opensteer 0.6.1 → 0.6.3

package/README.md

@@ -182,11 +182,10 @@ opensteer auth logout
   `--no-browser` on remote shells, containers, or CI and paste the printed URL
   into a browser manually. In `--json` mode, login prompts go to stderr and the
   final JSON result stays on stdout.
-- Saved machine logins remain scoped per resolved cloud host (`baseUrl` +
-  `siteUrl`). The CLI also remembers the last selected cloud host, so
-  `opensteer auth status`, `opensteer auth logout`, and other cloud commands
-  reuse it by default unless `--base-url`, `--site-url`, or env vars select a
-  different host.
+- Saved machine logins remain scoped per resolved cloud API host (`baseUrl`).
+  The CLI also remembers the last selected cloud host, so `opensteer auth
+  status`, `opensteer auth logout`, and other cloud commands reuse it by
+  default unless `--base-url` or env vars select a different host.
 
 - `OPENSTEER_BASE_URL` overrides the default cloud host
 - `OPENSTEER_ACCESS_TOKEN` provides bearer auth for cloud commands

package/bin/opensteer.mjs

@@ -1149,7 +1149,6 @@ Environment:
   OPENSTEER_API_KEY         Cloud API key credential
   OPENSTEER_ACCESS_TOKEN    Cloud bearer access token credential
   OPENSTEER_BASE_URL        Override cloud control-plane base URL
-  OPENSTEER_CLOUD_SITE_URL  Override cloud site URL for device login endpoints
   OPENSTEER_AUTH_SCHEME     Cloud auth scheme: api-key (default) or bearer
   OPENSTEER_REMOTE_ANNOUNCE Cloud session announcement policy: always (default), off, tty
 `)

package/dist/{chunk-F2VDVOJO.js → chunk-3OMXCBPD.js}

@@ -11,8 +11,9 @@ import {
   resolveCloudSelection,
   resolveConfigWithEnv,
   resolveNamespace,
-  resolveNamespaceDir
-} from "./chunk-WDRMHPWL.js";
+  resolveNamespaceDir,
+  selectCloudCredential
+} from "./chunk-KE35RQOJ.js";
 import {
   flattenExtractionDataToFieldPlan
 } from "./chunk-3H5RRIMZ.js";
@@ -10081,30 +10082,20 @@ var Opensteer = class _Opensteer {
     this.pool = new BrowserPool(resolved.browser || {});
     if (cloudSelection.cloud) {
       const cloudConfig = resolved.cloud && typeof resolved.cloud === "object" ? resolved.cloud : void 0;
-      const apiKey = cloudConfig?.apiKey?.trim();
-      const accessToken = cloudConfig?.accessToken?.trim();
-      if (apiKey && accessToken) {
-        throw new Error(
-          "Cloud mode cannot use both cloud.apiKey and cloud.accessToken. Set only one credential."
-        );
-      }
-      let credential = "";
-      let authScheme = cloudConfig?.authScheme ?? "api-key";
-      if (accessToken) {
-        credential = accessToken;
-        authScheme = "bearer";
-      } else if (apiKey) {
-        credential = apiKey;
-      }
+      const credential = selectCloudCredential({
+        apiKey: cloudConfig?.apiKey,
+        accessToken: cloudConfig?.accessToken,
+        authScheme: cloudConfig?.authScheme
+      });
       if (!credential) {
         throw new Error(
           "Cloud mode requires credentials via cloud.apiKey/cloud.accessToken or OPENSTEER_API_KEY/OPENSTEER_ACCESS_TOKEN."
         );
       }
       this.cloud = createCloudRuntimeState(
-        credential,
+        credential.token,
         cloudConfig?.baseUrl,
-        authScheme
+        credential.authScheme
       );
     } else {
       this.cloud = null;

package/dist/{chunk-WJI7TGBQ.js → chunk-FTKWQ6X3.js}

@@ -2,7 +2,7 @@ import {
   cloudAuthHeaders,
   normalizeCloudBaseUrl,
   parseCloudHttpError
-} from "./chunk-WDRMHPWL.js";
+} from "./chunk-KE35RQOJ.js";
 
 // src/cloud/browser-profile-client.ts
 var BrowserProfileClient = class {

package/dist/{chunk-WDRMHPWL.js → chunk-KE35RQOJ.js}

@@ -261,6 +261,67 @@ import fs from "fs";
 import path2 from "path";
 import { fileURLToPath } from "url";
 import { parse as parseDotenv } from "dotenv";
+
+// src/cloud/credential-selection.ts
+function selectCloudCredential(options) {
+  const apiKey = normalizeNonEmptyString(options.apiKey);
+  const accessToken = normalizeNonEmptyString(options.accessToken);
+  if (apiKey) {
+    if (options.authScheme === "bearer") {
+      return {
+        apiKey,
+        authScheme: "bearer",
+        kind: "access-token",
+        token: apiKey,
+        compatibilityBearerApiKey: true
+      };
+    }
+    return {
+      apiKey,
+      authScheme: "api-key",
+      kind: "api-key",
+      token: apiKey
+    };
+  }
+  if (accessToken) {
+    return {
+      accessToken,
+      authScheme: "bearer",
+      kind: "access-token",
+      token: accessToken
+    };
+  }
+  return null;
+}
+function selectCloudCredentialByPrecedence(layers, authScheme) {
+  for (const layer of layers) {
+    const hasApiKey = layer.hasApiKey ?? Object.prototype.hasOwnProperty.call(layer, "apiKey");
+    const hasAccessToken = layer.hasAccessToken ?? Object.prototype.hasOwnProperty.call(layer, "accessToken");
+    if (!hasApiKey && !hasAccessToken) {
+      continue;
+    }
+    return {
+      source: layer.source,
+      apiKey: layer.apiKey,
+      accessToken: layer.accessToken,
+      hasApiKey,
+      hasAccessToken,
+      credential: selectCloudCredential({
+        apiKey: layer.apiKey,
+        accessToken: layer.accessToken,
+        authScheme: layer.authScheme ?? authScheme
+      })
+    };
+  }
+  return null;
+}
+function normalizeNonEmptyString(value) {
+  if (typeof value !== "string") return void 0;
+  const normalized = value.trim();
+  return normalized.length ? normalized : void 0;
+}
+
+// src/config.ts
 var DEFAULT_CONFIG = {
   browser: {
     headless: false,
@@ -552,11 +613,6 @@ function normalizeCloudOptions(value) {
   }
   return value;
 }
-function normalizeNonEmptyString(value) {
-  if (typeof value !== "string") return void 0;
-  const normalized = value.trim();
-  return normalized.length ? normalized : void 0;
-}
 function parseCloudEnabled(value, source) {
   if (value == null) return void 0;
   if (typeof value === "boolean") return value;
@@ -565,6 +621,18 @@ function parseCloudEnabled(value, source) {
     `Invalid ${source} value "${String(value)}". Use true, false, or a cloud options object.`
   );
 }
+function resolveCloudCredentialFields(selectedLayer) {
+  const credential = selectedLayer?.credential;
+  if (!credential) return {};
+  if (credential.kind === "api-key" || credential.compatibilityBearerApiKey === true && selectedLayer?.source !== "env") {
+    return {
+      apiKey: credential.token
+    };
+  }
+  return {
+    accessToken: credential.token
+  };
+}
 function resolveCloudSelection(config, env = process.env) {
   const configCloud = parseCloudEnabled(config.cloud, "cloud");
   if (configCloud !== void 0) {
@@ -601,6 +669,9 @@ function resolveConfigWithEnv(input = {}, options = {}) {
   });
   assertNoLegacyAiConfig(".opensteer/config.json", fileConfig);
   assertNoLegacyRuntimeConfig(".opensteer/config.json", fileConfig);
+  const fileCloudOptions = normalizeCloudOptions(fileConfig.cloud);
+  const fileHasCloudApiKey = hasOwn(fileCloudOptions, "apiKey");
+  const fileHasCloudAccessToken = hasOwn(fileCloudOptions, "accessToken");
   const fileRootDir = typeof fileConfig.storage?.rootDir === "string" ? fileConfig.storage.rootDir : void 0;
   const envRootDir = input.storage?.rootDir ?? fileRootDir ?? initialRootDir;
   const env = resolveEnv(envRootDir, {
@@ -639,13 +710,6 @@ function resolveConfigWithEnv(input = {}, options = {}) {
   const envAccessTokenRaw = resolveOpensteerAccessToken(env);
   const envBaseUrl = resolveOpensteerBaseUrl(env);
   const envAuthScheme = resolveOpensteerAuthScheme(env);
-  if (envApiKey && envAccessTokenRaw) {
-    throw new Error(
-      "OPENSTEER_API_KEY and OPENSTEER_ACCESS_TOKEN are mutually exclusive. Set only one."
-    );
-  }
-  const envAccessToken = envAccessTokenRaw || (envAuthScheme === "bearer" ? envApiKey : void 0);
-  const envApiCredential = envAuthScheme === "bearer" && !envAccessTokenRaw ? void 0 : envApiKey;
   const envCloudProfileId = resolveOpensteerCloudProfileId(env);
   const envCloudProfileReuseIfActive = resolveOpensteerCloudProfileReuseIfActive(env);
   const envCloudAnnounce = parseCloudAnnounce(
@@ -674,11 +738,6 @@ function resolveConfigWithEnv(input = {}, options = {}) {
   const inputHasCloudBaseUrl = Boolean(
     inputCloudOptions && Object.prototype.hasOwnProperty.call(inputCloudOptions, "baseUrl")
   );
-  if (normalizeNonEmptyString(inputCloudOptions?.apiKey) && normalizeNonEmptyString(inputCloudOptions?.accessToken)) {
-    throw new Error(
-      "cloud.apiKey and cloud.accessToken are mutually exclusive. Set only one."
-    );
-  }
   const cloudSelection = resolveCloudSelection({
     cloud: resolved.cloud
   }, env);
@@ -689,11 +748,6 @@ function resolveConfigWithEnv(input = {}, options = {}) {
       accessToken: resolvedCloudAccessTokenRaw,
       ...resolvedCloudRest
     } = resolvedCloud;
-    if (normalizeNonEmptyString(resolvedCloudApiKeyRaw) && normalizeNonEmptyString(resolvedCloudAccessTokenRaw)) {
-      throw new Error(
-        "Cloud config cannot include both apiKey and accessToken at the same time."
-      );
-    }
     const resolvedCloudBrowserProfile = normalizeCloudBrowserProfileOptions(
       resolvedCloud.browserProfile,
       "resolved.cloud.browserProfile"
@@ -705,25 +759,40 @@ function resolveConfigWithEnv(input = {}, options = {}) {
     const browserProfile = inputCloudBrowserProfile ?? envCloudBrowserProfile ?? resolvedCloudBrowserProfile;
     let authScheme = inputAuthScheme ?? envAuthScheme ?? parseAuthScheme(resolvedCloud.authScheme, "cloud.authScheme") ?? "api-key";
     const announce = inputCloudAnnounce ?? envCloudAnnounce ?? parseCloudAnnounce(resolvedCloud.announce, "cloud.announce") ?? "always";
-    const credentialOverriddenByInput = inputHasCloudApiKey || inputHasCloudAccessToken;
-    let apiKey = normalizeNonEmptyString(resolvedCloudApiKeyRaw);
-    let accessToken = normalizeNonEmptyString(resolvedCloudAccessTokenRaw);
-    if (!credentialOverriddenByInput) {
-      if (envAccessToken) {
-        accessToken = envAccessToken;
-        apiKey = void 0;
-      } else if (envApiCredential) {
-        apiKey = envApiCredential;
-        accessToken = void 0;
-      }
-    }
+    const selectedCredentialLayer = selectCloudCredentialByPrecedence(
+      [
+        {
+          source: "input",
+          apiKey: inputCloudOptions?.apiKey,
+          accessToken: inputCloudOptions?.accessToken,
+          hasApiKey: inputHasCloudApiKey,
+          hasAccessToken: inputHasCloudAccessToken
+        },
+        {
+          source: "env",
+          apiKey: envApiKey,
+          accessToken: envAccessTokenRaw,
+          hasApiKey: envApiKey !== void 0,
+          hasAccessToken: envAccessTokenRaw !== void 0
+        },
+        {
+          source: "file",
+          apiKey: fileCloudOptions?.apiKey,
+          accessToken: fileCloudOptions?.accessToken,
+          hasApiKey: fileHasCloudApiKey,
+          hasAccessToken: fileHasCloudAccessToken
+        }
+      ],
+      authScheme
+    );
+    const { apiKey, accessToken } = resolveCloudCredentialFields(selectedCredentialLayer);
     if (accessToken) {
       authScheme = "bearer";
     }
     resolved.cloud = {
       ...resolvedCloudRest,
-      ...inputHasCloudApiKey ? { apiKey: resolvedCloudApiKeyRaw } : apiKey ? { apiKey } : {},
-      ...inputHasCloudAccessToken ? { accessToken: resolvedCloudAccessTokenRaw } : accessToken ? { accessToken } : {},
+      ...apiKey ? { apiKey } : selectedCredentialLayer?.hasApiKey && !accessToken ? { apiKey: selectedCredentialLayer.apiKey } : {},
+      ...accessToken ? { accessToken } : selectedCredentialLayer?.hasAccessToken && !apiKey ? { accessToken: selectedCredentialLayer.accessToken } : {},
       authScheme,
       announce,
       ...browserProfile ? { browserProfile } : {}
@@ -1300,6 +1369,7 @@ export {
   createKeychainStore,
   extractErrorMessage,
   normalizeError,
+  selectCloudCredential,
   normalizeNamespace,
   resolveNamespaceDir,
   resolveCloudSelection,