@aria-cli/cli 1.0.54 → 1.0.56

package/dist/commands/login-handler.js

@@ -0,0 +1,1108 @@
+/**
+ * Slash command handler for /login — authenticate with providers.
+ *
+ * Supports three result modes:
+ * - PickerResult:  `/login` with no args → return provider list for interactive picker
+ * - DirectResult:  `/login bedrock`, `/login anthropic <key>` → immediate result
+ * - OAuthFlowResult: `/login anthropic` (no key) → trigger OAuth flow component
+ */
+import { ensureAuthProfileStore, syncExternalCliCredentials, isProfileInCooldown, upsertAuthProfile, updateAuthProfileStoreWithLockSync, refreshBedrockSsoToken, loginBedrockSso, listProfilesForProvider, loginWithGitHubCopilotToken, readClaudeCodeCredentialsCached, readCodexCredentialsCached, readGeminiCredentialsCached, normalizeProviderId, OPENAI_CODEX_OAUTH_PROFILE_ID, } from "@aria-cli/auth";
+import { spawnSync } from "node:child_process";
+import { loadConfig, saveConfig, persistAwsSelectorHintsFromEnv } from "../config.js";
+function readGhAuthToken() {
+    try {
+        const result = spawnSync("gh", ["auth", "token", "-h", "github.com"], {
+            encoding: "utf8",
+            timeout: 5000,
+        });
+        if (result.error) {
+            return { error: result.error.message };
+        }
+        if (result.status !== 0) {
+            const stderr = (result.stderr || "").trim();
+            const stdout = (result.stdout || "").trim();
+            return { error: stderr || stdout || `gh auth token exited with status ${result.status}` };
+        }
+        const token = (result.stdout || "").trim();
+        if (token.length < 8) {
+            return { error: "gh auth token returned an empty/short token" };
+        }
+        return { token };
+    }
+    catch (error) {
+        return { error: error instanceof Error ? error.message : String(error) };
+    }
+}
+function readGhUsernames(host = "github.com") {
+    try {
+        const result = spawnSync("gh", ["auth", "status", "-h", host], {
+            encoding: "utf8",
+            timeout: 5000,
+        });
+        const text = `${result.stdout || ""}\n${result.stderr || ""}`;
+        const names = new Set();
+        for (const line of text.split(/\r?\n/)) {
+            const m = line.match(/Logged in to .* account\s+([^\s]+)/i);
+            if (m?.[1]) {
+                names.add(m[1]);
+            }
+        }
+        return [...names];
+    }
+    catch {
+        return [];
+    }
+}
+function readGhTokenForUser(user, host = "github.com") {
+    try {
+        const result = spawnSync("gh", ["auth", "token", "-h", host, "-u", user], {
+            encoding: "utf8",
+            timeout: 5000,
+        });
+        if (result.error) {
+            return { error: result.error.message };
+        }
+        if (result.status !== 0) {
+            return { error: (result.stderr || result.stdout || "").trim() || "gh token failed" };
+        }
+        const token = (result.stdout || "").trim();
+        if (token.length < 8) {
+            return { error: "empty/short token" };
+        }
+        return { token };
+    }
+    catch (error) {
+        return { error: error instanceof Error ? error.message : String(error) };
+    }
+}
+function readCopilotLastLoggedInUser() {
+    try {
+        const configPath = `${process.env.HOME || ""}/.copilot/config.json`;
+        const result = spawnSync("node", [
+            "-e",
+            `const fs=require('fs');const p=${JSON.stringify(configPath)};if(!fs.existsSync(p)){process.exit(0);}const j=JSON.parse(fs.readFileSync(p,'utf8'));const login=j?.last_logged_in_user?.login||j?.logged_in_users?.[0]?.login||'';if(login)process.stdout.write(login);`,
+        ], {
+            encoding: "utf8",
+            timeout: 5000,
+        });
+        const login = (result.stdout || "").trim();
+        return login ? { login } : {};
+    }
+    catch (error) {
+        return { error: error instanceof Error ? error.message : String(error) };
+    }
+}
+function parseCopilotLoginArgs(raw) {
+    const text = raw?.trim() ?? "";
+    if (!text) {
+        return { useGhToken: true, autoSelectSource: true };
+    }
+    const parts = text.split(/\s+/).filter(Boolean);
+    let token;
+    let profileLabel;
+    let useGhToken = true;
+    let autoSelectSource = false;
+    const takeValue = (index) => {
+        const value = parts[index + 1];
+        return value && !value.startsWith("--") ? value : undefined;
+    };
+    for (let i = 0; i < parts.length; i += 1) {
+        const part = parts[i];
+        if (part === "--profile" || part === "--label") {
+            const value = takeValue(i);
+            if (value) {
+                profileLabel = value;
+                i += 1;
+            }
+            continue;
+        }
+        if (part.startsWith("--profile=") || part.startsWith("--label=")) {
+            profileLabel = part.split("=", 2)[1]?.trim() || profileLabel;
+            continue;
+        }
+        if (part === "--source") {
+            const value = takeValue(i)?.toLowerCase();
+            if (value === "device") {
+                useGhToken = false;
+            }
+            else if (value === "auto") {
+                autoSelectSource = true;
+            }
+            i += value ? 1 : 0;
+            continue;
+        }
+        if (part.startsWith("--source=")) {
+            const value = part.split("=", 2)[1]?.toLowerCase();
+            if (value === "device") {
+                useGhToken = false;
+            }
+            else if (value === "auto") {
+                autoSelectSource = true;
+            }
+            continue;
+        }
+        if (!part.startsWith("--") && !token) {
+            token = part;
+            useGhToken = false;
+        }
+    }
+    if (token && token.length > 0) {
+        useGhToken = false;
+    }
+    return { token, profileLabel, useGhToken, autoSelectSource };
+}
+function sanitizeProfileLabel(input) {
+    const raw = (input || "").trim();
+    if (!raw)
+        return undefined;
+    return (raw
+        .toLowerCase()
+        .replace(/[^a-z0-9._-]+/g, "-")
+        .replace(/^-+|-+$/g, "") || undefined);
+}
+function buildCopilotSourceOptions() {
+    const options = [];
+    const seen = new Set();
+    // Check GitHub token env vars (GH_TOKEN, GITHUB_TOKEN, COPILOT_GITHUB_TOKEN)
+    const envTokenVars = ["GH_TOKEN", "GITHUB_TOKEN", "COPILOT_GITHUB_TOKEN"];
+    for (const varName of envTokenVars) {
+        const token = process.env[varName]?.trim();
+        if (token && token.length >= 8) {
+            const key = `env:${varName}`;
+            if (!seen.has(key)) {
+                options.push({
+                    id: key,
+                    label: `Using ${varName} from environment`,
+                    source: "env",
+                    token,
+                    status: "connected",
+                });
+                seen.add(key);
+            }
+            // Only show the first env var that has a token — they're likely the same value
+            break;
+        }
+    }
+    const ghUsers = readGhUsernames("github.com");
+    for (const user of ghUsers) {
+        const token = readGhTokenForUser(user, "github.com").token;
+        const label = `GitHub CLI account: ${user}`;
+        const key = `gh:${user}`;
+        if (!seen.has(key)) {
+            options.push({
+                id: key,
+                label,
+                source: "gh",
+                login: user,
+                token,
+                profileLabel: sanitizeProfileLabel(user),
+                status: token ? "connected" : "none",
+            });
+            seen.add(key);
+        }
+    }
+    // Check existing Copilot auth profiles in the store — these already have
+    // working tokens and don't need device flow re-authentication.
+    const store = ensureAuthProfileStore();
+    syncExternalCliCredentials(store);
+    const copilotProfiles = listProfilesForProvider(store, "github-copilot");
+    for (const profileId of copilotProfiles) {
+        const profile = store.profiles[profileId];
+        if (!profile)
+            continue;
+        // Extract the login name from the profile ID (e.g. "github-copilot:hole_axoncorp" → "hole_axoncorp")
+        const login = profileId.split(":").slice(1).join(":") || profileId;
+        const key = `profile:${login}`;
+        if (seen.has(key))
+            continue;
+        // For OAuth profiles, the refresh token is the original GitHub token
+        // that can be used for Copilot token exchange via loginWithGitHubCopilotToken.
+        const token = profile.type === "oauth" && profile.refresh ? profile.refresh : undefined;
+        const isFresh = profile.type === "oauth" && Date.now() < profile.expires;
+        options.push({
+            id: key,
+            label: `Copilot profile: ${login}`,
+            source: "copilot",
+            login,
+            token,
+            profileLabel: sanitizeProfileLabel(login),
+            status: isFresh || token ? "connected" : "none",
+        });
+        seen.add(key);
+    }
+    const copilot = readCopilotLastLoggedInUser();
+    if (copilot.login) {
+        const key = `copilot:${copilot.login}`;
+        // Only add if not already covered by an auth profile above
+        if (!seen.has(key) && !seen.has(`profile:${copilot.login}`)) {
+            options.push({
+                id: key,
+                label: `Copilot CLI last login: ${copilot.login}`,
+                source: "copilot",
+                login: copilot.login,
+                profileLabel: sanitizeProfileLabel(copilot.login),
+                status: "connected",
+            });
+            seen.add(key);
+        }
+    }
+    options.push({
+        id: "device:new",
+        label: "Sign in with a new GitHub account (device flow)",
+        source: "device",
+        status: "none",
+    });
+    return options;
+}
+// ---------------------------------------------------------------------------
+// Anthropic method picker — 3-method login flow + import + setup-token
+// ---------------------------------------------------------------------------
+function buildAnthropicMethodOptions() {
+    const options = [];
+    const config = loadConfig();
+    if (persistAwsSelectorHintsFromEnv(config)) {
+        saveConfig(config);
+    }
+    const configuredAwsProfile = config.awsProfile?.trim();
+    // 0. Check for ANTHROPIC_API_KEY in environment
+    const envKey = process.env.ANTHROPIC_API_KEY?.trim();
+    if (envKey && envKey.length > 8) {
+        const looksValid = envKey.startsWith("sk-ant-api");
+        options.push({
+            id: "env-key",
+            label: "Using ANTHROPIC_API_KEY from environment",
+            description: looksValid ? "API key detected" : "Key format unrecognized",
+            method: "env-key",
+            status: looksValid ? "connected" : "none",
+        });
+    }
+    // 1. Check existing Anthropic profiles in the auth store
+    const store = ensureAuthProfileStore();
+    syncExternalCliCredentials(store);
+    const anthropicProfiles = listProfilesForProvider(store, "anthropic");
+    for (const profileId of anthropicProfiles) {
+        const profile = store.profiles[profileId];
+        if (!profile)
+            continue;
+        const isFresh = (profile.type === "oauth" || profile.type === "token") &&
+            "expires" in profile &&
+            typeof profile.expires === "number" &&
+            profile.expires > Date.now();
+        options.push({
+            id: `profile:${profileId}`,
+            label: `Saved profile: ${profileId}`,
+            description: isFresh ? "Credentials active" : "Credentials expired — will refresh on use",
+            method: "api-key", // existing profiles don't need a new login method
+            status: isFresh ? "connected" : "available",
+        });
+    }
+    // 2. Check if Claude Code CLI credentials exist
+    const claudeCred = readClaudeCodeCredentialsCached();
+    if (claudeCred) {
+        const isFresh = claudeCred.expires > Date.now();
+        options.push({
+            id: "claude-cli",
+            label: "Import from Claude Code CLI",
+            description: isFresh
+                ? "Use existing Claude Code credentials from keychain"
+                : "Credentials expired, will refresh",
+            method: "claude-cli",
+            status: isFresh ? "connected" : "available",
+        });
+    }
+    // 3. Claude subscription (OAuth via claude.ai)
+    options.push({
+        id: "subscription",
+        label: "Claude account with subscription",
+        description: "Pro, Max, Team, or Enterprise",
+        method: "subscription",
+        status: resolveProviderStatus("anthropic") === "connected" ? "connected" : "none",
+    });
+    // 4. Console account (API key)
+    options.push({
+        id: "console",
+        label: "Anthropic Console account",
+        description: "API usage billing",
+        method: "console",
+        status: "none",
+    });
+    // 5. Setup token (from `claude setup-token`)
+    options.push({
+        id: "setup-token",
+        label: "Paste setup-token",
+        description: "From `claude setup-token` or admin provisioning",
+        method: "setup-token",
+        status: "none",
+    });
+    // 6. Bedrock (3rd-party platform) — always shown with appropriate status
+    {
+        const bedrockStatus = resolveProviderStatus("bedrock");
+        const hasAwsProfile = !!configuredAwsProfile;
+        options.push({
+            id: "bedrock",
+            label: "3rd-party platform",
+            description: hasAwsProfile
+                ? `Amazon Bedrock (profile=${configuredAwsProfile})`
+                : "Amazon Bedrock — configure daemon-owned awsProfile/region selectors",
+            method: "bedrock",
+            status: bedrockStatus === "connected" ? "connected" : hasAwsProfile ? "available" : "none",
+        });
+    }
+    return options;
+}
+export async function handleAnthropicMethodSelection(methodId) {
+    switch (methodId) {
+        case "subscription":
+            return { mode: "oauth", provider: "anthropic" };
+        case "console":
+        case "api-key":
+            return { mode: "anthropic_key_input", provider: "anthropic" };
+        case "setup-token":
+            return { mode: "anthropic_setup_token", provider: "anthropic" };
+        case "env-key": {
+            const key = process.env.ANTHROPIC_API_KEY?.trim();
+            if (!key) {
+                return {
+                    mode: "direct",
+                    result: { success: false, message: "ANTHROPIC_API_KEY not set in environment" },
+                };
+            }
+            upsertAuthProfile({
+                profileId: "anthropic:env",
+                credential: { type: "api_key", provider: "anthropic", key },
+            });
+            return {
+                mode: "direct",
+                result: { success: true, message: "Saved ANTHROPIC_API_KEY from environment" },
+            };
+        }
+        case "claude-cli": {
+            const cred = readClaudeCodeCredentialsCached();
+            if (!cred) {
+                return {
+                    mode: "direct",
+                    result: {
+                        success: false,
+                        message: "No Claude Code credentials found. Run `claude login` first.",
+                    },
+                };
+            }
+            if (cred.type === "oauth") {
+                upsertAuthProfile({
+                    profileId: "anthropic:claude-cli",
+                    credential: {
+                        type: "oauth",
+                        provider: "anthropic",
+                        access: cred.access,
+                        refresh: cred.refresh,
+                        expires: cred.expires,
+                    },
+                });
+                return {
+                    mode: "direct",
+                    result: { success: true, message: "Imported Claude Code OAuth credentials" },
+                };
+            }
+            if (cred.type === "token") {
+                upsertAuthProfile({
+                    profileId: "anthropic:claude-cli",
+                    credential: {
+                        type: "token",
+                        provider: "anthropic",
+                        token: cred.token,
+                        expires: cred.expires,
+                    },
+                });
+                return {
+                    mode: "direct",
+                    result: { success: true, message: "Imported Claude Code token" },
+                };
+            }
+            return {
+                mode: "direct",
+                result: { success: false, message: "Unknown Claude Code credential type" },
+            };
+        }
+        case "bedrock":
+            return handleBedrockLogin();
+        default: {
+            if (methodId.startsWith("profile:")) {
+                return {
+                    mode: "direct",
+                    result: {
+                        success: true,
+                        message: `Selected profile: ${methodId.replace("profile:", "")}`,
+                    },
+                };
+            }
+            return {
+                mode: "direct",
+                result: { success: false, message: `Unknown method: ${methodId}` },
+            };
+        }
+    }
+}
+// ---------------------------------------------------------------------------
+// OpenAI method picker — env key + profiles + Codex import + paste key
+// ---------------------------------------------------------------------------
+function buildOpenAIMethodOptions() {
+    const options = [];
+    // 0. Check for OPENAI_API_KEY in environment
+    const envKey = process.env.OPENAI_API_KEY?.trim();
+    if (envKey && envKey.length > 8) {
+        const looksValid = envKey.startsWith("sk-");
+        options.push({
+            id: "env-key",
+            label: "Using OPENAI_API_KEY from environment",
+            description: looksValid ? "API key detected" : "Key format unrecognized",
+            method: "env-key",
+            status: looksValid ? "connected" : "none",
+        });
+    }
+    // 1. Check existing OpenAI profiles in the auth store
+    const store = ensureAuthProfileStore();
+    syncExternalCliCredentials(store);
+    const seenProfiles = new Set();
+    for (const providerKey of ["openai", "openai-codex"]) {
+        const profiles = listProfilesForProvider(store, providerKey);
+        for (const profileId of profiles) {
+            if (seenProfiles.has(profileId))
+                continue;
+            seenProfiles.add(profileId);
+            const profile = store.profiles[profileId];
+            if (!profile)
+                continue;
+            const isFresh = (profile.type === "oauth" || profile.type === "token") &&
+                "expires" in profile &&
+                typeof profile.expires === "number" &&
+                profile.expires > Date.now();
+            options.push({
+                id: `profile:${profileId}`,
+                label: `Saved profile: ${profileId}`,
+                description: isFresh ? "Credentials active" : "Credentials expired — will refresh on use",
+                method: "profile",
+                status: isFresh ? "connected" : "available",
+            });
+        }
+    }
+    // 2. Check if Codex CLI credentials exist
+    const codexCred = readCodexCredentialsCached();
+    if (codexCred) {
+        const isFresh = codexCred.expires > Date.now();
+        options.push({
+            id: "codex-import",
+            label: "Import from Codex CLI",
+            description: isFresh ? "Use existing Codex credentials" : "Credentials expired, will refresh",
+            method: "codex-import",
+            status: isFresh ? "connected" : "available",
+        });
+    }
+    // 3. Paste API key option
+    options.push({
+        id: "api-key",
+        label: "Paste API key",
+        description: "Enter your OpenAI sk-* API key",
+        method: "api-key",
+        status: "none",
+    });
+    return options;
+}
+export async function handleOpenAIMethodSelection(methodId) {
+    switch (methodId) {
+        case "api-key":
+            return { mode: "openai_key_input", provider: "openai" };
+        case "env-key": {
+            const key = process.env.OPENAI_API_KEY?.trim();
+            if (!key) {
+                return {
+                    mode: "direct",
+                    result: { success: false, message: "OPENAI_API_KEY not set in environment" },
+                };
+            }
+            upsertAuthProfile({
+                profileId: "openai:env",
+                credential: { type: "api_key", provider: "openai", key },
+            });
+            return {
+                mode: "direct",
+                result: { success: true, message: "Saved OPENAI_API_KEY from environment" },
+            };
+        }
+        case "codex-import": {
+            const cred = readCodexCredentialsCached();
+            if (!cred) {
+                return {
+                    mode: "direct",
+                    result: {
+                        success: false,
+                        message: "No Codex CLI credentials found. Run `codex auth` first.",
+                    },
+                };
+            }
+            upsertAuthProfile({
+                profileId: OPENAI_CODEX_OAUTH_PROFILE_ID,
+                credential: {
+                    type: "oauth",
+                    provider: "openai",
+                    access: cred.access,
+                    refresh: cred.refresh,
+                    expires: cred.expires,
+                },
+            });
+            return {
+                mode: "direct",
+                result: { success: true, message: "Imported Codex CLI OAuth credentials" },
+            };
+        }
+        default: {
+            if (methodId.startsWith("profile:")) {
+                return {
+                    mode: "direct",
+                    result: {
+                        success: true,
+                        message: `Selected profile: ${methodId.replace("profile:", "")}`,
+                    },
+                };
+            }
+            return {
+                mode: "direct",
+                result: { success: false, message: `Unknown method: ${methodId}` },
+            };
+        }
+    }
+}
+// ---------------------------------------------------------------------------
+// Google method picker — env key + profiles + Gemini import + paste key + OAuth
+// ---------------------------------------------------------------------------
+function buildGoogleMethodOptions() {
+    const options = [];
+    // 0. Check for GOOGLE_API_KEY or GEMINI_API_KEY in environment
+    const envKey = (process.env.GOOGLE_API_KEY ?? process.env.GEMINI_API_KEY)?.trim();
+    if (envKey && envKey.length > 8) {
+        const looksValid = envKey.startsWith("AIza");
+        options.push({
+            id: "env-key",
+            label: `Using ${process.env.GOOGLE_API_KEY ? "GOOGLE_API_KEY" : "GEMINI_API_KEY"} from environment`,
+            description: looksValid ? "API key detected" : "Key format unrecognized",
+            method: "env-key",
+            status: looksValid ? "connected" : "none",
+        });
+    }
+    // 1. Check existing Google profiles in the auth store
+    const store = ensureAuthProfileStore();
+    syncExternalCliCredentials(store);
+    const googleProfiles = listProfilesForProvider(store, "google");
+    for (const profileId of googleProfiles) {
+        const profile = store.profiles[profileId];
+        if (!profile)
+            continue;
+        const isFresh = (profile.type === "oauth" || profile.type === "token") &&
+            "expires" in profile &&
+            typeof profile.expires === "number" &&
+            profile.expires > Date.now();
+        options.push({
+            id: `profile:${profileId}`,
+            label: `Saved profile: ${profileId}`,
+            description: isFresh ? "Credentials active" : "Credentials expired — will refresh on use",
+            method: "profile",
+            status: isFresh ? "connected" : "available",
+        });
+    }
+    // 2. Check if Gemini CLI credentials exist
+    const geminiCred = readGeminiCredentialsCached();
+    if (geminiCred) {
+        const isFresh = geminiCred.expires > Date.now();
+        options.push({
+            id: "gemini-import",
+            label: "Import from Gemini CLI",
+            description: isFresh
+                ? "Use existing Gemini CLI credentials"
+                : "Credentials expired, will refresh",
+            method: "gemini-import",
+            status: isFresh ? "connected" : "available",
+        });
+    }
+    // 3. Paste API key option
+    options.push({
+        id: "api-key",
+        label: "Paste API key",
+        description: "Enter your Google AIza* API key",
+        method: "api-key",
+        status: "none",
+    });
+    // 4. Gemini CLI OAuth option
+    options.push({
+        id: "oauth",
+        label: "Gemini CLI OAuth",
+        description: "Sign in via browser-based OAuth flow",
+        method: "oauth",
+        status: "none",
+    });
+    return options;
+}
+export async function handleGoogleMethodSelection(methodId) {
+    switch (methodId) {
+        case "api-key":
+            return { mode: "google_key_input", provider: "google" };
+        case "oauth":
+            return { mode: "oauth", provider: "google" };
+        case "env-key": {
+            const key = (process.env.GOOGLE_API_KEY ?? process.env.GEMINI_API_KEY)?.trim();
+            if (!key) {
+                return {
+                    mode: "direct",
+                    result: {
+                        success: false,
+                        message: "GOOGLE_API_KEY / GEMINI_API_KEY not set in environment",
+                    },
+                };
+            }
+            upsertAuthProfile({
+                profileId: "google:env",
+                credential: { type: "api_key", provider: "google", key },
+            });
+            return {
+                mode: "direct",
+                result: { success: true, message: "Saved Google API key from environment" },
+            };
+        }
+        case "gemini-import": {
+            const cred = readGeminiCredentialsCached();
+            if (!cred) {
+                return {
+                    mode: "direct",
+                    result: {
+                        success: false,
+                        message: "No Gemini CLI credentials found. Run `gemini auth` first.",
+                    },
+                };
+            }
+            upsertAuthProfile({
+                profileId: "google:gemini-cli",
+                credential: {
+                    type: "oauth",
+                    provider: "google",
+                    access: cred.access,
+                    refresh: cred.refresh,
+                    expires: cred.expires,
+                },
+            });
+            return {
+                mode: "direct",
+                result: { success: true, message: "Imported Gemini CLI OAuth credentials" },
+            };
+        }
+        default: {
+            if (methodId.startsWith("profile:")) {
+                return {
+                    mode: "direct",
+                    result: {
+                        success: true,
+                        message: `Selected profile: ${methodId.replace("profile:", "")}`,
+                    },
+                };
+            }
+            return {
+                mode: "direct",
+                result: { success: false, message: `Unknown method: ${methodId}` },
+            };
+        }
+    }
+}
+// ---------------------------------------------------------------------------
+// Provider metadata
+// ---------------------------------------------------------------------------
+const SUPPORTED_PROVIDERS = ["bedrock", "anthropic", "google", "openai", "github-copilot"];
+const PROVIDER_LABELS = {
+    bedrock: "Bedrock (AWS SSO)",
+    anthropic: "Anthropic",
+    google: "Google (Gemini)",
+    openai: "OpenAI",
+    "github-copilot": "GitHub Copilot",
+};
+function isSupportedProvider(name) {
+    return SUPPORTED_PROVIDERS.includes(name);
+}
+// ---------------------------------------------------------------------------
+// Provider status resolution
+// ---------------------------------------------------------------------------
+/** Env vars that indicate a provider is available without stored profiles. */
+const PROVIDER_ENV_VARS = {
+    anthropic: ["ANTHROPIC_API_KEY"],
+    openai: ["OPENAI_API_KEY"],
+    google: ["GOOGLE_API_KEY", "GEMINI_API_KEY"],
+    "github-copilot": ["GH_TOKEN", "GITHUB_TOKEN", "COPILOT_GITHUB_TOKEN"],
+    bedrock: [],
+};
+function resolveProviderStatus(provider) {
+    const store = updateAuthProfileStoreWithLockSync({
+        updater: (freshStore) => syncExternalCliCredentials(freshStore),
+    }) ?? ensureAuthProfileStore();
+    const normalized = normalizeProviderId(provider);
+    const profileIds = listProfilesForProvider(store, normalized);
+    // Check if any profile is active (not expired, not in cooldown)
+    for (const id of profileIds) {
+        const cred = store.profiles[id];
+        if (!cred)
+            continue;
+        if (isProfileInCooldown(store, id))
+            continue;
+        // API key profiles are always active if they have a key
+        if (cred.type === "api_key" && cred.key?.trim())
+            return "connected";
+        if (cred.type === "oauth" && "expires" in cred) {
+            const expires = cred.expires;
+            if (expires && expires < Date.now())
+                continue; // expired
+            return "connected";
+        }
+        if (cred.type === "token") {
+            const expires = cred.expires;
+            if (!expires || Date.now() < expires)
+                return "connected";
+            continue; // expired
+        }
+        // Unknown type with no expiry — treat as active
+        return "connected";
+    }
+    // Check environment variables
+    const vars = PROVIDER_ENV_VARS[normalized] ?? [];
+    for (const v of vars) {
+        if (process.env[v]?.trim())
+            return "connected";
+    }
+    // Profiles exist but none are active → expired; otherwise → none
+    return profileIds.length > 0 ? "expired" : "none";
+}
+// ---------------------------------------------------------------------------
+// getProviderOptions — build the picker list
+// ---------------------------------------------------------------------------
+export function getProviderOptions() {
+    return SUPPORTED_PROVIDERS.map((id) => {
+        const status = resolveProviderStatus(id);
+        const store = ensureAuthProfileStore();
+        const profileIds = listProfilesForProvider(store, id);
+        // Try to find an email from any profile
+        let email;
+        for (const pid of profileIds) {
+            const cred = store.profiles[pid];
+            if (cred?.email) {
+                email = cred.email;
+                break;
+            }
+        }
+        return {
+            id,
+            label: PROVIDER_LABELS[id],
+            status,
+            ...(email ? { email } : {}),
+        };
+    });
+}
+// ---------------------------------------------------------------------------
+// Bedrock SSO login — tries silent refresh first, then interactive
+// ---------------------------------------------------------------------------
+async function handleBedrockLogin(profile) {
+    const config = loadConfig();
+    const selectedProfile = profile?.trim() || config.awsProfile?.trim();
+    const selectedRegion = config.awsRegion?.trim();
+    const selector = {
+        awsProfile: selectedProfile,
+        awsRegion: selectedRegion,
+        awsConfigFile: config.awsConfigFile?.trim(),
+        awsSharedCredentialsFile: config.awsSharedCredentialsFile?.trim(),
+    };
+    if (!selectedProfile) {
+        return {
+            mode: "direct",
+            result: {
+                success: false,
+                message: "Bedrock is not configured. Set daemon-owned awsProfile (and ideally awsRegion) selectors before logging in.",
+            },
+        };
+    }
+    // Step 1: silent refresh
+    const silentOk = await refreshBedrockSsoToken(selector);
+    if (silentOk) {
+        return {
+            mode: "direct",
+            result: { success: true, message: "Bedrock SSO token refreshed (silent)" },
+        };
+    }
+    // Step 2: interactive aws sso login
+    const loginOk = await loginBedrockSso(selector);
+    if (loginOk) {
+        return {
+            mode: "direct",
+            result: {
+                success: true,
+                message: `Bedrock SSO login succeeded — credentials refreshed${selectedRegion ? ` (${selectedProfile} @ ${selectedRegion})` : ` (${selectedProfile})`}`,
+            },
+        };
+    }
+    return {
+        mode: "direct",
+        result: {
+            success: false,
+            message: [
+                "Bedrock SSO login failed.",
+                "The daemon resolves Bedrock auth from its configured AWS profile/region selectors and AWS shared config/SSO cache.",
+                "Try running manually: aws sso login --profile " + selectedProfile,
+            ].join("\n"),
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// API key login — save directly
+// ---------------------------------------------------------------------------
+function handleApiKeyLogin(provider, apiKey) {
+    if (apiKey.length < 8) {
+        return {
+            mode: "direct",
+            result: { success: false, message: "API key too short (minimum 8 characters)" },
+        };
+    }
+    const profileId = `${provider}:manual`;
+    upsertAuthProfile({
+        profileId,
+        credential: { type: "api_key", provider, key: apiKey },
+    });
+    return {
+        mode: "direct",
+        result: { success: true, message: `Saved ${provider} API key (profile: ${profileId})` },
+    };
+}
+function handleAnthropicSetupTokenLogin(token) {
+    if (token.length < 8) {
+        return {
+            mode: "direct",
+            result: { success: false, message: "Setup token too short (minimum 8 characters)" },
+        };
+    }
+    const profileId = "anthropic:setup-token";
+    upsertAuthProfile({
+        profileId,
+        credential: { type: "api_key", provider: "anthropic", key: token },
+    });
+    return {
+        mode: "direct",
+        result: { success: true, message: `Saved Anthropic setup token (profile: ${profileId})` },
+    };
+}
+// ---------------------------------------------------------------------------
+// loginProvider — handle login for a specific provider
+// ---------------------------------------------------------------------------
+export async function loginProvider(provider, args) {
+    if (!isSupportedProvider(provider)) {
+        return {
+            mode: "direct",
+            result: {
+                success: false,
+                message: `Unknown provider "${provider}". Supported: ${SUPPORTED_PROVIDERS.join(", ")}`,
+            },
+        };
+    }
+    // Bedrock: always SSO flow
+    if (provider === "bedrock") {
+        const trimmedArgs = args?.trim();
+        if (trimmedArgs) {
+            const parts = trimmedArgs.split(/\s+/);
+            const nextConfig = loadConfig();
+            let mutated = false;
+            const candidateProfile = parts[0]?.trim();
+            if (candidateProfile) {
+                nextConfig.awsProfile = candidateProfile;
+                mutated = true;
+            }
+            const candidateRegion = parts[1]?.trim();
+            if (candidateRegion) {
+                nextConfig.awsRegion = candidateRegion;
+                mutated = true;
+            }
+            if (persistAwsSelectorHintsFromEnv(nextConfig)) {
+                mutated = true;
+            }
+            if (mutated) {
+                saveConfig(nextConfig);
+            }
+        }
+        return handleBedrockLogin();
+    }
+    // GitHub Copilot: token shortcut or interactive device-code flow
+    if (provider === "github-copilot") {
+        const parsed = parseCopilotLoginArgs(args);
+        if (!parsed.token && !parsed.profileLabel && parsed.autoSelectSource) {
+            const options = buildCopilotSourceOptions();
+            return {
+                mode: "copilot_source_picker",
+                provider: "github-copilot",
+                options,
+            };
+        }
+        if (parsed.token) {
+            const result = await loginWithGitHubCopilotToken({
+                githubToken: parsed.token,
+                profileLabel: parsed.profileLabel,
+            });
+            return {
+                mode: "direct",
+                result: {
+                    success: result.success,
+                    message: result.message,
+                },
+            };
+        }
+        // No explicit token provided: best-effort import from GitHub CLI auth.
+        if (parsed.useGhToken) {
+            const gh = readGhAuthToken();
+            if (gh.token) {
+                const result = await loginWithGitHubCopilotToken({
+                    githubToken: gh.token,
+                    profileLabel: parsed.profileLabel,
+                });
+                if (result.success) {
+                    return {
+                        mode: "direct",
+                        result: {
+                            success: true,
+                            message: `${result.message} (imported from gh auth token)`,
+                        },
+                    };
+                }
+                return {
+                    mode: "copilot_device",
+                    provider: "github-copilot",
+                    profileLabel: parsed.profileLabel,
+                    message: `gh auth token import failed: ${result.message}\nFalling back to interactive device login...`,
+                };
+            }
+            return {
+                mode: "copilot_device",
+                provider: "github-copilot",
+                profileLabel: parsed.profileLabel,
+                ...(gh.error ? { message: `Could not read gh auth token: ${gh.error}` } : {}),
+            };
+        }
+        return {
+            mode: "copilot_device",
+            provider: "github-copilot",
+            profileLabel: parsed.profileLabel,
+        };
+    }
+    // Anthropic: 3-method picker or --method dispatch
+    if (provider === "anthropic") {
+        const keyArg = args?.trim();
+        if (keyArg?.startsWith("--setup-token")) {
+            const token = keyArg.replace(/^--setup-token\s*/, "").trim();
+            return handleAnthropicSetupTokenLogin(token);
+        }
+        // `/login anthropic --method <method>` — handle specific method
+        if (keyArg?.startsWith("--method")) {
+            const methodId = keyArg.replace(/^--method\s*/, "").trim();
+            return handleAnthropicMethodSelection(methodId);
+        }
+        // `/login anthropic <api-key>` — direct API key (preserve existing behavior)
+        if (keyArg) {
+            return handleApiKeyLogin(provider, keyArg);
+        }
+        // `/login anthropic` with no args → show method picker
+        const options = buildAnthropicMethodOptions();
+        return {
+            mode: "anthropic_method_picker",
+            provider: "anthropic",
+            options,
+        };
+    }
+    // OpenAI: method picker or direct key
+    if (provider === "openai") {
+        const keyArg = args?.trim();
+        if (keyArg?.startsWith("--method")) {
+            const methodId = keyArg.replace(/^--method\s*/, "").trim();
+            return handleOpenAIMethodSelection(methodId);
+        }
+        if (keyArg) {
+            return handleApiKeyLogin(provider, keyArg);
+        }
+        const options = buildOpenAIMethodOptions();
+        return {
+            mode: "openai_method_picker",
+            provider: "openai",
+            options,
+        };
+    }
+    // Google: method picker or direct key
+    if (provider === "google") {
+        const keyArg = args?.trim();
+        if (keyArg?.startsWith("--method")) {
+            const methodId = keyArg.replace(/^--method\s*/, "").trim();
+            return handleGoogleMethodSelection(methodId);
+        }
+        if (keyArg) {
+            return handleApiKeyLogin(provider, keyArg);
+        }
+        const options = buildGoogleMethodOptions();
+        return {
+            mode: "google_method_picker",
+            provider: "google",
+            options,
+        };
+    }
+    // Fallback: direct key or OAuth
+    const keyArg = args?.trim();
+    if (keyArg) {
+        return handleApiKeyLogin(provider, keyArg);
+    }
+    return { mode: "oauth", provider };
+}
+// ---------------------------------------------------------------------------
+// handleLoginCommand — entry point from REPL command dispatch
+// ---------------------------------------------------------------------------
+export async function handleLoginCommand(args) {
+    const parts = args.trim().split(/\s+/);
+    const providerArg = parts[0]?.toLowerCase() || "";
+    const keyArg = parts.slice(1).join(" ").trim();
+    // /login with no args → show interactive picker
+    if (!providerArg) {
+        return { mode: "picker", providers: getProviderOptions() };
+    }
+    if (providerArg === "github-copilot" && keyArg.startsWith("--from ")) {
+        const sourceId = keyArg.slice("--from ".length).trim();
+        const options = buildCopilotSourceOptions();
+        const selected = options.find((o) => o.id === sourceId);
+        if (!selected) {
+            return {
+                mode: "direct",
+                result: { success: false, message: `Unknown Copilot source: ${sourceId}` },
+            };
+        }
+        if (selected.source === "device") {
+            return {
+                mode: "copilot_device",
+                provider: "github-copilot",
+                profileLabel: selected.profileLabel,
+            };
+        }
+        if (selected.token) {
+            const result = await loginWithGitHubCopilotToken({
+                githubToken: selected.token,
+                profileLabel: selected.profileLabel,
+            });
+            return {
+                mode: "direct",
+                result: {
+                    success: result.success,
+                    message: result.message,
+                },
+            };
+        }
+        if (selected.login) {
+            return {
+                mode: "copilot_device",
+                provider: "github-copilot",
+                profileLabel: sanitizeProfileLabel(selected.login),
+            };
+        }
+    }
+    return loginProvider(providerArg, keyArg || undefined);
+}
+//# sourceMappingURL=login-handler.js.map