@m-kopa/launchpad-cli 0.26.1 → 0.27.1

package/dist/cli.js

@@ -19,21 +19,33 @@ var __toESM = (mod, isNodeMode, target) => {
 var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 // src/version.ts
-var CLI_VERSION = "0.26.1";
+var CLI_VERSION = "0.27.1";
 
 // src/config.ts
 import * as os from "node:os";
 import * as path from "node:path";
 var DEFAULT_BOT_URL = "https://launchpad-portal-bot.mkopa-launchpad.workers.dev";
+var DEFAULT_AUTH_GATEWAY_URL = "https://auth.launchpad.m-kopa.us";
 function loadConfig(env = process.env) {
   const rawBotUrl = env.LAUNCHPAD_BOT_URL ?? DEFAULT_BOT_URL;
   const botUrl = rawBotUrl.replace(/\/+$/, "");
+  const rawGatewayUrl = env.LAUNCHPAD_AUTH_GATEWAY_URL ?? DEFAULT_AUTH_GATEWAY_URL;
+  const authGatewayUrl = rawGatewayUrl.replace(/\/+$/, "");
+  const authLegacy = env.LAUNCHPAD_AUTH_LEGACY === "1";
   const sessionPath = env.LAUNCHPAD_SESSION_PATH ?? path.join(os.homedir(), ".launchpad", "session.json");
   const cacheDir = env.LAUNCHPAD_CACHE_DIR ?? path.join(os.homedir(), ".launchpad", "cache");
   const stateDir = env.LAUNCHPAD_STATE_DIR ?? path.join(os.homedir(), ".launchpad", "state");
   const rawPlatformRepo = env.LAUNCHPAD_PLATFORM_REPO;
   const platformRepoPath = rawPlatformRepo !== undefined && rawPlatformRepo.length > 0 ? path.resolve(rawPlatformRepo) : null;
-  return { botUrl, sessionPath, cacheDir, stateDir, platformRepoPath };
+  return {
+    botUrl,
+    authGatewayUrl,
+    authLegacy,
+    sessionPath,
+    cacheDir,
+    stateDir,
+    platformRepoPath
+  };
 }
 
 // src/http/errors.ts
@@ -64,7 +76,7 @@ class TransportError extends Error {
 }
 
 // src/auth/flow.ts
-import { randomBytes as randomBytes3 } from "node:crypto";
+import { randomBytes as randomBytes4 } from "node:crypto";
 
 // src/auth/callback-server.ts
 import { createServer } from "node:http";
@@ -371,6 +383,10 @@ import * as fs from "node:fs/promises";
 import * as path2 from "node:path";
 import { randomBytes as randomBytes2 } from "node:crypto";
 var SESSION_VERSION = 1;
+var GATEWAY_SESSION_VERSION = 2;
+function isGatewaySession(s) {
+  return s.version === GATEWAY_SESSION_VERSION;
+}
 
 class SessionParseError extends Error {
   code = "session_parse_error";
@@ -394,8 +410,11 @@ async function readSession(sessionPath) {
     throw new SessionParseError(`session file at ${sessionPath} is not an object`);
   }
   const obj = parsed;
+  if (obj.version === GATEWAY_SESSION_VERSION) {
+    return parseGatewaySession(obj, sessionPath);
+  }
   if (obj.version !== SESSION_VERSION) {
-    throw new SessionParseError(`unsupported session version ${String(obj.version)} at ${sessionPath}; expected ${SESSION_VERSION}`);
+    throw new SessionParseError(`unsupported session version ${String(obj.version)} at ${sessionPath}; expected ${SESSION_VERSION} or ${GATEWAY_SESSION_VERSION}`);
   }
   for (const k of [
     "accessToken",
@@ -416,6 +435,20 @@ async function readSession(sessionPath) {
   }
   return obj;
 }
+function parseGatewaySession(obj, sessionPath) {
+  if (obj.kind !== "gateway") {
+    throw new SessionParseError(`session file at ${sessionPath}: version 2 with unknown kind ${String(obj.kind)}`);
+  }
+  for (const k of ["accessToken", "refreshToken", "gatewayUrl", "issuedAt"]) {
+    if (typeof obj[k] !== "string") {
+      throw new SessionParseError(`session file at ${sessionPath}: missing or non-string ${k}`);
+    }
+  }
+  if (typeof obj.accessTokenExpiresAt !== "number") {
+    throw new SessionParseError(`session file at ${sessionPath}: missing or non-number accessTokenExpiresAt`);
+  }
+  return obj;
+}
 async function writeSession(sessionPath, session) {
   const dir = path2.dirname(sessionPath);
   await fs.mkdir(dir, { recursive: true, mode: 448 });
@@ -453,6 +486,9 @@ function describe4(e) {
   return e instanceof Error ? e.message : String(e);
 }
 
+// src/auth/gateway-flow.ts
+import { randomBytes as randomBytes3 } from "node:crypto";
+
 // src/auth/browser.ts
 import { spawn } from "node:child_process";
 
@@ -487,16 +523,185 @@ function chooseOpener(platform, url) {
   }
 }
 
+// src/auth/gateway-flow.ts
+var CLI_SESSION_AUTH_PATH = "/__cli_session_auth";
+var CLI_SESSION_TOKEN_PATH = "/__cli_session_token";
+var CLI_LOGOUT_PATH = "/__cli_logout";
+
+class GatewayUnavailableError extends Error {
+  code = "gateway_unavailable";
+}
+
+class GatewayTokenError extends Error {
+  code = "gateway_token_error";
+  httpStatus;
+  constructor(message, httpStatus) {
+    super(message);
+    this.name = "GatewayTokenError";
+    if (httpStatus !== undefined)
+      this.httpStatus = httpStatus;
+  }
+}
+
+class GatewayRateLimitError extends Error {
+  code = "gateway_rate_limited";
+  retryAfterSec;
+  constructor(retryAfterSec) {
+    super(`gateway rate-limited the request — retry in ${retryAfterSec}s (your session is intact)`);
+    this.name = "GatewayRateLimitError";
+    this.retryAfterSec = retryAfterSec;
+  }
+}
+async function gatewayLogin(opts) {
+  const fetcher = opts.fetcher ?? fetch;
+  const opener = opts.browserOpener ?? ((url) => openBrowser(url));
+  await probeGateway(opts.gatewayUrl, fetcher);
+  const state = randomBytes3(16).toString("hex");
+  const server = await bindCallbackServer(state);
+  try {
+    const redirectUri = `http://127.0.0.1:${server.port}/callback`;
+    const pkce = generatePkcePair();
+    const u = new URL(`${opts.gatewayUrl}${CLI_SESSION_AUTH_PATH}`);
+    u.searchParams.set("cb", redirectUri);
+    u.searchParams.set("code_challenge", pkce.challenge);
+    u.searchParams.set("state", state);
+    const authUrl = u.toString();
+    opts.onAuthUrl?.(authUrl);
+    try {
+      await opener(authUrl);
+    } catch (e) {
+      opts.onAuthUrl?.(`(could not auto-open browser: ${describe5(e)} — copy the URL above into a browser instead)`);
+    }
+    const callback = await server.result;
+    const pair = await postSessionTokenForm(opts.gatewayUrl, new URLSearchParams({
+      grant_type: "authorization_code",
+      code: callback.code,
+      code_verifier: pkce.verifier
+    }), fetcher);
+    const session = {
+      version: GATEWAY_SESSION_VERSION,
+      kind: "gateway",
+      accessToken: pair.accessToken,
+      refreshToken: pair.refreshToken,
+      accessTokenExpiresAt: Date.now() + pair.expiresInSec * 1000,
+      gatewayUrl: opts.gatewayUrl,
+      issuedAt: new Date().toISOString()
+    };
+    await writeSession(opts.sessionPath, session);
+    return session;
+  } finally {
+    await server.close();
+  }
+}
+async function refreshGatewayTokens(params, fetcher = fetch) {
+  return postSessionTokenForm(params.gatewayUrl, new URLSearchParams({
+    grant_type: "refresh_token",
+    refresh_token: params.refreshToken
+  }), fetcher);
+}
+async function revokeGatewaySession(params, fetcher = fetch) {
+  const url = `${params.gatewayUrl}${CLI_LOGOUT_PATH}`;
+  let res;
+  try {
+    res = await fetcher(url, {
+      method: "POST",
+      headers: { "content-type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({ refresh_token: params.refreshToken }).toString()
+    });
+  } catch (e) {
+    throw new GatewayTokenError(`logout endpoint: network error: ${describe5(e)}`);
+  }
+  if (res.status === 429) {
+    throw new GatewayRateLimitError(readRetryAfter(res));
+  }
+  if (res.status !== 204 && !res.ok) {
+    const detail = await res.text().catch(() => "");
+    throw new GatewayTokenError(`logout endpoint returned HTTP ${res.status}: ${detail.slice(0, 200)}`, res.status);
+  }
+}
+async function probeGateway(gatewayUrl, fetcher) {
+  const url = `${gatewayUrl}${CLI_SESSION_AUTH_PATH}`;
+  let res;
+  try {
+    res = await fetcher(url, { method: "GET" });
+  } catch (e) {
+    throw new GatewayUnavailableError(`auth gateway unreachable at ${gatewayUrl}: ${describe5(e)}`);
+  }
+  if (res.status === 429) {
+    throw new GatewayRateLimitError(readRetryAfter(res));
+  }
+  if (res.status !== 400) {
+    throw new GatewayUnavailableError(`auth gateway at ${gatewayUrl} is not serving the cli-session grant (HTTP ${res.status} from ${CLI_SESSION_AUTH_PATH})`);
+  }
+}
+async function postSessionTokenForm(gatewayUrl, form, fetcher) {
+  const url = `${gatewayUrl}${CLI_SESSION_TOKEN_PATH}`;
+  let res;
+  try {
+    res = await fetcher(url, {
+      method: "POST",
+      headers: {
+        "content-type": "application/x-www-form-urlencoded",
+        accept: "application/json"
+      },
+      body: form.toString()
+    });
+  } catch (e) {
+    throw new GatewayTokenError(`session token endpoint: network error: ${describe5(e)}`);
+  }
+  if (res.status === 429) {
+    throw new GatewayRateLimitError(readRetryAfter(res));
+  }
+  if (!res.ok) {
+    const detail = await res.text().catch(() => "");
+    throw new GatewayTokenError(`session token endpoint returned HTTP ${res.status}: ${detail.slice(0, 200)}`, res.status);
+  }
+  let parsed;
+  try {
+    parsed = await res.json();
+  } catch (e) {
+    throw new GatewayTokenError(`session token endpoint: non-JSON response: ${describe5(e)}`);
+  }
+  if (parsed === null || typeof parsed !== "object") {
+    throw new GatewayTokenError(`session token endpoint: response is not an object`);
+  }
+  const obj = parsed;
+  if (typeof obj.access_token !== "string") {
+    throw new GatewayTokenError(`session token endpoint: response missing access_token`);
+  }
+  if (typeof obj.refresh_token !== "string") {
+    throw new GatewayTokenError(`session token endpoint: response missing refresh_token`);
+  }
+  const expiresIn = obj.expires_in;
+  if (typeof expiresIn !== "number" || !Number.isFinite(expiresIn) || expiresIn <= 0) {
+    throw new GatewayTokenError(`session token endpoint: response missing positive finite numeric expires_in (got ${String(expiresIn)})`);
+  }
+  return {
+    accessToken: obj.access_token,
+    refreshToken: obj.refresh_token,
+    expiresInSec: expiresIn
+  };
+}
+function readRetryAfter(res) {
+  const raw = res.headers.get("retry-after");
+  const n = raw === null ? NaN : Number.parseInt(raw, 10);
+  return Number.isFinite(n) && n > 0 ? n : 60;
+}
+function describe5(e) {
+  return e instanceof Error ? e.message : String(e);
+}
+
 // src/auth/flow.ts
 class LoginRequiredError extends Error {
   code = "login_required";
 }
 var REFRESH_SKEW_MS = 30000;
+var MAX_ABSORBED_RETRY_AFTER_SEC = 10;
 async function login(opts) {
   const fetcher = opts.fetcher ?? fetch;
   const opener = opts.browserOpener ?? ((url) => openBrowser(url));
   const endpoints = await discoverOauthEndpoints(opts.botUrl, fetcher);
-  const state = randomBytes3(16).toString("hex");
+  const state = randomBytes4(16).toString("hex");
   const server = await bindCallbackServer(state);
   try {
     const redirectUri = `http://127.0.0.1:${server.port}/callback`;
@@ -514,7 +719,7 @@ async function login(opts) {
     try {
       await opener(authUrl);
     } catch (e) {
-      opts.onAuthUrl?.(`(could not auto-open browser: ${describe5(e)} — copy the URL above into a browser instead)`);
+      opts.onAuthUrl?.(`(could not auto-open browser: ${describe6(e)} — copy the URL above into a browser instead)`);
     }
     const callback = await server.result;
     const tokens = await exchangeCodeForTokens({
@@ -541,7 +746,7 @@ async function login(opts) {
     await server.close();
   }
 }
-async function getValidAccessToken(sessionPath, fetcher = fetch, now = Date.now) {
+async function getValidAccessToken(sessionPath, fetcher = fetch, now = Date.now, sleep = (ms) => new Promise((r) => setTimeout(r, ms))) {
   const session = await readSession(sessionPath);
   if (session === null) {
     throw new LoginRequiredError("no session — run `launchpad login`");
@@ -549,6 +754,9 @@ async function getValidAccessToken(sessionPath, fetcher = fetch, now = Date.now)
   if (session.accessTokenExpiresAt - REFRESH_SKEW_MS > now()) {
     return { accessToken: session.accessToken, session };
   }
+  if (isGatewaySession(session)) {
+    return refreshGatewaySession(session, sessionPath, fetcher, now, sleep);
+  }
   if (session.resource === undefined) {
     throw new LoginRequiredError("session was written by a pre-0.7.1 CLI and is missing the resource indicator — run `launchpad login`");
   }
@@ -576,7 +784,39 @@ async function getValidAccessToken(sessionPath, fetcher = fetch, now = Date.now)
   await writeSession(sessionPath, refreshed);
   return { accessToken: refreshed.accessToken, session: refreshed };
 }
-function describe5(e) {
+async function refreshGatewaySession(session, sessionPath, fetcher, now, sleep) {
+  let pair;
+  try {
+    try {
+      pair = await refreshGatewayTokens({ gatewayUrl: session.gatewayUrl, refreshToken: session.refreshToken }, fetcher);
+    } catch (e) {
+      if (e instanceof GatewayRateLimitError && e.retryAfterSec <= MAX_ABSORBED_RETRY_AFTER_SEC) {
+        await sleep(e.retryAfterSec * 1000);
+        pair = await refreshGatewayTokens({ gatewayUrl: session.gatewayUrl, refreshToken: session.refreshToken }, fetcher);
+      } else {
+        throw e;
+      }
+    }
+  } catch (e) {
+    if (e instanceof GatewayTokenError && (e.httpStatus === 400 || e.httpStatus === 401)) {
+      await clearSession(sessionPath).catch(() => {
+        return;
+      });
+      throw new LoginRequiredError(`session revoked or expired — run \`launchpad login\` (gateway said: ${e.message})`);
+    }
+    throw e;
+  }
+  const refreshed = {
+    ...session,
+    accessToken: pair.accessToken,
+    refreshToken: pair.refreshToken,
+    accessTokenExpiresAt: now() + pair.expiresInSec * 1000,
+    issuedAt: new Date(now()).toISOString()
+  };
+  await writeSession(sessionPath, refreshed);
+  return { accessToken: refreshed.accessToken, session: refreshed };
+}
+function describe6(e) {
   return e instanceof Error ? e.message : String(e);
 }
 function buildAuthorizationUrl(params) {
@@ -598,7 +838,7 @@ async function apiJson(cfg, opts, fetcher = fetch) {
   try {
     parsed = await res.json();
   } catch (e) {
-    throw new TransportError(`bot returned non-JSON body for ${opts.path}: ${describe6(e)}`);
+    throw new TransportError(`bot returned non-JSON body for ${opts.path}: ${describe7(e)}`);
   }
   return parsed;
 }
@@ -640,7 +880,7 @@ async function apiRaw(cfg, opts, fetcher = fetch) {
   try {
     res = await fetcher(url, init);
   } catch (e) {
-    throw new TransportError(`network error calling ${url}: ${describe6(e)}`);
+    throw new TransportError(`network error calling ${url}: ${describe7(e)}`);
   }
   if (res.status === 401) {
     const detail = await peek(res);
@@ -671,7 +911,7 @@ async function peek(res) {
     return "";
   }
 }
-function describe6(e) {
+function describe7(e) {
   return e instanceof Error ? e.message : String(e);
 }
 
@@ -701,7 +941,7 @@ async function runApps(_args, io) {
       io.err(e.message);
       return 1;
     }
-    io.err(`launchpad apps failed: ${describe7(e)}`);
+    io.err(`launchpad apps failed: ${describe8(e)}`);
     return 1;
   }
 }
@@ -749,7 +989,7 @@ function formatRelative(iso) {
     return `${hr}h ago`;
   return `${Math.floor(hr / 24)}d ago`;
 }
-function describe7(e) {
+function describe8(e) {
   return e instanceof Error ? e.message : String(e);
 }
 
@@ -1046,7 +1286,7 @@ async function runClone(args, io) {
       io.err(`launchpad clone: ${e.message}`);
       return 1;
     }
-    io.err(`launchpad clone failed: ${describe8(e)}`);
+    io.err(`launchpad clone failed: ${describe9(e)}`);
     return 1;
   }
 }
@@ -1063,7 +1303,7 @@ function formatBytes(n) {
     return `${(n / 1024).toFixed(1)}KB`;
   return `${(n / (1024 * 1024)).toFixed(1)}MB`;
 }
-function describe8(e) {
+function describe9(e) {
   return e instanceof Error ? e.message : String(e);
 }
 
@@ -1129,7 +1369,7 @@ async function runCreate(args, io) {
       io.err(`launchpad create: ${e.message}`);
       return 1;
     }
-    io.err(`launchpad create failed: ${describe9(e)}`);
+    io.err(`launchpad create failed: ${describe10(e)}`);
     return 1;
   }
 }
@@ -1214,7 +1454,7 @@ function printUsage(io) {
   ].join(`
 `));
 }
-function describe9(e) {
+function describe10(e) {
   return e instanceof Error ? e.message : String(e);
 }
 
@@ -3882,7 +4122,7 @@ async function pollUntilApplied(args) {
         path: `/apps/${args.slug}/manifest/state`
       }, args.fetcher);
     } catch (e) {
-      args.io.err(`! state fetch failed (will retry): ${describe10(e)}`);
+      args.io.err(`! state fetch failed (will retry): ${describe11(e)}`);
       await sleep(args.pollIntervalSec * 1000);
       continue;
     }
@@ -3942,7 +4182,7 @@ function deletePinIfPresent(cfg, slug, io) {
     rmSync(pinPath, { force: true });
     io.out(`  (cleaned up obsolete pin file ${pinPath})`);
   } catch (e) {
-    io.err(`! warning: failed to delete obsolete pin file ${pinPath}: ${describe10(e)}`);
+    io.err(`! warning: failed to delete obsolete pin file ${pinPath}: ${describe11(e)}`);
   }
 }
 async function loadSlugForResume(opts, io) {
@@ -3966,7 +4206,7 @@ async function defaultPrompt(question) {
     rl.close();
   }
 }
-function describe10(e) {
+function describe11(e) {
   return e instanceof Error ? e.message : String(e);
 }
 function mapHttpError(e, slug, io) {
@@ -3990,7 +4230,7 @@ function mapHttpError(e, slug, io) {
     io.err(`launchpad deploy --apply: ${e.message}`);
     return 1;
   }
-  io.err(`launchpad deploy --apply failed: ${describe10(e)}`);
+  io.err(`launchpad deploy --apply failed: ${describe11(e)}`);
   return 2;
 }
 function renderManifestError(loaded, io) {
@@ -4032,7 +4272,7 @@ async function runDeployDryRun(opts, io, deps = {}) {
   try {
     manifestSha = (deps.gitHeadSha ?? defaultGitHeadSha)(process.cwd());
   } catch (e) {
-    const msg = `failed to resolve git HEAD in ${process.cwd()}: ${describe11(e)}`;
+    const msg = `failed to resolve git HEAD in ${process.cwd()}: ${describe12(e)}`;
     if (opts.json) {
       io.out(JSON.stringify({ ok: false, kind: "git-error", message: msg }));
     } else {
@@ -4081,7 +4321,7 @@ function defaultGitHeadSha(cwd) {
   });
   return out.trim();
 }
-function describe11(e) {
+function describe12(e) {
   return e instanceof Error ? e.message : String(e);
 }
 function mapHttpError2(e, slug, json, io) {
@@ -4570,7 +4810,7 @@ async function runDeploy(args, io) {
       io.err(`launchpad deploy: ${e.message}`);
       return 1;
     }
-    io.err(`launchpad deploy failed: ${describe12(e)}`);
+    io.err(`launchpad deploy failed: ${describe13(e)}`);
     return 1;
   }
 }
@@ -4642,7 +4882,7 @@ function formatBytes2(n) {
     return `${(n / 1024).toFixed(1)}KB`;
   return `${(n / (1024 * 1024)).toFixed(1)}MB`;
 }
-function describe12(e) {
+function describe13(e) {
   return e instanceof Error ? e.message : String(e);
 }
 function surfaceDeployExtras(body, io, slug) {
@@ -4678,7 +4918,7 @@ async function runModelADeploy(args) {
     }
     slug = metaSlug;
   } catch (e) {
-    io.err(`launchpad deploy: failed to read ${manifestPath}: ${describe12(e)}`);
+    io.err(`launchpad deploy: failed to read ${manifestPath}: ${describe13(e)}`);
     return 1;
   }
   if (!SLUG_RE4.test(slug)) {
@@ -4690,7 +4930,7 @@ async function runModelADeploy(args) {
   try {
     cfg = loadConfig();
   } catch (e) {
-    io.err(`launchpad deploy: ${describe12(e)}`);
+    io.err(`launchpad deploy: ${describe13(e)}`);
     return 1;
   }
   let result;
@@ -4702,7 +4942,7 @@ async function runModelADeploy(args) {
       io.err("       run `launchpad login` to refresh your session.");
       return 1;
     }
-    io.err(`launchpad deploy: unexpected error: ${describe12(e)}`);
+    io.err(`launchpad deploy: unexpected error: ${describe13(e)}`);
     return 1;
   }
   switch (result.kind) {
@@ -4777,9 +5017,12 @@ async function runModelADeploy(args) {
         io.out("");
         io.out(message);
         io.out("");
+        io.out(`Your bundle ships with this provisioning run — when lifecycle reaches "live",`);
+        io.out("this deploy's content is what's serving. No second deploy needed.");
+        io.out("");
         io.out("Next steps:");
         io.out(`  launchpad status ${slug}     # watch lifecycle (provisioning → live)`);
-        io.out(`  launchpad deploy             # re-run once lifecycle is "live"`);
+        io.out(`  launchpad deploy             # only if the app comes up live WITHOUT your content (rare)`);
         return 0;
       }
       if (typeof success.commit_sha !== "string" || typeof success.repo !== "string") {
@@ -4896,7 +5139,7 @@ async function runEnvvars(args, io) {
       io.err(`launchpad envvars: ${e.message}`);
       return 1;
     }
-    io.err(`launchpad envvars failed: ${describe13(e)}`);
+    io.err(`launchpad envvars failed: ${describe14(e)}`);
     return 1;
   }
 }
@@ -4993,7 +5236,7 @@ function renderList(envVars, io) {
     io.out(fmt(row));
   }
 }
-function describe13(e) {
+function describe14(e) {
   return e instanceof Error ? e.message : String(e);
 }
 
@@ -5325,7 +5568,7 @@ async function fetchGroups(cfg, opts = {}) {
     if (e instanceof UnauthenticatedError || e instanceof ForbiddenError) {
       throw e;
     }
-    return { kind: "error", message: describe14(e) };
+    return { kind: "error", message: describe15(e) };
   }
   if (typeof response !== "object" || response === null || !Array.isArray(response.groups) || !response.groups.every(isEntraGroup)) {
     return {
@@ -5375,7 +5618,7 @@ function writeCache(path9, envelope) {
     writeFileSync2(path9, JSON.stringify(envelope), "utf8");
   } catch {}
 }
-function describe14(e) {
+function describe15(e) {
   return e instanceof Error ? e.message : String(e);
 }
 var UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
@@ -5413,13 +5656,13 @@ function decodeJwtPayload(token) {
   try {
     json = Buffer.from(b64UrlToB64(payload), "base64").toString("utf8");
   } catch (e) {
-    throw new JwtParseError(`could not base64-decode JWT payload: ${describe15(e)}`);
+    throw new JwtParseError(`could not base64-decode JWT payload: ${describe16(e)}`);
   }
   let parsed;
   try {
     parsed = JSON.parse(json);
   } catch (e) {
-    throw new JwtParseError(`JWT payload is not JSON: ${describe15(e)}`);
+    throw new JwtParseError(`JWT payload is not JSON: ${describe16(e)}`);
   }
   if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
     throw new JwtParseError(`JWT payload is not an object`);
@@ -5430,7 +5673,7 @@ function b64UrlToB64(s) {
   const padded = s.padEnd(s.length + (4 - s.length % 4) % 4, "=");
   return padded.replace(/-/g, "+").replace(/_/g, "/");
 }
-function describe15(e) {
+function describe16(e) {
   return e instanceof Error ? e.message : String(e);
 }
 
@@ -5457,7 +5700,7 @@ async function runGroupsWhoami(args, io) {
   try {
     payload = decodeJwtPayload(session.accessToken);
   } catch (e) {
-    const message = e instanceof JwtParseError ? e.message : describe16(e);
+    const message = e instanceof JwtParseError ? e.message : describe17(e);
     if (json) {
       io.out(JSON.stringify({ ok: false, kind: "jwt-parse-error", message }));
     } else {
@@ -5538,7 +5781,7 @@ function parseFlags2(args) {
   }
   return { kind: "ok", json };
 }
-function describe16(e) {
+function describe17(e) {
   return e instanceof Error ? e.message : String(e);
 }
 
@@ -5641,7 +5884,7 @@ async function loadGroups(io, refresh, json) {
       }
       return { kind: "error", code: 3 };
     }
-    renderFetchError(io, describe17(e), json);
+    renderFetchError(io, describe18(e), json);
     return { kind: "error", code: 2 };
   }
 }
@@ -5836,7 +6079,7 @@ function renderTable2(io, groups) {
   for (const r of rows)
     io.out(fmt(r));
 }
-function describe17(e) {
+function describe18(e) {
   return e instanceof Error ? e.message : String(e);
 }
 
@@ -6472,56 +6715,111 @@ async function defaultPrompt2(question, fallback) {
 }
 
 // src/commands/login.ts
-var loginCommand = {
-  name: "login",
-  summary: "authenticate (browser-based PKCE) and store a session",
-  run: runLogin
-};
-async function runLogin(_args, io) {
+var REAL_DEPS = { gatewayLogin, legacyLogin: login };
+var loginCommand = makeLoginCommand();
+function makeLoginCommand(deps = REAL_DEPS) {
+  return {
+    name: "login",
+    summary: "authenticate (browser-based PKCE) and store a session",
+    run: (args, io) => runLogin(args, io, deps)
+  };
+}
+async function runLogin(_args, io, deps) {
   try {
     const cfg = loadConfig();
-    io.out("Opening browser to authenticate with Cloudflare Access…");
+    if (cfg.authLegacy) {
+      io.out("LAUNCHPAD_AUTH_LEGACY=1 — using the legacy Cloudflare Access flow (deprecated; this path will be removed when the dual-auth window closes).");
+      return await runLegacyLogin(io, cfg.botUrl, cfg.sessionPath, deps);
+    }
+    io.out("Opening browser to sign in via the Launchpad auth gateway…");
     io.out("(if it doesn't open automatically, copy the URL below)");
     io.out("");
-    const session = await login({
-      botUrl: cfg.botUrl,
-      sessionPath: cfg.sessionPath,
-      onAuthUrl: (url) => {
-        io.out(url);
-        io.out("");
-      }
-    });
-    const expiresIn = Math.max(0, Math.round((session.accessTokenExpiresAt - Date.now()) / 1000));
-    io.out(`Logged in. Session stored at ${cfg.sessionPath}`);
-    io.out(`Access token expires in ~${expiresIn}s; refreshes silently.`);
-    return 0;
+    try {
+      const session = await deps.gatewayLogin({
+        gatewayUrl: cfg.authGatewayUrl,
+        sessionPath: cfg.sessionPath,
+        onAuthUrl: (url) => {
+          io.out(url);
+          io.out("");
+        }
+      });
+      const expiresIn = Math.max(0, Math.round((session.accessTokenExpiresAt - Date.now()) / 1000));
+      io.out(`Logged in. Session stored at ${cfg.sessionPath}`);
+      io.out(`Access token expires in ~${expiresIn}s; refreshes silently.`);
+      return 0;
+    } catch (e) {
+      io.err(`Gateway login failed: ${describe19(e)}`);
+      io.err("Falling back to the legacy Cloudflare Access flow (DEPRECATED — this fallback will be removed when the dual-auth window closes).");
+      io.err("");
+      return await runLegacyLogin(io, cfg.botUrl, cfg.sessionPath, deps);
+    }
   } catch (e) {
-    io.err(`launchpad login failed: ${describe18(e)}`);
+    io.err(`launchpad login failed: ${describe19(e)}`);
     return 1;
   }
 }
-function describe18(e) {
+async function runLegacyLogin(io, botUrl, sessionPath, deps) {
+  io.out("Opening browser to authenticate with Cloudflare Access…");
+  io.out("(if it doesn't open automatically, copy the URL below)");
+  io.out("");
+  const session = await deps.legacyLogin({
+    botUrl,
+    sessionPath,
+    onAuthUrl: (url) => {
+      io.out(url);
+      io.out("");
+    }
+  });
+  const expiresIn = Math.max(0, Math.round((session.accessTokenExpiresAt - Date.now()) / 1000));
+  io.out(`Logged in. Session stored at ${sessionPath}`);
+  io.out(`Access token expires in ~${expiresIn}s; refreshes silently.`);
+  return 0;
+}
+function describe19(e) {
   return e instanceof Error ? e.message : String(e);
 }
 
 // src/commands/logout.ts
-var logoutCommand = {
-  name: "logout",
-  summary: "clear the persisted session",
-  run: runLogout
-};
-async function runLogout(_args, io) {
+var REAL_DEPS2 = { revoke: revokeGatewaySession };
+var logoutCommand = makeLogoutCommand();
+function makeLogoutCommand(deps = REAL_DEPS2) {
+  return {
+    name: "logout",
+    summary: "revoke the session server-side and clear it locally",
+    run: (args, io) => runLogout(args, io, deps)
+  };
+}
+async function runLogout(_args, io, deps) {
   try {
     const cfg = loadConfig();
+    let session = null;
+    try {
+      session = await readSession(cfg.sessionPath);
+    } catch (e) {
+      if (!(e instanceof SessionParseError))
+        throw e;
+      io.err(`warning: session file is corrupt (${e.message}) — clearing it without a server-side revoke.`);
+    }
+    if (session !== null && isGatewaySession(session)) {
+      try {
+        await deps.revoke({
+          gatewayUrl: session.gatewayUrl,
+          refreshToken: session.refreshToken
+        });
+        io.out("Server-side session revoked.");
+      } catch (e) {
+        io.err(`warning: could not revoke the session server-side (${describe20(e)}) — clearing the local session anyway. Any in-flight access token expires within 15 minutes.`);
+      }
+    }
     const had = await clearSession(cfg.sessionPath);
     io.out(had ? `Logged out. Session cleared at ${cfg.sessionPath}` : "Already logged out.");
     return 0;
   } catch (e) {
-    io.err(`launchpad logout failed: ${describe19(e)}`);
+    io.err(`launchpad logout failed: ${describe20(e)}`);
     return 1;
   }
 }
-function describe19(e) {
+function describe20(e) {
   return e instanceof Error ? e.message : String(e);
 }
 
@@ -6591,7 +6889,7 @@ async function runLogs(args, io) {
       io.err(`launchpad logs: ${e.message}`);
       return 1;
     }
-    io.err(`launchpad logs failed: ${describe20(e)}`);
+    io.err(`launchpad logs failed: ${describe21(e)}`);
     return 1;
   }
 }
@@ -6671,7 +6969,7 @@ function formatRelative2(iso) {
     return `${hr}h ago`;
   return `${Math.floor(hr / 24)}d ago`;
 }
-function describe20(e) {
+function describe21(e) {
   return e instanceof Error ? e.message : String(e);
 }
 
@@ -6720,7 +7018,7 @@ async function runMerge(args, io) {
       try {
         body = await res.json();
       } catch (e) {
-        io.err(`launchpad merge: bot returned 2xx with malformed body: ${describe21(e)}`);
+        io.err(`launchpad merge: bot returned 2xx with malformed body: ${describe22(e)}`);
         return 1;
       }
       io.out("");
@@ -6760,7 +7058,7 @@ async function runMerge(args, io) {
       io.err(`launchpad merge: ${e.message}`);
       return 1;
     }
-    io.err(`launchpad merge failed: ${describe21(e)}`);
+    io.err(`launchpad merge failed: ${describe22(e)}`);
     return 1;
   }
 }
@@ -6844,7 +7142,7 @@ function renderBotError(status, env, io, prNumber = null) {
       io.err(`launchpad merge: bot returned ${status} ${code}${detail !== undefined ? `: ${detail}` : ""}`);
   }
 }
-function describe21(e) {
+function describe22(e) {
   return e instanceof Error ? e.message : String(e);
 }
 
@@ -7096,7 +7394,7 @@ async function runDestroy(args, io, prompt, isTty) {
       io.err(`launchpad destroy: ${e.message}`);
       return 1;
     }
-    io.err(`launchpad destroy failed: ${describe22(e)}`);
+    io.err(`launchpad destroy failed: ${describe23(e)}`);
     return 1;
   }
 }
@@ -7297,7 +7595,7 @@ function printUsage3(io) {
   ].join(`
 `));
 }
-function describe22(e) {
+function describe23(e) {
   return e instanceof Error ? e.message : String(e);
 }
 
@@ -7441,7 +7739,7 @@ async function runPull(args, io) {
       io.err(`launchpad pull: ${e.message}`);
       return 1;
     }
-    io.err(`launchpad pull failed: ${describe23(e)}`);
+    io.err(`launchpad pull failed: ${describe24(e)}`);
     return 1;
   }
 }
@@ -7522,7 +7820,7 @@ function printUsage4(io) {
   ].join(`
 `));
 }
-function describe23(e) {
+function describe24(e) {
   return e instanceof Error ? e.message : String(e);
 }
 
@@ -7731,7 +8029,7 @@ function mapBotError(e, slug, io) {
     io.err(`launchpad status: ${e.message}`);
     return 2;
   }
-  io.err(`launchpad status failed: ${describe24(e)}`);
+  io.err(`launchpad status failed: ${describe25(e)}`);
   return 2;
 }
 async function runStatus(args, io) {
@@ -7757,7 +8055,7 @@ async function runStatus(args, io) {
     localYaml = readFileSync12(parsed.file, "utf8");
   } catch (e) {
     if (!isEnoent(e)) {
-      io.err(`launchpad status: cannot read local manifest at ${parsed.file}: ${describe24(e)}`);
+      io.err(`launchpad status: cannot read local manifest at ${parsed.file}: ${describe25(e)}`);
       return 2;
     }
   }
@@ -7768,7 +8066,7 @@ async function runStatus(args, io) {
       const { parse: parseYaml6 } = await import("yaml");
       localObj = parseYaml6(localYaml);
     } catch (e) {
-      io.err(`launchpad status: ${parsed.file} is not valid YAML: ${describe24(e)}`);
+      io.err(`launchpad status: ${parsed.file} is not valid YAML: ${describe25(e)}`);
       return 2;
     }
     const localParse = parseManifest(localObj);
@@ -7797,7 +8095,7 @@ async function runStatus(args, io) {
     if (e instanceof UnauthenticatedError || e instanceof ForbiddenError) {
       return mapBotError(e, parsed.slug, io);
     }
-    io.err(`launchpad status: live deployment state unavailable (${describe24(e)}) — ` + `the report below is from the platform manifest view only.`);
+    io.err(`launchpad status: live deployment state unavailable (${describe25(e)}) — ` + `the report below is from the platform manifest view only.`);
   }
   let standingExceptions = null;
   try {
@@ -7806,7 +8104,7 @@ async function runStatus(args, io) {
     if (e instanceof UnauthenticatedError || e instanceof ForbiddenError) {
       return mapBotError(e, parsed.slug, io);
     }
-    io.err(`launchpad status: standing-exception inventory unavailable (${describe24(e)}).`);
+    io.err(`launchpad status: standing-exception inventory unavailable (${describe25(e)}).`);
   }
   if (state.manifestYaml === null || state.manifestYaml === undefined) {
     const live = deployment?.liveDeployment ?? null;
@@ -7857,7 +8155,7 @@ async function runStatus(args, io) {
     const { parse: parseYaml6 } = await import("yaml");
     deployedObj = parseYaml6(state.manifestYaml);
   } catch (e) {
-    io.err(`launchpad status: deployed manifest at ${state.lastAppliedManifestSha} is not valid YAML: ${describe24(e)}`);
+    io.err(`launchpad status: deployed manifest at ${state.lastAppliedManifestSha} is not valid YAML: ${describe25(e)}`);
     return 2;
   }
   const deployedParse = parseManifest(deployedObj);
@@ -8196,7 +8494,7 @@ function printUsage6(io) {
   ].join(`
 `));
 }
-function describe24(e) {
+function describe25(e) {
   return e instanceof Error ? e.message : String(e);
 }
 function isEnoent(e) {
@@ -8274,7 +8572,7 @@ async function runReview(args, io) {
       io.err(`launchpad review: ${e.message}`);
       return 1;
     }
-    io.err(`launchpad review failed: ${describe25(e)}`);
+    io.err(`launchpad review failed: ${describe26(e)}`);
     return 1;
   }
 }
@@ -8352,7 +8650,7 @@ function severityRank(s) {
       return 3;
   }
 }
-function describe25(e) {
+function describe26(e) {
   return e instanceof Error ? e.message : String(e);
 }
 
@@ -8412,7 +8710,7 @@ async function runRollback(opts, io, deps = {}) {
       cwd: process.cwd()
     });
   } catch (e) {
-    io.err(`launchpad rollback: git rev-parse failed to start: ${describe26(e)}`);
+    io.err(`launchpad rollback: git rev-parse failed to start: ${describe27(e)}`);
     return 2;
   }
   if (revParse.exitCode !== 0) {
@@ -8427,7 +8725,7 @@ async function runRollback(opts, io, deps = {}) {
   try {
     show = await runner.run("git", ["show", `${verifiedSha}:${manifestRelpath}`], { cwd: process.cwd() });
   } catch (e) {
-    io.err(`launchpad rollback: git show failed to start: ${describe26(e)}`);
+    io.err(`launchpad rollback: git show failed to start: ${describe27(e)}`);
     return 2;
   }
   if (show.exitCode !== 0) {
@@ -8461,7 +8759,7 @@ async function runRollback(opts, io, deps = {}) {
   try {
     writeFileSync5(manifestPath, historicalYaml, "utf8");
   } catch (e) {
-    io.err(`launchpad rollback: failed to write ${manifestPath}: ${describe26(e)}`);
+    io.err(`launchpad rollback: failed to write ${manifestPath}: ${describe27(e)}`);
     return 2;
   }
   io.out(`Restored ${manifestPath} from ${verifiedSha.slice(0, 12)}.`);
@@ -8543,7 +8841,7 @@ async function defaultPrompt4(question) {
     rl.close();
   }
 }
-function describe26(e) {
+function describe27(e) {
   return e instanceof Error ? e.message : String(e);
 }
 function renderManifestError3(result, io) {
@@ -8706,7 +9004,7 @@ async function runSecretsPush(opts, io, deps = {}) {
   try {
     envText = readFileSync14(envPath, "utf8");
   } catch (e) {
-    io.err(`launchpad secrets push: failed to read ${envPath}: ${describe27(e)}`);
+    io.err(`launchpad secrets push: failed to read ${envPath}: ${describe28(e)}`);
     return 2;
   }
   const parsed = parseEnv(envText);
@@ -8837,10 +9135,10 @@ function mapPushError(e, slug, name, io) {
     io.err(`✗ secrets push ${name}: ${e.message}`);
     return 1;
   }
-  io.err(`✗ secrets push ${name} failed: ${describe27(e)}`);
+  io.err(`✗ secrets push ${name} failed: ${describe28(e)}`);
   return 2;
 }
-function describe27(e) {
+function describe28(e) {
   return e instanceof Error ? e.message : String(e);
 }
 function renderManifestError4(result, io) {
@@ -9584,7 +9882,7 @@ async function runSkills(args, io) {
         return 64;
     }
   } catch (e) {
-    io.err(`launchpad skills ${action}: ${describe28(e)}`);
+    io.err(`launchpad skills ${action}: ${describe29(e)}`);
     return 1;
   }
 }
@@ -9714,7 +10012,7 @@ async function isDir(path12) {
     return false;
   }
 }
-function describe28(e) {
+function describe29(e) {
   return e instanceof Error ? e.message : String(e);
 }
 
@@ -9728,7 +10026,7 @@ import { readFileSync as readFileSync16, mkdtempSync, writeFileSync as writeFile
 
 // src/commands/channel-auth.ts
 import { createServer as createServer2 } from "node:http";
-import { createHash as createHash2, randomBytes as randomBytes4 } from "node:crypto";
+import { createHash as createHash2, randomBytes as randomBytes5 } from "node:crypto";
 var CHANNEL_BASE = "https://get.launchpad.m-kopa.us";
 var CLI_AUTH_URL = `${CHANNEL_BASE}/__cli_auth`;
 var CLI_TOKEN_URL = `${CHANNEL_BASE}/__cli_token`;
@@ -9738,7 +10036,7 @@ function base64url(b) {
   return b.toString("base64url");
 }
 function pkcePair() {
-  const verifier = base64url(randomBytes4(32));
+  const verifier = base64url(randomBytes5(32));
   const challenge = base64url(createHash2("sha256").update(verifier).digest());
   return { verifier, challenge };
 }
@@ -9784,7 +10082,7 @@ async function startLoopback(state, timeoutMs) {
 async function runChannelLoopbackUpdate(deps) {
   const timeoutMs = deps.timeoutMs ?? DEFAULT_TIMEOUT_MS;
   const { verifier, challenge } = pkcePair();
-  const state = base64url(randomBytes4(16));
+  const state = base64url(randomBytes5(16));
   const loopback = await startLoopback(state, timeoutMs);
   if (!loopback)
     return { ok: false, reason: "no-browser", detail: "could not bind a loopback port" };
@@ -10235,7 +10533,7 @@ async function checkGroup(allowedGroup, cfg) {
     if (e instanceof ForbiddenError) {
       return { kind: "forbidden", message: e.message };
     }
-    return { kind: "network", message: describe29(e) };
+    return { kind: "network", message: describe30(e) };
   }
 }
 async function checkGroups(groups) {
@@ -10448,7 +10746,7 @@ function parseArgs12(args) {
   }
   return { kind: "ok", file, json, strictGroups };
 }
-function describe29(e) {
+function describe30(e) {
   return e instanceof Error ? e.message : String(e);
 }
 
@@ -10497,11 +10795,11 @@ async function runWhoami(_args, io) {
       io.err(e.message);
       return 1;
     }
-    io.err(`launchpad whoami failed: ${describe30(e)}`);
+    io.err(`launchpad whoami failed: ${describe31(e)}`);
     return 1;
   }
 }
-function describe30(e) {
+function describe31(e) {
   return e instanceof Error ? e.message : String(e);
 }