npm - opensteer - Versions diffs - 0.6.1 → 0.6.3 - Mend

opensteer 0.6.1 → 0.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/README.md +4 -5
package/bin/opensteer.mjs +0 -1
package/dist/{chunk-F2VDVOJO.js → chunk-3OMXCBPD.js} +10 -19
package/dist/{chunk-WJI7TGBQ.js → chunk-FTKWQ6X3.js} +1 -1
package/dist/{chunk-WDRMHPWL.js → chunk-KE35RQOJ.js} +106 -36
package/dist/{chunk-3FNI7JUU.js → chunk-SCNX4NN3.js} +114 -241
package/dist/cli/auth.cjs +215 -276
package/dist/cli/auth.d.cts +0 -6
package/dist/cli/auth.d.ts +0 -6
package/dist/cli/auth.js +2 -2
package/dist/cli/profile.cjs +199 -259
package/dist/cli/profile.d.cts +0 -2
package/dist/cli/profile.d.ts +0 -2
package/dist/cli/profile.js +4 -28
package/dist/cli/server.cjs +110 -53
package/dist/cli/server.js +2 -2
package/dist/index.cjs +110 -53
package/dist/index.js +3 -3
package/package.json +1 -1

package/dist/cli/profile.cjs CHANGED Viewed

@@ -659,6 +659,65 @@ function toJsonSafeValue(value, seen) {
   return void 0;
 }
+// src/cloud/credential-selection.ts
+function selectCloudCredential(options) {
+  const apiKey = normalizeNonEmptyString(options.apiKey);
+  const accessToken = normalizeNonEmptyString(options.accessToken);
+  if (apiKey) {
+    if (options.authScheme === "bearer") {
+      return {
+        apiKey,
+        authScheme: "bearer",
+        kind: "access-token",
+        token: apiKey,
+        compatibilityBearerApiKey: true
+      };
+    }
+    return {
+      apiKey,
+      authScheme: "api-key",
+      kind: "api-key",
+      token: apiKey
+    };
+  }
+  if (accessToken) {
+    return {
+      accessToken,
+      authScheme: "bearer",
+      kind: "access-token",
+      token: accessToken
+    };
+  }
+  return null;
+}
+function selectCloudCredentialByPrecedence(layers, authScheme) {
+  for (const layer of layers) {
+    const hasApiKey = layer.hasApiKey ?? Object.prototype.hasOwnProperty.call(layer, "apiKey");
+    const hasAccessToken = layer.hasAccessToken ?? Object.prototype.hasOwnProperty.call(layer, "accessToken");
+    if (!hasApiKey && !hasAccessToken) {
+      continue;
+    }
+    return {
+      source: layer.source,
+      apiKey: layer.apiKey,
+      accessToken: layer.accessToken,
+      hasApiKey,
+      hasAccessToken,
+      credential: selectCloudCredential({
+        apiKey: layer.apiKey,
+        accessToken: layer.accessToken,
+        authScheme: layer.authScheme ?? authScheme
+      })
+    };
+  }
+  return null;
+}
+function normalizeNonEmptyString(value) {
+  if (typeof value !== "string") return void 0;
+  const normalized = value.trim();
+  return normalized.length ? normalized : void 0;
+}
 // src/storage/namespace.ts
 var import_path = __toESM(require("path"), 1);
 var DEFAULT_NAMESPACE = "default";
@@ -983,11 +1042,6 @@ function normalizeCloudOptions(value) {
   }
   return value;
 }
-function normalizeNonEmptyString(value) {
-  if (typeof value !== "string") return void 0;
-  const normalized = value.trim();
-  return normalized.length ? normalized : void 0;
-}
 function parseCloudEnabled(value, source) {
   if (value == null) return void 0;
   if (typeof value === "boolean") return value;
@@ -996,6 +1050,18 @@ function parseCloudEnabled(value, source) {
     `Invalid ${source} value "${String(value)}". Use true, false, or a cloud options object.`
   );
 }
+function resolveCloudCredentialFields(selectedLayer) {
+  const credential = selectedLayer?.credential;
+  if (!credential) return {};
+  if (credential.kind === "api-key" || credential.compatibilityBearerApiKey === true && selectedLayer?.source !== "env") {
+    return {
+      apiKey: credential.token
+    };
+  }
+  return {
+    accessToken: credential.token
+  };
+}
 function resolveCloudSelection(config, env = process.env) {
   const configCloud = parseCloudEnabled(config.cloud, "cloud");
   if (configCloud !== void 0) {
@@ -1032,6 +1098,9 @@ function resolveConfigWithEnv(input = {}, options = {}) {
   });
   assertNoLegacyAiConfig(".opensteer/config.json", fileConfig);
   assertNoLegacyRuntimeConfig(".opensteer/config.json", fileConfig);
+  const fileCloudOptions = normalizeCloudOptions(fileConfig.cloud);
+  const fileHasCloudApiKey = hasOwn(fileCloudOptions, "apiKey");
+  const fileHasCloudAccessToken = hasOwn(fileCloudOptions, "accessToken");
   const fileRootDir = typeof fileConfig.storage?.rootDir === "string" ? fileConfig.storage.rootDir : void 0;
   const envRootDir = input.storage?.rootDir ?? fileRootDir ?? initialRootDir;
   const env = resolveEnv(envRootDir, {
@@ -1070,13 +1139,6 @@ function resolveConfigWithEnv(input = {}, options = {}) {
   const envAccessTokenRaw = resolveOpensteerAccessToken(env);
   const envBaseUrl = resolveOpensteerBaseUrl(env);
   const envAuthScheme = resolveOpensteerAuthScheme(env);
-  if (envApiKey && envAccessTokenRaw) {
-    throw new Error(
-      "OPENSTEER_API_KEY and OPENSTEER_ACCESS_TOKEN are mutually exclusive. Set only one."
-    );
-  }
-  const envAccessToken = envAccessTokenRaw || (envAuthScheme === "bearer" ? envApiKey : void 0);
-  const envApiCredential = envAuthScheme === "bearer" && !envAccessTokenRaw ? void 0 : envApiKey;
   const envCloudProfileId = resolveOpensteerCloudProfileId(env);
   const envCloudProfileReuseIfActive = resolveOpensteerCloudProfileReuseIfActive(env);
   const envCloudAnnounce = parseCloudAnnounce(
@@ -1105,11 +1167,6 @@ function resolveConfigWithEnv(input = {}, options = {}) {
   const inputHasCloudBaseUrl = Boolean(
     inputCloudOptions && Object.prototype.hasOwnProperty.call(inputCloudOptions, "baseUrl")
   );
-  if (normalizeNonEmptyString(inputCloudOptions?.apiKey) && normalizeNonEmptyString(inputCloudOptions?.accessToken)) {
-    throw new Error(
-      "cloud.apiKey and cloud.accessToken are mutually exclusive. Set only one."
-    );
-  }
   const cloudSelection = resolveCloudSelection({
     cloud: resolved.cloud
   }, env);
@@ -1120,11 +1177,6 @@ function resolveConfigWithEnv(input = {}, options = {}) {
       accessToken: resolvedCloudAccessTokenRaw,
       ...resolvedCloudRest
     } = resolvedCloud;
-    if (normalizeNonEmptyString(resolvedCloudApiKeyRaw) && normalizeNonEmptyString(resolvedCloudAccessTokenRaw)) {
-      throw new Error(
-        "Cloud config cannot include both apiKey and accessToken at the same time."
-      );
-    }
     const resolvedCloudBrowserProfile = normalizeCloudBrowserProfileOptions(
       resolvedCloud.browserProfile,
       "resolved.cloud.browserProfile"
@@ -1136,25 +1188,40 @@ function resolveConfigWithEnv(input = {}, options = {}) {
     const browserProfile = inputCloudBrowserProfile ?? envCloudBrowserProfile ?? resolvedCloudBrowserProfile;
     let authScheme = inputAuthScheme ?? envAuthScheme ?? parseAuthScheme(resolvedCloud.authScheme, "cloud.authScheme") ?? "api-key";
     const announce = inputCloudAnnounce ?? envCloudAnnounce ?? parseCloudAnnounce(resolvedCloud.announce, "cloud.announce") ?? "always";
-    const credentialOverriddenByInput = inputHasCloudApiKey || inputHasCloudAccessToken;
-    let apiKey = normalizeNonEmptyString(resolvedCloudApiKeyRaw);
-    let accessToken = normalizeNonEmptyString(resolvedCloudAccessTokenRaw);
-    if (!credentialOverriddenByInput) {
-      if (envAccessToken) {
-        accessToken = envAccessToken;
-        apiKey = void 0;
-      } else if (envApiCredential) {
-        apiKey = envApiCredential;
-        accessToken = void 0;
-      }
-    }
+    const selectedCredentialLayer = selectCloudCredentialByPrecedence(
+      [
+        {
+          source: "input",
+          apiKey: inputCloudOptions?.apiKey,
+          accessToken: inputCloudOptions?.accessToken,
+          hasApiKey: inputHasCloudApiKey,
+          hasAccessToken: inputHasCloudAccessToken
+        },
+        {
+          source: "env",
+          apiKey: envApiKey,
+          accessToken: envAccessTokenRaw,
+          hasApiKey: envApiKey !== void 0,
+          hasAccessToken: envAccessTokenRaw !== void 0
+        },
+        {
+          source: "file",
+          apiKey: fileCloudOptions?.apiKey,
+          accessToken: fileCloudOptions?.accessToken,
+          hasApiKey: fileHasCloudApiKey,
+          hasAccessToken: fileHasCloudAccessToken
+        }
+      ],
+      authScheme
+    );
+    const { apiKey, accessToken } = resolveCloudCredentialFields(selectedCredentialLayer);
     if (accessToken) {
       authScheme = "bearer";
     }
     resolved.cloud = {
       ...resolvedCloudRest,
-      ...inputHasCloudApiKey ? { apiKey: resolvedCloudApiKeyRaw } : apiKey ? { apiKey } : {},
-      ...inputHasCloudAccessToken ? { accessToken: resolvedCloudAccessTokenRaw } : accessToken ? { accessToken } : {},
+      ...apiKey ? { apiKey } : selectedCredentialLayer?.hasApiKey && !accessToken ? { apiKey: selectedCredentialLayer.apiKey } : {},
+      ...accessToken ? { accessToken } : selectedCredentialLayer?.hasAccessToken && !apiKey ? { accessToken: selectedCredentialLayer.accessToken } : {},
       authScheme,
       announce,
       ...browserProfile ? { browserProfile } : {}
@@ -11780,30 +11847,20 @@ var Opensteer = class _Opensteer {
     this.pool = new BrowserPool(resolved.browser || {});
     if (cloudSelection.cloud) {
       const cloudConfig = resolved.cloud && typeof resolved.cloud === "object" ? resolved.cloud : void 0;
-      const apiKey = cloudConfig?.apiKey?.trim();
-      const accessToken = cloudConfig?.accessToken?.trim();
-      if (apiKey && accessToken) {
-        throw new Error(
-          "Cloud mode cannot use both cloud.apiKey and cloud.accessToken. Set only one credential."
-        );
-      }
-      let credential = "";
-      let authScheme = cloudConfig?.authScheme ?? "api-key";
-      if (accessToken) {
-        credential = accessToken;
-        authScheme = "bearer";
-      } else if (apiKey) {
-        credential = apiKey;
-      }
+      const credential = selectCloudCredential({
+        apiKey: cloudConfig?.apiKey,
+        accessToken: cloudConfig?.accessToken,
+        authScheme: cloudConfig?.authScheme
+      });
       if (!credential) {
         throw new Error(
           "Cloud mode requires credentials via cloud.apiKey/cloud.accessToken or OPENSTEER_API_KEY/OPENSTEER_ACCESS_TOKEN."
         );
       }
       this.cloud = createCloudRuntimeState(
-        credential,
+        credential.token,
         cloudConfig?.baseUrl,
-        authScheme
+        credential.authScheme
       );
     } else {
       this.cloud = null;
@@ -14691,59 +14748,21 @@ var import_open = __toESM(require("open"), 1);
 // src/auth/credential-resolver.ts
 function resolveCloudCredential(options) {
-  const flagApiKey = normalizeToken(options.apiKeyFlag);
-  const flagAccessToken = normalizeToken(options.accessTokenFlag);
-  if (flagApiKey && flagAccessToken) {
-    throw new Error("--api-key and --access-token are mutually exclusive.");
-  }
-  if (flagAccessToken) {
-    return {
-      kind: "access-token",
-      source: "flag",
-      token: flagAccessToken,
-      authScheme: "bearer"
-    };
-  }
-  if (flagApiKey) {
-    return {
-      kind: "api-key",
-      source: "flag",
-      token: flagApiKey,
-      authScheme: "api-key"
-    };
+  const flagCredential = selectCloudCredential({
+    apiKey: options.apiKeyFlag,
+    accessToken: options.accessTokenFlag
+  });
+  if (flagCredential) {
+    return toResolvedCloudCredential("flag", flagCredential);
   }
   const envAuthScheme = parseEnvAuthScheme(options.env.OPENSTEER_AUTH_SCHEME);
-  const envApiKey = normalizeToken(options.env.OPENSTEER_API_KEY);
-  const envAccessToken = normalizeToken(options.env.OPENSTEER_ACCESS_TOKEN);
-  if (envApiKey && envAccessToken) {
-    throw new Error(
-      "OPENSTEER_API_KEY and OPENSTEER_ACCESS_TOKEN are mutually exclusive. Set only one."
-    );
-  }
-  if (envAccessToken) {
-    return {
-      kind: "access-token",
-      source: "env",
-      token: envAccessToken,
-      authScheme: "bearer"
-    };
-  }
-  if (envApiKey) {
-    if (envAuthScheme === "bearer") {
-      return {
-        kind: "access-token",
-        source: "env",
-        token: envApiKey,
-        authScheme: "bearer",
-        compatibilityBearerApiKey: true
-      };
-    }
-    return {
-      kind: "api-key",
-      source: "env",
-      token: envApiKey,
-      authScheme: envAuthScheme ?? "api-key"
-    };
+  const envCredential = selectCloudCredential({
+    apiKey: options.env.OPENSTEER_API_KEY,
+    accessToken: options.env.OPENSTEER_ACCESS_TOKEN,
+    authScheme: envAuthScheme
+  });
+  if (envCredential) {
+    return toResolvedCloudCredential("env", envCredential);
   }
   return null;
 }
@@ -14773,19 +14792,33 @@ function normalizeToken(value) {
   const normalized = value.trim();
   return normalized.length ? normalized : void 0;
 }
+function toResolvedCloudCredential(source, credential) {
+  if (credential.compatibilityBearerApiKey) {
+    return {
+      kind: credential.kind,
+      source,
+      token: credential.token,
+      authScheme: credential.authScheme,
+      compatibilityBearerApiKey: true
+    };
+  }
+  return {
+    kind: credential.kind,
+    source,
+    token: credential.token,
+    authScheme: credential.authScheme
+  };
+}
 // src/auth/machine-credential-store.ts
 var import_node_crypto2 = require("crypto");
 var import_node_fs2 = __toESM(require("fs"), 1);
 var import_node_os2 = __toESM(require("os"), 1);
 var import_node_path2 = __toESM(require("path"), 1);
-var METADATA_VERSION = 1;
-var ACTIVE_TARGET_VERSION = 1;
+var METADATA_VERSION = 2;
+var ACTIVE_TARGET_VERSION = 2;
 var KEYCHAIN_SERVICE = "com.opensteer.cli.cloud";
 var KEYCHAIN_ACCOUNT_PREFIX = "machine:";
-var LEGACY_KEYCHAIN_ACCOUNT = "machine";
-var LEGACY_METADATA_FILE_NAME = "cli-login.json";
-var LEGACY_FALLBACK_SECRET_FILE_NAME = "cli-login.secret.json";
 var ACTIVE_TARGET_FILE_NAME = "cli-target.json";
 var MachineCredentialStore = class {
   authDir;
@@ -14800,8 +14833,11 @@ var MachineCredentialStore = class {
     this.warn = options.warn ?? (() => void 0);
   }
   readCloudCredential(target) {
-    const slot = resolveCredentialSlot(this.authDir, target);
-    return this.readCredentialSlot(slot, target) ?? this.readAndMigrateLegacyCredential(target);
+    const normalizedTarget = normalizeCloudCredentialTarget(target);
+    return this.readCredentialSlot(
+      resolveCredentialSlot(this.authDir, normalizedTarget),
+      normalizedTarget
+    );
   }
   writeCloudCredential(args) {
     const accessToken = args.accessToken.trim();
@@ -14809,12 +14845,8 @@ var MachineCredentialStore = class {
     if (!accessToken || !refreshToken2) {
       throw new Error("Cannot persist empty machine credential secrets.");
     }
-    const baseUrl = normalizeCredentialUrl(args.baseUrl, "baseUrl");
-    const siteUrl = normalizeCredentialUrl(args.siteUrl, "siteUrl");
-    const slot = resolveCredentialSlot(this.authDir, {
-      baseUrl,
-      siteUrl
-    });
+    const baseUrl = normalizeCredentialUrl(args.baseUrl);
+    const slot = resolveCredentialSlot(this.authDir, { baseUrl });
     ensureDirectory(this.authDir);
     const secretPayload = {
       accessToken,
@@ -14841,7 +14873,6 @@ var MachineCredentialStore = class {
       version: METADATA_VERSION,
       secretBackend,
       baseUrl,
-      siteUrl,
       scope: args.scope,
       obtainedAt: args.obtainedAt,
       expiresAt: args.expiresAt,
@@ -14853,23 +14884,18 @@ var MachineCredentialStore = class {
     return readActiveCloudTargetMetadata(resolveActiveTargetPath(this.authDir));
   }
   writeActiveCloudTarget(target) {
-    const baseUrl = normalizeCredentialUrl(target.baseUrl, "baseUrl");
-    const siteUrl = normalizeCredentialUrl(target.siteUrl, "siteUrl");
+    const baseUrl = normalizeCredentialUrl(target.baseUrl);
     ensureDirectory(this.authDir);
     writeJsonFile(resolveActiveTargetPath(this.authDir), {
       version: ACTIVE_TARGET_VERSION,
       baseUrl,
-      siteUrl,
       updatedAt: Date.now()
     });
   }
   clearCloudCredential(target) {
-    this.clearCredentialSlot(resolveCredentialSlot(this.authDir, target));
-    const legacySlot = resolveLegacyCredentialSlot(this.authDir);
-    const legacyMetadata = readMetadata(legacySlot.metadataPath);
-    if (legacyMetadata && matchesCredentialTarget(legacyMetadata, target)) {
-      this.clearCredentialSlot(legacySlot);
-    }
+    this.clearCredentialSlot(
+      resolveCredentialSlot(this.authDir, normalizeCloudCredentialTarget(target))
+    );
   }
   readCredentialSlot(slot, target) {
     const metadata = readMetadata(slot.metadataPath);
@@ -14885,7 +14911,6 @@ var MachineCredentialStore = class {
     }
     return {
       baseUrl: metadata.baseUrl,
-      siteUrl: metadata.siteUrl,
       scope: metadata.scope,
       accessToken: secret.accessToken,
       refreshToken: secret.refreshToken,
@@ -14893,16 +14918,6 @@ var MachineCredentialStore = class {
       expiresAt: metadata.expiresAt
     };
   }
-  readAndMigrateLegacyCredential(target) {
-    const legacySlot = resolveLegacyCredentialSlot(this.authDir);
-    const legacyCredential = this.readCredentialSlot(legacySlot, target);
-    if (!legacyCredential) {
-      return null;
-    }
-    this.writeCloudCredential(legacyCredential);
-    this.clearCredentialSlot(legacySlot);
-    return legacyCredential;
-  }
   readSecret(slot, backend) {
     if (backend === "keychain" && this.keychain) {
       try {
@@ -14943,9 +14958,8 @@ function createMachineCredentialStore(options = {}) {
   return new MachineCredentialStore(options);
 }
 function resolveCredentialSlot(authDir, target) {
-  const normalizedBaseUrl = normalizeCredentialUrl(target.baseUrl, "baseUrl");
-  const normalizedSiteUrl = normalizeCredentialUrl(target.siteUrl, "siteUrl");
-  const storageKey = (0, import_node_crypto2.createHash)("sha256").update(`${normalizedBaseUrl}\0${normalizedSiteUrl}`).digest("hex").slice(0, 24);
+  const normalizedBaseUrl = normalizeCredentialUrl(target.baseUrl);
+  const storageKey = (0, import_node_crypto2.createHash)("sha256").update(normalizedBaseUrl).digest("hex").slice(0, 24);
   return {
     keychainAccount: `${KEYCHAIN_ACCOUNT_PREFIX}${storageKey}`,
     metadataPath: import_node_path2.default.join(authDir, `cli-login.${storageKey}.json`),
@@ -14955,26 +14969,24 @@ function resolveCredentialSlot(authDir, target) {
     )
   };
 }
-function resolveLegacyCredentialSlot(authDir) {
-  return {
-    keychainAccount: LEGACY_KEYCHAIN_ACCOUNT,
-    metadataPath: import_node_path2.default.join(authDir, LEGACY_METADATA_FILE_NAME),
-    fallbackSecretPath: import_node_path2.default.join(authDir, LEGACY_FALLBACK_SECRET_FILE_NAME)
-  };
-}
 function resolveActiveTargetPath(authDir) {
   return import_node_path2.default.join(authDir, ACTIVE_TARGET_FILE_NAME);
 }
 function matchesCredentialTarget(value, target) {
-  return normalizeCredentialUrl(value.baseUrl, "baseUrl") === normalizeCredentialUrl(target.baseUrl, "baseUrl") && normalizeCredentialUrl(value.siteUrl, "siteUrl") === normalizeCredentialUrl(target.siteUrl, "siteUrl");
+  return normalizeCredentialUrl(value.baseUrl) === normalizeCredentialUrl(target.baseUrl);
 }
-function normalizeCredentialUrl(value, field) {
+function normalizeCredentialUrl(value) {
   const normalized = stripTrailingSlashes(value.trim());
   if (!normalized) {
-    throw new Error(`Cannot persist machine credential without ${field}.`);
+    throw new Error("Cannot persist machine credential without baseUrl.");
   }
   return normalized;
 }
+function normalizeCloudCredentialTarget(target) {
+  return {
+    baseUrl: normalizeCredentialUrl(target.baseUrl)
+  };
+}
 function resolveConfigDir(appName, env) {
   if (process.platform === "win32") {
     const appData = env.APPDATA?.trim() || import_node_path2.default.join(import_node_os2.default.homedir(), "AppData", "Roaming");
@@ -15013,7 +15025,6 @@ function readMetadata(filePath) {
       return null;
     }
     if (typeof parsed.baseUrl !== "string" || !parsed.baseUrl.trim()) return null;
-    if (typeof parsed.siteUrl !== "string" || !parsed.siteUrl.trim()) return null;
     if (!Array.isArray(parsed.scope)) return null;
     if (typeof parsed.obtainedAt !== "number") return null;
     if (typeof parsed.expiresAt !== "number") return null;
@@ -15022,7 +15033,6 @@ function readMetadata(filePath) {
       version: parsed.version,
       secretBackend: parsed.secretBackend,
       baseUrl: parsed.baseUrl,
-      siteUrl: parsed.siteUrl,
       scope: parsed.scope.filter(
         (value) => typeof value === "string"
       ),
@@ -15047,12 +15057,8 @@ function readActiveCloudTargetMetadata(filePath) {
     if (typeof parsed.baseUrl !== "string" || !parsed.baseUrl.trim()) {
       return null;
     }
-    if (typeof parsed.siteUrl !== "string" || !parsed.siteUrl.trim()) {
-      return null;
-    }
     return {
-      baseUrl: parsed.baseUrl,
-      siteUrl: parsed.siteUrl
+      baseUrl: parsed.baseUrl
     };
   } catch {
     return null;
@@ -15077,14 +15083,13 @@ function readSecretFile(filePath) {
     return null;
   }
   try {
-    const raw = import_node_fs2.default.readFileSync(filePath, "utf8");
-    return parseSecretPayload(raw);
+    return parseSecretPayload(import_node_fs2.default.readFileSync(filePath, "utf8"));
   } catch {
     return null;
   }
 }
-function writeJsonFile(filePath, payload, options = {}) {
-  import_node_fs2.default.writeFileSync(filePath, JSON.stringify(payload, null, 2), {
+function writeJsonFile(filePath, value, options = {}) {
+  import_node_fs2.default.writeFileSync(filePath, JSON.stringify(value, null, 2), {
     encoding: "utf8",
     mode: options.mode ?? 384
   });
@@ -15104,6 +15109,8 @@ var CliAuthHttpError = class extends Error {
     this.body = body;
   }
 };
+var DEFAULT_AUTH_SITE_URL = "https://opensteer.com";
+var INTERNAL_AUTH_SITE_URL_ENV = "OPENSTEER_INTERNAL_AUTH_SITE_URL";
 function resolveBaseUrl(provided, env) {
   const baseUrl = normalizeCloudBaseUrl(
     (provided || env.OPENSTEER_BASE_URL || DEFAULT_CLOUD_BASE_URL).trim()
@@ -15111,16 +15118,19 @@ function resolveBaseUrl(provided, env) {
   assertSecureUrl(baseUrl, "--base-url");
   return baseUrl;
 }
-function resolveSiteUrl(provided, baseUrl, env) {
-  const siteUrl = normalizeCloudBaseUrl(
-    (provided || env.OPENSTEER_CLOUD_SITE_URL || deriveSiteUrlFromBaseUrl(baseUrl)).trim()
+function resolveAuthSiteUrl(env) {
+  const authSiteUrl = normalizeCloudBaseUrl(
+    (env[INTERNAL_AUTH_SITE_URL_ENV] || DEFAULT_AUTH_SITE_URL).trim()
+  );
+  assertSecureUrl(
+    authSiteUrl,
+    `environment variable ${INTERNAL_AUTH_SITE_URL_ENV}`
   );
-  assertSecureUrl(siteUrl, "--site-url");
-  return siteUrl;
+  return authSiteUrl;
 }
-function hasExplicitCloudTargetSelection(providedBaseUrl, providedSiteUrl, env) {
+function hasExplicitCloudTargetSelection(providedBaseUrl, env) {
   return Boolean(
-    providedBaseUrl?.trim() || providedSiteUrl?.trim() || env.OPENSTEER_BASE_URL?.trim() || env.OPENSTEER_CLOUD_SITE_URL?.trim()
+    providedBaseUrl?.trim() || env.OPENSTEER_BASE_URL?.trim()
   );
 }
 function readRememberedCloudTarget(store) {
@@ -15130,57 +15140,21 @@ function readRememberedCloudTarget(store) {
   }
   try {
     const baseUrl = normalizeCloudBaseUrl(activeTarget.baseUrl);
-    const siteUrl = normalizeCloudBaseUrl(activeTarget.siteUrl);
     assertSecureUrl(baseUrl, "--base-url");
-    assertSecureUrl(siteUrl, "--site-url");
-    return {
-      baseUrl,
-      siteUrl
-    };
+    return { baseUrl };
   } catch {
     return null;
   }
 }
-function resolveCloudTarget(args, env, store) {
-  if (!hasExplicitCloudTargetSelection(args.baseUrl, args.siteUrl, env)) {
+function resolveCloudTarget(args, env, store, options = {}) {
+  if (options.allowRememberedTarget !== false && !hasExplicitCloudTargetSelection(args.baseUrl, env)) {
     const rememberedTarget = readRememberedCloudTarget(store);
     if (rememberedTarget) {
       return rememberedTarget;
     }
   }
   const baseUrl = resolveBaseUrl(args.baseUrl, env);
-  const siteUrl = resolveSiteUrl(args.siteUrl, baseUrl, env);
-  return {
-    baseUrl,
-    siteUrl
-  };
-}
-function deriveSiteUrlFromBaseUrl(baseUrl) {
-  let parsed;
-  try {
-    parsed = new URL(baseUrl);
-  } catch {
-    return "https://opensteer.com";
-  }
-  const hostname = parsed.hostname.toLowerCase();
-  if (hostname.startsWith("api.")) {
-    parsed.hostname = hostname.slice("api.".length);
-    parsed.pathname = "";
-    parsed.search = "";
-    parsed.hash = "";
-    return normalizeCloudBaseUrl(parsed.toString());
-  }
-  if (hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1") {
-    parsed.port = "3001";
-    parsed.pathname = "";
-    parsed.search = "";
-    parsed.hash = "";
-    return normalizeCloudBaseUrl(parsed.toString());
-  }
-  parsed.pathname = "";
-  parsed.search = "";
-  parsed.hash = "";
-  return normalizeCloudBaseUrl(parsed.toString());
+  return { baseUrl };
 }
 function assertSecureUrl(value, flag) {
   let parsed;
@@ -15255,10 +15229,10 @@ function parseCliOauthError(error) {
     interval: typeof root.interval === "number" ? root.interval : void 0
   };
 }
-async function startDeviceAuthorization(siteUrl, fetchFn) {
+async function startDeviceAuthorization(authSiteUrl, fetchFn) {
   const response = await postJson(
     fetchFn,
-    `${siteUrl}/api/cli-auth/device/start`,
+    `${authSiteUrl}/api/cli-auth/device/start`,
     {
       scope: ["cloud:browser"]
     }
@@ -15268,18 +15242,18 @@ async function startDeviceAuthorization(siteUrl, fetchFn) {
   }
   return response;
 }
-async function pollDeviceToken(siteUrl, deviceCode, fetchFn) {
+async function pollDeviceToken(authSiteUrl, deviceCode, fetchFn) {
   return await postJson(
     fetchFn,
-    `${siteUrl}/api/cli-auth/device/token`,
+    `${authSiteUrl}/api/cli-auth/device/token`,
     {
       grant_type: "urn:ietf:params:oauth:grant-type:device_code",
       device_code: deviceCode
     }
   );
 }
-async function refreshToken(siteUrl, refreshTokenValue, fetchFn) {
-  return await postJson(fetchFn, `${siteUrl}/api/cli-auth/token`, {
+async function refreshToken(authSiteUrl, refreshTokenValue, fetchFn) {
+  return await postJson(fetchFn, `${authSiteUrl}/api/cli-auth/token`, {
     grant_type: "refresh_token",
     refresh_token: refreshTokenValue
   });
@@ -15297,7 +15271,7 @@ async function openDefaultBrowser(url) {
   }
 }
 async function runDeviceLoginFlow(args) {
-  const start = await startDeviceAuthorization(args.siteUrl, args.fetchFn);
+  const start = await startDeviceAuthorization(args.authSiteUrl, args.fetchFn);
   if (args.openBrowser) {
     args.writeProgress(
       "Opening your default browser for Opensteer CLI authentication.\n"
@@ -15342,7 +15316,7 @@ ${start.verification_uri_complete}
     await args.sleep(pollIntervalMs);
     try {
       const tokenPayload = await pollDeviceToken(
-        args.siteUrl,
+        args.authSiteUrl,
         start.device_code,
         args.fetchFn
       );
@@ -15390,7 +15364,7 @@ ${start.verification_uri_complete}
 }
 async function refreshSavedCredential(saved, deps) {
   const tokenPayload = await refreshToken(
-    saved.siteUrl,
+    resolveAuthSiteUrl(deps.env),
     saved.refreshToken,
     deps.fetchFn
   );
@@ -15403,7 +15377,6 @@ async function refreshSavedCredential(saved, deps) {
   };
   deps.store.writeCloudCredential({
     baseUrl: saved.baseUrl,
-    siteUrl: saved.siteUrl,
     scope: updated.scope,
     accessToken: updated.accessToken,
     refreshToken: updated.refreshToken,
@@ -15432,8 +15405,7 @@ async function ensureSavedCredentialIsFresh(saved, deps) {
       const oauth = parseCliOauthError(error.body);
       if (oauth?.error === "invalid_grant" || oauth?.error === "expired_token") {
         deps.store.clearCloudCredential({
-          baseUrl: saved.baseUrl,
-          siteUrl: saved.siteUrl
+          baseUrl: saved.baseUrl
         });
         return null;
       }
@@ -15468,7 +15440,7 @@ async function ensureCloudCredentialsForCommand(options) {
 `);
     }
   });
-  const { baseUrl, siteUrl } = resolveCloudTarget(options, env, store);
+  const { baseUrl } = resolveCloudTarget(options, env, store);
   const initialCredential = resolveCloudCredential({
     env,
     apiKeyFlag: options.apiKeyFlag,
@@ -15476,11 +15448,9 @@ async function ensureCloudCredentialsForCommand(options) {
   });
   let credential = initialCredential;
   if (!credential) {
-    const saved = store.readCloudCredential({
-      baseUrl,
-      siteUrl
-    });
+    const saved = store.readCloudCredential({ baseUrl });
     const freshSaved = saved ? await ensureSavedCredentialIsFresh(saved, {
+      env,
       fetchFn,
       store,
       now,
@@ -15498,7 +15468,7 @@ async function ensureCloudCredentialsForCommand(options) {
   if (!credential) {
     if (options.autoLoginIfNeeded && (options.interactive ?? false)) {
       const loggedIn = await runDeviceLoginFlow({
-        siteUrl,
+        authSiteUrl: resolveAuthSiteUrl(env),
         fetchFn,
         writeProgress,
         openExternalUrl,
@@ -15508,7 +15478,6 @@ async function ensureCloudCredentialsForCommand(options) {
       });
       store.writeCloudCredential({
         baseUrl,
-        siteUrl,
         scope: loggedIn.scope,
         accessToken: loggedIn.accessToken,
         refreshToken: loggedIn.refreshToken,
@@ -15526,20 +15495,15 @@ async function ensureCloudCredentialsForCommand(options) {
       throw new Error(toAuthMissingMessage(options.commandName));
     }
   }
-  store.writeActiveCloudTarget({
-    baseUrl,
-    siteUrl
-  });
+  store.writeActiveCloudTarget({ baseUrl });
   applyCloudCredentialToEnv(env, credential);
   env.OPENSTEER_BASE_URL = baseUrl;
-  env.OPENSTEER_CLOUD_SITE_URL = siteUrl;
   return {
     token: credential.token,
     authScheme: credential.authScheme,
     source: credential.source,
     kind: credential.kind,
-    baseUrl,
-    siteUrl
+    baseUrl
   };
 }
@@ -15557,7 +15521,6 @@ Cloud auth options (all commands):
   --api-key <key>           Cloud API key (defaults to OPENSTEER_API_KEY)
   --access-token <token>    Cloud bearer access token (defaults to OPENSTEER_ACCESS_TOKEN)
   --base-url <url>          Cloud API base URL (defaults to env or the last selected host)
-  --site-url <url>          Cloud site URL for login/refresh/revoke flows
   --auth-scheme <scheme>    api-key (default) or bearer
   --json                    JSON output (progress logs go to stderr)
@@ -15644,13 +15607,6 @@ function parseListArgs(rawArgs) {
       i = value.nextIndex;
       continue;
     }
-    if (arg === "--site-url") {
-      const value = readFlagValue(rawArgs, i, "--site-url");
-      if (!value.ok) return { mode: "error", error: value.error };
-      args.siteUrl = value.value;
-      i = value.nextIndex;
-      continue;
-    }
     if (arg === "--auth-scheme") {
       const value = readFlagValue(rawArgs, i, "--auth-scheme");
       if (!value.ok) return { mode: "error", error: value.error };
@@ -15743,13 +15699,6 @@ function parseCreateArgs(rawArgs) {
       i = value.nextIndex;
       continue;
     }
-    if (arg === "--site-url") {
-      const value = readFlagValue(rawArgs, i, "--site-url");
-      if (!value.ok) return { mode: "error", error: value.error };
-      args.siteUrl = value.value;
-      i = value.nextIndex;
-      continue;
-    }
     if (arg === "--auth-scheme") {
       const value = readFlagValue(rawArgs, i, "--auth-scheme");
       if (!value.ok) return { mode: "error", error: value.error };
@@ -15868,13 +15817,6 @@ function parseSyncArgs(rawArgs) {
       i = value.nextIndex;
       continue;
     }
-    if (arg === "--site-url") {
-      const value = readFlagValue(rawArgs, i, "--site-url");
-      if (!value.ok) return { mode: "error", error: value.error };
-      args.siteUrl = value.value;
-      i = value.nextIndex;
-      continue;
-    }
     if (arg === "--auth-scheme") {
       const value = readFlagValue(rawArgs, i, "--auth-scheme");
       if (!value.ok) return { mode: "error", error: value.error };
@@ -15965,7 +15907,6 @@ async function buildCloudAuthContext(args, deps) {
     apiKeyFlag: args.apiKey,
     accessTokenFlag: args.accessToken,
     baseUrl: args.baseUrl,
-    siteUrl: args.siteUrl,
     interactive: deps.isInteractive(),
     autoLoginIfNeeded: true,
     writeProgress: args.json ? deps.writeStderr : deps.writeStdout,
@@ -15987,7 +15928,6 @@ async function buildCloudAuthContext(args, deps) {
   return {
     token: ensured.token,
     baseUrl: ensured.baseUrl,
-    siteUrl: ensured.siteUrl,
     authScheme: ensured.authScheme,
     kind: ensured.kind,
     source: ensured.source