poe-code 3.0.99 → 3.0.100

package/dist/index.js

@@ -31,7 +31,7 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
   mod
 ));
 
-// packages/poe-auth/src/encrypted-file-auth-store.ts
+// packages/auth-store/src/encrypted-file-store.ts
 import { createCipheriv, createDecipheriv, randomBytes, scrypt } from "node:crypto";
 import { promises as fs } from "node:fs";
 import { homedir, hostname, userInfo } from "node:os";
@@ -42,11 +42,11 @@ function defaultMachineIdentity() {
     username: userInfo().username
   };
 }
-async function deriveEncryptionKey(getMachineIdentity) {
+async function deriveEncryptionKey(getMachineIdentity, salt) {
   const machineIdentity = await getMachineIdentity();
   const secret = `${machineIdentity.hostname}:${machineIdentity.username}`;
   return await new Promise((resolve, reject) => {
-    scrypt(secret, ENCRYPTION_SALT, ENCRYPTION_KEY_BYTES, (error2, derivedKey) => {
+    scrypt(secret, salt, ENCRYPTION_KEY_BYTES, (error2, derivedKey) => {
       if (error2) {
         reject(error2);
         return;
@@ -85,34 +85,35 @@ function isNotFoundError(error2) {
     error2 && typeof error2 === "object" && "code" in error2 && error2.code === "ENOENT"
   );
 }
-var ENCRYPTION_ALGORITHM, ENCRYPTION_VERSION, ENCRYPTION_KEY_BYTES, ENCRYPTION_IV_BYTES, ENCRYPTION_AUTH_TAG_BYTES, ENCRYPTION_SALT, ENCRYPTION_FILE_MODE, EncryptedFileAuthStore;
-var init_encrypted_file_auth_store = __esm({
-  "packages/poe-auth/src/encrypted-file-auth-store.ts"() {
+var ENCRYPTION_ALGORITHM, ENCRYPTION_VERSION, ENCRYPTION_KEY_BYTES, ENCRYPTION_IV_BYTES, ENCRYPTION_AUTH_TAG_BYTES, ENCRYPTION_FILE_MODE, EncryptedFileStore;
+var init_encrypted_file_store = __esm({
+  "packages/auth-store/src/encrypted-file-store.ts"() {
     "use strict";
     ENCRYPTION_ALGORITHM = "aes-256-gcm";
     ENCRYPTION_VERSION = 1;
     ENCRYPTION_KEY_BYTES = 32;
     ENCRYPTION_IV_BYTES = 12;
     ENCRYPTION_AUTH_TAG_BYTES = 16;
-    ENCRYPTION_SALT = "poe-code:encrypted-file-auth-store:v1";
     ENCRYPTION_FILE_MODE = 384;
-    EncryptedFileAuthStore = class {
+    EncryptedFileStore = class {
       fs;
       filePath;
+      salt;
       getMachineIdentity;
       getRandomBytes;
       keyPromise = null;
-      constructor(input = {}) {
+      constructor(input) {
         this.fs = input.fs ?? fs;
+        this.salt = input.salt;
         this.filePath = input.filePath ?? path.join(
           (input.getHomeDirectory ?? homedir)(),
-          ".poe-code",
-          "credentials.enc"
+          input.defaultDirectory ?? ".auth-store",
+          input.defaultFileName ?? "credentials.enc"
         );
         this.getMachineIdentity = input.getMachineIdentity ?? defaultMachineIdentity;
         this.getRandomBytes = input.getRandomBytes ?? randomBytes;
       }
-      async getApiKey() {
+      async get() {
         let rawDocument;
         try {
           rawDocument = await this.fs.readFile(this.filePath, "utf8");
@@ -142,12 +143,12 @@ var init_encrypted_file_auth_store = __esm({
           return null;
         }
       }
-      async setApiKey(apiKey) {
+      async set(value) {
         const key = await this.getEncryptionKey();
         const iv = this.getRandomBytes(ENCRYPTION_IV_BYTES);
         const cipher = createCipheriv(ENCRYPTION_ALGORITHM, key, iv);
         const ciphertext = Buffer.concat([
-          cipher.update(apiKey, "utf8"),
+          cipher.update(value, "utf8"),
           cipher.final()
         ]);
         const authTag = cipher.getAuthTag();
@@ -163,7 +164,7 @@ var init_encrypted_file_auth_store = __esm({
         });
         await this.fs.chmod(this.filePath, ENCRYPTION_FILE_MODE);
       }
-      async deleteApiKey() {
+      async delete() {
         try {
           await this.fs.unlink(this.filePath);
         } catch (error2) {
@@ -174,7 +175,7 @@ var init_encrypted_file_auth_store = __esm({
       }
       getEncryptionKey() {
         if (!this.keyPromise) {
-          this.keyPromise = deriveEncryptionKey(this.getMachineIdentity);
+          this.keyPromise = deriveEncryptionKey(this.getMachineIdentity, this.salt);
         }
         return this.keyPromise;
       }
@@ -182,7 +183,7 @@ var init_encrypted_file_auth_store = __esm({
   }
 });
 
-// packages/poe-auth/src/keychain-auth-store.ts
+// packages/auth-store/src/keychain-store.ts
 import { spawn } from "node:child_process";
 function runSecurityCommand(command, args) {
   return new Promise((resolve) => {
@@ -242,27 +243,25 @@ function createSecurityCliFailure(operation, result) {
   }
   return new Error(`Failed to ${operation}: security exited with code ${result.exitCode}`);
 }
-var SECURITY_CLI, KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT, KEYCHAIN_ITEM_NOT_FOUND_EXIT_CODE, KeychainAuthStore;
-var init_keychain_auth_store = __esm({
-  "packages/poe-auth/src/keychain-auth-store.ts"() {
+var SECURITY_CLI, KEYCHAIN_ITEM_NOT_FOUND_EXIT_CODE, KeychainStore;
+var init_keychain_store = __esm({
+  "packages/auth-store/src/keychain-store.ts"() {
     "use strict";
     SECURITY_CLI = "security";
-    KEYCHAIN_SERVICE = "poe-code";
-    KEYCHAIN_ACCOUNT = "api-key";
     KEYCHAIN_ITEM_NOT_FOUND_EXIT_CODE = 44;
-    KeychainAuthStore = class {
+    KeychainStore = class {
       runCommand;
       service;
       account;
-      constructor(input = {}) {
+      constructor(input) {
         this.runCommand = input.runCommand ?? runSecurityCommand;
-        this.service = input.service ?? KEYCHAIN_SERVICE;
-        this.account = input.account ?? KEYCHAIN_ACCOUNT;
+        this.service = input.service;
+        this.account = input.account;
       }
-      async getApiKey() {
+      async get() {
         const result = await this.executeSecurityCommand(
           ["find-generic-password", "-s", this.service, "-a", this.account, "-w"],
-          "read API key from macOS Keychain"
+          "read secret from macOS Keychain"
         );
         if (result.exitCode === 0) {
           return stripTrailingLineBreak(result.stdout);
@@ -270,9 +269,9 @@ var init_keychain_auth_store = __esm({
         if (isKeychainEntryNotFound(result)) {
           return null;
         }
-        throw createSecurityCliFailure("read API key from macOS Keychain", result);
+        throw createSecurityCliFailure("read secret from macOS Keychain", result);
       }
-      async setApiKey(apiKey) {
+      async set(value) {
         const result = await this.executeSecurityCommand(
           [
             "add-generic-password",
@@ -281,24 +280,24 @@ var init_keychain_auth_store = __esm({
             "-a",
             this.account,
             "-w",
-            apiKey,
+            value,
             "-U"
           ],
-          "store API key in macOS Keychain"
+          "store secret in macOS Keychain"
         );
         if (result.exitCode !== 0) {
-          throw createSecurityCliFailure("store API key in macOS Keychain", result);
+          throw createSecurityCliFailure("store secret in macOS Keychain", result);
         }
       }
-      async deleteApiKey() {
+      async delete() {
         const result = await this.executeSecurityCommand(
           ["delete-generic-password", "-s", this.service, "-a", this.account],
-          "delete API key from macOS Keychain"
+          "delete secret from macOS Keychain"
         );
         if (result.exitCode === 0 || isKeychainEntryNotFound(result)) {
           return;
         }
-        throw createSecurityCliFailure("delete API key from macOS Keychain", result);
+        throw createSecurityCliFailure("delete secret from macOS Keychain", result);
       }
       async executeSecurityCommand(args, operation) {
         try {
@@ -312,382 +311,58 @@ var init_keychain_auth_store = __esm({
   }
 });
 
-// packages/poe-auth/src/create-auth-store.ts
-import { promises as nodeFs } from "node:fs";
-import { homedir as homedir2 } from "node:os";
-import path2 from "node:path";
-function createAuthStore(input = {}) {
+// packages/auth-store/src/create-secret-store.ts
+function createSecretStore(input) {
   const backend = resolveBackend(input);
   const platform = input.platform ?? process.platform;
   if (backend === "keychain" && platform !== MACOS_PLATFORM) {
     throw new Error(
-      `POE_AUTH_BACKEND=keychain is only supported on macOS. Current platform: ${platform}`
+      `Keychain backend is only supported on macOS. Current platform: ${platform}`
     );
   }
-  const store = authStoreFactories[backend](input);
-  return {
-    backend,
-    store: enableLegacyCredentialsMigration(store, input)
-  };
+  const store = storeFactories[backend](input);
+  return { backend, store };
 }
 function resolveBackend(input) {
-  const configuredBackend = input.backend ?? input.env?.[AUTH_BACKEND_ENV_VAR] ?? process.env[AUTH_BACKEND_ENV_VAR];
+  const envVar = input.backendEnvVar ?? DEFAULT_BACKEND_ENV_VAR;
+  const configuredBackend = input.backend ?? input.env?.[envVar] ?? process.env[envVar];
   if (configuredBackend === "keychain") {
     return "keychain";
   }
   return "file";
 }
-function enableLegacyCredentialsMigration(store, input) {
-  const migrationContext = createLegacyMigrationContext(input);
-  const readApiKeyFromStore = store.getApiKey.bind(store);
-  let hasCheckedLegacyCredentials = false;
-  let legacyMigrationPromise = null;
-  store.getApiKey = async () => {
-    const storedApiKey = await readApiKeyFromStore();
-    if (isNonEmptyString(storedApiKey)) {
-      return storedApiKey;
-    }
-    if (hasCheckedLegacyCredentials) {
-      return null;
-    }
-    if (!legacyMigrationPromise) {
-      legacyMigrationPromise = migrateLegacyApiKey(store, migrationContext).finally(() => {
-        hasCheckedLegacyCredentials = true;
-        legacyMigrationPromise = null;
-      });
-    }
-    return legacyMigrationPromise;
-  };
-  return store;
-}
-async function migrateLegacyApiKey(store, migrationContext) {
-  const legacyCredentials = await loadLegacyCredentials(
-    migrationContext.fs,
-    migrationContext.filePath
-  );
-  if (!legacyCredentials || !isNonEmptyString(legacyCredentials.apiKey)) {
-    return null;
-  }
-  const plaintextApiKey = legacyCredentials.apiKey;
-  try {
-    await store.setApiKey(plaintextApiKey);
-    delete legacyCredentials.apiKey;
-    await saveLegacyCredentials(
-      migrationContext.fs,
-      migrationContext.filePath,
-      legacyCredentials
-    );
-  } catch (error2) {
-    migrationContext.logWarning(
-      `Failed to migrate plaintext API key from ${migrationContext.filePath}.`,
-      error2
-    );
-  }
-  return plaintextApiKey;
-}
-function createLegacyMigrationContext(input) {
-  const legacyCredentialsInput = input.legacyCredentials;
-  const getHomeDirectory = legacyCredentialsInput?.getHomeDirectory ?? homedir2;
-  return {
-    fs: legacyCredentialsInput?.fs ?? input.fileStore?.fs ?? nodeFs,
-    filePath: legacyCredentialsInput?.filePath ?? path2.join(
-      getHomeDirectory(),
-      LEGACY_CREDENTIALS_RELATIVE_PATH
-    ),
-    logWarning: legacyCredentialsInput?.logWarning ?? defaultMigrationWarning
-  };
-}
-async function loadLegacyCredentials(fs3, filePath) {
-  let raw;
-  try {
-    raw = await fs3.readFile(filePath, "utf8");
-  } catch (error2) {
-    if (isNotFoundError2(error2)) {
-      return null;
-    }
-    return null;
-  }
-  try {
-    const parsed = JSON.parse(raw);
-    if (!isRecord2(parsed)) {
-      return null;
-    }
-    return parsed;
-  } catch {
-    return null;
-  }
-}
-async function saveLegacyCredentials(fs3, filePath, document) {
-  await fs3.mkdir(path2.dirname(filePath), { recursive: true });
-  await fs3.writeFile(filePath, `${JSON.stringify(document, null, 2)}
-`, {
-    encoding: "utf8"
-  });
-}
-function defaultMigrationWarning(message, error2) {
-  const details = toErrorDetails(error2);
-  if (details.length > 0) {
-    console.warn(`${message} ${details}`);
-    return;
-  }
-  console.warn(message);
-}
-function toErrorDetails(error2) {
-  if (error2 instanceof Error) {
-    return error2.message;
-  }
-  return typeof error2 === "string" ? error2 : "";
-}
-function isNonEmptyString(value) {
-  return typeof value === "string" && value.length > 0;
-}
-function isRecord2(value) {
-  return Boolean(value && typeof value === "object" && !Array.isArray(value));
-}
-function isNotFoundError2(error2) {
-  return Boolean(
-    error2 && typeof error2 === "object" && "code" in error2 && error2.code === "ENOENT"
-  );
-}
-var AUTH_BACKEND_ENV_VAR, MACOS_PLATFORM, LEGACY_CREDENTIALS_RELATIVE_PATH, authStoreFactories;
-var init_create_auth_store = __esm({
-  "packages/poe-auth/src/create-auth-store.ts"() {
+var DEFAULT_BACKEND_ENV_VAR, MACOS_PLATFORM, storeFactories;
+var init_create_secret_store = __esm({
+  "packages/auth-store/src/create-secret-store.ts"() {
     "use strict";
-    init_encrypted_file_auth_store();
-    init_keychain_auth_store();
-    AUTH_BACKEND_ENV_VAR = "POE_AUTH_BACKEND";
+    init_encrypted_file_store();
+    init_keychain_store();
+    DEFAULT_BACKEND_ENV_VAR = "AUTH_BACKEND";
     MACOS_PLATFORM = "darwin";
-    LEGACY_CREDENTIALS_RELATIVE_PATH = ".poe-code/credentials.json";
-    authStoreFactories = {
-      file: (input) => new EncryptedFileAuthStore(input.fileStore),
-      keychain: (input) => new KeychainAuthStore(input.keychainStore)
-    };
-  }
-});
-
-// packages/poe-auth/src/check-auth.ts
-var init_check_auth = __esm({
-  "packages/poe-auth/src/check-auth.ts"() {
-    "use strict";
-    init_create_auth_store();
-  }
-});
-
-// packages/poe-auth/src/get-token.ts
-var init_get_token = __esm({
-  "packages/poe-auth/src/get-token.ts"() {
-    "use strict";
-    init_create_auth_store();
-  }
-});
-
-// packages/poe-auth/src/api-key-validation.ts
-var init_api_key_validation = __esm({
-  "packages/poe-auth/src/api-key-validation.ts"() {
-    "use strict";
-  }
-});
-
-// packages/poe-auth/src/oauth-client.ts
-import http from "node:http";
-import crypto from "node:crypto";
-function createOAuthClient(config2) {
-  const fetchFn = config2.fetch ?? globalThis.fetch;
-  return {
-    authorize: () => startAuthorization(config2, fetchFn)
-  };
-}
-function generateCodeVerifier() {
-  return crypto.randomBytes(32).toString("base64url");
-}
-function generateCodeChallenge(verifier) {
-  return crypto.createHash("sha256").update(verifier).digest("base64url");
-}
-async function startAuthorization(config2, fetchFn) {
-  const codeVerifier = generateCodeVerifier();
-  const codeChallenge = generateCodeChallenge(codeVerifier);
-  const server = config2.createServer ? config2.createServer() : http.createServer();
-  const port = await startServer(server);
-  const redirectUri = `http://127.0.0.1:${port}/callback`;
-  const authorizationUrl = buildAuthorizationUrl({
-    endpoint: config2.authorizationEndpoint,
-    clientId: config2.clientId,
-    redirectUri,
-    codeChallenge
-  });
-  const waitForResult = async () => {
-    try {
-      const code = await waitForAuthorizationCode(server, config2, authorizationUrl);
-      return await exchangeCodeForApiKey({
-        tokenEndpoint: config2.tokenEndpoint,
-        code,
-        codeVerifier,
-        clientId: config2.clientId,
-        redirectUri,
-        fetchFn
-      });
-    } finally {
-      server.closeAllConnections?.();
-      server.close();
-    }
-  };
-  return { authorizationUrl, waitForResult };
-}
-function startServer(server) {
-  return new Promise((resolve) => {
-    server.listen(0, "127.0.0.1", () => {
-      const address = server.address();
-      resolve(address.port);
-    });
-  });
-}
-function buildAuthorizationUrl(params) {
-  const url2 = new URL(params.endpoint);
-  url2.searchParams.set("response_type", "code");
-  url2.searchParams.set("client_id", params.clientId);
-  url2.searchParams.set("scope", "apikey:create");
-  url2.searchParams.set("code_challenge", params.codeChallenge);
-  url2.searchParams.set("code_challenge_method", "S256");
-  url2.searchParams.set("redirect_uri", params.redirectUri);
-  return url2.toString();
-}
-function waitForAuthorizationCode(server, config2, authorizationUrl) {
-  return new Promise((resolve, reject) => {
-    let settled = false;
-    const settle = (fn) => {
-      if (!settled) {
-        settled = true;
-        fn();
+    storeFactories = {
+      file: (input) => {
+        if (!input.fileStore) {
+          throw new Error("fileStore configuration is required for file backend");
+        }
+        return new EncryptedFileStore(input.fileStore);
+      },
+      keychain: (input) => {
+        if (!input.keychainStore) {
+          throw new Error("keychainStore configuration is required for keychain backend");
+        }
+        return new KeychainStore(input.keychainStore);
       }
     };
-    server.on("request", (req, res) => {
-      const url2 = new URL(req.url, `http://127.0.0.1`);
-      if (url2.pathname !== "/callback") {
-        res.writeHead(404);
-        res.end("Not found");
-        return;
-      }
-      const error2 = url2.searchParams.get("error");
-      if (error2) {
-        const description = url2.searchParams.get("error_description") ?? error2;
-        res.writeHead(400);
-        res.end(`Authorization failed: ${description}`);
-        settle(() => reject(new Error(`OAuth authorization failed: ${error2} \u2014 ${description}`)));
-        return;
-      }
-      const code = url2.searchParams.get("code");
-      if (!code) {
-        res.writeHead(400);
-        res.end("Missing authorization code");
-        settle(() => reject(new Error("OAuth callback missing authorization code")));
-        return;
-      }
-      res.writeHead(200, { "Content-Type": "text/html" });
-      res.end(buildSuccessPage());
-      settle(() => resolve(code));
-    });
-    if (config2.readLine) {
-      config2.readLine().then((input) => {
-        const code = extractCodeFromInput(input);
-        if (code) {
-          settle(() => resolve(code));
-        }
-      }).catch(() => {
-      });
-    }
-    if (config2.openBrowser) {
-      config2.openBrowser(authorizationUrl).catch(
-        (err) => settle(() => reject(err))
-      );
-    }
-  });
-}
-function extractCodeFromInput(input) {
-  const trimmed = input.replace(/[\r\n]/g, "").trim();
-  if (trimmed.length === 0) {
-    return null;
-  }
-  try {
-    const url2 = new URL(trimmed);
-    return url2.searchParams.get("code");
-  } catch {
-    return trimmed;
-  }
-}
-async function exchangeCodeForApiKey(params) {
-  const body = new URLSearchParams({
-    grant_type: "authorization_code",
-    code: params.code,
-    code_verifier: params.codeVerifier,
-    client_id: params.clientId,
-    redirect_uri: params.redirectUri
-  });
-  const response = await params.fetchFn(params.tokenEndpoint, {
-    method: "POST",
-    headers: { "Content-Type": "application/x-www-form-urlencoded" },
-    body: body.toString()
-  });
-  if (!response.ok) {
-    const text4 = await response.text();
-    throw new Error(`Token exchange failed (${response.status}): ${text4}`);
-  }
-  const data = await response.json();
-  if (typeof data.api_key !== "string" || data.api_key.length === 0) {
-    throw new Error("Token response missing api_key field");
-  }
-  return {
-    apiKey: data.api_key,
-    expiresIn: typeof data.api_key_expires_in === "number" ? data.api_key_expires_in : null
-  };
-}
-function buildSuccessPage() {
-  return [
-    "<!DOCTYPE html>",
-    "<html><head><meta charset=utf-8><title>Connected to Poe</title></head>",
-    '<body style="font-family:system-ui,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0">',
-    '<div style="text-align:center">',
-    "<h1>Connected to Poe</h1>",
-    '<p style="color:#666">You can close this tab and return to your terminal.</p>',
-    "</div></body></html>"
-  ].join("");
-}
-var init_oauth_client = __esm({
-  "packages/poe-auth/src/oauth-client.ts"() {
-    "use strict";
-  }
-});
-
-// packages/poe-auth/src/login.ts
-var init_login = __esm({
-  "packages/poe-auth/src/login.ts"() {
-    "use strict";
-    init_api_key_validation();
-    init_create_auth_store();
-    init_oauth_client();
-  }
-});
-
-// packages/poe-auth/src/logout.ts
-var init_logout = __esm({
-  "packages/poe-auth/src/logout.ts"() {
-    "use strict";
-    init_create_auth_store();
   }
 });
 
-// packages/poe-auth/src/index.ts
+// packages/auth-store/src/index.ts
 var init_src = __esm({
-  "packages/poe-auth/src/index.ts"() {
+  "packages/auth-store/src/index.ts"() {
     "use strict";
-    init_create_auth_store();
-    init_check_auth();
-    init_get_token();
-    init_api_key_validation();
-    init_login();
-    init_logout();
-    init_oauth_client();
-    init_encrypted_file_auth_store();
-    init_keychain_auth_store();
+    init_create_secret_store();
+    init_encrypted_file_store();
+    init_keychain_store();
   }
 });
 
@@ -697,8 +372,15 @@ async function getPoeApiKey() {
   if (typeof envKey === "string" && envKey.trim().length > 0) {
     return envKey.trim();
   }
-  const { store } = createAuthStore();
-  const storedKey = await store.getApiKey();
+  const { store } = createSecretStore({
+    backendEnvVar: "POE_AUTH_BACKEND",
+    fileStore: {
+      salt: "poe-code:encrypted-file-auth-store:v1",
+      defaultDirectory: ".poe-code",
+      defaultFileName: "credentials.enc"
+    }
+  });
+  const storedKey = await store.get();
   if (typeof storedKey === "string" && storedKey.trim().length > 0) {
     return storedKey.trim();
   }
@@ -1032,16 +714,16 @@ function getConfigFormat(pathOrFormat) {
   }
   return formatRegistry[formatName];
 }
-function detectFormat(path25) {
-  const ext = getExtension(path25);
+function detectFormat(path24) {
+  const ext = getExtension(path24);
   return extensionMap[ext];
 }
-function getExtension(path25) {
-  const lastDot = path25.lastIndexOf(".");
+function getExtension(path24) {
+  const lastDot = path24.lastIndexOf(".");
   if (lastDot === -1) {
     return "";
   }
-  return path25.slice(lastDot).toLowerCase();
+  return path24.slice(lastDot).toLowerCase();
 }
 var formatRegistry, extensionMap;
 var init_formats = __esm({
@@ -1063,7 +745,7 @@ var init_formats = __esm({
 });
 
 // packages/config-mutations/src/execution/path-utils.ts
-import path3 from "node:path";
+import path2 from "node:path";
 function expandHome(targetPath, homeDir) {
   if (!targetPath?.startsWith("~")) {
     return targetPath;
@@ -1080,7 +762,7 @@ function expandHome(targetPath, homeDir) {
       remainder = remainder.slice(1);
     }
   }
-  return remainder.length === 0 ? homeDir : path3.join(homeDir, remainder);
+  return remainder.length === 0 ? homeDir : path2.join(homeDir, remainder);
 }
 function validateHomePath(targetPath) {
   if (typeof targetPath !== "string" || targetPath.length === 0) {
@@ -1098,12 +780,12 @@ function resolvePath(rawPath, homeDir, pathMapper) {
   if (!pathMapper) {
     return expanded;
   }
-  const rawDirectory = path3.dirname(expanded);
+  const rawDirectory = path2.dirname(expanded);
   const mappedDirectory = pathMapper.mapTargetDirectory({
     targetDirectory: rawDirectory
   });
-  const filename = path3.basename(expanded);
-  return filename.length === 0 ? mappedDirectory : path3.join(mappedDirectory, filename);
+  const filename = path2.basename(expanded);
+  return filename.length === 0 ? mappedDirectory : path2.join(mappedDirectory, filename);
 }
 var init_path_utils = __esm({
   "packages/config-mutations/src/execution/path-utils.ts"() {
@@ -1768,38 +1450,38 @@ import { createTwoFilesPatch } from "diff";
 import chalk from "chalk";
 function createDryRunFileSystem(base, recorder) {
   const proxy = {
-    async readFile(path25, encoding) {
+    async readFile(path24, encoding) {
       if (encoding) {
-        return base.readFile(path25, encoding);
+        return base.readFile(path24, encoding);
       }
-      return base.readFile(path25);
+      return base.readFile(path24);
     },
-    async writeFile(path25, data, options) {
-      const previousContent = await tryReadText(base, path25);
+    async writeFile(path24, data, options) {
+      const previousContent = await tryReadText(base, path24);
       const nextContent = formatData(data, options?.encoding);
       recorder.record({
         type: "writeFile",
-        path: path25,
+        path: path24,
         nextContent,
         previousContent
       });
     },
-    async mkdir(path25, options) {
-      recorder.record({ type: "mkdir", path: path25, options });
+    async mkdir(path24, options) {
+      recorder.record({ type: "mkdir", path: path24, options });
     },
-    async stat(path25) {
-      return base.stat(path25);
+    async stat(path24) {
+      return base.stat(path24);
     },
-    async unlink(path25) {
-      recorder.record({ type: "unlink", path: path25 });
+    async unlink(path24) {
+      recorder.record({ type: "unlink", path: path24 });
     },
-    async readdir(path25) {
-      return base.readdir(path25);
+    async readdir(path24) {
+      return base.readdir(path24);
     }
   };
   if (typeof base.rm === "function") {
-    proxy.rm = async (path25, options) => {
-      recorder.record({ type: "rm", path: path25, options });
+    proxy.rm = async (path24, options) => {
+      recorder.record({ type: "rm", path: path24, options });
     };
   }
   if (typeof base.copyFile === "function") {
@@ -1889,8 +1571,8 @@ function describeWriteChange(previous, next) {
   }
   return "update";
 }
-function renderWriteCommand(path25, change) {
-  const command = `cat > ${path25}`;
+function renderWriteCommand(path24, change) {
+  const command = `cat > ${path24}`;
   if (change === "create") {
     return renderOperationCommand(command, chalk.green, "# create");
   }
@@ -2052,9 +1734,9 @@ function redactTomlLine(line) {
   }
   return line;
 }
-async function tryReadText(base, path25) {
+async function tryReadText(base, path24) {
   try {
-    return await base.readFile(path25, "utf8");
+    return await base.readFile(path24, "utf8");
   } catch (error2) {
     if (isNotFound(error2)) {
       return null;
@@ -2236,7 +1918,7 @@ var init_context = __esm({
 });
 
 // src/cli/isolated-env.ts
-import path4 from "node:path";
+import path3 from "node:path";
 async function resolveIsolatedEnvDetails(env, isolated, providerName, readApiKey) {
   if (!providerName) {
     throw new Error("resolveIsolatedEnvDetails requires providerName.");
@@ -2258,7 +1940,7 @@ function resolveIsolatedTargetDirectory(input) {
   const expanded = expandHomeShortcut(input.env, input.targetDirectory);
   const baseDir = resolveIsolatedBaseDir(input.env, input.providerName);
   const homeDir = input.env.homeDir;
-  const homeDirWithSep = `${homeDir}${path4.sep}`;
+  const homeDirWithSep = `${homeDir}${path3.sep}`;
   if (expanded !== homeDir && !expanded.startsWith(homeDirWithSep)) {
     throw new Error(
       `Isolated config targets must live under the user's home directory (received "${input.targetDirectory}").`
@@ -2273,7 +1955,7 @@ function resolveIsolatedTargetDirectory(input) {
   if (!expanded.startsWith(homeDirWithSep)) {
     return expanded;
   }
-  const mapped = path4.join(baseDir, expanded.slice(homeDirWithSep.length));
+  const mapped = path3.join(baseDir, expanded.slice(homeDirWithSep.length));
   return stripAgentHome(mapped, baseDir, input.isolated.agentBinary);
 }
 function resolveIsolatedBaseDir(env, providerName) {
@@ -2322,9 +2004,9 @@ async function resolveIsolatedEnvValue(env, baseDir, value, readApiKey) {
 function resolveIsolatedEnvPath(env, baseDir, value) {
   switch (value.kind) {
     case "isolatedDir":
-      return value.relativePath ? path4.join(baseDir, value.relativePath) : baseDir;
+      return value.relativePath ? path3.join(baseDir, value.relativePath) : baseDir;
     case "isolatedFile":
-      return path4.join(baseDir, value.relativePath);
+      return path3.join(baseDir, value.relativePath);
   }
 }
 function isEnvVarReference(value) {
@@ -2366,10 +2048,10 @@ async function applyIsolatedEnvRepairs(input) {
     if (repair.kind !== "chmod") {
       continue;
     }
-    if (path4.isAbsolute(repair.relativePath)) {
+    if (path3.isAbsolute(repair.relativePath)) {
       continue;
     }
-    const repairPath = path4.join(baseDir, repair.relativePath);
+    const repairPath = path3.join(baseDir, repair.relativePath);
     try {
       await input.fs.chmod(repairPath, repair.mode);
     } catch (error2) {
@@ -2420,13 +2102,13 @@ async function resolveCliSettingValue(value, env, readApiKey) {
 }
 function stripAgentHome(mapped, baseDir, agentBinary) {
   const agentDir = `.${agentBinary}`;
-  const prefix = path4.join(baseDir, agentDir);
+  const prefix = path3.join(baseDir, agentDir);
   if (mapped === prefix) {
     return baseDir;
   }
-  const withSep = `${prefix}${path4.sep}`;
+  const withSep = `${prefix}${path3.sep}`;
   if (mapped.startsWith(withSep)) {
-    return path4.join(baseDir, mapped.slice(withSep.length));
+    return path3.join(baseDir, mapped.slice(withSep.length));
   }
   return mapped;
 }
@@ -2437,11 +2119,11 @@ function expandHomeShortcut(env, input) {
   if (input === "~") {
     return env.homeDir;
   }
-  if (input.startsWith("~/") || input.startsWith(`~${path4.sep}`)) {
-    return path4.join(env.homeDir, input.slice(2));
+  if (input.startsWith("~/") || input.startsWith(`~${path3.sep}`)) {
+    return path3.join(env.homeDir, input.slice(2));
   }
-  if (input.startsWith("~./") || input.startsWith(`~.${path4.sep}`)) {
-    return path4.join(env.homeDir, `.${input.slice(3)}`);
+  if (input.startsWith("~./") || input.startsWith(`~.${path3.sep}`)) {
+    return path3.join(env.homeDir, `.${input.slice(3)}`);
   }
   return input;
 }
@@ -3946,13 +3628,13 @@ function truncate2(text4, maxLength) {
   if (maxLength <= 3) return text4.slice(0, maxLength);
   return `${text4.slice(0, maxLength - 3)}...`;
 }
-function isNonEmptyString2(value) {
+function isNonEmptyString(value) {
   return typeof value === "string" && value.length > 0;
 }
 function extractThreadId(value) {
   if (!value || typeof value !== "object") return;
   const obj = value;
-  const maybeThreadId = isNonEmptyString2(obj.thread_id) && obj.thread_id || isNonEmptyString2(obj.threadId) && obj.threadId || isNonEmptyString2(obj.threadID) && obj.threadID || isNonEmptyString2(obj.session_id) && obj.session_id || isNonEmptyString2(obj.sessionId) && obj.sessionId || isNonEmptyString2(obj.sessionID) && obj.sessionID;
+  const maybeThreadId = isNonEmptyString(obj.thread_id) && obj.thread_id || isNonEmptyString(obj.threadId) && obj.threadId || isNonEmptyString(obj.threadID) && obj.threadID || isNonEmptyString(obj.session_id) && obj.session_id || isNonEmptyString(obj.sessionId) && obj.sessionId || isNonEmptyString(obj.sessionID) && obj.sessionID;
   return maybeThreadId || void 0;
 }
 var init_utils = __esm({
@@ -3998,7 +3680,7 @@ async function* adaptClaude(lines) {
       continue;
     }
     const eventType = event.type;
-    if (!isNonEmptyString2(eventType)) continue;
+    if (!isNonEmptyString(eventType)) continue;
     if (!emittedSessionStart) {
       const threadId = extractThreadId(event);
       emittedSessionStart = true;
@@ -4021,16 +3703,16 @@ async function* adaptClaude(lines) {
       const item = block;
       if (!item || typeof item !== "object") continue;
       const blockType = item.type;
-      if (!isNonEmptyString2(blockType)) continue;
+      if (!isNonEmptyString(blockType)) continue;
       if (eventType === "assistant") {
-        if (blockType === "text" && isNonEmptyString2(item.text)) {
+        if (blockType === "text" && isNonEmptyString(item.text)) {
           yield {
             event: "agent_message",
             text: item.text
           };
           continue;
         }
-        if (blockType === "tool_use" && isNonEmptyString2(item.id) && isNonEmptyString2(item.name)) {
+        if (blockType === "tool_use" && isNonEmptyString(item.id) && isNonEmptyString(item.name)) {
           const kind = TOOL_KIND_MAP[item.name] ?? "other";
           toolKindsById.set(item.id, kind);
           yield {
@@ -4044,25 +3726,25 @@ async function* adaptClaude(lines) {
         continue;
       }
       if (eventType === "user") {
-        if (!isNonEmptyString2(item.tool_use_id)) continue;
+        if (!isNonEmptyString(item.tool_use_id)) continue;
         if (blockType !== "tool_result") continue;
         const kind = toolKindsById.get(item.tool_use_id);
         toolKindsById.delete(item.tool_use_id);
-        let path25;
+        let path24;
         if (typeof item.content === "string") {
-          path25 = item.content;
+          path24 = item.content;
         } else {
           try {
-            path25 = JSON.stringify(item.content);
+            path24 = JSON.stringify(item.content);
           } catch {
-            path25 = String(item.content);
+            path24 = String(item.content);
           }
         }
         yield {
           event: "tool_complete",
           id: item.tool_use_id,
           kind,
-          path: path25
+          path: path24
         };
       }
     }
@@ -4116,7 +3798,7 @@ async function* adaptCodex(lines) {
       continue;
     }
     const eventType = event.type;
-    if (!isNonEmptyString2(eventType)) continue;
+    if (!isNonEmptyString(eventType)) continue;
     if (eventType === "thread.started") {
       const maybeThreadId = extractThreadId(event);
       yield { event: "session_start", threadId: maybeThreadId };
@@ -4140,23 +3822,23 @@ async function* adaptCodex(lines) {
     const item = event.item ?? null;
     if (!item || typeof item !== "object") continue;
     const itemType = item.type;
-    if (!isNonEmptyString2(itemType)) continue;
+    if (!isNonEmptyString(itemType)) continue;
     if (eventType === "item.started") {
-      if (!isNonEmptyString2(item.id)) continue;
+      if (!isNonEmptyString(item.id)) continue;
       let kind;
       let title;
       if (itemType === "command_execution") {
         kind = "exec";
-        title = truncate2(isNonEmptyString2(item.command) ? item.command : "", 80);
+        title = truncate2(isNonEmptyString(item.command) ? item.command : "", 80);
       } else if (itemType === "file_edit") {
         kind = "edit";
-        title = isNonEmptyString2(item.path) ? item.path : "";
+        title = isNonEmptyString(item.path) ? item.path : "";
       } else if (itemType === "thinking") {
         kind = "think";
         title = "thinking...";
       } else if (itemType === "mcp_tool_call") {
-        const server = isNonEmptyString2(item.server) ? item.server : "unknown";
-        const tool = isNonEmptyString2(item.tool) ? item.tool : "unknown";
+        const server = isNonEmptyString(item.server) ? item.server : "unknown";
+        const tool = isNonEmptyString(item.tool) ? item.tool : "unknown";
         kind = "other";
         title = `${server}.${tool}`;
       }
@@ -4169,25 +3851,25 @@ async function* adaptCodex(lines) {
     }
     if (eventType === "item.completed") {
       if (itemType === "agent_message") {
-        if (!isNonEmptyString2(item.text)) continue;
+        if (!isNonEmptyString(item.text)) continue;
         yield { event: "agent_message", text: item.text };
         continue;
       }
       if (itemType === "reasoning") {
-        const text4 = isNonEmptyString2(item.text) ? item.text : isNonEmptyString2(item.content) ? item.content : isNonEmptyString2(item.summary) ? item.summary : void 0;
+        const text4 = isNonEmptyString(item.text) ? item.text : isNonEmptyString(item.content) ? item.content : isNonEmptyString(item.summary) ? item.summary : void 0;
         if (!text4) continue;
         yield { event: "reasoning", text: text4 };
         continue;
       }
-      if (!isNonEmptyString2(item.id)) continue;
+      if (!isNonEmptyString(item.id)) continue;
       if (itemType === "command_execution" || itemType === "file_edit" || itemType === "mcp_tool_call") {
         const kindFromStart = toolKindById.get(item.id);
         const kind = kindFromStart ?? (itemType === "command_execution" ? "exec" : itemType === "file_edit" ? "edit" : "other");
-        const titleFromEvent = isNonEmptyString2(item.path) ? item.path : itemType === "mcp_tool_call" ? `${isNonEmptyString2(item.server) ? item.server : "unknown"}.${isNonEmptyString2(item.tool) ? item.tool : "unknown"}` : void 0;
-        const path25 = titleFromEvent ?? toolTitleById.get(item.id) ?? "";
+        const titleFromEvent = isNonEmptyString(item.path) ? item.path : itemType === "mcp_tool_call" ? `${isNonEmptyString(item.server) ? item.server : "unknown"}.${isNonEmptyString(item.tool) ? item.tool : "unknown"}` : void 0;
+        const path24 = titleFromEvent ?? toolTitleById.get(item.id) ?? "";
         toolTitleById.delete(item.id);
         toolKindById.delete(item.id);
-        yield { event: "tool_complete", id: item.id, kind, path: path25 };
+        yield { event: "tool_complete", id: item.id, kind, path: path24 };
       }
     }
   }
@@ -4226,9 +3908,9 @@ async function* adaptKimi(lines) {
       }
     }
     const role = event.role;
-    if (!isNonEmptyString2(role) || role !== "assistant") continue;
+    if (!isNonEmptyString(role) || role !== "assistant") continue;
     const content = event.content;
-    if (!isNonEmptyString2(content)) continue;
+    if (!isNonEmptyString(content)) continue;
     yield { event: "agent_message", text: content };
   }
 }
@@ -4257,7 +3939,7 @@ async function* adaptNative(lines) {
       continue;
     }
     const maybeEventType = event?.event;
-    if (!isNonEmptyString2(maybeEventType)) {
+    if (!isNonEmptyString(maybeEventType)) {
       yield {
         event: "error",
         message: `[adaptNative] Line missing string "event" field: ${truncate2(line, 200)}`
@@ -4316,23 +3998,23 @@ async function* adaptOpenCode(lines) {
     }
     if (!event || typeof event !== "object") continue;
     const sessionID = extractThreadId(event);
-    if (!emittedSessionStart && isNonEmptyString2(sessionID)) {
+    if (!emittedSessionStart && isNonEmptyString(sessionID)) {
       emittedSessionStart = true;
       yield { event: "session_start", threadId: sessionID };
     }
     const eventType = event.type;
-    if (!isNonEmptyString2(eventType)) continue;
+    if (!isNonEmptyString(eventType)) continue;
     if (eventType === "text") {
       const part = event.part ?? null;
       if (!part || typeof part !== "object") continue;
-      if (!isNonEmptyString2(part.text)) continue;
+      if (!isNonEmptyString(part.text)) continue;
       yield { event: "agent_message", text: part.text };
       continue;
     }
     if (eventType === "tool_use") {
       const part = event.part ?? null;
       if (!part || typeof part !== "object") continue;
-      if (!isNonEmptyString2(part.callID) || !isNonEmptyString2(part.tool)) continue;
+      if (!isNonEmptyString(part.callID) || !isNonEmptyString(part.tool)) continue;
       const state = part.state ?? null;
       if (!state || typeof state !== "object") continue;
       const kind = guessToolKind(part.tool);
@@ -4344,7 +4026,7 @@ async function* adaptOpenCode(lines) {
         const maybeInput = state.input;
         if (kind === "exec" && maybeInput && typeof maybeInput === "object") {
           const command = maybeInput.command;
-          if (isNonEmptyString2(command)) {
+          if (isNonEmptyString(command)) {
             title = truncate2(command, 80);
           }
         }
@@ -4629,7 +4311,7 @@ function updateSessionFromEvent(ctx, event, toolCallsById) {
   }
   const id = readString(event.id);
   const kind = readString(event.kind);
-  const path25 = readString(event.path);
+  const path24 = readString(event.path);
   let toolCall = id ? toolCallsById.get(id) : void 0;
   if (!toolCall) {
     toolCall = {};
@@ -4644,8 +4326,8 @@ function updateSessionFromEvent(ctx, event, toolCallsById) {
   if (kind) {
     toolCall.kind = kind;
   }
-  if (path25) {
-    toolCall.path = path25;
+  if (path24) {
+    toolCall.path = path24;
   }
 }
 var sessionCapture;
@@ -4731,8 +4413,8 @@ var init_usage_capture = __esm({
 });
 
 // packages/agent-spawn/src/acp/middlewares/spawn-log.ts
-import path5 from "node:path";
-import { homedir as homedir3 } from "node:os";
+import path4 from "node:path";
+import { homedir as homedir2 } from "node:os";
 import { mkdir, open } from "node:fs/promises";
 function pad(value, width) {
   return String(value).padStart(width, "0");
@@ -4765,11 +4447,11 @@ function resolveStartedAt(value) {
   return value;
 }
 function resolveLogFilePath(ctx) {
-  const baseDir = ctx.logDir ?? path5.join(homedir3(), ".poe-code", "spawn-logs");
+  const baseDir = ctx.logDir ?? path4.join(homedir2(), ".poe-code", "spawn-logs");
   const startedAt = resolveStartedAt(ctx.startedAt);
   const { day, time: time3, milliseconds } = formatTimestamp(startedAt);
   const fileName = `${day}-${time3}-${milliseconds}-${normalizeAgent(ctx.agent)}.jsonl`;
-  return path5.join(baseDir, fileName);
+  return path4.join(baseDir, fileName);
 }
 async function writePreloadedEvents(writer, events) {
   for (const event of events) {
@@ -4787,7 +4469,7 @@ var init_spawn_log = __esm({
       logDirPath;
       constructor(ctx) {
         this.logFilePath = resolveLogFilePath(ctx);
-        this.logDirPath = path5.dirname(this.logFilePath);
+        this.logDirPath = path4.dirname(this.logFilePath);
       }
       async writeEvent(event) {
         if (this.isDisabled) {
@@ -4872,7 +4554,7 @@ var init_src5 = __esm({
 });
 
 // src/cli/commands/shared.ts
-import path6 from "node:path";
+import path5 from "node:path";
 function resolveCommandFlags(program) {
   const opts = program.optsWithGlobals();
   return {
@@ -4945,7 +4627,7 @@ function buildResumeCommand(canonicalService, threadId, cwd) {
   if (!binaryName) {
     return void 0;
   }
-  const resumeCwd = path6.resolve(cwd);
+  const resumeCwd = path5.resolve(cwd);
   const args = spawnConfig.resumeCommand(threadId, resumeCwd);
   const agentCommand = [binaryName, ...args.map(shlexQuote)].join(" ");
   const needsCdPrefix = !args.includes(resumeCwd);
@@ -5042,7 +4724,7 @@ var init_shared = __esm({
 });
 
 // src/sdk/spawn-core.ts
-import path7 from "node:path";
+import path6 from "node:path";
 import chalk10 from "chalk";
 async function spawnCore(container, service, options, flags = { dryRun: false, verbose: false }) {
   const cwdOverride = resolveSpawnWorkingDirectory(
@@ -5141,10 +4823,10 @@ function resolveSpawnWorkingDirectory(baseDir, candidate) {
   if (!candidate || candidate.trim().length === 0) {
     return void 0;
   }
-  if (path7.isAbsolute(candidate)) {
+  if (path6.isAbsolute(candidate)) {
     return candidate;
   }
-  return path7.resolve(baseDir, candidate);
+  return path6.resolve(baseDir, candidate);
 }
 var init_spawn_core = __esm({
   "src/sdk/spawn-core.ts"() {
@@ -5154,14 +4836,14 @@ var init_spawn_core = __esm({
 });
 
 // src/cli/environment.ts
-import path8 from "node:path";
+import path7 from "node:path";
 function createCliEnvironment(init) {
   const platform = init.platform ?? process.platform;
   const variables = init.variables ?? process.env;
   const configPath = resolveConfigPath(init.homeDir);
   const logDir = resolveLogDir(init.homeDir);
   const { poeApiBaseUrl, poeBaseUrl } = resolvePoeBaseUrls(variables);
-  const resolveHomePath = (...segments) => path8.join(init.homeDir, ...segments);
+  const resolveHomePath = (...segments) => path7.join(init.homeDir, ...segments);
   const getVariable = (name) => variables[name];
   return {
     cwd: init.cwd,
@@ -5177,10 +4859,10 @@ function createCliEnvironment(init) {
   };
 }
 function resolveConfigPath(homeDir) {
-  return path8.join(homeDir, ".poe-code", "config.json");
+  return path7.join(homeDir, ".poe-code", "config.json");
 }
 function resolveLogDir(homeDir) {
-  return path8.join(homeDir, ".poe-code", "logs");
+  return path7.join(homeDir, ".poe-code", "logs");
 }
 function resolvePoeBaseUrls(variables) {
   const raw = variables.POE_BASE_URL;
@@ -5404,7 +5086,7 @@ var init_prompts2 = __esm({
 });
 
 // src/cli/options.ts
-function stripBracketedPaste2(value) {
+function stripBracketedPaste(value) {
   return value.replace(/\x1b\[200~/g, "").replace(/\x1b\[201~/g, "").replace(/undefinedndefined$/, "").replace(/undefined$/, "").replace(/ndefined$/, "");
 }
 function isAlphanumericWithSeparators(value) {
@@ -5423,7 +5105,7 @@ function isAlphanumericWithSeparators(value) {
 function hasMinimumApiKeyLength(value) {
   return value.length >= MIN_API_KEY_LENGTH;
 }
-function isValidApiKeyFormat2(key) {
+function isValidApiKeyFormat(key) {
   if (key.length === 0) return false;
   if (key.startsWith("sk-poe-")) {
     const hash2 = key.slice(7);
@@ -5447,7 +5129,7 @@ function createOptionResolvers(init) {
     return result;
   };
   const normalizeApiKey2 = (value) => {
-    const sanitized = stripBracketedPaste2(value);
+    const sanitized = stripBracketedPaste(value);
     const trimmed = sanitized.trim();
     if (trimmed.length === 0) {
       throw new Error("POE API key cannot be empty.");
@@ -5455,7 +5137,7 @@ function createOptionResolvers(init) {
     return trimmed;
   };
   const confirmKeyFormat = async (apiKey, assumeYes) => {
-    if (isValidApiKeyFormat2(apiKey)) return true;
+    if (isValidApiKeyFormat(apiKey)) return true;
     if (assumeYes) return false;
     return await init.confirm(
       "Key doesn't match expected API key format. Use it anyway?"
@@ -5614,7 +5296,7 @@ function isSilentError(error2) {
   }
   return error2.name === "SilentError" || error2.name === "OperationCancelledError";
 }
-var CliError, SilentError, ApiError, ValidationError, OperationCancelledError;
+var CliError, SilentError, ApiError, ValidationError, AuthenticationError, OperationCancelledError;
 var init_errors = __esm({
   "src/cli/errors.ts"() {
     "use strict";
@@ -5654,6 +5336,11 @@ var init_errors = __esm({
         super(message, context, { isUserError: true });
       }
     };
+    AuthenticationError = class extends CliError {
+      constructor(message, context) {
+        super(message, context, { isUserError: true });
+      }
+    };
     OperationCancelledError = class extends SilentError {
       constructor(message = "Operation cancelled.") {
         super(message, { isUserError: true });
@@ -5868,7 +5555,7 @@ var init_logger2 = __esm({
 });
 
 // src/cli/error-logger.ts
-import path9 from "node:path";
+import path8 from "node:path";
 var DEFAULT_MAX_SIZE, DEFAULT_MAX_BACKUPS, ErrorLogger;
 var init_error_logger = __esm({
   "src/cli/error-logger.ts"() {
@@ -5885,7 +5572,7 @@ var init_error_logger = __esm({
       fileLoggingAvailable;
       constructor(options) {
         this.fs = options.fs;
-        this.logFilePath = path9.join(options.logDir, "errors.log");
+        this.logFilePath = path8.join(options.logDir, "errors.log");
         this.logToStderr = options.logToStderr ?? true;
         this.maxSize = options.maxSize ?? DEFAULT_MAX_SIZE;
         this.maxBackups = options.maxBackups ?? DEFAULT_MAX_BACKUPS;
@@ -6004,7 +5691,7 @@ ${entry.stack}`);
         return `${this.logFilePath}.${index}`;
       }
       ensureLogDirectory() {
-        const directory = path9.dirname(this.logFilePath);
+        const directory = path8.dirname(this.logFilePath);
         try {
           if (!this.fs.existsSync(directory)) {
             this.fs.mkdirSync(directory, { recursive: true });
@@ -6022,7 +5709,7 @@ ${entry.stack}`);
 });
 
 // src/providers/index.ts
-import path10 from "node:path";
+import path9 from "node:path";
 import { readdir } from "node:fs/promises";
 import { fileURLToPath, pathToFileURL } from "node:url";
 function isProviderModule(filename) {
@@ -6049,7 +5736,7 @@ async function loadProviders() {
   for (const entry of entries) {
     if (!entry.isFile()) continue;
     if (!isProviderModule(entry.name)) continue;
-    const moduleUrl = pathToFileURL(path10.join(currentDir, entry.name)).href;
+    const moduleUrl = pathToFileURL(path9.join(currentDir, entry.name)).href;
     const moduleExports = await import(moduleUrl);
     if (!moduleExports.provider) {
       throw new Error(`Provider module "${entry.name}" must export "provider".`);
@@ -6065,8 +5752,8 @@ var moduleDir, currentDir, defaultProviders;
 var init_providers = __esm({
   async "src/providers/index.ts"() {
     "use strict";
-    moduleDir = path10.dirname(fileURLToPath(import.meta.url));
-    currentDir = path10.basename(moduleDir) === "providers" ? moduleDir : path10.join(moduleDir, "providers");
+    moduleDir = path9.dirname(fileURLToPath(import.meta.url));
+    currentDir = path9.basename(moduleDir) === "providers" ? moduleDir : path9.join(moduleDir, "providers");
     defaultProviders = await loadProviders();
   }
 });
@@ -6408,21 +6095,21 @@ function createSdkContainer(options) {
   });
   loggerFactory.setErrorLogger(errorLogger);
   const asyncFs = {
-    readFile: ((path25, encoding) => {
+    readFile: ((path24, encoding) => {
       if (encoding) {
-        return fs2.readFile(path25, encoding);
+        return fs2.readFile(path24, encoding);
       }
-      return fs2.readFile(path25);
+      return fs2.readFile(path24);
     }),
-    writeFile: (path25, data, opts) => fs2.writeFile(path25, data, opts),
-    mkdir: (path25, opts) => fs2.mkdir(path25, opts).then(() => {
+    writeFile: (path24, data, opts) => fs2.writeFile(path24, data, opts),
+    mkdir: (path24, opts) => fs2.mkdir(path24, opts).then(() => {
     }),
-    stat: (path25) => fs2.stat(path25),
-    rm: (path25, opts) => fs2.rm(path25, opts),
-    unlink: (path25) => fs2.unlink(path25),
-    readdir: (path25) => fs2.readdir(path25),
+    stat: (path24) => fs2.stat(path24),
+    rm: (path24, opts) => fs2.rm(path24, opts),
+    unlink: (path24) => fs2.unlink(path24),
+    readdir: (path24) => fs2.readdir(path24),
     copyFile: (src, dest) => fs2.copyFile(src, dest),
-    chmod: (path25, mode) => fs2.chmod(path25, mode)
+    chmod: (path24, mode) => fs2.chmod(path24, mode)
   };
   const contextFactory = createCommandContextFactory({ fs: asyncFs });
   const authFs = {
@@ -6432,21 +6119,21 @@ function createSdkContainer(options) {
     unlink: (filePath) => fs2.unlink(filePath),
     chmod: (filePath, mode) => fs2.chmod(filePath, mode)
   };
-  const { store: authStore } = createAuthStore({
+  const { store: authStore } = createSecretStore({
+    backendEnvVar: "POE_AUTH_BACKEND",
     env: variables,
     platform: process.platform,
     fileStore: {
       fs: authFs,
-      getHomeDirectory: () => homeDir
-    },
-    legacyCredentials: {
-      fs: authFs,
+      salt: "poe-code:encrypted-file-auth-store:v1",
+      defaultDirectory: ".poe-code",
+      defaultFileName: "credentials.enc",
       getHomeDirectory: () => homeDir
     }
   });
-  const readApiKey = authStore.getApiKey.bind(authStore);
-  const writeApiKey = authStore.setApiKey.bind(authStore);
-  const deleteApiKey = authStore.deleteApiKey.bind(authStore);
+  const readApiKey = authStore.get.bind(authStore);
+  const writeApiKey = authStore.set.bind(authStore);
+  const deleteApiKey = authStore.delete.bind(authStore);
   const noopPrompts = async () => {
     throw new Error("SDK does not support interactive prompts");
   };
@@ -7124,8 +6811,8 @@ function resourceNotFound(resource) {
     `Resource not found: ${resource}`
   );
 }
-function assertAbsolutePath(path25) {
-  if (!isAbsolute(path25)) {
+function assertAbsolutePath(path24) {
+  if (!isAbsolute(path24)) {
     throw invalidParams('"path" must be an absolute path');
   }
 }
@@ -7723,7 +7410,7 @@ var init_stream_helpers = __esm({
 
 // packages/poe-acp-client/src/run-report.ts
 import * as fsPromises from "node:fs/promises";
-import { homedir as homedir5 } from "node:os";
+import { homedir as homedir4 } from "node:os";
 import { join } from "node:path";
 async function generateRunReportFromSessionUpdateStream(stream, options = {}) {
   const now = options.now ?? (() => /* @__PURE__ */ new Date());
@@ -8886,7 +8573,7 @@ var init_acp_core = __esm({
 });
 
 // packages/poe-agent/src/plugins/plugin-args.ts
-import path11 from "node:path";
+import path10 from "node:path";
 function isObjectRecord3(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
@@ -8917,13 +8604,13 @@ function getOptionalString(args, key) {
   return value;
 }
 function resolveAllowedPath(cwd, allowedPaths, inputPath) {
-  const resolvedPath = path11.resolve(cwd, inputPath);
+  const resolvedPath = path10.resolve(cwd, inputPath);
   const isAllowed = allowedPaths.some((allowedPath) => {
     if (allowedPath === resolvedPath) {
       return true;
     }
-    const rel = path11.relative(allowedPath, resolvedPath);
-    return rel.length > 0 && !rel.startsWith("..") && !path11.isAbsolute(rel);
+    const rel = path10.relative(allowedPath, resolvedPath);
+    return rel.length > 0 && !rel.startsWith("..") && !path10.isAbsolute(rel);
   });
   if (!isAllowed) {
     throw new Error(`Path is outside allowed paths: ${inputPath}`);
@@ -8938,7 +8625,7 @@ var init_plugin_args = __esm({
 
 // packages/poe-agent/src/plugins/poe-agent-plugin-files.ts
 import fsPromises2 from "node:fs/promises";
-import path12 from "node:path";
+import path11 from "node:path";
 async function fileExists(fs3, filePath) {
   try {
     await fs3.readFile(filePath, "utf8");
@@ -8962,9 +8649,9 @@ var init_poe_agent_plugin_files = __esm({
     "use strict";
     init_plugin_args();
     filesPlugin = (options = {}) => {
-      const cwd = path12.resolve(options.cwd ?? process.cwd());
+      const cwd = path11.resolve(options.cwd ?? process.cwd());
       const allowedPaths = (options.allowedPaths ?? [cwd]).map(
-        (allowedPath) => path12.resolve(cwd, allowedPath)
+        (allowedPath) => path11.resolve(cwd, allowedPath)
       );
       const fs3 = options.fs ?? fsPromises2;
       const readFileTool = {
@@ -9018,7 +8705,7 @@ var init_poe_agent_plugin_files = __esm({
         async call(args) {
           const command = getRequiredString(args, "command");
           const filePath = resolveAllowedPath(cwd, allowedPaths, getRequiredString(args, "path"));
-          const displayedPath = path12.relative(cwd, filePath) || path12.basename(filePath);
+          const displayedPath = path11.relative(cwd, filePath) || path11.basename(filePath);
           if (command === "str_replace") {
             const oldStr = getRequiredString(args, "old_str", true);
             const newStr = getRequiredString(args, "new_str", true);
@@ -9038,7 +8725,7 @@ var init_poe_agent_plugin_files = __esm({
             if (await fileExists(fs3, filePath)) {
               throw new Error("File already exists \u2014 use str_replace to edit");
             }
-            await fs3.mkdir(path12.dirname(filePath), { recursive: true });
+            await fs3.mkdir(path11.dirname(filePath), { recursive: true });
             await fs3.writeFile(filePath, fileText, "utf8");
             return `Created file: ${displayedPath}`;
           }
@@ -9079,7 +8766,7 @@ var init_poe_agent_plugin_files = __esm({
 
 // packages/poe-agent/src/plugins/poe-agent-plugin-shell.ts
 import { exec as execCallback } from "node:child_process";
-import path13 from "node:path";
+import path12 from "node:path";
 import { promisify } from "node:util";
 async function defaultRunCommand(command, cwd) {
   try {
@@ -9112,9 +8799,9 @@ var init_poe_agent_plugin_shell = __esm({
     init_plugin_args();
     exec = promisify(execCallback);
     shellPlugin = (options = {}) => {
-      const cwd = path13.resolve(options.cwd ?? process.cwd());
+      const cwd = path12.resolve(options.cwd ?? process.cwd());
       const allowedPaths = (options.allowedPaths ?? [cwd]).map(
-        (allowedPath) => path13.resolve(cwd, allowedPath)
+        (allowedPath) => path12.resolve(cwd, allowedPath)
       );
       const runCommand2 = options.runCommand ?? defaultRunCommand;
       const runCommandTool = {
@@ -11441,8 +11128,15 @@ async function resolveApiKey(explicitApiKey) {
   if (normalizedExplicitApiKey) {
     return normalizedExplicitApiKey;
   }
-  const { store } = createAuthStore();
-  const storedApiKey = normalizeNonEmptyString(await store.getApiKey());
+  const { store } = createSecretStore({
+    backendEnvVar: "POE_AUTH_BACKEND",
+    fileStore: {
+      salt: "poe-code:encrypted-file-auth-store:v1",
+      defaultDirectory: ".poe-code",
+      defaultFileName: "credentials.enc"
+    }
+  });
+  const storedApiKey = normalizeNonEmptyString(await store.get());
   if (storedApiKey) {
     return storedApiKey;
   }
@@ -12451,7 +12145,7 @@ var init_spawn3 = __esm({
 });
 
 // packages/pipeline/src/utils.ts
-function isRecord3(value) {
+function isRecord2(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 function isNotFound2(error2) {
@@ -12485,7 +12179,7 @@ var init_utils2 = __esm({
 });
 
 // packages/pipeline/src/config/loader.ts
-import path14 from "node:path";
+import path13 from "node:path";
 import { parse as parse4 } from "yaml";
 function asStepMode(value) {
   if (value === void 0 || value === null) {
@@ -12509,19 +12203,19 @@ function parseStepConfigDocument(filePath, content) {
   if (document === null || document === void 0) {
     return {};
   }
-  if (!isRecord3(document)) {
+  if (!isRecord2(document)) {
     throw new Error(`Invalid pipeline step config in "${filePath}": expected a top-level object.`);
   }
   const stepsValue = document.steps;
   if (stepsValue === void 0 || stepsValue === null) {
     return {};
   }
-  if (!isRecord3(stepsValue)) {
+  if (!isRecord2(stepsValue)) {
     throw new Error(`Invalid pipeline step config in "${filePath}": "steps" must be an object.`);
   }
   const steps = {};
   for (const [stepName, value] of Object.entries(stepsValue)) {
-    if (!isRecord3(value)) {
+    if (!isRecord2(value)) {
       throw new Error(`Invalid step "${stepName}" in "${filePath}": expected an object.`);
     }
     const instruction = value.instruction;
@@ -12543,7 +12237,7 @@ function parseConfigDocument(filePath, content) {
   if (document === null || document === void 0) {
     return {};
   }
-  if (!isRecord3(document)) {
+  if (!isRecord2(document)) {
     throw new Error(`Invalid pipeline config in "${filePath}": expected a top-level object.`);
   }
   const planPath = document.planPath;
@@ -12569,8 +12263,8 @@ async function loadStepsFile(fs3, filePath) {
   return parseStepConfigDocument(filePath, content);
 }
 async function loadPipelineConfig(options) {
-  const globalPath = path14.join(options.homeDir, ".poe-code", "pipeline", "config.yaml");
-  const projectPath = path14.join(options.cwd, ".poe-code", "pipeline", "config.yaml");
+  const globalPath = path13.join(options.homeDir, ".poe-code", "pipeline", "config.yaml");
+  const projectPath = path13.join(options.cwd, ".poe-code", "pipeline", "config.yaml");
   const [globalConfig2, projectConfig] = await Promise.all([
     loadConfigFile(options.fs, globalPath),
     loadConfigFile(options.fs, projectPath)
@@ -12581,8 +12275,8 @@ async function loadPipelineConfig(options) {
   };
 }
 async function loadResolvedSteps(options) {
-  const globalPath = path14.join(options.homeDir, ".poe-code", "pipeline", "steps.yaml");
-  const projectPath = path14.join(options.cwd, ".poe-code", "pipeline", "steps.yaml");
+  const globalPath = path13.join(options.homeDir, ".poe-code", "pipeline", "steps.yaml");
+  const projectPath = path13.join(options.cwd, ".poe-code", "pipeline", "steps.yaml");
   const [globalSteps, projectSteps] = await Promise.all([
     loadStepsFile(options.fs, globalPath),
     loadStepsFile(options.fs, projectPath)
@@ -12621,7 +12315,7 @@ function parseTaskStatus(value, availableSteps, taskId) {
   if (typeof value === "string") {
     return normalizeStatus(value, "task status");
   }
-  if (!isRecord3(value)) {
+  if (!isRecord2(value)) {
     throw new Error(`Invalid status for task "${taskId}": expected a string or step-status map.`);
   }
   const statusMap = {};
@@ -12641,7 +12335,7 @@ function parsePlan(yamlContent, options = {}) {
     const message = error2 instanceof Error ? error2.message : String(error2);
     throw new Error(`Invalid plan YAML: ${message}`);
   }
-  if (!isRecord3(document)) {
+  if (!isRecord2(document)) {
     throw new Error("Invalid plan YAML: expected a top-level object.");
   }
   const tasksValue = document.tasks;
@@ -12650,7 +12344,7 @@ function parsePlan(yamlContent, options = {}) {
   }
   const ids = /* @__PURE__ */ new Set();
   const tasks = tasksValue.map((value, index) => {
-    if (!isRecord3(value)) {
+    if (!isRecord2(value)) {
       throw new Error(`Invalid tasks[${index}]: expected an object.`);
     }
     const id = asRequiredString(value.id, `tasks[${index}].id`);
@@ -12675,7 +12369,7 @@ var init_parser = __esm({
 });
 
 // packages/pipeline/src/plan/discovery.ts
-import path15 from "node:path";
+import path14 from "node:path";
 import * as fsPromises3 from "node:fs/promises";
 function createDefaultFs() {
   return {
@@ -12711,7 +12405,7 @@ function countCompletedTasks(planPath, content) {
   };
 }
 async function ensurePlanExists(fs3, cwd, planPath) {
-  const absolutePath = path15.isAbsolute(planPath) ? planPath : path15.resolve(cwd, planPath);
+  const absolutePath = path14.isAbsolute(planPath) ? planPath : path14.resolve(cwd, planPath);
   try {
     const stat6 = await fs3.stat(absolutePath);
     if (!stat6.isFile()) {
@@ -12739,20 +12433,20 @@ async function scanPlansDir(fs3, plansDir, displayPrefix) {
     if (!isPlanCandidateFile(entry)) {
       continue;
     }
-    const absolutePath = path15.join(plansDir, entry);
+    const absolutePath = path14.join(plansDir, entry);
     const stat6 = await fs3.stat(absolutePath);
     if (!stat6.isFile()) {
       continue;
     }
-    const displayPath = path15.join(displayPrefix, entry);
+    const displayPath = path14.join(displayPrefix, entry);
     const content = await fs3.readFile(absolutePath, "utf8");
     candidates.push(countCompletedTasks(displayPath, content));
   }
   return candidates;
 }
 async function listPlanCandidates(fs3, cwd, homeDir) {
-  const projectDir = path15.join(cwd, ".poe-code", "pipeline", "plans");
-  const globalDir = path15.join(homeDir, ".poe-code", "pipeline", "plans");
+  const projectDir = path14.join(cwd, ".poe-code", "pipeline", "plans");
+  const globalDir = path14.join(homeDir, ".poe-code", "pipeline", "plans");
   const [projectCandidates, globalCandidates] = await Promise.all([
     scanPlansDir(fs3, projectDir, ".poe-code/pipeline/plans"),
     scanPlansDir(fs3, globalDir, "~/.poe-code/pipeline/plans")
@@ -12763,9 +12457,9 @@ async function listPlanCandidates(fs3, cwd, homeDir) {
 }
 function resolveAbsolutePlanPath(planPath, cwd, homeDir) {
   if (planPath.startsWith("~/")) {
-    return path15.join(homeDir, planPath.slice(2));
+    return path14.join(homeDir, planPath.slice(2));
   }
-  return path15.isAbsolute(planPath) ? planPath : path15.resolve(cwd, planPath);
+  return path14.isAbsolute(planPath) ? planPath : path14.resolve(cwd, planPath);
 }
 async function resolvePlanPath(options) {
   const fs3 = options.fs ?? createDefaultFs();
@@ -13008,7 +12702,7 @@ var init_lock = __esm({
 });
 
 // packages/pipeline/src/run/pipeline.ts
-import path16 from "node:path";
+import path15 from "node:path";
 import * as fsPromises5 from "node:fs/promises";
 function createDefaultFs3() {
   return {
@@ -13044,9 +12738,9 @@ function resolveMode(stepName, steps) {
   return step.mode;
 }
 async function archivePlan(fs3, absolutePlanPath) {
-  const dir = path16.dirname(absolutePlanPath);
-  const archiveDir = path16.join(dir, "archive");
-  const archivePath = path16.join(archiveDir, path16.basename(absolutePlanPath));
+  const dir = path15.dirname(absolutePlanPath);
+  const archiveDir = path15.join(dir, "archive");
+  const archivePath = path15.join(archiveDir, path15.basename(absolutePlanPath));
   await fs3.mkdir(archiveDir, { recursive: true });
   await fs3.rename(absolutePlanPath, archivePath);
 }
@@ -13383,13 +13077,13 @@ async function readErrorBody(response) {
   }
 }
 function extractTextContent(data) {
-  if (!isRecord4(data)) return void 0;
+  if (!isRecord3(data)) return void 0;
   const choices = data.choices;
   if (!Array.isArray(choices) || choices.length === 0) return void 0;
   const first = choices[0];
-  if (!isRecord4(first)) return void 0;
+  if (!isRecord3(first)) return void 0;
   const message = first.message;
-  if (!isRecord4(message)) return void 0;
+  if (!isRecord3(message)) return void 0;
   return typeof message.content === "string" ? message.content : void 0;
 }
 function extractMediaFromCompletion(data) {
@@ -13397,14 +13091,14 @@ function extractMediaFromCompletion(data) {
   if (!content) return {};
   try {
     const parsed = JSON.parse(content);
-    if (isRecord4(parsed) && typeof parsed.url === "string") {
+    if (isRecord3(parsed) && typeof parsed.url === "string") {
       return {
         url: parsed.url,
         mimeType: typeof parsed.mimeType === "string" ? parsed.mimeType : void 0,
         data: typeof parsed.data === "string" ? parsed.data : void 0
       };
     }
-    if (isRecord4(parsed) && typeof parsed.data === "string") {
+    if (isRecord3(parsed) && typeof parsed.data === "string") {
       return {
         data: parsed.data,
         mimeType: typeof parsed.mimeType === "string" ? parsed.mimeType : void 0
@@ -13438,7 +13132,7 @@ function isValidUrl(value) {
     return false;
   }
 }
-function isRecord4(value) {
+function isRecord3(value) {
   return Boolean(value && typeof value === "object" && !Array.isArray(value));
 }
 var init_llm_client = __esm({
@@ -13478,6 +13172,213 @@ var init_client_instance = __esm({
   }
 });
 
+// packages/poe-oauth/src/check-auth.ts
+var init_check_auth = __esm({
+  "packages/poe-oauth/src/check-auth.ts"() {
+    "use strict";
+  }
+});
+
+// packages/poe-oauth/src/api-key-validation.ts
+var init_api_key_validation = __esm({
+  "packages/poe-oauth/src/api-key-validation.ts"() {
+    "use strict";
+  }
+});
+
+// packages/poe-oauth/src/oauth-client.ts
+import http from "node:http";
+import crypto from "node:crypto";
+function createOAuthClient(config2) {
+  const fetchFn = config2.fetch ?? globalThis.fetch;
+  return {
+    authorize: () => startAuthorization(config2, fetchFn)
+  };
+}
+function generateCodeVerifier() {
+  return crypto.randomBytes(32).toString("base64url");
+}
+function generateCodeChallenge(verifier) {
+  return crypto.createHash("sha256").update(verifier).digest("base64url");
+}
+async function startAuthorization(config2, fetchFn) {
+  const codeVerifier = generateCodeVerifier();
+  const codeChallenge = generateCodeChallenge(codeVerifier);
+  const server = config2.createServer ? config2.createServer() : http.createServer();
+  const port = await startServer(server);
+  const redirectUri = `http://127.0.0.1:${port}/callback`;
+  const authorizationUrl = buildAuthorizationUrl({
+    endpoint: config2.authorizationEndpoint,
+    clientId: config2.clientId,
+    redirectUri,
+    codeChallenge
+  });
+  const waitForResult = async () => {
+    try {
+      const code = await waitForAuthorizationCode(server, config2, authorizationUrl);
+      return await exchangeCodeForApiKey({
+        tokenEndpoint: config2.tokenEndpoint,
+        code,
+        codeVerifier,
+        clientId: config2.clientId,
+        redirectUri,
+        fetchFn
+      });
+    } finally {
+      server.closeAllConnections?.();
+      server.close();
+    }
+  };
+  return { authorizationUrl, waitForResult };
+}
+function startServer(server) {
+  return new Promise((resolve) => {
+    server.listen(0, "127.0.0.1", () => {
+      const address = server.address();
+      resolve(address.port);
+    });
+  });
+}
+function buildAuthorizationUrl(params) {
+  const url2 = new URL(params.endpoint);
+  url2.searchParams.set("response_type", "code");
+  url2.searchParams.set("client_id", params.clientId);
+  url2.searchParams.set("scope", "apikey:create");
+  url2.searchParams.set("code_challenge", params.codeChallenge);
+  url2.searchParams.set("code_challenge_method", "S256");
+  url2.searchParams.set("redirect_uri", params.redirectUri);
+  return url2.toString();
+}
+function waitForAuthorizationCode(server, config2, authorizationUrl) {
+  return new Promise((resolve, reject) => {
+    let settled = false;
+    const settle = (fn) => {
+      if (!settled) {
+        settled = true;
+        fn();
+      }
+    };
+    server.on("request", (req, res) => {
+      const url2 = new URL(req.url, `http://127.0.0.1`);
+      if (url2.pathname !== "/callback") {
+        res.writeHead(404);
+        res.end("Not found");
+        return;
+      }
+      const error2 = url2.searchParams.get("error");
+      if (error2) {
+        const description = url2.searchParams.get("error_description") ?? error2;
+        res.writeHead(400);
+        res.end(`Authorization failed: ${description}`);
+        settle(() => reject(new Error(`OAuth authorization failed: ${error2} \u2014 ${description}`)));
+        return;
+      }
+      const code = url2.searchParams.get("code");
+      if (!code) {
+        res.writeHead(400);
+        res.end("Missing authorization code");
+        settle(() => reject(new Error("OAuth callback missing authorization code")));
+        return;
+      }
+      res.writeHead(200, { "Content-Type": "text/html" });
+      res.end(buildSuccessPage());
+      settle(() => resolve(code));
+    });
+    if (config2.readLine) {
+      config2.readLine().then((input) => {
+        const code = extractCodeFromInput(input);
+        if (code) {
+          settle(() => resolve(code));
+        }
+      }).catch(() => {
+      });
+    }
+    if (config2.openBrowser) {
+      config2.openBrowser(authorizationUrl).catch(
+        (err) => settle(() => reject(err))
+      );
+    }
+  });
+}
+function extractCodeFromInput(input) {
+  const trimmed = input.replace(/[\r\n]/g, "").trim();
+  if (trimmed.length === 0) {
+    return null;
+  }
+  try {
+    const url2 = new URL(trimmed);
+    return url2.searchParams.get("code");
+  } catch {
+    return trimmed;
+  }
+}
+async function exchangeCodeForApiKey(params) {
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    code: params.code,
+    code_verifier: params.codeVerifier,
+    client_id: params.clientId,
+    redirect_uri: params.redirectUri
+  });
+  const response = await params.fetchFn(params.tokenEndpoint, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: body.toString()
+  });
+  if (!response.ok) {
+    const text4 = await response.text();
+    const description = parseErrorDescription(text4);
+    throw new Error(description ?? `Token exchange failed (${response.status}): ${text4}`);
+  }
+  const data = await response.json();
+  if (typeof data.api_key !== "string" || data.api_key.length === 0) {
+    throw new Error("Token response missing api_key field");
+  }
+  return {
+    apiKey: data.api_key,
+    expiresIn: typeof data.api_key_expires_in === "number" ? data.api_key_expires_in : null
+  };
+}
+function parseErrorDescription(text4) {
+  try {
+    const data = JSON.parse(text4);
+    if (typeof data.error_description === "string") {
+      return data.error_description;
+    }
+    if (typeof data.error === "string") {
+      return data.error;
+    }
+  } catch {
+  }
+  return null;
+}
+function buildSuccessPage() {
+  return [
+    "<!DOCTYPE html>",
+    "<html><head><meta charset=utf-8><title>Connected to Poe</title></head>",
+    '<body style="font-family:system-ui,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0">',
+    '<div style="text-align:center">',
+    "<h1>Connected to Poe</h1>",
+    '<p style="color:#666">You can close this tab and return to your terminal.</p>',
+    "</div></body></html>"
+  ].join("");
+}
+var init_oauth_client = __esm({
+  "packages/poe-oauth/src/oauth-client.ts"() {
+    "use strict";
+  }
+});
+
+// packages/poe-oauth/src/index.ts
+var init_src10 = __esm({
+  "packages/poe-oauth/src/index.ts"() {
+    "use strict";
+    init_check_auth();
+    init_api_key_validation();
+    init_oauth_client();
+  }
+});
+
 // src/cli/oauth-login.ts
 import { exec as exec2 } from "node:child_process";
 import readline from "node:readline";
@@ -13522,7 +13423,7 @@ function openInBrowser(url2) {
 var init_oauth_login = __esm({
   "src/cli/oauth-login.ts"() {
     "use strict";
-    init_src();
+    init_src10();
     init_src4();
   }
 });
@@ -13569,21 +13470,21 @@ function createCliContainer(dependencies) {
     unlink: (filePath) => dependencies.fs.unlink(filePath),
     chmod: (filePath, mode) => dependencies.fs.chmod ? dependencies.fs.chmod(filePath, mode) : Promise.resolve()
   };
-  const { store: authStore } = createAuthStore({
+  const { store: authStore } = createSecretStore({
+    backendEnvVar: "POE_AUTH_BACKEND",
     env: dependencies.env.variables,
     platform: dependencies.env.platform,
     fileStore: {
       fs: authFs,
-      getHomeDirectory: () => dependencies.env.homeDir
-    },
-    legacyCredentials: {
-      fs: authFs,
+      salt: "poe-code:encrypted-file-auth-store:v1",
+      defaultDirectory: ".poe-code",
+      defaultFileName: "credentials.enc",
       getHomeDirectory: () => dependencies.env.homeDir
     }
   });
-  const readApiKey = authStore.getApiKey.bind(authStore);
-  const writeApiKey = authStore.setApiKey.bind(authStore);
-  const deleteApiKey = authStore.deleteApiKey.bind(authStore);
+  const readApiKey = authStore.get.bind(authStore);
+  const writeApiKey = authStore.set.bind(authStore);
+  const deleteApiKey = authStore.delete.bind(authStore);
   const oauthEnabled = (dependencies.env.variables ?? process.env).POE_CODE_OAUTH_LOGIN !== "0";
   const options = createOptionResolvers({
     prompts: dependencies.prompts,
@@ -13653,7 +13554,7 @@ var init_container2 = __esm({
 });
 
 // src/services/config.ts
-import path18 from "node:path";
+import path17 from "node:path";
 async function deleteConfig(options) {
   const { fs: fs3, filePath } = options;
   try {
@@ -13723,7 +13624,7 @@ async function readConfigDocument(fs3, filePath) {
   }
 }
 async function migrateLegacyCredentialsFile(fs3, configPath) {
-  const legacyPath = path18.join(path18.dirname(configPath), "credentials.json");
+  const legacyPath = path17.join(path17.dirname(configPath), "credentials.json");
   try {
     const raw = await fs3.readFile(legacyPath, "utf8");
     const document = await parseConfigDocument2(fs3, legacyPath, raw);
@@ -13747,7 +13648,7 @@ async function parseConfigDocument2(fs3, filePath, raw) {
   }
 }
 function normalizeConfigDocument(value) {
-  if (!isRecord5(value)) {
+  if (!isRecord4(value)) {
     return {};
   }
   const document = {};
@@ -13761,12 +13662,12 @@ function normalizeConfigDocument(value) {
   return document;
 }
 function normalizeConfiguredServices(value) {
-  if (!isRecord5(value)) {
+  if (!isRecord4(value)) {
     return {};
   }
   const entries = {};
   for (const [key, entry] of Object.entries(value)) {
-    if (!isRecord5(entry)) {
+    if (!isRecord4(entry)) {
       continue;
     }
     const normalized = normalizeConfiguredServiceMetadata({
@@ -13777,7 +13678,7 @@ function normalizeConfiguredServices(value) {
   return entries;
 }
 async function writeConfigDocument(fs3, filePath, document) {
-  await fs3.mkdir(path18.dirname(filePath), { recursive: true });
+  await fs3.mkdir(path17.dirname(filePath), { recursive: true });
   const payload = {};
   if (document.apiKey) {
     payload.apiKey = document.apiKey;
@@ -13797,11 +13698,11 @@ async function recoverInvalidConfig(fs3, filePath, content) {
 }
 function createInvalidBackupPath(filePath) {
   const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-  const dir = path18.dirname(filePath);
-  const base = path18.basename(filePath);
-  return path18.join(dir, `${base}.invalid-${timestamp}.json`);
+  const dir = path17.dirname(filePath);
+  const base = path17.basename(filePath);
+  return path17.join(dir, `${base}.invalid-${timestamp}.json`);
 }
-function isRecord5(value) {
+function isRecord4(value) {
   return Boolean(value && typeof value === "object" && !Array.isArray(value));
 }
 var EMPTY_DOCUMENT;
@@ -14061,7 +13962,7 @@ var init_agent2 = __esm({
 });
 
 // src/cli/commands/spawn.ts
-import path19 from "node:path";
+import path18 from "node:path";
 function registerSpawnCommand(program, container, options = {}) {
   const spawnServices = container.registry.list().filter((service) => typeof service.spawn === "function" || getSpawnConfig(service.name)).map((service) => service.name);
   const extraServices = options.extraServices ?? [];
@@ -14272,10 +14173,10 @@ function resolveSpawnWorkingDirectory2(baseDir, candidate) {
   if (!candidate || candidate.trim().length === 0) {
     return void 0;
   }
-  if (path19.isAbsolute(candidate)) {
+  if (path18.isAbsolute(candidate)) {
     return candidate;
   }
-  return path19.resolve(baseDir, candidate);
+  return path18.resolve(baseDir, candidate);
 }
 function parseMcpSpawnConfig2(input) {
   if (!input) {
@@ -14395,7 +14296,7 @@ var init_spawn4 = __esm({
 });
 
 // src/sdk/research.ts
-import path20 from "node:path";
+import path19 from "node:path";
 async function research(container, options) {
   const logger2 = options.logger;
   const source = await resolveSource({
@@ -14430,7 +14331,7 @@ async function research(container, options) {
         markdown: markdownOutput
       });
       outputPath = buildOutputPath(container.env.homeDir, options.prompt);
-      await ensureDirectory2(container.fs, path20.dirname(outputPath));
+      await ensureDirectory2(container.fs, path19.dirname(outputPath));
       await container.fs.writeFile(outputPath, document, {
         encoding: "utf8"
       });
@@ -14505,7 +14406,7 @@ function buildResearchDocument(input) {
 }
 function buildClonePath(homeDir, github) {
   const slug = extractRepoSlug(github);
-  return path20.join(homeDir, ".poe-code", "repos", slug);
+  return path19.join(homeDir, ".poe-code", "repos", slug);
 }
 function extractRepoSlug(value) {
   const trimmed = value.trim();
@@ -14543,7 +14444,7 @@ function extractRepoSlug(value) {
 function buildOutputPath(homeDir, prompt, now = /* @__PURE__ */ new Date()) {
   const timestamp = formatTimestamp2(now);
   const slug = buildSlug(prompt);
-  return path20.join(
+  return path19.join(
     homeDir,
     ".poe-code",
     "research",
@@ -14564,7 +14465,7 @@ async function resolveSource(input) {
   if (options.github) {
     const cloneUrl = resolveGithubCloneUrl(options.github);
     const clonePath = buildClonePath(container.env.homeDir, options.github);
-    await ensureDirectory2(container.fs, path20.dirname(clonePath));
+    await ensureDirectory2(container.fs, path19.dirname(clonePath));
     const exists = await pathExists2(container.fs, clonePath);
     if (!exists) {
       const cloneResult = await container.commandRunner(
@@ -14662,10 +14563,10 @@ function formatYamlString(value) {
   return JSON.stringify(value);
 }
 function resolvePath2(baseDir, candidate) {
-  if (path20.isAbsolute(candidate)) {
+  if (path19.isAbsolute(candidate)) {
     return candidate;
   }
-  return path20.resolve(baseDir, candidate);
+  return path19.resolve(baseDir, candidate);
 }
 function teeAcpStream(events) {
   const chunks = [];
@@ -14725,7 +14626,7 @@ async function removePathFallback(fs3, target) {
   if (stats && typeof stats.isDirectory === "function" && stats.isDirectory()) {
     const entries = await fs3.readdir(target);
     for (const entry of entries) {
-      await removePathFallback(fs3, path20.join(target, entry));
+      await removePathFallback(fs3, path19.join(target, entry));
     }
   }
   try {
@@ -15064,10 +14965,7 @@ async function executeLogin(program, container, options) {
     resources.context.finalize();
   } catch (error2) {
     if (error2 instanceof Error) {
-      resources.logger.logException(error2, "login command", {
-        operation: "login",
-        configPath: container.env.configPath
-      });
+      throw new AuthenticationError(error2.message);
     }
     throw error2;
   }
@@ -15120,10 +15018,11 @@ async function reconfigureServices(input) {
     });
   }
 }
-var init_login2 = __esm({
+var init_login = __esm({
   "src/cli/commands/login.ts"() {
     "use strict";
     init_shared();
+    init_errors();
     init_config2();
     init_mutation_events();
   }
@@ -15300,7 +15199,7 @@ async function executeLogout(program, container) {
   });
   resources.context.finalize();
 }
-var init_logout2 = __esm({
+var init_logout = __esm({
   "src/cli/commands/logout.ts"() {
     "use strict";
     init_config2();
@@ -15405,8 +15304,8 @@ var init_auth = __esm({
     init_errors();
     init_config2();
     init_shared();
-    init_login2();
-    init_logout2();
+    init_login();
+    init_logout();
   }
 });
 
@@ -15606,7 +15505,7 @@ var init_media_download = __esm({
 });
 
 // src/cli/commands/generate.ts
-import path21 from "node:path";
+import path20 from "node:path";
 function registerGenerateCommand(program, container) {
   const generate2 = program.command("generate").description("Generate content via Poe API").option("--model <model>", `Model identifier (default: ${DEFAULT_TEXT_MODEL})`).option(
     "--param <key=value>",
@@ -15872,11 +15771,11 @@ function getDefaultMimeType(type) {
   return defaults[type];
 }
 function resolveOutputPath(filename, cwd) {
-  if (path21.isAbsolute(filename)) {
+  if (path20.isAbsolute(filename)) {
     return { path: filename, label: filename };
   }
   return {
-    path: path21.join(cwd, filename),
+    path: path20.join(cwd, filename),
     label: `./${filename}`
   };
 }
@@ -16980,8 +16879,8 @@ var init_parseUtil = __esm({
     init_errors3();
     init_en();
     makeIssue = (params) => {
-      const { data, path: path25, errorMaps, issueData } = params;
-      const fullPath = [...path25, ...issueData.path || []];
+      const { data, path: path24, errorMaps, issueData } = params;
+      const fullPath = [...path24, ...issueData.path || []];
       const fullIssue = {
         ...issueData,
         path: fullPath
@@ -17261,11 +17160,11 @@ var init_types4 = __esm({
     init_parseUtil();
     init_util();
     ParseInputLazyPath = class {
-      constructor(parent, value, path25, key) {
+      constructor(parent, value, path24, key) {
         this._cachedPath = [];
         this.parent = parent;
         this.data = value;
-        this._path = path25;
+        this._path = path24;
         this._key = key;
       }
       get path() {
@@ -20769,10 +20668,10 @@ function mergeDefs(...defs) {
 function cloneDef(schema) {
   return mergeDefs(schema._zod.def);
 }
-function getElementAtPath(obj, path25) {
-  if (!path25)
+function getElementAtPath(obj, path24) {
+  if (!path24)
     return obj;
-  return path25.reduce((acc, key) => acc?.[key], obj);
+  return path24.reduce((acc, key) => acc?.[key], obj);
 }
 function promiseAllObject(promisesObj) {
   const keys = Object.keys(promisesObj);
@@ -21084,11 +20983,11 @@ function aborted(x, startIndex = 0) {
   }
   return false;
 }
-function prefixIssues(path25, issues) {
+function prefixIssues(path24, issues) {
   return issues.map((iss) => {
     var _a2;
     (_a2 = iss).path ?? (_a2.path = []);
-    iss.path.unshift(path25);
+    iss.path.unshift(path24);
     return iss;
   });
 }
@@ -33249,8 +33148,8 @@ var require_utils = __commonJS({
       }
       return ind;
     }
-    function removeDotSegments(path25) {
-      let input = path25;
+    function removeDotSegments(path24) {
+      let input = path24;
       const output = [];
       let nextSlash = -1;
       let len = 0;
@@ -33449,8 +33348,8 @@ var require_schemes = __commonJS({
         wsComponent.secure = void 0;
       }
       if (wsComponent.resourceName) {
-        const [path25, query] = wsComponent.resourceName.split("?");
-        wsComponent.path = path25 && path25 !== "/" ? path25 : void 0;
+        const [path24, query] = wsComponent.resourceName.split("?");
+        wsComponent.path = path24 && path24 !== "/" ? path24 : void 0;
         wsComponent.query = query;
         wsComponent.resourceName = void 0;
       }
@@ -36683,7 +36582,7 @@ var init_content = __esm({
 });
 
 // packages/tiny-stdio-mcp-server/src/index.ts
-var init_src10 = __esm({
+var init_src11 = __esm({
   "packages/tiny-stdio-mcp-server/src/index.ts"() {
     "use strict";
     init_server();
@@ -36987,7 +36886,7 @@ var generateTextSchema, generateImageSchema, generateVideoSchema, generateAudioS
 var init_mcp_server = __esm({
   "src/cli/mcp-server.ts"() {
     "use strict";
-    init_src10();
+    init_src11();
     init_client_instance();
     init_constants();
     generateTextSchema = defineSchema({
@@ -37393,9 +37292,9 @@ var init_shapes = __esm({
 });
 
 // packages/agent-mcp-config/src/apply.ts
-import path22 from "node:path";
+import path21 from "node:path";
 function getConfigDirectory(configPath) {
-  return path22.dirname(configPath);
+  return path21.dirname(configPath);
 }
 function isConfigObject5(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
@@ -37497,7 +37396,7 @@ var init_apply = __esm({
 });
 
 // packages/agent-mcp-config/src/index.ts
-var init_src11 = __esm({
+var init_src12 = __esm({
   "packages/agent-mcp-config/src/index.ts"() {
     "use strict";
     init_configs2();
@@ -37677,7 +37576,7 @@ var init_mcp2 = __esm({
     init_shared();
     init_mcp_output_format();
     init_command_not_found();
-    init_src11();
+    init_src12();
     init_execution_context();
     DEFAULT_MCP_AGENT = "claude-code";
   }
@@ -37685,7 +37584,7 @@ var init_mcp2 = __esm({
 
 // packages/agent-skill-config/src/configs.ts
 import os2 from "node:os";
-import path23 from "node:path";
+import path22 from "node:path";
 function resolveAgentSupport2(input, registry2 = agentSkillConfigs) {
   const resolvedId = resolveAgentId(input);
   if (!resolvedId) {
@@ -37877,7 +37776,7 @@ var init_apply2 = __esm({
 });
 
 // packages/agent-skill-config/src/index.ts
-var init_src12 = __esm({
+var init_src13 = __esm({
   "packages/agent-skill-config/src/index.ts"() {
     "use strict";
     init_configs3();
@@ -38102,7 +38001,7 @@ var init_skill = __esm({
   "src/cli/commands/skill.ts"() {
     "use strict";
     init_src4();
-    init_src12();
+    init_src13();
     init_shared();
     init_command_not_found();
     DEFAULT_SKILL_AGENT = "claude-code";
@@ -38696,7 +38595,7 @@ var init_models = __esm({
 });
 
 // src/cli/commands/pipeline.ts
-import path24 from "node:path";
+import path23 from "node:path";
 import { readFile as readFile6, stat as stat5 } from "node:fs/promises";
 import { fileURLToPath as fileURLToPath4 } from "node:url";
 function formatDuration(ms) {
@@ -38728,11 +38627,11 @@ function resolveMaxRuns(value) {
   return parsed;
 }
 function resolvePipelinePaths(scope, cwd, homeDir) {
-  const rootPath = scope === "global" ? path24.join(homeDir, ".poe-code", "pipeline") : path24.join(cwd, ".poe-code", "pipeline");
+  const rootPath = scope === "global" ? path23.join(homeDir, ".poe-code", "pipeline") : path23.join(cwd, ".poe-code", "pipeline");
   const displayRoot = scope === "global" ? "~/.poe-code/pipeline" : ".poe-code/pipeline";
   return {
-    plansPath: path24.join(rootPath, "plans"),
-    stepsPath: path24.join(rootPath, "steps.yaml"),
+    plansPath: path23.join(rootPath, "plans"),
+    stepsPath: path23.join(rootPath, "steps.yaml"),
     displayPlansPath: `${displayRoot}/plans`,
     displayStepsPath: `${displayRoot}/steps.yaml`
   };
@@ -38743,16 +38642,16 @@ async function loadPipelineTemplates() {
   }
   const packageRoot = await findPackageRoot(fileURLToPath4(import.meta.url));
   const templateRoots = [
-    path24.join(packageRoot, "src", "templates", "pipeline"),
-    path24.join(packageRoot, "dist", "templates", "pipeline")
+    path23.join(packageRoot, "src", "templates", "pipeline"),
+    path23.join(packageRoot, "dist", "templates", "pipeline")
   ];
   for (const templateRoot of templateRoots) {
     if (!await pathExistsOnDisk(templateRoot)) {
       continue;
     }
     const [skillPlan, steps] = await Promise.all([
-      readFile6(path24.join(templateRoot, "SKILL_plan.md"), "utf8"),
-      readFile6(path24.join(templateRoot, "steps.yaml.hbs"), "utf8")
+      readFile6(path23.join(templateRoot, "SKILL_plan.md"), "utf8"),
+      readFile6(path23.join(templateRoot, "steps.yaml.hbs"), "utf8")
     ]);
     pipelineTemplatesCache = { skillPlan, steps };
     return pipelineTemplatesCache;
@@ -38771,12 +38670,12 @@ async function pathExistsOnDisk(targetPath) {
   }
 }
 async function findPackageRoot(entryFilePath) {
-  let currentPath = path24.dirname(entryFilePath);
+  let currentPath = path23.dirname(entryFilePath);
   while (true) {
-    if (await pathExistsOnDisk(path24.join(currentPath, "package.json"))) {
+    if (await pathExistsOnDisk(path23.join(currentPath, "package.json"))) {
       return currentPath;
     }
-    const parentPath = path24.dirname(currentPath);
+    const parentPath = path23.dirname(currentPath);
     if (parentPath === currentPath) {
       throw new Error("Unable to locate package root for Pipeline templates.");
     }
@@ -39054,7 +38953,7 @@ function registerPipelineCommand(program, container) {
           `Would ${stepsExists ? "overwrite" : "create"}: ${pipelinePaths.displayStepsPath}`
         );
       } else {
-        await container.fs.mkdir(path24.dirname(pipelinePaths.stepsPath), {
+        await container.fs.mkdir(path23.dirname(pipelinePaths.stepsPath), {
           recursive: true
         });
         await container.fs.writeFile(pipelinePaths.stepsPath, templates.steps, {
@@ -39079,7 +38978,7 @@ var init_pipeline4 = __esm({
     "use strict";
     init_src4();
     init_src3();
-    init_src12();
+    init_src13();
     init_errors();
     init_shared();
     await init_pipeline2();
@@ -39096,7 +38995,7 @@ var init_package = __esm({
   "package.json"() {
     package_default = {
       name: "poe-code",
-      version: "3.0.99",
+      version: "3.0.100",
       description: "CLI tool to configure Poe API for developer workflows.",
       type: "module",
       main: "./dist/index.js",
@@ -39180,7 +39079,8 @@ var init_package = __esm({
       devDependencies: {
         "@eslint/js": "^9.0.0",
         "@modelcontextprotocol/sdk": "^1.26.0",
-        "@poe-code/poe-auth": "*",
+        "auth-store": "*",
+        "poe-oauth": "*",
         "@poe-code/agent-spawn": "*",
         "@poe-code/config-mutations": "*",
         "@poe-code/design-system": "*",
@@ -39518,8 +39418,8 @@ var init_program = __esm({
     await init_spawn4();
     await init_research2();
     init_wrap();
-    init_login2();
-    init_logout2();
+    init_login();
+    init_logout();
     init_auth();
     init_install();
     init_unconfigure();
@@ -39622,16 +39522,16 @@ __export(bootstrap_exports, {
   createCliMain: () => createCliMain,
   isCliInvocation: () => isCliInvocation
 });
-import * as nodeFs2 from "node:fs/promises";
+import * as nodeFs from "node:fs/promises";
 import * as nodeFsSync3 from "node:fs";
 import { realpathSync } from "node:fs";
-import { homedir as homedir6 } from "node:os";
+import { homedir as homedir5 } from "node:os";
 import { pathToFileURL as pathToFileURL2 } from "node:url";
 import { join as join2 } from "node:path";
 import chalk13 from "chalk";
 function createCliMain(programFactory) {
   return async function runCli() {
-    const homeDir = homedir6();
+    const homeDir = homedir5();
     const logDir = join2(homeDir, ".poe-code", "logs");
     const promptRunner = createPromptRunner();
     const shouldLogToStderr = process.env.POE_CODE_STDERR_LOGS === "1" || process.env.POE_CODE_STDERR_LOGS === "true";
@@ -39697,7 +39597,7 @@ var init_bootstrap = __esm({
     init_error_logger();
     init_errors();
     init_prompt_runner();
-    fsAdapter = nodeFs2;
+    fsAdapter = nodeFs;
   }
 });
 
@@ -39812,7 +39712,7 @@ init_src5();
 init_src4();
 init_constants();
 init_errors();
-import path17 from "node:path";
+import path16 from "node:path";
 import { Command } from "commander";
 function parseMcpSpawnConfig(input) {
   if (!input) {
@@ -39883,10 +39783,10 @@ function resolveWorkingDirectory(baseDir, candidate) {
   if (!candidate || candidate.trim().length === 0) {
     return void 0;
   }
-  if (path17.isAbsolute(candidate)) {
+  if (path16.isAbsolute(candidate)) {
     return candidate;
   }
-  return path17.resolve(baseDir, candidate);
+  return path16.resolve(baseDir, candidate);
 }
 function createPoeAgentProgram() {
   const program = new Command();