cyymall-cli 0.1.5 → 0.1.7

package/README.md

@@ -57,6 +57,7 @@ npm publish --otp=123456
 cyy config path
 cyy auth send-code --phone <mobile>
 cyy auth login --phone <mobile> --code <sms>
+cyy auth import --token <appToken> [--member-id <id>] [--shop-id <id>] [--site-id <id>]
 cyy auth whoami
 cyy shop list
 cyy shop sites --shop-id <门店ID>
@@ -70,14 +71,28 @@ cyy serve --port 8787
 
 ## Session vs bootstrap env
 
-**After `cyy auth login` succeeds**, the CLI reads the session token from **`data.token`** or **`data.appToken`** (plus optional **`shopId` / `siteId` / `versionCode` / `loginId`->`memberId`** when present) and saves them under **`~/.cyymall/config.json`**. If the API omits `shopId`/`siteId`, previously saved or bootstrap values are kept where applicable.
-后续 **`api call`、`product search`、`order quick`** 等命令都会从该文件加载并组装 Header，正常情况下不再需要设置 `CYY_BOOTSTRAP_*`。
+**After `cyy auth login` or `cyy auth import` succeeds**, session fields live under **`~/.cyymall/config.json`** (`token`, `member_id`, `shop_id`, `site_id`, `version_code`, …). **`api call`、`product search`、`order quick`** 等命令读取**有效会话**：先合并配置文件，再用下表 `CYY_*` 覆盖（适合 Gateway / MCP 子进程注入、不落盘）。
 
-**`CYY_BOOTSTRAP_*` 仅用于「尚未登录」时**（例如第一次调用 `/app/auth/ua/registerMember/v2` 本身需要的网关 Header）。若你的环境里登录接口在未带 shop/token 时会被网关拒绝，再按需配置这些变量；**登录成功后的业务请求一律优先使用配置文件里的会话字段**。
+**External token (skip SMS login):**
+
+```bash
+cyy auth import --token "<appToken>" --member-id "<id>" --shop-id "<id>"
+# or ephemeral for one process:
+export CYY_TOKEN="<appToken>"
+export CYY_SHOP_ID="<id>"
+```
+
+**`CYY_BOOTSTRAP_*` 仅用于「尚未登录」时**（无 saved token 且无 `CYY_TOKEN`）。已登录时业务请求优先使用配置文件 + `CYY_TOKEN` 等会话变量。
 
 | Variable | Purpose |
 |----------|---------|
 | `CYY_BASE_URL` | Override API host (default `https://dhcmall.ifoodbuy.com`) |
+| `CYY_TOKEN` | Session token for current process (overrides saved config) |
+| `CYY_MEMBER_ID` | Override `member_id` header |
+| `CYY_SHOP_ID` | Override `shop_id` header |
+| `CYY_SITE_ID` | Override `site_id` header |
+| `CYY_VERSION_CODE` | Override `version_code` header |
+| `CYY_PHONE` | Optional label in config display |
 | `CYY_ENCRYPT_OFF` | `1` / `true`: disable hybrid crypto (plaintext `sendCodeV2`) |
 | `CYY_ENCRYPT_DEBUG` | `1` / `true`: print RSA/AES diagnostics for hybrid decrypt failures |
 | `CYY_BOOTSTRAP_TOKEN` | Optional - **only before login**, gateway may expect placeholder token |
@@ -92,4 +107,4 @@ cyy serve --port 8787
 
 ## Implementation phases
 
-See [`../README_CLI.md`](../README_CLI.md) for staged rollout and acceptance notes.
+See [`../README_CLI.md`](../README_CLI.md) for staged rollout and acceptance notes.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cyymall-cli",
-  "version": "0.1.5",
+  "version": "0.1.7",
   "description": "CyyMall / 菜洋洋商城 API CLI (per app-api-cli-spec)",
   "bin": {
     "cyy": "bin/cyy.js"

package/src/Untitled

@@ -0,0 +1 @@
+shop

package/src/cli.js

@@ -4,6 +4,7 @@ const path = require("path");
 const pkg = require(path.join(__dirname, "..", "package.json"));
 
 const config = require("./config");
+const http = require("./http");
 const apiCall = require("./commands/apiCall");
 const auth = require("./commands/auth");
 const product = require("./commands/product");
@@ -31,14 +32,26 @@ cfgCmd
 
 cfgCmd
   .command("show")
-  .description("Show config (token masked)")
+  .description("Show config (token masked); includes effective session and env overrides")
   .action(() => {
-    const c = config.loadConfig();
-    if (!c) {
+    const file = config.loadConfig();
+    const session = config.getSession();
+    const envOverrides = config.getEnvSessionOverrideKeys();
+    if (!config.hasAuthToken(session) && !file) {
       console.log(JSON.stringify({ loggedIn: false }, null, 2));
       return;
     }
-    const masked = { ...c, token: config.maskToken(String(c.token || "")) };
+    const masked = {
+      loggedIn: config.hasAuthToken(session),
+      saved: file
+        ? { ...file, token: config.maskToken(String(file.token || "")) }
+        : null,
+      effective: {
+        ...session,
+        token: config.maskToken(String(session.token || "")),
+      },
+      envOverrides: envOverrides.length ? envOverrides : undefined,
+    };
     console.log(JSON.stringify(masked, null, 2));
   });
 
@@ -92,6 +105,32 @@ authCmd
     await auth.whoami();
   });
 
+authCmd
+  .command("import")
+  .description(
+    "Import external session token into ~/.cyymall/config.json (skip SMS login); optional --no-verify",
+  )
+  .option("--token <t>", "App session token (appToken / Authorization value)")
+  .option("--token-file <file>", "Read token from UTF-8 file (e.g. secret mount)")
+  .option("--member-id <id>", "memberId header")
+  .option("--shop-id <id>", "shopId header")
+  .option("--site-id <id>", "siteId header (default 1 if omitted and not in saved config)")
+  .option("--version-code <n>", "version-code header")
+  .option("--phone <p>", "Optional phone label for config display")
+  .option("--no-verify", "Save without calling GET /member/getInfo/V2")
+  .action(async (opts) => {
+    await auth.importSession({
+      token: opts.token,
+      tokenFile: opts.tokenFile,
+      memberId: opts.memberId,
+      shopId: opts.shopId,
+      siteId: opts.siteId,
+      versionCode: opts.versionCode,
+      phone: opts.phone,
+      noVerify: Boolean(opts.noVerify),
+    });
+  });
+
 const prod = program.command("product").description("Product helpers");
 
 prod

package/src/commands/apiCall.js

@@ -74,7 +74,7 @@ async function executeApiCall(opts) {
   let headers = {};
 
   if (!noAuth) {
-    const cfg = config.loadConfig();
+    const cfg = config.getSession();
     headers = /** @type {Record<string,string>} */ (
       http.buildAuthHeaders(cfg)
     );

package/src/commands/auth.js

@@ -1,5 +1,6 @@
-"use strict";
+"use strict";
 
+const fs = require("fs");
 const crypto = require("crypto");
 const readline = require("readline/promises");
 const { stdin: input, stdout: output } = require("process");
@@ -9,15 +10,15 @@ const biz = require("../biz");
 const encrypt = require("../encrypt");
 
 /**
- * `/app/auth/ua/*` responses (e.g. sendCodeV2, registerMember/v2): raw wire -> decryptResponse ->
- * JSON.parse -> optional parsedJsonAfterHybridEnvelopeDecrypt, same order as App.
+ * `/app/auth/ua/sendCodeV2` responses may still be returned as a hybrid envelope.
+ * Decrypt the raw wire body first, then parse JSON, matching the App pipeline.
  *
  * @param {string} [rawWireText]
  * @param {unknown} jsonAfterParse
- * @param {string} clientPkForDecrypt
  * @returns {unknown}
  */
-function plainBizJsonFromSendCodeWire(rawWireText, jsonAfterParse, clientPkForDecrypt) {
+function plainBizJsonFromSendCodeWire(rawWireText, jsonAfterParse) {
+  const { clientPrivateKey } = encrypt.resolveEncryptKeys();
   let wire =
     typeof rawWireText === "string" && rawWireText.trim()
       ? rawWireText.trim()
@@ -44,26 +45,26 @@ function plainBizJsonFromSendCodeWire(rawWireText, jsonAfterParse, clientPkForDe
     }
   }
 
-  if (wire) {
-    const decryptedText = encrypt.decryptResponse(wire, clientPkForDecrypt);
+  if (wire && clientPrivateKey) {
+    const decryptedText = encrypt.decryptResponse(wire, clientPrivateKey);
     try {
       const obj = decryptedText ? JSON.parse(decryptedText) : null;
       if (obj != null && typeof obj === "object" && !Array.isArray(obj)) {
         const out = encrypt.looksLikeHybridEnvelope(obj)
-          ? encrypt.parsedJsonAfterHybridEnvelopeDecrypt(obj, clientPkForDecrypt)
+          ? encrypt.parsedJsonAfterHybridEnvelopeDecrypt(obj, clientPrivateKey)
           : obj;
         if (!encrypt.looksLikeHybridEnvelope(out)) {
           return out;
         }
       }
     } catch {
-      // fall through to parsed-json fallback
+      // fall through to parsed fallback
     }
   }
 
   if (jsonAfterParse != null && typeof jsonAfterParse === "object" && !Array.isArray(jsonAfterParse)) {
-    return encrypt.looksLikeHybridEnvelope(jsonAfterParse)
-      ? encrypt.parsedJsonAfterHybridEnvelopeDecrypt(jsonAfterParse, clientPkForDecrypt)
+    return clientPrivateKey && encrypt.looksLikeHybridEnvelope(jsonAfterParse)
+      ? encrypt.parsedJsonAfterHybridEnvelopeDecrypt(jsonAfterParse, clientPrivateKey)
       : jsonAfterParse;
   }
 
@@ -91,31 +92,24 @@ function extractBizMessage(json, fallback) {
     : fallback;
 }
 
-function buildHybridAuthBody(plainBody, headers) {
+function buildEncryptedSendCodeBody(phone) {
+  const headers = /** @type {Record<string,string>} */ (http.buildDefaultHeaders());
+  const plainBody = JSON.stringify({ phone, objectCode: "3" });
   if (!encrypt.encryptEnvConfigured()) {
-    return plainBody;
+    return { headers, body: plainBody };
   }
   headers.encrypte = "true";
   const { serverPublicKey } = encrypt.resolveEncryptKeys();
   const hy = encrypt.hybridEncrypt(plainBody, serverPublicKey);
-  return encrypt.hybridEncryptResultToJson(hy);
-}
-
-function decryptAuthBizJson(rawWireText, jsonAfterParse) {
-  const { clientPrivateKey } = encrypt.resolveEncryptKeys();
-  if (!clientPrivateKey) return jsonAfterParse;
-  return plainBizJsonFromSendCodeWire(
-    typeof rawWireText === "string" ? rawWireText : "",
-    jsonAfterParse,
-    clientPrivateKey,
-  );
+  return {
+    headers,
+    body: encrypt.hybridEncryptResultToJson(hy),
+  };
 }
 
 async function requestSmsCode(phone) {
   const url = http.moduleUrl("DEFAULT", "/app/auth/ua/sendCodeV2");
-  const headers = /** @type {Record<string,string>} */ (http.buildDefaultHeaders());
-  const plainBody = JSON.stringify({ phone, objectCode: "3" });
-  const body = buildHybridAuthBody(plainBody, headers);
+  const { headers, body } = buildEncryptedSendCodeBody(phone);
 
   const { ok, status, json: jsonAfterParse, rawWireText } = await http.request(url, {
     method: "POST",
@@ -125,7 +119,7 @@ async function requestSmsCode(phone) {
     includeRawWireText: true,
   });
 
-  const json = decryptAuthBizJson(rawWireText, jsonAfterParse);
+  const json = plainBizJsonFromSendCodeWire(rawWireText, jsonAfterParse);
 
   if (!ok) {
     const msg = extractBizMessage(json, `send login code failed (HTTP ${status})`);
@@ -134,26 +128,24 @@ async function requestSmsCode(phone) {
     process.exit(2);
   }
 
-  // User-requested behavior: once the send-code request itself succeeds over HTTP,
-  // treat SMS dispatch as successful even if the encrypted response body cannot be
-  // decrypted into upstream business JSON.
-  return { status, json, acceptedByGateway: true };
+  // Only sendCodeV2 is encrypted. Once transport succeeds, treat the SMS request as accepted.
+  return { status, json, gatewayAccepted: true };
 }
 
 async function sendCode(phone) {
-  const { status, json, acceptedByGateway } = await requestSmsCode(phone);
+  const { status, json, gatewayAccepted } = await requestSmsCode(phone);
   const traceId = buildTraceId();
   console.log(
     JSON.stringify(
       {
         success: true,
         code: "OK",
-        message: acceptedByGateway ? "code sent" : "code send accepted",
+        message: "code sent",
         data: {
           phone,
           objectCode: "3",
           httpStatus: status,
-          gatewayAccepted: acceptedByGateway,
+          gatewayAccepted,
           upstream: json,
         },
         traceId,
@@ -168,7 +160,7 @@ async function sendCode(phone) {
 async function loginWithCode(phone, code) {
   const url = http.moduleUrl("DEFAULT", "/app/auth/ua/registerMember/v2");
   const headers = /** @type {Record<string,string>} */ (http.buildDefaultHeaders());
-  const plainBody = JSON.stringify({
+  const body = JSON.stringify({
     phone,
     objectCode: "3",
     password: "",
@@ -177,18 +169,13 @@ async function loginWithCode(phone, code) {
     smsCode: code,
     wxOpenid: "",
   });
-  const body = buildHybridAuthBody(plainBody, headers);
 
-  const { ok, json: jsonAfterParse, rawWireText } = await http.request(url, {
+  const { ok, json } = await http.request(url, {
     method: "POST",
     headers,
     body,
-    decryptHybridResponse: false,
-    includeRawWireText: true,
   });
 
-  const json = decryptAuthBizJson(rawWireText, jsonAfterParse);
-
   if (!ok || !biz.isBizSuccess(json)) {
     const msg = extractBizMessage(json, "login failed");
     console.error(`cyy: ${msg}`);
@@ -202,8 +189,8 @@ async function loginWithCode(phone, code) {
 
   const loginId = String(data.loginId || "");
   const memberId = loginId.includes("_") ? loginId.split("_")[0] : loginId;
-
   const token = pickLoginToken(data);
+
   if (!token) {
     console.error(
       "cyy: login reported success but data has no token (expected token, appToken, or accessToken)",
@@ -272,12 +259,89 @@ async function login(phone, code) {
   await loginWithCode(phone, smsCode);
 }
 
-async function whoami() {
-  const cfg = config.loadConfig();
-  if (!cfg?.token) {
-    console.error("cyy: not logged in. Run: cyy auth login --phone ...");
+/**
+ * Persist an externally supplied session (Native App / Gateway token), skipping SMS login.
+ * @param {object} opts
+ * @param {string} [opts.token]
+ * @param {string} [opts.tokenFile]
+ * @param {string} [opts.memberId]
+ * @param {string} [opts.shopId]
+ * @param {string} [opts.siteId]
+ * @param {string} [opts.versionCode]
+ * @param {string} [opts.phone]
+ * @param {boolean} [opts.noVerify]
+ */
+async function importSession(opts) {
+  let token = opts.token != null ? String(opts.token).trim() : "";
+  if (!token && opts.tokenFile) {
+    token = fs.readFileSync(opts.tokenFile, "utf8").trim();
+  }
+  if (!token) {
+    console.error("cyy: --token or --token-file is required");
     process.exit(1);
   }
+
+  const prev = config.loadConfig() || {};
+  const saved = {
+    ...prev,
+    token,
+    member_id:
+      opts.memberId != null && String(opts.memberId).trim() !== ""
+        ? String(opts.memberId).trim()
+        : String(prev.member_id || ""),
+    shop_id:
+      opts.shopId != null && String(opts.shopId).trim() !== ""
+        ? String(opts.shopId).trim()
+        : String(prev.shop_id || ""),
+    site_id:
+      opts.siteId != null && String(opts.siteId).trim() !== ""
+        ? String(opts.siteId).trim()
+        : String(prev.site_id || "1"),
+    version_code: String(
+      opts.versionCode != null && String(opts.versionCode).trim() !== ""
+        ? opts.versionCode
+        : prev.version_code ?? http.DEFAULT_VERSION,
+    ),
+    phone:
+      opts.phone != null && String(opts.phone).trim() !== ""
+        ? String(opts.phone).trim()
+        : String(prev.phone || ""),
+    login_time: Math.floor(Date.now() / 1000),
+    session_source: "import",
+  };
+
+  config.saveConfig(saved);
+
+  if (opts.noVerify) {
+    const traceId = buildTraceId();
+    console.log(
+      JSON.stringify(
+        {
+          success: true,
+          code: "OK",
+          message: "session imported (not verified)",
+          data: {
+            phone: saved.phone,
+            member_id: saved.member_id,
+            shop_id: saved.shop_id,
+            site_id: saved.site_id,
+            version_code: saved.version_code,
+            token_preview: config.maskToken(saved.token),
+          },
+          traceId,
+        },
+        null,
+        2,
+      ),
+    );
+    process.exit(0);
+  }
+
+  await whoami();
+}
+
+async function whoami() {
+  const cfg = config.requireAuthSession();
   const url = http.moduleUrl("DEFAULT", "/member/getInfo/V2");
   const headers = /** @type {Record<string,string>} */ (http.buildAuthHeaders(cfg));
   delete headers["Content-Type"];
@@ -305,4 +369,4 @@ async function whoami() {
   process.exit(success ? 0 : 2);
 }
 
-module.exports = { login, loginWithCode, sendCode, whoami };
+module.exports = { login, loginWithCode, sendCode, whoami, importSession };

package/src/commands/cart.js

@@ -10,11 +10,7 @@ const biz = require("../biz");
  * @param {{ bodyFile?: string, bodyJson?: string }} opts
  */
 async function add(opts) {
-  const cfg = config.loadConfig();
-  if (!cfg?.token) {
-    console.error("cyy: not logged in.");
-    process.exit(1);
-  }
+  const cfg = config.requireAuthSession();
 
   let raw = opts.bodyJson;
   if (opts.bodyFile) {

package/src/commands/order.js

@@ -28,11 +28,7 @@ function envelope(success, message, data, exitCode) {
  * @param {{ bodyFile?: string, bodyJson?: string }} opts
  */
 async function preSettle(opts) {
-  const cfg = config.loadConfig();
-  if (!cfg?.token) {
-    console.error("cyy: not logged in.");
-    process.exit(1);
-  }
+  const cfg = config.requireAuthSession();
   let raw = opts.bodyJson;
   if (opts.bodyFile) raw = fs.readFileSync(opts.bodyFile, "utf8");
   if (!raw) {
@@ -54,11 +50,7 @@ async function preSettle(opts) {
  * @param {{ bodyFile?: string, bodyJson?: string }} opts
  */
 async function confirm(opts) {
-  const cfg = config.loadConfig();
-  if (!cfg?.token) {
-    console.error("cyy: not logged in.");
-    process.exit(1);
-  }
+  const cfg = config.requireAuthSession();
   let raw = opts.bodyJson;
   if (opts.bodyFile) raw = fs.readFileSync(opts.bodyFile, "utf8");
   if (!raw) {
@@ -77,11 +69,7 @@ async function confirm(opts) {
 }
 
 async function payUrl(opts) {
-  const cfg = config.loadConfig();
-  if (!cfg?.token) {
-    console.error("cyy: not logged in.");
-    process.exit(1);
-  }
+  const cfg = config.requireAuthSession();
   const orderId = opts.orderId;
   if (!orderId) {
     console.error("cyy: --order-id required");
@@ -118,11 +106,7 @@ async function payUrl(opts) {
  * @param {object} opts
  */
 async function quick(opts) {
-  const cfg = config.loadConfig();
-  if (!cfg?.token) {
-    console.error("cyy: not logged in.");
-    process.exit(1);
-  }
+  const cfg = config.requireAuthSession();
 
   const keyword = opts.keyword;
   const quantity = Number(opts.quantity || 1);
@@ -329,11 +313,7 @@ async function quick(opts) {
  * @param {{ page?: string, pageSize?: string, status?: string, shopId?: string, objectCode?: string, all?: boolean, shopKeyword?: string }} opts
  */
 async function list(opts) {
-  const cfg = config.loadConfig();
-  if (!cfg?.token) {
-    console.error("cyy: not logged in.");
-    process.exit(1);
-  }
+  const cfg = config.requireAuthSession();
   const shopId = opts.shopId != null && opts.shopId !== "" ? Number(opts.shopId) : Number(cfg.shop_id);
   if (!Number.isFinite(shopId)) {
     console.error("cyy: shopId missing (set shop_id in config or pass --shop-id)");
@@ -371,11 +351,7 @@ async function list(opts) {
  * @param {{ orderId?: string, childId?: string }} opts
  */
 async function cancel(opts) {
-  const cfg = config.loadConfig();
-  if (!cfg?.token) {
-    console.error("cyy: not logged in.");
-    process.exit(1);
-  }
+  const cfg = config.requireAuthSession();
   const orderId = opts.orderId;
   if (!orderId) {
     console.error("cyy: --order-id required");

package/src/commands/product.js

@@ -9,11 +9,7 @@ const biz = require("../biz");
  * @param {object} opts
  */
 async function search(opts) {
-  const cfg = config.loadConfig();
-  if (!cfg?.token) {
-    console.error("cyy: not logged in. Run: cyy auth login");
-    process.exit(1);
-  }
+  const cfg = config.requireAuthSession();
 
   const shopId = Number(opts.shopId ?? cfg.shop_id);
   const siteId = Number(opts.siteId ?? cfg.site_id);

package/src/commands/shop.js

@@ -28,11 +28,7 @@ function envelope(success, message, upstream, exitCode) {
  * @param {{ page?: string, pageSize?: string, name?: string, objectCode?: string }} opts
  */
 async function list(opts) {
-  const cfg = config.loadConfig();
-  if (!cfg?.token) {
-    console.error("cyy: not logged in. Run: cyy auth login");
-    process.exit(1);
-  }
+  const cfg = config.requireAuthSession();
 
   const body = JSON.stringify({
     pageNum: Number(opts.page || 1),
@@ -62,11 +58,7 @@ async function list(opts) {
  * @param {{ shopId?: string, siteName?: string }} opts
  */
 async function sites(opts) {
-  const cfg = config.loadConfig();
-  if (!cfg?.token) {
-    console.error("cyy: not logged in. Run: cyy auth login");
-    process.exit(1);
-  }
+  const cfg = config.requireAuthSession();
 
   const shopId = opts.shopId ?? cfg.shop_id;
   if (shopId === undefined || shopId === null || String(shopId).trim() === "") {
@@ -179,11 +171,7 @@ async function shopIdBelongsToMember(cfg, shopId) {
  * @param {{ shopId?: string }} opts
  */
 async function useShop(opts) {
-  const cfg = config.loadConfig();
-  if (!cfg?.token) {
-    console.error("cyy: not logged in. Run: cyy auth login");
-    process.exit(1);
-  }
+  const cfg = config.requireAuthSession();
   const shopId = opts.shopId;
   if (shopId === undefined || shopId === null || String(shopId).trim() === "") {
     console.error("cyy: shop use requires --shop-id");
@@ -229,11 +217,7 @@ async function useShop(opts) {
  * @param {{ siteId?: string }} opts
  */
 async function useSite(opts) {
-  const cfg = config.loadConfig();
-  if (!cfg?.token) {
-    console.error("cyy: not logged in. Run: cyy auth login");
-    process.exit(1);
-  }
+  const cfg = config.requireAuthSession();
   const shopId = cfg.shop_id;
   if (shopId === undefined || shopId === null || String(shopId).trim() === "") {
     console.error("cyy: no shop_id in session; run: cyy shop use --shop-id <id>");

package/src/config.js

@@ -4,7 +4,7 @@ const fs = require("fs");
 const path = require("path");
 const os = require("os");
 
-const DEFAULT_BASE_URL = "https://dhcmall.ifoodbuy.com";
+const DEFAULT_BASE_URL = "https://yunping.ifoodbuy.com/";
 
 /** BuildConfig-style module prefixes (app-api-cli-spec §1.2) */
 const MODULE_MAP = {
@@ -69,9 +69,71 @@ function maskToken(t) {
   return `${t.slice(0, 8)}...${t.slice(-4)}`;
 }
 
+/** Env keys that override ~/.cyymall/config.json for the current process (ephemeral). */
+const SESSION_ENV_KEYS = [
+  ["token", "CYY_TOKEN"],
+  ["member_id", "CYY_MEMBER_ID"],
+  ["shop_id", "CYY_SHOP_ID"],
+  ["site_id", "CYY_SITE_ID"],
+  ["version_code", "CYY_VERSION_CODE"],
+  ["phone", "CYY_PHONE"],
+];
+
+/**
+ * Effective session: saved config merged with CYY_* env overrides (env wins when set).
+ * @returns {Record<string, unknown>}
+ */
+function getSession() {
+  const file = loadConfig() || {};
+  /** @type {Record<string, unknown>} */
+  const merged = { ...file };
+  for (const [field, envKey] of SESSION_ENV_KEYS) {
+    const v = process.env[envKey];
+    if (v != null && String(v).trim() !== "") {
+      merged[field] = String(v).trim();
+    }
+  }
+  return merged;
+}
+
+/**
+ * @param {Record<string, unknown>|null|undefined} [session]
+ */
+function hasAuthToken(session) {
+  const s = session ?? getSession();
+  const t = s?.token;
+  return t != null && String(t).trim() !== "";
+}
+
+/**
+ * @returns {Record<string, unknown>}
+ */
+function requireAuthSession() {
+  if (!hasAuthToken()) {
+    console.error(
+      "cyy: not logged in. Use one of: cyy auth login --phone ... | cyy auth import --token ... | CYY_TOKEN=...",
+    );
+    process.exit(1);
+  }
+  return getSession();
+}
+
+/** Names of CYY_* env vars currently overriding saved config. */
+function getEnvSessionOverrideKeys() {
+  const active = [];
+  for (const [, envKey] of SESSION_ENV_KEYS) {
+    const v = process.env[envKey];
+    if (v != null && String(v).trim() !== "") {
+      active.push(envKey);
+    }
+  }
+  return active;
+}
+
 module.exports = {
   DEFAULT_BASE_URL,
   MODULE_MAP,
+  SESSION_ENV_KEYS,
   getBaseUrl,
   getConfigDir,
   getConfigPath,
@@ -79,4 +141,8 @@ module.exports = {
   loadConfig,
   saveConfig,
   maskToken,
+  getSession,
+  hasAuthToken,
+  requireAuthSession,
+  getEnvSessionOverrideKeys,
 };

package/src/http.js

@@ -46,8 +46,7 @@ function buildAuthHeaders(cfg) {
 
 /** Headers for unauthenticated calls (e.g. login) — still need default shop/site for gateway */
 function buildDefaultHeaders() {
-  const cfg = config.loadConfig();
-  return buildAuthHeaders(cfg);
+  return buildAuthHeaders(config.getSession());
 }
 
 /**