@cybedefend/vibedefend 1.1.1

package/dist/index.js

@@ -0,0 +1,129 @@
+#!/usr/bin/env node
+import { Command } from 'commander';
+import updateNotifier from 'update-notifier';
+import { runDoctor } from './doctor.js';
+import { runInstall } from './install.js';
+import { runLoginCommand } from './login.js';
+import { selfUpdate } from './self-update.js';
+import { runStatus } from './status.js';
+import { log } from './utils.js';
+import { pkg } from './version.js';
+/**
+ * `update-notifier` runs an asynchronous, cached version check against the
+ * npm registry. The first call seeds the cache; subsequent invocations
+ * within `updateCheckInterval` (24h) are no-ops on the hot path. If a
+ * newer version exists, we print a non-blocking banner before commander
+ * dispatches the subcommand — the install/update flow still runs
+ * normally, the user just sees a nudge.
+ *
+ * Why not auto-update silently? Two reasons:
+ *  1. Global npm installs often need elevated privileges. A surprise
+ *     `sudo`-required prompt mid-flow is a worse UX than a banner.
+ *  2. Self-updating without the user's knowledge is a footgun — they
+ *     might be deliberately pinning a known-good version while debugging.
+ *
+ * `--self` (below) does the actual update, on explicit request.
+ */
+const notifier = updateNotifier({
+    pkg: { name: pkg.name, version: pkg.version },
+    updateCheckInterval: 1000 * 60 * 60 * 24, // once per day
+});
+notifier.notify({
+    message: '🛡️ {packageName} update: {currentVersion} → {latestVersion}\n' +
+        'Run `vibedefend update --self` to upgrade.',
+    defer: false, // print before commander dispatches, not after exit
+    isGlobal: true,
+});
+const program = new Command();
+program
+    .name('vibedefend')
+    .description('VibeDefend — install the CybeDefend MCP, set up Claude Code hooks, manage the business-rules workflow for AI coding agents.')
+    .version(pkg.version);
+program
+    .command('install')
+    .description('Interactive installer: pick a region, register the MCP, configure hooks for each detected agent.')
+    .action(async () => {
+    try {
+        await runInstall();
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        // Inquirer throws `ExitPromptError` when the user hits Ctrl-C. Treat
+        // that as a clean exit, not a crash.
+        if (message.includes('User force closed') || message.includes('SIGINT')) {
+            log.info('Installer cancelled by user.');
+            process.exit(130);
+        }
+        log.err(`Install failed: ${message}`);
+        process.exit(1);
+    }
+});
+program
+    .command('update')
+    .description('Re-run the installer to refresh hook scripts. With --self, also upgrade the @cybedefend/vibedefend binary first.')
+    .option('--self', 'Update the @cybedefend/vibedefend binary in place before refreshing hooks (npm/pnpm/yarn auto-detected).')
+    .option('--version-tag <tag>', 'Version to install when --self is used (default: latest).', 'latest')
+    .action(async (opts) => {
+    if (opts.self) {
+        log.step('Upgrading vibedefend binary');
+        const result = selfUpdate({ version: opts.versionTag });
+        log.hint(`Resolved from: ${result.resolvedFrom}`);
+        log.hint(`Install mode:  ${result.mode}`);
+        log.info(result.message);
+        if (result.attempted && result.exitCode !== 0) {
+            process.exit(1);
+        }
+        if (result.attempted && result.exitCode === 0) {
+            // The currently-running process is still the OLD binary. To pick up
+            // the new templates, the user re-runs `vibedefend update` (without
+            // --self). Don't re-exec automatically — terminal state + PATH
+            // resolution after a global install is fragile across managers
+            // (npm/pnpm/yarn each behave slightly differently).
+            log.ok('Binary upgraded.');
+            log.info('Re-run `vibedefend update` (without --self) to render hooks with the new templates.');
+            process.exit(0);
+        }
+        // Not attempted (npx-cache, project-local, unknown) — message
+        // already told the user what to do. Exit cleanly so we don't
+        // proceed to re-render against possibly-stale templates.
+        process.exit(0);
+    }
+    log.info('Re-running install flow (idempotent).');
+    await runInstall();
+});
+program
+    .command('login')
+    .description('Authenticate against the CybeDefend gateway using OAuth 2.0 Authorization Code + PKCE. ' +
+    'Opens your browser to the Logto sign-in page, receives the callback locally, ' +
+    'and stores the token bundle (access + refresh) in your OS keychain.')
+    .option('--force', 'Re-authenticate even if credentials are already stored.')
+    .action(async (opts) => {
+    try {
+        await runLoginCommand(opts);
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        if (message.includes('User force closed') || message.includes('SIGINT')) {
+            log.info('Login cancelled by user.');
+            process.exit(130);
+        }
+        log.err(`Login failed: ${message}`);
+        process.exit(1);
+    }
+});
+program
+    .command('status')
+    .description('Show the VibeDefend install state: region, agents, caches, and a live API check.')
+    .action(async () => {
+    await runStatus();
+});
+program
+    .command('doctor')
+    .description('Diagnose the VibeDefend install and repair what is fixable.')
+    .option('--yes', 'Apply all fixes without the confirmation prompt.')
+    .option('--check', 'Report problems only — apply nothing (dry-run).')
+    .action(async (opts) => {
+    await runDoctor(opts);
+});
+program.parseAsync(process.argv);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,cAAc,MAAM,iBAAiB,CAAC;AAE7C,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,EAAE,GAAG,EAAE,MAAM,YAAY,CAAC;AACjC,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAC;AAEnC;;;;;;;;;;;;;;;GAeG;AACH,MAAM,QAAQ,GAAG,cAAc,CAAC;IAC9B,GAAG,EAAE,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE;IAC7C,mBAAmB,EAAE,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,eAAe;CAC1D,CAAC,CAAC;AACH,QAAQ,CAAC,MAAM,CAAC;IACd,OAAO,EACL,gEAAgE;QAChE,4CAA4C;IAC9C,KAAK,EAAE,KAAK,EAAE,oDAAoD;IAClE,QAAQ,EAAE,IAAI;CACf,CAAC,CAAC;AAEH,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,YAAY,CAAC;KAClB,WAAW,CACV,6HAA6H,CAC9H;KACA,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AAExB,OAAO;KACJ,OAAO,CAAC,SAAS,CAAC;KAClB,WAAW,CACV,kGAAkG,CACnG;KACA,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,IAAI,CAAC;QACH,MAAM,UAAU,EAAE,CAAC;IACrB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,qEAAqE;QACrE,qCAAqC;QACrC,IAAI,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACxE,GAAG,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;YACzC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACpB,CAAC;QACD,GAAG,CAAC,GAAG,CAAC,mBAAmB,OAAO,EAAE,CAAC,CAAC;QACtC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CACV,kHAAkH,CACnH;KACA,MAAM,CACL,QAAQ,EACR,0GAA0G,CAC3G;KACA,MAAM,CACL,qBAAqB,EACrB,2DAA2D,EAC3D,QAAQ,CACT;KACA,MAAM,CACL,KAAK,EAAE,IAA6C,EAAE,EAAE;IACtD,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,GAAG,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;QACxC,MAAM,MAAM,GAAG,UAAU,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;QACxD,GAAG,CAAC,IAAI,CAAC,kBAAkB,MAAM,CAAC,YAAY,EAAE,CAAC,CAAC;QAClD,GAAG,CAAC,IAAI,CAAC,kBAAkB,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QAC1C,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAEzB,IAAI,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,QAAQ,KAAK,CAAC,EAAE,CAAC;YAC9C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,IAAI,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,QAAQ,KAAK,CAAC,EAAE,CAAC;YAC9C,oEAAoE;YACpE,mEAAmE;YACnE,+DAA+D;YAC/D,+DAA+D;YAC/D,oDAAoD;YACpD,GAAG,CAAC,EAAE,CAAC,kBAAkB,CAAC,CAAC;YAC3B,GAAG,CAAC,IAAI,CACN,qFAAqF,CACtF,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,8DAA8D;QAC9D,6DAA6D;QAC7D,yDAAyD;QACzD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,GAAG,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;IAClD,MAAM,UAAU,EAAE,CAAC;AACrB,CAAC,CACF,CAAC;AAEJ,OAAO;KACJ,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CACV,yFAAyF;IACzF,+EAA+E;IAC/E,qEAAqE,CACtE;KACA,MAAM,CAAC,SAAS,EAAE,yDAAyD,CAAC;KAC5E,MAAM,CAAC,KAAK,EAAE,IAAyB,EAAE,EAAE;IAC1C,IAAI,CAAC;QACH,MAAM,eAAe,CAAC,IAAI,CAAC,CAAC;IAC9B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,IAAI,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACxE,GAAG,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;YACrC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACpB,CAAC;QACD,GAAG,CAAC,GAAG,CAAC,iBAAiB,OAAO,EAAE,CAAC,CAAC;QACpC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CACV,kFAAkF,CACnF;KACA,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,MAAM,SAAS,EAAE,CAAC;AACpB,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,6DAA6D,CAAC;KAC1E,MAAM,CAAC,OAAO,EAAE,kDAAkD,CAAC;KACnE,MAAM,CAAC,SAAS,EAAE,iDAAiD,CAAC;KACpE,MAAM,CAAC,KAAK,EAAE,IAAwC,EAAE,EAAE;IACzD,MAAM,SAAS,CAAC,IAAI,CAAC,CAAC;AACxB,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC"}

package/dist/install.js

@@ -0,0 +1,183 @@
+import kleur from 'kleur';
+import { adapterFor } from './clients/registry.js';
+import { checkPlatformSupport } from './clients/claude-code.js';
+import { installHookRuntime } from './hooks/install.js';
+import { runLogin } from './login.js';
+import { hasStoredAuth } from './auth/auth.js';
+import { runInstallPrompts } from './prompts.js';
+import { stampInstalledVersion } from './self-update.js';
+import { detectPlatform, home, log } from './utils.js';
+import { pkg } from './version.js';
+/**
+ * Top-level installer.
+ *
+ * Flow:
+ *  1. Banner + platform sanity check (Windows hooks unsupported)
+ *  2. Region pick (Production EU / US)
+ *  3. Multi-select: which agents to wire hooks into?
+ *     - shows detection result + version for each
+ *     - pre-checks supported clients, disables too-old versions
+ *  4. Hook config (threshold, auto-propose)
+ *  5. For each selected adapter:
+ *     - (optional) registerMcp — only Claude Code currently
+ *     - writeSettings — drop hook entries into its config file
+ *  6. Write the universal hook scripts to ~/.cybedefend/hooks/
+ *     (one set serves all adapters)
+ *  7. Stamp ~/.cybedefend/version (auto-update plumbing)
+ *  8. Print next-steps footer
+ */
+export async function runInstall() {
+    banner();
+    const p = detectPlatform();
+    const platformSupport = checkPlatformSupport();
+    log.info(`Platform: ${kleur.bold(p)}`);
+    if (!platformSupport.hooksSupported) {
+        log.warn(platformSupport.reason ?? 'Hooks unsupported on this platform.');
+    }
+    const selection = await runInstallPrompts();
+    log.step('Region selected: ' + kleur.bold(selection.region.label));
+    log.hint(`MCP URL: ${selection.region.mcpUrl}`);
+    log.hint(`API base: ${selection.region.apiBase}`);
+    if (selection.selectedClients.length === 0) {
+        log.info('No agents selected. The MCP URL is printed above — add it to your client manually if needed. ' +
+            'The doctrine arrives via Server.instructions on every supported client.');
+        stampInstalledVersion(home, pkg.version);
+        printDoneFooter([], selection.region.mcpName);
+        return;
+    }
+    if (!selection.hooks) {
+        // Shouldn't happen — prompts guarantees hooks when selection > 0.
+        log.err('Hook config missing despite selected agents — aborting.');
+        process.exit(1);
+    }
+    // Install the Node-based hook runner ONCE — one bundled file serves
+    // every adapter. The runner reads runtime-config.json at every
+    // invocation, so re-running `vibedefend update` propagates new
+    // tunables (threshold, auto-propose, region) without re-rendering
+    // adapter settings files (they just point at the same runner path).
+    if (platformSupport.hooksSupported) {
+        log.step('Installing universal hook runner');
+        const { runnerPath, configPath } = installHookRuntime({
+            region: selection.region,
+            hooks: selection.hooks,
+            installedVersion: pkg.version,
+        });
+        log.ok(`Runner:  ${runnerPath}`);
+        log.hint(`Config:  ${configPath}`);
+    }
+    else {
+        log.warn('Skipping hook runner (platform not supported). MCP registration steps below still run.');
+    }
+    // Now wire each selected client's settings file. Adapters are
+    // responsible for their own idempotency + error handling.
+    const installedLabels = [];
+    for (const id of selection.selectedClients) {
+        const adapter = adapterFor(id);
+        log.step(`Wiring ${adapter.label}`);
+        if (adapter.registerMcp) {
+            adapter.registerMcp({ region: selection.region });
+        }
+        if (adapter.postRegister) {
+            adapter.postRegister({ region: selection.region });
+        }
+        if (platformSupport.hooksSupported) {
+            adapter.writeSettings({
+                // hookDir is now legacy — the new design uses a single
+                // `~/.cybedefend/hook-runner.js`. Adapters compose `node <path>
+                // <subcommand>` via `hookCommand(...)` and ignore this field.
+                hookDir: home('.cybedefend'),
+                enableSessionReview: selection.hooks.enableSessionReview,
+                region: selection.region,
+                hooks: selection.hooks,
+            });
+        }
+        installedLabels.push(adapter.label);
+    }
+    if (selection.hooks.autoProposeMode) {
+        log.warn('Auto-propose mode is ON — the agent will call cybe_rules_report_missing ' +
+            'without asking you first. You will still review proposals at the next session ' +
+            'start (Accept/Reject picker), but they land without a chat-side prompt.');
+    }
+    stampInstalledVersion(home, pkg.version);
+    log.hint(`Version stamp: ~/.cybedefend/version (v${pkg.version})`);
+    // Auto-login: if no VibeDefend OAuth bundle exists after hook wiring, run
+    // the login flow so the user is fully set up in one command. If login fails,
+    // log a warning and continue — the user can run `vibedefend login` later.
+    //
+    // We check `hasStoredAuth` (which validates OUR specific bundle shape:
+    // accessToken + refreshToken + expiresAt + logtoEndpoint + cliAppId +
+    // logtoResource) rather than the legacy `resolveToken` resolver. The legacy
+    // resolver also matches Codex CLI's own MCP credential (stored under the
+    // same keychain service `Codex MCP Credentials` but with a different account
+    // shape), which would falsely tell us "already configured" even though our
+    // hook can't actually use Codex's MCP-scoped JWT to call the gateway.
+    //
+    // Note for users who already have Codex set up: yes, you'll see the login
+    // flow once. Codex's MCP-scoped token has `aud: cybedefend-mcp` and limited
+    // Permify rights; vibedefend's runtime hook needs a USER token (`aud:
+    // cybedefend-api`) to call /effective-rules and friends. They are NOT
+    // interchangeable. After one Logto SSO consent (instant if your browser
+    // already has a session) the refresh_token persists for 14 days.
+    if (hasStoredAuth(selection.region.mcpName)) {
+        log.ok('VibeDefend credentials already present. Skipping login.');
+    }
+    else {
+        log.info('No VibeDefend credentials found. Running login flow...');
+        try {
+            await runLogin({
+                mcpName: selection.region.mcpName,
+                apiBase: selection.region.apiBase,
+                logtoEndpoint: selection.region.logtoEndpoint ??
+                    deriveLogtoEndpoint(selection.region.apiBase),
+            });
+        }
+        catch (e) {
+            const msg = e instanceof Error ? e.message : String(e);
+            log.warn(`Login skipped (${msg}). Run \`vibedefend login\` to authenticate.`);
+        }
+    }
+    printDoneFooter(installedLabels, selection.region.mcpName);
+}
+/**
+ * Derive the Logto OIDC endpoint from a gateway apiBase.
+ * Mirrors the logic in login.ts#deriveLogtoEndpointFromApiBase.
+ */
+function deriveLogtoEndpoint(apiBase) {
+    if (apiBase.includes('://api.')) {
+        return apiBase.replace('://api.', '://auth.');
+    }
+    if (apiBase.match(/\/\/api-[a-z]+\./)) {
+        return apiBase.replace('://api-', '://auth-');
+    }
+    return apiBase;
+}
+function banner() {
+    console.log();
+    console.log(kleur.bold().cyan('  VibeDefend  ') +
+        kleur.dim('— CybeDefend installer for AI coding agents'));
+    console.log(kleur.dim('  Sets up the MCP server, hooks, and project link.'));
+    console.log();
+}
+function printDoneFooter(installedLabels, mcpName) {
+    console.log();
+    log.ok('Install complete.');
+    console.log();
+    if (installedLabels.length > 0) {
+        console.log(kleur.bold('Installed hooks for: ') +
+            installedLabels.map((l) => kleur.green(l)).join(', '));
+        console.log();
+    }
+    console.log(kleur.bold('Next steps:'));
+    console.log(`  ${kleur.cyan('1.')} Open your IDE in your repo. First MCP tool call triggers OAuth (browser opens). ` +
+        `Tokens are cached in your OS keychain after that.`);
+    console.log(`  ${kleur.cyan('2.')} Drop a ${kleur.bold('.cybedefend/config.json')} at the repo root with the project UUID:`);
+    console.log(kleur.dim('       { "projectId": "<your-project-uuid>" }'));
+    console.log(`  ${kleur.cyan('3.')} Verify (Claude Code): ${kleur.dim('`claude mcp list`')} should show ${kleur.bold(mcpName)}.`);
+    console.log();
+    console.log(kleur.dim('  Tunables (set per-shell or per-project to override defaults):'));
+    console.log(kleur.dim('    CYBEDEFEND_REVIEW_THRESHOLD  — edits before the Stop hook fires'));
+    console.log(kleur.dim('    CYBEDEFEND_AUTO_PROPOSE      — 1 = auto, 0 = ask user'));
+    console.log(kleur.dim('    CYBEDEFEND_PROJECT_ID        — override .cybedefend/config.json'));
+    console.log();
+}
+//# sourceMappingURL=install.js.map

package/dist/install.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"install.js","sourceRoot":"","sources":["../src/install.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AACtC,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC/C,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AACzD,OAAO,EAAE,cAAc,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,YAAY,CAAC;AACvD,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAC;AAEnC;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU;IAC9B,MAAM,EAAE,CAAC;IAET,MAAM,CAAC,GAAG,cAAc,EAAE,CAAC;IAC3B,MAAM,eAAe,GAAG,oBAAoB,EAAE,CAAC;IAE/C,GAAG,CAAC,IAAI,CAAC,aAAa,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IACvC,IAAI,CAAC,eAAe,CAAC,cAAc,EAAE,CAAC;QACpC,GAAG,CAAC,IAAI,CAAC,eAAe,CAAC,MAAM,IAAI,qCAAqC,CAAC,CAAC;IAC5E,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,iBAAiB,EAAE,CAAC;IAE5C,GAAG,CAAC,IAAI,CAAC,mBAAmB,GAAG,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IACnE,GAAG,CAAC,IAAI,CAAC,YAAY,SAAS,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAChD,GAAG,CAAC,IAAI,CAAC,aAAa,SAAS,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;IAElD,IAAI,SAAS,CAAC,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3C,GAAG,CAAC,IAAI,CACN,+FAA+F;YAC7F,yEAAyE,CAC5E,CAAC;QACF,qBAAqB,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;QACzC,eAAe,CAAC,EAAE,EAAE,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC9C,OAAO;IACT,CAAC;IAED,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;QACrB,kEAAkE;QAClE,GAAG,CAAC,GAAG,CAAC,yDAAyD,CAAC,CAAC;QACnE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,oEAAoE;IACpE,+DAA+D;IAC/D,+DAA+D;IAC/D,kEAAkE;IAClE,oEAAoE;IACpE,IAAI,eAAe,CAAC,cAAc,EAAE,CAAC;QACnC,GAAG,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;QAC7C,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,GAAG,kBAAkB,CAAC;YACpD,MAAM,EAAE,SAAS,CAAC,MAAM;YACxB,KAAK,EAAE,SAAS,CAAC,KAAK;YACtB,gBAAgB,EAAE,GAAG,CAAC,OAAO;SAC9B,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,YAAY,UAAU,EAAE,CAAC,CAAC;QACjC,GAAG,CAAC,IAAI,CAAC,YAAY,UAAU,EAAE,CAAC,CAAC;IACrC,CAAC;SAAM,CAAC;QACN,GAAG,CAAC,IAAI,CACN,wFAAwF,CACzF,CAAC;IACJ,CAAC;IAED,8DAA8D;IAC9D,0DAA0D;IAC1D,MAAM,eAAe,GAAa,EAAE,CAAC;IACrC,KAAK,MAAM,EAAE,IAAI,SAAS,CAAC,eAAe,EAAE,CAAC;QAC3C,MAAM,OAAO,GAAG,UAAU,CAAC,EAAE,CAAC,CAAC;QAC/B,GAAG,CAAC,IAAI,CAAC,UAAU,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;QAEpC,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;YACxB,OAAO,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;QACpD,CAAC;QAED,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;YACzB,OAAO,CAAC,YAAY,CAAC,EAAE,MAAM,EAAE,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;QACrD,CAAC;QAED,IAAI,eAAe,CAAC,cAAc,EAAE,CAAC;YACnC,OAAO,CAAC,aAAa,CAAC;gBACpB,uDAAuD;gBACvD,gEAAgE;gBAChE,8DAA8D;gBAC9D,OAAO,EAAE,IAAI,CAAC,aAAa,CAAC;gBAC5B,mBAAmB,EAAE,SAAS,CAAC,KAAK,CAAC,mBAAmB;gBACxD,MAAM,EAAE,SAAS,CAAC,MAAM;gBACxB,KAAK,EAAE,SAAS,CAAC,KAAK;aACvB,CAAC,CAAC;QACL,CAAC;QACD,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACtC,CAAC;IAED,IAAI,SAAS,CAAC,KAAK,CAAC,eAAe,EAAE,CAAC;QACpC,GAAG,CAAC,IAAI,CACN,0EAA0E;YACxE,gFAAgF;YAChF,yEAAyE,CAC5E,CAAC;IACJ,CAAC;IAED,qBAAqB,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IACzC,GAAG,CAAC,IAAI,CAAC,0CAA0C,GAAG,CAAC,OAAO,GAAG,CAAC,CAAC;IAEnE,0EAA0E;IAC1E,6EAA6E;IAC7E,0EAA0E;IAC1E,EAAE;IACF,uEAAuE;IACvE,sEAAsE;IACtE,4EAA4E;IAC5E,yEAAyE;IACzE,6EAA6E;IAC7E,2EAA2E;IAC3E,sEAAsE;IACtE,EAAE;IACF,0EAA0E;IAC1E,4EAA4E;IAC5E,sEAAsE;IACtE,sEAAsE;IACtE,wEAAwE;IACxE,iEAAiE;IACjE,IAAI,aAAa,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5C,GAAG,CAAC,EAAE,CAAC,yDAAyD,CAAC,CAAC;IACpE,CAAC;SAAM,CAAC;QACN,GAAG,CAAC,IAAI,CAAC,wDAAwD,CAAC,CAAC;QACnE,IAAI,CAAC;YACH,MAAM,QAAQ,CAAC;gBACb,OAAO,EAAE,SAAS,CAAC,MAAM,CAAC,OAAO;gBACjC,OAAO,EAAE,SAAS,CAAC,MAAM,CAAC,OAAO;gBACjC,aAAa,EACV,SAAS,CAAC,MAAqC,CAAC,aAAa;oBAC9D,mBAAmB,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC;aAChD,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YACvD,GAAG,CAAC,IAAI,CAAC,kBAAkB,GAAG,8CAA8C,CAAC,CAAC;QAChF,CAAC;IACH,CAAC;IAED,eAAe,CAAC,eAAe,EAAE,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;AAC7D,CAAC;AAED;;;GAGG;AACH,SAAS,mBAAmB,CAAC,OAAe;IAC1C,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QAChC,OAAO,OAAO,CAAC,OAAO,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,OAAO,CAAC,KAAK,CAAC,kBAAkB,CAAC,EAAE,CAAC;QACtC,OAAO,OAAO,CAAC,OAAO,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,MAAM;IACb,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,gBAAgB,CAAC;QACjC,KAAK,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAC3D,CAAC;IACF,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,GAAG,CAAC,oDAAoD,CAAC,CAChE,CAAC;IACF,OAAO,CAAC,GAAG,EAAE,CAAC;AAChB,CAAC;AAED,SAAS,eAAe,CAAC,eAAyB,EAAE,OAAe;IACjE,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,GAAG,CAAC,EAAE,CAAC,mBAAmB,CAAC,CAAC;IAC5B,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,IAAI,CAAC,uBAAuB,CAAC;YACjC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CACxD,CAAC;QACF,OAAO,CAAC,GAAG,EAAE,CAAC;IAChB,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC;IACvC,OAAO,CAAC,GAAG,CACT,KAAK,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,mFAAmF;QACtG,mDAAmD,CACtD,CAAC;IACF,OAAO,CAAC,GAAG,CACT,KAAK,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,KAAK,CAAC,IAAI,CAAC,yBAAyB,CAAC,0CAA0C,CAChH,CAAC;IACF,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,+CAA+C,CAAC,CAAC,CAAC;IACxE,OAAO,CAAC,GAAG,CACT,KAAK,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,0BAA0B,KAAK,CAAC,GAAG,CAAC,mBAAmB,CAAC,gBAAgB,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CACpH,CAAC;IACF,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAC7E,CAAC;IACF,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,GAAG,CAAC,qEAAqE,CAAC,CACjF,CAAC;IACF,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,GAAG,CAAC,2DAA2D,CAAC,CACvE,CAAC;IACF,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,GAAG,CAAC,qEAAqE,CAAC,CACjF,CAAC;IACF,OAAO,CAAC,GAAG,EAAE,CAAC;AAChB,CAAC"}

package/dist/login.js

@@ -0,0 +1,335 @@
+/**
+ * `vibedefend login` — authenticate against CybeDefend via OAuth 2.0
+ * Authorization Code + PKCE (RFC 7636).
+ *
+ * Flow:
+ *  1. Fetch the CLI Logto app_id and API resource from GET /client-apps.
+ *  2. Generate a PKCE code_verifier / code_challenge pair (S256).
+ *  3. Start a local HTTP callback server on a random unprivileged port
+ *     (bound to 127.0.0.1 only).
+ *  4. Build the Logto /oidc/auth URL with all PKCE + OIDC params.
+ *  5. Open the user's default browser. Print fallback URL to terminal.
+ *  6. Wait up to 5 minutes for the browser callback (port/callback → code).
+ *  7. Exchange code + code_verifier for tokens at /oidc/token.
+ *  8. Store full bundle (access, refresh, id tokens + absolute expiry) in
+ *     the OS keychain (macOS) or ~/.cybedefend/auth.json with mode 0600
+ *     (Linux/Windows).
+ *  9. Pre-seed the guards cache for a warm first hook call.
+ * 10. Decode the id_token to extract the user email for the confirmation line.
+ *
+ * The --token <jwt> flag has been removed. Use `vibedefend login` interactively
+ * or obtain a token via the dashboard PAT flow (see PatUsageGuide).
+ */
+import { execFileSync } from 'node:child_process';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { existsSync, readFileSync } from 'node:fs';
+import kleur from 'kleur';
+import { resolveToken } from './hooks/runtime/resolve.js';
+import { log } from './utils.js';
+import { randomBase64url, pkceChallenge } from './auth/pkce.js';
+import { startCallbackServer } from './auth/callback-server.js';
+import { exchangeCodeForTokens } from './auth/token-exchange.js';
+import { storeAuth } from './auth/auth-store.js';
+/**
+ * Fetch the CLI OAuth client_id and API resource URL from the public
+ * GET /client-apps gateway endpoint.
+ *
+ * Falls back to `logtoResource` in runtime-config.json if the gateway
+ * response doesn't include it (older deployments).
+ */
+export async function fetchClientAppsConfig(apiBase, fetchImpl = globalThis.fetch) {
+    let res;
+    try {
+        res = await fetchImpl(`${apiBase}/client-apps`, {
+            method: 'GET',
+            signal: AbortSignal.timeout(10_000),
+        });
+    }
+    catch (e) {
+        throw new Error(`Could not reach the gateway at ${apiBase}: ${e.message}`);
+    }
+    if (!res.ok) {
+        throw new Error(`GET /client-apps failed: HTTP ${res.status}`);
+    }
+    const body = (await res.json());
+    const cli = body.cli;
+    const cliAppId = cli?.appId ?? '';
+    if (!cliAppId) {
+        throw new Error('GET /client-apps did not return cli.appId — ' +
+            'is this gateway version too old?');
+    }
+    // logtoResource at top level (extended gateway) or fall back to
+    // runtime-config.json.
+    const logtoResource = body.logtoResource ??
+        cli?.resource ??
+        loadLogtoResourceFromRuntimeConfig() ??
+        '';
+    if (!logtoResource) {
+        throw new Error('Could not determine the Logto API resource. ' +
+            'Add logtoResource to ~/.cybedefend/runtime-config.json or upgrade the gateway.');
+    }
+    return { cliAppId, logtoResource };
+}
+/** Read logtoResource from the runtime config, if present. */
+function loadLogtoResourceFromRuntimeConfig() {
+    const p = join(homedir(), '.cybedefend', 'runtime-config.json');
+    if (!existsSync(p))
+        return null;
+    try {
+        const cfg = JSON.parse(readFileSync(p, 'utf8'));
+        return cfg.logtoResource ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+// ─── Helpers ──────────────────────────────────────────────────────────────────
+/**
+ * Try to open a URL in the default browser. Best-effort — if `open` (macOS)
+ * or `xdg-open` (Linux) isn't available we just return false and the caller
+ * prints the fallback URL.
+ */
+export function openBrowser(url) {
+    const cmd = process.platform === 'darwin' ? 'open' : 'xdg-open';
+    try {
+        execFileSync(cmd, [url], { stdio: 'ignore', timeout: 3000 });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Reject a promise after `ms` milliseconds with a descriptive timeout error.
+ */
+function timeoutAfter(ms) {
+    return new Promise((_, reject) => setTimeout(() => reject(new Error(`Login timed out after ${ms / 60_000} minutes — no callback received.`)), ms));
+}
+/**
+ * Decode the `email` claim from an id_token JWT without verifying the
+ * signature (the token was just issued by Logto moments ago — verification
+ * is important in adversarial contexts, but here we only use it for the
+ * confirmation display line).
+ */
+export function decodeIdTokenEmail(idToken) {
+    try {
+        const parts = idToken.split('.');
+        if (parts.length < 2)
+            return 'unknown';
+        const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
+        return typeof payload.email === 'string' ? payload.email : 'unknown';
+    }
+    catch {
+        return 'unknown';
+    }
+}
+// ─── Guard cache seed ─────────────────────────────────────────────────────────
+/**
+ * Seed the guards cache immediately after login so the first tool call has
+ * a warm cache and doesn't show the UNVERIFIED banner.
+ */
+async function seedGuardsCache(apiBase, token, fetchImpl = globalThis.fetch) {
+    const projectId = resolveProjectIdForLogin();
+    if (!projectId)
+        return;
+    const { fetchEffectiveRulesFromGateway, makeGuardRulesCache } = await import('./hooks/runtime/guard-rules-cache.js');
+    const cache = makeGuardRulesCache({
+        fetchFn: (ctx) => fetchEffectiveRulesFromGateway(ctx, { fetchImpl }),
+    });
+    await cache.refreshIfStale({ projectId, token, apiBaseResolved: apiBase });
+}
+/** Read projectId from .cybedefend/config.json in CWD. */
+function resolveProjectIdForLogin() {
+    const configPath = join(process.cwd(), '.cybedefend', 'config.json');
+    if (!existsSync(configPath))
+        return null;
+    try {
+        const cfg = JSON.parse(readFileSync(configPath, 'utf8'));
+        return cfg.projectId ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+function loadRuntimeConfigForLogin() {
+    const configPath = join(homedir(), '.cybedefend', 'runtime-config.json');
+    if (!existsSync(configPath))
+        return null;
+    try {
+        const raw = readFileSync(configPath, 'utf8');
+        const cfg = JSON.parse(raw);
+        const region = cfg.region;
+        if (!region?.apiBase || !region?.mcpName)
+            return null;
+        return {
+            mcpName: region.mcpName,
+            apiBase: region.apiBase,
+            logtoEndpoint: region.logtoEndpoint ??
+                cfg.logtoEndpoint ??
+                undefined,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+// ─── Core login logic ─────────────────────────────────────────────────────────
+/**
+ * Perform the full OAuth PKCE login flow.
+ * Exported for testing and for the install chain.
+ */
+export async function runLogin(opts) {
+    const { mcpName, apiBase, logtoEndpoint, force, fetchImpl = globalThis.fetch, openBrowserFn = openBrowser, callbackServerFn = startCallbackServer, } = opts;
+    // 1. Already logged in?
+    const existingToken = resolveToken(mcpName);
+    if (existingToken && !force) {
+        log.warn('Already logged in. Use `vibedefend login --force` to re-authenticate.');
+        return { email: 'unknown' };
+    }
+    // 2. Fetch CLI client_id and logtoResource from gateway.
+    const { cliAppId, logtoResource } = await fetchClientAppsConfig(apiBase, fetchImpl);
+    // 3. PKCE pair.
+    const codeVerifier = randomBase64url(64);
+    const codeChallenge = pkceChallenge(codeVerifier);
+    const state = randomBase64url(16);
+    // 4. Start local callback server.
+    const { port, codePromise, stopServer } = await callbackServerFn(state);
+    const redirectUri = `http://localhost:${port}/callback`;
+    // 5. Build auth URL.
+    const authUrl = `${logtoEndpoint}/oidc/auth?` +
+        new URLSearchParams({
+            client_id: cliAppId,
+            response_type: 'code',
+            scope: 'openid profile email offline_access',
+            // prompt=consent forces Logto to surface the consent screen on EVERY
+            // `vibedefend login` and — crucially — to actually issue a refresh_token.
+            // Without it, Logto silently SSOs from any pre-existing browser session,
+            // skips the offline_access consent step, and omits refresh_token from the
+            // /oidc/token response. The user then can't refresh and has to re-login
+            // every time the access_token expires. Showing the consent screen once
+            // per explicit login (the user typed `vibedefend login`, they expect it)
+            // is the right trade-off.
+            prompt: 'consent',
+            resource: logtoResource,
+            redirect_uri: redirectUri,
+            code_challenge: codeChallenge,
+            code_challenge_method: 'S256',
+            state,
+        }).toString();
+    // 6. Open browser.
+    console.log();
+    console.log(kleur.bold('VibeDefend Login') + kleur.dim(' — sign in via your browser'));
+    console.log();
+    const opened = openBrowserFn(authUrl);
+    if (!opened) {
+        console.log(kleur.yellow('  Could not open the browser automatically.'));
+        console.log(`  Please open this URL manually:\n  ${kleur.cyan(authUrl)}`);
+    }
+    else {
+        console.log(kleur.dim('  If your browser did not open, visit:'));
+        console.log(`  ${kleur.cyan(authUrl)}`);
+    }
+    console.log();
+    console.log(kleur.dim('  Waiting for you to sign in...'));
+    // 7. Wait for callback (5 min timeout).
+    let code;
+    try {
+        code = await Promise.race([codePromise, timeoutAfter(5 * 60 * 1000)]);
+    }
+    finally {
+        await stopServer();
+    }
+    // 8. Exchange code + code_verifier for tokens.
+    const tokens = await exchangeCodeForTokens({
+        logtoEndpoint,
+        clientId: cliAppId,
+        code,
+        codeVerifier,
+        redirectUri,
+        resource: logtoResource,
+        fetchImpl,
+    });
+    // 9. Compute absolute expiry epoch ms (30s safety margin).
+    const expiresAt = Date.now() + (tokens.expires_in - 30) * 1000;
+    // 10. Store everything.
+    const authBundle = {
+        accessToken: tokens.access_token,
+        refreshToken: tokens.refresh_token,
+        idToken: tokens.id_token,
+        expiresAt,
+        logtoEndpoint,
+        cliAppId,
+        logtoResource,
+    };
+    storeAuth(mcpName, authBundle);
+    // 11. Pre-seed the guards cache (best-effort).
+    try {
+        await seedGuardsCache(apiBase, tokens.access_token, fetchImpl);
+        log.hint('Rules cache seeded — Action Guards are ready.');
+    }
+    catch {
+        // Non-fatal.
+    }
+    // 12. Confirm.
+    const email = decodeIdTokenEmail(tokens.id_token);
+    log.ok(`Logged in as ${kleur.bold(email)}`);
+    return { email };
+}
+// ─── CLI entry point ──────────────────────────────────────────────────────────
+/**
+ * Top-level entry point called by the `vibedefend login` commander action.
+ * Loads the region config from ~/.cybedefend/runtime-config.json and
+ * delegates to `runLogin`.
+ */
+export async function runLoginCommand(opts) {
+    const regionCfg = loadRuntimeConfigForLogin();
+    if (!regionCfg) {
+        log.err('VibeDefend is not installed yet. Run `vibedefend install` first.');
+        process.exit(1);
+    }
+    const logtoEndpoint = regionCfg.logtoEndpoint ??
+        deriveLogtoEndpointFromApiBase(regionCfg.apiBase);
+    try {
+        await runLogin({
+            mcpName: regionCfg.mcpName,
+            apiBase: regionCfg.apiBase,
+            logtoEndpoint,
+            force: opts.force,
+        });
+    }
+    catch (e) {
+        const message = e instanceof Error ? e.message : String(e);
+        log.err(message);
+        process.exit(1);
+    }
+    // Belt-and-suspenders: even after stopServer + closeAllConnections, some
+    // dependency (axios keep-alive agent, Logto fetch handle, OS DNS resolver)
+    // may keep a stray handle alive briefly. The standalone `vibedefend login`
+    // CLI command is finished here — explicit exit guarantees the user gets
+    // their prompt back immediately.
+    process.exit(0);
+}
+/**
+ * Derive the Logto OIDC endpoint from the gateway apiBase when not explicitly
+ * configured. Convention: api.cybedefend.com → auth.cybedefend.com.
+ * Local dev: localhost:3000 → localhost:3003.
+ */
+function deriveLogtoEndpointFromApiBase(apiBase) {
+    // Production: https://api.cybedefend.com → https://auth.cybedefend.com
+    if (apiBase.includes('://api.')) {
+        return apiBase.replace('://api.', '://auth.');
+    }
+    // Regional: https://api-us.cybedefend.com → https://auth-us.cybedefend.com
+    if (apiBase.match(/\/\/api-[a-z]+\./)) {
+        return apiBase.replace('://api-', '://auth-');
+    }
+    // Local dev: http://localhost:3000 (gateway) → http://localhost:3003 (Logto).
+    if (apiBase.includes('localhost')) {
+        return apiBase.replace(':3000', ':3003');
+    }
+    // Fallback: assume Logto is at the same host (won't work but at least
+    // gives a deterministic URL for the error message).
+    return apiBase;
+}
+//# sourceMappingURL=login.js.map