opensteer 0.6.13 → 0.7.0

package/dist/cli/profile.js

@@ -1,1328 +0,0 @@
-import {
-  BrowserProfileClient
-} from "../chunk-ZRCFF546.js";
-import {
-  createKeychainStore,
-  ensureCloudCredentialsForCommand
-} from "../chunk-U724TBY6.js";
-import {
-  Opensteer
-} from "../chunk-HBTSQ2V4.js";
-import {
-  resolveConfigWithEnv
-} from "../chunk-2ES46WCO.js";
-import {
-  expandHome
-} from "../chunk-K5CL76MG.js";
-import "../chunk-3H5RRIMZ.js";
-
-// src/cli/profile.ts
-import path from "path";
-import { createInterface } from "readline/promises";
-
-// src/browser/chromium-profile.ts
-import { promisify } from "util";
-import { execFile } from "child_process";
-import { createDecipheriv, createHash, pbkdf2Sync } from "crypto";
-import {
-  cp,
-  copyFile,
-  mkdtemp,
-  readdir,
-  readFile,
-  rm
-} from "fs/promises";
-import { existsSync, statSync } from "fs";
-import { basename, dirname, join } from "path";
-import { tmpdir } from "os";
-import { chromium } from "playwright";
-var execFileAsync = promisify(execFile);
-var CHROMIUM_EPOCH_MICROS = 11644473600000000n;
-var AES_BLOCK_BYTES = 16;
-var MAC_KEY_ITERATIONS = 1003;
-var LINUX_KEY_ITERATIONS = 1;
-var KEY_LENGTH = 16;
-var KEY_SALT = "saltysalt";
-var DEFAULT_CHROMIUM_BRAND = {
-  macService: "Chrome Safe Storage",
-  macAccount: "Chrome",
-  linuxApplications: ["chrome", "google-chrome"]
-};
-var CHROMIUM_BRANDS = [
-  {
-    match: ["bravesoftware", "brave-browser"],
-    brand: {
-      macService: "Brave Safe Storage",
-      macAccount: "Brave",
-      linuxApplications: ["brave-browser", "brave"]
-    }
-  },
-  {
-    match: ["microsoft", "edge"],
-    brand: {
-      macService: "Microsoft Edge Safe Storage",
-      macAccount: "Microsoft Edge",
-      linuxApplications: ["microsoft-edge"],
-      playwrightChannel: "msedge"
-    }
-  },
-  {
-    match: ["google", "chrome beta"],
-    brand: {
-      macService: "Chrome Beta Safe Storage",
-      macAccount: "Chrome Beta",
-      linuxApplications: ["chrome-beta"],
-      playwrightChannel: "chrome-beta"
-    }
-  },
-  {
-    match: ["google", "chrome"],
-    brand: {
-      macService: "Chrome Safe Storage",
-      macAccount: "Chrome",
-      linuxApplications: ["chrome", "google-chrome"],
-      playwrightChannel: "chrome"
-    }
-  },
-  {
-    match: ["chromium"],
-    brand: {
-      macService: "Chromium Safe Storage",
-      macAccount: "Chromium",
-      linuxApplications: ["chromium"]
-    }
-  }
-];
-function directoryExists(filePath) {
-  try {
-    return statSync(filePath).isDirectory();
-  } catch {
-    return false;
-  }
-}
-function fileExists(filePath) {
-  try {
-    return statSync(filePath).isFile();
-  } catch {
-    return false;
-  }
-}
-function resolveCookieDbPath(profileDir) {
-  const candidates = [join(profileDir, "Network", "Cookies"), join(profileDir, "Cookies")];
-  for (const candidate of candidates) {
-    if (fileExists(candidate)) {
-      return candidate;
-    }
-  }
-  return null;
-}
-async function selectProfileDirFromUserDataDir(userDataDir) {
-  const entries = await readdir(userDataDir, {
-    withFileTypes: true
-  }).catch(() => []);
-  const candidates = entries.filter((entry) => entry.isDirectory()).map((entry) => join(userDataDir, entry.name)).filter((entryPath) => resolveCookieDbPath(entryPath));
-  return candidates;
-}
-async function resolveChromiumProfileLocation(inputPath) {
-  const expandedPath = expandHome(inputPath.trim());
-  if (!expandedPath) {
-    throw new Error("Profile path cannot be empty.");
-  }
-  if (fileExists(expandedPath) && basename(expandedPath) === "Cookies") {
-    const directParent = dirname(expandedPath);
-    const profileDir = basename(directParent) === "Network" ? dirname(directParent) : directParent;
-    const userDataDir = dirname(profileDir);
-    return {
-      userDataDir,
-      profileDir,
-      profileDirectory: basename(profileDir),
-      cookieDbPath: expandedPath,
-      localStatePath: fileExists(join(userDataDir, "Local State")) ? join(userDataDir, "Local State") : null
-    };
-  }
-  if (fileExists(expandedPath)) {
-    throw new Error(
-      `Unsupported profile source "${inputPath}". Pass a Chromium profile directory, user-data dir, or Cookies database path.`
-    );
-  }
-  if (!directoryExists(expandedPath)) {
-    throw new Error(
-      `Could not find a Chromium profile at "${inputPath}".`
-    );
-  }
-  const directCookieDb = resolveCookieDbPath(expandedPath);
-  if (directCookieDb) {
-    const userDataDir = dirname(expandedPath);
-    return {
-      userDataDir,
-      profileDir: expandedPath,
-      profileDirectory: basename(expandedPath),
-      cookieDbPath: directCookieDb,
-      localStatePath: fileExists(join(userDataDir, "Local State")) ? join(userDataDir, "Local State") : null
-    };
-  }
-  const localStatePath = join(expandedPath, "Local State");
-  if (!fileExists(localStatePath)) {
-    throw new Error(
-      `Unsupported profile source "${inputPath}". Pass a Chromium profile directory, user-data dir, or Cookies database path.`
-    );
-  }
-  const profileDirs = await selectProfileDirFromUserDataDir(expandedPath);
-  if (profileDirs.length === 0) {
-    throw new Error(
-      `No Chromium profile with a Cookies database was found under "${inputPath}".`
-    );
-  }
-  if (profileDirs.length > 1) {
-    const candidates = profileDirs.map((entry) => basename(entry)).join(", ");
-    throw new Error(
-      `"${inputPath}" contains multiple Chromium profiles (${candidates}). Pass a specific profile directory such as "${profileDirs[0]}".`
-    );
-  }
-  const selectedProfileDir = profileDirs[0];
-  const cookieDbPath = resolveCookieDbPath(selectedProfileDir);
-  if (!cookieDbPath) {
-    throw new Error(
-      `No Chromium Cookies database was found for "${inputPath}".`
-    );
-  }
-  return {
-    userDataDir: expandedPath,
-    profileDir: selectedProfileDir,
-    profileDirectory: basename(selectedProfileDir),
-    cookieDbPath,
-    localStatePath
-  };
-}
-function detectChromiumBrand(location) {
-  const normalizedPath = location.userDataDir.toLowerCase();
-  for (const candidate of CHROMIUM_BRANDS) {
-    if (candidate.match.every((fragment) => normalizedPath.includes(fragment))) {
-      return candidate.brand;
-    }
-  }
-  return DEFAULT_CHROMIUM_BRAND;
-}
-async function createSqliteSnapshot(dbPath) {
-  const snapshotDir = await mkdtemp(join(tmpdir(), "opensteer-cookie-db-"));
-  const snapshotPath = join(snapshotDir, "Cookies");
-  await copyFile(dbPath, snapshotPath);
-  for (const suffix of ["-wal", "-shm", "-journal"]) {
-    const source = `${dbPath}${suffix}`;
-    if (!existsSync(source)) {
-      continue;
-    }
-    await copyFile(source, `${snapshotPath}${suffix}`);
-  }
-  return {
-    snapshotPath,
-    cleanup: async () => {
-      await rm(snapshotDir, { recursive: true, force: true });
-    }
-  };
-}
-async function querySqliteJson(dbPath, query) {
-  const result = await execFileAsync("sqlite3", ["-json", dbPath, query], {
-    encoding: "utf8",
-    maxBuffer: 64 * 1024 * 1024
-  });
-  const stdout = result.stdout;
-  const trimmed = stdout.trim();
-  if (!trimmed) {
-    return [];
-  }
-  return JSON.parse(trimmed);
-}
-function convertChromiumTimestampToUnixSeconds(value) {
-  if (!value || value === "0") {
-    return -1;
-  }
-  const micros = BigInt(value);
-  if (micros <= CHROMIUM_EPOCH_MICROS) {
-    return -1;
-  }
-  return Number((micros - CHROMIUM_EPOCH_MICROS) / 1000000n);
-}
-function mapChromiumSameSite(value) {
-  if (value === 2) {
-    return "Strict";
-  }
-  if (value === 0) {
-    return "None";
-  }
-  return "Lax";
-}
-function stripChromiumPadding(buffer) {
-  const paddingLength = buffer[buffer.length - 1];
-  if (paddingLength <= 0 || paddingLength > AES_BLOCK_BYTES) {
-    return buffer;
-  }
-  return buffer.subarray(0, buffer.length - paddingLength);
-}
-function stripDomainHashPrefix(buffer, hostKey) {
-  if (buffer.length < 32) {
-    return buffer;
-  }
-  const domainHash = createHash("sha256").update(hostKey, "utf8").digest();
-  if (buffer.subarray(0, 32).equals(domainHash)) {
-    return buffer.subarray(32);
-  }
-  return buffer;
-}
-function decryptChromiumAes128CbcValue(encryptedValue, key, hostKey) {
-  const ciphertext = encryptedValue.length > 3 && encryptedValue[0] === 118 && encryptedValue[1] === 49 && (encryptedValue[2] === 48 || encryptedValue[2] === 49) ? encryptedValue.subarray(3) : encryptedValue;
-  const iv = Buffer.alloc(AES_BLOCK_BYTES, " ");
-  const decipher = createDecipheriv("aes-128-cbc", key, iv);
-  const plaintext = Buffer.concat([
-    decipher.update(ciphertext),
-    decipher.final()
-  ]);
-  return stripDomainHashPrefix(stripChromiumPadding(plaintext), hostKey).toString(
-    "utf8"
-  );
-}
-function decryptChromiumAes256GcmValue(encryptedValue, key) {
-  const nonce = encryptedValue.subarray(3, 15);
-  const ciphertext = encryptedValue.subarray(15, encryptedValue.length - 16);
-  const authTag = encryptedValue.subarray(encryptedValue.length - 16);
-  const decipher = createDecipheriv("aes-256-gcm", key, nonce);
-  decipher.setAuthTag(authTag);
-  return Buffer.concat([
-    decipher.update(ciphertext),
-    decipher.final()
-  ]).toString("utf8");
-}
-async function dpapiUnprotect(buffer) {
-  const script = [
-    `$inputBytes = [Convert]::FromBase64String('${buffer.toString("base64")}')`,
-    "$plainBytes = [System.Security.Cryptography.ProtectedData]::Unprotect(",
-    "  $inputBytes,",
-    "  $null,",
-    "  [System.Security.Cryptography.DataProtectionScope]::CurrentUser",
-    ")",
-    "[Convert]::ToBase64String($plainBytes)"
-  ].join("\n");
-  const { stdout } = await execFileAsync(
-    "powershell.exe",
-    ["-NoProfile", "-NonInteractive", "-Command", script],
-    {
-      encoding: "utf8",
-      maxBuffer: 8 * 1024 * 1024
-    }
-  );
-  return Buffer.from(stdout.trim(), "base64");
-}
-async function buildChromiumDecryptor(location) {
-  if (process.platform === "darwin") {
-    const brand = detectChromiumBrand(location);
-    const keychainStore = createKeychainStore();
-    const password = keychainStore?.get(brand.macService, brand.macAccount) ?? null;
-    if (!password) {
-      throw new Error(
-        `Unable to read ${brand.macService} from macOS Keychain.`
-      );
-    }
-    const key = pbkdf2Sync(password, KEY_SALT, MAC_KEY_ITERATIONS, KEY_LENGTH, "sha1");
-    return async (row) => decryptChromiumAes128CbcValue(
-      Buffer.from(row.encrypted_value || "", "hex"),
-      key,
-      row.host_key
-    );
-  }
-  if (process.platform === "linux") {
-    const brand = detectChromiumBrand(location);
-    const keychainStore = createKeychainStore();
-    const password = keychainStore?.get(brand.macService, brand.macAccount) ?? brand.linuxApplications.map((application) => keychainStore?.get(application, application) ?? null).find(Boolean) ?? null;
-    const key = pbkdf2Sync(
-      password || "peanuts",
-      KEY_SALT,
-      LINUX_KEY_ITERATIONS,
-      KEY_LENGTH,
-      "sha1"
-    );
-    return async (row) => decryptChromiumAes128CbcValue(
-      Buffer.from(row.encrypted_value || "", "hex"),
-      key,
-      row.host_key
-    );
-  }
-  if (process.platform === "win32") {
-    if (!location.localStatePath) {
-      throw new Error(
-        `Unable to locate Chromium Local State for profile: ${location.profileDir}`
-      );
-    }
-    const localState = JSON.parse(
-      await readFile(location.localStatePath, "utf8")
-    );
-    const encryptedKeyBase64 = localState.os_crypt?.encrypted_key;
-    if (!encryptedKeyBase64) {
-      throw new Error(
-        `Local State did not include os_crypt.encrypted_key for ${location.userDataDir}`
-      );
-    }
-    const encryptedKey = Buffer.from(encryptedKeyBase64, "base64");
-    const masterKey = await dpapiUnprotect(encryptedKey.subarray(5));
-    return async (row) => {
-      const encryptedValue = Buffer.from(row.encrypted_value || "", "hex");
-      if (encryptedValue.length > 4 && encryptedValue[0] === 1 && encryptedValue[1] === 0 && encryptedValue[2] === 0 && encryptedValue[3] === 0) {
-        const decrypted = await dpapiUnprotect(encryptedValue);
-        return decrypted.toString("utf8");
-      }
-      return decryptChromiumAes256GcmValue(encryptedValue, masterKey);
-    };
-  }
-  throw new Error(
-    `Local Chromium cookie sync is not supported on ${process.platform}.`
-  );
-}
-function buildPlaywrightCookie(row, value) {
-  if (!row.name.trim()) {
-    return null;
-  }
-  if (!row.host_key.trim()) {
-    return null;
-  }
-  const expires = row.has_expires === 1 ? convertChromiumTimestampToUnixSeconds(row.expires_utc) : -1;
-  if (expires !== -1 && expires <= Math.floor(Date.now() / 1e3)) {
-    return null;
-  }
-  return {
-    name: row.name,
-    value,
-    domain: row.host_key,
-    path: row.path || "/",
-    expires,
-    httpOnly: row.is_httponly === 1,
-    secure: row.is_secure === 1,
-    sameSite: mapChromiumSameSite(row.samesite)
-  };
-}
-async function loadCookiesFromLocalProfileDir(inputPath, options = {}) {
-  const location = await resolveChromiumProfileLocation(inputPath);
-  try {
-    return await loadCookiesFromSqlite(location);
-  } catch (error) {
-    if (!isMissingSqliteBinary(error)) {
-      throw error;
-    }
-  }
-  return await loadCookiesFromBrowserSnapshot(location, options);
-}
-async function loadCookiesFromSqlite(location) {
-  const snapshot = await createSqliteSnapshot(location.cookieDbPath);
-  try {
-    const rows = await querySqliteJson(
-      snapshot.snapshotPath,
-      [
-        "SELECT",
-        "  host_key,",
-        "  name,",
-        "  value,",
-        "  hex(encrypted_value) AS encrypted_value,",
-        "  path,",
-        "  CAST(expires_utc AS TEXT) AS expires_utc,",
-        "  is_secure,",
-        "  is_httponly,",
-        "  has_expires,",
-        "  samesite",
-        "FROM cookies"
-      ].join(" ")
-    );
-    const decryptValue = await buildChromiumDecryptor(location);
-    const cookies = [];
-    for (const row of rows) {
-      let value = row.value || "";
-      if (!value && row.encrypted_value) {
-        value = await decryptValue(row);
-      }
-      const cookie = buildPlaywrightCookie(row, value);
-      if (cookie) {
-        cookies.push(cookie);
-      }
-    }
-    return cookies;
-  } finally {
-    await snapshot.cleanup();
-  }
-}
-async function loadCookiesFromBrowserSnapshot(location, options) {
-  const snapshotRootDir = await mkdtemp(join(tmpdir(), "opensteer-profile-"));
-  const snapshotProfileDir = join(
-    snapshotRootDir,
-    basename(location.profileDir)
-  );
-  let context = null;
-  try {
-    await cp(location.profileDir, snapshotProfileDir, {
-      recursive: true
-    });
-    if (location.localStatePath) {
-      await copyFile(location.localStatePath, join(snapshotRootDir, "Local State"));
-    }
-    const brand = detectChromiumBrand(location);
-    const args = [`--profile-directory=${basename(snapshotProfileDir)}`];
-    context = await chromium.launchPersistentContext(snapshotRootDir, {
-      channel: brand.playwrightChannel,
-      headless: options.headless ?? true,
-      timeout: options.timeout ?? 12e4,
-      args
-    });
-    return await context.cookies();
-  } finally {
-    await context?.close().catch(() => void 0);
-    await rm(snapshotRootDir, { recursive: true, force: true });
-  }
-}
-function isMissingSqliteBinary(error) {
-  return Boolean(
-    error && typeof error === "object" && "code" in error && error.code === "ENOENT"
-  );
-}
-
-// src/cli/profile-sync.ts
-function normalizeCookieDomain(value) {
-  const trimmed = value.trim().toLowerCase();
-  return trimmed.replace(/^\.+/, "");
-}
-function extractCookieDomain(cookie) {
-  if (typeof cookie.domain === "string" && cookie.domain.trim()) {
-    return normalizeCookieDomain(cookie.domain);
-  }
-  return null;
-}
-function cookieMatchesDomainFilters(cookie, domainFilters) {
-  if (!domainFilters.length) return true;
-  const cookieDomain = extractCookieDomain(cookie);
-  if (!cookieDomain) return false;
-  return domainFilters.some((domain) => {
-    if (cookieDomain === domain) return true;
-    return cookieDomain.endsWith(`.${domain}`);
-  });
-}
-function toCookieParam(cookie) {
-  const name = typeof cookie.name === "string" ? cookie.name.trim() : "";
-  if (!name) return null;
-  if (typeof cookie.value !== "string") return null;
-  const output = {
-    name,
-    value: cookie.value
-  };
-  if (typeof cookie.domain === "string" && cookie.domain.trim()) {
-    output.domain = cookie.domain.trim();
-  }
-  if (typeof cookie.path === "string" && cookie.path.trim()) {
-    output.path = cookie.path;
-  }
-  if (!output.domain) {
-    return null;
-  }
-  if (!output.path) {
-    output.path = "/";
-  }
-  if (typeof cookie.expires === "number" && Number.isFinite(cookie.expires)) {
-    if (cookie.expires > 0) {
-      output.expires = cookie.expires;
-    }
-  }
-  if (typeof cookie.httpOnly === "boolean") {
-    output.httpOnly = cookie.httpOnly;
-  }
-  if (typeof cookie.secure === "boolean") {
-    output.secure = cookie.secure;
-  }
-  if (cookie.sameSite === "Strict" || cookie.sameSite === "Lax" || cookie.sameSite === "None") {
-    output.sameSite = cookie.sameSite;
-  }
-  return output;
-}
-function prepareCookiesForSync(cookies, options = {}) {
-  const filteredDomains = Array.from(
-    new Set(
-      (options.domains || []).map((domain) => normalizeCookieDomain(domain)).filter(Boolean)
-    )
-  );
-  const domainCounts = {};
-  let matchedCookies = 0;
-  let droppedInvalid = 0;
-  const dedupeMap = /* @__PURE__ */ new Map();
-  for (const cookie of cookies) {
-    if (!cookieMatchesDomainFilters(cookie, filteredDomains)) {
-      continue;
-    }
-    matchedCookies += 1;
-    const normalizedCookie = toCookieParam(cookie);
-    if (!normalizedCookie) {
-      droppedInvalid += 1;
-      continue;
-    }
-    const domainKey = extractCookieDomain(cookie) || "(unknown)";
-    domainCounts[domainKey] = (domainCounts[domainKey] || 0) + 1;
-    const identityDomain = normalizedCookie.domain ? normalizeCookieDomain(normalizedCookie.domain) : "";
-    const dedupeKey = [
-      normalizedCookie.name,
-      identityDomain,
-      normalizedCookie.path || "/"
-    ].join("
");
-    dedupeMap.set(dedupeKey, normalizedCookie);
-  }
-  const dedupedCookies = dedupeMap.size;
-  return {
-    cookies: Array.from(dedupeMap.values()),
-    totalCookies: cookies.length,
-    matchedCookies,
-    dedupedCookies,
-    droppedInvalid,
-    filteredDomains,
-    domainCounts
-  };
-}
-
-// src/cli/profile.ts
-var HELP_TEXT = `Usage: opensteer profile <command> [options]
-
-Manage cloud browser profiles and sync local cookie state into cloud profiles.
-
-Commands:
-  list                      List cloud browser profiles
-  create --name <name>      Create a cloud browser profile
-  sync                      Sync local profile cookies to cloud
-
-Cloud auth options (all commands):
-  --api-key <key>           Cloud API key (defaults to OPENSTEER_API_KEY)
-  --access-token <token>    Cloud bearer access token (defaults to OPENSTEER_ACCESS_TOKEN)
-  --base-url <url>          Cloud API base URL (defaults to env or the last selected host)
-  --auth-scheme <scheme>    api-key (default) or bearer
-  --json                    JSON output (progress logs go to stderr)
-
-Sync options:
-  --from-profile-dir <dir>  Local browser profile directory or Chromium user-data dir to read cookies from (required)
-  --to-profile-id <id>      Destination cloud profile id
-  --name <name>             Create destination cloud profile with this name if --to-profile-id is omitted
-  --domain <domain>         Restrict sync to one domain (repeatable)
-  --all-domains             Explicitly sync all domains
-  --dry-run                 Analyze cookies and scope without uploading to cloud
-  --yes                     Required for non-interactive execution
-  --headless <true|false>   Browser headless mode for local/cloud sync sessions (default: true)
-  -h, --help                Show this help
-
-Examples:
-  opensteer profile list
-  opensteer profile create --name "My Session Profile"
-  opensteer profile sync --from-profile-dir ~/Library/Application\\ Support/Google/Chrome/Default --to-profile-id bp_123 --domain github.com
-  opensteer profile sync --from-profile-dir ./my-profile --name "Imported Profile" --all-domains --yes
-`;
-function parseBooleanValue(raw, flag) {
-  const normalized = raw.trim().toLowerCase();
-  if (normalized === "true" || normalized === "1") {
-    return { ok: true, value: true };
-  }
-  if (normalized === "false" || normalized === "0") {
-    return { ok: true, value: false };
-  }
-  return {
-    ok: false,
-    error: `${flag} must be "true" or "false".`
-  };
-}
-function parseAuthScheme(raw) {
-  const normalized = raw.trim().toLowerCase();
-  if (normalized === "api-key" || normalized === "bearer") {
-    return normalized;
-  }
-  return null;
-}
-function isBrowserProfileStatus(value) {
-  return value === "active" || value === "archived" || value === "error";
-}
-function readFlagValue(args, index, flag) {
-  const value = args[index + 1];
-  if (value === void 0 || value.startsWith("-")) {
-    return {
-      ok: false,
-      error: `${flag} requires a value.`
-    };
-  }
-  return {
-    ok: true,
-    value,
-    nextIndex: index + 1
-  };
-}
-function parseListArgs(rawArgs) {
-  const args = {};
-  for (let i = 0; i < rawArgs.length; i++) {
-    const arg = rawArgs[i];
-    if (arg === "--json") {
-      args.json = true;
-      continue;
-    }
-    if (arg === "--api-key") {
-      const value = readFlagValue(rawArgs, i, "--api-key");
-      if (!value.ok) return { mode: "error", error: value.error };
-      args.apiKey = value.value;
-      i = value.nextIndex;
-      continue;
-    }
-    if (arg === "--access-token") {
-      const value = readFlagValue(rawArgs, i, "--access-token");
-      if (!value.ok) return { mode: "error", error: value.error };
-      args.accessToken = value.value;
-      i = value.nextIndex;
-      continue;
-    }
-    if (arg === "--base-url") {
-      const value = readFlagValue(rawArgs, i, "--base-url");
-      if (!value.ok) return { mode: "error", error: value.error };
-      args.baseUrl = value.value;
-      i = value.nextIndex;
-      continue;
-    }
-    if (arg === "--auth-scheme") {
-      const value = readFlagValue(rawArgs, i, "--auth-scheme");
-      if (!value.ok) return { mode: "error", error: value.error };
-      const parsed = parseAuthScheme(value.value);
-      if (!parsed) {
-        return {
-          mode: "error",
-          error: '--auth-scheme must be "api-key" or "bearer".'
-        };
-      }
-      args.authScheme = parsed;
-      i = value.nextIndex;
-      continue;
-    }
-    if (arg === "--cursor") {
-      const value = readFlagValue(rawArgs, i, "--cursor");
-      if (!value.ok) return { mode: "error", error: value.error };
-      args.cursor = value.value;
-      i = value.nextIndex;
-      continue;
-    }
-    if (arg === "--limit") {
-      const value = readFlagValue(rawArgs, i, "--limit");
-      if (!value.ok) return { mode: "error", error: value.error };
-      const parsed = Number.parseInt(value.value, 10);
-      if (!Number.isInteger(parsed) || parsed <= 0) {
-        return {
-          mode: "error",
-          error: "--limit must be a positive integer."
-        };
-      }
-      args.limit = parsed;
-      i = value.nextIndex;
-      continue;
-    }
-    if (arg === "--status") {
-      const value = readFlagValue(rawArgs, i, "--status");
-      if (!value.ok) return { mode: "error", error: value.error };
-      const status = value.value.trim();
-      if (!isBrowserProfileStatus(status)) {
-        return {
-          mode: "error",
-          error: "--status must be one of: active, archived, error."
-        };
-      }
-      args.status = status;
-      i = value.nextIndex;
-      continue;
-    }
-    return {
-      mode: "error",
-      error: `Unsupported option "${arg}" for "opensteer profile list".`
-    };
-  }
-  return { mode: "list", args };
-}
-function parseCreateArgs(rawArgs) {
-  const args = {};
-  for (let i = 0; i < rawArgs.length; i++) {
-    const arg = rawArgs[i];
-    if (arg === "--json") {
-      args.json = true;
-      continue;
-    }
-    if (arg === "--name") {
-      const value = readFlagValue(rawArgs, i, "--name");
-      if (!value.ok) return { mode: "error", error: value.error };
-      args.name = value.value.trim();
-      i = value.nextIndex;
-      continue;
-    }
-    if (arg === "--api-key") {
-      const value = readFlagValue(rawArgs, i, "--api-key");
-      if (!value.ok) return { mode: "error", error: value.error };
-      args.apiKey = value.value;
-      i = value.nextIndex;
-      continue;
-    }
-    if (arg === "--access-token") {
-      const value = readFlagValue(rawArgs, i, "--access-token");
-      if (!value.ok) return { mode: "error", error: value.error };
-      args.accessToken = value.value;
-      i = value.nextIndex;
-      continue;
-    }
-    if (arg === "--base-url") {
-      const value = readFlagValue(rawArgs, i, "--base-url");
-      if (!value.ok) return { mode: "error", error: value.error };
-      args.baseUrl = value.value;
-      i = value.nextIndex;
-      continue;
-    }
-    if (arg === "--auth-scheme") {
-      const value = readFlagValue(rawArgs, i, "--auth-scheme");
-      if (!value.ok) return { mode: "error", error: value.error };
-      const parsed = parseAuthScheme(value.value);
-      if (!parsed) {
-        return {
-          mode: "error",
-          error: '--auth-scheme must be "api-key" or "bearer".'
-        };
-      }
-      args.authScheme = parsed;
-      i = value.nextIndex;
-      continue;
-    }
-    return {
-      mode: "error",
-      error: `Unsupported option "${arg}" for "opensteer profile create".`
-    };
-  }
-  if (!args.name) {
-    return {
-      mode: "error",
-      error: '--name is required for "opensteer profile create".'
-    };
-  }
-  return {
-    mode: "create",
-    args: {
-      ...args,
-      name: args.name
-    }
-  };
-}
-function parseSyncArgs(rawArgs) {
-  const args = {
-    fromProfileDir: "",
-    domains: [],
-    allDomains: false,
-    dryRun: false,
-    yes: false,
-    headless: true
-  };
-  for (let i = 0; i < rawArgs.length; i++) {
-    const arg = rawArgs[i];
-    if (arg === "--json") {
-      args.json = true;
-      continue;
-    }
-    if (arg === "--all-domains") {
-      args.allDomains = true;
-      continue;
-    }
-    if (arg === "--dry-run") {
-      args.dryRun = true;
-      continue;
-    }
-    if (arg === "--yes") {
-      args.yes = true;
-      continue;
-    }
-    if (arg === "--from-profile-dir") {
-      const value = readFlagValue(rawArgs, i, "--from-profile-dir");
-      if (!value.ok) return { mode: "error", error: value.error };
-      args.fromProfileDir = value.value;
-      i = value.nextIndex;
-      continue;
-    }
-    if (arg === "--to-profile-id") {
-      const value = readFlagValue(rawArgs, i, "--to-profile-id");
-      if (!value.ok) return { mode: "error", error: value.error };
-      args.toProfileId = value.value;
-      i = value.nextIndex;
-      continue;
-    }
-    if (arg === "--name") {
-      const value = readFlagValue(rawArgs, i, "--name");
-      if (!value.ok) return { mode: "error", error: value.error };
-      args.name = value.value;
-      i = value.nextIndex;
-      continue;
-    }
-    if (arg === "--domain") {
-      const value = readFlagValue(rawArgs, i, "--domain");
-      if (!value.ok) return { mode: "error", error: value.error };
-      args.domains.push(value.value);
-      i = value.nextIndex;
-      continue;
-    }
-    if (arg === "--headless") {
-      const value = readFlagValue(rawArgs, i, "--headless");
-      if (!value.ok) return { mode: "error", error: value.error };
-      const parsed = parseBooleanValue(value.value, "--headless");
-      if (!parsed.ok) return { mode: "error", error: parsed.error };
-      args.headless = parsed.value;
-      i = value.nextIndex;
-      continue;
-    }
-    if (arg === "--api-key") {
-      const value = readFlagValue(rawArgs, i, "--api-key");
-      if (!value.ok) return { mode: "error", error: value.error };
-      args.apiKey = value.value;
-      i = value.nextIndex;
-      continue;
-    }
-    if (arg === "--access-token") {
-      const value = readFlagValue(rawArgs, i, "--access-token");
-      if (!value.ok) return { mode: "error", error: value.error };
-      args.accessToken = value.value;
-      i = value.nextIndex;
-      continue;
-    }
-    if (arg === "--base-url") {
-      const value = readFlagValue(rawArgs, i, "--base-url");
-      if (!value.ok) return { mode: "error", error: value.error };
-      args.baseUrl = value.value;
-      i = value.nextIndex;
-      continue;
-    }
-    if (arg === "--auth-scheme") {
-      const value = readFlagValue(rawArgs, i, "--auth-scheme");
-      if (!value.ok) return { mode: "error", error: value.error };
-      const parsed = parseAuthScheme(value.value);
-      if (!parsed) {
-        return {
-          mode: "error",
-          error: '--auth-scheme must be "api-key" or "bearer".'
-        };
-      }
-      args.authScheme = parsed;
-      i = value.nextIndex;
-      continue;
-    }
-    return {
-      mode: "error",
-      error: `Unsupported option "${arg}" for "opensteer profile sync".`
-    };
-  }
-  if (!args.fromProfileDir.trim()) {
-    return {
-      mode: "error",
-      error: '--from-profile-dir is required for "opensteer profile sync".'
-    };
-  }
-  if (args.allDomains && args.domains.length > 0) {
-    return {
-      mode: "error",
-      error: "Use either --all-domains or --domain, not both."
-    };
-  }
-  return { mode: "sync", args };
-}
-function parseOpensteerProfileArgs(rawArgs) {
-  if (!rawArgs.length) {
-    return { mode: "help" };
-  }
-  const [subcommand, ...rest] = rawArgs;
-  if (subcommand === "--help" || subcommand === "-h" || subcommand === "help") {
-    return { mode: "help" };
-  }
-  if (subcommand === "list") {
-    return parseListArgs(rest);
-  }
-  if (subcommand === "create") {
-    return parseCreateArgs(rest);
-  }
-  if (subcommand === "sync") {
-    return parseSyncArgs(rest);
-  }
-  return {
-    mode: "error",
-    error: `Unsupported profile subcommand "${subcommand}".`
-  };
-}
-function createDefaultDeps() {
-  return {
-    env: process.env,
-    createBrowserProfileClient: (context) => new BrowserProfileClient(
-      context.baseUrl,
-      context.token,
-      context.authScheme
-    ),
-    createOpensteer: (config) => new Opensteer(config),
-    loadLocalProfileCookies: (profileDir, options) => loadCookiesFromLocalProfileDir(profileDir, options),
-    isInteractive: () => Boolean(process.stdin.isTTY && process.stdout.isTTY),
-    confirm: async (message) => {
-      const rl = createInterface({
-        input: process.stdin,
-        output: process.stderr
-      });
-      try {
-        const answer = await rl.question(`${message} [y/N] `);
-        const normalized = answer.trim().toLowerCase();
-        return normalized === "y" || normalized === "yes";
-      } finally {
-        rl.close();
-      }
-    },
-    writeStdout: (message) => process.stdout.write(message),
-    writeStderr: (message) => process.stderr.write(message)
-  };
-}
-async function buildCloudAuthContext(args, deps) {
-  const ensured = await ensureCloudCredentialsForCommand({
-    commandName: "opensteer profile",
-    env: deps.env,
-    apiKeyFlag: args.apiKey,
-    accessTokenFlag: args.accessToken,
-    baseUrl: args.baseUrl,
-    interactive: deps.isInteractive(),
-    autoLoginIfNeeded: true,
-    writeProgress: args.json ? deps.writeStderr : deps.writeStdout,
-    writeStderr: deps.writeStderr
-  });
-  if (args.authScheme) {
-    if (ensured.kind === "access-token" && args.authScheme !== "bearer") {
-      throw new Error(
-        "--auth-scheme=api-key is incompatible with --access-token or saved login credentials."
-      );
-    }
-    if (ensured.kind === "api-key" && args.authScheme === "bearer") {
-      return {
-        ...ensured,
-        authScheme: "bearer"
-      };
-    }
-  }
-  return {
-    token: ensured.token,
-    baseUrl: ensured.baseUrl,
-    authScheme: ensured.authScheme,
-    kind: ensured.kind,
-    source: ensured.source
-  };
-}
-function printProfileHelp(deps) {
-  deps.writeStdout(`${HELP_TEXT}
-`);
-}
-function writeJson(deps, payload) {
-  deps.writeStdout(`${JSON.stringify(payload)}
-`);
-}
-function writeHumanLine(deps, message) {
-  deps.writeStdout(`${message}
-`);
-}
-function writeProgressLine(deps, jsonOutput, message) {
-  if (jsonOutput) {
-    deps.writeStderr(`${message}
-`);
-    return;
-  }
-  deps.writeStdout(`${message}
-`);
-}
-async function runList(args, deps) {
-  const auth = await buildCloudAuthContext(args, deps);
-  const client = deps.createBrowserProfileClient(auth);
-  const response = await client.list({
-    cursor: args.cursor,
-    limit: args.limit,
-    status: args.status
-  });
-  if (args.json) {
-    writeJson(deps, response);
-    return 0;
-  }
-  if (!response.profiles.length) {
-    writeHumanLine(deps, "No cloud browser profiles found.");
-    return 0;
-  }
-  writeHumanLine(deps, `Cloud browser profiles (${response.profiles.length}):`);
-  for (const profile of response.profiles) {
-    writeHumanLine(
-      deps,
-      `  ${profile.profileId}  ${profile.name}  [${profile.status}]`
-    );
-  }
-  if (response.nextCursor) {
-    writeHumanLine(
-      deps,
-      `Next cursor: ${response.nextCursor}`
-    );
-  }
-  return 0;
-}
-async function runCreate(args, deps) {
-  const auth = await buildCloudAuthContext(args, deps);
-  const client = deps.createBrowserProfileClient(auth);
-  const profile = await client.create({
-    name: args.name
-  });
-  if (args.json) {
-    writeJson(deps, profile);
-    return 0;
-  }
-  writeHumanLine(
-    deps,
-    `Created cloud browser profile "${profile.name}" (${profile.profileId}).`
-  );
-  return 0;
-}
-async function importCookiesInBatches(context, cookies, batchSize = 100) {
-  let imported = 0;
-  let skipped = 0;
-  for (let offset = 0; offset < cookies.length; offset += batchSize) {
-    const batch = cookies.slice(offset, offset + batchSize);
-    try {
-      await context.addCookies(batch);
-      imported += batch.length;
-    } catch {
-      for (const cookie of batch) {
-        try {
-          await context.addCookies([cookie]);
-          imported += 1;
-        } catch {
-          skipped += 1;
-        }
-      }
-    }
-  }
-  return {
-    imported,
-    skipped
-  };
-}
-async function resolveTargetProfileId(args, deps, client) {
-  const explicitProfileId = args.toProfileId?.trim();
-  if (explicitProfileId) {
-    return {
-      profileId: explicitProfileId,
-      created: false
-    };
-  }
-  const requestedName = args.name?.trim();
-  if (requestedName) {
-    const profile = await client.create({
-      name: requestedName
-    });
-    return {
-      profileId: profile.profileId,
-      created: true
-    };
-  }
-  if (!deps.isInteractive()) {
-    throw new Error(
-      "Sync target is required in non-interactive mode. Use --to-profile-id <id> or --name <name>."
-    );
-  }
-  const defaultName = `Synced ${path.basename(args.fromProfileDir)}`;
-  const shouldCreate = await deps.confirm(
-    `No destination profile provided. Create a new cloud profile named "${defaultName}"?`
-  );
-  if (!shouldCreate) {
-    throw new Error(
-      "Profile sync cancelled. Provide --to-profile-id or --name to choose a destination profile."
-    );
-  }
-  const created = await client.create({
-    name: defaultName
-  });
-  return {
-    profileId: created.profileId,
-    created: true
-  };
-}
-function resolveSyncBrowserProfilePreference(profileId, env) {
-  const resolved = resolveConfigWithEnv({
-    cloud: true
-  }, {
-    env
-  }).config;
-  const cloudConfig = resolved.cloud && typeof resolved.cloud === "object" ? resolved.cloud : void 0;
-  const configured = cloudConfig?.browserProfile;
-  if (configured && configured.profileId.trim() === profileId && configured.reuseIfActive !== void 0) {
-    return {
-      profileId,
-      reuseIfActive: configured.reuseIfActive
-    };
-  }
-  return { profileId };
-}
-async function runSync(args, deps) {
-  const sourceProfileDir = expandHome(args.fromProfileDir.trim());
-  const nonInteractive = !deps.isInteractive();
-  const hasExplicitScope = args.allDomains || args.domains.length > 0;
-  if (nonInteractive && !args.yes) {
-    throw new Error(
-      "Non-interactive profile sync requires --yes."
-    );
-  }
-  if (nonInteractive && !hasExplicitScope) {
-    throw new Error(
-      "Non-interactive profile sync requires explicit scope: --domain <domain> (repeatable) or --all-domains."
-    );
-  }
-  if (!hasExplicitScope && !nonInteractive) {
-    const confirmed = await deps.confirm(
-      "No domain filter provided. Sync cookies for all domains?"
-    );
-    if (!confirmed) {
-      throw new Error(
-        "Profile sync cancelled. Use --domain <domain> or --all-domains."
-      );
-    }
-  }
-  writeProgressLine(
-    deps,
-    Boolean(args.json),
-    `Reading cookies from local profile: ${sourceProfileDir}`
-  );
-  let sourceCookies = [];
-  sourceCookies = await deps.loadLocalProfileCookies(sourceProfileDir, {
-    headless: args.headless,
-    timeout: 12e4
-  });
-  const prepared = prepareCookiesForSync(sourceCookies, {
-    domains: args.allDomains ? [] : args.domains
-  });
-  if (!prepared.cookies.length) {
-    throw new Error(
-      "No syncable cookies found for the selected profile and scope."
-    );
-  }
-  if (args.dryRun) {
-    const payload2 = {
-      success: true,
-      dryRun: true,
-      profileId: args.toProfileId?.trim() || null,
-      createdProfile: false,
-      totalCookies: prepared.totalCookies,
-      matchedCookies: prepared.matchedCookies,
-      dedupedCookies: prepared.dedupedCookies,
-      droppedInvalid: prepared.droppedInvalid,
-      filteredDomains: prepared.filteredDomains,
-      domainCounts: prepared.domainCounts
-    };
-    if (args.json) {
-      writeJson(deps, payload2);
-    } else {
-      writeHumanLine(deps, "Dry run complete.");
-      writeHumanLine(deps, `  Total cookies: ${prepared.totalCookies}`);
-      writeHumanLine(deps, `  Scope-matched cookies: ${prepared.matchedCookies}`);
-      writeHumanLine(deps, `  Deduped cookies: ${prepared.dedupedCookies}`);
-      writeHumanLine(deps, `  Dropped invalid: ${prepared.droppedInvalid}`);
-      if (prepared.filteredDomains.length) {
-        writeHumanLine(
-          deps,
-          `  Domain filters: ${prepared.filteredDomains.join(", ")}`
-        );
-      } else {
-        writeHumanLine(deps, "  Domain scope: all domains");
-      }
-    }
-    return 0;
-  }
-  const auth = await buildCloudAuthContext(args, deps);
-  const client = deps.createBrowserProfileClient(auth);
-  const target = await resolveTargetProfileId(args, deps, client);
-  const targetBrowserProfile = resolveSyncBrowserProfilePreference(
-    target.profileId,
-    deps.env
-  );
-  writeProgressLine(
-    deps,
-    Boolean(args.json),
-    `Importing ${prepared.cookies.length} cookies into cloud profile ${target.profileId}`
-  );
-  const cloud = deps.createOpensteer({
-    cloud: {
-      ...auth.kind === "api-key" ? { apiKey: auth.token } : { accessToken: auth.token },
-      baseUrl: auth.baseUrl,
-      authScheme: auth.authScheme,
-      browserProfile: targetBrowserProfile
-    },
-    cursor: { enabled: false }
-  });
-  let imported = 0;
-  let skipped = 0;
-  try {
-    await cloud.launch({
-      headless: args.headless,
-      timeout: 12e4
-    });
-    const result = await importCookiesInBatches(cloud.context, prepared.cookies);
-    imported = result.imported;
-    skipped = result.skipped;
-  } finally {
-    await cloud.close().catch(() => void 0);
-  }
-  const payload = {
-    success: true,
-    profileId: target.profileId,
-    createdProfile: target.created,
-    totalCookies: prepared.totalCookies,
-    matchedCookies: prepared.matchedCookies,
-    dedupedCookies: prepared.dedupedCookies,
-    droppedInvalid: prepared.droppedInvalid,
-    importedCookies: imported,
-    skippedCookies: skipped,
-    filteredDomains: prepared.filteredDomains,
-    domainCounts: prepared.domainCounts
-  };
-  if (args.json) {
-    writeJson(deps, payload);
-    return 0;
-  }
-  writeHumanLine(deps, "Profile cookie sync complete.");
-  writeHumanLine(deps, `  Cloud profile: ${target.profileId}`);
-  writeHumanLine(deps, `  Imported cookies: ${imported}`);
-  writeHumanLine(deps, `  Skipped cookies: ${skipped}`);
-  if (prepared.filteredDomains.length) {
-    writeHumanLine(
-      deps,
-      `  Domain filters: ${prepared.filteredDomains.join(", ")}`
-    );
-  } else {
-    writeHumanLine(deps, "  Domain scope: all domains");
-  }
-  return 0;
-}
-async function runOpensteerProfileCli(rawArgs, overrideDeps = {}) {
-  const deps = {
-    ...createDefaultDeps(),
-    ...overrideDeps
-  };
-  const parsed = parseOpensteerProfileArgs(rawArgs);
-  if (parsed.mode === "help") {
-    printProfileHelp(deps);
-    return 0;
-  }
-  if (parsed.mode === "error") {
-    deps.writeStderr(`${parsed.error}
-`);
-    deps.writeStderr('Run "opensteer profile --help" for usage.\n');
-    return 1;
-  }
-  try {
-    if (parsed.mode === "list") {
-      return await runList(parsed.args, deps);
-    }
-    if (parsed.mode === "create") {
-      return await runCreate(parsed.args, deps);
-    }
-    return await runSync(parsed.args, deps);
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Profile command failed.";
-    deps.writeStderr(`${message}
-`);
-    return 1;
-  }
-}
-export {
-  parseOpensteerProfileArgs,
-  runOpensteerProfileCli
-};