salesprompter-cli 0.1.19 → 0.1.20

package/dist/linkedin-session.js

@@ -0,0 +1,751 @@
+import { createCipheriv, createDecipheriv, createHash, randomBytes } from "node:crypto";
+import { existsSync, readFileSync } from "node:fs";
+import { dirname, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+import { createClient } from "@supabase/supabase-js";
+const COOKIE_VAULT_KEY_CONTEXT = "salesprompter:linkedin-session-cookie:v1";
+const AES_256_KEY_BYTES = 32;
+const REQUEST_TIMEOUT_MS = 20_000;
+const DEFAULT_USER_AGENT = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36";
+const MAX_COOKIE_VALIDATION_ATTEMPTS = 8;
+const COOKIE_VALIDATION_TIMEOUT_MS = 75_000;
+const COOKIE_PROBE_TIMEOUT_MS = 8_000;
+const DEFAULT_EXCLUDED_LINKEDIN_SESSION_USER_EMAILS = ["hello@danielsinewe.com"];
+const DEFAULT_EXCLUDED_LINKEDIN_SESSION_USER_HANDLES = ["danielsinewe"];
+const ACTIVE_LINKEDIN_SESSION_LOOKBACK_HOURS = 72;
+const MAX_RECOVERABLE_LINKEDIN_SESSION_CANDIDATES = 12;
+const RECOVERABLE_LINKEDIN_SESSION_INACTIVE_REASON_PREFIX = "quarantined_browser_unverified";
+const ENV_FILE_PATHS = [
+    resolve(dirname(fileURLToPath(import.meta.url)), "..", ".env.local"),
+    resolve(dirname(fileURLToPath(import.meta.url)), "..", ".env"),
+    resolve(dirname(fileURLToPath(import.meta.url)), "..", "..", "salesprompter-app", ".env.local"),
+    resolve(dirname(fileURLToPath(import.meta.url)), "..", "..", "salesprompter-app", ".env.vercel.local")
+];
+const envFileCache = new Map();
+function normalizeSessionCookie(sessionCookie) {
+    const trimmed = sessionCookie?.trim() || "";
+    return trimmed.length > 0 ? trimmed : null;
+}
+function normalizeIdentityValue(value) {
+    const trimmed = value?.trim().toLowerCase() || "";
+    return trimmed.length > 0 ? trimmed : null;
+}
+function dedupeIdentityValues(values) {
+    return Array.from(new Set(values
+        .map((value) => normalizeIdentityValue(value))
+        .filter((value) => Boolean(value))));
+}
+function parseIdentityEnvList(value) {
+    return dedupeIdentityValues((value || "").split(","));
+}
+function parseDotEnvFile(filePath) {
+    if (envFileCache.has(filePath)) {
+        return envFileCache.get(filePath);
+    }
+    const parsed = new Map();
+    if (existsSync(filePath)) {
+        const content = readFileSync(filePath, "utf8");
+        for (const line of content.split(/\r?\n/)) {
+            const trimmed = line.trim();
+            if (trimmed.length === 0 || trimmed.startsWith("#")) {
+                continue;
+            }
+            const separatorIndex = trimmed.indexOf("=");
+            if (separatorIndex <= 0) {
+                continue;
+            }
+            const key = trimmed.slice(0, separatorIndex).trim();
+            let value = trimmed.slice(separatorIndex + 1).trim();
+            if ((value.startsWith('"') && value.endsWith('"')) ||
+                (value.startsWith("'") && value.endsWith("'"))) {
+                value = value.slice(1, -1);
+            }
+            if (key.length > 0 && value.length > 0) {
+                parsed.set(key, value);
+            }
+        }
+    }
+    envFileCache.set(filePath, parsed);
+    return parsed;
+}
+function resolveConfiguredEnvValue(env, key) {
+    const directValue = env[key]?.trim() || "";
+    if (directValue.length > 0) {
+        return directValue;
+    }
+    if (env !== process.env) {
+        return null;
+    }
+    for (const filePath of ENV_FILE_PATHS) {
+        const parsed = parseDotEnvFile(filePath);
+        const value = parsed.get(key)?.trim() || "";
+        if (value.length > 0) {
+            return value;
+        }
+    }
+    return null;
+}
+function isTruthySetting(value) {
+    return ["1", "true", "on", "yes"].includes(value?.trim().toLowerCase() || "");
+}
+function isFalsySetting(value) {
+    return ["0", "false", "off", "no"].includes(value?.trim().toLowerCase() || "");
+}
+export function resolveCliLinkedInSessionExclusions(env = process.env) {
+    return {
+        userEmails: dedupeIdentityValues([
+            ...DEFAULT_EXCLUDED_LINKEDIN_SESSION_USER_EMAILS,
+            ...parseIdentityEnvList(resolveConfiguredEnvValue(env, "SALESPROMPTER_LINKEDIN_SESSION_EXCLUDED_EMAILS"))
+        ]),
+        userHandles: dedupeIdentityValues([
+            ...DEFAULT_EXCLUDED_LINKEDIN_SESSION_USER_HANDLES,
+            ...parseIdentityEnvList(resolveConfiguredEnvValue(env, "SALESPROMPTER_LINKEDIN_SESSION_EXCLUDED_HANDLES"))
+        ])
+    };
+}
+function isExcludedLinkedInSessionIdentity(identity, exclusions) {
+    const normalizedEmail = normalizeIdentityValue(identity.userEmail);
+    if (normalizedEmail && exclusions.userEmails.includes(normalizedEmail)) {
+        return true;
+    }
+    const normalizedHandle = normalizeIdentityValue(identity.userHandle);
+    return Boolean(normalizedHandle && exclusions.userHandles.includes(normalizedHandle));
+}
+function getCookieVaultKey(env = process.env) {
+    const secret = resolveConfiguredEnvValue(env, "LINKEDIN_SESSION_COOKIE_ENCRYPTION_KEY") ||
+        resolveConfiguredEnvValue(env, "EXTENSION_AUTH_SECRET") ||
+        resolveConfiguredEnvValue(env, "CLERK_SECRET_KEY") ||
+        null;
+    if (!secret) {
+        return null;
+    }
+    return createHash("sha256")
+        .update(`${COOKIE_VAULT_KEY_CONTEXT}:${secret}`)
+        .digest()
+        .subarray(0, AES_256_KEY_BYTES);
+}
+export function sessionCookieHash(sessionCookie) {
+    const normalized = normalizeSessionCookie(sessionCookie);
+    if (!normalized) {
+        return null;
+    }
+    return createHash("sha256").update(normalized).digest("hex");
+}
+export function encryptLinkedInSessionCookie(sessionCookie, env = process.env) {
+    const normalized = normalizeSessionCookie(sessionCookie);
+    const key = getCookieVaultKey(env);
+    if (!normalized || !key) {
+        return null;
+    }
+    const iv = randomBytes(12);
+    const cipher = createCipheriv("aes-256-gcm", key, iv);
+    const ciphertext = Buffer.concat([cipher.update(normalized, "utf8"), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    return {
+        sessionCookieSha256: sessionCookieHash(normalized),
+        sessionCookieCiphertext: ciphertext.toString("base64url"),
+        sessionCookieIv: iv.toString("base64url"),
+        sessionCookieAuthTag: authTag.toString("base64url")
+    };
+}
+export function decryptLinkedInSessionCookie(record, env = process.env) {
+    if (!record) {
+        return null;
+    }
+    const key = getCookieVaultKey(env);
+    if (!key) {
+        return null;
+    }
+    const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(record.sessionCookieIv, "base64url"));
+    decipher.setAuthTag(Buffer.from(record.sessionCookieAuthTag, "base64url"));
+    const plaintext = Buffer.concat([
+        decipher.update(Buffer.from(record.sessionCookieCiphertext, "base64url")),
+        decipher.final()
+    ]).toString("utf8");
+    return normalizeSessionCookie(plaintext);
+}
+export function resolveCliLinkedInSessionConfig(env = process.env) {
+    const manageSessionsSetting = resolveConfiguredEnvValue(env, "SALESPROMPTER_CLI_MANAGE_LINKEDIN_SESSIONS");
+    const explicitEnable = isTruthySetting(manageSessionsSetting);
+    const explicitDisable = isFalsySetting(manageSessionsSetting);
+    const autoEnable = !manageSessionsSetting;
+    if (explicitDisable || (!explicitEnable && !autoEnable)) {
+        return null;
+    }
+    const supabaseUrl = resolveConfiguredEnvValue(env, "SALESPROMPTER_SUPABASE_URL") ||
+        resolveConfiguredEnvValue(env, "NEXT_PUBLIC_SUPABASE_URL") ||
+        "";
+    const supabaseServiceRoleKey = resolveConfiguredEnvValue(env, "SUPABASE_SERVICE_ROLE_KEY") || "";
+    const hasVaultKey = Boolean(getCookieVaultKey(env));
+    const missing = [];
+    if (!supabaseUrl) {
+        missing.push("SALESPROMPTER_SUPABASE_URL or NEXT_PUBLIC_SUPABASE_URL");
+    }
+    if (!supabaseServiceRoleKey) {
+        missing.push("SUPABASE_SERVICE_ROLE_KEY");
+    }
+    if (!hasVaultKey) {
+        missing.push("LINKEDIN_SESSION_COOKIE_ENCRYPTION_KEY or EXTENSION_AUTH_SECRET or CLERK_SECRET_KEY");
+    }
+    if (missing.length > 0) {
+        if (!explicitEnable) {
+            return null;
+        }
+        throw new Error(`CLI-managed LinkedIn session rotation is enabled, but required configuration is missing: ${missing.join(", ")}. Disable SALESPROMPTER_CLI_MANAGE_LINKEDIN_SESSIONS to use the app-managed export path instead.`);
+    }
+    return {
+        supabaseUrl,
+        supabaseServiceRoleKey
+    };
+}
+export function createLinkedInSessionSupabaseClient(env = process.env) {
+    const config = resolveCliLinkedInSessionConfig(env);
+    if (!config) {
+        return null;
+    }
+    return createClient(config.supabaseUrl, config.supabaseServiceRoleKey, {
+        auth: { persistSession: false }
+    });
+}
+export async function recordLinkedInSessionCookieAudit(supabase, input) {
+    const checkedAt = input.checkedAt || new Date().toISOString();
+    const updateResult = await supabase
+        .from("linkedin_session_cookies")
+        .update({
+        is_active: input.isActive,
+        inactive_reason: input.inactiveReason ?? null,
+        last_validation_at: checkedAt,
+        last_validation_status: input.isActive ? "active" : "inactive",
+        last_feed_status: input.feedStatus,
+        last_sales_navigator_status: input.salesNavigatorStatus,
+        last_recruiter_status: input.recruiterStatus,
+        last_product_class: input.productClass,
+        last_validation_error: input.validationError ?? null,
+        last_validation_details: input.details ?? {}
+    })
+        .eq("session_cookie_sha256", input.sessionCookieSha256);
+    if (updateResult.error) {
+        throw new Error(`Failed to update LinkedIn session cookie status: ${updateResult.error.message}`);
+    }
+    const insertResult = await supabase.from("linkedin_session_cookie_checks").insert({
+        session_cookie_sha256: input.sessionCookieSha256,
+        checked_at: checkedAt,
+        source: input.source,
+        is_active: input.isActive,
+        inactive_reason: input.inactiveReason ?? null,
+        feed_status: input.feedStatus,
+        sales_navigator_status: input.salesNavigatorStatus,
+        recruiter_status: input.recruiterStatus,
+        product_class: input.productClass,
+        validation_error: input.validationError ?? null,
+        details: input.details ?? {}
+    });
+    if (insertResult.error) {
+        throw new Error(`Failed to insert LinkedIn session cookie audit row: ${insertResult.error.message}`);
+    }
+}
+function lookbackThresholdIso(hours) {
+    return new Date(Date.now() - hours * 60 * 60 * 1000).toISOString();
+}
+function normalizeCandidateSelectionError(error) {
+    return error instanceof Error ? error.message : String(error);
+}
+async function listLinkedInSessionCookieCandidates(supabase, options) {
+    const query = supabase
+        .from("linkedin_session_cookies")
+        .select([
+        "session_cookie_sha256",
+        "session_cookie_ciphertext",
+        "session_cookie_iv",
+        "session_cookie_auth_tag",
+        "last_user_email",
+        "last_user_handle",
+        "is_active",
+        "inactive_reason",
+        "last_validation_at",
+        "last_selected_at"
+    ].join(","))
+        .eq("last_product_class", "sales_navigator")
+        .eq("last_sales_navigator_status", "ok")
+        .not("last_validation_at", "is", null)
+        .gte("last_validation_at", lookbackThresholdIso(ACTIVE_LINKEDIN_SESSION_LOOKBACK_HOURS))
+        .order("last_selected_at", { ascending: true, nullsFirst: true })
+        .order("last_validation_at", { ascending: false })
+        .limit(options.limit ?? MAX_RECOVERABLE_LINKEDIN_SESSION_CANDIDATES);
+    const filteredQuery = options.activeOnly
+        ? query.eq("is_active", true)
+        : query
+            .eq("is_active", false)
+            .like("inactive_reason", `${RECOVERABLE_LINKEDIN_SESSION_INACTIVE_REASON_PREFIX}%`);
+    const result = await filteredQuery;
+    if (result.error) {
+        throw new Error(`Failed to query LinkedIn session cookie candidates: ${result.error.message}`);
+    }
+    const rows = (result.data ?? []);
+    return rows.filter((row) => !isExcludedLinkedInSessionIdentity({
+        userEmail: row.last_user_email ?? null,
+        userHandle: row.last_user_handle ?? null
+    }, options.exclusions));
+}
+async function buildClaimedLinkedInSessionCookieFromRow(supabase, row, source, exclusions, options) {
+    const claimedIdentity = {
+        userEmail: row.last_user_email ?? null,
+        userHandle: row.last_user_handle ?? null
+    };
+    if (isExcludedLinkedInSessionIdentity(claimedIdentity, exclusions)) {
+        await recordLinkedInSessionCookieAudit(supabase, {
+            sessionCookieSha256: row.session_cookie_sha256,
+            source: `${source}_excluded_identity`,
+            feedStatus: null,
+            salesNavigatorStatus: "ok",
+            recruiterStatus: null,
+            productClass: "sales_navigator",
+            isActive: true,
+            inactiveReason: null,
+            validationError: "excluded_linkedin_session_identity",
+            details: {
+                userEmail: claimedIdentity.userEmail,
+                userHandle: claimedIdentity.userHandle,
+                excludedUserEmails: exclusions.userEmails,
+                excludedUserHandles: exclusions.userHandles,
+                claimStrategy: options?.claimStrategy ?? null
+            }
+        });
+        return null;
+    }
+    try {
+        const sessionCookie = decryptLinkedInSessionCookie({
+            sessionCookieSha256: row.session_cookie_sha256,
+            sessionCookieCiphertext: row.session_cookie_ciphertext,
+            sessionCookieIv: row.session_cookie_iv,
+            sessionCookieAuthTag: row.session_cookie_auth_tag
+        }, options?.env ?? process.env);
+        if (!sessionCookie) {
+            throw new Error("Claimed LinkedIn session cookie could not be decrypted");
+        }
+        return {
+            sessionCookieSha256: row.session_cookie_sha256,
+            sessionCookie,
+            userEmail: claimedIdentity.userEmail,
+            userHandle: claimedIdentity.userHandle,
+            claimStrategy: options?.claimStrategy,
+            previousInactiveReason: row.inactive_reason ?? null
+        };
+    }
+    catch (error) {
+        await recordLinkedInSessionCookieAudit(supabase, {
+            sessionCookieSha256: row.session_cookie_sha256,
+            source: `${source}_decrypt_failure`,
+            feedStatus: null,
+            salesNavigatorStatus: "error",
+            recruiterStatus: null,
+            productClass: null,
+            isActive: false,
+            inactiveReason: "decrypt_failed",
+            validationError: error instanceof Error ? error.message : String(error),
+            details: {
+                userEmail: claimedIdentity.userEmail,
+                userHandle: claimedIdentity.userHandle,
+                claimStrategy: options?.claimStrategy ?? null
+            }
+        });
+        return null;
+    }
+}
+async function claimLinkedInSessionCookieFromCandidates(supabase, source, exclusions, options) {
+    const candidates = await listLinkedInSessionCookieCandidates(supabase, {
+        activeOnly: options.activeOnly,
+        exclusions
+    });
+    for (const candidate of candidates) {
+        const claimed = await buildClaimedLinkedInSessionCookieFromRow(supabase, candidate, source, exclusions, {
+            claimStrategy: options.claimStrategy,
+            env: options.env
+        });
+        if (claimed) {
+            return claimed;
+        }
+    }
+    return null;
+}
+export async function claimActiveLinkedInSessionCookie(supabase, source, env = process.env) {
+    if (typeof supabase.rpc !== "function") {
+        throw new Error("Supabase client does not support RPC");
+    }
+    const exclusions = resolveCliLinkedInSessionExclusions(env);
+    let lastClaimError = null;
+    for (let attempt = 0; attempt < 10; attempt += 1) {
+        try {
+            const result = await supabase
+                .rpc("claim_active_linkedin_session_cookie_excluding", {
+                selection_source: source,
+                excluded_user_emails: exclusions.userEmails,
+                excluded_user_handles: exclusions.userHandles
+            })
+                .single();
+            if (result.error) {
+                lastClaimError = result.error.message;
+                break;
+            }
+            const data = result.data;
+            if (!data) {
+                lastClaimError = "No active LinkedIn session cookies available";
+                break;
+            }
+            const claimed = await buildClaimedLinkedInSessionCookieFromRow(supabase, data, source, exclusions, {
+                claimStrategy: "rpc_exclusion_rotation",
+                env
+            });
+            if (claimed) {
+                return claimed;
+            }
+        }
+        catch (error) {
+            lastClaimError = normalizeCandidateSelectionError(error);
+            break;
+        }
+    }
+    const directFallback = await claimLinkedInSessionCookieFromCandidates(supabase, source, exclusions, {
+        activeOnly: true,
+        claimStrategy: "direct_active_fallback",
+        env
+    });
+    if (directFallback) {
+        return directFallback;
+    }
+    if (lastClaimError &&
+        /claim_active_linkedin_session_cookie_excluding/i.test(lastClaimError)) {
+        throw new Error("LinkedIn session exclusion rotation RPC is unavailable. Apply the Salesprompter app migration that adds claim_active_linkedin_session_cookie_excluding before running Sales Navigator exports.");
+    }
+    if (lastClaimError) {
+        throw new Error(`Failed to claim LinkedIn session cookie: ${lastClaimError}`);
+    }
+    throw new Error("No non-excluded decryptable active LinkedIn session cookies available");
+}
+async function claimRecoverableInactiveLinkedInSessionCookie(supabase, source, exclusions, env = process.env, seenCookieHashes) {
+    const candidates = await listLinkedInSessionCookieCandidates(supabase, {
+        activeOnly: false,
+        exclusions
+    });
+    for (const candidate of candidates) {
+        if (seenCookieHashes?.has(candidate.session_cookie_sha256)) {
+            continue;
+        }
+        const claimed = await buildClaimedLinkedInSessionCookieFromRow(supabase, candidate, source, exclusions, {
+            claimStrategy: "recoverable_inactive_fallback",
+            env
+        });
+        if (claimed) {
+            return claimed;
+        }
+    }
+    return null;
+}
+async function describeLinkedInSessionPool(supabase, exclusions) {
+    const result = await supabase
+        .from("linkedin_session_cookies")
+        .select([
+        "last_user_email",
+        "last_user_handle",
+        "is_active",
+        "inactive_reason",
+        "last_validation_at",
+        "last_sales_navigator_status",
+        "last_product_class"
+    ].join(","))
+        .eq("last_product_class", "sales_navigator");
+    if (result.error) {
+        throw new Error(`Failed to inspect LinkedIn session pool: ${result.error.message}`);
+    }
+    const rows = (result.data ?? []).filter((row) => !isExcludedLinkedInSessionIdentity({
+        userEmail: row.last_user_email ?? null,
+        userHandle: row.last_user_handle ?? null
+    }, exclusions));
+    const recentThresholdMs = Date.now() - ACTIVE_LINKEDIN_SESSION_LOOKBACK_HOURS * 60 * 60 * 1000;
+    const recentRows = rows.filter((row) => {
+        if (!row.last_validation_at) {
+            return false;
+        }
+        const timestamp = Date.parse(row.last_validation_at);
+        return Number.isFinite(timestamp) && timestamp >= recentThresholdMs;
+    });
+    const eligibleActive = recentRows.filter((row) => row.is_active === true && row.last_sales_navigator_status === "ok").length;
+    const recoverableInactive = recentRows.filter((row) => row.is_active === false &&
+        row.last_sales_navigator_status === "ok" &&
+        Boolean(row.inactive_reason?.startsWith(RECOVERABLE_LINKEDIN_SESSION_INACTIVE_REASON_PREFIX))).length;
+    const recentStatusBreakdown = recentRows.reduce((accumulator, row) => {
+        const key = row.last_sales_navigator_status ?? "unknown";
+        accumulator[key] = (accumulator[key] ?? 0) + 1;
+        return accumulator;
+    }, {});
+    return {
+        totalNonExcludedSalesNavigatorCookies: rows.length,
+        recentNonExcludedSalesNavigatorCookies: recentRows.length,
+        eligibleActive,
+        recoverableInactive,
+        recentStatusBreakdown
+    };
+}
+async function buildLinkedInSessionPoolDiagnosticsMessage(supabase, exclusions) {
+    try {
+        const summary = await describeLinkedInSessionPool(supabase, exclusions);
+        const breakdown = Object.entries(summary.recentStatusBreakdown)
+            .sort(([left], [right]) => left.localeCompare(right))
+            .map(([status, count]) => `${status}=${count}`)
+            .join(", ");
+        return ` LinkedIn session pool after exclusions: ${summary.totalNonExcludedSalesNavigatorCookies} sales-nav cookies, ${summary.recentNonExcludedSalesNavigatorCookies} recently validated, ${summary.eligibleActive} eligible active, ${summary.recoverableInactive} recoverable inactive${breakdown ? `; recent statuses: ${breakdown}` : ""}.`;
+    }
+    catch (error) {
+        return ` LinkedIn session pool diagnostics unavailable: ${normalizeCandidateSelectionError(error)}.`;
+    }
+}
+function extractTitle(body) {
+    const match = body.match(/<title[^>]*>([^<]+)<\/title>/i);
+    return match ? match[1].trim().replace(/\s+/g, " ") : null;
+}
+function normalizeLiAtCookie(sessionCookie) {
+    const trimmed = sessionCookie.trim();
+    return trimmed.startsWith("li_at=") ? trimmed.slice("li_at=".length) : trimmed;
+}
+function includesAny(value, patterns) {
+    const normalized = value ?? "";
+    return patterns.some((pattern) => pattern.test(normalized));
+}
+function isLoggedOut(result) {
+    return (includesAny(result.finalUrl, [/linkedin\.com\/login/i, /uas\/login/i, /checkpoint\/challenge/i]) ||
+        includesAny(result.title, [/login/i, /sign in/i]) ||
+        includesAny(result.body, [/session has expired/i, /sign in to linkedin/i, /checkpoint\/challenge/i]));
+}
+function isUpsell(result) {
+    return includesAny(result.body, [
+        /unlock sales navigator/i,
+        /find the right prospects/i,
+        /start your free trial/i,
+        /guest_login_sales_nav/i,
+        /premium\/products\/sales/i,
+        /you don'?t have a sales navigator account/i
+    ]);
+}
+function hasSearchEntitlementSignals(result) {
+    const inSalesSurface = includesAny(result.finalUrl, [/\/sales\/search\/people/i, /\/sales\/home/i]);
+    if (!inSalesSurface) {
+        return false;
+    }
+    return (includesAny(result.title, [/sales navigator/i, /lead search/i]) ||
+        includesAny(result.body, [
+            /sales navigator/i,
+            /lead search/i,
+            /saved searches/i,
+            /personas/i,
+            /viewallfilters=true/i,
+            /current job title/i,
+            /company headcount/i,
+            /search keywords/i,
+            /sales\/search\/people/i,
+            /accounts<\/span>/i,
+            /leads<\/span>/i,
+            /messaging<\/span>/i
+        ]));
+}
+export async function fetchHtmlWithSessionCookie(url, sessionCookie, options) {
+    const normalizedSessionCookie = normalizeLiAtCookie(sessionCookie);
+    const redirectChain = [];
+    let currentUrl = url;
+    const seenUrls = new Set([url]);
+    for (let index = 0; index < 5; index += 1) {
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), options?.timeoutMs ?? REQUEST_TIMEOUT_MS);
+        try {
+            const response = await fetch(currentUrl, {
+                method: "GET",
+                redirect: "manual",
+                signal: controller.signal,
+                headers: {
+                    Cookie: `li_at=${normalizedSessionCookie}`,
+                    "User-Agent": options?.userAgent ?? DEFAULT_USER_AGENT,
+                    Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+                    "Accept-Language": "en-US,en;q=0.9",
+                    "Cache-Control": "no-cache",
+                    Pragma: "no-cache"
+                }
+            });
+            clearTimeout(timeout);
+            const location = response.headers.get("location");
+            if (location && [301, 302, 303, 307, 308].includes(response.status)) {
+                const nextUrl = new URL(location, currentUrl).toString();
+                redirectChain.push({
+                    status: response.status,
+                    location: nextUrl
+                });
+                if (seenUrls.has(nextUrl)) {
+                    return {
+                        status: response.status,
+                        finalUrl: nextUrl,
+                        redirectChain,
+                        title: null,
+                        body: "",
+                        error: "redirect_loop"
+                    };
+                }
+                seenUrls.add(nextUrl);
+                currentUrl = nextUrl;
+                continue;
+            }
+            const body = await response.text();
+            return {
+                status: response.status,
+                finalUrl: currentUrl,
+                redirectChain,
+                title: extractTitle(body),
+                body,
+                error: null
+            };
+        }
+        catch (error) {
+            clearTimeout(timeout);
+            return {
+                status: null,
+                finalUrl: currentUrl,
+                redirectChain,
+                title: null,
+                body: "",
+                error: error instanceof Error
+                    ? error.name === "AbortError"
+                        ? "timeout"
+                        : error.message
+                    : String(error)
+            };
+        }
+    }
+    return {
+        status: null,
+        finalUrl: currentUrl,
+        redirectChain,
+        title: null,
+        body: "",
+        error: "too_many_redirects"
+    };
+}
+export async function probeSalesNavigatorSearchSession(sessionCookie, queryUrl, options) {
+    const result = await fetchHtmlWithSessionCookie(queryUrl, sessionCookie, {
+        timeoutMs: options?.timeoutMs
+    });
+    let status = "unknown";
+    if (result.error) {
+        status = "error";
+    }
+    else if (result.status === 999 || result.status === 429) {
+        status = "rate_limited";
+    }
+    else if (isLoggedOut(result)) {
+        status = "logged_out";
+    }
+    else if (isUpsell(result)) {
+        status = "upsell";
+    }
+    else if (hasSearchEntitlementSignals(result)) {
+        status = "ok";
+    }
+    else if (includesAny(result.finalUrl, [/\/sales\//i])) {
+        status = "unknown";
+    }
+    const validationError = status === "ok"
+        ? null
+        : result.error ??
+            (status === "logged_out"
+                ? "linkedin_session_invalid"
+                : status === "upsell"
+                    ? "sales_navigator_upsell_detected"
+                    : status === "rate_limited"
+                        ? "linkedin_rate_limited"
+                        : "sales_navigator_search_probe_failed");
+    return {
+        status,
+        finalUrl: result.finalUrl,
+        title: result.title,
+        redirectChain: result.redirectChain,
+        validationError,
+        details: {
+            statusCode: result.status,
+            error: result.error,
+            redirectCount: result.redirectChain.length,
+            queryUrl
+        }
+    };
+}
+export async function claimValidatedSalesNavigatorSessionCookieForCli(options) {
+    const env = options.env ?? process.env;
+    const supabase = options.supabase ?? createLinkedInSessionSupabaseClient(env);
+    if (!supabase) {
+        return null;
+    }
+    const seenCookieHashes = new Set();
+    const startedAt = Date.now();
+    let lastFailureMessage = null;
+    let attempts = 0;
+    const exclusions = resolveCliLinkedInSessionExclusions(env);
+    for (let attempt = 0; attempt < MAX_COOKIE_VALIDATION_ATTEMPTS; attempt += 1) {
+        if (Date.now() - startedAt >= COOKIE_VALIDATION_TIMEOUT_MS) {
+            break;
+        }
+        let claimedSession = null;
+        let claimErrorMessage = null;
+        try {
+            claimedSession = await claimActiveLinkedInSessionCookie(supabase, options.source, env);
+        }
+        catch (error) {
+            claimErrorMessage = normalizeCandidateSelectionError(error);
+        }
+        if (!claimedSession) {
+            claimedSession = await claimRecoverableInactiveLinkedInSessionCookie(supabase, options.source, exclusions, env, seenCookieHashes);
+        }
+        if (!claimedSession) {
+            lastFailureMessage =
+                claimErrorMessage ?? "No non-excluded decryptable active LinkedIn session cookies available";
+            break;
+        }
+        attempts += 1;
+        if (seenCookieHashes.has(claimedSession.sessionCookieSha256)) {
+            break;
+        }
+        seenCookieHashes.add(claimedSession.sessionCookieSha256);
+        const probe = await probeSalesNavigatorSearchSession(claimedSession.sessionCookie, options.queryUrl, {
+            timeoutMs: COOKIE_PROBE_TIMEOUT_MS
+        });
+        const shouldDeactivate = probe.status === "logged_out" || probe.status === "upsell";
+        await recordLinkedInSessionCookieAudit(supabase, {
+            sessionCookieSha256: claimedSession.sessionCookieSha256,
+            source: `${options.source}_preflight`,
+            feedStatus: null,
+            salesNavigatorStatus: probe.status,
+            recruiterStatus: null,
+            productClass: probe.status === "ok" ? "sales_navigator" : null,
+            isActive: !shouldDeactivate,
+            inactiveReason: shouldDeactivate
+                ? probe.status === "upsell"
+                    ? "salesnav_search_upsell_detected"
+                    : "linkedin_session_invalid"
+                : null,
+            validationError: probe.validationError,
+            details: {
+                attemptNumber: attempts,
+                validationElapsedMs: Date.now() - startedAt,
+                claimStrategy: claimedSession.claimStrategy ?? null,
+                previousInactiveReason: claimedSession.previousInactiveReason ?? null,
+                ...probe.details,
+                finalUrl: probe.finalUrl,
+                title: probe.title,
+                redirectChain: probe.redirectChain.slice(0, 5)
+            }
+        });
+        if (probe.status === "ok") {
+            return claimedSession;
+        }
+        lastFailureMessage =
+            probe.validationError ?? `Sales Navigator search probe returned ${probe.status}`;
+    }
+    const poolDiagnostics = await buildLinkedInSessionPoolDiagnosticsMessage(supabase, exclusions);
+    throw new Error(lastFailureMessage
+        ? `No validated LinkedIn Sales Navigator session cookies available after ${attempts} preflight attempt${attempts === 1 ? "" : "s"}: ${lastFailureMessage}${poolDiagnostics}`
+        : `No validated LinkedIn Sales Navigator session cookies available after ${attempts} preflight attempt${attempts === 1 ? "" : "s"}${poolDiagnostics}`);
+}