opensteer 0.6.0 → 0.6.2

package/dist/chunk-7RMY26CM.js

@@ -0,0 +1,1130 @@
+import {
+  DEFAULT_CLOUD_BASE_URL,
+  createKeychainStore,
+  normalizeCloudBaseUrl,
+  resolveCloudSelection,
+  resolveConfigWithEnv,
+  stripTrailingSlashes
+} from "./chunk-WDRMHPWL.js";
+
+// src/cli/auth.ts
+import open from "open";
+
+// src/auth/credential-resolver.ts
+function resolveCloudCredential(options) {
+  const flagApiKey = normalizeToken(options.apiKeyFlag);
+  const flagAccessToken = normalizeToken(options.accessTokenFlag);
+  if (flagApiKey && flagAccessToken) {
+    throw new Error("--api-key and --access-token are mutually exclusive.");
+  }
+  if (flagAccessToken) {
+    return {
+      kind: "access-token",
+      source: "flag",
+      token: flagAccessToken,
+      authScheme: "bearer"
+    };
+  }
+  if (flagApiKey) {
+    return {
+      kind: "api-key",
+      source: "flag",
+      token: flagApiKey,
+      authScheme: "api-key"
+    };
+  }
+  const envAuthScheme = parseEnvAuthScheme(options.env.OPENSTEER_AUTH_SCHEME);
+  const envApiKey = normalizeToken(options.env.OPENSTEER_API_KEY);
+  const envAccessToken = normalizeToken(options.env.OPENSTEER_ACCESS_TOKEN);
+  if (envApiKey && envAccessToken) {
+    throw new Error(
+      "OPENSTEER_API_KEY and OPENSTEER_ACCESS_TOKEN are mutually exclusive. Set only one."
+    );
+  }
+  if (envAccessToken) {
+    return {
+      kind: "access-token",
+      source: "env",
+      token: envAccessToken,
+      authScheme: "bearer"
+    };
+  }
+  if (envApiKey) {
+    if (envAuthScheme === "bearer") {
+      return {
+        kind: "access-token",
+        source: "env",
+        token: envApiKey,
+        authScheme: "bearer",
+        compatibilityBearerApiKey: true
+      };
+    }
+    return {
+      kind: "api-key",
+      source: "env",
+      token: envApiKey,
+      authScheme: envAuthScheme ?? "api-key"
+    };
+  }
+  return null;
+}
+function applyCloudCredentialToEnv(env, credential) {
+  if (credential.kind === "access-token") {
+    env.OPENSTEER_ACCESS_TOKEN = credential.token;
+    delete env.OPENSTEER_API_KEY;
+    env.OPENSTEER_AUTH_SCHEME = "bearer";
+    return;
+  }
+  env.OPENSTEER_API_KEY = credential.token;
+  delete env.OPENSTEER_ACCESS_TOKEN;
+  env.OPENSTEER_AUTH_SCHEME = credential.authScheme;
+}
+function parseEnvAuthScheme(value) {
+  const normalized = normalizeToken(value);
+  if (!normalized) return void 0;
+  if (normalized === "api-key" || normalized === "bearer") {
+    return normalized;
+  }
+  throw new Error(
+    `Invalid OPENSTEER_AUTH_SCHEME value "${value}". Use "api-key" or "bearer".`
+  );
+}
+function normalizeToken(value) {
+  if (typeof value !== "string") return void 0;
+  const normalized = value.trim();
+  return normalized.length ? normalized : void 0;
+}
+
+// src/auth/machine-credential-store.ts
+import { createHash } from "crypto";
+import fs from "fs";
+import os from "os";
+import path from "path";
+var METADATA_VERSION = 2;
+var ACTIVE_TARGET_VERSION = 2;
+var KEYCHAIN_SERVICE = "com.opensteer.cli.cloud";
+var KEYCHAIN_ACCOUNT_PREFIX = "machine:";
+var ACTIVE_TARGET_FILE_NAME = "cli-target.json";
+var MachineCredentialStore = class {
+  authDir;
+  warn;
+  keychain = createKeychainStore();
+  warnedFallback = false;
+  constructor(options = {}) {
+    const appName = options.appName || "opensteer";
+    const env = options.env ?? process.env;
+    const configDir = resolveConfigDir(appName, env);
+    this.authDir = path.join(configDir, "auth");
+    this.warn = options.warn ?? (() => void 0);
+  }
+  readCloudCredential(target) {
+    const normalizedTarget = normalizeCloudCredentialTarget(target);
+    return this.readCredentialSlot(
+      resolveCredentialSlot(this.authDir, normalizedTarget),
+      normalizedTarget
+    );
+  }
+  writeCloudCredential(args) {
+    const accessToken = args.accessToken.trim();
+    const refreshToken2 = args.refreshToken.trim();
+    if (!accessToken || !refreshToken2) {
+      throw new Error("Cannot persist empty machine credential secrets.");
+    }
+    const baseUrl = normalizeCredentialUrl(args.baseUrl);
+    const slot = resolveCredentialSlot(this.authDir, { baseUrl });
+    ensureDirectory(this.authDir);
+    const secretPayload = {
+      accessToken,
+      refreshToken: refreshToken2
+    };
+    let secretBackend = "file";
+    if (this.keychain) {
+      try {
+        this.keychain.set(
+          KEYCHAIN_SERVICE,
+          slot.keychainAccount,
+          JSON.stringify(secretPayload)
+        );
+        secretBackend = "keychain";
+        removeFileIfExists(slot.fallbackSecretPath);
+      } catch {
+        this.writeFallbackSecret(slot, secretPayload);
+        secretBackend = "file";
+      }
+    } else {
+      this.writeFallbackSecret(slot, secretPayload);
+    }
+    const metadata = {
+      version: METADATA_VERSION,
+      secretBackend,
+      baseUrl,
+      scope: args.scope,
+      obtainedAt: args.obtainedAt,
+      expiresAt: args.expiresAt,
+      updatedAt: Date.now()
+    };
+    writeJsonFile(slot.metadataPath, metadata);
+  }
+  readActiveCloudTarget() {
+    return readActiveCloudTargetMetadata(resolveActiveTargetPath(this.authDir));
+  }
+  writeActiveCloudTarget(target) {
+    const baseUrl = normalizeCredentialUrl(target.baseUrl);
+    ensureDirectory(this.authDir);
+    writeJsonFile(resolveActiveTargetPath(this.authDir), {
+      version: ACTIVE_TARGET_VERSION,
+      baseUrl,
+      updatedAt: Date.now()
+    });
+  }
+  clearCloudCredential(target) {
+    this.clearCredentialSlot(
+      resolveCredentialSlot(this.authDir, normalizeCloudCredentialTarget(target))
+    );
+  }
+  readCredentialSlot(slot, target) {
+    const metadata = readMetadata(slot.metadataPath);
+    if (!metadata) {
+      return null;
+    }
+    if (target && !matchesCredentialTarget(metadata, target)) {
+      return null;
+    }
+    const secret = this.readSecret(slot, metadata.secretBackend);
+    if (!secret) {
+      return null;
+    }
+    return {
+      baseUrl: metadata.baseUrl,
+      scope: metadata.scope,
+      accessToken: secret.accessToken,
+      refreshToken: secret.refreshToken,
+      obtainedAt: metadata.obtainedAt,
+      expiresAt: metadata.expiresAt
+    };
+  }
+  readSecret(slot, backend) {
+    if (backend === "keychain" && this.keychain) {
+      try {
+        const secret = this.keychain.get(
+          KEYCHAIN_SERVICE,
+          slot.keychainAccount
+        );
+        if (!secret) return null;
+        return parseSecretPayload(secret);
+      } catch {
+        return null;
+      }
+    }
+    return readSecretFile(slot.fallbackSecretPath);
+  }
+  writeFallbackSecret(slot, secretPayload) {
+    writeJsonFile(slot.fallbackSecretPath, secretPayload, {
+      mode: 384
+    });
+    if (!this.warnedFallback) {
+      this.warn({
+        code: "fallback_file_store",
+        path: slot.fallbackSecretPath,
+        message: "Secure keychain is unavailable. Falling back to file-based credential storage with mode 0600."
+      });
+      this.warnedFallback = true;
+    }
+  }
+  clearCredentialSlot(slot) {
+    removeFileIfExists(slot.metadataPath);
+    removeFileIfExists(slot.fallbackSecretPath);
+    if (this.keychain) {
+      this.keychain.delete(KEYCHAIN_SERVICE, slot.keychainAccount);
+    }
+  }
+};
+function createMachineCredentialStore(options = {}) {
+  return new MachineCredentialStore(options);
+}
+function resolveCredentialSlot(authDir, target) {
+  const normalizedBaseUrl = normalizeCredentialUrl(target.baseUrl);
+  const storageKey = createHash("sha256").update(normalizedBaseUrl).digest("hex").slice(0, 24);
+  return {
+    keychainAccount: `${KEYCHAIN_ACCOUNT_PREFIX}${storageKey}`,
+    metadataPath: path.join(authDir, `cli-login.${storageKey}.json`),
+    fallbackSecretPath: path.join(
+      authDir,
+      `cli-login.${storageKey}.secret.json`
+    )
+  };
+}
+function resolveActiveTargetPath(authDir) {
+  return path.join(authDir, ACTIVE_TARGET_FILE_NAME);
+}
+function matchesCredentialTarget(value, target) {
+  return normalizeCredentialUrl(value.baseUrl) === normalizeCredentialUrl(target.baseUrl);
+}
+function normalizeCredentialUrl(value) {
+  const normalized = stripTrailingSlashes(value.trim());
+  if (!normalized) {
+    throw new Error("Cannot persist machine credential without baseUrl.");
+  }
+  return normalized;
+}
+function normalizeCloudCredentialTarget(target) {
+  return {
+    baseUrl: normalizeCredentialUrl(target.baseUrl)
+  };
+}
+function resolveConfigDir(appName, env) {
+  if (process.platform === "win32") {
+    const appData = env.APPDATA?.trim() || path.join(os.homedir(), "AppData", "Roaming");
+    return path.join(appData, appName);
+  }
+  if (process.platform === "darwin") {
+    return path.join(
+      os.homedir(),
+      "Library",
+      "Application Support",
+      appName
+    );
+  }
+  const xdgConfigHome = env.XDG_CONFIG_HOME?.trim() || path.join(os.homedir(), ".config");
+  return path.join(xdgConfigHome, appName);
+}
+function ensureDirectory(directoryPath) {
+  fs.mkdirSync(directoryPath, { recursive: true, mode: 448 });
+}
+function removeFileIfExists(filePath) {
+  try {
+    fs.rmSync(filePath, { force: true });
+  } catch {
+    return;
+  }
+}
+function readMetadata(filePath) {
+  if (!fs.existsSync(filePath)) {
+    return null;
+  }
+  try {
+    const raw = fs.readFileSync(filePath, "utf8");
+    const parsed = JSON.parse(raw);
+    if (parsed.version !== METADATA_VERSION) return null;
+    if (parsed.secretBackend !== "keychain" && parsed.secretBackend !== "file") {
+      return null;
+    }
+    if (typeof parsed.baseUrl !== "string" || !parsed.baseUrl.trim()) return null;
+    if (!Array.isArray(parsed.scope)) return null;
+    if (typeof parsed.obtainedAt !== "number") return null;
+    if (typeof parsed.expiresAt !== "number") return null;
+    if (typeof parsed.updatedAt !== "number") return null;
+    return {
+      version: parsed.version,
+      secretBackend: parsed.secretBackend,
+      baseUrl: parsed.baseUrl,
+      scope: parsed.scope.filter(
+        (value) => typeof value === "string"
+      ),
+      obtainedAt: parsed.obtainedAt,
+      expiresAt: parsed.expiresAt,
+      updatedAt: parsed.updatedAt
+    };
+  } catch {
+    return null;
+  }
+}
+function readActiveCloudTargetMetadata(filePath) {
+  if (!fs.existsSync(filePath)) {
+    return null;
+  }
+  try {
+    const raw = fs.readFileSync(filePath, "utf8");
+    const parsed = JSON.parse(raw);
+    if (parsed.version !== ACTIVE_TARGET_VERSION) {
+      return null;
+    }
+    if (typeof parsed.baseUrl !== "string" || !parsed.baseUrl.trim()) {
+      return null;
+    }
+    return {
+      baseUrl: parsed.baseUrl
+    };
+  } catch {
+    return null;
+  }
+}
+function parseSecretPayload(raw) {
+  try {
+    const parsed = JSON.parse(raw);
+    if (typeof parsed.accessToken !== "string" || !parsed.accessToken.trim() || typeof parsed.refreshToken !== "string" || !parsed.refreshToken.trim()) {
+      return null;
+    }
+    return {
+      accessToken: parsed.accessToken,
+      refreshToken: parsed.refreshToken
+    };
+  } catch {
+    return null;
+  }
+}
+function readSecretFile(filePath) {
+  if (!fs.existsSync(filePath)) {
+    return null;
+  }
+  try {
+    return parseSecretPayload(fs.readFileSync(filePath, "utf8"));
+  } catch {
+    return null;
+  }
+}
+function writeJsonFile(filePath, value, options = {}) {
+  fs.writeFileSync(filePath, JSON.stringify(value, null, 2), {
+    encoding: "utf8",
+    mode: options.mode ?? 384
+  });
+  if (typeof options.mode === "number") {
+    fs.chmodSync(filePath, options.mode);
+  }
+}
+
+// src/cli/auth.ts
+var CliAuthHttpError = class extends Error {
+  status;
+  body;
+  constructor(message, status, body) {
+    super(message);
+    this.name = "CliAuthHttpError";
+    this.status = status;
+    this.body = body;
+  }
+};
+var HELP_TEXT = `Usage: opensteer auth <command> [options]
+
+Authenticate Opensteer CLI with Opensteer Cloud.
+
+Commands:
+  login                     Start device login flow in browser
+  status                    Show saved machine login state for the selected cloud host
+  logout                    Revoke and remove saved machine login for the selected cloud host
+
+Options:
+  --base-url <url>          Cloud API base URL (defaults to env or the last selected host)
+  --json                    JSON output (login prompts go to stderr)
+  --no-browser              Do not auto-open your default browser during login
+  -h, --help                Show this help
+`;
+var DEFAULT_AUTH_SITE_URL = "https://opensteer.com";
+var INTERNAL_AUTH_SITE_URL_ENV = "OPENSTEER_INTERNAL_AUTH_SITE_URL";
+function createDefaultDeps() {
+  const env = process.env;
+  return {
+    env,
+    store: createMachineCredentialStore({
+      env,
+      warn: (warning) => {
+        process.stderr.write(`${warning.message} (${warning.path})
+`);
+      }
+    }),
+    fetchFn: fetch,
+    writeStdout: (message) => process.stdout.write(message),
+    writeStderr: (message) => process.stderr.write(message),
+    isInteractive: () => Boolean(process.stdin.isTTY && process.stdout.isTTY),
+    sleep: async (ms) => {
+      await new Promise((resolve) => setTimeout(resolve, ms));
+    },
+    now: () => Date.now(),
+    openExternalUrl: openDefaultBrowser
+  };
+}
+function readFlagValue(args, index, flag) {
+  const value = args[index + 1];
+  if (value === void 0 || value.startsWith("-")) {
+    return {
+      ok: false,
+      error: `${flag} requires a value.`
+    };
+  }
+  return {
+    ok: true,
+    value,
+    nextIndex: index + 1
+  };
+}
+function parseAuthCommonArgs(rawArgs) {
+  const args = {};
+  for (let i = 0; i < rawArgs.length; i++) {
+    const arg = rawArgs[i];
+    if (arg === "--json") {
+      args.json = true;
+      continue;
+    }
+    if (arg === "--base-url") {
+      const value = readFlagValue(rawArgs, i, "--base-url");
+      if (!value.ok) return { args, error: value.error };
+      args.baseUrl = value.value;
+      i = value.nextIndex;
+      continue;
+    }
+    return {
+      args,
+      error: `Unsupported option "${arg}".`
+    };
+  }
+  return { args };
+}
+function parseOpensteerAuthArgs(rawArgs) {
+  if (!rawArgs.length) {
+    return { mode: "help" };
+  }
+  const [subcommand, ...rest] = rawArgs;
+  if (subcommand === "--help" || subcommand === "-h" || subcommand === "help") {
+    return { mode: "help" };
+  }
+  if (subcommand === "login") {
+    let openBrowser = true;
+    const filtered = [];
+    for (const arg of rest) {
+      if (arg === "--no-browser") {
+        openBrowser = false;
+        continue;
+      }
+      filtered.push(arg);
+    }
+    const parsed = parseAuthCommonArgs(filtered);
+    if (parsed.error) return { mode: "error", error: parsed.error };
+    return {
+      mode: "login",
+      args: {
+        ...parsed.args,
+        openBrowser
+      }
+    };
+  }
+  if (subcommand === "status") {
+    const parsed = parseAuthCommonArgs(rest);
+    if (parsed.error) return { mode: "error", error: parsed.error };
+    return { mode: "status", args: parsed.args };
+  }
+  if (subcommand === "logout") {
+    const parsed = parseAuthCommonArgs(rest);
+    if (parsed.error) return { mode: "error", error: parsed.error };
+    return { mode: "logout", args: parsed.args };
+  }
+  return {
+    mode: "error",
+    error: `Unsupported auth subcommand "${subcommand}".`
+  };
+}
+function printHelp(deps) {
+  deps.writeStdout(`${HELP_TEXT}
+`);
+}
+function writeHumanLine(deps, message) {
+  deps.writeStdout(`${message}
+`);
+}
+function writeJsonLine(deps, payload) {
+  deps.writeStdout(`${JSON.stringify(payload)}
+`);
+}
+function resolveBaseUrl(provided, env) {
+  const baseUrl = normalizeCloudBaseUrl(
+    (provided || env.OPENSTEER_BASE_URL || DEFAULT_CLOUD_BASE_URL).trim()
+  );
+  assertSecureUrl(baseUrl, "--base-url");
+  return baseUrl;
+}
+function resolveAuthSiteUrl(env) {
+  const authSiteUrl = normalizeCloudBaseUrl(
+    (env[INTERNAL_AUTH_SITE_URL_ENV] || DEFAULT_AUTH_SITE_URL).trim()
+  );
+  assertSecureUrl(
+    authSiteUrl,
+    `environment variable ${INTERNAL_AUTH_SITE_URL_ENV}`
+  );
+  return authSiteUrl;
+}
+function hasExplicitCloudTargetSelection(providedBaseUrl, env) {
+  return Boolean(
+    providedBaseUrl?.trim() || env.OPENSTEER_BASE_URL?.trim()
+  );
+}
+function readRememberedCloudTarget(store) {
+  const activeTarget = store.readActiveCloudTarget();
+  if (!activeTarget) {
+    return null;
+  }
+  try {
+    const baseUrl = normalizeCloudBaseUrl(activeTarget.baseUrl);
+    assertSecureUrl(baseUrl, "--base-url");
+    return { baseUrl };
+  } catch {
+    return null;
+  }
+}
+function resolveCloudTarget(args, env, store, options = {}) {
+  if (options.allowRememberedTarget !== false && !hasExplicitCloudTargetSelection(args.baseUrl, env)) {
+    const rememberedTarget = readRememberedCloudTarget(store);
+    if (rememberedTarget) {
+      return rememberedTarget;
+    }
+  }
+  const baseUrl = resolveBaseUrl(args.baseUrl, env);
+  return { baseUrl };
+}
+function assertSecureUrl(value, flag) {
+  let parsed;
+  try {
+    parsed = new URL(value);
+  } catch {
+    throw new Error(`Invalid ${flag} "${value}".`);
+  }
+  if (parsed.protocol === "https:") {
+    return;
+  }
+  if (parsed.protocol === "http:") {
+    const host = parsed.hostname.toLowerCase();
+    if (host === "localhost" || host === "127.0.0.1" || host === "::1") {
+      return;
+    }
+  }
+  throw new Error(
+    `Insecure URL "${value}". Use HTTPS, or HTTP only for localhost.`
+  );
+}
+async function postJson(fetchFn, url, body) {
+  const response = await fetchFn(url, {
+    method: "POST",
+    headers: {
+      "content-type": "application/json"
+    },
+    body: JSON.stringify(body)
+  });
+  let payload = null;
+  try {
+    payload = await response.json();
+  } catch {
+    payload = null;
+  }
+  if (!response.ok) {
+    throw new CliAuthHttpError(
+      `Auth request failed with status ${response.status}.`,
+      response.status,
+      payload
+    );
+  }
+  return payload;
+}
+function parseScope(rawScope) {
+  if (!rawScope) return ["cloud:browser"];
+  const values = rawScope.split(" ").map((value) => value.trim()).filter(Boolean);
+  return values.length ? values : ["cloud:browser"];
+}
+function parseCliTokenResponse(payload) {
+  const accessToken = typeof payload.access_token === "string" ? payload.access_token.trim() : "";
+  const refreshToken2 = typeof payload.refresh_token === "string" ? payload.refresh_token.trim() : "";
+  const expiresInSec = typeof payload.expires_in === "number" && Number.isFinite(payload.expires_in) && payload.expires_in > 0 ? Math.trunc(payload.expires_in) : 0;
+  if (!accessToken || !refreshToken2 || !expiresInSec) {
+    throw new Error("Invalid token response from cloud auth endpoint.");
+  }
+  return {
+    accessToken,
+    refreshToken: refreshToken2,
+    expiresInSec,
+    scope: parseScope(payload.scope)
+  };
+}
+function parseCliOauthError(error) {
+  if (!error || typeof error !== "object" || Array.isArray(error)) {
+    return null;
+  }
+  const root = error;
+  return {
+    error: typeof root.error === "string" ? root.error : void 0,
+    error_description: typeof root.error_description === "string" ? root.error_description : void 0,
+    interval: typeof root.interval === "number" ? root.interval : void 0
+  };
+}
+async function startDeviceAuthorization(authSiteUrl, fetchFn) {
+  const response = await postJson(
+    fetchFn,
+    `${authSiteUrl}/api/cli-auth/device/start`,
+    {
+      scope: ["cloud:browser"]
+    }
+  );
+  if (!response || typeof response.device_code !== "string" || !response.device_code.trim() || typeof response.user_code !== "string" || !response.user_code.trim() || typeof response.verification_uri_complete !== "string" || !response.verification_uri_complete.trim() || typeof response.expires_in !== "number" || response.expires_in <= 0 || typeof response.interval !== "number" || response.interval <= 0) {
+    throw new Error("Invalid device authorization response from cloud.");
+  }
+  return response;
+}
+async function pollDeviceToken(authSiteUrl, deviceCode, fetchFn) {
+  return await postJson(
+    fetchFn,
+    `${authSiteUrl}/api/cli-auth/device/token`,
+    {
+      grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+      device_code: deviceCode
+    }
+  );
+}
+async function refreshToken(authSiteUrl, refreshTokenValue, fetchFn) {
+  return await postJson(fetchFn, `${authSiteUrl}/api/cli-auth/token`, {
+    grant_type: "refresh_token",
+    refresh_token: refreshTokenValue
+  });
+}
+async function revokeToken(authSiteUrl, refreshTokenValue, fetchFn) {
+  await postJson(fetchFn, `${authSiteUrl}/api/cli-auth/revoke`, {
+    token: refreshTokenValue
+  });
+}
+async function openDefaultBrowser(url) {
+  try {
+    const child = await open(url, {
+      wait: false
+    });
+    child.on("error", () => void 0);
+    child.unref();
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function runDeviceLoginFlow(args) {
+  const start = await startDeviceAuthorization(args.authSiteUrl, args.fetchFn);
+  if (args.openBrowser) {
+    args.writeProgress(
+      "Opening your default browser for Opensteer CLI authentication.\n"
+    );
+    args.writeProgress(
+      `If nothing opens, use this URL:
+${start.verification_uri_complete}
+`
+    );
+  } else {
+    if (args.openBrowserDisabledReason) {
+      args.writeProgress(
+        `Automatic browser open is disabled (${args.openBrowserDisabledReason}).
+`
+      );
+    }
+    args.writeProgress(
+      `Open this URL to authenticate Opensteer CLI:
+${start.verification_uri_complete}
+`
+    );
+  }
+  args.writeProgress(`Verification code: ${start.user_code}
+`);
+  if (args.openBrowser) {
+    const browserOpened = await args.openExternalUrl(
+      start.verification_uri_complete
+    );
+    if (browserOpened) {
+      args.writeProgress(
+        "Opened your default browser. Finish authentication there; this terminal will continue automatically.\n"
+      );
+    } else {
+      args.writeProgress(
+        "Could not open your default browser automatically. Paste the URL above into a browser to continue.\n"
+      );
+    }
+  }
+  const deadline = args.now() + start.expires_in * 1e3;
+  let pollIntervalMs = Math.max(1, Math.trunc(start.interval)) * 1e3;
+  while (args.now() <= deadline) {
+    await args.sleep(pollIntervalMs);
+    try {
+      const tokenPayload = await pollDeviceToken(
+        args.authSiteUrl,
+        start.device_code,
+        args.fetchFn
+      );
+      const parsed = parseCliTokenResponse(tokenPayload);
+      return {
+        accessToken: parsed.accessToken,
+        refreshToken: parsed.refreshToken,
+        expiresAt: args.now() + parsed.expiresInSec * 1e3,
+        scope: parsed.scope
+      };
+    } catch (error) {
+      if (error instanceof CliAuthHttpError) {
+        const oauthError = parseCliOauthError(error.body);
+        if (!oauthError?.error) {
+          throw error;
+        }
+        if (oauthError.error === "authorization_pending") {
+          continue;
+        }
+        if (oauthError.error === "slow_down") {
+          const hintedInterval = typeof oauthError.interval === "number" && oauthError.interval > 0 ? Math.trunc(oauthError.interval) * 1e3 : pollIntervalMs + 5e3;
+          pollIntervalMs = Math.max(hintedInterval, pollIntervalMs + 1e3);
+          continue;
+        }
+        if (oauthError.error === "expired_token") {
+          throw new Error(
+            'Device authorization expired before approval. Run "opensteer auth login" again.'
+          );
+        }
+        if (oauthError.error === "access_denied") {
+          throw new Error(
+            'Cloud login was denied. Run "opensteer auth login" to retry.'
+          );
+        }
+        throw new Error(
+          oauthError.error_description || `Cloud login failed: ${oauthError.error}.`
+        );
+      }
+      throw error;
+    }
+  }
+  throw new Error(
+    'Timed out waiting for cloud login approval. Run "opensteer auth login" again.'
+  );
+}
+async function refreshSavedCredential(saved, deps) {
+  const tokenPayload = await refreshToken(
+    resolveAuthSiteUrl(deps.env),
+    saved.refreshToken,
+    deps.fetchFn
+  );
+  const parsed = parseCliTokenResponse(tokenPayload);
+  const updated = {
+    accessToken: parsed.accessToken,
+    refreshToken: parsed.refreshToken,
+    expiresAt: deps.now() + parsed.expiresInSec * 1e3,
+    scope: parsed.scope
+  };
+  deps.store.writeCloudCredential({
+    baseUrl: saved.baseUrl,
+    scope: updated.scope,
+    accessToken: updated.accessToken,
+    refreshToken: updated.refreshToken,
+    obtainedAt: deps.now(),
+    expiresAt: updated.expiresAt
+  });
+  return updated;
+}
+async function ensureSavedCredentialIsFresh(saved, deps) {
+  const refreshSkewMs = 6e4;
+  if (saved.expiresAt > deps.now() + refreshSkewMs) {
+    return saved;
+  }
+  try {
+    const refreshed = await refreshSavedCredential(saved, deps);
+    return {
+      ...saved,
+      accessToken: refreshed.accessToken,
+      refreshToken: refreshed.refreshToken,
+      expiresAt: refreshed.expiresAt,
+      scope: refreshed.scope,
+      obtainedAt: deps.now()
+    };
+  } catch (error) {
+    if (error instanceof CliAuthHttpError) {
+      const oauth = parseCliOauthError(error.body);
+      if (oauth?.error === "invalid_grant" || oauth?.error === "expired_token") {
+        deps.store.clearCloudCredential({
+          baseUrl: saved.baseUrl
+        });
+        return null;
+      }
+    }
+    deps.writeStderr(
+      `Unable to refresh saved cloud login: ${error instanceof Error ? error.message : "unknown error"}
+`
+    );
+    return null;
+  }
+}
+function toAuthMissingMessage(commandName) {
+  return [
+    `${commandName} requires cloud authentication.`,
+    'Use --api-key, --access-token, OPENSTEER_API_KEY, OPENSTEER_ACCESS_TOKEN, or run "opensteer auth login".'
+  ].join(" ");
+}
+function describeBrowserOpenMode(args, deps) {
+  if (!args.openBrowser) {
+    return {
+      enabled: false,
+      disabledReason: "--no-browser"
+    };
+  }
+  if (!deps.isInteractive()) {
+    return {
+      enabled: false,
+      disabledReason: "this shell is not interactive"
+    };
+  }
+  if (isCiEnvironment(deps.env)) {
+    return {
+      enabled: false,
+      disabledReason: "CI"
+    };
+  }
+  return {
+    enabled: true
+  };
+}
+function isCiEnvironment(env) {
+  const value = env.CI?.trim().toLowerCase();
+  return Boolean(value && value !== "0" && value !== "false");
+}
+function isCloudModeEnabledForRootDir(rootDir, env) {
+  const resolved = resolveConfigWithEnv(
+    {
+      storage: { rootDir }
+    },
+    {
+      env
+    }
+  );
+  return resolveCloudSelection(
+    {
+      cloud: resolved.config.cloud
+    },
+    resolved.env
+  ).cloud;
+}
+async function ensureCloudCredentialsForOpenCommand(options) {
+  const env = options.env ?? process.env;
+  if (!isCloudModeEnabledForRootDir(options.scopeDir, env)) {
+    return null;
+  }
+  const writeStderr = options.writeStderr ?? ((message) => process.stderr.write(message));
+  return await ensureCloudCredentialsForCommand({
+    commandName: "opensteer open",
+    env,
+    store: options.store,
+    apiKeyFlag: options.apiKeyFlag,
+    accessTokenFlag: options.accessTokenFlag,
+    interactive: options.interactive,
+    autoLoginIfNeeded: true,
+    writeProgress: options.writeProgress ?? writeStderr,
+    writeStderr,
+    fetchFn: options.fetchFn,
+    sleep: options.sleep,
+    now: options.now,
+    openExternalUrl: options.openExternalUrl
+  });
+}
+async function ensureCloudCredentialsForCommand(options) {
+  const env = options.env ?? process.env;
+  const writeProgress = options.writeProgress ?? options.writeStdout ?? ((message) => process.stdout.write(message));
+  const writeStderr = options.writeStderr ?? ((message) => process.stderr.write(message));
+  const fetchFn = options.fetchFn ?? fetch;
+  const sleep = options.sleep ?? (async (ms) => {
+    await new Promise((resolve) => setTimeout(resolve, ms));
+  });
+  const now = options.now ?? Date.now;
+  const openExternalUrl = options.openExternalUrl ?? openDefaultBrowser;
+  const store = options.store ?? createMachineCredentialStore({
+    env,
+    warn: (warning) => {
+      writeStderr(`${warning.message} (${warning.path})
+`);
+    }
+  });
+  const { baseUrl } = resolveCloudTarget(options, env, store);
+  const initialCredential = resolveCloudCredential({
+    env,
+    apiKeyFlag: options.apiKeyFlag,
+    accessTokenFlag: options.accessTokenFlag
+  });
+  let credential = initialCredential;
+  if (!credential) {
+    const saved = store.readCloudCredential({ baseUrl });
+    const freshSaved = saved ? await ensureSavedCredentialIsFresh(saved, {
+      env,
+      fetchFn,
+      store,
+      now,
+      writeStderr
+    }) : null;
+    if (freshSaved) {
+      credential = {
+        kind: "access-token",
+        source: "saved",
+        token: freshSaved.accessToken,
+        authScheme: "bearer"
+      };
+    }
+  }
+  if (!credential) {
+    if (options.autoLoginIfNeeded && (options.interactive ?? false)) {
+      const loggedIn = await runDeviceLoginFlow({
+        authSiteUrl: resolveAuthSiteUrl(env),
+        fetchFn,
+        writeProgress,
+        openExternalUrl,
+        sleep,
+        now,
+        openBrowser: true
+      });
+      store.writeCloudCredential({
+        baseUrl,
+        scope: loggedIn.scope,
+        accessToken: loggedIn.accessToken,
+        refreshToken: loggedIn.refreshToken,
+        obtainedAt: now(),
+        expiresAt: loggedIn.expiresAt
+      });
+      credential = {
+        kind: "access-token",
+        source: "saved",
+        token: loggedIn.accessToken,
+        authScheme: "bearer"
+      };
+      writeProgress("Cloud login complete.\n");
+    } else {
+      throw new Error(toAuthMissingMessage(options.commandName));
+    }
+  }
+  store.writeActiveCloudTarget({ baseUrl });
+  applyCloudCredentialToEnv(env, credential);
+  env.OPENSTEER_BASE_URL = baseUrl;
+  return {
+    token: credential.token,
+    authScheme: credential.authScheme,
+    source: credential.source,
+    kind: credential.kind,
+    baseUrl
+  };
+}
+async function runLogin(args, deps) {
+  const { baseUrl } = resolveCloudTarget(args, deps.env, deps.store, {
+    allowRememberedTarget: false
+  });
+  const writeProgress = args.json ? deps.writeStderr : deps.writeStdout;
+  const browserOpenMode = describeBrowserOpenMode(args, deps);
+  const login = await runDeviceLoginFlow({
+    authSiteUrl: resolveAuthSiteUrl(deps.env),
+    fetchFn: deps.fetchFn,
+    writeProgress,
+    openExternalUrl: deps.openExternalUrl,
+    sleep: deps.sleep,
+    now: deps.now,
+    openBrowser: browserOpenMode.enabled,
+    openBrowserDisabledReason: browserOpenMode.disabledReason
+  });
+  deps.store.writeCloudCredential({
+    baseUrl,
+    scope: login.scope,
+    accessToken: login.accessToken,
+    refreshToken: login.refreshToken,
+    obtainedAt: deps.now(),
+    expiresAt: login.expiresAt
+  });
+  deps.store.writeActiveCloudTarget({ baseUrl });
+  if (args.json) {
+    writeJsonLine(deps, {
+      loggedIn: true,
+      baseUrl,
+      expiresAt: login.expiresAt,
+      scope: login.scope,
+      authSource: "device"
+    });
+    return 0;
+  }
+  writeHumanLine(deps, "Opensteer CLI login successful.");
+  writeHumanLine(deps, `  API Base URL: ${baseUrl}`);
+  writeHumanLine(deps, `  Expires At: ${new Date(login.expiresAt).toISOString()}`);
+  return 0;
+}
+async function runStatus(args, deps) {
+  const { baseUrl } = resolveCloudTarget(args, deps.env, deps.store);
+  deps.store.writeActiveCloudTarget({ baseUrl });
+  const saved = deps.store.readCloudCredential({ baseUrl });
+  if (!saved) {
+    if (args.json) {
+      writeJsonLine(deps, {
+        loggedIn: false,
+        baseUrl
+      });
+    } else {
+      writeHumanLine(deps, `Opensteer CLI is not logged in for ${baseUrl}.`);
+    }
+    return 0;
+  }
+  const now = deps.now();
+  const expired = saved.expiresAt <= now;
+  if (args.json) {
+    writeJsonLine(deps, {
+      loggedIn: true,
+      expired,
+      baseUrl: saved.baseUrl,
+      expiresAt: saved.expiresAt,
+      scope: saved.scope
+    });
+    return 0;
+  }
+  writeHumanLine(
+    deps,
+    expired ? "Opensteer CLI has a saved login, but the access token is expired." : "Opensteer CLI is logged in."
+  );
+  writeHumanLine(deps, `  API Base URL: ${saved.baseUrl}`);
+  writeHumanLine(deps, `  Expires At: ${new Date(saved.expiresAt).toISOString()}`);
+  return 0;
+}
+async function runLogout(args, deps) {
+  const { baseUrl } = resolveCloudTarget(args, deps.env, deps.store);
+  deps.store.writeActiveCloudTarget({ baseUrl });
+  const saved = deps.store.readCloudCredential({ baseUrl });
+  if (saved) {
+    try {
+      await revokeToken(
+        resolveAuthSiteUrl(deps.env),
+        saved.refreshToken,
+        deps.fetchFn
+      );
+    } catch {
+    }
+  }
+  deps.store.clearCloudCredential({ baseUrl });
+  if (args.json) {
+    writeJsonLine(deps, {
+      loggedOut: true,
+      baseUrl
+    });
+    return 0;
+  }
+  writeHumanLine(deps, `Opensteer CLI login removed for ${baseUrl}.`);
+  return 0;
+}
+async function runOpensteerAuthCli(rawArgs, overrideDeps = {}) {
+  const deps = {
+    ...createDefaultDeps(),
+    ...overrideDeps
+  };
+  const parsed = parseOpensteerAuthArgs(rawArgs);
+  if (parsed.mode === "help") {
+    printHelp(deps);
+    return 0;
+  }
+  if (parsed.mode === "error") {
+    deps.writeStderr(`${parsed.error}
+`);
+    deps.writeStderr('Run "opensteer auth --help" for usage.\n');
+    return 1;
+  }
+  try {
+    if (parsed.mode === "login") {
+      return await runLogin(parsed.args, deps);
+    }
+    if (parsed.mode === "status") {
+      return await runStatus(parsed.args, deps);
+    }
+    return await runLogout(parsed.args, deps);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Auth command failed.";
+    deps.writeStderr(`${message}
+`);
+    return 1;
+  }
+}
+
+export {
+  parseOpensteerAuthArgs,
+  isCloudModeEnabledForRootDir,
+  ensureCloudCredentialsForOpenCommand,
+  ensureCloudCredentialsForCommand,
+  runOpensteerAuthCli
+};