@ganakailabs/cloudeval-cli 0.18.4

package/dist/chunk-4QIKW5TJ.js

@@ -0,0 +1,3472 @@
+// ../shared/dist/index.js
+var isObject = (value) => typeof value === "object" && value !== null;
+var stringOr = (value, fallback) => typeof value === "string" && value.trim() ? value : fallback;
+var normalizeProvider = (value) => {
+  if (value === "azure" || value === "aws" || value === "gcp") {
+    return value;
+  }
+  return "unknown";
+};
+var normalizeSections = (value) => {
+  if (!Array.isArray(value)) {
+    return [];
+  }
+  return value.map((section, index) => {
+    if (!isObject(section)) {
+      return void 0;
+    }
+    return {
+      id: stringOr(section.id, `section-${index + 1}`),
+      title: stringOr(section.title, `Section ${index + 1}`),
+      markdown: stringOr(section.markdown, "")
+    };
+  }).filter((section) => Boolean(section));
+};
+var normalizeReportEnvelope = (input) => {
+  const rawInput = isObject(input) && isObject(input.report) ? input.report : input;
+  if (!isObject(rawInput)) {
+    throw new Error("Report response must be an object.");
+  }
+  const source = isObject(rawInput.source) ? rawInput.source : {};
+  const formatted = isObject(rawInput.formatted) ? rawInput.formatted : void 0;
+  const period = isObject(rawInput.period) ? {
+    start: stringOr(rawInput.period.start, ""),
+    end: stringOr(rawInput.period.end, "")
+  } : void 0;
+  return {
+    id: stringOr(rawInput.id, "unknown-report"),
+    kind: rawInput.kind === "waf" ? "waf" : "cost",
+    projectId: stringOr(rawInput.projectId ?? rawInput.project_id, "unknown-project"),
+    generatedAt: stringOr(
+      rawInput.generatedAt ?? rawInput.generated_at,
+      (/* @__PURE__ */ new Date(0)).toISOString()
+    ),
+    period,
+    source: {
+      provider: normalizeProvider(source.provider ?? rawInput.provider),
+      backendVersion: typeof source.backendVersion === "string" ? source.backendVersion : typeof source.backend_version === "string" ? source.backend_version : void 0,
+      evidenceRefs: Array.isArray(source.evidenceRefs) ? source.evidenceRefs.filter((ref) => typeof ref === "string") : Array.isArray(source.evidence_refs) ? source.evidence_refs.filter((ref) => typeof ref === "string") : void 0
+    },
+    raw: rawInput.raw ?? {},
+    parsed: rawInput.parsed ?? {},
+    formatted: formatted ? {
+      title: stringOr(formatted.title, "Report"),
+      summary: stringOr(formatted.summary, ""),
+      sections: normalizeSections(formatted.sections)
+    } : void 0
+  };
+};
+var normalizeReportList = (input) => {
+  const list = Array.isArray(input) ? input : isObject(input) && Array.isArray(input.reports) ? input.reports : isObject(input) && Array.isArray(input.data) ? input.data : isObject(input) && Array.isArray(input.items) ? input.items : [];
+  return list.map((item) => normalizeReportEnvelope(item));
+};
+var SECRET_REDACTION = "[redacted]";
+var SENSITIVE_KEY_PATTERN = /token|authorization|cookie|secret|password|api[_-]?key|access[_-]?key|client[_-]?secret|refresh|device[_-]?code|user[_-]?code/i;
+var SENSITIVE_QUERY_PARAM_PATTERN = /token|authorization|cookie|secret|password|api[_-]?key|access[_-]?key|client[_-]?secret|refresh|device[_-]?code|user[_-]?code|code/i;
+var CLOUDEVAL_ACCESS_KEY_VALUE_PATTERN = /\bcev_[a-z0-9]+_ak_[A-Za-z0-9]+_[A-Za-z0-9._~+-]+(?:_[A-Za-z0-9._~+-]+)*\b/gi;
+var AUTHORIZATION_BEARER_PATTERN = /\b(authorization\s*:\s*bearer\s+)([^\s'",}]+)/gi;
+var isSensitiveSecretKey = (key) => SENSITIVE_KEY_PATTERN.test(key);
+var redactSensitiveText = (value) => {
+  let text = value;
+  try {
+    const parsed = JSON.parse(text);
+    if (parsed && typeof parsed === "object") {
+      return JSON.stringify(redactSensitiveSecrets(parsed));
+    }
+  } catch {
+  }
+  try {
+    const url = new URL(text);
+    let changed = false;
+    for (const key of Array.from(url.searchParams.keys())) {
+      if (SENSITIVE_QUERY_PARAM_PATTERN.test(key)) {
+        url.searchParams.set(key, SECRET_REDACTION);
+        changed = true;
+      }
+    }
+    if (changed) {
+      text = url.toString();
+    }
+  } catch {
+  }
+  return text.replace(AUTHORIZATION_BEARER_PATTERN, (_match, prefix) => `${prefix}${SECRET_REDACTION}`).replace(CLOUDEVAL_ACCESS_KEY_VALUE_PATTERN, SECRET_REDACTION);
+};
+var redactSensitiveSecrets = (value) => {
+  if (Array.isArray(value)) {
+    return value.map((item) => redactSensitiveSecrets(item));
+  }
+  if (typeof value === "string") {
+    return redactSensitiveText(value);
+  }
+  if (value && typeof value === "object") {
+    const redacted = {};
+    for (const [key, item] of Object.entries(value)) {
+      redacted[key] = item === null || item === void 0 ? item : isSensitiveSecretKey(key) ? SECRET_REDACTION : redactSensitiveSecrets(item);
+    }
+    return redacted;
+  }
+  return value;
+};
+var baseSettings = {
+  mode: "agent",
+  response_length: "Detailed",
+  technicality: "Expert",
+  reasoning_effort: "medium",
+  enable_judge: true,
+  enable_hitl: true
+};
+var BUNDLED_AGENT_PROFILES = [
+  {
+    id: "architecture",
+    display_name: "Architecture",
+    description: "Reviews topology, dependencies, blast radius, reliability, security, cost, operational excellence, and performance signals.",
+    personality: "Systems-minded, concise, and dependency-aware.",
+    accent_key: "blue",
+    icon_key: "network",
+    default_mode: "agent",
+    starter_prompt: "Review this project architecture for the highest-impact risks and next actions.",
+    starter_prompts: {
+      template: "Review this template architecture for topology, dependency, and platform-design risks.",
+      sync: "Review this live environment architecture for topology, dependency, and blast-radius risks."
+    },
+    starter_prompt_variants: [
+      {
+        id: "architecture-template-agent",
+        project_source: "template",
+        mode: "agent",
+        text: "Review this template architecture for topology, dependency, and platform-design risks.",
+        weight: 1
+      },
+      {
+        id: "architecture-sync-agent",
+        project_source: "sync",
+        mode: "agent",
+        text: "Review this live environment architecture for topology, dependency, and blast-radius risks.",
+        weight: 1
+      }
+    ],
+    system_instructions: "Use the Architecture lens. Prioritize topology, dependencies, blast radius, reliability, security, cost, operations, and performance evidence. Return risk-ranked findings with concrete validation steps.",
+    default_settings: { ...baseSettings },
+    required_capabilities: ["projects:read", "reports:read", "ask:run"],
+    allowed_toolsets: ["projects", "reports", "graph", "rules"],
+    output_contract: {
+      sections: ["interpretation", "top_signals", "actions", "checkpoint"]
+    }
+  },
+  {
+    id: "cost",
+    display_name: "Cost",
+    description: "Reviews project cost drivers, waste signals, and practical optimization opportunities.",
+    personality: "Commercially pragmatic, specific, and action-oriented.",
+    accent_key: "emerald",
+    icon_key: "wallet",
+    default_mode: "agent",
+    starter_prompt: "Review this project for cost drivers, waste signals, and practical savings actions.",
+    starter_prompts: {
+      template: "Review this template for cost drivers, expensive defaults, and safer sizing choices.",
+      sync: "Review this live environment for waste signals, savings opportunities, and ownership gaps."
+    },
+    starter_prompt_variants: [
+      {
+        id: "cost-template-agent",
+        project_source: "template",
+        mode: "agent",
+        text: "Review this template for cost drivers, expensive defaults, and safer sizing choices.",
+        weight: 1
+      },
+      {
+        id: "cost-sync-agent",
+        project_source: "sync",
+        mode: "agent",
+        text: "Review this live environment for waste signals, savings opportunities, and ownership gaps.",
+        weight: 1
+      }
+    ],
+    system_instructions: "Use the Cost lens. Prioritize spend drivers, over-provisioning, idle or low-value resources, tagging gaps, pricing model choices, and savings actions. Keep recommendations commercially practical.",
+    default_settings: { ...baseSettings },
+    required_capabilities: [
+      "projects:read",
+      "reports:read",
+      "billing:read",
+      "ask:run"
+    ],
+    allowed_toolsets: ["projects", "reports", "billing", "cost"],
+    output_contract: {
+      sections: ["cost_drivers", "waste_signals", "savings_actions", "checkpoint"]
+    }
+  },
+  {
+    id: "triage",
+    display_name: "Triage",
+    description: "Helps investigate likely failure domains, affected resources, and first response actions.",
+    personality: "Calm, diagnostic, and time-sensitive.",
+    accent_key: "orange",
+    icon_key: "activity",
+    default_mode: "agent",
+    starter_prompt: "Triage this project for likely failure domains, impact paths, and first checks.",
+    starter_prompts: {
+      template: "Triage this template for likely deployment failure domains and first checks.",
+      sync: "Triage this live environment for likely failure domains, impacted paths, and containment checks."
+    },
+    starter_prompt_variants: [
+      {
+        id: "triage-template-agent",
+        project_source: "template",
+        mode: "agent",
+        text: "Triage this template for likely deployment failure domains and first checks.",
+        weight: 1
+      },
+      {
+        id: "triage-sync-agent",
+        project_source: "sync",
+        mode: "agent",
+        text: "Triage this live environment for likely failure domains, impacted paths, and containment checks.",
+        weight: 1
+      }
+    ],
+    system_instructions: "Use the Triage lens. Prioritize failure domains, affected resources, impact paths, first checks, rollback or containment options, and uncertainty that needs quick validation.",
+    default_settings: { ...baseSettings },
+    required_capabilities: ["projects:read", "reports:read", "ask:run"],
+    allowed_toolsets: ["projects", "reports", "graph", "rules"],
+    output_contract: {
+      sections: ["hypothesis", "impact", "first_checks", "containment"]
+    }
+  },
+  {
+    id: "remediation",
+    display_name: "Remediation",
+    description: "Turns findings into ordered implementation steps with owners, dependencies, and validation checks.",
+    personality: "Delivery-focused, practical, and sequencing-aware.",
+    accent_key: "rose",
+    icon_key: "list-checks",
+    default_mode: "agent",
+    starter_prompt: "Create an ordered remediation plan for this project with dependencies and validation checks.",
+    starter_prompts: {
+      template: "Create a template remediation plan with ordered changes, dependencies, and validation checks.",
+      sync: "Create a live-environment remediation plan with owners, dependencies, and validation checks."
+    },
+    starter_prompt_variants: [
+      {
+        id: "remediation-template-agent",
+        project_source: "template",
+        mode: "agent",
+        text: "Create a template remediation plan with ordered changes, dependencies, and validation checks.",
+        weight: 1
+      },
+      {
+        id: "remediation-sync-agent",
+        project_source: "sync",
+        mode: "agent",
+        text: "Create a live-environment remediation plan with owners, dependencies, and validation checks.",
+        weight: 1
+      }
+    ],
+    system_instructions: "Use the Remediation lens. Convert evidence into ordered fixes, owners, dependencies, risk sequencing, validation checks, rollback notes, and measurable completion criteria.",
+    default_settings: { ...baseSettings },
+    required_capabilities: ["projects:read", "reports:read", "ask:run"],
+    allowed_toolsets: ["projects", "reports", "rules"],
+    output_contract: {
+      sections: ["plan", "dependencies", "validation", "rollback"]
+    }
+  }
+];
+var getBundledAgentProfiles = () => BUNDLED_AGENT_PROFILES.map((profile) => ({
+  ...profile,
+  starter_prompts: { ...profile.starter_prompts ?? {} },
+  starter_prompt_variants: profile.starter_prompt_variants?.map((variant) => ({
+    ...variant
+  })),
+  default_settings: { ...profile.default_settings },
+  required_capabilities: [...profile.required_capabilities],
+  allowed_toolsets: [...profile.allowed_toolsets],
+  output_contract: profile.output_contract ? { ...profile.output_contract } : void 0
+}));
+var getBundledAgentProfile = (profileId) => getBundledAgentProfiles().find((profile) => profile.id === profileId);
+
+// ../core/dist/index.js
+import fs from "fs";
+import os from "os";
+import path from "path";
+import { execFileSync, spawn, spawnSync } from "child_process";
+import { randomUUID } from "crypto";
+import { randomUUID as randomUUID2 } from "crypto";
+var DEFAULT_BASE_URL = "https://cloudeval.ai/api/proxy/v1";
+var DEFAULT_FRONTEND_URL = "https://cloudeval.ai";
+var TOKEN_EXPIRY_SKEW_MS = 12e4;
+var ACCESS_SECRET_LABEL = "access-token";
+var REFRESH_SECRET_LABEL = "refresh-token";
+var INSECURE_FILE_FALLBACK_ENV = "CLOUDEVAL_ALLOW_INSECURE_FILE_STORAGE";
+var CONCURRENT_REFRESH_WAIT_STEPS_MS = [50, 100, 150, 250];
+var REFRESH_LOCK_WAIT_STEP_MS = 100;
+var REFRESH_LOCK_STALE_MS = 3e4;
+var CLI_DEBUG_ENV = "CLOUDEVAL_CLI_DEBUG";
+var SENSITIVE_DEBUG_KEY_PATTERN = /token|authorization|cookie|secret|password|api[_-]?key|access[_-]?key|client_secret|refresh|device[_-]?code|user[_-]?code/i;
+var SENSITIVE_DEBUG_QUERY_PARAM_PATTERN = /token|authorization|cookie|secret|password|api[_-]?key|access[_-]?key|client_secret|refresh|device[_-]?code|user[_-]?code|code/i;
+var KEYCHAIN_SERVICE = "cloudeval-cli";
+var KEYCHAIN_LABEL = "Cloudeval CLI";
+var isCliDebugEnabled = () => {
+  const value = process.env[CLI_DEBUG_ENV];
+  return value === "1" || value?.toLowerCase() === "true";
+};
+var redactDebugValue = (value) => {
+  if (Array.isArray(value)) {
+    return value.map((item) => redactDebugValue(item));
+  }
+  if (typeof value === "string") {
+    try {
+      const url = new URL(value);
+      let changed = false;
+      for (const key of Array.from(url.searchParams.keys())) {
+        if (SENSITIVE_DEBUG_QUERY_PARAM_PATTERN.test(key)) {
+          url.searchParams.set(key, "[REDACTED]");
+          changed = true;
+        }
+      }
+      return redactSensitiveText(changed ? url.toString() : value);
+    } catch {
+      return redactSensitiveText(value);
+    }
+  }
+  if (value && typeof value === "object") {
+    const redacted = {};
+    for (const [key, item] of Object.entries(value)) {
+      redacted[key] = SENSITIVE_DEBUG_KEY_PATTERN.test(key) ? "[REDACTED]" : redactDebugValue(item);
+    }
+    return redacted;
+  }
+  return value;
+};
+var cliDebug = (message, data) => {
+  if (!isCliDebugEnabled()) {
+    return;
+  }
+  const prefix = `[${(/* @__PURE__ */ new Date()).toISOString()}] [CLI DEBUG]`;
+  if (data === void 0) {
+    console.error(`${prefix} ${message}`);
+    return;
+  }
+  try {
+    console.error(
+      `${prefix} ${message}
+${JSON.stringify(redactDebugValue(data), null, 2)}`
+    );
+  } catch {
+    console.error(`${prefix} ${message}`, redactDebugValue(data));
+  }
+};
+var cachedToken = null;
+var stored = null;
+var refreshInFlight = null;
+var warnedAboutSecretBackend = false;
+var memorySecrets = /* @__PURE__ */ new Map();
+var now = () => Date.now();
+var sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+var errorMessage = (error) => error instanceof Error ? error.message : typeof error === "string" ? error : String(error ?? "Unknown error");
+var isRejectedRefreshTokenError = (error) => {
+  const message = errorMessage(error).toLowerCase();
+  return message.includes("invalid_grant") || message.includes("consent_required") || message.includes("aadsts65001") || message.includes("interaction_required") || message.includes("refresh token") && (message.includes("revoked") || message.includes("expired") || message.includes("invalid")) || message.includes("aadsts700082") || message.includes("aadsts70000");
+};
+var isProcessAlive = (pid) => {
+  if (!Number.isInteger(pid) || pid <= 0) {
+    return false;
+  }
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch (error) {
+    return error?.code === "EPERM";
+  }
+};
+var configDir = path.join(os.homedir(), ".config", "cloudeval");
+var configPath = path.join(configDir, "config.json");
+var secretFilePath = path.join(configDir, "secrets.json");
+var refreshLockPath = path.join(configDir, "refresh.lock");
+var commandExists = (cmd) => {
+  const whichCmd = process.platform === "win32" ? "where" : "which";
+  try {
+    execFileSync(whichCmd, [cmd], { stdio: "ignore" });
+    return true;
+  } catch {
+    return false;
+  }
+};
+var detectSecretBackend = () => {
+  if (process.env[INSECURE_FILE_FALLBACK_ENV] === "1") {
+    return "insecure-file";
+  }
+  if (process.platform === "darwin" && commandExists("security")) {
+    return "macos-keychain";
+  }
+  if (process.platform === "linux" && commandExists("secret-tool")) {
+    return "linux-libsecret";
+  }
+  if (process.platform === "win32" && commandExists("powershell")) {
+    return "windows-dpapi";
+  }
+  return "memory";
+};
+var ensureConfigDir = () => {
+  fs.mkdirSync(configDir, { recursive: true, mode: 448 });
+};
+var acquireRefreshLock = async () => {
+  ensureConfigDir();
+  while (true) {
+    try {
+      const fd = fs.openSync(refreshLockPath, "wx", 384);
+      let released = false;
+      try {
+        fs.writeFileSync(fd, String(process.pid), { encoding: "utf8" });
+      } catch {
+      }
+      return () => {
+        if (released) {
+          return;
+        }
+        released = true;
+        try {
+          fs.closeSync(fd);
+        } catch {
+        }
+        try {
+          fs.unlinkSync(refreshLockPath);
+        } catch {
+        }
+      };
+    } catch (error) {
+      if (error?.code !== "EEXIST") {
+        throw error;
+      }
+      try {
+        const pid = Number(fs.readFileSync(refreshLockPath, "utf8").trim());
+        if (pid && !isProcessAlive(pid)) {
+          fs.unlinkSync(refreshLockPath);
+          continue;
+        }
+      } catch {
+      }
+      try {
+        const stat = fs.statSync(refreshLockPath);
+        if (now() - stat.mtimeMs > REFRESH_LOCK_STALE_MS) {
+          fs.unlinkSync(refreshLockPath);
+          continue;
+        }
+      } catch {
+        continue;
+      }
+      await sleep(REFRESH_LOCK_WAIT_STEP_MS);
+    }
+  }
+};
+var readSecretsFile = () => {
+  try {
+    const raw = fs.readFileSync(secretFilePath, "utf8");
+    const parsed = JSON.parse(raw);
+    return parsed && typeof parsed === "object" ? parsed : {};
+  } catch {
+    return {};
+  }
+};
+var writeSecretsFile = (secrets) => {
+  ensureConfigDir();
+  fs.writeFileSync(secretFilePath, JSON.stringify(secrets, null, 2), {
+    encoding: "utf8",
+    mode: 384
+  });
+  try {
+    fs.chmodSync(secretFilePath, 384);
+  } catch {
+  }
+};
+var dpapiProtect = (plainText) => {
+  const script = "[Convert]::ToBase64String([System.Security.Cryptography.ProtectedData]::Protect([Text.Encoding]::UTF8.GetBytes($env:CLOUDEVAL_SECRET), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser))";
+  return execFileSync(
+    "powershell",
+    ["-NoProfile", "-NonInteractive", "-Command", script],
+    {
+      encoding: "utf8",
+      env: {
+        ...process.env,
+        CLOUDEVAL_SECRET: plainText
+      }
+    }
+  ).trim();
+};
+var dpapiUnprotect = (cipherTextB64) => {
+  const script = "$bytes=[System.Security.Cryptography.ProtectedData]::Unprotect([Convert]::FromBase64String($env:CLOUDEVAL_SECRET_B64), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); [Text.Encoding]::UTF8.GetString($bytes)";
+  return execFileSync(
+    "powershell",
+    ["-NoProfile", "-NonInteractive", "-Command", script],
+    {
+      encoding: "utf8",
+      env: {
+        ...process.env,
+        CLOUDEVAL_SECRET_B64: cipherTextB64
+      }
+    }
+  ).trim();
+};
+var setSecret = (key, value) => {
+  const backend = detectSecretBackend();
+  try {
+    if (backend === "macos-keychain") {
+      execFileSync("security", [
+        "add-generic-password",
+        "-a",
+        key,
+        "-s",
+        KEYCHAIN_SERVICE,
+        "-l",
+        KEYCHAIN_LABEL,
+        "-w",
+        value,
+        "-U"
+      ]);
+      return true;
+    }
+    if (backend === "linux-libsecret") {
+      const result = spawnSync(
+        "secret-tool",
+        [
+          "store",
+          "--label",
+          KEYCHAIN_LABEL,
+          "service",
+          KEYCHAIN_SERVICE,
+          "account",
+          key
+        ],
+        {
+          input: value,
+          encoding: "utf8"
+        }
+      );
+      return result.status === 0;
+    }
+    if (backend === "windows-dpapi") {
+      const encrypted = dpapiProtect(value);
+      const secrets = readSecretsFile();
+      secrets[key] = encrypted;
+      writeSecretsFile(secrets);
+      return true;
+    }
+    if (backend === "insecure-file") {
+      const secrets = readSecretsFile();
+      secrets[key] = value;
+      writeSecretsFile(secrets);
+      return true;
+    }
+    memorySecrets.set(key, value);
+    return false;
+  } catch {
+    memorySecrets.set(key, value);
+    return false;
+  }
+};
+var getSecret = (key) => {
+  const backend = detectSecretBackend();
+  try {
+    if (backend === "macos-keychain") {
+      return execFileSync("security", [
+        "find-generic-password",
+        "-a",
+        key,
+        "-s",
+        KEYCHAIN_SERVICE,
+        "-w"
+      ], { encoding: "utf8" }).trim();
+    }
+    if (backend === "linux-libsecret") {
+      return execFileSync(
+        "secret-tool",
+        ["lookup", "service", KEYCHAIN_SERVICE, "account", key],
+        { encoding: "utf8" }
+      ).trim();
+    }
+    if (backend === "windows-dpapi") {
+      const secrets = readSecretsFile();
+      const encrypted = secrets[key];
+      if (!encrypted) {
+        return void 0;
+      }
+      return dpapiUnprotect(encrypted);
+    }
+    if (backend === "insecure-file") {
+      const secrets = readSecretsFile();
+      return secrets[key];
+    }
+    return memorySecrets.get(key);
+  } catch {
+    return memorySecrets.get(key);
+  }
+};
+var deleteSecret = (key) => {
+  const backend = detectSecretBackend();
+  try {
+    if (backend === "macos-keychain") {
+      execFileSync(
+        "security",
+        [
+          "delete-generic-password",
+          "-a",
+          key,
+          "-s",
+          KEYCHAIN_SERVICE
+        ],
+        { stdio: "ignore" }
+      );
+    } else if (backend === "linux-libsecret") {
+      execFileSync(
+        "secret-tool",
+        [
+          "clear",
+          "service",
+          KEYCHAIN_SERVICE,
+          "account",
+          key
+        ],
+        { stdio: "ignore" }
+      );
+    } else if (backend === "windows-dpapi" || backend === "insecure-file") {
+      const secrets = readSecretsFile();
+      if (secrets[key]) {
+        delete secrets[key];
+        writeSecretsFile(secrets);
+      }
+    }
+  } catch {
+  }
+  memorySecrets.delete(key);
+};
+var warnOnInsecureSecretStorage = () => {
+  if (warnedAboutSecretBackend) {
+    return;
+  }
+  warnedAboutSecretBackend = true;
+  const backend = detectSecretBackend();
+  if (backend === "memory") {
+    console.warn(
+      "Secure credential storage is unavailable on this system. Session refresh tokens will not persist across CLI restarts."
+    );
+    console.warn(
+      `To force file fallback (less secure), set ${INSECURE_FILE_FALLBACK_ENV}=1.`
+    );
+  } else if (backend === "insecure-file") {
+    console.warn(
+      `Using insecure file secret fallback because ${INSECURE_FILE_FALLBACK_ENV}=1 is set.`
+    );
+  }
+};
+var isLocalHostname = (hostname) => {
+  const lower = hostname.toLowerCase();
+  return lower === "localhost" || lower === "127.0.0.1" || lower === "::1" || lower === "[::1]";
+};
+var assertSecureBaseUrl = (rawBaseUrl) => {
+  let parsed;
+  try {
+    parsed = new URL(rawBaseUrl);
+  } catch {
+    throw new Error(`Invalid base URL: ${rawBaseUrl}`);
+  }
+  if (parsed.protocol === "https:") {
+    return;
+  }
+  if (parsed.protocol === "http:" && isLocalHostname(parsed.hostname)) {
+    return;
+  }
+  throw new Error(
+    `Refusing insecure base URL (${rawBaseUrl}). Use HTTPS for non-localhost endpoints.`
+  );
+};
+var normalizeApiBase = (baseUrl) => {
+  const raw = baseUrl || process.env.CLOUDEVAL_BASE_URL || DEFAULT_BASE_URL;
+  assertSecureBaseUrl(raw);
+  const trimmed = raw.replace(/\/+$/, "");
+  try {
+    const url = new URL(trimmed);
+    const hostname = url.hostname.toLowerCase();
+    const path2 = url.pathname.replace(/\/+$/, "") || "/";
+    if (hostname === "cloudeval.ai" && ["/", "/api", "/api/v1"].includes(path2)) {
+      url.pathname = "/api/proxy/v1";
+      url.search = "";
+      url.hash = "";
+      return url.toString().replace(/\/+$/, "");
+    }
+  } catch {
+  }
+  if (trimmed.endsWith("/api/v1") || trimmed.endsWith("/api/proxy/v1")) {
+    return trimmed;
+  }
+  if (trimmed.endsWith("/api/proxy")) {
+    return `${trimmed}/v1`;
+  }
+  return trimmed.replace(/\/api\/?$/, "") + "/api/v1";
+};
+var resolveAuthBootstrapBase = (apiBase) => {
+  try {
+    const url = new URL(apiBase);
+    const path2 = url.pathname.replace(/\/+$/, "");
+    if (url.hostname.toLowerCase() === "cloudeval.ai" && /\/api\/proxy\/v1$/i.test(path2)) {
+      url.pathname = path2.replace(/\/api\/proxy\/v1$/i, "/api/v1");
+      url.search = "";
+      url.hash = "";
+      return url.toString().replace(/\/+$/, "");
+    }
+  } catch {
+  }
+  return apiBase;
+};
+var sanitizeStoredForDisk = (data) => {
+  const clone = { ...data };
+  delete clone.token;
+  delete clone.refreshToken;
+  return clone;
+};
+var migrateLegacySecrets = (parsed) => {
+  const migrated = { ...parsed };
+  if (parsed.token && !parsed.tokenRef) {
+    const ref = ACCESS_SECRET_LABEL;
+    const persisted = setSecret(ref, parsed.token);
+    if (!persisted) {
+      warnOnInsecureSecretStorage();
+    }
+    migrated.tokenRef = ref;
+    delete migrated.token;
+  }
+  if (parsed.refreshToken && !parsed.refreshTokenRef) {
+    const ref = REFRESH_SECRET_LABEL;
+    const persisted = setSecret(ref, parsed.refreshToken);
+    if (!persisted) {
+      warnOnInsecureSecretStorage();
+    }
+    migrated.refreshTokenRef = ref;
+    delete migrated.refreshToken;
+  }
+  return migrated;
+};
+var loadStoredFromDisk = () => {
+  try {
+    const raw = fs.readFileSync(configPath, "utf8");
+    const parsed = JSON.parse(raw);
+    const nextStored = migrateLegacySecrets(parsed);
+    const accessToken = getAccessToken(nextStored);
+    if (accessToken) {
+      cachedToken = {
+        token: accessToken,
+        expiresAt: nextStored.tokenExpiresAt ?? 0
+      };
+    }
+    if (nextStored !== parsed) {
+      const sanitized = sanitizeStoredForDisk(nextStored);
+      fs.writeFileSync(configPath, JSON.stringify(sanitized, null, 2), {
+        encoding: "utf8",
+        mode: 384
+      });
+    }
+    return nextStored;
+  } catch {
+    return {};
+  }
+};
+var readStored = () => {
+  if (stored) {
+    return stored;
+  }
+  stored = loadStoredFromDisk();
+  return stored;
+};
+var reloadStored = () => {
+  stored = loadStoredFromDisk();
+  return stored;
+};
+var writeStored = (data) => {
+  const sanitized = sanitizeStoredForDisk(data);
+  try {
+    ensureConfigDir();
+    fs.writeFileSync(configPath, JSON.stringify(sanitized, null, 2), {
+      encoding: "utf8",
+      mode: 384
+    });
+    try {
+      fs.chmodSync(configPath, 384);
+    } catch {
+    }
+    stored = sanitized;
+  } catch {
+    stored = sanitized;
+  }
+};
+var getRefreshToken = (data) => {
+  if (data.refreshTokenRef) {
+    return getSecret(data.refreshTokenRef);
+  }
+  return void 0;
+};
+var getAccessToken = (data) => {
+  if (data.tokenRef) {
+    return getSecret(data.tokenRef);
+  }
+  return data.token;
+};
+var saveAccessToken = (data, accessToken) => {
+  const next = { ...data };
+  if (!accessToken) {
+    return next;
+  }
+  const ref = next.tokenRef || ACCESS_SECRET_LABEL;
+  const persisted = setSecret(ref, accessToken);
+  if (!persisted) {
+    warnOnInsecureSecretStorage();
+  }
+  next.tokenRef = ref;
+  return next;
+};
+var saveRefreshToken = (data, refreshToken) => {
+  const next = { ...data };
+  if (!refreshToken) {
+    return next;
+  }
+  const ref = next.refreshTokenRef || REFRESH_SECRET_LABEL;
+  const persisted = setSecret(ref, refreshToken);
+  if (!persisted) {
+    warnOnInsecureSecretStorage();
+  }
+  next.refreshTokenRef = ref;
+  return next;
+};
+var clearLocalAuth = (data) => {
+  cachedToken = null;
+  refreshInFlight = null;
+  const current = data ?? readStored();
+  if (current.tokenRef) {
+    deleteSecret(current.tokenRef);
+  }
+  if (current.refreshTokenRef) {
+    deleteSecret(current.refreshTokenRef);
+  }
+  stored = {};
+  writeStored({});
+  try {
+    if (fs.existsSync(configPath)) {
+      fs.unlinkSync(configPath);
+    }
+  } catch {
+  }
+};
+var clearAuthSession = () => {
+  clearLocalAuth();
+};
+var setCachedToken = (token, expiresInSeconds) => {
+  cachedToken = {
+    token,
+    expiresAt: now() + expiresInSeconds * 1e3 - TOKEN_EXPIRY_SKEW_MS
+  };
+};
+var persistAuthTokens = (tokenResponse, context) => {
+  setCachedToken(tokenResponse.access_token, tokenResponse.expires_in ?? 3600);
+  const current = readStored();
+  let next = {
+    ...current,
+    token: tokenResponse.access_token,
+    tokenExpiresAt: cachedToken?.expiresAt,
+    sessionId: tokenResponse.session_id ?? current.sessionId,
+    accountId: tokenResponse.account_id ?? current.accountId,
+    baseUrl: context.baseUrl,
+    lastRefreshAt: now()
+  };
+  next = saveAccessToken(next, tokenResponse.access_token);
+  next = saveRefreshToken(next, tokenResponse.refresh_token);
+  writeStored(next);
+  return tokenResponse.access_token;
+};
+var getCLIClientId = () => process.env.CLOUDEVAL_CLI_CLIENT_ID ?? "cloudeval-cli";
+var getDeviceVerificationOverride = () => (process.env.CLOUDEVAL_DEVICE_VERIFICATION_URI || process.env.CLOUDEVAL_FRONTEND_URL || process.env.CLOUDEVAL_WEB_URL || "").trim();
+var DEVICE_LOGIN_PROMPT = "select_account";
+var forceDeviceLoginAccountChooser = (value) => {
+  const url = new URL(value);
+  url.searchParams.set("prompt", DEVICE_LOGIN_PROMPT);
+  return url.toString();
+};
+var buildDeviceVerificationUrl = (override, userCode) => {
+  const url = new URL(override);
+  if (!url.pathname || url.pathname === "/") {
+    url.pathname = "/device/login";
+  }
+  if (userCode) {
+    url.searchParams.set("user_code", userCode);
+  }
+  url.searchParams.set("prompt", DEVICE_LOGIN_PROMPT);
+  return url.toString();
+};
+var isLocalDeviceVerificationUrl = (value) => {
+  try {
+    const url = new URL(value);
+    return url.hostname === "localhost" || url.hostname === "127.0.0.1";
+  } catch {
+    return false;
+  }
+};
+var resolveDeviceVerificationUrl = (deviceCodeData) => {
+  const override = getDeviceVerificationOverride();
+  if (override) {
+    try {
+      return buildDeviceVerificationUrl(override, deviceCodeData.user_code);
+    } catch {
+      console.warn(
+        `Ignoring invalid device verification URL override: ${override}`
+      );
+    }
+  }
+  const backendUrl = deviceCodeData.verification_uri_complete || (() => {
+    try {
+      return buildDeviceVerificationUrl(
+        deviceCodeData.verification_uri,
+        deviceCodeData.user_code
+      );
+    } catch {
+      return deviceCodeData.verification_uri;
+    }
+  })();
+  if (isLocalDeviceVerificationUrl(backendUrl)) {
+    return buildDeviceVerificationUrl(DEFAULT_FRONTEND_URL, deviceCodeData.user_code);
+  }
+  try {
+    return forceDeviceLoginAccountChooser(backendUrl);
+  } catch {
+    return backendUrl;
+  }
+};
+var openBrowser = (url) => {
+  try {
+    if (process.platform === "darwin") {
+      const child = spawn("open", [url], {
+        detached: true,
+        stdio: "ignore"
+      });
+      child.unref();
+      return true;
+    }
+    if (process.platform === "win32") {
+      const child = spawn("cmd", ["/c", "start", "", url], {
+        detached: true,
+        stdio: "ignore"
+      });
+      child.unref();
+      return true;
+    }
+    if (commandExists("xdg-open")) {
+      const child = spawn("xdg-open", [url], {
+        detached: true,
+        stdio: "ignore"
+      });
+      child.unref();
+      return true;
+    }
+    return false;
+  } catch {
+    return false;
+  }
+};
+var PLAYGROUND_PROJECT_NAME = "Playground";
+var getCLIHeaders = (token) => {
+  const headers = {
+    "X-Client-Type": "cloudeval-cli",
+    "X-Client-Version": "0.1.0",
+    "Content-Type": "application/json"
+  };
+  if (token) {
+    headers.Authorization = `Bearer ${token}`;
+  }
+  return headers;
+};
+var getProjects = async (baseUrl, token, userId) => {
+  try {
+    const apiBase = normalizeApiBase(baseUrl);
+    cliDebug("getProjects request", {
+      url: `${apiBase}/projects/user/${userId}`,
+      userId
+    });
+    const response = await fetch(`${apiBase}/projects/user/${userId}`, {
+      method: "GET",
+      headers: getCLIHeaders(token)
+    });
+    cliDebug("getProjects response", {
+      status: response.status,
+      ok: response.ok
+    });
+    if (!response.ok) {
+      if (response.status === 404) {
+        return [];
+      }
+      throw new Error(`Failed to fetch projects: ${response.status}`);
+    }
+    const projects = await response.json();
+    const parsedProjects = Array.isArray(projects) ? projects : [];
+    cliDebug("getProjects parsed", {
+      count: parsedProjects.length,
+      names: parsedProjects.map((project) => project?.name)
+    });
+    return parsedProjects;
+  } catch (error) {
+    cliDebug("getProjects failed", {
+      message: error?.message
+    });
+    console.warn("Failed to fetch projects:", error.message);
+    return [];
+  }
+};
+var getAccessibleProjects = async (baseUrl, token) => {
+  const apiBase = normalizeApiBase(baseUrl);
+  cliDebug("getAccessibleProjects request", {
+    url: `${apiBase}/projects/`
+  });
+  const response = await fetch(`${apiBase}/projects/`, {
+    method: "GET",
+    headers: getCLIHeaders(token)
+  });
+  cliDebug("getAccessibleProjects response", {
+    status: response.status,
+    ok: response.ok
+  });
+  if (!response.ok) {
+    if (response.status === 404) {
+      return [];
+    }
+    throw new Error(`Failed to fetch projects: ${response.status}`);
+  }
+  const projects = await response.json();
+  return Array.isArray(projects) ? projects : [];
+};
+var getPlaygroundProject = (projects) => projects.find((project) => project.name === PLAYGROUND_PROJECT_NAME);
+var getUserDisplayName = (user) => user.fullName || user.full_name || user.name;
+var quickOnboardPlayground = async (baseUrl, token, user, extraPayload = {}) => {
+  if (!user.email) {
+    throw new Error(
+      "Playground project is missing and the authenticated user email is unavailable. Please login again."
+    );
+  }
+  const apiBase = normalizeApiBase(baseUrl);
+  const fullName = getUserDisplayName(user);
+  const body = {
+    email: user.email,
+    ...fullName ? { full_name: fullName } : {},
+    ...extraPayload
+  };
+  cliDebug("quickOnboardPlayground request", {
+    url: `${apiBase}/onboard/quick`,
+    email: user.email,
+    hasFullName: !!fullName,
+    payloadKeys: Object.keys(body)
+  });
+  const response = await fetch(`${apiBase}/onboard/quick`, {
+    method: "POST",
+    headers: getCLIHeaders(token),
+    body: JSON.stringify(body)
+  });
+  cliDebug("quickOnboardPlayground response", {
+    status: response.status,
+    ok: response.ok
+  });
+  if (!response.ok) {
+    const detail = await readResponseDetail(response);
+    cliDebug("quickOnboardPlayground failed", {
+      status: response.status,
+      detail
+    });
+    throw new Error(
+      `Failed to run shared Playground onboarding: ${response.status} ${response.statusText}${detail ? ` - ${detail}` : ""}`
+    );
+  }
+  const data = await response.json();
+  cliDebug("quickOnboardPlayground parsed", {
+    userId: data.user?.id,
+    hasPlaygroundProject: !!data.playground_project?.id,
+    hasDefaultConnection: !!data.default_connection?.id,
+    setupJobs: data.setup_jobs?.map((job) => job.operation)
+  });
+  return data;
+};
+var ensurePlaygroundProject = async (baseUrl, token, user, options = {}) => {
+  cliDebug("ensurePlaygroundProject start", {
+    userId: user.id,
+    email: user.email,
+    forceQuickOnboard: !!options.forceQuickOnboard
+  });
+  const existingProjects = await getProjects(baseUrl, token, user.id);
+  const existingPlayground = getPlaygroundProject(existingProjects);
+  if (existingPlayground && !options.forceQuickOnboard) {
+    cliDebug("ensurePlaygroundProject existing Playground found", {
+      projectId: existingPlayground.id
+    });
+    return existingPlayground;
+  }
+  const onboardResponse = await quickOnboardPlayground(baseUrl, token, user);
+  if (onboardResponse.playground_project?.id) {
+    cliDebug("ensurePlaygroundProject repaired from quick response", {
+      projectId: onboardResponse.playground_project.id
+    });
+    return onboardResponse.playground_project;
+  }
+  const refreshedProjects = await getProjects(baseUrl, token, user.id);
+  const refreshedPlayground = getPlaygroundProject(refreshedProjects);
+  if (refreshedPlayground) {
+    cliDebug("ensurePlaygroundProject repaired after project refetch", {
+      projectId: refreshedPlayground.id
+    });
+    return refreshedPlayground;
+  }
+  throw new Error(
+    "Shared onboarding completed, but no Playground project was returned or found."
+  );
+};
+var ensureDefaultProject = async (baseUrl, token, user) => ensurePlaygroundProject(
+  baseUrl,
+  token,
+  typeof user === "string" ? { id: user } : user
+);
+var readResponseDetail = async (response) => {
+  try {
+    const raw = await response.text();
+    if (!raw || !raw.trim()) {
+      return void 0;
+    }
+    const contentType = response.headers.get("content-type") ?? "";
+    if (contentType.includes("text/html") || /^\s*</.test(raw)) {
+      return "backend returned an HTML error page; check --base-url/CLOUDEVAL_BASE_URL and backend health";
+    }
+    try {
+      const json = JSON.parse(raw);
+      return json.message || json.error_description || json.error || json.detail || raw;
+    } catch {
+      return raw;
+    }
+  } catch {
+    return void 0;
+  }
+};
+var loginWithDeviceCode = async (baseUrl, options = {}) => {
+  const apiBase = normalizeApiBase(baseUrl);
+  const authBase = resolveAuthBootstrapBase(apiBase);
+  const clientId = getCLIClientId();
+  const requestBody = JSON.stringify({ client_id: clientId });
+  cliDebug("backend device-code request", {
+    url: `${authBase}/auth/device/code`,
+    clientId
+  });
+  const deviceCodeResponse = await fetch(`${authBase}/auth/device/code`, {
+    method: "POST",
+    headers: getCLIHeaders(),
+    body: requestBody
+  });
+  cliDebug("backend device-code response", {
+    status: deviceCodeResponse.status,
+    ok: deviceCodeResponse.ok
+  });
+  if (!deviceCodeResponse.ok) {
+    const statusInfo = `${deviceCodeResponse.status} ${deviceCodeResponse.statusText}`;
+    const detail = await readResponseDetail(deviceCodeResponse);
+    if (deviceCodeResponse.status === 401 || deviceCodeResponse.status === 403) {
+      throw new Error(
+        `CloudEval backend device-code login is blocked by an authentication layer (${statusInfo}${detail ? ` - ${detail}` : ""}). The CLI needs /api/v1/auth/device/code to stay public so it can show the CloudEval approval URL.`
+      );
+    }
+    let errorMessage2 = `Failed to initiate login: ${statusInfo}`;
+    if (detail) {
+      errorMessage2 = `Failed to initiate login: ${statusInfo} - ${detail}`;
+    }
+    throw new Error(errorMessage2);
+  }
+  return pollDeviceCodeAndPersist(authBase, clientId, deviceCodeResponse, {
+    openInBrowser: options.openInBrowser,
+    browserOpener: options.browserOpener,
+    persistBaseUrl: apiBase
+  });
+};
+var pollDeviceCodeAndPersist = async (apiBase, clientId, deviceCodeResponse, options = {}) => {
+  const deviceCodeData = await deviceCodeResponse.json();
+  const verificationUrl = resolveDeviceVerificationUrl(deviceCodeData);
+  const browserOpener = options.browserOpener ?? openBrowser;
+  let openedInBrowser = false;
+  cliDebug("backend device-code parsed", {
+    hasVerificationUriComplete: !!deviceCodeData.verification_uri_complete,
+    verificationUrl,
+    userCode: deviceCodeData.user_code,
+    expiresIn: deviceCodeData.expires_in,
+    interval: deviceCodeData.interval
+  });
+  if (options.openInBrowser && verificationUrl) {
+    console.log("\nOpening browser for authentication...");
+    openedInBrowser = browserOpener(verificationUrl);
+    console.log(`Approval URL: ${verificationUrl}`);
+  }
+  if (!openedInBrowser) {
+    console.log("\nTo sign in, use a web browser to open:");
+    console.log(`  ${verificationUrl}`);
+  }
+  console.log(
+    `
+${openedInBrowser ? "If prompted, enter code" : "Enter code"}: ${deviceCodeData.user_code}
+`
+  );
+  console.log("Waiting for authentication...");
+  process.stdout.write("  ");
+  const startTime = now();
+  const expiresAt = startTime + deviceCodeData.expires_in * 1e3;
+  let intervalMs = Math.max(1, deviceCodeData.interval || 5) * 1e3;
+  while (now() < expiresAt) {
+    await new Promise((resolve) => setTimeout(resolve, intervalMs));
+    const tokenResponse = await fetch(`${apiBase}/auth/device/token`, {
+      method: "POST",
+      headers: getCLIHeaders(),
+      body: JSON.stringify({
+        device_code: deviceCodeData.device_code,
+        client_id: clientId
+      })
+    });
+    cliDebug("backend device-token response", {
+      status: tokenResponse.status,
+      ok: tokenResponse.ok
+    });
+    const tokenResponseForDetail = tokenResponse.clone();
+    let tokenData;
+    try {
+      tokenData = await tokenResponse.json();
+    } catch {
+      const detail = await readResponseDetail(tokenResponseForDetail);
+      throw new Error(
+        `Device token exchange failed: ${tokenResponse.status} ${tokenResponse.statusText}${detail ? ` - ${detail}` : ""}`
+      );
+    }
+    if (tokenResponse.ok && tokenData.access_token) {
+      const accessToken = persistAuthTokens(tokenData, {
+        baseUrl: options.persistBaseUrl ?? apiBase
+      });
+      cliDebug("backend device-token completed", {
+        hasRefreshToken: !!tokenData.refresh_token,
+        sessionId: tokenData.session_id,
+        accountId: tokenData.account_id
+      });
+      console.log("\nAuthentication successful. Session saved.\n");
+      return accessToken;
+    }
+    if (tokenData.error === "authorization_pending") {
+      process.stdout.write(".");
+      continue;
+    }
+    if (tokenData.error === "slow_down" && tokenData.interval) {
+      intervalMs = tokenData.interval * 1e3;
+      continue;
+    }
+    if (tokenData.error) {
+      throw new Error(tokenData.error);
+    }
+  }
+  throw new Error("Authentication timeout. Please try again.");
+};
+var login = async (baseUrl, options = {}) => {
+  return loginWithDeviceCode(baseUrl, {
+    openInBrowser: !options.headless,
+    browserOpener: options.browserOpener
+  });
+};
+var refreshViaBackend = async (apiBase, refreshToken) => {
+  const authBase = resolveAuthBootstrapBase(apiBase);
+  const response = await fetch(`${authBase}/auth/refresh`, {
+    method: "POST",
+    headers: getCLIHeaders(),
+    body: JSON.stringify({
+      refresh_token: refreshToken,
+      client_id: getCLIClientId()
+    })
+  });
+  if (response.status === 404 || response.status === 405) {
+    return null;
+  }
+  if (!response.ok) {
+    const errorText = await response.text();
+    const lowerErrorText = errorText.toLowerCase();
+    if ((response.status === 401 || response.status === 403) && (lowerErrorText.includes("auth_required_public") || lowerErrorText.includes("authentication required for this endpoint"))) {
+      return null;
+    }
+    throw new Error(errorText || "Token refresh failed");
+  }
+  return await response.json();
+};
+var refreshAuthToken = async (refreshToken, baseUrl) => {
+  const apiBase = normalizeApiBase(baseUrl);
+  const backendResponse = await refreshViaBackend(apiBase, refreshToken);
+  if (backendResponse) {
+    return backendResponse;
+  }
+  throw new Error(
+    "Token refresh unavailable from CloudEval backend. Run 'cloudeval login' and retry."
+  );
+};
+var waitForConcurrentRefreshToken = async (previousRefreshToken) => {
+  for (const delayMs of CONCURRENT_REFRESH_WAIT_STEPS_MS) {
+    await sleep(delayMs);
+    const latest2 = reloadStored();
+    const latestRefreshToken2 = getRefreshToken(latest2);
+    if (latestRefreshToken2 && latestRefreshToken2 !== previousRefreshToken) {
+      return latestRefreshToken2;
+    }
+  }
+  const latest = reloadStored();
+  const latestRefreshToken = getRefreshToken(latest);
+  if (latestRefreshToken && latestRefreshToken !== previousRefreshToken) {
+    return latestRefreshToken;
+  }
+  return void 0;
+};
+var resolveRefreshBaseUrl = (requestedBaseUrl, storedBaseUrl) => {
+  if (!requestedBaseUrl) {
+    return storedBaseUrl;
+  }
+  if (storedBaseUrl && normalizeApiBase(requestedBaseUrl) === DEFAULT_BASE_URL) {
+    return storedBaseUrl;
+  }
+  return requestedBaseUrl;
+};
+var performRefresh = async (options) => {
+  const disk = readStored();
+  const refreshToken = getRefreshToken(disk);
+  if (!refreshToken) {
+    throw new Error("No refresh token available. Please run 'cloudeval login'.");
+  }
+  const refreshBaseUrl = resolveRefreshBaseUrl(options.baseUrl, disk.baseUrl);
+  const finishRefresh = async (currentRefreshToken, currentBaseUrl) => {
+    const refreshed = await refreshAuthToken(currentRefreshToken, currentBaseUrl);
+    if (!refreshed.access_token) {
+      throw new Error("Token refresh response missing access_token.");
+    }
+    return persistAuthTokens(refreshed, {
+      baseUrl: normalizeApiBase(currentBaseUrl)
+    });
+  };
+  try {
+    return await finishRefresh(refreshToken, refreshBaseUrl);
+  } catch (error) {
+    let latest = reloadStored();
+    let latestRefreshToken = getRefreshToken(latest);
+    if (!latestRefreshToken || latestRefreshToken === refreshToken) {
+      const waitedRefreshToken = await waitForConcurrentRefreshToken(refreshToken);
+      if (waitedRefreshToken) {
+        latest = reloadStored();
+        latestRefreshToken = waitedRefreshToken;
+      }
+    }
+    if (latestRefreshToken && latestRefreshToken !== refreshToken) {
+      const latestBaseUrl = resolveRefreshBaseUrl(options.baseUrl, latest.baseUrl) || refreshBaseUrl;
+      return finishRefresh(latestRefreshToken, latestBaseUrl);
+    }
+    throw error;
+  }
+};
+var refreshWithSingleFlight = async (options) => {
+  if (refreshInFlight) {
+    return refreshInFlight;
+  }
+  refreshInFlight = (async () => {
+    const releaseRefreshLock = await acquireRefreshLock();
+    try {
+      return await performRefresh(options);
+    } finally {
+      releaseRefreshLock();
+      refreshInFlight = null;
+    }
+  })();
+  return refreshInFlight;
+};
+var logout = async (options = {}) => {
+  const disk = readStored();
+  const refreshToken = getRefreshToken(disk);
+  const currentToken = cachedToken?.token || getAccessToken(disk);
+  let revoked = false;
+  if (refreshToken) {
+    try {
+      const apiBase = normalizeApiBase(options.baseUrl || disk.baseUrl);
+      const endpoint = options.allDevices ? "/auth/logout-all" : "/auth/logout";
+      const response = await fetch(`${apiBase}${endpoint}`, {
+        method: "POST",
+        headers: getCLIHeaders(currentToken),
+        body: JSON.stringify({
+          refresh_token: refreshToken,
+          session_id: disk.sessionId
+        })
+      });
+      if (response.ok || response.status === 404 || response.status === 405) {
+        revoked = response.ok;
+      }
+    } catch {
+    }
+  }
+  clearLocalAuth(disk);
+  return { revoked, localCleared: true };
+};
+var getAuthStatus = async (baseUrl, options = {}) => {
+  let disk = readStored();
+  let refreshToken = getRefreshToken(disk);
+  let accessToken = getAccessToken(disk);
+  let accessTokenCached = Boolean(
+    cachedToken && cachedToken.expiresAt > now() || accessToken && disk.tokenExpiresAt && disk.tokenExpiresAt > now()
+  );
+  let authenticated = Boolean(accessTokenCached || refreshToken);
+  let authError;
+  if (options.validate && authenticated) {
+    try {
+      const validationBaseUrl = resolveRefreshBaseUrl(baseUrl, disk.baseUrl);
+      const token = await getAuthToken({ baseUrl: validationBaseUrl });
+      if (validationBaseUrl) {
+        await checkUserStatus(validationBaseUrl, token);
+      }
+      disk = readStored();
+      refreshToken = getRefreshToken(disk);
+      accessToken = getAccessToken(disk);
+      accessTokenCached = Boolean(
+        cachedToken && cachedToken.expiresAt > now() || accessToken && disk.tokenExpiresAt && disk.tokenExpiresAt > now()
+      );
+      authenticated = true;
+    } catch (error) {
+      authError = errorMessage(error);
+      disk = readStored();
+      refreshToken = getRefreshToken(disk);
+      accessToken = getAccessToken(disk);
+      accessTokenCached = Boolean(
+        cachedToken && cachedToken.expiresAt > now() || accessToken && disk.tokenExpiresAt && disk.tokenExpiresAt > now()
+      );
+      authenticated = false;
+    }
+  }
+  return {
+    authenticated,
+    accessTokenCached,
+    accessTokenExpiresAt: cachedToken?.expiresAt ?? disk.tokenExpiresAt,
+    hasRefreshToken: Boolean(refreshToken),
+    sessionId: disk.sessionId,
+    accountId: disk.accountId,
+    baseUrl: disk.baseUrl || baseUrl,
+    storageBackend: detectSecretBackend(),
+    validationAttempted: options.validate,
+    authError
+  };
+};
+var extractEmailFromToken = (token) => {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const payload = JSON.parse(
+      Buffer.from(parts[1], "base64url").toString("utf-8")
+    );
+    return payload.email || payload.upn || payload.preferred_username || null;
+  } catch {
+    return null;
+  }
+};
+var AUTH_LOOKUP_ERROR = "CloudEvalAuthLookupError";
+var authLookupError = async (response, context) => {
+  let detail = "";
+  try {
+    const body = await response.text();
+    if (body) {
+      detail = ` - ${body.slice(0, 300)}`;
+    }
+  } catch {
+  }
+  const error = new Error(`${context} failed: ${response.status} ${response.statusText}${detail}`);
+  error.name = AUTH_LOOKUP_ERROR;
+  return error;
+};
+var isAuthLookupError = (error) => error instanceof Error && error.name === AUTH_LOOKUP_ERROR;
+var isAuthLookupFailure = (error) => isAuthLookupError(error);
+var clearStoredAuthIfTokenMatches = (token) => {
+  const disk = readStored();
+  const diskAccessToken = getAccessToken(disk);
+  if (cachedToken?.token === token || diskAccessToken === token) {
+    clearLocalAuth(disk);
+    return true;
+  }
+  return false;
+};
+var fetchCurrentUserFromServer = async (apiBase, token) => {
+  try {
+    const startedAt = Date.now();
+    cliDebug("fetchCurrentUserFromServer request", {
+      url: `${apiBase}/auth/me`
+    });
+    const response = await fetch(`${apiBase}/auth/me`, {
+      method: "GET",
+      headers: getCLIHeaders(token)
+    });
+    cliDebug("fetchCurrentUserFromServer response", {
+      status: response.status,
+      ok: response.ok,
+      durationMs: Date.now() - startedAt
+    });
+    if (response.status === 401 || response.status === 403) {
+      throw await authLookupError(response, "Current user lookup");
+    }
+    if (!response.ok) {
+      return null;
+    }
+    const user = await response.json();
+    if (!user?.id) {
+      return null;
+    }
+    cliDebug("fetchCurrentUserFromServer parsed", {
+      userId: user.id,
+      email: user.email,
+      onboardingCompleted: !!user.preferences?.onboarding?.completedAt
+    });
+    return user;
+  } catch (error) {
+    if (isAuthLookupError(error)) {
+      clearStoredAuthIfTokenMatches(token);
+      throw error;
+    }
+    cliDebug("fetchCurrentUserFromServer failed", {
+      message: errorMessage(error)
+    });
+    return null;
+  }
+};
+var checkUserStatus = async (baseUrl, token) => {
+  try {
+    const apiBase = normalizeApiBase(baseUrl);
+    cliDebug("checkUserStatus start", { apiBase });
+    const currentUser = await fetchCurrentUserFromServer(apiBase, token);
+    if (currentUser) {
+      cliDebug("checkUserStatus resolved from /auth/me", {
+        userId: currentUser.id,
+        email: currentUser.email,
+        onboardingCompleted: !!currentUser.preferences?.onboarding?.completedAt
+      });
+      return {
+        exists: true,
+        onboardingCompleted: !!currentUser.preferences?.onboarding?.completedAt,
+        user: currentUser
+      };
+    }
+    const email = extractEmailFromToken(token);
+    if (!email) {
+      cliDebug("checkUserStatus no email claim; assuming existing completed user");
+      return { exists: true, onboardingCompleted: true };
+    }
+    const startedAt = Date.now();
+    cliDebug("checkUserStatus /user/email request", {
+      url: `${apiBase}/user/email`,
+      email
+    });
+    const response = await fetch(`${apiBase}/user/email`, {
+      method: "POST",
+      headers: getCLIHeaders(token),
+      body: JSON.stringify({ email })
+    });
+    cliDebug("checkUserStatus /user/email response", {
+      status: response.status,
+      ok: response.ok,
+      durationMs: Date.now() - startedAt
+    });
+    if (response.status === 401 || response.status === 403) {
+      throw await authLookupError(response, "User email lookup");
+    }
+    if (response.ok) {
+      const user = await response.json();
+      cliDebug("checkUserStatus /user/email parsed", {
+        userId: user?.id,
+        email: user?.email,
+        onboardingCompleted: !!user.preferences?.onboarding?.completedAt
+      });
+      return {
+        exists: true,
+        onboardingCompleted: !!user.preferences?.onboarding?.completedAt,
+        user
+      };
+    }
+    if (response.status === 404) {
+      cliDebug("checkUserStatus user missing");
+      return { exists: false, onboardingCompleted: false };
+    }
+    cliDebug("checkUserStatus non-404 fallback", {
+      status: response.status
+    });
+    return { exists: true, onboardingCompleted: true };
+  } catch (error) {
+    if (isAuthLookupError(error)) {
+      clearStoredAuthIfTokenMatches(token);
+      throw error;
+    }
+    cliDebug("checkUserStatus failed; assuming completed for compatibility", {
+      message: errorMessage(error)
+    });
+    return { exists: true, onboardingCompleted: true };
+  }
+};
+var completeOnboarding = async (baseUrl, token, data) => {
+  try {
+    const apiBase = normalizeApiBase(baseUrl);
+    cliDebug("completeOnboarding start", {
+      apiBase,
+      name: data.name,
+      role: data.role,
+      teamSize: data.teamSize,
+      goals: data.goals,
+      cloudProvider: data.cloudProvider
+    });
+    const serverUser = await fetchCurrentUserFromServer(apiBase, token);
+    const fallbackEmail = extractEmailFromToken(token);
+    const email = serverUser?.email || fallbackEmail;
+    if (!email) {
+      throw new Error("Could not determine user email. Please login again.");
+    }
+    const userStatus = await checkUserStatus(apiBase, token);
+    const knownUserId = userStatus.user?.id || serverUser?.id;
+    cliDebug("completeOnboarding identity resolved", {
+      email,
+      serverUserId: serverUser?.id,
+      knownUserId,
+      statusExists: userStatus.exists,
+      statusOnboardingCompleted: userStatus.onboardingCompleted
+    });
+    const onboarding = {
+      role: data.role,
+      teamSize: data.teamSize,
+      primaryGoals: data.goals,
+      cloudProvider: data.cloudProvider
+    };
+    const onboardData = await quickOnboardPlayground(
+      apiBase,
+      token,
+      {
+        id: knownUserId || "pending",
+        email,
+        fullName: data.name
+      },
+      {
+        onboarding
+      }
+    );
+    const userId = onboardData.user?.id || knownUserId;
+    if (!userId) {
+      throw new Error("Onboarding completed but no user ID returned");
+    }
+    const persistedOnboarding = onboardData.user?.preferences?.onboarding;
+    const hasPersistedCompletion = !!persistedOnboarding?.completedAt || !!onboardData.onboarding_completed_at;
+    cliDebug("completeOnboarding quick result", {
+      userId,
+      hasPersistedCompletion,
+      hasPlaygroundProject: !!onboardData.playground_project?.id,
+      setupJobs: onboardData.setup_jobs?.map((job) => job.operation)
+    });
+    if (!hasPersistedCompletion) {
+      const preferences = {
+        onboarding: {
+          ...onboarding,
+          completedAt: (/* @__PURE__ */ new Date()).toISOString()
+        }
+      };
+      cliDebug("completeOnboarding fallback PATCH request", {
+        url: `${apiBase}/users/${userId}`
+      });
+      const response = await fetch(`${apiBase}/users/${userId}`, {
+        method: "PATCH",
+        headers: getCLIHeaders(token),
+        body: JSON.stringify({ preferences })
+      });
+      cliDebug("completeOnboarding fallback PATCH response", {
+        status: response.status,
+        ok: response.ok
+      });
+      if (!response.ok) {
+        const error = await response.json().catch(() => ({ message: "Failed to complete onboarding" }));
+        throw new Error(error.message || "Failed to complete onboarding");
+      }
+    }
+    if (!onboardData.playground_project?.id) {
+      cliDebug("completeOnboarding quick response missing Playground; repairing");
+      await ensurePlaygroundProject(apiBase, token, {
+        id: userId,
+        email,
+        fullName: data.name
+      });
+    }
+    cliDebug("completeOnboarding finished", {
+      userId,
+      email
+    });
+  } catch (error) {
+    cliDebug("completeOnboarding failed", {
+      message: error?.message
+    });
+    if (error?.message) {
+      throw error;
+    }
+    throw new Error("Failed to complete onboarding");
+  }
+};
+var getAuthToken = async (options = {}) => {
+  if (options.accessKey) {
+    return options.accessKey;
+  }
+  const minValidUntil = now() + TOKEN_EXPIRY_SKEW_MS;
+  if (cachedToken && cachedToken.expiresAt > minValidUntil) {
+    return cachedToken.token;
+  }
+  const disk = readStored();
+  const refreshToken = getRefreshToken(disk);
+  const accessToken = getAccessToken(disk);
+  let refreshError;
+  if (accessToken && disk.tokenExpiresAt && disk.tokenExpiresAt > minValidUntil) {
+    cachedToken = { token: accessToken, expiresAt: disk.tokenExpiresAt };
+    return accessToken;
+  }
+  if (refreshToken) {
+    try {
+      return await refreshWithSingleFlight(options);
+    } catch (error) {
+      refreshError = error;
+      if (isRejectedRefreshTokenError(error)) {
+        clearLocalAuth(disk);
+      }
+    }
+  }
+  const loginHint = "No authentication available. Run 'cloudeval login' to authenticate or use --access-key-stdin for automation.";
+  if (refreshError) {
+    throw new Error(`${loginHint} Stored refresh failed: ${errorMessage(refreshError)}`);
+  }
+  throw new Error(loginHint);
+};
+var getAuthHeader = async (options = {}) => {
+  const token = await getAuthToken(options);
+  return { Authorization: `Bearer ${token}` };
+};
+var createIdempotencyKey = () => randomUUID();
+var withIdempotencyHeader = (headers, idempotencyKey) => ({
+  ...headers,
+  "Idempotency-Key": idempotencyKey ?? createIdempotencyKey()
+});
+var DEFAULT_PROJECT_TYPE = "sync";
+var RESPONSE_OUTPUT_NODES = /* @__PURE__ */ new Set([
+  "generate_response",
+  "handle_social_interaction",
+  "response_compose"
+]);
+var isLocalHostname2 = (hostname) => {
+  const lower = hostname.toLowerCase();
+  return lower === "localhost" || lower === "127.0.0.1" || lower === "::1" || lower === "[::1]";
+};
+var assertSecureBaseUrl2 = (rawBaseUrl) => {
+  const parsed = new URL(rawBaseUrl);
+  if (parsed.protocol === "https:") {
+    return;
+  }
+  if (parsed.protocol === "http:" && isLocalHostname2(parsed.hostname)) {
+    return;
+  }
+  throw new Error(
+    `Refusing insecure base URL (${rawBaseUrl}). Use HTTPS for non-localhost endpoints.`
+  );
+};
+var isObject2 = (value) => typeof value === "object" && value !== null;
+var isValidChunkStatus = (value) => {
+  return typeof value === "string" && (value === "streaming" || value === "completed" || value === "aborted" || value === "error" || value === "pending");
+};
+var stringOrUndefined = (value) => typeof value === "string" ? value : void 0;
+var numberOrUndefined = (value) => typeof value === "number" && Number.isFinite(value) ? value : void 0;
+var booleanOrUndefined = (value) => typeof value === "boolean" ? value : void 0;
+var isResponseOutputChunk = (chunk) => chunk.type === "responding" && (!chunk.node || RESPONSE_OUTPUT_NODES.has(chunk.node));
+var isResponseCompletionChunk = (chunk) => isResponseOutputChunk(chunk) && chunk.status === "completed";
+var isTerminalEndChunk = (chunk) => (chunk.type === "thinking" || chunk.type === "responding") && chunk.status === "completed" && chunk.node === "end";
+var normalizeHitlOption = (raw, index) => {
+  if (!isObject2(raw)) {
+    const label = String(raw ?? `Option ${index + 1}`);
+    return { id: label, label };
+  }
+  const id = stringOrUndefined(raw.id) ?? stringOrUndefined(raw.value) ?? stringOrUndefined(raw.label) ?? `option_${index}`;
+  return {
+    id,
+    label: stringOrUndefined(raw.label) ?? id,
+    description: stringOrUndefined(raw.description),
+    recommended: booleanOrUndefined(raw.recommended)
+  };
+};
+var normalizeHitlQuestion = (raw, index) => {
+  if (!isObject2(raw)) {
+    return {
+      id: `question_${index}`,
+      text: String(raw ?? "Action required")
+    };
+  }
+  const id = stringOrUndefined(raw.id) ?? stringOrUndefined(raw.question_id) ?? `question_${index}`;
+  const text = stringOrUndefined(raw.text) ?? stringOrUndefined(raw.label) ?? stringOrUndefined(raw.message) ?? "Action required";
+  const options = Array.isArray(raw.options) ? raw.options.map(
+    (option, optionIndex) => normalizeHitlOption(option, optionIndex)
+  ) : void 0;
+  return {
+    id,
+    text,
+    label: stringOrUndefined(raw.label),
+    kind: stringOrUndefined(raw.kind),
+    intent: stringOrUndefined(raw.intent),
+    tool_label: stringOrUndefined(raw.tool_label),
+    action: stringOrUndefined(raw.action),
+    options,
+    recommended_option_id: stringOrUndefined(raw.recommended_option_id),
+    mode_switch_source: stringOrUndefined(raw.mode_switch_source),
+    mode_switch_target: stringOrUndefined(raw.mode_switch_target),
+    resume_behavior: stringOrUndefined(raw.resume_behavior),
+    selectionMode: stringOrUndefined(raw.selectionMode),
+    minSelections: numberOrUndefined(raw.minSelections),
+    maxSelections: numberOrUndefined(raw.maxSelections)
+  };
+};
+var normalizeChunk = (raw, receivedAt) => {
+  if (!isObject2(raw) || typeof raw.type !== "string") {
+    return null;
+  }
+  const base = { receivedAt };
+  const data = isObject2(raw.data) ? raw.data : void 0;
+  switch (raw.type) {
+    case "metadata": {
+      const chunk = {
+        type: "metadata",
+        trace_id: typeof raw.trace_id === "string" ? raw.trace_id : void 0,
+        thread_id: typeof raw.thread_id === "string" ? raw.thread_id : void 0,
+        ...base
+      };
+      return chunk;
+    }
+    case "thinking": {
+      const chunk = {
+        type: "thinking",
+        node: typeof raw.node === "string" ? raw.node : void 0,
+        status: isValidChunkStatus(raw.status) ? raw.status : void 0,
+        description: typeof raw.description === "string" ? raw.description : void 0,
+        message: typeof raw.message === "string" ? raw.message : void 0,
+        content: typeof raw.content === "string" ? raw.content : void 0,
+        ...base
+      };
+      return chunk;
+    }
+    case "responding": {
+      const chunk = {
+        type: "responding",
+        node: typeof raw.node === "string" ? raw.node : void 0,
+        status: isValidChunkStatus(raw.status) ? raw.status : void 0,
+        description: typeof raw.description === "string" ? raw.description : void 0,
+        message: typeof raw.message === "string" ? raw.message : void 0,
+        content: typeof raw.content === "string" ? raw.content : void 0,
+        source: stringOrUndefined(raw.source),
+        ...base
+      };
+      return chunk;
+    }
+    case "error": {
+      const chunk = {
+        type: "error",
+        node: typeof raw.node === "string" ? raw.node : void 0,
+        status: isValidChunkStatus(raw.status) ? raw.status : void 0,
+        description: typeof raw.description === "string" ? raw.description : void 0,
+        message: typeof raw.message === "string" ? raw.message : void 0,
+        content: typeof raw.content === "string" ? raw.content : void 0,
+        stacktrace: typeof raw.stacktrace === "string" ? raw.stacktrace : void 0,
+        ...base
+      };
+      return chunk;
+    }
+    case "hitl":
+    case "hitl_request": {
+      const rawQuestions = Array.isArray(raw.questions) ? raw.questions : Array.isArray(data?.questions) ? data.questions : [];
+      const chunk = {
+        type: "hitl_request",
+        questions: rawQuestions.map(
+          (question, index) => normalizeHitlQuestion(question, index)
+        ),
+        checkpoint_id: stringOrUndefined(raw.checkpoint_id) ?? stringOrUndefined(data?.checkpoint_id),
+        pending_intent_id: stringOrUndefined(raw.pending_intent_id) ?? stringOrUndefined(data?.pending_intent_id),
+        run_id: stringOrUndefined(raw.run_id) ?? stringOrUndefined(data?.run_id),
+        langsmith_trace_id: stringOrUndefined(raw.langsmith_trace_id) ?? stringOrUndefined(data?.langsmith_trace_id),
+        ...base
+      };
+      return chunk;
+    }
+    case "hitl_resume": {
+      const chunk = {
+        type: "hitl_resume",
+        status: isValidChunkStatus(raw.status) ? raw.status : void 0,
+        message: typeof raw.message === "string" ? raw.message : void 0,
+        pending_intent_id: stringOrUndefined(raw.pending_intent_id) ?? stringOrUndefined(data?.pending_intent_id),
+        ...base
+      };
+      return chunk;
+    }
+    default:
+      return null;
+  }
+};
+var buildPayload = (options) => {
+  const user = options.project?.user_id && (!options.user.id || options.user.id === "cli-user") ? { ...options.user, id: options.project.user_id } : options.user;
+  const project = options.project ?? {
+    id: "cli-project",
+    name: "CLI Session",
+    user_id: user.id,
+    cloud_provider: "azure",
+    type: DEFAULT_PROJECT_TYPE
+  };
+  const context = options.context ?? [];
+  const settings = options.settings;
+  const message = options.message;
+  const agentProfileId = options.agentProfileId?.trim();
+  const payload = {
+    thread_id: options.threadId,
+    input: {
+      messages: [{ role: "user", content: message }],
+      user,
+      project,
+      settings,
+      ...agentProfileId ? { agent_profile_id: agentProfileId } : {},
+      context
+    },
+    user,
+    message,
+    project,
+    settings,
+    ...agentProfileId ? { agent_profile_id: agentProfileId } : {},
+    context,
+    group_size: 1,
+    streaming_mode: options.streamingMode ?? "USER"
+  };
+  if (options.hitlResume?.checkpointId && options.hitlResume.responses.length > 0) {
+    payload.hitl_resume = true;
+    payload.hitl_checkpoint_id = options.hitlResume.checkpointId;
+    payload.hitl_responses = options.hitlResume.responses;
+    if (options.hitlResume.runId) {
+      payload.run_id = options.hitlResume.runId;
+    }
+    if (options.hitlResume.langsmithTraceId) {
+      payload.langsmith_trace_id = options.hitlResume.langsmithTraceId;
+    }
+  }
+  return payload;
+};
+var compactErrorBody = (body) => {
+  const trimmed = body.trim();
+  if (!trimmed) {
+    return void 0;
+  }
+  try {
+    const parsed = JSON.parse(trimmed);
+    return redactSensitiveText(JSON.stringify(parsed));
+  } catch {
+    const redacted = redactSensitiveText(trimmed);
+    return redacted.length > 1e3 ? `${redacted.slice(0, 1e3)}...` : redacted;
+  }
+};
+async function* streamChat(options) {
+  assertSecureBaseUrl2(options.baseUrl);
+  const payload = buildPayload(options);
+  const apiBase = normalizeApiBase(options.baseUrl);
+  const url = `${apiBase}/chat/stream`;
+  const streamIdleTimeoutMs = typeof options.streamIdleTimeoutMs === "number" && Number.isFinite(options.streamIdleTimeoutMs) && options.streamIdleTimeoutMs > 0 ? options.streamIdleTimeoutMs : void 0;
+  const headers = withIdempotencyHeader({
+    "Content-Type": "application/json",
+    Accept: "text/event-stream",
+    "X-Client-Type": "cloudeval-cli",
+    "X-Client-Version": "0.1.0"
+  });
+  if (options.authToken) {
+    headers.Authorization = `Bearer ${options.authToken}`;
+  }
+  let connectTimedOut = false;
+  let connectTimeout;
+  let removeExternalAbort;
+  let requestSignal = options.signal;
+  const connectController = streamIdleTimeoutMs ? new AbortController() : void 0;
+  if (connectController) {
+    requestSignal = connectController.signal;
+    if (options.signal) {
+      const abortFromExternal = () => connectController.abort(options.signal?.reason);
+      if (options.signal.aborted) {
+        abortFromExternal();
+      } else {
+        options.signal.addEventListener("abort", abortFromExternal, { once: true });
+        removeExternalAbort = () => options.signal?.removeEventListener("abort", abortFromExternal);
+      }
+    }
+    connectTimeout = setTimeout(() => {
+      connectTimedOut = true;
+      connectController.abort();
+    }, streamIdleTimeoutMs);
+  }
+  let response;
+  try {
+    response = await fetch(url, {
+      method: "POST",
+      headers,
+      body: JSON.stringify(payload),
+      signal: requestSignal
+    });
+  } catch (error) {
+    if (connectTimedOut && streamIdleTimeoutMs) {
+      throw new Error(
+        `No chat stream response received within ${streamIdleTimeoutMs}ms. Please retry or check backend availability.`
+      );
+    }
+    throw error;
+  } finally {
+    if (connectTimeout) {
+      clearTimeout(connectTimeout);
+    }
+    removeExternalAbort?.();
+  }
+  if (!response.ok) {
+    const body = compactErrorBody(await response.text().catch(() => ""));
+    throw new Error(
+      `Stream request failed with status ${response.status} ${response.statusText}${body ? `: ${body}` : ""}`
+    );
+  }
+  if (!response.body) {
+    throw new Error("Streaming response body missing");
+  }
+  const reader = response.body.getReader();
+  const decoder = new TextDecoder("utf-8");
+  let buffer = "";
+  let sseDataLines = [];
+  let doneSeen = false;
+  let responseCompleteDeadline;
+  let streamActivityAt = Date.now();
+  const responseCompletionGraceMs = options.responseCompletionGraceMs ?? 5e3;
+  const parsePayload = (rawPayload) => {
+    const trimmed = rawPayload.trim();
+    if (!trimmed) {
+      return;
+    }
+    if (trimmed === "[DONE]") {
+      doneSeen = true;
+      return;
+    }
+    try {
+      const parsed = JSON.parse(trimmed);
+      const chunk = normalizeChunk(parsed, Date.now());
+      if (chunk && options.debug) {
+        console.error("[stream][chunk]", chunk);
+      }
+      if (chunk) {
+        return chunk;
+      }
+    } catch (error) {
+      if (options.debug) {
+        console.error("[stream][parse-error]", error, rawPayload);
+      }
+    }
+  };
+  const flushSseEvent = () => {
+    if (sseDataLines.length === 0) {
+      return;
+    }
+    const payload2 = sseDataLines.join("\n");
+    sseDataLines = [];
+    return parsePayload(payload2);
+  };
+  const parseLine = (line) => {
+    const normalizedLine = line.replace(/\r$/, "");
+    if (!normalizedLine) {
+      return flushSseEvent();
+    }
+    if (normalizedLine.startsWith(":")) {
+      return;
+    }
+    if (normalizedLine.startsWith("data:")) {
+      sseDataLines.push(normalizedLine.slice(5).trimStart());
+      return;
+    }
+    if (normalizedLine.startsWith("event:") || normalizedLine.startsWith("id:") || normalizedLine.startsWith("retry:")) {
+      return;
+    }
+    if (sseDataLines.length > 0) {
+      sseDataLines.push(normalizedLine);
+      return;
+    }
+    return parsePayload(normalizedLine);
+  };
+  const readWithOptionalDeadline = async () => {
+    if (!responseCompleteDeadline && !streamIdleTimeoutMs) {
+      return { type: "read", result: await reader.read() };
+    }
+    const deadline = responseCompleteDeadline ?? streamActivityAt + streamIdleTimeoutMs;
+    const remainingMs = deadline - Date.now();
+    if (remainingMs <= 0) {
+      return responseCompleteDeadline ? { type: "deadline" } : { type: "idle-timeout" };
+    }
+    return Promise.race([
+      reader.read().then((result) => ({ type: "read", result })),
+      new Promise(
+        (resolve) => setTimeout(
+          () => resolve(
+            responseCompleteDeadline ? { type: "deadline" } : { type: "idle-timeout" }
+          ),
+          remainingMs
+        )
+      )
+    ]);
+  };
+  const markResponseComplete = (chunk) => {
+    if (!options.completeAfterResponse) {
+      return;
+    }
+    if (isTerminalEndChunk(chunk)) {
+      responseCompleteDeadline ??= Date.now() + responseCompletionGraceMs;
+      return;
+    }
+    if (!isResponseOutputChunk(chunk)) {
+      return;
+    }
+    if (isResponseCompletionChunk(chunk)) {
+      responseCompleteDeadline ??= Date.now() + responseCompletionGraceMs;
+      return;
+    }
+    if (chunk.content) {
+      responseCompleteDeadline = Date.now() + responseCompletionGraceMs;
+    }
+  };
+  try {
+    while (true) {
+      const read = await readWithOptionalDeadline();
+      if (read.type === "deadline") {
+        return;
+      }
+      if (read.type === "idle-timeout") {
+        throw new Error(
+          `No chat stream data received within ${streamIdleTimeoutMs}ms. Please retry or check backend availability.`
+        );
+      }
+      const { value, done } = read.result;
+      if (done) break;
+      if (value?.length) {
+        streamActivityAt = Date.now();
+      }
+      buffer += decoder.decode(value, { stream: true });
+      const lines = buffer.split("\n");
+      buffer = lines.pop() ?? "";
+      for (const line of lines) {
+        const chunk = parseLine(line);
+        if (chunk) {
+          yield chunk;
+          markResponseComplete(chunk);
+        }
+        if (doneSeen) {
+          return;
+        }
+      }
+    }
+    if (buffer.trim()) {
+      const chunk = parseLine(buffer);
+      if (chunk) {
+        yield chunk;
+        markResponseComplete(chunk);
+      }
+      if (doneSeen) {
+        return;
+      }
+    }
+    const finalChunk = flushSseEvent();
+    if (finalChunk) {
+      yield finalChunk;
+      markResponseComplete(finalChunk);
+    }
+  } finally {
+    await reader.cancel().catch(() => void 0);
+    try {
+      reader.releaseLock();
+    } catch {
+    }
+  }
+}
+var STREAMING_NODES = /* @__PURE__ */ new Set([
+  "generate_response",
+  "handle_social_interaction",
+  "response_compose"
+]);
+var FOLLOW_UP_NODE = "generate_follow_up";
+var ERROR_FALLBACK_SOURCE_PREFIX = "error_fallback:";
+var TERMINAL_STEP_STATUSES = /* @__PURE__ */ new Set([
+  "completed",
+  "error",
+  "aborted",
+  "cancelled"
+]);
+var cloneMessage = (message) => ({
+  ...message,
+  thinkingSteps: message.thinkingSteps ? [...message.thinkingSteps.map((s) => ({ ...s }))] : [],
+  followUpQuestions: message.followUpQuestions ? [...message.followUpQuestions] : void 0
+});
+var finalizeOpenSteps = (steps, status, timestamp) => {
+  if (!steps) {
+    return steps;
+  }
+  return steps.map((step) => {
+    if (TERMINAL_STEP_STATUSES.has(step.status ?? "pending")) {
+      return step;
+    }
+    const startedAt = step.startedAt ?? step.timestamp;
+    return {
+      ...step,
+      status,
+      timestamp,
+      updatedAt: timestamp,
+      completedAt: timestamp,
+      durationMs: Math.max(0, timestamp - startedAt)
+    };
+  });
+};
+var ensureAssistantMessage = (state, timestamp) => {
+  const existing = state.activeMessageId && state.messages.find(
+    (m) => m.id === state.activeMessageId && m.role === "assistant"
+  ) || state.messages.find((m) => m.pending && m.role === "assistant");
+  if (existing) {
+    return [{ ...state, activeMessageId: existing.id }, cloneMessage(existing)];
+  }
+  const closedMessages = state.messages.map(
+    (m) => m.role === "assistant" && m.pending ? { ...m, pending: false, updatedAt: timestamp } : m
+  );
+  const message = {
+    id: randomUUID2(),
+    role: "assistant",
+    content: "",
+    pending: true,
+    thinkingSteps: [],
+    createdAt: timestamp,
+    updatedAt: timestamp
+  };
+  return [
+    {
+      ...state,
+      activeMessageId: message.id,
+      messages: [...closedMessages, message]
+    },
+    message
+  ];
+};
+var mergeThinkingStep = (steps, chunk) => {
+  const node = chunk.node ?? "unknown";
+  const mergedSteps = steps ? [...steps] : [];
+  const chunkStatus = chunk.status ?? "streaming";
+  const existingIdx = [...mergedSteps].reverse().findIndex(
+    (s) => s.node === node && !TERMINAL_STEP_STATUSES.has(s.status ?? "pending")
+  );
+  const existingStepIdx = existingIdx >= 0 ? mergedSteps.length - 1 - existingIdx : -1;
+  if (existingStepIdx >= 0) {
+    const existing = mergedSteps[existingStepIdx];
+    const startedAt = existing.startedAt ?? existing.timestamp ?? chunk.receivedAt;
+    const isTerminal = TERMINAL_STEP_STATUSES.has(chunkStatus);
+    mergedSteps[existingStepIdx] = {
+      ...existing,
+      content: (existing.content ?? "") + (chunk.content ?? ""),
+      description: chunk.description ?? existing.description,
+      message: chunk.message ?? existing.message,
+      status: chunkStatus,
+      timestamp: chunk.receivedAt,
+      startedAt,
+      updatedAt: chunk.receivedAt,
+      completedAt: isTerminal ? chunk.receivedAt : existing.completedAt,
+      durationMs: Math.max(0, chunk.receivedAt - startedAt)
+    };
+  } else {
+    const isTerminal = TERMINAL_STEP_STATUSES.has(chunkStatus);
+    mergedSteps.push({
+      node,
+      type: chunk.type === "responding" ? "responding" : "thinking",
+      content: chunk.content,
+      description: chunk.description,
+      message: chunk.message,
+      status: chunkStatus,
+      timestamp: chunk.receivedAt,
+      startedAt: chunk.receivedAt,
+      updatedAt: chunk.receivedAt,
+      completedAt: isTerminal ? chunk.receivedAt : void 0,
+      durationMs: 0
+    });
+  }
+  return mergedSteps;
+};
+var mergeHitlStep = (steps, chunk) => {
+  const node = "hitl_middleware";
+  const existingIdx = steps?.findIndex((s) => s.node === node) ?? -1;
+  const mergedSteps = steps ? [...steps] : [];
+  const firstQuestion = chunk.questions[0];
+  const step = {
+    node,
+    type: "hitl",
+    description: "Waiting for your input",
+    message: firstQuestion?.text,
+    content: firstQuestion?.text,
+    status: "pending",
+    timestamp: chunk.receivedAt,
+    startedAt: chunk.receivedAt,
+    updatedAt: chunk.receivedAt,
+    durationMs: 0,
+    hitlQuestions: chunk.questions
+  };
+  if (existingIdx >= 0) {
+    mergedSteps[existingIdx] = {
+      ...mergedSteps[existingIdx],
+      ...step
+    };
+  } else {
+    mergedSteps.push(step);
+  }
+  return mergedSteps;
+};
+var parseFollowUps = (scratch) => (scratch ?? "").split(";").map((q) => q.trim()).filter(Boolean);
+var isErrorFallbackRespondingChunk = (chunk) => typeof chunk.source === "string" && chunk.source.startsWith(ERROR_FALLBACK_SOURCE_PREFIX);
+var getFallbackErrorMessage = (chunk) => chunk.content || chunk.description || chunk.message || "Unknown error";
+var initialChatState = {
+  status: "idle",
+  messages: []
+};
+var completeActiveAssistantMessage = (state, timestamp = Date.now()) => {
+  const activeMessage = state.activeMessageId && state.messages.find(
+    (message) => message.id === state.activeMessageId && message.role === "assistant"
+  ) || [...state.messages].reverse().find(
+    (message) => message.role === "assistant" && message.pending
+  ) || [...state.messages].reverse().find(
+    (message) => message.role === "assistant"
+  );
+  if (!activeMessage) {
+    return {
+      ...state,
+      status: state.status === "error" || state.status === "hitl_waiting" ? state.status : "complete"
+    };
+  }
+  return {
+    ...state,
+    status: state.status === "error" || state.status === "hitl_waiting" ? state.status : "complete",
+    messages: state.messages.map(
+      (message) => message.id === activeMessage.id ? {
+        ...message,
+        pending: false,
+        updatedAt: timestamp,
+        thinkingSteps: finalizeOpenSteps(
+          message.thinkingSteps,
+          "completed",
+          timestamp
+        )
+      } : message
+    )
+  };
+};
+var reduceChunk = (state, chunk) => {
+  const next = {
+    ...state,
+    lastChunk: chunk
+  };
+  if (chunk.type === "metadata") {
+    return {
+      ...next,
+      threadId: chunk.thread_id ?? next.threadId,
+      traceId: chunk.trace_id ?? next.traceId
+    };
+  }
+  if (chunk.type === "hitl_request") {
+    const [stateWithMessage, streamingMessage] = ensureAssistantMessage(
+      next,
+      chunk.receivedAt
+    );
+    const updatedMessage = cloneMessage(streamingMessage);
+    updatedMessage.pending = true;
+    updatedMessage.thinkingSteps = mergeHitlStep(
+      updatedMessage.thinkingSteps,
+      chunk
+    );
+    updatedMessage.updatedAt = chunk.receivedAt;
+    const messages = stateWithMessage.messages.map(
+      (m) => m.id === updatedMessage.id ? updatedMessage : m
+    );
+    return {
+      ...stateWithMessage,
+      status: "hitl_waiting",
+      messages,
+      activeMessageId: updatedMessage.id,
+      followUpScratch: void 0,
+      hitl: {
+        waiting: true,
+        questions: chunk.questions,
+        checkpointId: chunk.checkpoint_id,
+        pendingIntentId: chunk.pending_intent_id,
+        runId: chunk.run_id,
+        langsmithTraceId: chunk.langsmith_trace_id,
+        messageId: updatedMessage.id
+      }
+    };
+  }
+  if (chunk.type === "hitl_resume") {
+    return {
+      ...next,
+      status: "thinking",
+      hitl: void 0,
+      error: void 0
+    };
+  }
+  if (chunk.type === "error") {
+    const status = chunk.status === "aborted" ? "canceled" : "error";
+    const error = chunk.description || chunk.content || chunk.message || "Unknown error";
+    const messages = state.messages.map(
+      (m) => m.id === state.activeMessageId ? {
+        ...m,
+        pending: false,
+        error,
+        updatedAt: chunk.receivedAt,
+        thinkingSteps: finalizeOpenSteps(
+          m.thinkingSteps,
+          status === "canceled" ? "aborted" : "error",
+          chunk.receivedAt
+        )
+      } : m
+    );
+    return {
+      ...next,
+      status,
+      error,
+      messages,
+      hitl: void 0
+    };
+  }
+  if (chunk.type === "thinking" || chunk.type === "responding") {
+    const [stateWithMessage, streamingMessage] = ensureAssistantMessage(
+      next,
+      chunk.receivedAt
+    );
+    const updatedMessage = cloneMessage(streamingMessage);
+    updatedMessage.thinkingSteps = mergeThinkingStep(
+      updatedMessage.thinkingSteps,
+      chunk
+    );
+    updatedMessage.updatedAt = chunk.receivedAt;
+    if (chunk.type === "responding" && isErrorFallbackRespondingChunk(chunk)) {
+      const error = getFallbackErrorMessage(chunk);
+      updatedMessage.content = `${updatedMessage.content ?? ""}${chunk.content ?? ""}`;
+      updatedMessage.pending = false;
+      updatedMessage.updatedAt = chunk.receivedAt;
+      updatedMessage.thinkingSteps = finalizeOpenSteps(
+        updatedMessage.thinkingSteps,
+        "error",
+        chunk.receivedAt
+      );
+      const messages2 = stateWithMessage.messages.map(
+        (m) => m.id === updatedMessage.id ? updatedMessage : m
+      );
+      return {
+        ...stateWithMessage,
+        status: "error",
+        error,
+        followUpScratch: void 0,
+        messages: messages2,
+        activeMessageId: updatedMessage.id,
+        hitl: void 0
+      };
+    }
+    let followUpScratch = stateWithMessage.followUpScratch;
+    let status = stateWithMessage.status;
+    const keepHitlWaiting = Boolean(stateWithMessage.hitl?.waiting);
+    if (chunk.type === "responding" && STREAMING_NODES.has(chunk.node ?? "")) {
+      updatedMessage.content = `${updatedMessage.content ?? ""}${chunk.content ?? ""}`;
+      updatedMessage.pending = chunk.status !== "completed";
+      if (chunk.status === "completed") {
+        updatedMessage.thinkingSteps = finalizeOpenSteps(
+          updatedMessage.thinkingSteps,
+          "completed",
+          chunk.receivedAt
+        );
+      }
+      status = chunk.status === "completed" ? "complete" : "streaming";
+    } else if (chunk.type === "responding" && (chunk.node ?? "") === FOLLOW_UP_NODE) {
+      followUpScratch = `${followUpScratch ?? ""}${chunk.content ?? ""}`;
+      if (chunk.status === "completed") {
+        updatedMessage.followUpQuestions = parseFollowUps(followUpScratch);
+        followUpScratch = void 0;
+      }
+      status = "tool_running";
+    } else {
+      status = chunk.status === "completed" && chunk.node === "end" ? "complete" : stateWithMessage.status === "idle" || stateWithMessage.status === "connecting" ? "thinking" : stateWithMessage.status;
+      updatedMessage.pending = chunk.status !== "completed" || updatedMessage.pending;
+      if (chunk.status === "completed" && chunk.node === "end") {
+        updatedMessage.thinkingSteps = finalizeOpenSteps(
+          updatedMessage.thinkingSteps,
+          "completed",
+          chunk.receivedAt
+        );
+      }
+    }
+    if (keepHitlWaiting) {
+      status = "hitl_waiting";
+      updatedMessage.pending = true;
+    }
+    const messages = stateWithMessage.messages.map(
+      (m) => m.id === updatedMessage.id ? updatedMessage : m
+    );
+    return {
+      ...stateWithMessage,
+      status,
+      followUpScratch,
+      messages,
+      activeMessageId: updatedMessage.id,
+      hitl: keepHitlWaiting ? stateWithMessage.hitl : void 0
+    };
+  }
+  return next;
+};
+var appendQuery = (url, values) => {
+  for (const [key, value] of Object.entries(values)) {
+    if (value) {
+      url.searchParams.set(key, value);
+    }
+  }
+  return url;
+};
+var compactErrorBody2 = async (response) => {
+  const body = await response.text().catch(() => "");
+  const trimmed = body.trim();
+  if (!trimmed) {
+    return void 0;
+  }
+  const redacted = redactSensitiveText(trimmed);
+  return redacted.length > 1e3 ? `${redacted.slice(0, 1e3)}...` : redacted;
+};
+var isObject22 = (value) => typeof value === "object" && value !== null;
+var stringOr2 = (value, fallback) => typeof value === "string" && value.trim() ? value : fallback;
+var numberOr = (value, fallback = 0) => typeof value === "number" && Number.isFinite(value) ? value : fallback;
+var arrayOrEmpty = (value) => Array.isArray(value) ? value : [];
+var reportTypeToKind = (value) => value === "architecture" || value === "waf" ? "waf" : "cost";
+var backendReportType = (kind) => {
+  if (!kind || kind === "all") return void 0;
+  return kind === "waf" ? "architecture" : kind;
+};
+var requireProjectId = (projectId) => {
+  if (!projectId) {
+    throw new Error("Project ID is required for report requests.");
+  }
+  return projectId;
+};
+var requireUserId = (userId) => {
+  if (!userId) {
+    throw new Error("Authenticated user ID is required for report requests.");
+  }
+  return userId;
+};
+var normalizeCostParsed = (report, metrics = {}) => {
+  const parsed = isObject22(report.parsed) ? report.parsed : void 0;
+  if (parsed && isObject22(parsed.totalSpend) && isObject22(parsed.estimatedSavings)) {
+    return parsed;
+  }
+  const processed = isObject22(report.processed) ? report.processed : {};
+  const dashboard = isObject22(report.dashboard) ? report.dashboard : {};
+  const source = { ...metrics, ...dashboard, ...processed };
+  const currency = stringOr2(source.currency, "USD");
+  const monthly = numberOr(
+    source.total_monthly_cost ?? source.monthly_cost ?? source.monthly,
+    0
+  );
+  const savings = numberOr(
+    source.total_monthly_savings ?? (isObject22(source.opportunity_summary) ? source.opportunity_summary.total_monthly_savings : void 0) ?? source.monthly_savings,
+    0
+  );
+  return {
+    totalSpend: {
+      amount: monthly,
+      currency,
+      changePercent: numberOr(source.change_percent, 0)
+    },
+    estimatedSavings: {
+      amount: savings,
+      currency,
+      percentOfSpend: monthly > 0 ? savings / monthly * 100 : 0
+    },
+    serviceGroups: arrayOrEmpty(
+      source.service_family_breakdown ?? source.serviceGroups
+    ).map((item, index) => {
+      const row = isObject22(item) ? item : {};
+      return {
+        name: stringOr2(row.name ?? row.service ?? row.family, `Service ${index + 1}`),
+        amount: numberOr(row.amount ?? row.monthly_cost ?? row.cost, 0),
+        currency: stringOr2(row.currency, currency),
+        changePercent: numberOr(row.change_percent ?? row.changePercent, 0)
+      };
+    }),
+    recommendations: arrayOrEmpty(
+      source.recommendations ?? source.top_opportunities ?? source.opportunities
+    ).map((item, index) => {
+      const row = isObject22(item) ? item : {};
+      return {
+        id: stringOr2(row.id ?? row.resource_id, `recommendation-${index + 1}`),
+        title: stringOr2(row.title ?? row.recommendation ?? row.description, "Cost recommendation"),
+        monthlySavings: numberOr(row.monthlySavings ?? row.monthly_savings ?? row.savings, 0),
+        currency: stringOr2(row.currency, currency),
+        risk: stringOr2(row.risk, "medium")
+      };
+    }),
+    anomalies: arrayOrEmpty(source.anomalies),
+    budgets: arrayOrEmpty(source.budgets),
+    trend: arrayOrEmpty(source.trend ?? source.time_series)
+  };
+};
+var normalizeWafParsed = (report, metrics = {}) => {
+  const parsed = isObject22(report.parsed) ? report.parsed : void 0;
+  if (parsed && isObject22(parsed.score) && isObject22(parsed.counts)) {
+    return parsed;
+  }
+  const processed = isObject22(report.processed) ? report.processed : {};
+  const source = { ...metrics, ...processed };
+  const pillarScores = isObject22(source.pillar_scores) ? source.pillar_scores : {};
+  const rules = arrayOrEmpty(report.all_rules ?? source.rules).map((item, index) => {
+    const row = isObject22(item) ? item : {};
+    const outcome = stringOr2(row.status ?? row.outcome, "pass").toLowerCase();
+    return {
+      id: stringOr2(row.id ?? row.rule_id ?? row.name, `rule-${index + 1}`),
+      pillar: stringOr2(row.pillar, "Uncategorized"),
+      title: stringOr2(row.title ?? row.description, "Architecture rule"),
+      status: outcome === "fail" || outcome === "error" ? "fail" : outcome === "warn" ? "warn" : "pass",
+      severity: stringOr2(row.severity, "medium").toLowerCase(),
+      resource: typeof row.resource === "string" ? row.resource : void 0,
+      evidence: typeof row.evidence === "string" ? row.evidence : void 0,
+      recommendation: typeof row.recommendation === "string" ? row.recommendation : void 0
+    };
+  });
+  const failedRules = rules.filter((rule) => rule.status === "fail");
+  const mediumRules = rules.filter((rule) => rule.severity === "medium");
+  const highRules = rules.filter(
+    (rule) => rule.severity === "high" || rule.severity === "critical"
+  );
+  return {
+    score: {
+      overall: numberOr(source.overall_score, 0),
+      pillars: Object.entries(pillarScores).map(([id, score]) => ({
+        id,
+        label: id,
+        score: numberOr(score, 0),
+        passed: 0,
+        warned: 0,
+        failed: 0
+      }))
+    },
+    counts: {
+      passed: rules.length - failedRules.length,
+      highRisk: numberOr(source.high_count, highRules.length),
+      mediumRisk: numberOr(source.medium_count, mediumRules.length),
+      evidenceCoveragePercent: numberOr(source.evidence_coverage_percent, 0)
+    },
+    rules
+  };
+};
+var normalizeBackendReportDetail = (input, fallback) => {
+  if (!isObject22(input)) {
+    return normalizeReportEnvelope(input);
+  }
+  const report = isObject22(input.report) ? input.report : input;
+  const reportType = input.report_type ?? report.kind ?? fallback.reportType;
+  const kind = reportTypeToKind(reportType);
+  const projectId = stringOr2(input.project_id ?? report.project_id, fallback.projectId);
+  const generatedAt = stringOr2(
+    input.timestamp ?? report.generated_at ?? (isObject22(report.metadata) ? report.metadata.generated_at : void 0),
+    (/* @__PURE__ */ new Date(0)).toISOString()
+  );
+  const parsed = kind === "waf" ? normalizeWafParsed(report) : normalizeCostParsed(report);
+  return {
+    id: stringOr2(report.id, `${kind}:latest:${projectId}`),
+    kind,
+    projectId,
+    generatedAt,
+    source: { provider: "azure" },
+    raw: report,
+    parsed,
+    formatted: isObject22(report.formatted) ? normalizeReportEnvelope({ ...report, kind, project_id: projectId }).formatted : void 0
+  };
+};
+var normalizeBackendHistoryItem = (input) => {
+  if (!isObject22(input)) {
+    return normalizeReportEnvelope(input);
+  }
+  const kind = reportTypeToKind(input.report_type);
+  const projectId = stringOr2(input.project_id, "unknown-project");
+  const generatedAt = stringOr2(input.generated_at, (/* @__PURE__ */ new Date(0)).toISOString());
+  const metrics = isObject22(input.metrics) ? input.metrics : {};
+  return {
+    id: stringOr2(input.report_id ?? input.id, `${kind}:${generatedAt}`),
+    kind,
+    projectId,
+    generatedAt,
+    source: { provider: "azure" },
+    raw: input,
+    parsed: kind === "waf" ? normalizeWafParsed({}, metrics) : normalizeCostParsed({}, metrics),
+    formatted: {
+      title: `${kind === "waf" ? "Well-Architected Framework" : "Cost"} report`,
+      summary: stringOr2(input.status, "Report available"),
+      sections: []
+    }
+  };
+};
+var normalizeBackendHistory = (input) => {
+  const items = isObject22(input) && Array.isArray(input.items) ? input.items : input;
+  if (!Array.isArray(items)) {
+    return normalizeReportList(input);
+  }
+  return items.map((item) => normalizeBackendHistoryItem(item));
+};
+var fetchJson = async (options, path2, query = {}) => {
+  const apiBase = normalizeApiBase(options.baseUrl);
+  const url = appendQuery(new URL(`${apiBase}${path2}`), query);
+  const response = await fetch(url, {
+    method: "GET",
+    headers: getCLIHeaders(options.authToken)
+  });
+  if (!response.ok) {
+    const body = await compactErrorBody2(response);
+    throw new Error(
+      `Report request failed with status ${response.status} ${response.statusText}${body ? `: ${body}` : ""}`
+    );
+  }
+  return response.json();
+};
+var postJson = async (options, path2, query = {}, body) => {
+  const apiBase = normalizeApiBase(options.baseUrl);
+  const url = appendQuery(new URL(`${apiBase}${path2}`), query);
+  const response = await fetch(url, {
+    method: "POST",
+    headers: withIdempotencyHeader({
+      ...getCLIHeaders(options.authToken),
+      "content-type": "application/json"
+    }),
+    body: body === void 0 ? void 0 : JSON.stringify(body)
+  });
+  if (!response.ok) {
+    const bodyText = await compactErrorBody2(response);
+    throw new Error(
+      `Report request failed with status ${response.status} ${response.statusText}${bodyText ? `: ${bodyText}` : ""}`
+    );
+  }
+  return response.json();
+};
+var fetchReportResource = async (options, path2, query = {}) => fetchJson(options, path2, query);
+var listReports = async (options) => {
+  const raw = await fetchJson(options, "/reports/history", {
+    user_id: requireUserId(options.userId),
+    project_ids: requireProjectId(options.projectId),
+    report_type: backendReportType(options.kind)
+  });
+  return normalizeBackendHistory(raw).filter((report) => {
+    if (!options.kind || options.kind === "all") return true;
+    return report.kind === options.kind;
+  });
+};
+var getReport = async (options) => {
+  if (options.reportId.startsWith("latest:") || options.reportId.startsWith("history:")) {
+    const reports = await listReports({
+      baseUrl: options.baseUrl,
+      authToken: options.authToken,
+      projectId: options.projectId,
+      userId: options.userId,
+      kind: "all"
+    });
+    const found = reports.find((report) => report.id === options.reportId);
+    if (found) {
+      const reportType = found.kind === "waf" ? "architecture" : "cost";
+      return normalizeBackendReportDetail(
+        await fetchJson(
+          options,
+          `/reports/detail/${encodeURIComponent(found.projectId)}/${reportType}`,
+          {
+            user_id: requireUserId(options.userId),
+            timestamp: found.raw && isObject22(found.raw) && !found.raw.is_latest ? found.generatedAt : void 0
+          }
+        ),
+        { projectId: found.projectId, reportType }
+      );
+    }
+  }
+  const raw = await fetchJson(
+    options,
+    `/reports/${encodeURIComponent(options.reportId)}`,
+    { project_id: options.projectId, view: options.view }
+  );
+  return normalizeReportEnvelope(raw);
+};
+var getCostReport = async (options) => {
+  const projectId = requireProjectId(options.projectId);
+  const raw = await fetchJson(
+    options,
+    `/reports/detail/${encodeURIComponent(projectId)}/cost`,
+    { user_id: requireUserId(options.userId) }
+  );
+  return normalizeBackendReportDetail(raw, { projectId, reportType: "cost" });
+};
+var getWafReport = async (options) => {
+  const projectId = requireProjectId(options.projectId);
+  const raw = await fetchJson(
+    options,
+    `/reports/detail/${encodeURIComponent(projectId)}/architecture`,
+    { user_id: requireUserId(options.userId) }
+  );
+  const report = normalizeBackendReportDetail(raw, { projectId, reportType: "architecture" });
+  if (options.severity && isObject22(report.parsed) && Array.isArray(report.parsed.rules)) {
+    return {
+      ...report,
+      parsed: {
+        ...report.parsed,
+        rules: report.parsed.rules.filter(
+          (rule) => isObject22(rule) && String(rule.severity).toLowerCase() === options.severity?.toLowerCase()
+        )
+      }
+    };
+  }
+  return report;
+};
+var getReportDetail = async (options) => fetchJson(
+  options,
+  `/reports/detail/${encodeURIComponent(options.projectId)}/${encodeURIComponent(
+    options.reportType
+  )}`,
+  {
+    user_id: options.userId,
+    timestamp: options.timestamp
+  }
+);
+var getCostReportFull = async (options) => fetchJson(options, `/cost-reports/${encodeURIComponent(options.projectId)}/full`, {
+  user_id: options.userId
+});
+var getWafReportFull = async (options) => fetchJson(
+  options,
+  `/well-architected-reports/${encodeURIComponent(options.projectId)}/full`,
+  {
+    user_id: options.userId
+  }
+);
+var getCostReportHistory = async (options) => options.timestamp ? fetchJson(
+  options,
+  `/cost-reports/${encodeURIComponent(options.projectId)}/historical/${encodeURIComponent(
+    options.timestamp
+  )}`,
+  { user_id: options.userId }
+) : fetchJson(options, `/cost-reports/${encodeURIComponent(options.projectId)}/historical`, {
+  user_id: options.userId
+});
+var getWafReportHistory = async (options) => options.timestamp ? fetchJson(
+  options,
+  `/well-architected-reports/${encodeURIComponent(
+    options.projectId
+  )}/history/${encodeURIComponent(options.timestamp)}`,
+  { user_id: options.userId }
+) : fetchJson(
+  options,
+  `/well-architected-reports/${encodeURIComponent(options.projectId)}/history`,
+  { user_id: options.userId }
+);
+var reportRunTypes = (type) => {
+  if (type === "all") return ["cost", "waf", "unit-tests"];
+  if (type === "architecture") return ["waf"];
+  return [type];
+};
+var boolQuery = (value) => value === void 0 ? void 0 : String(Boolean(value));
+var runReports = async (options) => {
+  const projectId = requireProjectId(options.projectId);
+  const userId = requireUserId(options.userId);
+  const results = [];
+  for (const type of reportRunTypes(options.type)) {
+    if (type === "cost") {
+      results.push(
+        await postJson(options, `/cost-reports/${encodeURIComponent(projectId)}/regenerate`, {
+          user_id: userId,
+          region: options.region,
+          currency: options.currency,
+          include_time_series: boolQuery(options.includeTimeSeries),
+          save_report: boolQuery(options.saveReport)
+        })
+      );
+      continue;
+    }
+    if (type === "waf") {
+      results.push(
+        await postJson(
+          options,
+          `/well-architected-reports/${encodeURIComponent(projectId)}/regenerate`,
+          {
+            user_id: userId,
+            save_report: boolQuery(options.saveReport)
+          }
+        )
+      );
+      continue;
+    }
+    results.push(
+      await postJson(options, `/reports/${encodeURIComponent(projectId)}/unit-tests/regenerate`, {
+        user_id: userId
+      })
+    );
+  }
+  return results;
+};
+var getReportJobStatus = async (options) => fetchJson(options, `/jobs/${encodeURIComponent(options.jobId)}`, {
+  user_id: requireUserId(options.userId)
+});
+var CREDIT_LOW_RATIO = 0.1;
+var CREDIT_WARNING_RATIO = 0.25;
+var DEFAULT_FREE_TRIAL_CREDITS_TOTAL = 1e3;
+var fetchBillingJson = async (options, path2, query = {}, request = {}) => {
+  const url = new URL(`${normalizeApiBase(options.baseUrl)}${path2}`);
+  for (const [key, value] of Object.entries(query)) {
+    if (value !== void 0 && value !== "") {
+      url.searchParams.set(key, String(value));
+    }
+  }
+  const headers = request.method === "POST" ? withIdempotencyHeader(getCLIHeaders(options.authToken)) : getCLIHeaders(options.authToken);
+  if (request.body) {
+    headers["content-type"] = "application/json";
+  }
+  const response = await fetch(url, {
+    method: request.method ?? "GET",
+    headers,
+    ...request.body ? { body: JSON.stringify(request.body) } : {}
+  });
+  if (!response.ok) {
+    const body = await response.text().catch(() => "");
+    const redactedBody = redactSensitiveText(body.trim());
+    throw new Error(
+      `Billing request failed with status ${response.status} ${response.statusText}${redactedBody ? `: ${redactedBody}` : ""}`
+    );
+  }
+  return await response.json();
+};
+var unwrapData = (value) => {
+  if (value && typeof value === "object" && "data" in value && value.data) {
+    return value.data;
+  }
+  return value;
+};
+var getBillingConfig = (options) => fetchBillingJson(options, "/billing/config");
+var getBillingEntitlement = async (options) => unwrapData(await fetchBillingJson(
+  options,
+  "/billing/entitlement"
+));
+var getSubscriptionStatus = (options) => fetchBillingJson(options, "/billing/subscription/status");
+var getSubscriptionBillingInfo = (options) => fetchBillingJson(options, "/billing/subscription/billing-info", {
+  limit: Math.max(1, Math.min(50, Number(options.limit ?? 20)))
+});
+var getTopUpPacks = (options) => fetchBillingJson(options, "/billing/top-up/packs");
+var createTopUpCheckoutSession = (options) => fetchBillingJson(
+  options,
+  "/billing/checkout/session/top-up",
+  {},
+  {
+    method: "POST",
+    body: {
+      pack_id: options.packId,
+      ...options.returnTo ? { return_to: options.returnTo } : {},
+      ...options.preferredCurrency ? { preferred_currency: options.preferredCurrency } : {},
+      ...options.countryCode ? { country_code: options.countryCode } : {},
+      ...options.contactEmail ? { contact_email: options.contactEmail } : {},
+      ...options.contactPhone ? { contact_phone: options.contactPhone } : {},
+      ...options.contactCountryCode ? { contact_country_code: options.contactCountryCode } : {}
+    }
+  }
+);
+var getBillingNotifications = (options) => fetchBillingJson(options, "/billing/notifications", {
+  limit: Math.max(1, Math.min(100, Number(options.limit ?? 25)))
+});
+var getBillingUsageSummary = (options) => fetchBillingJson(options, "/billing/usage/summary", {
+  start_at: options.startAt,
+  end_at: options.endAt,
+  granularity: options.granularity,
+  action_type: options.actionType,
+  model_name: options.modelName,
+  outcome: options.outcome,
+  trigger_mode: options.triggerMode,
+  charge_status: options.chargeStatus
+});
+var getBillingUsageLedger = (options) => fetchBillingJson(options, "/billing/usage/ledger", {
+  start_at: options.startAt,
+  end_at: options.endAt,
+  action_type: options.actionType,
+  model_name: options.modelName,
+  outcome: options.outcome,
+  trigger_mode: options.triggerMode,
+  charge_status: options.chargeStatus,
+  limit: options.limit,
+  cursor: options.cursor
+});
+var isFreePlan = (plan) => {
+  if (!plan) {
+    return false;
+  }
+  const id = String(plan.id || "").toLowerCase();
+  const name = String(plan.name || "").toLowerCase();
+  return id === "free" || name === "free" || Number(plan.price_usd ?? NaN) === 0;
+};
+var getCreditStatus = (summary, options) => {
+  if (!summary) {
+    return null;
+  }
+  const planName = summary.plan?.name || "Plan";
+  const planId = String(summary.plan?.id || "").toLowerCase();
+  const normalizedPlanName = String(summary.plan?.name || "").toLowerCase();
+  const planSource = String(summary.plan_source || "").toLowerCase();
+  const isFreeLikePlan = isFreePlan(summary.plan) || planSource === "trial" || planSource === "free" || planSource === "free_blocked";
+  const explicitUnlimited = planId.includes("enterprise") || normalizedPlanName.includes("enterprise");
+  const balance = summary.balance || {};
+  const cycleTotal = Math.max(
+    Number(balance.credits_total_cycle ?? balance.credits_total ?? 0),
+    0
+  );
+  const cycleRemaining = Math.max(
+    Number(balance.credits_remaining_cycle ?? balance.credits_remaining ?? 0),
+    0
+  );
+  const cycleUsed = Math.max(
+    Number.isFinite(Number(balance.credits_used_cycle ?? balance.credits_used)) ? Number(balance.credits_used_cycle ?? balance.credits_used) : cycleTotal - cycleRemaining,
+    0
+  );
+  const topUpBalance = Math.max(
+    Number(balance.top_up_credits_balance ?? summary.top_up_credits_balance ?? 0),
+    0
+  );
+  const fallbackEffectiveTotal = cycleTotal + topUpBalance;
+  const fallbackEffectiveRemaining = cycleRemaining + topUpBalance;
+  const reportedEffectiveTotal = Number(balance.credits_total_effective ?? NaN);
+  const reportedEffectiveRemaining = Number(
+    balance.credits_remaining_effective ?? summary.credits_remaining_total ?? NaN
+  );
+  let effectiveTotal = Number.isFinite(reportedEffectiveTotal) ? Math.max(reportedEffectiveTotal, fallbackEffectiveTotal, 0) : fallbackEffectiveTotal;
+  const effectiveRemaining = Number.isFinite(reportedEffectiveRemaining) ? Math.max(reportedEffectiveRemaining, fallbackEffectiveRemaining, 0) : fallbackEffectiveRemaining;
+  if (effectiveTotal <= 0) {
+    effectiveTotal = fallbackEffectiveTotal;
+  }
+  if (effectiveRemaining > effectiveTotal) {
+    effectiveTotal = effectiveRemaining;
+  }
+  const trialTotal = Math.max(
+    Number(
+      summary.trial_state?.credits_total ?? summary.trial_state?.initial_credits ?? summary.plan?.features?.trial_credits_total ?? DEFAULT_FREE_TRIAL_CREDITS_TOTAL
+    ),
+    0
+  );
+  const useTrialDisplayTotal = isFreeLikePlan && effectiveTotal <= 0 && trialTotal > 0;
+  const displayTotal = useTrialDisplayTotal ? trialTotal : effectiveTotal;
+  const remainingCandidate = useTrialDisplayTotal && (summary.trial_state?.consumed || summary.trial_state?.blocked) ? 0 : effectiveRemaining;
+  const remaining = displayTotal > 0 ? Math.min(Math.max(remainingCandidate, 0), displayTotal) : 0;
+  const used = displayTotal > 0 ? Math.max(displayTotal - remaining, 0) : 0;
+  const remainingRatio = displayTotal > 0 ? remaining / displayTotal : explicitUnlimited ? 1 : 0;
+  const creditsPerEvent = options?.creditsPerEvent;
+  const messagesRemaining = explicitUnlimited || !creditsPerEvent || creditsPerEvent <= 0 ? null : Math.max(0, Math.floor(remaining / creditsPerEvent));
+  const exhausted = summary.credits_exhausted === true || !explicitUnlimited && remaining <= 0;
+  const low = !exhausted && (summary.credits_low === true || remainingRatio <= CREDIT_LOW_RATIO);
+  const warning = !exhausted && !low && remainingRatio <= CREDIT_WARNING_RATIO;
+  const tone = exhausted ? "exhausted" : low ? "low" : warning ? "warning" : "normal";
+  return {
+    planName,
+    remaining,
+    total: displayTotal,
+    used,
+    cycleTotal,
+    cycleUsed,
+    cycleRemaining,
+    effectiveTotal,
+    effectiveRemaining,
+    topUpBalance,
+    remainingRatio,
+    isUnlimited: explicitUnlimited,
+    tone,
+    messagesRemaining
+  };
+};
+var providerValues = /* @__PURE__ */ new Set(["azure", "aws", "gcp"]);
+var sanitizeNamePart = (value) => value.replace(/\.(json|yaml|yml|tf)$/i, "").replace(/[-_]+/g, " ").replace(/\s+/g, " ").trim();
+var inferCloudProvider = (owner, repo, filePath) => {
+  const haystack = `${owner}/${repo}/${filePath}`.toLowerCase();
+  if (haystack.includes("aws") || haystack.includes("cloudformation")) {
+    return "aws";
+  }
+  if (haystack.includes("gcp") || haystack.includes("google")) {
+    return "gcp";
+  }
+  return "azure";
+};
+var generateProjectName = (filePath, repo) => {
+  const parts = filePath.split("/").filter(Boolean);
+  const file = parts[parts.length - 1] || repo;
+  const parent = parts.length > 1 ? parts[parts.length - 2] : "";
+  if (/^azuredeploy\.json$/i.test(file) && parent) {
+    return sanitizeNamePart(parent);
+  }
+  return sanitizeNamePart(file || repo) || repo;
+};
+var parseTemplateUrl = (value) => {
+  try {
+    const url = new URL(value);
+    const parts = url.pathname.split("/").filter(Boolean);
+    if (url.hostname === "raw.githubusercontent.com") {
+      if (parts.length < 3) {
+        return null;
+      }
+      const [owner2, repo2, branch2, ...fileParts] = parts;
+      const filePath2 = fileParts.join("/");
+      return {
+        normalizedUrl: value,
+        githubUrl: `https://github.com/${owner2}/${repo2}/blob/${branch2}/${filePath2}`,
+        cloudProvider: inferCloudProvider(owner2, repo2, filePath2),
+        suggestedName: generateProjectName(filePath2, repo2),
+        suggestedDescription: `Template from ${owner2}/${repo2}`,
+        owner: owner2,
+        repo: repo2,
+        branch: branch2,
+        filePath: filePath2
+      };
+    }
+    if (url.hostname !== "github.com" || parts.length < 4) {
+      return null;
+    }
+    const [owner, repo, type, branch, ...rest] = parts;
+    if (type !== "blob" && type !== "tree") {
+      return null;
+    }
+    const rawRest = rest.join("/");
+    const filePath = rawRest && /\.(json|yaml|yml|tf)$/i.test(rawRest) ? rawRest : rawRest ? `${rawRest}/azuredeploy.json` : "azuredeploy.json";
+    return {
+      normalizedUrl: `https://raw.githubusercontent.com/${owner}/${repo}/${branch}/${filePath}`,
+      githubUrl: value,
+      cloudProvider: inferCloudProvider(owner, repo, filePath),
+      suggestedName: generateProjectName(filePath, repo),
+      suggestedDescription: `Template from ${owner}/${repo}`,
+      owner,
+      repo,
+      branch,
+      filePath
+    };
+  } catch {
+    return null;
+  }
+};
+var buildQuickProjectPayload = (input) => {
+  const inferred = input.templateUrl ? parseTemplateUrl(input.templateUrl) : null;
+  const normalizedTemplateUrl = inferred?.normalizedUrl ?? input.templateUrl;
+  const provider = input.provider ?? inferred?.cloudProvider ?? "azure";
+  if (!providerValues.has(provider)) {
+    throw new Error(`Unsupported cloud provider '${provider}'.`);
+  }
+  const name = input.name?.trim() || inferred?.suggestedName || "Quick Project";
+  const description = input.description?.trim() || inferred?.suggestedDescription || `Template project for ${name}`;
+  const connection = {
+    user_id: input.userId,
+    name: `${name} Connection`,
+    cloud_provider: provider,
+    description,
+    type: "template",
+    ...normalizedTemplateUrl ? { template_url: normalizedTemplateUrl } : {},
+    ...input.parametersUrl ? { parameters_file_url: input.parametersUrl } : {},
+    auto_sync: true
+  };
+  const project = {
+    user_id: input.userId,
+    name,
+    description,
+    cloud_provider: provider,
+    connection_ids: [],
+    type: "template",
+    report_config: {
+      auto_generate_reports: true,
+      include_cost_report: true,
+      include_cost_forecast: true,
+      region: "eastus",
+      currency: "USD"
+    }
+  };
+  return {
+    connection,
+    project,
+    normalizedTemplateUrl,
+    inferred
+  };
+};
+var responseJson = async (response, label) => {
+  if (!response.ok) {
+    const body = await response.text().catch(() => "");
+    const redactedBody = redactSensitiveText(body.trim());
+    throw new Error(
+      `${label} failed with status ${response.status} ${response.statusText}${redactedBody ? `: ${redactedBody}` : ""}`
+    );
+  }
+  return await response.json();
+};
+var appendConnectionBody = (payload, input) => {
+  if (!input.templateFile && !input.parametersFile) {
+    return JSON.stringify(payload);
+  }
+  const formData = new FormData();
+  formData.append("user_id", payload.user_id);
+  formData.append("name", payload.name);
+  formData.append("cloud_provider", payload.cloud_provider);
+  formData.append("description", payload.description);
+  formData.append("type", payload.type);
+  formData.append("auto_sync", String(payload.auto_sync ?? true));
+  if (payload.template_url) {
+    formData.append("template_url", payload.template_url);
+  }
+  if (payload.parameters_file_url) {
+    formData.append("parameters_file_url", payload.parameters_file_url);
+  }
+  if (input.templateFile) {
+    formData.append("template_file", input.templateFile, input.templateFileName || "template.json");
+  }
+  if (input.parametersFile) {
+    formData.append(
+      "parameters_file",
+      input.parametersFile,
+      input.parametersFileName || "parameters.json"
+    );
+  }
+  return formData;
+};
+var headersForBody = (authToken, body) => {
+  if (typeof FormData !== "undefined" && body instanceof FormData) {
+    const headers = getCLIHeaders(authToken);
+    delete headers["Content-Type"];
+    return headers;
+  }
+  return getCLIHeaders(authToken);
+};
+var createQuickProject = async (input) => {
+  if (!input.templateUrl && !input.templateFile) {
+    throw new Error("Provide --template-url or --template-file.");
+  }
+  const built = buildQuickProjectPayload(input);
+  const apiBase = normalizeApiBase(input.baseUrl);
+  const connectionBody = appendConnectionBody(built.connection, input);
+  const connection = await responseJson(
+    await fetch(`${apiBase}/connection/`, {
+      method: "POST",
+      headers: withIdempotencyHeader(headersForBody(input.authToken, connectionBody)),
+      body: connectionBody
+    }),
+    "Connection creation"
+  );
+  const connectionId = String(connection.id || "");
+  if (!connectionId) {
+    throw new Error("Connection creation did not return a connection id.");
+  }
+  const projectPayload = {
+    ...built.project,
+    connection_ids: [connectionId]
+  };
+  const project = await responseJson(
+    await fetch(`${apiBase}/projects/`, {
+      method: "POST",
+      headers: withIdempotencyHeader(getCLIHeaders(input.authToken)),
+      body: JSON.stringify(projectPayload)
+    }),
+    "Project creation"
+  );
+  return {
+    project,
+    connection,
+    syncStatus: connection.sync_status ?? connection.sync_job ?? null,
+    normalizedTemplateUrl: built.normalizedTemplateUrl,
+    inferred: built.inferred
+  };
+};
+var listConnections = async (options) => {
+  const response = await fetch(
+    `${normalizeApiBase(options.baseUrl)}/connection/user/${encodeURIComponent(options.userId)}`,
+    { method: "GET", headers: getCLIHeaders(options.authToken) }
+  );
+  return responseJson(response, "List connections");
+};
+var getConnection = async (options) => {
+  const connections = await listConnections(options);
+  return connections.find((connection) => String(connection.id) === options.connectionId) ?? null;
+};
+var compactErrorBody3 = async (response) => {
+  const body = await response.text().catch(() => "");
+  const trimmed = body.trim();
+  return trimmed ? redactSensitiveText(trimmed).slice(0, 1e3) : void 0;
+};
+var fetchCredentialJson = async (options, path2, request = {}) => {
+  const url = new URL(`${normalizeApiBase(options.baseUrl)}${path2}`);
+  for (const [key, value] of Object.entries(request.query ?? {})) {
+    if (value) {
+      url.searchParams.set(key, value);
+    }
+  }
+  const headers = request.method === "POST" ? withIdempotencyHeader(getCLIHeaders(options.authToken), request.idempotencyKey) : getCLIHeaders(options.authToken);
+  const response = await fetch(url, {
+    method: request.method ?? "GET",
+    headers,
+    ...request.body ? { body: JSON.stringify(request.body) } : {}
+  });
+  if (!response.ok) {
+    const body = await compactErrorBody3(response);
+    throw new Error(
+      `Credential request failed with status ${response.status} ${response.statusText}${body ? `: ${body}` : ""}`
+    );
+  }
+  return await response.json();
+};
+var getCredentialTemplates = (options) => fetchCredentialJson(options, "/credential-templates");
+var listCredentials = (options) => fetchCredentialJson(options, "/credentials", {
+  query: { project_id: options.projectId }
+});
+var createCredential = (options) => fetchCredentialJson(options, "/credentials", {
+  method: "POST",
+  idempotencyKey: options.idempotencyKey,
+  body: {
+    template: options.template,
+    name: options.name,
+    ...options.projectId ? { project_id: options.projectId } : {},
+    ...options.expires ? { expires: options.expires } : {},
+    ...options.capabilities?.length ? { capabilities: options.capabilities } : {}
+  }
+});
+var getCredential = (options) => fetchCredentialJson(
+  options,
+  `/credentials/${encodeURIComponent(options.credentialId)}`
+);
+var revokeCredential = (options) => fetchCredentialJson(
+  options,
+  `/credentials/${encodeURIComponent(options.credentialId)}/revoke`,
+  {
+    method: "POST",
+    idempotencyKey: options.idempotencyKey,
+    body: options.reason ? { reason: options.reason } : {}
+  }
+);
+var getIdentity = (options) => fetchCredentialJson(options, "/identity");
+var getCapabilities = (options) => fetchCredentialJson(options, "/capabilities");
+var AgentProfileRequestError = class extends Error {
+  status;
+  statusText;
+  body;
+  code;
+  requiresAuth;
+  constructor(input) {
+    super(
+      `Agent Profile request failed with status ${input.status} ${input.statusText}${input.body.trim() ? `: ${input.body.trim().slice(0, 1e3)}` : ""}`
+    );
+    this.name = "AgentProfileRequestError";
+    this.status = input.status;
+    this.statusText = input.statusText;
+    this.body = input.body;
+    this.code = input.code;
+    this.requiresAuth = input.requiresAuth;
+  }
+};
+var parseErrorBody = (body) => {
+  try {
+    const parsed = JSON.parse(body);
+    return {
+      code: typeof parsed.code === "string" ? parsed.code : void 0,
+      requiresAuth: typeof parsed.requiresAuth === "boolean" ? parsed.requiresAuth : void 0
+    };
+  } catch {
+    return {};
+  }
+};
+var isAgentProfileAuthRequiredError = (error) => {
+  if (!(error instanceof AgentProfileRequestError)) {
+    return false;
+  }
+  return error.requiresAuth === true || error.code === "AUTH_REQUIRED_PUBLIC" || error.status === 401 || error.status === 403;
+};
+var isAgentProfileDiscoveryFallbackError = (error) => {
+  if (isAgentProfileAuthRequiredError(error)) {
+    return true;
+  }
+  return error instanceof AgentProfileRequestError && error.status === 404;
+};
+var fetchAgentProfileJson = async (options, path2) => {
+  const response = await fetch(`${normalizeApiBase(options.baseUrl)}${path2}`, {
+    headers: getCLIHeaders(options.authToken)
+  });
+  if (!response.ok) {
+    const body = await response.text().catch(() => "");
+    const parsed = parseErrorBody(body);
+    throw new AgentProfileRequestError({
+      status: response.status,
+      statusText: response.statusText,
+      body,
+      code: parsed.code,
+      requiresAuth: parsed.requiresAuth
+    });
+  }
+  return await response.json();
+};
+var listAgentProfiles = (options) => fetchAgentProfileJson(options, "/agent-profiles");
+var getAgentProfile = (options) => fetchAgentProfileJson(
+  options,
+  `/agent-profiles/${encodeURIComponent(options.profileId)}`
+);
+
+export {
+  normalizeReportEnvelope,
+  normalizeReportList,
+  SECRET_REDACTION,
+  isSensitiveSecretKey,
+  redactSensitiveText,
+  redactSensitiveSecrets,
+  BUNDLED_AGENT_PROFILES,
+  getBundledAgentProfiles,
+  getBundledAgentProfile,
+  assertSecureBaseUrl,
+  normalizeApiBase,
+  clearAuthSession,
+  getCLIHeaders,
+  getProjects,
+  getAccessibleProjects,
+  ensurePlaygroundProject,
+  ensureDefaultProject,
+  loginWithDeviceCode,
+  login,
+  logout,
+  getAuthStatus,
+  extractEmailFromToken,
+  isAuthLookupFailure,
+  checkUserStatus,
+  completeOnboarding,
+  getAuthToken,
+  getAuthHeader,
+  streamChat,
+  initialChatState,
+  completeActiveAssistantMessage,
+  reduceChunk,
+  fetchReportResource,
+  listReports,
+  getReport,
+  getCostReport,
+  getWafReport,
+  getReportDetail,
+  getCostReportFull,
+  getWafReportFull,
+  getCostReportHistory,
+  getWafReportHistory,
+  runReports,
+  getReportJobStatus,
+  getBillingConfig,
+  getBillingEntitlement,
+  getSubscriptionStatus,
+  getSubscriptionBillingInfo,
+  getTopUpPacks,
+  createTopUpCheckoutSession,
+  getBillingNotifications,
+  getBillingUsageSummary,
+  getBillingUsageLedger,
+  getCreditStatus,
+  parseTemplateUrl,
+  buildQuickProjectPayload,
+  createQuickProject,
+  listConnections,
+  getConnection,
+  getCredentialTemplates,
+  listCredentials,
+  createCredential,
+  getCredential,
+  revokeCredential,
+  getIdentity,
+  getCapabilities,
+  AgentProfileRequestError,
+  isAgentProfileAuthRequiredError,
+  isAgentProfileDiscoveryFallbackError,
+  listAgentProfiles,
+  getAgentProfile
+};