archal 0.9.7 → 0.9.9

package/dist/vitest/chunk-YJICENME.js

@@ -0,0 +1,1230 @@
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+var __commonJS = (cb, mod) => function __require2() {
+  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+// ../node-auth/src/constants.ts
+var CREDENTIALS_FILE = "credentials.json";
+var CREDENTIALS_KEY_FILE = "credentials.key";
+var AUTH_TOKEN_ENV_VAR = "ARCHAL_TOKEN";
+var TOKEN_ENCRYPTION_PREFIX = "enc-v1";
+var CREDENTIALS_MASTER_KEY_ENV_VAR = "ARCHAL_CREDENTIALS_MASTER_KEY";
+var KEYCHAIN_SERVICE = "archal-cli";
+var KEYCHAIN_ACCOUNT = "credentials-master-key";
+var HOSTED_DEFAULT_AUTH_BASE_URL = "https://www.archal.ai";
+var HOSTED_DEFAULT_API_BASE_URL = "https://api.archal.ai";
+var HOSTED_DEFAULT_RUNTIME_BASE_URL = "https://api.archal.ai";
+var STRICT_ENDPOINTS_ENV_VAR = "ARCHAL_STRICT_ENDPOINTS";
+var REQUEST_TIMEOUT_MS = 8e3;
+var ENV_TOKEN_FALLBACK_TTL_SECONDS = 24 * 60 * 60;
+var AUTH_RETRY_OPTIONS = {
+  maxRetries: 2,
+  timeoutMs: REQUEST_TIMEOUT_MS,
+  retryableStatusCodes: /* @__PURE__ */ new Set([429, 502, 503, 504]),
+  backoffMs: [500, 1500],
+  label: "auth"
+};
+
+// ../node-auth/src/types.ts
+function isPlan(value) {
+  return value === "free" || value === "pro" || value === "enterprise";
+}
+
+// ../node-auth/src/errors.ts
+var ExpiredEnvTokenError = class extends Error {
+  constructor(envVar = AUTH_TOKEN_ENV_VAR) {
+    super(`${envVar} is expired. Remove it or replace it with a valid token.`);
+    this.name = "ExpiredEnvTokenError";
+    Object.setPrototypeOf(this, new.target.prototype);
+  }
+};
+function errorMessage(error) {
+  return error instanceof Error ? error.message : String(error);
+}
+
+// ../node-auth/src/credential-store.ts
+import { spawnSync } from "child_process";
+import { createCipheriv, createDecipheriv, createHash, randomBytes } from "crypto";
+import { chmodSync, existsSync, mkdirSync, readFileSync, renameSync, unlinkSync, writeFileSync } from "fs";
+import { homedir, tmpdir } from "os";
+import { dirname, join } from "path";
+var KEYCHAIN_COMMAND_TIMEOUT_MS = 1500;
+var ARCHAL_DIR_NAME = ".archal";
+var TEST_SANDBOX_ID_ENV_VAR = "ARCHAL_TEST_SANDBOX_ID";
+function debug(message) {
+  if (process.env["ARCHAL_DEBUG"] !== "1") {
+    return;
+  }
+  process.stderr.write(`[archal-node-auth] ${message}
+`);
+}
+function getWarn(options) {
+  return options?.warn ?? console.warn;
+}
+function isExpired(expiresAt) {
+  return expiresAt <= Math.floor(Date.now() / 1e3);
+}
+function isRunningUnderTests() {
+  return process.env["VITEST"] === "true" || process.env["VITEST_WORKER_ID"] !== void 0 || process.env["JEST_WORKER_ID"] !== void 0 || process.env["NODE_TEST_CONTEXT"] !== void 0;
+}
+function getRealArchalDir() {
+  return join(homedir(), ARCHAL_DIR_NAME);
+}
+function normalizeSandboxId(raw) {
+  const trimmed = raw.trim();
+  if (/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/.test(trimmed)) {
+    return trimmed;
+  }
+  return createHash("sha256").update(trimmed).digest("hex").slice(0, 16);
+}
+function getTestSandboxDir() {
+  const sharedSandboxId = process.env[TEST_SANDBOX_ID_ENV_VAR]?.trim();
+  if (sharedSandboxId) {
+    return join(tmpdir(), `archal-test-sandbox-${normalizeSandboxId(sharedSandboxId)}`);
+  }
+  const workerId = process.env["VITEST_WORKER_ID"] ?? process.env["JEST_WORKER_ID"] ?? String(process.pid);
+  return join(tmpdir(), `archal-test-sandbox-${workerId}-${process.pid}`);
+}
+var seededSandboxes = /* @__PURE__ */ new Set();
+function seedSandboxFromRealHomeOnce(sandboxDir) {
+  try {
+    if (seededSandboxes.has(sandboxDir)) {
+      const credsIntact = existsSync(join(sandboxDir, CREDENTIALS_FILE));
+      if (credsIntact) return;
+      seededSandboxes.delete(sandboxDir);
+    }
+    const realDir = getRealArchalDir();
+    if (!existsSync(realDir)) {
+      seededSandboxes.add(sandboxDir);
+      return;
+    }
+    if (!existsSync(sandboxDir)) {
+      mkdirSync(sandboxDir, { recursive: true, mode: 448 });
+    }
+    for (const filename of [CREDENTIALS_FILE, CREDENTIALS_KEY_FILE]) {
+      const realPath = join(realDir, filename);
+      const sandboxPath = join(sandboxDir, filename);
+      if (!existsSync(realPath) || existsSync(sandboxPath)) continue;
+      const contents = readFileSync(realPath);
+      writeFileSync(sandboxPath, contents, { mode: 384 });
+      try {
+        chmodSync(sandboxPath, 384);
+      } catch {
+      }
+    }
+    seededSandboxes.add(sandboxDir);
+  } catch (err) {
+    debug(`Sandbox seed skipped: ${errorMessage(err)}`);
+  }
+}
+function getArchalDir() {
+  const explicit = process.env["ARCHAL_HOME"];
+  if (explicit) {
+    return explicit;
+  }
+  if (isRunningUnderTests()) {
+    const sandbox = getTestSandboxDir();
+    seedSandboxFromRealHomeOnce(sandbox);
+    return sandbox;
+  }
+  return getRealArchalDir();
+}
+function ensureArchalDir() {
+  const dir = getArchalDir();
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true });
+    debug(`Created archal directory at ${dir}`);
+  }
+  return dir;
+}
+function getCredentialsPath() {
+  return join(ensureArchalDir(), CREDENTIALS_FILE);
+}
+function ensureDir(dir) {
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true });
+    debug(`Created archal directory at ${dir}`);
+  }
+  return dir;
+}
+function getCredentialsPathForDir(dir) {
+  return join(dir, CREDENTIALS_FILE);
+}
+function getCredentialsKeyPathForDir(dir) {
+  return join(dir, CREDENTIALS_KEY_FILE);
+}
+function readCredentialsKeyFromEnv() {
+  const raw = process.env[CREDENTIALS_MASTER_KEY_ENV_VAR]?.trim();
+  if (!raw) {
+    return null;
+  }
+  if (/^[a-fA-F0-9]{64}$/.test(raw)) {
+    return Buffer.from(raw, "hex");
+  }
+  try {
+    const decoded = Buffer.from(raw, "base64");
+    if (decoded.length === 32) {
+      return decoded;
+    }
+  } catch (err) {
+    debug(`Base64 master key decode failed: ${errorMessage(err)}`);
+  }
+  return createHash("sha256").update(raw, "utf8").digest();
+}
+function readCredentialsKeyFromMacKeychain() {
+  if (process.platform !== "darwin") return null;
+  try {
+    const result = spawnSync(
+      "security",
+      ["find-generic-password", "-s", KEYCHAIN_SERVICE, "-a", KEYCHAIN_ACCOUNT, "-w"],
+      { encoding: "utf-8", timeout: KEYCHAIN_COMMAND_TIMEOUT_MS }
+    );
+    if (!result || result.error || result.status !== 0 || typeof result.stdout !== "string" || result.stdout.length === 0) {
+      if (result?.error) {
+        debug(`Keychain lookup failed: ${result.error.message}`);
+      }
+      return null;
+    }
+    const raw = result.stdout.trim();
+    if (!/^[a-fA-F0-9]{64}$/.test(raw)) {
+      return null;
+    }
+    return Buffer.from(raw, "hex");
+  } catch (err) {
+    debug(`Keychain lookup threw: ${errorMessage(err)}`);
+    return null;
+  }
+}
+function readCredentialsKeyFromFile(dir = getArchalDir()) {
+  const keyPath = getCredentialsKeyPathForDir(dir);
+  if (!existsSync(keyPath)) {
+    return null;
+  }
+  try {
+    const raw = readFileSync(keyPath, "utf-8").trim();
+    const key = Buffer.from(raw, "hex");
+    if (key.length === 32) {
+      return key;
+    }
+  } catch (err) {
+    debug(`Failed to read credentials key file: ${errorMessage(err)}`);
+  }
+  return null;
+}
+function collectCredentialKeysForDecrypt(dir = getArchalDir()) {
+  const keys = [];
+  for (const candidate of [
+    readCredentialsKeyFromEnv(),
+    readCredentialsKeyFromMacKeychain(),
+    readCredentialsKeyFromFile(dir)
+  ]) {
+    if (!candidate) continue;
+    if (!keys.some((entry) => entry.equals(candidate))) {
+      keys.push(candidate);
+    }
+  }
+  return keys;
+}
+function writeCredentialsKeyToMacKeychain(key) {
+  if (process.platform !== "darwin") return false;
+  try {
+    const result = spawnSync(
+      "security",
+      [
+        "add-generic-password",
+        "-U",
+        "-s",
+        KEYCHAIN_SERVICE,
+        "-a",
+        KEYCHAIN_ACCOUNT,
+        "-w",
+        key.toString("hex")
+      ],
+      { encoding: "utf-8", timeout: KEYCHAIN_COMMAND_TIMEOUT_MS }
+    );
+    if (result?.error) {
+      debug(`Keychain write failed: ${result.error.message}`);
+    }
+    return !!result && !result.error && result.status === 0;
+  } catch (err) {
+    debug(`Keychain write threw: ${errorMessage(err)}`);
+    return false;
+  }
+}
+function getOrCreateCredentialsKey(dir = getArchalDir()) {
+  const envKey = readCredentialsKeyFromEnv();
+  if (envKey) {
+    return envKey;
+  }
+  const keychainKey = readCredentialsKeyFromMacKeychain();
+  if (keychainKey) {
+    return keychainKey;
+  }
+  const fileKey = readCredentialsKeyFromFile(dir);
+  if (fileKey) {
+    if (writeCredentialsKeyToMacKeychain(fileKey)) {
+      try {
+        unlinkSync(getCredentialsKeyPathForDir(dir));
+      } catch {
+      }
+    }
+    return fileKey;
+  }
+  const generated = randomBytes(32);
+  if (!writeCredentialsKeyToMacKeychain(generated)) {
+    ensureDir(dir);
+    writeFileSync(getCredentialsKeyPathForDir(dir), `${generated.toString("hex")}
+`, {
+      encoding: "utf-8",
+      mode: 384
+    });
+  }
+  return generated;
+}
+function encryptToken(token, dir = getArchalDir()) {
+  const key = getOrCreateCredentialsKey(dir);
+  const iv = randomBytes(12);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const encrypted = Buffer.concat([cipher.update(token, "utf-8"), cipher.final()]);
+  return `${TOKEN_ENCRYPTION_PREFIX}:${iv.toString("hex")}:${cipher.getAuthTag().toString("hex")}:${encrypted.toString("hex")}`;
+}
+function decryptToken(ciphertext, dir = getArchalDir()) {
+  const parts = ciphertext.split(":");
+  if (parts.length !== 4 || parts[0] !== TOKEN_ENCRYPTION_PREFIX) {
+    return null;
+  }
+  const [, ivHex, tagHex, dataHex] = parts;
+  if (!ivHex || !tagHex || !dataHex) {
+    return null;
+  }
+  const iv = Buffer.from(ivHex, "hex");
+  const tag = Buffer.from(tagHex, "hex");
+  const data = Buffer.from(dataHex, "hex");
+  const keys = collectCredentialKeysForDecrypt(dir);
+  if (keys.length === 0) {
+    keys.push(getOrCreateCredentialsKey(dir));
+  }
+  for (const key of keys) {
+    try {
+      const decipher = createDecipheriv("aes-256-gcm", key, iv);
+      decipher.setAuthTag(tag);
+      return Buffer.concat([decipher.update(data), decipher.final()]).toString("utf-8");
+    } catch {
+    }
+  }
+  debug("Token decryption failed with all available credential keys.");
+  return null;
+}
+function decodeJwtPayload(token) {
+  try {
+    const payloadPart = token.split(".")[1];
+    if (!payloadPart) return null;
+    const normalized = payloadPart.replace(/-/g, "+").replace(/_/g, "/");
+    const padded = normalized + "=".repeat((4 - normalized.length % 4) % 4);
+    return JSON.parse(Buffer.from(padded, "base64").toString("utf-8"));
+  } catch (err) {
+    debug(`JWT payload decode failed (expected for non-JWT tokens): ${errorMessage(err)}`);
+    return null;
+  }
+}
+function hasValidSelectedTwins(value) {
+  return value === void 0 || Array.isArray(value) && value.every((twin) => typeof twin === "string");
+}
+function resolveStoredToken(parsed, dir = getArchalDir()) {
+  if (typeof parsed.token === "string") {
+    const token = parsed.token.trim();
+    return { token: token.length > 0 ? token : null, source: "legacy" };
+  }
+  if (typeof parsed.accessToken === "string") {
+    const token = parsed.accessToken.trim();
+    return { token: token.length > 0 ? token : null, source: "legacy" };
+  }
+  if (typeof parsed.tokenEncrypted === "string") {
+    const token = decryptToken(parsed.tokenEncrypted, dir)?.trim() || null;
+    return { token: token?.length ? token : null, source: "encrypted" };
+  }
+  return { token: null, source: "legacy" };
+}
+function resolveStoredRefreshToken(parsed, dir = getArchalDir()) {
+  if (typeof parsed.refreshTokenEncrypted === "string") {
+    const refreshToken = decryptToken(parsed.refreshTokenEncrypted, dir)?.trim() || null;
+    if (refreshToken !== null) {
+      return { refreshToken, source: "encrypted" };
+    }
+    if (typeof parsed.refreshToken === "string") {
+      return { refreshToken: parsed.refreshToken.trim(), source: "legacy" };
+    }
+    return { refreshToken: null, source: "encrypted" };
+  }
+  if (typeof parsed.refreshToken === "string") {
+    return { refreshToken: parsed.refreshToken.trim(), source: "legacy" };
+  }
+  return { refreshToken: "", source: "none" };
+}
+function buildStoredCredentials(parsed, path, warn) {
+  const dir = dirname(path);
+  const { token, source: tokenSource } = resolveStoredToken(parsed, dir);
+  const { refreshToken, source: refreshTokenSource } = resolveStoredRefreshToken(parsed, dir);
+  if (token === null || refreshToken === null || parsed.refreshToken !== void 0 && typeof parsed.refreshToken !== "string" || parsed.refreshTokenEncrypted !== void 0 && typeof parsed.refreshTokenEncrypted !== "string" || !hasValidSelectedTwins(parsed.selectedTwins)) {
+    warn(
+      `Credentials file at ${path} has missing or invalid fields. Run \`archal login\` to re-authenticate.`
+    );
+    return null;
+  }
+  const { email, plan, expiresAt } = parsed;
+  if (typeof email !== "string" || !isPlan(plan) || typeof expiresAt !== "number") {
+    warn(
+      `Credentials file at ${path} has missing or invalid fields. Run \`archal login\` to re-authenticate.`
+    );
+    return null;
+  }
+  const creds = {
+    token,
+    refreshToken,
+    email,
+    plan,
+    selectedTwins: parsed.selectedTwins ?? [],
+    expiresAt
+  };
+  if (tokenSource === "legacy" || refreshTokenSource === "legacy") {
+    try {
+      writeCredentialsAtPath(path, creds);
+    } catch (err) {
+      debug(`Credential migration failed: ${errorMessage(err)}`);
+    }
+  }
+  return creds;
+}
+function readCredentialsFileAtPath(path, options) {
+  if (!existsSync(path)) {
+    return null;
+  }
+  try {
+    const warn = getWarn(options);
+    const parsed = JSON.parse(readFileSync(path, "utf-8"));
+    return buildStoredCredentials(parsed, path, warn);
+  } catch {
+    const warn = getWarn(options);
+    warn(
+      `Credentials file at ${path} exists but could not be parsed. Delete it and run \`archal login\` to re-authenticate.`
+    );
+    return null;
+  }
+}
+function readCredentialsFile(options) {
+  return readCredentialsFileAtPath(getCredentialsPath(), options);
+}
+function readCredentialsFromEnv(options) {
+  const raw = process.env[AUTH_TOKEN_ENV_VAR];
+  if (typeof raw !== "string") {
+    return null;
+  }
+  const token = raw.trim();
+  if (token.length === 0) {
+    return null;
+  }
+  const claims = decodeJwtPayload(token);
+  const nowSeconds = Math.floor(Date.now() / 1e3);
+  const email = claims !== null && typeof claims["email"] === "string" ? claims["email"] : "(from ARCHAL_TOKEN)";
+  let plan = claims !== null && isPlan(claims["plan"]) ? claims["plan"] : void 0;
+  if (!plan) {
+    if (claims !== null) {
+      getWarn(options)("JWT does not contain a valid plan claim - defaulting to free");
+    }
+    plan = "free";
+  }
+  const expiresAt = claims !== null && typeof claims["exp"] === "number" ? claims["exp"] : nowSeconds + ENV_TOKEN_FALLBACK_TTL_SECONDS;
+  if (expiresAt <= nowSeconds) {
+    if (options?.onExpiredEnvToken === "throw") {
+      throw new ExpiredEnvTokenError();
+    }
+    debug("Ignoring expired ARCHAL_TOKEN from environment.");
+    return null;
+  }
+  return {
+    token,
+    refreshToken: "",
+    email,
+    plan,
+    selectedTwins: [],
+    expiresAt
+  };
+}
+function getCredentials(options) {
+  const creds = readCredentialsFromEnv(options) ?? getStoredCredentials(options);
+  if (!creds) {
+    return null;
+  }
+  return isExpired(creds.expiresAt) ? null : creds;
+}
+function getStoredCredentials(options) {
+  const creds = readCredentialsFile(options);
+  if (!creds) {
+    return null;
+  }
+  if (options?.includeExpired) {
+    return creds;
+  }
+  return isExpired(creds.expiresAt) ? null : creds;
+}
+function getRealHomeStoredCredentials(options) {
+  const creds = readCredentialsFileAtPath(getCredentialsPathForDir(getRealArchalDir()), options);
+  if (!creds) {
+    return null;
+  }
+  if (options?.includeExpired) {
+    return creds;
+  }
+  return isExpired(creds.expiresAt) ? null : creds;
+}
+function writeCredentialsAtPath(path, creds) {
+  const dir = dirname(path);
+  ensureDir(dir);
+  const payload = {
+    email: creds.email,
+    plan: creds.plan,
+    selectedTwins: creds.selectedTwins,
+    expiresAt: creds.expiresAt,
+    tokenEncrypted: encryptToken(creds.token.trim(), dir),
+    refreshTokenEncrypted: creds.refreshToken.trim().length > 0 ? encryptToken(creds.refreshToken.trim(), dir) : void 0
+  };
+  const tmpPath = `${path}.${randomBytes(4).toString("hex")}.tmp`;
+  writeFileSync(tmpPath, `${JSON.stringify(payload, null, 2)}
+`, {
+    encoding: "utf-8",
+    mode: 384
+  });
+  renameSync(tmpPath, path);
+}
+function saveCredentials(creds) {
+  writeCredentialsAtPath(getCredentialsPath(), creds);
+}
+function saveRealHomeCredentials(creds) {
+  writeCredentialsAtPath(getCredentialsPathForDir(getRealArchalDir()), creds);
+}
+function deleteCredentials() {
+  const path = getCredentialsPath();
+  if (!existsSync(path)) {
+    return false;
+  }
+  unlinkSync(path);
+  return true;
+}
+
+// ../node-auth/src/loopback.ts
+import { isIP } from "net";
+var CLI_LOOPBACK_CALLBACK_HOST = "127.0.0.1";
+function normalizeHostname(hostname) {
+  const trimmed = hostname.trim().toLowerCase();
+  if (trimmed.startsWith("[") && trimmed.endsWith("]")) {
+    return trimmed.slice(1, -1);
+  }
+  return trimmed;
+}
+function isLoopbackHostname(hostname) {
+  const normalized = normalizeHostname(hostname);
+  if (normalized === "localhost" || normalized === "::1") {
+    return true;
+  }
+  if (isIP(normalized) === 4) {
+    return normalized.startsWith("127.");
+  }
+  return false;
+}
+function isLoopbackHttpUrl(rawUrl) {
+  try {
+    const parsed = new URL(rawUrl);
+    return parsed.protocol === "http:" && isLoopbackHostname(parsed.hostname);
+  } catch {
+    return false;
+  }
+}
+function isLoopbackRedirectUri(rawUrl) {
+  return isLoopbackHttpUrl(rawUrl);
+}
+function buildLoopbackCallbackUrl(port) {
+  return `http://${CLI_LOOPBACK_CALLBACK_HOST}:${port}/callback`;
+}
+
+// ../node-auth/src/url-resolver.ts
+function getWarn2(options) {
+  return options?.warn ?? console.warn;
+}
+function stripUrlCredentials(url) {
+  try {
+    const parsed = new URL(url);
+    parsed.username = "";
+    parsed.password = "";
+    return parsed.toString();
+  } catch {
+    const atIndex = url.indexOf("@");
+    return atIndex >= 0 ? url.slice(atIndex + 1) : url;
+  }
+}
+function normalizeAuthUrl(value) {
+  if (typeof value !== "string") {
+    return null;
+  }
+  const trimmed = value.trim().replace(/\/+$/, "");
+  if (trimmed.length === 0) {
+    return null;
+  }
+  const normalized = trimmed.endsWith("/api") ? trimmed.slice(0, -4) : trimmed;
+  if (normalized.length === 0) {
+    return null;
+  }
+  const parsed = new URL(normalized);
+  if (parsed.protocol === "https:") {
+    return normalized;
+  }
+  const isLocalHttp = isLoopbackHttpUrl(normalized);
+  if (!isLocalHttp) {
+    throw new Error(
+      `Auth URL must use HTTPS (got ${stripUrlCredentials(normalized)}). HTTP is only allowed for loopback hosts.`
+    );
+  }
+  return normalized;
+}
+function parseBooleanEnvFlag(value) {
+  if (typeof value !== "string") {
+    return false;
+  }
+  switch (value.trim().toLowerCase()) {
+    case "1":
+    case "true":
+    case "yes":
+    case "on":
+      return true;
+    default:
+      return false;
+  }
+}
+function isStrictEndpointModeEnabled() {
+  return parseBooleanEnvFlag(process.env[STRICT_ENDPOINTS_ENV_VAR]);
+}
+function readConfiguredUrl(options, ...envKeys) {
+  for (const key of envKeys) {
+    try {
+      const value = normalizeAuthUrl(process.env[key]);
+      if (value) {
+        return value;
+      }
+    } catch (err) {
+      getWarn2(options)(
+        `Ignoring invalid ${key}: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
+  return null;
+}
+function getConfiguredAuthBaseUrl(options) {
+  const explicit = readConfiguredUrl(options, "ARCHAL_AUTH_URL", "ARCHAL_AUTH_BASE_URL");
+  if (explicit) {
+    return explicit;
+  }
+  return isStrictEndpointModeEnabled() ? null : HOSTED_DEFAULT_AUTH_BASE_URL;
+}
+function getConfiguredApiBaseUrl(options) {
+  const explicit = readConfiguredUrl(options, "ARCHAL_API_URL", "ARCHAL_API_BASE_URL");
+  if (explicit) {
+    return explicit;
+  }
+  return isStrictEndpointModeEnabled() ? null : HOSTED_DEFAULT_API_BASE_URL;
+}
+function getConfiguredRuntimeBaseUrl(options) {
+  const explicit = readConfiguredUrl(options, "ARCHAL_RUNTIME_URL");
+  if (explicit) {
+    return explicit;
+  }
+  return isStrictEndpointModeEnabled() ? null : HOSTED_DEFAULT_RUNTIME_BASE_URL;
+}
+
+// ../node-auth/src/request-metadata.ts
+function buildAuthRequestHeaders(metadata, includeContentType = false) {
+  const headers = {};
+  if (includeContentType) {
+    headers["content-type"] = "application/json";
+  }
+  if (metadata?.userAgent) {
+    headers["user-agent"] = metadata.userAgent;
+  }
+  if (metadata?.cliVersion) {
+    headers["x-archal-cli-version"] = metadata.cliVersion;
+  }
+  return headers;
+}
+
+// ../billing-constants/src/index.ts
+var PLAN_MAX_SESSION_TTL_SECONDS = {
+  free: 30 * 60,
+  // 30 minutes
+  pro: 60 * 60,
+  // 60 minutes
+  enterprise: 90 * 60
+  // 90 minutes
+};
+var MAX_ABSOLUTE_SESSION_LIFETIME_SECONDS = 4 * 60 * 60;
+var FREE_PLAN_BASE_TWINS = [
+  "discord",
+  "github",
+  "google-workspace",
+  "jira",
+  "linear",
+  "ramp",
+  "slack",
+  "stripe",
+  "supabase"
+];
+function normalizeTwinIds(twinIds) {
+  if (!twinIds) {
+    return [];
+  }
+  const normalized = /* @__PURE__ */ new Set();
+  for (const twinId of twinIds) {
+    const trimmed = twinId.trim();
+    if (trimmed.length > 0) {
+      normalized.add(trimmed);
+    }
+  }
+  return [...normalized];
+}
+function resolveKnownTwinSet(knownTwinIds) {
+  return new Set(normalizeTwinIds(knownTwinIds ?? FREE_PLAN_BASE_TWINS));
+}
+function getFreePlanEntitledTwins(selectedTwinIds, knownTwinIds) {
+  const knownTwinSet = resolveKnownTwinSet(knownTwinIds);
+  const selected = normalizeTwinIds(selectedTwinIds).filter((twinId) => knownTwinSet.has(twinId));
+  if (selected.length > 0) {
+    return new Set(selected);
+  }
+  const entitled = /* @__PURE__ */ new Set();
+  for (const twinId of FREE_PLAN_BASE_TWINS) {
+    if (knownTwinSet.has(twinId)) {
+      entitled.add(twinId);
+    }
+  }
+  return entitled;
+}
+function isTwinEntitled(plan, twinId, selectedTwinIds, knownTwinIds) {
+  if (plan !== "free") {
+    return true;
+  }
+  return getFreePlanEntitledTwins(selectedTwinIds, knownTwinIds).has(twinId);
+}
+var SCENARIO_USAGE_WINDOW_DAYS = 7;
+var SCENARIO_USAGE_WINDOW_MS = SCENARIO_USAGE_WINDOW_DAYS * 24 * 60 * 60 * 1e3;
+var SCENARIO_USAGE_WINDOW_SECONDS = SCENARIO_USAGE_WINDOW_DAYS * 24 * 60 * 60;
+
+// ../node-auth/src/entitlements.ts
+function isTokenDerivedIdentity(email) {
+  return email === "(from ARCHAL_TOKEN)" || email === "(from token)";
+}
+function getWarn3(metadata) {
+  return metadata?.warn ?? console.warn;
+}
+function getAuthBaseUrl(metadata) {
+  const configured = metadata?.authBaseUrl?.trim();
+  if (configured) {
+    return configured.replace(/\/+$/, "");
+  }
+  return getConfiguredAuthBaseUrl();
+}
+function logRefreshFailure(creds, reason, authBaseUrl, metadata) {
+  const endpoint = `${authBaseUrl}/auth/me`;
+  const warn = getWarn3(metadata);
+  if (isTokenDerivedIdentity(creds.email)) {
+    warn(
+      `Could not verify token with ${endpoint} (${reason}). Using token without refreshed account metadata.`
+    );
+    return;
+  }
+  warn(
+    `Could not refresh account metadata from ${endpoint} (${reason}). Using cached credentials.`
+  );
+}
+async function readFailureDetail(response) {
+  const contentType = response.headers.get("content-type")?.toLowerCase() ?? "";
+  if (!contentType.includes("application/json")) {
+    return null;
+  }
+  try {
+    const payload = await response.json();
+    const error = typeof payload.error === "string" ? payload.error.trim() : "";
+    const message = typeof payload.message === "string" ? payload.message.trim() : "";
+    if (error && message) return `${error}: ${message}`;
+    if (message) return message;
+    if (error) return error;
+  } catch {
+    return null;
+  }
+  return null;
+}
+async function validateTokenWithServer(creds, metadata) {
+  const authBaseUrl = getAuthBaseUrl(metadata);
+  if (!authBaseUrl) {
+    return {
+      ok: false,
+      code: "no_auth_url",
+      status: null,
+      reason: "no auth URL configured"
+    };
+  }
+  try {
+    const response = await fetch(`${authBaseUrl}/auth/me`, {
+      method: "GET",
+      headers: {
+        authorization: `Bearer ${creds.token}`,
+        ...buildAuthRequestHeaders(metadata, false)
+      },
+      signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS)
+    });
+    if (!response.ok) {
+      const detail = await readFailureDetail(response);
+      return {
+        ok: false,
+        code: response.status === 401 ? "auth_rejected" : "http_error",
+        status: response.status,
+        reason: detail ? `HTTP ${response.status} ${detail}` : `HTTP ${response.status}`
+      };
+    }
+    let data;
+    try {
+      data = await response.json();
+    } catch {
+      return {
+        ok: false,
+        code: "invalid_payload",
+        status: null,
+        reason: "invalid response payload"
+      };
+    }
+    if (typeof data.email !== "string" || !isPlan(data.plan)) {
+      return {
+        ok: false,
+        code: "invalid_payload",
+        status: null,
+        reason: "invalid response payload"
+      };
+    }
+    const selectedTwins = Array.isArray(data.selectedTwinIds) ? data.selectedTwinIds.filter((id) => typeof id === "string") : creds.selectedTwins;
+    const updated = {
+      ...creds,
+      email: data.email,
+      plan: data.plan,
+      selectedTwins
+    };
+    if ((updated.email !== creds.email || updated.plan !== creds.plan || JSON.stringify(updated.selectedTwins) !== JSON.stringify(creds.selectedTwins)) && !process.env[AUTH_TOKEN_ENV_VAR]) {
+      saveCredentials(updated);
+    }
+    return { ok: true, credentials: updated };
+  } catch (error) {
+    return {
+      ok: false,
+      code: "network_error",
+      status: null,
+      reason: errorMessage(error)
+    };
+  }
+}
+async function refreshAuthFromServer(creds, metadata) {
+  const authBaseUrl = getAuthBaseUrl(metadata);
+  if (!authBaseUrl) return creds;
+  const result = await refreshAuthFromServerWithValidation(creds, metadata);
+  if (!result.validation.ok) {
+    logRefreshFailure(creds, result.validation.reason, authBaseUrl, metadata);
+    if (result.validation.code === "auth_rejected") {
+      throw new Error("Authentication failed. Your token may be expired or invalid. Run: archal login");
+    }
+  }
+  return result.credentials;
+}
+async function refreshAuthFromServerWithValidation(creds, metadata) {
+  const result = await validateTokenWithServer(creds, metadata);
+  if (result.ok) {
+    return {
+      credentials: result.credentials,
+      validation: result
+    };
+  }
+  return {
+    credentials: creds,
+    validation: result
+  };
+}
+async function resolveWhoamiAuthState(creds, metadata) {
+  if (!creds) {
+    return { loggedIn: false };
+  }
+  const refreshed = await refreshAuthFromServerWithValidation(creds, metadata);
+  return {
+    loggedIn: true,
+    credentials: refreshed.credentials,
+    validation: refreshed.validation
+  };
+}
+function isEntitled(creds, twinName) {
+  return isTwinEntitled(creds.plan, twinName, creds.selectedTwins);
+}
+function getJwtExpiry(token) {
+  const claims = decodeJwtPayload(token);
+  if (claims === null) return null;
+  return typeof claims["exp"] === "number" ? claims["exp"] : null;
+}
+
+// ../node-auth/src/fetch-with-retry.ts
+function sleep(ms, signal) {
+  if (!signal) {
+    return new Promise((resolve) => {
+      setTimeout(resolve, ms);
+    });
+  }
+  const abortSignal = signal;
+  if (abortSignal.aborted) {
+    return Promise.reject(abortSignal.reason instanceof Error ? abortSignal.reason : new DOMException("The operation was aborted.", "AbortError"));
+  }
+  return new Promise((resolve, reject) => {
+    const timeout = setTimeout(() => {
+      abortSignal.removeEventListener("abort", onAbort);
+      resolve();
+    }, ms);
+    function onAbort() {
+      clearTimeout(timeout);
+      reject(abortSignal.reason instanceof Error ? abortSignal.reason : new DOMException("The operation was aborted.", "AbortError"));
+    }
+    abortSignal.addEventListener("abort", onAbort, { once: true });
+  });
+}
+function resolveBackoffDelay(backoffMs, attempt, fallbackMs) {
+  const indexed = backoffMs[attempt];
+  if (typeof indexed === "number" && Number.isFinite(indexed) && indexed >= 0) {
+    return indexed;
+  }
+  const last = backoffMs.length > 0 ? backoffMs[backoffMs.length - 1] : void 0;
+  if (typeof last === "number" && Number.isFinite(last) && last >= 0) {
+    return last;
+  }
+  return fallbackMs;
+}
+async function fetchWithRetry(url, init, options) {
+  const maxRetries = options?.maxRetries ?? AUTH_RETRY_OPTIONS.maxRetries;
+  const timeoutMs = options?.timeoutMs ?? AUTH_RETRY_OPTIONS.timeoutMs;
+  const retryableStatusCodes = options?.retryableStatusCodes instanceof Set ? options.retryableStatusCodes : new Set(options?.retryableStatusCodes ?? AUTH_RETRY_OPTIONS.retryableStatusCodes);
+  const backoffMs = options?.backoffMs ?? AUTH_RETRY_OPTIONS.backoffMs;
+  const fetchImpl = options?.fetchImpl ?? fetch;
+  const externalSignal = options?.signal;
+  let lastError;
+  for (let attempt = 0; attempt <= maxRetries; attempt += 1) {
+    if (externalSignal?.aborted) {
+      throw externalSignal.reason ?? new DOMException("The operation was aborted.", "AbortError");
+    }
+    try {
+      const requestSignal = externalSignal ? AbortSignal.any([externalSignal, AbortSignal.timeout(timeoutMs)]) : AbortSignal.timeout(timeoutMs);
+      const response = await fetchImpl(url, {
+        ...init,
+        signal: requestSignal
+      });
+      if (response.ok || !retryableStatusCodes.has(response.status) || attempt >= maxRetries) {
+        return response;
+      }
+      lastError = new Error(`HTTP ${response.status}`);
+    } catch (error) {
+      lastError = error;
+      if (attempt >= maxRetries) {
+        break;
+      }
+    }
+    if (attempt < maxRetries) {
+      const delay = resolveBackoffDelay(backoffMs, attempt, 3e3);
+      await sleep(delay, externalSignal);
+    }
+  }
+  throw lastError instanceof Error ? lastError : new Error(errorMessage(lastError));
+}
+
+// ../node-auth/src/token-exchange.ts
+function isCliTokenExchangeResponse(value) {
+  if (!value || typeof value !== "object") return false;
+  const data = value;
+  return typeof data["accessToken"] === "string" && typeof data["refreshToken"] === "string" && typeof data["email"] === "string" && isPlan(data["plan"]) && typeof data["expiresAt"] === "number";
+}
+function isCliRefreshResponse(value) {
+  if (!value || typeof value !== "object") return false;
+  const data = value;
+  return typeof data["accessToken"] === "string" && typeof data["refreshToken"] === "string" && typeof data["expiresAt"] === "number";
+}
+function isCliDeviceAuthStartPayload(value) {
+  if (!value || typeof value !== "object") return false;
+  const data = value;
+  return typeof data["device_code"] === "string" && typeof data["user_code"] === "string" && typeof data["verification_uri"] === "string" && typeof data["verification_uri_complete"] === "string" && typeof data["expires_in"] === "number" && typeof data["interval"] === "number";
+}
+function isCliDeviceAuthApprovedPayload(value) {
+  if (!value || typeof value !== "object") return false;
+  const data = value;
+  return typeof data["access_token"] === "string" && typeof data["token_type"] === "string" && typeof data["expires_in"] === "number";
+}
+function parseCliDeviceAuthErrorPayload(value) {
+  if (!value || typeof value !== "object") return null;
+  const data = value;
+  const error = typeof data.error === "string" ? data.error.trim() : "";
+  if (!error) return null;
+  const interval = typeof data.interval === "number" ? data.interval : void 0;
+  return { error, interval };
+}
+function debug2(message) {
+  if (process.env["ARCHAL_DEBUG"] !== "1") {
+    return;
+  }
+  process.stderr.write(`[archal-node-auth] ${message}
+`);
+}
+function getAuthBaseUrl2(metadata) {
+  const configured = metadata?.authBaseUrl?.trim();
+  if (configured) {
+    return configured.replace(/\/+$/, "");
+  }
+  return getConfiguredAuthBaseUrl();
+}
+async function readJsonPayload(response) {
+  try {
+    return await response.json();
+  } catch {
+    return null;
+  }
+}
+async function exchangeCliAuthCode(input, metadata) {
+  const authBaseUrl = getAuthBaseUrl2(metadata);
+  if (!authBaseUrl) {
+    throw new Error(
+      "ARCHAL_AUTH_BASE_URL (or ARCHAL_AUTH_URL) is required for browser login when ARCHAL_STRICT_ENDPOINTS=1. Set ARCHAL_AUTH_BASE_URL and run `archal login` again."
+    );
+  }
+  const response = await fetchWithRetry(
+    `${authBaseUrl}/auth/cli/token`,
+    {
+      method: "POST",
+      headers: buildAuthRequestHeaders(metadata, true),
+      body: JSON.stringify(input)
+    },
+    AUTH_RETRY_OPTIONS
+  );
+  if (!response.ok) {
+    throw new Error(`Login failed during code exchange (${response.status})`);
+  }
+  const payload = await response.json();
+  if (!isCliTokenExchangeResponse(payload)) {
+    throw new Error("Login failed: invalid token exchange response");
+  }
+  const selectedTwins = Array.isArray(payload.selectedTwinIds) ? payload.selectedTwinIds.filter((id) => typeof id === "string") : [];
+  return {
+    token: payload.accessToken,
+    refreshToken: payload.refreshToken,
+    email: payload.email,
+    plan: payload.plan,
+    selectedTwins,
+    expiresAt: payload.expiresAt
+  };
+}
+async function startCliDeviceAuth(metadata) {
+  const authBaseUrl = getAuthBaseUrl2(metadata);
+  if (!authBaseUrl) {
+    throw new Error(
+      "ARCHAL_AUTH_BASE_URL (or ARCHAL_AUTH_URL) is required for device login when ARCHAL_STRICT_ENDPOINTS=1. Set ARCHAL_AUTH_BASE_URL and run `archal login --device` again."
+    );
+  }
+  const response = await fetchWithRetry(
+    `${authBaseUrl}/auth/device`,
+    {
+      method: "POST",
+      headers: buildAuthRequestHeaders(metadata, false)
+    },
+    AUTH_RETRY_OPTIONS
+  );
+  const payload = await readJsonPayload(response);
+  if (!response.ok) {
+    const error = parseCliDeviceAuthErrorPayload(payload);
+    const detail = error ? `: ${error.error}` : "";
+    throw new Error(`Device login failed to start (${response.status})${detail}`);
+  }
+  if (!isCliDeviceAuthStartPayload(payload)) {
+    throw new Error("Device login failed: invalid device auth response");
+  }
+  return {
+    deviceCode: payload.device_code,
+    userCode: payload.user_code,
+    verificationUri: payload.verification_uri,
+    verificationUriComplete: payload.verification_uri_complete,
+    expiresIn: payload.expires_in,
+    interval: payload.interval
+  };
+}
+async function pollCliDeviceAuth(deviceCode, metadata) {
+  const authBaseUrl = getAuthBaseUrl2(metadata);
+  if (!authBaseUrl) {
+    throw new Error(
+      "ARCHAL_AUTH_BASE_URL (or ARCHAL_AUTH_URL) is required for device login when ARCHAL_STRICT_ENDPOINTS=1. Set ARCHAL_AUTH_BASE_URL and run `archal login --device` again."
+    );
+  }
+  const response = await fetchWithRetry(
+    `${authBaseUrl}/auth/device/token`,
+    {
+      method: "POST",
+      headers: buildAuthRequestHeaders(metadata, true),
+      body: JSON.stringify({ device_code: deviceCode })
+    },
+    AUTH_RETRY_OPTIONS
+  );
+  const payload = await readJsonPayload(response);
+  if (response.ok) {
+    if (!isCliDeviceAuthApprovedPayload(payload)) {
+      throw new Error("Device login failed: invalid poll response");
+    }
+    return {
+      status: "approved",
+      accessToken: payload.access_token,
+      tokenType: payload.token_type,
+      expiresIn: payload.expires_in
+    };
+  }
+  const error = parseCliDeviceAuthErrorPayload(payload);
+  if (error?.error === "slow_down") {
+    return {
+      status: "slow_down",
+      interval: error.interval ?? 0
+    };
+  }
+  if (error?.error === "authorization_pending" || error?.error === "expired_token" || error?.error === "invalid_device_code") {
+    return { status: error.error };
+  }
+  const detail = error ? `: ${error.error}` : "";
+  throw new Error(`Device login poll failed (${response.status})${detail}`);
+}
+async function refreshCliSession(creds, metadata) {
+  if (!creds.refreshToken) {
+    return null;
+  }
+  const authBaseUrl = getAuthBaseUrl2(metadata);
+  if (!authBaseUrl) {
+    return null;
+  }
+  const response = await fetchWithRetry(
+    `${authBaseUrl}/auth/cli/refresh`,
+    {
+      method: "POST",
+      headers: buildAuthRequestHeaders(metadata, true),
+      body: JSON.stringify({ refreshToken: creds.refreshToken })
+    },
+    AUTH_RETRY_OPTIONS
+  );
+  if (!response.ok) {
+    return null;
+  }
+  const payload = await response.json();
+  if (!isCliRefreshResponse(payload)) {
+    return null;
+  }
+  return {
+    ...creds,
+    token: payload.accessToken,
+    refreshToken: payload.refreshToken,
+    expiresAt: payload.expiresAt
+  };
+}
+async function revokeCliSession(refreshToken, metadata) {
+  const authBaseUrl = getAuthBaseUrl2(metadata);
+  if (!authBaseUrl) {
+    return;
+  }
+  try {
+    await fetch(`${authBaseUrl}/auth/cli/revoke`, {
+      method: "POST",
+      headers: buildAuthRequestHeaders(metadata, true),
+      body: JSON.stringify({ refreshToken }),
+      signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS)
+    });
+  } catch (error) {
+    debug2(`Session revoke failed (best-effort): ${errorMessage(error)}`);
+  }
+}
+
+export {
+  __require,
+  __commonJS,
+  __export,
+  __toESM,
+  CREDENTIALS_FILE,
+  CREDENTIALS_KEY_FILE,
+  AUTH_TOKEN_ENV_VAR,
+  TOKEN_ENCRYPTION_PREFIX,
+  CREDENTIALS_MASTER_KEY_ENV_VAR,
+  KEYCHAIN_SERVICE,
+  KEYCHAIN_ACCOUNT,
+  HOSTED_DEFAULT_AUTH_BASE_URL,
+  HOSTED_DEFAULT_API_BASE_URL,
+  HOSTED_DEFAULT_RUNTIME_BASE_URL,
+  STRICT_ENDPOINTS_ENV_VAR,
+  REQUEST_TIMEOUT_MS,
+  ENV_TOKEN_FALLBACK_TTL_SECONDS,
+  AUTH_RETRY_OPTIONS,
+  isPlan,
+  ExpiredEnvTokenError,
+  errorMessage,
+  getArchalDir,
+  decodeJwtPayload,
+  getCredentials,
+  getStoredCredentials,
+  getRealHomeStoredCredentials,
+  saveCredentials,
+  saveRealHomeCredentials,
+  deleteCredentials,
+  CLI_LOOPBACK_CALLBACK_HOST,
+  isLoopbackHostname,
+  isLoopbackHttpUrl,
+  isLoopbackRedirectUri,
+  buildLoopbackCallbackUrl,
+  getConfiguredAuthBaseUrl,
+  getConfiguredApiBaseUrl,
+  getConfiguredRuntimeBaseUrl,
+  buildAuthRequestHeaders,
+  validateTokenWithServer,
+  refreshAuthFromServer,
+  refreshAuthFromServerWithValidation,
+  resolveWhoamiAuthState,
+  isEntitled,
+  getJwtExpiry,
+  exchangeCliAuthCode,
+  startCliDeviceAuth,
+  pollCliDeviceAuth,
+  refreshCliSession,
+  revokeCliSession
+};