opensteer 0.6.13 → 0.7.0

package/dist/cli/auth.cjs

@@ -1,2022 +0,0 @@
-"use strict";
-var __create = Object.create;
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-
-// src/cli/auth.ts
-var auth_exports = {};
-__export(auth_exports, {
-  ensureCloudCredentialsForCommand: () => ensureCloudCredentialsForCommand,
-  ensureCloudCredentialsForOpenCommand: () => ensureCloudCredentialsForOpenCommand,
-  isCloudModeEnabledForRootDir: () => isCloudModeEnabledForRootDir,
-  parseOpensteerAuthArgs: () => parseOpensteerAuthArgs,
-  runOpensteerAuthCli: () => runOpensteerAuthCli
-});
-module.exports = __toCommonJS(auth_exports);
-var import_open = __toESM(require("open"), 1);
-
-// src/cloud/cdp-client.ts
-var import_playwright = require("playwright");
-
-// src/cloud/contracts.ts
-var cloudActionMethods = [
-  "goto",
-  "snapshot",
-  "screenshot",
-  "state",
-  "click",
-  "dblclick",
-  "rightclick",
-  "hover",
-  "input",
-  "select",
-  "scroll",
-  "tabs",
-  "newTab",
-  "switchTab",
-  "closeTab",
-  "getCookies",
-  "setCookie",
-  "clearCookies",
-  "pressKey",
-  "type",
-  "getElementText",
-  "getElementValue",
-  "getElementAttributes",
-  "getElementBoundingBox",
-  "getHtml",
-  "getTitle",
-  "uploadFile",
-  "exportCookies",
-  "importCookies",
-  "waitForText",
-  "extract",
-  "extractFromPlan",
-  "clearCache"
-];
-var cloudErrorCodes = [
-  "CLOUD_AUTH_FAILED",
-  "CLOUD_SESSION_NOT_FOUND",
-  "CLOUD_SESSION_CLOSED",
-  "CLOUD_UNSUPPORTED_METHOD",
-  "CLOUD_INVALID_REQUEST",
-  "CLOUD_MODEL_NOT_ALLOWED",
-  "CLOUD_ACTION_FAILED",
-  "CLOUD_CAPACITY_EXHAUSTED",
-  "CLOUD_RUNTIME_UNAVAILABLE",
-  "CLOUD_RUNTIME_MISMATCH",
-  "CLOUD_SESSION_STALE",
-  "CLOUD_CONTROL_PLANE_ERROR",
-  "CLOUD_CONTRACT_MISMATCH",
-  "CLOUD_PROXY_UNAVAILABLE",
-  "CLOUD_PROXY_REQUIRED",
-  "CLOUD_BILLING_LIMIT_REACHED",
-  "CLOUD_RATE_LIMITED",
-  "CLOUD_BROWSER_PROFILE_NOT_FOUND",
-  "CLOUD_BROWSER_PROFILE_BUSY",
-  "CLOUD_BROWSER_PROFILE_DISABLED",
-  "CLOUD_BROWSER_PROFILE_PROXY_UNAVAILABLE",
-  "CLOUD_BROWSER_PROFILE_SYNC_FAILED",
-  "CLOUD_INTERNAL"
-];
-var cloudSessionStatuses = [
-  "provisioning",
-  "active",
-  "closing",
-  "closed",
-  "failed"
-];
-var cloudSessionSourceTypes = [
-  "agent-thread",
-  "agent-run",
-  "project-agent-run",
-  "local-cloud",
-  "manual"
-];
-var cloudActionMethodSet = new Set(cloudActionMethods);
-var cloudErrorCodeSet = new Set(cloudErrorCodes);
-var cloudSessionSourceTypeSet = new Set(
-  cloudSessionSourceTypes
-);
-var cloudSessionStatusSet = new Set(cloudSessionStatuses);
-
-// src/utils/strip-trailing-slashes.ts
-function stripTrailingSlashes(value) {
-  let end = value.length;
-  while (end > 0 && value.charCodeAt(end - 1) === 47) {
-    end -= 1;
-  }
-  return end === value.length ? value : value.slice(0, end);
-}
-
-// src/cloud/http-client.ts
-function normalizeCloudBaseUrl(baseUrl) {
-  return stripTrailingSlashes(baseUrl);
-}
-
-// src/cloud/runtime.ts
-var DEFAULT_CLOUD_BASE_URL = "https://api.opensteer.com";
-
-// src/config.ts
-var import_fs = __toESM(require("fs"), 1);
-var import_path = __toESM(require("path"), 1);
-var import_dotenv = require("dotenv");
-
-// src/error-normalization.ts
-function extractErrorMessage(error, fallback = "Unknown error.") {
-  if (error instanceof Error) {
-    const message = error.message.trim();
-    if (message) return message;
-    const name = error.name.trim();
-    if (name) return name;
-  }
-  if (typeof error === "string" && error.trim()) {
-    return error.trim();
-  }
-  const record = asRecord(error);
-  const recordMessage = toNonEmptyString(record?.message) || toNonEmptyString(record?.error);
-  if (recordMessage) {
-    return recordMessage;
-  }
-  return fallback;
-}
-function asRecord(value) {
-  if (!value || typeof value !== "object" || Array.isArray(value)) {
-    return null;
-  }
-  return value;
-}
-function toNonEmptyString(value) {
-  if (typeof value !== "string") return void 0;
-  const normalized = value.trim();
-  return normalized.length ? normalized : void 0;
-}
-
-// src/cloud/credential-selection.ts
-function selectCloudCredential(options) {
-  const apiKey = normalizeNonEmptyString(options.apiKey);
-  const accessToken = normalizeNonEmptyString(options.accessToken);
-  if (apiKey) {
-    if (options.authScheme === "bearer") {
-      return {
-        apiKey,
-        authScheme: "bearer",
-        kind: "access-token",
-        token: apiKey,
-        compatibilityBearerApiKey: true
-      };
-    }
-    return {
-      apiKey,
-      authScheme: "api-key",
-      kind: "api-key",
-      token: apiKey
-    };
-  }
-  if (accessToken) {
-    return {
-      accessToken,
-      authScheme: "bearer",
-      kind: "access-token",
-      token: accessToken
-    };
-  }
-  return null;
-}
-function selectCloudCredentialByPrecedence(layers, authScheme) {
-  for (const layer of layers) {
-    const hasApiKey = layer.hasApiKey ?? Object.prototype.hasOwnProperty.call(layer, "apiKey");
-    const hasAccessToken = layer.hasAccessToken ?? Object.prototype.hasOwnProperty.call(layer, "accessToken");
-    if (!hasApiKey && !hasAccessToken) {
-      continue;
-    }
-    return {
-      source: layer.source,
-      apiKey: layer.apiKey,
-      accessToken: layer.accessToken,
-      hasApiKey,
-      hasAccessToken,
-      credential: selectCloudCredential({
-        apiKey: layer.apiKey,
-        accessToken: layer.accessToken,
-        authScheme: layer.authScheme ?? authScheme
-      })
-    };
-  }
-  return null;
-}
-function normalizeNonEmptyString(value) {
-  if (typeof value !== "string") return void 0;
-  const normalized = value.trim();
-  return normalized.length ? normalized : void 0;
-}
-
-// src/config.ts
-var DEFAULT_CONFIG = {
-  browser: {
-    headless: void 0,
-    executablePath: void 0,
-    slowMo: 0,
-    mode: void 0,
-    cdpUrl: void 0,
-    userDataDir: void 0,
-    profileDirectory: void 0
-  },
-  storage: {
-    rootDir: process.cwd()
-  },
-  cursor: {
-    enabled: false,
-    profile: "snappy"
-  },
-  model: "gpt-5.1",
-  debug: false
-};
-function dotenvFileOrder(nodeEnv) {
-  const normalized = nodeEnv?.trim() || "";
-  const files = [];
-  if (normalized) {
-    files.push(`.env.${normalized}.local`);
-  }
-  if (normalized !== "test") {
-    files.push(".env.local");
-  }
-  if (normalized) {
-    files.push(`.env.${normalized}`);
-  }
-  files.push(".env");
-  return files;
-}
-function loadDotenvValues(rootDir, baseEnv, options = {}) {
-  const values = {};
-  if (parseBool(baseEnv.OPENSTEER_DISABLE_DOTENV_AUTOLOAD) === true) {
-    return values;
-  }
-  const debug = options.debug ?? parseBool(baseEnv.OPENSTEER_DEBUG) === true;
-  const baseDir = import_path.default.resolve(rootDir);
-  const nodeEnv = baseEnv.NODE_ENV?.trim() || "";
-  for (const filename of dotenvFileOrder(nodeEnv)) {
-    const filePath = import_path.default.join(baseDir, filename);
-    if (!import_fs.default.existsSync(filePath)) continue;
-    try {
-      const raw = import_fs.default.readFileSync(filePath, "utf8");
-      const parsed = (0, import_dotenv.parse)(raw);
-      for (const [key, value] of Object.entries(parsed)) {
-        if (values[key] === void 0) {
-          values[key] = value;
-        }
-      }
-    } catch (error) {
-      const message = extractErrorMessage(
-        error,
-        "Unable to read or parse dotenv file."
-      );
-      if (debug) {
-        console.warn(
-          `[opensteer] failed to load dotenv file "${filePath}": ${message}`
-        );
-      }
-      continue;
-    }
-  }
-  return values;
-}
-function resolveEnv(rootDir, options = {}) {
-  const baseEnv = options.baseEnv ?? process.env;
-  const dotenvValues = loadDotenvValues(rootDir, baseEnv, options);
-  return {
-    ...dotenvValues,
-    ...baseEnv
-  };
-}
-function hasOwn(config, key) {
-  if (!config || typeof config !== "object") return false;
-  return Object.prototype.hasOwnProperty.call(config, key);
-}
-function hasLegacyAiConfig(config) {
-  return hasOwn(config, "ai");
-}
-function assertNoLegacyAiConfig(source, config) {
-  if (hasLegacyAiConfig(config)) {
-    throw new Error(
-      `Legacy "ai" config is no longer supported in ${source}. Use top-level "model" instead.`
-    );
-  }
-}
-function assertNoLegacyRuntimeConfig(source, config) {
-  if (!config || typeof config !== "object") return;
-  const configRecord = config;
-  if (hasOwn(configRecord, "runtime")) {
-    throw new Error(
-      `Legacy "runtime" config is no longer supported in ${source}. Use top-level "cloud" instead.`
-    );
-  }
-  if (hasOwn(configRecord, "mode")) {
-    throw new Error(
-      `Top-level "mode" config is no longer supported in ${source}. Use "cloud: true" to enable cloud mode.`
-    );
-  }
-  if (hasOwn(configRecord, "remote")) {
-    throw new Error(
-      `Top-level "remote" config is no longer supported in ${source}. Use "cloud" options instead.`
-    );
-  }
-  if (hasOwn(configRecord, "apiKey")) {
-    throw new Error(
-      `Top-level "apiKey" config is not supported in ${source}. Use "cloud.apiKey" instead.`
-    );
-  }
-}
-function loadConfigFile(rootDir, options = {}) {
-  const configPath = import_path.default.join(rootDir, ".opensteer", "config.json");
-  if (!import_fs.default.existsSync(configPath)) return {};
-  try {
-    const raw = import_fs.default.readFileSync(configPath, "utf8");
-    return JSON.parse(raw);
-  } catch (error) {
-    const message = extractErrorMessage(
-      error,
-      "Unable to read or parse config file."
-    );
-    if (options.debug) {
-      console.warn(
-        `[opensteer] failed to load config file "${configPath}": ${message}`
-      );
-    }
-    return {};
-  }
-}
-function mergeDeep(base, patch) {
-  const out = {
-    ...base
-  };
-  for (const [key, value] of Object.entries(patch || {})) {
-    const currentValue = out[key];
-    if (value && typeof value === "object" && !Array.isArray(value) && currentValue && typeof currentValue === "object" && !Array.isArray(currentValue)) {
-      out[key] = mergeDeep(
-        currentValue,
-        value
-      );
-      continue;
-    }
-    if (value !== void 0) {
-      out[key] = value;
-    }
-  }
-  return out;
-}
-function parseBool(value) {
-  if (value == null) return void 0;
-  const normalized = value.trim().toLowerCase();
-  if (normalized === "true" || normalized === "1") return true;
-  if (normalized === "false" || normalized === "0") return false;
-  return void 0;
-}
-function parseNumber(value) {
-  if (value == null || value.trim() === "") return void 0;
-  const parsed = Number(value);
-  if (!Number.isFinite(parsed)) return void 0;
-  return parsed;
-}
-function parseRuntimeMode(value, source) {
-  if (value == null) return void 0;
-  if (typeof value !== "string") {
-    throw new Error(
-      `Invalid ${source} value "${String(value)}". Use "local" or "cloud".`
-    );
-  }
-  const normalized = value.trim().toLowerCase();
-  if (!normalized) return void 0;
-  if (normalized === "local" || normalized === "cloud") {
-    return normalized;
-  }
-  throw new Error(
-    `Invalid ${source} value "${value}". Use "local" or "cloud".`
-  );
-}
-function parseAuthScheme(value, source) {
-  if (value == null) return void 0;
-  if (typeof value !== "string") {
-    throw new Error(
-      `Invalid ${source} value "${String(value)}". Use "api-key" or "bearer".`
-    );
-  }
-  const normalized = value.trim().toLowerCase();
-  if (!normalized) return void 0;
-  if (normalized === "api-key" || normalized === "bearer") {
-    return normalized;
-  }
-  throw new Error(
-    `Invalid ${source} value "${value}". Use "api-key" or "bearer".`
-  );
-}
-function parseCloudAnnounce(value, source) {
-  if (value == null) return void 0;
-  if (typeof value !== "string") {
-    throw new Error(
-      `Invalid ${source} value "${String(value)}". Use "always", "off", or "tty".`
-    );
-  }
-  const normalized = value.trim().toLowerCase();
-  if (!normalized) return void 0;
-  if (normalized === "always" || normalized === "off" || normalized === "tty") {
-    return normalized;
-  }
-  throw new Error(
-    `Invalid ${source} value "${value}". Use "always", "off", or "tty".`
-  );
-}
-function resolveOpensteerApiKey(env) {
-  const value = env.OPENSTEER_API_KEY?.trim();
-  if (!value) return void 0;
-  return value;
-}
-function resolveOpensteerAccessToken(env) {
-  const value = env.OPENSTEER_ACCESS_TOKEN?.trim();
-  if (!value) return void 0;
-  return value;
-}
-function resolveOpensteerBaseUrl(env) {
-  const value = env.OPENSTEER_BASE_URL?.trim();
-  if (!value) return void 0;
-  return value;
-}
-function resolveOpensteerAuthScheme(env) {
-  return parseAuthScheme(env.OPENSTEER_AUTH_SCHEME, "OPENSTEER_AUTH_SCHEME");
-}
-function resolveOpensteerCloudProfileId(env) {
-  const value = env.OPENSTEER_CLOUD_PROFILE_ID?.trim();
-  if (!value) return void 0;
-  return value;
-}
-function resolveOpensteerCloudProfileReuseIfActive(env) {
-  return parseBool(env.OPENSTEER_CLOUD_PROFILE_REUSE_IF_ACTIVE);
-}
-function parseCloudBrowserProfileReuseIfActive(value) {
-  if (value == null) return void 0;
-  if (typeof value !== "boolean") {
-    throw new Error(
-      `Invalid cloud.browserProfile.reuseIfActive value "${String(
-        value
-      )}". Use true or false.`
-    );
-  }
-  return value;
-}
-function normalizeCloudBrowserProfileOptions(value, source) {
-  if (value == null) {
-    return void 0;
-  }
-  if (typeof value !== "object" || Array.isArray(value)) {
-    throw new Error(
-      `Invalid ${source} value "${String(value)}". Use an object with profileId and optional reuseIfActive.`
-    );
-  }
-  const record = value;
-  const rawProfileId = record.profileId;
-  if (typeof rawProfileId !== "string" || !rawProfileId.trim()) {
-    throw new Error(
-      `${source}.profileId must be a non-empty string when browserProfile is provided.`
-    );
-  }
-  return {
-    profileId: rawProfileId.trim(),
-    reuseIfActive: parseCloudBrowserProfileReuseIfActive(record.reuseIfActive)
-  };
-}
-function resolveEnvCloudBrowserProfile(profileId, reuseIfActive) {
-  if (reuseIfActive !== void 0 && !profileId) {
-    throw new Error(
-      "OPENSTEER_CLOUD_PROFILE_REUSE_IF_ACTIVE requires OPENSTEER_CLOUD_PROFILE_ID."
-    );
-  }
-  if (!profileId) {
-    return void 0;
-  }
-  return {
-    profileId,
-    reuseIfActive
-  };
-}
-function normalizeCloudOptions(value) {
-  if (!value || typeof value !== "object" || Array.isArray(value)) {
-    return void 0;
-  }
-  return value;
-}
-function parseCloudEnabled(value, source) {
-  if (value == null) return void 0;
-  if (typeof value === "boolean") return value;
-  if (typeof value === "object" && !Array.isArray(value)) return true;
-  throw new Error(
-    `Invalid ${source} value "${String(value)}". Use true, false, or a cloud options object.`
-  );
-}
-function resolveCloudCredentialFields(selectedLayer) {
-  const credential = selectedLayer?.credential;
-  if (!credential) return {};
-  if (credential.kind === "api-key" || credential.compatibilityBearerApiKey === true && selectedLayer?.source !== "env") {
-    return {
-      apiKey: credential.token
-    };
-  }
-  return {
-    accessToken: credential.token
-  };
-}
-function resolveCloudSelection(config, env = process.env) {
-  const configCloud = parseCloudEnabled(config.cloud, "cloud");
-  if (configCloud !== void 0) {
-    return {
-      cloud: configCloud,
-      source: "config.cloud"
-    };
-  }
-  const envMode = parseRuntimeMode(env.OPENSTEER_MODE, "OPENSTEER_MODE");
-  if (envMode) {
-    return {
-      cloud: envMode === "cloud",
-      source: "env.OPENSTEER_MODE"
-    };
-  }
-  return {
-    cloud: false,
-    source: "default"
-  };
-}
-function resolveConfigWithEnv(input = {}, options = {}) {
-  const processEnv = options.env ?? process.env;
-  const debugHint = typeof input.debug === "boolean" ? input.debug : parseBool(processEnv.OPENSTEER_DEBUG) === true;
-  const initialRootDir = input.storage?.rootDir ?? process.cwd();
-  const runtimeDefaults = mergeDeep(DEFAULT_CONFIG, {
-    storage: {
-      rootDir: initialRootDir
-    }
-  });
-  assertNoLegacyAiConfig("Opensteer constructor config", input);
-  assertNoLegacyRuntimeConfig("Opensteer constructor config", input);
-  const fileConfig = loadConfigFile(initialRootDir, {
-    debug: debugHint
-  });
-  assertNoLegacyAiConfig(".opensteer/config.json", fileConfig);
-  assertNoLegacyRuntimeConfig(".opensteer/config.json", fileConfig);
-  const fileCloudOptions = normalizeCloudOptions(fileConfig.cloud);
-  const fileHasCloudApiKey = hasOwn(fileCloudOptions, "apiKey");
-  const fileHasCloudAccessToken = hasOwn(fileCloudOptions, "accessToken");
-  const fileRootDir = typeof fileConfig.storage?.rootDir === "string" ? fileConfig.storage.rootDir : void 0;
-  assertNoRemovedBrowserConfig(input.browser, "Opensteer constructor config");
-  assertNoRemovedBrowserConfig(fileConfig.browser, ".opensteer/config.json");
-  const envRootDir = input.storage?.rootDir ?? fileRootDir ?? initialRootDir;
-  const env = resolveEnv(envRootDir, {
-    debug: debugHint,
-    baseEnv: processEnv
-  });
-  if (env.OPENSTEER_AI_MODEL) {
-    throw new Error(
-      "OPENSTEER_AI_MODEL is no longer supported. Use OPENSTEER_MODEL instead."
-    );
-  }
-  if (env.OPENSTEER_RUNTIME != null) {
-    throw new Error(
-      "OPENSTEER_RUNTIME is no longer supported. Use OPENSTEER_MODE instead."
-    );
-  }
-  if (env.OPENSTEER_CONNECT_URL != null) {
-    throw new Error(
-      "OPENSTEER_CONNECT_URL is no longer supported. Use OPENSTEER_CDP_URL instead."
-    );
-  }
-  if (env.OPENSTEER_CHANNEL != null) {
-    throw new Error(
-      "OPENSTEER_CHANNEL is no longer supported. Use OPENSTEER_BROWSER plus OPENSTEER_BROWSER_PATH when needed."
-    );
-  }
-  if (env.OPENSTEER_PROFILE_DIR != null) {
-    throw new Error(
-      "OPENSTEER_PROFILE_DIR is no longer supported. Use OPENSTEER_USER_DATA_DIR and OPENSTEER_PROFILE_DIRECTORY instead."
-    );
-  }
-  const envConfig = {
-    browser: {
-      headless: parseBool(env.OPENSTEER_HEADLESS),
-      executablePath: env.OPENSTEER_BROWSER_PATH || void 0,
-      slowMo: parseNumber(env.OPENSTEER_SLOW_MO),
-      mode: env.OPENSTEER_BROWSER === "real" || env.OPENSTEER_BROWSER === "chromium" ? env.OPENSTEER_BROWSER : void 0,
-      cdpUrl: env.OPENSTEER_CDP_URL || void 0,
-      userDataDir: env.OPENSTEER_USER_DATA_DIR || void 0,
-      profileDirectory: env.OPENSTEER_PROFILE_DIRECTORY || void 0
-    },
-    cursor: {
-      enabled: parseBool(env.OPENSTEER_CURSOR)
-    },
-    model: env.OPENSTEER_MODEL || void 0,
-    debug: parseBool(env.OPENSTEER_DEBUG)
-  };
-  const mergedWithFile = mergeDeep(runtimeDefaults, fileConfig);
-  const mergedWithEnv = mergeDeep(mergedWithFile, envConfig);
-  const resolved = mergeDeep(mergedWithEnv, input);
-  const browserHeadlessExplicit = input.browser?.headless !== void 0 || fileConfig.browser?.headless !== void 0 || envConfig.browser?.headless !== void 0;
-  if (!browserHeadlessExplicit && resolved.browser?.mode === "real") {
-    resolved.browser = {
-      ...resolved.browser,
-      headless: true
-    };
-  }
-  function assertNoRemovedBrowserConfig(value, source) {
-    if (!value || typeof value !== "object" || Array.isArray(value)) {
-      return;
-    }
-    const record = value;
-    if (record.connectUrl !== void 0) {
-      throw new Error(
-        `${source}.browser.connectUrl is no longer supported. Use browser.cdpUrl instead.`
-      );
-    }
-    if (record.channel !== void 0) {
-      throw new Error(
-        `${source}.browser.channel is no longer supported. Use browser.mode plus browser.executablePath instead.`
-      );
-    }
-    if (record.profileDir !== void 0) {
-      throw new Error(
-        `${source}.browser.profileDir is no longer supported. Use browser.userDataDir and browser.profileDirectory instead.`
-      );
-    }
-  }
-  const envApiKey = resolveOpensteerApiKey(env);
-  const envAccessTokenRaw = resolveOpensteerAccessToken(env);
-  const envBaseUrl = resolveOpensteerBaseUrl(env);
-  const envAuthScheme = resolveOpensteerAuthScheme(env);
-  const envCloudProfileId = resolveOpensteerCloudProfileId(env);
-  const envCloudProfileReuseIfActive = resolveOpensteerCloudProfileReuseIfActive(env);
-  const envCloudAnnounce = parseCloudAnnounce(
-    env.OPENSTEER_REMOTE_ANNOUNCE,
-    "OPENSTEER_REMOTE_ANNOUNCE"
-  );
-  const inputCloudOptions = normalizeCloudOptions(input.cloud);
-  const inputCloudBrowserProfile = normalizeCloudBrowserProfileOptions(
-    inputCloudOptions?.browserProfile,
-    "cloud.browserProfile"
-  );
-  const inputAuthScheme = parseAuthScheme(
-    inputCloudOptions?.authScheme,
-    "cloud.authScheme"
-  );
-  const inputCloudAnnounce = parseCloudAnnounce(
-    inputCloudOptions?.announce,
-    "cloud.announce"
-  );
-  const inputHasCloudApiKey = Boolean(
-    inputCloudOptions && Object.prototype.hasOwnProperty.call(inputCloudOptions, "apiKey")
-  );
-  const inputHasCloudAccessToken = Boolean(
-    inputCloudOptions && Object.prototype.hasOwnProperty.call(inputCloudOptions, "accessToken")
-  );
-  const inputHasCloudBaseUrl = Boolean(
-    inputCloudOptions && Object.prototype.hasOwnProperty.call(inputCloudOptions, "baseUrl")
-  );
-  const cloudSelection = resolveCloudSelection({
-    cloud: resolved.cloud
-  }, env);
-  if (cloudSelection.cloud) {
-    const resolvedCloud = normalizeCloudOptions(resolved.cloud) ?? {};
-    const {
-      apiKey: resolvedCloudApiKeyRaw,
-      accessToken: resolvedCloudAccessTokenRaw,
-      ...resolvedCloudRest
-    } = resolvedCloud;
-    const resolvedCloudBrowserProfile = normalizeCloudBrowserProfileOptions(
-      resolvedCloud.browserProfile,
-      "resolved.cloud.browserProfile"
-    );
-    const envCloudBrowserProfile = resolveEnvCloudBrowserProfile(
-      envCloudProfileId,
-      envCloudProfileReuseIfActive
-    );
-    const browserProfile = inputCloudBrowserProfile ?? envCloudBrowserProfile ?? resolvedCloudBrowserProfile;
-    let authScheme = inputAuthScheme ?? envAuthScheme ?? parseAuthScheme(resolvedCloud.authScheme, "cloud.authScheme") ?? "api-key";
-    const announce = inputCloudAnnounce ?? envCloudAnnounce ?? parseCloudAnnounce(resolvedCloud.announce, "cloud.announce") ?? "always";
-    const selectedCredentialLayer = selectCloudCredentialByPrecedence(
-      [
-        {
-          source: "input",
-          apiKey: inputCloudOptions?.apiKey,
-          accessToken: inputCloudOptions?.accessToken,
-          hasApiKey: inputHasCloudApiKey,
-          hasAccessToken: inputHasCloudAccessToken
-        },
-        {
-          source: "env",
-          apiKey: envApiKey,
-          accessToken: envAccessTokenRaw,
-          hasApiKey: envApiKey !== void 0,
-          hasAccessToken: envAccessTokenRaw !== void 0
-        },
-        {
-          source: "file",
-          apiKey: fileCloudOptions?.apiKey,
-          accessToken: fileCloudOptions?.accessToken,
-          hasApiKey: fileHasCloudApiKey,
-          hasAccessToken: fileHasCloudAccessToken
-        }
-      ],
-      authScheme
-    );
-    const { apiKey, accessToken } = resolveCloudCredentialFields(selectedCredentialLayer);
-    if (accessToken) {
-      authScheme = "bearer";
-    }
-    resolved.cloud = {
-      ...resolvedCloudRest,
-      ...apiKey ? { apiKey } : selectedCredentialLayer?.hasApiKey && !accessToken ? { apiKey: selectedCredentialLayer.apiKey } : {},
-      ...accessToken ? { accessToken } : selectedCredentialLayer?.hasAccessToken && !apiKey ? { accessToken: selectedCredentialLayer.accessToken } : {},
-      authScheme,
-      announce,
-      ...browserProfile ? { browserProfile } : {}
-    };
-  }
-  if (envBaseUrl && cloudSelection.cloud && !inputHasCloudBaseUrl) {
-    resolved.cloud = {
-      ...normalizeCloudOptions(resolved.cloud) ?? {},
-      baseUrl: envBaseUrl
-    };
-  }
-  return {
-    config: resolved,
-    env
-  };
-}
-
-// src/auth/credential-resolver.ts
-function resolveCloudCredential(options) {
-  const flagCredential = selectCloudCredential({
-    apiKey: options.apiKeyFlag,
-    accessToken: options.accessTokenFlag
-  });
-  if (flagCredential) {
-    return toResolvedCloudCredential("flag", flagCredential);
-  }
-  const envAuthScheme = parseEnvAuthScheme(options.env.OPENSTEER_AUTH_SCHEME);
-  const envCredential = selectCloudCredential({
-    apiKey: options.env.OPENSTEER_API_KEY,
-    accessToken: options.env.OPENSTEER_ACCESS_TOKEN,
-    authScheme: envAuthScheme
-  });
-  if (envCredential) {
-    return toResolvedCloudCredential("env", envCredential);
-  }
-  return null;
-}
-function applyCloudCredentialToEnv(env, credential) {
-  if (credential.kind === "access-token") {
-    env.OPENSTEER_ACCESS_TOKEN = credential.token;
-    delete env.OPENSTEER_API_KEY;
-    env.OPENSTEER_AUTH_SCHEME = "bearer";
-    return;
-  }
-  env.OPENSTEER_API_KEY = credential.token;
-  delete env.OPENSTEER_ACCESS_TOKEN;
-  env.OPENSTEER_AUTH_SCHEME = credential.authScheme;
-}
-function parseEnvAuthScheme(value) {
-  const normalized = normalizeToken(value);
-  if (!normalized) return void 0;
-  if (normalized === "api-key" || normalized === "bearer") {
-    return normalized;
-  }
-  throw new Error(
-    `Invalid OPENSTEER_AUTH_SCHEME value "${value}". Use "api-key" or "bearer".`
-  );
-}
-function normalizeToken(value) {
-  if (typeof value !== "string") return void 0;
-  const normalized = value.trim();
-  return normalized.length ? normalized : void 0;
-}
-function toResolvedCloudCredential(source, credential) {
-  if (credential.compatibilityBearerApiKey) {
-    return {
-      kind: credential.kind,
-      source,
-      token: credential.token,
-      authScheme: credential.authScheme,
-      compatibilityBearerApiKey: true
-    };
-  }
-  return {
-    kind: credential.kind,
-    source,
-    token: credential.token,
-    authScheme: credential.authScheme
-  };
-}
-
-// src/auth/machine-credential-store.ts
-var import_node_crypto = require("crypto");
-var import_node_fs = __toESM(require("fs"), 1);
-var import_node_os = __toESM(require("os"), 1);
-var import_node_path = __toESM(require("path"), 1);
-
-// src/auth/keychain-store.ts
-var import_node_child_process = require("child_process");
-function commandExists(command) {
-  const result = (0, import_node_child_process.spawnSync)(command, ["--help"], {
-    encoding: "utf8",
-    stdio: "ignore"
-  });
-  return result.error == null;
-}
-function commandFailed(result) {
-  return typeof result.status === "number" && result.status !== 0;
-}
-function sanitizeCommandArgs(command, args) {
-  if (command !== "security") {
-    return args;
-  }
-  const sanitized = [];
-  for (let index = 0; index < args.length; index += 1) {
-    const value = args[index];
-    sanitized.push(value);
-    if (value === "-w" && index + 1 < args.length) {
-      sanitized.push("[REDACTED]");
-      index += 1;
-    }
-  }
-  return sanitized;
-}
-function buildCommandError(command, args, result) {
-  const stderr = typeof result.stderr === "string" && result.stderr.trim() ? result.stderr.trim() : `Command "${command}" failed with status ${String(result.status)}.`;
-  const sanitizedArgs = sanitizeCommandArgs(command, args);
-  return new Error(
-    [
-      `Unable to persist credential via ${command}.`,
-      `${command} ${sanitizedArgs.join(" ")}`,
-      stderr
-    ].join(" ")
-  );
-}
-function createMacosSecurityStore() {
-  return {
-    backend: "macos-security",
-    get(service, account) {
-      const result = (0, import_node_child_process.spawnSync)(
-        "security",
-        ["find-generic-password", "-s", service, "-a", account, "-w"],
-        { encoding: "utf8" }
-      );
-      if (commandFailed(result)) {
-        return null;
-      }
-      const secret = result.stdout.trim();
-      return secret.length ? secret : null;
-    },
-    set(service, account, secret) {
-      const args = [
-        "add-generic-password",
-        "-U",
-        "-s",
-        service,
-        "-a",
-        account,
-        "-w",
-        secret
-      ];
-      const result = (0, import_node_child_process.spawnSync)("security", args, { encoding: "utf8" });
-      if (commandFailed(result)) {
-        throw buildCommandError("security", args, result);
-      }
-    },
-    delete(service, account) {
-      const args = ["delete-generic-password", "-s", service, "-a", account];
-      const result = (0, import_node_child_process.spawnSync)("security", args, { encoding: "utf8" });
-      if (commandFailed(result)) {
-        return;
-      }
-    }
-  };
-}
-function createLinuxSecretToolStore() {
-  return {
-    backend: "linux-secret-tool",
-    get(service, account) {
-      const result = (0, import_node_child_process.spawnSync)(
-        "secret-tool",
-        ["lookup", "service", service, "account", account],
-        {
-          encoding: "utf8"
-        }
-      );
-      if (commandFailed(result)) {
-        return null;
-      }
-      const secret = result.stdout.trim();
-      return secret.length ? secret : null;
-    },
-    set(service, account, secret) {
-      const args = [
-        "store",
-        "--label",
-        "Opensteer CLI",
-        "service",
-        service,
-        "account",
-        account
-      ];
-      const result = (0, import_node_child_process.spawnSync)("secret-tool", args, {
-        encoding: "utf8",
-        input: secret
-      });
-      if (commandFailed(result)) {
-        throw buildCommandError("secret-tool", args, result);
-      }
-    },
-    delete(service, account) {
-      const args = ["clear", "service", service, "account", account];
-      (0, import_node_child_process.spawnSync)("secret-tool", args, {
-        encoding: "utf8"
-      });
-    }
-  };
-}
-function createKeychainStore() {
-  if (process.platform === "darwin") {
-    if (!commandExists("security")) {
-      return null;
-    }
-    return createMacosSecurityStore();
-  }
-  if (process.platform === "linux") {
-    if (!commandExists("secret-tool")) {
-      return null;
-    }
-    return createLinuxSecretToolStore();
-  }
-  return null;
-}
-
-// src/auth/machine-credential-store.ts
-var METADATA_VERSION = 2;
-var ACTIVE_TARGET_VERSION = 2;
-var KEYCHAIN_SERVICE = "com.opensteer.cli.cloud";
-var KEYCHAIN_ACCOUNT_PREFIX = "machine:";
-var ACTIVE_TARGET_FILE_NAME = "cli-target.json";
-var MachineCredentialStore = class {
-  authDir;
-  warn;
-  keychain = createKeychainStore();
-  warnedFallback = false;
-  constructor(options = {}) {
-    const appName = options.appName || "opensteer";
-    const env = options.env ?? process.env;
-    const configDir = resolveConfigDir(appName, env);
-    this.authDir = import_node_path.default.join(configDir, "auth");
-    this.warn = options.warn ?? (() => void 0);
-  }
-  readCloudCredential(target) {
-    const normalizedTarget = normalizeCloudCredentialTarget(target);
-    return this.readCredentialSlot(
-      resolveCredentialSlot(this.authDir, normalizedTarget),
-      normalizedTarget
-    );
-  }
-  writeCloudCredential(args) {
-    const accessToken = args.accessToken.trim();
-    const refreshToken2 = args.refreshToken.trim();
-    if (!accessToken || !refreshToken2) {
-      throw new Error("Cannot persist empty machine credential secrets.");
-    }
-    const baseUrl = normalizeCredentialUrl(args.baseUrl);
-    const slot = resolveCredentialSlot(this.authDir, { baseUrl });
-    ensureDirectory(this.authDir);
-    const secretPayload = {
-      accessToken,
-      refreshToken: refreshToken2
-    };
-    let secretBackend = "file";
-    if (this.keychain) {
-      try {
-        this.keychain.set(
-          KEYCHAIN_SERVICE,
-          slot.keychainAccount,
-          JSON.stringify(secretPayload)
-        );
-        secretBackend = "keychain";
-        removeFileIfExists(slot.fallbackSecretPath);
-      } catch {
-        this.writeFallbackSecret(slot, secretPayload);
-        secretBackend = "file";
-      }
-    } else {
-      this.writeFallbackSecret(slot, secretPayload);
-    }
-    const metadata = {
-      version: METADATA_VERSION,
-      secretBackend,
-      baseUrl,
-      scope: args.scope,
-      obtainedAt: args.obtainedAt,
-      expiresAt: args.expiresAt,
-      updatedAt: Date.now()
-    };
-    writeJsonFile(slot.metadataPath, metadata);
-  }
-  readActiveCloudTarget() {
-    return readActiveCloudTargetMetadata(resolveActiveTargetPath(this.authDir));
-  }
-  writeActiveCloudTarget(target) {
-    const baseUrl = normalizeCredentialUrl(target.baseUrl);
-    ensureDirectory(this.authDir);
-    writeJsonFile(resolveActiveTargetPath(this.authDir), {
-      version: ACTIVE_TARGET_VERSION,
-      baseUrl,
-      updatedAt: Date.now()
-    });
-  }
-  clearCloudCredential(target) {
-    this.clearCredentialSlot(
-      resolveCredentialSlot(this.authDir, normalizeCloudCredentialTarget(target))
-    );
-  }
-  readCredentialSlot(slot, target) {
-    const metadata = readMetadata(slot.metadataPath);
-    if (!metadata) {
-      return null;
-    }
-    if (target && !matchesCredentialTarget(metadata, target)) {
-      return null;
-    }
-    const secret = this.readSecret(slot, metadata.secretBackend);
-    if (!secret) {
-      return null;
-    }
-    return {
-      baseUrl: metadata.baseUrl,
-      scope: metadata.scope,
-      accessToken: secret.accessToken,
-      refreshToken: secret.refreshToken,
-      obtainedAt: metadata.obtainedAt,
-      expiresAt: metadata.expiresAt
-    };
-  }
-  readSecret(slot, backend) {
-    if (backend === "keychain" && this.keychain) {
-      try {
-        const secret = this.keychain.get(
-          KEYCHAIN_SERVICE,
-          slot.keychainAccount
-        );
-        if (!secret) return null;
-        return parseSecretPayload(secret);
-      } catch {
-        return null;
-      }
-    }
-    return readSecretFile(slot.fallbackSecretPath);
-  }
-  writeFallbackSecret(slot, secretPayload) {
-    writeJsonFile(slot.fallbackSecretPath, secretPayload, {
-      mode: 384
-    });
-    if (!this.warnedFallback) {
-      this.warn({
-        code: "fallback_file_store",
-        path: slot.fallbackSecretPath,
-        message: "Secure keychain is unavailable. Falling back to file-based credential storage with mode 0600."
-      });
-      this.warnedFallback = true;
-    }
-  }
-  clearCredentialSlot(slot) {
-    removeFileIfExists(slot.metadataPath);
-    removeFileIfExists(slot.fallbackSecretPath);
-    if (this.keychain) {
-      this.keychain.delete(KEYCHAIN_SERVICE, slot.keychainAccount);
-    }
-  }
-};
-function createMachineCredentialStore(options = {}) {
-  return new MachineCredentialStore(options);
-}
-function resolveCredentialSlot(authDir, target) {
-  const normalizedBaseUrl = normalizeCredentialUrl(target.baseUrl);
-  const storageKey = (0, import_node_crypto.createHash)("sha256").update(normalizedBaseUrl).digest("hex").slice(0, 24);
-  return {
-    keychainAccount: `${KEYCHAIN_ACCOUNT_PREFIX}${storageKey}`,
-    metadataPath: import_node_path.default.join(authDir, `cli-login.${storageKey}.json`),
-    fallbackSecretPath: import_node_path.default.join(
-      authDir,
-      `cli-login.${storageKey}.secret.json`
-    )
-  };
-}
-function resolveActiveTargetPath(authDir) {
-  return import_node_path.default.join(authDir, ACTIVE_TARGET_FILE_NAME);
-}
-function matchesCredentialTarget(value, target) {
-  return normalizeCredentialUrl(value.baseUrl) === normalizeCredentialUrl(target.baseUrl);
-}
-function normalizeCredentialUrl(value) {
-  const normalized = stripTrailingSlashes(value.trim());
-  if (!normalized) {
-    throw new Error("Cannot persist machine credential without baseUrl.");
-  }
-  return normalized;
-}
-function normalizeCloudCredentialTarget(target) {
-  return {
-    baseUrl: normalizeCredentialUrl(target.baseUrl)
-  };
-}
-function resolveConfigDir(appName, env) {
-  if (process.platform === "win32") {
-    const appData = env.APPDATA?.trim() || import_node_path.default.join(import_node_os.default.homedir(), "AppData", "Roaming");
-    return import_node_path.default.join(appData, appName);
-  }
-  if (process.platform === "darwin") {
-    return import_node_path.default.join(
-      import_node_os.default.homedir(),
-      "Library",
-      "Application Support",
-      appName
-    );
-  }
-  const xdgConfigHome = env.XDG_CONFIG_HOME?.trim() || import_node_path.default.join(import_node_os.default.homedir(), ".config");
-  return import_node_path.default.join(xdgConfigHome, appName);
-}
-function ensureDirectory(directoryPath) {
-  import_node_fs.default.mkdirSync(directoryPath, { recursive: true, mode: 448 });
-}
-function removeFileIfExists(filePath) {
-  try {
-    import_node_fs.default.rmSync(filePath, { force: true });
-  } catch {
-    return;
-  }
-}
-function readMetadata(filePath) {
-  if (!import_node_fs.default.existsSync(filePath)) {
-    return null;
-  }
-  try {
-    const raw = import_node_fs.default.readFileSync(filePath, "utf8");
-    const parsed = JSON.parse(raw);
-    if (parsed.version !== METADATA_VERSION) return null;
-    if (parsed.secretBackend !== "keychain" && parsed.secretBackend !== "file") {
-      return null;
-    }
-    if (typeof parsed.baseUrl !== "string" || !parsed.baseUrl.trim()) return null;
-    if (!Array.isArray(parsed.scope)) return null;
-    if (typeof parsed.obtainedAt !== "number") return null;
-    if (typeof parsed.expiresAt !== "number") return null;
-    if (typeof parsed.updatedAt !== "number") return null;
-    return {
-      version: parsed.version,
-      secretBackend: parsed.secretBackend,
-      baseUrl: parsed.baseUrl,
-      scope: parsed.scope.filter(
-        (value) => typeof value === "string"
-      ),
-      obtainedAt: parsed.obtainedAt,
-      expiresAt: parsed.expiresAt,
-      updatedAt: parsed.updatedAt
-    };
-  } catch {
-    return null;
-  }
-}
-function readActiveCloudTargetMetadata(filePath) {
-  if (!import_node_fs.default.existsSync(filePath)) {
-    return null;
-  }
-  try {
-    const raw = import_node_fs.default.readFileSync(filePath, "utf8");
-    const parsed = JSON.parse(raw);
-    if (parsed.version !== ACTIVE_TARGET_VERSION) {
-      return null;
-    }
-    if (typeof parsed.baseUrl !== "string" || !parsed.baseUrl.trim()) {
-      return null;
-    }
-    return {
-      baseUrl: parsed.baseUrl
-    };
-  } catch {
-    return null;
-  }
-}
-function parseSecretPayload(raw) {
-  try {
-    const parsed = JSON.parse(raw);
-    if (typeof parsed.accessToken !== "string" || !parsed.accessToken.trim() || typeof parsed.refreshToken !== "string" || !parsed.refreshToken.trim()) {
-      return null;
-    }
-    return {
-      accessToken: parsed.accessToken,
-      refreshToken: parsed.refreshToken
-    };
-  } catch {
-    return null;
-  }
-}
-function readSecretFile(filePath) {
-  if (!import_node_fs.default.existsSync(filePath)) {
-    return null;
-  }
-  try {
-    return parseSecretPayload(import_node_fs.default.readFileSync(filePath, "utf8"));
-  } catch {
-    return null;
-  }
-}
-function writeJsonFile(filePath, value, options = {}) {
-  import_node_fs.default.writeFileSync(filePath, JSON.stringify(value, null, 2), {
-    encoding: "utf8",
-    mode: options.mode ?? 384
-  });
-  if (typeof options.mode === "number") {
-    import_node_fs.default.chmodSync(filePath, options.mode);
-  }
-}
-
-// src/cli/auth.ts
-var CliAuthHttpError = class extends Error {
-  status;
-  body;
-  constructor(message, status, body) {
-    super(message);
-    this.name = "CliAuthHttpError";
-    this.status = status;
-    this.body = body;
-  }
-};
-var HELP_TEXT = `Usage: opensteer auth <command> [options]
-
-Authenticate Opensteer CLI with Opensteer Cloud.
-
-Commands:
-  login                     Start device login flow in browser
-  status                    Show saved machine login state for the selected cloud host
-  logout                    Revoke and remove saved machine login for the selected cloud host
-
-Options:
-  --base-url <url>          Cloud API base URL (defaults to env or the last selected host)
-  --json                    JSON output (login prompts go to stderr)
-  --no-browser              Do not auto-open your default browser during login
-  -h, --help                Show this help
-`;
-var DEFAULT_AUTH_SITE_URL = "https://opensteer.com";
-var INTERNAL_AUTH_SITE_URL_ENV = "OPENSTEER_INTERNAL_AUTH_SITE_URL";
-function createDefaultDeps() {
-  const env = process.env;
-  return {
-    env,
-    store: createMachineCredentialStore({
-      env,
-      warn: (warning) => {
-        process.stderr.write(`${warning.message} (${warning.path})
-`);
-      }
-    }),
-    fetchFn: fetch,
-    writeStdout: (message) => process.stdout.write(message),
-    writeStderr: (message) => process.stderr.write(message),
-    isInteractive: () => Boolean(process.stdin.isTTY && process.stdout.isTTY),
-    sleep: async (ms) => {
-      await new Promise((resolve) => setTimeout(resolve, ms));
-    },
-    now: () => Date.now(),
-    openExternalUrl: openDefaultBrowser
-  };
-}
-function readFlagValue(args, index, flag) {
-  const value = args[index + 1];
-  if (value === void 0 || value.startsWith("-")) {
-    return {
-      ok: false,
-      error: `${flag} requires a value.`
-    };
-  }
-  return {
-    ok: true,
-    value,
-    nextIndex: index + 1
-  };
-}
-function parseAuthCommonArgs(rawArgs) {
-  const args = {};
-  for (let i = 0; i < rawArgs.length; i++) {
-    const arg = rawArgs[i];
-    if (arg === "--json") {
-      args.json = true;
-      continue;
-    }
-    if (arg === "--base-url") {
-      const value = readFlagValue(rawArgs, i, "--base-url");
-      if (!value.ok) return { args, error: value.error };
-      args.baseUrl = value.value;
-      i = value.nextIndex;
-      continue;
-    }
-    return {
-      args,
-      error: `Unsupported option "${arg}".`
-    };
-  }
-  return { args };
-}
-function parseOpensteerAuthArgs(rawArgs) {
-  if (!rawArgs.length) {
-    return { mode: "help" };
-  }
-  const [subcommand, ...rest] = rawArgs;
-  if (subcommand === "--help" || subcommand === "-h" || subcommand === "help") {
-    return { mode: "help" };
-  }
-  if (subcommand === "login") {
-    let openBrowser = true;
-    const filtered = [];
-    for (const arg of rest) {
-      if (arg === "--no-browser") {
-        openBrowser = false;
-        continue;
-      }
-      filtered.push(arg);
-    }
-    const parsed = parseAuthCommonArgs(filtered);
-    if (parsed.error) return { mode: "error", error: parsed.error };
-    return {
-      mode: "login",
-      args: {
-        ...parsed.args,
-        openBrowser
-      }
-    };
-  }
-  if (subcommand === "status") {
-    const parsed = parseAuthCommonArgs(rest);
-    if (parsed.error) return { mode: "error", error: parsed.error };
-    return { mode: "status", args: parsed.args };
-  }
-  if (subcommand === "logout") {
-    const parsed = parseAuthCommonArgs(rest);
-    if (parsed.error) return { mode: "error", error: parsed.error };
-    return { mode: "logout", args: parsed.args };
-  }
-  return {
-    mode: "error",
-    error: `Unsupported auth subcommand "${subcommand}".`
-  };
-}
-function printHelp(deps) {
-  deps.writeStdout(`${HELP_TEXT}
-`);
-}
-function writeHumanLine(deps, message) {
-  deps.writeStdout(`${message}
-`);
-}
-function writeJsonLine(deps, payload) {
-  deps.writeStdout(`${JSON.stringify(payload)}
-`);
-}
-function resolveBaseUrl(provided, env) {
-  const baseUrl = normalizeCloudBaseUrl(
-    (provided || env.OPENSTEER_BASE_URL || DEFAULT_CLOUD_BASE_URL).trim()
-  );
-  assertSecureUrl(baseUrl, "--base-url");
-  return baseUrl;
-}
-function resolveAuthSiteUrl(env) {
-  const authSiteUrl = normalizeCloudBaseUrl(
-    (env[INTERNAL_AUTH_SITE_URL_ENV] || DEFAULT_AUTH_SITE_URL).trim()
-  );
-  assertSecureUrl(
-    authSiteUrl,
-    `environment variable ${INTERNAL_AUTH_SITE_URL_ENV}`
-  );
-  return authSiteUrl;
-}
-function hasExplicitCloudTargetSelection(providedBaseUrl, env) {
-  return Boolean(
-    providedBaseUrl?.trim() || env.OPENSTEER_BASE_URL?.trim()
-  );
-}
-function readRememberedCloudTarget(store) {
-  const activeTarget = store.readActiveCloudTarget();
-  if (!activeTarget) {
-    return null;
-  }
-  try {
-    const baseUrl = normalizeCloudBaseUrl(activeTarget.baseUrl);
-    assertSecureUrl(baseUrl, "--base-url");
-    return { baseUrl };
-  } catch {
-    return null;
-  }
-}
-function resolveCloudTarget(args, env, store, options = {}) {
-  if (options.allowRememberedTarget !== false && !hasExplicitCloudTargetSelection(args.baseUrl, env)) {
-    const rememberedTarget = readRememberedCloudTarget(store);
-    if (rememberedTarget) {
-      return rememberedTarget;
-    }
-  }
-  const baseUrl = resolveBaseUrl(args.baseUrl, env);
-  return { baseUrl };
-}
-function assertSecureUrl(value, flag) {
-  let parsed;
-  try {
-    parsed = new URL(value);
-  } catch {
-    throw new Error(`Invalid ${flag} "${value}".`);
-  }
-  if (parsed.protocol === "https:") {
-    return;
-  }
-  if (parsed.protocol === "http:") {
-    const host = parsed.hostname.toLowerCase();
-    if (host === "localhost" || host === "127.0.0.1" || host === "::1") {
-      return;
-    }
-  }
-  throw new Error(
-    `Insecure URL "${value}". Use HTTPS, or HTTP only for localhost.`
-  );
-}
-async function postJson(fetchFn, url, body) {
-  const response = await fetchFn(url, {
-    method: "POST",
-    headers: {
-      "content-type": "application/json"
-    },
-    body: JSON.stringify(body)
-  });
-  let payload = null;
-  try {
-    payload = await response.json();
-  } catch {
-    payload = null;
-  }
-  if (!response.ok) {
-    throw new CliAuthHttpError(
-      `Auth request failed with status ${response.status}.`,
-      response.status,
-      payload
-    );
-  }
-  return payload;
-}
-function parseScope(rawScope) {
-  if (!rawScope) return ["cloud:browser"];
-  const values = rawScope.split(" ").map((value) => value.trim()).filter(Boolean);
-  return values.length ? values : ["cloud:browser"];
-}
-function parseCliTokenResponse(payload) {
-  const accessToken = typeof payload.access_token === "string" ? payload.access_token.trim() : "";
-  const refreshToken2 = typeof payload.refresh_token === "string" ? payload.refresh_token.trim() : "";
-  const expiresInSec = typeof payload.expires_in === "number" && Number.isFinite(payload.expires_in) && payload.expires_in > 0 ? Math.trunc(payload.expires_in) : 0;
-  if (!accessToken || !refreshToken2 || !expiresInSec) {
-    throw new Error("Invalid token response from cloud auth endpoint.");
-  }
-  return {
-    accessToken,
-    refreshToken: refreshToken2,
-    expiresInSec,
-    scope: parseScope(payload.scope)
-  };
-}
-function parseCliOauthError(error) {
-  if (!error || typeof error !== "object" || Array.isArray(error)) {
-    return null;
-  }
-  const root = error;
-  return {
-    error: typeof root.error === "string" ? root.error : void 0,
-    error_description: typeof root.error_description === "string" ? root.error_description : void 0,
-    interval: typeof root.interval === "number" ? root.interval : void 0
-  };
-}
-async function startDeviceAuthorization(authSiteUrl, fetchFn) {
-  const response = await postJson(
-    fetchFn,
-    `${authSiteUrl}/api/cli-auth/device/start`,
-    {
-      scope: ["cloud:browser"]
-    }
-  );
-  if (!response || typeof response.device_code !== "string" || !response.device_code.trim() || typeof response.user_code !== "string" || !response.user_code.trim() || typeof response.verification_uri_complete !== "string" || !response.verification_uri_complete.trim() || typeof response.expires_in !== "number" || response.expires_in <= 0 || typeof response.interval !== "number" || response.interval <= 0) {
-    throw new Error("Invalid device authorization response from cloud.");
-  }
-  return response;
-}
-async function pollDeviceToken(authSiteUrl, deviceCode, fetchFn) {
-  return await postJson(
-    fetchFn,
-    `${authSiteUrl}/api/cli-auth/device/token`,
-    {
-      grant_type: "urn:ietf:params:oauth:grant-type:device_code",
-      device_code: deviceCode
-    }
-  );
-}
-async function refreshToken(authSiteUrl, refreshTokenValue, fetchFn) {
-  return await postJson(fetchFn, `${authSiteUrl}/api/cli-auth/token`, {
-    grant_type: "refresh_token",
-    refresh_token: refreshTokenValue
-  });
-}
-async function revokeToken(authSiteUrl, refreshTokenValue, fetchFn) {
-  await postJson(fetchFn, `${authSiteUrl}/api/cli-auth/revoke`, {
-    token: refreshTokenValue
-  });
-}
-async function openDefaultBrowser(url) {
-  try {
-    const child = await (0, import_open.default)(url, {
-      wait: false
-    });
-    child.on("error", () => void 0);
-    child.unref();
-    return true;
-  } catch {
-    return false;
-  }
-}
-async function runDeviceLoginFlow(args) {
-  const start = await startDeviceAuthorization(args.authSiteUrl, args.fetchFn);
-  if (args.openBrowser) {
-    args.writeProgress(
-      "Opening your default browser for Opensteer CLI authentication.\n"
-    );
-    args.writeProgress(
-      `If nothing opens, use this URL:
-${start.verification_uri_complete}
-`
-    );
-  } else {
-    if (args.openBrowserDisabledReason) {
-      args.writeProgress(
-        `Automatic browser open is disabled (${args.openBrowserDisabledReason}).
-`
-      );
-    }
-    args.writeProgress(
-      `Open this URL to authenticate Opensteer CLI:
-${start.verification_uri_complete}
-`
-    );
-  }
-  args.writeProgress(`Verification code: ${start.user_code}
-`);
-  if (args.openBrowser) {
-    const browserOpened = await args.openExternalUrl(
-      start.verification_uri_complete
-    );
-    if (browserOpened) {
-      args.writeProgress(
-        "Opened your default browser. Finish authentication there; this terminal will continue automatically.\n"
-      );
-    } else {
-      args.writeProgress(
-        "Could not open your default browser automatically. Paste the URL above into a browser to continue.\n"
-      );
-    }
-  }
-  const deadline = args.now() + start.expires_in * 1e3;
-  let pollIntervalMs = Math.max(1, Math.trunc(start.interval)) * 1e3;
-  while (args.now() <= deadline) {
-    await args.sleep(pollIntervalMs);
-    try {
-      const tokenPayload = await pollDeviceToken(
-        args.authSiteUrl,
-        start.device_code,
-        args.fetchFn
-      );
-      const parsed = parseCliTokenResponse(tokenPayload);
-      return {
-        accessToken: parsed.accessToken,
-        refreshToken: parsed.refreshToken,
-        expiresAt: args.now() + parsed.expiresInSec * 1e3,
-        scope: parsed.scope
-      };
-    } catch (error) {
-      if (error instanceof CliAuthHttpError) {
-        const oauthError = parseCliOauthError(error.body);
-        if (!oauthError?.error) {
-          throw error;
-        }
-        if (oauthError.error === "authorization_pending") {
-          continue;
-        }
-        if (oauthError.error === "slow_down") {
-          const hintedInterval = typeof oauthError.interval === "number" && oauthError.interval > 0 ? Math.trunc(oauthError.interval) * 1e3 : pollIntervalMs + 5e3;
-          pollIntervalMs = Math.max(hintedInterval, pollIntervalMs + 1e3);
-          continue;
-        }
-        if (oauthError.error === "expired_token") {
-          throw new Error(
-            'Device authorization expired before approval. Run "opensteer auth login" again.'
-          );
-        }
-        if (oauthError.error === "access_denied") {
-          throw new Error(
-            'Cloud login was denied. Run "opensteer auth login" to retry.'
-          );
-        }
-        throw new Error(
-          oauthError.error_description || `Cloud login failed: ${oauthError.error}.`
-        );
-      }
-      throw error;
-    }
-  }
-  throw new Error(
-    'Timed out waiting for cloud login approval. Run "opensteer auth login" again.'
-  );
-}
-async function refreshSavedCredential(saved, deps) {
-  const tokenPayload = await refreshToken(
-    resolveAuthSiteUrl(deps.env),
-    saved.refreshToken,
-    deps.fetchFn
-  );
-  const parsed = parseCliTokenResponse(tokenPayload);
-  const updated = {
-    accessToken: parsed.accessToken,
-    refreshToken: parsed.refreshToken,
-    expiresAt: deps.now() + parsed.expiresInSec * 1e3,
-    scope: parsed.scope
-  };
-  deps.store.writeCloudCredential({
-    baseUrl: saved.baseUrl,
-    scope: updated.scope,
-    accessToken: updated.accessToken,
-    refreshToken: updated.refreshToken,
-    obtainedAt: deps.now(),
-    expiresAt: updated.expiresAt
-  });
-  return updated;
-}
-async function ensureSavedCredentialIsFresh(saved, deps) {
-  const refreshSkewMs = 6e4;
-  if (saved.expiresAt > deps.now() + refreshSkewMs) {
-    return saved;
-  }
-  try {
-    const refreshed = await refreshSavedCredential(saved, deps);
-    return {
-      ...saved,
-      accessToken: refreshed.accessToken,
-      refreshToken: refreshed.refreshToken,
-      expiresAt: refreshed.expiresAt,
-      scope: refreshed.scope,
-      obtainedAt: deps.now()
-    };
-  } catch (error) {
-    if (error instanceof CliAuthHttpError) {
-      const oauth = parseCliOauthError(error.body);
-      if (oauth?.error === "invalid_grant" || oauth?.error === "expired_token") {
-        deps.store.clearCloudCredential({
-          baseUrl: saved.baseUrl
-        });
-        return null;
-      }
-    }
-    deps.writeStderr(
-      `Unable to refresh saved cloud login: ${error instanceof Error ? error.message : "unknown error"}
-`
-    );
-    return null;
-  }
-}
-function toAuthMissingMessage(commandName) {
-  return [
-    `${commandName} requires cloud authentication.`,
-    'Use --api-key, --access-token, OPENSTEER_API_KEY, OPENSTEER_ACCESS_TOKEN, or run "opensteer auth login".'
-  ].join(" ");
-}
-function describeBrowserOpenMode(args, deps) {
-  if (!args.openBrowser) {
-    return {
-      enabled: false,
-      disabledReason: "--no-browser"
-    };
-  }
-  if (!deps.isInteractive()) {
-    return {
-      enabled: false,
-      disabledReason: "this shell is not interactive"
-    };
-  }
-  if (isCiEnvironment(deps.env)) {
-    return {
-      enabled: false,
-      disabledReason: "CI"
-    };
-  }
-  return {
-    enabled: true
-  };
-}
-function isCiEnvironment(env) {
-  const value = env.CI?.trim().toLowerCase();
-  return Boolean(value && value !== "0" && value !== "false");
-}
-function resolveCloudSessionEnvForRootDir(rootDir, env) {
-  const resolved = resolveConfigWithEnv(
-    {
-      storage: { rootDir }
-    },
-    {
-      env
-    }
-  );
-  return {
-    cloud: resolveCloudSelection(
-      {
-        cloud: resolved.config.cloud
-      },
-      resolved.env
-    ).cloud,
-    env: resolved.env
-  };
-}
-function isCloudModeEnabledForRootDir(rootDir, env) {
-  return resolveCloudSessionEnvForRootDir(rootDir, env).cloud;
-}
-async function ensureCloudCredentialsForOpenCommand(options) {
-  const processEnv = options.env ?? process.env;
-  const runtime = resolveCloudSessionEnvForRootDir(options.scopeDir, processEnv);
-  if (!runtime.cloud) {
-    return null;
-  }
-  const writeStderr = options.writeStderr ?? ((message) => process.stderr.write(message));
-  const auth = await ensureCloudCredentialsForCommand({
-    commandName: "opensteer open",
-    env: runtime.env,
-    store: options.store,
-    apiKeyFlag: options.apiKeyFlag,
-    accessTokenFlag: options.accessTokenFlag,
-    interactive: options.interactive,
-    autoLoginIfNeeded: true,
-    writeProgress: options.writeProgress ?? writeStderr,
-    writeStderr,
-    fetchFn: options.fetchFn,
-    sleep: options.sleep,
-    now: options.now,
-    openExternalUrl: options.openExternalUrl
-  });
-  applyCloudCredentialToEnv(processEnv, {
-    kind: auth.kind,
-    source: auth.source,
-    token: auth.token,
-    authScheme: auth.authScheme
-  });
-  processEnv.OPENSTEER_BASE_URL = auth.baseUrl;
-  return auth;
-}
-async function ensureCloudCredentialsForCommand(options) {
-  const env = options.env ?? process.env;
-  const writeProgress = options.writeProgress ?? options.writeStdout ?? ((message) => process.stdout.write(message));
-  const writeStderr = options.writeStderr ?? ((message) => process.stderr.write(message));
-  const fetchFn = options.fetchFn ?? fetch;
-  const sleep = options.sleep ?? (async (ms) => {
-    await new Promise((resolve) => setTimeout(resolve, ms));
-  });
-  const now = options.now ?? Date.now;
-  const openExternalUrl = options.openExternalUrl ?? openDefaultBrowser;
-  const store = options.store ?? createMachineCredentialStore({
-    env,
-    warn: (warning) => {
-      writeStderr(`${warning.message} (${warning.path})
-`);
-    }
-  });
-  const { baseUrl } = resolveCloudTarget(options, env, store);
-  const initialCredential = resolveCloudCredential({
-    env,
-    apiKeyFlag: options.apiKeyFlag,
-    accessTokenFlag: options.accessTokenFlag
-  });
-  let credential = initialCredential;
-  if (!credential) {
-    const saved = store.readCloudCredential({ baseUrl });
-    const freshSaved = saved ? await ensureSavedCredentialIsFresh(saved, {
-      env,
-      fetchFn,
-      store,
-      now,
-      writeStderr
-    }) : null;
-    if (freshSaved) {
-      credential = {
-        kind: "access-token",
-        source: "saved",
-        token: freshSaved.accessToken,
-        authScheme: "bearer"
-      };
-    }
-  }
-  if (!credential) {
-    if (options.autoLoginIfNeeded && (options.interactive ?? false)) {
-      const loggedIn = await runDeviceLoginFlow({
-        authSiteUrl: resolveAuthSiteUrl(env),
-        fetchFn,
-        writeProgress,
-        openExternalUrl,
-        sleep,
-        now,
-        openBrowser: true
-      });
-      store.writeCloudCredential({
-        baseUrl,
-        scope: loggedIn.scope,
-        accessToken: loggedIn.accessToken,
-        refreshToken: loggedIn.refreshToken,
-        obtainedAt: now(),
-        expiresAt: loggedIn.expiresAt
-      });
-      credential = {
-        kind: "access-token",
-        source: "saved",
-        token: loggedIn.accessToken,
-        authScheme: "bearer"
-      };
-      writeProgress("Cloud login complete.\n");
-    } else {
-      throw new Error(toAuthMissingMessage(options.commandName));
-    }
-  }
-  store.writeActiveCloudTarget({ baseUrl });
-  applyCloudCredentialToEnv(env, credential);
-  env.OPENSTEER_BASE_URL = baseUrl;
-  return {
-    token: credential.token,
-    authScheme: credential.authScheme,
-    source: credential.source,
-    kind: credential.kind,
-    baseUrl
-  };
-}
-async function runLogin(args, deps) {
-  const { baseUrl } = resolveCloudTarget(args, deps.env, deps.store, {
-    allowRememberedTarget: false
-  });
-  const writeProgress = args.json ? deps.writeStderr : deps.writeStdout;
-  const browserOpenMode = describeBrowserOpenMode(args, deps);
-  const login = await runDeviceLoginFlow({
-    authSiteUrl: resolveAuthSiteUrl(deps.env),
-    fetchFn: deps.fetchFn,
-    writeProgress,
-    openExternalUrl: deps.openExternalUrl,
-    sleep: deps.sleep,
-    now: deps.now,
-    openBrowser: browserOpenMode.enabled,
-    openBrowserDisabledReason: browserOpenMode.disabledReason
-  });
-  deps.store.writeCloudCredential({
-    baseUrl,
-    scope: login.scope,
-    accessToken: login.accessToken,
-    refreshToken: login.refreshToken,
-    obtainedAt: deps.now(),
-    expiresAt: login.expiresAt
-  });
-  deps.store.writeActiveCloudTarget({ baseUrl });
-  if (args.json) {
-    writeJsonLine(deps, {
-      loggedIn: true,
-      baseUrl,
-      expiresAt: login.expiresAt,
-      scope: login.scope,
-      authSource: "device"
-    });
-    return 0;
-  }
-  writeHumanLine(deps, "Opensteer CLI login successful.");
-  return 0;
-}
-async function runStatus(args, deps) {
-  const { baseUrl } = resolveCloudTarget(args, deps.env, deps.store);
-  deps.store.writeActiveCloudTarget({ baseUrl });
-  const saved = deps.store.readCloudCredential({ baseUrl });
-  if (!saved) {
-    if (args.json) {
-      writeJsonLine(deps, {
-        loggedIn: false,
-        baseUrl
-      });
-    } else {
-      writeHumanLine(deps, `Opensteer CLI is not logged in for ${baseUrl}.`);
-    }
-    return 0;
-  }
-  const now = deps.now();
-  const expired = saved.expiresAt <= now;
-  if (args.json) {
-    writeJsonLine(deps, {
-      loggedIn: true,
-      expired,
-      baseUrl: saved.baseUrl,
-      expiresAt: saved.expiresAt,
-      scope: saved.scope
-    });
-    return 0;
-  }
-  writeHumanLine(
-    deps,
-    expired ? "Opensteer CLI has a saved login, but the access token is expired." : "Opensteer CLI is logged in."
-  );
-  writeHumanLine(deps, `  API Base URL: ${saved.baseUrl}`);
-  writeHumanLine(deps, `  Expires At: ${new Date(saved.expiresAt).toISOString()}`);
-  return 0;
-}
-async function runLogout(args, deps) {
-  const { baseUrl } = resolveCloudTarget(args, deps.env, deps.store);
-  deps.store.writeActiveCloudTarget({ baseUrl });
-  const saved = deps.store.readCloudCredential({ baseUrl });
-  if (saved) {
-    try {
-      await revokeToken(
-        resolveAuthSiteUrl(deps.env),
-        saved.refreshToken,
-        deps.fetchFn
-      );
-    } catch {
-    }
-  }
-  deps.store.clearCloudCredential({ baseUrl });
-  if (args.json) {
-    writeJsonLine(deps, {
-      loggedOut: true,
-      baseUrl
-    });
-    return 0;
-  }
-  writeHumanLine(deps, `Opensteer CLI login removed for ${baseUrl}.`);
-  return 0;
-}
-async function runOpensteerAuthCli(rawArgs, overrideDeps = {}) {
-  const deps = {
-    ...createDefaultDeps(),
-    ...overrideDeps
-  };
-  const parsed = parseOpensteerAuthArgs(rawArgs);
-  if (parsed.mode === "help") {
-    printHelp(deps);
-    return 0;
-  }
-  if (parsed.mode === "error") {
-    deps.writeStderr(`${parsed.error}
-`);
-    deps.writeStderr('Run "opensteer auth --help" for usage.\n');
-    return 1;
-  }
-  try {
-    if (parsed.mode === "login") {
-      return await runLogin(parsed.args, deps);
-    }
-    if (parsed.mode === "status") {
-      return await runStatus(parsed.args, deps);
-    }
-    return await runLogout(parsed.args, deps);
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Auth command failed.";
-    deps.writeStderr(`${message}
-`);
-    return 1;
-  }
-}
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  ensureCloudCredentialsForCommand,
-  ensureCloudCredentialsForOpenCommand,
-  isCloudModeEnabledForRootDir,
-  parseOpensteerAuthArgs,
-  runOpensteerAuthCli
-});