npm - opensteer - Versions diffs - 0.6.1 → 0.6.3 - Mend

opensteer 0.6.1 → 0.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/README.md +4 -5
package/bin/opensteer.mjs +0 -1
package/dist/{chunk-F2VDVOJO.js → chunk-3OMXCBPD.js} +10 -19
package/dist/{chunk-WJI7TGBQ.js → chunk-FTKWQ6X3.js} +1 -1
package/dist/{chunk-WDRMHPWL.js → chunk-KE35RQOJ.js} +106 -36
package/dist/{chunk-3FNI7JUU.js → chunk-SCNX4NN3.js} +114 -241
package/dist/cli/auth.cjs +215 -276
package/dist/cli/auth.d.cts +0 -6
package/dist/cli/auth.d.ts +0 -6
package/dist/cli/auth.js +2 -2
package/dist/cli/profile.cjs +199 -259
package/dist/cli/profile.d.cts +0 -2
package/dist/cli/profile.d.ts +0 -2
package/dist/cli/profile.js +4 -28
package/dist/cli/server.cjs +110 -53
package/dist/cli/server.js +2 -2
package/dist/index.cjs +110 -53
package/dist/index.js +3 -3
package/package.json +1 -1

package/dist/cli/auth.cjs CHANGED Viewed

@@ -94,6 +94,65 @@ function toNonEmptyString(value) {
   return normalized.length ? normalized : void 0;
 }
+// src/cloud/credential-selection.ts
+function selectCloudCredential(options) {
+  const apiKey = normalizeNonEmptyString(options.apiKey);
+  const accessToken = normalizeNonEmptyString(options.accessToken);
+  if (apiKey) {
+    if (options.authScheme === "bearer") {
+      return {
+        apiKey,
+        authScheme: "bearer",
+        kind: "access-token",
+        token: apiKey,
+        compatibilityBearerApiKey: true
+      };
+    }
+    return {
+      apiKey,
+      authScheme: "api-key",
+      kind: "api-key",
+      token: apiKey
+    };
+  }
+  if (accessToken) {
+    return {
+      accessToken,
+      authScheme: "bearer",
+      kind: "access-token",
+      token: accessToken
+    };
+  }
+  return null;
+}
+function selectCloudCredentialByPrecedence(layers, authScheme) {
+  for (const layer of layers) {
+    const hasApiKey = layer.hasApiKey ?? Object.prototype.hasOwnProperty.call(layer, "apiKey");
+    const hasAccessToken = layer.hasAccessToken ?? Object.prototype.hasOwnProperty.call(layer, "accessToken");
+    if (!hasApiKey && !hasAccessToken) {
+      continue;
+    }
+    return {
+      source: layer.source,
+      apiKey: layer.apiKey,
+      accessToken: layer.accessToken,
+      hasApiKey,
+      hasAccessToken,
+      credential: selectCloudCredential({
+        apiKey: layer.apiKey,
+        accessToken: layer.accessToken,
+        authScheme: layer.authScheme ?? authScheme
+      })
+    };
+  }
+  return null;
+}
+function normalizeNonEmptyString(value) {
+  if (typeof value !== "string") return void 0;
+  const normalized = value.trim();
+  return normalized.length ? normalized : void 0;
+}
 // src/config.ts
 var DEFAULT_CONFIG = {
   browser: {
@@ -386,11 +445,6 @@ function normalizeCloudOptions(value) {
   }
   return value;
 }
-function normalizeNonEmptyString(value) {
-  if (typeof value !== "string") return void 0;
-  const normalized = value.trim();
-  return normalized.length ? normalized : void 0;
-}
 function parseCloudEnabled(value, source) {
   if (value == null) return void 0;
   if (typeof value === "boolean") return value;
@@ -399,6 +453,18 @@ function parseCloudEnabled(value, source) {
     `Invalid ${source} value "${String(value)}". Use true, false, or a cloud options object.`
   );
 }
+function resolveCloudCredentialFields(selectedLayer) {
+  const credential = selectedLayer?.credential;
+  if (!credential) return {};
+  if (credential.kind === "api-key" || credential.compatibilityBearerApiKey === true && selectedLayer?.source !== "env") {
+    return {
+      apiKey: credential.token
+    };
+  }
+  return {
+    accessToken: credential.token
+  };
+}
 function resolveCloudSelection(config, env = process.env) {
   const configCloud = parseCloudEnabled(config.cloud, "cloud");
   if (configCloud !== void 0) {
@@ -435,6 +501,9 @@ function resolveConfigWithEnv(input = {}, options = {}) {
   });
   assertNoLegacyAiConfig(".opensteer/config.json", fileConfig);
   assertNoLegacyRuntimeConfig(".opensteer/config.json", fileConfig);
+  const fileCloudOptions = normalizeCloudOptions(fileConfig.cloud);
+  const fileHasCloudApiKey = hasOwn(fileCloudOptions, "apiKey");
+  const fileHasCloudAccessToken = hasOwn(fileCloudOptions, "accessToken");
   const fileRootDir = typeof fileConfig.storage?.rootDir === "string" ? fileConfig.storage.rootDir : void 0;
   const envRootDir = input.storage?.rootDir ?? fileRootDir ?? initialRootDir;
   const env = resolveEnv(envRootDir, {
@@ -473,13 +542,6 @@ function resolveConfigWithEnv(input = {}, options = {}) {
   const envAccessTokenRaw = resolveOpensteerAccessToken(env);
   const envBaseUrl = resolveOpensteerBaseUrl(env);
   const envAuthScheme = resolveOpensteerAuthScheme(env);
-  if (envApiKey && envAccessTokenRaw) {
-    throw new Error(
-      "OPENSTEER_API_KEY and OPENSTEER_ACCESS_TOKEN are mutually exclusive. Set only one."
-    );
-  }
-  const envAccessToken = envAccessTokenRaw || (envAuthScheme === "bearer" ? envApiKey : void 0);
-  const envApiCredential = envAuthScheme === "bearer" && !envAccessTokenRaw ? void 0 : envApiKey;
   const envCloudProfileId = resolveOpensteerCloudProfileId(env);
   const envCloudProfileReuseIfActive = resolveOpensteerCloudProfileReuseIfActive(env);
   const envCloudAnnounce = parseCloudAnnounce(
@@ -508,11 +570,6 @@ function resolveConfigWithEnv(input = {}, options = {}) {
   const inputHasCloudBaseUrl = Boolean(
     inputCloudOptions && Object.prototype.hasOwnProperty.call(inputCloudOptions, "baseUrl")
   );
-  if (normalizeNonEmptyString(inputCloudOptions?.apiKey) && normalizeNonEmptyString(inputCloudOptions?.accessToken)) {
-    throw new Error(
-      "cloud.apiKey and cloud.accessToken are mutually exclusive. Set only one."
-    );
-  }
   const cloudSelection = resolveCloudSelection({
     cloud: resolved.cloud
   }, env);
@@ -523,11 +580,6 @@ function resolveConfigWithEnv(input = {}, options = {}) {
       accessToken: resolvedCloudAccessTokenRaw,
       ...resolvedCloudRest
     } = resolvedCloud;
-    if (normalizeNonEmptyString(resolvedCloudApiKeyRaw) && normalizeNonEmptyString(resolvedCloudAccessTokenRaw)) {
-      throw new Error(
-        "Cloud config cannot include both apiKey and accessToken at the same time."
-      );
-    }
     const resolvedCloudBrowserProfile = normalizeCloudBrowserProfileOptions(
       resolvedCloud.browserProfile,
       "resolved.cloud.browserProfile"
@@ -539,25 +591,40 @@ function resolveConfigWithEnv(input = {}, options = {}) {
     const browserProfile = inputCloudBrowserProfile ?? envCloudBrowserProfile ?? resolvedCloudBrowserProfile;
     let authScheme = inputAuthScheme ?? envAuthScheme ?? parseAuthScheme(resolvedCloud.authScheme, "cloud.authScheme") ?? "api-key";
     const announce = inputCloudAnnounce ?? envCloudAnnounce ?? parseCloudAnnounce(resolvedCloud.announce, "cloud.announce") ?? "always";
-    const credentialOverriddenByInput = inputHasCloudApiKey || inputHasCloudAccessToken;
-    let apiKey = normalizeNonEmptyString(resolvedCloudApiKeyRaw);
-    let accessToken = normalizeNonEmptyString(resolvedCloudAccessTokenRaw);
-    if (!credentialOverriddenByInput) {
-      if (envAccessToken) {
-        accessToken = envAccessToken;
-        apiKey = void 0;
-      } else if (envApiCredential) {
-        apiKey = envApiCredential;
-        accessToken = void 0;
-      }
-    }
+    const selectedCredentialLayer = selectCloudCredentialByPrecedence(
+      [
+        {
+          source: "input",
+          apiKey: inputCloudOptions?.apiKey,
+          accessToken: inputCloudOptions?.accessToken,
+          hasApiKey: inputHasCloudApiKey,
+          hasAccessToken: inputHasCloudAccessToken
+        },
+        {
+          source: "env",
+          apiKey: envApiKey,
+          accessToken: envAccessTokenRaw,
+          hasApiKey: envApiKey !== void 0,
+          hasAccessToken: envAccessTokenRaw !== void 0
+        },
+        {
+          source: "file",
+          apiKey: fileCloudOptions?.apiKey,
+          accessToken: fileCloudOptions?.accessToken,
+          hasApiKey: fileHasCloudApiKey,
+          hasAccessToken: fileHasCloudAccessToken
+        }
+      ],
+      authScheme
+    );
+    const { apiKey, accessToken } = resolveCloudCredentialFields(selectedCredentialLayer);
     if (accessToken) {
       authScheme = "bearer";
     }
     resolved.cloud = {
       ...resolvedCloudRest,
-      ...inputHasCloudApiKey ? { apiKey: resolvedCloudApiKeyRaw } : apiKey ? { apiKey } : {},
-      ...inputHasCloudAccessToken ? { accessToken: resolvedCloudAccessTokenRaw } : accessToken ? { accessToken } : {},
+      ...apiKey ? { apiKey } : selectedCredentialLayer?.hasApiKey && !accessToken ? { apiKey: selectedCredentialLayer.apiKey } : {},
+      ...accessToken ? { accessToken } : selectedCredentialLayer?.hasAccessToken && !apiKey ? { accessToken: selectedCredentialLayer.accessToken } : {},
       authScheme,
       announce,
       ...browserProfile ? { browserProfile } : {}
@@ -577,59 +644,21 @@ function resolveConfigWithEnv(input = {}, options = {}) {
 // src/auth/credential-resolver.ts
 function resolveCloudCredential(options) {
-  const flagApiKey = normalizeToken(options.apiKeyFlag);
-  const flagAccessToken = normalizeToken(options.accessTokenFlag);
-  if (flagApiKey && flagAccessToken) {
-    throw new Error("--api-key and --access-token are mutually exclusive.");
-  }
-  if (flagAccessToken) {
-    return {
-      kind: "access-token",
-      source: "flag",
-      token: flagAccessToken,
-      authScheme: "bearer"
-    };
-  }
-  if (flagApiKey) {
-    return {
-      kind: "api-key",
-      source: "flag",
-      token: flagApiKey,
-      authScheme: "api-key"
-    };
+  const flagCredential = selectCloudCredential({
+    apiKey: options.apiKeyFlag,
+    accessToken: options.accessTokenFlag
+  });
+  if (flagCredential) {
+    return toResolvedCloudCredential("flag", flagCredential);
   }
   const envAuthScheme = parseEnvAuthScheme(options.env.OPENSTEER_AUTH_SCHEME);
-  const envApiKey = normalizeToken(options.env.OPENSTEER_API_KEY);
-  const envAccessToken = normalizeToken(options.env.OPENSTEER_ACCESS_TOKEN);
-  if (envApiKey && envAccessToken) {
-    throw new Error(
-      "OPENSTEER_API_KEY and OPENSTEER_ACCESS_TOKEN are mutually exclusive. Set only one."
-    );
-  }
-  if (envAccessToken) {
-    return {
-      kind: "access-token",
-      source: "env",
-      token: envAccessToken,
-      authScheme: "bearer"
-    };
-  }
-  if (envApiKey) {
-    if (envAuthScheme === "bearer") {
-      return {
-        kind: "access-token",
-        source: "env",
-        token: envApiKey,
-        authScheme: "bearer",
-        compatibilityBearerApiKey: true
-      };
-    }
-    return {
-      kind: "api-key",
-      source: "env",
-      token: envApiKey,
-      authScheme: envAuthScheme ?? "api-key"
-    };
+  const envCredential = selectCloudCredential({
+    apiKey: options.env.OPENSTEER_API_KEY,
+    accessToken: options.env.OPENSTEER_ACCESS_TOKEN,
+    authScheme: envAuthScheme
+  });
+  if (envCredential) {
+    return toResolvedCloudCredential("env", envCredential);
   }
   return null;
 }
@@ -659,6 +688,23 @@ function normalizeToken(value) {
   const normalized = value.trim();
   return normalized.length ? normalized : void 0;
 }
+function toResolvedCloudCredential(source, credential) {
+  if (credential.compatibilityBearerApiKey) {
+    return {
+      kind: credential.kind,
+      source,
+      token: credential.token,
+      authScheme: credential.authScheme,
+      compatibilityBearerApiKey: true
+    };
+  }
+  return {
+    kind: credential.kind,
+    source,
+    token: credential.token,
+    authScheme: credential.authScheme
+  };
+}
 // src/auth/machine-credential-store.ts
 var import_node_crypto = require("crypto");
@@ -804,13 +850,10 @@ function createKeychainStore() {
 }
 // src/auth/machine-credential-store.ts
-var METADATA_VERSION = 1;
-var ACTIVE_TARGET_VERSION = 1;
+var METADATA_VERSION = 2;
+var ACTIVE_TARGET_VERSION = 2;
 var KEYCHAIN_SERVICE = "com.opensteer.cli.cloud";
 var KEYCHAIN_ACCOUNT_PREFIX = "machine:";
-var LEGACY_KEYCHAIN_ACCOUNT = "machine";
-var LEGACY_METADATA_FILE_NAME = "cli-login.json";
-var LEGACY_FALLBACK_SECRET_FILE_NAME = "cli-login.secret.json";
 var ACTIVE_TARGET_FILE_NAME = "cli-target.json";
 var MachineCredentialStore = class {
   authDir;
@@ -825,8 +868,11 @@ var MachineCredentialStore = class {
     this.warn = options.warn ?? (() => void 0);
   }
   readCloudCredential(target) {
-    const slot = resolveCredentialSlot(this.authDir, target);
-    return this.readCredentialSlot(slot, target) ?? this.readAndMigrateLegacyCredential(target);
+    const normalizedTarget = normalizeCloudCredentialTarget(target);
+    return this.readCredentialSlot(
+      resolveCredentialSlot(this.authDir, normalizedTarget),
+      normalizedTarget
+    );
   }
   writeCloudCredential(args) {
     const accessToken = args.accessToken.trim();
@@ -834,12 +880,8 @@ var MachineCredentialStore = class {
     if (!accessToken || !refreshToken2) {
       throw new Error("Cannot persist empty machine credential secrets.");
     }
-    const baseUrl = normalizeCredentialUrl(args.baseUrl, "baseUrl");
-    const siteUrl = normalizeCredentialUrl(args.siteUrl, "siteUrl");
-    const slot = resolveCredentialSlot(this.authDir, {
-      baseUrl,
-      siteUrl
-    });
+    const baseUrl = normalizeCredentialUrl(args.baseUrl);
+    const slot = resolveCredentialSlot(this.authDir, { baseUrl });
     ensureDirectory(this.authDir);
     const secretPayload = {
       accessToken,
@@ -866,7 +908,6 @@ var MachineCredentialStore = class {
       version: METADATA_VERSION,
       secretBackend,
       baseUrl,
-      siteUrl,
       scope: args.scope,
       obtainedAt: args.obtainedAt,
       expiresAt: args.expiresAt,
@@ -878,23 +919,18 @@ var MachineCredentialStore = class {
     return readActiveCloudTargetMetadata(resolveActiveTargetPath(this.authDir));
   }
   writeActiveCloudTarget(target) {
-    const baseUrl = normalizeCredentialUrl(target.baseUrl, "baseUrl");
-    const siteUrl = normalizeCredentialUrl(target.siteUrl, "siteUrl");
+    const baseUrl = normalizeCredentialUrl(target.baseUrl);
     ensureDirectory(this.authDir);
     writeJsonFile(resolveActiveTargetPath(this.authDir), {
       version: ACTIVE_TARGET_VERSION,
       baseUrl,
-      siteUrl,
       updatedAt: Date.now()
     });
   }
   clearCloudCredential(target) {
-    this.clearCredentialSlot(resolveCredentialSlot(this.authDir, target));
-    const legacySlot = resolveLegacyCredentialSlot(this.authDir);
-    const legacyMetadata = readMetadata(legacySlot.metadataPath);
-    if (legacyMetadata && matchesCredentialTarget(legacyMetadata, target)) {
-      this.clearCredentialSlot(legacySlot);
-    }
+    this.clearCredentialSlot(
+      resolveCredentialSlot(this.authDir, normalizeCloudCredentialTarget(target))
+    );
   }
   readCredentialSlot(slot, target) {
     const metadata = readMetadata(slot.metadataPath);
@@ -910,7 +946,6 @@ var MachineCredentialStore = class {
     }
     return {
       baseUrl: metadata.baseUrl,
-      siteUrl: metadata.siteUrl,
       scope: metadata.scope,
       accessToken: secret.accessToken,
       refreshToken: secret.refreshToken,
@@ -918,16 +953,6 @@ var MachineCredentialStore = class {
       expiresAt: metadata.expiresAt
     };
   }
-  readAndMigrateLegacyCredential(target) {
-    const legacySlot = resolveLegacyCredentialSlot(this.authDir);
-    const legacyCredential = this.readCredentialSlot(legacySlot, target);
-    if (!legacyCredential) {
-      return null;
-    }
-    this.writeCloudCredential(legacyCredential);
-    this.clearCredentialSlot(legacySlot);
-    return legacyCredential;
-  }
   readSecret(slot, backend) {
     if (backend === "keychain" && this.keychain) {
       try {
@@ -968,9 +993,8 @@ function createMachineCredentialStore(options = {}) {
   return new MachineCredentialStore(options);
 }
 function resolveCredentialSlot(authDir, target) {
-  const normalizedBaseUrl = normalizeCredentialUrl(target.baseUrl, "baseUrl");
-  const normalizedSiteUrl = normalizeCredentialUrl(target.siteUrl, "siteUrl");
-  const storageKey = (0, import_node_crypto.createHash)("sha256").update(`${normalizedBaseUrl}\0${normalizedSiteUrl}`).digest("hex").slice(0, 24);
+  const normalizedBaseUrl = normalizeCredentialUrl(target.baseUrl);
+  const storageKey = (0, import_node_crypto.createHash)("sha256").update(normalizedBaseUrl).digest("hex").slice(0, 24);
   return {
     keychainAccount: `${KEYCHAIN_ACCOUNT_PREFIX}${storageKey}`,
     metadataPath: import_node_path.default.join(authDir, `cli-login.${storageKey}.json`),
@@ -980,26 +1004,24 @@ function resolveCredentialSlot(authDir, target) {
     )
   };
 }
-function resolveLegacyCredentialSlot(authDir) {
-  return {
-    keychainAccount: LEGACY_KEYCHAIN_ACCOUNT,
-    metadataPath: import_node_path.default.join(authDir, LEGACY_METADATA_FILE_NAME),
-    fallbackSecretPath: import_node_path.default.join(authDir, LEGACY_FALLBACK_SECRET_FILE_NAME)
-  };
-}
 function resolveActiveTargetPath(authDir) {
   return import_node_path.default.join(authDir, ACTIVE_TARGET_FILE_NAME);
 }
 function matchesCredentialTarget(value, target) {
-  return normalizeCredentialUrl(value.baseUrl, "baseUrl") === normalizeCredentialUrl(target.baseUrl, "baseUrl") && normalizeCredentialUrl(value.siteUrl, "siteUrl") === normalizeCredentialUrl(target.siteUrl, "siteUrl");
+  return normalizeCredentialUrl(value.baseUrl) === normalizeCredentialUrl(target.baseUrl);
 }
-function normalizeCredentialUrl(value, field) {
+function normalizeCredentialUrl(value) {
   const normalized = stripTrailingSlashes(value.trim());
   if (!normalized) {
-    throw new Error(`Cannot persist machine credential without ${field}.`);
+    throw new Error("Cannot persist machine credential without baseUrl.");
   }
   return normalized;
 }
+function normalizeCloudCredentialTarget(target) {
+  return {
+    baseUrl: normalizeCredentialUrl(target.baseUrl)
+  };
+}
 function resolveConfigDir(appName, env) {
   if (process.platform === "win32") {
     const appData = env.APPDATA?.trim() || import_node_path.default.join(import_node_os.default.homedir(), "AppData", "Roaming");
@@ -1038,7 +1060,6 @@ function readMetadata(filePath) {
       return null;
     }
     if (typeof parsed.baseUrl !== "string" || !parsed.baseUrl.trim()) return null;
-    if (typeof parsed.siteUrl !== "string" || !parsed.siteUrl.trim()) return null;
     if (!Array.isArray(parsed.scope)) return null;
     if (typeof parsed.obtainedAt !== "number") return null;
     if (typeof parsed.expiresAt !== "number") return null;
@@ -1047,7 +1068,6 @@ function readMetadata(filePath) {
       version: parsed.version,
       secretBackend: parsed.secretBackend,
       baseUrl: parsed.baseUrl,
-      siteUrl: parsed.siteUrl,
       scope: parsed.scope.filter(
         (value) => typeof value === "string"
       ),
@@ -1072,12 +1092,8 @@ function readActiveCloudTargetMetadata(filePath) {
     if (typeof parsed.baseUrl !== "string" || !parsed.baseUrl.trim()) {
       return null;
     }
-    if (typeof parsed.siteUrl !== "string" || !parsed.siteUrl.trim()) {
-      return null;
-    }
     return {
-      baseUrl: parsed.baseUrl,
-      siteUrl: parsed.siteUrl
+      baseUrl: parsed.baseUrl
     };
   } catch {
     return null;
@@ -1102,14 +1118,13 @@ function readSecretFile(filePath) {
     return null;
   }
   try {
-    const raw = import_node_fs.default.readFileSync(filePath, "utf8");
-    return parseSecretPayload(raw);
+    return parseSecretPayload(import_node_fs.default.readFileSync(filePath, "utf8"));
   } catch {
     return null;
   }
 }
-function writeJsonFile(filePath, payload, options = {}) {
-  import_node_fs.default.writeFileSync(filePath, JSON.stringify(payload, null, 2), {
+function writeJsonFile(filePath, value, options = {}) {
+  import_node_fs.default.writeFileSync(filePath, JSON.stringify(value, null, 2), {
     encoding: "utf8",
     mode: options.mode ?? 384
   });
@@ -1140,11 +1155,12 @@ Commands:
 Options:
   --base-url <url>          Cloud API base URL (defaults to env or the last selected host)
-  --site-url <url>          Cloud site URL for browser/device auth (defaults to env or the last selected host)
   --json                    JSON output (login prompts go to stderr)
   --no-browser              Do not auto-open your default browser during login
   -h, --help                Show this help
 `;
+var DEFAULT_AUTH_SITE_URL = "https://opensteer.com";
+var INTERNAL_AUTH_SITE_URL_ENV = "OPENSTEER_INTERNAL_AUTH_SITE_URL";
 function createDefaultDeps() {
   const env = process.env;
   return {
@@ -1196,13 +1212,6 @@ function parseAuthCommonArgs(rawArgs) {
       i = value.nextIndex;
       continue;
     }
-    if (arg === "--site-url") {
-      const value = readFlagValue(rawArgs, i, "--site-url");
-      if (!value.ok) return { args, error: value.error };
-      args.siteUrl = value.value;
-      i = value.nextIndex;
-      continue;
-    }
     return {
       args,
       error: `Unsupported option "${arg}".`
@@ -1272,16 +1281,19 @@ function resolveBaseUrl(provided, env) {
   assertSecureUrl(baseUrl, "--base-url");
   return baseUrl;
 }
-function resolveSiteUrl(provided, baseUrl, env) {
-  const siteUrl = normalizeCloudBaseUrl(
-    (provided || env.OPENSTEER_CLOUD_SITE_URL || deriveSiteUrlFromBaseUrl(baseUrl)).trim()
+function resolveAuthSiteUrl(env) {
+  const authSiteUrl = normalizeCloudBaseUrl(
+    (env[INTERNAL_AUTH_SITE_URL_ENV] || DEFAULT_AUTH_SITE_URL).trim()
   );
-  assertSecureUrl(siteUrl, "--site-url");
-  return siteUrl;
+  assertSecureUrl(
+    authSiteUrl,
+    `environment variable ${INTERNAL_AUTH_SITE_URL_ENV}`
+  );
+  return authSiteUrl;
 }
-function hasExplicitCloudTargetSelection(providedBaseUrl, providedSiteUrl, env) {
+function hasExplicitCloudTargetSelection(providedBaseUrl, env) {
   return Boolean(
-    providedBaseUrl?.trim() || providedSiteUrl?.trim() || env.OPENSTEER_BASE_URL?.trim() || env.OPENSTEER_CLOUD_SITE_URL?.trim()
+    providedBaseUrl?.trim() || env.OPENSTEER_BASE_URL?.trim()
   );
 }
 function readRememberedCloudTarget(store) {
@@ -1291,57 +1303,21 @@ function readRememberedCloudTarget(store) {
   }
   try {
     const baseUrl = normalizeCloudBaseUrl(activeTarget.baseUrl);
-    const siteUrl = normalizeCloudBaseUrl(activeTarget.siteUrl);
     assertSecureUrl(baseUrl, "--base-url");
-    assertSecureUrl(siteUrl, "--site-url");
-    return {
-      baseUrl,
-      siteUrl
-    };
+    return { baseUrl };
   } catch {
     return null;
   }
 }
-function resolveCloudTarget(args, env, store) {
-  if (!hasExplicitCloudTargetSelection(args.baseUrl, args.siteUrl, env)) {
+function resolveCloudTarget(args, env, store, options = {}) {
+  if (options.allowRememberedTarget !== false && !hasExplicitCloudTargetSelection(args.baseUrl, env)) {
     const rememberedTarget = readRememberedCloudTarget(store);
     if (rememberedTarget) {
       return rememberedTarget;
     }
   }
   const baseUrl = resolveBaseUrl(args.baseUrl, env);
-  const siteUrl = resolveSiteUrl(args.siteUrl, baseUrl, env);
-  return {
-    baseUrl,
-    siteUrl
-  };
-}
-function deriveSiteUrlFromBaseUrl(baseUrl) {
-  let parsed;
-  try {
-    parsed = new URL(baseUrl);
-  } catch {
-    return "https://opensteer.com";
-  }
-  const hostname = parsed.hostname.toLowerCase();
-  if (hostname.startsWith("api.")) {
-    parsed.hostname = hostname.slice("api.".length);
-    parsed.pathname = "";
-    parsed.search = "";
-    parsed.hash = "";
-    return normalizeCloudBaseUrl(parsed.toString());
-  }
-  if (hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1") {
-    parsed.port = "3001";
-    parsed.pathname = "";
-    parsed.search = "";
-    parsed.hash = "";
-    return normalizeCloudBaseUrl(parsed.toString());
-  }
-  parsed.pathname = "";
-  parsed.search = "";
-  parsed.hash = "";
-  return normalizeCloudBaseUrl(parsed.toString());
+  return { baseUrl };
 }
 function assertSecureUrl(value, flag) {
   let parsed;
@@ -1416,10 +1392,10 @@ function parseCliOauthError(error) {
     interval: typeof root.interval === "number" ? root.interval : void 0
   };
 }
-async function startDeviceAuthorization(siteUrl, fetchFn) {
+async function startDeviceAuthorization(authSiteUrl, fetchFn) {
   const response = await postJson(
     fetchFn,
-    `${siteUrl}/api/cli-auth/device/start`,
+    `${authSiteUrl}/api/cli-auth/device/start`,
     {
       scope: ["cloud:browser"]
     }
@@ -1429,24 +1405,24 @@ async function startDeviceAuthorization(siteUrl, fetchFn) {
   }
   return response;
 }
-async function pollDeviceToken(siteUrl, deviceCode, fetchFn) {
+async function pollDeviceToken(authSiteUrl, deviceCode, fetchFn) {
   return await postJson(
     fetchFn,
-    `${siteUrl}/api/cli-auth/device/token`,
+    `${authSiteUrl}/api/cli-auth/device/token`,
     {
       grant_type: "urn:ietf:params:oauth:grant-type:device_code",
       device_code: deviceCode
     }
   );
 }
-async function refreshToken(siteUrl, refreshTokenValue, fetchFn) {
-  return await postJson(fetchFn, `${siteUrl}/api/cli-auth/token`, {
+async function refreshToken(authSiteUrl, refreshTokenValue, fetchFn) {
+  return await postJson(fetchFn, `${authSiteUrl}/api/cli-auth/token`, {
     grant_type: "refresh_token",
     refresh_token: refreshTokenValue
   });
 }
-async function revokeToken(siteUrl, refreshTokenValue, fetchFn) {
-  await postJson(fetchFn, `${siteUrl}/api/cli-auth/revoke`, {
+async function revokeToken(authSiteUrl, refreshTokenValue, fetchFn) {
+  await postJson(fetchFn, `${authSiteUrl}/api/cli-auth/revoke`, {
     token: refreshTokenValue
   });
 }
@@ -1463,7 +1439,7 @@ async function openDefaultBrowser(url) {
   }
 }
 async function runDeviceLoginFlow(args) {
-  const start = await startDeviceAuthorization(args.siteUrl, args.fetchFn);
+  const start = await startDeviceAuthorization(args.authSiteUrl, args.fetchFn);
   if (args.openBrowser) {
     args.writeProgress(
       "Opening your default browser for Opensteer CLI authentication.\n"
@@ -1508,7 +1484,7 @@ ${start.verification_uri_complete}
     await args.sleep(pollIntervalMs);
     try {
       const tokenPayload = await pollDeviceToken(
-        args.siteUrl,
+        args.authSiteUrl,
         start.device_code,
         args.fetchFn
       );
@@ -1556,7 +1532,7 @@ ${start.verification_uri_complete}
 }
 async function refreshSavedCredential(saved, deps) {
   const tokenPayload = await refreshToken(
-    saved.siteUrl,
+    resolveAuthSiteUrl(deps.env),
     saved.refreshToken,
     deps.fetchFn
   );
@@ -1569,7 +1545,6 @@ async function refreshSavedCredential(saved, deps) {
   };
   deps.store.writeCloudCredential({
     baseUrl: saved.baseUrl,
-    siteUrl: saved.siteUrl,
     scope: updated.scope,
     accessToken: updated.accessToken,
     refreshToken: updated.refreshToken,
@@ -1598,8 +1573,7 @@ async function ensureSavedCredentialIsFresh(saved, deps) {
       const oauth = parseCliOauthError(error.body);
       if (oauth?.error === "invalid_grant" || oauth?.error === "expired_token") {
         deps.store.clearCloudCredential({
-          baseUrl: saved.baseUrl,
-          siteUrl: saved.siteUrl
+          baseUrl: saved.baseUrl
         });
         return null;
       }
@@ -1699,7 +1673,7 @@ async function ensureCloudCredentialsForCommand(options) {
 `);
     }
   });
-  const { baseUrl, siteUrl } = resolveCloudTarget(options, env, store);
+  const { baseUrl } = resolveCloudTarget(options, env, store);
   const initialCredential = resolveCloudCredential({
     env,
     apiKeyFlag: options.apiKeyFlag,
@@ -1707,11 +1681,9 @@ async function ensureCloudCredentialsForCommand(options) {
   });
   let credential = initialCredential;
   if (!credential) {
-    const saved = store.readCloudCredential({
-      baseUrl,
-      siteUrl
-    });
+    const saved = store.readCloudCredential({ baseUrl });
     const freshSaved = saved ? await ensureSavedCredentialIsFresh(saved, {
+      env,
       fetchFn,
       store,
       now,
@@ -1729,7 +1701,7 @@ async function ensureCloudCredentialsForCommand(options) {
   if (!credential) {
     if (options.autoLoginIfNeeded && (options.interactive ?? false)) {
       const loggedIn = await runDeviceLoginFlow({
-        siteUrl,
+        authSiteUrl: resolveAuthSiteUrl(env),
         fetchFn,
         writeProgress,
         openExternalUrl,
@@ -1739,7 +1711,6 @@ async function ensureCloudCredentialsForCommand(options) {
       });
       store.writeCloudCredential({
         baseUrl,
-        siteUrl,
         scope: loggedIn.scope,
         accessToken: loggedIn.accessToken,
         refreshToken: loggedIn.refreshToken,
@@ -1757,28 +1728,25 @@ async function ensureCloudCredentialsForCommand(options) {
       throw new Error(toAuthMissingMessage(options.commandName));
     }
   }
-  store.writeActiveCloudTarget({
-    baseUrl,
-    siteUrl
-  });
+  store.writeActiveCloudTarget({ baseUrl });
   applyCloudCredentialToEnv(env, credential);
   env.OPENSTEER_BASE_URL = baseUrl;
-  env.OPENSTEER_CLOUD_SITE_URL = siteUrl;
   return {
     token: credential.token,
     authScheme: credential.authScheme,
     source: credential.source,
     kind: credential.kind,
-    baseUrl,
-    siteUrl
+    baseUrl
   };
 }
 async function runLogin(args, deps) {
-  const { baseUrl, siteUrl } = resolveCloudTarget(args, deps.env, deps.store);
+  const { baseUrl } = resolveCloudTarget(args, deps.env, deps.store, {
+    allowRememberedTarget: false
+  });
   const writeProgress = args.json ? deps.writeStderr : deps.writeStdout;
   const browserOpenMode = describeBrowserOpenMode(args, deps);
   const login = await runDeviceLoginFlow({
-    siteUrl,
+    authSiteUrl: resolveAuthSiteUrl(deps.env),
     fetchFn: deps.fetchFn,
     writeProgress,
     openExternalUrl: deps.openExternalUrl,
@@ -1789,22 +1757,17 @@ async function runLogin(args, deps) {
   });
   deps.store.writeCloudCredential({
     baseUrl,
-    siteUrl,
     scope: login.scope,
     accessToken: login.accessToken,
     refreshToken: login.refreshToken,
     obtainedAt: deps.now(),
     expiresAt: login.expiresAt
   });
-  deps.store.writeActiveCloudTarget({
-    baseUrl,
-    siteUrl
-  });
+  deps.store.writeActiveCloudTarget({ baseUrl });
   if (args.json) {
     writeJsonLine(deps, {
       loggedIn: true,
       baseUrl,
-      siteUrl,
       expiresAt: login.expiresAt,
       scope: login.scope,
       authSource: "device"
@@ -1812,33 +1775,20 @@ async function runLogin(args, deps) {
     return 0;
   }
   writeHumanLine(deps, "Opensteer CLI login successful.");
-  writeHumanLine(deps, `  Site URL: ${siteUrl}`);
-  writeHumanLine(deps, `  API Base URL: ${baseUrl}`);
-  writeHumanLine(deps, `  Expires At: ${new Date(login.expiresAt).toISOString()}`);
   return 0;
 }
 async function runStatus(args, deps) {
-  const { baseUrl, siteUrl } = resolveCloudTarget(args, deps.env, deps.store);
-  deps.store.writeActiveCloudTarget({
-    baseUrl,
-    siteUrl
-  });
-  const saved = deps.store.readCloudCredential({
-    baseUrl,
-    siteUrl
-  });
+  const { baseUrl } = resolveCloudTarget(args, deps.env, deps.store);
+  deps.store.writeActiveCloudTarget({ baseUrl });
+  const saved = deps.store.readCloudCredential({ baseUrl });
   if (!saved) {
     if (args.json) {
       writeJsonLine(deps, {
         loggedIn: false,
-        baseUrl,
-        siteUrl
+        baseUrl
       });
     } else {
-      writeHumanLine(
-        deps,
-        `Opensteer CLI is not logged in for ${siteUrl}.`
-      );
+      writeHumanLine(deps, `Opensteer CLI is not logged in for ${baseUrl}.`);
     }
     return 0;
   }
@@ -1849,7 +1799,6 @@ async function runStatus(args, deps) {
       loggedIn: true,
       expired,
       baseUrl: saved.baseUrl,
-      siteUrl: saved.siteUrl,
       expiresAt: saved.expiresAt,
       scope: saved.scope
     });
@@ -1859,43 +1808,33 @@ async function runStatus(args, deps) {
     deps,
     expired ? "Opensteer CLI has a saved login, but the access token is expired." : "Opensteer CLI is logged in."
   );
-  writeHumanLine(deps, `  Site URL: ${saved.siteUrl}`);
   writeHumanLine(deps, `  API Base URL: ${saved.baseUrl}`);
   writeHumanLine(deps, `  Expires At: ${new Date(saved.expiresAt).toISOString()}`);
   return 0;
 }
 async function runLogout(args, deps) {
-  const { baseUrl, siteUrl } = resolveCloudTarget(args, deps.env, deps.store);
-  deps.store.writeActiveCloudTarget({
-    baseUrl,
-    siteUrl
-  });
-  const saved = deps.store.readCloudCredential({
-    baseUrl,
-    siteUrl
-  });
+  const { baseUrl } = resolveCloudTarget(args, deps.env, deps.store);
+  deps.store.writeActiveCloudTarget({ baseUrl });
+  const saved = deps.store.readCloudCredential({ baseUrl });
   if (saved) {
     try {
-      await revokeToken(saved.siteUrl, saved.refreshToken, deps.fetchFn);
+      await revokeToken(
+        resolveAuthSiteUrl(deps.env),
+        saved.refreshToken,
+        deps.fetchFn
+      );
     } catch {
     }
   }
-  deps.store.clearCloudCredential({
-    baseUrl,
-    siteUrl
-  });
+  deps.store.clearCloudCredential({ baseUrl });
   if (args.json) {
     writeJsonLine(deps, {
       loggedOut: true,
-      baseUrl,
-      siteUrl
+      baseUrl
     });
     return 0;
   }
-  writeHumanLine(
-    deps,
-    `Opensteer CLI login removed for ${siteUrl}.`
-  );
+  writeHumanLine(deps, `Opensteer CLI login removed for ${baseUrl}.`);
   return 0;
 }
 async function runOpensteerAuthCli(rawArgs, overrideDeps = {}) {