duplocloud
diff --git a/‎.github/workflows/dev-check.yml
+1 b/‎.github/workflows/dev-check.yml
+1
diff --git a/‎LICENSE
+2-2 b/‎LICENSE
+2-2
diff --git a/‎README.md
+38-53 b/‎README.md
+38-53
diff --git a/‎cmd/duplo-jit/main.go
+42-19 b/‎cmd/duplo-jit/main.go
+42-19
@@ -24,6 +24,7 @@ jobs:
         uses: golangci/golangci-lint-action@v6
         with:
           only-new-issues: true  # Only show new issues for pull requests.
+          args: --timeout 2m
   format:
     runs-on: ubuntu-latest
     steps:
 
@@ -2,7 +2,7 @@ LICENSE
 
 MIT License
 
-Copyright © 2022 DuploCloud, Inc. 
+Copyright © 2025 DuploCloud, Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
@@ -20,4 +20,4 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+SOFTWARE.
@@ -1,4 +1,5 @@
 # duplo-jit
+
 Command-line tools for JIT Duplo, AWS and Kubernetes access
 
 ## Installation
@@ -23,15 +24,15 @@ This tool is intended to be used in your `~/.aws/config`.  It provides just-in-t
 
 Example `~/.aws/config` for admin access to Duplo:
 
-```
+```ini
 [profile myduplo-admin]
 region=us-west-2
 credential_process=duplo-jit aws --admin --host https://MY-DUPLO-HOSTNAME.duplocloud.net --interactive
 ```
 
 Example `~/.aws/config` for tenant-level access to Duplo:
 
-```
+```ini
 [profile myduplo-tenant]
 region=us-west-2
 credential_process=duplo-jit aws --tenant MY-TENANT-NAME --host https://MY-DUPLO-HOSTNAME.duplocloud.net --interactive
@@ -44,89 +45,73 @@ credential_process=duplo-jit aws --tenant MY-TENANT-NAME --host https://MY-DUPLO
 ```
 Usage of duplo-jit:
   -admin
-    	Get admin credentials
+        Get admin credentials
+  -api-host string
+        Specify an alternate DuploCloud API base URL if it differs from the UI host (defaults to the value of --host if omitted)
   -debug
-    	Turn on verbose (debugging) output
+        Turn on verbose (debugging) output
   -duplo-ops
-    	Get Duplo operations credentials
+        Get Duplo operations credentials
   -host string
-    	Duplo API base URL
+        DuploCloud base URL
   -interactive
-    	Allow getting Duplo credentials via an interactive browser session
-  -port
-    	Allow choosing a port for the interactive browser session. Default is random
+        Allow getting Duplo credentials via an interactive browser session
   -no-cache
-    	Disable caching (not recommended)
+        Disable caching (not recommended)
+  -port int
+        Port to use for the local web server
   -tenant string
-    	Get credentials for the given tenant
+        Get credentials for the given tenant
   -token string
-    	Duplo API token
+        DuploCloud API token
   -version
-    	Output version information and exit
+        Output version information and exit
 ```
 
 ### duplo-jit duplo --help
 
 ```
 Usage of duplo-jit:
+  -api-host string
+        Specify an alternate DuploCloud API base URL if it differs from the UI host (defaults to the value of --host if omitted)
   -debug
-    	Turn on verbose (debugging) output
+        Turn on verbose (debugging) output
   -host string
-    	Duplo API base URL
+        DuploCloud base URL
   -interactive
-    	Allow getting Duplo credentials via an interactive browser session
-  -port
-    	Allow choosing a port for the interactive browser session. Default is random
+        Allow getting Duplo credentials via an interactive browser session
   -no-cache
-    	Disable caching (not recommended)
+        Disable caching (not recommended)
+  -port int
+        Port to use for the local web server
   -token string
-    	Duplo API token
+        DuploCloud API token
   -version
-    	Output version information and exit
+        Output version information and exit
 ```
 
 ### duplo-jit k8s --help
 
 ```
 Usage of duplo-jit:
+  -api-host string
+        Specify an alternate DuploCloud API base URL if it differs from the UI host (defaults to the value of --host if omitted)
   -debug
-    	Turn on verbose (debugging) output
+        Turn on verbose (debugging) output
   -host string
-    	Duplo API base URL
+        DuploCloud base URL
   -interactive
-    	Allow getting Duplo credentials via an interactive browser session
+        Allow getting Duplo credentials via an interactive browser session
   -no-cache
-    	Disable caching (not recommended)
+        Disable caching (not recommended)
   -plan string
-    	Get credentials for the given plan
-  -tenant string
-    	Get credentials for the given tenant
-  -token string
-    	Duplo API token
-  -version
-    	Output version information and exit
-```
-
-## Deprecated: duplo-aws-credential-process --help
-
-```
-Usage of duplo-aws-credential-process:
-  -admin
-    	Get admin credentials
-  -debug
-    	Turn on verbose (debugging) output
-  -duplo-ops
-    	Get Duplo operations credentials
-  -host string
-    	Duplo API base URL
-  -interactive
-    	Allow getting Duplo credentials via an interactive browser session
-  -no-cache
-    	Disable caching (not recommended)
+        Get credentials for the given plan
+  -port int
+        Port to use for the local web server
   -tenant string
-    	Get credentials for the given tenant
+        Get credentials for the given tenant
   -token string
-    	Duplo API token
+        DuploCloud API token
   -version
-    	Output version information and exit
+        Output version information and exit
 ```
@@ -26,13 +26,14 @@ func main() {
 	log.SetOutput(os.Stderr)
 
 	// Common command-line arguments.
-	host := flag.String("host", "", "Duplo API base URL")
-	token := flag.String("token", "", "Duplo API token")
+	host := flag.String("host", "", "DuploCloud base URL")
+	token := flag.String("token", "", "DuploCloud API token")
 	debug := flag.Bool("debug", false, "Turn on verbose (debugging) output")
 	noCache := flag.Bool("no-cache", false, "Disable caching (not recommended)")
 	interactive := flag.Bool("interactive", false, "Allow getting Duplo credentials via an interactive browser session")
 	port := flag.Int("port", 0, "Port to use for the local web server")
 	showVersion := flag.Bool("version", false, "Output version information and exit")
+	apiHost := flag.String("api-host", "", "Specify an alternate DuploCloud API base URL if it differs from the UI host (defaults to the value of --host if omitted)")
 	admin = new(bool)
 	duploOps = new(bool)
 
@@ -76,13 +77,35 @@ func main() {
 		os.Exit(1)
 	}
 
-	// Refuse to call APIs over anything but https://
-	// Trim a trailing slash.
-	if host == nil || !strings.HasPrefix(*host, "https://") {
-		log.Fatalf("%s: %s", os.Args[0], "--host must be present and start with https://")
+	// Validate the host.
+	const fatalFmt = "%s: %s"
+	if *host == "" {
+		log.Fatalf(fatalFmt, os.Args[0], "--host must be present")
+	} else if strings.HasPrefix(*host, "http://localhost") {
+		fmt.Fprintf(os.Stderr, "Using developer host %s\n", *host)
+	} else if !strings.HasPrefix(*host, "https://") {
+		// Refuse to call APIs over anything but https://
+		log.Fatalf(fatalFmt, os.Args[0], "--host must start with https://")
 	}
+
+	// Trim a trailing slash.
 	*host = strings.TrimSuffix(*host, "/")
 
+	// Validate the api-host if provided.
+	if *apiHost != "" {
+		if strings.HasPrefix(*apiHost, "http://localhost") {
+			fmt.Printf("Using developer api-host %s\n", *apiHost)
+		} else if !strings.HasPrefix(*apiHost, "https://") {
+			// Refuse to call APIs over anything but https://
+			log.Fatalf(fatalFmt, os.Args[0], "--api-host must start with https://")
+		}
+		// Trim a trailing slash.
+		*apiHost = strings.TrimSuffix(*apiHost, "/")
+	} else {
+		// By default, the api host is the same as the UI host.
+		apiHost = host
+	}
+
 	// Possibly enable debugging
 	if *debug {
 		duplocloud.LogLevel = duplocloud.TRACE
@@ -92,21 +115,22 @@ func main() {
 	internal.MustInitCache("duplo-jit", *noCache)
 
 	// Get AWS credentials and output them
+	cacheKey := internal.GetHostCacheKey(*host)
+
 	switch cmd {
 	case "aws":
 		var creds *internal.AwsConfigOutput
-		var cacheKey string
 		if *admin {
 
 			// Build the cache key
-			cacheKey = strings.Join([]string{strings.TrimPrefix(*host, "https://"), "admin"}, ",")
+			cacheKey = strings.Join([]string{cacheKey, "admin"}, ",")
 
 			// Try to find credentials from the cache.
 			creds = internal.CacheGetAwsConfigOutput(cacheKey)
 
 			// Otherwise, get the credentials from Duplo.
 			if creds == nil {
-				client, _ := internal.MustDuploClient(*host, *token, *interactive, true, *port)
+				client, _ := internal.MustDuploClient(*host, *apiHost, *token, *interactive, true, *port)
 				result, err := client.AdminGetJitAwsCredentials()
 				internal.DieIf(err, "failed to get credentials")
 				creds = internal.ConvertAwsCreds(result)
@@ -115,14 +139,14 @@ func main() {
 		} else if *duploOps {
 
 			// Build the cache key
-			cacheKey = strings.Join([]string{strings.TrimPrefix(*host, "https://"), "duplo-ops"}, ",")
+			cacheKey = strings.Join([]string{cacheKey, "duplo-ops"}, ",")
 
 			// Try to find credentials from the cache.
 			creds = internal.CacheGetAwsConfigOutput(cacheKey)
 
 			// Otherwise, get the credentials from Duplo.
 			if creds == nil {
-				client, _ := internal.MustDuploClient(*host, *token, *interactive, true, *port)
+				client, _ := internal.MustDuploClient(*host, *apiHost, *token, *interactive, true, *port)
 				result, err := client.AdminAwsGetJitAccess("duplo-ops")
 				internal.DieIf(err, "failed to get credentials")
 				creds = internal.ConvertAwsCreds(result)
@@ -137,11 +161,11 @@ func main() {
 
 			// Identify the tenant name to use for the cache key.
 			var tenantName string
-			client, _ := internal.MustDuploClient(*host, *token, *interactive, false, *port)
+			client, _ := internal.MustDuploClient(*host, *apiHost, *token, *interactive, false, *port)
 			*tenantID, tenantName = getTenantIDAndName(*tenantID, client)
 
 			// Build the cache key.
-			cacheKey = strings.Join([]string{strings.TrimPrefix(*host, "https://"), "tenant", tenantName}, ",")
+			cacheKey = strings.Join([]string{cacheKey, "tenant", tenantName}, ",")
 
 			// Try to find credentials from the cache.
 			creds = internal.CacheGetAwsConfigOutput(cacheKey)
@@ -159,23 +183,22 @@ func main() {
 		internal.OutputAwsCreds(creds, cacheKey)
 
 	case "duplo":
-		_, creds := internal.MustDuploClient(*host, *token, *interactive, true, *port)
+		_, creds := internal.MustDuploClient(*host, *apiHost, *token, *interactive, true, *port)
 		internal.OutputDuploCreds(creds)
 
 	case "k8s":
 		var creds *clientauthv1beta1.ExecCredential
-		var cacheKey string
 		if planID != nil && *planID != "" {
 
 			// Build the cache key
-			cacheKey = strings.Join([]string{strings.TrimPrefix(*host, "https://"), "plan", *planID}, ",")
+			cacheKey = strings.Join([]string{cacheKey, "plan", *planID}, ",")
 
 			// Try to find credentials from the cache.
 			creds = internal.CacheGetK8sConfigOutput(cacheKey, "")
 
 			// Otherwise, get the credentials from Duplo.
 			if creds == nil {
-				client, _ := internal.MustDuploClient(*host, *token, *interactive, true, *port)
+				client, _ := internal.MustDuploClient(*host, *apiHost, *token, *interactive, true, *port)
 				result, err := client.AdminGetK8sJitAccess(*planID)
 				internal.DieIf(err, "failed to get credentials")
 				creds = internal.ConvertK8sCreds(result)
@@ -190,11 +213,11 @@ func main() {
 
 			// Identify the tenant name to use for the cache key.
 			var tenantName string
-			client, _ := internal.MustDuploClient(*host, *token, *interactive, false, *port)
+			client, _ := internal.MustDuploClient(*host, *apiHost, *token, *interactive, false, *port)
 			*tenantID, tenantName = getTenantIDAndName(*tenantID, client)
 
 			// Build the cache key.
-			cacheKey = strings.Join([]string{strings.TrimPrefix(*host, "https://"), "tenant", tenantName}, ",")
+			cacheKey = strings.Join([]string{cacheKey, "tenant", tenantName}, ",")
 
 			// Try to find credentials from the cache.
 			creds = internal.CacheGetK8sConfigOutput(cacheKey, tenantName)