@elf5/periscope 1.0.64

package/dist/index.js

@@ -0,0 +1,4976 @@
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// src/lib/readline-instance.ts
+import * as readline from "readline";
+import chalk2 from "chalk";
+function getReadlineInterface() {
+  if (!readlineInstance) {
+    initializeReadline();
+  }
+  return readlineInstance;
+}
+function initializeReadline(isInteractive = false, completer) {
+  if (readlineInstance) {
+    return;
+  }
+  readlineInstance = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout,
+    prompt: isInteractive ? chalk2.cyan("periscope> ") : void 0,
+    completer
+  });
+}
+function closeReadline() {
+  if (readlineInstance) {
+    readlineInstance.close();
+    readlineInstance = null;
+  }
+}
+function isReadlineActive() {
+  return readlineInstance !== null;
+}
+var readlineInstance;
+var init_readline_instance = __esm({
+  "src/lib/readline-instance.ts"() {
+    "use strict";
+    readlineInstance = null;
+  }
+});
+
+// src/lib/telemetry.ts
+var telemetry_exports = {};
+__export(telemetry_exports, {
+  flushTelemetry: () => flushTelemetry,
+  initTelemetry: () => initTelemetry,
+  setUserContext: () => setUserContext,
+  shutdownTelemetry: () => shutdownTelemetry,
+  trackEvent: () => trackEvent,
+  trackException: () => trackException
+});
+import * as os2 from "os";
+import * as fs6 from "fs";
+import * as path5 from "path";
+import { fileURLToPath } from "url";
+function getCliVersion() {
+  try {
+    const __dirname = path5.dirname(fileURLToPath(import.meta.url));
+    const pkg = JSON.parse(
+      fs6.readFileSync(path5.join(__dirname, "..", "..", "package.json"), "utf-8")
+    );
+    return pkg.version ?? "unknown";
+  } catch {
+    return "unknown";
+  }
+}
+async function initTelemetry(connectionString) {
+  if (initialized) return false;
+  if (!connectionString) return false;
+  try {
+    process.env.OTEL_SERVICE_NAME = "periscope-cli";
+    const appInsights = await import("applicationinsights");
+    appInsights.default.setup(connectionString).setAutoCollectRequests(false).setAutoCollectPerformance(false, false).setAutoCollectExceptions(false).setAutoCollectDependencies(true).setAutoCollectConsole(false).setAutoCollectPreAggregatedMetrics(false).setUseDiskRetryCaching(false).start();
+    client2 = appInsights.default.defaultClient;
+    if (client2) {
+      const version = getCliVersion();
+      client2.commonProperties = {
+        cliVersion: version,
+        nodeVersion: process.version,
+        platform: os2.platform(),
+        arch: os2.arch()
+      };
+      initialized = true;
+      return true;
+    }
+  } catch {
+    client2 = null;
+  }
+  return false;
+}
+function trackException(error, properties) {
+  if (!client2) return;
+  const exception = error instanceof Error ? error : new Error(String(error));
+  const enriched = userEmail ? { email: userEmail, ...properties } : properties;
+  client2.trackException({
+    exception,
+    properties: enriched
+  });
+}
+function trackEvent(name, properties) {
+  if (!client2) return;
+  const enriched = userEmail ? { email: userEmail, ...properties } : properties;
+  client2.trackEvent({ name, properties: enriched });
+}
+function setUserContext(email) {
+  if (email) {
+    userEmail = email;
+  }
+}
+async function flushTelemetry() {
+  if (!client2) return;
+  try {
+    await Promise.race([
+      client2.flush(),
+      new Promise((resolve) => setTimeout(resolve, 5e3))
+    ]);
+  } catch {
+  }
+}
+async function shutdownTelemetry() {
+  await flushTelemetry();
+  if (client2) {
+    try {
+      const appInsights = await import("applicationinsights");
+      appInsights.dispose();
+    } catch {
+    }
+    client2 = null;
+    initialized = false;
+    userEmail = null;
+  }
+}
+var client2, initialized, userEmail;
+var init_telemetry = __esm({
+  "src/lib/telemetry.ts"() {
+    "use strict";
+    client2 = null;
+    initialized = false;
+    userEmail = null;
+  }
+});
+
+// src/lib/process-lifecycle.ts
+var process_lifecycle_exports = {};
+__export(process_lifecycle_exports, {
+  gracefulExit: () => gracefulExit
+});
+async function gracefulExit(code = 0) {
+  await shutdownTelemetry();
+  closeReadline();
+  process.exit(code);
+}
+var init_process_lifecycle = __esm({
+  "src/lib/process-lifecycle.ts"() {
+    "use strict";
+    init_readline_instance();
+    init_telemetry();
+  }
+});
+
+// package.json
+var package_exports = {};
+__export(package_exports, {
+  default: () => package_default
+});
+var package_default;
+var init_package = __esm({
+  "package.json"() {
+    package_default = {
+      name: "@elf5/periscope",
+      version: "1.0.64",
+      description: "CLI client for Periscope SSH tunnel server",
+      main: "dist/index.js",
+      types: "dist/index.d.ts",
+      bin: {
+        periscope: "./dist/cli.js"
+      },
+      scripts: {
+        build: "node scripts/build.mjs",
+        "build:tsc": "tsc",
+        dev: "tsc --watch",
+        clean: "rimraf dist",
+        prepublishOnly: "npm run clean && npm run build",
+        start: "node dist/cli.js",
+        cli: "npm run build && node dist/cli.js",
+        test: "npm run test:unit && npm run test:offline",
+        "test:watch": "vitest --config vitest.config.unit.js",
+        "test:ui": "vitest --ui --config vitest.config.unit.js",
+        "test:unit": "vitest run --coverage --config vitest.config.unit.js",
+        "test:offline": "vitest run --config vitest.config.integration.js",
+        "test:e2e": "vitest run --config vitest.config.e2e.js",
+        "test:ci": "npm run test && npm run test:e2e",
+        format: "prettier --write src/**/*.ts",
+        "format:check": "prettier --check src/**/*.ts",
+        lint: "eslint src",
+        "lint:fix": "eslint src --fix",
+        "test-server": "npx tsx src/__tests__/e2e/test-server.ts",
+        prepare: "husky"
+      },
+      keywords: [
+        "ssh",
+        "tunnel",
+        "cli",
+        "periscope",
+        "port-forwarding"
+      ],
+      author: "Elf 5",
+      type: "module",
+      license: "MIT",
+      repository: {
+        type: "git",
+        url: "https://github.com/elf-5/periscope-client-npm.git"
+      },
+      bugs: {
+        url: "https://github.com/elf-5/periscope-client-npm/issues"
+      },
+      homepage: "https://github.com/elf-5/periscope-client-npm#readme",
+      engines: {
+        node: ">=22.0.0"
+      },
+      files: [
+        "dist",
+        "README.md",
+        "LICENSE"
+      ],
+      overrides: {
+        glob: "^11.0.0",
+        uuid: "^10.0.0"
+      },
+      dependencies: {
+        "@azure/msal-node": "^2.6.6",
+        "@microsoft/dev-tunnels-connections": "^1.2.1",
+        "@microsoft/dev-tunnels-contracts": "^1.2.1",
+        "@microsoft/dev-tunnels-management": "^1.2.1",
+        "@microsoft/dev-tunnels-ssh": "^3.12.5",
+        "@microsoft/dev-tunnels-ssh-keys": "^3.12.5",
+        "@microsoft/dev-tunnels-ssh-tcp": "^3.12.5",
+        applicationinsights: "^3.13.0",
+        axios: "^1.7.2",
+        chalk: "^5.3.0",
+        commander: "^12.0.0",
+        dotenv: "^16.4.5",
+        open: "^10.0.3",
+        "openid-client": "^6.8.2"
+      },
+      "lint-staged": {
+        "*.ts": [
+          "prettier --write",
+          "eslint --fix"
+        ]
+      },
+      devDependencies: {
+        "@elf-5/periscope-api-client": "^1.0.129",
+        "@types/node": "^20.14.0",
+        "@typescript-eslint/eslint-plugin": "^8.41.0",
+        "@typescript-eslint/parser": "^8.41.0",
+        "@vitest/coverage-v8": "^3.2.4",
+        "@vitest/ui": "^3.2.4",
+        esbuild: "^0.27.3",
+        eslint: "^9.34.0",
+        "eslint-config-prettier": "^10.1.8",
+        globals: "^16.3.0",
+        husky: "^9.1.7",
+        "lint-staged": "^16.2.7",
+        prettier: "^3.8.1",
+        rimraf: "^6.0.0",
+        tsx: "^4.21.0",
+        typescript: "^5.4.5",
+        vitest: "^3.2.4",
+        "yocto-queue": "^1.2.1"
+      }
+    };
+  }
+});
+
+// src/lib/msal-auth-manager.ts
+import {
+  PublicClientApplication,
+  LogLevel
+} from "@azure/msal-node";
+import * as fs3 from "fs";
+import * as path3 from "path";
+import * as http2 from "http";
+import * as crypto from "crypto";
+import open2 from "open";
+
+// src/lib/logger.ts
+import chalk from "chalk";
+import { createRequire } from "module";
+var Logger = class _Logger {
+  config;
+  constructor(config2 = { level: 2 /* INFO */ }) {
+    this.config = config2;
+  }
+  /**
+   * Set the current log level
+   */
+  setLevel(level) {
+    this.config.level = level;
+  }
+  /**
+   * Get the current log level
+   */
+  getLevel() {
+    return this.config.level;
+  }
+  /**
+   * Check if a log level should be output
+   */
+  shouldLog(level) {
+    return level <= this.config.level;
+  }
+  /**
+   * Format an argument for logging
+   * Stack traces are only included at DEBUG level or higher
+   */
+  formatArg(arg) {
+    if (arg instanceof Error) {
+      if (this.shouldLog(3 /* DEBUG */) && arg.stack) {
+        return `${arg.message}
+${arg.stack}`;
+      }
+      return arg.message;
+    } else if (typeof arg === "object" && arg !== null) {
+      try {
+        return JSON.stringify(arg);
+      } catch {
+        return String(arg);
+      }
+    } else {
+      return String(arg);
+    }
+  }
+  /**
+   * Format the log message with optional timestamp and prefix
+   */
+  formatMessage(level, message, ...args) {
+    let formatted = message;
+    if (args.length > 0) {
+      formatted = message + " " + args.map((arg) => this.formatArg(arg)).join(" ");
+    }
+    if (this.config.timestamp) {
+      const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+      formatted = `[${timestamp}] ${formatted}`;
+    }
+    if (this.config.prefix) {
+      formatted = `[${this.config.prefix}] ${formatted}`;
+    }
+    return formatted;
+  }
+  /**
+   * Error level logging (always shown unless level is below ERROR)
+   */
+  error(message, ...args) {
+    if (this.shouldLog(0 /* ERROR */)) {
+      const formatted = this.formatMessage(0 /* ERROR */, message, ...args);
+      console.error(chalk.red("\u274C " + formatted));
+    }
+  }
+  /**
+   * Warning level logging
+   */
+  warn(message, ...args) {
+    if (this.shouldLog(1 /* WARN */)) {
+      const formatted = this.formatMessage(1 /* WARN */, message, ...args);
+      console.warn(chalk.yellow("\u26A0\uFE0F  " + formatted));
+    }
+  }
+  /**
+   * Info level logging (user-facing information)
+   */
+  info(message, ...args) {
+    if (this.shouldLog(2 /* INFO */)) {
+      const formatted = this.formatMessage(2 /* INFO */, message, ...args);
+      console.log(chalk.cyan("\u2139\uFE0F  " + formatted));
+    }
+  }
+  /**
+   * Success logging (special case of info)
+   */
+  success(message, ...args) {
+    if (this.shouldLog(2 /* INFO */)) {
+      const formatted = this.formatMessage(2 /* INFO */, message, ...args);
+      console.log(chalk.green("\u2705 " + formatted));
+    }
+  }
+  /**
+   * Debug level logging (internal operations, verbose)
+   */
+  debug(message, ...args) {
+    if (this.shouldLog(3 /* DEBUG */)) {
+      const formatted = this.formatMessage(3 /* DEBUG */, message, ...args);
+      console.log(chalk.gray("\u{1F50D} " + formatted));
+    }
+  }
+  /**
+   * Trace level logging (very detailed, internal state)
+   */
+  trace(message, ...args) {
+    if (this.shouldLog(4 /* TRACE */)) {
+      const formatted = this.formatMessage(4 /* TRACE */, message, ...args);
+      console.log(chalk.dim("\u{1F52C} " + formatted));
+    }
+  }
+  /**
+   * Raw output without formatting (for CLI output that shouldn't be logged)
+   */
+  raw(message, ...args) {
+    if (args.length > 0) {
+      console.log(message, ...args);
+    } else {
+      console.log(message);
+    }
+  }
+  /**
+   * Print a blank line without any icon or prefix.
+   */
+  blank() {
+    console.log("");
+  }
+  /**
+   * Print a section header: blank line + bold text, no icon.
+   * Use instead of log.info('\nSection Title:') for section headings.
+   */
+  header(text) {
+    console.log("");
+    console.log(chalk.bold(text));
+  }
+  /**
+   * Print a horizontal separator line without any icon or prefix.
+   */
+  separator(length = 40) {
+    console.log("\u2500".repeat(length));
+  }
+  /**
+   * Create a child logger with additional prefix
+   */
+  child(prefix) {
+    const childPrefix = this.config.prefix ? `${this.config.prefix}:${prefix}` : prefix;
+    return new _Logger({
+      ...this.config,
+      prefix: childPrefix
+    });
+  }
+};
+var globalLogger = null;
+function getLogger() {
+  if (!globalLogger) {
+    const logLevel = getLogLevelFromEnv();
+    globalLogger = new Logger({
+      level: logLevel,
+      timestamp: false
+      // Disable timestamps by default for CLI
+    });
+  }
+  return globalLogger;
+}
+function getLogLevelFromEnv() {
+  let envLevel = process.env.PERISCOPE_LOG_LEVEL?.toUpperCase();
+  if (!envLevel) {
+    try {
+      const require2 = createRequire(import.meta.url);
+      const { ConfigManager: ConfigManager2 } = require2("./config-manager.js");
+      const config2 = ConfigManager2.load();
+      envLevel = config2.logLevel?.toUpperCase();
+    } catch {
+    }
+  }
+  switch (envLevel) {
+    case "ERROR":
+      return 0 /* ERROR */;
+    case "WARN":
+    case "WARNING":
+      return 1 /* WARN */;
+    case "INFO":
+      return 2 /* INFO */;
+    case "DEBUG":
+      return 3 /* DEBUG */;
+    case "TRACE":
+      return 4 /* TRACE */;
+    default:
+      return 2 /* INFO */;
+  }
+}
+var log = {
+  error: (message, ...args) => getLogger().error(message, ...args),
+  warn: (message, ...args) => getLogger().warn(message, ...args),
+  info: (message, ...args) => getLogger().info(message, ...args),
+  success: (message, ...args) => getLogger().success(message, ...args),
+  debug: (message, ...args) => getLogger().debug(message, ...args),
+  trace: (message, ...args) => getLogger().trace(message, ...args),
+  raw: (message, ...args) => getLogger().raw(message, ...args),
+  blank: () => getLogger().blank(),
+  header: (text) => getLogger().header(text),
+  separator: (length) => getLogger().separator(length)
+};
+
+// src/lib/cache-utils.ts
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+var CACHE_SUBDIR = ".periscope";
+function getCacheDir() {
+  return path.join(os.homedir(), CACHE_SUBDIR);
+}
+function ensureCacheDir() {
+  const cacheDir = getCacheDir();
+  if (!fs.existsSync(cacheDir)) {
+    fs.mkdirSync(cacheDir, { recursive: true });
+  }
+}
+function writeSecureFile(filePath, data) {
+  ensureCacheDir();
+  fs.writeFileSync(filePath, data, { mode: 384 });
+}
+
+// src/lib/msal-cache-plugin.ts
+import * as fs2 from "fs";
+import * as path2 from "path";
+var MSAL_CACHE_FILE = "msal-cache.json";
+function getMsalCacheFilePath() {
+  return path2.join(getCacheDir(), MSAL_CACHE_FILE);
+}
+function createMsalCachePlugin() {
+  return {
+    async beforeCacheAccess(cacheContext) {
+      const cachePath = getMsalCacheFilePath();
+      try {
+        if (fs2.existsSync(cachePath)) {
+          const data = fs2.readFileSync(cachePath, "utf-8");
+          cacheContext.tokenCache.deserialize(data);
+        }
+      } catch (error) {
+        log.debug("Failed to read MSAL cache from disk:", error);
+      }
+    },
+    async afterCacheAccess(cacheContext) {
+      if (cacheContext.cacheHasChanged) {
+        try {
+          const cachePath = getMsalCacheFilePath();
+          const data = cacheContext.tokenCache.serialize();
+          writeSecureFile(cachePath, data);
+        } catch (error) {
+          log.error("Failed to write MSAL cache to disk:", error);
+        }
+      }
+    }
+  };
+}
+function clearMsalCache() {
+  try {
+    const cachePath = getMsalCacheFilePath();
+    if (fs2.existsSync(cachePath)) {
+      fs2.unlinkSync(cachePath);
+    }
+  } catch (error) {
+    log.error("Failed to clear MSAL cache:", error);
+  }
+}
+
+// src/lib/auth-callback-server.ts
+import * as http from "http";
+import open from "open";
+function escapeHtml(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
+function listenForAuthCode(port, authUrl, expectedState) {
+  return new Promise((resolve, reject) => {
+    let timeoutHandle;
+    const done = (result) => {
+      clearTimeout(timeoutHandle);
+      server.close();
+      resolve(result);
+    };
+    const server = http.createServer((req, res) => {
+      const url = new URL(req.url || "", `http://localhost:${port}`);
+      const code = url.searchParams.get("code");
+      const error = url.searchParams.get("error");
+      if (error) {
+        const safeError = escapeHtml(error);
+        const safeDesc = escapeHtml(
+          url.searchParams.get("error_description") || ""
+        );
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end(`
+          <html>
+            <body style="font-family: system-ui; text-align: center; padding: 50px;">
+              <h1>Authentication Failed</h1>
+              <p>Error: ${safeError}</p>
+              <p>${safeDesc}</p>
+              <p>You can close this window.</p>
+            </body>
+          </html>
+        `);
+        done(null);
+        return;
+      }
+      if (code) {
+        const callbackState = url.searchParams.get("state");
+        if (expectedState && callbackState !== expectedState) {
+          log.debug(
+            `Ignoring stale callback (state mismatch: expected ${expectedState.slice(0, 8)}\u2026, got ${callbackState?.slice(0, 8)}\u2026)`
+          );
+          const safeLocation2 = authUrl.replace(/[\r\n]/g, "");
+          res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+          res.end(`
+            <html>
+              <head>
+                <meta charset="UTF-8">
+                <title>Authentication - Retry</title>
+              </head>
+              <body style="font-family: system-ui; text-align: center; padding: 50px;">
+                <h1>Session Expired</h1>
+                <p>This callback was from a previous login attempt. Redirecting...</p>
+                <script>window.location.href = ${JSON.stringify(safeLocation2)};</script>
+              </body>
+            </html>
+          `);
+          return;
+        }
+        res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+        res.end(`
+          <html>
+            <head>
+              <meta charset="UTF-8">
+              <title>Authentication Successful</title>
+            </head>
+            <body style="font-family: system-ui; text-align: center; padding: 50px;">
+              <h1>&#x2713; Authentication Successful</h1>
+              <p>You can close this window and return to the terminal.</p>
+              <script>window.setTimeout(() => window.close(), 2000);</script>
+            </body>
+          </html>
+        `);
+        done({ code, fullPath: url.pathname + url.search });
+        return;
+      }
+      const safeLocation = authUrl.replace(/[\r\n]/g, "");
+      res.writeHead(302, { Location: safeLocation });
+      res.end();
+    });
+    server.on("error", (err) => {
+      clearTimeout(timeoutHandle);
+      server.close();
+      if (err.code === "EADDRINUSE") {
+        reject(
+          new Error(
+            `Port ${port} is already in use. Another authentication flow may be in progress.`
+          )
+        );
+      } else {
+        log.warn(`Auth callback server error: ${err.message}`);
+        resolve(null);
+      }
+    });
+    server.listen(port, "127.0.0.1", () => {
+      log.blank();
+      log.info("Opening browser for authentication...");
+      log.info("If the browser doesn't open automatically, visit:");
+      log.info(`  http://localhost:${port}`);
+      log.blank();
+      open(authUrl).catch(() => {
+        log.warn(
+          "Failed to open browser automatically. Please open the URL manually."
+        );
+      });
+    });
+    timeoutHandle = setTimeout(() => done(null), 5 * 60 * 1e3);
+  });
+}
+
+// src/lib/auth-types.ts
+var TOKEN_EXPIRY_BUFFER_MS = 6e4;
+function isTokenExpired(expiresAt) {
+  return expiresAt <= new Date(Date.now() + TOKEN_EXPIRY_BUFFER_MS);
+}
+
+// src/lib/msal-auth-manager.ts
+var MsalAuthManager = class _MsalAuthManager {
+  static TOKEN_CACHE_FILE = "token-cache.json";
+  msalApp = null;
+  config = null;
+  constructor(config2) {
+    if (config2) {
+      this.config = config2;
+      this.initializeMSAL();
+    }
+  }
+  initializeMSAL() {
+    if (!this.config) {
+      throw new Error("MSAL configuration is required");
+    }
+    const msalConfig = {
+      auth: {
+        clientId: this.config.clientId,
+        authority: this.config.authority,
+        // B2C requires knownAuthorities to include the B2C login domain
+        knownAuthorities: _MsalAuthManager.extractKnownAuthorities(
+          this.config.authority
+        )
+      },
+      cache: {
+        cachePlugin: createMsalCachePlugin()
+      },
+      system: {
+        loggerOptions: {
+          loggerCallback(loglevel, message) {
+            if (loglevel === LogLevel.Error) {
+              log.error("MSAL Error:", message);
+            }
+          },
+          piiLoggingEnabled: false,
+          logLevel: LogLevel.Error
+        }
+      }
+    };
+    this.msalApp = new PublicClientApplication(msalConfig);
+  }
+  /**
+   * Extract knownAuthorities from an authority URL for non-standard authority domains.
+   * B2C (*.b2clogin.com) and Entra External ID (*.ciamlogin.com) must be listed in knownAuthorities.
+   */
+  static extractKnownAuthorities(authority) {
+    try {
+      const url = new URL(authority);
+      if (url.hostname.includes(".b2clogin.com") || url.hostname.includes(".ciamlogin.com")) {
+        return [url.hostname];
+      }
+    } catch {
+    }
+    return [];
+  }
+  /**
+   * Authenticate user using device code flow
+   * This will display a device code and open the browser for authentication
+   */
+  async authenticate() {
+    if (!this.msalApp || !this.config) {
+      throw new Error(
+        "MSAL not initialized. Please configure authentication first."
+      );
+    }
+    try {
+      const cachedToken = this.getCachedToken();
+      if (cachedToken && !isTokenExpired(cachedToken.expiresOn)) {
+        return cachedToken;
+      }
+      const deviceCodeRequest = {
+        scopes: this.config.scopes,
+        deviceCodeCallback: (response2) => {
+          log.blank();
+          log.info("To authenticate, use a web browser to open the page:");
+          log.info(`  ${response2.verificationUri}`);
+          log.blank();
+          log.info("And enter the code:");
+          log.info(`  ${response2.userCode}`);
+          log.blank();
+          log.info("Opening browser automatically...");
+          log.blank();
+          open2(response2.verificationUri).catch(() => {
+            log.warn(
+              "Failed to open browser automatically. Please open the URL manually."
+            );
+          });
+        }
+      };
+      const response = await this.msalApp.acquireTokenByDeviceCode(deviceCodeRequest);
+      if (!response) {
+        throw new Error("Failed to acquire authentication token");
+      }
+      const authToken = {
+        accessToken: response.accessToken,
+        expiresOn: response.expiresOn || new Date(Date.now() + 36e5)
+        // Default 1 hour
+        // Note: MSAL node may not provide refresh token in all flows
+      };
+      this.cacheToken(authToken);
+      return authToken;
+    } catch (error) {
+      throw new Error(
+        `Authentication failed: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
+    }
+  }
+  /**
+   * Authenticate user using interactive browser flow with prompt control
+   * This opens the system browser for authentication and handles the redirect
+   */
+  async authenticateInteractive(prompt = "select_account") {
+    if (!this.msalApp || !this.config) {
+      throw new Error(
+        "MSAL not initialized. Please configure authentication first."
+      );
+    }
+    try {
+      if (prompt === "none") {
+        try {
+          const accounts = await this.msalApp.getAllAccounts();
+          if (accounts && accounts.length > 0) {
+            const silentRequest = {
+              scopes: this.config.scopes,
+              account: accounts[0]
+              // Use the first available account
+            };
+            const silentResponse = await this.msalApp.acquireTokenSilent(silentRequest);
+            if (silentResponse) {
+              const authToken2 = {
+                accessToken: silentResponse.accessToken,
+                expiresOn: silentResponse.expiresOn || new Date(Date.now() + 36e5)
+              };
+              this.cacheToken(authToken2);
+              return authToken2;
+            }
+          }
+        } catch {
+          throw new Error(
+            "Silent authentication failed. User interaction required."
+          );
+        }
+      }
+      log.info(
+        `
+Starting browser authentication with prompt behavior: ${prompt}`
+      );
+      const redirectPort = await this.getAvailablePort();
+      const redirectUri = `http://localhost:${redirectPort}`;
+      const pkceCodes = {
+        challenge: "",
+        verifier: ""
+      };
+      pkceCodes.verifier = crypto.randomBytes(32).toString("base64url");
+      pkceCodes.challenge = crypto.createHash("sha256").update(pkceCodes.verifier).digest("base64url");
+      const authCodeUrlParameters = {
+        scopes: this.config.scopes,
+        redirectUri,
+        codeChallenge: pkceCodes.challenge,
+        codeChallengeMethod: "S256",
+        prompt,
+        // MSAL expects specific prompt values
+        responseMode: "query"
+      };
+      const authCodeUrl = await this.msalApp.getAuthCodeUrl(
+        authCodeUrlParameters
+      );
+      const result = await listenForAuthCode(redirectPort, authCodeUrl);
+      if (!result) {
+        throw new Error("Failed to receive authorization code");
+      }
+      const tokenRequest = {
+        code: result.code,
+        scopes: this.config.scopes,
+        redirectUri,
+        codeVerifier: pkceCodes.verifier
+      };
+      const response = await this.msalApp.acquireTokenByCode(tokenRequest);
+      if (!response) {
+        throw new Error("Failed to acquire authentication token");
+      }
+      const authToken = {
+        accessToken: response.accessToken,
+        expiresOn: response.expiresOn || new Date(Date.now() + 36e5)
+      };
+      this.cacheToken(authToken);
+      return authToken;
+    } catch (error) {
+      throw new Error(
+        `Browser authentication failed: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
+    }
+  }
+  /**
+   * Get an available port for the redirect server
+   */
+  async getAvailablePort() {
+    return new Promise((resolve) => {
+      const server = http2.createServer();
+      server.listen(0, "127.0.0.1", () => {
+        const address = server.address();
+        const port = address && typeof address !== "string" ? address.port : 3e3;
+        server.close(() => resolve(port));
+      });
+    });
+  }
+  /**
+   * Try to get a valid token without user interaction.
+   * Checks the simple cache first, then attempts MSAL silent refresh.
+   * Returns null if no valid token is available.
+   */
+  async tryGetValidTokenSilently() {
+    const cachedToken = this.getCachedToken();
+    if (cachedToken && !isTokenExpired(cachedToken.expiresOn)) {
+      const ttlMin = Math.round(
+        (cachedToken.expiresOn.getTime() - Date.now()) / 6e4
+      );
+      log.debug(`Using cached MSAL token (expires in ${ttlMin}m)`);
+      return cachedToken.accessToken;
+    }
+    if (this.msalApp && this.config) {
+      try {
+        const accounts = await this.msalApp.getAllAccounts();
+        if (accounts.length > 0) {
+          log.debug("Attempting silent token refresh...");
+          const silentResult = await this.msalApp.acquireTokenSilent({
+            account: accounts[0],
+            scopes: this.config.scopes
+          });
+          if (silentResult) {
+            const refreshedToken = {
+              accessToken: silentResult.accessToken,
+              expiresOn: silentResult.expiresOn || new Date(Date.now() + 36e5)
+            };
+            this.cacheToken(refreshedToken);
+            const ttlMin = Math.round(
+              (refreshedToken.expiresOn.getTime() - Date.now()) / 6e4
+            );
+            log.debug(`Token silently refreshed (expires in ${ttlMin}m)`);
+            return refreshedToken.accessToken;
+          }
+        }
+      } catch (error) {
+        log.debug(
+          "Silent token refresh failed, falling back to interactive auth:",
+          error
+        );
+      }
+    }
+    return null;
+  }
+  /**
+   * Get a valid access token, refreshing if necessary
+   */
+  async getValidToken() {
+    const token = await this.tryGetValidTokenSilently();
+    if (token) {
+      return token;
+    }
+    const newToken = await this.authenticate();
+    return newToken.accessToken;
+  }
+  /**
+   * Check if user is currently authenticated with a valid token
+   */
+  isAuthenticated() {
+    const cachedToken = this.getCachedToken();
+    return cachedToken !== null && !isTokenExpired(cachedToken.expiresOn);
+  }
+  /**
+   * Clear all cached authentication data
+   */
+  logout() {
+    try {
+      const tokenCachePath = this.getTokenCachePath();
+      if (fs3.existsSync(tokenCachePath)) {
+        fs3.unlinkSync(tokenCachePath);
+      }
+    } catch (error) {
+      log.error("Error clearing token cache during logout:", error);
+    }
+    clearMsalCache();
+  }
+  getCachedToken() {
+    try {
+      const tokenCachePath = this.getTokenCachePath();
+      if (fs3.existsSync(tokenCachePath)) {
+        const content = fs3.readFileSync(tokenCachePath, "utf-8");
+        const data = JSON.parse(content);
+        return {
+          accessToken: data.accessToken,
+          expiresOn: new Date(data.expiresOn),
+          refreshToken: data.refreshToken
+        };
+      }
+    } catch (error) {
+      log.debug("Failed to load cached token:", error);
+    }
+    return null;
+  }
+  cacheToken(token) {
+    try {
+      const tokenCachePath = this.getTokenCachePath();
+      const tokenData = {
+        accessToken: token.accessToken,
+        expiresOn: token.expiresOn.toISOString(),
+        refreshToken: token.refreshToken
+      };
+      writeSecureFile(tokenCachePath, JSON.stringify(tokenData, null, 2));
+    } catch (error) {
+      log.error("Failed to cache token:", error);
+    }
+  }
+  getTokenCachePath() {
+    return path3.join(getCacheDir(), _MsalAuthManager.TOKEN_CACHE_FILE);
+  }
+};
+
+// src/lib/auth0-auth-manager.ts
+import * as client from "openid-client";
+import * as fs4 from "fs";
+import * as path4 from "path";
+import open3 from "open";
+var Auth0AuthManager = class _Auth0AuthManager {
+  static TOKEN_CACHE_FILE = "auth0-token-cache.json";
+  static REDIRECT_PORT = 19836;
+  oidcConfig = null;
+  config = null;
+  constructor(config2) {
+    if (config2) {
+      this.config = config2;
+    }
+  }
+  /**
+   * Discover OIDC endpoints and initialize the openid-client Configuration.
+   * Lazy-loaded on first use.
+   */
+  async ensureOidcConfig() {
+    if (this.oidcConfig) return this.oidcConfig;
+    if (!this.config) {
+      throw new Error("Auth0 configuration is required");
+    }
+    const serverUrl = new URL(this.config.authority);
+    this.oidcConfig = await client.discovery(
+      serverUrl,
+      this.config.clientId,
+      void 0,
+      client.None()
+    );
+    return this.oidcConfig;
+  }
+  /**
+   * Authenticate using the device code flow (RFC 8628).
+   * Displays a code + URL, opens the browser, and polls for completion.
+   */
+  async authenticate() {
+    const oidcConfig = await this.ensureOidcConfig();
+    const parameters = {
+      scope: this.getScopes()
+    };
+    if (this.config?.audience) {
+      parameters.audience = this.config.audience;
+    }
+    const deviceResponse = await client.initiateDeviceAuthorization(
+      oidcConfig,
+      parameters
+    );
+    const verificationUrl = deviceResponse.verification_uri_complete || deviceResponse.verification_uri;
+    log.blank();
+    log.info(
+      "To authenticate, open the page below and confirm the code matches:"
+    );
+    log.info(`  ${verificationUrl}`);
+    log.blank();
+    log.info(`Your code: ${deviceResponse.user_code}`);
+    log.blank();
+    log.info("Opening browser automatically...");
+    log.blank();
+    open3(verificationUrl).catch(() => {
+      log.warn(
+        "Failed to open browser automatically. Please open the URL manually."
+      );
+    });
+    const tokenResponse = await client.pollDeviceAuthorizationGrant(
+      oidcConfig,
+      deviceResponse
+    );
+    return this.processTokenResponse(tokenResponse);
+  }
+  /**
+   * Authenticate using the interactive browser flow (Authorization Code + PKCE).
+   * Opens the browser directly to Auth0 Universal Login — user enters email,
+   * receives OTP, enters it, and is redirected back. Single code, no device confirmation.
+   */
+  async authenticateInteractive(_prompt) {
+    const oidcConfig = await this.ensureOidcConfig();
+    const codeVerifier = client.randomPKCECodeVerifier();
+    const codeChallenge = await client.calculatePKCECodeChallenge(codeVerifier);
+    const state = client.randomState();
+    const port = _Auth0AuthManager.REDIRECT_PORT;
+    const redirectUri = `http://localhost:${port}/callback`;
+    const parameters = {
+      redirect_uri: redirectUri,
+      scope: this.getScopes(),
+      code_challenge: codeChallenge,
+      code_challenge_method: "S256",
+      state
+    };
+    if (this.config?.audience) {
+      parameters.audience = this.config.audience;
+    }
+    const authUrl = client.buildAuthorizationUrl(oidcConfig, parameters);
+    log.debug("Waiting for Auth0 callback on port", port);
+    const result = await listenForAuthCode(port, authUrl.href, state);
+    if (!result) {
+      throw new Error("Failed to receive authorization code from Auth0");
+    }
+    log.debug("Received authorization code, exchanging for tokens...");
+    log.debug("Callback fullPath:", result.fullPath);
+    const callbackUrl = new URL(result.fullPath, `http://localhost:${port}`);
+    try {
+      const tokenResponse = await client.authorizationCodeGrant(
+        oidcConfig,
+        callbackUrl,
+        {
+          pkceCodeVerifier: codeVerifier,
+          expectedState: state,
+          idTokenExpected: true
+        }
+      );
+      log.debug("Token exchange successful");
+      return this.processTokenResponse(tokenResponse);
+    } catch (error) {
+      log.debug("Token exchange failed:", error);
+      if (error instanceof Error && error.cause) {
+        log.debug("Token exchange error cause:", error.cause);
+      }
+      throw error;
+    }
+  }
+  /**
+   * Try to get a valid token without user interaction.
+   * Checks cache first, then tries refresh token.
+   */
+  async tryGetValidTokenSilently() {
+    const cached = this.getCachedTokens();
+    if (!cached) return null;
+    const expiresAt = new Date(cached.expiresAt);
+    if (!isTokenExpired(expiresAt)) {
+      const ttlMin = Math.round((expiresAt.getTime() - Date.now()) / 6e4);
+      log.debug(`Using cached Auth0 token (expires in ${ttlMin}m)`);
+      return cached.accessToken;
+    }
+    if (cached.refreshToken) {
+      try {
+        log.debug("Attempting Auth0 token refresh...");
+        const token = await this.refreshAccessToken(cached.refreshToken);
+        const ttlMin = Math.round(
+          (token.expiresOn.getTime() - Date.now()) / 6e4
+        );
+        log.debug(`Auth0 token refreshed successfully (expires in ${ttlMin}m)`);
+        return token.accessToken;
+      } catch (error) {
+        log.debug("Auth0 token refresh failed:", error);
+      }
+    } else {
+      log.debug(
+        "No refresh token available \u2014 cannot silently refresh. Re-authentication required."
+      );
+    }
+    return null;
+  }
+  /**
+   * Get a valid access token, refreshing or re-authenticating if necessary.
+   *
+   * Falls back to the device code flow (not browser PKCE) so this method can be
+   * called in headless environments (e.g., mid-tunnel token refresh). Callers that
+   * need browser-based re-authentication should call authenticateInteractive() directly.
+   */
+  async getValidToken() {
+    const token = await this.tryGetValidTokenSilently();
+    if (token) return token;
+    const newToken = await this.authenticate();
+    return newToken.accessToken;
+  }
+  /**
+   * Check if a valid cached token exists.
+   */
+  isAuthenticated() {
+    const cached = this.getCachedTokens();
+    if (!cached) return false;
+    return !isTokenExpired(new Date(cached.expiresAt));
+  }
+  /**
+   * Clear all cached Auth0 token data.
+   */
+  logout() {
+    try {
+      const cachePath = this.getTokenCachePath();
+      if (fs4.existsSync(cachePath)) {
+        fs4.unlinkSync(cachePath);
+      }
+    } catch (error) {
+      log.error("Error clearing Auth0 token cache during logout:", error);
+    }
+  }
+  /**
+   * Use a refresh token to obtain a new access token.
+   */
+  async refreshAccessToken(refreshToken) {
+    const oidcConfig = await this.ensureOidcConfig();
+    const tokenResponse = await client.refreshTokenGrant(
+      oidcConfig,
+      refreshToken
+    );
+    return this.processTokenResponse(tokenResponse);
+  }
+  /**
+   * Process a token endpoint response into our AuthToken format and cache it.
+   */
+  processTokenResponse(response) {
+    const expiresIn = response.expiresIn();
+    const expiresOn = expiresIn ? new Date(Date.now() + expiresIn * 1e3) : new Date(Date.now() + 36e5);
+    if (!response.refresh_token) {
+      log.debug(
+        "Auth0 token response did not include a refresh token. Token refresh will not be available when the access token expires."
+      );
+    }
+    const authToken = {
+      accessToken: response.access_token,
+      expiresOn,
+      refreshToken: response.refresh_token
+    };
+    this.cacheTokens({
+      accessToken: response.access_token,
+      refreshToken: response.refresh_token,
+      idToken: response.id_token,
+      expiresAt: expiresOn.toISOString()
+    });
+    return authToken;
+  }
+  getScopes() {
+    if (!this.config?.scopes?.length) {
+      return "openid profile email offline_access";
+    }
+    const scopes = new Set(this.config.scopes);
+    scopes.add("offline_access");
+    return [...scopes].join(" ");
+  }
+  getCachedTokens() {
+    try {
+      const cachePath = this.getTokenCachePath();
+      if (fs4.existsSync(cachePath)) {
+        const content = fs4.readFileSync(cachePath, "utf-8");
+        const parsed = JSON.parse(content);
+        if (!parsed.accessToken || !parsed.expiresAt) return null;
+        return parsed;
+      }
+    } catch (error) {
+      log.debug("Failed to load Auth0 cached tokens:", error);
+    }
+    return null;
+  }
+  cacheTokens(tokens) {
+    try {
+      const cachePath = this.getTokenCachePath();
+      writeSecureFile(cachePath, JSON.stringify(tokens, null, 2));
+    } catch (error) {
+      log.error("Failed to cache Auth0 tokens:", error);
+    }
+  }
+  getTokenCachePath() {
+    return path4.join(getCacheDir(), _Auth0AuthManager.TOKEN_CACHE_FILE);
+  }
+};
+
+// node_modules/@elf-5/periscope-api-client/dist/Generated/PeriscopeApiClient.js
+var PeriscopeApi;
+(function(PeriscopeApi2) {
+  class PeriscopeApiClient {
+    constructor(baseUrl, http3) {
+      this.jsonParseReviver = void 0;
+      this.http = http3 ? http3 : window;
+      this.baseUrl = baseUrl ?? "";
+    }
+    /**
+     * @param clientVersion (optional)
+     * @return OK
+     */
+    configuration(clientVersion) {
+      let url_ = this.baseUrl + "/api/configuration?";
+      if (clientVersion === null)
+        throw new Error("The parameter 'clientVersion' cannot be null.");
+      else if (clientVersion !== void 0)
+        url_ += "clientVersion=" + encodeURIComponent("" + clientVersion) + "&";
+      url_ = url_.replace(/[?&]$/, "");
+      let options_ = {
+        method: "GET",
+        headers: {
+          "Accept": "application/json"
+        }
+      };
+      return this.http.fetch(url_, options_).then((_response) => {
+        return this.processConfiguration(_response);
+      });
+    }
+    processConfiguration(response) {
+      const status = response.status;
+      let _headers = {};
+      if (response.headers && response.headers.forEach) {
+        response.headers.forEach((v, k) => _headers[k] = v);
+      }
+      ;
+      if (status === 200) {
+        return response.text().then((_responseText) => {
+          let result200 = null;
+          result200 = _responseText === "" ? null : JSON.parse(_responseText, this.jsonParseReviver);
+          return result200;
+        });
+      } else if (status === 503) {
+        return response.text().then((_responseText) => {
+          return throwException("Service Unavailable", status, _responseText, _headers);
+        });
+      } else if (status !== 200 && status !== 204) {
+        return response.text().then((_responseText) => {
+          return throwException("An unexpected server error occurred.", status, _responseText, _headers);
+        });
+      }
+      return Promise.resolve(null);
+    }
+    /**
+     * @return OK
+     */
+    telemetryGET() {
+      let url_ = this.baseUrl + "/api/configuration/telemetry";
+      url_ = url_.replace(/[?&]$/, "");
+      let options_ = {
+        method: "GET",
+        headers: {
+          "Accept": "application/json"
+        }
+      };
+      return this.http.fetch(url_, options_).then((_response) => {
+        return this.processTelemetryGET(_response);
+      });
+    }
+    processTelemetryGET(response) {
+      const status = response.status;
+      let _headers = {};
+      if (response.headers && response.headers.forEach) {
+        response.headers.forEach((v, k) => _headers[k] = v);
+      }
+      ;
+      if (status === 200) {
+        return response.text().then((_responseText) => {
+          let result200 = null;
+          result200 = _responseText === "" ? null : JSON.parse(_responseText, this.jsonParseReviver);
+          return result200;
+        });
+      } else if (status === 401) {
+        return response.text().then((_responseText) => {
+          let result401 = null;
+          result401 = _responseText === "" ? null : JSON.parse(_responseText, this.jsonParseReviver);
+          return throwException("Unauthorized", status, _responseText, _headers, result401);
+        });
+      } else if (status !== 200 && status !== 204) {
+        return response.text().then((_responseText) => {
+          return throwException("An unexpected server error occurred.", status, _responseText, _headers);
+        });
+      }
+      return Promise.resolve(null);
+    }
+    /**
+     * @param body (optional)
+     * @return OK
+     */
+    submitFeedback(body) {
+      let url_ = this.baseUrl + "/api/feedback";
+      url_ = url_.replace(/[?&]$/, "");
+      const content_ = JSON.stringify(body);
+      let options_ = {
+        body: content_,
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Accept": "application/json"
+        }
+      };
+      return this.http.fetch(url_, options_).then((_response) => {
+        return this.processSubmitFeedback(_response);
+      });
+    }
+    processSubmitFeedback(response) {
+      const status = response.status;
+      let _headers = {};
+      if (response.headers && response.headers.forEach) {
+        response.headers.forEach((v, k) => _headers[k] = v);
+      }
+      ;
+      if (status === 200) {
+        return response.text().then((_responseText) => {
+          let result200 = null;
+          result200 = _responseText === "" ? null : JSON.parse(_responseText, this.jsonParseReviver);
+          return result200;
+        });
+      } else if (status === 400) {
+        return response.text().then((_responseText) => {
+          let result400 = null;
+          result400 = _responseText === "" ? null : JSON.parse(_responseText, this.jsonParseReviver);
+          return throwException("Bad Request", status, _responseText, _headers, result400);
+        });
+      } else if (status !== 200 && status !== 204) {
+        return response.text().then((_responseText) => {
+          return throwException("An unexpected server error occurred.", status, _responseText, _headers);
+        });
+      }
+      return Promise.resolve(null);
+    }
+    /**
+     * @return OK
+     */
+    telemetryGET2() {
+      let url_ = this.baseUrl + "/api/test/telemetry";
+      url_ = url_.replace(/[?&]$/, "");
+      let options_ = {
+        method: "GET",
+        headers: {}
+      };
+      return this.http.fetch(url_, options_).then((_response) => {
+        return this.processTelemetryGET2(_response);
+      });
+    }
+    processTelemetryGET2(response) {
+      const status = response.status;
+      let _headers = {};
+      if (response.headers && response.headers.forEach) {
+        response.headers.forEach((v, k) => _headers[k] = v);
+      }
+      ;
+      if (status === 200) {
+        return response.text().then((_responseText) => {
+          return;
+        });
+      } else if (status !== 200 && status !== 204) {
+        return response.text().then((_responseText) => {
+          return throwException("An unexpected server error occurred.", status, _responseText, _headers);
+        });
+      }
+      return Promise.resolve(null);
+    }
+    /**
+     * @return OK
+     */
+    telemetryDELETE() {
+      let url_ = this.baseUrl + "/api/test/telemetry";
+      url_ = url_.replace(/[?&]$/, "");
+      let options_ = {
+        method: "DELETE",
+        headers: {}
+      };
+      return this.http.fetch(url_, options_).then((_response) => {
+        return this.processTelemetryDELETE(_response);
+      });
+    }
+    processTelemetryDELETE(response) {
+      const status = response.status;
+      let _headers = {};
+      if (response.headers && response.headers.forEach) {
+        response.headers.forEach((v, k) => _headers[k] = v);
+      }
+      ;
+      if (status === 200) {
+        return response.text().then((_responseText) => {
+          return;
+        });
+      } else if (status !== 200 && status !== 204) {
+        return response.text().then((_responseText) => {
+          return throwException("An unexpected server error occurred.", status, _responseText, _headers);
+        });
+      }
+      return Promise.resolve(null);
+    }
+    /**
+     * @return OK
+     */
+    licenseConfigPOST(body) {
+      let url_ = this.baseUrl + "/api/test/license-config";
+      url_ = url_.replace(/[?&]$/, "");
+      const content_ = JSON.stringify(body);
+      let options_ = {
+        body: content_,
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        }
+      };
+      return this.http.fetch(url_, options_).then((_response) => {
+        return this.processLicenseConfigPOST(_response);
+      });
+    }
+    processLicenseConfigPOST(response) {
+      const status = response.status;
+      let _headers = {};
+      if (response.headers && response.headers.forEach) {
+        response.headers.forEach((v, k) => _headers[k] = v);
+      }
+      ;
+      if (status === 200) {
+        return response.text().then((_responseText) => {
+          return;
+        });
+      } else if (status !== 200 && status !== 204) {
+        return response.text().then((_responseText) => {
+          return throwException("An unexpected server error occurred.", status, _responseText, _headers);
+        });
+      }
+      return Promise.resolve(null);
+    }
+    /**
+     * @return OK
+     */
+    licenseConfigDELETE() {
+      let url_ = this.baseUrl + "/api/test/license-config";
+      url_ = url_.replace(/[?&]$/, "");
+      let options_ = {
+        method: "DELETE",
+        headers: {}
+      };
+      return this.http.fetch(url_, options_).then((_response) => {
+        return this.processLicenseConfigDELETE(_response);
+      });
+    }
+    processLicenseConfigDELETE(response) {
+      const status = response.status;
+      let _headers = {};
+      if (response.headers && response.headers.forEach) {
+        response.headers.forEach((v, k) => _headers[k] = v);
+      }
+      ;
+      if (status === 200) {
+        return response.text().then((_responseText) => {
+          return;
+        });
+      } else if (status !== 200 && status !== 204) {
+        return response.text().then((_responseText) => {
+          return throwException("An unexpected server error occurred.", status, _responseText, _headers);
+        });
+      }
+      return Promise.resolve(null);
+    }
+    /**
+     * @return OK
+     */
+    getCurrentUser() {
+      let url_ = this.baseUrl + "/api/user";
+      url_ = url_.replace(/[?&]$/, "");
+      let options_ = {
+        method: "GET",
+        headers: {
+          "Accept": "application/json"
+        }
+      };
+      return this.http.fetch(url_, options_).then((_response) => {
+        return this.processGetCurrentUser(_response);
+      });
+    }
+    processGetCurrentUser(response) {
+      const status = response.status;
+      let _headers = {};
+      if (response.headers && response.headers.forEach) {
+        response.headers.forEach((v, k) => _headers[k] = v);
+      }
+      ;
+      if (status === 200) {
+        return response.text().then((_responseText) => {
+          let result200 = null;
+          result200 = _responseText === "" ? null : JSON.parse(_responseText, this.jsonParseReviver);
+          return result200;
+        });
+      } else if (status === 404) {
+        return response.text().then((_responseText) => {
+          let result404 = null;
+          result404 = _responseText === "" ? null : JSON.parse(_responseText, this.jsonParseReviver);
+          return throwException("Not Found", status, _responseText, _headers, result404);
+        });
+      } else if (status === 500) {
+        return response.text().then((_responseText) => {
+          return throwException("Internal Server Error", status, _responseText, _headers);
+        });
+      } else if (status !== 200 && status !== 204) {
+        return response.text().then((_responseText) => {
+          return throwException("An unexpected server error occurred.", status, _responseText, _headers);
+        });
+      }
+      return Promise.resolve(null);
+    }
+    /**
+     * @return OK
+     */
+    getSshCredentials() {
+      let url_ = this.baseUrl + "/api/user/ssh-credentials";
+      url_ = url_.replace(/[?&]$/, "");
+      let options_ = {
+        method: "GET",
+        headers: {
+          "Accept": "application/json"
+        }
+      };
+      return this.http.fetch(url_, options_).then((_response) => {
+        return this.processGetSshCredentials(_response);
+      });
+    }
+    processGetSshCredentials(response) {
+      const status = response.status;
+      let _headers = {};
+      if (response.headers && response.headers.forEach) {
+        response.headers.forEach((v, k) => _headers[k] = v);
+      }
+      ;
+      if (status === 200) {
+        return response.text().then((_responseText) => {
+          let result200 = null;
+          result200 = _responseText === "" ? null : JSON.parse(_responseText, this.jsonParseReviver);
+          return result200;
+        });
+      } else if (status === 400) {
+        return response.text().then((_responseText) => {
+          let result400 = null;
+          result400 = _responseText === "" ? null : JSON.parse(_responseText, this.jsonParseReviver);
+          return throwException("Bad Request", status, _responseText, _headers, result400);
+        });
+      } else if (status === 500) {
+        return response.text().then((_responseText) => {
+          return throwException("Internal Server Error", status, _responseText, _headers);
+        });
+      } else if (status !== 200 && status !== 204) {
+        return response.text().then((_responseText) => {
+          return throwException("An unexpected server error occurred.", status, _responseText, _headers);
+        });
+      }
+      return Promise.resolve(null);
+    }
+    /**
+     * @param body (optional)
+     * @return OK
+     */
+    validateSshHostKey(body) {
+      let url_ = this.baseUrl + "/api/user/ssh/validate-host-key";
+      url_ = url_.replace(/[?&]$/, "");
+      const content_ = JSON.stringify(body);
+      let options_ = {
+        body: content_,
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        }
+      };
+      return this.http.fetch(url_, options_).then((_response) => {
+        return this.processValidateSshHostKey(_response);
+      });
+    }
+    processValidateSshHostKey(response) {
+      const status = response.status;
+      let _headers = {};
+      if (response.headers && response.headers.forEach) {
+        response.headers.forEach((v, k) => _headers[k] = v);
+      }
+      ;
+      if (status === 200) {
+        return response.text().then((_responseText) => {
+          return;
+        });
+      } else if (status === 422) {
+        return response.text().then((_responseText) => {
+          let result422 = null;
+          result422 = _responseText === "" ? null : JSON.parse(_responseText, this.jsonParseReviver);
+          return throwException("Unprocessable Content", status, _responseText, _headers, result422);
+        });
+      } else if (status === 400) {
+        return response.text().then((_responseText) => {
+          let result400 = null;
+          result400 = _responseText === "" ? null : JSON.parse(_responseText, this.jsonParseReviver);
+          return throwException("Bad Request", status, _responseText, _headers, result400);
+        });
+      } else if (status !== 200 && status !== 204) {
+        return response.text().then((_responseText) => {
+          return throwException("An unexpected server error occurred.", status, _responseText, _headers);
+        });
+      }
+      return Promise.resolve(null);
+    }
+    /**
+     * @param body (optional)
+     * @return OK
+     */
+    registerPublicKey(body) {
+      let url_ = this.baseUrl + "/api/user/public-key";
+      url_ = url_.replace(/[?&]$/, "");
+      const content_ = JSON.stringify(body);
+      let options_ = {
+        body: content_,
+        method: "PUT",
+        headers: {
+          "Content-Type": "application/json",
+          "Accept": "application/json"
+        }
+      };
+      return this.http.fetch(url_, options_).then((_response) => {
+        return this.processRegisterPublicKey(_response);
+      });
+    }
+    processRegisterPublicKey(response) {
+      const status = response.status;
+      let _headers = {};
+      if (response.headers && response.headers.forEach) {
+        response.headers.forEach((v, k) => _headers[k] = v);
+      }
+      ;
+      if (status === 200) {
+        return response.text().then((_responseText) => {
+          let result200 = null;
+          result200 = _responseText === "" ? null : JSON.parse(_responseText, this.jsonParseReviver);
+          return result200;
+        });
+      } else if (status === 400) {
+        return response.text().then((_responseText) => {
+          let result400 = null;
+          result400 = _responseText === "" ? null : JSON.parse(_responseText, this.jsonParseReviver);
+          return throwException("Bad Request", status, _responseText, _headers, result400);
+        });
+      } else if (status === 500) {
+        return response.text().then((_responseText) => {
+          return throwException("Internal Server Error", status, _responseText, _headers);
+        });
+      } else if (status !== 200 && status !== 204) {
+        return response.text().then((_responseText) => {
+          return throwException("An unexpected server error occurred.", status, _responseText, _headers);
+        });
+      }
+      return Promise.resolve(null);
+    }
+    /**
+     * @return OK
+     */
+    getTermsStatus() {
+      let url_ = this.baseUrl + "/api/user/terms-status";
+      url_ = url_.replace(/[?&]$/, "");
+      let options_ = {
+        method: "GET",
+        headers: {
+          "Accept": "application/json"
+        }
+      };
+      return this.http.fetch(url_, options_).then((_response) => {
+        return this.processGetTermsStatus(_response);
+      });
+    }
+    processGetTermsStatus(response) {
+      const status = response.status;
+      let _headers = {};
+      if (response.headers && response.headers.forEach) {
+        response.headers.forEach((v, k) => _headers[k] = v);
+      }
+      ;
+      if (status === 200) {
+        return response.text().then((_responseText) => {
+          let result200 = null;
+          result200 = _responseText === "" ? null : JSON.parse(_responseText, this.jsonParseReviver);
+          return result200;
+        });
+      } else if (status !== 200 && status !== 204) {
+        return response.text().then((_responseText) => {
+          return throwException("An unexpected server error occurred.", status, _responseText, _headers);
+        });
+      }
+      return Promise.resolve(null);
+    }
+    /**
+     * @param body (optional)
+     * @return OK
+     */
+    acceptTerms(body) {
+      let url_ = this.baseUrl + "/api/user/accept-terms";
+      url_ = url_.replace(/[?&]$/, "");
+      const content_ = JSON.stringify(body);
+      let options_ = {
+        body: content_,
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Accept": "application/json"
+        }
+      };
+      return this.http.fetch(url_, options_).then((_response) => {
+        return this.processAcceptTerms(_response);
+      });
+    }
+    processAcceptTerms(response) {
+      const status = response.status;
+      let _headers = {};
+      if (response.headers && response.headers.forEach) {
+        response.headers.forEach((v, k) => _headers[k] = v);
+      }
+      ;
+      if (status === 200) {
+        return response.text().then((_responseText) => {
+          let result200 = null;
+          result200 = _responseText === "" ? null : JSON.parse(_responseText, this.jsonParseReviver);
+          return result200;
+        });
+      } else if (status === 400) {
+        return response.text().then((_responseText) => {
+          let result400 = null;
+          result400 = _responseText === "" ? null : JSON.parse(_responseText, this.jsonParseReviver);
+          return throwException("Bad Request", status, _responseText, _headers, result400);
+        });
+      } else if (status !== 200 && status !== 204) {
+        return response.text().then((_responseText) => {
+          return throwException("An unexpected server error occurred.", status, _responseText, _headers);
+        });
+      }
+      return Promise.resolve(null);
+    }
+    /**
+     * @param body (optional)
+     * @return OK
+     */
+    updateUserSlug(body) {
+      let url_ = this.baseUrl + "/api/user/slug";
+      url_ = url_.replace(/[?&]$/, "");
+      const content_ = JSON.stringify(body);
+      let options_ = {
+        body: content_,
+        method: "PUT",
+        headers: {
+          "Content-Type": "application/json",
+          "Accept": "application/json"
+        }
+      };
+      return this.http.fetch(url_, options_).then((_response) => {
+        return this.processUpdateUserSlug(_response);
+      });
+    }
+    processUpdateUserSlug(response) {
+      const status = response.status;
+      let _headers = {};
+      if (response.headers && response.headers.forEach) {
+        response.headers.forEach((v, k) => _headers[k] = v);
+      }
+      ;
+      if (status === 200) {
+        return response.text().then((_responseText) => {
+          let result200 = null;
+          result200 = _responseText === "" ? null : JSON.parse(_responseText, this.jsonParseReviver);
+          return result200;
+        });
+      } else if (status === 400) {
+        return response.text().then((_responseText) => {
+          let result400 = null;
+          result400 = _responseText === "" ? null : JSON.parse(_responseText, this.jsonParseReviver);
+          return throwException("Bad Request", status, _responseText, _headers, result400);
+        });
+      } else if (status === 409) {
+        return response.text().then((_responseText) => {
+          let result409 = null;
+          result409 = _responseText === "" ? null : JSON.parse(_responseText, this.jsonParseReviver);
+          return throwException("Conflict", status, _responseText, _headers, result409);
+        });
+      } else if (status === 500) {
+        return response.text().then((_responseText) => {
+          return throwException("Internal Server Error", status, _responseText, _headers);
+        });
+      } else if (status !== 200 && status !== 204) {
+        return response.text().then((_responseText) => {
+          return throwException("An unexpected server error occurred.", status, _responseText, _headers);
+        });
+      }
+      return Promise.resolve(null);
+    }
+  }
+  PeriscopeApi2.PeriscopeApiClient = PeriscopeApiClient;
+  class ApiException extends Error {
+    constructor(message, status, response, headers, result) {
+      super();
+      this.isApiException = true;
+      this.message = message;
+      this.status = status;
+      this.response = response;
+      this.headers = headers;
+      this.result = result;
+    }
+    static isApiException(obj) {
+      return obj.isApiException === true;
+    }
+  }
+  PeriscopeApi2.ApiException = ApiException;
+  function throwException(message, status, response, headers, result) {
+    throw new ApiException(message, status, response, headers, result);
+  }
+})(PeriscopeApi || (PeriscopeApi = {}));
+
+// src/lib/server-config.ts
+var cachedConfig = null;
+var fetchPromise = null;
+async function getServerConfig(serverUrl) {
+  if (cachedConfig) return cachedConfig;
+  if (fetchPromise) return fetchPromise;
+  fetchPromise = fetchServerConfig(serverUrl);
+  try {
+    cachedConfig = await fetchPromise;
+    return cachedConfig;
+  } finally {
+    fetchPromise = null;
+  }
+}
+async function fetchServerConfig(serverUrl) {
+  const client3 = new PeriscopeApi.PeriscopeApiClient(serverUrl, {
+    fetch: (url, init) => fetch(url, init)
+  });
+  return client3.configuration(void 0);
+}
+
+// src/lib/client.ts
+import * as https from "https";
+import * as fs5 from "fs";
+var AccountStatus = {
+  PENDING_APPROVAL: "PendingApproval",
+  ACTIVE: "Active",
+  REJECTED: "Rejected",
+  INACTIVE: "Inactive"
+};
+var PeriscopeClient = class {
+  constructor(config2) {
+    this.config = config2;
+    if (!config2.serverUrl) {
+      throw new Error("Server URL is required");
+    }
+    if (config2.caCertPath) {
+      try {
+        const caCert = fs5.readFileSync(config2.caCertPath);
+        this.httpsAgent = new https.Agent({
+          ca: caCert
+        });
+        this.logger.debug(
+          `Using custom CA certificate from: ${config2.caCertPath}`
+        );
+      } catch (error) {
+        this.logger.error(
+          `Failed to load CA certificate from ${config2.caCertPath}:`,
+          error
+        );
+        throw new Error(
+          `Failed to load CA certificate: ${error instanceof Error ? error.message : "Unknown error"}`
+        );
+      }
+    }
+  }
+  authManager = null;
+  apiClient = null;
+  logger = getLogger().child("PeriscopeClient");
+  httpsAgent = null;
+  authInitPromise = null;
+  /**
+   * Perform fetch with SSL configuration
+   */
+  async fetchWithOptions(url, init) {
+    const options = { ...init };
+    if (this.httpsAgent && url.toString().startsWith("https://")) {
+      options.agent = this.httpsAgent;
+    }
+    return fetch(url, options);
+  }
+  /**
+   * Initialize the auth manager with configuration from the API.
+   * Selects MSAL (Entra) or Auth0 based on the server's authProvider field.
+   * Uses a cached promise to prevent duplicate initialization attempts.
+   */
+  async initializeAuth() {
+    if (this.authManager) {
+      return;
+    }
+    if (this.authInitPromise) {
+      return this.authInitPromise;
+    }
+    this.authInitPromise = this.doInitializeAuth();
+    try {
+      await this.authInitPromise;
+    } finally {
+      this.authInitPromise = null;
+    }
+  }
+  /**
+   * Internal auth initialization logic.
+   * Uses the centralized ServerConfig cache to avoid duplicate /api/configuration requests.
+   */
+  async doInitializeAuth() {
+    const serverConfig = await getServerConfig(this.config.serverUrl);
+    if (!serverConfig.clientId || !serverConfig.authority) {
+      throw new Error("Incomplete auth configuration received from server");
+    }
+    const isAuth0 = serverConfig.authProvider?.toLowerCase() === "auth0";
+    if (isAuth0) {
+      this.authManager = new Auth0AuthManager({
+        authority: serverConfig.authority,
+        clientId: serverConfig.clientId,
+        scopes: serverConfig.scopes || ["openid", "profile", "email"],
+        audience: serverConfig.audience
+      });
+      this.logger.debug("Auth0 auth manager initialized from server config");
+    } else {
+      if (!serverConfig.scopes) {
+        throw new Error("Incomplete MSAL configuration received from server");
+      }
+      this.authManager = new MsalAuthManager({
+        clientId: serverConfig.clientId,
+        authority: serverConfig.authority,
+        scopes: serverConfig.scopes
+      });
+      this.logger.debug("MSAL auth manager initialized from server config");
+    }
+  }
+  /**
+   * Create a custom fetch implementation that includes authentication headers.
+   * Dynamically fetches a fresh token on each request via authManager so that
+   * long-lived API clients (e.g., during tunnel reconnection) automatically
+   * pick up refreshed tokens instead of replaying an expired one.
+   */
+  createAuthenticatedFetch(token) {
+    return {
+      fetch: async (url, init) => {
+        const headers = new Headers(init?.headers);
+        let currentToken;
+        if (this.authManager) {
+          const silentToken = await this.authManager.tryGetValidTokenSilently();
+          if (!silentToken) {
+            throw new Error(
+              "Authentication expired. Please run `periscope auth login` to re-authenticate."
+            );
+          }
+          currentToken = silentToken;
+        } else {
+          currentToken = token;
+        }
+        headers.set("Authorization", `Bearer ${currentToken}`);
+        headers.set("Content-Type", "application/json");
+        headers.set("Accept", "application/json");
+        const requestInit = {
+          ...init,
+          headers
+        };
+        this.logger.debug(`Making authenticated request to: ${url}`);
+        this.logger.trace("Using Bearer token: [present]");
+        const response = await this.fetchWithOptions(url, requestInit);
+        this.logger.debug(`Response status: ${response.status}`);
+        return response;
+      }
+    };
+  }
+  /**
+   * Create an unauthenticated fetch implementation for public endpoints
+   */
+  createUnauthenticatedFetch() {
+    return {
+      fetch: async (url, init) => {
+        const headers = new Headers(init?.headers);
+        headers.set("Content-Type", "application/json");
+        headers.set("Accept", "application/json");
+        const requestInit = {
+          ...init,
+          headers
+        };
+        this.logger.debug(`Making unauthenticated request to: ${url}`);
+        const response = await this.fetchWithOptions(url, requestInit);
+        this.logger.debug(`Response status: ${response.status}`);
+        return response;
+      }
+    };
+  }
+  /**
+   * Initialize the API client with authentication token
+   */
+  async initializeApiClient(token) {
+    try {
+      if (!this.config.serverUrl) {
+        throw new Error("Server URL is required");
+      }
+      const authenticatedFetch = this.createAuthenticatedFetch(token);
+      this.apiClient = new PeriscopeApi.PeriscopeApiClient(
+        this.config.serverUrl,
+        authenticatedFetch
+      );
+      this.logger.debug("Periscope API client initialized successfully");
+      this.logger.debug("API base URL:", this.config.serverUrl);
+      this.logger.debug("Auth token:", token ? "Present" : "Missing");
+      return true;
+    } catch (error) {
+      this.logger.error("Failed to initialize Periscope API client:", error);
+      return false;
+    }
+  }
+  /**
+   * Check if API client is initialized and ready
+   */
+  async isApiClientReady() {
+    if (this.apiClient) {
+      return true;
+    }
+    await this.ensureApiClientInitialized();
+    return this.apiClient !== null;
+  }
+  /**
+   * Authenticate and ensure we have a valid token
+   */
+  async authenticate() {
+    await this.initializeAuth();
+    if (!this.authManager) {
+      throw new Error("Failed to initialize auth configuration");
+    }
+    const authResult = await this.authManager.authenticate();
+    await this.initializeApiClient(authResult.accessToken);
+    return authResult;
+  }
+  /**
+   * Authenticate using interactive flow with prompt control
+   */
+  async authenticateInteractive(prompt) {
+    await this.initializeAuth();
+    if (!this.authManager) {
+      throw new Error("Failed to initialize auth configuration");
+    }
+    const authResult = await this.authManager.authenticateInteractive(prompt);
+    await this.initializeApiClient(authResult.accessToken);
+    return authResult;
+  }
+  /**
+   * Check if currently authenticated.
+   *
+   * Checks in order:
+   * 1. Already initialized authManager with valid token
+   * 2. Cached token on disk (without needing server config)
+   * 3. Initialize auth from server and check
+   *
+   * This layered approach allows the CLI to work even when the server
+   * doesn't provide auth configuration (e.g., test environments).
+   */
+  async isAuthenticated() {
+    if (this.authManager?.isAuthenticated()) {
+      await this.ensureApiClientInitialized();
+      return true;
+    }
+    if (await this.tryInitializeFromCachedToken()) {
+      try {
+        await this.initializeAuth();
+      } catch (error) {
+        this.logger.debug("Auth init failed after cached token login:", error);
+      }
+      return true;
+    }
+    try {
+      await this.initializeAuth();
+      if (this.authManager) {
+        const token = await this.authManager.tryGetValidTokenSilently();
+        if (token) {
+          await this.initializeApiClient(token);
+          return true;
+        }
+      }
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      const isNetworkError = errorMessage.includes("ECONNREFUSED") || errorMessage.includes("ENOTFOUND") || errorMessage.includes("ETIMEDOUT") || errorMessage.includes("ECONNRESET") || errorMessage.includes("fetch failed") || errorMessage.toLowerCase().includes("network");
+      if (isNetworkError) {
+        throw new Error(
+          `Server is unreachable (${this.config.serverUrl}): ${errorMessage}`
+        );
+      }
+      this.logger.debug("Auth initialization failed during auth check:", error);
+    }
+    return false;
+  }
+  /**
+   * @deprecated Use isAuthenticated() instead. This alias exists for backwards compatibility.
+   */
+  async isAuthenticatedAsync() {
+    return this.isAuthenticated();
+  }
+  /**
+   * Try to initialize from a cached token file without needing server config.
+   * Checks both MSAL and Auth0 token caches.
+   * Returns true if a valid cached token was found and API client initialized.
+   *
+   * NOTE: Config-less managers are used only to read the cache and extract
+   * a still-valid access token. They are NOT stored as this.authManager
+   * because they lack server config needed for re-authentication and
+   * token refresh. The full authManager is set later via initializeAuth().
+   */
+  async tryInitializeFromCachedToken() {
+    try {
+      const msalAuthManager = new MsalAuthManager();
+      if (msalAuthManager.isAuthenticated()) {
+        const token = await msalAuthManager.getValidToken();
+        await this.initializeApiClient(token);
+        this.logger.debug("Initialized API client from cached MSAL token");
+        return true;
+      }
+    } catch {
+    }
+    try {
+      const auth0AuthManager = new Auth0AuthManager();
+      if (auth0AuthManager.isAuthenticated()) {
+        const token = await auth0AuthManager.getValidToken();
+        await this.initializeApiClient(token);
+        this.logger.debug("Initialized API client from cached Auth0 token");
+        return true;
+      }
+    } catch {
+    }
+    return false;
+  }
+  /**
+   * Ensure API client is initialized if we have valid authentication.
+   */
+  async ensureApiClientInitialized() {
+    if (this.apiClient || !this.authManager) {
+      return;
+    }
+    try {
+      const token = await this.authManager.getValidToken();
+      await this.initializeApiClient(token);
+    } catch (error) {
+      this.logger.debug("Failed to initialize API client:", error);
+    }
+  }
+  /**
+   * Logout and clear authentication data.
+   * Clears both MSAL and Auth0 caches to ensure a clean slate.
+   */
+  async logout() {
+    try {
+      await this.initializeAuth();
+    } catch (error) {
+      this.logger.warn("Failed to initialize auth for logout:", error);
+    }
+    if (this.authManager) {
+      this.authManager.logout();
+    }
+    try {
+      if (!(this.authManager instanceof MsalAuthManager)) {
+        new MsalAuthManager().logout();
+      }
+    } catch {
+    }
+    try {
+      if (!(this.authManager instanceof Auth0AuthManager)) {
+        new Auth0AuthManager().logout();
+      }
+    } catch {
+    }
+    this.apiClient = null;
+  }
+  // API Methods - these use the real API client
+  /**
+   * Get auth configuration from server (unauthenticated endpoint)
+   */
+  async getAuthConfig() {
+    if (!this.config.serverUrl) {
+      throw new Error("Server URL is required to fetch auth configuration");
+    }
+    try {
+      const unauthenticatedFetch = this.createUnauthenticatedFetch();
+      const unauthenticatedClient = new PeriscopeApi.PeriscopeApiClient(
+        this.config.serverUrl,
+        unauthenticatedFetch
+      );
+      this.logger.debug(
+        `Getting auth configuration from ${this.config.serverUrl}`
+      );
+      const authConfig = await unauthenticatedClient.configuration(void 0);
+      this.logger.debug("Successfully fetched auth configuration from server");
+      return authConfig;
+    } catch (error) {
+      this.logger.debug(
+        "Failed to fetch auth configuration from server:",
+        error
+      );
+      throw new Error(
+        `Failed to fetch auth configuration: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
+    }
+  }
+  async checkHealth() {
+    if (!this.config.serverUrl) {
+      throw new Error("Server URL is required");
+    }
+    const response = await this.fetchWithOptions(
+      `${this.config.serverUrl}/healthz`
+    );
+    if (!response.ok) {
+      return { healthy: false };
+    }
+    const body = await response.json();
+    return { healthy: body.status === "Healthy" };
+  }
+  /**
+   * Register the client's SSH public key with the server.
+   * Returns the normalized public key string accepted by the server.
+   */
+  async registerPublicKey(publicKey) {
+    if (!await this.isApiClientReady() || !this.apiClient) {
+      throw new Error("API client not initialized. Please authenticate first.");
+    }
+    const response = await this.apiClient.registerPublicKey({ publicKey });
+    if (response.publicKey == null) {
+      throw new Error(
+        "Server did not return the registered public key. The server may be outdated."
+      );
+    }
+    return response.publicKey;
+  }
+  async getSSHCredentials() {
+    if (!await this.isApiClientReady() || !this.apiClient) {
+      throw new Error("API client not initialized. Please authenticate first.");
+    }
+    try {
+      this.logger.debug("Fetching SSH credentials...");
+      const sshCredentials = await this.apiClient.getSshCredentials();
+      this.logger.debug(
+        `SSH credentials fetched for user '${sshCredentials.email ?? "unknown"}'`
+      );
+      return sshCredentials;
+    } catch (error) {
+      this.logger.warn("Failed to fetch SSH credentials:", error);
+      throw error;
+    }
+  }
+  /**
+   * Get current user information
+   */
+  async getCurrentUser() {
+    if (!await this.isApiClientReady() || !this.apiClient) {
+      throw new Error("API client not initialized. Please authenticate first.");
+    }
+    try {
+      this.logger.debug("Fetching current user from Periscope server...");
+      const user = await this.apiClient.getCurrentUser();
+      this.logger.debug(
+        "Successfully fetched current user from Periscope server"
+      );
+      return user;
+    } catch (error) {
+      this.logger.warn(
+        "Failed to fetch current user from Periscope server:",
+        error
+      );
+      throw error;
+    }
+  }
+  /**
+   * Get current user's account status from the server.
+   * Returns the status string (e.g., "Active", "PendingApproval").
+   * Throws if the status cannot be determined (fail-closed).
+   */
+  async getUserStatus() {
+    const user = await this.getCurrentUser();
+    if (!user.status) {
+      throw new Error("Server did not return account status");
+    }
+    return user.status;
+  }
+  /**
+   * Get current user's Terms of Service acceptance status.
+   * Uses direct fetch since these endpoints may not yet be in the generated API client.
+   */
+  async getTermsStatus() {
+    if (!await this.isApiClientReady()) {
+      throw new Error("API client not initialized. Please authenticate first.");
+    }
+    if (!this.authManager) {
+      throw new Error(
+        "Auth manager not initialized. Cannot check terms status."
+      );
+    }
+    const token = await this.authManager.getValidToken();
+    const response = await this.fetchWithOptions(
+      `${this.config.serverUrl}/api/user/terms-status`,
+      {
+        method: "GET",
+        headers: {
+          Authorization: `Bearer ${token}`,
+          Accept: "application/json"
+        }
+      }
+    );
+    if (!response.ok) {
+      throw new Error(
+        `Failed to get terms status: ${response.status} ${response.statusText}`
+      );
+    }
+    return await response.json();
+  }
+  /**
+   * Accept the Terms of Service for the current user.
+   */
+  async acceptTerms(termsVersion) {
+    if (!await this.isApiClientReady()) {
+      throw new Error("API client not initialized. Please authenticate first.");
+    }
+    if (!this.authManager) {
+      throw new Error("Auth manager not initialized. Cannot accept terms.");
+    }
+    const token = await this.authManager.getValidToken();
+    const response = await this.fetchWithOptions(
+      `${this.config.serverUrl}/api/user/accept-terms`,
+      {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${token}`,
+          "Content-Type": "application/json",
+          Accept: "application/json"
+        },
+        body: JSON.stringify({ termsVersion })
+      }
+    );
+    if (!response.ok) {
+      throw new Error(
+        `Failed to accept terms: ${response.status} ${response.statusText}`
+      );
+    }
+  }
+  /**
+   * Update the user's slug for tunnel namespacing (ELF-166).
+   * Requires authentication.
+   */
+  async updateSlug(request) {
+    if (!await this.isApiClientReady() || !this.apiClient) {
+      throw new Error("API client not initialized. Please authenticate first.");
+    }
+    try {
+      await this.apiClient.updateUserSlug(request);
+    } catch (error) {
+      if (error && typeof error === "object" && "status" in error && error.status === 409) {
+        throw Object.assign(new Error("Slug already in use"), {
+          response: { status: 409 }
+        });
+      }
+      throw error;
+    }
+  }
+  /**
+   * Validate the SSH host key received during the SSH handshake (ELF-198).
+   * Sends the raw SSH wire-format public key bytes (base64-encoded) to the server,
+   * which compares them against its own key using constant-time comparison.
+   * Throws ApiException with status 422 if the key does not match (potential MITM).
+   */
+  async validateSshHostKey(keyBytes) {
+    if (!await this.isApiClientReady() || !this.apiClient) {
+      throw new Error("API client not initialized. Please authenticate first.");
+    }
+    await this.apiClient.validateSshHostKey({ keyBytes });
+  }
+  /**
+   * Submit user feedback to create a Linear issue.
+   * Requires authentication.
+   */
+  async submitFeedback(message) {
+    if (!await this.isApiClientReady() || !this.apiClient) {
+      throw new Error("API client not initialized. Please authenticate first.");
+    }
+    try {
+      this.logger.debug("Submitting feedback...");
+      const response = await this.apiClient.submitFeedback({
+        message,
+        source: "cli"
+      });
+      this.logger.debug("Feedback submitted successfully");
+      return response;
+    } catch (error) {
+      this.logger.warn("Failed to submit feedback:", error);
+      throw error;
+    }
+  }
+  /**
+   * Get the Application Insights connection string from the authenticated telemetry endpoint.
+   * Returns null if not authenticated or if the server has no connection string configured.
+   */
+  async getTelemetryConnectionString() {
+    if (!await this.isApiClientReady()) {
+      return null;
+    }
+    try {
+      const config2 = await this.apiClient.telemetryGET();
+      return config2.applicationInsightsConnectionString ?? null;
+    } catch (error) {
+      this.logger.debug("Failed to fetch telemetry connection string:", error);
+      return null;
+    }
+  }
+  /**
+   * Get the configuration object
+   */
+  getConfig() {
+    return this.config;
+  }
+};
+
+// src/lib/secure-memory.ts
+init_readline_instance();
+var activeTunnelManagers = /* @__PURE__ */ new Set();
+function registerTunnelManager(tunnelManager) {
+  activeTunnelManagers.add(tunnelManager);
+}
+function unregisterTunnelManager(tunnelManager) {
+  activeTunnelManagers.delete(tunnelManager);
+}
+async function stopActiveTunnelManagers() {
+  const logger = getLogger().child("SecureCleanup");
+  const managers = [...activeTunnelManagers];
+  activeTunnelManagers.clear();
+  for (const tunnelManager of managers) {
+    try {
+      await tunnelManager.stopAll();
+    } catch (error) {
+      logger.error("Error during tunnel cleanup:", error);
+    }
+  }
+}
+var setupDone = false;
+function setupSecureCleanup() {
+  if (setupDone) return;
+  setupDone = true;
+  let isCleaningUp = false;
+  const logger = getLogger().child("SecureCleanup");
+  const cleanup = async () => {
+    if (isCleaningUp) return;
+    isCleaningUp = true;
+    logger.info("Cleaning up...");
+    await stopActiveTunnelManagers();
+  };
+  const exit = async (code) => {
+    const { gracefulExit: gracefulExit2 } = await Promise.resolve().then(() => (init_process_lifecycle(), process_lifecycle_exports));
+    await gracefulExit2(code);
+  };
+  process.on("SIGINT", async () => {
+    if (process.env.PERISCOPE_INTERACTIVE === "true" && isReadlineActive()) {
+      return;
+    }
+    logger.info("Shutting down gracefully...");
+    await cleanup();
+    await exit(0);
+  });
+  process.on("SIGTERM", async () => {
+    logger.info("Shutting down gracefully...");
+    await cleanup();
+    await exit(0);
+  });
+  process.on("uncaughtException", async (error) => {
+    if (isSshChannelDisposedError(error)) {
+      logger.warn(
+        `SSH channel disposed (connection lost) \u2014 reconnection will be attempted: ${error.message}`
+      );
+      return;
+    }
+    logger.error("Uncaught exception:", error);
+    try {
+      const { trackException: trackException2 } = await Promise.resolve().then(() => (init_telemetry(), telemetry_exports));
+      trackException2(error, { source: "uncaughtException" });
+    } catch {
+    }
+    await cleanup();
+    await exit(1);
+  });
+  process.on("unhandledRejection", async (reason, promise) => {
+    logger.error("Unhandled rejection at:", promise, "reason:", reason);
+    try {
+      const { trackException: trackException2 } = await Promise.resolve().then(() => (init_telemetry(), telemetry_exports));
+      const error = reason instanceof Error ? reason : new Error(String(reason));
+      trackException2(error, { source: "unhandledRejection" });
+    } catch {
+    }
+    await cleanup();
+    await exit(1);
+  });
+}
+async function performSecureCleanup() {
+  const logger = getLogger().child("SecureCleanup");
+  logger.info("Performing secure cleanup...");
+  await stopActiveTunnelManagers();
+}
+function isSshChannelDisposedError(error) {
+  return error.name === "ObjectDisposedError";
+}
+
+// src/lib/tunnel-manager.ts
+import {
+  SshSessionConfiguration,
+  SshDisconnectReason,
+  SshAuthenticationType
+} from "@microsoft/dev-tunnels-ssh";
+
+// src/lib/ssh-key-manager.ts
+import * as fs7 from "node:fs";
+import * as path6 from "node:path";
+import * as os3 from "node:os";
+import {
+  SshAlgorithms
+} from "@microsoft/dev-tunnels-ssh";
+import {
+  exportPrivateKey,
+  exportPublicKey,
+  importKeyFile
+} from "@microsoft/dev-tunnels-ssh-keys";
+var KEY_FORMAT_SSH = 1;
+var KEY_FORMAT_PRIVATE = 0;
+var DEFAULT_KEY_DIR = path6.join(os3.homedir(), ".periscope");
+var DEFAULT_PRIVATE_KEY_FILE = "id_ecdsa";
+var SshKeyNotFoundError = class extends Error {
+  constructor(keyPath) {
+    super(
+      `SSH key not found at ${keyPath}. Run 'periscope user key generate' to generate and register a key.`
+    );
+    this.name = "SshKeyNotFoundError";
+    Object.setPrototypeOf(this, new.target.prototype);
+  }
+};
+var SshKeyManager = class {
+  /**
+   * Returns the default SSH private key path.
+   */
+  static getDefaultKeyPath() {
+    return path6.join(DEFAULT_KEY_DIR, DEFAULT_PRIVATE_KEY_FILE);
+  }
+  /**
+   * Generates a new ECDSA P-256 key pair and saves to disk.
+   * Warns before overwriting an existing key — callers should confirm with the user
+   * before calling this on an already-registered key path.
+   */
+  static async generateKeyPair(keyPath) {
+    const privateKeyPath = keyPath ?? this.getDefaultKeyPath();
+    const publicKeyPath = `${privateKeyPath}.pub`;
+    if (fs7.existsSync(privateKeyPath)) {
+      log.warn(
+        `Overwriting existing SSH key at ${privateKeyPath}. Any active tunnels using the old key will need to reconnect after re-login.`
+      );
+    }
+    fs7.mkdirSync(path6.dirname(privateKeyPath), { recursive: true });
+    const algorithms = SshAlgorithms.publicKey;
+    const algorithm = algorithms["ecdsaSha2Nistp256"];
+    if (!algorithm) {
+      throw new Error("ECDSA P-256 algorithm not available");
+    }
+    const keyPair = await algorithm.generateKeyPair();
+    const privateKeyStr = await exportPrivateKey(
+      keyPair,
+      null,
+      KEY_FORMAT_PRIVATE
+    );
+    const publicKeyStr = await exportPublicKey(keyPair, KEY_FORMAT_SSH);
+    const tmpPrivatePath = `${privateKeyPath}.tmp`;
+    const tmpPublicPath = `${publicKeyPath}.tmp`;
+    try {
+      fs7.writeFileSync(tmpPrivatePath, privateKeyStr, { mode: 384 });
+      fs7.writeFileSync(tmpPublicPath, publicKeyStr, { mode: 420 });
+      fs7.renameSync(tmpPrivatePath, privateKeyPath);
+      fs7.renameSync(tmpPublicPath, publicKeyPath);
+    } catch (err) {
+      for (const tmp of [tmpPrivatePath, tmpPublicPath]) {
+        try {
+          fs7.unlinkSync(tmp);
+        } catch {
+        }
+      }
+      throw err;
+    }
+    log.debug(`SSH key pair generated at ${privateKeyPath}`);
+    return keyPair;
+  }
+  /**
+   * Loads an existing key pair from disk.
+   * Throws if the key file does not exist.
+   */
+  static async loadKeyPair(keyPath) {
+    const privateKeyPath = keyPath ?? this.getDefaultKeyPath();
+    if (!fs7.existsSync(privateKeyPath)) {
+      throw new SshKeyNotFoundError(privateKeyPath);
+    }
+    try {
+      return await importKeyFile(privateKeyPath, null);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      throw new Error(
+        `Failed to load SSH key at ${privateKeyPath}: ${msg}. If the key is passphrase-protected, use an unprotected key or specify an alternative key path with --key.`
+      );
+    }
+  }
+  /**
+   * Ensures a key pair exists, generating one if not.
+   * Returns the loaded key pair.
+   */
+  static async ensureKeyPair(keyPath) {
+    const privateKeyPath = keyPath ?? this.getDefaultKeyPath();
+    if (!fs7.existsSync(privateKeyPath)) {
+      log.info("Generating SSH key pair...");
+      return this.generateKeyPair(keyPath);
+    }
+    return this.loadKeyPair(keyPath);
+  }
+  /**
+   * Exports the public key from an in-memory KeyPair in SSH wire format.
+   * Use this after generateKeyPair() or ensureKeyPair() to avoid a redundant disk read.
+   */
+  static async exportPublicKey(keyPair) {
+    return (await exportPublicKey(keyPair, KEY_FORMAT_SSH)).trim();
+  }
+  /**
+   * Returns the public key string in SSH format (e.g. "ecdsa-sha2-nistp256 AAAA...").
+   * Reads from the .pub file if present; otherwise imports the private key to derive it.
+   */
+  static async getPublicKeyString(keyPath) {
+    const privateKeyPath = keyPath ?? this.getDefaultKeyPath();
+    const publicKeyPath = `${privateKeyPath}.pub`;
+    if (fs7.existsSync(publicKeyPath)) {
+      return fs7.readFileSync(publicKeyPath, "utf-8").trim();
+    }
+    const keyPair = await this.loadKeyPair(keyPath);
+    return (await exportPublicKey(keyPair, KEY_FORMAT_SSH)).trim();
+  }
+  /**
+   * Returns info about the current SSH key (path, existence).
+   */
+  static getKeyInfo(keyPath) {
+    const privateKeyPath = keyPath ?? this.getDefaultKeyPath();
+    return {
+      exists: fs7.existsSync(privateKeyPath),
+      path: privateKeyPath,
+      pubKeyPath: `${privateKeyPath}.pub`
+    };
+  }
+};
+
+// src/lib/interactive-utils.ts
+function isInteractiveMode() {
+  return process.env.PERISCOPE_INTERACTIVE === "true";
+}
+function exitOrThrow(code, message) {
+  if (isInteractiveMode()) {
+    throw new Error(message || `Command failed with exit code ${code}`);
+  } else {
+    if (message) {
+      log.error(message);
+    }
+    process.exit(code);
+  }
+}
+
+// src/lib/tunnel-utils.ts
+function displayTunnelInfo(tunnel, serverUrl, options) {
+  const {
+    isInteractive = false,
+    tunnelName,
+    showBackgroundStatus = false,
+    showAsListItem = false
+  } = options || {};
+  const serverHostname = tunnel.sshHost || new URL(serverUrl).hostname;
+  let remoteUrl;
+  if (tunnel.remoteURL) {
+    remoteUrl = tunnel.remoteURL;
+  } else if (tunnel.name && tunnel.wildcardHostname) {
+    const separator = tunnel.urlSeparator || ".";
+    const fullSubdomain = tunnel.slug ? `${tunnel.name}-${tunnel.slug}` : tunnel.name;
+    remoteUrl = `https://${fullSubdomain}${separator}${tunnel.wildcardHostname}`;
+  } else if (tunnel.name) {
+    const fullSubdomain = tunnel.slug ? `${tunnel.name}-${tunnel.slug}` : tunnel.name;
+    remoteUrl = `https://${fullSubdomain}.${serverHostname}`;
+  } else {
+    remoteUrl = "N/A";
+  }
+  if (isInteractive && tunnelName) {
+    log.success(`Tunnel connected: ${tunnelName}`);
+  }
+  if (showAsListItem) {
+    log.info(`  Local: localhost:${tunnel.clientPort || "N/A"}`);
+    log.info(`  Server: ${serverHostname}:${tunnel.sshTunnelPort || 443}`);
+    log.info(`  \u{1F310} Remote URL: ${remoteUrl}`);
+    log.info("\u2500".repeat(60));
+  } else {
+    log.info(`Local: localhost:${tunnel.clientPort || "N/A"}`);
+    log.info(`Server: ${serverHostname}:${tunnel.sshTunnelPort || 443}`);
+    log.info(`Remote URL: ${remoteUrl}`);
+  }
+  if (showBackgroundStatus) {
+    log.info("Status: Running in background");
+  }
+}
+
+// src/lib/tunnel-manager.ts
+import {
+  SshClient,
+  PortForwardingService as PortForwardingService2
+} from "@microsoft/dev-tunnels-ssh-tcp";
+
+// src/lib/error-classifier.ts
+var HTTP_STATUS = {
+  BAD_REQUEST: 400,
+  UNAUTHORIZED: 401,
+  FORBIDDEN: 403,
+  NOT_FOUND: 404,
+  REQUEST_TIMEOUT: 408,
+  RATE_LIMITED: 429,
+  INTERNAL_SERVER_ERROR: 500,
+  BAD_GATEWAY: 502,
+  SERVICE_UNAVAILABLE: 503,
+  GATEWAY_TIMEOUT: 504,
+  CLOUDFLARE_ERROR: 522,
+  ORIGIN_UNREACHABLE: 523,
+  TIMEOUT: 524
+};
+var ErrorClassifier = class {
+  /**
+   * Classify an error based on various signals
+   */
+  static classify(error, context) {
+    const errorMessage = this.extractMessage(error).toLowerCase();
+    const httpStatus = this.extractHttpStatus(error);
+    if (this.isAuthenticationError(errorMessage, httpStatus)) {
+      return this.createAuthenticationError(errorMessage, httpStatus);
+    }
+    if (this.isAuthorizationError(errorMessage, httpStatus)) {
+      return this.createAuthorizationError(errorMessage, httpStatus);
+    }
+    if (this.isNetworkError(errorMessage, httpStatus)) {
+      return this.createNetworkError(errorMessage, httpStatus);
+    }
+    if (this.isValidationError(errorMessage, httpStatus)) {
+      return this.createValidationError(errorMessage, context);
+    }
+    if (this.isServerError(errorMessage, httpStatus)) {
+      return this.createServerError(errorMessage, httpStatus);
+    }
+    if (this.isTunnelError(errorMessage, context)) {
+      return this.createTunnelError(errorMessage, context);
+    }
+    return this.createUnknownError(errorMessage, httpStatus);
+  }
+  /**
+   * Extract message from various error formats
+   */
+  static extractMessage(error) {
+    if (error instanceof Error) {
+      return error.message;
+    }
+    if (error && typeof error === "object") {
+      const err = error;
+      if (typeof err.message === "string") {
+        return err.message;
+      }
+    }
+    return String(error);
+  }
+  static extractHttpStatus(error) {
+    if (error && typeof error === "object") {
+      const err = error;
+      if (typeof err.status === "number") return err.status;
+      if (typeof err.statusCode === "number") return err.statusCode;
+      if (typeof err.response?.status === "number") return err.response.status;
+      if (typeof err.response?.statusCode === "number")
+        return err.response.statusCode;
+      if (typeof err.code === "number") return err.code;
+      const message = err.message || "";
+      const statusMatch = message.match(/\b([4-5]\d{2})\b/);
+      if (statusMatch) {
+        const statusCode = parseInt(statusMatch[1], 10);
+        if (statusCode >= 400 && statusCode < 600) {
+          return statusCode;
+        }
+      }
+    }
+    return void 0;
+  }
+  static isAuthenticationError(message, status) {
+    const authKeywords = [
+      "authentication failed",
+      "token expired",
+      "invalid token",
+      "token invalid",
+      "authentication required",
+      "login required",
+      "session expired",
+      "unauthorized",
+      "not authenticated",
+      "invalid credentials"
+    ];
+    return status === HTTP_STATUS.UNAUTHORIZED || authKeywords.some((keyword) => message.includes(keyword));
+  }
+  static isAuthorizationError(message, status) {
+    const authzKeywords = [
+      "forbidden",
+      "access denied",
+      "insufficient permissions",
+      "not authorized",
+      "permission denied",
+      "scope required",
+      "accountpendingapproval",
+      "maxusersexceeded",
+      "user limit reached"
+    ];
+    return status === HTTP_STATUS.FORBIDDEN || authzKeywords.some((keyword) => message.includes(keyword));
+  }
+  static isNetworkError(message, status) {
+    const networkKeywords = [
+      "connection timeout",
+      "network error",
+      "connection refused",
+      "connection reset",
+      "dns lookup failed",
+      "host not found",
+      "enotfound",
+      "econnrefused",
+      "econnreset",
+      "etimedout",
+      "socket hang up",
+      "network unreachable",
+      "rate limited",
+      "too many requests",
+      "request rate exceeded",
+      "fetch failed",
+      "server is unreachable",
+      "failed to fetch"
+    ];
+    const networkStatuses = [
+      HTTP_STATUS.REQUEST_TIMEOUT,
+      HTTP_STATUS.RATE_LIMITED,
+      HTTP_STATUS.BAD_GATEWAY,
+      HTTP_STATUS.SERVICE_UNAVAILABLE,
+      HTTP_STATUS.GATEWAY_TIMEOUT,
+      HTTP_STATUS.CLOUDFLARE_ERROR,
+      HTTP_STATUS.ORIGIN_UNREACHABLE,
+      HTTP_STATUS.TIMEOUT
+    ];
+    return status !== void 0 && networkStatuses.includes(status) || networkKeywords.some((keyword) => message.includes(keyword));
+  }
+  static isValidationError(message, status) {
+    const validationKeywords = [
+      "validation error",
+      "invalid input",
+      "bad request",
+      "malformed",
+      "invalid format",
+      "missing required",
+      "invalid parameter"
+    ];
+    return status === HTTP_STATUS.BAD_REQUEST || validationKeywords.some((keyword) => message.includes(keyword));
+  }
+  static isServerError(message, status) {
+    const serverKeywords = [
+      "internal server error",
+      "server error",
+      "service unavailable",
+      "database error",
+      "configuration error"
+    ];
+    return status !== void 0 && status >= 500 && status < 600 || serverKeywords.some((keyword) => message.includes(keyword));
+  }
+  static isTunnelError(message, context) {
+    const tunnelKeywords = [
+      "tunnel",
+      "ssh connection",
+      "port forwarding",
+      "local port",
+      "remote port",
+      "address already in use",
+      "port already in use",
+      "bind failed",
+      "eaddrinuse",
+      "port is not available",
+      "connection already exists",
+      "failed to establish tunnel"
+    ];
+    const portInUsePattern = /port\s+\d+\s+is\s+already\s+in\s+use/i;
+    const isTunnelContext = context?.toLowerCase().includes("tunnel");
+    return isTunnelContext || tunnelKeywords.some((keyword) => message.includes(keyword)) || portInUsePattern.test(message);
+  }
+  static createAuthenticationError(message, status) {
+    const isTokenExpired2 = message.includes("expired");
+    const isInvalidToken = message.includes("invalid") && message.includes("token");
+    return {
+      type: "authentication" /* AUTHENTICATION */,
+      severity: "high" /* HIGH */,
+      httpStatus: status,
+      isRetryable: true,
+      userMessage: isTokenExpired2 ? "Your session has expired. Please log in again." : isInvalidToken ? "Your authentication token is invalid. Please log in again." : "Authentication required. Please log in.",
+      suggestedActions: [
+        "Run: periscope auth login",
+        "Check status: periscope status"
+      ],
+      technicalDetails: isTokenExpired2 ? "Token expiration detected" : isInvalidToken ? "Invalid token format or signature" : "Authentication credentials missing or invalid"
+    };
+  }
+  static createAuthorizationError(message, status) {
+    const isPendingApproval = message.includes("accountpendingapproval") || message.includes("pending approval");
+    const isMaxUsersExceeded = message.includes("maxusersexceeded") || message.includes("user limit reached");
+    if (isMaxUsersExceeded) {
+      return {
+        type: "authorization" /* AUTHORIZATION */,
+        severity: "high" /* HIGH */,
+        httpStatus: status,
+        isRetryable: false,
+        userMessage: "Your organization has reached its maximum user limit. No new accounts can be created.",
+        suggestedActions: [
+          "Contact your administrator to increase the user limit or remove inactive users",
+          "Check your license details with your administrator"
+        ],
+        technicalDetails: "Server returned MaxUsersExceeded (HTTP 403)"
+      };
+    }
+    return {
+      type: "authorization" /* AUTHORIZATION */,
+      severity: "high" /* HIGH */,
+      httpStatus: status,
+      isRetryable: false,
+      userMessage: isPendingApproval ? "Your account is pending approval by an administrator." : "Access denied. You do not have permission to perform this action.",
+      suggestedActions: isPendingApproval ? [
+        "Wait for an administrator to approve your account",
+        "Check your account status: periscope status"
+      ] : [
+        "Check your account permissions",
+        "Contact your administrator if you believe you should have access",
+        "Verify you are using the correct account: periscope status"
+      ],
+      technicalDetails: isPendingApproval ? "Account status is PendingApproval" : "Insufficient permissions for the requested operation"
+    };
+  }
+  static createNetworkError(message, status) {
+    const isTimeout = message.includes("timeout");
+    const isConnectionRefused = message.includes("refused") || message.includes("econnrefused");
+    const isDnsError = message.includes("enotfound") || message.includes("dns");
+    const isServerUnreachable = message.includes("server is unreachable") || message.includes("fetch failed");
+    const isRateLimited = status === HTTP_STATUS.RATE_LIMITED || message.includes("rate limited") || message.includes("too many requests");
+    const urlMatch = message.match(/\((https?:\/\/[^)]+)\)/);
+    const serverUrl = urlMatch ? urlMatch[1] : null;
+    let userMessage;
+    if (isServerUnreachable) {
+      userMessage = serverUrl ? `Cannot connect to server at ${serverUrl}. Please check your network connection.` : "Cannot connect to server. Please check your network connection and server URL.";
+    } else if (isRateLimited) {
+      userMessage = "Too many requests. Please wait a few minutes and try again.";
+    } else if (isDnsError) {
+      userMessage = serverUrl ? `Cannot resolve server address for ${serverUrl}. Please check the server URL.` : "Cannot resolve server address. Please check the server URL.";
+    } else if (isConnectionRefused) {
+      userMessage = serverUrl ? `Connection refused by ${serverUrl}. The server may be down or unreachable.` : "Connection refused. The server may be down or unreachable.";
+    } else if (isTimeout) {
+      userMessage = "Request timed out. Please try again.";
+    } else {
+      userMessage = "Network error. Please check your connection.";
+    }
+    return {
+      type: "network" /* NETWORK */,
+      severity: isTimeout ? "medium" /* MEDIUM */ : isRateLimited ? "low" /* LOW */ : "high" /* HIGH */,
+      httpStatus: status,
+      isRetryable: true,
+      userMessage,
+      suggestedActions: isRateLimited ? [
+        "Wait a few minutes before trying again",
+        "Reduce the frequency of requests",
+        "Check if you have exceeded the rate limit"
+      ] : [
+        "Check your internet connection",
+        "Verify the server URL is correct: periscope config get",
+        "Check network connectivity and firewall settings"
+      ],
+      technicalDetails: isDnsError ? "DNS resolution failed" : isConnectionRefused ? "Connection refused by server" : isTimeout ? "Request timeout" : isRateLimited ? "API rate limit exceeded" : "Network connectivity issue"
+    };
+  }
+  static createValidationError(message, context) {
+    return {
+      type: "validation" /* VALIDATION */,
+      severity: "low" /* LOW */,
+      httpStatus: HTTP_STATUS.BAD_REQUEST,
+      isRetryable: false,
+      userMessage: "Invalid input. Please check your command parameters.",
+      suggestedActions: [
+        "Check the command parameters and try again",
+        "Review the command documentation: periscope --help",
+        "Ensure all required parameters are provided"
+      ],
+      technicalDetails: `Input validation failed${context ? ` in context: ${context}` : ""}: ${message}`
+    };
+  }
+  static createServerError(message, status) {
+    const isServiceUnavailable = status === HTTP_STATUS.SERVICE_UNAVAILABLE || message.includes("unavailable");
+    return {
+      type: "server" /* SERVER */,
+      severity: "high" /* HIGH */,
+      httpStatus: status,
+      isRetryable: isServiceUnavailable,
+      userMessage: isServiceUnavailable ? "Server is temporarily unavailable. Please try again later." : "Server error. Please try again or contact support.",
+      suggestedActions: [
+        "Try again in a few minutes",
+        "Check server status or contact support if the problem persists"
+      ],
+      technicalDetails: isServiceUnavailable ? "Service temporarily unavailable" : "Internal server error"
+    };
+  }
+  static createTunnelError(message, context) {
+    const portInUsePattern = /port\s+\d+\s+is\s+already\s+in\s+use/i;
+    const isPortError = message.includes("port") && (message.includes("use") || message.includes("bound")) || portInUsePattern.test(message);
+    const isAddressInUse = message.includes("address already in use") || message.includes("eaddrinuse");
+    const isLocalServiceError = message.includes("local") && message.includes("service");
+    const isBindError = message.includes("bind failed");
+    const isConnectionFailed = message.includes("failed to establish tunnel") || message.includes("ssh connection");
+    return {
+      type: "tunnel" /* TUNNEL */,
+      severity: isPortError || isAddressInUse || isBindError ? "high" /* HIGH */ : "medium" /* MEDIUM */,
+      isRetryable: !(isPortError || isAddressInUse || isBindError),
+      userMessage: isAddressInUse || isPortError ? "Port is already in use. Try a different local port." : isBindError ? "Failed to bind to port. Check port availability and permissions." : isLocalServiceError ? "Local service is not running." : isConnectionFailed ? "Failed to establish SSH connection to tunnel server." : "Tunnel operation failed.",
+      suggestedActions: [
+        "Try using a different local port",
+        "Verify local port is not already in use: netstat -tlnp | grep :PORT",
+        "Check tunnel connection: periscope connect <name> --target http://localhost:<port>",
+        "Ensure local service is running on the specified port"
+      ],
+      technicalDetails: `${isAddressInUse ? "Address/port already in use (EADDRINUSE)" : isPortError ? "Port conflict detected" : isBindError ? "Port binding failed" : isLocalServiceError ? "Local service not available" : isConnectionFailed ? "SSH tunnel connection failed" : "Tunnel operation failed"}${context ? ` in context: ${context}` : ""}`
+    };
+  }
+  static createUnknownError(message, httpStatus) {
+    return {
+      type: "unknown" /* UNKNOWN */,
+      severity: "medium" /* MEDIUM */,
+      httpStatus,
+      isRetryable: true,
+      userMessage: "An unexpected error occurred. Please try again.",
+      suggestedActions: [
+        "Try the operation again",
+        "Check the command documentation: periscope --help",
+        "Contact support if the issue persists"
+      ],
+      technicalDetails: `Unclassified error occurred: ${message}`
+    };
+  }
+};
+
+// src/lib/request-monitor.ts
+import chalk3 from "chalk";
+import { PortForwardingService } from "@microsoft/dev-tunnels-ssh-tcp";
+
+// src/lib/config-manager.ts
+import * as fs8 from "fs";
+import * as path7 from "path";
+import * as os4 from "os";
+import * as dotenv from "dotenv";
+var ConfigManager = class {
+  static CONFIG_DIR = path7.join(os4.homedir(), ".periscope");
+  static CONFIG_FILE = "config.json";
+  static testConfig = null;
+  static getConfigPath() {
+    return path7.join(this.CONFIG_DIR, this.CONFIG_FILE);
+  }
+  /**
+   * Set a test configuration that bypasses file system operations
+   * Only use this in tests!
+   */
+  static setTestConfig(config2) {
+    if (process.env.NODE_ENV !== "test" && !process.env.VITEST) {
+      throw new Error("setTestConfig can only be used in test environment");
+    }
+    this.testConfig = config2;
+  }
+  /**
+   * Load configuration from file, environment variables, and .env file
+   * Priority order: environment variables > .env file > config file
+   */
+  static load() {
+    let config2 = {};
+    if (this.testConfig !== null) {
+      config2 = { ...this.testConfig };
+    } else {
+      this.loadDotEnv();
+      try {
+        const configPath = this.getConfigPath();
+        if (fs8.existsSync(configPath)) {
+          const content = fs8.readFileSync(configPath, "utf-8");
+          config2 = JSON.parse(content);
+        }
+      } catch (error) {
+        log.debug("Failed to load config:", error);
+      }
+    }
+    config2 = this.mergeEnvironmentVariables(config2);
+    return config2;
+  }
+  /**
+   * Load .env file from current working directory or project root
+   */
+  static loadDotEnv() {
+    const cwd = process.cwd();
+    const envPaths = [
+      path7.join(cwd, ".env"),
+      path7.join(cwd, ".env.local"),
+      // Also try parent directories up to 3 levels
+      path7.join(cwd, "..", ".env"),
+      path7.join(cwd, "..", "..", ".env"),
+      path7.join(cwd, "..", "..", "..", ".env")
+    ];
+    for (const envPath of envPaths) {
+      if (fs8.existsSync(envPath)) {
+        dotenv.config({ path: envPath });
+        break;
+      }
+    }
+  }
+  /**
+   * Merge environment variables into configuration
+   */
+  static mergeEnvironmentVariables(config2) {
+    const env = process.env;
+    if (env.PERISCOPE_SERVER_URL) {
+      config2.serverUrl = env.PERISCOPE_SERVER_URL;
+    }
+    if (env.PERISCOPE_LOG_LEVEL) {
+      config2.logLevel = env.PERISCOPE_LOG_LEVEL;
+    }
+    if (env.PERISCOPE_CA_CERT_PATH) {
+      config2.caCertPath = env.PERISCOPE_CA_CERT_PATH;
+    }
+    if (env.PERISCOPE_SHOW_REQUEST_LOG !== void 0) {
+      config2.showRequestLog = env.PERISCOPE_SHOW_REQUEST_LOG !== "false";
+    }
+    if (env.PERISCOPE_SSH_KEY_PATH) {
+      config2.sshKeyPath = env.PERISCOPE_SSH_KEY_PATH;
+    }
+    if (env.PERISCOPE_ALLOW_EXTERNAL_KEY !== void 0) {
+      config2.allowExternalKey = env.PERISCOPE_ALLOW_EXTERNAL_KEY === "true";
+    }
+    return config2;
+  }
+  static save(config2) {
+    if (this.testConfig !== null) {
+      this.testConfig = { ...config2 };
+      return;
+    }
+    try {
+      if (!fs8.existsSync(this.CONFIG_DIR)) {
+        fs8.mkdirSync(this.CONFIG_DIR, { recursive: true });
+      }
+      const configPath = this.getConfigPath();
+      fs8.writeFileSync(configPath, JSON.stringify(config2, null, 2));
+      fs8.chmodSync(configPath, 384);
+    } catch (error) {
+      throw new Error(
+        `Failed to save config: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
+    }
+  }
+};
+
+// src/lib/request-monitor.ts
+var HTTP_METHODS = /^(GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS|CONNECT|TRACE)\s+(\S+)/i;
+var MAX_PEEK_BYTES = 256;
+function parseAndLogRequestLine(chunk, _tunnelName) {
+  try {
+    const str = chunk.toString(
+      "utf8",
+      0,
+      Math.min(chunk.length, MAX_PEEK_BYTES)
+    );
+    const firstLine = str.split("\r\n")[0] || str.split("\n")[0];
+    const match = firstLine?.match(HTTP_METHODS);
+    if (match) {
+      log.raw(chalk3.dim(`  \u2190 ${match[1].toUpperCase()} ${match[2]}`));
+      return true;
+    }
+  } catch {
+  }
+  return false;
+}
+function monitorStream(stream, tunnelName) {
+  const originalPush = stream.push.bind(stream);
+  stream.push = function(chunk, encoding) {
+    if (chunk != null) {
+      try {
+        const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+        parseAndLogRequestLine(buf, tunnelName);
+      } catch {
+      }
+    }
+    return originalPush(chunk, encoding);
+  };
+}
+function setupRequestMonitor(session, tunnelName) {
+  const config2 = ConfigManager.load();
+  const monitorEnabled = config2.showRequestLog !== false;
+  try {
+    const pfs = session.activateService(PortForwardingService);
+    pfs.onForwardedPortConnecting((e) => {
+      if (e.isIncoming) {
+        e.stream.on("error", (err) => {
+          if (isSshChannelDisposedError(err)) {
+            log.debug(
+              `SSH stream closed for tunnel '${tunnelName}': ${err.message}`
+            );
+          } else {
+            log.debug(
+              `SSH stream error for tunnel '${tunnelName}': ${err.message}`
+            );
+          }
+        });
+        if (monitorEnabled) {
+          monitorStream(e.stream, tunnelName);
+        }
+      }
+    });
+    log.debug(
+      monitorEnabled ? `Request monitor active for tunnel '${tunnelName}'` : `Stream error handler active for tunnel '${tunnelName}' (request logging disabled)`
+    );
+  } catch (error) {
+    log.debug(
+      `Could not activate request monitor: ${error instanceof Error ? error.message : "Unknown error"}`
+    );
+  }
+}
+
+// src/lib/tunnel-manager.ts
+import * as net from "net";
+var PORT_CHECK_TIMEOUT_MS = 2e3;
+var PORT_MONITORING_INTERVAL_MS = 3e3;
+var DEFAULT_SSH_TUNNEL_PORT = 2222;
+var SSH_HOST_KEY_VALIDATION_TIMEOUT_MS = 1e4;
+var RECONNECT_INITIAL_DELAY_MS = 1e3;
+var RECONNECT_MAX_DELAY_MS = 3e4;
+var RECONNECT_BACKOFF_MULTIPLIER = 2;
+var RECONNECT_MAX_ATTEMPTS = 10;
+var TunnelManager = class {
+  constructor(client3) {
+    this.client = client3;
+    this.clientConfig = this.client.getConfig();
+    if (!this.clientConfig.serverUrl) {
+      log.error("No server URL configured for tunnel manager");
+      throw new Error("Server URL is not configured");
+    }
+    setupSecureCleanup();
+    registerTunnelManager(this);
+  }
+  activeTunnels = /* @__PURE__ */ new Map();
+  sshClients = /* @__PURE__ */ new Map();
+  retryIntervals = /* @__PURE__ */ new Map();
+  // Maps tunnel name to tunnel info for tracking local state
+  tunnelInfoMap = /* @__PURE__ */ new Map();
+  // Tracks active reconnection attempts per tunnel to prevent concurrent reconnects
+  reconnecting = /* @__PURE__ */ new Map();
+  // Tracks pending reconnection timeouts so they can be cancelled on cleanup
+  reconnectTimeouts = /* @__PURE__ */ new Map();
+  // Tracks tunnels being intentionally closed by the client so onClosed handler
+  // can distinguish client-initiated closes from server rejections
+  intentionalDisconnects = /* @__PURE__ */ new Set();
+  clientConfig;
+  // SSH key pair loaded once per TunnelManager instance (set in connect()).
+  // Reusing the same KeyPair across reconnects avoids repeated disk reads and
+  // ensures consistent auth if the key file is rotated while a tunnel is active.
+  sshKeyPair = null;
+  /**
+   * Check if a local port is listening
+   */
+  async isPortListening(port, host = "localhost") {
+    return new Promise((resolve) => {
+      const socket = new net.Socket();
+      socket.setTimeout(PORT_CHECK_TIMEOUT_MS);
+      socket.on("connect", () => {
+        socket.destroy();
+        resolve(true);
+      });
+      socket.on("timeout", () => {
+        socket.destroy();
+        resolve(false);
+      });
+      socket.on("error", () => {
+        resolve(false);
+      });
+      socket.connect(port, host);
+    });
+  }
+  /**
+   * Start monitoring for local service availability and manage tunnel connection
+   * TODO(ELF-122): Add connection queuing/debouncing to prevent race conditions
+   * during rapid port state changes
+   */
+  startPortMonitoring(tunnelInfo) {
+    const tunnelName = tunnelInfo.name;
+    const localPort = tunnelInfo.clientPort;
+    if (this.retryIntervals.has(tunnelName)) {
+      clearInterval(this.retryIntervals.get(tunnelName));
+    }
+    let lastServiceState = null;
+    let isReconnecting = false;
+    const interval = setInterval(async () => {
+      try {
+        const currentServiceState = await this.isPortListening(localPort);
+        const tunnelIsActive = this.activeTunnels.has(tunnelName);
+        if (lastServiceState !== null && lastServiceState !== currentServiceState) {
+          if (currentServiceState && !tunnelIsActive && !isReconnecting && !this.reconnecting.get(tunnelName)) {
+            log.debug(
+              `Local service started on port ${localPort} - reconnecting tunnel`
+            );
+            isReconnecting = true;
+            try {
+              await this.createSSHConnection(tunnelInfo);
+            } catch (error) {
+              log.error(
+                `Failed to reconnect tunnel: ${error instanceof Error ? error.message : "Unknown error"}`
+              );
+            }
+            isReconnecting = false;
+          } else if (!currentServiceState && tunnelIsActive) {
+            log.debug(
+              `Local service stopped on port ${localPort} - disconnecting tunnel`
+            );
+            await this.disconnectTunnel(tunnelName);
+          }
+        } else if (lastServiceState === null) {
+          if (currentServiceState) {
+            log.debug(
+              `Local service detected on port ${localPort} - tunnel active`
+            );
+          } else {
+            log.debug(
+              `No local service on port ${localPort} - tunnel will connect when service starts`
+            );
+            if (tunnelIsActive) {
+              await this.disconnectTunnel(tunnelName);
+            }
+          }
+        }
+        lastServiceState = currentServiceState;
+      } catch (error) {
+        log.error(
+          `Error in port monitoring: ${error instanceof Error ? error.message : "Unknown error"}`
+        );
+      }
+    }, PORT_MONITORING_INTERVAL_MS);
+    this.retryIntervals.set(tunnelName, interval);
+  }
+  /**
+   * Disconnect tunnel without stopping the monitoring
+   */
+  async disconnectTunnel(tunnelName) {
+    const session = this.activeTunnels.get(tunnelName);
+    if (session) {
+      this.intentionalDisconnects.add(tunnelName);
+      await session.close(
+        SshDisconnectReason.byApplication,
+        "Local service unavailable"
+      );
+      this.activeTunnels.delete(tunnelName);
+    }
+    const sshClient = this.sshClients.get(tunnelName);
+    if (sshClient) {
+      sshClient.dispose();
+      this.sshClients.delete(tunnelName);
+    }
+    const tunnelInfo = this.tunnelInfoMap.get(tunnelName);
+    if (tunnelInfo) {
+      tunnelInfo.isConnected = false;
+    }
+  }
+  /**
+   * Handle unexpected server disconnection by attempting reconnection with exponential backoff.
+   * Only triggers when the disconnect was NOT initiated by the client (e.g., server restart).
+   */
+  async handleServerDisconnect(tunnelName) {
+    if (this.reconnecting.get(tunnelName)) {
+      log.debug(`Reconnection already in progress for tunnel '${tunnelName}'`);
+      return;
+    }
+    const tunnelInfo = this.tunnelInfoMap.get(tunnelName);
+    if (!tunnelInfo) {
+      log.debug(
+        `Tunnel '${tunnelName}' no longer tracked, skipping reconnection`
+      );
+      return;
+    }
+    this.activeTunnels.delete(tunnelName);
+    const sshClient = this.sshClients.get(tunnelName);
+    if (sshClient) {
+      sshClient.dispose();
+      this.sshClients.delete(tunnelName);
+    }
+    tunnelInfo.isConnected = false;
+    this.reconnecting.set(tunnelName, true);
+    let attempt = 0;
+    let delay = RECONNECT_INITIAL_DELAY_MS;
+    const attemptReconnect = async () => {
+      if (!this.tunnelInfoMap.has(tunnelName) || !this.reconnecting.get(tunnelName)) {
+        log.debug(`Reconnection cancelled for tunnel '${tunnelName}'`);
+        this.reconnecting.delete(tunnelName);
+        return;
+      }
+      attempt++;
+      log.info(
+        `Reconnecting tunnel '${tunnelName}' (attempt ${attempt}/${RECONNECT_MAX_ATTEMPTS})...`
+      );
+      const isServiceRunning = await this.isPortListening(
+        tunnelInfo.clientPort
+      );
+      if (!isServiceRunning) {
+        log.info(
+          `Local service on port ${tunnelInfo.clientPort} is not running, deferring reconnection to port monitor`
+        );
+        this.reconnecting.delete(tunnelName);
+        return;
+      }
+      try {
+        await this.createSSHConnection(tunnelInfo);
+        if (!this.reconnecting.get(tunnelName) || !this.tunnelInfoMap.has(tunnelName)) {
+          log.debug(
+            `Tunnel '${tunnelName}' was disconnected during reconnection, cleaning up`
+          );
+          const newSession = this.activeTunnels.get(tunnelName);
+          if (newSession) {
+            this.intentionalDisconnects.add(tunnelName);
+            await newSession.close(SshDisconnectReason.byApplication);
+            this.activeTunnels.delete(tunnelName);
+          }
+          const newClient = this.sshClients.get(tunnelName);
+          if (newClient) {
+            newClient.dispose();
+            this.sshClients.delete(tunnelName);
+          }
+          this.reconnecting.delete(tunnelName);
+          return;
+        }
+        log.success(`Tunnel '${tunnelName}' reconnected successfully`);
+        this.reconnecting.delete(tunnelName);
+        this.reconnectTimeouts.delete(tunnelName);
+        return;
+      } catch (error) {
+        const classified = ErrorClassifier.classify(error, "tunnel-reconnect");
+        const message = classified.type === "network" /* NETWORK */ ? "server unreachable (may still be restarting)" : classified.userMessage;
+        log.warn(
+          `Reconnection attempt ${attempt}/${RECONNECT_MAX_ATTEMPTS} for tunnel '${tunnelName}': ${message}`
+        );
+      }
+      if (attempt >= RECONNECT_MAX_ATTEMPTS) {
+        log.error(
+          `Failed to reconnect tunnel '${tunnelName}' after ${RECONNECT_MAX_ATTEMPTS} attempts. Port monitor will retry when server becomes available.`
+        );
+        this.reconnecting.delete(tunnelName);
+        this.reconnectTimeouts.delete(tunnelName);
+        return;
+      }
+      delay = Math.min(
+        delay * RECONNECT_BACKOFF_MULTIPLIER,
+        RECONNECT_MAX_DELAY_MS
+      );
+      log.debug(`Next reconnection attempt for '${tunnelName}' in ${delay}ms`);
+      const timeout2 = setTimeout(() => {
+        attemptReconnect();
+      }, delay);
+      this.reconnectTimeouts.set(tunnelName, timeout2);
+    };
+    log.warn(
+      `Server connection lost for tunnel '${tunnelName}', will attempt reconnection...`
+    );
+    const timeout = setTimeout(() => {
+      attemptReconnect();
+    }, delay);
+    this.reconnectTimeouts.set(tunnelName, timeout);
+  }
+  /**
+   * Establishes SSH connection with authentication
+   * TODO(ELF-123): Add configurable timeout for SSH connection establishment
+   */
+  async createSSHConnection(tunnelInfo) {
+    const name = tunnelInfo.name;
+    const sshCredentials = await this.client.getSSHCredentials();
+    if (sshCredentials.wildcardHostname) {
+      tunnelInfo.wildcardHostname = sshCredentials.wildcardHostname;
+      tunnelInfo.urlSeparator = sshCredentials.urlSeparator || ".";
+    }
+    if (sshCredentials.serverPort) {
+      tunnelInfo.sshTunnelPort = sshCredentials.serverPort;
+    }
+    if (sshCredentials.slug) {
+      tunnelInfo.slug = sshCredentials.slug;
+    }
+    if (!this.sshKeyPair) {
+      throw new Error(
+        "SSH key pair not loaded. Call connect() before createSSHConnection()."
+      );
+    }
+    const keyPair = this.sshKeyPair;
+    const publicKey = await SshKeyManager.exportPublicKey(keyPair);
+    await this.client.registerPublicKey(publicKey);
+    const sessionConfig = new SshSessionConfiguration();
+    sessionConfig.addService(PortForwardingService2);
+    const sshClient = new SshClient(sessionConfig);
+    const baseHostname = new URL(this.clientConfig.serverUrl).hostname;
+    const serverHostname = sshCredentials.sshHost || baseHostname;
+    tunnelInfo.sshHost = serverHostname;
+    const serverPort = tunnelInfo.sshTunnelPort;
+    log.debug(`Connecting to SSH server: ${serverHostname}:${serverPort}`);
+    const session = await sshClient.openSession(serverHostname, serverPort);
+    session.onAuthenticating((e) => {
+      log.trace(`Server authentication event - Type: ${e.authenticationType}`);
+      const serverIdentity = {
+        identity: { isAuthenticated: true, name: "server" }
+      };
+      if (e.authenticationType !== SshAuthenticationType.serverPublicKey) {
+        e.authenticationPromise = Promise.reject(
+          new Error(
+            `Unexpected server authentication type: ${e.authenticationType}`
+          )
+        );
+        return;
+      }
+      if (!e.publicKey) {
+        e.authenticationPromise = Promise.reject(
+          new Error("Server did not present a public key during SSH handshake")
+        );
+        return;
+      }
+      const pk = e.publicKey;
+      log.trace(`Server public key algorithm: ${pk.keyAlgorithmName}`);
+      e.authenticationPromise = (async () => {
+        const keyBytes = await pk.getPublicKeyBytes(pk.keyAlgorithmName);
+        if (!keyBytes) {
+          throw new Error("Failed to read server public key bytes");
+        }
+        const base64KeyBytes = Buffer.from(keyBytes).toString("base64");
+        try {
+          let timeoutId;
+          const timeoutPromise = new Promise((_, reject) => {
+            timeoutId = setTimeout(
+              () => reject(
+                new Error(
+                  `timed out after ${SSH_HOST_KEY_VALIDATION_TIMEOUT_MS / 1e3} s`
+                )
+              ),
+              SSH_HOST_KEY_VALIDATION_TIMEOUT_MS
+            );
+          });
+          try {
+            await Promise.race([
+              this.client.validateSshHostKey(base64KeyBytes),
+              timeoutPromise
+            ]);
+          } finally {
+            clearTimeout(timeoutId);
+          }
+          log.trace("SSH host key verified via server API");
+        } catch (error) {
+          if (PeriscopeApi.ApiException.isApiException(error) && error.status === 422) {
+            throw new Error(
+              "SSH host key verification failed: the key received during the SSH handshake does not match the server key. This may indicate a MITM attack. Contact your administrator if the server was recently updated."
+            );
+          }
+          throw new Error(
+            `SSH host key validation failed: ${error instanceof Error ? error.message : String(error)}`
+          );
+        }
+        return serverIdentity;
+      })();
+    });
+    const serverAuthenticated = await session.authenticateServer();
+    if (!serverAuthenticated) {
+      throw new Error("Server authentication failed");
+    }
+    let username = `${sshCredentials.email}:${tunnelInfo.name}:${tunnelInfo.clientPort}`;
+    if (tunnelInfo.localScheme === "https") {
+      username += `:https`;
+      if (tunnelInfo.localHost) {
+        username += `:${tunnelInfo.localHost}`;
+      }
+    } else if (tunnelInfo.localHost) {
+      username += `:${tunnelInfo.localHost}`;
+    }
+    const credentials = {
+      username,
+      publicKeys: [keyPair]
+    };
+    const clientAuthenticated = await session.authenticateClient(credentials);
+    if (!clientAuthenticated) {
+      throw new Error(
+        "SSH key rejected by server. Run 'periscope user key generate' to re-register your key."
+      );
+    }
+    this.activeTunnels.set(name, session);
+    this.sshClients.set(name, sshClient);
+    setupRequestMonitor(session, name);
+    session.onClosed((e) => {
+      tunnelInfo.isConnected = false;
+      if (this.intentionalDisconnects.has(name)) {
+        this.intentionalDisconnects.delete(name);
+        return;
+      }
+      if (e.reason === SshDisconnectReason.byApplication && e.message) {
+        log.error(`Server rejected tunnel '${name}': ${e.message}`);
+        this.intentionalDisconnects.add(name);
+        this.disconnect(name).then(() => {
+          exitOrThrow(1);
+        }).catch(() => {
+          exitOrThrow(1);
+        });
+        return;
+      }
+      if (e.reason !== SshDisconnectReason.none) {
+        log.warn(
+          `Tunnel '${name}' disconnected unexpectedly: ${e.message || e.reason}`
+        );
+      }
+      this.handleServerDisconnect(name);
+    });
+    session.onDisconnected(() => {
+      if (!tunnelInfo.isConnected) {
+        return;
+      }
+      tunnelInfo.isConnected = false;
+      log.warn(`Tunnel '${name}' transport disconnected`);
+      this.handleServerDisconnect(name);
+    });
+    tunnelInfo.isConnected = true;
+    if (isInteractiveMode()) {
+      displayTunnelInfo(tunnelInfo, this.clientConfig.serverUrl, {
+        isInteractive: true,
+        tunnelName: name,
+        showBackgroundStatus: true
+      });
+    } else {
+      displayTunnelInfo(tunnelInfo, this.clientConfig.serverUrl);
+    }
+    return;
+  }
+  /**
+   * Connect to establish an ephemeral SSH tunnel
+   * @param name - Unique name for this tunnel
+   * @param localPort - Local port to forward through the tunnel
+   * @param localHost - Optional Host header override for local service
+   * @param localScheme - Optional scheme for local service ("http" or "https")
+   * @param sshKeyPath - Optional path to SSH private key file
+   */
+  async connect(name, localPort, localHost, localScheme, sshKeyPath) {
+    try {
+      if (!name) {
+        throw new Error("Tunnel name is required");
+      }
+      if (!/^[a-zA-Z0-9_-]+$/.test(name)) {
+        throw new Error(
+          "Tunnel name must contain only alphanumeric characters, hyphens, and underscores"
+        );
+      }
+      if (!localPort || localPort <= 0 || localPort > 65535) {
+        throw new Error("Valid local port is required (1-65535)");
+      }
+      if (localHost !== void 0 && !/^[a-zA-Z0-9.\-:[\]]+$/.test(localHost)) {
+        throw new Error(
+          "localHost contains invalid characters (allowed: alphanumeric, hyphens, dots, colons, square brackets)"
+        );
+      }
+      if (localScheme !== void 0 && localScheme !== "http" && localScheme !== "https") {
+        throw new Error('localScheme must be "http" or "https"');
+      }
+      if (!this.sshKeyPair) {
+        this.sshKeyPair = await SshKeyManager.loadKeyPair(
+          sshKeyPath ?? this.clientConfig.sshKeyPath
+        );
+      }
+      const tunnelInfo = {
+        name,
+        clientPort: localPort,
+        sshTunnelPort: DEFAULT_SSH_TUNNEL_PORT,
+        isConnected: false,
+        localHost,
+        localScheme
+      };
+      this.tunnelInfoMap.set(name, tunnelInfo);
+      log.info(
+        `Establishing tunnel '${name}' for local port ${localPort} on ${this.clientConfig.serverUrl}`
+      );
+      const isServiceRunning = await this.isPortListening(localPort);
+      if (!isServiceRunning) {
+        log.warn(`Local service not detected on port ${localPort}`);
+        log.warn(
+          "Waiting for service - tunnel will connect when service becomes available"
+        );
+        this.startPortMonitoring(tunnelInfo);
+        return tunnelInfo;
+      }
+      log.debug(
+        `Local service detected on port ${localPort} - establishing tunnel connection`
+      );
+      await this.createSSHConnection(tunnelInfo);
+      this.startPortMonitoring(tunnelInfo);
+      return tunnelInfo;
+    } catch (error) {
+      this.tunnelInfoMap.delete(name);
+      if (error instanceof SshKeyNotFoundError) {
+        throw error;
+      }
+      throw new Error(
+        `Failed to establish tunnel: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
+    }
+  }
+  /**
+   * Get list of active tunnels managed by this CLI session
+   */
+  getActiveTunnels() {
+    return Array.from(this.tunnelInfoMap.values());
+  }
+  /**
+   * Disconnect the SSH connection for a tunnel
+   */
+  async disconnect(name) {
+    this.reconnecting.delete(name);
+    const reconnectTimeout = this.reconnectTimeouts.get(name);
+    if (reconnectTimeout) {
+      clearTimeout(reconnectTimeout);
+      this.reconnectTimeouts.delete(name);
+    }
+    const interval = this.retryIntervals.get(name);
+    if (interval) {
+      clearInterval(interval);
+      this.retryIntervals.delete(name);
+    }
+    const session = this.activeTunnels.get(name);
+    if (session) {
+      this.intentionalDisconnects.add(name);
+      await session.close(
+        SshDisconnectReason.byApplication,
+        "Tunnel stopped by user"
+      );
+      this.activeTunnels.delete(name);
+    }
+    const sshClient = this.sshClients.get(name);
+    if (sshClient) {
+      sshClient.dispose();
+      this.sshClients.delete(name);
+    }
+    this.tunnelInfoMap.delete(name);
+    log.info(`Disconnected tunnel '${name}'`);
+  }
+  async stopAll() {
+    for (const [, timeout] of this.reconnectTimeouts) {
+      clearTimeout(timeout);
+    }
+    this.reconnectTimeouts.clear();
+    this.reconnecting.clear();
+    for (const [, interval] of this.retryIntervals) {
+      clearInterval(interval);
+    }
+    this.retryIntervals.clear();
+    for (const [name, session] of this.activeTunnels) {
+      this.intentionalDisconnects.add(name);
+      await session.close(
+        SshDisconnectReason.byApplication,
+        "All tunnels stopped"
+      );
+    }
+    this.activeTunnels.clear();
+    for (const [, sshClient] of this.sshClients) {
+      sshClient.dispose();
+    }
+    this.sshClients.clear();
+    this.sshKeyPair = null;
+    this.tunnelInfoMap.clear();
+  }
+  /**
+   * Cleanup and unregister this tunnel manager
+   */
+  async dispose() {
+    await this.stopAll();
+    unregisterTunnelManager(this);
+  }
+};
+
+// src/commands/tunnel.ts
+import * as fs9 from "node:fs";
+import * as os5 from "node:os";
+init_telemetry();
+init_readline_instance();
+
+// src/commands/base-command.ts
+init_readline_instance();
+
+// src/lib/terms.ts
+var TERMS_VERSION = "2026-02-14";
+var TERMS_TEXT = `
+PERISCOPE TERMS OF SERVICE
+Version: ${TERMS_VERSION}
+
+Copyright (c) 2024-2026 Elf 5. All rights reserved.
+
+By using Periscope ("the Service"), you agree to the following terms:
+
+1. ACCEPTANCE
+   By accessing or using Periscope, you agree to be bound by these Terms
+   of Service. If you do not agree, you may not use the Service.
+
+2. BETA PROGRAM
+   IMPORTANT: Periscope is currently in beta. By participating, you acknowledge:
+   - Beta products may contain bugs, errors, or incomplete features
+   - We may collect feedback and usage data to improve our products
+   - Beta access is provided "as is" without warranties of any kind
+   - We reserve the right to modify or terminate the beta at any time without notice
+   - The service may experience downtime, interruptions, or changes during the beta period
+
+3. SERVICE DESCRIPTION
+   Periscope provides secure SSH tunnel services that allow you to expose
+   local development services through publicly accessible URLs.
+
+4. ACCOUNT SECURITY
+   Periscope uses email-based passcode authentication. You are responsible for:
+   - Maintaining the security of the email address associated with your account
+   - Not sharing authentication passcodes sent to your email
+   - Promptly notifying us if you receive unexpected passcodes or suspect unauthorized access
+   - Ensuring your email address remains current and accessible
+   - All activities that occur using passcodes sent to your email address
+
+   We are not responsible for unauthorized access resulting from compromise of your
+   email account, sharing of passcodes, or use of an insecure or shared email address.
+
+5. ACCEPTABLE USE
+   You agree to use Periscope only for lawful purposes. You shall not:
+   - Use the Service to transmit harmful, illegal, or offensive content
+   - Violate any applicable laws or regulations
+   - Infringe upon the rights of others
+   - Distribute malicious software or engage in harmful activities
+   - Attempt to gain unauthorized access to other systems through tunnels
+   - Use the Service to circumvent network security policies
+   - Share your credentials or tunnel access with unauthorized parties
+   - Interfere with the proper functioning of our services
+
+6. DATA AND PRIVACY
+   - Tunnel traffic passes through Periscope infrastructure
+   - We collect minimal usage data (tunnel names, connection times, user identity)
+   - We do not inspect or store the content of your tunnel traffic
+   - Your authentication data is managed by your identity provider
+   - Your privacy is important to us. Our collection and use of personal information
+     is governed by our Privacy Policy
+
+   Data Access and Disclosure:
+   We reserve the right to access, preserve, and disclose your account information
+   and data if required by law or if we believe such action is necessary to:
+   (a) comply with legal process or government requests; (b) enforce these Terms;
+   (c) respond to claims of violation of third-party rights; or (d) protect the
+   rights, property, or safety of Elf 5, our users, or the public.
+
+7. DISCLAIMERS AND LIMITATIONS
+   Disclaimer of Warranties:
+   Our services are provided "as is" and "as available" without warranties of any kind,
+   either express or implied, including but not limited to warranties of merchantability,
+   fitness for a particular purpose, or non-infringement.
+
+   Limitation of Liability:
+   To the maximum extent permitted by law, Elf 5 shall not be liable for any indirect,
+   incidental, special, consequential, or punitive damages, or any loss of profits or
+   revenues, whether arising from:
+   - Your use or inability to use our services
+   - Services, applications, or data you expose through Periscope tunnels
+   - Unauthorized access to your tunnels or services due to your configuration choices
+   - Security vulnerabilities in services you make accessible through our platform
+   - Data breaches or exposure of sensitive information through tunnels you create
+   - Any actions taken by third parties who access services through your tunnels
+
+   User Responsibility:
+   You are solely responsible for the security, configuration, and content of any
+   services you expose through Periscope. You acknowledge that creating publicly
+   accessible tunnels to local services carries inherent security risks, and you
+   assume all such risks.
+
+   Liability Cap:
+   In no event shall Elf 5's total aggregate liability exceed the greater of:
+   (i) $100 USD or (ii) the total fees paid by you to Elf 5 in the twelve (12)
+   months immediately preceding the claim.
+
+8. TERMINATION
+   We may terminate or suspend your access to the Service at any time, with or
+   without cause or notice. Upon termination, your right to use our services will
+   cease immediately.
+
+9. CHANGES TO TERMS
+   We reserve the right to modify these Terms at any time. We will notify you of
+   any changes by updating the "Version" date. Your continued use of our services
+   after such modifications constitutes acceptance of the updated Terms.
+
+For questions, contact: hello@elf5.com
+`;
+
+// src/commands/base-command.ts
+init_telemetry();
+var BaseCommand = class {
+  /**
+   * Common error handler for all commands
+   * Uses ErrorClassifier for structured error handling based on HTTP status codes and error patterns
+   * @param action - Action constant from the command's Actions object (e.g., TunnelCommand.Action.CREATE)
+   * @param error - The error to handle
+   */
+  static handleError(action, error) {
+    log.debug(`handleError(${action}):`, error);
+    const classified = ErrorClassifier.classify(error, action);
+    log.debug(`Classified as: ${classified.type}`);
+    trackException(error, {
+      action,
+      errorType: classified.type,
+      userMessage: classified.userMessage
+    });
+    log.error(classified.userMessage);
+    if (classified.suggestedActions.length > 0) {
+      log.blank();
+      log.info("Troubleshooting:");
+      classified.suggestedActions.forEach((tip) => log.info(`  \u2022 ${tip}`));
+    }
+    exitOrThrow(1);
+  }
+  /**
+   * Display a warning that the account is pending approval.
+   */
+  static warnPendingApproval() {
+    log.warn("Your account is pending approval by an administrator.");
+    log.warn("You will be notified when your account has been approved.");
+    log.warn("Most commands will be unavailable until your account is active.");
+  }
+  /**
+   * Core authentication logic.
+   * Device code auth is hidden behind PERISCOPE_ENABLE_DEVICE_CODE=true for internal use.
+   * Returns the account status string if available.
+   */
+  static async authenticateWithChoice(client3, prompt = "select_account") {
+    log.info("Authentication required...");
+    const deviceCodeEnabled = process.env.PERISCOPE_ENABLE_DEVICE_CODE === "true";
+    let useBrowser = true;
+    if (deviceCodeEnabled) {
+      const rl = getReadlineInterface();
+      useBrowser = await new Promise((resolve, reject) => {
+        log.blank();
+        log.info("Choose authentication method:");
+        log.info("1. Browser authentication (recommended)");
+        log.info("2. Device code authentication");
+        try {
+          rl.question(
+            "Enter your choice (1 or 2) [default: 1]: ",
+            (answer) => resolve((answer.trim() || "1") === "1")
+          );
+        } catch (error) {
+          reject(error);
+        }
+      });
+    }
+    log.info(
+      useBrowser ? `Starting browser authentication (${prompt})...` : "Starting device code authentication..."
+    );
+    const authResult = useBrowser ? await client3.authenticateInteractive(prompt) : await client3.authenticate();
+    log.success("Authentication successful!");
+    log.success("Successfully authenticated");
+    log.info(`  Token expires: ${authResult.expiresOn.toLocaleString()}`);
+    log.info(
+      useBrowser ? `  Authentication method: Browser (${prompt})` : "  Authentication method: Device Code"
+    );
+    const method = useBrowser ? "browser" : "device_code";
+    try {
+      const status = await client3.getUserStatus();
+      if (status === AccountStatus.PENDING_APPROVAL) {
+        log.blank();
+        this.warnPendingApproval();
+      }
+      return { status, method };
+    } catch {
+      log.debug("Could not determine account status after authentication");
+      return { status: null, method };
+    }
+  }
+  /**
+   * Load config, validate server URL, init telemetry, and create client.
+   * Shared entry point for all command paths that need a PeriscopeClient.
+   * Accepts an optional pre-loaded config to avoid double-loading.
+   */
+  static async initClient(existingConfig) {
+    const config2 = existingConfig ?? ConfigManager.load();
+    if (!config2.serverUrl) {
+      log.error(
+        "Server URL not configured. Run: periscope config set --server <url>"
+      );
+      exitOrThrow(1);
+    }
+    return { client: new PeriscopeClient(config2), config: config2 };
+  }
+  /**
+   * Check client version compatibility with the server.
+   * Blocks on incompatible, warns on outdated, silent on compatible/null.
+   */
+  static async checkVersionCompatibility(serverUrl) {
+    try {
+      const packageJson = await Promise.resolve().then(() => (init_package(), package_exports));
+      const clientVersion = packageJson.default.version;
+      const response = await fetch(
+        `${serverUrl}/api/configuration?clientVersion=${encodeURIComponent(clientVersion)}`
+      );
+      if (!response.ok) {
+        return;
+      }
+      const config2 = await response.json();
+      if (config2.compatibilityStatus === "incompatible") {
+        log.blank();
+        log.error("CLIENT VERSION INCOMPATIBLE");
+        log.blank();
+        log.error(
+          config2.compatibilityMessage || `Your client version (${clientVersion}) is incompatible with this server.`
+        );
+        log.error(`Minimum required version: ${config2.minimumVersion}`);
+        log.error(`Latest version: ${config2.latestVersion}`);
+        log.blank();
+        log.error("Please upgrade:");
+        log.error("  npm update -g @elf5/periscope");
+        exitOrThrow(1);
+      } else if (config2.compatibilityStatus === "outdated") {
+        log.blank();
+        log.warn(
+          config2.compatibilityMessage || `Your client version (${clientVersion}) is outdated.`
+        );
+        log.warn(`Recommended version: ${config2.recommendedVersion}`);
+        log.warn(`Latest version: ${config2.latestVersion}`);
+        log.warn("Consider upgrading: npm update -g @elf5/periscope");
+        log.blank();
+      }
+    } catch (error) {
+      log.debug("Version compatibility check failed:", error);
+    }
+  }
+  /**
+   * Common setup for all commands - handles config loading and authentication
+   */
+  static async setupClient(actionDescription) {
+    const { client: client3, config: config2 } = await this.initClient();
+    await this.checkVersionCompatibility(config2.serverUrl);
+    let status = null;
+    let authMethod = null;
+    if (!await client3.isAuthenticated()) {
+      ({ status, method: authMethod } = await this.authenticateWithChoice(client3));
+      if (actionDescription) {
+        log.info(actionDescription);
+      }
+    }
+    let cachedUser = null;
+    if (status === null) {
+      cachedUser = await client3.getCurrentUser();
+      if (!cachedUser.status) {
+        throw new Error("Server did not return account status");
+      }
+      status = cachedUser.status;
+    } else {
+      try {
+        cachedUser = await client3.getCurrentUser();
+      } catch {
+      }
+    }
+    try {
+      const cs = await client3.getTelemetryConnectionString();
+      if (cs) await initTelemetry(cs);
+      setUserContext(cachedUser?.email);
+      if (authMethod) trackEvent("auth_login", { method: authMethod });
+    } catch {
+    }
+    if (status === AccountStatus.PENDING_APPROVAL) {
+      log.blank();
+      this.warnPendingApproval();
+      log.blank();
+      log.info("Available commands while pending:");
+      log.info(
+        "  periscope status         Show server, auth, and SSH key status"
+      );
+      log.info("  periscope auth logout    Sign out");
+      exitOrThrow(1);
+    }
+    await this.ensureTermsAccepted(client3);
+    return { client: client3, config: config2 };
+  }
+  /**
+   * Check if user has accepted the current Terms of Service.
+   * If not, display embedded TOS and prompt for acceptance.
+   */
+  static async ensureTermsAccepted(client3) {
+    try {
+      const termsStatus = await client3.getTermsStatus();
+      if (termsStatus.accepted) {
+        return;
+      }
+      log.blank();
+      log.info("Welcome to Periscope!");
+      log.blank();
+      log.info(
+        "Before you get started, please review and accept our Terms of Service."
+      );
+      log.blank();
+      console.log(TERMS_TEXT);
+      log.blank();
+      const accepted = await this.promptTermsAcceptance();
+      if (!accepted) {
+        log.error("You must accept the Terms of Service to use Periscope.");
+        exitOrThrow(1);
+      }
+      await client3.acceptTerms(TERMS_VERSION);
+      log.success("Terms of Service accepted.");
+      log.blank();
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      if (errorMessage.includes("404") || errorMessage.includes("Auth manager not initialized")) {
+        return;
+      }
+      throw error;
+    }
+  }
+  /**
+   * Prompt user to accept or decline Terms of Service.
+   */
+  static async promptTermsAcceptance() {
+    const rl = getReadlineInterface();
+    return new Promise((resolve) => {
+      rl.question("Do you accept the Terms of Service? [y/N] ", (answer) => {
+        resolve(answer.trim().toLowerCase() === "y");
+      });
+    });
+  }
+};
+
+// src/commands/tunnel.ts
+var SshKeySetupError = class extends Error {
+  constructor(cause) {
+    const msg = cause instanceof Error ? cause.message : String(cause);
+    super(`SSH key setup failed: ${msg}`);
+    this.cause = cause;
+    this.name = "SshKeySetupError";
+    Object.setPrototypeOf(this, new.target.prototype);
+  }
+};
+var TunnelCommand = class _TunnelCommand extends BaseCommand {
+  /** Action constants for type-safe error handling */
+  static Action = {
+    CONNECT: "connect to tunnel",
+    KEY_SETUP: "set up SSH key"
+  };
+  /**
+   * Wizard invoked when no local SSH key is found.
+   * By default, auto-generates a new key pair without prompting. When
+   * allowExternalKey is true (future enterprise feature), presents a menu
+   * that also allows providing a path to an existing key.
+   *
+   * Returns the resolved key path to use for the retry, or null if the user
+   * cancels. Throws SshKeySetupError if key generation or registration fails.
+   */
+  static async handleMissingKeyWizard(client3, customKeyPath) {
+    if (!process.stdin.isTTY) {
+      log.error(
+        "No SSH key found. Run `periscope user key generate` to generate and register one, or provide an existing key path with --key."
+      );
+      return null;
+    }
+    const defaultPath = SshKeyManager.getDefaultKeyPath();
+    const config2 = ConfigManager.load();
+    if (config2.allowExternalKey) {
+      return this.handleMissingKeyMenu(client3, customKeyPath, defaultPath);
+    }
+    const targetPath = customKeyPath ?? defaultPath;
+    log.blank();
+    log.info(`No SSH key found. Generating new key at ${targetPath}...`);
+    try {
+      const keyPair = await SshKeyManager.generateKeyPair(targetPath);
+      const publicKey = await SshKeyManager.exportPublicKey(keyPair);
+      await client3.registerPublicKey(publicKey);
+    } catch (err) {
+      throw new SshKeySetupError(err);
+    }
+    log.success("SSH key generated and registered successfully.");
+    if (targetPath !== defaultPath) {
+      config2.sshKeyPath = targetPath;
+      ConfigManager.save(config2);
+      log.info(`Key path saved to configuration.`);
+    }
+    return targetPath;
+  }
+  /**
+   * Full menu wizard for missing SSH key. Only shown when allowExternalKey
+   * is enabled in configuration. Allows generating a new key or providing
+   * a path to an existing one.
+   */
+  static async handleMissingKeyMenu(client3, customKeyPath, defaultPath) {
+    log.blank();
+    log.warn("No SSH key found for tunnel authentication.");
+    log.blank();
+    log.info("Options:");
+    log.info(
+      `  1. Generate a new SSH key at ${customKeyPath ?? defaultPath} (recommended)`
+    );
+    log.info("  2. Use an existing SSH key from a different path");
+    log.info("  3. Cancel");
+    const rl = getReadlineInterface();
+    const choice = await new Promise((resolve) => {
+      rl.question("Enter your choice [default: 1]: ", (answer) => {
+        resolve(answer.trim() || "1");
+      });
+    });
+    if (choice === "1") {
+      const targetPath = customKeyPath ?? defaultPath;
+      log.info(`Generating SSH key at ${targetPath}...`);
+      try {
+        const keyPair = await SshKeyManager.generateKeyPair(targetPath);
+        const publicKey = await SshKeyManager.exportPublicKey(keyPair);
+        await client3.registerPublicKey(publicKey);
+      } catch (err) {
+        throw new SshKeySetupError(err);
+      }
+      log.success("SSH key generated and registered successfully.");
+      if (targetPath !== defaultPath) {
+        const config2 = ConfigManager.load();
+        config2.sshKeyPath = targetPath;
+        ConfigManager.save(config2);
+        log.info(`Key path saved to configuration.`);
+      }
+      return targetPath;
+    } else if (choice === "2") {
+      const existingPath = await new Promise((resolve) => {
+        rl.question("Enter the full path to your SSH private key: ", (answer) => {
+          resolve(answer.trim());
+        });
+      });
+      if (!existingPath) {
+        log.error("No path provided.");
+        return null;
+      }
+      const expandedPath = existingPath.replace(/^~(?=\/|$)/, os5.homedir());
+      if (!fs9.existsSync(expandedPath)) {
+        log.error(`No key file found at ${expandedPath}.`);
+        return null;
+      }
+      log.info(`Registering public key from ${expandedPath}...`);
+      try {
+        const publicKey = await SshKeyManager.getPublicKeyString(expandedPath);
+        await client3.registerPublicKey(publicKey);
+      } catch (err) {
+        throw new SshKeySetupError(err);
+      }
+      log.success("SSH key registered successfully.");
+      const config2 = ConfigManager.load();
+      config2.sshKeyPath = expandedPath;
+      ConfigManager.save(config2);
+      log.info(`Key path saved to configuration.`);
+      return expandedPath;
+    } else if (choice === "3") {
+      log.info("Cancelled.");
+      return null;
+    } else {
+      log.error(`Invalid choice: "${choice}". Please enter 1, 2, or 3.`);
+      return null;
+    }
+  }
+  static parseTarget(target) {
+    let url;
+    try {
+      url = new URL(target);
+    } catch {
+      throw new Error(
+        `Invalid --target "${target}". Expected a URL like http://localhost:3000 or https://myapp.local:8443`
+      );
+    }
+    if (url.pathname !== "/" || url.search !== "") {
+      throw new Error(
+        `--target must not include a path or query string (e.g., use "http://localhost:3000" not "${target}")`
+      );
+    }
+    const scheme = url.protocol.slice(0, -1);
+    if (scheme !== "http" && scheme !== "https") {
+      throw new Error(
+        `Unsupported scheme "${scheme}" in --target. Only "http" and "https" are currently supported.`
+      );
+    }
+    const hostname = url.hostname;
+    const port = url.port ? parseInt(url.port, 10) : scheme === "https" ? 443 : 80;
+    const localScheme = scheme === "https" ? "https" : void 0;
+    const isLoopback = hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]";
+    let localHost;
+    if (!isLoopback) {
+      const isStandardPort = scheme === "http" && port === 80 || scheme === "https" && port === 443;
+      localHost = isStandardPort ? hostname : `${hostname}:${port}`;
+    }
+    return { port, localHost, localScheme };
+  }
+  static async connect(name, target, sshKeyPath) {
+    const { port, localHost, localScheme } = target ? this.parseTarget(target) : { port: 80, localHost: void 0, localScheme: void 0 };
+    log.info(`Establishing tunnel '${name}' for local port ${port}...`);
+    if (localHost) {
+      log.info(`Host header override: ${localHost}`);
+    }
+    try {
+      const { client: client3 } = await this.setupClient(
+        `Establishing tunnel '${name}'...`
+      );
+      const tunnelManager = new TunnelManager(client3);
+      let resolvedKeyPath = sshKeyPath;
+      try {
+        await tunnelManager.connect(
+          name,
+          port,
+          localHost,
+          localScheme,
+          resolvedKeyPath
+        );
+      } catch (innerError) {
+        if (innerError instanceof SshKeyNotFoundError) {
+          const wizardResult = await this.handleMissingKeyWizard(
+            client3,
+            sshKeyPath
+          );
+          if (wizardResult === null) {
+            closeReadline();
+            exitOrThrow(1);
+          }
+          resolvedKeyPath = wizardResult;
+          closeReadline();
+          await tunnelManager.connect(
+            name,
+            port,
+            localHost,
+            localScheme,
+            resolvedKeyPath
+          );
+        } else {
+          throw innerError;
+        }
+      }
+      trackEvent("tunnel_connect", {
+        tunnelName: name,
+        localPort: port.toString()
+      });
+      const keepAlive = setInterval(() => {
+      }, 1e3 * 60 * 60);
+      process.once("exit", () => clearInterval(keepAlive));
+      await new Promise(() => {
+      });
+    } catch (error) {
+      if (error instanceof SshKeySetupError) {
+        closeReadline();
+        this.handleError(_TunnelCommand.Action.KEY_SETUP, error.cause);
+      } else {
+        this.handleError(_TunnelCommand.Action.CONNECT, error);
+      }
+    }
+  }
+};
+
+// src/commands/config.ts
+var ConfigCommand = class _ConfigCommand extends BaseCommand {
+  /** Action constants for type-safe error handling */
+  static Action = {
+    SET: "update configuration",
+    SHOW: "load configuration"
+  };
+  static async set(options) {
+    try {
+      const config2 = ConfigManager.load();
+      let hasChanges = false;
+      if (!options.server && options.requestLog === void 0) {
+        log.warn("No configuration options provided.");
+        log.header("Available configuration options:");
+        log.info("  --server <url>         Set the Periscope server URL");
+        log.info(
+          "  --request-log <bool>   Show live HTTP request log during tunnel sessions (true/false)"
+        );
+        log.header("Examples:");
+        log.info("  periscope config set --server https://periscope.elf5.com");
+        log.info("  periscope config set --request-log false");
+        log.blank();
+        log.info("To view current configuration, use: periscope config show");
+        exitOrThrow(1);
+      }
+      if (options.server) {
+        try {
+          new URL(options.server);
+          config2.serverUrl = options.server;
+          log.success(`Server URL set to: ${options.server}`);
+          hasChanges = true;
+        } catch {
+          log.error("Invalid server URL format");
+          exitOrThrow(1);
+        }
+      }
+      if (options.requestLog !== void 0) {
+        config2.showRequestLog = options.requestLog !== "false";
+        log.success(`Request log set to: ${config2.showRequestLog}`);
+        hasChanges = true;
+      }
+      if (hasChanges) {
+        ConfigManager.save(config2);
+        log.info("Configuration saved successfully");
+      }
+    } catch (error) {
+      this.handleError(_ConfigCommand.Action.SET, error);
+    }
+  }
+  static async show() {
+    try {
+      const config2 = ConfigManager.load();
+      log.header("Periscope Configuration:");
+      log.separator(50);
+      _ConfigCommand.showConfigValue(
+        "Server URL  ",
+        config2.serverUrl,
+        "PERISCOPE_SERVER_URL"
+      );
+      _ConfigCommand.showConfigValue(
+        "Request Log ",
+        String(config2.showRequestLog ?? true),
+        "PERISCOPE_SHOW_REQUEST_LOG"
+      );
+      log.info("Config file: " + ConfigManager.getConfigPath());
+      log.separator(50);
+    } catch (error) {
+      this.handleError(_ConfigCommand.Action.SHOW, error);
+    }
+  }
+  static showConfigValue(label, value, envVar) {
+    const envValue = process.env[envVar];
+    const isFromEnv = envValue !== void 0 && envValue !== "";
+    const displayValue = value || "Not configured";
+    const source = isFromEnv ? " (from env)" : "";
+    log.info(`${label}: ${displayValue}${source}`);
+  }
+};
+
+// src/commands/status.ts
+init_telemetry();
+var StatusCommand = class _StatusCommand extends BaseCommand {
+  static Action = {
+    CHECK: "check status"
+  };
+  static async check() {
+    try {
+      const config2 = ConfigManager.load();
+      log.header("Periscope Status:");
+      log.separator();
+      if (!config2.serverUrl) {
+        log.info("Server URL:     Not configured");
+        log.info("Run: periscope config set --server <server-url>");
+        log.separator();
+        return;
+      }
+      log.info("Server URL:     " + config2.serverUrl);
+      const { client: client3 } = await this.initClient(config2);
+      try {
+        const health = await client3.checkHealth();
+        log.info(
+          "Server:         " + (health.healthy ? "\u25CF Healthy" : "\u25CF Unhealthy")
+        );
+        if (health.version) {
+          log.info("Server Version: " + health.version);
+        }
+      } catch {
+        log.info("Server:         \u25CF Unreachable");
+      }
+      const packageJson = await Promise.resolve().then(() => (init_package(), package_exports));
+      log.info("Client Version: " + packageJson.default.version);
+      try {
+        const serverConfig = await getServerConfig(config2.serverUrl);
+        log.info("Auth Provider:  " + (serverConfig.authProvider || "Default"));
+      } catch {
+      }
+      const isAuthenticated = await client3.isAuthenticated();
+      log.info(
+        "Auth:           " + (isAuthenticated ? "\u25CF Authenticated" : "\u25CF Not authenticated")
+      );
+      const keyInfo = SshKeyManager.getKeyInfo(config2.sshKeyPath);
+      log.info(
+        "SSH Key:        " + (keyInfo.exists ? `\u25CF Present (${keyInfo.path})` : "\u25CF Not generated")
+      );
+      if (!keyInfo.exists) {
+        log.info("Run: periscope user key generate");
+      }
+      if (isAuthenticated) {
+        let isPendingApproval = false;
+        try {
+          const accountStatus = await client3.getUserStatus();
+          if (accountStatus) {
+            isPendingApproval = accountStatus === AccountStatus.PENDING_APPROVAL;
+            const statusDisplay = isPendingApproval ? "\u23F3 Pending Approval" : accountStatus === AccountStatus.ACTIVE ? "\u25CF Active" : accountStatus;
+            log.info("Account:        " + statusDisplay);
+          }
+        } catch {
+        }
+        try {
+          const sshCreds = await client3.getSSHCredentials();
+          if (sshCreds.slug) {
+            log.info("User Slug:      " + sshCreds.slug);
+            log.info(
+              "Tunnel Format:  {name}-" + sshCreds.slug + "." + (sshCreds.wildcardHostname || "domain")
+            );
+          }
+          if (keyInfo.exists && sshCreds.keyGeneratedAt) {
+            const registeredDate = new Date(sshCreds.keyGeneratedAt);
+            if (!isNaN(registeredDate.getTime())) {
+              log.info("Key Registered: " + registeredDate.toLocaleString());
+            }
+          }
+        } catch {
+        }
+        if (isPendingApproval) {
+          log.blank();
+          log.warn("Your account is pending approval by an administrator.");
+          log.warn(
+            "Most commands will be unavailable until your account is active."
+          );
+        }
+      } else {
+        log.info("Run: periscope auth login");
+      }
+      log.info(
+        "Request Log:    " + (config2.showRequestLog !== false ? "\u25CF Enabled" : "\u25CB Disabled")
+      );
+      trackEvent("status_check", { authenticated: isAuthenticated.toString() });
+      log.separator();
+    } catch (error) {
+      this.handleError(_StatusCommand.Action.CHECK, error);
+    }
+  }
+};
+
+// src/commands/auth.ts
+init_telemetry();
+var AuthCommand = class _AuthCommand extends BaseCommand {
+  /** Action constants for type-safe error handling */
+  static Action = {
+    LOGIN: "authenticate",
+    LOGOUT: "logout"
+  };
+  static async login(options = {}) {
+    log.info("Initializing authentication...");
+    try {
+      const { client: client3, config: config2 } = await this.initClient();
+      log.debug("Starting authentication...");
+      await this.authenticateWithChoice(client3, options.prompt);
+      log.debug("Authentication complete");
+      log.debug("Ensuring SSH key pair...");
+      const keyPair = await SshKeyManager.ensureKeyPair(config2.sshKeyPath);
+      const publicKey = await SshKeyManager.exportPublicKey(keyPair);
+      log.debug("Registering SSH public key with server...");
+      await client3.registerPublicKey(publicKey);
+      log.success("SSH key registered with server.");
+    } catch (error) {
+      log.debug("Login failed with error:", error);
+      this.handleError(_AuthCommand.Action.LOGIN, error);
+    }
+  }
+  static async logout() {
+    log.info("Clearing authentication data...");
+    try {
+      const config2 = ConfigManager.load();
+      if (!config2.serverUrl) {
+        log.warn("No server URL configured - nothing to clear");
+        return;
+      }
+      const { client: client3 } = await this.initClient(config2);
+      await client3.logout();
+      log.success("Logged out successfully");
+      log.success("Authentication data cleared");
+      trackEvent("auth_logout");
+    } catch (error) {
+      this.handleError(_AuthCommand.Action.LOGOUT, error);
+    }
+  }
+};
+
+// src/commands/user.ts
+init_telemetry();
+var UserCommand = class _UserCommand extends BaseCommand {
+  /** Action constants for type-safe error handling */
+  static Action = {
+    KEY_GENERATE: "generate SSH key",
+    UPDATE_SLUG: "update user slug"
+  };
+  /**
+   * Generate a new SSH key pair and register it with the server.
+   * Overwrites any existing key at the configured path.
+   */
+  static async keyGenerate() {
+    try {
+      const { client: client3, config: config2 } = await this.setupClient(
+        "Generating SSH key..."
+      );
+      log.info("Generating new ECDSA P-256 SSH key pair...");
+      const keyPair = await SshKeyManager.generateKeyPair(config2.sshKeyPath);
+      const publicKey = await SshKeyManager.exportPublicKey(keyPair);
+      await client3.registerPublicKey(publicKey);
+      const keyInfo = SshKeyManager.getKeyInfo(config2.sshKeyPath);
+      log.success("SSH key generated and registered.");
+      log.info("Private key:", keyInfo.path);
+      log.info("Public key:", keyInfo.pubKeyPath);
+      trackEvent("user_key_generate");
+    } catch (error) {
+      this.handleError(_UserCommand.Action.KEY_GENERATE, error);
+    }
+  }
+  /**
+   * Update the user's slug for tunnel namespacing (delegates to server update).
+   */
+  static async updateSlug(newSlug) {
+    if (!/^[a-zA-Z]{6}$/.test(newSlug)) {
+      log.error("Invalid slug format");
+      log.info("Slug must be exactly 6 alphabetic characters (a-z, A-Z)");
+      log.info("Example: periscope user slug myslug");
+      return;
+    }
+    try {
+      const { client: client3 } = await this.setupClient();
+      const normalizedSlug = newSlug.toLowerCase();
+      log.info(`Updating user slug to: ${normalizedSlug}`);
+      await client3.updateSlug({ slug: normalizedSlug });
+      log.success("Slug updated successfully!");
+      log.info(`Your tunnels will now use: {name}-${normalizedSlug}.{domain}`);
+      trackEvent("auth_update_slug");
+    } catch (error) {
+      this.handleError(_UserCommand.Action.UPDATE_SLUG, error);
+    }
+  }
+};
+
+// src/interactive.ts
+init_readline_instance();
+init_process_lifecycle();
+var InteractiveMode = class _InteractiveMode {
+  static instance = null;
+  constructor() {
+    _InteractiveMode.instance = this;
+    initializeReadline(true, (line) => this.tabCompleter(line));
+    this.setupLineHandler();
+    this.setupSignalHandling();
+  }
+  get rl() {
+    return getReadlineInterface();
+  }
+  setupLineHandler() {
+    this.rl.on("line", (line) => this.handleCommand(line.trim()));
+  }
+  /**
+   * Tab completion for interactive mode.
+   * Maps the command tree so Tab expands to the next token at each level.
+   */
+  tabCompleter(line) {
+    const trimmed = line.trimEnd();
+    const parts = trimmed.split(" ");
+    const topLevel = [
+      "auth",
+      "config",
+      "connect",
+      "status",
+      "user",
+      "help",
+      "clear",
+      "exit",
+      "quit"
+    ];
+    let candidates;
+    if (parts.length <= 1) {
+      candidates = topLevel;
+    } else {
+      switch (parts[0]) {
+        case "auth":
+          candidates = ["auth login", "auth logout"];
+          break;
+        case "config":
+          if (parts[1] === "set" && parts.length >= 3) {
+            candidates = ["config set --server", "config set --request-log"];
+          } else {
+            candidates = ["config show", "config set"];
+          }
+          break;
+        case "user":
+          if (parts[1] === "key") {
+            candidates = ["user key generate"];
+          } else {
+            candidates = ["user slug", "user key"];
+          }
+          break;
+        default:
+          return [[], line];
+      }
+    }
+    const hits = candidates.filter((c) => c.startsWith(trimmed));
+    return [hits, line];
+  }
+  setupSignalHandling() {
+    this.rl.on("SIGINT", async () => {
+      log.info("Exiting interactive mode...");
+      await this.close();
+      await gracefulExit(0);
+    });
+  }
+  async start() {
+    process.env.PERISCOPE_INTERACTIVE = "true";
+    log.header("\u{1F52D} Periscope Interactive CLI");
+    log.info('Type "help" for available commands or "exit" to quit.');
+    log.blank();
+    this.rl.prompt();
+  }
+  async handleCommand(input) {
+    if (!input) {
+      this.rl.prompt();
+      return;
+    }
+    const [mainCommand, ...args] = input.split(" ");
+    try {
+      switch (mainCommand.toLowerCase()) {
+        case "help":
+          this.showHelp();
+          break;
+        case "exit":
+        case "quit":
+          log.raw("Goodbye! \u{1F44B}");
+          process.exit(0);
+          break;
+        case "auth":
+          await this.handleAuthCommand(args);
+          break;
+        case "config":
+          await this.handleConfigCommand(args);
+          break;
+        case "connect":
+          await this.handleConnectCommand(args);
+          break;
+        case "status":
+          await StatusCommand.check();
+          break;
+        case "user":
+          await this.handleUserCommand(args);
+          break;
+        case "clear":
+          console.clear();
+          break;
+        default:
+          log.error(`Unknown command: ${mainCommand}`);
+          log.info('Type "help" for available commands.');
+          break;
+      }
+    } catch (error) {
+      log.error(
+        `Error: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
+    }
+    this.rl.prompt();
+  }
+  showHelp() {
+    log.header("Available Commands:");
+    log.separator(50);
+    log.info("Authentication:");
+    log.info("  auth login                 - Authenticate (choose method)");
+    log.info("  auth logout                - Clear authentication data");
+    log.header("User:");
+    log.info("  user slug <new-slug>       - Update user slug (6 letters)");
+    log.info(
+      "  user key generate          - Generate and register a new SSH key"
+    );
+    log.header("Configuration:");
+    log.info("  config show                - Show current configuration");
+    log.info("  config set --server <url>  - Set server URL");
+    log.info(
+      "  config set --request-log <bool> - Show request log (true/false)"
+    );
+    log.header("Tunnels:");
+    log.info(
+      "  connect <name> [--target <target>] [--key <path>] - Establish SSH tunnel"
+    );
+    log.header("General:");
+    log.info(
+      "  status                     - Show server, auth, and SSH key status"
+    );
+    log.info("  clear                      - Clear the screen");
+    log.info("  help                       - Show this help message");
+    log.info("  exit, quit                 - Exit interactive mode");
+    log.separator(50);
+    log.info("Use Tab for command completion");
+  }
+  async handleAuthCommand(args) {
+    const [subCommand] = args;
+    switch (subCommand) {
+      case "login":
+        await AuthCommand.login();
+        break;
+      case "logout":
+        await AuthCommand.logout();
+        break;
+      default:
+        log.error("Invalid auth command. Available: login, logout");
+        break;
+    }
+  }
+  async handleUserCommand(args) {
+    const [subCommand, ...options] = args;
+    switch (subCommand) {
+      case "slug": {
+        const newSlug = options[0];
+        if (!newSlug) {
+          log.error("Please provide a new slug.");
+          log.info("Usage: user slug <new-slug>");
+          break;
+        }
+        await UserCommand.updateSlug(newSlug);
+        break;
+      }
+      case "key": {
+        const keySubCommand = options[0];
+        if (keySubCommand === "generate") {
+          await UserCommand.keyGenerate();
+        } else {
+          log.error("Invalid key command. Available: generate");
+          log.info("Usage: user key generate");
+        }
+        break;
+      }
+      default:
+        log.error("Invalid user command. Available: slug, key");
+        break;
+    }
+  }
+  async handleConfigCommand(args) {
+    const [subCommand, ...options] = args;
+    switch (subCommand) {
+      case "show":
+        await ConfigCommand.show();
+        break;
+      case "set": {
+        const configOptions = {};
+        for (let i = 0; i < options.length; i += 2) {
+          const option = options[i];
+          const value = options[i + 1];
+          switch (option) {
+            case "--server":
+            case "-s":
+              configOptions.server = value;
+              break;
+            case "--request-log":
+              configOptions.requestLog = value;
+              break;
+          }
+        }
+        await ConfigCommand.set(configOptions);
+        break;
+      }
+      default:
+        log.error("Invalid config command. Available: show, set");
+        break;
+    }
+  }
+  async handleConnectCommand(args) {
+    if (args.length === 0) {
+      log.error("Please specify a tunnel name.");
+      log.info("Usage: connect <name> [--target <target>] [--key <path>]");
+      return;
+    }
+    const name = args[0];
+    let target;
+    let sshKeyPath;
+    for (let i = 1; i < args.length; i += 2) {
+      const option = args[i];
+      const value = args[i + 1];
+      switch (option) {
+        case "--target":
+          target = value;
+          break;
+        case "--key":
+          sshKeyPath = value;
+          break;
+      }
+    }
+    await TunnelCommand.connect(name, target, sshKeyPath);
+  }
+  /**
+   * Trigger a new prompt (useful for background operations)
+   */
+  static triggerPrompt() {
+    if (_InteractiveMode.instance) {
+      const rl = getReadlineInterface();
+      if (rl) {
+        rl.prompt();
+      }
+    }
+  }
+  async close() {
+    _InteractiveMode.instance = null;
+    closeReadline();
+    await performSecureCleanup();
+  }
+};
+export {
+  Auth0AuthManager,
+  ConfigManager,
+  InteractiveMode,
+  MsalAuthManager,
+  PeriscopeClient,
+  TunnelManager,
+  setupSecureCleanup
+};
+//# sourceMappingURL=index.js.map