@bardioc/app-sdk 0.4.0

package/dist/contract-matrix.js

@@ -0,0 +1,132 @@
+import { SDK_MSG } from './protocol.js';
+export const SDK_CONTRACT_MATRIX = {
+    [SDK_MSG.INIT]: {
+        requestPayload: '{ appId?: string }',
+        responsePayload: 'SdkInitResponse',
+        permission: null,
+        expectedHostBehavior: 'Handshake the iframe app and return SDK-owned host context.',
+    },
+    [SDK_MSG.NOTIFY]: {
+        requestPayload: 'SdkNotifyPayload',
+        responsePayload: '{ ok: true }',
+        permission: 'notify',
+        expectedHostBehavior: 'Surface a host-level notification and acknowledge delivery.',
+    },
+    [SDK_MSG.KERNEL_PROXY]: {
+        requestPayload: 'SdkKernelProxyPayload',
+        responsePayload: 'KernelProtocol response',
+        permission: 'kernel-proxy',
+        expectedHostBehavior: 'Forward only allow-listed kernel messages through the host.',
+    },
+    [SDK_MSG.TRANSPORT]: {
+        requestPayload: 'SdkTransportPayload',
+        responsePayload: 'Upstream transport response payload',
+        permission: 'transport',
+        expectedHostBehavior: 'Relay app-scoped transport requests with scope-aware host mediation.',
+    },
+    [SDK_MSG.SET_COMMANDS]: {
+        requestPayload: 'SdkSetCommandsPayload',
+        responsePayload: '{ ok: true }',
+        permission: null,
+        expectedHostBehavior: 'Store the app command registry for host command invocation.',
+    },
+    [SDK_MSG.SET_MENU]: {
+        requestPayload: 'SdkSetMenuPayload',
+        responsePayload: '{ ok: true }',
+        permission: null,
+        expectedHostBehavior: 'Store the app menu tree without degrading supported SDK menu kinds.',
+    },
+    [SDK_MSG.SET_ACTIVE_TAB]: {
+        requestPayload: 'SdkSetActiveTabPayload',
+        responsePayload: '{ ok: true }',
+        permission: null,
+        expectedHostBehavior: 'Persist the app-reported active tab label in host window state.',
+    },
+    [SDK_MSG.SHORTCUT_EVENT]: {
+        requestPayload: 'SdkShortcutEventPayload',
+        responsePayload: null,
+        permission: null,
+        expectedHostBehavior: 'Route a focused iframe shortcut event through host shortcut handling.',
+    },
+    [SDK_MSG.STORAGE_GET]: {
+        requestPayload: 'SdkStorageGetPayload',
+        responsePayload: 'unknown',
+        permission: 'storage',
+        expectedHostBehavior: 'Host-owned storage bridge; currently deferred in bdf.',
+    },
+    [SDK_MSG.STORAGE_SET]: {
+        requestPayload: 'SdkStorageSetPayload',
+        responsePayload: 'void',
+        permission: 'storage',
+        expectedHostBehavior: 'Host-owned storage bridge; currently deferred in bdf.',
+    },
+    [SDK_MSG.STORAGE_DELETE]: {
+        requestPayload: 'SdkStorageDeletePayload',
+        responsePayload: 'void',
+        permission: 'storage',
+        expectedHostBehavior: 'Host-owned storage bridge; currently deferred in bdf.',
+    },
+    [SDK_MSG.STORAGE_KEYS]: {
+        requestPayload: '{}',
+        responsePayload: 'string[]',
+        permission: 'storage',
+        expectedHostBehavior: 'Host-owned storage bridge; currently deferred in bdf.',
+    },
+    [SDK_MSG.IDB_GET]: {
+        requestPayload: 'SdkIdbGetPayload',
+        responsePayload: 'SdkIdbEntry | null',
+        permission: 'indexdb',
+        expectedHostBehavior: 'Perform app-scoped IndexedDB reads in host-owned storage.',
+    },
+    [SDK_MSG.IDB_PUT]: {
+        requestPayload: 'SdkIdbPutPayload',
+        responsePayload: 'void',
+        permission: 'indexdb',
+        expectedHostBehavior: 'Perform app-scoped IndexedDB writes in host-owned storage.',
+    },
+    [SDK_MSG.IDB_DELETE]: {
+        requestPayload: 'SdkIdbDeletePayload',
+        responsePayload: 'void',
+        permission: 'indexdb',
+        expectedHostBehavior: 'Perform app-scoped IndexedDB deletes in host-owned storage.',
+    },
+    [SDK_MSG.IDB_QUERY]: {
+        requestPayload: 'SdkIdbQueryPayload',
+        responsePayload: 'SdkIdbEntry[]',
+        permission: 'indexdb',
+        expectedHostBehavior: 'Perform app-scoped IndexedDB queries in host-owned storage.',
+    },
+    [SDK_MSG.LAUNCH_APP]: {
+        requestPayload: '{ appId: string }',
+        responsePayload: '{ windowId: string | null }',
+        permission: null,
+        expectedHostBehavior: 'Launch another registered app through the host shell.',
+    },
+    [SDK_MSG.COMMAND_INVOKE]: {
+        requestPayload: 'SdkCommandInvokePayload',
+        responsePayload: '{ ok: true }',
+        permission: null,
+        expectedHostBehavior: 'Host-to-app command callback delivery.',
+    },
+    [SDK_MSG.OS_CONFIG_UPDATE]: {
+        requestPayload: 'OsConfig',
+        responsePayload: null,
+        permission: null,
+        expectedHostBehavior: 'Host-to-app runtime OS configuration update delivery.',
+    },
+    [SDK_MSG.RESPONSE]: {
+        requestPayload: 'SdkResponse',
+        responsePayload: null,
+        permission: null,
+        expectedHostBehavior: 'Request/response envelope used by the bridge runtime.',
+    },
+    [SDK_MSG.INIT_ACK]: {
+        requestPayload: 'SdkInitResponse',
+        responsePayload: null,
+        permission: null,
+        expectedHostBehavior: 'Handshake acknowledgement used by the bridge runtime.',
+    },
+};
+export function getRequiredPermissionForSdkMessage(messageType) {
+    return SDK_CONTRACT_MATRIX[messageType]?.permission ?? null;
+}

package/dist/dev-auth-proxy-core.d.ts

@@ -0,0 +1,24 @@
+import type { IncomingMessage, ServerResponse } from 'node:http';
+export type ProxyPayload = {
+    sessionKey?: string;
+    hostUrl?: string;
+    scopeId?: string | null;
+    scopePolicy?: 'none' | 'optional' | 'required';
+    path: string;
+    method?: 'GET' | 'POST' | 'PUT' | 'PATCH' | 'DELETE';
+    body?: unknown;
+    contentType?: string;
+};
+interface ProxyTransportOptions {
+    appId: string;
+    hostUrl: string;
+    devSessionKey: string;
+}
+interface SendJsonOptions {
+    allowOrigin?: string;
+}
+export declare function readJsonBody<T = unknown>(req: IncomingMessage): Promise<T | null>;
+export declare function applyCors(res: ServerResponse, allowOrigin?: string): void;
+export declare function sendJson(res: ServerResponse, status: number, body: unknown, options?: SendJsonOptions): void;
+export declare function forwardDevAuthProxyRequest(payload: ProxyPayload, options: ProxyTransportOptions): Promise<Response>;
+export {};

package/dist/dev-auth-proxy-core.js

@@ -0,0 +1,59 @@
+export async function readJsonBody(req) {
+    return new Promise(resolveBody => {
+        const chunks = [];
+        req.on('data', (chunk) => chunks.push(chunk));
+        req.on('end', () => {
+            const buffer = Buffer.concat(chunks);
+            if (buffer.length === 0) {
+                resolveBody(null);
+                return;
+            }
+            try {
+                resolveBody(JSON.parse(buffer.toString('utf8')));
+            }
+            catch {
+                resolveBody(null);
+            }
+        });
+        req.on('error', () => resolveBody(null));
+    });
+}
+export function applyCors(res, allowOrigin) {
+    if (!allowOrigin) {
+        return;
+    }
+    res.setHeader('Access-Control-Allow-Origin', allowOrigin);
+    res.setHeader('Access-Control-Allow-Methods', 'POST,OPTIONS');
+    res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+}
+export function sendJson(res, status, body, options = {}) {
+    applyCors(res, options.allowOrigin);
+    res.statusCode = status;
+    res.setHeader('Content-Type', 'application/json');
+    res.setHeader('Cache-Control', 'no-store');
+    res.end(JSON.stringify(body));
+}
+export async function forwardDevAuthProxyRequest(payload, options) {
+    const hostUrl = payload.hostUrl ?? options.hostUrl;
+    const sessionKey = payload.sessionKey ?? options.devSessionKey;
+    if (!hostUrl || !sessionKey) {
+        throw new Error('missing_dev_session');
+    }
+    return fetch(`${hostUrl.replace(/\/$/, '')}/api/transport`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'X-Dev-Session-Key': sessionKey,
+        },
+        body: JSON.stringify({
+            appId: options.appId,
+            path: payload.path,
+            method: payload.method ?? 'GET',
+            body: payload.body,
+            contentType: payload.contentType,
+            scopePolicy: payload.scopePolicy,
+            scopeId: payload.scopeId ?? null,
+        }),
+        cache: 'no-store',
+    });
+}

package/dist/dev-auth-vite.d.ts

@@ -0,0 +1,34 @@
+import type { IncomingMessage, ServerResponse } from 'node:http';
+type VitePlugin = {
+    name: string;
+    apply?: 'serve' | 'build';
+    enforce?: 'pre' | 'post';
+    configureServer?: (server: ViteDevServerLike) => void;
+    transformIndexHtml?: () => Array<{
+        tag: string;
+        attrs?: Record<string, string>;
+        children?: string;
+        injectTo?: 'head' | 'body' | 'head-prepend' | 'body-prepend';
+    }> | void;
+};
+interface ViteDevServerLike {
+    config: {
+        root: string;
+        envDir?: string;
+        mode?: string;
+        base: string;
+        logger: {
+            warn: (message: string) => void;
+            info: (message: string) => void;
+        };
+    };
+    middlewares: {
+        use: (handler: (req: IncomingMessage, res: ServerResponse, next: (error?: unknown) => void) => void) => void;
+    };
+}
+export interface BardiocDevAuthOptions {
+    appName: string;
+    sessionStorageKey?: string;
+}
+export declare function bardiocDevAuth(options: BardiocDevAuthOptions): VitePlugin;
+export {};

package/dist/dev-auth-vite.js

@@ -0,0 +1,221 @@
+import { existsSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { forwardDevAuthProxyRequest, readJsonBody, sendJson, } from './dev-auth-proxy-core.js';
+import { readDotEnvFile } from './dot-env.js';
+function resolveSessionStorageKey(options) {
+    return options.sessionStorageKey ?? `bardioc.dev.auth.${options.appName}`;
+}
+function readRuntimeEnv(server) {
+    const envDir = server.config.envDir ?? server.config.root;
+    const mode = server.config.mode?.trim();
+    const envFileNames = [
+        '.env',
+        '.env.local',
+        mode ? `.env.${mode}` : null,
+        mode ? `.env.${mode}.local` : null,
+    ];
+    const env = {};
+    for (const fileName of envFileNames) {
+        if (!fileName) {
+            continue;
+        }
+        const filePath = resolve(envDir, fileName);
+        if (!existsSync(filePath)) {
+            continue;
+        }
+        Object.assign(env, readDotEnvFile(filePath));
+    }
+    for (const [key, value] of Object.entries(process.env)) {
+        if (typeof value === 'string') {
+            env[key] = value;
+        }
+    }
+    return env;
+}
+function readDevAuthEnv(server, options) {
+    const env = readRuntimeEnv(server);
+    const hostUrl = env.DEV_AUTH_HOST_URL?.trim().replace(/\/$/, '');
+    const devSessionKey = env.DEV_SESSION_KEY?.trim();
+    const exchangeAppId = env.VITE_APP_ID?.trim();
+    if (!hostUrl || !devSessionKey || !exchangeAppId) {
+        return null;
+    }
+    return {
+        exchangeAppId,
+        hostUrl,
+        devSessionKey,
+        sessionStorageKey: resolveSessionStorageKey(options),
+    };
+}
+function getRequestPathname(req) {
+    const originalUrl = req.__bardiocOriginalUrl;
+    return new URL(originalUrl ?? req.url ?? '/', `http://${req.headers.host ?? 'localhost'}`)
+        .pathname;
+}
+function getBasePath(req, routePath) {
+    const pathname = getRequestPathname(req);
+    if (pathname.endsWith(routePath)) {
+        const basePath = pathname.slice(0, -routePath.length);
+        return basePath || '/';
+    }
+    return '/';
+}
+function buildAppPath(basePath, path) {
+    const normalizedBase = basePath === '/' ? '' : basePath.replace(/\/$/, '');
+    const normalizedPath = path.startsWith('/') ? path : `/${path}`;
+    return `${normalizedBase}${normalizedPath}`;
+}
+function sendHtml(res, status, html) {
+    res.statusCode = status;
+    res.setHeader('Content-Type', 'text/html; charset=utf-8');
+    res.setHeader('Cache-Control', 'no-store');
+    res.end(html);
+}
+function renderLoginHtml(session, basePath, sessionStorageKey) {
+    const payload = JSON.stringify(JSON.stringify(session))
+        .replace(/</g, '\\u003c')
+        .replace(/>/g, '\\u003e')
+        .replace(/&/g, '\\u0026');
+    const redirectPath = buildAppPath(basePath, '/');
+    return `<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>Signing in...</title>
+  </head>
+  <body>
+    <script>
+      window.localStorage.removeItem('${sessionStorageKey.replace('bardioc.dev.auth.', '')}.dev.auth');
+      window.localStorage.setItem('${sessionStorageKey}', ${payload});
+      window.location.replace(${JSON.stringify(redirectPath)});
+    </script>
+  </body>
+</html>`;
+}
+function createLoginHandler(env) {
+    return async (req, res) => {
+        const basePath = getBasePath(req, '/login');
+        sendHtml(res, 200, renderLoginHtml({
+            sessionKey: env.devSessionKey,
+            hostUrl: env.hostUrl,
+            scopeId: null,
+        }, basePath, env.sessionStorageKey));
+    };
+}
+function createProxyHandler(options) {
+    return async (req, res) => {
+        const payload = await readJsonBody(req);
+        if (!payload?.path) {
+            sendJson(res, 400, { error: 'invalid_payload' });
+            return;
+        }
+        try {
+            const transportResponse = await forwardDevAuthProxyRequest(payload, {
+                appId: options.appId,
+                hostUrl: options.env.hostUrl,
+                devSessionKey: options.env.devSessionKey,
+            });
+            const responseText = await transportResponse.text();
+            res.statusCode = transportResponse.status;
+            const contentType = transportResponse.headers.get('content-type');
+            if (contentType) {
+                res.setHeader('Content-Type', contentType);
+            }
+            res.setHeader('Cache-Control', 'no-store');
+            res.end(responseText);
+        }
+        catch (error) {
+            if (error instanceof Error && error.message === 'missing_dev_session') {
+                sendJson(res, 400, { error: 'missing_dev_session' });
+                return;
+            }
+            sendJson(res, 502, { error: 'host_transport_failed' });
+        }
+    };
+}
+function createDevAuthRouter(options) {
+    const handleLogin = createLoginHandler(options.env);
+    const handleProxy = createProxyHandler(options);
+    const handlers = {
+        'GET /login': handleLogin,
+        'POST /proxy': handleProxy,
+    };
+    return async (req, res) => {
+        const url = new URL(req.url ?? '/', `http://${req.headers.host ?? 'localhost'}`);
+        const key = `${req.method ?? 'GET'} ${url.pathname}`;
+        const handler = handlers[key];
+        if (!handler) {
+            sendJson(res, 404, { error: 'not_found' });
+            return;
+        }
+        await handler(req, res);
+    };
+}
+export function bardiocDevAuth(options) {
+    let runtimeConfig = null;
+    return {
+        name: 'bardioc-dev-auth',
+        apply: 'serve',
+        enforce: 'pre',
+        configureServer(server) {
+            runtimeConfig = readDevAuthEnv(server, options);
+            if (!runtimeConfig) {
+                server.config.logger.warn(`[bardioc-dev-auth] DEV_AUTH_HOST_URL + DEV_SESSION_KEY, plus VITE_APP_ID, are required in env files — dev auth disabled for appName="${options.appName}".`);
+                return;
+            }
+            const env = {
+                hostUrl: runtimeConfig.hostUrl,
+                devSessionKey: runtimeConfig.devSessionKey,
+                sessionStorageKey: runtimeConfig.sessionStorageKey,
+            };
+            const router = createDevAuthRouter({ appId: runtimeConfig.exchangeAppId, env });
+            server.config.logger.info(`[bardioc-dev-auth] enabled for appName="${options.appName}" appId="${runtimeConfig.exchangeAppId}" → ${runtimeConfig.hostUrl}/api/transport`);
+            const basePath = server.config.base.endsWith('/')
+                ? server.config.base.slice(0, -1)
+                : server.config.base;
+            server.middlewares.use(async (req, res, next) => {
+                const originalUrl = req.url ?? '';
+                const devAuthReq = req;
+                const parsed = new URL(originalUrl, 'http://localhost');
+                const pathname = parsed.pathname;
+                const routePath = pathname.startsWith(basePath)
+                    ? pathname.slice(basePath.length) || '/'
+                    : pathname;
+                const shouldHandle = routePath === '/login' || routePath === '/proxy';
+                if (shouldHandle) {
+                    try {
+                        devAuthReq.__bardiocOriginalUrl = originalUrl;
+                        req.url = `${routePath}${parsed.search}`;
+                        await router(req, res);
+                    }
+                    catch (error) {
+                        next(error);
+                    }
+                    finally {
+                        req.url = originalUrl;
+                        delete devAuthReq.__bardiocOriginalUrl;
+                    }
+                }
+                else {
+                    next();
+                }
+            });
+        },
+        transformIndexHtml() {
+            if (!runtimeConfig) {
+                return;
+            }
+            return [
+                {
+                    tag: 'script',
+                    injectTo: 'head',
+                    children: `window.__BARDIOC_DEV_AUTH__ = ${JSON.stringify({
+                        hostUrl: runtimeConfig.hostUrl,
+                        sessionKey: runtimeConfig.devSessionKey,
+                    })};`,
+                },
+            ];
+        },
+    };
+}

package/dist/dev-proxy.d.ts

@@ -0,0 +1,8 @@
+import type { IncomingMessage, ServerResponse } from 'node:http';
+export interface DevAuthProxyOptions {
+    appId: string;
+    hostUrl: string;
+    devSessionKey: string;
+    allowOrigin?: string;
+}
+export declare function createDevAuthProxyHandler(options: DevAuthProxyOptions): (req: IncomingMessage, res: ServerResponse) => Promise<void>;

package/dist/dev-proxy.js

@@ -0,0 +1,40 @@
+import { applyCors, forwardDevAuthProxyRequest, readJsonBody, sendJson, } from './dev-auth-proxy-core.js';
+export function createDevAuthProxyHandler(options) {
+    return async (req, res) => {
+        const pathname = new URL(req.url ?? '/', `http://${req.headers.host ?? 'localhost'}`).pathname;
+        if (req.method === 'OPTIONS') {
+            applyCors(res, options.allowOrigin);
+            res.statusCode = 204;
+            res.end();
+            return;
+        }
+        if (req.method !== 'POST' || pathname !== '/proxy') {
+            sendJson(res, 404, { error: 'not_found' }, { allowOrigin: options.allowOrigin });
+            return;
+        }
+        const payload = await readJsonBody(req);
+        if (!payload?.path) {
+            sendJson(res, 400, { error: 'invalid_payload' }, { allowOrigin: options.allowOrigin });
+            return;
+        }
+        try {
+            const transportResponse = await forwardDevAuthProxyRequest(payload, options);
+            const responseText = await transportResponse.text();
+            applyCors(res, options.allowOrigin);
+            res.statusCode = transportResponse.status;
+            res.setHeader('Cache-Control', 'no-store');
+            const contentType = transportResponse.headers.get('content-type');
+            if (contentType) {
+                res.setHeader('Content-Type', contentType);
+            }
+            res.end(responseText);
+        }
+        catch (error) {
+            if (error instanceof Error && error.message === 'missing_dev_session') {
+                sendJson(res, 400, { error: 'missing_dev_session' }, { allowOrigin: options.allowOrigin });
+                return;
+            }
+            sendJson(res, 502, { error: 'host_transport_failed' }, { allowOrigin: options.allowOrigin });
+        }
+    };
+}

package/dist/dev-session-cli.d.ts

@@ -0,0 +1,34 @@
+import { spawn } from 'node:child_process';
+interface CliConfig {
+    hostUrl?: string;
+    cliAccessToken?: string;
+    cliAccessTokenExpiresAt?: number;
+}
+interface RuntimeEnv {
+    VITE_ENABLE_DEV_AUTH?: string;
+    VITE_APP_ID?: string;
+    DEV_AUTH_HOST_URL?: string;
+}
+interface DevSessionResponse {
+    sessionKey: string;
+    hostUrl: string;
+    appId: string;
+}
+interface CliMainRuntime {
+    argv?: string[];
+    cwd?: () => string;
+    env?: NodeJS.ProcessEnv;
+    platform?: NodeJS.Platform;
+    spawnCommand?: typeof spawn;
+    stdout?: Pick<NodeJS.WriteStream, 'write'>;
+    stderr?: Pick<NodeJS.WriteStream, 'write'>;
+    exit?: (code: number) => void;
+    readCliConfig?: () => CliConfig | null;
+}
+export declare function readLayeredEnv(cwd: string, runtimeEnv?: NodeJS.ProcessEnv): RuntimeEnv;
+export declare function readCliConfigFromFile(configPath: string): CliConfig | null;
+export declare function normalizeHostUrl(hostUrl: string): string;
+export declare function assertCliConfig(config: CliConfig | null, hostUrl: string): asserts config is CliConfig;
+export declare function fetchDevSession(hostUrl: string, cliAccessToken: string, appId: string): Promise<DevSessionResponse>;
+export declare function main(runtime?: CliMainRuntime): Promise<void>;
+export {};

package/dist/dev-session-cli.js

@@ -0,0 +1,125 @@
+import { spawn } from 'node:child_process';
+import { existsSync, readFileSync, realpathSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { readDotEnvFile } from './dot-env.js';
+export function readLayeredEnv(cwd, runtimeEnv = process.env) {
+    const env = {};
+    for (const fileName of ['.env', '.env.local']) {
+        const filePath = resolve(cwd, fileName);
+        if (!existsSync(filePath)) {
+            continue;
+        }
+        Object.assign(env, readDotEnvFile(filePath));
+    }
+    for (const [key, value] of Object.entries(runtimeEnv)) {
+        if (typeof value === 'string') {
+            env[key] = value;
+        }
+    }
+    return env;
+}
+export function readCliConfigFromFile(configPath) {
+    if (!existsSync(configPath)) {
+        return null;
+    }
+    const parsed = JSON.parse(readFileSync(configPath, 'utf8'));
+    return parsed;
+}
+function readCliConfig() {
+    return readCliConfigFromFile(resolve(homedir(), '.bardioc', 'config.json'));
+}
+export function normalizeHostUrl(hostUrl) {
+    return hostUrl.trim().replace(/\/$/, '');
+}
+export function assertCliConfig(config, hostUrl) {
+    if (!config?.hostUrl || !config.cliAccessToken) {
+        throw new Error('Missing CLI login. Run `bardioc login` first.');
+    }
+    if (normalizeHostUrl(config.hostUrl) !== normalizeHostUrl(hostUrl)) {
+        throw new Error(`CLI login host ${normalizeHostUrl(config.hostUrl)} does not match DEV_AUTH_HOST_URL ${normalizeHostUrl(hostUrl)}.`);
+    }
+    if (typeof config.cliAccessTokenExpiresAt === 'number' &&
+        config.cliAccessTokenExpiresAt > 0 &&
+        config.cliAccessTokenExpiresAt * 1000 <= Date.now()) {
+        throw new Error('Stored CLI login is expired. Run `bardioc login` again.');
+    }
+}
+export async function fetchDevSession(hostUrl, cliAccessToken, appId) {
+    const response = await fetch(`${normalizeHostUrl(hostUrl)}/api/auth/dev-session`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            Authorization: `Bearer ${cliAccessToken}`,
+        },
+        body: JSON.stringify({ appId }),
+        cache: 'no-store',
+    });
+    if (!response.ok) {
+        const data = (await response.json().catch(() => ({})));
+        throw new Error(data.error ?? `Dev session failed (${response.status})`);
+    }
+    return (await response.json());
+}
+export async function main(runtime = {}) {
+    const argv = runtime.argv ?? process.argv;
+    const currentEnv = runtime.env ?? process.env;
+    const currentCwd = runtime.cwd ?? (() => process.cwd());
+    const spawnCommand = runtime.spawnCommand ?? spawn;
+    const stdout = runtime.stdout ?? process.stdout;
+    const stderr = runtime.stderr ?? process.stderr;
+    const exit = runtime.exit ?? process.exit;
+    const separatorIndex = argv.indexOf('--');
+    const commandArgs = separatorIndex >= 0 ? argv.slice(separatorIndex + 1) : [];
+    if (commandArgs.length === 0) {
+        throw new Error('Missing command after `--`. Example: bardioc-dev-session -- vite');
+    }
+    const cwd = currentCwd();
+    const env = readLayeredEnv(cwd, currentEnv);
+    const devAuthEnabled = env.VITE_ENABLE_DEV_AUTH === 'true';
+    const childEnv = { ...currentEnv };
+    const [command, ...commandRestArgs] = commandArgs;
+    if (!command) {
+        throw new Error('Missing command after `--`. Example: bardioc-dev-session -- vite');
+    }
+    if (devAuthEnabled) {
+        const appId = env.VITE_APP_ID?.trim();
+        const hostUrl = env.DEV_AUTH_HOST_URL?.trim();
+        if (!appId) {
+            throw new Error('Missing VITE_APP_ID for standalone dev auth.');
+        }
+        if (!hostUrl) {
+            throw new Error('Missing DEV_AUTH_HOST_URL for standalone dev auth.');
+        }
+        const cliConfig = (runtime.readCliConfig ?? readCliConfig)();
+        assertCliConfig(cliConfig, hostUrl);
+        const devSession = await fetchDevSession(hostUrl, cliConfig.cliAccessToken, appId);
+        childEnv.DEV_AUTH_HOST_URL = normalizeHostUrl(devSession.hostUrl);
+        childEnv.DEV_SESSION_KEY = devSession.sessionKey;
+        stdout.write(`[bardioc-dev-session] Refreshed dev session for appId="${devSession.appId}" via ${childEnv.DEV_AUTH_HOST_URL}\n`);
+    }
+    const child = spawnCommand(command, commandRestArgs, {
+        stdio: 'inherit',
+        env: childEnv,
+        shell: (runtime.platform ?? process.platform) === 'win32',
+    });
+    child.on('exit', (code) => {
+        exit(code ?? 0);
+    });
+    child.on('error', (error) => {
+        stderr.write(`${error.message}\n`);
+        exit(1);
+    });
+}
+const isDirectRun = process.argv[1]
+    ? realpathSync.native(resolve(process.argv[1])) ===
+        realpathSync.native(fileURLToPath(import.meta.url))
+    : false;
+if (isDirectRun) {
+    void main().catch(error => {
+        const message = error instanceof Error ? error.message : String(error);
+        process.stderr.write(`[bardioc-dev-session] ${message}\n`);
+        process.exit(1);
+    });
+}