opensteer 0.6.2 → 0.6.4

package/dist/cli/profile.cjs

@@ -424,8 +424,8 @@ __export(profile_exports, {
   runOpensteerProfileCli: () => runOpensteerProfileCli
 });
 module.exports = __toCommonJS(profile_exports);
-var import_node_path3 = __toESM(require("path"), 1);
-var import_promises3 = require("readline/promises");
+var import_node_path4 = __toESM(require("path"), 1);
+var import_promises4 = require("readline/promises");
 
 // src/config.ts
 var import_fs = __toESM(require("fs"), 1);
@@ -659,6 +659,65 @@ function toJsonSafeValue(value, seen) {
   return void 0;
 }
 
+// src/cloud/credential-selection.ts
+function selectCloudCredential(options) {
+  const apiKey = normalizeNonEmptyString(options.apiKey);
+  const accessToken = normalizeNonEmptyString(options.accessToken);
+  if (apiKey) {
+    if (options.authScheme === "bearer") {
+      return {
+        apiKey,
+        authScheme: "bearer",
+        kind: "access-token",
+        token: apiKey,
+        compatibilityBearerApiKey: true
+      };
+    }
+    return {
+      apiKey,
+      authScheme: "api-key",
+      kind: "api-key",
+      token: apiKey
+    };
+  }
+  if (accessToken) {
+    return {
+      accessToken,
+      authScheme: "bearer",
+      kind: "access-token",
+      token: accessToken
+    };
+  }
+  return null;
+}
+function selectCloudCredentialByPrecedence(layers, authScheme) {
+  for (const layer of layers) {
+    const hasApiKey = layer.hasApiKey ?? Object.prototype.hasOwnProperty.call(layer, "apiKey");
+    const hasAccessToken = layer.hasAccessToken ?? Object.prototype.hasOwnProperty.call(layer, "accessToken");
+    if (!hasApiKey && !hasAccessToken) {
+      continue;
+    }
+    return {
+      source: layer.source,
+      apiKey: layer.apiKey,
+      accessToken: layer.accessToken,
+      hasApiKey,
+      hasAccessToken,
+      credential: selectCloudCredential({
+        apiKey: layer.apiKey,
+        accessToken: layer.accessToken,
+        authScheme: layer.authScheme ?? authScheme
+      })
+    };
+  }
+  return null;
+}
+function normalizeNonEmptyString(value) {
+  if (typeof value !== "string") return void 0;
+  const normalized = value.trim();
+  return normalized.length ? normalized : void 0;
+}
+
 // src/storage/namespace.ts
 var import_path = __toESM(require("path"), 1);
 var DEFAULT_NAMESPACE = "default";
@@ -697,9 +756,10 @@ var DEFAULT_CONFIG = {
     headless: false,
     executablePath: void 0,
     slowMo: 0,
-    connectUrl: void 0,
-    channel: void 0,
-    profileDir: void 0
+    mode: void 0,
+    cdpUrl: void 0,
+    userDataDir: void 0,
+    profileDirectory: void 0
   },
   storage: {
     rootDir: process.cwd()
@@ -983,11 +1043,6 @@ function normalizeCloudOptions(value) {
   }
   return value;
 }
-function normalizeNonEmptyString(value) {
-  if (typeof value !== "string") return void 0;
-  const normalized = value.trim();
-  return normalized.length ? normalized : void 0;
-}
 function parseCloudEnabled(value, source) {
   if (value == null) return void 0;
   if (typeof value === "boolean") return value;
@@ -996,6 +1051,18 @@ function parseCloudEnabled(value, source) {
     `Invalid ${source} value "${String(value)}". Use true, false, or a cloud options object.`
   );
 }
+function resolveCloudCredentialFields(selectedLayer) {
+  const credential = selectedLayer?.credential;
+  if (!credential) return {};
+  if (credential.kind === "api-key" || credential.compatibilityBearerApiKey === true && selectedLayer?.source !== "env") {
+    return {
+      apiKey: credential.token
+    };
+  }
+  return {
+    accessToken: credential.token
+  };
+}
 function resolveCloudSelection(config, env = process.env) {
   const configCloud = parseCloudEnabled(config.cloud, "cloud");
   if (configCloud !== void 0) {
@@ -1032,7 +1099,12 @@ function resolveConfigWithEnv(input = {}, options = {}) {
   });
   assertNoLegacyAiConfig(".opensteer/config.json", fileConfig);
   assertNoLegacyRuntimeConfig(".opensteer/config.json", fileConfig);
+  const fileCloudOptions = normalizeCloudOptions(fileConfig.cloud);
+  const fileHasCloudApiKey = hasOwn(fileCloudOptions, "apiKey");
+  const fileHasCloudAccessToken = hasOwn(fileCloudOptions, "accessToken");
   const fileRootDir = typeof fileConfig.storage?.rootDir === "string" ? fileConfig.storage.rootDir : void 0;
+  assertNoRemovedBrowserConfig(input.browser, "Opensteer constructor config");
+  assertNoRemovedBrowserConfig(fileConfig.browser, ".opensteer/config.json");
   const envRootDir = input.storage?.rootDir ?? fileRootDir ?? initialRootDir;
   const env = resolveEnv(envRootDir, {
     debug: debugHint,
@@ -1048,14 +1120,30 @@ function resolveConfigWithEnv(input = {}, options = {}) {
       "OPENSTEER_RUNTIME is no longer supported. Use OPENSTEER_MODE instead."
     );
   }
+  if (env.OPENSTEER_CONNECT_URL != null) {
+    throw new Error(
+      "OPENSTEER_CONNECT_URL is no longer supported. Use OPENSTEER_CDP_URL instead."
+    );
+  }
+  if (env.OPENSTEER_CHANNEL != null) {
+    throw new Error(
+      "OPENSTEER_CHANNEL is no longer supported. Use OPENSTEER_BROWSER plus OPENSTEER_BROWSER_PATH when needed."
+    );
+  }
+  if (env.OPENSTEER_PROFILE_DIR != null) {
+    throw new Error(
+      "OPENSTEER_PROFILE_DIR is no longer supported. Use OPENSTEER_USER_DATA_DIR and OPENSTEER_PROFILE_DIRECTORY instead."
+    );
+  }
   const envConfig = {
     browser: {
       headless: parseBool(env.OPENSTEER_HEADLESS),
       executablePath: env.OPENSTEER_BROWSER_PATH || void 0,
       slowMo: parseNumber(env.OPENSTEER_SLOW_MO),
-      connectUrl: env.OPENSTEER_CONNECT_URL || void 0,
-      channel: env.OPENSTEER_CHANNEL || void 0,
-      profileDir: env.OPENSTEER_PROFILE_DIR || void 0
+      mode: env.OPENSTEER_BROWSER === "real" || env.OPENSTEER_BROWSER === "chromium" ? env.OPENSTEER_BROWSER : void 0,
+      cdpUrl: env.OPENSTEER_CDP_URL || void 0,
+      userDataDir: env.OPENSTEER_USER_DATA_DIR || void 0,
+      profileDirectory: env.OPENSTEER_PROFILE_DIRECTORY || void 0
     },
     cursor: {
       enabled: parseBool(env.OPENSTEER_CURSOR)
@@ -1066,17 +1154,38 @@ function resolveConfigWithEnv(input = {}, options = {}) {
   const mergedWithFile = mergeDeep(runtimeDefaults, fileConfig);
   const mergedWithEnv = mergeDeep(mergedWithFile, envConfig);
   const resolved = mergeDeep(mergedWithEnv, input);
+  const browserHeadlessExplicit = input.browser?.headless !== void 0 || fileConfig.browser?.headless !== void 0 || envConfig.browser?.headless !== void 0;
+  if (!browserHeadlessExplicit && resolved.browser?.mode === "real") {
+    resolved.browser = {
+      ...resolved.browser,
+      headless: true
+    };
+  }
+  function assertNoRemovedBrowserConfig(value, source) {
+    if (!value || typeof value !== "object" || Array.isArray(value)) {
+      return;
+    }
+    const record = value;
+    if (record.connectUrl !== void 0) {
+      throw new Error(
+        `${source}.browser.connectUrl is no longer supported. Use browser.cdpUrl instead.`
+      );
+    }
+    if (record.channel !== void 0) {
+      throw new Error(
+        `${source}.browser.channel is no longer supported. Use browser.mode plus browser.executablePath instead.`
+      );
+    }
+    if (record.profileDir !== void 0) {
+      throw new Error(
+        `${source}.browser.profileDir is no longer supported. Use browser.userDataDir and browser.profileDirectory instead.`
+      );
+    }
+  }
   const envApiKey = resolveOpensteerApiKey(env);
   const envAccessTokenRaw = resolveOpensteerAccessToken(env);
   const envBaseUrl = resolveOpensteerBaseUrl(env);
   const envAuthScheme = resolveOpensteerAuthScheme(env);
-  if (envApiKey && envAccessTokenRaw) {
-    throw new Error(
-      "OPENSTEER_API_KEY and OPENSTEER_ACCESS_TOKEN are mutually exclusive. Set only one."
-    );
-  }
-  const envAccessToken = envAccessTokenRaw || (envAuthScheme === "bearer" ? envApiKey : void 0);
-  const envApiCredential = envAuthScheme === "bearer" && !envAccessTokenRaw ? void 0 : envApiKey;
   const envCloudProfileId = resolveOpensteerCloudProfileId(env);
   const envCloudProfileReuseIfActive = resolveOpensteerCloudProfileReuseIfActive(env);
   const envCloudAnnounce = parseCloudAnnounce(
@@ -1105,11 +1214,6 @@ function resolveConfigWithEnv(input = {}, options = {}) {
   const inputHasCloudBaseUrl = Boolean(
     inputCloudOptions && Object.prototype.hasOwnProperty.call(inputCloudOptions, "baseUrl")
   );
-  if (normalizeNonEmptyString(inputCloudOptions?.apiKey) && normalizeNonEmptyString(inputCloudOptions?.accessToken)) {
-    throw new Error(
-      "cloud.apiKey and cloud.accessToken are mutually exclusive. Set only one."
-    );
-  }
   const cloudSelection = resolveCloudSelection({
     cloud: resolved.cloud
   }, env);
@@ -1120,11 +1224,6 @@ function resolveConfigWithEnv(input = {}, options = {}) {
       accessToken: resolvedCloudAccessTokenRaw,
       ...resolvedCloudRest
     } = resolvedCloud;
-    if (normalizeNonEmptyString(resolvedCloudApiKeyRaw) && normalizeNonEmptyString(resolvedCloudAccessTokenRaw)) {
-      throw new Error(
-        "Cloud config cannot include both apiKey and accessToken at the same time."
-      );
-    }
     const resolvedCloudBrowserProfile = normalizeCloudBrowserProfileOptions(
       resolvedCloud.browserProfile,
       "resolved.cloud.browserProfile"
@@ -1136,25 +1235,40 @@ function resolveConfigWithEnv(input = {}, options = {}) {
     const browserProfile = inputCloudBrowserProfile ?? envCloudBrowserProfile ?? resolvedCloudBrowserProfile;
     let authScheme = inputAuthScheme ?? envAuthScheme ?? parseAuthScheme(resolvedCloud.authScheme, "cloud.authScheme") ?? "api-key";
     const announce = inputCloudAnnounce ?? envCloudAnnounce ?? parseCloudAnnounce(resolvedCloud.announce, "cloud.announce") ?? "always";
-    const credentialOverriddenByInput = inputHasCloudApiKey || inputHasCloudAccessToken;
-    let apiKey = normalizeNonEmptyString(resolvedCloudApiKeyRaw);
-    let accessToken = normalizeNonEmptyString(resolvedCloudAccessTokenRaw);
-    if (!credentialOverriddenByInput) {
-      if (envAccessToken) {
-        accessToken = envAccessToken;
-        apiKey = void 0;
-      } else if (envApiCredential) {
-        apiKey = envApiCredential;
-        accessToken = void 0;
-      }
-    }
+    const selectedCredentialLayer = selectCloudCredentialByPrecedence(
+      [
+        {
+          source: "input",
+          apiKey: inputCloudOptions?.apiKey,
+          accessToken: inputCloudOptions?.accessToken,
+          hasApiKey: inputHasCloudApiKey,
+          hasAccessToken: inputHasCloudAccessToken
+        },
+        {
+          source: "env",
+          apiKey: envApiKey,
+          accessToken: envAccessTokenRaw,
+          hasApiKey: envApiKey !== void 0,
+          hasAccessToken: envAccessTokenRaw !== void 0
+        },
+        {
+          source: "file",
+          apiKey: fileCloudOptions?.apiKey,
+          accessToken: fileCloudOptions?.accessToken,
+          hasApiKey: fileHasCloudApiKey,
+          hasAccessToken: fileHasCloudAccessToken
+        }
+      ],
+      authScheme
+    );
+    const { apiKey, accessToken } = resolveCloudCredentialFields(selectedCredentialLayer);
     if (accessToken) {
       authScheme = "bearer";
     }
     resolved.cloud = {
       ...resolvedCloudRest,
-      ...inputHasCloudApiKey ? { apiKey: resolvedCloudApiKeyRaw } : apiKey ? { apiKey } : {},
-      ...inputHasCloudAccessToken ? { accessToken: resolvedCloudAccessTokenRaw } : accessToken ? { accessToken } : {},
+      ...apiKey ? { apiKey } : selectedCredentialLayer?.hasApiKey && !accessToken ? { apiKey: selectedCredentialLayer.apiKey } : {},
+      ...accessToken ? { accessToken } : selectedCredentialLayer?.hasAccessToken && !apiKey ? { accessToken: selectedCredentialLayer.accessToken } : {},
       authScheme,
       announce,
       ...browserProfile ? { browserProfile } : {}
@@ -1209,7 +1323,13 @@ function getCallerFilePath() {
 var import_crypto = require("crypto");
 
 // src/browser/pool.ts
-var import_playwright2 = require("playwright");
+var import_node_child_process = require("child_process");
+var import_node_fs = require("fs");
+var import_promises = require("fs/promises");
+var import_node_net = require("net");
+var import_node_os = require("os");
+var import_node_path = require("path");
+var import_playwright = require("playwright");
 
 // src/browser/cdp-proxy.ts
 var import_ws = __toESM(require("ws"), 1);
@@ -1548,839 +1668,598 @@ function errorMessage(error) {
   return error instanceof Error ? error.message : String(error);
 }
 
-// src/browser/chromium-profile.ts
-var import_node_util = require("util");
-var import_node_child_process2 = require("child_process");
-var import_node_crypto = require("crypto");
-var import_promises = require("fs/promises");
-var import_node_fs = require("fs");
-var import_node_path = require("path");
-var import_node_os = require("os");
-var import_playwright = require("playwright");
-
-// src/auth/keychain-store.ts
-var import_node_child_process = require("child_process");
-function commandExists(command) {
-  const result = (0, import_node_child_process.spawnSync)(command, ["--help"], {
-    encoding: "utf8",
-    stdio: "ignore"
-  });
-  return result.error == null;
+// src/browser/chrome.ts
+var import_os = require("os");
+var import_path3 = require("path");
+var import_fs2 = require("fs");
+function detectChromePaths() {
+  const os2 = (0, import_os.platform)();
+  if (os2 === "darwin") {
+    const executable2 = "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome";
+    return {
+      executable: (0, import_fs2.existsSync)(executable2) ? executable2 : null,
+      defaultUserDataDir: (0, import_path3.join)(
+        (0, import_os.homedir)(),
+        "Library",
+        "Application Support",
+        "Google",
+        "Chrome"
+      )
+    };
+  }
+  if (os2 === "win32") {
+    const executable2 = (0, import_path3.join)(
+      process.env.PROGRAMFILES || "C:\\Program Files",
+      "Google",
+      "Chrome",
+      "Application",
+      "chrome.exe"
+    );
+    return {
+      executable: (0, import_fs2.existsSync)(executable2) ? executable2 : null,
+      defaultUserDataDir: (0, import_path3.join)(
+        process.env.LOCALAPPDATA || (0, import_path3.join)((0, import_os.homedir)(), "AppData", "Local"),
+        "Google",
+        "Chrome",
+        "User Data"
+      )
+    };
+  }
+  const executable = "/usr/bin/google-chrome";
+  return {
+    executable: (0, import_fs2.existsSync)(executable) ? executable : null,
+    defaultUserDataDir: (0, import_path3.join)((0, import_os.homedir)(), ".config", "google-chrome")
+  };
 }
-function commandFailed(result) {
-  return typeof result.status === "number" && result.status !== 0;
+function expandHome(p) {
+  if (p.startsWith("~/") || p === "~") {
+    return (0, import_path3.join)((0, import_os.homedir)(), p.slice(1));
+  }
+  return p;
 }
-function sanitizeCommandArgs(command, args) {
-  if (command !== "security") {
-    return args;
+function listLocalChromeProfiles(userDataDir = detectChromePaths().defaultUserDataDir) {
+  const resolvedUserDataDir = expandHome(userDataDir);
+  const localStatePath = (0, import_path3.join)(resolvedUserDataDir, "Local State");
+  if (!(0, import_fs2.existsSync)(localStatePath)) {
+    return [];
   }
-  const sanitized = [];
-  for (let index = 0; index < args.length; index += 1) {
-    const value = args[index];
-    sanitized.push(value);
-    if (value === "-w" && index + 1 < args.length) {
-      sanitized.push("[REDACTED]");
-      index += 1;
+  try {
+    const raw = JSON.parse((0, import_fs2.readFileSync)(localStatePath, "utf-8"));
+    const infoCache = raw && typeof raw === "object" && !Array.isArray(raw) && raw.profile && typeof raw.profile === "object" && !Array.isArray(raw.profile) ? raw.profile.info_cache : void 0;
+    if (!infoCache || typeof infoCache !== "object") {
+      return [];
     }
+    return Object.entries(infoCache).map(([directory, info]) => {
+      const record = info && typeof info === "object" && !Array.isArray(info) ? info : {};
+      const name = typeof record.name === "string" && record.name.trim() ? record.name.trim() : directory;
+      return {
+        directory,
+        name
+      };
+    }).filter((profile) => profile.directory.trim().length > 0).sort(
+      (left, right) => left.directory.localeCompare(right.directory)
+    );
+  } catch {
+    return [];
   }
-  return sanitized;
-}
-function buildCommandError(command, args, result) {
-  const stderr = typeof result.stderr === "string" && result.stderr.trim() ? result.stderr.trim() : `Command "${command}" failed with status ${String(result.status)}.`;
-  const sanitizedArgs = sanitizeCommandArgs(command, args);
-  return new Error(
-    [
-      `Unable to persist credential via ${command}.`,
-      `${command} ${sanitizedArgs.join(" ")}`,
-      stderr
-    ].join(" ")
-  );
 }
-function createMacosSecurityStore() {
-  return {
-    backend: "macos-security",
-    get(service, account) {
-      const result = (0, import_node_child_process.spawnSync)(
-        "security",
-        ["find-generic-password", "-s", service, "-a", account, "-w"],
-        { encoding: "utf8" }
-      );
-      if (commandFailed(result)) {
-        return null;
+
+// src/browser/pool.ts
+var BrowserPool = class {
+  browser = null;
+  cdpProxy = null;
+  launchedProcess = null;
+  tempUserDataDir = null;
+  defaults;
+  constructor(defaults = {}) {
+    this.defaults = defaults;
+  }
+  async launch(options = {}) {
+    if (this.browser || this.cdpProxy || this.launchedProcess || this.tempUserDataDir) {
+      await this.close();
+    }
+    const mode = options.mode ?? this.defaults.mode ?? "chromium";
+    const cdpUrl = options.cdpUrl ?? this.defaults.cdpUrl;
+    const userDataDir = options.userDataDir ?? this.defaults.userDataDir;
+    const profileDirectory = options.profileDirectory ?? this.defaults.profileDirectory;
+    const executablePath = options.executablePath ?? this.defaults.executablePath;
+    if (cdpUrl) {
+      if (mode === "real") {
+        throw new Error(
+          'cdpUrl cannot be combined with mode "real". Use one browser launch path at a time.'
+        );
       }
-      const secret = result.stdout.trim();
-      return secret.length ? secret : null;
-    },
-    set(service, account, secret) {
-      const args = [
-        "add-generic-password",
-        "-U",
-        "-s",
-        service,
-        "-a",
-        account,
-        "-w",
-        secret
-      ];
-      const result = (0, import_node_child_process.spawnSync)("security", args, { encoding: "utf8" });
-      if (commandFailed(result)) {
-        throw buildCommandError("security", args, result);
+      if (userDataDir || profileDirectory) {
+        throw new Error(
+          "userDataDir/profileDirectory cannot be combined with cdpUrl."
+        );
       }
-    },
-    delete(service, account) {
-      const args = ["delete-generic-password", "-s", service, "-a", account];
-      const result = (0, import_node_child_process.spawnSync)("security", args, { encoding: "utf8" });
-      if (commandFailed(result)) {
-        return;
+      if (options.context && Object.keys(options.context).length > 0) {
+        throw new Error(
+          "context launch options are not supported when attaching over CDP."
+        );
       }
+      return this.connectToRunning(cdpUrl, options.timeout);
     }
-  };
-}
-function createLinuxSecretToolStore() {
-  return {
-    backend: "linux-secret-tool",
-    get(service, account) {
-      const result = (0, import_node_child_process.spawnSync)(
-        "secret-tool",
-        ["lookup", "service", service, "account", account],
-        {
-          encoding: "utf8"
-        }
+    if (mode !== "real" && (userDataDir || profileDirectory)) {
+      throw new Error(
+        'userDataDir/profileDirectory require mode "real".'
       );
-      if (commandFailed(result)) {
-        return null;
-      }
-      const secret = result.stdout.trim();
-      return secret.length ? secret : null;
-    },
-    set(service, account, secret) {
-      const args = [
-        "store",
-        "--label",
-        "Opensteer CLI",
-        "service",
-        service,
-        "account",
-        account
-      ];
-      const result = (0, import_node_child_process.spawnSync)("secret-tool", args, {
-        encoding: "utf8",
-        input: secret
-      });
-      if (commandFailed(result)) {
-        throw buildCommandError("secret-tool", args, result);
+    }
+    if (mode === "real") {
+      if (options.context && Object.keys(options.context).length > 0) {
+        throw new Error(
+          "context launch options are not supported for real-browser mode."
+        );
       }
-    },
-    delete(service, account) {
-      const args = ["clear", "service", service, "account", account];
-      (0, import_node_child_process.spawnSync)("secret-tool", args, {
-        encoding: "utf8"
+      return this.launchOwnedRealBrowser({
+        ...options,
+        executablePath,
+        userDataDir,
+        profileDirectory
       });
     }
-  };
-}
-function createKeychainStore() {
-  if (process.platform === "darwin") {
-    if (!commandExists("security")) {
-      return null;
-    }
-    return createMacosSecurityStore();
+    return this.launchSandbox(options);
   }
-  if (process.platform === "linux") {
-    if (!commandExists("secret-tool")) {
-      return null;
+  async close() {
+    const browser = this.browser;
+    const cdpProxy = this.cdpProxy;
+    const launchedProcess = this.launchedProcess;
+    const tempUserDataDir = this.tempUserDataDir;
+    this.browser = null;
+    this.cdpProxy = null;
+    this.launchedProcess = null;
+    this.tempUserDataDir = null;
+    try {
+      if (browser) {
+        await browser.close().catch(() => void 0);
+      }
+    } finally {
+      cdpProxy?.close();
+      await killProcessTree(launchedProcess);
+      if (tempUserDataDir) {
+        await (0, import_promises.rm)(tempUserDataDir, {
+          recursive: true,
+          force: true
+        }).catch(() => void 0);
+      }
     }
-    return createLinuxSecretToolStore();
-  }
-  return null;
-}
-
-// src/browser/chrome.ts
-var import_os = require("os");
-var import_path3 = require("path");
-function expandHome(p) {
-  if (p.startsWith("~/") || p === "~") {
-    return (0, import_path3.join)((0, import_os.homedir)(), p.slice(1));
   }
-  return p;
-}
-
-// src/browser/chromium-profile.ts
-var execFileAsync = (0, import_node_util.promisify)(import_node_child_process2.execFile);
-var CHROMIUM_EPOCH_MICROS = 11644473600000000n;
-var AES_BLOCK_BYTES = 16;
-var MAC_KEY_ITERATIONS = 1003;
-var LINUX_KEY_ITERATIONS = 1;
-var KEY_LENGTH = 16;
-var KEY_SALT = "saltysalt";
-var DEFAULT_CHROMIUM_BRAND = {
-  macService: "Chrome Safe Storage",
-  macAccount: "Chrome",
-  linuxApplications: ["chrome", "google-chrome"]
-};
-var CHROMIUM_BRANDS = [
-  {
-    match: ["bravesoftware", "brave-browser"],
-    brand: {
-      macService: "Brave Safe Storage",
-      macAccount: "Brave",
-      linuxApplications: ["brave-browser", "brave"]
-    }
-  },
-  {
-    match: ["microsoft", "edge"],
-    brand: {
-      macService: "Microsoft Edge Safe Storage",
-      macAccount: "Microsoft Edge",
-      linuxApplications: ["microsoft-edge"],
-      playwrightChannel: "msedge"
-    }
-  },
-  {
-    match: ["google", "chrome beta"],
-    brand: {
-      macService: "Chrome Beta Safe Storage",
-      macAccount: "Chrome Beta",
-      linuxApplications: ["chrome-beta"],
-      playwrightChannel: "chrome-beta"
+  async connectToRunning(cdpUrl, timeout) {
+    let browser = null;
+    let cdpProxy = null;
+    try {
+      const { browserWsUrl, targets } = await discoverTargets(cdpUrl);
+      if (targets.length === 0) {
+        throw new Error(
+          "No page targets found. Is the browser running with an open window?"
+        );
+      }
+      cdpProxy = new CDPProxy(browserWsUrl, targets[0].id);
+      const proxyWsUrl = await cdpProxy.start();
+      browser = await import_playwright.chromium.connectOverCDP(proxyWsUrl, {
+        timeout: timeout ?? 3e4
+      });
+      this.browser = browser;
+      this.cdpProxy = cdpProxy;
+      const { context, page } = await pickBrowserContextAndPage(browser);
+      return { browser, context, page, isExternal: true };
+    } catch (error) {
+      if (browser) {
+        await browser.close().catch(() => void 0);
+      }
+      cdpProxy?.close();
+      this.browser = null;
+      this.cdpProxy = null;
+      throw error;
     }
-  },
-  {
-    match: ["google", "chrome"],
-    brand: {
-      macService: "Chrome Safe Storage",
-      macAccount: "Chrome",
-      linuxApplications: ["chrome", "google-chrome"],
-      playwrightChannel: "chrome"
+  }
+  async launchOwnedRealBrowser(options) {
+    const chromePaths = detectChromePaths();
+    const executablePath = options.executablePath ?? chromePaths.executable ?? void 0;
+    if (!executablePath) {
+      throw new Error(
+        "Chrome was not found. Set browser.executablePath or install Chrome in a supported location."
+      );
     }
-  },
-  {
-    match: ["chromium"],
-    brand: {
-      macService: "Chromium Safe Storage",
-      macAccount: "Chromium",
-      linuxApplications: ["chromium"]
+    const sourceUserDataDir = expandHome(
+      options.userDataDir ?? chromePaths.defaultUserDataDir
+    );
+    const profileDirectory = options.profileDirectory ?? "Default";
+    const tempUserDataDir = await cloneProfileToTempDir(
+      sourceUserDataDir,
+      profileDirectory
+    );
+    const debugPort = await reserveDebugPort();
+    const headless = resolveLaunchHeadless(
+      "real",
+      options.headless,
+      this.defaults.headless
+    );
+    const launchArgs = buildRealBrowserLaunchArgs({
+      userDataDir: tempUserDataDir,
+      profileDirectory,
+      debugPort,
+      headless
+    });
+    const processHandle = (0, import_node_child_process.spawn)(executablePath, launchArgs, {
+      detached: process.platform !== "win32",
+      stdio: "ignore"
+    });
+    processHandle.unref();
+    let browser = null;
+    try {
+      const wsUrl = await resolveCdpWebSocketUrl(
+        `http://127.0.0.1:${debugPort}`,
+        options.timeout ?? 3e4
+      );
+      browser = await import_playwright.chromium.connectOverCDP(wsUrl, {
+        timeout: options.timeout ?? 3e4
+      });
+      const { context, page } = await createOwnedBrowserContextAndPage(
+        browser,
+        {
+          headless,
+          initialUrl: options.initialUrl,
+          timeoutMs: options.timeout ?? 3e4
+        }
+      );
+      this.browser = browser;
+      this.launchedProcess = processHandle;
+      this.tempUserDataDir = tempUserDataDir;
+      return { browser, context, page, isExternal: false };
+    } catch (error) {
+      await browser?.close().catch(() => void 0);
+      await killProcessTree(processHandle);
+      await (0, import_promises.rm)(tempUserDataDir, {
+        recursive: true,
+        force: true
+      }).catch(() => void 0);
+      throw error;
     }
   }
-];
-function directoryExists(filePath) {
-  try {
-    return (0, import_node_fs.statSync)(filePath).isDirectory();
-  } catch {
-    return false;
+  async launchSandbox(options) {
+    const browser = await import_playwright.chromium.launch({
+      headless: resolveLaunchHeadless(
+        "chromium",
+        options.headless,
+        this.defaults.headless
+      ),
+      executablePath: options.executablePath ?? this.defaults.executablePath ?? void 0,
+      slowMo: options.slowMo ?? this.defaults.slowMo ?? 0,
+      timeout: options.timeout
+    });
+    const context = await browser.newContext(options.context || {});
+    const page = await context.newPage();
+    this.browser = browser;
+    return { browser, context, page, isExternal: false };
   }
+};
+async function pickBrowserContextAndPage(browser) {
+  const context = getPrimaryBrowserContext(browser);
+  const pages = context.pages();
+  const page = pages.find((candidate) => isInspectablePageUrl2(candidate.url())) || pages[0] || await context.newPage();
+  return { context, page };
 }
-function fileExists(filePath) {
-  try {
-    return (0, import_node_fs.statSync)(filePath).isFile();
-  } catch {
-    return false;
+function resolveLaunchHeadless(mode, requestedHeadless, defaultHeadless) {
+  if (requestedHeadless !== void 0) {
+    return requestedHeadless;
   }
-}
-function resolveCookieDbPath(profileDir) {
-  const candidates = [(0, import_node_path.join)(profileDir, "Network", "Cookies"), (0, import_node_path.join)(profileDir, "Cookies")];
-  for (const candidate of candidates) {
-    if (fileExists(candidate)) {
-      return candidate;
-    }
+  if (defaultHeadless !== void 0) {
+    return defaultHeadless;
   }
-  return null;
+  return mode === "real";
 }
-async function selectProfileDirFromUserDataDir(userDataDir) {
-  const entries = await (0, import_promises.readdir)(userDataDir, {
-    withFileTypes: true
-  }).catch(() => []);
-  const candidates = entries.filter((entry) => entry.isDirectory()).map((entry) => (0, import_node_path.join)(userDataDir, entry.name)).filter((entryPath) => resolveCookieDbPath(entryPath));
-  return candidates;
+async function createOwnedBrowserContextAndPage(browser, options) {
+  const context = getPrimaryBrowserContext(browser);
+  const page = await createOwnedBrowserPage(browser, context, options);
+  return { context, page };
 }
-async function resolveChromiumProfileLocation(inputPath) {
-  const expandedPath = expandHome(inputPath.trim());
-  if (!expandedPath) {
-    throw new Error("Profile path cannot be empty.");
+async function createOwnedBrowserPage(browser, context, options) {
+  const targetUrl = options.initialUrl ?? "about:blank";
+  const existingPages = new Set(context.pages());
+  const browserSession = await browser.newBrowserCDPSession();
+  try {
+    const { targetId } = await browserSession.send("Target.createTarget", {
+      url: targetUrl,
+      newWindow: !options.headless
+    });
+    await browserSession.send("Target.activateTarget", { targetId }).catch(() => void 0);
+    const page = await waitForOwnedBrowserPage(context, {
+      existingPages,
+      targetUrl,
+      timeoutMs: options.timeoutMs
+    });
+    if (targetUrl !== "about:blank") {
+      await page.waitForLoadState("domcontentloaded", {
+        timeout: options.timeoutMs
+      });
+    }
+    await closeDisposableStartupTargets(browserSession, targetId);
+    return page;
+  } finally {
+    await browserSession.detach().catch(() => void 0);
   }
-  if (fileExists(expandedPath) && (0, import_node_path.basename)(expandedPath) === "Cookies") {
-    const directParent = (0, import_node_path.dirname)(expandedPath);
-    const profileDir = (0, import_node_path.basename)(directParent) === "Network" ? (0, import_node_path.dirname)(directParent) : directParent;
-    const userDataDir = (0, import_node_path.dirname)(profileDir);
-    return {
-      userDataDir,
-      profileDir,
-      profileDirectory: (0, import_node_path.basename)(profileDir),
-      cookieDbPath: expandedPath,
-      localStatePath: fileExists((0, import_node_path.join)(userDataDir, "Local State")) ? (0, import_node_path.join)(userDataDir, "Local State") : null
-    };
+}
+async function closeDisposableStartupTargets(browserSession, preservedTargetId) {
+  const response = await browserSession.send("Target.getTargets").catch(() => null);
+  if (!response) {
+    return;
   }
-  if (fileExists(expandedPath)) {
-    throw new Error(
-      `Unsupported profile source "${inputPath}". Pass a Chromium profile directory, user-data dir, or Cookies database path.`
-    );
+  for (const targetInfo of response.targetInfos) {
+    if (targetInfo.targetId === preservedTargetId || targetInfo.type !== "page" || !isDisposableStartupPageUrl(targetInfo.url)) {
+      continue;
+    }
+    await browserSession.send("Target.closeTarget", { targetId: targetInfo.targetId }).catch(() => void 0);
   }
-  if (!directoryExists(expandedPath)) {
-    throw new Error(
-      `Could not find a Chromium profile at "${inputPath}".`
-    );
+}
+async function waitForOwnedBrowserPage(context, options) {
+  const deadline = Date.now() + options.timeoutMs;
+  let fallbackPage = null;
+  while (Date.now() < deadline) {
+    for (const candidate of context.pages()) {
+      if (options.existingPages.has(candidate)) {
+        continue;
+      }
+      const url = candidate.url();
+      if (!isInspectablePageUrl2(url)) {
+        continue;
+      }
+      fallbackPage ??= candidate;
+      if (options.targetUrl === "about:blank") {
+        return candidate;
+      }
+      if (pageLooselyMatchesUrl(url, options.targetUrl)) {
+        return candidate;
+      }
+    }
+    await sleep(100);
   }
-  const directCookieDb = resolveCookieDbPath(expandedPath);
-  if (directCookieDb) {
-    const userDataDir = (0, import_node_path.dirname)(expandedPath);
-    return {
-      userDataDir,
-      profileDir: expandedPath,
-      profileDirectory: (0, import_node_path.basename)(expandedPath),
-      cookieDbPath: directCookieDb,
-      localStatePath: fileExists((0, import_node_path.join)(userDataDir, "Local State")) ? (0, import_node_path.join)(userDataDir, "Local State") : null
-    };
+  if (fallbackPage) {
+    return fallbackPage;
   }
-  const localStatePath = (0, import_node_path.join)(expandedPath, "Local State");
-  if (!fileExists(localStatePath)) {
+  throw new Error(
+    `Chrome created a target for ${options.targetUrl}, but Playwright did not expose the page in time.`
+  );
+}
+function getPrimaryBrowserContext(browser) {
+  const contexts = browser.contexts();
+  if (contexts.length === 0) {
     throw new Error(
-      `Unsupported profile source "${inputPath}". Pass a Chromium profile directory, user-data dir, or Cookies database path.`
+      "Connection succeeded but no browser contexts were exposed."
     );
   }
-  const profileDirs = await selectProfileDirFromUserDataDir(expandedPath);
-  if (profileDirs.length === 0) {
-    throw new Error(
-      `No Chromium profile with a Cookies database was found under "${inputPath}".`
-    );
+  return contexts[0];
+}
+function isInspectablePageUrl2(url) {
+  return url === "about:blank" || url.startsWith("http://") || url.startsWith("https://");
+}
+function isDisposableStartupPageUrl(url) {
+  return url === "about:blank" || url === "chrome://newtab/" || url === "chrome://new-tab-page/";
+}
+function pageLooselyMatchesUrl(currentUrl, initialUrl) {
+  try {
+    const current = new URL(currentUrl);
+    const requested = new URL(initialUrl);
+    if (current.href === requested.href) {
+      return true;
+    }
+    return current.hostname === requested.hostname && current.pathname === requested.pathname;
+  } catch {
+    return currentUrl === initialUrl;
   }
-  if (profileDirs.length > 1) {
-    const candidates = profileDirs.map((entry) => (0, import_node_path.basename)(entry)).join(", ");
+}
+function normalizeDiscoveryUrl(cdpUrl) {
+  let parsed;
+  try {
+    parsed = new URL(cdpUrl);
+  } catch {
     throw new Error(
-      `"${inputPath}" contains multiple Chromium profiles (${candidates}). Pass a specific profile directory such as "${profileDirs[0]}".`
+      `Invalid CDP URL "${cdpUrl}". Use an http(s) or ws(s) endpoint.`
     );
   }
-  const selectedProfileDir = profileDirs[0];
-  const cookieDbPath = resolveCookieDbPath(selectedProfileDir);
-  if (!cookieDbPath) {
+  if (parsed.protocol === "ws:" || parsed.protocol === "wss:") {
+    return parsed;
+  }
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
     throw new Error(
-      `No Chromium Cookies database was found for "${inputPath}".`
+      `Unsupported CDP URL protocol "${parsed.protocol}". Use http(s) or ws(s).`
     );
   }
-  return {
-    userDataDir: expandedPath,
-    profileDir: selectedProfileDir,
-    profileDirectory: (0, import_node_path.basename)(selectedProfileDir),
-    cookieDbPath,
-    localStatePath
-  };
+  const normalized = new URL(parsed.toString());
+  normalized.pathname = "/json/version";
+  normalized.search = "";
+  normalized.hash = "";
+  return normalized;
 }
-function resolvePersistentChromiumLaunchProfile(inputPath) {
-  const expandedPath = expandHome(inputPath.trim());
-  if (!expandedPath) {
-    return {
-      userDataDir: inputPath
-    };
-  }
-  if (fileExists(expandedPath) && (0, import_node_path.basename)(expandedPath) === "Cookies") {
-    const directParent = (0, import_node_path.dirname)(expandedPath);
-    const profileDir = (0, import_node_path.basename)(directParent) === "Network" ? (0, import_node_path.dirname)(directParent) : directParent;
-    return {
-      userDataDir: (0, import_node_path.dirname)(profileDir),
-      profileDirectory: (0, import_node_path.basename)(profileDir)
-    };
+async function resolveCdpWebSocketUrl(cdpUrl, timeoutMs) {
+  if (cdpUrl.startsWith("ws://") || cdpUrl.startsWith("wss://")) {
+    return cdpUrl;
   }
-  if (directoryExists(expandedPath) && resolveCookieDbPath(expandedPath) && fileExists((0, import_node_path.join)((0, import_node_path.dirname)(expandedPath), "Local State"))) {
-    return {
-      userDataDir: (0, import_node_path.dirname)(expandedPath),
-      profileDirectory: (0, import_node_path.basename)(expandedPath)
-    };
+  const versionUrl = normalizeDiscoveryUrl(cdpUrl);
+  const deadline = Date.now() + timeoutMs;
+  let lastError = "CDP discovery did not respond.";
+  while (Date.now() < deadline) {
+    const remaining = Math.max(deadline - Date.now(), 1e3);
+    try {
+      const response = await fetch(versionUrl, {
+        signal: AbortSignal.timeout(Math.min(remaining, 5e3))
+      });
+      if (!response.ok) {
+        lastError = `${response.status} ${response.statusText}`;
+      } else {
+        const payload = await response.json();
+        const wsUrl = payload && typeof payload === "object" && !Array.isArray(payload) && typeof payload.webSocketDebuggerUrl === "string" ? payload.webSocketDebuggerUrl : null;
+        if (wsUrl && wsUrl.trim()) {
+          return wsUrl;
+        }
+        lastError = "CDP discovery response did not include webSocketDebuggerUrl.";
+      }
+    } catch (error) {
+      lastError = error instanceof Error ? error.message : "Unknown error";
+    }
+    await sleep(100);
   }
-  return {
-    userDataDir: expandedPath
-  };
+  throw new Error(
+    `Failed to resolve a CDP websocket URL from ${versionUrl.toString()}: ${lastError}`
+  );
 }
-function detectChromiumBrand(location) {
-  const normalizedPath = location.userDataDir.toLowerCase();
-  for (const candidate of CHROMIUM_BRANDS) {
-    if (candidate.match.every((fragment) => normalizedPath.includes(fragment))) {
-      return candidate.brand;
-    }
-  }
-  return DEFAULT_CHROMIUM_BRAND;
-}
-async function createSqliteSnapshot(dbPath) {
-  const snapshotDir = await (0, import_promises.mkdtemp)((0, import_node_path.join)((0, import_node_os.tmpdir)(), "opensteer-cookie-db-"));
-  const snapshotPath = (0, import_node_path.join)(snapshotDir, "Cookies");
-  await (0, import_promises.copyFile)(dbPath, snapshotPath);
-  for (const suffix of ["-wal", "-shm", "-journal"]) {
-    const source = `${dbPath}${suffix}`;
-    if (!(0, import_node_fs.existsSync)(source)) {
-      continue;
-    }
-    await (0, import_promises.copyFile)(source, `${snapshotPath}${suffix}`);
-  }
-  return {
-    snapshotPath,
-    cleanup: async () => {
-      await (0, import_promises.rm)(snapshotDir, { recursive: true, force: true });
-    }
-  };
-}
-async function querySqliteJson(dbPath, query) {
-  const result = await execFileAsync("sqlite3", ["-json", dbPath, query], {
-    encoding: "utf8",
-    maxBuffer: 64 * 1024 * 1024
+async function reserveDebugPort() {
+  return await new Promise((resolve, reject) => {
+    const server = (0, import_node_net.createServer)();
+    server.unref();
+    server.on("error", reject);
+    server.listen(0, "127.0.0.1", () => {
+      const address = server.address();
+      if (!address || typeof address === "string") {
+        server.close();
+        reject(new Error("Failed to reserve a local debug port."));
+        return;
+      }
+      server.close((error) => {
+        if (error) {
+          reject(error);
+          return;
+        }
+        resolve(address.port);
+      });
+    });
   });
-  const stdout = result.stdout;
-  const trimmed = stdout.trim();
-  if (!trimmed) {
-    return [];
-  }
-  return JSON.parse(trimmed);
-}
-function convertChromiumTimestampToUnixSeconds(value) {
-  if (!value || value === "0") {
-    return -1;
-  }
-  const micros = BigInt(value);
-  if (micros <= CHROMIUM_EPOCH_MICROS) {
-    return -1;
-  }
-  return Number((micros - CHROMIUM_EPOCH_MICROS) / 1000000n);
 }
-function mapChromiumSameSite(value) {
-  if (value === 2) {
-    return "Strict";
+async function cloneProfileToTempDir(userDataDir, profileDirectory) {
+  const resolvedUserDataDir = expandHome(userDataDir);
+  const tempUserDataDir = await (0, import_promises.mkdtemp)(
+    (0, import_node_path.join)((0, import_node_os.tmpdir)(), "opensteer-real-browser-")
+  );
+  const sourceProfileDir = (0, import_node_path.join)(resolvedUserDataDir, profileDirectory);
+  const targetProfileDir = (0, import_node_path.join)(tempUserDataDir, profileDirectory);
+  if ((0, import_node_fs.existsSync)(sourceProfileDir)) {
+    await (0, import_promises.cp)(sourceProfileDir, targetProfileDir, {
+      recursive: true
+    });
+  } else {
+    await (0, import_promises.mkdir)(targetProfileDir, {
+      recursive: true
+    });
   }
-  if (value === 0) {
-    return "None";
+  const localStatePath = (0, import_node_path.join)(resolvedUserDataDir, "Local State");
+  if ((0, import_node_fs.existsSync)(localStatePath)) {
+    await (0, import_promises.copyFile)(localStatePath, (0, import_node_path.join)(tempUserDataDir, "Local State"));
+  }
+  return tempUserDataDir;
+}
+function buildRealBrowserLaunchArgs(options) {
+  const args = [
+    `--user-data-dir=${options.userDataDir}`,
+    `--profile-directory=${options.profileDirectory}`,
+    `--remote-debugging-port=${options.debugPort}`,
+    "--no-first-run",
+    "--no-default-browser-check",
+    "--disable-background-networking",
+    "--disable-sync",
+    "--disable-popup-blocking"
+  ];
+  if (options.headless) {
+    args.push("--headless=new");
   }
-  return "Lax";
+  return args;
 }
-function stripChromiumPadding(buffer) {
-  const paddingLength = buffer[buffer.length - 1];
-  if (paddingLength <= 0 || paddingLength > AES_BLOCK_BYTES) {
-    return buffer;
+async function killProcessTree(processHandle) {
+  if (!processHandle || processHandle.pid == null || processHandle.exitCode !== null) {
+    return;
   }
-  return buffer.subarray(0, buffer.length - paddingLength);
-}
-function stripDomainHashPrefix(buffer, hostKey) {
-  if (buffer.length < 32) {
-    return buffer;
+  if (process.platform === "win32") {
+    await new Promise((resolve) => {
+      const killer = (0, import_node_child_process.spawn)(
+        "taskkill",
+        ["/pid", String(processHandle.pid), "/t", "/f"],
+        {
+          stdio: "ignore"
+        }
+      );
+      killer.on("error", () => resolve());
+      killer.on("exit", () => resolve());
+    });
+    return;
   }
-  const domainHash = (0, import_node_crypto.createHash)("sha256").update(hostKey, "utf8").digest();
-  if (buffer.subarray(0, 32).equals(domainHash)) {
-    return buffer.subarray(32);
+  try {
+    process.kill(-processHandle.pid, "SIGKILL");
+  } catch {
+    try {
+      processHandle.kill("SIGKILL");
+    } catch {
+    }
   }
-  return buffer;
 }
-function decryptChromiumAes128CbcValue(encryptedValue, key, hostKey) {
-  const ciphertext = encryptedValue.length > 3 && encryptedValue[0] === 118 && encryptedValue[1] === 49 && (encryptedValue[2] === 48 || encryptedValue[2] === 49) ? encryptedValue.subarray(3) : encryptedValue;
-  const iv = Buffer.alloc(AES_BLOCK_BYTES, " ");
-  const decipher = (0, import_node_crypto.createDecipheriv)("aes-128-cbc", key, iv);
-  const plaintext = Buffer.concat([
-    decipher.update(ciphertext),
-    decipher.final()
-  ]);
-  return stripDomainHashPrefix(stripChromiumPadding(plaintext), hostKey).toString(
-    "utf8"
-  );
+async function sleep(ms) {
+  await new Promise((resolve) => setTimeout(resolve, ms));
 }
-function decryptChromiumAes256GcmValue(encryptedValue, key) {
-  const nonce = encryptedValue.subarray(3, 15);
-  const ciphertext = encryptedValue.subarray(15, encryptedValue.length - 16);
-  const authTag = encryptedValue.subarray(encryptedValue.length - 16);
-  const decipher = (0, import_node_crypto.createDecipheriv)("aes-256-gcm", key, nonce);
-  decipher.setAuthTag(authTag);
-  return Buffer.concat([
-    decipher.update(ciphertext),
-    decipher.final()
-  ]).toString("utf8");
+
+// src/navigation.ts
+var DEFAULT_TIMEOUT = 3e4;
+var DEFAULT_SETTLE_MS = 750;
+var FRAME_EVALUATE_GRACE_MS = 200;
+var TRANSIENT_CONTEXT_RETRY_DELAY_MS = 25;
+var STEALTH_WORLD_NAME = "__opensteer_wait__";
+var StealthWaitUnavailableError = class extends Error {
+  constructor(cause) {
+    super("Stealth visual wait requires Chromium CDP support.", { cause });
+    this.name = "StealthWaitUnavailableError";
+  }
+};
+function isStealthWaitUnavailableError(error) {
+  return error instanceof StealthWaitUnavailableError;
 }
-async function dpapiUnprotect(buffer) {
-  const script = [
-    `$inputBytes = [Convert]::FromBase64String('${buffer.toString("base64")}')`,
-    "$plainBytes = [System.Security.Cryptography.ProtectedData]::Unprotect(",
-    "  $inputBytes,",
-    "  $null,",
-    "  [System.Security.Cryptography.DataProtectionScope]::CurrentUser",
-    ")",
-    "[Convert]::ToBase64String($plainBytes)"
-  ].join("\n");
-  const { stdout } = await execFileAsync(
-    "powershell.exe",
-    ["-NoProfile", "-NonInteractive", "-Command", script],
-    {
-      encoding: "utf8",
-      maxBuffer: 8 * 1024 * 1024
+var FRAME_OWNER_VISIBILITY_FUNCTION = `function() {
+    if (!(this instanceof HTMLElement)) return false;
+
+    var rect = this.getBoundingClientRect();
+    if (rect.width <= 0 || rect.height <= 0) return false;
+    if (
+        rect.bottom <= 0 ||
+        rect.right <= 0 ||
+        rect.top >= window.innerHeight ||
+        rect.left >= window.innerWidth
+    ) {
+        return false;
     }
-  );
-  return Buffer.from(stdout.trim(), "base64");
-}
-async function buildChromiumDecryptor(location) {
-  if (process.platform === "darwin") {
-    const brand = detectChromiumBrand(location);
-    const keychainStore = createKeychainStore();
-    const password = keychainStore?.get(brand.macService, brand.macAccount) ?? null;
-    if (!password) {
-      throw new Error(
-        `Unable to read ${brand.macService} from macOS Keychain.`
-      );
+
+    var style = window.getComputedStyle(this);
+    if (
+        style.display === 'none' ||
+        style.visibility === 'hidden' ||
+        Number(style.opacity) === 0
+    ) {
+        return false;
     }
-    const key = (0, import_node_crypto.pbkdf2Sync)(password, KEY_SALT, MAC_KEY_ITERATIONS, KEY_LENGTH, "sha1");
-    return async (row) => decryptChromiumAes128CbcValue(
-      Buffer.from(row.encrypted_value || "", "hex"),
-      key,
-      row.host_key
-    );
-  }
-  if (process.platform === "linux") {
-    const brand = detectChromiumBrand(location);
-    const keychainStore = createKeychainStore();
-    const password = keychainStore?.get(brand.macService, brand.macAccount) ?? brand.linuxApplications.map((application) => keychainStore?.get(application, application) ?? null).find(Boolean) ?? null;
-    const key = (0, import_node_crypto.pbkdf2Sync)(
-      password || "peanuts",
-      KEY_SALT,
-      LINUX_KEY_ITERATIONS,
-      KEY_LENGTH,
-      "sha1"
-    );
-    return async (row) => decryptChromiumAes128CbcValue(
-      Buffer.from(row.encrypted_value || "", "hex"),
-      key,
-      row.host_key
-    );
-  }
-  if (process.platform === "win32") {
-    if (!location.localStatePath) {
-      throw new Error(
-        `Unable to locate Chromium Local State for profile: ${location.profileDir}`
-      );
+
+    return true;
+}`;
+function buildStabilityScript(timeout, settleMs) {
+  return `new Promise(function(resolve) {
+    var deadline = Date.now() + ${timeout};
+    var resolved = false;
+    var timer = null;
+    var observers = [];
+    var observedShadowRoots = [];
+    var fonts = document.fonts;
+    var fontsReady = !fonts || fonts.status === 'loaded';
+    var lastRelevantMutationAt = Date.now();
+
+    function clearObservers() {
+        for (var i = 0; i < observers.length; i++) {
+            observers[i].disconnect();
+        }
+        observers = [];
     }
-    const localState = JSON.parse(
-      await (0, import_promises.readFile)(location.localStatePath, "utf8")
-    );
-    const encryptedKeyBase64 = localState.os_crypt?.encrypted_key;
-    if (!encryptedKeyBase64) {
-      throw new Error(
-        `Local State did not include os_crypt.encrypted_key for ${location.userDataDir}`
-      );
-    }
-    const encryptedKey = Buffer.from(encryptedKeyBase64, "base64");
-    const masterKey = await dpapiUnprotect(encryptedKey.subarray(5));
-    return async (row) => {
-      const encryptedValue = Buffer.from(row.encrypted_value || "", "hex");
-      if (encryptedValue.length > 4 && encryptedValue[0] === 1 && encryptedValue[1] === 0 && encryptedValue[2] === 0 && encryptedValue[3] === 0) {
-        const decrypted = await dpapiUnprotect(encryptedValue);
-        return decrypted.toString("utf8");
-      }
-      return decryptChromiumAes256GcmValue(encryptedValue, masterKey);
-    };
-  }
-  throw new Error(
-    `Local Chromium cookie sync is not supported on ${process.platform}.`
-  );
-}
-function buildPlaywrightCookie(row, value) {
-  if (!row.name.trim()) {
-    return null;
-  }
-  if (!row.host_key.trim()) {
-    return null;
-  }
-  const expires = row.has_expires === 1 ? convertChromiumTimestampToUnixSeconds(row.expires_utc) : -1;
-  if (expires !== -1 && expires <= Math.floor(Date.now() / 1e3)) {
-    return null;
-  }
-  return {
-    name: row.name,
-    value,
-    domain: row.host_key,
-    path: row.path || "/",
-    expires,
-    httpOnly: row.is_httponly === 1,
-    secure: row.is_secure === 1,
-    sameSite: mapChromiumSameSite(row.samesite)
-  };
-}
-async function loadCookiesFromLocalProfileDir(inputPath, options = {}) {
-  const location = await resolveChromiumProfileLocation(inputPath);
-  try {
-    return await loadCookiesFromSqlite(location);
-  } catch (error) {
-    if (!isMissingSqliteBinary(error)) {
-      throw error;
-    }
-  }
-  return await loadCookiesFromBrowserSnapshot(location, options);
-}
-async function loadCookiesFromSqlite(location) {
-  const snapshot = await createSqliteSnapshot(location.cookieDbPath);
-  try {
-    const rows = await querySqliteJson(
-      snapshot.snapshotPath,
-      [
-        "SELECT",
-        "  host_key,",
-        "  name,",
-        "  value,",
-        "  hex(encrypted_value) AS encrypted_value,",
-        "  path,",
-        "  CAST(expires_utc AS TEXT) AS expires_utc,",
-        "  is_secure,",
-        "  is_httponly,",
-        "  has_expires,",
-        "  samesite",
-        "FROM cookies"
-      ].join(" ")
-    );
-    const decryptValue = await buildChromiumDecryptor(location);
-    const cookies = [];
-    for (const row of rows) {
-      let value = row.value || "";
-      if (!value && row.encrypted_value) {
-        value = await decryptValue(row);
-      }
-      const cookie = buildPlaywrightCookie(row, value);
-      if (cookie) {
-        cookies.push(cookie);
-      }
-    }
-    return cookies;
-  } finally {
-    await snapshot.cleanup();
-  }
-}
-async function loadCookiesFromBrowserSnapshot(location, options) {
-  const snapshotRootDir = await (0, import_promises.mkdtemp)((0, import_node_path.join)((0, import_node_os.tmpdir)(), "opensteer-profile-"));
-  const snapshotProfileDir = (0, import_node_path.join)(
-    snapshotRootDir,
-    (0, import_node_path.basename)(location.profileDir)
-  );
-  let context = null;
-  try {
-    await (0, import_promises.cp)(location.profileDir, snapshotProfileDir, {
-      recursive: true
-    });
-    if (location.localStatePath) {
-      await (0, import_promises.copyFile)(location.localStatePath, (0, import_node_path.join)(snapshotRootDir, "Local State"));
-    }
-    const brand = detectChromiumBrand(location);
-    const args = [`--profile-directory=${(0, import_node_path.basename)(snapshotProfileDir)}`];
-    context = await import_playwright.chromium.launchPersistentContext(snapshotRootDir, {
-      channel: brand.playwrightChannel,
-      headless: options.headless ?? true,
-      timeout: options.timeout ?? 12e4,
-      args
-    });
-    return await context.cookies();
-  } finally {
-    await context?.close().catch(() => void 0);
-    await (0, import_promises.rm)(snapshotRootDir, { recursive: true, force: true });
-  }
-}
-function isMissingSqliteBinary(error) {
-  return Boolean(
-    error && typeof error === "object" && "code" in error && error.code === "ENOENT"
-  );
-}
-
-// src/browser/pool.ts
-var BrowserPool = class {
-  browser = null;
-  persistentContext = null;
-  cdpProxy = null;
-  defaults;
-  constructor(defaults = {}) {
-    this.defaults = defaults;
-  }
-  async launch(options = {}) {
-    if (this.browser || this.cdpProxy) {
-      await this.close();
-    }
-    const connectUrl = options.connectUrl ?? this.defaults.connectUrl;
-    const channel = options.channel ?? this.defaults.channel;
-    const profileDir = options.profileDir ?? this.defaults.profileDir;
-    if (connectUrl) {
-      return this.connectToRunning(connectUrl, options.timeout);
-    }
-    if (profileDir) {
-      return this.launchPersistentProfile(options, channel, profileDir);
-    }
-    if (channel) {
-      return this.launchWithChannel(options, channel);
-    }
-    return this.launchSandbox(options);
-  }
-  async close() {
-    const browser = this.browser;
-    const persistentContext = this.persistentContext;
-    this.browser = null;
-    this.persistentContext = null;
-    try {
-      if (persistentContext) {
-        await persistentContext.close();
-      } else if (browser) {
-        await browser.close();
-      }
-    } finally {
-      this.cdpProxy?.close();
-      this.cdpProxy = null;
-    }
-  }
-  async connectToRunning(connectUrl, timeout) {
-    this.cdpProxy?.close();
-    this.cdpProxy = null;
-    let browser = null;
-    try {
-      const { browserWsUrl, targets } = await discoverTargets(connectUrl);
-      if (targets.length === 0) {
-        throw new Error(
-          "No page targets found. Is the browser running with an open window?"
-        );
-      }
-      const target = targets[0];
-      this.cdpProxy = new CDPProxy(browserWsUrl, target.id);
-      const proxyWsUrl = await this.cdpProxy.start();
-      browser = await import_playwright2.chromium.connectOverCDP(proxyWsUrl, {
-        timeout: timeout ?? 3e4
-      });
-      this.browser = browser;
-      this.persistentContext = null;
-      const contexts = browser.contexts();
-      if (contexts.length === 0) {
-        throw new Error(
-          "Connection succeeded but no browser contexts found. Is the browser running with an open window?"
-        );
-      }
-      const context = contexts[0];
-      const pages = context.pages();
-      const page = pages.length > 0 ? pages[0] : await context.newPage();
-      return { browser, context, page, isExternal: true };
-    } catch (error) {
-      if (browser) {
-        await browser.close().catch(() => void 0);
-      }
-      this.browser = null;
-      this.persistentContext = null;
-      this.cdpProxy?.close();
-      this.cdpProxy = null;
-      throw error;
-    }
-  }
-  async launchPersistentProfile(options, channel, profileDir) {
-    const args = [];
-    const launchProfile = resolvePersistentChromiumLaunchProfile(profileDir);
-    if (launchProfile.profileDirectory) {
-      args.push(`--profile-directory=${launchProfile.profileDirectory}`);
-    }
-    const context = await import_playwright2.chromium.launchPersistentContext(
-      launchProfile.userDataDir,
-      {
-        channel,
-        headless: options.headless ?? this.defaults.headless,
-        executablePath: options.executablePath ?? this.defaults.executablePath ?? void 0,
-        slowMo: options.slowMo ?? this.defaults.slowMo ?? 0,
-        timeout: options.timeout,
-        ...options.context || {},
-        args
-      }
-    );
-    const browser = context.browser();
-    if (!browser) {
-      await context.close().catch(() => void 0);
-      throw new Error("Persistent browser launch did not expose a browser instance.");
-    }
-    this.browser = browser;
-    this.persistentContext = context;
-    const pages = context.pages();
-    const page = pages.length > 0 ? pages[0] : await context.newPage();
-    return { browser, context, page, isExternal: false };
-  }
-  async launchWithChannel(options, channel) {
-    const browser = await import_playwright2.chromium.launch({
-      channel,
-      headless: options.headless ?? this.defaults.headless,
-      executablePath: options.executablePath ?? this.defaults.executablePath ?? void 0,
-      slowMo: options.slowMo ?? this.defaults.slowMo ?? 0,
-      timeout: options.timeout
-    });
-    this.browser = browser;
-    this.persistentContext = null;
-    const context = await browser.newContext(options.context || {});
-    const page = await context.newPage();
-    return { browser, context, page, isExternal: false };
-  }
-  async launchSandbox(options) {
-    const browser = await import_playwright2.chromium.launch({
-      headless: options.headless ?? this.defaults.headless,
-      executablePath: options.executablePath ?? this.defaults.executablePath ?? void 0,
-      slowMo: options.slowMo ?? this.defaults.slowMo ?? 0,
-      timeout: options.timeout
-    });
-    const context = await browser.newContext(options.context || {});
-    const page = await context.newPage();
-    this.browser = browser;
-    this.persistentContext = null;
-    return { browser, context, page, isExternal: false };
-  }
-};
-
-// src/navigation.ts
-var DEFAULT_TIMEOUT = 3e4;
-var DEFAULT_SETTLE_MS = 750;
-var FRAME_EVALUATE_GRACE_MS = 200;
-var TRANSIENT_CONTEXT_RETRY_DELAY_MS = 25;
-var STEALTH_WORLD_NAME = "__opensteer_wait__";
-var StealthWaitUnavailableError = class extends Error {
-  constructor(cause) {
-    super("Stealth visual wait requires Chromium CDP support.", { cause });
-    this.name = "StealthWaitUnavailableError";
-  }
-};
-function isStealthWaitUnavailableError(error) {
-  return error instanceof StealthWaitUnavailableError;
-}
-var FRAME_OWNER_VISIBILITY_FUNCTION = `function() {
-    if (!(this instanceof HTMLElement)) return false;
-
-    var rect = this.getBoundingClientRect();
-    if (rect.width <= 0 || rect.height <= 0) return false;
-    if (
-        rect.bottom <= 0 ||
-        rect.right <= 0 ||
-        rect.top >= window.innerHeight ||
-        rect.left >= window.innerWidth
-    ) {
-        return false;
-    }
-
-    var style = window.getComputedStyle(this);
-    if (
-        style.display === 'none' ||
-        style.visibility === 'hidden' ||
-        Number(style.opacity) === 0
-    ) {
-        return false;
-    }
-
-    return true;
-}`;
-function buildStabilityScript(timeout, settleMs) {
-  return `new Promise(function(resolve) {
-    var deadline = Date.now() + ${timeout};
-    var resolved = false;
-    var timer = null;
-    var observers = [];
-    var observedShadowRoots = [];
-    var fonts = document.fonts;
-    var fontsReady = !fonts || fonts.status === 'loaded';
-    var lastRelevantMutationAt = Date.now();
-
-    function clearObservers() {
-        for (var i = 0; i < observers.length; i++) {
-            observers[i].disconnect();
-        }
-        observers = [];
-    }
-
-    function done() {
-        if (resolved) return;
-        resolved = true;
-        if (timer) clearTimeout(timer);
-        if (safetyTimer) clearTimeout(safetyTimer);
-        clearObservers();
-        resolve();
+
+    function done() {
+        if (resolved) return;
+        resolved = true;
+        if (timer) clearTimeout(timer);
+        if (safetyTimer) clearTimeout(safetyTimer);
+        clearObservers();
+        resolve();
     }
 
     function isElementVisiblyIntersectingViewport(element) {
@@ -2694,7 +2573,7 @@ var StealthCdpRuntime = class _StealthCdpRuntime {
           TRANSIENT_CONTEXT_RETRY_DELAY_MS,
           Math.max(0, deadline - Date.now())
         );
-        await sleep(retryDelay);
+        await sleep2(retryDelay);
       }
     }
   }
@@ -2727,7 +2606,7 @@ var StealthCdpRuntime = class _StealthCdpRuntime {
       () => ({ kind: "resolved" }),
       (error) => ({ kind: "rejected", error })
     );
-    const timeoutPromise = sleep(
+    const timeoutPromise = sleep2(
       timeout + FRAME_EVALUATE_GRACE_MS
     ).then(() => ({ kind: "timeout" }));
     const result = await Promise.race([
@@ -2869,14 +2748,14 @@ function isIgnorableFrameError(error) {
   const message = error.message;
   return message.includes("Frame was detached") || message.includes("Target page, context or browser has been closed") || isTransientExecutionContextError(error) || message.includes("No frame for given id found");
 }
-function sleep(ms) {
+function sleep2(ms) {
   return new Promise((resolve) => {
     setTimeout(resolve, ms);
   });
 }
 
 // src/storage/local.ts
-var import_fs2 = __toESM(require("fs"), 1);
+var import_fs3 = __toESM(require("fs"), 1);
 var import_path4 = __toESM(require("path"), 1);
 
 // src/storage/registry.ts
@@ -2920,14 +2799,14 @@ var LocalSelectorStorage = class {
     return import_path4.default.join(this.getNamespaceDir(), this.getSelectorFileName(id));
   }
   ensureDirs() {
-    import_fs2.default.mkdirSync(this.getNamespaceDir(), { recursive: true });
+    import_fs3.default.mkdirSync(this.getNamespaceDir(), { recursive: true });
   }
   loadRegistry() {
     this.ensureDirs();
     const file = this.getRegistryPath();
-    if (!import_fs2.default.existsSync(file)) return createEmptyRegistry(this.namespace);
+    if (!import_fs3.default.existsSync(file)) return createEmptyRegistry(this.namespace);
     try {
-      const raw = import_fs2.default.readFileSync(file, "utf8");
+      const raw = import_fs3.default.readFileSync(file, "utf8");
       return JSON.parse(raw);
     } catch (error) {
       const message = extractErrorMessage(
@@ -2944,16 +2823,16 @@ var LocalSelectorStorage = class {
   }
   saveRegistry(registry) {
     this.ensureDirs();
-    import_fs2.default.writeFileSync(
+    import_fs3.default.writeFileSync(
       this.getRegistryPath(),
       JSON.stringify(registry, null, 2)
     );
   }
   readSelector(id) {
     const file = this.getSelectorPath(id);
-    if (!import_fs2.default.existsSync(file)) return null;
+    if (!import_fs3.default.existsSync(file)) return null;
     try {
-      const raw = import_fs2.default.readFileSync(file, "utf8");
+      const raw = import_fs3.default.readFileSync(file, "utf8");
       return JSON.parse(raw);
     } catch (error) {
       const message = extractErrorMessage(
@@ -2970,15 +2849,15 @@ var LocalSelectorStorage = class {
   }
   writeSelector(payload) {
     this.ensureDirs();
-    import_fs2.default.writeFileSync(
+    import_fs3.default.writeFileSync(
       this.getSelectorPath(payload.id),
       JSON.stringify(payload, null, 2)
     );
   }
   clearNamespace() {
     const dir = this.getNamespaceDir();
-    if (!import_fs2.default.existsSync(dir)) return;
-    import_fs2.default.rmSync(dir, { recursive: true, force: true });
+    if (!import_fs3.default.existsSync(dir)) return;
+    import_fs3.default.rmSync(dir, { recursive: true, force: true });
   }
 };
 
@@ -7422,7 +7301,7 @@ var AdaptiveNetworkTracker = class {
         this.idleSince = 0;
       }
       const remaining = Math.max(1, options.deadline - now);
-      await sleep2(Math.min(NETWORK_POLL_MS, remaining));
+      await sleep3(Math.min(NETWORK_POLL_MS, remaining));
     }
   }
   handleRequestStarted = (request) => {
@@ -7467,7 +7346,7 @@ var AdaptiveNetworkTracker = class {
     return false;
   }
 };
-async function sleep2(ms) {
+async function sleep3(ms) {
   await new Promise((resolve) => {
     setTimeout(resolve, ms);
   });
@@ -8944,15 +8823,15 @@ function withTokenQuery(wsUrl, token) {
 }
 
 // src/cloud/local-cache-sync.ts
-var import_fs3 = __toESM(require("fs"), 1);
+var import_fs4 = __toESM(require("fs"), 1);
 var import_path5 = __toESM(require("path"), 1);
 function collectLocalSelectorCacheEntries(storage, options = {}) {
   const debug = options.debug === true;
   const namespace = storage.getNamespace();
   const namespaceDir = storage.getNamespaceDir();
-  if (!import_fs3.default.existsSync(namespaceDir)) return [];
+  if (!import_fs4.default.existsSync(namespaceDir)) return [];
   const entries = [];
-  const fileNames = import_fs3.default.readdirSync(namespaceDir);
+  const fileNames = import_fs4.default.readdirSync(namespaceDir);
   for (const fileName of fileNames) {
     if (fileName === "index.json" || !fileName.endsWith(".json")) continue;
     const filePath = import_path5.default.join(namespaceDir, fileName);
@@ -8983,7 +8862,7 @@ function collectLocalSelectorCacheEntries(storage, options = {}) {
 }
 function readSelectorFile(filePath, debug) {
   try {
-    const raw = import_fs3.default.readFileSync(filePath, "utf8");
+    const raw = import_fs4.default.readFileSync(filePath, "utf8");
     return JSON.parse(raw);
   } catch (error) {
     const message = extractErrorMessage(
@@ -9078,13 +8957,13 @@ function dedupeNewest(entries) {
 }
 
 // src/cloud/cdp-client.ts
-var import_playwright3 = require("playwright");
+var import_playwright2 = require("playwright");
 var CloudCdpClient = class {
   async connect(args) {
     const endpoint = withTokenQuery2(args.wsUrl, args.token);
     let browser;
     try {
-      browser = await import_playwright3.chromium.connectOverCDP(endpoint);
+      browser = await import_playwright2.chromium.connectOverCDP(endpoint);
     } catch (error) {
       const message = error instanceof Error ? error.message : "Failed to connect to cloud CDP endpoint.";
       throw new OpensteerCloudError("CLOUD_TRANSPORT_ERROR", message);
@@ -10877,7 +10756,7 @@ async function executeAgentAction(page, action) {
     }
     case "wait": {
       const ms = numberOr(action.timeMs, action.time_ms, 1e3);
-      await sleep3(ms);
+      await sleep4(ms);
       return;
     }
     case "goto": {
@@ -11042,7 +10921,7 @@ async function pressKeyCombo(page, combo) {
     }
   }
 }
-function sleep3(ms) {
+function sleep4(ms) {
   return new Promise((resolve) => setTimeout(resolve, Math.max(0, ms)));
 }
 
@@ -11073,7 +10952,7 @@ var OpensteerCuaAgentHandler = class {
       if (isMutatingAgentAction(action)) {
         this.onMutatingAction?.(action);
       }
-      await sleep4(this.config.waitBetweenActionsMs);
+      await sleep5(this.config.waitBetweenActionsMs);
     });
     try {
       const result = await this.client.execute({
@@ -11135,7 +11014,7 @@ var OpensteerCuaAgentHandler = class {
     await this.cursorController.preview({ x, y }, "agent");
   }
 };
-function sleep4(ms) {
+function sleep5(ms) {
   return new Promise((resolve) => setTimeout(resolve, Math.max(0, ms)));
 }
 
@@ -11571,7 +11450,7 @@ var CursorController = class {
       for (const step of motion.points) {
         await this.renderer.move(step, this.style);
         if (motion.stepDelayMs > 0) {
-          await sleep5(motion.stepDelayMs);
+          await sleep6(motion.stepDelayMs);
         }
       }
       if (shouldPulse(intent)) {
@@ -11729,7 +11608,7 @@ function clamp2(value, min, max) {
 function shouldPulse(intent) {
   return intent === "click" || intent === "dblclick" || intent === "rightclick" || intent === "agent";
 }
-function sleep5(ms) {
+function sleep6(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms));
 }
 
@@ -11780,30 +11659,20 @@ var Opensteer = class _Opensteer {
     this.pool = new BrowserPool(resolved.browser || {});
     if (cloudSelection.cloud) {
       const cloudConfig = resolved.cloud && typeof resolved.cloud === "object" ? resolved.cloud : void 0;
-      const apiKey = cloudConfig?.apiKey?.trim();
-      const accessToken = cloudConfig?.accessToken?.trim();
-      if (apiKey && accessToken) {
-        throw new Error(
-          "Cloud mode cannot use both cloud.apiKey and cloud.accessToken. Set only one credential."
-        );
-      }
-      let credential = "";
-      let authScheme = cloudConfig?.authScheme ?? "api-key";
-      if (accessToken) {
-        credential = accessToken;
-        authScheme = "bearer";
-      } else if (apiKey) {
-        credential = apiKey;
-      }
+      const credential = selectCloudCredential({
+        apiKey: cloudConfig?.apiKey,
+        accessToken: cloudConfig?.accessToken,
+        authScheme: cloudConfig?.authScheme
+      });
       if (!credential) {
         throw new Error(
           "Cloud mode requires credentials via cloud.apiKey/cloud.accessToken or OPENSTEER_API_KEY/OPENSTEER_ACCESS_TOKEN."
         );
       }
       this.cloud = createCloudRuntimeState(
-        credential,
+        credential.token,
         cloudConfig?.baseUrl,
-        authScheme
+        credential.authScheme
       );
     } else {
       this.cloud = null;
@@ -12124,9 +11993,11 @@ var Opensteer = class _Opensteer {
     }
     const session = await this.pool.launch({
       ...options,
-      connectUrl: options.connectUrl ?? this.config.browser?.connectUrl,
-      channel: options.channel ?? this.config.browser?.channel,
-      profileDir: options.profileDir ?? this.config.browser?.profileDir
+      mode: options.mode ?? this.config.browser?.mode,
+      cdpUrl: options.cdpUrl ?? this.config.browser?.cdpUrl,
+      userDataDir: options.userDataDir ?? this.config.browser?.userDataDir,
+      profileDirectory: options.profileDirectory ?? this.config.browser?.profileDirectory,
+      executablePath: options.executablePath ?? this.config.browser?.executablePath
     });
     this.browser = session.browser;
     this.contextRef = session.context;
@@ -12157,6 +12028,32 @@ var Opensteer = class _Opensteer {
     instance.snapshotCache = null;
     return instance;
   }
+  static listLocalProfiles(userDataDir) {
+    return listLocalChromeProfiles(userDataDir);
+  }
+  static fromSystemChrome(browser = {}, config = {}) {
+    const chromePaths = detectChromePaths();
+    const executablePath = browser.executablePath ?? config.browser?.executablePath ?? chromePaths.executable ?? void 0;
+    if (!executablePath) {
+      throw new Error(
+        "Chrome was not found. Pass executablePath explicitly or install Chrome in a supported location."
+      );
+    }
+    const userDataDir = browser.userDataDir ?? config.browser?.userDataDir ?? chromePaths.defaultUserDataDir;
+    const autoDetectedProfiles = listLocalChromeProfiles(userDataDir);
+    const profileDirectory = browser.profileDirectory ?? config.browser?.profileDirectory ?? autoDetectedProfiles[0]?.directory ?? "Default";
+    return new _Opensteer({
+      ...config,
+      browser: {
+        ...config.browser || {},
+        mode: "real",
+        headless: browser.headless ?? config.browser?.headless ?? true,
+        executablePath,
+        userDataDir,
+        profileDirectory
+      }
+    });
+  }
   async close() {
     this.snapshotCache = null;
     if (this.cloud) {
@@ -14124,400 +14021,992 @@ var Opensteer = class _Opensteer {
         });
         continue;
       }
-      pathFields.push({
-        key: field.key,
-        path: this.normalizePath(field.path),
-        attribute: field.attribute
+      pathFields.push({
+        key: field.key,
+        path: this.normalizePath(field.path),
+        attribute: field.attribute
+      });
+    }
+    if (currentUrlKeys.length) {
+      const pageUrl = this.page.url();
+      for (const key of currentUrlKeys) {
+        result[key] = pageUrl;
+      }
+    }
+    if (counterRequests.length) {
+      const counterValues = await resolveCountersBatch(this.page, counterRequests);
+      Object.assign(result, counterValues);
+    }
+    if (pathFields.length) {
+      const pathValues = await extractWithPaths(this.page, pathFields);
+      Object.assign(result, pathValues);
+    }
+    return result;
+  }
+  async resolveFieldTargetsToPersistableFields(fields) {
+    const resolved = [];
+    for (const field of fields) {
+      if ("source" in field) {
+        resolved.push({
+          key: field.key,
+          source: "current_url"
+        });
+        continue;
+      }
+      if ("path" in field) {
+        resolved.push({
+          key: field.key,
+          path: this.normalizePath(field.path),
+          attribute: field.attribute
+        });
+        continue;
+      }
+      const path7 = await this.buildPathFromElement(field.counter);
+      if (!path7) {
+        throw new Error(
+          `Unable to persist extraction schema field "${field.key}": counter ${field.counter} could not be converted into a stable element path.`
+        );
+      }
+      resolved.push({
+        key: field.key,
+        path: path7,
+        attribute: field.attribute
+      });
+    }
+    return resolved;
+  }
+  buildActionResult(storageKey, method, persisted, selectorUsed) {
+    return {
+      method,
+      namespace: this.storage.getNamespace(),
+      persisted,
+      pathFile: storageKey && persisted ? this.storage.getSelectorFileName(storageKey) : null,
+      selectorUsed: selectorUsed || null
+    };
+  }
+  resolveStorageKey(description) {
+    if (!description) return null;
+    return (0, import_crypto.createHash)("sha256").update(description).digest("hex").slice(0, 16);
+  }
+  normalizePath(path7) {
+    return sanitizeElementPath(path7);
+  }
+};
+function formatActionFailureMessage(action, description, cause) {
+  const label = description ? `"${description}"` : "unnamed target";
+  return `${action} action failed for ${label}: ${cause}`;
+}
+function cloneContextHops(context) {
+  return JSON.parse(JSON.stringify(context || []));
+}
+function collectIframeContextPrefix(path7) {
+  const context = path7.context || [];
+  let lastIframeIndex = -1;
+  for (let index = 0; index < context.length; index += 1) {
+    if (context[index]?.kind === "iframe") {
+      lastIframeIndex = index;
+    }
+  }
+  if (lastIframeIndex < 0) return [];
+  return cloneContextHops(context.slice(0, lastIframeIndex + 1));
+}
+function measureContextOverlap(indexedPrefix, builtContext) {
+  const maxOverlap = Math.min(indexedPrefix.length, builtContext.length);
+  for (let size = maxOverlap; size > 0; size -= 1) {
+    if (matchesContextPrefix(indexedPrefix, builtContext, size, true)) {
+      return size;
+    }
+  }
+  for (let size = maxOverlap; size > 0; size -= 1) {
+    if (matchesContextPrefix(indexedPrefix, builtContext, size, false)) {
+      return size;
+    }
+  }
+  return 0;
+}
+function matchesContextPrefix(indexedPrefix, builtContext, size, strictHost) {
+  for (let idx = 0; idx < size; idx += 1) {
+    const left = indexedPrefix[indexedPrefix.length - size + idx];
+    const right = builtContext[idx];
+    if (left.kind !== right.kind) {
+      return false;
+    }
+    if (strictHost && JSON.stringify(left.host) !== JSON.stringify(right.host)) {
+      return false;
+    }
+  }
+  return true;
+}
+function normalizeSchemaValue(value) {
+  if (!value) return null;
+  if (typeof value !== "object" || Array.isArray(value)) {
+    return null;
+  }
+  const field = value;
+  return {
+    element: field.element,
+    selector: field.selector,
+    attribute: field.attribute,
+    source: normalizeExtractSource(field.source)
+  };
+}
+function normalizeExtractSource(source) {
+  if (typeof source !== "string") return void 0;
+  const normalized = source.trim().toLowerCase();
+  if (normalized === "current_url") return "current_url";
+  return void 0;
+}
+function computeSchemaHash(schema) {
+  const stable = stableStringify(schema);
+  return (0, import_crypto.createHash)("sha256").update(stable).digest("hex");
+}
+function buildPathMap(fields) {
+  const out = {};
+  for (const field of fields) {
+    out[field.key] = cloneElementPath(field.path);
+  }
+  return out;
+}
+function toPathFields(fields) {
+  return fields.filter(isPersistablePathField).map((field) => ({
+    key: field.key,
+    path: field.path,
+    attribute: field.attribute
+  }));
+}
+function normalizePersistedExtractPayload(raw) {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    throw new Error(
+      "Invalid persisted extraction payload: expected an object payload."
+    );
+  }
+  const root = {};
+  for (const [key, value] of Object.entries(raw)) {
+    const normalizedKey = String(key || "").trim();
+    if (!normalizedKey) continue;
+    if (normalizedKey.startsWith("$")) {
+      throw new Error(
+        `Invalid persisted extraction payload key "${normalizedKey}": root keys must not start with "$".`
+      );
+    }
+    root[normalizedKey] = normalizePersistedExtractNode(
+      value,
+      normalizedKey
+    );
+  }
+  return root;
+}
+function normalizePersistedExtractNode(raw, label) {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    throw new Error(
+      `Invalid persisted extraction node at "${label}": expected an object.`
+    );
+  }
+  const record = raw;
+  if (record.$path) {
+    if (typeof record.$path !== "object") {
+      throw new Error(
+        `Invalid persisted extraction value node at "${label}": "$path" must be an element path object.`
+      );
+    }
+    return {
+      $path: sanitizeElementPath(record.$path),
+      attribute: typeof record.attribute === "string" ? record.attribute : void 0
+    };
+  }
+  if (record.$source != null) {
+    const source = normalizeExtractSource(record.$source);
+    if (!source) {
+      throw new Error(
+        `Invalid persisted extraction source node at "${label}": unsupported "$source" value.`
+      );
+    }
+    return {
+      $source: source
+    };
+  }
+  if (record.$array) {
+    if (!record.$array || typeof record.$array !== "object" || Array.isArray(record.$array)) {
+      throw new Error(
+        `Invalid persisted extraction array node at "${label}": "$array" must be an object.`
+      );
+    }
+    const arrayRecord = record.$array;
+    if (arrayRecord.itemParentPath !== void 0 || arrayRecord.item !== void 0) {
+      throw new Error(
+        `Legacy persisted extraction array format detected at "${label}". Clear cached selectors in .opensteer/selectors/<namespace> and rerun extraction.`
+      );
+    }
+    if (!Array.isArray(arrayRecord.variants) || !arrayRecord.variants.length) {
+      throw new Error(
+        `Invalid persisted extraction array node at "${label}": variants must be a non-empty array.`
+      );
+    }
+    const variants = arrayRecord.variants.map((variantRaw, index) => {
+      if (!variantRaw || typeof variantRaw !== "object" || Array.isArray(variantRaw)) {
+        throw new Error(
+          `Invalid persisted extraction array variant at "${label}"[${index}]: expected an object.`
+        );
+      }
+      const variant = variantRaw;
+      if (!variant.itemParentPath || typeof variant.itemParentPath !== "object") {
+        throw new Error(
+          `Invalid persisted extraction array variant at "${label}"[${index}]: itemParentPath is required.`
+        );
+      }
+      if (!variant.item || typeof variant.item !== "object" || Array.isArray(variant.item)) {
+        throw new Error(
+          `Invalid persisted extraction array variant at "${label}"[${index}]: item is required.`
+        );
+      }
+      return {
+        itemParentPath: sanitizeElementPath(
+          variant.itemParentPath
+        ),
+        item: normalizePersistedExtractNode(
+          variant.item,
+          `${label}[${index}]`
+        )
+      };
+    });
+    return {
+      $array: {
+        variants
+      }
+    };
+  }
+  const objectNode = {};
+  for (const [key, value] of Object.entries(record)) {
+    const normalizedKey = String(key || "").trim();
+    if (!normalizedKey) continue;
+    if (normalizedKey.startsWith("$")) {
+      throw new Error(
+        `Invalid persisted extraction node at "${label}": unexpected reserved key "${normalizedKey}".`
+      );
+    }
+    objectNode[normalizedKey] = normalizePersistedExtractNode(
+      value,
+      `${label}.${normalizedKey}`
+    );
+  }
+  return objectNode;
+}
+function computeArrayRowCoverage(value, flat) {
+  if (isPrimitiveLike(value)) {
+    return value == null ? 0 : 1;
+  }
+  const flatCoverage = Object.values(flat).reduce((sum, current) => {
+    return current == null ? sum : sum + 1;
+  }, 0);
+  if (flatCoverage > 0) return flatCoverage;
+  return countNonNullLeaves(value);
+}
+function countNonNullLeaves(value) {
+  if (value == null) return 0;
+  if (Array.isArray(value)) {
+    return value.reduce(
+      (sum, current) => sum + countNonNullLeaves(current),
+      0
+    );
+  }
+  if (typeof value === "object") {
+    return Object.values(value).reduce(
+      (sum, current) => sum + countNonNullLeaves(current),
+      0
+    );
+  }
+  return 1;
+}
+function isPrimitiveLike(value) {
+  return value == null || typeof value === "string" || typeof value === "number" || typeof value === "boolean";
+}
+function assertValidExtractSchemaRoot(schema) {
+  if (!schema || typeof schema !== "object") {
+    throw new Error(
+      "Invalid extraction schema: expected a JSON object at the top level."
+    );
+  }
+  if (Array.isArray(schema)) {
+    throw new Error(
+      'Invalid extraction schema: top-level arrays are not supported. Wrap array fields in an object (for example {"items":[...]}).'
+    );
+  }
+}
+function parseAiExtractResponse(response) {
+  if (typeof response === "string") {
+    const trimmed = stripCodeFence2(response);
+    try {
+      return JSON.parse(trimmed);
+    } catch {
+      const preview = summarizeForError(trimmed);
+      throw new Error(
+        `LLM extraction returned a non-JSON response.${preview ? ` Preview: "${preview}"` : ""}`
+      );
+    }
+  }
+  if (response && typeof response === "object") {
+    const candidate = response;
+    if (candidate.fields || candidate.paths || candidate.data !== void 0) {
+      return candidate;
+    }
+  }
+  return {
+    data: response
+  };
+}
+function stripCodeFence2(input) {
+  const trimmed = input.trim();
+  if (!trimmed.startsWith("```")) return trimmed;
+  const firstBreak = trimmed.indexOf("\n");
+  if (firstBreak === -1) {
+    return trimmed.replace(/```/g, "").trim();
+  }
+  const withoutHeader = trimmed.slice(firstBreak + 1);
+  const lastFence = withoutHeader.lastIndexOf("```");
+  if (lastFence === -1) return withoutHeader.trim();
+  return withoutHeader.slice(0, lastFence).trim();
+}
+function summarizeForError(input, maxLength = 180) {
+  const compact = input.replace(/\s+/g, " ").trim();
+  if (!compact) return "";
+  if (compact.length <= maxLength) return compact;
+  return `${compact.slice(0, maxLength)}...`;
+}
+function getScrollDelta2(options) {
+  const amount = typeof options.amount === "number" ? options.amount : 600;
+  const absoluteAmount = Math.abs(amount);
+  switch (options.direction) {
+    case "up":
+      return { x: 0, y: -absoluteAmount };
+    case "left":
+      return { x: -absoluteAmount, y: 0 };
+    case "right":
+      return { x: absoluteAmount, y: 0 };
+    case "down":
+    default:
+      return { x: 0, y: absoluteAmount };
+  }
+}
+function isInternalOrBlankPageUrl(url) {
+  if (!url) return true;
+  if (url === "about:blank") return true;
+  return url.startsWith("chrome://") || url.startsWith("devtools://") || url.startsWith("edge://");
+}
+function normalizeCloudBrowserProfilePreference(value, source) {
+  if (!value) {
+    return void 0;
+  }
+  const profileId = typeof value.profileId === "string" ? value.profileId.trim() : "";
+  if (!profileId) {
+    throw new Error(
+      `Invalid cloud browser profile in ${source}: profileId must be a non-empty string.`
+    );
+  }
+  if (value.reuseIfActive !== void 0 && typeof value.reuseIfActive !== "boolean") {
+    throw new Error(
+      `Invalid cloud browser profile in ${source}: reuseIfActive must be a boolean.`
+    );
+  }
+  return {
+    profileId,
+    reuseIfActive: value.reuseIfActive
+  };
+}
+function buildLocalRunId(namespace) {
+  const normalized = namespace.trim() || "default";
+  return `${normalized}-${Date.now().toString(36)}-${(0, import_crypto.randomUUID)().slice(0, 8)}`;
+}
+
+// src/browser/chromium-profile.ts
+var import_node_util = require("util");
+var import_node_child_process3 = require("child_process");
+var import_node_crypto = require("crypto");
+var import_promises3 = require("fs/promises");
+var import_node_fs2 = require("fs");
+var import_node_path2 = require("path");
+var import_node_os2 = require("os");
+var import_playwright3 = require("playwright");
+
+// src/auth/keychain-store.ts
+var import_node_child_process2 = require("child_process");
+function commandExists(command) {
+  const result = (0, import_node_child_process2.spawnSync)(command, ["--help"], {
+    encoding: "utf8",
+    stdio: "ignore"
+  });
+  return result.error == null;
+}
+function commandFailed(result) {
+  return typeof result.status === "number" && result.status !== 0;
+}
+function sanitizeCommandArgs(command, args) {
+  if (command !== "security") {
+    return args;
+  }
+  const sanitized = [];
+  for (let index = 0; index < args.length; index += 1) {
+    const value = args[index];
+    sanitized.push(value);
+    if (value === "-w" && index + 1 < args.length) {
+      sanitized.push("[REDACTED]");
+      index += 1;
+    }
+  }
+  return sanitized;
+}
+function buildCommandError(command, args, result) {
+  const stderr = typeof result.stderr === "string" && result.stderr.trim() ? result.stderr.trim() : `Command "${command}" failed with status ${String(result.status)}.`;
+  const sanitizedArgs = sanitizeCommandArgs(command, args);
+  return new Error(
+    [
+      `Unable to persist credential via ${command}.`,
+      `${command} ${sanitizedArgs.join(" ")}`,
+      stderr
+    ].join(" ")
+  );
+}
+function createMacosSecurityStore() {
+  return {
+    backend: "macos-security",
+    get(service, account) {
+      const result = (0, import_node_child_process2.spawnSync)(
+        "security",
+        ["find-generic-password", "-s", service, "-a", account, "-w"],
+        { encoding: "utf8" }
+      );
+      if (commandFailed(result)) {
+        return null;
+      }
+      const secret = result.stdout.trim();
+      return secret.length ? secret : null;
+    },
+    set(service, account, secret) {
+      const args = [
+        "add-generic-password",
+        "-U",
+        "-s",
+        service,
+        "-a",
+        account,
+        "-w",
+        secret
+      ];
+      const result = (0, import_node_child_process2.spawnSync)("security", args, { encoding: "utf8" });
+      if (commandFailed(result)) {
+        throw buildCommandError("security", args, result);
+      }
+    },
+    delete(service, account) {
+      const args = ["delete-generic-password", "-s", service, "-a", account];
+      const result = (0, import_node_child_process2.spawnSync)("security", args, { encoding: "utf8" });
+      if (commandFailed(result)) {
+        return;
+      }
+    }
+  };
+}
+function createLinuxSecretToolStore() {
+  return {
+    backend: "linux-secret-tool",
+    get(service, account) {
+      const result = (0, import_node_child_process2.spawnSync)(
+        "secret-tool",
+        ["lookup", "service", service, "account", account],
+        {
+          encoding: "utf8"
+        }
+      );
+      if (commandFailed(result)) {
+        return null;
+      }
+      const secret = result.stdout.trim();
+      return secret.length ? secret : null;
+    },
+    set(service, account, secret) {
+      const args = [
+        "store",
+        "--label",
+        "Opensteer CLI",
+        "service",
+        service,
+        "account",
+        account
+      ];
+      const result = (0, import_node_child_process2.spawnSync)("secret-tool", args, {
+        encoding: "utf8",
+        input: secret
       });
-    }
-    if (currentUrlKeys.length) {
-      const pageUrl = this.page.url();
-      for (const key of currentUrlKeys) {
-        result[key] = pageUrl;
+      if (commandFailed(result)) {
+        throw buildCommandError("secret-tool", args, result);
       }
+    },
+    delete(service, account) {
+      const args = ["clear", "service", service, "account", account];
+      (0, import_node_child_process2.spawnSync)("secret-tool", args, {
+        encoding: "utf8"
+      });
     }
-    if (counterRequests.length) {
-      const counterValues = await resolveCountersBatch(this.page, counterRequests);
-      Object.assign(result, counterValues);
-    }
-    if (pathFields.length) {
-      const pathValues = await extractWithPaths(this.page, pathFields);
-      Object.assign(result, pathValues);
+  };
+}
+function createKeychainStore() {
+  if (process.platform === "darwin") {
+    if (!commandExists("security")) {
+      return null;
     }
-    return result;
+    return createMacosSecurityStore();
   }
-  async resolveFieldTargetsToPersistableFields(fields) {
-    const resolved = [];
-    for (const field of fields) {
-      if ("source" in field) {
-        resolved.push({
-          key: field.key,
-          source: "current_url"
-        });
-        continue;
-      }
-      if ("path" in field) {
-        resolved.push({
-          key: field.key,
-          path: this.normalizePath(field.path),
-          attribute: field.attribute
-        });
-        continue;
-      }
-      const path7 = await this.buildPathFromElement(field.counter);
-      if (!path7) {
-        throw new Error(
-          `Unable to persist extraction schema field "${field.key}": counter ${field.counter} could not be converted into a stable element path.`
-        );
-      }
-      resolved.push({
-        key: field.key,
-        path: path7,
-        attribute: field.attribute
-      });
+  if (process.platform === "linux") {
+    if (!commandExists("secret-tool")) {
+      return null;
     }
-    return resolved;
-  }
-  buildActionResult(storageKey, method, persisted, selectorUsed) {
-    return {
-      method,
-      namespace: this.storage.getNamespace(),
-      persisted,
-      pathFile: storageKey && persisted ? this.storage.getSelectorFileName(storageKey) : null,
-      selectorUsed: selectorUsed || null
-    };
-  }
-  resolveStorageKey(description) {
-    if (!description) return null;
-    return (0, import_crypto.createHash)("sha256").update(description).digest("hex").slice(0, 16);
-  }
-  normalizePath(path7) {
-    return sanitizeElementPath(path7);
+    return createLinuxSecretToolStore();
   }
-};
-function formatActionFailureMessage(action, description, cause) {
-  const label = description ? `"${description}"` : "unnamed target";
-  return `${action} action failed for ${label}: ${cause}`;
-}
-function cloneContextHops(context) {
-  return JSON.parse(JSON.stringify(context || []));
+  return null;
 }
-function collectIframeContextPrefix(path7) {
-  const context = path7.context || [];
-  let lastIframeIndex = -1;
-  for (let index = 0; index < context.length; index += 1) {
-    if (context[index]?.kind === "iframe") {
-      lastIframeIndex = index;
+
+// src/browser/chromium-profile.ts
+var execFileAsync = (0, import_node_util.promisify)(import_node_child_process3.execFile);
+var CHROMIUM_EPOCH_MICROS = 11644473600000000n;
+var AES_BLOCK_BYTES = 16;
+var MAC_KEY_ITERATIONS = 1003;
+var LINUX_KEY_ITERATIONS = 1;
+var KEY_LENGTH = 16;
+var KEY_SALT = "saltysalt";
+var DEFAULT_CHROMIUM_BRAND = {
+  macService: "Chrome Safe Storage",
+  macAccount: "Chrome",
+  linuxApplications: ["chrome", "google-chrome"]
+};
+var CHROMIUM_BRANDS = [
+  {
+    match: ["bravesoftware", "brave-browser"],
+    brand: {
+      macService: "Brave Safe Storage",
+      macAccount: "Brave",
+      linuxApplications: ["brave-browser", "brave"]
     }
-  }
-  if (lastIframeIndex < 0) return [];
-  return cloneContextHops(context.slice(0, lastIframeIndex + 1));
-}
-function measureContextOverlap(indexedPrefix, builtContext) {
-  const maxOverlap = Math.min(indexedPrefix.length, builtContext.length);
-  for (let size = maxOverlap; size > 0; size -= 1) {
-    if (matchesContextPrefix(indexedPrefix, builtContext, size, true)) {
-      return size;
+  },
+  {
+    match: ["microsoft", "edge"],
+    brand: {
+      macService: "Microsoft Edge Safe Storage",
+      macAccount: "Microsoft Edge",
+      linuxApplications: ["microsoft-edge"],
+      playwrightChannel: "msedge"
     }
-  }
-  for (let size = maxOverlap; size > 0; size -= 1) {
-    if (matchesContextPrefix(indexedPrefix, builtContext, size, false)) {
-      return size;
+  },
+  {
+    match: ["google", "chrome beta"],
+    brand: {
+      macService: "Chrome Beta Safe Storage",
+      macAccount: "Chrome Beta",
+      linuxApplications: ["chrome-beta"],
+      playwrightChannel: "chrome-beta"
     }
-  }
-  return 0;
-}
-function matchesContextPrefix(indexedPrefix, builtContext, size, strictHost) {
-  for (let idx = 0; idx < size; idx += 1) {
-    const left = indexedPrefix[indexedPrefix.length - size + idx];
-    const right = builtContext[idx];
-    if (left.kind !== right.kind) {
-      return false;
+  },
+  {
+    match: ["google", "chrome"],
+    brand: {
+      macService: "Chrome Safe Storage",
+      macAccount: "Chrome",
+      linuxApplications: ["chrome", "google-chrome"],
+      playwrightChannel: "chrome"
     }
-    if (strictHost && JSON.stringify(left.host) !== JSON.stringify(right.host)) {
-      return false;
+  },
+  {
+    match: ["chromium"],
+    brand: {
+      macService: "Chromium Safe Storage",
+      macAccount: "Chromium",
+      linuxApplications: ["chromium"]
     }
   }
-  return true;
+];
+function directoryExists(filePath) {
+  try {
+    return (0, import_node_fs2.statSync)(filePath).isDirectory();
+  } catch {
+    return false;
+  }
 }
-function normalizeSchemaValue(value) {
-  if (!value) return null;
-  if (typeof value !== "object" || Array.isArray(value)) {
-    return null;
+function fileExists(filePath) {
+  try {
+    return (0, import_node_fs2.statSync)(filePath).isFile();
+  } catch {
+    return false;
   }
-  const field = value;
-  return {
-    element: field.element,
-    selector: field.selector,
-    attribute: field.attribute,
-    source: normalizeExtractSource(field.source)
-  };
 }
-function normalizeExtractSource(source) {
-  if (typeof source !== "string") return void 0;
-  const normalized = source.trim().toLowerCase();
-  if (normalized === "current_url") return "current_url";
-  return void 0;
+function resolveCookieDbPath(profileDir) {
+  const candidates = [(0, import_node_path2.join)(profileDir, "Network", "Cookies"), (0, import_node_path2.join)(profileDir, "Cookies")];
+  for (const candidate of candidates) {
+    if (fileExists(candidate)) {
+      return candidate;
+    }
+  }
+  return null;
 }
-function computeSchemaHash(schema) {
-  const stable = stableStringify(schema);
-  return (0, import_crypto.createHash)("sha256").update(stable).digest("hex");
+async function selectProfileDirFromUserDataDir(userDataDir) {
+  const entries = await (0, import_promises3.readdir)(userDataDir, {
+    withFileTypes: true
+  }).catch(() => []);
+  const candidates = entries.filter((entry) => entry.isDirectory()).map((entry) => (0, import_node_path2.join)(userDataDir, entry.name)).filter((entryPath) => resolveCookieDbPath(entryPath));
+  return candidates;
 }
-function buildPathMap(fields) {
-  const out = {};
-  for (const field of fields) {
-    out[field.key] = cloneElementPath(field.path);
+async function resolveChromiumProfileLocation(inputPath) {
+  const expandedPath = expandHome(inputPath.trim());
+  if (!expandedPath) {
+    throw new Error("Profile path cannot be empty.");
+  }
+  if (fileExists(expandedPath) && (0, import_node_path2.basename)(expandedPath) === "Cookies") {
+    const directParent = (0, import_node_path2.dirname)(expandedPath);
+    const profileDir = (0, import_node_path2.basename)(directParent) === "Network" ? (0, import_node_path2.dirname)(directParent) : directParent;
+    const userDataDir = (0, import_node_path2.dirname)(profileDir);
+    return {
+      userDataDir,
+      profileDir,
+      profileDirectory: (0, import_node_path2.basename)(profileDir),
+      cookieDbPath: expandedPath,
+      localStatePath: fileExists((0, import_node_path2.join)(userDataDir, "Local State")) ? (0, import_node_path2.join)(userDataDir, "Local State") : null
+    };
+  }
+  if (fileExists(expandedPath)) {
+    throw new Error(
+      `Unsupported profile source "${inputPath}". Pass a Chromium profile directory, user-data dir, or Cookies database path.`
+    );
+  }
+  if (!directoryExists(expandedPath)) {
+    throw new Error(
+      `Could not find a Chromium profile at "${inputPath}".`
+    );
+  }
+  const directCookieDb = resolveCookieDbPath(expandedPath);
+  if (directCookieDb) {
+    const userDataDir = (0, import_node_path2.dirname)(expandedPath);
+    return {
+      userDataDir,
+      profileDir: expandedPath,
+      profileDirectory: (0, import_node_path2.basename)(expandedPath),
+      cookieDbPath: directCookieDb,
+      localStatePath: fileExists((0, import_node_path2.join)(userDataDir, "Local State")) ? (0, import_node_path2.join)(userDataDir, "Local State") : null
+    };
   }
-  return out;
-}
-function toPathFields(fields) {
-  return fields.filter(isPersistablePathField).map((field) => ({
-    key: field.key,
-    path: field.path,
-    attribute: field.attribute
-  }));
-}
-function normalizePersistedExtractPayload(raw) {
-  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+  const localStatePath = (0, import_node_path2.join)(expandedPath, "Local State");
+  if (!fileExists(localStatePath)) {
     throw new Error(
-      "Invalid persisted extraction payload: expected an object payload."
+      `Unsupported profile source "${inputPath}". Pass a Chromium profile directory, user-data dir, or Cookies database path.`
     );
   }
-  const root = {};
-  for (const [key, value] of Object.entries(raw)) {
-    const normalizedKey = String(key || "").trim();
-    if (!normalizedKey) continue;
-    if (normalizedKey.startsWith("$")) {
-      throw new Error(
-        `Invalid persisted extraction payload key "${normalizedKey}": root keys must not start with "$".`
-      );
-    }
-    root[normalizedKey] = normalizePersistedExtractNode(
-      value,
-      normalizedKey
+  const profileDirs = await selectProfileDirFromUserDataDir(expandedPath);
+  if (profileDirs.length === 0) {
+    throw new Error(
+      `No Chromium profile with a Cookies database was found under "${inputPath}".`
     );
   }
-  return root;
-}
-function normalizePersistedExtractNode(raw, label) {
-  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+  if (profileDirs.length > 1) {
+    const candidates = profileDirs.map((entry) => (0, import_node_path2.basename)(entry)).join(", ");
     throw new Error(
-      `Invalid persisted extraction node at "${label}": expected an object.`
+      `"${inputPath}" contains multiple Chromium profiles (${candidates}). Pass a specific profile directory such as "${profileDirs[0]}".`
     );
   }
-  const record = raw;
-  if (record.$path) {
-    if (typeof record.$path !== "object") {
-      throw new Error(
-        `Invalid persisted extraction value node at "${label}": "$path" must be an element path object.`
-      );
-    }
-    return {
-      $path: sanitizeElementPath(record.$path),
-      attribute: typeof record.attribute === "string" ? record.attribute : void 0
-    };
+  const selectedProfileDir = profileDirs[0];
+  const cookieDbPath = resolveCookieDbPath(selectedProfileDir);
+  if (!cookieDbPath) {
+    throw new Error(
+      `No Chromium Cookies database was found for "${inputPath}".`
+    );
   }
-  if (record.$source != null) {
-    const source = normalizeExtractSource(record.$source);
-    if (!source) {
-      throw new Error(
-        `Invalid persisted extraction source node at "${label}": unsupported "$source" value.`
-      );
+  return {
+    userDataDir: expandedPath,
+    profileDir: selectedProfileDir,
+    profileDirectory: (0, import_node_path2.basename)(selectedProfileDir),
+    cookieDbPath,
+    localStatePath
+  };
+}
+function detectChromiumBrand(location) {
+  const normalizedPath = location.userDataDir.toLowerCase();
+  for (const candidate of CHROMIUM_BRANDS) {
+    if (candidate.match.every((fragment) => normalizedPath.includes(fragment))) {
+      return candidate.brand;
     }
-    return {
-      $source: source
-    };
   }
-  if (record.$array) {
-    if (!record.$array || typeof record.$array !== "object" || Array.isArray(record.$array)) {
-      throw new Error(
-        `Invalid persisted extraction array node at "${label}": "$array" must be an object.`
-      );
-    }
-    const arrayRecord = record.$array;
-    if (arrayRecord.itemParentPath !== void 0 || arrayRecord.item !== void 0) {
-      throw new Error(
-        `Legacy persisted extraction array format detected at "${label}". Clear cached selectors in .opensteer/selectors/<namespace> and rerun extraction.`
-      );
-    }
-    if (!Array.isArray(arrayRecord.variants) || !arrayRecord.variants.length) {
-      throw new Error(
-        `Invalid persisted extraction array node at "${label}": variants must be a non-empty array.`
-      );
+  return DEFAULT_CHROMIUM_BRAND;
+}
+async function createSqliteSnapshot(dbPath) {
+  const snapshotDir = await (0, import_promises3.mkdtemp)((0, import_node_path2.join)((0, import_node_os2.tmpdir)(), "opensteer-cookie-db-"));
+  const snapshotPath = (0, import_node_path2.join)(snapshotDir, "Cookies");
+  await (0, import_promises3.copyFile)(dbPath, snapshotPath);
+  for (const suffix of ["-wal", "-shm", "-journal"]) {
+    const source = `${dbPath}${suffix}`;
+    if (!(0, import_node_fs2.existsSync)(source)) {
+      continue;
     }
-    const variants = arrayRecord.variants.map((variantRaw, index) => {
-      if (!variantRaw || typeof variantRaw !== "object" || Array.isArray(variantRaw)) {
-        throw new Error(
-          `Invalid persisted extraction array variant at "${label}"[${index}]: expected an object.`
-        );
-      }
-      const variant = variantRaw;
-      if (!variant.itemParentPath || typeof variant.itemParentPath !== "object") {
-        throw new Error(
-          `Invalid persisted extraction array variant at "${label}"[${index}]: itemParentPath is required.`
-        );
-      }
-      if (!variant.item || typeof variant.item !== "object" || Array.isArray(variant.item)) {
-        throw new Error(
-          `Invalid persisted extraction array variant at "${label}"[${index}]: item is required.`
-        );
-      }
-      return {
-        itemParentPath: sanitizeElementPath(
-          variant.itemParentPath
-        ),
-        item: normalizePersistedExtractNode(
-          variant.item,
-          `${label}[${index}]`
-        )
-      };
-    });
-    return {
-      $array: {
-        variants
-      }
-    };
+    await (0, import_promises3.copyFile)(source, `${snapshotPath}${suffix}`);
   }
-  const objectNode = {};
-  for (const [key, value] of Object.entries(record)) {
-    const normalizedKey = String(key || "").trim();
-    if (!normalizedKey) continue;
-    if (normalizedKey.startsWith("$")) {
-      throw new Error(
-        `Invalid persisted extraction node at "${label}": unexpected reserved key "${normalizedKey}".`
-      );
+  return {
+    snapshotPath,
+    cleanup: async () => {
+      await (0, import_promises3.rm)(snapshotDir, { recursive: true, force: true });
     }
-    objectNode[normalizedKey] = normalizePersistedExtractNode(
-      value,
-      `${label}.${normalizedKey}`
-    );
+  };
+}
+async function querySqliteJson(dbPath, query) {
+  const result = await execFileAsync("sqlite3", ["-json", dbPath, query], {
+    encoding: "utf8",
+    maxBuffer: 64 * 1024 * 1024
+  });
+  const stdout = result.stdout;
+  const trimmed = stdout.trim();
+  if (!trimmed) {
+    return [];
   }
-  return objectNode;
+  return JSON.parse(trimmed);
 }
-function computeArrayRowCoverage(value, flat) {
-  if (isPrimitiveLike(value)) {
-    return value == null ? 0 : 1;
+function convertChromiumTimestampToUnixSeconds(value) {
+  if (!value || value === "0") {
+    return -1;
   }
-  const flatCoverage = Object.values(flat).reduce((sum, current) => {
-    return current == null ? sum : sum + 1;
-  }, 0);
-  if (flatCoverage > 0) return flatCoverage;
-  return countNonNullLeaves(value);
+  const micros = BigInt(value);
+  if (micros <= CHROMIUM_EPOCH_MICROS) {
+    return -1;
+  }
+  return Number((micros - CHROMIUM_EPOCH_MICROS) / 1000000n);
 }
-function countNonNullLeaves(value) {
-  if (value == null) return 0;
-  if (Array.isArray(value)) {
-    return value.reduce(
-      (sum, current) => sum + countNonNullLeaves(current),
-      0
+function mapChromiumSameSite(value) {
+  if (value === 2) {
+    return "Strict";
+  }
+  if (value === 0) {
+    return "None";
+  }
+  return "Lax";
+}
+function stripChromiumPadding(buffer) {
+  const paddingLength = buffer[buffer.length - 1];
+  if (paddingLength <= 0 || paddingLength > AES_BLOCK_BYTES) {
+    return buffer;
+  }
+  return buffer.subarray(0, buffer.length - paddingLength);
+}
+function stripDomainHashPrefix(buffer, hostKey) {
+  if (buffer.length < 32) {
+    return buffer;
+  }
+  const domainHash = (0, import_node_crypto.createHash)("sha256").update(hostKey, "utf8").digest();
+  if (buffer.subarray(0, 32).equals(domainHash)) {
+    return buffer.subarray(32);
+  }
+  return buffer;
+}
+function decryptChromiumAes128CbcValue(encryptedValue, key, hostKey) {
+  const ciphertext = encryptedValue.length > 3 && encryptedValue[0] === 118 && encryptedValue[1] === 49 && (encryptedValue[2] === 48 || encryptedValue[2] === 49) ? encryptedValue.subarray(3) : encryptedValue;
+  const iv = Buffer.alloc(AES_BLOCK_BYTES, " ");
+  const decipher = (0, import_node_crypto.createDecipheriv)("aes-128-cbc", key, iv);
+  const plaintext = Buffer.concat([
+    decipher.update(ciphertext),
+    decipher.final()
+  ]);
+  return stripDomainHashPrefix(stripChromiumPadding(plaintext), hostKey).toString(
+    "utf8"
+  );
+}
+function decryptChromiumAes256GcmValue(encryptedValue, key) {
+  const nonce = encryptedValue.subarray(3, 15);
+  const ciphertext = encryptedValue.subarray(15, encryptedValue.length - 16);
+  const authTag = encryptedValue.subarray(encryptedValue.length - 16);
+  const decipher = (0, import_node_crypto.createDecipheriv)("aes-256-gcm", key, nonce);
+  decipher.setAuthTag(authTag);
+  return Buffer.concat([
+    decipher.update(ciphertext),
+    decipher.final()
+  ]).toString("utf8");
+}
+async function dpapiUnprotect(buffer) {
+  const script = [
+    `$inputBytes = [Convert]::FromBase64String('${buffer.toString("base64")}')`,
+    "$plainBytes = [System.Security.Cryptography.ProtectedData]::Unprotect(",
+    "  $inputBytes,",
+    "  $null,",
+    "  [System.Security.Cryptography.DataProtectionScope]::CurrentUser",
+    ")",
+    "[Convert]::ToBase64String($plainBytes)"
+  ].join("\n");
+  const { stdout } = await execFileAsync(
+    "powershell.exe",
+    ["-NoProfile", "-NonInteractive", "-Command", script],
+    {
+      encoding: "utf8",
+      maxBuffer: 8 * 1024 * 1024
+    }
+  );
+  return Buffer.from(stdout.trim(), "base64");
+}
+async function buildChromiumDecryptor(location) {
+  if (process.platform === "darwin") {
+    const brand = detectChromiumBrand(location);
+    const keychainStore = createKeychainStore();
+    const password = keychainStore?.get(brand.macService, brand.macAccount) ?? null;
+    if (!password) {
+      throw new Error(
+        `Unable to read ${brand.macService} from macOS Keychain.`
+      );
+    }
+    const key = (0, import_node_crypto.pbkdf2Sync)(password, KEY_SALT, MAC_KEY_ITERATIONS, KEY_LENGTH, "sha1");
+    return async (row) => decryptChromiumAes128CbcValue(
+      Buffer.from(row.encrypted_value || "", "hex"),
+      key,
+      row.host_key
     );
   }
-  if (typeof value === "object") {
-    return Object.values(value).reduce(
-      (sum, current) => sum + countNonNullLeaves(current),
-      0
+  if (process.platform === "linux") {
+    const brand = detectChromiumBrand(location);
+    const keychainStore = createKeychainStore();
+    const password = keychainStore?.get(brand.macService, brand.macAccount) ?? brand.linuxApplications.map((application) => keychainStore?.get(application, application) ?? null).find(Boolean) ?? null;
+    const key = (0, import_node_crypto.pbkdf2Sync)(
+      password || "peanuts",
+      KEY_SALT,
+      LINUX_KEY_ITERATIONS,
+      KEY_LENGTH,
+      "sha1"
     );
-  }
-  return 1;
-}
-function isPrimitiveLike(value) {
-  return value == null || typeof value === "string" || typeof value === "number" || typeof value === "boolean";
-}
-function assertValidExtractSchemaRoot(schema) {
-  if (!schema || typeof schema !== "object") {
-    throw new Error(
-      "Invalid extraction schema: expected a JSON object at the top level."
+    return async (row) => decryptChromiumAes128CbcValue(
+      Buffer.from(row.encrypted_value || "", "hex"),
+      key,
+      row.host_key
     );
   }
-  if (Array.isArray(schema)) {
-    throw new Error(
-      'Invalid extraction schema: top-level arrays are not supported. Wrap array fields in an object (for example {"items":[...]}).'
+  if (process.platform === "win32") {
+    if (!location.localStatePath) {
+      throw new Error(
+        `Unable to locate Chromium Local State for profile: ${location.profileDir}`
+      );
+    }
+    const localState = JSON.parse(
+      await (0, import_promises3.readFile)(location.localStatePath, "utf8")
     );
-  }
-}
-function parseAiExtractResponse(response) {
-  if (typeof response === "string") {
-    const trimmed = stripCodeFence2(response);
-    try {
-      return JSON.parse(trimmed);
-    } catch {
-      const preview = summarizeForError(trimmed);
+    const encryptedKeyBase64 = localState.os_crypt?.encrypted_key;
+    if (!encryptedKeyBase64) {
       throw new Error(
-        `LLM extraction returned a non-JSON response.${preview ? ` Preview: "${preview}"` : ""}`
+        `Local State did not include os_crypt.encrypted_key for ${location.userDataDir}`
       );
     }
+    const encryptedKey = Buffer.from(encryptedKeyBase64, "base64");
+    const masterKey = await dpapiUnprotect(encryptedKey.subarray(5));
+    return async (row) => {
+      const encryptedValue = Buffer.from(row.encrypted_value || "", "hex");
+      if (encryptedValue.length > 4 && encryptedValue[0] === 1 && encryptedValue[1] === 0 && encryptedValue[2] === 0 && encryptedValue[3] === 0) {
+        const decrypted = await dpapiUnprotect(encryptedValue);
+        return decrypted.toString("utf8");
+      }
+      return decryptChromiumAes256GcmValue(encryptedValue, masterKey);
+    };
   }
-  if (response && typeof response === "object") {
-    const candidate = response;
-    if (candidate.fields || candidate.paths || candidate.data !== void 0) {
-      return candidate;
-    }
+  throw new Error(
+    `Local Chromium cookie sync is not supported on ${process.platform}.`
+  );
+}
+function buildPlaywrightCookie(row, value) {
+  if (!row.name.trim()) {
+    return null;
+  }
+  if (!row.host_key.trim()) {
+    return null;
+  }
+  const expires = row.has_expires === 1 ? convertChromiumTimestampToUnixSeconds(row.expires_utc) : -1;
+  if (expires !== -1 && expires <= Math.floor(Date.now() / 1e3)) {
+    return null;
   }
   return {
-    data: response
+    name: row.name,
+    value,
+    domain: row.host_key,
+    path: row.path || "/",
+    expires,
+    httpOnly: row.is_httponly === 1,
+    secure: row.is_secure === 1,
+    sameSite: mapChromiumSameSite(row.samesite)
   };
 }
-function stripCodeFence2(input) {
-  const trimmed = input.trim();
-  if (!trimmed.startsWith("```")) return trimmed;
-  const firstBreak = trimmed.indexOf("\n");
-  if (firstBreak === -1) {
-    return trimmed.replace(/```/g, "").trim();
-  }
-  const withoutHeader = trimmed.slice(firstBreak + 1);
-  const lastFence = withoutHeader.lastIndexOf("```");
-  if (lastFence === -1) return withoutHeader.trim();
-  return withoutHeader.slice(0, lastFence).trim();
-}
-function summarizeForError(input, maxLength = 180) {
-  const compact = input.replace(/\s+/g, " ").trim();
-  if (!compact) return "";
-  if (compact.length <= maxLength) return compact;
-  return `${compact.slice(0, maxLength)}...`;
-}
-function getScrollDelta2(options) {
-  const amount = typeof options.amount === "number" ? options.amount : 600;
-  const absoluteAmount = Math.abs(amount);
-  switch (options.direction) {
-    case "up":
-      return { x: 0, y: -absoluteAmount };
-    case "left":
-      return { x: -absoluteAmount, y: 0 };
-    case "right":
-      return { x: absoluteAmount, y: 0 };
-    case "down":
-    default:
-      return { x: 0, y: absoluteAmount };
+async function loadCookiesFromLocalProfileDir(inputPath, options = {}) {
+  const location = await resolveChromiumProfileLocation(inputPath);
+  try {
+    return await loadCookiesFromSqlite(location);
+  } catch (error) {
+    if (!isMissingSqliteBinary(error)) {
+      throw error;
+    }
   }
+  return await loadCookiesFromBrowserSnapshot(location, options);
 }
-function isInternalOrBlankPageUrl(url) {
-  if (!url) return true;
-  if (url === "about:blank") return true;
-  return url.startsWith("chrome://") || url.startsWith("devtools://") || url.startsWith("edge://");
-}
-function normalizeCloudBrowserProfilePreference(value, source) {
-  if (!value) {
-    return void 0;
-  }
-  const profileId = typeof value.profileId === "string" ? value.profileId.trim() : "";
-  if (!profileId) {
-    throw new Error(
-      `Invalid cloud browser profile in ${source}: profileId must be a non-empty string.`
+async function loadCookiesFromSqlite(location) {
+  const snapshot = await createSqliteSnapshot(location.cookieDbPath);
+  try {
+    const rows = await querySqliteJson(
+      snapshot.snapshotPath,
+      [
+        "SELECT",
+        "  host_key,",
+        "  name,",
+        "  value,",
+        "  hex(encrypted_value) AS encrypted_value,",
+        "  path,",
+        "  CAST(expires_utc AS TEXT) AS expires_utc,",
+        "  is_secure,",
+        "  is_httponly,",
+        "  has_expires,",
+        "  samesite",
+        "FROM cookies"
+      ].join(" ")
     );
+    const decryptValue = await buildChromiumDecryptor(location);
+    const cookies = [];
+    for (const row of rows) {
+      let value = row.value || "";
+      if (!value && row.encrypted_value) {
+        value = await decryptValue(row);
+      }
+      const cookie = buildPlaywrightCookie(row, value);
+      if (cookie) {
+        cookies.push(cookie);
+      }
+    }
+    return cookies;
+  } finally {
+    await snapshot.cleanup();
   }
-  if (value.reuseIfActive !== void 0 && typeof value.reuseIfActive !== "boolean") {
-    throw new Error(
-      `Invalid cloud browser profile in ${source}: reuseIfActive must be a boolean.`
-    );
+}
+async function loadCookiesFromBrowserSnapshot(location, options) {
+  const snapshotRootDir = await (0, import_promises3.mkdtemp)((0, import_node_path2.join)((0, import_node_os2.tmpdir)(), "opensteer-profile-"));
+  const snapshotProfileDir = (0, import_node_path2.join)(
+    snapshotRootDir,
+    (0, import_node_path2.basename)(location.profileDir)
+  );
+  let context = null;
+  try {
+    await (0, import_promises3.cp)(location.profileDir, snapshotProfileDir, {
+      recursive: true
+    });
+    if (location.localStatePath) {
+      await (0, import_promises3.copyFile)(location.localStatePath, (0, import_node_path2.join)(snapshotRootDir, "Local State"));
+    }
+    const brand = detectChromiumBrand(location);
+    const args = [`--profile-directory=${(0, import_node_path2.basename)(snapshotProfileDir)}`];
+    context = await import_playwright3.chromium.launchPersistentContext(snapshotRootDir, {
+      channel: brand.playwrightChannel,
+      headless: options.headless ?? true,
+      timeout: options.timeout ?? 12e4,
+      args
+    });
+    return await context.cookies();
+  } finally {
+    await context?.close().catch(() => void 0);
+    await (0, import_promises3.rm)(snapshotRootDir, { recursive: true, force: true });
   }
-  return {
-    profileId,
-    reuseIfActive: value.reuseIfActive
-  };
 }
-function buildLocalRunId(namespace) {
-  const normalized = namespace.trim() || "default";
-  return `${normalized}-${Date.now().toString(36)}-${(0, import_crypto.randomUUID)().slice(0, 8)}`;
+function isMissingSqliteBinary(error) {
+  return Boolean(
+    error && typeof error === "object" && "code" in error && error.code === "ENOENT"
+  );
 }
 
 // src/cloud/browser-profile-client.ts
@@ -14691,59 +15180,21 @@ var import_open = __toESM(require("open"), 1);
 
 // src/auth/credential-resolver.ts
 function resolveCloudCredential(options) {
-  const flagApiKey = normalizeToken(options.apiKeyFlag);
-  const flagAccessToken = normalizeToken(options.accessTokenFlag);
-  if (flagApiKey && flagAccessToken) {
-    throw new Error("--api-key and --access-token are mutually exclusive.");
-  }
-  if (flagAccessToken) {
-    return {
-      kind: "access-token",
-      source: "flag",
-      token: flagAccessToken,
-      authScheme: "bearer"
-    };
-  }
-  if (flagApiKey) {
-    return {
-      kind: "api-key",
-      source: "flag",
-      token: flagApiKey,
-      authScheme: "api-key"
-    };
+  const flagCredential = selectCloudCredential({
+    apiKey: options.apiKeyFlag,
+    accessToken: options.accessTokenFlag
+  });
+  if (flagCredential) {
+    return toResolvedCloudCredential("flag", flagCredential);
   }
   const envAuthScheme = parseEnvAuthScheme(options.env.OPENSTEER_AUTH_SCHEME);
-  const envApiKey = normalizeToken(options.env.OPENSTEER_API_KEY);
-  const envAccessToken = normalizeToken(options.env.OPENSTEER_ACCESS_TOKEN);
-  if (envApiKey && envAccessToken) {
-    throw new Error(
-      "OPENSTEER_API_KEY and OPENSTEER_ACCESS_TOKEN are mutually exclusive. Set only one."
-    );
-  }
-  if (envAccessToken) {
-    return {
-      kind: "access-token",
-      source: "env",
-      token: envAccessToken,
-      authScheme: "bearer"
-    };
-  }
-  if (envApiKey) {
-    if (envAuthScheme === "bearer") {
-      return {
-        kind: "access-token",
-        source: "env",
-        token: envApiKey,
-        authScheme: "bearer",
-        compatibilityBearerApiKey: true
-      };
-    }
-    return {
-      kind: "api-key",
-      source: "env",
-      token: envApiKey,
-      authScheme: envAuthScheme ?? "api-key"
-    };
+  const envCredential = selectCloudCredential({
+    apiKey: options.env.OPENSTEER_API_KEY,
+    accessToken: options.env.OPENSTEER_ACCESS_TOKEN,
+    authScheme: envAuthScheme
+  });
+  if (envCredential) {
+    return toResolvedCloudCredential("env", envCredential);
   }
   return null;
 }
@@ -14773,12 +15224,29 @@ function normalizeToken(value) {
   const normalized = value.trim();
   return normalized.length ? normalized : void 0;
 }
+function toResolvedCloudCredential(source, credential) {
+  if (credential.compatibilityBearerApiKey) {
+    return {
+      kind: credential.kind,
+      source,
+      token: credential.token,
+      authScheme: credential.authScheme,
+      compatibilityBearerApiKey: true
+    };
+  }
+  return {
+    kind: credential.kind,
+    source,
+    token: credential.token,
+    authScheme: credential.authScheme
+  };
+}
 
 // src/auth/machine-credential-store.ts
 var import_node_crypto2 = require("crypto");
-var import_node_fs2 = __toESM(require("fs"), 1);
-var import_node_os2 = __toESM(require("os"), 1);
-var import_node_path2 = __toESM(require("path"), 1);
+var import_node_fs3 = __toESM(require("fs"), 1);
+var import_node_os3 = __toESM(require("os"), 1);
+var import_node_path3 = __toESM(require("path"), 1);
 var METADATA_VERSION = 2;
 var ACTIVE_TARGET_VERSION = 2;
 var KEYCHAIN_SERVICE = "com.opensteer.cli.cloud";
@@ -14793,7 +15261,7 @@ var MachineCredentialStore = class {
     const appName = options.appName || "opensteer";
     const env = options.env ?? process.env;
     const configDir = resolveConfigDir(appName, env);
-    this.authDir = import_node_path2.default.join(configDir, "auth");
+    this.authDir = import_node_path3.default.join(configDir, "auth");
     this.warn = options.warn ?? (() => void 0);
   }
   readCloudCredential(target) {
@@ -14926,15 +15394,15 @@ function resolveCredentialSlot(authDir, target) {
   const storageKey = (0, import_node_crypto2.createHash)("sha256").update(normalizedBaseUrl).digest("hex").slice(0, 24);
   return {
     keychainAccount: `${KEYCHAIN_ACCOUNT_PREFIX}${storageKey}`,
-    metadataPath: import_node_path2.default.join(authDir, `cli-login.${storageKey}.json`),
-    fallbackSecretPath: import_node_path2.default.join(
+    metadataPath: import_node_path3.default.join(authDir, `cli-login.${storageKey}.json`),
+    fallbackSecretPath: import_node_path3.default.join(
       authDir,
       `cli-login.${storageKey}.secret.json`
     )
   };
 }
 function resolveActiveTargetPath(authDir) {
-  return import_node_path2.default.join(authDir, ACTIVE_TARGET_FILE_NAME);
+  return import_node_path3.default.join(authDir, ACTIVE_TARGET_FILE_NAME);
 }
 function matchesCredentialTarget(value, target) {
   return normalizeCredentialUrl(value.baseUrl) === normalizeCredentialUrl(target.baseUrl);
@@ -14953,36 +15421,36 @@ function normalizeCloudCredentialTarget(target) {
 }
 function resolveConfigDir(appName, env) {
   if (process.platform === "win32") {
-    const appData = env.APPDATA?.trim() || import_node_path2.default.join(import_node_os2.default.homedir(), "AppData", "Roaming");
-    return import_node_path2.default.join(appData, appName);
+    const appData = env.APPDATA?.trim() || import_node_path3.default.join(import_node_os3.default.homedir(), "AppData", "Roaming");
+    return import_node_path3.default.join(appData, appName);
   }
   if (process.platform === "darwin") {
-    return import_node_path2.default.join(
-      import_node_os2.default.homedir(),
+    return import_node_path3.default.join(
+      import_node_os3.default.homedir(),
       "Library",
       "Application Support",
       appName
     );
   }
-  const xdgConfigHome = env.XDG_CONFIG_HOME?.trim() || import_node_path2.default.join(import_node_os2.default.homedir(), ".config");
-  return import_node_path2.default.join(xdgConfigHome, appName);
+  const xdgConfigHome = env.XDG_CONFIG_HOME?.trim() || import_node_path3.default.join(import_node_os3.default.homedir(), ".config");
+  return import_node_path3.default.join(xdgConfigHome, appName);
 }
 function ensureDirectory(directoryPath) {
-  import_node_fs2.default.mkdirSync(directoryPath, { recursive: true, mode: 448 });
+  import_node_fs3.default.mkdirSync(directoryPath, { recursive: true, mode: 448 });
 }
 function removeFileIfExists(filePath) {
   try {
-    import_node_fs2.default.rmSync(filePath, { force: true });
+    import_node_fs3.default.rmSync(filePath, { force: true });
   } catch {
     return;
   }
 }
 function readMetadata(filePath) {
-  if (!import_node_fs2.default.existsSync(filePath)) {
+  if (!import_node_fs3.default.existsSync(filePath)) {
     return null;
   }
   try {
-    const raw = import_node_fs2.default.readFileSync(filePath, "utf8");
+    const raw = import_node_fs3.default.readFileSync(filePath, "utf8");
     const parsed = JSON.parse(raw);
     if (parsed.version !== METADATA_VERSION) return null;
     if (parsed.secretBackend !== "keychain" && parsed.secretBackend !== "file") {
@@ -15009,11 +15477,11 @@ function readMetadata(filePath) {
   }
 }
 function readActiveCloudTargetMetadata(filePath) {
-  if (!import_node_fs2.default.existsSync(filePath)) {
+  if (!import_node_fs3.default.existsSync(filePath)) {
     return null;
   }
   try {
-    const raw = import_node_fs2.default.readFileSync(filePath, "utf8");
+    const raw = import_node_fs3.default.readFileSync(filePath, "utf8");
     const parsed = JSON.parse(raw);
     if (parsed.version !== ACTIVE_TARGET_VERSION) {
       return null;
@@ -15043,22 +15511,22 @@ function parseSecretPayload(raw) {
   }
 }
 function readSecretFile(filePath) {
-  if (!import_node_fs2.default.existsSync(filePath)) {
+  if (!import_node_fs3.default.existsSync(filePath)) {
     return null;
   }
   try {
-    return parseSecretPayload(import_node_fs2.default.readFileSync(filePath, "utf8"));
+    return parseSecretPayload(import_node_fs3.default.readFileSync(filePath, "utf8"));
   } catch {
     return null;
   }
 }
 function writeJsonFile(filePath, value, options = {}) {
-  import_node_fs2.default.writeFileSync(filePath, JSON.stringify(value, null, 2), {
+  import_node_fs3.default.writeFileSync(filePath, JSON.stringify(value, null, 2), {
     encoding: "utf8",
     mode: options.mode ?? 384
   });
   if (typeof options.mode === "number") {
-    import_node_fs2.default.chmodSync(filePath, options.mode);
+    import_node_fs3.default.chmodSync(filePath, options.mode);
   }
 }
 
@@ -15392,7 +15860,7 @@ async function ensureCloudCredentialsForCommand(options) {
   const writeProgress = options.writeProgress ?? options.writeStdout ?? ((message) => process.stdout.write(message));
   const writeStderr = options.writeStderr ?? ((message) => process.stderr.write(message));
   const fetchFn = options.fetchFn ?? fetch;
-  const sleep6 = options.sleep ?? (async (ms) => {
+  const sleep7 = options.sleep ?? (async (ms) => {
     await new Promise((resolve) => setTimeout(resolve, ms));
   });
   const now = options.now ?? Date.now;
@@ -15436,7 +15904,7 @@ async function ensureCloudCredentialsForCommand(options) {
         fetchFn,
         writeProgress,
         openExternalUrl,
-        sleep: sleep6,
+        sleep: sleep7,
         now,
         openBrowser: true
       });
@@ -15848,7 +16316,7 @@ function createDefaultDeps() {
     loadLocalProfileCookies: (profileDir, options) => loadCookiesFromLocalProfileDir(profileDir, options),
     isInteractive: () => Boolean(process.stdin.isTTY && process.stdout.isTTY),
     confirm: async (message) => {
-      const rl = (0, import_promises3.createInterface)({
+      const rl = (0, import_promises4.createInterface)({
         input: process.stdin,
         output: process.stderr
       });
@@ -16012,7 +16480,7 @@ async function resolveTargetProfileId(args, deps, client) {
       "Sync target is required in non-interactive mode. Use --to-profile-id <id> or --name <name>."
     );
   }
-  const defaultName = `Synced ${import_node_path3.default.basename(args.fromProfileDir)}`;
+  const defaultName = `Synced ${import_node_path4.default.basename(args.fromProfileDir)}`;
   const shouldCreate = await deps.confirm(
     `No destination profile provided. Create a new cloud profile named "${defaultName}"?`
   );