npm - @dreamboard-games/cli - Versions diffs - 0.1.30-alpha.12 → 0.1.30-alpha.15 - Mend

@dreamboard-games/cli 0.1.30-alpha.12 → 0.1.30-alpha.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (143) hide show

package/dist/agent-verifier/chunk-AXXUGU7Q.mjs ADDED Viewed

@@ -0,0 +1,255 @@
+#!/usr/bin/env node
+import {
+  atomicWriteFile,
+  withFileLock
+} from "./chunk-TAEQKBJB.mjs";
+import {
+  PROJECT_DIR_NAME
+} from "./chunk-M7UVBANQ.mjs";
+// src/config/credential-store.ts
+import os from "os";
+import path from "path";
+import { promises as fs } from "fs";
+// src/build-target.ts
+var injectedBuildChannel = true ? "development" : void 0;
+var BUILD_CHANNEL = injectedBuildChannel === "published" ? "published" : "development";
+var IS_PUBLISHED_BUILD = BUILD_CHANNEL === "published";
+var PUBLISHED_ENVIRONMENT = "prod";
+// src/config/credential-store.ts
+function getCredentialFilePath() {
+  return path.join(os.homedir(), PROJECT_DIR_NAME, "auth.json");
+}
+function getCredentialLockPath() {
+  return `${getCredentialFilePath()}.lock`;
+}
+async function fileRead() {
+  const filePath = getCredentialFilePath();
+  let data;
+  try {
+    data = await fs.readFile(filePath, "utf8");
+  } catch (err) {
+    if (err.code === "ENOENT") return null;
+    throw err;
+  }
+  if (data.trim().length === 0) {
+    return null;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(data);
+  } catch {
+    return null;
+  }
+  const accessToken = parsed.clerkAccessToken ?? parsed.accessToken ?? parsed.authToken;
+  const refreshToken = parsed.refreshToken;
+  if (!accessToken && !refreshToken) return null;
+  return {
+    accessToken: accessToken || void 0,
+    refreshToken: refreshToken || void 0,
+    tokenExpiresAt: parsed.clerkAccessExpiresAt || parsed.tokenExpiresAt || void 0,
+    dreamboardApiToken: parsed.dreamboardApiToken || void 0,
+    dreamboardApiExpiresAt: parsed.dreamboardApiExpiresAt || void 0,
+    clerkOAuthIssuer: parsed.clerkOAuthIssuer || void 0,
+    clerkOAuthClientId: parsed.clerkOAuthClientId || void 0,
+    clerkOAuthTokenUrl: parsed.clerkOAuthTokenUrl || void 0,
+    environment: parsed.environment || void 0
+  };
+}
+async function writeFilePayload(payload) {
+  await atomicWriteFile(
+    getCredentialFilePath(),
+    `${JSON.stringify(payload, null, 2)}
+`,
+    { mode: 384 }
+  );
+}
+async function fileWriteFull(creds) {
+  if (!creds.accessToken || !creds.refreshToken) {
+    throw new Error(
+      "Refusing to persist credentials with an empty accessToken or refreshToken."
+    );
+  }
+  await writeFilePayload({
+    clerkAccessToken: creds.accessToken,
+    refreshToken: creds.refreshToken,
+    clerkAccessExpiresAt: creds.tokenExpiresAt,
+    dreamboardApiToken: creds.dreamboardApiToken,
+    dreamboardApiExpiresAt: creds.dreamboardApiExpiresAt,
+    clerkOAuthIssuer: creds.clerkOAuthIssuer,
+    clerkOAuthClientId: creds.clerkOAuthClientId,
+    clerkOAuthTokenUrl: creds.clerkOAuthTokenUrl,
+    environment: creds.environment
+  });
+}
+async function fileWriteAccessOnly(accessToken) {
+  if (!accessToken) {
+    throw new Error("Refusing to persist an empty access token.");
+  }
+  await writeFilePayload({ authToken: accessToken });
+}
+async function fileClear() {
+  const filePath = getCredentialFilePath();
+  try {
+    await fs.unlink(filePath);
+  } catch (err) {
+    if (err.code !== "ENOENT") throw err;
+  }
+}
+var fileCredentialBackend = {
+  name: "file",
+  read: fileRead,
+  writeFull: fileWriteFull,
+  writeAccessOnly: fileWriteAccessOnly,
+  clear: fileClear
+};
+var CredentialStoreUnavailableError = class extends Error {
+  code = "CREDENTIAL_STORE_UNAVAILABLE";
+  constructor(reason) {
+    super(`Credential store unavailable: ${reason}`);
+    this.name = "CredentialStoreUnavailableError";
+  }
+};
+var cachedBackend = null;
+var migrationCompleted = false;
+var backendResolver = defaultBackendResolver;
+async function defaultBackendResolver() {
+  const override = (process.env.DREAMBOARD_CREDENTIAL_BACKEND ?? "").trim().toLowerCase();
+  if (IS_PUBLISHED_BUILD) {
+    if (override && override !== "keychain" && override !== "auto") {
+      throw new CredentialStoreUnavailableError(
+        "published builds require the OS credential store"
+      );
+    }
+    const { tryKeychainBackend: tryKeychainBackend2 } = await import("./keychain-backend-BQLW5VEC.mjs");
+    const keychain2 = await tryKeychainBackend2();
+    if (keychain2.available) {
+      return keychain2.backend;
+    }
+    throw new CredentialStoreUnavailableError(keychain2.reason);
+  }
+  if (override === "file") {
+    return fileCredentialBackend;
+  }
+  if (override && override !== "keychain" && override !== "auto") {
+    throw new Error(
+      `Unknown DREAMBOARD_CREDENTIAL_BACKEND value "${override}" (expected "file", "keychain", or "auto").`
+    );
+  }
+  const useKeychain = override === "keychain" || await readCredentialBackendPreference();
+  if (!useKeychain) {
+    return fileCredentialBackend;
+  }
+  const { tryKeychainBackend } = await import("./keychain-backend-BQLW5VEC.mjs");
+  const keychain = await tryKeychainBackend();
+  if (keychain.available) {
+    return keychain.backend;
+  }
+  return fileCredentialBackend;
+}
+async function readCredentialBackendPreference() {
+  try {
+    const { loadGlobalConfig } = await import("./global-config-6UGFPLDA.mjs");
+    const config = await loadGlobalConfig();
+    return config.credentialBackend === "keychain";
+  } catch {
+    return false;
+  }
+}
+async function getCredentialBackend() {
+  if (cachedBackend === null) {
+    cachedBackend = await backendResolver();
+    if (!migrationCompleted && cachedBackend.name !== "file") {
+      await migrateFromFileBackendIfNeeded(cachedBackend, {
+        failClosed: IS_PUBLISHED_BUILD
+      });
+    }
+    migrationCompleted = true;
+  }
+  return cachedBackend;
+}
+async function migrateFromFileBackendIfNeeded(target, options = {}) {
+  try {
+    const [onDisk, onTarget] = await Promise.all([
+      fileCredentialBackend.read(),
+      target.read()
+    ]);
+    if (!onDisk) return;
+    if (onTarget) {
+      await fileCredentialBackend.clear();
+      return;
+    }
+    if (onDisk.accessToken && onDisk.refreshToken) {
+      const migrated = {
+        accessToken: onDisk.accessToken,
+        refreshToken: onDisk.refreshToken,
+        tokenExpiresAt: onDisk.tokenExpiresAt,
+        dreamboardApiToken: onDisk.dreamboardApiToken,
+        dreamboardApiExpiresAt: onDisk.dreamboardApiExpiresAt,
+        clerkOAuthIssuer: onDisk.clerkOAuthIssuer,
+        clerkOAuthClientId: onDisk.clerkOAuthClientId,
+        clerkOAuthTokenUrl: onDisk.clerkOAuthTokenUrl,
+        environment: onDisk.environment
+      };
+      await target.writeFull(migrated);
+      await verifyMigratedSession(target, migrated);
+    } else if (onDisk.accessToken) {
+      await target.writeAccessOnly(onDisk.accessToken);
+      const migrated = await target.read();
+      if (migrated?.accessToken !== onDisk.accessToken) {
+        throw new Error("Credential migration verification failed.");
+      }
+    } else {
+      return;
+    }
+    await fileCredentialBackend.clear();
+  } catch (error) {
+    if (options.failClosed) {
+      throw new CredentialStoreUnavailableError(
+        error instanceof Error ? error.message : String(error)
+      );
+    }
+  }
+}
+async function verifyMigratedSession(target, expected) {
+  const migrated = await target.read();
+  if (migrated?.accessToken !== expected.accessToken || migrated.refreshToken !== expected.refreshToken) {
+    throw new Error("Credential migration verification failed.");
+  }
+}
+async function getStoredSession() {
+  if (process.env.DREAMBOARD_AGENT_TOKEN?.trim()) {
+    return null;
+  }
+  const backend = await getCredentialBackend();
+  return backend.read();
+}
+async function withCredentialLock(fn, options) {
+  return withFileLock(
+    getCredentialLockPath(),
+    async () => {
+      const backend = await getCredentialBackend();
+      const ops = {
+        backendName: backend.name,
+        read: () => backend.read(),
+        writeFull: (creds) => backend.writeFull(creds),
+        writeAccessOnly: (accessToken) => backend.writeAccessOnly(accessToken),
+        clear: () => backend.clear()
+      };
+      return fn(ops);
+    },
+    options
+  );
+}
+export {
+  BUILD_CHANNEL,
+  IS_PUBLISHED_BUILD,
+  PUBLISHED_ENVIRONMENT,
+  getCredentialFilePath,
+  getStoredSession,
+  withCredentialLock
+};
+//# sourceMappingURL=chunk-AXXUGU7Q.mjs.map

package/dist/agent-verifier/chunk-AXXUGU7Q.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/config/credential-store.ts","../../src/build-target.ts"],"sourcesContent":["/**\n * Single writer for the long-lived Dreamboard session credentials.\n *\n * Design invariants (enforced at the type level and tested in\n * `credential-store.test.ts`):\n *\n * 1. This module is the ONLY place in the CLI that writes credentials to\n * disk or the OS keychain. `global-config.ts` used to own both the\n * config and the credentials via `saveGlobalConfig`, which made it\n * trivial to wipe a refresh token by accident. The `GlobalConfig` type\n * no longer carries credentials, so attempting to persist one through\n * the config path is a type error.\n *\n * 2. The mutating surface is intentionally narrow:\n * - `setCredentials(c)` for refreshable sessions (both tokens present)\n * - `setAccessOnlySession(accessToken)` for the `auth set` / `config set\n * --token` power-user path, which has no refresh token by\n * construction\n * - `clearCredentials()` wipes the file entirely\n * There is no \"partial update\" API. `Credentials` requires both\n * `accessToken` and `refreshToken`, so it is impossible to persist a\n * half-populated refreshable session.\n *\n * 3. Writes go through `atomicWriteFile` + `withFileLock`, so a crash or\n * interrupt during `dreamboard sync`/`compile` cannot leave `auth.json`\n * truncated, and parallel CLI invocations cannot clobber each other's\n * rotated refresh tokens.\n *\n * 4. The on-disk JSON shape for the file backend is kept backward\n * compatible: we continue to read/write `authToken` + `refreshToken`\n * so existing users are not forced to log in again after this change.\n * A newer `accessToken` key is also accepted for read to ease any\n * future format bump.\n *\n * 5. Development builds may still use the file backend for local testing.\n * Published builds require the OS keychain and fail closed when it is\n * unavailable.\n */\n\nimport os from \"node:os\";\nimport path from \"node:path\";\nimport { promises as fs } from \"node:fs\";\nimport { PROJECT_DIR_NAME } from \"../constants.js\";\nimport { IS_PUBLISHED_BUILD } from \"../build-target.js\";\nimport {\n atomicWriteFile,\n withFileLock,\n type FileLockOptions,\n} from \"../utils/atomic-file.js\";\n\n/**\n * Fully refreshable session. `accessToken` is the Clerk OAuth bootstrap token\n * retained for refresh/exchange compatibility; ordinary API calls use\n * `dreamboardApiToken`.\n */\nexport type Credentials = {\n readonly accessToken: string;\n readonly refreshToken: string;\n readonly tokenExpiresAt?: string;\n readonly dreamboardApiToken?: string;\n readonly dreamboardApiExpiresAt?: string;\n readonly clerkOAuthIssuer?: string;\n readonly clerkOAuthClientId?: string;\n readonly clerkOAuthTokenUrl?: string;\n readonly environment?: string;\n};\n\n/**\n * Raw on-disk snapshot. Either or both fields may be present. The refresh\n * coordinator only acts on snapshots that have both tokens populated.\n */\nexport type StoredSessionSnapshot = {\n readonly accessToken?: string;\n readonly refreshToken?: string;\n readonly tokenExpiresAt?: string;\n readonly dreamboardApiToken?: string;\n readonly dreamboardApiExpiresAt?: string;\n readonly clerkOAuthIssuer?: string;\n readonly clerkOAuthClientId?: string;\n readonly clerkOAuthTokenUrl?: string;\n readonly environment?: string;\n};\n\nexport type CredentialBackendName = \"file\" | \"keychain\";\n\nexport type CredentialBackend = {\n readonly name: CredentialBackendName;\n read(): Promise<StoredSessionSnapshot | null>;\n writeFull(creds: Credentials): Promise<void>;\n writeAccessOnly(accessToken: string): Promise<void>;\n clear(): Promise<void>;\n};\n\nexport type CredentialLockOps = {\n readonly backendName: CredentialBackendName;\n read(): Promise<StoredSessionSnapshot | null>;\n writeFull(creds: Credentials): Promise<void>;\n writeAccessOnly(accessToken: string): Promise<void>;\n clear(): Promise<void>;\n};\n\ntype DiskShape = Partial<{\n clerkAccessToken: string;\n clerkAccessExpiresAt: string;\n accessToken: string;\n authToken: string;\n refreshToken: string;\n tokenExpiresAt: string;\n dreamboardApiToken: string;\n dreamboardApiExpiresAt: string;\n clerkOAuthIssuer: string;\n clerkOAuthClientId: string;\n clerkOAuthTokenUrl: string;\n environment: string;\n}>;\n\nexport function getCredentialFilePath(): string {\n return path.join(os.homedir(), PROJECT_DIR_NAME, \"auth.json\");\n}\n\nfunction getCredentialLockPath(): string {\n return `${getCredentialFilePath()}.lock`;\n}\n\nasync function fileRead(): Promise<StoredSessionSnapshot | null> {\n const filePath = getCredentialFilePath();\n let data: string;\n try {\n data = await fs.readFile(filePath, \"utf8\");\n } catch (err) {\n if ((err as NodeJS.ErrnoException).code === \"ENOENT\") return null;\n throw err;\n }\n if (data.trim().length === 0) {\n return null;\n }\n let parsed: DiskShape;\n try {\n parsed = JSON.parse(data) as DiskShape;\n } catch {\n return null;\n }\n const accessToken =\n parsed.clerkAccessToken ?? parsed.accessToken ?? parsed.authToken;\n const refreshToken = parsed.refreshToken;\n if (!accessToken && !refreshToken) return null;\n return {\n accessToken: accessToken || undefined,\n refreshToken: refreshToken || undefined,\n tokenExpiresAt:\n parsed.clerkAccessExpiresAt || parsed.tokenExpiresAt || undefined,\n dreamboardApiToken: parsed.dreamboardApiToken || undefined,\n dreamboardApiExpiresAt: parsed.dreamboardApiExpiresAt || undefined,\n clerkOAuthIssuer: parsed.clerkOAuthIssuer || undefined,\n clerkOAuthClientId: parsed.clerkOAuthClientId || undefined,\n clerkOAuthTokenUrl: parsed.clerkOAuthTokenUrl || undefined,\n environment: parsed.environment || undefined,\n };\n}\n\nasync function writeFilePayload(payload: DiskShape): Promise<void> {\n await atomicWriteFile(\n getCredentialFilePath(),\n `${JSON.stringify(payload, null, 2)}\\n`,\n { mode: 0o600 },\n );\n}\n\nasync function fileWriteFull(creds: Credentials): Promise<void> {\n if (!creds.accessToken || !creds.refreshToken) {\n throw new Error(\n \"Refusing to persist credentials with an empty accessToken or refreshToken.\",\n );\n }\n await writeFilePayload({\n clerkAccessToken: creds.accessToken,\n refreshToken: creds.refreshToken,\n clerkAccessExpiresAt: creds.tokenExpiresAt,\n dreamboardApiToken: creds.dreamboardApiToken,\n dreamboardApiExpiresAt: creds.dreamboardApiExpiresAt,\n clerkOAuthIssuer: creds.clerkOAuthIssuer,\n clerkOAuthClientId: creds.clerkOAuthClientId,\n clerkOAuthTokenUrl: creds.clerkOAuthTokenUrl,\n environment: creds.environment,\n });\n}\n\nasync function fileWriteAccessOnly(accessToken: string): Promise<void> {\n if (!accessToken) {\n throw new Error(\"Refusing to persist an empty access token.\");\n }\n await writeFilePayload({ authToken: accessToken });\n}\n\nasync function fileClear(): Promise<void> {\n const filePath = getCredentialFilePath();\n try {\n await fs.unlink(filePath);\n } catch (err) {\n if ((err as NodeJS.ErrnoException).code !== \"ENOENT\") throw err;\n }\n}\n\nexport const fileCredentialBackend: CredentialBackend = {\n name: \"file\",\n read: fileRead,\n writeFull: fileWriteFull,\n writeAccessOnly: fileWriteAccessOnly,\n clear: fileClear,\n};\n\nexport type BackendResolver = () =>\n | CredentialBackend\n | Promise<CredentialBackend>;\n\nexport class CredentialStoreUnavailableError extends Error {\n readonly code = \"CREDENTIAL_STORE_UNAVAILABLE\";\n\n constructor(reason: string) {\n super(`Credential store unavailable: ${reason}`);\n this.name = \"CredentialStoreUnavailableError\";\n }\n}\n\nlet cachedBackend: CredentialBackend | null = null;\nlet migrationCompleted = false;\nlet backendResolver: BackendResolver = defaultBackendResolver;\n\n/**\n * Development resolver precedence:\n *\n * 1. `DREAMBOARD_CREDENTIAL_BACKEND` env var (debugging / CI override).\n * - \"file\" -> force file\n * - \"keychain\" -> force keychain (falls back to file if the native\n * module or the OS keyring is unavailable)\n * - \"auto\" -> same as unset (use config)\n * - unknown -> throw so typos fail loud\n * 2. `credentialBackend` in `~/.dreamboard/config.json`.\n * - \"keychain\" -> opt in to the OS keychain (with file fallback)\n * - \"file\" / unset / malformed -> file\n * 3. Default: file backend.\n *\n * Published builds skip this precedence, require keychain, and throw\n * CREDENTIAL_STORE_UNAVAILABLE instead of falling back to plaintext.\n *\n * In development, keychain is opt-in because on macOS the OS login-keychain prompts for\n * the user's password the first time a new binary tries to write to an\n * item, and re-prompts whenever the Node binary signature changes. We\n * would rather ship a zero-prompt default and let users who care about\n * encrypted-at-rest storage enable it.\n *\n * The resolver is async because the keychain probe requires a dynamic\n * `@napi-rs/keyring` import.\n */\nasync function defaultBackendResolver(): Promise<CredentialBackend> {\n const override = (process.env.DREAMBOARD_CREDENTIAL_BACKEND ?? \"\")\n .trim()\n .toLowerCase();\n if (IS_PUBLISHED_BUILD) {\n if (override && override !== \"keychain\" && override !== \"auto\") {\n throw new CredentialStoreUnavailableError(\n \"published builds require the OS credential store\",\n );\n }\n const { tryKeychainBackend } = await import(\"./keychain-backend.js\");\n const keychain = await tryKeychainBackend();\n if (keychain.available) {\n return keychain.backend;\n }\n throw new CredentialStoreUnavailableError(keychain.reason);\n }\n\n if (override === \"file\") {\n return fileCredentialBackend;\n }\n if (override && override !== \"keychain\" && override !== \"auto\") {\n // Fail loud on typos rather than silently falling back: this env\n // var exists specifically for users who are debugging auth issues\n // and need to know their override took effect.\n throw new Error(\n `Unknown DREAMBOARD_CREDENTIAL_BACKEND value \"${override}\" (expected \"file\", \"keychain\", or \"auto\").`,\n );\n }\n\n const useKeychain =\n override === \"keychain\" || (await readCredentialBackendPreference());\n if (!useKeychain) {\n return fileCredentialBackend;\n }\n\n const { tryKeychainBackend } = await import(\"./keychain-backend.js\");\n const keychain = await tryKeychainBackend();\n if (keychain.available) {\n return keychain.backend;\n }\n // The user explicitly asked for keychain but the platform can't\n // provide one (no libsecret on Linux, missing native module, etc).\n // Silently degrade to the file backend so the CLI stays usable; the\n // active backend is still visible through `dreamboard auth status`.\n return fileCredentialBackend;\n}\n\nasync function readCredentialBackendPreference(): Promise<boolean> {\n try {\n // Dynamic import to avoid a top-level cycle with `global-config.ts`\n // (which imports `getCredentialFilePath` from this module). Using\n // the async path keeps the cycle purely lazy.\n const { loadGlobalConfig } = await import(\"./global-config.js\");\n const config = await loadGlobalConfig();\n return config.credentialBackend === \"keychain\";\n } catch {\n // If the config file is unreadable or the dynamic import fails\n // (e.g. during early bootstrap), fall back to the file-backed\n // default rather than crashing credential lookups.\n return false;\n }\n}\n\n/**\n * Override which backend is used. Tests use this to inject in-memory\n * backends; production code uses the default keychain-first resolver.\n */\nexport function setCredentialBackendResolver(resolver: BackendResolver): void {\n backendResolver = resolver;\n cachedBackend = null;\n migrationCompleted = false;\n}\n\nexport async function getCredentialBackend(): Promise<CredentialBackend> {\n if (cachedBackend === null) {\n cachedBackend = await backendResolver();\n // One-time migration: if we resolved to a non-file backend and\n // `auth.json` still has credentials from the old layout, copy them\n // over and remove the file. We only do this when the new backend is\n // empty, so repeated migrations cannot stomp a newer keychain\n // session with a stale file session.\n if (!migrationCompleted && cachedBackend.name !== \"file\") {\n await migrateFromFileBackendIfNeeded(cachedBackend, {\n failClosed: IS_PUBLISHED_BUILD,\n });\n }\n migrationCompleted = true;\n }\n return cachedBackend;\n}\n\nasync function migrateFromFileBackendIfNeeded(\n target: CredentialBackend,\n options: { failClosed?: boolean } = {},\n): Promise<void> {\n try {\n const [onDisk, onTarget] = await Promise.all([\n fileCredentialBackend.read(),\n target.read(),\n ]);\n if (!onDisk) return;\n if (onTarget) {\n // Target already has a session - the user has already migrated.\n // Remove the file so it cannot get re-used accidentally.\n await fileCredentialBackend.clear();\n return;\n }\n if (onDisk.accessToken && onDisk.refreshToken) {\n const migrated: Credentials = {\n accessToken: onDisk.accessToken,\n refreshToken: onDisk.refreshToken,\n tokenExpiresAt: onDisk.tokenExpiresAt,\n dreamboardApiToken: onDisk.dreamboardApiToken,\n dreamboardApiExpiresAt: onDisk.dreamboardApiExpiresAt,\n clerkOAuthIssuer: onDisk.clerkOAuthIssuer,\n clerkOAuthClientId: onDisk.clerkOAuthClientId,\n clerkOAuthTokenUrl: onDisk.clerkOAuthTokenUrl,\n environment: onDisk.environment,\n };\n await target.writeFull(migrated);\n await verifyMigratedSession(target, migrated);\n } else if (onDisk.accessToken) {\n await target.writeAccessOnly(onDisk.accessToken);\n const migrated = await target.read();\n if (migrated?.accessToken !== onDisk.accessToken) {\n throw new Error(\"Credential migration verification failed.\");\n }\n } else {\n return;\n }\n await fileCredentialBackend.clear();\n } catch (error) {\n if (options.failClosed) {\n throw new CredentialStoreUnavailableError(\n error instanceof Error ? error.message : String(error),\n );\n }\n // Migration is best-effort. A failure here should not block CLI\n // operation; on next run the file backend is still consulted\n // directly because the keychain backend's `read` returns null and\n // callers fall through to \"missing session\" → login prompt.\n }\n}\n\nasync function verifyMigratedSession(\n target: CredentialBackend,\n expected: Credentials,\n): Promise<void> {\n const migrated = await target.read();\n if (\n migrated?.accessToken !== expected.accessToken ||\n migrated.refreshToken !== expected.refreshToken\n ) {\n throw new Error(\"Credential migration verification failed.\");\n }\n}\n\nexport async function getActiveCredentialBackendName(): Promise<CredentialBackendName> {\n const backend = await getCredentialBackend();\n return backend.name;\n}\n\n/** Loose read: returns whatever is on disk, including access-only sessions. */\nexport async function getStoredSession(): Promise<StoredSessionSnapshot | null> {\n if (process.env.DREAMBOARD_AGENT_TOKEN?.trim()) {\n return null;\n }\n const backend = await getCredentialBackend();\n return backend.read();\n}\n\n/** Strict read: returns a refreshable pair, or null if either token is missing. */\nexport async function getCredentials(): Promise<Credentials | null> {\n const snapshot = await getStoredSession();\n if (!snapshot) return null;\n const { accessToken, refreshToken } = snapshot;\n if (!accessToken || !refreshToken) return null;\n return {\n accessToken,\n refreshToken,\n tokenExpiresAt: snapshot.tokenExpiresAt,\n dreamboardApiToken: snapshot.dreamboardApiToken,\n dreamboardApiExpiresAt: snapshot.dreamboardApiExpiresAt,\n clerkOAuthIssuer: snapshot.clerkOAuthIssuer,\n clerkOAuthClientId: snapshot.clerkOAuthClientId,\n clerkOAuthTokenUrl: snapshot.clerkOAuthTokenUrl,\n environment: snapshot.environment,\n };\n}\n\nexport async function setCredentials(creds: Credentials): Promise<void> {\n await withFileLock(getCredentialLockPath(), async () => {\n const backend = await getCredentialBackend();\n await backend.writeFull(creds);\n });\n}\n\nexport async function setAccessOnlySession(accessToken: string): Promise<void> {\n await withFileLock(getCredentialLockPath(), async () => {\n const backend = await getCredentialBackend();\n await backend.writeAccessOnly(accessToken);\n });\n}\n\nexport async function clearCredentials(): Promise<void> {\n await withFileLock(getCredentialLockPath(), async () => {\n const backend = await getCredentialBackend();\n await backend.clear();\n });\n}\n\n/**\n * Run `fn` while holding the cross-process credential lock. `fn` receives\n * an ops handle that reads/writes the active backend without re-acquiring\n * the lock (avoiding deadlock).\n *\n * This is the only correct way to perform a read-modify-write on stored\n * credentials (e.g. CLI refresh rotation) in the presence of\n * concurrent CLI invocations.\n */\nexport async function withCredentialLock<T>(\n fn: (ops: CredentialLockOps) => Promise<T>,\n options?: FileLockOptions,\n): Promise<T> {\n return withFileLock(\n getCredentialLockPath(),\n async () => {\n const backend = await getCredentialBackend();\n const ops: CredentialLockOps = {\n backendName: backend.name,\n read: () => backend.read(),\n writeFull: (creds) => backend.writeFull(creds),\n writeAccessOnly: (accessToken) => backend.writeAccessOnly(accessToken),\n clear: () => backend.clear(),\n };\n return fn(ops);\n },\n options,\n );\n}\n\n/** Test-only reset of module state. Not exported through the barrel. */\nexport function _resetCredentialStoreForTests(): void {\n cachedBackend = null;\n migrationCompleted = false;\n backendResolver = defaultBackendResolver;\n}\n","declare const __DREAMBOARD_BUILD_CHANNEL__: string | undefined;\n\nconst injectedBuildChannel =\n typeof __DREAMBOARD_BUILD_CHANNEL__ === \"string\"\n ? __DREAMBOARD_BUILD_CHANNEL__\n : undefined;\n\nexport const BUILD_CHANNEL =\n injectedBuildChannel === \"published\" ? \"published\" : \"development\";\n\nexport const IS_PUBLISHED_BUILD = BUILD_CHANNEL === \"published\";\nexport const PUBLISHED_ENVIRONMENT = \"prod\" as const;\n"],"mappings":";;;;;;;;;;AAuCA,OAAO,QAAQ;AACf,OAAO,UAAU;AACjB,SAAS,YAAY,UAAU;;;ACvC/B,IAAM,uBACJ,OACI,gBACA;AAEC,IAAM,gBACX,yBAAyB,cAAc,cAAc;AAEhD,IAAM,qBAAqB,kBAAkB;AAC7C,IAAM,wBAAwB;;;ADyG9B,SAAS,wBAAgC;AAC9C,SAAO,KAAK,KAAK,GAAG,QAAQ,GAAG,kBAAkB,WAAW;AAC9D;AAEA,SAAS,wBAAgC;AACvC,SAAO,GAAG,sBAAsB,CAAC;AACnC;AAEA,eAAe,WAAkD;AAC/D,QAAM,WAAW,sBAAsB;AACvC,MAAI;AACJ,MAAI;AACF,WAAO,MAAM,GAAG,SAAS,UAAU,MAAM;AAAA,EAC3C,SAAS,KAAK;AACZ,QAAK,IAA8B,SAAS,SAAU,QAAO;AAC7D,UAAM;AAAA,EACR;AACA,MAAI,KAAK,KAAK,EAAE,WAAW,GAAG;AAC5B,WAAO;AAAA,EACT;AACA,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,IAAI;AAAA,EAC1B,QAAQ;AACN,WAAO;AAAA,EACT;AACA,QAAM,cACJ,OAAO,oBAAoB,OAAO,eAAe,OAAO;AAC1D,QAAM,eAAe,OAAO;AAC5B,MAAI,CAAC,eAAe,CAAC,aAAc,QAAO;AAC1C,SAAO;AAAA,IACL,aAAa,eAAe;AAAA,IAC5B,cAAc,gBAAgB;AAAA,IAC9B,gBACE,OAAO,wBAAwB,OAAO,kBAAkB;AAAA,IAC1D,oBAAoB,OAAO,sBAAsB;AAAA,IACjD,wBAAwB,OAAO,0BAA0B;AAAA,IACzD,kBAAkB,OAAO,oBAAoB;AAAA,IAC7C,oBAAoB,OAAO,sBAAsB;AAAA,IACjD,oBAAoB,OAAO,sBAAsB;AAAA,IACjD,aAAa,OAAO,eAAe;AAAA,EACrC;AACF;AAEA,eAAe,iBAAiB,SAAmC;AACjE,QAAM;AAAA,IACJ,sBAAsB;AAAA,IACtB,GAAG,KAAK,UAAU,SAAS,MAAM,CAAC,CAAC;AAAA;AAAA,IACnC,EAAE,MAAM,IAAM;AAAA,EAChB;AACF;AAEA,eAAe,cAAc,OAAmC;AAC9D,MAAI,CAAC,MAAM,eAAe,CAAC,MAAM,cAAc;AAC7C,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,QAAM,iBAAiB;AAAA,IACrB,kBAAkB,MAAM;AAAA,IACxB,cAAc,MAAM;AAAA,IACpB,sBAAsB,MAAM;AAAA,IAC5B,oBAAoB,MAAM;AAAA,IAC1B,wBAAwB,MAAM;AAAA,IAC9B,kBAAkB,MAAM;AAAA,IACxB,oBAAoB,MAAM;AAAA,IAC1B,oBAAoB,MAAM;AAAA,IAC1B,aAAa,MAAM;AAAA,EACrB,CAAC;AACH;AAEA,eAAe,oBAAoB,aAAoC;AACrE,MAAI,CAAC,aAAa;AAChB,UAAM,IAAI,MAAM,4CAA4C;AAAA,EAC9D;AACA,QAAM,iBAAiB,EAAE,WAAW,YAAY,CAAC;AACnD;AAEA,eAAe,YAA2B;AACxC,QAAM,WAAW,sBAAsB;AACvC,MAAI;AACF,UAAM,GAAG,OAAO,QAAQ;AAAA,EAC1B,SAAS,KAAK;AACZ,QAAK,IAA8B,SAAS,SAAU,OAAM;AAAA,EAC9D;AACF;AAEO,IAAM,wBAA2C;AAAA,EACtD,MAAM;AAAA,EACN,MAAM;AAAA,EACN,WAAW;AAAA,EACX,iBAAiB;AAAA,EACjB,OAAO;AACT;AAMO,IAAM,kCAAN,cAA8C,MAAM;AAAA,EAChD,OAAO;AAAA,EAEhB,YAAY,QAAgB;AAC1B,UAAM,iCAAiC,MAAM,EAAE;AAC/C,SAAK,OAAO;AAAA,EACd;AACF;AAEA,IAAI,gBAA0C;AAC9C,IAAI,qBAAqB;AACzB,IAAI,kBAAmC;AA4BvC,eAAe,yBAAqD;AAClE,QAAM,YAAY,QAAQ,IAAI,iCAAiC,IAC5D,KAAK,EACL,YAAY;AACf,MAAI,oBAAoB;AACtB,QAAI,YAAY,aAAa,cAAc,aAAa,QAAQ;AAC9D,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,UAAM,EAAE,oBAAAA,oBAAmB,IAAI,MAAM,OAAO,iCAAuB;AACnE,UAAMC,YAAW,MAAMD,oBAAmB;AAC1C,QAAIC,UAAS,WAAW;AACtB,aAAOA,UAAS;AAAA,IAClB;AACA,UAAM,IAAI,gCAAgCA,UAAS,MAAM;AAAA,EAC3D;AAEA,MAAI,aAAa,QAAQ;AACvB,WAAO;AAAA,EACT;AACA,MAAI,YAAY,aAAa,cAAc,aAAa,QAAQ;AAI9D,UAAM,IAAI;AAAA,MACR,gDAAgD,QAAQ;AAAA,IAC1D;AAAA,EACF;AAEA,QAAM,cACJ,aAAa,cAAe,MAAM,gCAAgC;AACpE,MAAI,CAAC,aAAa;AAChB,WAAO;AAAA,EACT;AAEA,QAAM,EAAE,mBAAmB,IAAI,MAAM,OAAO,iCAAuB;AACnE,QAAM,WAAW,MAAM,mBAAmB;AAC1C,MAAI,SAAS,WAAW;AACtB,WAAO,SAAS;AAAA,EAClB;AAKA,SAAO;AACT;AAEA,eAAe,kCAAoD;AACjE,MAAI;AAIF,UAAM,EAAE,iBAAiB,IAAI,MAAM,OAAO,8BAAoB;AAC9D,UAAM,SAAS,MAAM,iBAAiB;AACtC,WAAO,OAAO,sBAAsB;AAAA,EACtC,QAAQ;AAIN,WAAO;AAAA,EACT;AACF;AAYA,eAAsB,uBAAmD;AACvE,MAAI,kBAAkB,MAAM;AAC1B,oBAAgB,MAAM,gBAAgB;AAMtC,QAAI,CAAC,sBAAsB,cAAc,SAAS,QAAQ;AACxD,YAAM,+BAA+B,eAAe;AAAA,QAClD,YAAY;AAAA,MACd,CAAC;AAAA,IACH;AACA,yBAAqB;AAAA,EACvB;AACA,SAAO;AACT;AAEA,eAAe,+BACb,QACA,UAAoC,CAAC,GACtB;AACf,MAAI;AACF,UAAM,CAAC,QAAQ,QAAQ,IAAI,MAAM,QAAQ,IAAI;AAAA,MAC3C,sBAAsB,KAAK;AAAA,MAC3B,OAAO,KAAK;AAAA,IACd,CAAC;AACD,QAAI,CAAC,OAAQ;AACb,QAAI,UAAU;AAGZ,YAAM,sBAAsB,MAAM;AAClC;AAAA,IACF;AACA,QAAI,OAAO,eAAe,OAAO,cAAc;AAC7C,YAAM,WAAwB;AAAA,QAC5B,aAAa,OAAO;AAAA,QACpB,cAAc,OAAO;AAAA,QACrB,gBAAgB,OAAO;AAAA,QACvB,oBAAoB,OAAO;AAAA,QAC3B,wBAAwB,OAAO;AAAA,QAC/B,kBAAkB,OAAO;AAAA,QACzB,oBAAoB,OAAO;AAAA,QAC3B,oBAAoB,OAAO;AAAA,QAC3B,aAAa,OAAO;AAAA,MACtB;AACA,YAAM,OAAO,UAAU,QAAQ;AAC/B,YAAM,sBAAsB,QAAQ,QAAQ;AAAA,IAC9C,WAAW,OAAO,aAAa;AAC7B,YAAM,OAAO,gBAAgB,OAAO,WAAW;AAC/C,YAAM,WAAW,MAAM,OAAO,KAAK;AACnC,UAAI,UAAU,gBAAgB,OAAO,aAAa;AAChD,cAAM,IAAI,MAAM,2CAA2C;AAAA,MAC7D;AAAA,IACF,OAAO;AACL;AAAA,IACF;AACA,UAAM,sBAAsB,MAAM;AAAA,EACpC,SAAS,OAAO;AACd,QAAI,QAAQ,YAAY;AACtB,YAAM,IAAI;AAAA,QACR,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAAA,MACvD;AAAA,IACF;AAAA,EAKF;AACF;AAEA,eAAe,sBACb,QACA,UACe;AACf,QAAM,WAAW,MAAM,OAAO,KAAK;AACnC,MACE,UAAU,gBAAgB,SAAS,eACnC,SAAS,iBAAiB,SAAS,cACnC;AACA,UAAM,IAAI,MAAM,2CAA2C;AAAA,EAC7D;AACF;AAQA,eAAsB,mBAA0D;AAC9E,MAAI,QAAQ,IAAI,wBAAwB,KAAK,GAAG;AAC9C,WAAO;AAAA,EACT;AACA,QAAM,UAAU,MAAM,qBAAqB;AAC3C,SAAO,QAAQ,KAAK;AACtB;AAmDA,eAAsB,mBACpB,IACA,SACY;AACZ,SAAO;AAAA,IACL,sBAAsB;AAAA,IACtB,YAAY;AACV,YAAM,UAAU,MAAM,qBAAqB;AAC3C,YAAM,MAAyB;AAAA,QAC7B,aAAa,QAAQ;AAAA,QACrB,MAAM,MAAM,QAAQ,KAAK;AAAA,QACzB,WAAW,CAAC,UAAU,QAAQ,UAAU,KAAK;AAAA,QAC7C,iBAAiB,CAAC,gBAAgB,QAAQ,gBAAgB,WAAW;AAAA,QACrE,OAAO,MAAM,QAAQ,MAAM;AAAA,MAC7B;AACA,aAAO,GAAG,GAAG;AAAA,IACf;AAAA,IACA;AAAA,EACF;AACF;","names":["tryKeychainBackend","keychain"]}

package/dist/agent-verifier/chunk-CO3BRUD6.mjs ADDED Viewed

@@ -0,0 +1,342 @@
+#!/usr/bin/env node
+import {
+  IS_PUBLISHED_BUILD,
+  withCredentialLock
+} from "./chunk-AXXUGU7Q.mjs";
+// src/auth/clerk-oauth.ts
+import crypto from "crypto";
+async function refreshClerkOAuthToken(input) {
+  const { clientId, tokenUrl } = assertConfigured(input.config);
+  const body = new URLSearchParams({
+    grant_type: "refresh_token",
+    client_id: clientId,
+    refresh_token: input.refreshToken
+  });
+  return requestClerkToken(tokenUrl, body);
+}
+function assertConfigured(config) {
+  const issuer = config.issuer?.trim().replace(/\/$/, "");
+  const clientId = config.clientId?.trim();
+  if (!issuer || !clientId) {
+    throw new Error(
+      [
+        "Clerk OAuth CLI is not configured for this environment.",
+        "The CLI expects first-party environments to be configured in its built-in registry.",
+        "If this environment has no registered public Clerk OAuth client, create one and release a CLI with its client id.",
+        "For emergency overrides, set the environment-specific DREAMBOARD_<ENV>_CLERK_OAUTH_* variables or DREAMBOARD_CLERK_OAUTH_*.",
+        "For local harness auth, use `pnpm auth:local` or the auto-bootstrapped local harness flows instead."
+      ].join(" ")
+    );
+  }
+  return {
+    issuer,
+    clientId,
+    tokenUrl: config.tokenUrl?.trim() || new URL("/oauth/token", issuer).toString(),
+    scope: config.scope?.trim() || void 0
+  };
+}
+async function requestClerkToken(tokenUrl, body) {
+  const response = await fetch(tokenUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json"
+    },
+    body
+  });
+  if (!response.ok) {
+    const detail = await response.text();
+    throw new Error(
+      `Clerk OAuth token request failed (${response.status}): ${detail}`
+    );
+  }
+  const payload = await response.json();
+  if (typeof payload.access_token !== "string") {
+    throw new Error("Clerk OAuth token response did not include access_token.");
+  }
+  if (typeof payload.refresh_token !== "string") {
+    throw new Error(
+      "Clerk OAuth token response did not include refresh_token."
+    );
+  }
+  const expiresAt = typeof payload.expires_in === "number" ? new Date(Date.now() + payload.expires_in * 1e3).toISOString() : void 0;
+  return {
+    accessToken: payload.access_token,
+    refreshToken: payload.refresh_token,
+    expiresAt,
+    tokenUrl
+  };
+}
+// src/auth/token-exchange.ts
+async function exchangeDreamboardUserToken(input) {
+  const fetchImpl = input.fetchImpl ?? globalThis.fetch.bind(globalThis);
+  const response = await fetchImpl(
+    new URL("/api/auth/token-exchange", input.apiBaseUrl),
+    {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${input.clerkAccessToken}`,
+        "Content-Type": "application/json",
+        Accept: "application/json"
+      },
+      body: JSON.stringify({ audience: input.audience })
+    }
+  );
+  if (!response.ok) {
+    throw new Error(
+      `Dreamboard token exchange failed (${response.status}). Run \`dreamboard login\` to authenticate again.`
+    );
+  }
+  const payload = await response.json();
+  if (typeof payload.accessToken !== "string" || payload.accessToken === "") {
+    throw new Error("Dreamboard token exchange response omitted accessToken.");
+  }
+  if (payload.tokenType !== "Bearer") {
+    throw new Error(
+      "Dreamboard token exchange response had invalid tokenType."
+    );
+  }
+  if (payload.audience !== input.audience) {
+    throw new Error("Dreamboard token exchange response had wrong audience.");
+  }
+  const expiresIn = typeof payload.expiresIn === "number" && Number.isFinite(payload.expiresIn) ? payload.expiresIn : void 0;
+  return {
+    accessToken: payload.accessToken,
+    tokenType: "Bearer",
+    audience: input.audience,
+    expiresIn,
+    expiresAt: expiresIn === void 0 ? void 0 : new Date(Date.now() + expiresIn * 1e3).toISOString()
+  };
+}
+// src/auth/user-token-manager.ts
+var TOKEN_REFRESH_WINDOW_MS = 60 * 1e3;
+function createUserTokenManager(config) {
+  return {
+    async resolveApiToken() {
+      const localOrInjected = resolveNonStoredToken(config, "dreamboard-api");
+      if (localOrInjected) return localOrInjected;
+      if (!usesStoredSession(config)) return null;
+      return withCredentialLock(async (ops) => {
+        const stored = await ops.read();
+        const apiToken = freshStoredApiToken(stored);
+        if (apiToken) return apiToken;
+        const clerk = await resolveFreshClerkAccessToken(config, stored);
+        const exchanged = await exchangeDreamboardUserToken({
+          apiBaseUrl: config.apiBaseUrl,
+          clerkAccessToken: clerk.accessToken,
+          audience: "dreamboard-api"
+        });
+        await ops.writeFull({
+          ...clerk,
+          dreamboardApiToken: exchanged.accessToken,
+          dreamboardApiExpiresAt: exchanged.expiresAt
+        });
+        return {
+          token: exchanged.accessToken,
+          expiresAt: exchanged.expiresAt,
+          audience: "dreamboard-api"
+        };
+      });
+    },
+    async resolveGitToken() {
+      const localOrInjected = resolveNonStoredToken(config, "dreamboard-git");
+      if (localOrInjected) return localOrInjected;
+      if (!usesStoredSession(config)) {
+        throw new Error(
+          "Missing Dreamboard session. Run `dreamboard login` to authenticate."
+        );
+      }
+      return withCredentialLock(async (ops) => {
+        const stored = await ops.read();
+        const clerk = await resolveFreshClerkAccessToken(config, stored);
+        const exchanged = await exchangeDreamboardUserToken({
+          apiBaseUrl: config.apiBaseUrl,
+          clerkAccessToken: clerk.accessToken,
+          audience: "dreamboard-git"
+        });
+        await ops.writeFull(clerk);
+        return {
+          token: exchanged.accessToken,
+          expiresAt: exchanged.expiresAt,
+          audience: "dreamboard-git"
+        };
+      });
+    }
+  };
+}
+function resolveNonStoredToken(config, audience) {
+  if (usesStoredSession(config)) return null;
+  if (!config.authToken) return null;
+  return {
+    token: config.authToken,
+    expiresAt: config.tokenExpiresAt,
+    audience
+  };
+}
+function freshStoredApiToken(stored) {
+  if (!stored?.dreamboardApiToken) return null;
+  if (isFresh(stored.dreamboardApiExpiresAt, stored.dreamboardApiToken)) {
+    return {
+      token: stored.dreamboardApiToken,
+      expiresAt: stored.dreamboardApiExpiresAt,
+      audience: "dreamboard-api"
+    };
+  }
+  return null;
+}
+async function resolveFreshClerkAccessToken(config, stored) {
+  const accessToken = stored?.accessToken ?? config.clerkAccessToken;
+  const refreshToken = stored?.refreshToken ?? config.refreshToken;
+  const tokenExpiresAt = stored?.tokenExpiresAt ?? config.clerkAccessExpiresAt;
+  if (!refreshToken) {
+    throw new Error(
+      "Stored Dreamboard session is missing its refresh token. Run `dreamboard login` to authenticate again."
+    );
+  }
+  if (accessToken && isFresh(tokenExpiresAt, accessToken)) {
+    return {
+      accessToken,
+      refreshToken,
+      tokenExpiresAt,
+      dreamboardApiToken: stored?.dreamboardApiToken,
+      dreamboardApiExpiresAt: stored?.dreamboardApiExpiresAt,
+      clerkOAuthIssuer: stored?.clerkOAuthIssuer ?? config.clerkOAuthIssuer,
+      clerkOAuthClientId: stored?.clerkOAuthClientId ?? config.clerkOAuthClientId,
+      clerkOAuthTokenUrl: stored?.clerkOAuthTokenUrl ?? config.clerkOAuthTokenUrl,
+      environment: stored?.environment ?? config.environment
+    };
+  }
+  const payload = await refreshClerkOAuthToken({
+    config: {
+      issuer: stored?.clerkOAuthIssuer ?? config.clerkOAuthIssuer,
+      clientId: stored?.clerkOAuthClientId ?? config.clerkOAuthClientId,
+      tokenUrl: stored?.clerkOAuthTokenUrl ?? config.clerkOAuthTokenUrl
+    },
+    refreshToken
+  });
+  return {
+    accessToken: payload.accessToken,
+    refreshToken: payload.refreshToken,
+    tokenExpiresAt: payload.expiresAt,
+    clerkOAuthIssuer: stored?.clerkOAuthIssuer ?? config.clerkOAuthIssuer,
+    clerkOAuthClientId: stored?.clerkOAuthClientId ?? config.clerkOAuthClientId,
+    clerkOAuthTokenUrl: payload.tokenUrl,
+    environment: stored?.environment ?? config.environment
+  };
+}
+function isFresh(expiresAt, token) {
+  const expiry = expiresAt ? new Date(expiresAt) : getJwtExpiry(token);
+  return expiry !== null && Number.isFinite(expiry.getTime()) && expiry.getTime() > Date.now() + TOKEN_REFRESH_WINDOW_MS;
+}
+function getJwtExpiry(accessToken) {
+  if (!accessToken) return null;
+  const parts = accessToken.split(".");
+  if (parts.length !== 3) return null;
+  try {
+    const payload = JSON.parse(
+      Buffer.from(parts[1], "base64url").toString("utf8")
+    );
+    if (typeof payload.exp !== "number" || !Number.isFinite(payload.exp)) {
+      return null;
+    }
+    return new Date(payload.exp * 1e3);
+  } catch {
+    return null;
+  }
+}
+function usesStoredSession(config) {
+  return config.refreshTokenSource === "global";
+}
+// src/config/local-harness-auth.ts
+import { createHmac, randomUUID } from "crypto";
+var DEFAULT_SUBJECT = "harness-smoke-local@dreamboard.local";
+var DEFAULT_ISSUER = "dreamboard-local-harness";
+var DEFAULT_SECRET = "dreamboard-local-harness-token-secret";
+var LOCAL_AWS_ISSUER = "dreamboard-local-aws-harness";
+var LOCAL_AWS_SECRET = "dreamboard-local-aws-harness-token-secret";
+var DEFAULT_TTL_SECONDS = 8 * 60 * 60;
+var mintedTokens = /* @__PURE__ */ new Map();
+function resolveLocalHarnessAccessToken(config) {
+  if (IS_PUBLISHED_BUILD || config.environment !== "local") {
+    return void 0;
+  }
+  const profile = inferLocalHarnessProfile(config);
+  if (config.authToken && (profile !== "local-aws" || isExplicitTokenSource(config.authTokenSource))) {
+    return void 0;
+  }
+  const cacheKey = [
+    profile,
+    process.env.LOCAL_HARNESS_TOKEN_ISSUER ?? "",
+    process.env.LOCAL_HARNESS_TOKEN_SECRET ?? "",
+    process.env.LOCAL_HARNESS_SUBJECT ?? "",
+    process.env.HARNESS_USER_EMAIL ?? "",
+    process.env.LOCAL_HARNESS_EMAIL ?? "",
+    process.env.LOCAL_HARNESS_TOKEN_TTL_SECONDS ?? ""
+  ].join("\0");
+  const cached = mintedTokens.get(cacheKey);
+  if (cached) return cached;
+  const token = mintLocalHarnessToken(profile);
+  mintedTokens.set(cacheKey, token);
+  return token;
+}
+function isExplicitTokenSource(source) {
+  return source === "flag" || source === "env" || source === "agent-env";
+}
+function inferLocalHarnessProfile(config) {
+  return isLocalAwsUrl(config.apiBaseUrl) || isLocalAwsUrl(config.webBaseUrl) ? "local-aws" : "local";
+}
+function mintLocalHarnessToken(profile) {
+  const subject = envValue(process.env.LOCAL_HARNESS_SUBJECT) ?? envValue(process.env.HARNESS_USER_EMAIL) ?? DEFAULT_SUBJECT;
+  const email = envValue(process.env.LOCAL_HARNESS_EMAIL) ?? (subject.includes("@") ? subject : void 0);
+  const issuer = envValue(process.env.LOCAL_HARNESS_TOKEN_ISSUER) ?? (profile === "local-aws" ? LOCAL_AWS_ISSUER : DEFAULT_ISSUER);
+  const secret = envValue(process.env.LOCAL_HARNESS_TOKEN_SECRET) ?? (profile === "local-aws" ? LOCAL_AWS_SECRET : DEFAULT_SECRET);
+  const ttlSeconds = Number(
+    envValue(process.env.LOCAL_HARNESS_TOKEN_TTL_SECONDS) ?? String(DEFAULT_TTL_SECONDS)
+  );
+  if (!Number.isFinite(ttlSeconds) || ttlSeconds <= 0) {
+    throw new Error(
+      "LOCAL_HARNESS_TOKEN_TTL_SECONDS must be a positive number."
+    );
+  }
+  const now = Math.floor(Date.now() / 1e3);
+  const payload = {
+    typ: "local_harness_access",
+    dreamboard_provider: "local-harness",
+    dreamboard_provider_subject: subject,
+    ...email ? { email } : {},
+    iss: issuer,
+    sub: subject,
+    iat: now,
+    exp: now + Math.floor(ttlSeconds),
+    jti: randomUUID()
+  };
+  const headerPart = base64UrlJson({ alg: "HS256", typ: "JWT" });
+  const payloadPart = base64UrlJson(payload);
+  const signature = createHmac("sha256", secret).update(`${headerPart}.${payloadPart}`).digest("base64url");
+  return `${headerPart}.${payloadPart}.${signature}`;
+}
+function base64UrlJson(value) {
+  return Buffer.from(JSON.stringify(value), "utf8").toString("base64url");
+}
+function envValue(raw) {
+  return typeof raw === "string" && raw.trim().length > 0 ? raw.trim() : void 0;
+}
+function isLocalAwsUrl(rawUrl) {
+  if (!rawUrl) return false;
+  try {
+    const url = new URL(rawUrl);
+    return (url.hostname === "localhost" || url.hostname === "127.0.0.1") && (url.port === "18080" || url.port === "8088");
+  } catch {
+    return false;
+  }
+}
+export {
+  createUserTokenManager,
+  resolveLocalHarnessAccessToken
+};
+//# sourceMappingURL=chunk-CO3BRUD6.mjs.map