opensteer 0.6.13 → 0.7.0

package/dist/chunk-U724TBY6.js

@@ -1,1262 +0,0 @@
-import {
-  DEFAULT_CLOUD_BASE_URL,
-  normalizeCloudBaseUrl,
-  resolveCloudSelection,
-  resolveConfigWithEnv,
-  selectCloudCredential,
-  stripTrailingSlashes
-} from "./chunk-2ES46WCO.js";
-
-// src/cli/auth.ts
-import open from "open";
-
-// src/auth/credential-resolver.ts
-function resolveCloudCredential(options) {
-  const flagCredential = selectCloudCredential({
-    apiKey: options.apiKeyFlag,
-    accessToken: options.accessTokenFlag
-  });
-  if (flagCredential) {
-    return toResolvedCloudCredential("flag", flagCredential);
-  }
-  const envAuthScheme = parseEnvAuthScheme(options.env.OPENSTEER_AUTH_SCHEME);
-  const envCredential = selectCloudCredential({
-    apiKey: options.env.OPENSTEER_API_KEY,
-    accessToken: options.env.OPENSTEER_ACCESS_TOKEN,
-    authScheme: envAuthScheme
-  });
-  if (envCredential) {
-    return toResolvedCloudCredential("env", envCredential);
-  }
-  return null;
-}
-function applyCloudCredentialToEnv(env, credential) {
-  if (credential.kind === "access-token") {
-    env.OPENSTEER_ACCESS_TOKEN = credential.token;
-    delete env.OPENSTEER_API_KEY;
-    env.OPENSTEER_AUTH_SCHEME = "bearer";
-    return;
-  }
-  env.OPENSTEER_API_KEY = credential.token;
-  delete env.OPENSTEER_ACCESS_TOKEN;
-  env.OPENSTEER_AUTH_SCHEME = credential.authScheme;
-}
-function parseEnvAuthScheme(value) {
-  const normalized = normalizeToken(value);
-  if (!normalized) return void 0;
-  if (normalized === "api-key" || normalized === "bearer") {
-    return normalized;
-  }
-  throw new Error(
-    `Invalid OPENSTEER_AUTH_SCHEME value "${value}". Use "api-key" or "bearer".`
-  );
-}
-function normalizeToken(value) {
-  if (typeof value !== "string") return void 0;
-  const normalized = value.trim();
-  return normalized.length ? normalized : void 0;
-}
-function toResolvedCloudCredential(source, credential) {
-  if (credential.compatibilityBearerApiKey) {
-    return {
-      kind: credential.kind,
-      source,
-      token: credential.token,
-      authScheme: credential.authScheme,
-      compatibilityBearerApiKey: true
-    };
-  }
-  return {
-    kind: credential.kind,
-    source,
-    token: credential.token,
-    authScheme: credential.authScheme
-  };
-}
-
-// src/auth/machine-credential-store.ts
-import { createHash } from "crypto";
-import fs from "fs";
-import os from "os";
-import path from "path";
-
-// src/auth/keychain-store.ts
-import { spawnSync } from "child_process";
-function commandExists(command) {
-  const result = spawnSync(command, ["--help"], {
-    encoding: "utf8",
-    stdio: "ignore"
-  });
-  return result.error == null;
-}
-function commandFailed(result) {
-  return typeof result.status === "number" && result.status !== 0;
-}
-function sanitizeCommandArgs(command, args) {
-  if (command !== "security") {
-    return args;
-  }
-  const sanitized = [];
-  for (let index = 0; index < args.length; index += 1) {
-    const value = args[index];
-    sanitized.push(value);
-    if (value === "-w" && index + 1 < args.length) {
-      sanitized.push("[REDACTED]");
-      index += 1;
-    }
-  }
-  return sanitized;
-}
-function buildCommandError(command, args, result) {
-  const stderr = typeof result.stderr === "string" && result.stderr.trim() ? result.stderr.trim() : `Command "${command}" failed with status ${String(result.status)}.`;
-  const sanitizedArgs = sanitizeCommandArgs(command, args);
-  return new Error(
-    [
-      `Unable to persist credential via ${command}.`,
-      `${command} ${sanitizedArgs.join(" ")}`,
-      stderr
-    ].join(" ")
-  );
-}
-function createMacosSecurityStore() {
-  return {
-    backend: "macos-security",
-    get(service, account) {
-      const result = spawnSync(
-        "security",
-        ["find-generic-password", "-s", service, "-a", account, "-w"],
-        { encoding: "utf8" }
-      );
-      if (commandFailed(result)) {
-        return null;
-      }
-      const secret = result.stdout.trim();
-      return secret.length ? secret : null;
-    },
-    set(service, account, secret) {
-      const args = [
-        "add-generic-password",
-        "-U",
-        "-s",
-        service,
-        "-a",
-        account,
-        "-w",
-        secret
-      ];
-      const result = spawnSync("security", args, { encoding: "utf8" });
-      if (commandFailed(result)) {
-        throw buildCommandError("security", args, result);
-      }
-    },
-    delete(service, account) {
-      const args = ["delete-generic-password", "-s", service, "-a", account];
-      const result = spawnSync("security", args, { encoding: "utf8" });
-      if (commandFailed(result)) {
-        return;
-      }
-    }
-  };
-}
-function createLinuxSecretToolStore() {
-  return {
-    backend: "linux-secret-tool",
-    get(service, account) {
-      const result = spawnSync(
-        "secret-tool",
-        ["lookup", "service", service, "account", account],
-        {
-          encoding: "utf8"
-        }
-      );
-      if (commandFailed(result)) {
-        return null;
-      }
-      const secret = result.stdout.trim();
-      return secret.length ? secret : null;
-    },
-    set(service, account, secret) {
-      const args = [
-        "store",
-        "--label",
-        "Opensteer CLI",
-        "service",
-        service,
-        "account",
-        account
-      ];
-      const result = spawnSync("secret-tool", args, {
-        encoding: "utf8",
-        input: secret
-      });
-      if (commandFailed(result)) {
-        throw buildCommandError("secret-tool", args, result);
-      }
-    },
-    delete(service, account) {
-      const args = ["clear", "service", service, "account", account];
-      spawnSync("secret-tool", args, {
-        encoding: "utf8"
-      });
-    }
-  };
-}
-function createKeychainStore() {
-  if (process.platform === "darwin") {
-    if (!commandExists("security")) {
-      return null;
-    }
-    return createMacosSecurityStore();
-  }
-  if (process.platform === "linux") {
-    if (!commandExists("secret-tool")) {
-      return null;
-    }
-    return createLinuxSecretToolStore();
-  }
-  return null;
-}
-
-// src/auth/machine-credential-store.ts
-var METADATA_VERSION = 2;
-var ACTIVE_TARGET_VERSION = 2;
-var KEYCHAIN_SERVICE = "com.opensteer.cli.cloud";
-var KEYCHAIN_ACCOUNT_PREFIX = "machine:";
-var ACTIVE_TARGET_FILE_NAME = "cli-target.json";
-var MachineCredentialStore = class {
-  authDir;
-  warn;
-  keychain = createKeychainStore();
-  warnedFallback = false;
-  constructor(options = {}) {
-    const appName = options.appName || "opensteer";
-    const env = options.env ?? process.env;
-    const configDir = resolveConfigDir(appName, env);
-    this.authDir = path.join(configDir, "auth");
-    this.warn = options.warn ?? (() => void 0);
-  }
-  readCloudCredential(target) {
-    const normalizedTarget = normalizeCloudCredentialTarget(target);
-    return this.readCredentialSlot(
-      resolveCredentialSlot(this.authDir, normalizedTarget),
-      normalizedTarget
-    );
-  }
-  writeCloudCredential(args) {
-    const accessToken = args.accessToken.trim();
-    const refreshToken2 = args.refreshToken.trim();
-    if (!accessToken || !refreshToken2) {
-      throw new Error("Cannot persist empty machine credential secrets.");
-    }
-    const baseUrl = normalizeCredentialUrl(args.baseUrl);
-    const slot = resolveCredentialSlot(this.authDir, { baseUrl });
-    ensureDirectory(this.authDir);
-    const secretPayload = {
-      accessToken,
-      refreshToken: refreshToken2
-    };
-    let secretBackend = "file";
-    if (this.keychain) {
-      try {
-        this.keychain.set(
-          KEYCHAIN_SERVICE,
-          slot.keychainAccount,
-          JSON.stringify(secretPayload)
-        );
-        secretBackend = "keychain";
-        removeFileIfExists(slot.fallbackSecretPath);
-      } catch {
-        this.writeFallbackSecret(slot, secretPayload);
-        secretBackend = "file";
-      }
-    } else {
-      this.writeFallbackSecret(slot, secretPayload);
-    }
-    const metadata = {
-      version: METADATA_VERSION,
-      secretBackend,
-      baseUrl,
-      scope: args.scope,
-      obtainedAt: args.obtainedAt,
-      expiresAt: args.expiresAt,
-      updatedAt: Date.now()
-    };
-    writeJsonFile(slot.metadataPath, metadata);
-  }
-  readActiveCloudTarget() {
-    return readActiveCloudTargetMetadata(resolveActiveTargetPath(this.authDir));
-  }
-  writeActiveCloudTarget(target) {
-    const baseUrl = normalizeCredentialUrl(target.baseUrl);
-    ensureDirectory(this.authDir);
-    writeJsonFile(resolveActiveTargetPath(this.authDir), {
-      version: ACTIVE_TARGET_VERSION,
-      baseUrl,
-      updatedAt: Date.now()
-    });
-  }
-  clearCloudCredential(target) {
-    this.clearCredentialSlot(
-      resolveCredentialSlot(this.authDir, normalizeCloudCredentialTarget(target))
-    );
-  }
-  readCredentialSlot(slot, target) {
-    const metadata = readMetadata(slot.metadataPath);
-    if (!metadata) {
-      return null;
-    }
-    if (target && !matchesCredentialTarget(metadata, target)) {
-      return null;
-    }
-    const secret = this.readSecret(slot, metadata.secretBackend);
-    if (!secret) {
-      return null;
-    }
-    return {
-      baseUrl: metadata.baseUrl,
-      scope: metadata.scope,
-      accessToken: secret.accessToken,
-      refreshToken: secret.refreshToken,
-      obtainedAt: metadata.obtainedAt,
-      expiresAt: metadata.expiresAt
-    };
-  }
-  readSecret(slot, backend) {
-    if (backend === "keychain" && this.keychain) {
-      try {
-        const secret = this.keychain.get(
-          KEYCHAIN_SERVICE,
-          slot.keychainAccount
-        );
-        if (!secret) return null;
-        return parseSecretPayload(secret);
-      } catch {
-        return null;
-      }
-    }
-    return readSecretFile(slot.fallbackSecretPath);
-  }
-  writeFallbackSecret(slot, secretPayload) {
-    writeJsonFile(slot.fallbackSecretPath, secretPayload, {
-      mode: 384
-    });
-    if (!this.warnedFallback) {
-      this.warn({
-        code: "fallback_file_store",
-        path: slot.fallbackSecretPath,
-        message: "Secure keychain is unavailable. Falling back to file-based credential storage with mode 0600."
-      });
-      this.warnedFallback = true;
-    }
-  }
-  clearCredentialSlot(slot) {
-    removeFileIfExists(slot.metadataPath);
-    removeFileIfExists(slot.fallbackSecretPath);
-    if (this.keychain) {
-      this.keychain.delete(KEYCHAIN_SERVICE, slot.keychainAccount);
-    }
-  }
-};
-function createMachineCredentialStore(options = {}) {
-  return new MachineCredentialStore(options);
-}
-function resolveCredentialSlot(authDir, target) {
-  const normalizedBaseUrl = normalizeCredentialUrl(target.baseUrl);
-  const storageKey = createHash("sha256").update(normalizedBaseUrl).digest("hex").slice(0, 24);
-  return {
-    keychainAccount: `${KEYCHAIN_ACCOUNT_PREFIX}${storageKey}`,
-    metadataPath: path.join(authDir, `cli-login.${storageKey}.json`),
-    fallbackSecretPath: path.join(
-      authDir,
-      `cli-login.${storageKey}.secret.json`
-    )
-  };
-}
-function resolveActiveTargetPath(authDir) {
-  return path.join(authDir, ACTIVE_TARGET_FILE_NAME);
-}
-function matchesCredentialTarget(value, target) {
-  return normalizeCredentialUrl(value.baseUrl) === normalizeCredentialUrl(target.baseUrl);
-}
-function normalizeCredentialUrl(value) {
-  const normalized = stripTrailingSlashes(value.trim());
-  if (!normalized) {
-    throw new Error("Cannot persist machine credential without baseUrl.");
-  }
-  return normalized;
-}
-function normalizeCloudCredentialTarget(target) {
-  return {
-    baseUrl: normalizeCredentialUrl(target.baseUrl)
-  };
-}
-function resolveConfigDir(appName, env) {
-  if (process.platform === "win32") {
-    const appData = env.APPDATA?.trim() || path.join(os.homedir(), "AppData", "Roaming");
-    return path.join(appData, appName);
-  }
-  if (process.platform === "darwin") {
-    return path.join(
-      os.homedir(),
-      "Library",
-      "Application Support",
-      appName
-    );
-  }
-  const xdgConfigHome = env.XDG_CONFIG_HOME?.trim() || path.join(os.homedir(), ".config");
-  return path.join(xdgConfigHome, appName);
-}
-function ensureDirectory(directoryPath) {
-  fs.mkdirSync(directoryPath, { recursive: true, mode: 448 });
-}
-function removeFileIfExists(filePath) {
-  try {
-    fs.rmSync(filePath, { force: true });
-  } catch {
-    return;
-  }
-}
-function readMetadata(filePath) {
-  if (!fs.existsSync(filePath)) {
-    return null;
-  }
-  try {
-    const raw = fs.readFileSync(filePath, "utf8");
-    const parsed = JSON.parse(raw);
-    if (parsed.version !== METADATA_VERSION) return null;
-    if (parsed.secretBackend !== "keychain" && parsed.secretBackend !== "file") {
-      return null;
-    }
-    if (typeof parsed.baseUrl !== "string" || !parsed.baseUrl.trim()) return null;
-    if (!Array.isArray(parsed.scope)) return null;
-    if (typeof parsed.obtainedAt !== "number") return null;
-    if (typeof parsed.expiresAt !== "number") return null;
-    if (typeof parsed.updatedAt !== "number") return null;
-    return {
-      version: parsed.version,
-      secretBackend: parsed.secretBackend,
-      baseUrl: parsed.baseUrl,
-      scope: parsed.scope.filter(
-        (value) => typeof value === "string"
-      ),
-      obtainedAt: parsed.obtainedAt,
-      expiresAt: parsed.expiresAt,
-      updatedAt: parsed.updatedAt
-    };
-  } catch {
-    return null;
-  }
-}
-function readActiveCloudTargetMetadata(filePath) {
-  if (!fs.existsSync(filePath)) {
-    return null;
-  }
-  try {
-    const raw = fs.readFileSync(filePath, "utf8");
-    const parsed = JSON.parse(raw);
-    if (parsed.version !== ACTIVE_TARGET_VERSION) {
-      return null;
-    }
-    if (typeof parsed.baseUrl !== "string" || !parsed.baseUrl.trim()) {
-      return null;
-    }
-    return {
-      baseUrl: parsed.baseUrl
-    };
-  } catch {
-    return null;
-  }
-}
-function parseSecretPayload(raw) {
-  try {
-    const parsed = JSON.parse(raw);
-    if (typeof parsed.accessToken !== "string" || !parsed.accessToken.trim() || typeof parsed.refreshToken !== "string" || !parsed.refreshToken.trim()) {
-      return null;
-    }
-    return {
-      accessToken: parsed.accessToken,
-      refreshToken: parsed.refreshToken
-    };
-  } catch {
-    return null;
-  }
-}
-function readSecretFile(filePath) {
-  if (!fs.existsSync(filePath)) {
-    return null;
-  }
-  try {
-    return parseSecretPayload(fs.readFileSync(filePath, "utf8"));
-  } catch {
-    return null;
-  }
-}
-function writeJsonFile(filePath, value, options = {}) {
-  fs.writeFileSync(filePath, JSON.stringify(value, null, 2), {
-    encoding: "utf8",
-    mode: options.mode ?? 384
-  });
-  if (typeof options.mode === "number") {
-    fs.chmodSync(filePath, options.mode);
-  }
-}
-
-// src/cli/auth.ts
-var CliAuthHttpError = class extends Error {
-  status;
-  body;
-  constructor(message, status, body) {
-    super(message);
-    this.name = "CliAuthHttpError";
-    this.status = status;
-    this.body = body;
-  }
-};
-var HELP_TEXT = `Usage: opensteer auth <command> [options]
-
-Authenticate Opensteer CLI with Opensteer Cloud.
-
-Commands:
-  login                     Start device login flow in browser
-  status                    Show saved machine login state for the selected cloud host
-  logout                    Revoke and remove saved machine login for the selected cloud host
-
-Options:
-  --base-url <url>          Cloud API base URL (defaults to env or the last selected host)
-  --json                    JSON output (login prompts go to stderr)
-  --no-browser              Do not auto-open your default browser during login
-  -h, --help                Show this help
-`;
-var DEFAULT_AUTH_SITE_URL = "https://opensteer.com";
-var INTERNAL_AUTH_SITE_URL_ENV = "OPENSTEER_INTERNAL_AUTH_SITE_URL";
-function createDefaultDeps() {
-  const env = process.env;
-  return {
-    env,
-    store: createMachineCredentialStore({
-      env,
-      warn: (warning) => {
-        process.stderr.write(`${warning.message} (${warning.path})
-`);
-      }
-    }),
-    fetchFn: fetch,
-    writeStdout: (message) => process.stdout.write(message),
-    writeStderr: (message) => process.stderr.write(message),
-    isInteractive: () => Boolean(process.stdin.isTTY && process.stdout.isTTY),
-    sleep: async (ms) => {
-      await new Promise((resolve) => setTimeout(resolve, ms));
-    },
-    now: () => Date.now(),
-    openExternalUrl: openDefaultBrowser
-  };
-}
-function readFlagValue(args, index, flag) {
-  const value = args[index + 1];
-  if (value === void 0 || value.startsWith("-")) {
-    return {
-      ok: false,
-      error: `${flag} requires a value.`
-    };
-  }
-  return {
-    ok: true,
-    value,
-    nextIndex: index + 1
-  };
-}
-function parseAuthCommonArgs(rawArgs) {
-  const args = {};
-  for (let i = 0; i < rawArgs.length; i++) {
-    const arg = rawArgs[i];
-    if (arg === "--json") {
-      args.json = true;
-      continue;
-    }
-    if (arg === "--base-url") {
-      const value = readFlagValue(rawArgs, i, "--base-url");
-      if (!value.ok) return { args, error: value.error };
-      args.baseUrl = value.value;
-      i = value.nextIndex;
-      continue;
-    }
-    return {
-      args,
-      error: `Unsupported option "${arg}".`
-    };
-  }
-  return { args };
-}
-function parseOpensteerAuthArgs(rawArgs) {
-  if (!rawArgs.length) {
-    return { mode: "help" };
-  }
-  const [subcommand, ...rest] = rawArgs;
-  if (subcommand === "--help" || subcommand === "-h" || subcommand === "help") {
-    return { mode: "help" };
-  }
-  if (subcommand === "login") {
-    let openBrowser = true;
-    const filtered = [];
-    for (const arg of rest) {
-      if (arg === "--no-browser") {
-        openBrowser = false;
-        continue;
-      }
-      filtered.push(arg);
-    }
-    const parsed = parseAuthCommonArgs(filtered);
-    if (parsed.error) return { mode: "error", error: parsed.error };
-    return {
-      mode: "login",
-      args: {
-        ...parsed.args,
-        openBrowser
-      }
-    };
-  }
-  if (subcommand === "status") {
-    const parsed = parseAuthCommonArgs(rest);
-    if (parsed.error) return { mode: "error", error: parsed.error };
-    return { mode: "status", args: parsed.args };
-  }
-  if (subcommand === "logout") {
-    const parsed = parseAuthCommonArgs(rest);
-    if (parsed.error) return { mode: "error", error: parsed.error };
-    return { mode: "logout", args: parsed.args };
-  }
-  return {
-    mode: "error",
-    error: `Unsupported auth subcommand "${subcommand}".`
-  };
-}
-function printHelp(deps) {
-  deps.writeStdout(`${HELP_TEXT}
-`);
-}
-function writeHumanLine(deps, message) {
-  deps.writeStdout(`${message}
-`);
-}
-function writeJsonLine(deps, payload) {
-  deps.writeStdout(`${JSON.stringify(payload)}
-`);
-}
-function resolveBaseUrl(provided, env) {
-  const baseUrl = normalizeCloudBaseUrl(
-    (provided || env.OPENSTEER_BASE_URL || DEFAULT_CLOUD_BASE_URL).trim()
-  );
-  assertSecureUrl(baseUrl, "--base-url");
-  return baseUrl;
-}
-function resolveAuthSiteUrl(env) {
-  const authSiteUrl = normalizeCloudBaseUrl(
-    (env[INTERNAL_AUTH_SITE_URL_ENV] || DEFAULT_AUTH_SITE_URL).trim()
-  );
-  assertSecureUrl(
-    authSiteUrl,
-    `environment variable ${INTERNAL_AUTH_SITE_URL_ENV}`
-  );
-  return authSiteUrl;
-}
-function hasExplicitCloudTargetSelection(providedBaseUrl, env) {
-  return Boolean(
-    providedBaseUrl?.trim() || env.OPENSTEER_BASE_URL?.trim()
-  );
-}
-function readRememberedCloudTarget(store) {
-  const activeTarget = store.readActiveCloudTarget();
-  if (!activeTarget) {
-    return null;
-  }
-  try {
-    const baseUrl = normalizeCloudBaseUrl(activeTarget.baseUrl);
-    assertSecureUrl(baseUrl, "--base-url");
-    return { baseUrl };
-  } catch {
-    return null;
-  }
-}
-function resolveCloudTarget(args, env, store, options = {}) {
-  if (options.allowRememberedTarget !== false && !hasExplicitCloudTargetSelection(args.baseUrl, env)) {
-    const rememberedTarget = readRememberedCloudTarget(store);
-    if (rememberedTarget) {
-      return rememberedTarget;
-    }
-  }
-  const baseUrl = resolveBaseUrl(args.baseUrl, env);
-  return { baseUrl };
-}
-function assertSecureUrl(value, flag) {
-  let parsed;
-  try {
-    parsed = new URL(value);
-  } catch {
-    throw new Error(`Invalid ${flag} "${value}".`);
-  }
-  if (parsed.protocol === "https:") {
-    return;
-  }
-  if (parsed.protocol === "http:") {
-    const host = parsed.hostname.toLowerCase();
-    if (host === "localhost" || host === "127.0.0.1" || host === "::1") {
-      return;
-    }
-  }
-  throw new Error(
-    `Insecure URL "${value}". Use HTTPS, or HTTP only for localhost.`
-  );
-}
-async function postJson(fetchFn, url, body) {
-  const response = await fetchFn(url, {
-    method: "POST",
-    headers: {
-      "content-type": "application/json"
-    },
-    body: JSON.stringify(body)
-  });
-  let payload = null;
-  try {
-    payload = await response.json();
-  } catch {
-    payload = null;
-  }
-  if (!response.ok) {
-    throw new CliAuthHttpError(
-      `Auth request failed with status ${response.status}.`,
-      response.status,
-      payload
-    );
-  }
-  return payload;
-}
-function parseScope(rawScope) {
-  if (!rawScope) return ["cloud:browser"];
-  const values = rawScope.split(" ").map((value) => value.trim()).filter(Boolean);
-  return values.length ? values : ["cloud:browser"];
-}
-function parseCliTokenResponse(payload) {
-  const accessToken = typeof payload.access_token === "string" ? payload.access_token.trim() : "";
-  const refreshToken2 = typeof payload.refresh_token === "string" ? payload.refresh_token.trim() : "";
-  const expiresInSec = typeof payload.expires_in === "number" && Number.isFinite(payload.expires_in) && payload.expires_in > 0 ? Math.trunc(payload.expires_in) : 0;
-  if (!accessToken || !refreshToken2 || !expiresInSec) {
-    throw new Error("Invalid token response from cloud auth endpoint.");
-  }
-  return {
-    accessToken,
-    refreshToken: refreshToken2,
-    expiresInSec,
-    scope: parseScope(payload.scope)
-  };
-}
-function parseCliOauthError(error) {
-  if (!error || typeof error !== "object" || Array.isArray(error)) {
-    return null;
-  }
-  const root = error;
-  return {
-    error: typeof root.error === "string" ? root.error : void 0,
-    error_description: typeof root.error_description === "string" ? root.error_description : void 0,
-    interval: typeof root.interval === "number" ? root.interval : void 0
-  };
-}
-async function startDeviceAuthorization(authSiteUrl, fetchFn) {
-  const response = await postJson(
-    fetchFn,
-    `${authSiteUrl}/api/cli-auth/device/start`,
-    {
-      scope: ["cloud:browser"]
-    }
-  );
-  if (!response || typeof response.device_code !== "string" || !response.device_code.trim() || typeof response.user_code !== "string" || !response.user_code.trim() || typeof response.verification_uri_complete !== "string" || !response.verification_uri_complete.trim() || typeof response.expires_in !== "number" || response.expires_in <= 0 || typeof response.interval !== "number" || response.interval <= 0) {
-    throw new Error("Invalid device authorization response from cloud.");
-  }
-  return response;
-}
-async function pollDeviceToken(authSiteUrl, deviceCode, fetchFn) {
-  return await postJson(
-    fetchFn,
-    `${authSiteUrl}/api/cli-auth/device/token`,
-    {
-      grant_type: "urn:ietf:params:oauth:grant-type:device_code",
-      device_code: deviceCode
-    }
-  );
-}
-async function refreshToken(authSiteUrl, refreshTokenValue, fetchFn) {
-  return await postJson(fetchFn, `${authSiteUrl}/api/cli-auth/token`, {
-    grant_type: "refresh_token",
-    refresh_token: refreshTokenValue
-  });
-}
-async function revokeToken(authSiteUrl, refreshTokenValue, fetchFn) {
-  await postJson(fetchFn, `${authSiteUrl}/api/cli-auth/revoke`, {
-    token: refreshTokenValue
-  });
-}
-async function openDefaultBrowser(url) {
-  try {
-    const child = await open(url, {
-      wait: false
-    });
-    child.on("error", () => void 0);
-    child.unref();
-    return true;
-  } catch {
-    return false;
-  }
-}
-async function runDeviceLoginFlow(args) {
-  const start = await startDeviceAuthorization(args.authSiteUrl, args.fetchFn);
-  if (args.openBrowser) {
-    args.writeProgress(
-      "Opening your default browser for Opensteer CLI authentication.\n"
-    );
-    args.writeProgress(
-      `If nothing opens, use this URL:
-${start.verification_uri_complete}
-`
-    );
-  } else {
-    if (args.openBrowserDisabledReason) {
-      args.writeProgress(
-        `Automatic browser open is disabled (${args.openBrowserDisabledReason}).
-`
-      );
-    }
-    args.writeProgress(
-      `Open this URL to authenticate Opensteer CLI:
-${start.verification_uri_complete}
-`
-    );
-  }
-  args.writeProgress(`Verification code: ${start.user_code}
-`);
-  if (args.openBrowser) {
-    const browserOpened = await args.openExternalUrl(
-      start.verification_uri_complete
-    );
-    if (browserOpened) {
-      args.writeProgress(
-        "Opened your default browser. Finish authentication there; this terminal will continue automatically.\n"
-      );
-    } else {
-      args.writeProgress(
-        "Could not open your default browser automatically. Paste the URL above into a browser to continue.\n"
-      );
-    }
-  }
-  const deadline = args.now() + start.expires_in * 1e3;
-  let pollIntervalMs = Math.max(1, Math.trunc(start.interval)) * 1e3;
-  while (args.now() <= deadline) {
-    await args.sleep(pollIntervalMs);
-    try {
-      const tokenPayload = await pollDeviceToken(
-        args.authSiteUrl,
-        start.device_code,
-        args.fetchFn
-      );
-      const parsed = parseCliTokenResponse(tokenPayload);
-      return {
-        accessToken: parsed.accessToken,
-        refreshToken: parsed.refreshToken,
-        expiresAt: args.now() + parsed.expiresInSec * 1e3,
-        scope: parsed.scope
-      };
-    } catch (error) {
-      if (error instanceof CliAuthHttpError) {
-        const oauthError = parseCliOauthError(error.body);
-        if (!oauthError?.error) {
-          throw error;
-        }
-        if (oauthError.error === "authorization_pending") {
-          continue;
-        }
-        if (oauthError.error === "slow_down") {
-          const hintedInterval = typeof oauthError.interval === "number" && oauthError.interval > 0 ? Math.trunc(oauthError.interval) * 1e3 : pollIntervalMs + 5e3;
-          pollIntervalMs = Math.max(hintedInterval, pollIntervalMs + 1e3);
-          continue;
-        }
-        if (oauthError.error === "expired_token") {
-          throw new Error(
-            'Device authorization expired before approval. Run "opensteer auth login" again.'
-          );
-        }
-        if (oauthError.error === "access_denied") {
-          throw new Error(
-            'Cloud login was denied. Run "opensteer auth login" to retry.'
-          );
-        }
-        throw new Error(
-          oauthError.error_description || `Cloud login failed: ${oauthError.error}.`
-        );
-      }
-      throw error;
-    }
-  }
-  throw new Error(
-    'Timed out waiting for cloud login approval. Run "opensteer auth login" again.'
-  );
-}
-async function refreshSavedCredential(saved, deps) {
-  const tokenPayload = await refreshToken(
-    resolveAuthSiteUrl(deps.env),
-    saved.refreshToken,
-    deps.fetchFn
-  );
-  const parsed = parseCliTokenResponse(tokenPayload);
-  const updated = {
-    accessToken: parsed.accessToken,
-    refreshToken: parsed.refreshToken,
-    expiresAt: deps.now() + parsed.expiresInSec * 1e3,
-    scope: parsed.scope
-  };
-  deps.store.writeCloudCredential({
-    baseUrl: saved.baseUrl,
-    scope: updated.scope,
-    accessToken: updated.accessToken,
-    refreshToken: updated.refreshToken,
-    obtainedAt: deps.now(),
-    expiresAt: updated.expiresAt
-  });
-  return updated;
-}
-async function ensureSavedCredentialIsFresh(saved, deps) {
-  const refreshSkewMs = 6e4;
-  if (saved.expiresAt > deps.now() + refreshSkewMs) {
-    return saved;
-  }
-  try {
-    const refreshed = await refreshSavedCredential(saved, deps);
-    return {
-      ...saved,
-      accessToken: refreshed.accessToken,
-      refreshToken: refreshed.refreshToken,
-      expiresAt: refreshed.expiresAt,
-      scope: refreshed.scope,
-      obtainedAt: deps.now()
-    };
-  } catch (error) {
-    if (error instanceof CliAuthHttpError) {
-      const oauth = parseCliOauthError(error.body);
-      if (oauth?.error === "invalid_grant" || oauth?.error === "expired_token") {
-        deps.store.clearCloudCredential({
-          baseUrl: saved.baseUrl
-        });
-        return null;
-      }
-    }
-    deps.writeStderr(
-      `Unable to refresh saved cloud login: ${error instanceof Error ? error.message : "unknown error"}
-`
-    );
-    return null;
-  }
-}
-function toAuthMissingMessage(commandName) {
-  return [
-    `${commandName} requires cloud authentication.`,
-    'Use --api-key, --access-token, OPENSTEER_API_KEY, OPENSTEER_ACCESS_TOKEN, or run "opensteer auth login".'
-  ].join(" ");
-}
-function describeBrowserOpenMode(args, deps) {
-  if (!args.openBrowser) {
-    return {
-      enabled: false,
-      disabledReason: "--no-browser"
-    };
-  }
-  if (!deps.isInteractive()) {
-    return {
-      enabled: false,
-      disabledReason: "this shell is not interactive"
-    };
-  }
-  if (isCiEnvironment(deps.env)) {
-    return {
-      enabled: false,
-      disabledReason: "CI"
-    };
-  }
-  return {
-    enabled: true
-  };
-}
-function isCiEnvironment(env) {
-  const value = env.CI?.trim().toLowerCase();
-  return Boolean(value && value !== "0" && value !== "false");
-}
-function resolveCloudSessionEnvForRootDir(rootDir, env) {
-  const resolved = resolveConfigWithEnv(
-    {
-      storage: { rootDir }
-    },
-    {
-      env
-    }
-  );
-  return {
-    cloud: resolveCloudSelection(
-      {
-        cloud: resolved.config.cloud
-      },
-      resolved.env
-    ).cloud,
-    env: resolved.env
-  };
-}
-function isCloudModeEnabledForRootDir(rootDir, env) {
-  return resolveCloudSessionEnvForRootDir(rootDir, env).cloud;
-}
-async function ensureCloudCredentialsForOpenCommand(options) {
-  const processEnv = options.env ?? process.env;
-  const runtime = resolveCloudSessionEnvForRootDir(options.scopeDir, processEnv);
-  if (!runtime.cloud) {
-    return null;
-  }
-  const writeStderr = options.writeStderr ?? ((message) => process.stderr.write(message));
-  const auth = await ensureCloudCredentialsForCommand({
-    commandName: "opensteer open",
-    env: runtime.env,
-    store: options.store,
-    apiKeyFlag: options.apiKeyFlag,
-    accessTokenFlag: options.accessTokenFlag,
-    interactive: options.interactive,
-    autoLoginIfNeeded: true,
-    writeProgress: options.writeProgress ?? writeStderr,
-    writeStderr,
-    fetchFn: options.fetchFn,
-    sleep: options.sleep,
-    now: options.now,
-    openExternalUrl: options.openExternalUrl
-  });
-  applyCloudCredentialToEnv(processEnv, {
-    kind: auth.kind,
-    source: auth.source,
-    token: auth.token,
-    authScheme: auth.authScheme
-  });
-  processEnv.OPENSTEER_BASE_URL = auth.baseUrl;
-  return auth;
-}
-async function ensureCloudCredentialsForCommand(options) {
-  const env = options.env ?? process.env;
-  const writeProgress = options.writeProgress ?? options.writeStdout ?? ((message) => process.stdout.write(message));
-  const writeStderr = options.writeStderr ?? ((message) => process.stderr.write(message));
-  const fetchFn = options.fetchFn ?? fetch;
-  const sleep = options.sleep ?? (async (ms) => {
-    await new Promise((resolve) => setTimeout(resolve, ms));
-  });
-  const now = options.now ?? Date.now;
-  const openExternalUrl = options.openExternalUrl ?? openDefaultBrowser;
-  const store = options.store ?? createMachineCredentialStore({
-    env,
-    warn: (warning) => {
-      writeStderr(`${warning.message} (${warning.path})
-`);
-    }
-  });
-  const { baseUrl } = resolveCloudTarget(options, env, store);
-  const initialCredential = resolveCloudCredential({
-    env,
-    apiKeyFlag: options.apiKeyFlag,
-    accessTokenFlag: options.accessTokenFlag
-  });
-  let credential = initialCredential;
-  if (!credential) {
-    const saved = store.readCloudCredential({ baseUrl });
-    const freshSaved = saved ? await ensureSavedCredentialIsFresh(saved, {
-      env,
-      fetchFn,
-      store,
-      now,
-      writeStderr
-    }) : null;
-    if (freshSaved) {
-      credential = {
-        kind: "access-token",
-        source: "saved",
-        token: freshSaved.accessToken,
-        authScheme: "bearer"
-      };
-    }
-  }
-  if (!credential) {
-    if (options.autoLoginIfNeeded && (options.interactive ?? false)) {
-      const loggedIn = await runDeviceLoginFlow({
-        authSiteUrl: resolveAuthSiteUrl(env),
-        fetchFn,
-        writeProgress,
-        openExternalUrl,
-        sleep,
-        now,
-        openBrowser: true
-      });
-      store.writeCloudCredential({
-        baseUrl,
-        scope: loggedIn.scope,
-        accessToken: loggedIn.accessToken,
-        refreshToken: loggedIn.refreshToken,
-        obtainedAt: now(),
-        expiresAt: loggedIn.expiresAt
-      });
-      credential = {
-        kind: "access-token",
-        source: "saved",
-        token: loggedIn.accessToken,
-        authScheme: "bearer"
-      };
-      writeProgress("Cloud login complete.\n");
-    } else {
-      throw new Error(toAuthMissingMessage(options.commandName));
-    }
-  }
-  store.writeActiveCloudTarget({ baseUrl });
-  applyCloudCredentialToEnv(env, credential);
-  env.OPENSTEER_BASE_URL = baseUrl;
-  return {
-    token: credential.token,
-    authScheme: credential.authScheme,
-    source: credential.source,
-    kind: credential.kind,
-    baseUrl
-  };
-}
-async function runLogin(args, deps) {
-  const { baseUrl } = resolveCloudTarget(args, deps.env, deps.store, {
-    allowRememberedTarget: false
-  });
-  const writeProgress = args.json ? deps.writeStderr : deps.writeStdout;
-  const browserOpenMode = describeBrowserOpenMode(args, deps);
-  const login = await runDeviceLoginFlow({
-    authSiteUrl: resolveAuthSiteUrl(deps.env),
-    fetchFn: deps.fetchFn,
-    writeProgress,
-    openExternalUrl: deps.openExternalUrl,
-    sleep: deps.sleep,
-    now: deps.now,
-    openBrowser: browserOpenMode.enabled,
-    openBrowserDisabledReason: browserOpenMode.disabledReason
-  });
-  deps.store.writeCloudCredential({
-    baseUrl,
-    scope: login.scope,
-    accessToken: login.accessToken,
-    refreshToken: login.refreshToken,
-    obtainedAt: deps.now(),
-    expiresAt: login.expiresAt
-  });
-  deps.store.writeActiveCloudTarget({ baseUrl });
-  if (args.json) {
-    writeJsonLine(deps, {
-      loggedIn: true,
-      baseUrl,
-      expiresAt: login.expiresAt,
-      scope: login.scope,
-      authSource: "device"
-    });
-    return 0;
-  }
-  writeHumanLine(deps, "Opensteer CLI login successful.");
-  return 0;
-}
-async function runStatus(args, deps) {
-  const { baseUrl } = resolveCloudTarget(args, deps.env, deps.store);
-  deps.store.writeActiveCloudTarget({ baseUrl });
-  const saved = deps.store.readCloudCredential({ baseUrl });
-  if (!saved) {
-    if (args.json) {
-      writeJsonLine(deps, {
-        loggedIn: false,
-        baseUrl
-      });
-    } else {
-      writeHumanLine(deps, `Opensteer CLI is not logged in for ${baseUrl}.`);
-    }
-    return 0;
-  }
-  const now = deps.now();
-  const expired = saved.expiresAt <= now;
-  if (args.json) {
-    writeJsonLine(deps, {
-      loggedIn: true,
-      expired,
-      baseUrl: saved.baseUrl,
-      expiresAt: saved.expiresAt,
-      scope: saved.scope
-    });
-    return 0;
-  }
-  writeHumanLine(
-    deps,
-    expired ? "Opensteer CLI has a saved login, but the access token is expired." : "Opensteer CLI is logged in."
-  );
-  writeHumanLine(deps, `  API Base URL: ${saved.baseUrl}`);
-  writeHumanLine(deps, `  Expires At: ${new Date(saved.expiresAt).toISOString()}`);
-  return 0;
-}
-async function runLogout(args, deps) {
-  const { baseUrl } = resolveCloudTarget(args, deps.env, deps.store);
-  deps.store.writeActiveCloudTarget({ baseUrl });
-  const saved = deps.store.readCloudCredential({ baseUrl });
-  if (saved) {
-    try {
-      await revokeToken(
-        resolveAuthSiteUrl(deps.env),
-        saved.refreshToken,
-        deps.fetchFn
-      );
-    } catch {
-    }
-  }
-  deps.store.clearCloudCredential({ baseUrl });
-  if (args.json) {
-    writeJsonLine(deps, {
-      loggedOut: true,
-      baseUrl
-    });
-    return 0;
-  }
-  writeHumanLine(deps, `Opensteer CLI login removed for ${baseUrl}.`);
-  return 0;
-}
-async function runOpensteerAuthCli(rawArgs, overrideDeps = {}) {
-  const deps = {
-    ...createDefaultDeps(),
-    ...overrideDeps
-  };
-  const parsed = parseOpensteerAuthArgs(rawArgs);
-  if (parsed.mode === "help") {
-    printHelp(deps);
-    return 0;
-  }
-  if (parsed.mode === "error") {
-    deps.writeStderr(`${parsed.error}
-`);
-    deps.writeStderr('Run "opensteer auth --help" for usage.\n');
-    return 1;
-  }
-  try {
-    if (parsed.mode === "login") {
-      return await runLogin(parsed.args, deps);
-    }
-    if (parsed.mode === "status") {
-      return await runStatus(parsed.args, deps);
-    }
-    return await runLogout(parsed.args, deps);
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Auth command failed.";
-    deps.writeStderr(`${message}
-`);
-    return 1;
-  }
-}
-
-export {
-  createKeychainStore,
-  parseOpensteerAuthArgs,
-  isCloudModeEnabledForRootDir,
-  ensureCloudCredentialsForOpenCommand,
-  ensureCloudCredentialsForCommand,
-  runOpensteerAuthCli
-};