khotan-data 0.1.1 → 0.3.0

package/README.md

@@ -53,6 +53,11 @@ import { shopifyProductsSnapshotCache } from "@/lib/khotan/caches/shopify-produc
 
 const khotanData = khotan({
   adapter: drizzleAdapter(db),
+  // Gate the management API behind your auth layer (see "Security" below).
+  authorize: async (request) => {
+    const session = await auth.api.getSession({ headers: request.headers });
+    return Boolean(session?.user);
+  },
   resources: [
     { name: "products", mapping: { connectField: "sku" } },
   ],
@@ -79,6 +84,36 @@ await khotanData.flow("products-inflow", { plugName: "shopify" }).start({
 });
 ```
 
+## Security
+
+The management API (`/api/khotan/*`) exposes plug credentials and operational
+controls. It is **public unless you gate it**. Pass an `authorize` hook — it
+receives the raw `Request` and returns `true`/`false`, so it composes directly
+with session libraries like better-auth:
+
+```typescript
+authorize: async (request) => {
+  const session = await auth.api.getSession({ headers: request.headers });
+  return session?.user?.role === "admin";
+},
+```
+
+- `KHOTAN_SECRET` encrypts plug credentials **at rest** (AES-256-GCM). It is not
+  an auth credential — it never gates requests, and **must not** be sent as a
+  `Bearer` token. Management routes are gated only by `authorize` (plus a
+  dev-only CLI HMAC token derived from the secret). A rejected request returns
+  `401` with `code: "authorize_rejected"` and a `hint`. To trigger a flow over
+  HTTP (`POST /api/khotan/flows/{flowId}/runs`), send a credential your
+  `authorize` hook accepts — or just call `khotanData.flow(name).start()` from
+  server code, which needs no auth. Set the secret to a high-entropy value.
+- Inbound webhooks (verified via per-plug `onVerify`), the cron dispatcher
+  (`CRON_SECRET`), and debug routes (`KHOTAN_DEBUG`, non-production only) are
+  exempt from `authorize` automatically.
+- `KHOTAN_DEBUG` is force-disabled when `NODE_ENV=production`. The cron route
+  fails closed in production when `CRON_SECRET` is unset.
+- Protect the Hub dashboard page (e.g. `/config`) with your app's middleware —
+  `authorize` only guards the API.
+
 ## Caches
 
 Use first-class caches when a flow, relay, catch, or pass needs durable state between runs.
@@ -99,32 +134,38 @@ export const shopifyProductsSnapshotCache = cache({
 
 Inside workflows, use `khotanCache(ctx, "name")` for snapshots, cursors, and dedupe markers:
 
+Declare `"use step"` functions at module top level and pass them serializable
+values only (`ctx` is plain data). Nesting steps inside the `"use workflow"`
+function fails at runtime — the Workflow compiler cannot hoist closures that
+capture workflow scope.
+
 ```typescript
 import { khotanCache } from "khotan-data/factory";
 
-async function shopifyProductsWorkflow(ctx: InflowContext) {
-  "use workflow";
-
-  async function syncProducts() {
-    "use step";
-    const snapshotCache = khotanCache(ctx, "shopify-products-snapshot");
-    const previous =
-      (await snapshotCache.get<Array<Record<string, unknown>>>("latest")) ?? [];
+// Step: top-level, retried independently, full Node.js access.
+async function syncProducts(ctx: InflowContext) {
+  "use step";
+  const snapshotCache = khotanCache(ctx, "shopify-products-snapshot");
+  const previous =
+    (await snapshotCache.get<Array<Record<string, unknown>>>("latest")) ?? [];
 
-    const response = await shopifyPlug.get<{ data?: Array<Record<string, unknown>> }>("/products");
-    const records = Array.isArray(response.data) ? response.data : [];
+  const response = await shopifyPlug.get<{ data?: Array<Record<string, unknown>> }>("/products");
+  const records = Array.isArray(response.data) ? response.data : [];
 
-    await snapshotCache.set("latest", records);
+  await snapshotCache.set("latest", records);
 
-    return {
-      extracted: records.length,
-      transformed: records.length,
-      created: records.length,
-      metadata: { previousCount: previous.length },
-    };
-  }
+  return {
+    extracted: records.length,
+    transformed: records.length,
+    created: records.length,
+    metadata: { previousCount: previous.length },
+  };
+}
 
-  return syncProducts();
+// Workflow: orchestration only.
+async function shopifyProductsWorkflow(ctx: InflowContext) {
+  "use workflow";
+  return syncProducts(ctx);
 }
 ```
 

package/dist/cli.js

@@ -5,6 +5,7 @@ import path2 from 'path';
 import { fileURLToPath } from 'url';
 import { execSync } from 'child_process';
 import prompts2 from 'prompts';
+import crypto from 'crypto';
 
 // src/cli/config-template.ts
 function configTemplate(outputDir) {
@@ -152,6 +153,11 @@ var COMPONENTS = {
         outputFile: "wires/wire.ts",
         outputBase: "outputDir"
       },
+      {
+        templatePath: path2.resolve(__dirname$1, "templates", "api-state.tsx"),
+        outputFile: "api-state.tsx",
+        outputBase: "components"
+      },
       {
         templatePath: path2.resolve(__dirname$1, "templates", "wire-panel.tsx"),
         outputFile: "wire.tsx",
@@ -202,6 +208,11 @@ var COMPONENTS = {
       ]
     },
     files: [
+      {
+        templatePath: path2.resolve(__dirname$1, "templates", "api-state.tsx"),
+        outputFile: "api-state.tsx",
+        outputBase: "components"
+      },
       {
         templatePath: path2.resolve(__dirname$1, "templates", "hub.tsx"),
         outputFile: "hub.tsx",
@@ -227,6 +238,11 @@ var COMPONENTS = {
       shadcnComponents: ["card", "table", "badge", "button"]
     },
     files: [
+      {
+        templatePath: path2.resolve(__dirname$1, "templates", "api-state.tsx"),
+        outputFile: "api-state.tsx",
+        outputBase: "components"
+      },
       {
         templatePath: path2.resolve(__dirname$1, "templates", "logs.tsx"),
         outputFile: "logs.tsx",
@@ -256,6 +272,11 @@ var COMPONENTS = {
       shadcnComponents: ["card", "table", "button", "input", "label"]
     },
     files: [
+      {
+        templatePath: path2.resolve(__dirname$1, "templates", "api-state.tsx"),
+        outputFile: "api-state.tsx",
+        outputBase: "components"
+      },
       {
         templatePath: path2.resolve(
           __dirname$1,
@@ -276,6 +297,11 @@ var COMPONENTS = {
       shadcnComponents: ["card", "badge", "button", "input", "label"]
     },
     files: [
+      {
+        templatePath: path2.resolve(__dirname$1, "templates", "api-state.tsx"),
+        outputFile: "api-state.tsx",
+        outputBase: "components"
+      },
       {
         templatePath: path2.resolve(__dirname$1, "templates", "plug-debugger.tsx"),
         outputFile: "plug-debugger.tsx",
@@ -523,6 +549,11 @@ var BLOCKS = {
       shadcnComponents: ["card", "badge"]
     },
     files: [
+      {
+        templatePath: path2.resolve(__dirname$1, "templates", "api-state.tsx"),
+        outputFile: "api-state.tsx",
+        outputBase: "components"
+      },
       {
         templatePath: path2.resolve(
           __dirname$1,
@@ -647,6 +678,15 @@ function resolveAgentsMdPaths(content, targets) {
 // src/cli/commands/init.ts
 var __dirname2 = path2.dirname(fileURLToPath(import.meta.url));
 function resolveOutputDir(projectRoot) {
+  const configPath = path2.join(projectRoot, "khotan.config.ts");
+  if (fs4.existsSync(configPath)) {
+    try {
+      const content = fs4.readFileSync(configPath, "utf-8");
+      const match = /outputDir:\s*["']([^"']+)["']/.exec(content);
+      if (match?.[1]) return match[1];
+    } catch {
+    }
+  }
   if (fs4.existsSync(path2.join(projectRoot, "src", "app"))) {
     return "src/khotan";
   }
@@ -697,6 +737,45 @@ function scaffoldCoreFiles(cwd, outputDir) {
   }
   return created;
 }
+var MIDDLEWARE_CANDIDATES = [
+  "middleware.ts",
+  "middleware.js",
+  "src/middleware.ts",
+  "src/middleware.js",
+  "proxy.ts",
+  "proxy.js",
+  "src/proxy.ts",
+  "src/proxy.js"
+];
+function warnAboutWorkflowProxy(cwd) {
+  const found = MIDDLEWARE_CANDIDATES.map((rel) => ({
+    rel,
+    abs: path2.join(cwd, rel)
+  })).find((c) => fs4.existsSync(c.abs));
+  if (!found) return false;
+  let contents = "";
+  try {
+    contents = fs4.readFileSync(found.abs, "utf-8");
+  } catch {
+    return false;
+  }
+  if (/\.well-known|workflow/i.test(contents)) {
+    return false;
+  }
+  console.log(
+    `
+\u26A0 Detected ${found.rel}. Vercel Workflow (used by inflows, outflows,
+  relays, catch, and pass) communicates over /.well-known/workflow/*.
+  If your middleware/proxy matcher captures these paths, durable runs
+  will silently fail. Exclude them from your matcher, e.g.:
+
+    export const config = {
+      matcher: ["/((?!_next|.well-known/workflow).*)"],
+    };
+`
+  );
+  return true;
+}
 async function runFullSetup(cwd) {
   const results = [];
   const pm = detectPackageManager(cwd);
@@ -808,6 +887,7 @@ Installing shadcn components: ${missingShadcn.join(", ")}...`
     results.push({ name: "Scaffold core files", status: "skipped" });
   }
   results.push(ensureKhotanDataInstalled(cwd));
+  warnAboutWorkflowProxy(cwd);
   return results;
 }
 function ensureKhotanDataInstalled(cwd) {
@@ -836,6 +916,7 @@ async function runInit(cwd) {
   }
   scaffoldCoreFiles(cwd, outputDir);
   ensureKhotanDataInstalled(cwd);
+  warnAboutWorkflowProxy(cwd);
   return fs4.existsSync(configPath);
 }
 var SKILL_COMPONENTS = [
@@ -908,6 +989,7 @@ ${String(failed.length)} step(s) failed. You may need to run them manually.`
   }
   const coreFiles = scaffoldCoreFiles(cwd, outputDir);
   ensureKhotanDataInstalled(cwd);
+  warnAboutWorkflowProxy(cwd);
   let installSkills2 = opts.yes ?? false;
   if (!installSkills2 && process.stdin.isTTY) {
     const response = await prompts2({
@@ -1774,13 +1856,13 @@ function diffSchemas(expected, actual, basePath = "$") {
   }
   return diffObjectSchema(expected, actual, basePath);
 }
-function diffTypedNode(expected, actual, path15) {
+function diffTypedNode(expected, actual, path16) {
   const expectedType = expected["_type"];
   if (expectedType === "array") {
     if (actual.type !== "array") {
       return [
         {
-          path: path15,
+          path: path16,
           issue: "type_mismatch",
           note: `expected array, got ${actual.type}`
         }
@@ -1788,13 +1870,13 @@ function diffTypedNode(expected, actual, path15) {
     }
     const itemSchema = expected["items"];
     if (!itemSchema || !actual.items) return [];
-    return diffSchemas(itemSchema, actual.items, `${path15}[]`);
+    return diffSchemas(itemSchema, actual.items, `${path16}[]`);
   }
   const normalizedExpected = normalizeType(expectedType);
   if (normalizedExpected !== actual.type && actual.type !== "null") {
     return [
       {
-        path: path15,
+        path: path16,
         issue: "type_mismatch",
         note: `expected ${expectedType}, got ${actual.type}`
       }
@@ -1802,11 +1884,11 @@ function diffTypedNode(expected, actual, path15) {
   }
   return [];
 }
-function diffObjectSchema(expected, actual, path15) {
+function diffObjectSchema(expected, actual, path16) {
   if (actual.type !== "object") {
     return [
       {
-        path: path15,
+        path: path16,
         issue: "type_mismatch",
         note: `expected object, got ${actual.type}`
       }
@@ -1815,7 +1897,7 @@ function diffObjectSchema(expected, actual, path15) {
   const mismatches = [];
   const actualProps = actual.properties;
   for (const [key, typeDesc] of Object.entries(expected)) {
-    const childPath = path15 === "$" ? `$.${key}` : `${path15}.${key}`;
+    const childPath = path16 === "$" ? `$.${key}` : `${path16}.${key}`;
     const typeStr = typeof typeDesc === "string" ? typeDesc : null;
     const isOptional = typeStr?.endsWith("?") ?? false;
     if (!(key in actualProps)) {
@@ -1853,7 +1935,7 @@ function diffObjectSchema(expected, actual, path15) {
   }
   for (const key of Object.keys(actualProps)) {
     if (!(key in expected)) {
-      const childPath = path15 === "$" ? `$.${key}` : `${path15}.${key}`;
+      const childPath = path16 === "$" ? `$.${key}` : `${path16}.${key}`;
       mismatches.push({ path: childPath, issue: "extra" });
     }
   }
@@ -1874,6 +1956,48 @@ function normalizeType(typeStr) {
       return lower;
   }
 }
+var CLI_TOKEN_SCHEME = "KhotanCLI";
+function readSecretFromEnvFile(filePath) {
+  try {
+    const content = fs4.readFileSync(filePath, "utf-8");
+    for (const line of content.split("\n")) {
+      const trimmed = line.trim();
+      if (!trimmed || trimmed.startsWith("#")) continue;
+      const match = /^KHOTAN_SECRET\s*=\s*["']?(.*?)["']?\s*$/.exec(trimmed);
+      if (match) return match[1] ?? null;
+    }
+  } catch {
+  }
+  return null;
+}
+function resolveKhotanSecret(cwd = process.cwd()) {
+  const fromEnv = process.env["KHOTAN_SECRET"]?.trim();
+  if (fromEnv) return fromEnv;
+  return readSecretFromEnvFile(path2.join(cwd, ".env.local")) ?? readSecretFromEnvFile(path2.join(cwd, ".env")) ?? null;
+}
+function cliAuthHeader() {
+  const secret = resolveKhotanSecret();
+  if (!secret) return null;
+  const timestamp = String(Date.now());
+  const sig = crypto.createHmac("sha256", secret).update(`khotan-cli:${timestamp}`).digest("hex");
+  return `${CLI_TOKEN_SCHEME} ${timestamp}.${sig}`;
+}
+function cliFetch(url, init) {
+  const auth = cliAuthHeader();
+  if (!auth) {
+    return init === void 0 ? fetch(url) : fetch(url, init);
+  }
+  const headers = {
+    ...init?.headers ?? {},
+    Authorization: auth
+  };
+  return fetch(url, { ...init, headers });
+}
+function unauthorizedHint() {
+  return resolveKhotanSecret() ? "Unauthorized. The dev server rejected the CLI token \u2014 confirm KHOTAN_SECRET matches the value the server is running with." : "Unauthorized. Set KHOTAN_SECRET in your environment (or .env.local) so the CLI can authenticate against your authorize() hook.";
+}
+
+// src/cli/commands/plug-vars.ts
 function output(obj) {
   process.stdout.write(JSON.stringify(obj, null, 2) + "\n");
 }
@@ -1911,13 +2035,14 @@ function resolvePort(portFlag) {
 async function checkConnectivity(baseUrl) {
   let res;
   try {
-    res = await fetch(`${baseUrl}/plugs`);
+    res = await cliFetch(`${baseUrl}/plugs`);
   } catch {
     fail(
       "connect_failed",
       `Could not connect to dev server at ${baseUrl.replace("http://", "")}. Is it running?`
     );
   }
+  if (res.status === 401) fail("unauthorized", unauthorizedHint());
   if (!res.ok) {
     fail(
       "api_unavailable",
@@ -1931,11 +2056,11 @@ var varsCommand = new Command("vars").description("View and manage plug variable
     const baseUrl = `http://localhost:${port}${opts.basePath}`;
     await checkConnectivity(baseUrl);
     if (opts.list) {
-      const plugsRes = await fetch(`${baseUrl}/plugs`);
+      const plugsRes = await cliFetch(`${baseUrl}/plugs`);
       const plugs = await plugsRes.json();
       const variables = await Promise.all(
         plugs.map(async (plug) => {
-          const res = await fetch(`${baseUrl}/variables/${plug.name}`);
+          const res = await cliFetch(`${baseUrl}/variables/${plug.name}`);
           if (res.status === 404) {
             return {
               plugName: plug.name,
@@ -1964,7 +2089,7 @@ var varsCommand = new Command("vars").description("View and manage plug variable
     }
     const resolvedAction = action ?? "show";
     if (resolvedAction === "show") {
-      const res = await fetch(`${baseUrl}/variables/${plugName}`);
+      const res = await cliFetch(`${baseUrl}/variables/${plugName}`);
       if (res.status === 404) {
         fail("plug_not_found", `Plug "${plugName}" not found.`);
       }
@@ -1991,7 +2116,7 @@ var varsCommand = new Command("vars").description("View and manage plug variable
       } catch {
         fail("invalid_json", "Could not parse --json as JSON.");
       }
-      const res = await fetch(`${baseUrl}/variables/${plugName}`, {
+      const res = await cliFetch(`${baseUrl}/variables/${plugName}`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify(payload)
@@ -2007,7 +2132,7 @@ var varsCommand = new Command("vars").description("View and manage plug variable
       return;
     }
     if (resolvedAction === "clear") {
-      const res = await fetch(`${baseUrl}/variables/${plugName}`, {
+      const res = await cliFetch(`${baseUrl}/variables/${plugName}`, {
         method: "DELETE"
       });
       if (!res.ok && res.status !== 204) {
@@ -2075,7 +2200,7 @@ function tryParseJson(value) {
 async function checkConnectivity2(baseUrl) {
   let res;
   try {
-    res = await fetch(`${baseUrl}/debug`);
+    res = await cliFetch(`${baseUrl}/debug`);
   } catch {
     fail2(
       "connect_failed",
@@ -2098,7 +2223,8 @@ var plugCommand = new Command("plug").alias("probe").description(
     if (opts.list) {
       await checkConnectivity2(baseUrl);
       try {
-        const res = await fetch(`${baseUrl}/plugs`);
+        const res = await cliFetch(`${baseUrl}/plugs`);
+        if (res.status === 401) fail2("unauthorized", unauthorizedHint());
         const data = await res.json();
         const raw = Array.isArray(data) ? data : data.plugs ?? [];
         const plugs = raw.map((p) => ({
@@ -2122,7 +2248,7 @@ var plugCommand = new Command("plug").alias("probe").description(
     await checkConnectivity2(baseUrl);
     if (opts.info) {
       try {
-        const res = await fetch(`${baseUrl}/debug/${plugName}`);
+        const res = await cliFetch(`${baseUrl}/debug/${plugName}`);
         if (res.status === 404) {
           fail2(
             "plug_not_found",
@@ -2141,7 +2267,7 @@ var plugCommand = new Command("plug").alias("probe").description(
     let allEndpoints = null;
     if (opts.endpoint) {
       try {
-        const res = await fetch(`${baseUrl}/debug/${plugName}`);
+        const res = await cliFetch(`${baseUrl}/debug/${plugName}`);
         if (res.status === 404) {
           fail2(
             "plug_not_found",
@@ -2205,7 +2331,7 @@ var plugCommand = new Command("plug").alias("probe").description(
     if (extraHeaders) debugPayload["headers"] = extraHeaders;
     let debugRes;
     try {
-      debugRes = await fetch(`${baseUrl}/debug/${plugName}`, {
+      debugRes = await cliFetch(`${baseUrl}/debug/${plugName}`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify(debugPayload)
@@ -2252,7 +2378,7 @@ var plugCommand = new Command("plug").alias("probe").description(
       } else {
         if (!allEndpoints) {
           try {
-            const metaRes = await fetch(`${baseUrl}/debug/${plugName}`);
+            const metaRes = await cliFetch(`${baseUrl}/debug/${plugName}`);
             const metaData = await metaRes.json();
             allEndpoints = metaData.endpoints ?? null;
           } catch {
@@ -2327,13 +2453,14 @@ function resolveWebhookOrigin(originFlag) {
 async function checkConnectivity3(baseUrl) {
   let res;
   try {
-    res = await fetch(`${baseUrl}/plugs`);
+    res = await cliFetch(`${baseUrl}/plugs`);
   } catch {
     fail3(
       "connect_failed",
       `Could not connect to dev server at ${baseUrl.replace("http://", "")}. Is it running?`
     );
   }
+  if (res.status === 401) fail3("unauthorized", unauthorizedHint());
   if (!res.ok) {
     fail3(
       "api_unavailable",
@@ -2355,11 +2482,11 @@ var wireCommand = new Command("wire").description(
     const baseUrl = `http://localhost:${port}${opts.basePath}`;
     await checkConnectivity3(baseUrl);
     if (opts.list) {
-      const plugsRes = await fetch(`${baseUrl}/plugs`);
+      const plugsRes = await cliFetch(`${baseUrl}/plugs`);
       const plugs = await plugsRes.json();
       const wires = await Promise.all(
         plugs.map(async (plug) => {
-          const res = await fetch(`${baseUrl}/wires/${plug.name}`);
+          const res = await cliFetch(`${baseUrl}/wires/${plug.name}`);
           const data = await res.json();
           return {
             plugName: plug.name,
@@ -2380,7 +2507,7 @@ var wireCommand = new Command("wire").description(
     }
     const resolvedAction = opts.info ? "info" : action ?? "info";
     if (resolvedAction === "info") {
-      const res = await fetch(`${baseUrl}/wires/${plugName}`);
+      const res = await cliFetch(`${baseUrl}/wires/${plugName}`);
       if (res.status === 404) {
         fail3("plug_not_found", `Plug "${plugName}" not found.`);
       }
@@ -2395,7 +2522,7 @@ var wireCommand = new Command("wire").description(
     }
     if (resolvedAction === "connect") {
       const callbackUrl = opts.callbackUrl ?? `${resolveWebhookOrigin(opts.webhookOrigin)}/api/khotan/webhook/${plugName}`;
-      const res = await fetch(`${baseUrl}/wires/${plugName}`, {
+      const res = await cliFetch(`${baseUrl}/wires/${plugName}`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({ callbackUrl })
@@ -2419,7 +2546,7 @@ var wireCommand = new Command("wire").description(
     if (resolvedAction === "disconnect") {
       let wireId = opts.wireId;
       if (!wireId) {
-        const currentRes = await fetch(`${baseUrl}/wires/${plugName}`);
+        const currentRes = await cliFetch(`${baseUrl}/wires/${plugName}`);
         const current = await currentRes.json();
         wireId = current.wire?.id;
       }
@@ -2429,7 +2556,7 @@ var wireCommand = new Command("wire").description(
           `No active wire found for "${plugName}". Use --wire-id to override.`
         );
       }
-      const res = await fetch(`${baseUrl}/wires/${plugName}`, {
+      const res = await cliFetch(`${baseUrl}/wires/${plugName}`, {
         method: "DELETE",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({ wireId })
@@ -2487,9 +2614,10 @@ function resolveBaseUrl(opts) {
   return `http://localhost:${resolvePort4(opts.port)}${opts.basePath}`;
 }
 async function fetchJson(url, init) {
-  const res = await fetch(url, init);
+  const res = await cliFetch(url, init);
   const data = await res.json().catch(() => ({}));
   if (!res.ok) {
+    if (res.status === 401) fail4("unauthorized", unauthorizedHint());
     fail4(
       "request_failed",
       data.error ?? `Request to ${url} failed with status ${res.status}`
@@ -2498,20 +2626,22 @@ async function fetchJson(url, init) {
   return data;
 }
 async function checkConnectivity4(baseUrl) {
+  let res;
   try {
-    const res = await fetch(`${baseUrl}/flows`);
-    if (!res.ok) {
-      fail4(
-        "api_unavailable",
-        `Could not reach Khotan flows API at ${baseUrl}. Check your base path and dev server.`
-      );
-    }
+    res = await cliFetch(`${baseUrl}/flows`);
   } catch {
     fail4(
       "connect_failed",
       `Could not connect to dev server at ${baseUrl.replace("http://", "")}. Is it running?`
     );
   }
+  if (res.status === 401) fail4("unauthorized", unauthorizedHint());
+  if (!res.ok) {
+    fail4(
+      "api_unavailable",
+      `Could not reach Khotan flows API at ${baseUrl}. Check your base path and dev server.`
+    );
+  }
 }
 function parseJsonOption(value, label) {
   if (!value) return void 0;
@@ -2660,9 +2790,10 @@ function resolveBaseUrl2(opts) {
   return `http://localhost:${resolvePort5(opts.port)}${opts.basePath}`;
 }
 async function fetchJson2(url, init) {
-  const res = await fetch(url, init);
+  const res = await cliFetch(url, init);
   const data = await res.json().catch(() => ({}));
   if (!res.ok) {
+    if (res.status === 401) fail5("unauthorized", unauthorizedHint());
     fail5(
       "request_failed",
       data.error ?? `Request to ${url} failed with status ${res.status}`
@@ -2671,20 +2802,22 @@ async function fetchJson2(url, init) {
   return data;
 }
 async function checkConnectivity5(baseUrl) {
+  let res;
   try {
-    const res = await fetch(`${baseUrl}/flows`);
-    if (!res.ok) {
-      fail5(
-        "api_unavailable",
-        `Could not reach Khotan flows API at ${baseUrl}. Check your base path and dev server.`
-      );
-    }
+    res = await cliFetch(`${baseUrl}/flows`);
   } catch {
     fail5(
       "connect_failed",
       `Could not connect to dev server at ${baseUrl.replace("http://", "")}. Is it running?`
     );
   }
+  if (res.status === 401) fail5("unauthorized", unauthorizedHint());
+  if (!res.ok) {
+    fail5(
+      "api_unavailable",
+      `Could not reach Khotan flows API at ${baseUrl}. Check your base path and dev server.`
+    );
+  }
 }
 function parseJsonObjectOption(value, label) {
   if (!value) return void 0;
@@ -2842,10 +2975,14 @@ withApiOptions2(
 ).action(async (mappingId, opts) => {
   const baseUrl = resolveBaseUrl2(opts);
   await checkConnectivity5(baseUrl);
-  const res = await fetch(`${baseUrl}/mappings/${encodeURIComponent(mappingId)}`, {
-    method: "DELETE"
-  });
+  const res = await cliFetch(
+    `${baseUrl}/mappings/${encodeURIComponent(mappingId)}`,
+    {
+      method: "DELETE"
+    }
+  );
   if (!res.ok) {
+    if (res.status === 401) fail5("unauthorized", unauthorizedHint());
     const data = await res.json().catch(() => ({}));
     fail5(
       "request_failed",