@doow/cli 0.1.0

package/dist/cjs/auth/keyring.js

@@ -0,0 +1,118 @@
+'use strict';
+
+var store = require('../config/store.js');
+
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+const SERVICE_NAME = 'doow-cli';
+const PROBE_TIMEOUT_MS = 3_000;
+const OP_TIMEOUT_MS = 3_000;
+// Module-level flag — only warn once per process lifetime.
+let hasPrintedFallbackWarning = false;
+// ---------------------------------------------------------------------------
+// Timeout helper
+// ---------------------------------------------------------------------------
+/**
+ * Races `promise` against a rejection that fires after `ms` milliseconds.
+ * Avoids AbortSignal.timeout which requires Node >=17.3.
+ */
+function withTimeout(promise, ms) {
+    return Promise.race([
+        promise,
+        new Promise((_, reject) => setTimeout(() => reject(new Error(`Operation timed out after ${ms}ms`)), ms)),
+    ]);
+}
+// ---------------------------------------------------------------------------
+// One-time fallback warning
+// ---------------------------------------------------------------------------
+function printFallbackWarning() {
+    if (hasPrintedFallbackWarning)
+        return;
+    hasPrintedFallbackWarning = true;
+    process.stderr.write('⚠ System keyring unavailable — credentials stored in ~/.doow/credentials.json (chmod 0600)\n');
+}
+// ---------------------------------------------------------------------------
+// File-backed store (wraps S118 store.ts functions)
+// ---------------------------------------------------------------------------
+function createFileStore() {
+    return {
+        async get(profileName) {
+            return store.getProfileCredentials(profileName);
+        },
+        async set(profileName, creds) {
+            return store.setProfileCredentials(profileName, creds);
+        },
+        async clear(profileName) {
+            return store.clearProfileCredentials(profileName);
+        },
+        backend() {
+            return 'file';
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// Keyring-backed store
+// ---------------------------------------------------------------------------
+function createKeyringStore(keytar) {
+    return {
+        async get(profileName) {
+            try {
+                const raw = await withTimeout(keytar.getPassword(SERVICE_NAME, profileName), OP_TIMEOUT_MS);
+                if (raw == null)
+                    return undefined;
+                return JSON.parse(raw);
+            }
+            catch {
+                return undefined;
+            }
+        },
+        async set(profileName, creds) {
+            await withTimeout(keytar.setPassword(SERVICE_NAME, profileName, JSON.stringify(creds)), OP_TIMEOUT_MS);
+        },
+        async clear(profileName) {
+            await withTimeout(keytar.deletePassword(SERVICE_NAME, profileName), OP_TIMEOUT_MS);
+        },
+        backend() {
+            return 'keyring';
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// Factory
+// ---------------------------------------------------------------------------
+/**
+ * Creates a CredentialStore backed by the system keyring when available,
+ * falling back to file storage silently when keytar is not installed or
+ * the system keyring does not respond within 3 seconds.
+ *
+ * Call this once at startup and reuse the returned instance.
+ */
+async function createCredentialStore() {
+    // Step 1: Try loading keytar (optional peer dependency).
+    let keytar;
+    try {
+        // Dynamic import so missing keytar never crashes the module at load time.
+        // @ts-expect-error — keytar is an optional peer dep and may not be installed.
+        const mod = await import('keytar');
+        // Support both default-export and named-export module shapes.
+        keytar = (mod.default ?? mod);
+    }
+    catch {
+        // keytar not installed — silent, no warning needed (not an error condition).
+        return createFileStore();
+    }
+    // Step 2: Probe the keyring with a 3s timeout to confirm it's responsive.
+    try {
+        await withTimeout(keytar.findPassword(SERVICE_NAME), PROBE_TIMEOUT_MS);
+    }
+    catch {
+        printFallbackWarning();
+        return createFileStore();
+    }
+    // Step 3: Keyring is available and responsive — use it.
+    return createKeyringStore(keytar);
+}
+
+exports.createCredentialStore = createCredentialStore;
+//# sourceMappingURL=keyring.js.map

package/dist/cjs/auth/keyring.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keyring.js","sources":["../../../../src/auth/keyring.ts"],"sourcesContent":[null],"names":["getProfileCredentials","setProfileCredentials","clearProfileCredentials"],"mappings":";;;;AA6BA;AACA;AACA;AAEA,MAAM,YAAY,GAAG,UAAU;AAC/B,MAAM,gBAAgB,GAAG,KAAK;AAC9B,MAAM,aAAa,GAAG,KAAK;AAE3B;AACA,IAAI,yBAAyB,GAAG,KAAK;AAErC;AACA;AACA;AAEA;;;AAGG;AACH,SAAS,WAAW,CAAI,OAAmB,EAAE,EAAU,EAAA;IACrD,OAAO,OAAO,CAAC,IAAI,CAAC;QAClB,OAAO;QACP,IAAI,OAAO,CAAI,CAAC,CAAC,EAAE,MAAM,KACvB,UAAU,CAAC,MAAM,MAAM,CAAC,IAAI,KAAK,CAAC,CAAA,0BAAA,EAA6B,EAAE,CAAA,EAAA,CAAI,CAAC,CAAC,EAAE,EAAE,CAAC,CAC7E;AACF,KAAA,CAAC;AACJ;AAEA;AACA;AACA;AAEA,SAAS,oBAAoB,GAAA;AAC3B,IAAA,IAAI,yBAAyB;QAAE;IAC/B,yBAAyB,GAAG,IAAI;AAChC,IAAA,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,8FAA8F,CAC/F;AACH;AAEA;AACA;AACA;AAEA,SAAS,eAAe,GAAA;IACtB,OAAO;QACL,MAAM,GAAG,CAAC,WAAmB,EAAA;AAC3B,YAAA,OAAOA,2BAAqB,CAAC,WAAW,CAAC;QAC3C,CAAC;AAED,QAAA,MAAM,GAAG,CAAC,WAAmB,EAAE,KAAyB,EAAA;AACtD,YAAA,OAAOC,2BAAqB,CAAC,WAAW,EAAE,KAAK,CAAC;QAClD,CAAC;QAED,MAAM,KAAK,CAAC,WAAmB,EAAA;AAC7B,YAAA,OAAOC,6BAAuB,CAAC,WAAW,CAAC;QAC7C,CAAC;QAED,OAAO,GAAA;AACL,YAAA,OAAO,MAAM;QACf,CAAC;KACF;AACH;AAEA;AACA;AACA;AAEA,SAAS,kBAAkB,CAAC,MAAc,EAAA;IACxC,OAAO;QACL,MAAM,GAAG,CAAC,WAAmB,EAAA;AAC3B,YAAA,IAAI;AACF,gBAAA,MAAM,GAAG,GAAG,MAAM,WAAW,CAC3B,MAAM,CAAC,WAAW,CAAC,YAAY,EAAE,WAAW,CAAC,EAC7C,aAAa,CACd;gBACD,IAAI,GAAG,IAAI,IAAI;AAAE,oBAAA,OAAO,SAAS;AACjC,gBAAA,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAuB;YAC9C;AAAE,YAAA,MAAM;AACN,gBAAA,OAAO,SAAS;YAClB;QACF,CAAC;AAED,QAAA,MAAM,GAAG,CAAC,WAAmB,EAAE,KAAyB,EAAA;YACtD,MAAM,WAAW,CACf,MAAM,CAAC,WAAW,CAAC,YAAY,EAAE,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EACpE,aAAa,CACd;QACH,CAAC;QAED,MAAM,KAAK,CAAC,WAAmB,EAAA;AAC7B,YAAA,MAAM,WAAW,CAAC,MAAM,CAAC,cAAc,CAAC,YAAY,EAAE,WAAW,CAAC,EAAE,aAAa,CAAC;QACpF,CAAC;QAED,OAAO,GAAA;AACL,YAAA,OAAO,SAAS;QAClB,CAAC;KACF;AACH;AAEA;AACA;AACA;AAEA;;;;;;AAMG;AACI,eAAe,qBAAqB,GAAA;;AAEzC,IAAA,IAAI,MAAc;AAClB,IAAA,IAAI;;;AAGF,QAAA,MAAM,GAAG,GAAG,MAAM,OAAO,QAAQ,CAAC;;QAElC,MAAM,IAAI,GAAG,CAAC,OAAO,IAAI,GAAG,CAAW;IACzC;AAAE,IAAA,MAAM;;QAEN,OAAO,eAAe,EAAE;IAC1B;;AAGA,IAAA,IAAI;QACF,MAAM,WAAW,CAAC,MAAM,CAAC,YAAY,CAAC,YAAY,CAAC,EAAE,gBAAgB,CAAC;IACxE;AAAE,IAAA,MAAM;AACN,QAAA,oBAAoB,EAAE;QACtB,OAAO,eAAe,EAAE;IAC1B;;AAGA,IAAA,OAAO,kBAAkB,CAAC,MAAM,CAAC;AACnC;;;;"}

package/dist/cjs/auth/pkce.js

@@ -0,0 +1,243 @@
+'use strict';
+
+var http = require('node:http');
+var crypto = require('node:crypto');
+var env = require('../config/env.js');
+var store = require('../config/store.js');
+var keyring = require('./keyring.js');
+
+function _interopNamespaceDefault(e) {
+    var n = Object.create(null);
+    if (e) {
+        Object.keys(e).forEach(function (k) {
+            if (k !== 'default') {
+                var d = Object.getOwnPropertyDescriptor(e, k);
+                Object.defineProperty(n, k, d.get ? d : {
+                    enumerable: true,
+                    get: function () { return e[k]; }
+                });
+            }
+        });
+    }
+    n.default = e;
+    return Object.freeze(n);
+}
+
+var http__namespace = /*#__PURE__*/_interopNamespaceDefault(http);
+var crypto__namespace = /*#__PURE__*/_interopNamespaceDefault(crypto);
+
+/**
+ * pkce.ts
+ *
+ * OAuth 2.0 PKCE (RFC 7636) interactive login flow for the Doow CLI.
+ *
+ * Steps:
+ *  1. Generate PKCE code_verifier + code_challenge
+ *  2. Generate CSRF state token
+ *  3. Start a localhost HTTP server on a random port
+ *  4. Open browser to the authorize URL
+ *  5. Wait for the OAuth callback (120 s default timeout)
+ *  6. Exchange authorization code for tokens
+ *  7. Store tokens via CredentialStore
+ *  8. Close server and return result
+ */
+// ---------------------------------------------------------------------------
+// HTML responses
+// ---------------------------------------------------------------------------
+const SUCCESS_HTML = `<!DOCTYPE html><html><body style="font-family:system-ui;text-align:center;padding:40px">
+<h2>Logged in to Doow</h2><p>You can close this tab.</p>
+</body></html>`;
+const ERROR_HTML = `<!DOCTYPE html><html><body style="font-family:system-ui;text-align:center;padding:40px">
+<h2>Login failed</h2><p>CSRF state mismatch. Please try again.</p>
+</body></html>`;
+// ---------------------------------------------------------------------------
+// PKCE helpers
+// ---------------------------------------------------------------------------
+/**
+ * Generates a PKCE code_verifier and code_challenge pair.
+ * - code_verifier: 32 random bytes, base64url-encoded (43 chars)
+ * - code_challenge: SHA-256 of verifier, base64url-encoded
+ */
+function generatePkcePair() {
+    const verifierBytes = crypto__namespace.randomBytes(32);
+    const codeVerifier = verifierBytes
+        .toString('base64')
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=/g, '');
+    const challengeBytes = crypto__namespace.createHash('sha256').update(codeVerifier).digest();
+    const codeChallenge = challengeBytes
+        .toString('base64')
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=/g, '');
+    return { codeVerifier, codeChallenge };
+}
+/**
+ * Generates a random CSRF state token (32 bytes, base64url).
+ */
+function generateState() {
+    return crypto__namespace
+        .randomBytes(32)
+        .toString('base64')
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=/g, '');
+}
+/**
+ * Starts a localhost HTTP server on a random port and waits for the OAuth
+ * callback. Resolves with { code, state } on success.
+ * Rejects if the CSRF state doesn't match.
+ */
+function startCallbackServer(expectedState, timeoutMs) {
+    return new Promise((resolveServer, rejectServer) => {
+        const server = http__namespace.createServer();
+        const callbackPromise = new Promise((resolveCallback, rejectCallback) => {
+            let timeoutHandle;
+            // Set the timeout for the callback wait — server.close() is handled
+            // by the finally block in executePkceFlow, not here.
+            timeoutHandle = setTimeout(() => {
+                rejectCallback(new Error('Login timed out after 120 seconds. Try doow login --device for headless environments.'));
+            }, timeoutMs);
+            server.on('request', (req, res) => {
+                // Only handle /callback path
+                if (!req.url?.startsWith('/callback')) {
+                    res.writeHead(404);
+                    res.end('Not found');
+                    return;
+                }
+                const url = new URL(req.url, 'http://127.0.0.1');
+                const code = url.searchParams.get('code');
+                const state = url.searchParams.get('state');
+                const errorParam = url.searchParams.get('error');
+                // Handle OAuth error from server
+                if (errorParam) {
+                    clearTimeout(timeoutHandle);
+                    res.writeHead(400, { 'Content-Type': 'text/html' });
+                    res.end(ERROR_HTML);
+                    rejectCallback(new Error(`Authorization failed: ${errorParam}`));
+                    return;
+                }
+                // Validate required params
+                if (!code || !state) {
+                    res.writeHead(400, { 'Content-Type': 'text/html' });
+                    res.end(ERROR_HTML);
+                    return;
+                }
+                // CSRF state validation
+                if (state !== expectedState) {
+                    clearTimeout(timeoutHandle);
+                    res.writeHead(400, { 'Content-Type': 'text/html' });
+                    res.end(ERROR_HTML);
+                    rejectCallback(new Error('CSRF state mismatch — possible attack. Try again.'));
+                    return;
+                }
+                // Success
+                clearTimeout(timeoutHandle);
+                res.writeHead(200, { 'Content-Type': 'text/html' });
+                res.end(SUCCESS_HTML);
+                resolveCallback({ code, state });
+            });
+        });
+        server.on('error', (err) => {
+            rejectServer(new Error(`Failed to start local callback server: ${err.message}. Try doow login --device for headless environments.`));
+        });
+        // Bind to port 0 — OS assigns a random available port
+        server.listen(0, '127.0.0.1', () => {
+            const addr = server.address();
+            if (!addr || typeof addr === 'string') {
+                server.close();
+                rejectServer(new Error('Failed to determine callback server port. Try doow login --device for headless environments.'));
+                return;
+            }
+            resolveServer({ server, port: addr.port, callbackPromise });
+        });
+    });
+}
+// ---------------------------------------------------------------------------
+// Token exchange
+// ---------------------------------------------------------------------------
+async function exchangeCodeForTokens(apiUrl, code, codeVerifier, state) {
+    const response = await fetch(`${apiUrl}/v1/auth/cli/token`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+            grant_type: 'authorization_code',
+            code,
+            code_verifier: codeVerifier,
+            state,
+        }),
+    });
+    if (!response.ok) {
+        const body = await response.text().catch(() => '(no body)');
+        throw new Error(`Token exchange failed: HTTP ${response.status} — ${body}`);
+    }
+    return response.json();
+}
+// ---------------------------------------------------------------------------
+// Main flow
+// ---------------------------------------------------------------------------
+/**
+ * Executes the full PKCE browser-based OAuth 2.0 login flow.
+ *
+ * Opens the system browser to the Doow authorize endpoint, waits for the
+ * localhost callback, exchanges the authorization code for tokens, and
+ * persists the tokens via the credential store.
+ */
+async function executePkceFlow(options = {}) {
+    // Resolve options
+    const profile = await store.getActiveProfile();
+    const apiUrl = options.apiUrl ?? env.getApiUrl(profile);
+    const profileName = options.profileName ?? profile.name;
+    const credentialStore = options.credentialStore ?? (await keyring.createCredentialStore());
+    const timeout = options.timeout ?? 120_000;
+    // Step 1 & 2: Generate PKCE pair and CSRF state
+    const { codeVerifier, codeChallenge } = generatePkcePair();
+    const state = generateState();
+    // Step 3: Start callback server
+    const { server, port, callbackPromise } = await startCallbackServer(state, timeout);
+    try {
+        // Step 4: Build authorize URL
+        const redirectUri = `http://127.0.0.1:${port}/callback`;
+        const authorizeUrl = `${apiUrl}/v1/auth/cli/authorize` +
+            `?response_type=code` +
+            `&code_challenge=${codeChallenge}` +
+            `&code_challenge_method=S256` +
+            `&state=${state}` +
+            `&redirect_uri=${encodeURIComponent(redirectUri)}`;
+        // Step 5: Open browser
+        try {
+            const { default: open } = await import('open');
+            await open(authorizeUrl);
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            throw new Error(`Failed to open browser: ${msg}. Try doow login --device for headless environments.`);
+        }
+        // Step 6: Wait for callback
+        const { code } = await callbackPromise;
+        // Step 7: Exchange code for tokens
+        const tokenResponse = await exchangeCodeForTokens(apiUrl, code, codeVerifier, state);
+        // Step 8: Store tokens
+        const expiresAt = new Date(Date.now() + tokenResponse.expires_in * 1000).toISOString();
+        const result = {
+            accessToken: tokenResponse.access_token,
+            refreshToken: tokenResponse.refresh_token,
+            expiresAt,
+        };
+        await credentialStore.set(profileName, {
+            accessToken: result.accessToken,
+            refreshToken: result.refreshToken,
+            expiresAt: result.expiresAt,
+        });
+        return result;
+    }
+    finally {
+        // Always close the server — success, error, or timeout
+        server.close();
+    }
+}
+
+exports.executePkceFlow = executePkceFlow;
+exports.generatePkcePair = generatePkcePair;
+//# sourceMappingURL=pkce.js.map

package/dist/cjs/auth/pkce.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.js","sources":["../../../../src/auth/pkce.ts"],"sourcesContent":[null],"names":["crypto","http","getActiveProfile","getApiUrl","createCredentialStore"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;AAcG;AAiCH;AACA;AACA;AAEA,MAAM,YAAY,GAAG,CAAA;;eAEN;AAEf,MAAM,UAAU,GAAG,CAAA;;eAEJ;AAEf;AACA;AACA;AAEA;;;;AAIG;SACa,gBAAgB,GAAA;IAC9B,MAAM,aAAa,GAAGA,iBAAM,CAAC,WAAW,CAAC,EAAE,CAAC;IAC5C,MAAM,YAAY,GAAG;SAClB,QAAQ,CAAC,QAAQ;AACjB,SAAA,OAAO,CAAC,KAAK,EAAE,GAAG;AAClB,SAAA,OAAO,CAAC,KAAK,EAAE,GAAG;AAClB,SAAA,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;AAEpB,IAAA,MAAM,cAAc,GAAGA,iBAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,EAAE;IAChF,MAAM,aAAa,GAAG;SACnB,QAAQ,CAAC,QAAQ;AACjB,SAAA,OAAO,CAAC,KAAK,EAAE,GAAG;AAClB,SAAA,OAAO,CAAC,KAAK,EAAE,GAAG;AAClB,SAAA,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;AAEpB,IAAA,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE;AACxC;AAEA;;AAEG;AACH,SAAS,aAAa,GAAA;AACpB,IAAA,OAAOA;SACJ,WAAW,CAAC,EAAE;SACd,QAAQ,CAAC,QAAQ;AACjB,SAAA,OAAO,CAAC,KAAK,EAAE,GAAG;AAClB,SAAA,OAAO,CAAC,KAAK,EAAE,GAAG;AAClB,SAAA,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;AACtB;AAWA;;;;AAIG;AACH,SAAS,mBAAmB,CAC1B,aAAqB,EACrB,SAAiB,EAAA;IAEjB,OAAO,IAAI,OAAO,CAAC,CAAC,aAAa,EAAE,YAAY,KAAI;AACjD,QAAA,MAAM,MAAM,GAAGC,eAAI,CAAC,YAAY,EAAE;QAElC,MAAM,eAAe,GAAG,IAAI,OAAO,CAAiB,CAAC,eAAe,EAAE,cAAc,KAAI;AACtF,YAAA,IAAI,aAAwD;;;AAI5D,YAAA,aAAa,GAAG,UAAU,CAAC,MAAK;AAC9B,gBAAA,cAAc,CACZ,IAAI,KAAK,CACP,uFAAuF,CACxF,CACF;YACH,CAAC,EAAE,SAAS,CAAC;YAEb,MAAM,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,GAAG,EAAE,GAAG,KAAI;;gBAEhC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,WAAW,CAAC,EAAE;AACrC,oBAAA,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;AAClB,oBAAA,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC;oBACpB;gBACF;gBAEA,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,kBAAkB,CAAC;gBAChD,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC;gBACzC,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC;gBAC3C,MAAM,UAAU,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC;;gBAGhD,IAAI,UAAU,EAAE;oBACd,YAAY,CAAC,aAAa,CAAC;oBAC3B,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC;AACnD,oBAAA,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC;oBACnB,cAAc,CAAC,IAAI,KAAK,CAAC,yBAAyB,UAAU,CAAA,CAAE,CAAC,CAAC;oBAChE;gBACF;;AAGA,gBAAA,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE;oBACnB,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC;AACnD,oBAAA,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC;oBACnB;gBACF;;AAGA,gBAAA,IAAI,KAAK,KAAK,aAAa,EAAE;oBAC3B,YAAY,CAAC,aAAa,CAAC;oBAC3B,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC;AACnD,oBAAA,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC;AACnB,oBAAA,cAAc,CAAC,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;oBAC9E;gBACF;;gBAGA,YAAY,CAAC,aAAa,CAAC;gBAC3B,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC;AACnD,gBAAA,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC;AACrB,gBAAA,eAAe,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;AAClC,YAAA,CAAC,CAAC;AACJ,QAAA,CAAC,CAAC;QAEF,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,KAAI;YACzB,YAAY,CACV,IAAI,KAAK,CACP,CAAA,uCAAA,EAA0C,GAAG,CAAC,OAAO,CAAA,oDAAA,CAAsD,CAC5G,CACF;AACH,QAAA,CAAC,CAAC;;QAGF,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,MAAK;AACjC,YAAA,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAE;YAC7B,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE;gBACrC,MAAM,CAAC,KAAK,EAAE;AACd,gBAAA,YAAY,CACV,IAAI,KAAK,CACP,8FAA8F,CAC/F,CACF;gBACD;YACF;AACA,YAAA,aAAa,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,eAAe,EAAE,CAAC;AAC7D,QAAA,CAAC,CAAC;AACJ,IAAA,CAAC,CAAC;AACJ;AAEA;AACA;AACA;AAEA,eAAe,qBAAqB,CAClC,MAAc,EACd,IAAY,EACZ,YAAoB,EACpB,KAAa,EAAA;IAEb,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,CAAA,EAAG,MAAM,oBAAoB,EAAE;AAC1D,QAAA,MAAM,EAAE,MAAM;AACd,QAAA,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;AAC/C,QAAA,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;AACnB,YAAA,UAAU,EAAE,oBAAoB;YAChC,IAAI;AACJ,YAAA,aAAa,EAAE,YAAY;YAC3B,KAAK;SACN,CAAC;AACH,KAAA,CAAC;AAEF,IAAA,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;AAChB,QAAA,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,MAAM,WAAW,CAAC;QAC3D,MAAM,IAAI,KAAK,CAAC,CAAA,4BAAA,EAA+B,QAAQ,CAAC,MAAM,CAAA,GAAA,EAAM,IAAI,CAAA,CAAE,CAAC;IAC7E;AAEA,IAAA,OAAO,QAAQ,CAAC,IAAI,EAA4B;AAClD;AAEA;AACA;AACA;AAEA;;;;;;AAMG;AACI,eAAe,eAAe,CAAC,UAA2B,EAAE,EAAA;;AAEjE,IAAA,MAAM,OAAO,GAAG,MAAMC,sBAAgB,EAAE;IACxC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAIC,aAAS,CAAC,OAAO,CAAC;IACnD,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,IAAI;IACvD,MAAM,eAAe,GAAG,OAAO,CAAC,eAAe,KAAK,MAAMC,6BAAqB,EAAE,CAAC;AAClF,IAAA,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,OAAO;;IAG1C,MAAM,EAAE,YAAY,EAAE,aAAa,EAAE,GAAG,gBAAgB,EAAE;AAC1D,IAAA,MAAM,KAAK,GAAG,aAAa,EAAE;;AAG7B,IAAA,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,eAAe,EAAE,GAAG,MAAM,mBAAmB,CAAC,KAAK,EAAE,OAAO,CAAC;AAEnF,IAAA,IAAI;;AAEF,QAAA,MAAM,WAAW,GAAG,CAAA,iBAAA,EAAoB,IAAI,WAAW;AACvD,QAAA,MAAM,YAAY,GAChB,CAAA,EAAG,MAAM,CAAA,sBAAA,CAAwB;YACjC,CAAA,mBAAA,CAAqB;AACrB,YAAA,CAAA,gBAAA,EAAmB,aAAa,CAAA,CAAE;YAClC,CAAA,2BAAA,CAA6B;AAC7B,YAAA,CAAA,OAAA,EAAU,KAAK,CAAA,CAAE;AACjB,YAAA,CAAA,cAAA,EAAiB,kBAAkB,CAAC,WAAW,CAAC,EAAE;;AAGpD,QAAA,IAAI;YACF,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,MAAM,OAAO,MAAM,CAAC;AAC9C,YAAA,MAAM,IAAI,CAAC,YAAY,CAAC;QAC1B;QAAE,OAAO,GAAG,EAAE;AACZ,YAAA,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,GAAG,GAAG,CAAC,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC;AAC5D,YAAA,MAAM,IAAI,KAAK,CACb,2BAA2B,GAAG,CAAA,oDAAA,CAAsD,CACrF;QACH;;AAGA,QAAA,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,eAAe;;AAGtC,QAAA,MAAM,aAAa,GAAG,MAAM,qBAAqB,CAAC,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,CAAC;;AAGpF,QAAA,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;AACtF,QAAA,MAAM,MAAM,GAAmB;YAC7B,WAAW,EAAE,aAAa,CAAC,YAAY;YACvC,YAAY,EAAE,aAAa,CAAC,aAAa;YACzC,SAAS;SACV;AAED,QAAA,MAAM,eAAe,CAAC,GAAG,CAAC,WAAW,EAAE;YACrC,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,SAAS,EAAE,MAAM,CAAC,SAAS;AAC5B,SAAA,CAAC;AAEF,QAAA,OAAO,MAAM;IACf;YAAU;;QAER,MAAM,CAAC,KAAK,EAAE;IAChB;AACF;;;;;"}

package/dist/cjs/auth/refresh.js

@@ -0,0 +1,203 @@
+'use strict';
+
+var promises = require('node:fs/promises');
+var node_path = require('node:path');
+var store = require('../config/store.js');
+var env = require('../config/env.js');
+var keyring = require('./keyring.js');
+
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+const REFRESH_BUFFER_SECONDS = 60;
+const STALE_LOCK_THRESHOLD_MS = 60_000;
+const LOCK_RETRY_DELAY_MS = 500;
+const LOCK_MAX_RETRIES = 10;
+// ---------------------------------------------------------------------------
+// needsRefresh
+// ---------------------------------------------------------------------------
+/**
+ * Returns true when the credential token needs a refresh:
+ * - no expiresAt present, OR
+ * - token expires within the 60-second buffer window
+ *
+ * Pure function — no I/O.
+ */
+function needsRefresh(creds) {
+    if (!creds.expiresAt)
+        return true;
+    const expiresAt = new Date(creds.expiresAt).getTime();
+    if (isNaN(expiresAt))
+        return true;
+    const bufferMs = REFRESH_BUFFER_SECONDS * 1_000;
+    return Date.now() >= expiresAt - bufferMs;
+}
+// ---------------------------------------------------------------------------
+// Lockfile helpers
+// ---------------------------------------------------------------------------
+/**
+ * Returns true when the process identified by `pid` is still running.
+ * Uses kill(pid, 0) which sends no signal but checks for process existence.
+ */
+function isPidAlive(pid) {
+    try {
+        process.kill(pid, 0);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Acquires an exclusive per-profile lock file.
+ *
+ * Uses O_EXCL (writeFile flag:'wx') for atomic exclusive creation.
+ * If a lock exists, checks staleness (>60s or dead PID) and cleans up if stale.
+ * Retries up to 10 times with 500ms back-off before throwing.
+ */
+async function acquireLock(profileName) {
+    const configDir = await store.getConfigDir();
+    const lockPath = node_path.join(configDir, `.${profileName}.refresh.lock`);
+    for (let attempt = 0; attempt < LOCK_MAX_RETRIES; attempt++) {
+        try {
+            const content = { pid: process.pid, timestamp: Date.now() };
+            await promises.writeFile(lockPath, JSON.stringify(content), { flag: 'wx', mode: 0o600 });
+            // Acquired — return handle with inline release
+            return {
+                lockPath,
+                async release() {
+                    await promises.unlink(lockPath).catch(() => undefined);
+                },
+            };
+        }
+        catch (err) {
+            // Only handle EEXIST — lock file already exists
+            if (!isEexist(err))
+                throw err;
+            // Read existing lock and decide whether it's stale
+            const isStale = await checkAndCleanStaleLock(lockPath);
+            if (isStale) {
+                // Stale lock deleted — retry immediately (don't sleep)
+                continue;
+            }
+            // Live lock — wait before retrying
+            if (attempt < LOCK_MAX_RETRIES - 1) {
+                await sleep(LOCK_RETRY_DELAY_MS);
+            }
+        }
+    }
+    throw new Error('Could not acquire refresh lock. Another process may be refreshing.');
+}
+/**
+ * Reads the lock file at `lockPath`, checks whether it's stale, and
+ * if so deletes it. Returns true if the lock was stale (and deleted).
+ */
+async function checkAndCleanStaleLock(lockPath) {
+    let content;
+    try {
+        const raw = await promises.readFile(lockPath, 'utf-8');
+        content = JSON.parse(raw);
+    }
+    catch {
+        // File vanished between our EEXIST and this read — treat as stale
+        return true;
+    }
+    const isOlderThanThreshold = Date.now() - content.timestamp > STALE_LOCK_THRESHOLD_MS;
+    const isProcDead = !isPidAlive(content.pid);
+    if (isOlderThanThreshold || isProcDead) {
+        await promises.unlink(lockPath).catch(() => undefined);
+        return true;
+    }
+    return false;
+}
+/**
+ * Releases a previously acquired lock handle. Best-effort — never throws.
+ */
+async function releaseLock(handle) {
+    await handle.release();
+}
+// ---------------------------------------------------------------------------
+// refreshToken
+// ---------------------------------------------------------------------------
+/**
+ * Performs a transparent token refresh with double-checked locking.
+ *
+ * 1. Acquires a per-profile lockfile
+ * 2. Re-reads credentials — another process may have already refreshed
+ * 3. If tokens are still fresh, skips the network call (wasRefreshed: false)
+ * 4. Otherwise calls POST /v1/auth/refresh and stores the new tokens
+ * 5. Always releases the lock in a finally block
+ *
+ * Throws with a user-friendly message if the session has expired.
+ */
+async function refreshToken(options = {}) {
+    const profileName = options.profileName ?? 'default';
+    const store = options.credentialStore ?? (await keyring.createCredentialStore());
+    const apiUrl = options.apiUrl ?? env.getApiUrl();
+    const lock = await acquireLock(profileName);
+    try {
+        // Double-checked locking: re-read credentials now that we hold the lock.
+        // Another process may have already refreshed while we waited.
+        const latestCreds = await store.get(profileName);
+        if (latestCreds && !needsRefresh(latestCreds)) {
+            // Already refreshed by another process — return current tokens.
+            return {
+                accessToken: latestCreds.accessToken ?? '',
+                refreshToken: latestCreds.refreshToken ?? '',
+                expiresAt: latestCreds.expiresAt ?? '',
+                wasRefreshed: false,
+            };
+        }
+        // We need to refresh — verify we have a refresh token to use.
+        if (!latestCreds?.refreshToken) {
+            await store.clear(profileName);
+            throw new Error('Session expired. Run doow login to re-authenticate.');
+        }
+        // Call the refresh endpoint.
+        const response = await fetch(`${apiUrl}/v1/auth/refresh`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ refresh_token: latestCreds.refreshToken }),
+        });
+        if (!response.ok) {
+            // 401 or any non-2xx → session expired
+            await store.clear(profileName);
+            throw new Error('Session expired. Run doow login to re-authenticate.');
+        }
+        const data = (await response.json());
+        const expiresAt = new Date(Date.now() + data.expires_in * 1_000).toISOString();
+        const newCreds = {
+            accessToken: data.access_token,
+            refreshToken: data.refresh_token,
+            expiresAt,
+        };
+        await store.set(profileName, newCreds);
+        return {
+            accessToken: data.access_token,
+            refreshToken: data.refresh_token,
+            expiresAt,
+            wasRefreshed: true,
+        };
+    }
+    finally {
+        await lock.release();
+    }
+}
+// ---------------------------------------------------------------------------
+// Utilities
+// ---------------------------------------------------------------------------
+function isEexist(err) {
+    return (typeof err === 'object' &&
+        err !== null &&
+        'code' in err &&
+        err.code === 'EEXIST');
+}
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+exports.acquireLock = acquireLock;
+exports.needsRefresh = needsRefresh;
+exports.refreshToken = refreshToken;
+exports.releaseLock = releaseLock;
+//# sourceMappingURL=refresh.js.map

package/dist/cjs/auth/refresh.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh.js","sources":["../../../../src/auth/refresh.ts"],"sourcesContent":[null],"names":["getConfigDir","join","writeFile","unlink","readFile","createCredentialStore","getApiUrl"],"mappings":";;;;;;;;AAwCA;AACA;AACA;AAEA,MAAM,sBAAsB,GAAG,EAAE;AACjC,MAAM,uBAAuB,GAAG,MAAM;AACtC,MAAM,mBAAmB,GAAG,GAAG;AAC/B,MAAM,gBAAgB,GAAG,EAAE;AAE3B;AACA;AACA;AAEA;;;;;;AAMG;AACG,SAAU,YAAY,CAAC,KAAyB,EAAA;IACpD,IAAI,CAAC,KAAK,CAAC,SAAS;AAAE,QAAA,OAAO,IAAI;AACjC,IAAA,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;IACrD,IAAI,KAAK,CAAC,SAAS,CAAC;AAAE,QAAA,OAAO,IAAI;AACjC,IAAA,MAAM,QAAQ,GAAG,sBAAsB,GAAG,KAAK;IAC/C,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,SAAS,GAAG,QAAQ;AAC3C;AAEA;AACA;AACA;AAEA;;;AAGG;AACH,SAAS,UAAU,CAAC,GAAW,EAAA;AAC7B,IAAA,IAAI;AACF,QAAA,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;AACpB,QAAA,OAAO,IAAI;IACb;AAAE,IAAA,MAAM;AACN,QAAA,OAAO,KAAK;IACd;AACF;AAEA;;;;;;AAMG;AACI,eAAe,WAAW,CAAC,WAAmB,EAAA;AACnD,IAAA,MAAM,SAAS,GAAG,MAAMA,kBAAY,EAAE;IACtC,MAAM,QAAQ,GAAGC,cAAI,CAAC,SAAS,EAAE,CAAA,CAAA,EAAI,WAAW,CAAA,aAAA,CAAe,CAAC;AAEhE,IAAA,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,gBAAgB,EAAE,OAAO,EAAE,EAAE;AAC3D,QAAA,IAAI;AACF,YAAA,MAAM,OAAO,GAAoB,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE;YAC5E,MAAMC,kBAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;;YAG/E,OAAO;gBACL,QAAQ;AACR,gBAAA,MAAM,OAAO,GAAA;AACX,oBAAA,MAAMC,eAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,MAAM,SAAS,CAAC;gBAC/C,CAAC;aACF;QACH;QAAE,OAAO,GAAY,EAAE;;AAErB,YAAA,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;AAAE,gBAAA,MAAM,GAAG;;AAG7B,YAAA,MAAM,OAAO,GAAG,MAAM,sBAAsB,CAAC,QAAQ,CAAC;YACtD,IAAI,OAAO,EAAE;;gBAEX;YACF;;AAGA,YAAA,IAAI,OAAO,GAAG,gBAAgB,GAAG,CAAC,EAAE;AAClC,gBAAA,MAAM,KAAK,CAAC,mBAAmB,CAAC;YAClC;QACF;IACF;AAEA,IAAA,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC;AACvF;AAEA;;;AAGG;AACH,eAAe,sBAAsB,CAAC,QAAgB,EAAA;AACpD,IAAA,IAAI,OAAwB;AAC5B,IAAA,IAAI;QACF,MAAM,GAAG,GAAG,MAAMC,iBAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;AAC7C,QAAA,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAoB;IAC9C;AAAE,IAAA,MAAM;;AAEN,QAAA,OAAO,IAAI;IACb;AAEA,IAAA,MAAM,oBAAoB,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,SAAS,GAAG,uBAAuB;IACrF,MAAM,UAAU,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC;AAE3C,IAAA,IAAI,oBAAoB,IAAI,UAAU,EAAE;AACtC,QAAA,MAAMD,eAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,MAAM,SAAS,CAAC;AAC7C,QAAA,OAAO,IAAI;IACb;AAEA,IAAA,OAAO,KAAK;AACd;AAEA;;AAEG;AACI,eAAe,WAAW,CAAC,MAAkB,EAAA;AAClD,IAAA,MAAM,MAAM,CAAC,OAAO,EAAE;AACxB;AAEA;AACA;AACA;AAEA;;;;;;;;;;AAUG;AACI,eAAe,YAAY,CAAC,UAA0B,EAAE,EAAA;AAC7D,IAAA,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,SAAS;IACpD,MAAM,KAAK,GAAG,OAAO,CAAC,eAAe,KAAK,MAAME,6BAAqB,EAAE,CAAC;IACxE,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAIC,aAAS,EAAE;AAE5C,IAAA,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,WAAW,CAAC;AAE3C,IAAA,IAAI;;;QAGF,MAAM,WAAW,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC;QAEhD,IAAI,WAAW,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,EAAE;;YAE7C,OAAO;AACL,gBAAA,WAAW,EAAE,WAAW,CAAC,WAAW,IAAI,EAAE;AAC1C,gBAAA,YAAY,EAAE,WAAW,CAAC,YAAY,IAAI,EAAE;AAC5C,gBAAA,SAAS,EAAE,WAAW,CAAC,SAAS,IAAI,EAAE;AACtC,gBAAA,YAAY,EAAE,KAAK;aACpB;QACH;;AAGA,QAAA,IAAI,CAAC,WAAW,EAAE,YAAY,EAAE;AAC9B,YAAA,MAAM,KAAK,CAAC,KAAK,CAAC,WAAW,CAAC;AAC9B,YAAA,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC;QACxE;;QAGA,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,CAAA,EAAG,MAAM,kBAAkB,EAAE;AACxD,YAAA,MAAM,EAAE,MAAM;AACd,YAAA,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;AAC/C,YAAA,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,aAAa,EAAE,WAAW,CAAC,YAAY,EAAE,CAAC;AAClE,SAAA,CAAC;AAEF,QAAA,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;;AAEhB,YAAA,MAAM,KAAK,CAAC,KAAK,CAAC,WAAW,CAAC;AAC9B,YAAA,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC;QACxE;QAEA,MAAM,IAAI,IAAI,MAAM,QAAQ,CAAC,IAAI,EAAE,CAIlC;AAED,QAAA,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,KAAK,CAAC,CAAC,WAAW,EAAE;AAE9E,QAAA,MAAM,QAAQ,GAAuB;YACnC,WAAW,EAAE,IAAI,CAAC,YAAY;YAC9B,YAAY,EAAE,IAAI,CAAC,aAAa;YAChC,SAAS;SACV;QAED,MAAM,KAAK,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC;QAEtC,OAAO;YACL,WAAW,EAAE,IAAI,CAAC,YAAY;YAC9B,YAAY,EAAE,IAAI,CAAC,aAAa;YAChC,SAAS;AACT,YAAA,YAAY,EAAE,IAAI;SACnB;IACH;YAAU;AACR,QAAA,MAAM,IAAI,CAAC,OAAO,EAAE;IACtB;AACF;AAEA;AACA;AACA;AAEA,SAAS,QAAQ,CAAC,GAAY,EAAA;AAC5B,IAAA,QACE,OAAO,GAAG,KAAK,QAAQ;AACvB,QAAA,GAAG,KAAK,IAAI;AACZ,QAAA,MAAM,IAAI,GAAG;AACZ,QAAA,GAA6B,CAAC,IAAI,KAAK,QAAQ;AAEpD;AAEA,SAAS,KAAK,CAAC,EAAU,EAAA;AACvB,IAAA,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,KAAK,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;AAC1D;;;;;;;"}

package/dist/cjs/config/env.js

@@ -0,0 +1,44 @@
+'use strict';
+
+/** True when stdout is an interactive terminal. */
+function isTTY() {
+    return process.stdout.isTTY === true;
+}
+/** True when running inside a CI environment (any common CI sets $CI). */
+function isCI() {
+    return !!process.env['CI'];
+}
+/**
+ * True when the CLI is invoked by an automated agent rather than a human.
+ * Detected via $DOOW_AGENT_MODE env var or the --agent CLI flag (which
+ * Commander stores on the global options object as `process.env` is the
+ * canonical signal here — Commander integration is wired up in cli.ts).
+ */
+function isAgentMode() {
+    return !!process.env['DOOW_AGENT_MODE'];
+}
+/**
+ * True when interactive UI (spinners, prompts, color) should be shown.
+ * Requires a real TTY, no CI env, and not running in agent mode.
+ */
+function shouldShowUI() {
+    return isTTY() && !isCI() && !isAgentMode();
+}
+/**
+ * Resolve the API base URL.
+ * Precedence: profile.apiUrl → $DOOW_API_URL → hardcoded default.
+ */
+function getApiUrl(profile) {
+    if (profile?.apiUrl)
+        return profile.apiUrl;
+    if (process.env['DOOW_API_URL'])
+        return process.env['DOOW_API_URL'];
+    return 'https://api.doow.com';
+}
+
+exports.getApiUrl = getApiUrl;
+exports.isAgentMode = isAgentMode;
+exports.isCI = isCI;
+exports.isTTY = isTTY;
+exports.shouldShowUI = shouldShowUI;
+//# sourceMappingURL=env.js.map

package/dist/cjs/config/env.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.js","sources":["../../../../src/config/env.ts"],"sourcesContent":[null],"names":[],"mappings":";;AAEA;SACgB,KAAK,GAAA;AACnB,IAAA,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,KAAK,IAAI;AACtC;AAEA;SACgB,IAAI,GAAA;IAClB,OAAO,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;AAC5B;AAEA;;;;;AAKG;SACa,WAAW,GAAA;IACzB,OAAO,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;AACzC;AAEA;;;AAGG;SACa,YAAY,GAAA;IAC1B,OAAO,KAAK,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,EAAE;AAC7C;AAEA;;;AAGG;AACG,SAAU,SAAS,CAAC,OAAiB,EAAA;IACzC,IAAI,OAAO,EAAE,MAAM;QAAE,OAAO,OAAO,CAAC,MAAM;AAC1C,IAAA,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;AAAE,QAAA,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;AACnE,IAAA,OAAO,sBAAsB;AAC/B;;;;;;;;"}