opensteer 0.6.1 → 0.6.2

package/README.md

@@ -182,11 +182,10 @@ opensteer auth logout
   `--no-browser` on remote shells, containers, or CI and paste the printed URL
   into a browser manually. In `--json` mode, login prompts go to stderr and the
   final JSON result stays on stdout.
-- Saved machine logins remain scoped per resolved cloud host (`baseUrl` +
-  `siteUrl`). The CLI also remembers the last selected cloud host, so
-  `opensteer auth status`, `opensteer auth logout`, and other cloud commands
-  reuse it by default unless `--base-url`, `--site-url`, or env vars select a
-  different host.
+- Saved machine logins remain scoped per resolved cloud API host (`baseUrl`).
+  The CLI also remembers the last selected cloud host, so `opensteer auth
+  status`, `opensteer auth logout`, and other cloud commands reuse it by
+  default unless `--base-url` or env vars select a different host.
 
 - `OPENSTEER_BASE_URL` overrides the default cloud host
 - `OPENSTEER_ACCESS_TOKEN` provides bearer auth for cloud commands

package/bin/opensteer.mjs

@@ -1149,7 +1149,6 @@ Environment:
   OPENSTEER_API_KEY         Cloud API key credential
   OPENSTEER_ACCESS_TOKEN    Cloud bearer access token credential
   OPENSTEER_BASE_URL        Override cloud control-plane base URL
-  OPENSTEER_CLOUD_SITE_URL  Override cloud site URL for device login endpoints
   OPENSTEER_AUTH_SCHEME     Cloud auth scheme: api-key (default) or bearer
   OPENSTEER_REMOTE_ANNOUNCE Cloud session announcement policy: always (default), off, tty
 `)

package/dist/{chunk-3FNI7JUU.js → chunk-7RMY26CM.js}

@@ -100,13 +100,10 @@ import { createHash } from "crypto";
 import fs from "fs";
 import os from "os";
 import path from "path";
-var METADATA_VERSION = 1;
-var ACTIVE_TARGET_VERSION = 1;
+var METADATA_VERSION = 2;
+var ACTIVE_TARGET_VERSION = 2;
 var KEYCHAIN_SERVICE = "com.opensteer.cli.cloud";
 var KEYCHAIN_ACCOUNT_PREFIX = "machine:";
-var LEGACY_KEYCHAIN_ACCOUNT = "machine";
-var LEGACY_METADATA_FILE_NAME = "cli-login.json";
-var LEGACY_FALLBACK_SECRET_FILE_NAME = "cli-login.secret.json";
 var ACTIVE_TARGET_FILE_NAME = "cli-target.json";
 var MachineCredentialStore = class {
   authDir;
@@ -121,8 +118,11 @@ var MachineCredentialStore = class {
     this.warn = options.warn ?? (() => void 0);
   }
   readCloudCredential(target) {
-    const slot = resolveCredentialSlot(this.authDir, target);
-    return this.readCredentialSlot(slot, target) ?? this.readAndMigrateLegacyCredential(target);
+    const normalizedTarget = normalizeCloudCredentialTarget(target);
+    return this.readCredentialSlot(
+      resolveCredentialSlot(this.authDir, normalizedTarget),
+      normalizedTarget
+    );
   }
   writeCloudCredential(args) {
     const accessToken = args.accessToken.trim();
@@ -130,12 +130,8 @@ var MachineCredentialStore = class {
     if (!accessToken || !refreshToken2) {
       throw new Error("Cannot persist empty machine credential secrets.");
     }
-    const baseUrl = normalizeCredentialUrl(args.baseUrl, "baseUrl");
-    const siteUrl = normalizeCredentialUrl(args.siteUrl, "siteUrl");
-    const slot = resolveCredentialSlot(this.authDir, {
-      baseUrl,
-      siteUrl
-    });
+    const baseUrl = normalizeCredentialUrl(args.baseUrl);
+    const slot = resolveCredentialSlot(this.authDir, { baseUrl });
     ensureDirectory(this.authDir);
     const secretPayload = {
       accessToken,
@@ -162,7 +158,6 @@ var MachineCredentialStore = class {
       version: METADATA_VERSION,
       secretBackend,
       baseUrl,
-      siteUrl,
       scope: args.scope,
       obtainedAt: args.obtainedAt,
       expiresAt: args.expiresAt,
@@ -174,23 +169,18 @@ var MachineCredentialStore = class {
     return readActiveCloudTargetMetadata(resolveActiveTargetPath(this.authDir));
   }
   writeActiveCloudTarget(target) {
-    const baseUrl = normalizeCredentialUrl(target.baseUrl, "baseUrl");
-    const siteUrl = normalizeCredentialUrl(target.siteUrl, "siteUrl");
+    const baseUrl = normalizeCredentialUrl(target.baseUrl);
     ensureDirectory(this.authDir);
     writeJsonFile(resolveActiveTargetPath(this.authDir), {
       version: ACTIVE_TARGET_VERSION,
       baseUrl,
-      siteUrl,
       updatedAt: Date.now()
     });
   }
   clearCloudCredential(target) {
-    this.clearCredentialSlot(resolveCredentialSlot(this.authDir, target));
-    const legacySlot = resolveLegacyCredentialSlot(this.authDir);
-    const legacyMetadata = readMetadata(legacySlot.metadataPath);
-    if (legacyMetadata && matchesCredentialTarget(legacyMetadata, target)) {
-      this.clearCredentialSlot(legacySlot);
-    }
+    this.clearCredentialSlot(
+      resolveCredentialSlot(this.authDir, normalizeCloudCredentialTarget(target))
+    );
   }
   readCredentialSlot(slot, target) {
     const metadata = readMetadata(slot.metadataPath);
@@ -206,7 +196,6 @@ var MachineCredentialStore = class {
     }
     return {
       baseUrl: metadata.baseUrl,
-      siteUrl: metadata.siteUrl,
       scope: metadata.scope,
       accessToken: secret.accessToken,
       refreshToken: secret.refreshToken,
@@ -214,16 +203,6 @@ var MachineCredentialStore = class {
       expiresAt: metadata.expiresAt
     };
   }
-  readAndMigrateLegacyCredential(target) {
-    const legacySlot = resolveLegacyCredentialSlot(this.authDir);
-    const legacyCredential = this.readCredentialSlot(legacySlot, target);
-    if (!legacyCredential) {
-      return null;
-    }
-    this.writeCloudCredential(legacyCredential);
-    this.clearCredentialSlot(legacySlot);
-    return legacyCredential;
-  }
   readSecret(slot, backend) {
     if (backend === "keychain" && this.keychain) {
       try {
@@ -264,9 +243,8 @@ function createMachineCredentialStore(options = {}) {
   return new MachineCredentialStore(options);
 }
 function resolveCredentialSlot(authDir, target) {
-  const normalizedBaseUrl = normalizeCredentialUrl(target.baseUrl, "baseUrl");
-  const normalizedSiteUrl = normalizeCredentialUrl(target.siteUrl, "siteUrl");
-  const storageKey = createHash("sha256").update(`${normalizedBaseUrl}\0${normalizedSiteUrl}`).digest("hex").slice(0, 24);
+  const normalizedBaseUrl = normalizeCredentialUrl(target.baseUrl);
+  const storageKey = createHash("sha256").update(normalizedBaseUrl).digest("hex").slice(0, 24);
   return {
     keychainAccount: `${KEYCHAIN_ACCOUNT_PREFIX}${storageKey}`,
     metadataPath: path.join(authDir, `cli-login.${storageKey}.json`),
@@ -276,26 +254,24 @@ function resolveCredentialSlot(authDir, target) {
     )
   };
 }
-function resolveLegacyCredentialSlot(authDir) {
-  return {
-    keychainAccount: LEGACY_KEYCHAIN_ACCOUNT,
-    metadataPath: path.join(authDir, LEGACY_METADATA_FILE_NAME),
-    fallbackSecretPath: path.join(authDir, LEGACY_FALLBACK_SECRET_FILE_NAME)
-  };
-}
 function resolveActiveTargetPath(authDir) {
   return path.join(authDir, ACTIVE_TARGET_FILE_NAME);
 }
 function matchesCredentialTarget(value, target) {
-  return normalizeCredentialUrl(value.baseUrl, "baseUrl") === normalizeCredentialUrl(target.baseUrl, "baseUrl") && normalizeCredentialUrl(value.siteUrl, "siteUrl") === normalizeCredentialUrl(target.siteUrl, "siteUrl");
+  return normalizeCredentialUrl(value.baseUrl) === normalizeCredentialUrl(target.baseUrl);
 }
-function normalizeCredentialUrl(value, field) {
+function normalizeCredentialUrl(value) {
   const normalized = stripTrailingSlashes(value.trim());
   if (!normalized) {
-    throw new Error(`Cannot persist machine credential without ${field}.`);
+    throw new Error("Cannot persist machine credential without baseUrl.");
   }
   return normalized;
 }
+function normalizeCloudCredentialTarget(target) {
+  return {
+    baseUrl: normalizeCredentialUrl(target.baseUrl)
+  };
+}
 function resolveConfigDir(appName, env) {
   if (process.platform === "win32") {
     const appData = env.APPDATA?.trim() || path.join(os.homedir(), "AppData", "Roaming");
@@ -334,7 +310,6 @@ function readMetadata(filePath) {
       return null;
     }
     if (typeof parsed.baseUrl !== "string" || !parsed.baseUrl.trim()) return null;
-    if (typeof parsed.siteUrl !== "string" || !parsed.siteUrl.trim()) return null;
     if (!Array.isArray(parsed.scope)) return null;
     if (typeof parsed.obtainedAt !== "number") return null;
     if (typeof parsed.expiresAt !== "number") return null;
@@ -343,7 +318,6 @@ function readMetadata(filePath) {
       version: parsed.version,
       secretBackend: parsed.secretBackend,
       baseUrl: parsed.baseUrl,
-      siteUrl: parsed.siteUrl,
       scope: parsed.scope.filter(
         (value) => typeof value === "string"
       ),
@@ -368,12 +342,8 @@ function readActiveCloudTargetMetadata(filePath) {
     if (typeof parsed.baseUrl !== "string" || !parsed.baseUrl.trim()) {
       return null;
     }
-    if (typeof parsed.siteUrl !== "string" || !parsed.siteUrl.trim()) {
-      return null;
-    }
     return {
-      baseUrl: parsed.baseUrl,
-      siteUrl: parsed.siteUrl
+      baseUrl: parsed.baseUrl
     };
   } catch {
     return null;
@@ -398,14 +368,13 @@ function readSecretFile(filePath) {
     return null;
   }
   try {
-    const raw = fs.readFileSync(filePath, "utf8");
-    return parseSecretPayload(raw);
+    return parseSecretPayload(fs.readFileSync(filePath, "utf8"));
   } catch {
     return null;
   }
 }
-function writeJsonFile(filePath, payload, options = {}) {
-  fs.writeFileSync(filePath, JSON.stringify(payload, null, 2), {
+function writeJsonFile(filePath, value, options = {}) {
+  fs.writeFileSync(filePath, JSON.stringify(value, null, 2), {
     encoding: "utf8",
     mode: options.mode ?? 384
   });
@@ -436,11 +405,12 @@ Commands:
 
 Options:
   --base-url <url>          Cloud API base URL (defaults to env or the last selected host)
-  --site-url <url>          Cloud site URL for browser/device auth (defaults to env or the last selected host)
   --json                    JSON output (login prompts go to stderr)
   --no-browser              Do not auto-open your default browser during login
   -h, --help                Show this help
 `;
+var DEFAULT_AUTH_SITE_URL = "https://opensteer.com";
+var INTERNAL_AUTH_SITE_URL_ENV = "OPENSTEER_INTERNAL_AUTH_SITE_URL";
 function createDefaultDeps() {
   const env = process.env;
   return {
@@ -492,13 +462,6 @@ function parseAuthCommonArgs(rawArgs) {
       i = value.nextIndex;
       continue;
     }
-    if (arg === "--site-url") {
-      const value = readFlagValue(rawArgs, i, "--site-url");
-      if (!value.ok) return { args, error: value.error };
-      args.siteUrl = value.value;
-      i = value.nextIndex;
-      continue;
-    }
     return {
       args,
       error: `Unsupported option "${arg}".`
@@ -568,16 +531,19 @@ function resolveBaseUrl(provided, env) {
   assertSecureUrl(baseUrl, "--base-url");
   return baseUrl;
 }
-function resolveSiteUrl(provided, baseUrl, env) {
-  const siteUrl = normalizeCloudBaseUrl(
-    (provided || env.OPENSTEER_CLOUD_SITE_URL || deriveSiteUrlFromBaseUrl(baseUrl)).trim()
+function resolveAuthSiteUrl(env) {
+  const authSiteUrl = normalizeCloudBaseUrl(
+    (env[INTERNAL_AUTH_SITE_URL_ENV] || DEFAULT_AUTH_SITE_URL).trim()
+  );
+  assertSecureUrl(
+    authSiteUrl,
+    `environment variable ${INTERNAL_AUTH_SITE_URL_ENV}`
   );
-  assertSecureUrl(siteUrl, "--site-url");
-  return siteUrl;
+  return authSiteUrl;
 }
-function hasExplicitCloudTargetSelection(providedBaseUrl, providedSiteUrl, env) {
+function hasExplicitCloudTargetSelection(providedBaseUrl, env) {
   return Boolean(
-    providedBaseUrl?.trim() || providedSiteUrl?.trim() || env.OPENSTEER_BASE_URL?.trim() || env.OPENSTEER_CLOUD_SITE_URL?.trim()
+    providedBaseUrl?.trim() || env.OPENSTEER_BASE_URL?.trim()
   );
 }
 function readRememberedCloudTarget(store) {
@@ -587,57 +553,21 @@ function readRememberedCloudTarget(store) {
   }
   try {
     const baseUrl = normalizeCloudBaseUrl(activeTarget.baseUrl);
-    const siteUrl = normalizeCloudBaseUrl(activeTarget.siteUrl);
     assertSecureUrl(baseUrl, "--base-url");
-    assertSecureUrl(siteUrl, "--site-url");
-    return {
-      baseUrl,
-      siteUrl
-    };
+    return { baseUrl };
   } catch {
     return null;
   }
 }
-function resolveCloudTarget(args, env, store) {
-  if (!hasExplicitCloudTargetSelection(args.baseUrl, args.siteUrl, env)) {
+function resolveCloudTarget(args, env, store, options = {}) {
+  if (options.allowRememberedTarget !== false && !hasExplicitCloudTargetSelection(args.baseUrl, env)) {
     const rememberedTarget = readRememberedCloudTarget(store);
     if (rememberedTarget) {
       return rememberedTarget;
     }
   }
   const baseUrl = resolveBaseUrl(args.baseUrl, env);
-  const siteUrl = resolveSiteUrl(args.siteUrl, baseUrl, env);
-  return {
-    baseUrl,
-    siteUrl
-  };
-}
-function deriveSiteUrlFromBaseUrl(baseUrl) {
-  let parsed;
-  try {
-    parsed = new URL(baseUrl);
-  } catch {
-    return "https://opensteer.com";
-  }
-  const hostname = parsed.hostname.toLowerCase();
-  if (hostname.startsWith("api.")) {
-    parsed.hostname = hostname.slice("api.".length);
-    parsed.pathname = "";
-    parsed.search = "";
-    parsed.hash = "";
-    return normalizeCloudBaseUrl(parsed.toString());
-  }
-  if (hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1") {
-    parsed.port = "3001";
-    parsed.pathname = "";
-    parsed.search = "";
-    parsed.hash = "";
-    return normalizeCloudBaseUrl(parsed.toString());
-  }
-  parsed.pathname = "";
-  parsed.search = "";
-  parsed.hash = "";
-  return normalizeCloudBaseUrl(parsed.toString());
+  return { baseUrl };
 }
 function assertSecureUrl(value, flag) {
   let parsed;
@@ -712,10 +642,10 @@ function parseCliOauthError(error) {
     interval: typeof root.interval === "number" ? root.interval : void 0
   };
 }
-async function startDeviceAuthorization(siteUrl, fetchFn) {
+async function startDeviceAuthorization(authSiteUrl, fetchFn) {
   const response = await postJson(
     fetchFn,
-    `${siteUrl}/api/cli-auth/device/start`,
+    `${authSiteUrl}/api/cli-auth/device/start`,
     {
       scope: ["cloud:browser"]
     }
@@ -725,24 +655,24 @@ async function startDeviceAuthorization(siteUrl, fetchFn) {
   }
   return response;
 }
-async function pollDeviceToken(siteUrl, deviceCode, fetchFn) {
+async function pollDeviceToken(authSiteUrl, deviceCode, fetchFn) {
   return await postJson(
     fetchFn,
-    `${siteUrl}/api/cli-auth/device/token`,
+    `${authSiteUrl}/api/cli-auth/device/token`,
     {
       grant_type: "urn:ietf:params:oauth:grant-type:device_code",
       device_code: deviceCode
     }
   );
 }
-async function refreshToken(siteUrl, refreshTokenValue, fetchFn) {
-  return await postJson(fetchFn, `${siteUrl}/api/cli-auth/token`, {
+async function refreshToken(authSiteUrl, refreshTokenValue, fetchFn) {
+  return await postJson(fetchFn, `${authSiteUrl}/api/cli-auth/token`, {
     grant_type: "refresh_token",
     refresh_token: refreshTokenValue
   });
 }
-async function revokeToken(siteUrl, refreshTokenValue, fetchFn) {
-  await postJson(fetchFn, `${siteUrl}/api/cli-auth/revoke`, {
+async function revokeToken(authSiteUrl, refreshTokenValue, fetchFn) {
+  await postJson(fetchFn, `${authSiteUrl}/api/cli-auth/revoke`, {
     token: refreshTokenValue
   });
 }
@@ -759,7 +689,7 @@ async function openDefaultBrowser(url) {
   }
 }
 async function runDeviceLoginFlow(args) {
-  const start = await startDeviceAuthorization(args.siteUrl, args.fetchFn);
+  const start = await startDeviceAuthorization(args.authSiteUrl, args.fetchFn);
   if (args.openBrowser) {
     args.writeProgress(
       "Opening your default browser for Opensteer CLI authentication.\n"
@@ -804,7 +734,7 @@ ${start.verification_uri_complete}
     await args.sleep(pollIntervalMs);
     try {
       const tokenPayload = await pollDeviceToken(
-        args.siteUrl,
+        args.authSiteUrl,
         start.device_code,
         args.fetchFn
       );
@@ -852,7 +782,7 @@ ${start.verification_uri_complete}
 }
 async function refreshSavedCredential(saved, deps) {
   const tokenPayload = await refreshToken(
-    saved.siteUrl,
+    resolveAuthSiteUrl(deps.env),
     saved.refreshToken,
     deps.fetchFn
   );
@@ -865,7 +795,6 @@ async function refreshSavedCredential(saved, deps) {
   };
   deps.store.writeCloudCredential({
     baseUrl: saved.baseUrl,
-    siteUrl: saved.siteUrl,
     scope: updated.scope,
     accessToken: updated.accessToken,
     refreshToken: updated.refreshToken,
@@ -894,8 +823,7 @@ async function ensureSavedCredentialIsFresh(saved, deps) {
       const oauth = parseCliOauthError(error.body);
       if (oauth?.error === "invalid_grant" || oauth?.error === "expired_token") {
         deps.store.clearCloudCredential({
-          baseUrl: saved.baseUrl,
-          siteUrl: saved.siteUrl
+          baseUrl: saved.baseUrl
         });
         return null;
       }
@@ -995,7 +923,7 @@ async function ensureCloudCredentialsForCommand(options) {
 `);
     }
   });
-  const { baseUrl, siteUrl } = resolveCloudTarget(options, env, store);
+  const { baseUrl } = resolveCloudTarget(options, env, store);
   const initialCredential = resolveCloudCredential({
     env,
     apiKeyFlag: options.apiKeyFlag,
@@ -1003,11 +931,9 @@ async function ensureCloudCredentialsForCommand(options) {
   });
   let credential = initialCredential;
   if (!credential) {
-    const saved = store.readCloudCredential({
-      baseUrl,
-      siteUrl
-    });
+    const saved = store.readCloudCredential({ baseUrl });
     const freshSaved = saved ? await ensureSavedCredentialIsFresh(saved, {
+      env,
       fetchFn,
       store,
       now,
@@ -1025,7 +951,7 @@ async function ensureCloudCredentialsForCommand(options) {
   if (!credential) {
     if (options.autoLoginIfNeeded && (options.interactive ?? false)) {
       const loggedIn = await runDeviceLoginFlow({
-        siteUrl,
+        authSiteUrl: resolveAuthSiteUrl(env),
         fetchFn,
         writeProgress,
         openExternalUrl,
@@ -1035,7 +961,6 @@ async function ensureCloudCredentialsForCommand(options) {
       });
       store.writeCloudCredential({
         baseUrl,
-        siteUrl,
         scope: loggedIn.scope,
         accessToken: loggedIn.accessToken,
         refreshToken: loggedIn.refreshToken,
@@ -1053,28 +978,25 @@ async function ensureCloudCredentialsForCommand(options) {
       throw new Error(toAuthMissingMessage(options.commandName));
     }
   }
-  store.writeActiveCloudTarget({
-    baseUrl,
-    siteUrl
-  });
+  store.writeActiveCloudTarget({ baseUrl });
   applyCloudCredentialToEnv(env, credential);
   env.OPENSTEER_BASE_URL = baseUrl;
-  env.OPENSTEER_CLOUD_SITE_URL = siteUrl;
   return {
     token: credential.token,
     authScheme: credential.authScheme,
     source: credential.source,
     kind: credential.kind,
-    baseUrl,
-    siteUrl
+    baseUrl
   };
 }
 async function runLogin(args, deps) {
-  const { baseUrl, siteUrl } = resolveCloudTarget(args, deps.env, deps.store);
+  const { baseUrl } = resolveCloudTarget(args, deps.env, deps.store, {
+    allowRememberedTarget: false
+  });
   const writeProgress = args.json ? deps.writeStderr : deps.writeStdout;
   const browserOpenMode = describeBrowserOpenMode(args, deps);
   const login = await runDeviceLoginFlow({
-    siteUrl,
+    authSiteUrl: resolveAuthSiteUrl(deps.env),
     fetchFn: deps.fetchFn,
     writeProgress,
     openExternalUrl: deps.openExternalUrl,
@@ -1085,22 +1007,17 @@ async function runLogin(args, deps) {
   });
   deps.store.writeCloudCredential({
     baseUrl,
-    siteUrl,
     scope: login.scope,
     accessToken: login.accessToken,
     refreshToken: login.refreshToken,
     obtainedAt: deps.now(),
     expiresAt: login.expiresAt
   });
-  deps.store.writeActiveCloudTarget({
-    baseUrl,
-    siteUrl
-  });
+  deps.store.writeActiveCloudTarget({ baseUrl });
   if (args.json) {
     writeJsonLine(deps, {
       loggedIn: true,
       baseUrl,
-      siteUrl,
       expiresAt: login.expiresAt,
       scope: login.scope,
       authSource: "device"
@@ -1108,33 +1025,22 @@ async function runLogin(args, deps) {
     return 0;
   }
   writeHumanLine(deps, "Opensteer CLI login successful.");
-  writeHumanLine(deps, `  Site URL: ${siteUrl}`);
   writeHumanLine(deps, `  API Base URL: ${baseUrl}`);
   writeHumanLine(deps, `  Expires At: ${new Date(login.expiresAt).toISOString()}`);
   return 0;
 }
 async function runStatus(args, deps) {
-  const { baseUrl, siteUrl } = resolveCloudTarget(args, deps.env, deps.store);
-  deps.store.writeActiveCloudTarget({
-    baseUrl,
-    siteUrl
-  });
-  const saved = deps.store.readCloudCredential({
-    baseUrl,
-    siteUrl
-  });
+  const { baseUrl } = resolveCloudTarget(args, deps.env, deps.store);
+  deps.store.writeActiveCloudTarget({ baseUrl });
+  const saved = deps.store.readCloudCredential({ baseUrl });
   if (!saved) {
     if (args.json) {
       writeJsonLine(deps, {
         loggedIn: false,
-        baseUrl,
-        siteUrl
+        baseUrl
       });
     } else {
-      writeHumanLine(
-        deps,
-        `Opensteer CLI is not logged in for ${siteUrl}.`
-      );
+      writeHumanLine(deps, `Opensteer CLI is not logged in for ${baseUrl}.`);
     }
     return 0;
   }
@@ -1145,7 +1051,6 @@ async function runStatus(args, deps) {
       loggedIn: true,
       expired,
       baseUrl: saved.baseUrl,
-      siteUrl: saved.siteUrl,
       expiresAt: saved.expiresAt,
       scope: saved.scope
     });
@@ -1155,43 +1060,33 @@ async function runStatus(args, deps) {
     deps,
     expired ? "Opensteer CLI has a saved login, but the access token is expired." : "Opensteer CLI is logged in."
   );
-  writeHumanLine(deps, `  Site URL: ${saved.siteUrl}`);
   writeHumanLine(deps, `  API Base URL: ${saved.baseUrl}`);
   writeHumanLine(deps, `  Expires At: ${new Date(saved.expiresAt).toISOString()}`);
   return 0;
 }
 async function runLogout(args, deps) {
-  const { baseUrl, siteUrl } = resolveCloudTarget(args, deps.env, deps.store);
-  deps.store.writeActiveCloudTarget({
-    baseUrl,
-    siteUrl
-  });
-  const saved = deps.store.readCloudCredential({
-    baseUrl,
-    siteUrl
-  });
+  const { baseUrl } = resolveCloudTarget(args, deps.env, deps.store);
+  deps.store.writeActiveCloudTarget({ baseUrl });
+  const saved = deps.store.readCloudCredential({ baseUrl });
   if (saved) {
     try {
-      await revokeToken(saved.siteUrl, saved.refreshToken, deps.fetchFn);
+      await revokeToken(
+        resolveAuthSiteUrl(deps.env),
+        saved.refreshToken,
+        deps.fetchFn
+      );
     } catch {
     }
   }
-  deps.store.clearCloudCredential({
-    baseUrl,
-    siteUrl
-  });
+  deps.store.clearCloudCredential({ baseUrl });
   if (args.json) {
     writeJsonLine(deps, {
       loggedOut: true,
-      baseUrl,
-      siteUrl
+      baseUrl
     });
     return 0;
   }
-  writeHumanLine(
-    deps,
-    `Opensteer CLI login removed for ${siteUrl}.`
-  );
+  writeHumanLine(deps, `Opensteer CLI login removed for ${baseUrl}.`);
   return 0;
 }
 async function runOpensteerAuthCli(rawArgs, overrideDeps = {}) {