@aexol/spectral 0.7.1 → 0.7.5

package/dist/pi/ai/utils/oauth/openai-codex.js

@@ -0,0 +1,384 @@
+/**
+ * OpenAI Codex (ChatGPT OAuth) flow
+ *
+ * NOTE: This module uses Node.js crypto and http for the OAuth callback.
+ * It is only intended for CLI use, not browser environments.
+ */
+// NEVER convert to top-level imports - breaks browser/Vite builds
+let _randomBytes = null;
+let _http = null;
+if (typeof process !== "undefined" && (process.versions?.node || process.versions?.bun)) {
+    import("node:crypto").then((m) => {
+        _randomBytes = m.randomBytes;
+    });
+    import("node:http").then((m) => {
+        _http = m;
+    });
+}
+import { oauthErrorHtml, oauthSuccessHtml } from "./oauth-page.js";
+import { generatePKCE } from "./pkce.js";
+const CALLBACK_HOST = process.env.PI_OAUTH_CALLBACK_HOST || "127.0.0.1";
+const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+const AUTHORIZE_URL = "https://auth.openai.com/oauth/authorize";
+const TOKEN_URL = "https://auth.openai.com/oauth/token";
+const REDIRECT_URI = "http://localhost:1455/auth/callback";
+const SCOPE = "openid profile email offline_access";
+const JWT_CLAIM_PATH = "https://api.openai.com/auth";
+function createState() {
+    if (!_randomBytes) {
+        throw new Error("OpenAI Codex OAuth is only available in Node.js environments");
+    }
+    return _randomBytes(16).toString("hex");
+}
+function parseAuthorizationInput(input) {
+    const value = input.trim();
+    if (!value)
+        return {};
+    try {
+        const url = new URL(value);
+        return {
+            code: url.searchParams.get("code") ?? undefined,
+            state: url.searchParams.get("state") ?? undefined,
+        };
+    }
+    catch {
+        // not a URL
+    }
+    if (value.includes("#")) {
+        const [code, state] = value.split("#", 2);
+        return { code, state };
+    }
+    if (value.includes("code=")) {
+        const params = new URLSearchParams(value);
+        return {
+            code: params.get("code") ?? undefined,
+            state: params.get("state") ?? undefined,
+        };
+    }
+    return { code: value };
+}
+function decodeJwt(token) {
+    try {
+        const parts = token.split(".");
+        if (parts.length !== 3)
+            return null;
+        const payload = parts[1] ?? "";
+        const decoded = atob(payload);
+        return JSON.parse(decoded);
+    }
+    catch {
+        return null;
+    }
+}
+async function exchangeAuthorizationCode(code, verifier, redirectUri = REDIRECT_URI) {
+    const response = await fetch(TOKEN_URL, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+            grant_type: "authorization_code",
+            client_id: CLIENT_ID,
+            code,
+            code_verifier: verifier,
+            redirect_uri: redirectUri,
+        }),
+    });
+    if (!response.ok) {
+        const text = await response.text().catch(() => "");
+        return {
+            type: "failed",
+            status: response.status,
+            message: `OpenAI Codex token exchange failed (${response.status}): ${text || response.statusText}`,
+        };
+    }
+    const json = (await response.json());
+    if (!json.access_token || !json.refresh_token || typeof json.expires_in !== "number") {
+        return {
+            type: "failed",
+            message: `OpenAI Codex token exchange response missing fields: ${JSON.stringify(json)}`,
+        };
+    }
+    return {
+        type: "success",
+        access: json.access_token,
+        refresh: json.refresh_token,
+        expires: Date.now() + json.expires_in * 1000,
+    };
+}
+async function refreshAccessToken(refreshToken) {
+    try {
+        const response = await fetch(TOKEN_URL, {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body: new URLSearchParams({
+                grant_type: "refresh_token",
+                refresh_token: refreshToken,
+                client_id: CLIENT_ID,
+            }),
+        });
+        if (!response.ok) {
+            const text = await response.text().catch(() => "");
+            return {
+                type: "failed",
+                status: response.status,
+                message: `OpenAI Codex token refresh failed (${response.status}): ${text || response.statusText}`,
+            };
+        }
+        const json = (await response.json());
+        if (!json.access_token || !json.refresh_token || typeof json.expires_in !== "number") {
+            return {
+                type: "failed",
+                message: `OpenAI Codex token refresh response missing fields: ${JSON.stringify(json)}`,
+            };
+        }
+        return {
+            type: "success",
+            access: json.access_token,
+            refresh: json.refresh_token,
+            expires: Date.now() + json.expires_in * 1000,
+        };
+    }
+    catch (error) {
+        return {
+            type: "failed",
+            message: `OpenAI Codex token refresh error: ${error instanceof Error ? error.message : String(error)}`,
+        };
+    }
+}
+async function createAuthorizationFlow(originator = "pi") {
+    const { verifier, challenge } = await generatePKCE();
+    const state = createState();
+    const url = new URL(AUTHORIZE_URL);
+    url.searchParams.set("response_type", "code");
+    url.searchParams.set("client_id", CLIENT_ID);
+    url.searchParams.set("redirect_uri", REDIRECT_URI);
+    url.searchParams.set("scope", SCOPE);
+    url.searchParams.set("code_challenge", challenge);
+    url.searchParams.set("code_challenge_method", "S256");
+    url.searchParams.set("state", state);
+    url.searchParams.set("id_token_add_organizations", "true");
+    url.searchParams.set("codex_cli_simplified_flow", "true");
+    url.searchParams.set("originator", originator);
+    return { verifier, state, url: url.toString() };
+}
+function startLocalOAuthServer(state) {
+    if (!_http) {
+        throw new Error("OpenAI Codex OAuth is only available in Node.js environments");
+    }
+    let settleWait;
+    const waitForCodePromise = new Promise((resolve) => {
+        let settled = false;
+        settleWait = (value) => {
+            if (settled)
+                return;
+            settled = true;
+            resolve(value);
+        };
+    });
+    const server = _http.createServer((req, res) => {
+        try {
+            const url = new URL(req.url || "", "http://localhost");
+            if (url.pathname !== "/auth/callback") {
+                res.statusCode = 404;
+                res.setHeader("Content-Type", "text/html; charset=utf-8");
+                res.end(oauthErrorHtml("Callback route not found."));
+                return;
+            }
+            if (url.searchParams.get("state") !== state) {
+                res.statusCode = 400;
+                res.setHeader("Content-Type", "text/html; charset=utf-8");
+                res.end(oauthErrorHtml("State mismatch."));
+                return;
+            }
+            const code = url.searchParams.get("code");
+            if (!code) {
+                res.statusCode = 400;
+                res.setHeader("Content-Type", "text/html; charset=utf-8");
+                res.end(oauthErrorHtml("Missing authorization code."));
+                return;
+            }
+            res.statusCode = 200;
+            res.setHeader("Content-Type", "text/html; charset=utf-8");
+            res.end(oauthSuccessHtml("OpenAI authentication completed. You can close this window."));
+            settleWait?.({ code });
+        }
+        catch {
+            res.statusCode = 500;
+            res.setHeader("Content-Type", "text/html; charset=utf-8");
+            res.end(oauthErrorHtml("Internal error while processing OAuth callback."));
+        }
+    });
+    return new Promise((resolve) => {
+        server
+            .listen(1455, CALLBACK_HOST, () => {
+            resolve({
+                close: () => server.close(),
+                cancelWait: () => {
+                    settleWait?.(null);
+                },
+                waitForCode: () => waitForCodePromise,
+            });
+        })
+            .on("error", (_err) => {
+            settleWait?.(null);
+            resolve({
+                close: () => {
+                    try {
+                        server.close();
+                    }
+                    catch {
+                        // ignore
+                    }
+                },
+                cancelWait: () => { },
+                waitForCode: async () => null,
+            });
+        });
+    });
+}
+function getAccountId(accessToken) {
+    const payload = decodeJwt(accessToken);
+    const auth = payload?.[JWT_CLAIM_PATH];
+    const accountId = auth?.chatgpt_account_id;
+    return typeof accountId === "string" && accountId.length > 0 ? accountId : null;
+}
+/**
+ * Login with OpenAI Codex OAuth
+ *
+ * @param options.onAuth - Called with URL and instructions when auth starts
+ * @param options.onPrompt - Called to prompt user for manual code paste (fallback if no onManualCodeInput)
+ * @param options.onProgress - Optional progress messages
+ * @param options.onManualCodeInput - Optional promise that resolves with user-pasted code.
+ *                                    Races with browser callback - whichever completes first wins.
+ *                                    Useful for showing paste input immediately alongside browser flow.
+ * @param options.originator - OAuth originator parameter (defaults to "pi")
+ */
+export async function loginOpenAICodex(options) {
+    const { verifier, state, url } = await createAuthorizationFlow(options.originator);
+    const server = await startLocalOAuthServer(state);
+    options.onAuth({ url, instructions: "A browser window should open. Complete login to finish." });
+    let code;
+    try {
+        if (options.onManualCodeInput) {
+            // Race between browser callback and manual input
+            let manualCode;
+            let manualError;
+            const manualPromise = options
+                .onManualCodeInput()
+                .then((input) => {
+                manualCode = input;
+                server.cancelWait();
+            })
+                .catch((err) => {
+                manualError = err instanceof Error ? err : new Error(String(err));
+                server.cancelWait();
+            });
+            const result = await server.waitForCode();
+            // If manual input was cancelled, throw that error
+            if (manualError) {
+                throw manualError;
+            }
+            if (result?.code) {
+                // Browser callback won
+                code = result.code;
+            }
+            else if (manualCode) {
+                // Manual input won (or callback timed out and user had entered code)
+                const parsed = parseAuthorizationInput(manualCode);
+                if (parsed.state && parsed.state !== state) {
+                    throw new Error("State mismatch");
+                }
+                code = parsed.code;
+            }
+            // If still no code, wait for manual promise to complete and try that
+            if (!code) {
+                await manualPromise;
+                if (manualError) {
+                    throw manualError;
+                }
+                if (manualCode) {
+                    const parsed = parseAuthorizationInput(manualCode);
+                    if (parsed.state && parsed.state !== state) {
+                        throw new Error("State mismatch");
+                    }
+                    code = parsed.code;
+                }
+            }
+        }
+        else {
+            // Original flow: wait for callback, then prompt if needed
+            const result = await server.waitForCode();
+            if (result?.code) {
+                code = result.code;
+            }
+        }
+        // Fallback to onPrompt if still no code
+        if (!code) {
+            const input = await options.onPrompt({
+                message: "Paste the authorization code (or full redirect URL):",
+            });
+            const parsed = parseAuthorizationInput(input);
+            if (parsed.state && parsed.state !== state) {
+                throw new Error("State mismatch");
+            }
+            code = parsed.code;
+        }
+        if (!code) {
+            throw new Error("Missing authorization code");
+        }
+        const tokenResult = await exchangeAuthorizationCode(code, verifier);
+        if (tokenResult.type !== "success") {
+            throw new Error(tokenResult.message);
+        }
+        const accountId = getAccountId(tokenResult.access);
+        if (!accountId) {
+            throw new Error("Failed to extract accountId from token");
+        }
+        return {
+            access: tokenResult.access,
+            refresh: tokenResult.refresh,
+            expires: tokenResult.expires,
+            accountId,
+        };
+    }
+    finally {
+        server.close();
+    }
+}
+/**
+ * Refresh OpenAI Codex OAuth token
+ */
+export async function refreshOpenAICodexToken(refreshToken) {
+    const result = await refreshAccessToken(refreshToken);
+    if (result.type !== "success") {
+        throw new Error(result.message);
+    }
+    const accountId = getAccountId(result.access);
+    if (!accountId) {
+        throw new Error("Failed to extract accountId from token");
+    }
+    return {
+        access: result.access,
+        refresh: result.refresh,
+        expires: result.expires,
+        accountId,
+    };
+}
+export const openaiCodexOAuthProvider = {
+    id: "openai-codex",
+    name: "ChatGPT Plus/Pro (Codex Subscription)",
+    usesCallbackServer: true,
+    async login(callbacks) {
+        return loginOpenAICodex({
+            onAuth: callbacks.onAuth,
+            onPrompt: callbacks.onPrompt,
+            onProgress: callbacks.onProgress,
+            onManualCodeInput: callbacks.onManualCodeInput,
+        });
+    },
+    async refreshToken(credentials) {
+        return refreshOpenAICodexToken(credentials.refresh);
+    },
+    getApiKey(credentials) {
+        return credentials.access;
+    },
+};

package/dist/pi/ai/utils/oauth/pkce.js

@@ -0,0 +1,30 @@
+/**
+ * PKCE utilities using Web Crypto API.
+ * Works in both Node.js 20+ and browsers.
+ */
+/**
+ * Encode bytes as base64url string.
+ */
+function base64urlEncode(bytes) {
+    let binary = "";
+    for (const byte of bytes) {
+        binary += String.fromCharCode(byte);
+    }
+    return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+/**
+ * Generate PKCE code verifier and challenge.
+ * Uses Web Crypto API for cross-platform compatibility.
+ */
+export async function generatePKCE() {
+    // Generate random verifier
+    const verifierBytes = new Uint8Array(32);
+    crypto.getRandomValues(verifierBytes);
+    const verifier = base64urlEncode(verifierBytes);
+    // Compute SHA-256 challenge
+    const encoder = new TextEncoder();
+    const data = encoder.encode(verifier);
+    const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+    const challenge = base64urlEncode(new Uint8Array(hashBuffer));
+    return { verifier, challenge };
+}

package/dist/pi/ai/utils/oauth/types.js

@@ -0,0 +1 @@
+export {};

package/dist/pi/ai/utils/overflow.js

@@ -0,0 +1,150 @@
+/**
+ * Regex patterns to detect context overflow errors from different providers.
+ *
+ * These patterns match error messages returned when the input exceeds
+ * the model's context window.
+ *
+ * Provider-specific patterns (with example error messages):
+ *
+ * - Anthropic: "prompt is too long: 213462 tokens > 200000 maximum"
+ * - Anthropic: "413 {\"error\":{\"type\":\"request_too_large\",\"message\":\"Request exceeds the maximum size\"}}"
+ * - OpenAI: "Your input exceeds the context window of this model"
+ * - OpenAI/LiteLLM: "Requested token count exceeds the model's maximum context length of 131072 tokens"
+ * - Google: "The input token count (1196265) exceeds the maximum number of tokens allowed (1048575)"
+ * - xAI: "This model's maximum prompt length is 131072 but the request contains 537812 tokens"
+ * - Groq: "Please reduce the length of the messages or completion"
+ * - OpenRouter: "This endpoint's maximum context length is X tokens. However, you requested about Y tokens"
+ * - Together AI: "The input (X tokens) is longer than the model's context length (Y tokens)."
+ * - llama.cpp: "the request exceeds the available context size, try increasing it"
+ * - LM Studio: "tokens to keep from the initial prompt is greater than the context length"
+ * - GitHub Copilot: "prompt token count of X exceeds the limit of Y"
+ * - MiniMax: "invalid params, context window exceeds limit"
+ * - Kimi For Coding: "Your request exceeded model token limit: X (requested: Y)"
+ * - Cerebras: "400/413 status code (no body)"
+ * - Mistral: "Prompt contains X tokens ... too large for model with Y maximum context length"
+ * - z.ai: Does NOT error, accepts overflow silently - handled via usage.input > contextWindow
+ * - Xiaomi MiMo: Truncates input to fill contextWindow exactly, then returns finish_reason "length"
+ *   with output=0 (no room left to generate). Detected via stopReason "length" + zero output +
+ *   input filling the context window.
+ * - Ollama: Some deployments truncate silently, others return errors like "prompt too long; exceeded max context length by X tokens"
+ */
+const OVERFLOW_PATTERNS = [
+    /prompt is too long/i, // Anthropic token overflow
+    /request_too_large/i, // Anthropic request byte-size overflow (HTTP 413)
+    /input is too long for requested model/i, // Amazon Bedrock
+    /exceeds the context window/i, // OpenAI (Completions & Responses API)
+    /exceeds (?:the )?(?:model'?s )?maximum context length of [\d,]+ tokens?/i, // OpenAI-compatible proxies (LiteLLM)
+    /input token count.*exceeds the maximum/i, // Google (Gemini)
+    /maximum prompt length is \d+/i, // xAI (Grok)
+    /reduce the length of the messages/i, // Groq
+    /maximum context length is \d+ tokens/i, // OpenRouter (all backends)
+    /input \(\d+ tokens\) is longer than the model'?s context length \(\d+ tokens\)/i, // Together AI
+    /exceeds the limit of \d+/i, // GitHub Copilot
+    /exceeds the available context size/i, // llama.cpp server
+    /greater than the context length/i, // LM Studio
+    /context window exceeds limit/i, // MiniMax
+    /exceeded model token limit/i, // Kimi For Coding
+    /too large for model with \d+ maximum context length/i, // Mistral
+    /model_context_window_exceeded/i, // z.ai non-standard finish_reason surfaced as error text
+    /prompt too long; exceeded (?:max )?context length/i, // Ollama explicit overflow error
+    /context[_ ]length[_ ]exceeded/i, // Generic fallback
+    /too many tokens/i, // Generic fallback
+    /token limit exceeded/i, // Generic fallback
+    /^4(?:00|13)\s*(?:status code)?\s*\(no body\)/i, // Cerebras: 400/413 with no body
+];
+/**
+ * Patterns that indicate non-overflow errors (e.g. rate limiting, server errors).
+ * Error messages matching any of these are excluded from overflow detection
+ * even if they also match an OVERFLOW_PATTERN.
+ *
+ * Example: Bedrock formats throttling errors as "ThrottlingException: Too many tokens,
+ * please wait before trying again." which would match the /too many tokens/i overflow
+ * pattern without this exclusion.
+ */
+const NON_OVERFLOW_PATTERNS = [
+    /^(Throttling error|Service unavailable):/i, // AWS Bedrock non-overflow errors (human-readable prefixes from formatBedrockError)
+    /rate limit/i, // Generic rate limiting
+    /too many requests/i, // Generic HTTP 429 style
+];
+/**
+ * Check if an assistant message represents a context overflow error.
+ *
+ * This handles two cases:
+ * 1. Error-based overflow: Most providers return stopReason "error" with a
+ *    specific error message pattern.
+ * 2. Silent overflow: Some providers accept overflow requests and return
+ *    successfully. For these, we check if usage.input exceeds the context window.
+ *
+ * ## Reliability by Provider
+ *
+ * **Reliable detection (returns error with detectable message):**
+ * - Anthropic: "prompt is too long: X tokens > Y maximum" or "request_too_large"
+ * - OpenAI (Completions & Responses): "exceeds the context window" or "exceeds the model's maximum context length of X tokens"
+ * - Google Gemini: "input token count exceeds the maximum"
+ * - xAI (Grok): "maximum prompt length is X but request contains Y"
+ * - Groq: "reduce the length of the messages"
+ * - Cerebras: 400/413 status code (no body)
+ * - Mistral: "Prompt contains X tokens ... too large for model with Y maximum context length"
+ * - OpenRouter (all backends): "maximum context length is X tokens"
+ * - Together AI: "The input (X tokens) is longer than the model's context length (Y tokens)."
+ * - llama.cpp: "exceeds the available context size"
+ * - LM Studio: "greater than the context length"
+ * - Kimi For Coding: "exceeded model token limit: X (requested: Y)"
+ *
+ * **Unreliable detection:**
+ * - z.ai: Sometimes accepts overflow silently (detectable via usage.input > contextWindow),
+ *   sometimes returns rate limit errors. Pass contextWindow param to detect silent overflow.
+ * - Xiaomi MiMo: Truncates input to fit contextWindow then returns stopReason "length" with
+ *   output=0. Pass contextWindow param to detect via the "filled context + zero output" signal.
+ * - Ollama: May truncate input silently for some setups, but may also return explicit
+ *   overflow errors that match the patterns above. Silent truncation still cannot be
+ *   detected here because we do not know the expected token count.
+ *
+ * ## Custom Providers
+ *
+ * If you've added custom models via settings.json, this function may not detect
+ * overflow errors from those providers. To add support:
+ *
+ * 1. Send a request that exceeds the model's context window
+ * 2. Check the errorMessage in the response
+ * 3. Create a regex pattern that matches the error
+ * 4. The pattern should be added to OVERFLOW_PATTERNS in this file, or
+ *    check the errorMessage yourself before calling this function
+ *
+ * @param message - The assistant message to check
+ * @param contextWindow - Optional context window size for detecting silent overflow (z.ai)
+ * @returns true if the message indicates a context overflow
+ */
+export function isContextOverflow(message, contextWindow) {
+    // Case 1: Check error message patterns
+    if (message.stopReason === "error" && message.errorMessage) {
+        // Skip messages matching known non-overflow patterns (e.g. throttling / rate-limit)
+        const isNonOverflow = NON_OVERFLOW_PATTERNS.some((p) => p.test(message.errorMessage));
+        if (!isNonOverflow && OVERFLOW_PATTERNS.some((p) => p.test(message.errorMessage))) {
+            return true;
+        }
+    }
+    // Case 2: Silent overflow (z.ai style) - successful but usage exceeds context
+    if (contextWindow && message.stopReason === "stop") {
+        const inputTokens = message.usage.input + message.usage.cacheRead;
+        if (inputTokens > contextWindow) {
+            return true;
+        }
+    }
+    // Case 3: Length-stop overflow (Xiaomi MiMo style) - server truncates oversized input
+    // to fit the context window, leaving no room for output. Returns stopReason "length"
+    // with output=0 and input+cacheRead filling the context window.
+    if (contextWindow && message.stopReason === "length" && message.usage.output === 0) {
+        const inputTokens = message.usage.input + message.usage.cacheRead;
+        if (inputTokens >= contextWindow * 0.99) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Get the overflow patterns for testing purposes.
+ */
+export function getOverflowPatterns() {
+    return [...OVERFLOW_PATTERNS];
+}

package/dist/pi/ai/utils/sanitize-unicode.js

@@ -0,0 +1,25 @@
+/**
+ * Removes unpaired Unicode surrogate characters from a string.
+ *
+ * Unpaired surrogates (high surrogates 0xD800-0xDBFF without matching low surrogates 0xDC00-0xDFFF,
+ * or vice versa) cause JSON serialization errors in many API providers.
+ *
+ * Valid emoji and other characters outside the Basic Multilingual Plane use properly paired
+ * surrogates and will NOT be affected by this function.
+ *
+ * @param text - The text to sanitize
+ * @returns The sanitized text with unpaired surrogates removed
+ *
+ * @example
+ * // Valid emoji (properly paired surrogates) are preserved
+ * sanitizeSurrogates("Hello 🙈 World") // => "Hello 🙈 World"
+ *
+ * // Unpaired high surrogate is removed
+ * const unpaired = String.fromCharCode(0xD83D); // high surrogate without low
+ * sanitizeSurrogates(`Text ${unpaired} here`) // => "Text  here"
+ */
+export function sanitizeSurrogates(text) {
+    // Replace unpaired high surrogates (0xD800-0xDBFF not followed by low surrogate)
+    // Replace unpaired low surrogates (0xDC00-0xDFFF not preceded by high surrogate)
+    return text.replace(/[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?<![\uD800-\uDBFF])[\uDC00-\uDFFF]/g, "");
+}

package/dist/pi/ai/utils/typebox-helpers.js

@@ -0,0 +1,20 @@
+import { Type } from "typebox";
+/**
+ * Creates a string enum schema compatible with Google's API and other providers
+ * that don't support anyOf/const patterns.
+ *
+ * @example
+ * const OperationSchema = StringEnum(["add", "subtract", "multiply", "divide"], {
+ *   description: "The operation to perform"
+ * });
+ *
+ * type Operation = Static<typeof OperationSchema>; // "add" | "subtract" | "multiply" | "divide"
+ */
+export function StringEnum(values, options) {
+    return Type.Unsafe({
+        type: "string",
+        enum: values,
+        ...(options?.description && { description: options.description }),
+        ...(options?.default && { default: options.default }),
+    });
+}