npm - opensteer - Versions diffs - 0.6.0 → 0.6.2 - Mend

opensteer 0.6.0 → 0.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

package/CHANGELOG.md +16 -1
package/README.md +63 -0
package/bin/opensteer.mjs +214 -3
package/dist/browser-profile-client-CaL-mwqs.d.ts +168 -0
package/dist/browser-profile-client-DK9qa_Dj.d.cts +168 -0
package/dist/chunk-7RMY26CM.js +1130 -0
package/dist/{chunk-SGZYTGY3.js → chunk-F2VDVOJO.js} +1890 -1520
package/dist/chunk-WDRMHPWL.js +1320 -0
package/dist/chunk-WJI7TGBQ.js +77 -0
package/dist/cli/auth.cjs +1834 -0
package/dist/cli/auth.d.cts +114 -0
package/dist/cli/auth.d.ts +114 -0
package/dist/cli/auth.js +15 -0
package/dist/cli/profile.cjs +16222 -0
package/dist/cli/profile.d.cts +79 -0
package/dist/cli/profile.d.ts +79 -0
package/dist/cli/profile.js +866 -0
package/dist/cli/server.cjs +1816 -422
package/dist/cli/server.js +310 -10
package/dist/index.cjs +1772 -414
package/dist/index.d.cts +141 -395
package/dist/index.d.ts +141 -395
package/dist/index.js +203 -8
package/dist/types-BxiRblC7.d.cts +327 -0
package/dist/types-BxiRblC7.d.ts +327 -0
package/package.json +3 -2
package/skills/opensteer/SKILL.md +34 -5
package/skills/opensteer/references/cli-reference.md +10 -8
package/skills/opensteer/references/sdk-reference.md +14 -3

package/dist/cli/auth.cjs ADDED Viewed

@@ -0,0 +1,1834 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/cli/auth.ts
+var auth_exports = {};
+__export(auth_exports, {
+  ensureCloudCredentialsForCommand: () => ensureCloudCredentialsForCommand,
+  ensureCloudCredentialsForOpenCommand: () => ensureCloudCredentialsForOpenCommand,
+  isCloudModeEnabledForRootDir: () => isCloudModeEnabledForRootDir,
+  parseOpensteerAuthArgs: () => parseOpensteerAuthArgs,
+  runOpensteerAuthCli: () => runOpensteerAuthCli
+});
+module.exports = __toCommonJS(auth_exports);
+var import_open = __toESM(require("open"), 1);
+// src/cloud/cdp-client.ts
+var import_playwright = require("playwright");
+// src/utils/strip-trailing-slashes.ts
+function stripTrailingSlashes(value) {
+  let end = value.length;
+  while (end > 0 && value.charCodeAt(end - 1) === 47) {
+    end -= 1;
+  }
+  return end === value.length ? value : value.slice(0, end);
+}
+// src/cloud/http-client.ts
+function normalizeCloudBaseUrl(baseUrl) {
+  return stripTrailingSlashes(baseUrl);
+}
+// src/cloud/runtime.ts
+var DEFAULT_CLOUD_BASE_URL = "https://api.opensteer.com";
+// src/config.ts
+var import_fs = __toESM(require("fs"), 1);
+var import_path = __toESM(require("path"), 1);
+var import_dotenv = require("dotenv");
+// src/error-normalization.ts
+function extractErrorMessage(error, fallback = "Unknown error.") {
+  if (error instanceof Error) {
+    const message = error.message.trim();
+    if (message) return message;
+    const name = error.name.trim();
+    if (name) return name;
+  }
+  if (typeof error === "string" && error.trim()) {
+    return error.trim();
+  }
+  const record = asRecord(error);
+  const recordMessage = toNonEmptyString(record?.message) || toNonEmptyString(record?.error);
+  if (recordMessage) {
+    return recordMessage;
+  }
+  return fallback;
+}
+function asRecord(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return null;
+  }
+  return value;
+}
+function toNonEmptyString(value) {
+  if (typeof value !== "string") return void 0;
+  const normalized = value.trim();
+  return normalized.length ? normalized : void 0;
+}
+// src/config.ts
+var DEFAULT_CONFIG = {
+  browser: {
+    headless: false,
+    executablePath: void 0,
+    slowMo: 0,
+    connectUrl: void 0,
+    channel: void 0,
+    profileDir: void 0
+  },
+  storage: {
+    rootDir: process.cwd()
+  },
+  cursor: {
+    enabled: false,
+    profile: "snappy"
+  },
+  model: "gpt-5.1",
+  debug: false
+};
+function dotenvFileOrder(nodeEnv) {
+  const normalized = nodeEnv?.trim() || "";
+  const files = [];
+  if (normalized) {
+    files.push(`.env.${normalized}.local`);
+  }
+  if (normalized !== "test") {
+    files.push(".env.local");
+  }
+  if (normalized) {
+    files.push(`.env.${normalized}`);
+  }
+  files.push(".env");
+  return files;
+}
+function loadDotenvValues(rootDir, baseEnv, options = {}) {
+  const values = {};
+  if (parseBool(baseEnv.OPENSTEER_DISABLE_DOTENV_AUTOLOAD) === true) {
+    return values;
+  }
+  const debug = options.debug ?? parseBool(baseEnv.OPENSTEER_DEBUG) === true;
+  const baseDir = import_path.default.resolve(rootDir);
+  const nodeEnv = baseEnv.NODE_ENV?.trim() || "";
+  for (const filename of dotenvFileOrder(nodeEnv)) {
+    const filePath = import_path.default.join(baseDir, filename);
+    if (!import_fs.default.existsSync(filePath)) continue;
+    try {
+      const raw = import_fs.default.readFileSync(filePath, "utf8");
+      const parsed = (0, import_dotenv.parse)(raw);
+      for (const [key, value] of Object.entries(parsed)) {
+        if (values[key] === void 0) {
+          values[key] = value;
+        }
+      }
+    } catch (error) {
+      const message = extractErrorMessage(
+        error,
+        "Unable to read or parse dotenv file."
+      );
+      if (debug) {
+        console.warn(
+          `[opensteer] failed to load dotenv file "${filePath}": ${message}`
+        );
+      }
+      continue;
+    }
+  }
+  return values;
+}
+function resolveEnv(rootDir, options = {}) {
+  const baseEnv = options.baseEnv ?? process.env;
+  const dotenvValues = loadDotenvValues(rootDir, baseEnv, options);
+  return {
+    ...dotenvValues,
+    ...baseEnv
+  };
+}
+function hasOwn(config, key) {
+  if (!config || typeof config !== "object") return false;
+  return Object.prototype.hasOwnProperty.call(config, key);
+}
+function hasLegacyAiConfig(config) {
+  return hasOwn(config, "ai");
+}
+function assertNoLegacyAiConfig(source, config) {
+  if (hasLegacyAiConfig(config)) {
+    throw new Error(
+      `Legacy "ai" config is no longer supported in ${source}. Use top-level "model" instead.`
+    );
+  }
+}
+function assertNoLegacyRuntimeConfig(source, config) {
+  if (!config || typeof config !== "object") return;
+  const configRecord = config;
+  if (hasOwn(configRecord, "runtime")) {
+    throw new Error(
+      `Legacy "runtime" config is no longer supported in ${source}. Use top-level "cloud" instead.`
+    );
+  }
+  if (hasOwn(configRecord, "mode")) {
+    throw new Error(
+      `Top-level "mode" config is no longer supported in ${source}. Use "cloud: true" to enable cloud mode.`
+    );
+  }
+  if (hasOwn(configRecord, "remote")) {
+    throw new Error(
+      `Top-level "remote" config is no longer supported in ${source}. Use "cloud" options instead.`
+    );
+  }
+  if (hasOwn(configRecord, "apiKey")) {
+    throw new Error(
+      `Top-level "apiKey" config is not supported in ${source}. Use "cloud.apiKey" instead.`
+    );
+  }
+}
+function loadConfigFile(rootDir, options = {}) {
+  const configPath = import_path.default.join(rootDir, ".opensteer", "config.json");
+  if (!import_fs.default.existsSync(configPath)) return {};
+  try {
+    const raw = import_fs.default.readFileSync(configPath, "utf8");
+    return JSON.parse(raw);
+  } catch (error) {
+    const message = extractErrorMessage(
+      error,
+      "Unable to read or parse config file."
+    );
+    if (options.debug) {
+      console.warn(
+        `[opensteer] failed to load config file "${configPath}": ${message}`
+      );
+    }
+    return {};
+  }
+}
+function mergeDeep(base, patch) {
+  const out = {
+    ...base
+  };
+  for (const [key, value] of Object.entries(patch || {})) {
+    const currentValue = out[key];
+    if (value && typeof value === "object" && !Array.isArray(value) && currentValue && typeof currentValue === "object" && !Array.isArray(currentValue)) {
+      out[key] = mergeDeep(
+        currentValue,
+        value
+      );
+      continue;
+    }
+    if (value !== void 0) {
+      out[key] = value;
+    }
+  }
+  return out;
+}
+function parseBool(value) {
+  if (value == null) return void 0;
+  const normalized = value.trim().toLowerCase();
+  if (normalized === "true" || normalized === "1") return true;
+  if (normalized === "false" || normalized === "0") return false;
+  return void 0;
+}
+function parseNumber(value) {
+  if (value == null || value.trim() === "") return void 0;
+  const parsed = Number(value);
+  if (!Number.isFinite(parsed)) return void 0;
+  return parsed;
+}
+function parseRuntimeMode(value, source) {
+  if (value == null) return void 0;
+  if (typeof value !== "string") {
+    throw new Error(
+      `Invalid ${source} value "${String(value)}". Use "local" or "cloud".`
+    );
+  }
+  const normalized = value.trim().toLowerCase();
+  if (!normalized) return void 0;
+  if (normalized === "local" || normalized === "cloud") {
+    return normalized;
+  }
+  throw new Error(
+    `Invalid ${source} value "${value}". Use "local" or "cloud".`
+  );
+}
+function parseAuthScheme(value, source) {
+  if (value == null) return void 0;
+  if (typeof value !== "string") {
+    throw new Error(
+      `Invalid ${source} value "${String(value)}". Use "api-key" or "bearer".`
+    );
+  }
+  const normalized = value.trim().toLowerCase();
+  if (!normalized) return void 0;
+  if (normalized === "api-key" || normalized === "bearer") {
+    return normalized;
+  }
+  throw new Error(
+    `Invalid ${source} value "${value}". Use "api-key" or "bearer".`
+  );
+}
+function parseCloudAnnounce(value, source) {
+  if (value == null) return void 0;
+  if (typeof value !== "string") {
+    throw new Error(
+      `Invalid ${source} value "${String(value)}". Use "always", "off", or "tty".`
+    );
+  }
+  const normalized = value.trim().toLowerCase();
+  if (!normalized) return void 0;
+  if (normalized === "always" || normalized === "off" || normalized === "tty") {
+    return normalized;
+  }
+  throw new Error(
+    `Invalid ${source} value "${value}". Use "always", "off", or "tty".`
+  );
+}
+function resolveOpensteerApiKey(env) {
+  const value = env.OPENSTEER_API_KEY?.trim();
+  if (!value) return void 0;
+  return value;
+}
+function resolveOpensteerAccessToken(env) {
+  const value = env.OPENSTEER_ACCESS_TOKEN?.trim();
+  if (!value) return void 0;
+  return value;
+}
+function resolveOpensteerBaseUrl(env) {
+  const value = env.OPENSTEER_BASE_URL?.trim();
+  if (!value) return void 0;
+  return value;
+}
+function resolveOpensteerAuthScheme(env) {
+  return parseAuthScheme(env.OPENSTEER_AUTH_SCHEME, "OPENSTEER_AUTH_SCHEME");
+}
+function resolveOpensteerCloudProfileId(env) {
+  const value = env.OPENSTEER_CLOUD_PROFILE_ID?.trim();
+  if (!value) return void 0;
+  return value;
+}
+function resolveOpensteerCloudProfileReuseIfActive(env) {
+  return parseBool(env.OPENSTEER_CLOUD_PROFILE_REUSE_IF_ACTIVE);
+}
+function parseCloudBrowserProfileReuseIfActive(value) {
+  if (value == null) return void 0;
+  if (typeof value !== "boolean") {
+    throw new Error(
+      `Invalid cloud.browserProfile.reuseIfActive value "${String(
+        value
+      )}". Use true or false.`
+    );
+  }
+  return value;
+}
+function normalizeCloudBrowserProfileOptions(value, source) {
+  if (value == null) {
+    return void 0;
+  }
+  if (typeof value !== "object" || Array.isArray(value)) {
+    throw new Error(
+      `Invalid ${source} value "${String(value)}". Use an object with profileId and optional reuseIfActive.`
+    );
+  }
+  const record = value;
+  const rawProfileId = record.profileId;
+  if (typeof rawProfileId !== "string" || !rawProfileId.trim()) {
+    throw new Error(
+      `${source}.profileId must be a non-empty string when browserProfile is provided.`
+    );
+  }
+  return {
+    profileId: rawProfileId.trim(),
+    reuseIfActive: parseCloudBrowserProfileReuseIfActive(record.reuseIfActive)
+  };
+}
+function resolveEnvCloudBrowserProfile(profileId, reuseIfActive) {
+  if (reuseIfActive !== void 0 && !profileId) {
+    throw new Error(
+      "OPENSTEER_CLOUD_PROFILE_REUSE_IF_ACTIVE requires OPENSTEER_CLOUD_PROFILE_ID."
+    );
+  }
+  if (!profileId) {
+    return void 0;
+  }
+  return {
+    profileId,
+    reuseIfActive
+  };
+}
+function normalizeCloudOptions(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return void 0;
+  }
+  return value;
+}
+function normalizeNonEmptyString(value) {
+  if (typeof value !== "string") return void 0;
+  const normalized = value.trim();
+  return normalized.length ? normalized : void 0;
+}
+function parseCloudEnabled(value, source) {
+  if (value == null) return void 0;
+  if (typeof value === "boolean") return value;
+  if (typeof value === "object" && !Array.isArray(value)) return true;
+  throw new Error(
+    `Invalid ${source} value "${String(value)}". Use true, false, or a cloud options object.`
+  );
+}
+function resolveCloudSelection(config, env = process.env) {
+  const configCloud = parseCloudEnabled(config.cloud, "cloud");
+  if (configCloud !== void 0) {
+    return {
+      cloud: configCloud,
+      source: "config.cloud"
+    };
+  }
+  const envMode = parseRuntimeMode(env.OPENSTEER_MODE, "OPENSTEER_MODE");
+  if (envMode) {
+    return {
+      cloud: envMode === "cloud",
+      source: "env.OPENSTEER_MODE"
+    };
+  }
+  return {
+    cloud: false,
+    source: "default"
+  };
+}
+function resolveConfigWithEnv(input = {}, options = {}) {
+  const processEnv = options.env ?? process.env;
+  const debugHint = typeof input.debug === "boolean" ? input.debug : parseBool(processEnv.OPENSTEER_DEBUG) === true;
+  const initialRootDir = input.storage?.rootDir ?? process.cwd();
+  const runtimeDefaults = mergeDeep(DEFAULT_CONFIG, {
+    storage: {
+      rootDir: initialRootDir
+    }
+  });
+  assertNoLegacyAiConfig("Opensteer constructor config", input);
+  assertNoLegacyRuntimeConfig("Opensteer constructor config", input);
+  const fileConfig = loadConfigFile(initialRootDir, {
+    debug: debugHint
+  });
+  assertNoLegacyAiConfig(".opensteer/config.json", fileConfig);
+  assertNoLegacyRuntimeConfig(".opensteer/config.json", fileConfig);
+  const fileRootDir = typeof fileConfig.storage?.rootDir === "string" ? fileConfig.storage.rootDir : void 0;
+  const envRootDir = input.storage?.rootDir ?? fileRootDir ?? initialRootDir;
+  const env = resolveEnv(envRootDir, {
+    debug: debugHint,
+    baseEnv: processEnv
+  });
+  if (env.OPENSTEER_AI_MODEL) {
+    throw new Error(
+      "OPENSTEER_AI_MODEL is no longer supported. Use OPENSTEER_MODEL instead."
+    );
+  }
+  if (env.OPENSTEER_RUNTIME != null) {
+    throw new Error(
+      "OPENSTEER_RUNTIME is no longer supported. Use OPENSTEER_MODE instead."
+    );
+  }
+  const envConfig = {
+    browser: {
+      headless: parseBool(env.OPENSTEER_HEADLESS),
+      executablePath: env.OPENSTEER_BROWSER_PATH || void 0,
+      slowMo: parseNumber(env.OPENSTEER_SLOW_MO),
+      connectUrl: env.OPENSTEER_CONNECT_URL || void 0,
+      channel: env.OPENSTEER_CHANNEL || void 0,
+      profileDir: env.OPENSTEER_PROFILE_DIR || void 0
+    },
+    cursor: {
+      enabled: parseBool(env.OPENSTEER_CURSOR)
+    },
+    model: env.OPENSTEER_MODEL || void 0,
+    debug: parseBool(env.OPENSTEER_DEBUG)
+  };
+  const mergedWithFile = mergeDeep(runtimeDefaults, fileConfig);
+  const mergedWithEnv = mergeDeep(mergedWithFile, envConfig);
+  const resolved = mergeDeep(mergedWithEnv, input);
+  const envApiKey = resolveOpensteerApiKey(env);
+  const envAccessTokenRaw = resolveOpensteerAccessToken(env);
+  const envBaseUrl = resolveOpensteerBaseUrl(env);
+  const envAuthScheme = resolveOpensteerAuthScheme(env);
+  if (envApiKey && envAccessTokenRaw) {
+    throw new Error(
+      "OPENSTEER_API_KEY and OPENSTEER_ACCESS_TOKEN are mutually exclusive. Set only one."
+    );
+  }
+  const envAccessToken = envAccessTokenRaw || (envAuthScheme === "bearer" ? envApiKey : void 0);
+  const envApiCredential = envAuthScheme === "bearer" && !envAccessTokenRaw ? void 0 : envApiKey;
+  const envCloudProfileId = resolveOpensteerCloudProfileId(env);
+  const envCloudProfileReuseIfActive = resolveOpensteerCloudProfileReuseIfActive(env);
+  const envCloudAnnounce = parseCloudAnnounce(
+    env.OPENSTEER_REMOTE_ANNOUNCE,
+    "OPENSTEER_REMOTE_ANNOUNCE"
+  );
+  const inputCloudOptions = normalizeCloudOptions(input.cloud);
+  const inputCloudBrowserProfile = normalizeCloudBrowserProfileOptions(
+    inputCloudOptions?.browserProfile,
+    "cloud.browserProfile"
+  );
+  const inputAuthScheme = parseAuthScheme(
+    inputCloudOptions?.authScheme,
+    "cloud.authScheme"
+  );
+  const inputCloudAnnounce = parseCloudAnnounce(
+    inputCloudOptions?.announce,
+    "cloud.announce"
+  );
+  const inputHasCloudApiKey = Boolean(
+    inputCloudOptions && Object.prototype.hasOwnProperty.call(inputCloudOptions, "apiKey")
+  );
+  const inputHasCloudAccessToken = Boolean(
+    inputCloudOptions && Object.prototype.hasOwnProperty.call(inputCloudOptions, "accessToken")
+  );
+  const inputHasCloudBaseUrl = Boolean(
+    inputCloudOptions && Object.prototype.hasOwnProperty.call(inputCloudOptions, "baseUrl")
+  );
+  if (normalizeNonEmptyString(inputCloudOptions?.apiKey) && normalizeNonEmptyString(inputCloudOptions?.accessToken)) {
+    throw new Error(
+      "cloud.apiKey and cloud.accessToken are mutually exclusive. Set only one."
+    );
+  }
+  const cloudSelection = resolveCloudSelection({
+    cloud: resolved.cloud
+  }, env);
+  if (cloudSelection.cloud) {
+    const resolvedCloud = normalizeCloudOptions(resolved.cloud) ?? {};
+    const {
+      apiKey: resolvedCloudApiKeyRaw,
+      accessToken: resolvedCloudAccessTokenRaw,
+      ...resolvedCloudRest
+    } = resolvedCloud;
+    if (normalizeNonEmptyString(resolvedCloudApiKeyRaw) && normalizeNonEmptyString(resolvedCloudAccessTokenRaw)) {
+      throw new Error(
+        "Cloud config cannot include both apiKey and accessToken at the same time."
+      );
+    }
+    const resolvedCloudBrowserProfile = normalizeCloudBrowserProfileOptions(
+      resolvedCloud.browserProfile,
+      "resolved.cloud.browserProfile"
+    );
+    const envCloudBrowserProfile = resolveEnvCloudBrowserProfile(
+      envCloudProfileId,
+      envCloudProfileReuseIfActive
+    );
+    const browserProfile = inputCloudBrowserProfile ?? envCloudBrowserProfile ?? resolvedCloudBrowserProfile;
+    let authScheme = inputAuthScheme ?? envAuthScheme ?? parseAuthScheme(resolvedCloud.authScheme, "cloud.authScheme") ?? "api-key";
+    const announce = inputCloudAnnounce ?? envCloudAnnounce ?? parseCloudAnnounce(resolvedCloud.announce, "cloud.announce") ?? "always";
+    const credentialOverriddenByInput = inputHasCloudApiKey || inputHasCloudAccessToken;
+    let apiKey = normalizeNonEmptyString(resolvedCloudApiKeyRaw);
+    let accessToken = normalizeNonEmptyString(resolvedCloudAccessTokenRaw);
+    if (!credentialOverriddenByInput) {
+      if (envAccessToken) {
+        accessToken = envAccessToken;
+        apiKey = void 0;
+      } else if (envApiCredential) {
+        apiKey = envApiCredential;
+        accessToken = void 0;
+      }
+    }
+    if (accessToken) {
+      authScheme = "bearer";
+    }
+    resolved.cloud = {
+      ...resolvedCloudRest,
+      ...inputHasCloudApiKey ? { apiKey: resolvedCloudApiKeyRaw } : apiKey ? { apiKey } : {},
+      ...inputHasCloudAccessToken ? { accessToken: resolvedCloudAccessTokenRaw } : accessToken ? { accessToken } : {},
+      authScheme,
+      announce,
+      ...browserProfile ? { browserProfile } : {}
+    };
+  }
+  if (envBaseUrl && cloudSelection.cloud && !inputHasCloudBaseUrl) {
+    resolved.cloud = {
+      ...normalizeCloudOptions(resolved.cloud) ?? {},
+      baseUrl: envBaseUrl
+    };
+  }
+  return {
+    config: resolved,
+    env
+  };
+}
+// src/auth/credential-resolver.ts
+function resolveCloudCredential(options) {
+  const flagApiKey = normalizeToken(options.apiKeyFlag);
+  const flagAccessToken = normalizeToken(options.accessTokenFlag);
+  if (flagApiKey && flagAccessToken) {
+    throw new Error("--api-key and --access-token are mutually exclusive.");
+  }
+  if (flagAccessToken) {
+    return {
+      kind: "access-token",
+      source: "flag",
+      token: flagAccessToken,
+      authScheme: "bearer"
+    };
+  }
+  if (flagApiKey) {
+    return {
+      kind: "api-key",
+      source: "flag",
+      token: flagApiKey,
+      authScheme: "api-key"
+    };
+  }
+  const envAuthScheme = parseEnvAuthScheme(options.env.OPENSTEER_AUTH_SCHEME);
+  const envApiKey = normalizeToken(options.env.OPENSTEER_API_KEY);
+  const envAccessToken = normalizeToken(options.env.OPENSTEER_ACCESS_TOKEN);
+  if (envApiKey && envAccessToken) {
+    throw new Error(
+      "OPENSTEER_API_KEY and OPENSTEER_ACCESS_TOKEN are mutually exclusive. Set only one."
+    );
+  }
+  if (envAccessToken) {
+    return {
+      kind: "access-token",
+      source: "env",
+      token: envAccessToken,
+      authScheme: "bearer"
+    };
+  }
+  if (envApiKey) {
+    if (envAuthScheme === "bearer") {
+      return {
+        kind: "access-token",
+        source: "env",
+        token: envApiKey,
+        authScheme: "bearer",
+        compatibilityBearerApiKey: true
+      };
+    }
+    return {
+      kind: "api-key",
+      source: "env",
+      token: envApiKey,
+      authScheme: envAuthScheme ?? "api-key"
+    };
+  }
+  return null;
+}
+function applyCloudCredentialToEnv(env, credential) {
+  if (credential.kind === "access-token") {
+    env.OPENSTEER_ACCESS_TOKEN = credential.token;
+    delete env.OPENSTEER_API_KEY;
+    env.OPENSTEER_AUTH_SCHEME = "bearer";
+    return;
+  }
+  env.OPENSTEER_API_KEY = credential.token;
+  delete env.OPENSTEER_ACCESS_TOKEN;
+  env.OPENSTEER_AUTH_SCHEME = credential.authScheme;
+}
+function parseEnvAuthScheme(value) {
+  const normalized = normalizeToken(value);
+  if (!normalized) return void 0;
+  if (normalized === "api-key" || normalized === "bearer") {
+    return normalized;
+  }
+  throw new Error(
+    `Invalid OPENSTEER_AUTH_SCHEME value "${value}". Use "api-key" or "bearer".`
+  );
+}
+function normalizeToken(value) {
+  if (typeof value !== "string") return void 0;
+  const normalized = value.trim();
+  return normalized.length ? normalized : void 0;
+}
+// src/auth/machine-credential-store.ts
+var import_node_crypto = require("crypto");
+var import_node_fs = __toESM(require("fs"), 1);
+var import_node_os = __toESM(require("os"), 1);
+var import_node_path = __toESM(require("path"), 1);
+// src/auth/keychain-store.ts
+var import_node_child_process = require("child_process");
+function commandExists(command) {
+  const result = (0, import_node_child_process.spawnSync)(command, ["--help"], {
+    encoding: "utf8",
+    stdio: "ignore"
+  });
+  return result.error == null;
+}
+function commandFailed(result) {
+  return typeof result.status === "number" && result.status !== 0;
+}
+function sanitizeCommandArgs(command, args) {
+  if (command !== "security") {
+    return args;
+  }
+  const sanitized = [];
+  for (let index = 0; index < args.length; index += 1) {
+    const value = args[index];
+    sanitized.push(value);
+    if (value === "-w" && index + 1 < args.length) {
+      sanitized.push("[REDACTED]");
+      index += 1;
+    }
+  }
+  return sanitized;
+}
+function buildCommandError(command, args, result) {
+  const stderr = typeof result.stderr === "string" && result.stderr.trim() ? result.stderr.trim() : `Command "${command}" failed with status ${String(result.status)}.`;
+  const sanitizedArgs = sanitizeCommandArgs(command, args);
+  return new Error(
+    [
+      `Unable to persist credential via ${command}.`,
+      `${command} ${sanitizedArgs.join(" ")}`,
+      stderr
+    ].join(" ")
+  );
+}
+function createMacosSecurityStore() {
+  return {
+    backend: "macos-security",
+    get(service, account) {
+      const result = (0, import_node_child_process.spawnSync)(
+        "security",
+        ["find-generic-password", "-s", service, "-a", account, "-w"],
+        { encoding: "utf8" }
+      );
+      if (commandFailed(result)) {
+        return null;
+      }
+      const secret = result.stdout.trim();
+      return secret.length ? secret : null;
+    },
+    set(service, account, secret) {
+      const args = [
+        "add-generic-password",
+        "-U",
+        "-s",
+        service,
+        "-a",
+        account,
+        "-w",
+        secret
+      ];
+      const result = (0, import_node_child_process.spawnSync)("security", args, { encoding: "utf8" });
+      if (commandFailed(result)) {
+        throw buildCommandError("security", args, result);
+      }
+    },
+    delete(service, account) {
+      const args = ["delete-generic-password", "-s", service, "-a", account];
+      const result = (0, import_node_child_process.spawnSync)("security", args, { encoding: "utf8" });
+      if (commandFailed(result)) {
+        return;
+      }
+    }
+  };
+}
+function createLinuxSecretToolStore() {
+  return {
+    backend: "linux-secret-tool",
+    get(service, account) {
+      const result = (0, import_node_child_process.spawnSync)(
+        "secret-tool",
+        ["lookup", "service", service, "account", account],
+        {
+          encoding: "utf8"
+        }
+      );
+      if (commandFailed(result)) {
+        return null;
+      }
+      const secret = result.stdout.trim();
+      return secret.length ? secret : null;
+    },
+    set(service, account, secret) {
+      const args = [
+        "store",
+        "--label",
+        "Opensteer CLI",
+        "service",
+        service,
+        "account",
+        account
+      ];
+      const result = (0, import_node_child_process.spawnSync)("secret-tool", args, {
+        encoding: "utf8",
+        input: secret
+      });
+      if (commandFailed(result)) {
+        throw buildCommandError("secret-tool", args, result);
+      }
+    },
+    delete(service, account) {
+      const args = ["clear", "service", service, "account", account];
+      (0, import_node_child_process.spawnSync)("secret-tool", args, {
+        encoding: "utf8"
+      });
+    }
+  };
+}
+function createKeychainStore() {
+  if (process.platform === "darwin") {
+    if (!commandExists("security")) {
+      return null;
+    }
+    return createMacosSecurityStore();
+  }
+  if (process.platform === "linux") {
+    if (!commandExists("secret-tool")) {
+      return null;
+    }
+    return createLinuxSecretToolStore();
+  }
+  return null;
+}
+// src/auth/machine-credential-store.ts
+var METADATA_VERSION = 2;
+var ACTIVE_TARGET_VERSION = 2;
+var KEYCHAIN_SERVICE = "com.opensteer.cli.cloud";
+var KEYCHAIN_ACCOUNT_PREFIX = "machine:";
+var ACTIVE_TARGET_FILE_NAME = "cli-target.json";
+var MachineCredentialStore = class {
+  authDir;
+  warn;
+  keychain = createKeychainStore();
+  warnedFallback = false;
+  constructor(options = {}) {
+    const appName = options.appName || "opensteer";
+    const env = options.env ?? process.env;
+    const configDir = resolveConfigDir(appName, env);
+    this.authDir = import_node_path.default.join(configDir, "auth");
+    this.warn = options.warn ?? (() => void 0);
+  }
+  readCloudCredential(target) {
+    const normalizedTarget = normalizeCloudCredentialTarget(target);
+    return this.readCredentialSlot(
+      resolveCredentialSlot(this.authDir, normalizedTarget),
+      normalizedTarget
+    );
+  }
+  writeCloudCredential(args) {
+    const accessToken = args.accessToken.trim();
+    const refreshToken2 = args.refreshToken.trim();
+    if (!accessToken || !refreshToken2) {
+      throw new Error("Cannot persist empty machine credential secrets.");
+    }
+    const baseUrl = normalizeCredentialUrl(args.baseUrl);
+    const slot = resolveCredentialSlot(this.authDir, { baseUrl });
+    ensureDirectory(this.authDir);
+    const secretPayload = {
+      accessToken,
+      refreshToken: refreshToken2
+    };
+    let secretBackend = "file";
+    if (this.keychain) {
+      try {
+        this.keychain.set(
+          KEYCHAIN_SERVICE,
+          slot.keychainAccount,
+          JSON.stringify(secretPayload)
+        );
+        secretBackend = "keychain";
+        removeFileIfExists(slot.fallbackSecretPath);
+      } catch {
+        this.writeFallbackSecret(slot, secretPayload);
+        secretBackend = "file";
+      }
+    } else {
+      this.writeFallbackSecret(slot, secretPayload);
+    }
+    const metadata = {
+      version: METADATA_VERSION,
+      secretBackend,
+      baseUrl,
+      scope: args.scope,
+      obtainedAt: args.obtainedAt,
+      expiresAt: args.expiresAt,
+      updatedAt: Date.now()
+    };
+    writeJsonFile(slot.metadataPath, metadata);
+  }
+  readActiveCloudTarget() {
+    return readActiveCloudTargetMetadata(resolveActiveTargetPath(this.authDir));
+  }
+  writeActiveCloudTarget(target) {
+    const baseUrl = normalizeCredentialUrl(target.baseUrl);
+    ensureDirectory(this.authDir);
+    writeJsonFile(resolveActiveTargetPath(this.authDir), {
+      version: ACTIVE_TARGET_VERSION,
+      baseUrl,
+      updatedAt: Date.now()
+    });
+  }
+  clearCloudCredential(target) {
+    this.clearCredentialSlot(
+      resolveCredentialSlot(this.authDir, normalizeCloudCredentialTarget(target))
+    );
+  }
+  readCredentialSlot(slot, target) {
+    const metadata = readMetadata(slot.metadataPath);
+    if (!metadata) {
+      return null;
+    }
+    if (target && !matchesCredentialTarget(metadata, target)) {
+      return null;
+    }
+    const secret = this.readSecret(slot, metadata.secretBackend);
+    if (!secret) {
+      return null;
+    }
+    return {
+      baseUrl: metadata.baseUrl,
+      scope: metadata.scope,
+      accessToken: secret.accessToken,
+      refreshToken: secret.refreshToken,
+      obtainedAt: metadata.obtainedAt,
+      expiresAt: metadata.expiresAt
+    };
+  }
+  readSecret(slot, backend) {
+    if (backend === "keychain" && this.keychain) {
+      try {
+        const secret = this.keychain.get(
+          KEYCHAIN_SERVICE,
+          slot.keychainAccount
+        );
+        if (!secret) return null;
+        return parseSecretPayload(secret);
+      } catch {
+        return null;
+      }
+    }
+    return readSecretFile(slot.fallbackSecretPath);
+  }
+  writeFallbackSecret(slot, secretPayload) {
+    writeJsonFile(slot.fallbackSecretPath, secretPayload, {
+      mode: 384
+    });
+    if (!this.warnedFallback) {
+      this.warn({
+        code: "fallback_file_store",
+        path: slot.fallbackSecretPath,
+        message: "Secure keychain is unavailable. Falling back to file-based credential storage with mode 0600."
+      });
+      this.warnedFallback = true;
+    }
+  }
+  clearCredentialSlot(slot) {
+    removeFileIfExists(slot.metadataPath);
+    removeFileIfExists(slot.fallbackSecretPath);
+    if (this.keychain) {
+      this.keychain.delete(KEYCHAIN_SERVICE, slot.keychainAccount);
+    }
+  }
+};
+function createMachineCredentialStore(options = {}) {
+  return new MachineCredentialStore(options);
+}
+function resolveCredentialSlot(authDir, target) {
+  const normalizedBaseUrl = normalizeCredentialUrl(target.baseUrl);
+  const storageKey = (0, import_node_crypto.createHash)("sha256").update(normalizedBaseUrl).digest("hex").slice(0, 24);
+  return {
+    keychainAccount: `${KEYCHAIN_ACCOUNT_PREFIX}${storageKey}`,
+    metadataPath: import_node_path.default.join(authDir, `cli-login.${storageKey}.json`),
+    fallbackSecretPath: import_node_path.default.join(
+      authDir,
+      `cli-login.${storageKey}.secret.json`
+    )
+  };
+}
+function resolveActiveTargetPath(authDir) {
+  return import_node_path.default.join(authDir, ACTIVE_TARGET_FILE_NAME);
+}
+function matchesCredentialTarget(value, target) {
+  return normalizeCredentialUrl(value.baseUrl) === normalizeCredentialUrl(target.baseUrl);
+}
+function normalizeCredentialUrl(value) {
+  const normalized = stripTrailingSlashes(value.trim());
+  if (!normalized) {
+    throw new Error("Cannot persist machine credential without baseUrl.");
+  }
+  return normalized;
+}
+function normalizeCloudCredentialTarget(target) {
+  return {
+    baseUrl: normalizeCredentialUrl(target.baseUrl)
+  };
+}
+function resolveConfigDir(appName, env) {
+  if (process.platform === "win32") {
+    const appData = env.APPDATA?.trim() || import_node_path.default.join(import_node_os.default.homedir(), "AppData", "Roaming");
+    return import_node_path.default.join(appData, appName);
+  }
+  if (process.platform === "darwin") {
+    return import_node_path.default.join(
+      import_node_os.default.homedir(),
+      "Library",
+      "Application Support",
+      appName
+    );
+  }
+  const xdgConfigHome = env.XDG_CONFIG_HOME?.trim() || import_node_path.default.join(import_node_os.default.homedir(), ".config");
+  return import_node_path.default.join(xdgConfigHome, appName);
+}
+function ensureDirectory(directoryPath) {
+  import_node_fs.default.mkdirSync(directoryPath, { recursive: true, mode: 448 });
+}
+function removeFileIfExists(filePath) {
+  try {
+    import_node_fs.default.rmSync(filePath, { force: true });
+  } catch {
+    return;
+  }
+}
+function readMetadata(filePath) {
+  if (!import_node_fs.default.existsSync(filePath)) {
+    return null;
+  }
+  try {
+    const raw = import_node_fs.default.readFileSync(filePath, "utf8");
+    const parsed = JSON.parse(raw);
+    if (parsed.version !== METADATA_VERSION) return null;
+    if (parsed.secretBackend !== "keychain" && parsed.secretBackend !== "file") {
+      return null;
+    }
+    if (typeof parsed.baseUrl !== "string" || !parsed.baseUrl.trim()) return null;
+    if (!Array.isArray(parsed.scope)) return null;
+    if (typeof parsed.obtainedAt !== "number") return null;
+    if (typeof parsed.expiresAt !== "number") return null;
+    if (typeof parsed.updatedAt !== "number") return null;
+    return {
+      version: parsed.version,
+      secretBackend: parsed.secretBackend,
+      baseUrl: parsed.baseUrl,
+      scope: parsed.scope.filter(
+        (value) => typeof value === "string"
+      ),
+      obtainedAt: parsed.obtainedAt,
+      expiresAt: parsed.expiresAt,
+      updatedAt: parsed.updatedAt
+    };
+  } catch {
+    return null;
+  }
+}
+function readActiveCloudTargetMetadata(filePath) {
+  if (!import_node_fs.default.existsSync(filePath)) {
+    return null;
+  }
+  try {
+    const raw = import_node_fs.default.readFileSync(filePath, "utf8");
+    const parsed = JSON.parse(raw);
+    if (parsed.version !== ACTIVE_TARGET_VERSION) {
+      return null;
+    }
+    if (typeof parsed.baseUrl !== "string" || !parsed.baseUrl.trim()) {
+      return null;
+    }
+    return {
+      baseUrl: parsed.baseUrl
+    };
+  } catch {
+    return null;
+  }
+}
+function parseSecretPayload(raw) {
+  try {
+    const parsed = JSON.parse(raw);
+    if (typeof parsed.accessToken !== "string" || !parsed.accessToken.trim() || typeof parsed.refreshToken !== "string" || !parsed.refreshToken.trim()) {
+      return null;
+    }
+    return {
+      accessToken: parsed.accessToken,
+      refreshToken: parsed.refreshToken
+    };
+  } catch {
+    return null;
+  }
+}
+function readSecretFile(filePath) {
+  if (!import_node_fs.default.existsSync(filePath)) {
+    return null;
+  }
+  try {
+    return parseSecretPayload(import_node_fs.default.readFileSync(filePath, "utf8"));
+  } catch {
+    return null;
+  }
+}
+function writeJsonFile(filePath, value, options = {}) {
+  import_node_fs.default.writeFileSync(filePath, JSON.stringify(value, null, 2), {
+    encoding: "utf8",
+    mode: options.mode ?? 384
+  });
+  if (typeof options.mode === "number") {
+    import_node_fs.default.chmodSync(filePath, options.mode);
+  }
+}
+// src/cli/auth.ts
+var CliAuthHttpError = class extends Error {
+  status;
+  body;
+  constructor(message, status, body) {
+    super(message);
+    this.name = "CliAuthHttpError";
+    this.status = status;
+    this.body = body;
+  }
+};
+var HELP_TEXT = `Usage: opensteer auth <command> [options]
+Authenticate Opensteer CLI with Opensteer Cloud.
+Commands:
+  login                     Start device login flow in browser
+  status                    Show saved machine login state for the selected cloud host
+  logout                    Revoke and remove saved machine login for the selected cloud host
+Options:
+  --base-url <url>          Cloud API base URL (defaults to env or the last selected host)
+  --json                    JSON output (login prompts go to stderr)
+  --no-browser              Do not auto-open your default browser during login
+  -h, --help                Show this help
+`;
+var DEFAULT_AUTH_SITE_URL = "https://opensteer.com";
+var INTERNAL_AUTH_SITE_URL_ENV = "OPENSTEER_INTERNAL_AUTH_SITE_URL";
+function createDefaultDeps() {
+  const env = process.env;
+  return {
+    env,
+    store: createMachineCredentialStore({
+      env,
+      warn: (warning) => {
+        process.stderr.write(`${warning.message} (${warning.path})
+`);
+      }
+    }),
+    fetchFn: fetch,
+    writeStdout: (message) => process.stdout.write(message),
+    writeStderr: (message) => process.stderr.write(message),
+    isInteractive: () => Boolean(process.stdin.isTTY && process.stdout.isTTY),
+    sleep: async (ms) => {
+      await new Promise((resolve) => setTimeout(resolve, ms));
+    },
+    now: () => Date.now(),
+    openExternalUrl: openDefaultBrowser
+  };
+}
+function readFlagValue(args, index, flag) {
+  const value = args[index + 1];
+  if (value === void 0 || value.startsWith("-")) {
+    return {
+      ok: false,
+      error: `${flag} requires a value.`
+    };
+  }
+  return {
+    ok: true,
+    value,
+    nextIndex: index + 1
+  };
+}
+function parseAuthCommonArgs(rawArgs) {
+  const args = {};
+  for (let i = 0; i < rawArgs.length; i++) {
+    const arg = rawArgs[i];
+    if (arg === "--json") {
+      args.json = true;
+      continue;
+    }
+    if (arg === "--base-url") {
+      const value = readFlagValue(rawArgs, i, "--base-url");
+      if (!value.ok) return { args, error: value.error };
+      args.baseUrl = value.value;
+      i = value.nextIndex;
+      continue;
+    }
+    return {
+      args,
+      error: `Unsupported option "${arg}".`
+    };
+  }
+  return { args };
+}
+function parseOpensteerAuthArgs(rawArgs) {
+  if (!rawArgs.length) {
+    return { mode: "help" };
+  }
+  const [subcommand, ...rest] = rawArgs;
+  if (subcommand === "--help" || subcommand === "-h" || subcommand === "help") {
+    return { mode: "help" };
+  }
+  if (subcommand === "login") {
+    let openBrowser = true;
+    const filtered = [];
+    for (const arg of rest) {
+      if (arg === "--no-browser") {
+        openBrowser = false;
+        continue;
+      }
+      filtered.push(arg);
+    }
+    const parsed = parseAuthCommonArgs(filtered);
+    if (parsed.error) return { mode: "error", error: parsed.error };
+    return {
+      mode: "login",
+      args: {
+        ...parsed.args,
+        openBrowser
+      }
+    };
+  }
+  if (subcommand === "status") {
+    const parsed = parseAuthCommonArgs(rest);
+    if (parsed.error) return { mode: "error", error: parsed.error };
+    return { mode: "status", args: parsed.args };
+  }
+  if (subcommand === "logout") {
+    const parsed = parseAuthCommonArgs(rest);
+    if (parsed.error) return { mode: "error", error: parsed.error };
+    return { mode: "logout", args: parsed.args };
+  }
+  return {
+    mode: "error",
+    error: `Unsupported auth subcommand "${subcommand}".`
+  };
+}
+function printHelp(deps) {
+  deps.writeStdout(`${HELP_TEXT}
+`);
+}
+function writeHumanLine(deps, message) {
+  deps.writeStdout(`${message}
+`);
+}
+function writeJsonLine(deps, payload) {
+  deps.writeStdout(`${JSON.stringify(payload)}
+`);
+}
+function resolveBaseUrl(provided, env) {
+  const baseUrl = normalizeCloudBaseUrl(
+    (provided || env.OPENSTEER_BASE_URL || DEFAULT_CLOUD_BASE_URL).trim()
+  );
+  assertSecureUrl(baseUrl, "--base-url");
+  return baseUrl;
+}
+function resolveAuthSiteUrl(env) {
+  const authSiteUrl = normalizeCloudBaseUrl(
+    (env[INTERNAL_AUTH_SITE_URL_ENV] || DEFAULT_AUTH_SITE_URL).trim()
+  );
+  assertSecureUrl(
+    authSiteUrl,
+    `environment variable ${INTERNAL_AUTH_SITE_URL_ENV}`
+  );
+  return authSiteUrl;
+}
+function hasExplicitCloudTargetSelection(providedBaseUrl, env) {
+  return Boolean(
+    providedBaseUrl?.trim() || env.OPENSTEER_BASE_URL?.trim()
+  );
+}
+function readRememberedCloudTarget(store) {
+  const activeTarget = store.readActiveCloudTarget();
+  if (!activeTarget) {
+    return null;
+  }
+  try {
+    const baseUrl = normalizeCloudBaseUrl(activeTarget.baseUrl);
+    assertSecureUrl(baseUrl, "--base-url");
+    return { baseUrl };
+  } catch {
+    return null;
+  }
+}
+function resolveCloudTarget(args, env, store, options = {}) {
+  if (options.allowRememberedTarget !== false && !hasExplicitCloudTargetSelection(args.baseUrl, env)) {
+    const rememberedTarget = readRememberedCloudTarget(store);
+    if (rememberedTarget) {
+      return rememberedTarget;
+    }
+  }
+  const baseUrl = resolveBaseUrl(args.baseUrl, env);
+  return { baseUrl };
+}
+function assertSecureUrl(value, flag) {
+  let parsed;
+  try {
+    parsed = new URL(value);
+  } catch {
+    throw new Error(`Invalid ${flag} "${value}".`);
+  }
+  if (parsed.protocol === "https:") {
+    return;
+  }
+  if (parsed.protocol === "http:") {
+    const host = parsed.hostname.toLowerCase();
+    if (host === "localhost" || host === "127.0.0.1" || host === "::1") {
+      return;
+    }
+  }
+  throw new Error(
+    `Insecure URL "${value}". Use HTTPS, or HTTP only for localhost.`
+  );
+}
+async function postJson(fetchFn, url, body) {
+  const response = await fetchFn(url, {
+    method: "POST",
+    headers: {
+      "content-type": "application/json"
+    },
+    body: JSON.stringify(body)
+  });
+  let payload = null;
+  try {
+    payload = await response.json();
+  } catch {
+    payload = null;
+  }
+  if (!response.ok) {
+    throw new CliAuthHttpError(
+      `Auth request failed with status ${response.status}.`,
+      response.status,
+      payload
+    );
+  }
+  return payload;
+}
+function parseScope(rawScope) {
+  if (!rawScope) return ["cloud:browser"];
+  const values = rawScope.split(" ").map((value) => value.trim()).filter(Boolean);
+  return values.length ? values : ["cloud:browser"];
+}
+function parseCliTokenResponse(payload) {
+  const accessToken = typeof payload.access_token === "string" ? payload.access_token.trim() : "";
+  const refreshToken2 = typeof payload.refresh_token === "string" ? payload.refresh_token.trim() : "";
+  const expiresInSec = typeof payload.expires_in === "number" && Number.isFinite(payload.expires_in) && payload.expires_in > 0 ? Math.trunc(payload.expires_in) : 0;
+  if (!accessToken || !refreshToken2 || !expiresInSec) {
+    throw new Error("Invalid token response from cloud auth endpoint.");
+  }
+  return {
+    accessToken,
+    refreshToken: refreshToken2,
+    expiresInSec,
+    scope: parseScope(payload.scope)
+  };
+}
+function parseCliOauthError(error) {
+  if (!error || typeof error !== "object" || Array.isArray(error)) {
+    return null;
+  }
+  const root = error;
+  return {
+    error: typeof root.error === "string" ? root.error : void 0,
+    error_description: typeof root.error_description === "string" ? root.error_description : void 0,
+    interval: typeof root.interval === "number" ? root.interval : void 0
+  };
+}
+async function startDeviceAuthorization(authSiteUrl, fetchFn) {
+  const response = await postJson(
+    fetchFn,
+    `${authSiteUrl}/api/cli-auth/device/start`,
+    {
+      scope: ["cloud:browser"]
+    }
+  );
+  if (!response || typeof response.device_code !== "string" || !response.device_code.trim() || typeof response.user_code !== "string" || !response.user_code.trim() || typeof response.verification_uri_complete !== "string" || !response.verification_uri_complete.trim() || typeof response.expires_in !== "number" || response.expires_in <= 0 || typeof response.interval !== "number" || response.interval <= 0) {
+    throw new Error("Invalid device authorization response from cloud.");
+  }
+  return response;
+}
+async function pollDeviceToken(authSiteUrl, deviceCode, fetchFn) {
+  return await postJson(
+    fetchFn,
+    `${authSiteUrl}/api/cli-auth/device/token`,
+    {
+      grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+      device_code: deviceCode
+    }
+  );
+}
+async function refreshToken(authSiteUrl, refreshTokenValue, fetchFn) {
+  return await postJson(fetchFn, `${authSiteUrl}/api/cli-auth/token`, {
+    grant_type: "refresh_token",
+    refresh_token: refreshTokenValue
+  });
+}
+async function revokeToken(authSiteUrl, refreshTokenValue, fetchFn) {
+  await postJson(fetchFn, `${authSiteUrl}/api/cli-auth/revoke`, {
+    token: refreshTokenValue
+  });
+}
+async function openDefaultBrowser(url) {
+  try {
+    const child = await (0, import_open.default)(url, {
+      wait: false
+    });
+    child.on("error", () => void 0);
+    child.unref();
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function runDeviceLoginFlow(args) {
+  const start = await startDeviceAuthorization(args.authSiteUrl, args.fetchFn);
+  if (args.openBrowser) {
+    args.writeProgress(
+      "Opening your default browser for Opensteer CLI authentication.\n"
+    );
+    args.writeProgress(
+      `If nothing opens, use this URL:
+${start.verification_uri_complete}
+`
+    );
+  } else {
+    if (args.openBrowserDisabledReason) {
+      args.writeProgress(
+        `Automatic browser open is disabled (${args.openBrowserDisabledReason}).
+`
+      );
+    }
+    args.writeProgress(
+      `Open this URL to authenticate Opensteer CLI:
+${start.verification_uri_complete}
+`
+    );
+  }
+  args.writeProgress(`Verification code: ${start.user_code}
+`);
+  if (args.openBrowser) {
+    const browserOpened = await args.openExternalUrl(
+      start.verification_uri_complete
+    );
+    if (browserOpened) {
+      args.writeProgress(
+        "Opened your default browser. Finish authentication there; this terminal will continue automatically.\n"
+      );
+    } else {
+      args.writeProgress(
+        "Could not open your default browser automatically. Paste the URL above into a browser to continue.\n"
+      );
+    }
+  }
+  const deadline = args.now() + start.expires_in * 1e3;
+  let pollIntervalMs = Math.max(1, Math.trunc(start.interval)) * 1e3;
+  while (args.now() <= deadline) {
+    await args.sleep(pollIntervalMs);
+    try {
+      const tokenPayload = await pollDeviceToken(
+        args.authSiteUrl,
+        start.device_code,
+        args.fetchFn
+      );
+      const parsed = parseCliTokenResponse(tokenPayload);
+      return {
+        accessToken: parsed.accessToken,
+        refreshToken: parsed.refreshToken,
+        expiresAt: args.now() + parsed.expiresInSec * 1e3,
+        scope: parsed.scope
+      };
+    } catch (error) {
+      if (error instanceof CliAuthHttpError) {
+        const oauthError = parseCliOauthError(error.body);
+        if (!oauthError?.error) {
+          throw error;
+        }
+        if (oauthError.error === "authorization_pending") {
+          continue;
+        }
+        if (oauthError.error === "slow_down") {
+          const hintedInterval = typeof oauthError.interval === "number" && oauthError.interval > 0 ? Math.trunc(oauthError.interval) * 1e3 : pollIntervalMs + 5e3;
+          pollIntervalMs = Math.max(hintedInterval, pollIntervalMs + 1e3);
+          continue;
+        }
+        if (oauthError.error === "expired_token") {
+          throw new Error(
+            'Device authorization expired before approval. Run "opensteer auth login" again.'
+          );
+        }
+        if (oauthError.error === "access_denied") {
+          throw new Error(
+            'Cloud login was denied. Run "opensteer auth login" to retry.'
+          );
+        }
+        throw new Error(
+          oauthError.error_description || `Cloud login failed: ${oauthError.error}.`
+        );
+      }
+      throw error;
+    }
+  }
+  throw new Error(
+    'Timed out waiting for cloud login approval. Run "opensteer auth login" again.'
+  );
+}
+async function refreshSavedCredential(saved, deps) {
+  const tokenPayload = await refreshToken(
+    resolveAuthSiteUrl(deps.env),
+    saved.refreshToken,
+    deps.fetchFn
+  );
+  const parsed = parseCliTokenResponse(tokenPayload);
+  const updated = {
+    accessToken: parsed.accessToken,
+    refreshToken: parsed.refreshToken,
+    expiresAt: deps.now() + parsed.expiresInSec * 1e3,
+    scope: parsed.scope
+  };
+  deps.store.writeCloudCredential({
+    baseUrl: saved.baseUrl,
+    scope: updated.scope,
+    accessToken: updated.accessToken,
+    refreshToken: updated.refreshToken,
+    obtainedAt: deps.now(),
+    expiresAt: updated.expiresAt
+  });
+  return updated;
+}
+async function ensureSavedCredentialIsFresh(saved, deps) {
+  const refreshSkewMs = 6e4;
+  if (saved.expiresAt > deps.now() + refreshSkewMs) {
+    return saved;
+  }
+  try {
+    const refreshed = await refreshSavedCredential(saved, deps);
+    return {
+      ...saved,
+      accessToken: refreshed.accessToken,
+      refreshToken: refreshed.refreshToken,
+      expiresAt: refreshed.expiresAt,
+      scope: refreshed.scope,
+      obtainedAt: deps.now()
+    };
+  } catch (error) {
+    if (error instanceof CliAuthHttpError) {
+      const oauth = parseCliOauthError(error.body);
+      if (oauth?.error === "invalid_grant" || oauth?.error === "expired_token") {
+        deps.store.clearCloudCredential({
+          baseUrl: saved.baseUrl
+        });
+        return null;
+      }
+    }
+    deps.writeStderr(
+      `Unable to refresh saved cloud login: ${error instanceof Error ? error.message : "unknown error"}
+`
+    );
+    return null;
+  }
+}
+function toAuthMissingMessage(commandName) {
+  return [
+    `${commandName} requires cloud authentication.`,
+    'Use --api-key, --access-token, OPENSTEER_API_KEY, OPENSTEER_ACCESS_TOKEN, or run "opensteer auth login".'
+  ].join(" ");
+}
+function describeBrowserOpenMode(args, deps) {
+  if (!args.openBrowser) {
+    return {
+      enabled: false,
+      disabledReason: "--no-browser"
+    };
+  }
+  if (!deps.isInteractive()) {
+    return {
+      enabled: false,
+      disabledReason: "this shell is not interactive"
+    };
+  }
+  if (isCiEnvironment(deps.env)) {
+    return {
+      enabled: false,
+      disabledReason: "CI"
+    };
+  }
+  return {
+    enabled: true
+  };
+}
+function isCiEnvironment(env) {
+  const value = env.CI?.trim().toLowerCase();
+  return Boolean(value && value !== "0" && value !== "false");
+}
+function isCloudModeEnabledForRootDir(rootDir, env) {
+  const resolved = resolveConfigWithEnv(
+    {
+      storage: { rootDir }
+    },
+    {
+      env
+    }
+  );
+  return resolveCloudSelection(
+    {
+      cloud: resolved.config.cloud
+    },
+    resolved.env
+  ).cloud;
+}
+async function ensureCloudCredentialsForOpenCommand(options) {
+  const env = options.env ?? process.env;
+  if (!isCloudModeEnabledForRootDir(options.scopeDir, env)) {
+    return null;
+  }
+  const writeStderr = options.writeStderr ?? ((message) => process.stderr.write(message));
+  return await ensureCloudCredentialsForCommand({
+    commandName: "opensteer open",
+    env,
+    store: options.store,
+    apiKeyFlag: options.apiKeyFlag,
+    accessTokenFlag: options.accessTokenFlag,
+    interactive: options.interactive,
+    autoLoginIfNeeded: true,
+    writeProgress: options.writeProgress ?? writeStderr,
+    writeStderr,
+    fetchFn: options.fetchFn,
+    sleep: options.sleep,
+    now: options.now,
+    openExternalUrl: options.openExternalUrl
+  });
+}
+async function ensureCloudCredentialsForCommand(options) {
+  const env = options.env ?? process.env;
+  const writeProgress = options.writeProgress ?? options.writeStdout ?? ((message) => process.stdout.write(message));
+  const writeStderr = options.writeStderr ?? ((message) => process.stderr.write(message));
+  const fetchFn = options.fetchFn ?? fetch;
+  const sleep = options.sleep ?? (async (ms) => {
+    await new Promise((resolve) => setTimeout(resolve, ms));
+  });
+  const now = options.now ?? Date.now;
+  const openExternalUrl = options.openExternalUrl ?? openDefaultBrowser;
+  const store = options.store ?? createMachineCredentialStore({
+    env,
+    warn: (warning) => {
+      writeStderr(`${warning.message} (${warning.path})
+`);
+    }
+  });
+  const { baseUrl } = resolveCloudTarget(options, env, store);
+  const initialCredential = resolveCloudCredential({
+    env,
+    apiKeyFlag: options.apiKeyFlag,
+    accessTokenFlag: options.accessTokenFlag
+  });
+  let credential = initialCredential;
+  if (!credential) {
+    const saved = store.readCloudCredential({ baseUrl });
+    const freshSaved = saved ? await ensureSavedCredentialIsFresh(saved, {
+      env,
+      fetchFn,
+      store,
+      now,
+      writeStderr
+    }) : null;
+    if (freshSaved) {
+      credential = {
+        kind: "access-token",
+        source: "saved",
+        token: freshSaved.accessToken,
+        authScheme: "bearer"
+      };
+    }
+  }
+  if (!credential) {
+    if (options.autoLoginIfNeeded && (options.interactive ?? false)) {
+      const loggedIn = await runDeviceLoginFlow({
+        authSiteUrl: resolveAuthSiteUrl(env),
+        fetchFn,
+        writeProgress,
+        openExternalUrl,
+        sleep,
+        now,
+        openBrowser: true
+      });
+      store.writeCloudCredential({
+        baseUrl,
+        scope: loggedIn.scope,
+        accessToken: loggedIn.accessToken,
+        refreshToken: loggedIn.refreshToken,
+        obtainedAt: now(),
+        expiresAt: loggedIn.expiresAt
+      });
+      credential = {
+        kind: "access-token",
+        source: "saved",
+        token: loggedIn.accessToken,
+        authScheme: "bearer"
+      };
+      writeProgress("Cloud login complete.\n");
+    } else {
+      throw new Error(toAuthMissingMessage(options.commandName));
+    }
+  }
+  store.writeActiveCloudTarget({ baseUrl });
+  applyCloudCredentialToEnv(env, credential);
+  env.OPENSTEER_BASE_URL = baseUrl;
+  return {
+    token: credential.token,
+    authScheme: credential.authScheme,
+    source: credential.source,
+    kind: credential.kind,
+    baseUrl
+  };
+}
+async function runLogin(args, deps) {
+  const { baseUrl } = resolveCloudTarget(args, deps.env, deps.store, {
+    allowRememberedTarget: false
+  });
+  const writeProgress = args.json ? deps.writeStderr : deps.writeStdout;
+  const browserOpenMode = describeBrowserOpenMode(args, deps);
+  const login = await runDeviceLoginFlow({
+    authSiteUrl: resolveAuthSiteUrl(deps.env),
+    fetchFn: deps.fetchFn,
+    writeProgress,
+    openExternalUrl: deps.openExternalUrl,
+    sleep: deps.sleep,
+    now: deps.now,
+    openBrowser: browserOpenMode.enabled,
+    openBrowserDisabledReason: browserOpenMode.disabledReason
+  });
+  deps.store.writeCloudCredential({
+    baseUrl,
+    scope: login.scope,
+    accessToken: login.accessToken,
+    refreshToken: login.refreshToken,
+    obtainedAt: deps.now(),
+    expiresAt: login.expiresAt
+  });
+  deps.store.writeActiveCloudTarget({ baseUrl });
+  if (args.json) {
+    writeJsonLine(deps, {
+      loggedIn: true,
+      baseUrl,
+      expiresAt: login.expiresAt,
+      scope: login.scope,
+      authSource: "device"
+    });
+    return 0;
+  }
+  writeHumanLine(deps, "Opensteer CLI login successful.");
+  writeHumanLine(deps, `  API Base URL: ${baseUrl}`);
+  writeHumanLine(deps, `  Expires At: ${new Date(login.expiresAt).toISOString()}`);
+  return 0;
+}
+async function runStatus(args, deps) {
+  const { baseUrl } = resolveCloudTarget(args, deps.env, deps.store);
+  deps.store.writeActiveCloudTarget({ baseUrl });
+  const saved = deps.store.readCloudCredential({ baseUrl });
+  if (!saved) {
+    if (args.json) {
+      writeJsonLine(deps, {
+        loggedIn: false,
+        baseUrl
+      });
+    } else {
+      writeHumanLine(deps, `Opensteer CLI is not logged in for ${baseUrl}.`);
+    }
+    return 0;
+  }
+  const now = deps.now();
+  const expired = saved.expiresAt <= now;
+  if (args.json) {
+    writeJsonLine(deps, {
+      loggedIn: true,
+      expired,
+      baseUrl: saved.baseUrl,
+      expiresAt: saved.expiresAt,
+      scope: saved.scope
+    });
+    return 0;
+  }
+  writeHumanLine(
+    deps,
+    expired ? "Opensteer CLI has a saved login, but the access token is expired." : "Opensteer CLI is logged in."
+  );
+  writeHumanLine(deps, `  API Base URL: ${saved.baseUrl}`);
+  writeHumanLine(deps, `  Expires At: ${new Date(saved.expiresAt).toISOString()}`);
+  return 0;
+}
+async function runLogout(args, deps) {
+  const { baseUrl } = resolveCloudTarget(args, deps.env, deps.store);
+  deps.store.writeActiveCloudTarget({ baseUrl });
+  const saved = deps.store.readCloudCredential({ baseUrl });
+  if (saved) {
+    try {
+      await revokeToken(
+        resolveAuthSiteUrl(deps.env),
+        saved.refreshToken,
+        deps.fetchFn
+      );
+    } catch {
+    }
+  }
+  deps.store.clearCloudCredential({ baseUrl });
+  if (args.json) {
+    writeJsonLine(deps, {
+      loggedOut: true,
+      baseUrl
+    });
+    return 0;
+  }
+  writeHumanLine(deps, `Opensteer CLI login removed for ${baseUrl}.`);
+  return 0;
+}
+async function runOpensteerAuthCli(rawArgs, overrideDeps = {}) {
+  const deps = {
+    ...createDefaultDeps(),
+    ...overrideDeps
+  };
+  const parsed = parseOpensteerAuthArgs(rawArgs);
+  if (parsed.mode === "help") {
+    printHelp(deps);
+    return 0;
+  }
+  if (parsed.mode === "error") {
+    deps.writeStderr(`${parsed.error}
+`);
+    deps.writeStderr('Run "opensteer auth --help" for usage.\n');
+    return 1;
+  }
+  try {
+    if (parsed.mode === "login") {
+      return await runLogin(parsed.args, deps);
+    }
+    if (parsed.mode === "status") {
+      return await runStatus(parsed.args, deps);
+    }
+    return await runLogout(parsed.args, deps);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Auth command failed.";
+    deps.writeStderr(`${message}
+`);
+    return 1;
+  }
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ensureCloudCredentialsForCommand,
+  ensureCloudCredentialsForOpenCommand,
+  isCloudModeEnabledForRootDir,
+  parseOpensteerAuthArgs,
+  runOpensteerAuthCli
+});