams.set('state', state);
+            console.log(`Opening browser for cloud login: ${loginUrl.toString()}`);
+            console.log('If the browser does not open, paste this URL into your browser.');
+            try {
+                const child = openBrowser(loginUrl.toString());
+                child.unref();
+            }
+            catch {
+                // Browser open failure is non-fatal; user still has the URL.
+            }
+        });
+        server.on('error', (error) => {
+            if (!settled) {
+                settled = true;
+                reject(error);
+            }
+        });
+        setTimeout(() => {
+            if (!settled) {
+                settled = true;
+                server.close();
+                reject(new Error('Timed out waiting for browser login'));
+            }
+        }, 5 * 60_000).unref();
+    });
+}
+export async function refreshStoredAuth(auth) {
+    const response = await fetch(buildApiUrl(auth.apiUrl, '/api/v1/auth/token/refresh'), {
+        method: 'POST',
+        headers: {
+            'content-type': 'application/json',
+        },
+        body: JSON.stringify({ refreshToken: auth.refreshToken }),
+    });
+    const payload = (await response.json().catch(() => null));
+    if (!response.ok || !payload?.accessToken || !payload?.refreshToken || !payload?.accessTokenExpiresAt) {
+        throw new Error('Stored cloud login has expired');
+    }
+    const nextAuth = {
+        apiUrl: auth.apiUrl,
+        accessToken: payload.accessToken,
+        refreshToken: payload.refreshToken,
+        accessTokenExpiresAt: payload.accessTokenExpiresAt,
+    };
+    if (isEnvBackedAuth(auth)) {
+        return markEnvBackedAuth(nextAuth);
+    }
+    await writeStoredAuth(nextAuth);
+    return nextAuth;
+}
+async function loginWithBrowser(apiUrl) {
+    const auth = await beginBrowserLogin(apiUrl);
+    await writeStoredAuth(auth);
+    console.log(`Logged in to ${auth.apiUrl}`);
+    return auth;
+}
+export async function ensureAuthenticated(apiUrl, options) {
+    const force = options?.force === true;
+    const stored = !force ? await readStoredAuth() : null;
+    // Stored auth is authoritative on its own host. A host mismatch between
+    // `apiUrl` (typically defaultApiUrl()) and `stored.apiUrl` is NOT a reason
+    // to force a fresh browser login — the user already linked, and the default
+    // may have drifted (e.g. CLOUD_API_URL env set/unset between sessions).
+    // Only `--force` re-links to a different host.
+    if (!stored) {
+        return loginWithBrowser(apiUrl);
+    }
+    if (!shouldRefresh(stored.accessTokenExpiresAt)) {
+        return stored;
+    }
+    try {
+        return await refreshStoredAuth(stored);
+    }
+    catch (error) {
+        if (isEnvBackedAuth(stored)) {
+            throw toEnvAuthRefreshError(error);
+        }
+        return loginWithBrowser(stored.apiUrl);
+    }
+}
+function apiFetch(apiUrl, accessToken, requestPath, init) {
+    return fetch(buildApiUrl(apiUrl, requestPath), {
+        ...init,
+        headers: {
+            'content-type': 'application/json',
+            authorization: `Bearer ${accessToken}`,
+            ...(init.headers ?? {}),
+        },
+    });
+}
+export async function authorizedApiFetch(auth, requestPath, init) {
+    let activeAuth = auth;
+    let response = await apiFetch(activeAuth.apiUrl, activeAuth.accessToken, requestPath, init);
+    if (response.status !== 401) {
+        return { response, auth: activeAuth };
+    }
+    try {
+        activeAuth = await refreshStoredAuth(activeAuth);
+    }
+    catch (error) {
+        if (isEnvBackedAuth(activeAuth)) {
+            throw toEnvAuthRefreshError(error);
+        }
+        activeAuth = await loginWithBrowser(activeAuth.apiUrl);
+    }
+    response = await apiFetch(activeAuth.apiUrl, activeAuth.accessToken, requestPath, init);
+    return { response, auth: activeAuth };
+}
+//# sourceMappingURL=auth.js.map

package/dist/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAClC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAE3C,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAmB,MAAM,YAAY,CAAC;AAEhF,MAAM,aAAa,GAAG,IAAI,OAAO,EAAc,CAAC;AAEhD,SAAS,iBAAiB,CAAC,IAAgB;IACzC,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACxB,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,eAAe,CAAC,IAAgB;IACvC,OAAO,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AACjC,CAAC;AAED,SAAS,WAAW,CAAC,MAAyB,OAAO,CAAC,GAAG;IACvD,MAAM,MAAM,GAAG,GAAG,CAAC,aAAa,EAAE,IAAI,EAAE,CAAC;IACzC,MAAM,WAAW,GAAG,GAAG,CAAC,sBAAsB,EAAE,IAAI,EAAE,CAAC;IACvD,MAAM,YAAY,GAAG,GAAG,CAAC,uBAAuB,EAAE,IAAI,EAAE,CAAC;IACzD,MAAM,oBAAoB,GAAG,GAAG,CAAC,iCAAiC,EAAE,IAAI,EAAE,CAAC;IAE3E,IAAI,CAAC,MAAM,IAAI,CAAC,WAAW,IAAI,CAAC,YAAY,IAAI,CAAC,oBAAoB,EAAE,CAAC;QACtE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,EAAE,CAAC;QACnD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,iBAAiB,CAAC;QACvB,MAAM;QACN,WAAW;QACX,YAAY;QACZ,oBAAoB;KACrB,CAAC,CAAC;AACL,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAc;IAC3C,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;IAEpF,OAAO,IAAI,KAAK,CACd,GAAG,OAAO,iLAAiL,EAC3L,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,SAAS,CACtD,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAc;IACvC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,IAAI,GAAG,KAA4B,CAAC;IAC1C,OAAO,CACL,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ;QACpC,OAAO,IAAI,CAAC,YAAY,KAAK,QAAQ;QACrC,OAAO,IAAI,CAAC,oBAAoB,KAAK,QAAQ;QAC7C,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAChC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,MAAyB,OAAO,CAAC,GAAG;IACvE,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IACjC,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC;QACvD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAY,CAAC;QAC3C,OAAO,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;IACnD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,IAAgB;IACpD,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE;QAC3C,SAAS,EAAE,IAAI;QACf,IAAI,EAAE,KAAK;KACZ,CAAC,CAAC;IACH,MAAM,EAAE,CAAC,SAAS,CAAC,cAAc,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE;QACvE,QAAQ,EAAE,MAAM;QAChB,IAAI,EAAE,KAAK;KACZ,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,MAAM,EAAE,CAAC,EAAE,CAAC,cAAc,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;AAC/C,CAAC;AAED,SAAS,aAAa,CAAC,oBAA4B;IACjD,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;IACnD,IAAI,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC;QAC5B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,IAAI,iBAAiB,CAAC;AACrD,CAAC;AAED,SAAS,WAAW,CAAC,GAAW;IAC9B,MAAM,QAAQ,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;IAE/B,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;IACnE,CAAC;IAED,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;IACrF,CAAC;IAED,OAAO,KAAK,CAAC,UAAU,EAAE,CAAC,GAAG,CAAC,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;AACvE,CAAC;AAED,SAAS,2BAA2B,CAClC,QAAmD,EACnD,MAAc,EACd,OAGC;IAED,MAAM,SAAS,GAAG,WAAW,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC;IAC1D,SAAS,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IACrD,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,SAAS,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IACvD,CAAC;IAED,QAAQ,CAAC,UAAU,GAAG,GAAG,CAAC;IAC1B,QAAQ,CAAC,SAAS,CAAC,UAAU,EAAE,SAAS,CAAC,QAAQ,EAAE,CAAC,CAAC;IACrD,QAAQ,CAAC,GAAG,EAAE,CAAC;AACjB,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,MAAc;IAC7C,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAElC,OAAO,IAAI,OAAO,CAAa,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACjD,IAAI,OAAO,GAAG,KAAK,CAAC;QAEpB,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE,QAAQ,EAAE,EAAE;YACrD,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,IAAI,GAAG,EAAE,kBAAkB,CAAC,CAAC;YAEnE,IAAI,UAAU,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;gBACxC,QAAQ,CAAC,UAAU,GAAG,GAAG,CAAC;gBAC1B,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;gBAC1B,OAAO;YACT,CAAC;YAED,MAAM,aAAa,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAE3D,gEAAgE;YAChE,+DAA+D;YAC/D,IAAI,aAAa,KAAK,KAAK,EAAE,CAAC;gBAC5B,2BAA2B,CAAC,QAAQ,EAAE,MAAM,EAAE;oBAC5C,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,yBAAyB;iBAClC,CAAC,CAAC;gBACH,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,OAAO,GAAG,IAAI,CAAC;oBACf,MAAM,CAAC,KAAK,EAAE,CAAC;oBACf,MAAM,CAAC,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC,CAAC;gBACrE,CAAC;gBACD,OAAO;YACT,CAAC;YAED,MAAM,KAAK,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YACnD,IAAI,KAAK,EAAE,CAAC;gBACV,2BAA2B,CAAC,QAAQ,EAAE,MAAM,EAAE;oBAC5C,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,KAAK;iBACd,CAAC,CAAC;gBACH,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,OAAO,GAAG,IAAI,CAAC;oBACf,MAAM,CAAC,KAAK,EAAE,CAAC;oBACf,MAAM,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC;gBAC3B,CAAC;gBACD,OAAO;YACT,CAAC;YAED,MAAM,WAAW,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YAChE,MAAM,YAAY,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;YAClE,MAAM,oBAAoB,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAC;YACpF,MAAM,cAAc,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YAE9D,IAAI,CAAC,WAAW,IAAI,CAAC,YAAY,IAAI,CAAC,oBAAoB,IAAI,CAAC,cAAc,EAAE,CAAC;gBAC9E,2BAA2B,CAAC,QAAQ,EAAE,MAAM,EAAE;oBAC5C,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,0EAA0E;iBACnF,CAAC,CAAC;gBACH,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,OAAO,GAAG,IAAI,CAAC;oBACf,MAAM,CAAC,KAAK,EAAE,CAAC;oBACf,MAAM,CAAC,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC,CAAC;gBACtE,CAAC;gBACD,OAAO;YACT,CAAC;YAED,2BAA2B,CAAC,QAAQ,EAAE,cAAc,EAAE;gBACpD,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,iBAAiB,cAAc,EAAE;aAC1C,CAAC,CAAC;YAEH,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,GAAG,IAAI,CAAC;gBACf,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC;oBACN,WAAW;oBACX,YAAY;oBACZ,oBAAoB;oBACpB,MAAM,EAAE,cAAc;iBACvB,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE;YACjC,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;YACjC,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;gBAC5C,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,OAAO,GAAG,IAAI,CAAC;oBACf,MAAM,CAAC,KAAK,EAAE,CAAC;oBACf,MAAM,CAAC,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC,CAAC;gBAC7D,CAAC;gBACD,OAAO;YACT,CAAC;YAED,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,WAAW,EAAE,oBAAoB,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;YAC7E,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC;YAC1D,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,QAAQ,EAAE,CAAC,CAAC;YAClE,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;YAE1C,OAAO,CAAC,GAAG,CAAC,oCAAoC,QAAQ,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;YACvE,OAAO,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAAC;YAE/E,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,WAAW,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC;gBAC/C,KAAK,CAAC,KAAK,EAAE,CAAC;YAChB,CAAC;YAAC,MAAM,CAAC;gBACP,6DAA6D;YAC/D,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE;YAC3B,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,GAAG,IAAI,CAAC;gBACf,MAAM,CAAC,KAAK,CAAC,CAAC;YAChB,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,UAAU,CAAC,GAAG,EAAE;YACd,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,GAAG,IAAI,CAAC;gBACf,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,MAAM,CAAC,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC,CAAC;YAC3D,CAAC;QACH,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,CAAC,KAAK,EAAE,CAAC;IACzB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,IAAgB;IACtD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,4BAA4B,CAAC,EAAE;QACnF,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC;KAC1D,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAIhD,CAAC;IAET,IAAI,CAAC,QAAQ,CAAC,EAAE,IAAI,CAAC,OAAO,EAAE,WAAW,IAAI,CAAC,OAAO,EAAE,YAAY,IAAI,CAAC,OAAO,EAAE,oBAAoB,EAAE,CAAC;QACtG,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACpD,CAAC;IAED,MAAM,QAAQ,GAAe;QAC3B,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,oBAAoB,EAAE,OAAO,CAAC,oBAAoB;KACnD,CAAC;IAEF,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1B,OAAO,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IACrC,CAAC;IAED,MAAM,eAAe,CAAC,QAAQ,CAAC,CAAC;IAChC,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,KAAK,UAAU,gBAAgB,CAAC,MAAc;IAC5C,MAAM,IAAI,GAAG,MAAM,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAC7C,MAAM,eAAe,CAAC,IAAI,CAAC,CAAC;IAC5B,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3C,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,MAAc,EACd,OAA6B;IAE7B,MAAM,KAAK,GAAG,OAAO,EAAE,KAAK,KAAK,IAAI,CAAC;IACtC,MAAM,MAAM,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,cAAc,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;IAEtD,wEAAwE;IACxE,2EAA2E;IAC3E,4EAA4E;IAC5E,wEAAwE;IACxE,+CAA+C;IAC/C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC;IAED,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,oBAAoB,CAAC,EAAE,CAAC;QAChD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,IAAI,CAAC;QACH,OAAO,MAAM,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC;YAC5B,MAAM,qBAAqB,CAAC,KAAK,CAAC,CAAC;QACrC,CAAC;QAED,OAAO,gBAAgB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;AACH,CAAC;AAED,SAAS,QAAQ,CACf,MAAc,EACd,WAAmB,EACnB,WAAmB,EACnB,IAAiB;IAEjB,OAAO,KAAK,CAAC,WAAW,CAAC,MAAM,EAAE,WAAW,CAAC,EAAE;QAC7C,GAAG,IAAI;QACP,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,aAAa,EAAE,UAAU,WAAW,EAAE;YACtC,GAAG,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC;SACxB;KACF,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,IAAgB,EAChB,WAAmB,EACnB,IAAiB;IAEjB,IAAI,UAAU,GAAG,IAAI,CAAC;IACtB,IAAI,QAAQ,GAAG,MAAM,QAAQ,CAAC,UAAU,CAAC,MAAM,EAAE,UAAU,CAAC,WAAW,EAAE,WAAW,EAAE,IAAI,CAAC,CAAC;IAE5F,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;IACxC,CAAC;IAED,IAAI,CAAC;QACH,UAAU,GAAG,MAAM,iBAAiB,CAAC,UAAU,CAAC,CAAC;IACnD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,eAAe,CAAC,UAAU,CAAC,EAAE,CAAC;YAChC,MAAM,qBAAqB,CAAC,KAAK,CAAC,CAAC;QACrC,CAAC;QAED,UAAU,GAAG,MAAM,gBAAgB,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IACzD,CAAC;IAED,QAAQ,GAAG,MAAM,QAAQ,CAAC,UAAU,CAAC,MAAM,EAAE,UAAU,CAAC,WAAW,EAAE,WAAW,EAAE,IAAI,CAAC,CAAC;IACxF,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;AACxC,CAAC"}

package/dist/connect.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Provider connect orchestration — provisions a Daytona sandbox via the
+ * Cloud API, opens an interactive SSH session that runs the provider CLI,
+ * and finalizes the auth state with Cloud.
+ *
+ * The CLI command in `agent-relay cloud connect <provider>` is a thin wrapper
+ * around this function; other tools (e.g. `ricky connect <provider>`) can
+ * import it directly and drive the same flow.
+ */
+import type { AuthSshRuntime } from './lib/ssh-runtime.js';
+export declare function getProviderHelpText(): string;
+export declare function normalizeProvider(providerArg: string): string;
+export interface ConnectProviderIo {
+    log: (...args: unknown[]) => void;
+    error: (...args: unknown[]) => void;
+}
+export interface ConnectProviderOptions {
+    /** Provider id or alias (`anthropic`/`claude`, `openai`/`codex`, `google`/`gemini`, …). */
+    provider: string;
+    /** Override the Cloud API URL. Defaults to `defaultApiUrl()`. */
+    apiUrl?: string;
+    /** Sandbox language/image. Defaults to `'typescript'`. */
+    language?: string;
+    /** Auth timeout in milliseconds. Defaults to 5 minutes. */
+    timeoutMs?: number;
+    /** Logger sink. Defaults to `console.log` / `console.error`. */
+    io?: ConnectProviderIo;
+    /** Override SSH/network runtime hooks (used in tests). */
+    runtime?: Partial<AuthSshRuntime>;
+}
+export interface ConnectProviderResult {
+    /** Normalized provider id used for the request. */
+    provider: string;
+    /** Whether the interactive session reported a positive auth pattern match. */
+    success: boolean;
+}
+/**
+ * Connect a provider via interactive SSH session.
+ *
+ * Throws on any failure. Returns `{ provider, success }` when the auth flow
+ * completed successfully — `success` is always `true` on resolved promises;
+ * an unsuccessful auth attempt rejects with a descriptive Error.
+ */
+export declare function connectProvider(options: ConnectProviderOptions): Promise<ConnectProviderResult>;
+//# sourceMappingURL=connect.d.ts.map

package/dist/connect.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"connect.d.ts","sourceRoot":"","sources":["../src/connect.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAOH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAQ3D,wBAAgB,mBAAmB,IAAI,MAAM,CAQ5C;AAED,wBAAgB,iBAAiB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAG7D;AAED,MAAM,WAAW,iBAAiB;IAChC,GAAG,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,IAAI,CAAC;IAClC,KAAK,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,IAAI,CAAC;CACrC;AAED,MAAM,WAAW,sBAAsB;IACrC,2FAA2F;IAC3F,QAAQ,EAAE,MAAM,CAAC;IACjB,iEAAiE;IACjE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,0DAA0D;IAC1D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,2DAA2D;IAC3D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gEAAgE;IAChE,EAAE,CAAC,EAAE,iBAAiB,CAAC;IACvB,0DAA0D;IAC1D,OAAO,CAAC,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;CACnC;AAED,MAAM,WAAW,qBAAqB;IACpC,mDAAmD;IACnD,QAAQ,EAAE,MAAM,CAAC;IACjB,8EAA8E;IAC9E,OAAO,EAAE,OAAO,CAAC;CAClB;AA+BD;;;;;;GAMG;AACH,wBAAsB,eAAe,CAAC,OAAO,EAAE,sBAAsB,GAAG,OAAO,CAAC,qBAAqB,CAAC,CA4HrG"}