opensteer 0.6.2 → 0.6.3

package/dist/{chunk-F2VDVOJO.js → chunk-3OMXCBPD.js}

@@ -11,8 +11,9 @@ import {
   resolveCloudSelection,
   resolveConfigWithEnv,
   resolveNamespace,
-  resolveNamespaceDir
-} from "./chunk-WDRMHPWL.js";
+  resolveNamespaceDir,
+  selectCloudCredential
+} from "./chunk-KE35RQOJ.js";
 import {
   flattenExtractionDataToFieldPlan
 } from "./chunk-3H5RRIMZ.js";
@@ -10081,30 +10082,20 @@ var Opensteer = class _Opensteer {
     this.pool = new BrowserPool(resolved.browser || {});
     if (cloudSelection.cloud) {
       const cloudConfig = resolved.cloud && typeof resolved.cloud === "object" ? resolved.cloud : void 0;
-      const apiKey = cloudConfig?.apiKey?.trim();
-      const accessToken = cloudConfig?.accessToken?.trim();
-      if (apiKey && accessToken) {
-        throw new Error(
-          "Cloud mode cannot use both cloud.apiKey and cloud.accessToken. Set only one credential."
-        );
-      }
-      let credential = "";
-      let authScheme = cloudConfig?.authScheme ?? "api-key";
-      if (accessToken) {
-        credential = accessToken;
-        authScheme = "bearer";
-      } else if (apiKey) {
-        credential = apiKey;
-      }
+      const credential = selectCloudCredential({
+        apiKey: cloudConfig?.apiKey,
+        accessToken: cloudConfig?.accessToken,
+        authScheme: cloudConfig?.authScheme
+      });
       if (!credential) {
         throw new Error(
           "Cloud mode requires credentials via cloud.apiKey/cloud.accessToken or OPENSTEER_API_KEY/OPENSTEER_ACCESS_TOKEN."
         );
       }
       this.cloud = createCloudRuntimeState(
-        credential,
+        credential.token,
         cloudConfig?.baseUrl,
-        authScheme
+        credential.authScheme
       );
     } else {
       this.cloud = null;

package/dist/{chunk-WJI7TGBQ.js → chunk-FTKWQ6X3.js}

@@ -2,7 +2,7 @@ import {
   cloudAuthHeaders,
   normalizeCloudBaseUrl,
   parseCloudHttpError
-} from "./chunk-WDRMHPWL.js";
+} from "./chunk-KE35RQOJ.js";
 
 // src/cloud/browser-profile-client.ts
 var BrowserProfileClient = class {

package/dist/{chunk-WDRMHPWL.js → chunk-KE35RQOJ.js}

@@ -261,6 +261,67 @@ import fs from "fs";
 import path2 from "path";
 import { fileURLToPath } from "url";
 import { parse as parseDotenv } from "dotenv";
+
+// src/cloud/credential-selection.ts
+function selectCloudCredential(options) {
+  const apiKey = normalizeNonEmptyString(options.apiKey);
+  const accessToken = normalizeNonEmptyString(options.accessToken);
+  if (apiKey) {
+    if (options.authScheme === "bearer") {
+      return {
+        apiKey,
+        authScheme: "bearer",
+        kind: "access-token",
+        token: apiKey,
+        compatibilityBearerApiKey: true
+      };
+    }
+    return {
+      apiKey,
+      authScheme: "api-key",
+      kind: "api-key",
+      token: apiKey
+    };
+  }
+  if (accessToken) {
+    return {
+      accessToken,
+      authScheme: "bearer",
+      kind: "access-token",
+      token: accessToken
+    };
+  }
+  return null;
+}
+function selectCloudCredentialByPrecedence(layers, authScheme) {
+  for (const layer of layers) {
+    const hasApiKey = layer.hasApiKey ?? Object.prototype.hasOwnProperty.call(layer, "apiKey");
+    const hasAccessToken = layer.hasAccessToken ?? Object.prototype.hasOwnProperty.call(layer, "accessToken");
+    if (!hasApiKey && !hasAccessToken) {
+      continue;
+    }
+    return {
+      source: layer.source,
+      apiKey: layer.apiKey,
+      accessToken: layer.accessToken,
+      hasApiKey,
+      hasAccessToken,
+      credential: selectCloudCredential({
+        apiKey: layer.apiKey,
+        accessToken: layer.accessToken,
+        authScheme: layer.authScheme ?? authScheme
+      })
+    };
+  }
+  return null;
+}
+function normalizeNonEmptyString(value) {
+  if (typeof value !== "string") return void 0;
+  const normalized = value.trim();
+  return normalized.length ? normalized : void 0;
+}
+
+// src/config.ts
 var DEFAULT_CONFIG = {
   browser: {
     headless: false,
@@ -552,11 +613,6 @@ function normalizeCloudOptions(value) {
   }
   return value;
 }
-function normalizeNonEmptyString(value) {
-  if (typeof value !== "string") return void 0;
-  const normalized = value.trim();
-  return normalized.length ? normalized : void 0;
-}
 function parseCloudEnabled(value, source) {
   if (value == null) return void 0;
   if (typeof value === "boolean") return value;
@@ -565,6 +621,18 @@ function parseCloudEnabled(value, source) {
     `Invalid ${source} value "${String(value)}". Use true, false, or a cloud options object.`
   );
 }
+function resolveCloudCredentialFields(selectedLayer) {
+  const credential = selectedLayer?.credential;
+  if (!credential) return {};
+  if (credential.kind === "api-key" || credential.compatibilityBearerApiKey === true && selectedLayer?.source !== "env") {
+    return {
+      apiKey: credential.token
+    };
+  }
+  return {
+    accessToken: credential.token
+  };
+}
 function resolveCloudSelection(config, env = process.env) {
   const configCloud = parseCloudEnabled(config.cloud, "cloud");
   if (configCloud !== void 0) {
@@ -601,6 +669,9 @@ function resolveConfigWithEnv(input = {}, options = {}) {
   });
   assertNoLegacyAiConfig(".opensteer/config.json", fileConfig);
   assertNoLegacyRuntimeConfig(".opensteer/config.json", fileConfig);
+  const fileCloudOptions = normalizeCloudOptions(fileConfig.cloud);
+  const fileHasCloudApiKey = hasOwn(fileCloudOptions, "apiKey");
+  const fileHasCloudAccessToken = hasOwn(fileCloudOptions, "accessToken");
   const fileRootDir = typeof fileConfig.storage?.rootDir === "string" ? fileConfig.storage.rootDir : void 0;
   const envRootDir = input.storage?.rootDir ?? fileRootDir ?? initialRootDir;
   const env = resolveEnv(envRootDir, {
@@ -639,13 +710,6 @@ function resolveConfigWithEnv(input = {}, options = {}) {
   const envAccessTokenRaw = resolveOpensteerAccessToken(env);
   const envBaseUrl = resolveOpensteerBaseUrl(env);
   const envAuthScheme = resolveOpensteerAuthScheme(env);
-  if (envApiKey && envAccessTokenRaw) {
-    throw new Error(
-      "OPENSTEER_API_KEY and OPENSTEER_ACCESS_TOKEN are mutually exclusive. Set only one."
-    );
-  }
-  const envAccessToken = envAccessTokenRaw || (envAuthScheme === "bearer" ? envApiKey : void 0);
-  const envApiCredential = envAuthScheme === "bearer" && !envAccessTokenRaw ? void 0 : envApiKey;
   const envCloudProfileId = resolveOpensteerCloudProfileId(env);
   const envCloudProfileReuseIfActive = resolveOpensteerCloudProfileReuseIfActive(env);
   const envCloudAnnounce = parseCloudAnnounce(
@@ -674,11 +738,6 @@ function resolveConfigWithEnv(input = {}, options = {}) {
   const inputHasCloudBaseUrl = Boolean(
     inputCloudOptions && Object.prototype.hasOwnProperty.call(inputCloudOptions, "baseUrl")
   );
-  if (normalizeNonEmptyString(inputCloudOptions?.apiKey) && normalizeNonEmptyString(inputCloudOptions?.accessToken)) {
-    throw new Error(
-      "cloud.apiKey and cloud.accessToken are mutually exclusive. Set only one."
-    );
-  }
   const cloudSelection = resolveCloudSelection({
     cloud: resolved.cloud
   }, env);
@@ -689,11 +748,6 @@ function resolveConfigWithEnv(input = {}, options = {}) {
       accessToken: resolvedCloudAccessTokenRaw,
       ...resolvedCloudRest
     } = resolvedCloud;
-    if (normalizeNonEmptyString(resolvedCloudApiKeyRaw) && normalizeNonEmptyString(resolvedCloudAccessTokenRaw)) {
-      throw new Error(
-        "Cloud config cannot include both apiKey and accessToken at the same time."
-      );
-    }
     const resolvedCloudBrowserProfile = normalizeCloudBrowserProfileOptions(
       resolvedCloud.browserProfile,
       "resolved.cloud.browserProfile"
@@ -705,25 +759,40 @@ function resolveConfigWithEnv(input = {}, options = {}) {
     const browserProfile = inputCloudBrowserProfile ?? envCloudBrowserProfile ?? resolvedCloudBrowserProfile;
     let authScheme = inputAuthScheme ?? envAuthScheme ?? parseAuthScheme(resolvedCloud.authScheme, "cloud.authScheme") ?? "api-key";
     const announce = inputCloudAnnounce ?? envCloudAnnounce ?? parseCloudAnnounce(resolvedCloud.announce, "cloud.announce") ?? "always";
-    const credentialOverriddenByInput = inputHasCloudApiKey || inputHasCloudAccessToken;
-    let apiKey = normalizeNonEmptyString(resolvedCloudApiKeyRaw);
-    let accessToken = normalizeNonEmptyString(resolvedCloudAccessTokenRaw);
-    if (!credentialOverriddenByInput) {
-      if (envAccessToken) {
-        accessToken = envAccessToken;
-        apiKey = void 0;
-      } else if (envApiCredential) {
-        apiKey = envApiCredential;
-        accessToken = void 0;
-      }
-    }
+    const selectedCredentialLayer = selectCloudCredentialByPrecedence(
+      [
+        {
+          source: "input",
+          apiKey: inputCloudOptions?.apiKey,
+          accessToken: inputCloudOptions?.accessToken,
+          hasApiKey: inputHasCloudApiKey,
+          hasAccessToken: inputHasCloudAccessToken
+        },
+        {
+          source: "env",
+          apiKey: envApiKey,
+          accessToken: envAccessTokenRaw,
+          hasApiKey: envApiKey !== void 0,
+          hasAccessToken: envAccessTokenRaw !== void 0
+        },
+        {
+          source: "file",
+          apiKey: fileCloudOptions?.apiKey,
+          accessToken: fileCloudOptions?.accessToken,
+          hasApiKey: fileHasCloudApiKey,
+          hasAccessToken: fileHasCloudAccessToken
+        }
+      ],
+      authScheme
+    );
+    const { apiKey, accessToken } = resolveCloudCredentialFields(selectedCredentialLayer);
     if (accessToken) {
       authScheme = "bearer";
     }
     resolved.cloud = {
       ...resolvedCloudRest,
-      ...inputHasCloudApiKey ? { apiKey: resolvedCloudApiKeyRaw } : apiKey ? { apiKey } : {},
-      ...inputHasCloudAccessToken ? { accessToken: resolvedCloudAccessTokenRaw } : accessToken ? { accessToken } : {},
+      ...apiKey ? { apiKey } : selectedCredentialLayer?.hasApiKey && !accessToken ? { apiKey: selectedCredentialLayer.apiKey } : {},
+      ...accessToken ? { accessToken } : selectedCredentialLayer?.hasAccessToken && !apiKey ? { accessToken: selectedCredentialLayer.accessToken } : {},
       authScheme,
       announce,
       ...browserProfile ? { browserProfile } : {}
@@ -1300,6 +1369,7 @@ export {
   createKeychainStore,
   extractErrorMessage,
   normalizeError,
+  selectCloudCredential,
   normalizeNamespace,
   resolveNamespaceDir,
   resolveCloudSelection,

package/dist/{chunk-7RMY26CM.js → chunk-SCNX4NN3.js}

@@ -4,67 +4,30 @@ import {
   normalizeCloudBaseUrl,
   resolveCloudSelection,
   resolveConfigWithEnv,
+  selectCloudCredential,
   stripTrailingSlashes
-} from "./chunk-WDRMHPWL.js";
+} from "./chunk-KE35RQOJ.js";
 
 // src/cli/auth.ts
 import open from "open";
 
 // src/auth/credential-resolver.ts
 function resolveCloudCredential(options) {
-  const flagApiKey = normalizeToken(options.apiKeyFlag);
-  const flagAccessToken = normalizeToken(options.accessTokenFlag);
-  if (flagApiKey && flagAccessToken) {
-    throw new Error("--api-key and --access-token are mutually exclusive.");
-  }
-  if (flagAccessToken) {
-    return {
-      kind: "access-token",
-      source: "flag",
-      token: flagAccessToken,
-      authScheme: "bearer"
-    };
-  }
-  if (flagApiKey) {
-    return {
-      kind: "api-key",
-      source: "flag",
-      token: flagApiKey,
-      authScheme: "api-key"
-    };
+  const flagCredential = selectCloudCredential({
+    apiKey: options.apiKeyFlag,
+    accessToken: options.accessTokenFlag
+  });
+  if (flagCredential) {
+    return toResolvedCloudCredential("flag", flagCredential);
   }
   const envAuthScheme = parseEnvAuthScheme(options.env.OPENSTEER_AUTH_SCHEME);
-  const envApiKey = normalizeToken(options.env.OPENSTEER_API_KEY);
-  const envAccessToken = normalizeToken(options.env.OPENSTEER_ACCESS_TOKEN);
-  if (envApiKey && envAccessToken) {
-    throw new Error(
-      "OPENSTEER_API_KEY and OPENSTEER_ACCESS_TOKEN are mutually exclusive. Set only one."
-    );
-  }
-  if (envAccessToken) {
-    return {
-      kind: "access-token",
-      source: "env",
-      token: envAccessToken,
-      authScheme: "bearer"
-    };
-  }
-  if (envApiKey) {
-    if (envAuthScheme === "bearer") {
-      return {
-        kind: "access-token",
-        source: "env",
-        token: envApiKey,
-        authScheme: "bearer",
-        compatibilityBearerApiKey: true
-      };
-    }
-    return {
-      kind: "api-key",
-      source: "env",
-      token: envApiKey,
-      authScheme: envAuthScheme ?? "api-key"
-    };
+  const envCredential = selectCloudCredential({
+    apiKey: options.env.OPENSTEER_API_KEY,
+    accessToken: options.env.OPENSTEER_ACCESS_TOKEN,
+    authScheme: envAuthScheme
+  });
+  if (envCredential) {
+    return toResolvedCloudCredential("env", envCredential);
   }
   return null;
 }
@@ -94,6 +57,23 @@ function normalizeToken(value) {
   const normalized = value.trim();
   return normalized.length ? normalized : void 0;
 }
+function toResolvedCloudCredential(source, credential) {
+  if (credential.compatibilityBearerApiKey) {
+    return {
+      kind: credential.kind,
+      source,
+      token: credential.token,
+      authScheme: credential.authScheme,
+      compatibilityBearerApiKey: true
+    };
+  }
+  return {
+    kind: credential.kind,
+    source,
+    token: credential.token,
+    authScheme: credential.authScheme
+  };
+}
 
 // src/auth/machine-credential-store.ts
 import { createHash } from "crypto";
@@ -1025,8 +1005,6 @@ async function runLogin(args, deps) {
     return 0;
   }
   writeHumanLine(deps, "Opensteer CLI login successful.");
-  writeHumanLine(deps, `  API Base URL: ${baseUrl}`);
-  writeHumanLine(deps, `  Expires At: ${new Date(login.expiresAt).toISOString()}`);
   return 0;
 }
 async function runStatus(args, deps) {

package/dist/cli/auth.cjs

@@ -94,6 +94,65 @@ function toNonEmptyString(value) {
   return normalized.length ? normalized : void 0;
 }
 
+// src/cloud/credential-selection.ts
+function selectCloudCredential(options) {
+  const apiKey = normalizeNonEmptyString(options.apiKey);
+  const accessToken = normalizeNonEmptyString(options.accessToken);
+  if (apiKey) {
+    if (options.authScheme === "bearer") {
+      return {
+        apiKey,
+        authScheme: "bearer",
+        kind: "access-token",
+        token: apiKey,
+        compatibilityBearerApiKey: true
+      };
+    }
+    return {
+      apiKey,
+      authScheme: "api-key",
+      kind: "api-key",
+      token: apiKey
+    };
+  }
+  if (accessToken) {
+    return {
+      accessToken,
+      authScheme: "bearer",
+      kind: "access-token",
+      token: accessToken
+    };
+  }
+  return null;
+}
+function selectCloudCredentialByPrecedence(layers, authScheme) {
+  for (const layer of layers) {
+    const hasApiKey = layer.hasApiKey ?? Object.prototype.hasOwnProperty.call(layer, "apiKey");
+    const hasAccessToken = layer.hasAccessToken ?? Object.prototype.hasOwnProperty.call(layer, "accessToken");
+    if (!hasApiKey && !hasAccessToken) {
+      continue;
+    }
+    return {
+      source: layer.source,
+      apiKey: layer.apiKey,
+      accessToken: layer.accessToken,
+      hasApiKey,
+      hasAccessToken,
+      credential: selectCloudCredential({
+        apiKey: layer.apiKey,
+        accessToken: layer.accessToken,
+        authScheme: layer.authScheme ?? authScheme
+      })
+    };
+  }
+  return null;
+}
+function normalizeNonEmptyString(value) {
+  if (typeof value !== "string") return void 0;
+  const normalized = value.trim();
+  return normalized.length ? normalized : void 0;
+}
+
 // src/config.ts
 var DEFAULT_CONFIG = {
   browser: {
@@ -386,11 +445,6 @@ function normalizeCloudOptions(value) {
   }
   return value;
 }
-function normalizeNonEmptyString(value) {
-  if (typeof value !== "string") return void 0;
-  const normalized = value.trim();
-  return normalized.length ? normalized : void 0;
-}
 function parseCloudEnabled(value, source) {
   if (value == null) return void 0;
   if (typeof value === "boolean") return value;
@@ -399,6 +453,18 @@ function parseCloudEnabled(value, source) {
     `Invalid ${source} value "${String(value)}". Use true, false, or a cloud options object.`
   );
 }
+function resolveCloudCredentialFields(selectedLayer) {
+  const credential = selectedLayer?.credential;
+  if (!credential) return {};
+  if (credential.kind === "api-key" || credential.compatibilityBearerApiKey === true && selectedLayer?.source !== "env") {
+    return {
+      apiKey: credential.token
+    };
+  }
+  return {
+    accessToken: credential.token
+  };
+}
 function resolveCloudSelection(config, env = process.env) {
   const configCloud = parseCloudEnabled(config.cloud, "cloud");
   if (configCloud !== void 0) {
@@ -435,6 +501,9 @@ function resolveConfigWithEnv(input = {}, options = {}) {
   });
   assertNoLegacyAiConfig(".opensteer/config.json", fileConfig);
   assertNoLegacyRuntimeConfig(".opensteer/config.json", fileConfig);
+  const fileCloudOptions = normalizeCloudOptions(fileConfig.cloud);
+  const fileHasCloudApiKey = hasOwn(fileCloudOptions, "apiKey");
+  const fileHasCloudAccessToken = hasOwn(fileCloudOptions, "accessToken");
   const fileRootDir = typeof fileConfig.storage?.rootDir === "string" ? fileConfig.storage.rootDir : void 0;
   const envRootDir = input.storage?.rootDir ?? fileRootDir ?? initialRootDir;
   const env = resolveEnv(envRootDir, {
@@ -473,13 +542,6 @@ function resolveConfigWithEnv(input = {}, options = {}) {
   const envAccessTokenRaw = resolveOpensteerAccessToken(env);
   const envBaseUrl = resolveOpensteerBaseUrl(env);
   const envAuthScheme = resolveOpensteerAuthScheme(env);
-  if (envApiKey && envAccessTokenRaw) {
-    throw new Error(
-      "OPENSTEER_API_KEY and OPENSTEER_ACCESS_TOKEN are mutually exclusive. Set only one."
-    );
-  }
-  const envAccessToken = envAccessTokenRaw || (envAuthScheme === "bearer" ? envApiKey : void 0);
-  const envApiCredential = envAuthScheme === "bearer" && !envAccessTokenRaw ? void 0 : envApiKey;
   const envCloudProfileId = resolveOpensteerCloudProfileId(env);
   const envCloudProfileReuseIfActive = resolveOpensteerCloudProfileReuseIfActive(env);
   const envCloudAnnounce = parseCloudAnnounce(
@@ -508,11 +570,6 @@ function resolveConfigWithEnv(input = {}, options = {}) {
   const inputHasCloudBaseUrl = Boolean(
     inputCloudOptions && Object.prototype.hasOwnProperty.call(inputCloudOptions, "baseUrl")
   );
-  if (normalizeNonEmptyString(inputCloudOptions?.apiKey) && normalizeNonEmptyString(inputCloudOptions?.accessToken)) {
-    throw new Error(
-      "cloud.apiKey and cloud.accessToken are mutually exclusive. Set only one."
-    );
-  }
   const cloudSelection = resolveCloudSelection({
     cloud: resolved.cloud
   }, env);
@@ -523,11 +580,6 @@ function resolveConfigWithEnv(input = {}, options = {}) {
       accessToken: resolvedCloudAccessTokenRaw,
       ...resolvedCloudRest
     } = resolvedCloud;
-    if (normalizeNonEmptyString(resolvedCloudApiKeyRaw) && normalizeNonEmptyString(resolvedCloudAccessTokenRaw)) {
-      throw new Error(
-        "Cloud config cannot include both apiKey and accessToken at the same time."
-      );
-    }
     const resolvedCloudBrowserProfile = normalizeCloudBrowserProfileOptions(
       resolvedCloud.browserProfile,
       "resolved.cloud.browserProfile"
@@ -539,25 +591,40 @@ function resolveConfigWithEnv(input = {}, options = {}) {
     const browserProfile = inputCloudBrowserProfile ?? envCloudBrowserProfile ?? resolvedCloudBrowserProfile;
     let authScheme = inputAuthScheme ?? envAuthScheme ?? parseAuthScheme(resolvedCloud.authScheme, "cloud.authScheme") ?? "api-key";
     const announce = inputCloudAnnounce ?? envCloudAnnounce ?? parseCloudAnnounce(resolvedCloud.announce, "cloud.announce") ?? "always";
-    const credentialOverriddenByInput = inputHasCloudApiKey || inputHasCloudAccessToken;
-    let apiKey = normalizeNonEmptyString(resolvedCloudApiKeyRaw);
-    let accessToken = normalizeNonEmptyString(resolvedCloudAccessTokenRaw);
-    if (!credentialOverriddenByInput) {
-      if (envAccessToken) {
-        accessToken = envAccessToken;
-        apiKey = void 0;
-      } else if (envApiCredential) {
-        apiKey = envApiCredential;
-        accessToken = void 0;
-      }
-    }
+    const selectedCredentialLayer = selectCloudCredentialByPrecedence(
+      [
+        {
+          source: "input",
+          apiKey: inputCloudOptions?.apiKey,
+          accessToken: inputCloudOptions?.accessToken,
+          hasApiKey: inputHasCloudApiKey,
+          hasAccessToken: inputHasCloudAccessToken
+        },
+        {
+          source: "env",
+          apiKey: envApiKey,
+          accessToken: envAccessTokenRaw,
+          hasApiKey: envApiKey !== void 0,
+          hasAccessToken: envAccessTokenRaw !== void 0
+        },
+        {
+          source: "file",
+          apiKey: fileCloudOptions?.apiKey,
+          accessToken: fileCloudOptions?.accessToken,
+          hasApiKey: fileHasCloudApiKey,
+          hasAccessToken: fileHasCloudAccessToken
+        }
+      ],
+      authScheme
+    );
+    const { apiKey, accessToken } = resolveCloudCredentialFields(selectedCredentialLayer);
     if (accessToken) {
       authScheme = "bearer";
     }
     resolved.cloud = {
       ...resolvedCloudRest,
-      ...inputHasCloudApiKey ? { apiKey: resolvedCloudApiKeyRaw } : apiKey ? { apiKey } : {},
-      ...inputHasCloudAccessToken ? { accessToken: resolvedCloudAccessTokenRaw } : accessToken ? { accessToken } : {},
+      ...apiKey ? { apiKey } : selectedCredentialLayer?.hasApiKey && !accessToken ? { apiKey: selectedCredentialLayer.apiKey } : {},
+      ...accessToken ? { accessToken } : selectedCredentialLayer?.hasAccessToken && !apiKey ? { accessToken: selectedCredentialLayer.accessToken } : {},
       authScheme,
       announce,
       ...browserProfile ? { browserProfile } : {}
@@ -577,59 +644,21 @@ function resolveConfigWithEnv(input = {}, options = {}) {
 
 // src/auth/credential-resolver.ts
 function resolveCloudCredential(options) {
-  const flagApiKey = normalizeToken(options.apiKeyFlag);
-  const flagAccessToken = normalizeToken(options.accessTokenFlag);
-  if (flagApiKey && flagAccessToken) {
-    throw new Error("--api-key and --access-token are mutually exclusive.");
-  }
-  if (flagAccessToken) {
-    return {
-      kind: "access-token",
-      source: "flag",
-      token: flagAccessToken,
-      authScheme: "bearer"
-    };
-  }
-  if (flagApiKey) {
-    return {
-      kind: "api-key",
-      source: "flag",
-      token: flagApiKey,
-      authScheme: "api-key"
-    };
+  const flagCredential = selectCloudCredential({
+    apiKey: options.apiKeyFlag,
+    accessToken: options.accessTokenFlag
+  });
+  if (flagCredential) {
+    return toResolvedCloudCredential("flag", flagCredential);
   }
   const envAuthScheme = parseEnvAuthScheme(options.env.OPENSTEER_AUTH_SCHEME);
-  const envApiKey = normalizeToken(options.env.OPENSTEER_API_KEY);
-  const envAccessToken = normalizeToken(options.env.OPENSTEER_ACCESS_TOKEN);
-  if (envApiKey && envAccessToken) {
-    throw new Error(
-      "OPENSTEER_API_KEY and OPENSTEER_ACCESS_TOKEN are mutually exclusive. Set only one."
-    );
-  }
-  if (envAccessToken) {
-    return {
-      kind: "access-token",
-      source: "env",
-      token: envAccessToken,
-      authScheme: "bearer"
-    };
-  }
-  if (envApiKey) {
-    if (envAuthScheme === "bearer") {
-      return {
-        kind: "access-token",
-        source: "env",
-        token: envApiKey,
-        authScheme: "bearer",
-        compatibilityBearerApiKey: true
-      };
-    }
-    return {
-      kind: "api-key",
-      source: "env",
-      token: envApiKey,
-      authScheme: envAuthScheme ?? "api-key"
-    };
+  const envCredential = selectCloudCredential({
+    apiKey: options.env.OPENSTEER_API_KEY,
+    accessToken: options.env.OPENSTEER_ACCESS_TOKEN,
+    authScheme: envAuthScheme
+  });
+  if (envCredential) {
+    return toResolvedCloudCredential("env", envCredential);
   }
   return null;
 }
@@ -659,6 +688,23 @@ function normalizeToken(value) {
   const normalized = value.trim();
   return normalized.length ? normalized : void 0;
 }
+function toResolvedCloudCredential(source, credential) {
+  if (credential.compatibilityBearerApiKey) {
+    return {
+      kind: credential.kind,
+      source,
+      token: credential.token,
+      authScheme: credential.authScheme,
+      compatibilityBearerApiKey: true
+    };
+  }
+  return {
+    kind: credential.kind,
+    source,
+    token: credential.token,
+    authScheme: credential.authScheme
+  };
+}
 
 // src/auth/machine-credential-store.ts
 var import_node_crypto = require("crypto");
@@ -1729,8 +1775,6 @@ async function runLogin(args, deps) {
     return 0;
   }
   writeHumanLine(deps, "Opensteer CLI login successful.");
-  writeHumanLine(deps, `  API Base URL: ${baseUrl}`);
-  writeHumanLine(deps, `  Expires At: ${new Date(login.expiresAt).toISOString()}`);
   return 0;
 }
 async function runStatus(args, deps) {