@openbkn/bkn-sdk 0.1.1-alpha.1 → 0.1.1-alpha.3

package/dist/{chunk-ADZ23DPF.js → chunk-APJNRHLS.js}

@@ -38,8 +38,12 @@ function toExitCode(err) {
 }
 function formatError(err) {
   if (err instanceof HttpError) {
-    if (err.status === 401 || err.status === 403) {
-      return `Not authorized (HTTP ${err.status}). Run \`openbkn auth login\` and retry.`;
+    const serverMsg = serverError(err.body);
+    if (err.status === 401) {
+      return `Not authorized (HTTP 401)${serverMsg ? `: ${serverMsg}` : ""}. Run \`openbkn auth login\` and retry.`;
+    }
+    if (err.status === 403) {
+      return `Forbidden (HTTP 403)${serverMsg ? `: ${serverMsg}` : " \u2014 admin privileges required"}.`;
     }
     const detail = err.body ? `: ${truncate(err.body, 500)}` : "";
     return `Request failed (HTTP ${err.status} ${err.statusText})${detail}`;
@@ -56,6 +60,16 @@ function formatError(err) {
   }
   return String(err);
 }
+function serverError(body) {
+  if (!body) return "";
+  try {
+    const j = JSON.parse(body);
+    const m = j.error ?? j.detail ?? j.description ?? j.message;
+    return typeof m === "string" ? m : "";
+  } catch {
+    return "";
+  }
+}
 function isTlsCertError(code) {
   return code === "DEPTH_ZERO_SELF_SIGNED_CERT" || code === "SELF_SIGNED_CERT_IN_CHAIN" || code === "UNABLE_TO_VERIFY_LEAF_SIGNATURE" || code === "CERT_HAS_EXPIRED" || code.includes("CERT");
 }
@@ -220,23 +234,228 @@ function resolveContext(opts = {}) {
   }
   const normalized = baseUrl.replace(/\/+$/, "");
   const stored = readToken(normalized);
-  const token = opts.token ?? process.env.BKN_TOKEN ?? stored?.accessToken;
-  if (!token) {
+  const explicit = opts.token ?? process.env.BKN_TOKEN;
+  const token = explicit ?? stored?.accessToken ?? "";
+  if (!token && !stored?.noAuth) {
     throw new InputError("No access token. Set BKN_TOKEN or run `openbkn auth login`.");
   }
+  const insecure = opts.insecure ?? stored?.tlsInsecure ?? false;
+  const refresh = !explicit && stored?.refreshToken ? {
+    refreshToken: stored.refreshToken,
+    persist: (t) => {
+      writeToken(normalized, {
+        ...stored,
+        accessToken: t.accessToken,
+        refreshToken: t.refreshToken ?? stored.refreshToken,
+        idToken: t.idToken ?? stored.idToken
+      });
+    }
+  } : void 0;
   return {
     baseUrl: normalized,
     token,
     businessDomain: opts.businessDomain ?? readPlatformConfig(normalized).businessDomain ?? DEFAULT_BUSINESS_DOMAIN,
-    insecure: opts.insecure ?? stored?.tlsInsecure ?? false
+    insecure,
+    ...refresh ? { refresh } : {}
   };
 }
 
+// src/auth/oauth.ts
+import { spawn } from "child_process";
+function normalizeBaseUrl(value) {
+  return value.replace(/\/+$/, "");
+}
+function mapToken(data) {
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    idToken: data.id_token
+  };
+}
+function openBrowser(url) {
+  const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
+  try {
+    spawn(cmd, [url], {
+      stdio: "ignore",
+      detached: true,
+      shell: process.platform === "win32"
+    }).unref();
+  } catch {
+  }
+}
+function mergeCookies(existing, res) {
+  const setCookies = typeof res.headers.getSetCookie === "function" ? res.headers.getSetCookie() : res.headers.get("set-cookie") ? [res.headers.get("set-cookie")] : [];
+  const map = /* @__PURE__ */ new Map();
+  const add = (pair) => {
+    const eq = pair.indexOf("=");
+    if (eq > 0) map.set(pair.slice(0, eq), pair.slice(eq + 1));
+  };
+  for (const p of existing.split(";").map((s) => s.trim()).filter(Boolean))
+    add(p);
+  for (const sc of setCookies) add(sc.split(";")[0]?.trim() ?? "");
+  return [...map.entries()].map(([k, v]) => `${k}=${v}`).join("; ");
+}
+async function fetchAuthStatus(baseUrl) {
+  try {
+    const res = await fetch(`${normalizeBaseUrl(baseUrl)}/install-status.json`, {
+      headers: { Accept: "application/json" }
+    });
+    if (!res.ok) return null;
+    const j = await res.json();
+    if (!j.auth) return null;
+    return { enabled: Boolean(j.auth.enabled), stack: j.auth.stack };
+  } catch {
+    return null;
+  }
+}
+async function refreshAccessToken(baseUrl, refreshToken, clientId = "openbkn-sdk") {
+  const base = normalizeBaseUrl(baseUrl);
+  const res = await fetch(`${base}/oauth2/token`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json"
+    },
+    body: new URLSearchParams({
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+      client_id: clientId
+    }).toString()
+  });
+  if (!res.ok) {
+    throw new Error(
+      `Token refresh failed (${res.status}): ${await res.text() || res.statusText}`
+    );
+  }
+  return mapToken(await res.json());
+}
+var DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code";
+var DEFAULT_DEVICE_CLIENT_ID = "openbkn-sdk";
+var DEVICE_SCOPE = "openid offline";
+var form = (body) => ({
+  method: "POST",
+  headers: {
+    "Content-Type": "application/x-www-form-urlencoded",
+    Accept: "application/json"
+  },
+  body: new URLSearchParams(body).toString()
+});
+async function requestDeviceCode(base, clientId, scope, audience) {
+  const params = { client_id: clientId, scope };
+  if (audience) params.audience = audience;
+  const res = await fetch(`${base}/oauth2/device/auth`, form(params));
+  if (!res.ok) {
+    throw new Error(`Device auth failed (${res.status}): ${await res.text() || res.statusText}`);
+  }
+  const da = await res.json();
+  if (!da.verification_uri) {
+    throw new Error(
+      "Device auth returned no verification_uri \u2014 is Hydra's device flow configured?"
+    );
+  }
+  return da;
+}
+async function pollDeviceToken(base, deviceCode, clientId, intervalMs, windowMs) {
+  let interval = intervalMs;
+  const deadline = Date.now() + windowMs;
+  while (Date.now() < deadline) {
+    await new Promise((r) => setTimeout(r, interval));
+    const tokRes = await fetch(
+      `${base}/oauth2/token`,
+      form({ grant_type: DEVICE_GRANT, device_code: deviceCode, client_id: clientId })
+    );
+    const data = await tokRes.json().catch(() => ({}));
+    if (tokRes.ok) return mapToken(data);
+    switch (data.error) {
+      case "authorization_pending":
+        break;
+      // keep polling
+      case "slow_down":
+        interval += 5e3;
+        break;
+      case "access_denied":
+        throw new InputError("Device authorization denied.");
+      case "expired_token":
+        throw new InputError("Device code expired \u2014 run login again.");
+      default:
+        throw new Error(`Device token poll failed: ${String(data.error ?? tokRes.status)}`);
+    }
+  }
+  throw new InputError("Device login timed out.");
+}
+async function deviceLogin(baseUrl, opts = {}) {
+  const base = normalizeBaseUrl(baseUrl);
+  const clientId = opts.clientId ?? DEFAULT_DEVICE_CLIENT_ID;
+  const da = await requestDeviceCode(base, clientId, opts.scope ?? DEVICE_SCOPE, opts.audience);
+  opts.onPrompt?.({
+    userCode: da.user_code,
+    verificationUri: onBaseHost(base, da.verification_uri),
+    verificationUriComplete: da.verification_uri_complete ? onBaseHost(base, da.verification_uri_complete) : void 0
+  });
+  const windowMs = Math.min(opts.timeoutMs ?? Number.POSITIVE_INFINITY, da.expires_in * 1e3);
+  return pollDeviceToken(base, da.device_code, clientId, (da.interval ?? 5) * 1e3, windowMs);
+}
+function onBaseHost(base, uri) {
+  try {
+    const u = new URL(uri);
+    const b = new URL(base);
+    return `${b.origin}${u.pathname}${u.search}`;
+  } catch {
+    return uri;
+  }
+}
+async function credentialDeviceLogin(baseUrl, username, password, opts = {}) {
+  const base = normalizeBaseUrl(baseUrl);
+  const clientId = opts.clientId ?? DEFAULT_DEVICE_CLIENT_ID;
+  const da = await requestDeviceCode(base, clientId, opts.scope ?? DEVICE_SCOPE, opts.audience);
+  let jar = "";
+  const hop = async (url, init) => {
+    const r = await fetch(url, {
+      method: init?.method ?? "GET",
+      headers: { Cookie: jar, Accept: "text/html,*/*;q=0.8", ...init?.headers ?? {} },
+      body: init?.body,
+      redirect: "manual"
+    });
+    jar = mergeCookies(jar, r);
+    return r;
+  };
+  const postForm = (path, body) => hop(`${base}${path}`, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams(body).toString()
+  });
+  const v = await hop(`${base}/oauth2/device/verify?user_code=${encodeURIComponent(da.user_code)}`);
+  let loc = v.headers.get("location");
+  for (let i = 0; i < 25 && loc; i++) {
+    const u = new URL(loc, base);
+    let r;
+    if (u.pathname.endsWith("/device")) {
+      const dc = u.searchParams.get("device_challenge");
+      if (!dc) throw new Error(`/device without device_challenge: ${loc}`);
+      r = await postForm("/device", { device_challenge: dc, user_code: da.user_code });
+    } else if (u.pathname.endsWith("/login")) {
+      const lc = u.searchParams.get("login_challenge");
+      if (!lc) throw new Error(`/login without login_challenge: ${loc}`);
+      r = await postForm("/login", { login_challenge: lc, account: username, password });
+      if (r.status === 401) throw new InputError("Sign-in failed: wrong account or password");
+    } else if (u.pathname.endsWith("/consent")) {
+      const cc = u.searchParams.get("consent_challenge");
+      if (!cc) throw new Error(`/consent without consent_challenge: ${loc}`);
+      r = await postForm("/consent", { consent_challenge: cc, decision: "allow" });
+    } else {
+      r = await hop(u.href);
+    }
+    loc = r.headers.get("location");
+  }
+  const windowMs = Math.min(opts.timeoutMs ?? Number.POSITIVE_INFINITY, da.expires_in * 1e3);
+  return pollDeviceToken(base, da.device_code, clientId, (da.interval ?? 5) * 1e3, windowMs);
+}
+
 // src/api/headers.ts
 function buildHeaders(ctx, extra) {
   return {
-    authorization: `Bearer ${ctx.token}`,
-    token: ctx.token,
+    // No token = a no-auth platform (no bkn-safe); send no Authorization.
+    ...ctx.token ? { authorization: `Bearer ${ctx.token}`, token: ctx.token } : {},
     "x-business-domain": ctx.businessDomain,
     ...extra
   };
@@ -260,16 +479,20 @@ async function request(ctx, path, init = {}) {
   const hasBody = init.body !== void 0;
   const controller = new AbortController();
   const timer = setTimeout(() => controller.abort(), init.timeoutMs ?? DEFAULT_TIMEOUT_MS);
+  const send = () => fetch(url, {
+    method: init.method ?? (hasBody ? "POST" : "GET"),
+    headers: buildHeaders(ctx, {
+      ...hasBody ? { "content-type": "application/json" } : {},
+      ...init.headers
+    }),
+    body: hasBody ? JSON.stringify(init.body) : void 0,
+    signal: controller.signal
+  });
   try {
-    const res = await fetch(url, {
-      method: init.method ?? (hasBody ? "POST" : "GET"),
-      headers: buildHeaders(ctx, {
-        ...hasBody ? { "content-type": "application/json" } : {},
-        ...init.headers
-      }),
-      body: hasBody ? JSON.stringify(init.body) : void 0,
-      signal: controller.signal
-    });
+    let res = await send();
+    if (res.status === 401 && ctx.refresh && await tryRefresh(ctx)) {
+      res = await send();
+    }
     const text = await res.text();
     if (!res.ok) throw new HttpError(res.status, res.statusText, text);
     return text ? JSON.parse(text) : void 0;
@@ -277,364 +500,244 @@ async function request(ctx, path, init = {}) {
     clearTimeout(timer);
   }
 }
-
-// src/api/eacp-crypto.ts
-import {
-  constants,
-  createPrivateKey,
-  createPublicKey,
-  publicEncrypt
-} from "crypto";
-var EACP_MODIFYPWD_PRIVATE_KEY_PEM = `-----BEGIN RSA PRIVATE KEY-----
-MIICXgIBAAKBgQDB2fhLla9rMx+6LWTXajnK11Kdp520s1Q+TfPfIXI/7G9+L2YC
-4RA3M5rgRi32s5+UFQ/CVqUFqMqVuzaZ4lw/uEdk1qHcP0g6LB3E9wkl2FclFR0M
-+/HrWmxPoON+0y/tFQxxfNgsUodFzbdh0XY1rIVUIbPLvufUBbLKXHDPpwIDAQAB
-AoGBALCM/H6ajXFs1nCR903aCVicUzoS9qckzI0SIhIOPCfMBp8+PAJTSJl9/ohU
-YnhVj/kmVXwBvboxyJAmOcxdRPWL7iTk5nA1oiVXMer3Wby+tRg/ls91xQbJLVv3
-oGSt7q0CXxJpRH2oYkVVlMMlZUwKz3ovHiLKAnhw+jEsdL2BAkEA9hA97yyeA2eq
-f9dMu/ici99R3WJRRtk4NEI4WShtWPyziDg48d3SOzYmhEJjPuOo3g1ze01os70P
-ApE7d0qcyQJBAMmt+FR8h5MwxPQPAzjh/fTuTttvUfBeMiUDrIycK1I/L96lH+fU
-i4Nu+7TPOzExnPeGO5UJbZxrpIEUB7Zs8O8CQQCLzTCTGiNwxc5eMgH77kVrRudp
-Q7nv6ex/7Hu9VDXEUFbkdyULbj9KuvppPJrMmWZROw04qgNp02mayM8jeLXZAkEA
-o+PM/pMn9TPXiWE9xBbaMhUKXgXLd2KEq1GeAbHS/oY8l1hmYhV1vjwNLbSNrH9d
-yEP73TQJL+jFiONHFTbYXwJAU03Xgum5mLIkX/02LpOrz2QCdfX1IMJk2iKi9osV
-KqfbvHsF0+GvFGg18/FXStG9Kr4TjqLsygQJT76/MnMluw==
------END RSA PRIVATE KEY-----`;
-var cachedKey;
-function publicKey() {
-  if (!cachedKey) cachedKey = createPublicKey(createPrivateKey(EACP_MODIFYPWD_PRIVATE_KEY_PEM));
-  return cachedKey;
-}
-function encryptModifyPwd(plain) {
-  const buf = publicEncrypt(
-    { key: publicKey(), padding: constants.RSA_PKCS1_PADDING },
-    Buffer.from(plain, "utf8")
-  );
-  return buf.toString("base64");
+async function tryRefresh(ctx) {
+  if (!ctx.refresh) return false;
+  try {
+    const t = await refreshAccessToken(ctx.baseUrl, ctx.refresh.refreshToken, ctx.refresh.clientId);
+    ctx.token = t.accessToken;
+    if (t.refreshToken) ctx.refresh.refreshToken = t.refreshToken;
+    ctx.refresh.persist(t);
+    return true;
+  } catch {
+    return false;
+  }
 }
 
-// src/api/admin.ts
-var UM = "/api/user-management/v1";
-var AUTHZ = "/api/authorization/v1";
-var ISFWEB = "/isfweb/api/ShareMgnt";
-async function callerUserId(ctx) {
-  const sub = decodeJwt(ctx.token)?.sub;
-  if (sub) return sub;
-  const info = await request(ctx, "/api/eacp/v1/user/get");
-  if (info?.userid) return info.userid;
-  throw new Error(
-    "Cannot resolve the caller user id (token has no JWT `sub` and eacp/v1/user/get returned no `userid`). Re-login."
+// src/api/safe.ts
+var ADMIN = "/api/safe/v1/admin";
+function notOnSafe(operation) {
+  throw new InputError(
+    `'${operation}' is not available on bkn-safe \u2014 its admin API has no such endpoint. See docs/exec-plans/admin-bkn-safe-migration.md.`
   );
 }
-async function shareMgnt(ctx, method, params = []) {
-  try {
-    return await request(ctx, `${ISFWEB}/${method}`, { method: "POST", body: params });
-  } catch (e) {
-    if (e instanceof HttpError) {
-      try {
-        const parsed = JSON.parse(e.body);
-        const err = parsed?.error;
-        if (err?.errMsg) {
-          const m = err.errID !== void 0 ? `${err.errMsg} (errID=${err.errID})` : err.errMsg;
-          throw new Error(`ShareMgnt.${method} failed: ${m}`);
-        }
-      } catch (inner) {
-        if (inner instanceof Error && inner.message.startsWith("ShareMgnt.")) throw inner;
-      }
-    }
-    throw e;
-  }
-}
-var DEPT_FIELDS = "name,code,remark,manager,enabled,parent_deps,email";
-var USER_FIELDS = "name,account,email,enabled,frozen,parent_deps,roles";
-function listDepartments(ctx, opts = {}) {
-  return request(ctx, `${UM}/console/search-departments/${DEPT_FIELDS}`, {
-    query: {
-      role: opts.role ?? "super_admin",
-      offset: opts.offset ?? 0,
-      limit: opts.limit ?? 100,
-      name: opts.name || void 0
-    }
+function listUsersSafe(ctx, opts = {}) {
+  return request(ctx, `${ADMIN}/users`, {
+    query: { search: opts.search || void 0, offset: opts.offset, limit: opts.limit }
   });
 }
-async function listAllDepartments(ctx, role = "super_admin", pageSize = 100) {
-  const out = [];
-  let offset = 0;
-  for (; ; ) {
-    const data = await listDepartments(ctx, { role, offset, limit: pageSize });
-    const entries = data.entries ?? [];
-    out.push(...entries);
-    if (entries.length < pageSize) break;
-    if (data.total_count !== void 0 && out.length >= data.total_count) break;
-    offset += pageSize;
-  }
-  return out;
+function getUserSafe(ctx, userId) {
+  return request(ctx, `${ADMIN}/users/${encodeURIComponent(userId)}`);
 }
-function listUsers(ctx, opts = {}) {
-  return request(ctx, `${UM}/console/search-users/${USER_FIELDS}`, {
-    query: {
-      role: opts.role ?? "super_admin",
-      offset: opts.offset ?? 0,
-      limit: opts.limit ?? 100,
-      department_id: opts.orgId || void 0,
-      name: opts.name || void 0
+function createUserSafe(ctx, input) {
+  return request(ctx, `${ADMIN}/users`, {
+    method: "POST",
+    body: {
+      account: input.account,
+      password: input.password,
+      ...input.name ? { name: input.name } : {},
+      ...input.email ? { email: input.email } : {},
+      ...input.accountType ? { account_type: input.accountType } : {},
+      ...input.id ? { id: input.id } : {}
     }
   });
 }
-function listRoles(ctx, opts = {}) {
-  return request(ctx, `${AUTHZ}/roles`, {
-    query: {
-      offset: opts.offset ?? 0,
-      limit: opts.limit ?? 100,
-      keyword: opts.keyword || void 0
+function updateUserSafe(ctx, userId, input) {
+  return request(ctx, `${ADMIN}/users/${encodeURIComponent(userId)}`, {
+    method: "PUT",
+    body: {
+      ...input.name !== void 0 ? { name: input.name } : {},
+      ...input.email !== void 0 ? { email: input.email } : {},
+      ...input.telephone !== void 0 ? { telephone: input.telephone } : {},
+      ...input.enabled !== void 0 ? { enabled: input.enabled } : {},
+      ...input.accountType !== void 0 ? { account_type: input.accountType } : {}
     }
   });
 }
-function getRole(ctx, roleId) {
-  return request(ctx, `${AUTHZ}/roles/${encodeURIComponent(roleId)}`);
+async function deleteUserSafe(ctx, userId) {
+  await request(ctx, `${ADMIN}/users/${encodeURIComponent(userId)}`, { method: "DELETE" });
+  return { ok: true };
 }
-function getUser(ctx, userId) {
-  return shareMgnt(ctx, "Usrm_GetUserInfo", [userId]);
+async function setUserPasswordSafe(ctx, userId, password) {
+  await request(ctx, `${ADMIN}/users/${encodeURIComponent(userId)}/password`, {
+    method: "PUT",
+    body: { password }
+  });
+  return { ok: true };
 }
-async function getUserRoles(ctx, userId) {
-  try {
-    return await request(ctx, `${AUTHZ}/accessor_roles`, {
-      query: { accessor_id: userId, accessor_type: "user" }
-    });
-  } catch (e) {
-    if (!(e instanceof HttpError) || e.status !== 404) throw e;
-    const rolesPage = await listRoles(ctx, { offset: 0, limit: 200 });
-    const roles = rolesPage.entries ?? [];
-    const matched = [];
-    await Promise.all(
-      roles.map(async (role) => {
-        const members = await listRoleMembers(ctx, role.id, { offset: 0, limit: 500 });
-        if ((members.entries ?? []).some((m) => m.id === userId && (!m.type || m.type === "user"))) {
-          matched.push(role);
-        }
-      })
-    );
-    return {
-      entries: matched,
-      total_count: matched.length,
-      route: "fallback:list-roles+role-members"
-    };
-  }
+function getUserRolesSafe(ctx, userId) {
+  return request(ctx, `${ADMIN}/role-bindings`, { query: { accessor_id: userId } });
 }
-async function getDepartment(ctx, deptId) {
-  try {
-    return await shareMgnt(ctx, "Usrm_GetOrgDepartmentById", [deptId]);
-  } catch (e) {
-    const msg = e instanceof Error ? e.message : String(e);
-    if (!/部门不存在|errID:?\s*20201|errID=?\s*99|NoneType.+subscriptable/i.test(msg)) throw e;
-    return shareMgnt(ctx, "Usrm_GetDepartmentById", [deptId]);
-  }
+async function assignRoleSafe(ctx, accessorId, roleId) {
+  await request(ctx, `${ADMIN}/role-bindings`, {
+    method: "POST",
+    body: { accessor_id: accessorId, role_id: roleId }
+  });
+  return { ok: true };
 }
-function getDepartmentMembers(ctx, deptId, opts = {}) {
-  return request(ctx, `${UM}/department-members/${encodeURIComponent(deptId)}/users`, {
-    query: { role: opts.role ?? "super_admin", offset: opts.offset ?? 0, limit: opts.limit ?? 100 }
+async function removeRoleSafe(ctx, accessorId, roleId) {
+  await request(ctx, `${ADMIN}/role-bindings`, {
+    method: "DELETE",
+    body: { accessor_id: accessorId, role_id: roleId }
   });
+  return { ok: true };
 }
-async function createDepartment(ctx, input) {
-  const ncTAddDepartParam = {
-    parentId: input.parentId ?? "-1",
-    departName: input.name,
-    managerID: input.managerID ?? null,
-    code: input.code ?? "",
-    remark: input.remark ?? "",
-    status: input.status ?? 1,
-    email: input.email ?? "",
-    ossId: ""
-  };
-  const id = await shareMgnt(ctx, "Usrm_AddDepartment", [{ ncTAddDepartParam }]);
-  return { id };
-}
-async function updateDepartment(ctx, deptId, input) {
-  const p = { departId: deptId };
-  if (input.name !== void 0) p.departName = input.name;
-  if (input.managerID !== void 0) p.managerID = input.managerID;
-  if (input.code !== void 0) p.code = input.code;
-  if (input.remark !== void 0) p.remark = input.remark;
-  if (input.status !== void 0) p.status = input.status;
-  if (input.email !== void 0) p.email = input.email;
-  await shareMgnt(ctx, "Usrm_EditDepartment", [{ ncTEditDepartParam: p }]);
-  return { id: deptId, updated: true };
-}
-async function deleteDepartment(ctx, deptId) {
-  await request(ctx, `${UM}/management/departments/${encodeURIComponent(deptId)}`, {
-    method: "DELETE"
+function listDepartmentsSafe(ctx, opts = {}) {
+  return request(ctx, `${ADMIN}/departments`, {
+    query: {
+      search: opts.search || void 0,
+      parent_id: opts.parentId,
+      offset: opts.offset,
+      limit: opts.limit
+    }
   });
-  return { id: deptId, deleted: true };
-}
-async function createUser(ctx, input) {
-  const ncTUsrmUserInfo = {
-    loginName: input.loginName,
-    displayName: input.displayName ?? input.loginName,
-    code: input.code ?? "",
-    position: input.position ?? "",
-    managerID: null,
-    managerDisplayName: null,
-    remark: input.remark ?? "",
-    email: input.email ?? "",
-    telNumber: input.telNumber ?? "",
-    idcardNumber: "",
-    departmentIds: input.departmentIds ?? ["-1"],
-    priority: input.priority ?? 999,
-    csfLevel2: null,
-    pwdControl: false,
-    expireTime: -1
-  };
-  if (input.csfLevel !== void 0) ncTUsrmUserInfo.csfLevel = input.csfLevel;
-  const id = await shareMgnt(ctx, "Usrm_AddUser", [
-    { ncTUsrmAddUserInfo: { user: { ncTUsrmUserInfo } } },
-    await callerUserId(ctx)
-  ]);
-  return { id };
-}
-async function updateUser(ctx, userId, input) {
-  const restBody = {};
-  if (input.displayName !== void 0) restBody.display_name = input.displayName;
-  if (input.code !== void 0) restBody.code = input.code;
-  if (input.position !== void 0) restBody.position = input.position;
-  if (input.remark !== void 0) restBody.remark = input.remark;
-  if (input.email !== void 0) restBody.email = input.email;
-  if (input.telNumber !== void 0) restBody.tel_number = input.telNumber;
-  if (input.managerID !== void 0) restBody.manager_id = input.managerID;
-  if (input.priority !== void 0) restBody.priority = input.priority;
-  if (input.csfLevel !== void 0) restBody.csf_level = input.csfLevel;
-  try {
-    const r = await request(ctx, `${UM}/management/users/${encodeURIComponent(userId)}`, {
-      method: "PATCH",
-      body: restBody
-    });
-    return r ?? { id: userId, updated: true, route: "rest" };
-  } catch (e) {
-    if (!(e instanceof HttpError) || e.status !== 404 && e.status !== 405) throw e;
-    const ncTEditUserParam = {
-      id: userId,
-      displayName: input.displayName ?? "",
-      code: input.code ?? "",
-      position: input.position ?? "",
-      managerID: input.managerID ?? "",
-      remark: input.remark ?? "",
-      idcardNumber: null,
-      priority: input.priority ?? 999,
-      csfLevel: input.csfLevel ?? 5,
-      csfLevel2: null,
-      email: input.email ?? "",
-      telNumber: input.telNumber ?? "",
-      expireTime: -1
-    };
-    await shareMgnt(ctx, "Usrm_EditUser", [{ ncTEditUserParam }, await callerUserId(ctx)]);
-    return { id: userId, updated: true, route: "shareMgnt" };
-  }
 }
-async function deleteUser(ctx, userId) {
-  try {
-    await request(ctx, `${UM}/users/${encodeURIComponent(userId)}`, { method: "DELETE" });
-  } catch (e) {
-    if (!(e instanceof HttpError) || e.status !== 404) throw e;
-    await shareMgnt(ctx, "Usrm_DelUser", [userId]);
-  }
-  return { id: userId, deleted: true };
+function getDepartmentSafe(ctx, deptId) {
+  return request(ctx, `${ADMIN}/departments/${encodeURIComponent(deptId)}`);
 }
-async function setUserPassword(ctx, userId, newPassword) {
-  await request(ctx, `${UM}/management/users/${encodeURIComponent(userId)}/password`, {
-    method: "PUT",
-    body: { password: encryptModifyPwd(newPassword) }
-  });
-  return { id: userId, passwordReset: true };
+function getDepartmentMembersSafe(ctx, deptId) {
+  return request(ctx, `${ADMIN}/departments/${encodeURIComponent(deptId)}/members`);
 }
-var EACP = "/api/eacp/v1";
-function listAuditLogs(ctx, opts = {}) {
-  return request(ctx, `${EACP}/auth1/login-log`, {
+function createDepartmentSafe(ctx, input) {
+  return request(ctx, `${ADMIN}/departments`, {
     method: "POST",
     body: {
-      page_num: opts.page ?? 1,
-      page_size: opts.size ?? 30,
-      user_name: opts.user || void 0,
-      start_time: opts.start || void 0,
-      end_time: opts.end || void 0
+      name: input.name,
+      ...input.parentId ? { parent_id: input.parentId } : {},
+      ...input.type ? { type: input.type } : {},
+      ...input.id ? { id: input.id } : {}
     }
   });
 }
-function changePassword(ctx, account, oldPassword, newPassword) {
-  return request(ctx, `${EACP}/auth1/modifypassword`, {
-    method: "POST",
+function updateDepartmentSafe(ctx, deptId, input) {
+  return request(ctx, `${ADMIN}/departments/${encodeURIComponent(deptId)}`, {
+    method: "PUT",
     body: {
-      account,
-      oldpwd: encryptModifyPwd(oldPassword),
-      newpwd: encryptModifyPwd(newPassword)
+      ...input.name !== void 0 ? { name: input.name } : {},
+      ...input.parentId !== void 0 ? { parent_id: input.parentId } : {},
+      ...input.type !== void 0 ? { type: input.type } : {}
     }
   });
 }
-function listRoleMembers(ctx, roleId, opts = {}) {
-  return request(ctx, `${AUTHZ}/role-members/${encodeURIComponent(roleId)}`, {
-    query: {
-      offset: opts.offset ?? 0,
-      limit: opts.limit ?? 100,
-      keyword: opts.keyword || void 0
+async function deleteDepartmentSafe(ctx, deptId) {
+  await request(ctx, `${ADMIN}/departments/${encodeURIComponent(deptId)}`, { method: "DELETE" });
+  return { ok: true };
+}
+async function buildDepartmentTree(ctx) {
+  const res = await listDepartmentsSafe(ctx, { limit: 1e3 });
+  const flat = Array.isArray(res) ? res : res.departments ?? [];
+  const byId = /* @__PURE__ */ new Map();
+  for (const d of flat) if (d.id) byId.set(d.id, { ...d, children: [] });
+  const roots = [];
+  for (const d of byId.values()) {
+    const parent = d.parent_id ? byId.get(d.parent_id) : void 0;
+    if (parent) parent.children?.push(d);
+    else roots.push(d);
+  }
+  return roots;
+}
+function listRolesSafe(ctx, source) {
+  return request(ctx, `${ADMIN}/roles`, { query: { source: source || void 0 } });
+}
+function getRoleSafe(ctx, roleId) {
+  return request(ctx, `${ADMIN}/roles/${encodeURIComponent(roleId)}`);
+}
+function roleMembersSafe(ctx, roleId) {
+  return request(ctx, `${ADMIN}/roles/${encodeURIComponent(roleId)}/members`);
+}
+function createRoleSafe(ctx, input) {
+  return request(ctx, `${ADMIN}/roles`, {
+    method: "POST",
+    body: {
+      name: input.name,
+      ...input.description ? { description: input.description } : {},
+      ...input.id ? { id: input.id } : {}
     }
   });
 }
-function modifyRoleMembers(ctx, roleId, method, members) {
-  return request(ctx, `${AUTHZ}/role-members/${encodeURIComponent(roleId)}`, {
-    method: "POST",
-    body: { method, members }
+function updateRoleSafe(ctx, roleId, input) {
+  return request(ctx, `${ADMIN}/roles/${encodeURIComponent(roleId)}`, {
+    method: "PUT",
+    body: {
+      ...input.name !== void 0 ? { name: input.name } : {},
+      ...input.description !== void 0 ? { description: input.description } : {}
+    }
   });
 }
-
-// src/utils/org-tree.ts
-function buildOrgTree(entries) {
-  const nodes = /* @__PURE__ */ new Map();
-  for (const e of entries) nodes.set(e.id, { id: e.id, name: e.name ?? e.id, children: [] });
-  const roots = [];
-  for (const e of entries) {
-    const node = nodes.get(e.id);
-    if (!node) continue;
-    const deps = e.parent_deps;
-    const parentId = deps && deps.length > 0 ? deps[deps.length - 1]?.id : void 0;
-    const parent = parentId ? nodes.get(parentId) : void 0;
-    if (parent) parent.children.push(node);
-    else roots.push(node);
-  }
-  return roots;
+async function deleteRoleSafe(ctx, roleId) {
+  await request(ctx, `${ADMIN}/roles/${encodeURIComponent(roleId)}`, { method: "DELETE" });
+  return { ok: true };
 }
-function renderOrgTree(nodes, prefix = "") {
-  const lines = [];
-  nodes.forEach((node, i) => {
-    const last = i === nodes.length - 1;
-    lines.push(`${prefix}${last ? "\u2514\u2500\u2500 " : "\u251C\u2500\u2500 "}${node.name} (id: ${node.id})`);
-    if (node.children.length) {
-      lines.push(renderOrgTree(node.children, `${prefix}${last ? "    " : "\u2502   "}`));
+async function setRolePermissionSafe(ctx, roleId, grant, perm) {
+  await request(ctx, `${ADMIN}/roles/${encodeURIComponent(roleId)}/permissions`, {
+    method: grant ? "POST" : "DELETE",
+    body: {
+      resource: { type: perm.resourceType, id: perm.resourceId },
+      operations: perm.operations
     }
   });
-  return lines.join("\n");
+  return { ok: true };
 }
 
 // src/resources/admin.ts
+var DEFAULT_NEW_USER_PASSWORD = "openbkn";
 function admin(ctx) {
   return {
-    orgList: (opts) => listDepartments(ctx, opts),
-    orgGet: (deptId) => getDepartment(ctx, deptId),
-    orgMembers: (deptId, opts) => getDepartmentMembers(ctx, deptId, opts),
-    orgTree: async (role) => buildOrgTree(await listAllDepartments(ctx, role)),
-    orgCreate: (input) => createDepartment(ctx, input),
-    orgUpdate: (deptId, input) => updateDepartment(ctx, deptId, input),
-    orgDelete: (deptId) => deleteDepartment(ctx, deptId),
-    userList: (opts) => listUsers(ctx, opts),
-    userGet: (userId) => getUser(ctx, userId),
-    userRoles: (userId) => getUserRoles(ctx, userId),
-    userCreate: (input) => createUser(ctx, input),
-    userUpdate: (userId, input) => updateUser(ctx, userId, input),
-    userDelete: (userId) => deleteUser(ctx, userId),
-    userResetPassword: (userId, newPassword) => setUserPassword(ctx, userId, newPassword),
-    roleList: (opts) => listRoles(ctx, opts),
-    roleGet: (roleId) => getRole(ctx, roleId),
-    roleMembers: (roleId, opts) => listRoleMembers(ctx, roleId, opts),
-    addRoleMember: (roleId, id, type = "user") => modifyRoleMembers(ctx, roleId, "POST", [{ id, type }]),
-    removeRoleMember: (roleId, id, type = "user") => modifyRoleMembers(ctx, roleId, "DELETE", [{ id, type }]),
-    auditList: (opts) => listAuditLogs(ctx, opts)
+    // ── departments ──
+    orgList: (opts) => listDepartmentsSafe(ctx, { search: opts?.name, offset: opts?.offset, limit: opts?.limit }),
+    orgGet: (deptId) => getDepartmentSafe(ctx, deptId),
+    orgTree: (_role) => buildDepartmentTree(ctx),
+    orgMembers: (deptId, _opts) => getDepartmentMembersSafe(ctx, deptId),
+    orgCreate: (input) => createDepartmentSafe(ctx, { name: input.name, parentId: input.parentId }),
+    orgUpdate: (deptId, input) => updateDepartmentSafe(ctx, deptId, { name: input.name }),
+    orgDelete: (deptId) => deleteDepartmentSafe(ctx, deptId),
+    // ── users ──
+    userList: (opts) => listUsersSafe(ctx, { search: opts?.name, offset: opts?.offset, limit: opts?.limit }),
+    userGet: (userId) => getUserSafe(ctx, userId),
+    userRoles: async (userId) => {
+      const [bound, all] = await Promise.all([getUserRolesSafe(ctx, userId), listRolesSafe(ctx)]);
+      const ids = bound.role_ids ?? [];
+      const nameById = new Map(
+        (all.roles ?? []).map((r) => [
+          r.id,
+          r.name
+        ])
+      );
+      return { roles: ids.map((id) => ({ name: nameById.get(id) ?? id, id })) };
+    },
+    userCreate: (input) => createUserSafe(ctx, {
+      account: input.loginName,
+      password: DEFAULT_NEW_USER_PASSWORD,
+      name: input.displayName,
+      email: input.email
+    }),
+    userUpdate: (userId, input) => updateUserSafe(ctx, userId, {
+      name: input.displayName,
+      email: input.email,
+      telephone: input.telNumber
+    }),
+    userDelete: (userId) => deleteUserSafe(ctx, userId),
+    userResetPassword: (userId, newPassword) => setUserPasswordSafe(ctx, userId, newPassword),
+    // ── roles ──
+    roleList: (_opts) => listRolesSafe(ctx),
+    roleGet: (roleId) => getRoleSafe(ctx, roleId),
+    roleMembers: async (roleId, _opts) => {
+      const [mem, users] = await Promise.all([
+        roleMembersSafe(ctx, roleId),
+        listUsersSafe(ctx, { limit: 500 })
+      ]);
+      const ids = mem.accessor_ids ?? [];
+      const nameById = new Map(
+        (users.users ?? []).map((u) => [u.id, u.account ?? u.name ?? u.id])
+      );
+      return { members: ids.map((id) => ({ account: nameById.get(id) ?? id, id })) };
+    },
+    addRoleMember: (roleId, id, _type = "user") => assignRoleSafe(ctx, id, roleId),
+    removeRoleMember: (roleId, id, _type = "user") => removeRoleSafe(ctx, id, roleId),
+    roleCreate: (name, description) => createRoleSafe(ctx, { name, description }),
+    roleUpdate: (roleId, input) => updateRoleSafe(ctx, roleId, input),
+    roleDelete: (roleId) => deleteRoleSafe(ctx, roleId),
+    rolePermission: (roleId, grant, resourceType, resourceId, operations) => setRolePermissionSafe(ctx, roleId, grant, { resourceType, resourceId, operations }),
+    auditList: (_opts) => notOnSafe("audit list")
   };
 }
 
@@ -2611,13 +2714,13 @@ async function uploadBkn(ctx, tarBuffer, opts = {}) {
   applyTls(ctx);
   const url = new URL(`${ctx.baseUrl}${BKNS}`);
   url.searchParams.set("branch", opts.branch ?? "main");
-  const form = new FormData();
-  form.append(
+  const form2 = new FormData();
+  form2.append(
     "file",
     new Blob([new Uint8Array(tarBuffer)], { type: "application/octet-stream" }),
     "bkn.tar"
   );
-  const res = await fetch(url, { method: "POST", headers: buildHeaders(ctx), body: form });
+  const res = await fetch(url, { method: "POST", headers: buildHeaders(ctx), body: form2 });
   const text = await res.text();
   if (!res.ok) throw new HttpError(res.status, res.statusText, text);
   return text ? JSON.parse(text) : void 0;
@@ -2973,9 +3076,9 @@ function extractTarToDirectory(tarBuffer, dirPath) {
 }
 
 // src/utils/csv-import.ts
-import { statSync as statSync2 } from "fs";
-import { glob, readFile } from "fs/promises";
-import { basename, resolve as resolve2 } from "path";
+import { readdirSync as readdirSync3, statSync as statSync2 } from "fs";
+import { readFile } from "fs/promises";
+import { basename, dirname, resolve as resolve2 } from "path";
 import { parse } from "csv-parse/sync";
 async function parseCsvFile(filePath) {
   let content = await readFile(filePath, "utf8");
@@ -3039,13 +3142,25 @@ function buildImportDag(opts) {
     ]
   };
 }
+function globOne(pattern) {
+  const dir = dirname(pattern);
+  const re = new RegExp(
+    `^${basename(pattern).replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".")}$`
+  );
+  let entries;
+  try {
+    entries = readdirSync3(resolve2(dir));
+  } catch {
+    return [];
+  }
+  return entries.filter((f) => re.test(f)).map((f) => resolve2(dir, f));
+}
 async function resolveFiles(pattern) {
   const out = [];
   for (const part of pattern.split(",").map((p) => p.trim()).filter(Boolean)) {
     if (part.includes("*") || part.includes("?")) {
-      for await (const entry of glob(part)) {
-        const p = String(entry);
-        if (/\.csv$/i.test(p)) out.push(resolve2(p));
+      for (const p of globOne(part)) {
+        if (/\.csv$/i.test(p)) out.push(p);
       }
     } else {
       statSync2(resolve2(part));
@@ -3628,21 +3743,21 @@ function resources(ctx) {
 
 // src/resources/skills.ts
 import { mkdirSync as mkdirSync4, writeFileSync as writeFileSync3 } from "fs";
-import { basename as basename2, dirname as dirname2, resolve as resolve5 } from "path";
+import { basename as basename2, dirname as dirname3, resolve as resolve5 } from "path";
 
 // src/api/skills.ts
 var BASE5 = "/api/agent-operator-integration/v1";
 async function registerSkillZip(ctx, bytes, opts = {}) {
   applyTls(ctx);
-  const form = new FormData();
-  form.set("file_type", "zip");
-  form.set("file", new Blob([bytes]), opts.filename ?? "skill.zip");
-  if (opts.source) form.set("source", opts.source);
-  if (opts.extendInfo) form.set("extend_info", JSON.stringify(opts.extendInfo));
+  const form2 = new FormData();
+  form2.set("file_type", "zip");
+  form2.set("file", new Blob([bytes]), opts.filename ?? "skill.zip");
+  if (opts.source) form2.set("source", opts.source);
+  if (opts.extendInfo) form2.set("extend_info", JSON.stringify(opts.extendInfo));
   const res = await fetch(`${ctx.baseUrl}${BASE5}/skills`, {
     method: "POST",
     headers: buildHeaders(ctx),
-    body: form
+    body: form2
   });
   const text = await res.text();
   if (!res.ok) throw new HttpError(res.status, res.statusText, text);
@@ -3650,13 +3765,13 @@ async function registerSkillZip(ctx, bytes, opts = {}) {
 }
 async function updateSkillPackageZip(ctx, skillId, bytes, filename = "skill.zip") {
   applyTls(ctx);
-  const form = new FormData();
-  form.set("file_type", "zip");
-  form.set("file", new Blob([bytes]), filename);
+  const form2 = new FormData();
+  form2.set("file_type", "zip");
+  form2.set("file", new Blob([bytes]), filename);
   const res = await fetch(`${ctx.baseUrl}${BASE5}/skills/${encodeURIComponent(skillId)}/package`, {
     method: "PUT",
     headers: buildHeaders(ctx),
-    body: form
+    body: form2
   });
   const text = await res.text();
   if (!res.ok) throw new HttpError(res.status, res.statusText, text);
@@ -3730,11 +3845,11 @@ function setSkillStatus(ctx, skillId, status2) {
 }
 
 // src/utils/skill-archive.ts
-import { existsSync as existsSync3, mkdirSync as mkdirSync3, readFileSync as readFileSync3, readdirSync as readdirSync3, statSync as statSync3, writeFileSync as writeFileSync2 } from "fs";
-import { dirname, join as join3, relative, resolve as resolve4, sep } from "path";
+import { existsSync as existsSync3, mkdirSync as mkdirSync3, readFileSync as readFileSync3, readdirSync as readdirSync4, statSync as statSync3, writeFileSync as writeFileSync2 } from "fs";
+import { dirname as dirname2, join as join3, relative, resolve as resolve4, sep } from "path";
 import JSZip from "jszip";
 function walk(dir, base, files) {
-  for (const entry of readdirSync3(dir)) {
+  for (const entry of readdirSync4(dir)) {
     const full = join3(dir, entry);
     const st = statSync3(full);
     if (st.isDirectory()) walk(full, base, files);
@@ -3762,7 +3877,7 @@ async function unzipToDirectory(bytes, dir) {
   for (const entry of entries) {
     if (entry.dir) continue;
     const out = join3(abs, entry.name);
-    mkdirSync3(dirname(out), { recursive: true });
+    mkdirSync3(dirname2(out), { recursive: true });
     writeFileSync2(out, await entry.async("nodebuffer"));
     written.push(out);
   }
@@ -3795,7 +3910,7 @@ function skills(ctx) {
     download: async (skillId, outPath) => {
       const bytes = await downloadSkill(ctx, skillId);
       const dest = resolve5(outPath ?? `${skillId}.zip`);
-      mkdirSync4(dirname2(dest), { recursive: true });
+      mkdirSync4(dirname3(dest), { recursive: true });
       writeFileSync3(dest, bytes);
       return { skillId, path: dest, bytes: bytes.length };
     },
@@ -3811,7 +3926,7 @@ function skills(ctx) {
 
 // src/resources/toolboxes.ts
 import { mkdirSync as mkdirSync5, writeFileSync as writeFileSync4 } from "fs";
-import { dirname as dirname3, resolve as resolve6 } from "path";
+import { dirname as dirname4, resolve as resolve6 } from "path";
 
 // src/api/toolboxes.ts
 import { readFile as readFile2 } from "fs/promises";
@@ -3831,12 +3946,12 @@ async function exportConfig(ctx, id, type = "toolbox") {
 async function importConfig(ctx, filePath, type = "toolbox") {
   applyTls(ctx);
   const buf = await readFile2(filePath);
-  const form = new FormData();
-  form.append("data", new Blob([new Uint8Array(buf)]), basename3(filePath));
+  const form2 = new FormData();
+  form2.append("data", new Blob([new Uint8Array(buf)]), basename3(filePath));
   const res = await fetch(`${ctx.baseUrl}${IMPEX}/import/${encodeURIComponent(type)}`, {
     method: "POST",
     headers: buildHeaders(ctx),
-    body: form
+    body: form2
   });
   const text = await res.text();
   if (!res.ok) throw new HttpError(res.status, res.statusText, text);
@@ -3845,13 +3960,13 @@ async function importConfig(ctx, filePath, type = "toolbox") {
 async function uploadTool(ctx, boxId, filePath, metadataType = "openapi") {
   applyTls(ctx);
   const buf = await readFile2(filePath);
-  const form = new FormData();
-  form.append("metadata_type", metadataType);
-  form.append("data", new Blob([new Uint8Array(buf)]), basename3(filePath));
+  const form2 = new FormData();
+  form2.append("metadata_type", metadataType);
+  form2.append("data", new Blob([new Uint8Array(buf)]), basename3(filePath));
   const res = await fetch(`${ctx.baseUrl}${PATH}/${encodeURIComponent(boxId)}/tool`, {
     method: "POST",
     headers: buildHeaders(ctx),
-    body: form
+    body: form2
   });
   const text = await res.text();
   if (!res.ok) throw new HttpError(res.status, res.statusText, text);
@@ -3937,7 +4052,7 @@ function toolboxes(ctx) {
     export: async (id, outPath, type) => {
       const bytes = await exportConfig(ctx, id, type);
       const dest = resolve6(outPath);
-      mkdirSync5(dirname3(dest), { recursive: true });
+      mkdirSync5(dirname4(dest), { recursive: true });
       writeFileSync4(dest, bytes);
       return { id, path: dest, bytes: bytes.length };
     },
@@ -4017,7 +4132,7 @@ async function getSpansByConversation(ctx, conversationId, opts = {}) {
 }
 
 // src/trace-ai/claude-judge.ts
-import { spawn, spawnSync as spawnSync2 } from "child_process";
+import { spawn as spawn2, spawnSync as spawnSync2 } from "child_process";
 var ClaudeJudgeError = class extends Error {
   constructor(message, reason) {
     super(message);
@@ -4063,7 +4178,7 @@ async function judgeJson(prompt, opts = {}) {
   const timeoutMs = opts.timeoutMs ?? 12e4;
   const args = ["-p", "--output-format=json", "--dangerously-skip-permissions"];
   const stdout = await new Promise((resolve7, reject) => {
-    const child = spawn(binary, args, { stdio: ["pipe", "pipe", "pipe"] });
+    const child = spawn2(binary, args, { stdio: ["pipe", "pipe", "pipe"] });
     let out = "";
     let timedOut = false;
     const killer = setTimeout(() => {
@@ -4864,6 +4979,7 @@ function createClient(opts = {}) {
 // src/resources/auth.ts
 var auth_exports = {};
 __export(auth_exports, {
+  attachNoAuth: () => attachNoAuth,
   attachToken: () => attachToken,
   currentToken: () => currentToken,
   deletePlatform: () => deletePlatform,
@@ -4901,12 +5017,19 @@ function attachToken(baseUrl, accessToken, opts = {}) {
     refreshToken: opts.refreshToken,
     idToken: opts.idToken,
     tlsInsecure: opts.insecure,
-    username: decodeJwt(opts.idToken ?? accessToken)?.preferred_username
+    // Prefer the account the user typed (-u); device tokens carry no username.
+    username: opts.username ?? decodeJwt(opts.idToken ?? accessToken)?.preferred_username
   };
   const userId = writeToken(url, token);
   setActivePlatform(url);
   return { baseUrl: url, userId, username: usernameOf(token) };
 }
+function attachNoAuth(baseUrl, opts = {}) {
+  const url = normalize(baseUrl);
+  writeToken(url, { baseUrl: url, accessToken: "", noAuth: true, tlsInsecure: opts.insecure });
+  setActivePlatform(url);
+  return { baseUrl: url, noAuth: true };
+}
 function status() {
   const baseUrl = activePlatform();
   if (!baseUrl) return { hasToken: false };
@@ -4961,14 +5084,16 @@ function logout() {
 function deletePlatform(baseUrl, userId) {
   return deleteToken(normalize(baseUrl), userId);
 }
-function switchUser(baseUrl, userId) {
+function switchUser(baseUrl, userOrName) {
   const url = normalize(baseUrl);
-  if (!readToken(url, userId)) {
-    throw new InputError(`No saved token for user '${userId}' on ${url}.`);
+  const users = usersOf(url);
+  const match = users.find((u) => u.userId === userOrName) ?? users.find((u) => (u.username ?? u.displayName) === userOrName);
+  if (!match) {
+    throw new InputError(`No saved user '${userOrName}' on ${url}. Try \`auth users ${url}\`.`);
   }
-  setActiveUser(url, userId);
+  setActiveUser(url, match.userId);
   setActivePlatform(url);
-  return { baseUrl: url, userId };
+  return { baseUrl: url, userId: match.userId, username: match.username ?? match.displayName };
 }
 function usersOf(baseUrl) {
   const url = normalize(baseUrl);
@@ -4996,14 +5121,18 @@ export {
   InputError,
   toExitCode,
   formatError,
+  decodeJwt,
   activePlatform,
   setActivePlatform,
   readPlatformConfig,
   writePlatformConfig,
   resolveContext,
+  openBrowser,
+  fetchAuthStatus,
+  deviceLogin,
+  credentialDeviceLogin,
   request,
-  changePassword,
-  renderOrgTree,
+  getUserSafe,
   admin,
   agents,
   context,
@@ -5020,6 +5149,7 @@ export {
   vega,
   createClient,
   attachToken,
+  attachNoAuth,
   status,
   currentToken,
   whoami,
@@ -5028,8 +5158,7 @@ export {
   logout,
   deletePlatform,
   switchUser,
-  usersOf,
   exportCreds,
   auth_exports
 };
-//# sourceMappingURL=chunk-ADZ23DPF.js.map
+//# sourceMappingURL=chunk-APJNRHLS.js.map