@kweaver-ai/kweaver-sdk 0.5.1 → 0.6.0

package/dist/auth/oauth.js

@@ -1,10 +1,32 @@
-import { getCurrentPlatform, loadClientConfig, loadTokenConfig, saveClientConfig, saveTokenConfig, setCurrentPlatform, } from "../config/store.js";
-import { HttpError, NetworkRequestError } from "../utils/http.js";
+import { isNoAuth } from "../config/no-auth.js";
+import { deleteClientConfig, getCurrentPlatform, loadClientConfig, loadTokenConfig, loadUserTokenConfig, resolveUserId, saveClientConfig, saveNoAuthPlatform, saveTokenConfig, setCurrentPlatform, } from "../config/store.js";
+import { HttpError, NetworkRequestError, fetchWithRetry } from "../utils/http.js";
 const TOKEN_TTL_SECONDS = 3600;
 /** Seconds before access token expiry to trigger refresh (matches Python ConfigAuth). */
 const REFRESH_THRESHOLD_SEC = 60;
 const DEFAULT_REDIRECT_PORT = 9010;
 const DEFAULT_SCOPE = "openid offline all";
+/** Best-effort fetch of display name via EACP userinfo (ShareServer). */
+async function fetchDisplayName(baseUrl, accessToken, tlsInsecure) {
+    try {
+        const res = await runWithTlsInsecure(tlsInsecure, () => fetch(`${baseUrl}/api/eacp/v1/user/get`, {
+            headers: { Authorization: `Bearer ${accessToken}`, Accept: "application/json" },
+        }));
+        if (!res.ok)
+            return null;
+        const info = (await res.json());
+        if (typeof info.account === "string")
+            return info.account;
+        if (typeof info.name === "string")
+            return info.name;
+        if (typeof info.mail === "string")
+            return info.mail;
+    }
+    catch {
+        /* Non-critical — displayName will be absent. */
+    }
+    return null;
+}
 /** POSIX shell single-quote escaping for copy-paste commands. */
 export function shellQuoteForShell(value) {
     return `'${value.replace(/'/g, `'\\''`)}'`;
@@ -118,11 +140,132 @@ async function generatePkce() {
     const challenge = createHash("sha256").update(verifier).digest("base64url");
     return { verifier, challenge };
 }
+/**
+ * Pre-flight check: verify that a cached OAuth2 client is still recognised
+ * by the server. Fetches the authorization endpoint with `redirect: "manual"`
+ * and inspects the Location header. Returns false when Hydra redirects to an
+ * error page containing `invalid_client` or similar indicators.
+ */
+async function isClientStillValid(baseUrl, clientId, redirectUri) {
+    try {
+        const params = new URLSearchParams({
+            client_id: clientId,
+            response_type: "code",
+            scope: "openid",
+            redirect_uri: redirectUri,
+            state: "preflight",
+        });
+        const resp = await fetch(`${baseUrl}/oauth2/auth?${params}`, {
+            redirect: "manual",
+        });
+        if (resp.status === 302) {
+            const location = resp.headers.get("location") ?? "";
+            if (location.includes("error=invalid_client") ||
+                location.includes("error=error")) {
+                return false;
+            }
+            return true;
+        }
+        // Non-redirect — Hydra might serve an error page directly
+        if (resp.status >= 400)
+            return false;
+        return true;
+    }
+    catch {
+        // Network error — cannot pre-validate; let the real flow proceed
+        return true;
+    }
+}
+/**
+ * Resolve a cached client or register a new one. When a cached client fails
+ * pre-flight validation (stale registration after server reset), the local
+ * client.json is deleted and a fresh registration is performed.
+ */
+async function resolveOrRegisterClient(baseUrl, redirectUri, scope, options) {
+    if (options?.clientId) {
+        const client = {
+            baseUrl,
+            clientId: options.clientId,
+            clientSecret: options.clientSecret ?? "",
+            redirectUri,
+            logoutRedirectUri: redirectUri.replace("/callback", "/successful-logout"),
+            scope,
+            lang: "zh-cn",
+            product: "adp",
+            xForwardedPrefix: "",
+        };
+        saveClientConfig(baseUrl, client);
+        return client;
+    }
+    let client = loadClientConfig(baseUrl);
+    if (client?.clientId) {
+        const valid = await isClientStillValid(baseUrl, client.clientId, redirectUri);
+        if (valid)
+            return client;
+        process.stderr.write("Cached OAuth2 client is no longer valid on the server. Re-registering…\n");
+        deleteClientConfig(baseUrl);
+        client = null;
+    }
+    const registered = await registerOAuth2Client(baseUrl, redirectUri, scope);
+    saveClientConfig(baseUrl, registered);
+    return registered;
+}
+/**
+ * Parse a redirect URI to extract host, port, and pathname.
+ * Returns null if the URI is not a valid HTTP(S) URL.
+ */
+function parseRedirectUri(uri) {
+    try {
+        const parsed = new URL(uri);
+        const host = parsed.hostname;
+        const port = parsed.port ? Number(parsed.port) : (parsed.protocol === "https:" ? 443 : 80);
+        const isLocalhost = host === "127.0.0.1" || host === "localhost" || host === "::1";
+        return { host, port, pathname: parsed.pathname, isLocalhost };
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Manual code flow for non-localhost redirect URIs.
+ * Prints the auth URL, then reads the full callback URL from stdin
+ * to extract the authorization code.
+ */
+async function waitForManualCode(authUrl, state) {
+    const { createInterface } = await import("node:readline");
+    process.stderr.write("\nSince the redirect URI is not localhost, you need to complete login manually.\n" +
+        "1. Open this URL in your browser:\n\n" +
+        `   ${authUrl}\n\n` +
+        "2. After login, the browser will redirect to your callback URL.\n" +
+        "3. Copy the full callback URL and paste it here:\n\n");
+    const rl = createInterface({ input: process.stdin, output: process.stderr });
+    const callbackUrl = await new Promise((resolve) => {
+        rl.question("Callback URL> ", (answer) => {
+            rl.close();
+            resolve(answer.trim());
+        });
+    });
+    const parsed = new URL(callbackUrl);
+    const receivedState = parsed.searchParams.get("state");
+    if (receivedState !== state) {
+        throw new Error("OAuth2 state mismatch — possible CSRF attack.");
+    }
+    const error = parsed.searchParams.get("error");
+    if (error) {
+        const desc = parsed.searchParams.get("error_description") ?? "";
+        throw new Error(desc ? `Authorization failed: ${error} — ${desc}` : `Authorization failed: ${error}`);
+    }
+    const code = parsed.searchParams.get("code");
+    if (!code) {
+        throw new Error("No authorization code found in the callback URL.");
+    }
+    return code;
+}
 /**
  * OAuth2 Authorization Code login flow.
  * 1. Register client (if not already registered), OR use a provided client ID
  * 2. Open browser to /oauth2/auth
- * 3. Receive authorization code via local HTTP callback
+ * 3. Receive authorization code via local HTTP callback (or manual paste for non-localhost)
  * 4. Exchange code for access_token + refresh_token
  * 5. Save token.json + client.json to ~/.kweaver/
  */
@@ -133,28 +276,23 @@ export async function oauth2Login(baseUrl, options) {
         const base = normalizeBaseUrl(baseUrl);
         const port = options?.port ?? DEFAULT_REDIRECT_PORT;
         const scope = options?.scope ?? DEFAULT_SCOPE;
-        const redirectUri = `http://127.0.0.1:${port}/callback`;
+        // Determine redirect URI: explicit option > port-based default
+        const redirectUri = options?.redirectUri ?? `http://127.0.0.1:${port}/callback`;
+        const parsedRedirect = parseRedirectUri(redirectUri);
+        const isLocalRedirect = parsedRedirect?.isLocalhost ?? true;
+        const listenPort = parsedRedirect?.port ?? port;
+        const callbackPathname = parsedRedirect?.pathname ?? "/callback";
         // Step 1: Determine client — use provided client ID or fall back to dynamic registration
-        let client = loadClientConfig(base);
-        if (options?.clientId) {
-            // Use the platform's existing client (e.g. the web app client).
-            // Persist it so future logins reuse it without re-registering.
-            client = {
-                baseUrl: base,
-                clientId: options.clientId,
-                clientSecret: options.clientSecret ?? "",
-                redirectUri,
-                logoutRedirectUri: redirectUri.replace("/callback", "/successful-logout"),
-                scope,
-                lang: "zh-cn",
-                product: "adp",
-                xForwardedPrefix: "",
-            };
-            saveClientConfig(base, client);
+        let client;
+        try {
+            client = await resolveOrRegisterClient(base, redirectUri, scope, options);
         }
-        else if (!client?.clientId) {
-            client = await registerOAuth2Client(base, redirectUri, scope);
-            saveClientConfig(base, client);
+        catch (e) {
+            if (e instanceof HttpError && e.status === 404) {
+                process.stderr.write("OAuth2 endpoint not found (404). Saving platform in no-auth mode.\n");
+                return saveNoAuthPlatform(base, { tlsInsecure: options?.tlsInsecure });
+            }
+            throw e;
         }
         // Use PKCE when no client secret is available (public client / platform client).
         const usePkce = !client.clientSecret;
@@ -177,71 +315,91 @@ export async function oauth2Login(baseUrl, options) {
             authParams.set("code_challenge_method", "S256");
         }
         const authUrl = `${base}/oauth2/auth?${authParams.toString()}`;
-        // Step 4: Start local callback server; exchange code inside handler, then show credentials HTML
-        const token = await new Promise((resolve, reject) => {
-            let server;
-            const timeoutId = setTimeout(() => {
-                server?.close();
-                reject(new Error("OAuth2 login timed out (120s). No authorization code received."));
-            }, 120_000);
-            server = createServer((req, res) => {
-                void (async () => {
-                    try {
-                        const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
-                        if (url.pathname !== "/callback") {
-                            res.writeHead(404);
-                            res.end();
-                            return;
-                        }
-                        const receivedState = url.searchParams.get("state");
-                        const receivedCode = url.searchParams.get("code");
-                        if (receivedState !== state) {
-                            res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
-                            res.end(buildCallbackExchangeErrorHtml("OAuth2 state mismatch — possible CSRF attack."));
+        let token;
+        if (isLocalRedirect) {
+            // Step 4a: Local callback — start HTTP server to receive the authorization code
+            token = await new Promise((resolve, reject) => {
+                let server;
+                const timeoutId = setTimeout(() => {
+                    server?.close();
+                    reject(new Error("OAuth2 login timed out (120s). No authorization code received."));
+                }, 120_000);
+                server = createServer((req, res) => {
+                    void (async () => {
+                        try {
+                            const url = new URL(req.url ?? "/", `http://127.0.0.1:${listenPort}`);
+                            if (url.pathname !== callbackPathname) {
+                                res.writeHead(404);
+                                res.end();
+                                return;
+                            }
+                            const receivedState = url.searchParams.get("state");
+                            const code = url.searchParams.get("code");
+                            const callbackError = url.searchParams.get("error");
+                            const callbackErrorDesc = url.searchParams.get("error_description");
+                            if (receivedState !== state) {
+                                res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+                                res.end(buildCallbackExchangeErrorHtml("OAuth2 state mismatch — possible CSRF attack."));
+                                clearTimeout(timeoutId);
+                                server.close();
+                                reject(new Error("OAuth2 state mismatch — possible CSRF attack."));
+                                return;
+                            }
+                            if (callbackError) {
+                                const msg = callbackErrorDesc
+                                    ? `Authorization failed: ${callbackError} — ${callbackErrorDesc}`
+                                    : `Authorization failed: ${callbackError}`;
+                                res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+                                res.end(buildCallbackExchangeErrorHtml(msg));
+                                clearTimeout(timeoutId);
+                                server.close();
+                                reject(new Error(msg));
+                                return;
+                            }
+                            if (!code) {
+                                res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+                                res.end(buildCallbackExchangeErrorHtml("No authorization code received in callback."));
+                                clearTimeout(timeoutId);
+                                server.close();
+                                reject(new Error("No authorization code received in callback."));
+                                return;
+                            }
+                            const exchanged = await exchangeCodeForToken(base, code, client.clientId, client.clientSecret, redirectUri, pkce?.verifier, options?.tlsInsecure);
+                            const copyCommand = buildCopyCommand(base, client.clientId, client.clientSecret, exchanged.refreshToken, options?.tlsInsecure);
+                            res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+                            res.end(buildCallbackHtml(copyCommand));
                             clearTimeout(timeoutId);
                             server.close();
-                            reject(new Error("OAuth2 state mismatch — possible CSRF attack."));
-                            return;
+                            resolve(exchanged);
                         }
-                        if (!receivedCode) {
-                            res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
-                            res.end(buildCallbackExchangeErrorHtml("No authorization code received in callback."));
+                        catch (err) {
+                            const message = err instanceof Error ? err.message : String(err);
+                            try {
+                                res.writeHead(500, { "Content-Type": "text/html; charset=utf-8" });
+                                res.end(buildCallbackExchangeErrorHtml(message));
+                            }
+                            catch {
+                                /* response may already be sent */
+                            }
                             clearTimeout(timeoutId);
                             server.close();
-                            reject(new Error("No authorization code received in callback."));
-                            return;
-                        }
-                        const exchanged = await exchangeCodeForToken(base, receivedCode, client.clientId, client.clientSecret, redirectUri, pkce?.verifier, options?.tlsInsecure);
-                        const copyCommand = buildCopyCommand(base, client.clientId, client.clientSecret, exchanged.refreshToken, options?.tlsInsecure);
-                        res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
-                        res.end(buildCallbackHtml(copyCommand));
-                        clearTimeout(timeoutId);
-                        server.close();
-                        resolve(exchanged);
-                    }
-                    catch (err) {
-                        const message = err instanceof Error ? err.message : String(err);
-                        try {
-                            res.writeHead(500, { "Content-Type": "text/html; charset=utf-8" });
-                            res.end(buildCallbackExchangeErrorHtml(message));
-                        }
-                        catch {
-                            /* response may already be sent */
+                            reject(err instanceof Error ? err : new Error(message));
                         }
-                        clearTimeout(timeoutId);
-                        server.close();
-                        reject(err instanceof Error ? err : new Error(message));
-                    }
-                })();
-            });
-            server.listen(port, "127.0.0.1", () => {
-                // Step 5: Open browser (uses spawn with proper Windows quoting)
-                import("../utils/browser.js").then(({ openBrowser }) => {
-                    openBrowser(authUrl);
+                    })();
+                });
+                server.listen(listenPort, "127.0.0.1", () => {
+                    import("../utils/browser.js").then(({ openBrowser }) => {
+                        openBrowser(authUrl);
+                    });
+                    process.stderr.write(`If the wrong browser opens, copy this URL to your correct browser:\n  ${authUrl}\n`);
                 });
-                process.stderr.write(`If the wrong browser opens, copy this URL to your correct browser:\n  ${authUrl}\n`);
             });
-        });
+        }
+        else {
+            // Step 4b: Non-localhost redirect — manual code entry flow
+            const code = await waitForManualCode(authUrl, state);
+            token = await exchangeCodeForToken(base, code, client.clientId, client.clientSecret, redirectUri, pkce?.verifier, options?.tlsInsecure);
+        }
         setCurrentPlatform(base);
         return token;
     });
@@ -329,6 +487,9 @@ async function exchangeCodeForToken(baseUrl, code, clientId, clientSecret, redir
         obtainedAt: now.toISOString(),
         ...(tlsInsecure ? { tlsInsecure: true } : {}),
     };
+    const displayName = await fetchDisplayName(baseUrl, data.access_token, tlsInsecure);
+    if (displayName)
+        token.displayName = displayName;
     saveTokenConfig(token);
     return token;
 }
@@ -359,13 +520,22 @@ export async function playwrightLogin(baseUrl, options) {
         const base = normalizeBaseUrl(baseUrl);
         const port = options?.port ?? DEFAULT_REDIRECT_PORT;
         const scope = options?.scope ?? DEFAULT_SCOPE;
-        const redirectUri = `http://127.0.0.1:${port}/callback`;
+        const redirectUri = options?.redirectUri ?? `http://127.0.0.1:${port}/callback`;
+        const parsedRedirect = parseRedirectUri(redirectUri);
+        const listenPort = parsedRedirect?.port ?? port;
+        const callbackPathname = parsedRedirect?.pathname ?? "/callback";
         const hasCredentials = !!(options?.username && options?.password);
-        // Step 1: Ensure registered OAuth2 client
-        let client = loadClientConfig(base);
-        if (!client?.clientId) {
-            client = await registerOAuth2Client(base, redirectUri, scope);
-            saveClientConfig(base, client);
+        // Step 1: Ensure registered OAuth2 client (with stale-client auto-recovery)
+        let client;
+        try {
+            client = await resolveOrRegisterClient(base, redirectUri, scope);
+        }
+        catch (e) {
+            if (e instanceof HttpError && e.status === 404) {
+                process.stderr.write("OAuth2 endpoint not found (404). Saving platform in no-auth mode.\n");
+                return saveNoAuthPlatform(base, { tlsInsecure: options?.tlsInsecure });
+            }
+            throw e;
         }
         // Step 2: Generate CSRF state
         const state = randomBytes(12).toString("hex");
@@ -394,14 +564,16 @@ export async function playwrightLogin(baseUrl, options) {
             server = createServer((req, res) => {
                 void (async () => {
                     try {
-                        const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
-                        if (url.pathname !== "/callback") {
+                        const url = new URL(req.url ?? "/", `http://127.0.0.1:${listenPort}`);
+                        if (url.pathname !== callbackPathname) {
                             res.writeHead(404);
                             res.end();
                             return;
                         }
                         const receivedState = url.searchParams.get("state");
                         const receivedCode = url.searchParams.get("code");
+                        const callbackError = url.searchParams.get("error");
+                        const callbackErrorDesc = url.searchParams.get("error_description");
                         if (receivedState !== state) {
                             res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
                             res.end(buildCallbackExchangeErrorHtml("OAuth2 state mismatch — possible CSRF attack."));
@@ -411,6 +583,18 @@ export async function playwrightLogin(baseUrl, options) {
                             reject(new Error("OAuth2 state mismatch — possible CSRF attack."));
                             return;
                         }
+                        if (callbackError) {
+                            const msg = callbackErrorDesc
+                                ? `Authorization failed: ${callbackError} — ${callbackErrorDesc}`
+                                : `Authorization failed: ${callbackError}`;
+                            res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+                            res.end(buildCallbackExchangeErrorHtml(msg));
+                            clearTimeout(timeoutId);
+                            server.close();
+                            browser?.close();
+                            reject(new Error(msg));
+                            return;
+                        }
                         if (!receivedCode) {
                             res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
                             res.end(buildCallbackExchangeErrorHtml("No authorization code received in callback."));
@@ -445,7 +629,7 @@ export async function playwrightLogin(baseUrl, options) {
                     }
                 })();
             });
-            server.listen(port, "127.0.0.1", async () => {
+            server.listen(listenPort, "127.0.0.1", async () => {
                 try {
                     browser = await chromium.launch({ headless: hasCredentials });
                     const context = await browser.newContext({ ignoreHTTPSErrors: !!options?.tlsInsecure });
@@ -513,6 +697,9 @@ export async function refreshTokenLogin(baseUrl, options) {
     return token;
 }
 function tokenNeedsRefresh(token) {
+    if (isNoAuth(token.accessToken)) {
+        return false;
+    }
     if (!token.expiresAt) {
         return false;
     }
@@ -529,6 +716,9 @@ function tokenNeedsRefresh(token) {
  */
 export async function refreshAccessToken(token) {
     const baseUrl = normalizeBaseUrl(token.baseUrl);
+    if (isNoAuth(token.accessToken)) {
+        throw new Error(`Cannot refresh no-auth session for ${baseUrl}.`);
+    }
     const refreshToken = token.refreshToken?.trim();
     if (!refreshToken) {
         throw new Error(`Token expired and no refresh_token available for ${baseUrl}. Run \`kweaver auth login ${baseUrl}\` again.`);
@@ -547,7 +737,7 @@ export async function refreshAccessToken(token) {
     });
     let response;
     try {
-        response = await runWithTlsInsecure(token.tlsInsecure, () => fetch(url, {
+        response = await runWithTlsInsecure(token.tlsInsecure, () => fetchWithRetry(url, {
             method: "POST",
             headers: {
                 Authorization: `Basic ${credentials}`,
@@ -577,6 +767,10 @@ export async function refreshAccessToken(token) {
     }
     const now = new Date();
     const expiresIn = typeof data.expires_in === "number" ? data.expires_in : 3600;
+    let displayName = token.displayName;
+    if (!displayName) {
+        displayName = (await fetchDisplayName(baseUrl, data.access_token, token.tlsInsecure)) ?? undefined;
+    }
     const newToken = {
         baseUrl,
         accessToken: data.access_token,
@@ -588,6 +782,7 @@ export async function refreshAccessToken(token) {
         idToken: data.id_token ?? token.idToken ?? "",
         obtainedAt: now.toISOString(),
         ...(token.tlsInsecure ? { tlsInsecure: true } : {}),
+        ...(displayName ? { displayName } : {}),
     };
     saveTokenConfig(newToken);
     return newToken;
@@ -609,19 +804,48 @@ export async function ensureValidToken(opts) {
         return {
             baseUrl: normalizeBaseUrl(envBaseUrl),
             accessToken: rawToken,
-            tokenType: "bearer",
+            tokenType: isNoAuth(rawToken) ? "none" : "bearer",
             scope: "",
             obtainedAt: new Date().toISOString(),
         };
     }
+    if (!opts?.forceRefresh && envToken && !envBaseUrl) {
+        const currentPlatformForEnv = getCurrentPlatform();
+        if (currentPlatformForEnv) {
+            const rawToken = envToken.replace(/^Bearer\s+/i, "");
+            return {
+                baseUrl: normalizeBaseUrl(currentPlatformForEnv),
+                accessToken: rawToken,
+                tokenType: isNoAuth(rawToken) ? "none" : "bearer",
+                scope: "",
+                obtainedAt: new Date().toISOString(),
+            };
+        }
+    }
     const currentPlatform = getCurrentPlatform();
     if (!currentPlatform) {
         throw new Error("No active platform selected. Run `kweaver auth login <platform-url>` first.");
     }
-    let token = loadTokenConfig(currentPlatform);
+    // KWEAVER_USER: load a specific user's token without switching active user
+    const envUser = process.env.KWEAVER_USER;
+    let token;
+    if (envUser) {
+        const userId = resolveUserId(currentPlatform, envUser);
+        if (!userId) {
+            throw new Error(`User '${envUser}' not found for ${currentPlatform}. ` +
+                "Run `kweaver auth users` to see available users.");
+        }
+        token = loadUserTokenConfig(currentPlatform, userId);
+    }
+    else {
+        token = loadTokenConfig(currentPlatform);
+    }
     if (!token) {
         throw new Error(`No saved token for ${currentPlatform}. Run \`kweaver auth login ${currentPlatform}\` first.`);
     }
+    if (isNoAuth(token.accessToken)) {
+        return token;
+    }
     if (opts?.forceRefresh) {
         return refreshAccessToken(token);
     }
@@ -652,10 +876,21 @@ export async function with401RefreshRetry(fn) {
                 throw error;
             }
             const platformUrl = normalizeBaseUrl(currentPlatform);
-            const latest = loadTokenConfig(platformUrl);
+            const envUser = process.env.KWEAVER_USER;
+            let latest;
+            if (envUser) {
+                const userId = resolveUserId(platformUrl, envUser);
+                latest = userId ? loadUserTokenConfig(platformUrl, userId) : null;
+            }
+            else {
+                latest = loadTokenConfig(platformUrl);
+            }
             if (!latest) {
                 throw error;
             }
+            if (isNoAuth(latest.accessToken)) {
+                throw error;
+            }
             try {
                 await refreshAccessToken(latest);
             }
@@ -680,8 +915,21 @@ export async function withTokenRetry(fn) {
     }
     catch (error) {
         if (error instanceof HttpError && error.status === 401) {
+            if (isNoAuth(token.accessToken)) {
+                throw error;
+            }
             const platformUrl = normalizeBaseUrl(token.baseUrl);
-            const latest = loadTokenConfig(platformUrl) ?? token;
+            const envUser = process.env.KWEAVER_USER;
+            let latest;
+            if (envUser) {
+                const userId = resolveUserId(platformUrl, envUser);
+                latest = userId ? loadUserTokenConfig(platformUrl, userId) : null;
+            }
+            else {
+                latest = loadTokenConfig(platformUrl);
+            }
+            if (!latest)
+                latest = token;
             try {
                 const refreshed = await refreshAccessToken(latest);
                 return await fn(refreshed);
@@ -719,6 +967,11 @@ function formatOAuthErrorBody(body) {
     }
     return lines.join("\n");
 }
+function isTlsVerificationDisabledForProcess() {
+    return (process.env.NODE_TLS_REJECT_UNAUTHORIZED === "0" ||
+        process.env.KWEAVER_TLS_INSECURE === "1" ||
+        process.env.KWEAVER_TLS_INSECURE === "true");
+}
 export function formatHttpError(error) {
     if (error instanceof HttpError) {
         const oauthMessage = formatOAuthErrorBody(error.body);
@@ -739,7 +992,10 @@ export function formatHttpError(error) {
     if (error instanceof Error) {
         const cause = "cause" in error && error.cause instanceof Error ? error.cause.message : "";
         if (cause && error.message === "fetch failed") {
-            return `${error.message}: ${cause}\nHint: use --insecure (-k) to skip TLS verification for self-signed certificates.`;
+            const hint = isTlsVerificationDisabledForProcess()
+                ? "Hint: TLS verification is already disabled for this process. Check network reachability, TLS termination, or proxy stability."
+                : "Hint: use --insecure (-k) to skip TLS verification for self-signed certificates.";
+            return `${error.message}: ${cause}\n${hint}`;
         }
         return error.message;
     }