npm - @aryee337/aery-ai - Versions diffs - 0.1.148 → 0.2.10 - Mend

@aryee337/aery-ai 0.1.148 → 0.2.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (592) hide show

package/CHANGELOG.md +2914 -0
package/README.md +614 -813
package/dist/types/api-registry.d.ts +30 -0
package/dist/types/auth-broker/client.d.ts +66 -0
package/dist/types/auth-broker/index.d.ts +5 -0
package/dist/types/auth-broker/refresher.d.ts +25 -0
package/dist/types/auth-broker/remote-store.d.ts +96 -0
package/dist/types/auth-broker/server.d.ts +32 -0
package/dist/types/auth-broker/types.d.ts +105 -0
package/dist/types/auth-broker/wire-schemas.d.ts +412 -0
package/dist/types/auth-gateway/http.d.ts +39 -0
package/dist/types/auth-gateway/index.d.ts +3 -0
package/dist/types/auth-gateway/server.d.ts +36 -0
package/dist/types/auth-gateway/types.d.ts +117 -0
package/dist/types/auth-storage.d.ts +739 -0
package/dist/types/index.d.ts +49 -0
package/dist/types/model-cache.d.ts +17 -0
package/dist/types/model-manager.d.ts +64 -0
package/dist/types/model-thinking.d.ts +100 -0
package/dist/types/models.d.ts +12 -0
package/dist/types/provider-details.d.ts +24 -0
package/dist/types/provider-models/bundled-references.d.ts +4 -0
package/dist/types/provider-models/descriptors.d.ts +50 -0
package/dist/types/provider-models/google.d.ts +24 -0
package/dist/types/provider-models/index.d.ts +5 -0
package/dist/types/provider-models/ollama.d.ts +7 -0
package/dist/types/provider-models/openai-compat.d.ts +296 -0
package/dist/types/provider-models/special.d.ts +16 -0
package/dist/types/providers/aery-native-client.d.ts +13 -0
package/dist/types/providers/aery-native-server.d.ts +68 -0
package/dist/types/providers/amazon-bedrock.d.ts +38 -0
package/dist/types/providers/anthropic-client.d.ts +99 -0
package/dist/types/providers/anthropic-messages-server-schema.d.ts +465 -0
package/dist/types/providers/anthropic-messages-server.d.ts +17 -0
package/dist/types/providers/anthropic-wire.d.ts +262 -0
package/dist/types/providers/anthropic.d.ts +206 -0
package/dist/types/providers/aws-credentials.d.ts +43 -0
package/dist/types/providers/aws-eventstream.d.ts +38 -0
package/dist/types/providers/aws-sigv4.d.ts +55 -0
package/dist/types/providers/azure-openai-responses.d.ts +15 -0
package/dist/types/providers/cursor/gen/agent_pb.d.ts +13022 -0
package/dist/types/providers/cursor.d.ts +43 -0
package/dist/types/providers/error-message.d.ts +27 -0
package/dist/types/providers/github-copilot-headers.d.ts +40 -0
package/dist/types/providers/gitlab-duo.d.ts +27 -0
package/dist/types/providers/google-auth.d.ts +24 -0
package/dist/types/providers/google-gemini-cli.d.ts +81 -0
package/dist/types/providers/google-gemini-headers.d.ts +18 -0
package/dist/types/providers/google-shared.d.ts +171 -0
package/dist/types/providers/google-types.d.ts +138 -0
package/dist/types/providers/google-vertex.d.ts +7 -0
package/dist/types/providers/google.d.ts +4 -0
package/dist/types/providers/grammar.d.ts +1 -0
package/dist/types/providers/kimi.d.ts +27 -0
package/dist/types/providers/mock.d.ts +173 -0
package/dist/types/providers/ollama.d.ts +6 -0
package/dist/types/providers/openai-anthropic-shim.d.ts +31 -0
package/dist/types/providers/openai-chat-server-schema.d.ts +817 -0
package/dist/types/providers/openai-chat-server.d.ts +16 -0
package/dist/types/providers/openai-codex/constants.d.ts +26 -0
package/dist/types/providers/openai-codex/request-transformer.d.ts +49 -0
package/dist/types/providers/openai-codex/response-handler.d.ts +17 -0
package/dist/types/providers/openai-codex-responses.d.ts +67 -0
package/dist/types/providers/openai-completions-compat.d.ts +25 -0
package/dist/types/providers/openai-completions.d.ts +54 -0
package/dist/types/providers/openai-responses-server-schema.d.ts +392 -0
package/dist/types/providers/openai-responses-server.d.ts +17 -0
package/dist/types/providers/openai-responses-shared.d.ts +100 -0
package/dist/types/providers/openai-responses.d.ts +66 -0
package/dist/types/providers/register-builtins.d.ts +31 -0
package/dist/types/providers/synthetic.d.ts +26 -0
package/dist/{providers → types/providers}/transform-messages.d.ts +6 -2
package/dist/types/providers/vision-guard.d.ts +8 -0
package/dist/types/providers/xai-responses.d.ts +23 -0
package/dist/types/rate-limit-utils.d.ts +19 -0
package/dist/types/stream.d.ts +28 -0
package/dist/types/types.d.ts +801 -0
package/dist/types/usage/claude.d.ts +4 -0
package/dist/types/usage/gemini.d.ts +2 -0
package/dist/types/usage/github-copilot.d.ts +7 -0
package/dist/types/usage/google-antigravity.d.ts +2 -0
package/dist/types/usage/kimi.d.ts +2 -0
package/dist/types/usage/minimax-code.d.ts +2 -0
package/dist/types/usage/openai-codex.d.ts +3 -0
package/dist/types/usage/shared.d.ts +1 -0
package/dist/types/usage/zai.d.ts +2 -0
package/dist/types/usage.d.ts +260 -0
package/dist/types/utils/abort.d.ts +19 -0
package/dist/types/utils/abortable-iterator.d.ts +4 -0
package/dist/types/utils/anthropic-auth.d.ts +35 -0
package/dist/types/utils/discovery/antigravity.d.ts +61 -0
package/dist/types/utils/discovery/codex.d.ts +38 -0
package/dist/types/utils/discovery/cursor.d.ts +23 -0
package/dist/types/utils/discovery/gemini.d.ts +25 -0
package/dist/types/utils/discovery/index.d.ts +4 -0
package/dist/types/utils/discovery/openai-compatible.d.ts +72 -0
package/dist/types/utils/event-stream.d.ts +28 -0
package/dist/types/utils/fireworks-model-id.d.ts +10 -0
package/dist/types/utils/foundry.d.ts +1 -0
package/dist/types/utils/http-inspector.d.ts +31 -0
package/dist/types/utils/idle-iterator.d.ts +78 -0
package/dist/types/utils/json-parse.d.ts +37 -0
package/dist/types/utils/oauth/__tests__/xai-oauth.test.d.ts +1 -0
package/dist/types/utils/oauth/alibaba-coding-plan.d.ts +18 -0
package/dist/types/utils/oauth/anthropic.d.ts +22 -0
package/dist/types/utils/oauth/api-key-login.d.ts +35 -0
package/dist/types/utils/oauth/api-key-validation.d.ts +27 -0
package/dist/types/utils/oauth/callback-server.d.ts +57 -0
package/dist/types/utils/oauth/cerebras.d.ts +1 -0
package/dist/types/utils/oauth/cloudflare-ai-gateway.d.ts +18 -0
package/dist/types/utils/oauth/cursor.d.ts +15 -0
package/dist/types/utils/oauth/deepseek.d.ts +10 -0
package/dist/types/utils/oauth/firepass.d.ts +1 -0
package/dist/types/utils/oauth/fireworks.d.ts +1 -0
package/dist/types/utils/oauth/github-copilot.d.ts +38 -0
package/dist/types/utils/oauth/gitlab-duo.d.ts +3 -0
package/dist/types/utils/oauth/google-antigravity.d.ts +11 -0
package/dist/types/utils/oauth/google-gemini-cli.d.ts +10 -0
package/dist/types/utils/oauth/google-oauth-shared.d.ts +28 -0
package/dist/types/utils/oauth/huggingface.d.ts +19 -0
package/dist/types/utils/oauth/index.d.ts +38 -0
package/dist/types/utils/oauth/kagi.d.ts +17 -0
package/dist/types/utils/oauth/kilo.d.ts +5 -0
package/dist/types/utils/oauth/kimi.d.ts +21 -0
package/dist/types/utils/oauth/litellm.d.ts +18 -0
package/dist/types/utils/oauth/lm-studio.d.ts +17 -0
package/dist/types/utils/oauth/minimax-code.d.ts +28 -0
package/dist/types/utils/oauth/moonshot.d.ts +1 -0
package/dist/types/utils/oauth/nanogpt.d.ts +1 -0
package/dist/types/utils/oauth/nvidia.d.ts +18 -0
package/dist/types/utils/oauth/ollama-cloud.d.ts +2 -0
package/dist/types/utils/oauth/ollama.d.ts +18 -0
package/dist/types/utils/oauth/openai-codex.d.ts +21 -0
package/dist/types/utils/oauth/opencode.d.ts +18 -0
package/dist/types/utils/oauth/openrouter.d.ts +1 -0
package/dist/types/utils/oauth/parallel.d.ts +17 -0
package/dist/types/utils/oauth/perplexity.d.ts +9 -0
package/dist/{utils → types/utils}/oauth/pkce.d.ts +0 -5
package/dist/types/utils/oauth/qianfan.d.ts +17 -0
package/dist/types/utils/oauth/qwen-portal.d.ts +19 -0
package/dist/types/utils/oauth/synthetic.d.ts +1 -0
package/dist/types/utils/oauth/tavily.d.ts +17 -0
package/dist/types/utils/oauth/together.d.ts +1 -0
package/dist/types/utils/oauth/types.d.ts +44 -0
package/dist/types/utils/oauth/venice.d.ts +18 -0
package/dist/types/utils/oauth/vercel-ai-gateway.d.ts +18 -0
package/dist/types/utils/oauth/vllm.d.ts +16 -0
package/dist/types/utils/oauth/wafer.d.ts +2 -0
package/dist/types/utils/oauth/xai-oauth.d.ts +60 -0
package/dist/types/utils/oauth/xiaomi.d.ts +19 -0
package/dist/types/utils/oauth/zai.d.ts +18 -0
package/dist/types/utils/oauth/zenmux.d.ts +1 -0
package/dist/types/utils/oauth/zhipu.d.ts +18 -0
package/dist/{utils → types/utils}/overflow.d.ts +9 -11
package/dist/types/utils/parse-bind.d.ts +23 -0
package/dist/types/utils/provider-response.d.ts +3 -0
package/dist/types/utils/request-debug.d.ts +29 -0
package/dist/types/utils/retry-after.d.ts +3 -0
package/dist/types/utils/retry.d.ts +26 -0
package/dist/types/utils/schema/adapt.d.ts +24 -0
package/dist/types/utils/schema/compatibility.d.ts +30 -0
package/dist/types/utils/schema/dereference.d.ts +11 -0
package/dist/types/utils/schema/draft.d.ts +10 -0
package/dist/types/utils/schema/equality.d.ts +4 -0
package/dist/types/utils/schema/fields.d.ts +49 -0
package/dist/types/utils/schema/index.d.ts +13 -0
package/dist/types/utils/schema/json-schema-validator.d.ts +12 -0
package/dist/types/utils/schema/meta-validator.d.ts +2 -0
package/dist/types/utils/schema/normalize.d.ts +93 -0
package/dist/types/utils/schema/spill.d.ts +8 -0
package/dist/types/utils/schema/stamps.d.ts +25 -0
package/dist/types/utils/schema/types.d.ts +4 -0
package/dist/types/utils/schema/wire.d.ts +53 -0
package/dist/types/utils/schema/zod-decontaminate.d.ts +31 -0
package/dist/types/utils/sdk-stream-timeout.d.ts +33 -0
package/dist/types/utils/sse-debug.d.ts +10 -0
package/dist/types/utils/stream-markup-healing.d.ts +80 -0
package/dist/types/utils/tool-choice.d.ts +50 -0
package/dist/types/utils/validation.d.ts +17 -0
package/dist/types/utils.d.ts +28 -0
package/package.json +139 -105
package/src/api-registry.ts +96 -0
package/src/auth-broker/client.ts +358 -0
package/src/auth-broker/index.ts +5 -0
package/src/auth-broker/refresher.ts +117 -0
package/src/auth-broker/remote-store.ts +623 -0
package/src/auth-broker/server.ts +644 -0
package/src/auth-broker/types.ts +127 -0
package/src/auth-broker/wire-schemas.ts +200 -0
package/src/auth-gateway/http.ts +194 -0
package/src/auth-gateway/index.ts +3 -0
package/src/auth-gateway/server.ts +818 -0
package/src/auth-gateway/types.ts +143 -0
package/src/auth-storage.ts +4422 -0
package/src/index.ts +54 -0
package/src/model-cache.ts +129 -0
package/src/model-manager.ts +469 -0
package/src/model-thinking.ts +782 -0
package/src/models.json +83530 -0
package/src/models.json.d.ts +9 -0
package/src/models.ts +56 -0
package/src/prompts/turn-aborted-guidance.md +4 -0
package/src/provider-details.ts +90 -0
package/src/provider-models/bundled-references.ts +38 -0
package/src/provider-models/descriptors.ts +355 -0
package/src/provider-models/google.ts +88 -0
package/src/provider-models/index.ts +5 -0
package/src/provider-models/ollama.ts +153 -0
package/src/provider-models/openai-compat.ts +2817 -0
package/src/provider-models/special.ts +67 -0
package/src/providers/aery-native-client.ts +228 -0
package/src/providers/aery-native-server.ts +212 -0
package/src/providers/amazon-bedrock.ts +873 -0
package/src/providers/anthropic-client.ts +318 -0
package/src/providers/anthropic-messages-server-schema.ts +243 -0
package/src/providers/anthropic-messages-server.ts +683 -0
package/src/providers/anthropic-wire.ts +268 -0
package/src/providers/anthropic.ts +3094 -0
package/src/providers/aws-credentials.ts +501 -0
package/src/providers/aws-eventstream.ts +185 -0
package/src/providers/aws-sigv4.ts +218 -0
package/src/providers/azure-openai-responses.ts +361 -0
package/src/providers/cursor/gen/agent_pb.ts +15274 -0
package/src/providers/cursor/proto/agent.proto +3526 -0
package/src/providers/cursor/proto/buf.gen.yaml +6 -0
package/src/providers/cursor/proto/buf.yaml +17 -0
package/src/providers/cursor.ts +2621 -0
package/src/providers/error-message.ts +21 -0
package/src/providers/github-copilot-headers.ts +140 -0
package/src/providers/gitlab-duo.ts +372 -0
package/src/providers/google-auth.ts +252 -0
package/src/providers/google-gemini-cli.ts +809 -0
package/src/providers/google-gemini-headers.ts +41 -0
package/src/providers/google-shared.ts +917 -0
package/src/providers/google-types.ts +167 -0
package/src/providers/google-vertex.ts +91 -0
package/src/providers/google.ts +41 -0
package/src/providers/grammar.ts +70 -0
package/src/providers/kimi.ts +52 -0
package/src/providers/mock.ts +496 -0
package/src/providers/ollama.ts +644 -0
package/src/providers/openai-anthropic-shim.ts +138 -0
package/src/providers/openai-chat-server-schema.ts +252 -0
package/src/providers/openai-chat-server.ts +647 -0
package/src/providers/openai-codex/constants.ts +43 -0
package/src/providers/openai-codex/request-transformer.ts +161 -0
package/src/providers/openai-codex/response-handler.ts +81 -0
package/src/providers/openai-codex-responses.ts +3018 -0
package/src/providers/openai-completions-compat.ts +300 -0
package/src/providers/openai-completions.ts +1979 -0
package/src/providers/openai-responses-server-schema.ts +290 -0
package/src/providers/openai-responses-server.ts +1183 -0
package/src/providers/openai-responses-shared.ts +873 -0
package/src/providers/openai-responses.ts +679 -0
package/src/providers/register-builtins.ts +436 -0
package/src/providers/synthetic.ts +50 -0
package/src/providers/transform-messages.ts +382 -0
package/src/providers/vision-guard.ts +31 -0
package/src/providers/xai-responses.ts +82 -0
package/src/rate-limit-utils.ts +84 -0
package/src/stream.ts +1065 -0
package/src/types.ts +944 -0
package/src/usage/claude.ts +482 -0
package/src/usage/gemini.ts +250 -0
package/src/usage/github-copilot.ts +421 -0
package/src/usage/google-antigravity.ts +201 -0
package/src/usage/kimi.ts +271 -0
package/src/usage/minimax-code.ts +31 -0
package/src/usage/openai-codex.ts +503 -0
package/src/usage/shared.ts +10 -0
package/src/usage/zai.ts +247 -0
package/src/usage.ts +185 -0
package/src/utils/abort.ts +51 -0
package/src/utils/abortable-iterator.ts +69 -0
package/src/utils/anthropic-auth.ts +93 -0
package/src/utils/discovery/antigravity.ts +261 -0
package/src/utils/discovery/codex.ts +371 -0
package/src/utils/discovery/cursor.ts +306 -0
package/src/utils/discovery/gemini.ts +248 -0
package/src/utils/discovery/index.ts +4 -0
package/src/utils/discovery/openai-compatible.ts +224 -0
package/src/utils/event-stream.ts +142 -0
package/src/utils/fireworks-model-id.ts +30 -0
package/src/utils/foundry.ts +8 -0
package/src/utils/http-inspector.ts +176 -0
package/src/utils/idle-iterator.ts +267 -0
package/src/utils/json-parse.ts +182 -0
package/src/utils/oauth/__tests__/xai-oauth.test.ts +107 -0
package/src/utils/oauth/alibaba-coding-plan.ts +59 -0
package/src/utils/oauth/anthropic.ts +273 -0
package/src/utils/oauth/api-key-login.ts +87 -0
package/src/utils/oauth/api-key-validation.ts +92 -0
package/src/utils/oauth/callback-server.ts +276 -0
package/src/utils/oauth/cerebras.ts +16 -0
package/src/utils/oauth/cloudflare-ai-gateway.ts +48 -0
package/src/utils/oauth/cursor.ts +157 -0
package/src/utils/oauth/deepseek.ts +53 -0
package/src/utils/oauth/firepass.ts +24 -0
package/src/utils/oauth/fireworks.ts +15 -0
package/src/utils/oauth/github-copilot.ts +362 -0
package/src/utils/oauth/gitlab-duo.ts +123 -0
package/src/utils/oauth/google-antigravity.ts +200 -0
package/src/utils/oauth/google-gemini-cli.ts +256 -0
package/src/utils/oauth/google-oauth-shared.ts +110 -0
package/src/utils/oauth/huggingface.ts +62 -0
package/src/utils/oauth/index.ts +484 -0
package/src/utils/oauth/kagi.ts +47 -0
package/src/utils/oauth/kilo.ts +87 -0
package/src/utils/oauth/kimi.ts +254 -0
package/src/utils/oauth/litellm.ts +47 -0
package/src/utils/oauth/lm-studio.ts +38 -0
package/src/utils/oauth/minimax-code.ts +78 -0
package/src/utils/oauth/moonshot.ts +23 -0
package/src/utils/oauth/nanogpt.ts +15 -0
package/src/utils/oauth/nvidia.ts +70 -0
package/src/utils/oauth/oauth.html +203 -0
package/src/utils/oauth/ollama-cloud.ts +28 -0
package/src/utils/oauth/ollama.ts +47 -0
package/src/utils/oauth/openai-codex.ts +299 -0
package/src/utils/oauth/opencode.ts +49 -0
package/src/utils/oauth/openrouter.ts +20 -0
package/src/utils/oauth/parallel.ts +46 -0
package/src/utils/oauth/perplexity.ts +206 -0
package/src/utils/oauth/pkce.ts +18 -0
package/src/utils/oauth/qianfan.ts +58 -0
package/src/utils/oauth/qwen-portal.ts +60 -0
package/src/utils/oauth/synthetic.ts +15 -0
package/src/utils/oauth/tavily.ts +46 -0
package/src/utils/oauth/together.ts +16 -0
package/src/utils/oauth/types.ts +99 -0
package/src/utils/oauth/venice.ts +59 -0
package/src/utils/oauth/vercel-ai-gateway.ts +47 -0
package/src/utils/oauth/vllm.ts +40 -0
package/src/utils/oauth/wafer.ts +50 -0
package/src/utils/oauth/xai-oauth.ts +342 -0
package/src/utils/oauth/xiaomi.ts +139 -0
package/src/utils/oauth/zai.ts +60 -0
package/src/utils/oauth/zenmux.ts +15 -0
package/src/utils/oauth/zhipu.ts +60 -0
package/src/utils/overflow.ts +137 -0
package/src/utils/parse-bind.ts +54 -0
package/src/utils/provider-response.ts +30 -0
package/src/utils/request-debug.ts +336 -0
package/src/utils/retry-after.ts +110 -0
package/src/utils/retry.ts +54 -0
package/src/utils/schema/CONSTRAINTS.md +164 -0
package/src/utils/schema/adapt.ts +36 -0
package/src/utils/schema/compatibility.ts +435 -0
package/src/utils/schema/dereference.ts +98 -0
package/src/utils/schema/draft.ts +341 -0
package/src/utils/schema/equality.ts +97 -0
package/src/utils/schema/fields.ts +191 -0
package/src/utils/schema/index.ts +13 -0
package/src/utils/schema/json-schema-validator.ts +577 -0
package/src/utils/schema/meta-validator.ts +167 -0
package/src/utils/schema/normalize.ts +1588 -0
package/src/utils/schema/spill.ts +43 -0
package/src/utils/schema/stamps.ts +97 -0
package/src/utils/schema/types.ts +10 -0
package/src/utils/schema/wire.ts +293 -0
package/src/utils/schema/zod-decontaminate.ts +331 -0
package/src/utils/sdk-stream-timeout.ts +43 -0
package/src/utils/sse-debug.ts +289 -0
package/src/utils/stream-markup-healing.ts +612 -0
package/src/utils/tool-choice.ts +99 -0
package/src/utils/validation.ts +1024 -0
package/src/utils.ts +166 -0
package/dist/api-registry.d.ts +0 -20
package/dist/api-registry.d.ts.map +0 -1
package/dist/api-registry.js +0 -44
package/dist/api-registry.js.map +0 -1
package/dist/bedrock-provider.d.ts +0 -5
package/dist/bedrock-provider.d.ts.map +0 -1
package/dist/bedrock-provider.js +0 -6
package/dist/bedrock-provider.js.map +0 -1
package/dist/cli.d.ts +0 -3
package/dist/cli.d.ts.map +0 -1
package/dist/cli.js +0 -130
package/dist/cli.js.map +0 -1
package/dist/env-api-keys.d.ts +0 -18
package/dist/env-api-keys.d.ts.map +0 -1
package/dist/env-api-keys.js +0 -178
package/dist/env-api-keys.js.map +0 -1
package/dist/image-models.d.ts +0 -10
package/dist/image-models.d.ts.map +0 -1
package/dist/image-models.generated.d.ts +0 -440
package/dist/image-models.generated.d.ts.map +0 -1
package/dist/image-models.generated.js +0 -442
package/dist/image-models.generated.js.map +0 -1
package/dist/image-models.js +0 -23
package/dist/image-models.js.map +0 -1
package/dist/images-api-registry.d.ts +0 -14
package/dist/images-api-registry.d.ts.map +0 -1
package/dist/images-api-registry.js +0 -22
package/dist/images-api-registry.js.map +0 -1
package/dist/images.d.ts +0 -4
package/dist/images.d.ts.map +0 -1
package/dist/images.js +0 -14
package/dist/images.js.map +0 -1
package/dist/index.d.ts +0 -32
package/dist/index.d.ts.map +0 -1
package/dist/index.js +0 -20
package/dist/index.js.map +0 -1
package/dist/models.d.ts +0 -18
package/dist/models.d.ts.map +0 -1
package/dist/models.generated.d.ts +0 -17480
package/dist/models.generated.d.ts.map +0 -1
package/dist/models.generated.js +0 -16339
package/dist/models.generated.js.map +0 -1
package/dist/models.js +0 -71
package/dist/models.js.map +0 -1
package/dist/oauth.d.ts +0 -2
package/dist/oauth.d.ts.map +0 -1
package/dist/oauth.js +0 -2
package/dist/oauth.js.map +0 -1
package/dist/providers/aery-error-formatting.d.ts +0 -13
package/dist/providers/aery-error-formatting.d.ts.map +0 -1
package/dist/providers/aery-error-formatting.js +0 -112
package/dist/providers/aery-error-formatting.js.map +0 -1
package/dist/providers/amazon-bedrock.d.ts +0 -38
package/dist/providers/amazon-bedrock.d.ts.map +0 -1
package/dist/providers/amazon-bedrock.js +0 -763
package/dist/providers/amazon-bedrock.js.map +0 -1
package/dist/providers/anthropic.d.ts +0 -71
package/dist/providers/anthropic.d.ts.map +0 -1
package/dist/providers/anthropic.js +0 -949
package/dist/providers/anthropic.js.map +0 -1
package/dist/providers/azure-openai-responses.d.ts +0 -15
package/dist/providers/azure-openai-responses.d.ts.map +0 -1
package/dist/providers/azure-openai-responses.js +0 -225
package/dist/providers/azure-openai-responses.js.map +0 -1
package/dist/providers/cloudflare.d.ts +0 -13
package/dist/providers/cloudflare.d.ts.map +0 -1
package/dist/providers/cloudflare.js +0 -26
package/dist/providers/cloudflare.js.map +0 -1
package/dist/providers/faux.d.ts +0 -56
package/dist/providers/faux.d.ts.map +0 -1
package/dist/providers/faux.js +0 -368
package/dist/providers/faux.js.map +0 -1
package/dist/providers/github-copilot-headers.d.ts +0 -8
package/dist/providers/github-copilot-headers.d.ts.map +0 -1
package/dist/providers/github-copilot-headers.js +0 -29
package/dist/providers/github-copilot-headers.js.map +0 -1
package/dist/providers/google-gemini-cli.d.ts +0 -74
package/dist/providers/google-gemini-cli.d.ts.map +0 -1
package/dist/providers/google-gemini-cli.js +0 -779
package/dist/providers/google-gemini-cli.js.map +0 -1
package/dist/providers/google-shared.d.ts +0 -70
package/dist/providers/google-shared.d.ts.map +0 -1
package/dist/providers/google-shared.js +0 -329
package/dist/providers/google-shared.js.map +0 -1
package/dist/providers/google-vertex.d.ts +0 -15
package/dist/providers/google-vertex.d.ts.map +0 -1
package/dist/providers/google-vertex.js +0 -442
package/dist/providers/google-vertex.js.map +0 -1
package/dist/providers/google.d.ts +0 -13
package/dist/providers/google.d.ts.map +0 -1
package/dist/providers/google.js +0 -400
package/dist/providers/google.js.map +0 -1
package/dist/providers/images/openrouter.d.ts +0 -3
package/dist/providers/images/openrouter.d.ts.map +0 -1
package/dist/providers/images/openrouter.js +0 -129
package/dist/providers/images/openrouter.js.map +0 -1
package/dist/providers/images/register-builtins.d.ts +0 -4
package/dist/providers/images/register-builtins.d.ts.map +0 -1
package/dist/providers/images/register-builtins.js +0 -34
package/dist/providers/images/register-builtins.js.map +0 -1
package/dist/providers/mistral.d.ts +0 -25
package/dist/providers/mistral.d.ts.map +0 -1
package/dist/providers/mistral.js +0 -535
package/dist/providers/mistral.js.map +0 -1
package/dist/providers/openai-codex-responses.d.ts +0 -30
package/dist/providers/openai-codex-responses.d.ts.map +0 -1
package/dist/providers/openai-codex-responses.js +0 -1090
package/dist/providers/openai-codex-responses.js.map +0 -1
package/dist/providers/openai-completions.d.ts +0 -19
package/dist/providers/openai-completions.d.ts.map +0 -1
package/dist/providers/openai-completions.js +0 -950
package/dist/providers/openai-completions.js.map +0 -1
package/dist/providers/openai-prompt-cache.d.ts +0 -3
package/dist/providers/openai-prompt-cache.d.ts.map +0 -1
package/dist/providers/openai-prompt-cache.js +0 -10
package/dist/providers/openai-prompt-cache.js.map +0 -1
package/dist/providers/openai-responses-shared.d.ts +0 -18
package/dist/providers/openai-responses-shared.d.ts.map +0 -1
package/dist/providers/openai-responses-shared.js +0 -492
package/dist/providers/openai-responses-shared.js.map +0 -1
package/dist/providers/openai-responses.d.ts +0 -13
package/dist/providers/openai-responses.d.ts.map +0 -1
package/dist/providers/openai-responses.js +0 -237
package/dist/providers/openai-responses.js.map +0 -1
package/dist/providers/register-builtins.d.ts +0 -38
package/dist/providers/register-builtins.d.ts.map +0 -1
package/dist/providers/register-builtins.js +0 -278
package/dist/providers/register-builtins.js.map +0 -1
package/dist/providers/simple-options.d.ts +0 -8
package/dist/providers/simple-options.d.ts.map +0 -1
package/dist/providers/simple-options.js +0 -41
package/dist/providers/simple-options.js.map +0 -1
package/dist/providers/transform-messages.d.ts.map +0 -1
package/dist/providers/transform-messages.js +0 -184
package/dist/providers/transform-messages.js.map +0 -1
package/dist/session-resources.d.ts +0 -4
package/dist/session-resources.d.ts.map +0 -1
package/dist/session-resources.js +0 -22
package/dist/session-resources.js.map +0 -1
package/dist/stream.d.ts +0 -8
package/dist/stream.d.ts.map +0 -1
package/dist/stream.js +0 -27
package/dist/stream.js.map +0 -1
package/dist/types.d.ts +0 -498
package/dist/types.d.ts.map +0 -1
package/dist/types.js +0 -2
package/dist/types.js.map +0 -1
package/dist/utils/diagnostics.d.ts +0 -19
package/dist/utils/diagnostics.d.ts.map +0 -1
package/dist/utils/diagnostics.js +0 -25
package/dist/utils/diagnostics.js.map +0 -1
package/dist/utils/event-stream.d.ts +0 -21
package/dist/utils/event-stream.d.ts.map +0 -1
package/dist/utils/event-stream.js +0 -81
package/dist/utils/event-stream.js.map +0 -1
package/dist/utils/hash.d.ts +0 -3
package/dist/utils/hash.d.ts.map +0 -1
package/dist/utils/hash.js +0 -14
package/dist/utils/hash.js.map +0 -1
package/dist/utils/headers.d.ts +0 -2
package/dist/utils/headers.d.ts.map +0 -1
package/dist/utils/headers.js +0 -8
package/dist/utils/headers.js.map +0 -1
package/dist/utils/json-parse.d.ts +0 -16
package/dist/utils/json-parse.d.ts.map +0 -1
package/dist/utils/json-parse.js +0 -113
package/dist/utils/json-parse.js.map +0 -1
package/dist/utils/node-http-proxy.d.ts +0 -10
package/dist/utils/node-http-proxy.d.ts.map +0 -1
package/dist/utils/node-http-proxy.js +0 -97
package/dist/utils/node-http-proxy.js.map +0 -1
package/dist/utils/oauth/anthropic.d.ts +0 -25
package/dist/utils/oauth/anthropic.d.ts.map +0 -1
package/dist/utils/oauth/anthropic.js +0 -335
package/dist/utils/oauth/anthropic.js.map +0 -1
package/dist/utils/oauth/device-code.d.ts +0 -19
package/dist/utils/oauth/device-code.d.ts.map +0 -1
package/dist/utils/oauth/device-code.js +0 -55
package/dist/utils/oauth/device-code.js.map +0 -1
package/dist/utils/oauth/github-copilot.d.ts +0 -30
package/dist/utils/oauth/github-copilot.d.ts.map +0 -1
package/dist/utils/oauth/github-copilot.js +0 -268
package/dist/utils/oauth/github-copilot.js.map +0 -1
package/dist/utils/oauth/google-antigravity.d.ts +0 -26
package/dist/utils/oauth/google-antigravity.d.ts.map +0 -1
package/dist/utils/oauth/google-antigravity.js +0 -377
package/dist/utils/oauth/google-antigravity.js.map +0 -1
package/dist/utils/oauth/google-gemini-cli.d.ts +0 -26
package/dist/utils/oauth/google-gemini-cli.d.ts.map +0 -1
package/dist/utils/oauth/google-gemini-cli.js +0 -482
package/dist/utils/oauth/google-gemini-cli.js.map +0 -1
package/dist/utils/oauth/index.d.ts +0 -63
package/dist/utils/oauth/index.d.ts.map +0 -1
package/dist/utils/oauth/index.js +0 -131
package/dist/utils/oauth/index.js.map +0 -1
package/dist/utils/oauth/oauth-page.d.ts +0 -3
package/dist/utils/oauth/oauth-page.d.ts.map +0 -1
package/dist/utils/oauth/oauth-page.js +0 -105
package/dist/utils/oauth/oauth-page.js.map +0 -1
package/dist/utils/oauth/openai-codex.d.ts +0 -34
package/dist/utils/oauth/openai-codex.d.ts.map +0 -1
package/dist/utils/oauth/openai-codex.js +0 -385
package/dist/utils/oauth/openai-codex.js.map +0 -1
package/dist/utils/oauth/pkce.d.ts.map +0 -1
package/dist/utils/oauth/pkce.js +0 -31
package/dist/utils/oauth/pkce.js.map +0 -1
package/dist/utils/oauth/types.d.ts +0 -64
package/dist/utils/oauth/types.d.ts.map +0 -1
package/dist/utils/oauth/types.js +0 -2
package/dist/utils/oauth/types.js.map +0 -1
package/dist/utils/overflow.d.ts.map +0 -1
package/dist/utils/overflow.js +0 -151
package/dist/utils/overflow.js.map +0 -1
package/dist/utils/sanitize-unicode.d.ts +0 -22
package/dist/utils/sanitize-unicode.d.ts.map +0 -1
package/dist/utils/sanitize-unicode.js +0 -26
package/dist/utils/sanitize-unicode.js.map +0 -1
package/dist/utils/typebox-helpers.d.ts +0 -17
package/dist/utils/typebox-helpers.d.ts.map +0 -1
package/dist/utils/typebox-helpers.js +0 -21
package/dist/utils/typebox-helpers.js.map +0 -1
package/dist/utils/validation.d.ts +0 -18
package/dist/utils/validation.d.ts.map +0 -1
package/dist/utils/validation.js +0 -281
package/dist/utils/validation.js.map +0 -1

package/src/auth-broker/client.ts ADDED Viewed

@@ -0,0 +1,358 @@
+/**
+ * HTTP client for the aery auth-broker server.
+ *
+ * Used by {@link RemoteAuthCredentialStore} (snapshot pulls) and by
+ * `aery auth-broker status` (liveness checks). All endpoints except
+ * `/v1/healthz` require a bearer token.
+ */
+import { readSseEvents } from "@aryee337/aery-utils";
+import type { ZodType, infer as zInfer } from "zod/v4";
+import type { AuthCredential } from "../auth-storage";
+import type {
+	CredentialDisableRequest,
+	CredentialDisableResponse,
+	CredentialRefreshResponse,
+	CredentialUploadRequest,
+	CredentialUploadResponse,
+	HealthzResponse,
+	SnapshotResponse,
+	SnapshotStreamEvent,
+	UsageResponse,
+} from "./types";
+import {
+	credentialDisableResponseSchema,
+	credentialRefreshResponseSchema,
+	credentialUploadResponseSchema,
+	healthzResponseSchema,
+	snapshotResponseSchema,
+	snapshotStreamEventSchema,
+	usageResponseSchema,
+} from "./wire-schemas";
+export interface AuthBrokerClientOptions {
+	/** Base URL (e.g. `https://broker.tailnet:8765`). Trailing slashes are trimmed. */
+	url: string;
+	/** Bearer token used for everything except `healthz`. */
+	token: string;
+	/** Per-request timeout in milliseconds. Default 10s. */
+	timeoutMs?: number;
+	/** Retry connection errors this many times. Default 1. */
+	maxRetries?: number;
+	/** Override fetch (used in tests). Default global `fetch`. */
+	fetchImpl?: typeof fetch;
+}
+export class AuthBrokerError extends Error {
+	readonly status: number | undefined;
+	readonly body: string | undefined;
+	constructor(message: string, opts: { status?: number; body?: string; cause?: unknown } = {}) {
+		super(message, { cause: opts.cause });
+		this.name = "AuthBrokerError";
+		this.status = opts.status;
+		this.body = opts.body;
+	}
+}
+/**
+ * Thrown when a broker responds 404 to `GET /v1/snapshot/stream` — old
+ * brokers that predate the SSE endpoint. Callers (`RemoteAuthCredentialStore`)
+ * detect this sentinel to fall back to long-polling permanently.
+ */
+export class AuthBrokerStreamUnsupportedError extends AuthBrokerError {
+	constructor(message = "Auth broker does not support /v1/snapshot/stream") {
+		super(message, { status: 404 });
+		this.name = "AuthBrokerStreamUnsupportedError";
+	}
+}
+export interface FetchSnapshotOptions {
+	ifGenerationGt?: number;
+	waitMs?: number;
+	signal?: AbortSignal;
+}
+export type FetchSnapshotResult =
+	| { status: 200; snapshot: SnapshotResponse; generation: number }
+	| { status: 304; generation: number };
+function parseGenerationTag(header: string | null): number | undefined {
+	if (!header) return undefined;
+	let value = header.trim();
+	if (value.startsWith("W/")) value = value.slice(2).trim();
+	if (value.startsWith('"') && value.endsWith('"') && value.length >= 2) {
+		value = value.slice(1, -1);
+	}
+	const generation = Number(value);
+	if (!Number.isInteger(generation) || generation < 0) return undefined;
+	return generation;
+}
+const DEFAULT_TIMEOUT_MS = 10_000;
+const DEFAULT_MAX_RETRIES = 1;
+export class AuthBrokerClient {
+	readonly #baseUrl: string;
+	readonly #token: string;
+	readonly #timeoutMs: number;
+	readonly #maxRetries: number;
+	readonly #fetch: typeof fetch;
+	constructor(opts: AuthBrokerClientOptions) {
+		this.#baseUrl = opts.url.replace(/\/+$/, "");
+		this.#token = opts.token;
+		this.#timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+		this.#maxRetries = opts.maxRetries ?? DEFAULT_MAX_RETRIES;
+		this.#fetch = opts.fetchImpl ?? fetch;
+	}
+	healthz(signal?: AbortSignal): Promise<HealthzResponse> {
+		return this.#request("GET", "/v1/healthz", { schema: healthzResponseSchema, auth: false, signal });
+	}
+	async fetchSnapshot(opts: FetchSnapshotOptions = {}): Promise<FetchSnapshotResult> {
+		return this.#fetchSnapshotResult(opts);
+	}
+	async #fetchSnapshotResult(opts: FetchSnapshotOptions): Promise<FetchSnapshotResult> {
+		const query = new URLSearchParams();
+		if (opts.waitMs !== undefined) query.set("wait", String(opts.waitMs));
+		const path = `/v1/snapshot${query.size > 0 ? `?${query.toString()}` : ""}`;
+		const headers: Record<string, string> = {};
+		if (opts.ifGenerationGt !== undefined) headers["If-None-Match"] = `"${opts.ifGenerationGt}"`;
+		const timeoutMs =
+			opts.waitMs !== undefined && opts.waitMs > 0 ? Math.max(this.#timeoutMs, opts.waitMs + 1000) : undefined;
+		const response = await this.#fetchRaw("GET", path, {
+			auth: true,
+			headers,
+			signal: opts.signal,
+			timeoutMs,
+		});
+		const etagGeneration = parseGenerationTag(response.headers.get("etag"));
+		if (response.status === 304) {
+			return { status: 304, generation: etagGeneration ?? opts.ifGenerationGt ?? 0 };
+		}
+		const text = await response.text();
+		const raw = this.#parseJson(text, response.status);
+		const validated = snapshotResponseSchema.safeParse(raw);
+		if (!validated.success) {
+			throw new AuthBrokerError("Auth broker response failed schema validation", {
+				status: response.status,
+				body: validated.error.message,
+			});
+		}
+		const snapshot = validated.data as SnapshotResponse;
+		return { status: 200, snapshot, generation: etagGeneration ?? snapshot.generation };
+	}
+	/**
+	 * Subscribe to the broker's SSE snapshot stream. The first frame is always
+	 * a full `snapshot`; subsequent frames are `entry` upserts / refreshes or
+	 * `removed` deletes. Caller controls lifecycle via `opts.signal`.
+	 *
+	 * Throws {@link AuthBrokerStreamUnsupportedError} when the broker responds
+	 * 404 — older brokers predate this endpoint and the caller should fall back
+	 * to long-polling for the remainder of its lifetime.
+	 */
+	async *openSnapshotStream(opts: { signal?: AbortSignal } = {}): AsyncGenerator<SnapshotStreamEvent> {
+		const url = `${this.#baseUrl}/v1/snapshot/stream`;
+		const headers: Record<string, string> = {
+			Accept: "text/event-stream",
+			Authorization: `Bearer ${this.#token}`,
+		};
+		if (opts.signal?.aborted) {
+			throw new AuthBrokerError("Auth broker request aborted", { cause: opts.signal.reason });
+		}
+		// No timeout: this connection is intentionally long-lived. Caller's signal
+		// is the only cancel path.
+		const response = await this.#fetch(url, { method: "GET", headers, signal: opts.signal });
+		if (response.status === 404) {
+			// Drain the body so the socket can be reused; tiny payload.
+			await response.text().catch(() => {});
+			throw new AuthBrokerStreamUnsupportedError();
+		}
+		if (!response.ok) {
+			const text = await response.text().catch(() => "");
+			throw new AuthBrokerError(`Auth broker stream failed: ${response.status} ${response.statusText}`, {
+				status: response.status,
+				body: text,
+			});
+		}
+		if (!response.body) {
+			throw new AuthBrokerError("Auth broker stream response had no body", { status: response.status });
+		}
+		const contentType = response.headers.get("content-type")?.toLowerCase();
+		if (contentType?.split(";", 1)[0].trim() !== "text/event-stream") {
+			await response.body.cancel().catch(() => {});
+			throw new AuthBrokerError("Auth broker stream returned non-SSE response", {
+				status: response.status,
+				body: contentType ?? "",
+			});
+		}
+		let sawFirstEvent = false;
+		for await (const sse of readSseEvents(response.body, opts.signal)) {
+			if (sse.event === null && sse.data === "") continue; // keepalive comment frames
+			let parsed: unknown;
+			try {
+				parsed = JSON.parse(sse.data);
+			} catch (err) {
+				throw new AuthBrokerError("Auth broker stream returned malformed JSON", {
+					body: sse.data,
+					cause: err,
+				});
+			}
+			const validated = snapshotStreamEventSchema.safeParse(parsed);
+			if (!validated.success) {
+				throw new AuthBrokerError("Auth broker stream event failed schema validation", {
+					body: validated.error.message,
+				});
+			}
+			const event = validated.data;
+			if (!sawFirstEvent) {
+				sawFirstEvent = true;
+				if (event.kind !== "snapshot") {
+					throw new AuthBrokerError("Auth broker stream did not start with snapshot", { body: sse.data });
+				}
+			}
+			yield event;
+		}
+		if (!opts.signal?.aborted) {
+			throw new AuthBrokerError(
+				sawFirstEvent
+					? "Auth broker stream ended unexpectedly"
+					: "Auth broker stream ended before initial snapshot",
+				{ status: response.status },
+			);
+		}
+	}
+	fetchUsage(signal?: AbortSignal): Promise<UsageResponse> {
+		// Validates the envelope (`generatedAt`, `reports[].provider`, `limits`,
+		// `metadata`) but leaves provider-specific extension fields permissive so
+		// the broker can ship new shapes ahead of the client. `raw` is accepted
+		// but normally stripped by the broker before send.
+		return this.#request("GET", "/v1/usage", { schema: usageResponseSchema, signal }) as Promise<UsageResponse>;
+	}
+	async refreshCredential(id: number, signal?: AbortSignal): Promise<CredentialRefreshResponse> {
+		return this.#request("POST", `/v1/credential/${id}/refresh`, {
+			schema: credentialRefreshResponseSchema,
+			signal,
+		}) as Promise<CredentialRefreshResponse>;
+	}
+	async disableCredential(id: number, cause: string, signal?: AbortSignal): Promise<CredentialDisableResponse> {
+		const body: CredentialDisableRequest = { cause };
+		return this.#request("POST", `/v1/credential/${id}/disable`, {
+			body,
+			schema: credentialDisableResponseSchema,
+			signal,
+		});
+	}
+	async uploadCredential(
+		provider: string,
+		credential: AuthCredential,
+		signal?: AbortSignal,
+	): Promise<CredentialUploadResponse> {
+		const body: CredentialUploadRequest = { provider, credential };
+		return this.#request("POST", "/v1/credential", {
+			body,
+			schema: credentialUploadResponseSchema,
+			signal,
+		}) as Promise<CredentialUploadResponse>;
+	}
+	async #request<TSchema extends ZodType>(
+		method: "GET" | "POST",
+		path: string,
+		opts: { schema: TSchema; auth?: boolean; body?: unknown; signal?: AbortSignal },
+	): Promise<zInfer<TSchema>> {
+		const response = await this.#fetchRaw(method, path, opts);
+		const text = await response.text();
+		const raw = this.#parseJson(text, response.status);
+		const validated = opts.schema.safeParse(raw);
+		if (!validated.success) {
+			throw new AuthBrokerError("Auth broker response failed schema validation", {
+				status: response.status,
+				body: validated.error.message,
+			});
+		}
+		return validated.data;
+	}
+	#parseJson(text: string, status: number): unknown {
+		try {
+			return text.length === 0 ? null : JSON.parse(text);
+		} catch (parseError) {
+			throw new AuthBrokerError("Auth broker returned malformed JSON", {
+				status,
+				body: text,
+				cause: parseError,
+			});
+		}
+	}
+	async #fetchRaw(
+		method: "GET" | "POST",
+		path: string,
+		opts: {
+			auth?: boolean;
+			body?: unknown;
+			signal?: AbortSignal;
+			headers?: Record<string, string>;
+			timeoutMs?: number;
+		},
+	): Promise<Response> {
+		const auth = opts.auth ?? true;
+		const url = `${this.#baseUrl}${path}`;
+		const headers: Record<string, string> = { Accept: "application/json", ...(opts.headers ?? {}) };
+		if (auth) headers.Authorization = `Bearer ${this.#token}`;
+		let payload: string | undefined;
+		if (opts.body !== undefined) {
+			payload = JSON.stringify(opts.body);
+			headers["Content-Type"] = "application/json";
+		}
+		// Fast-fail when the caller's signal is already aborted — avoids spinning
+		// up a fetch + timer that the first `await` would just abort anyway.
+		if (opts.signal?.aborted) {
+			throw new AuthBrokerError("Auth broker request aborted", { cause: opts.signal.reason });
+		}
+		let lastError: unknown;
+		for (let attempt = 0; attempt <= this.#maxRetries; attempt += 1) {
+			const timeoutSignal = AbortSignal.timeout(opts.timeoutMs ?? this.#timeoutMs);
+			const signal = opts.signal ? AbortSignal.any([opts.signal, timeoutSignal]) : timeoutSignal;
+			try {
+				const response = await this.#fetch(url, {
+					method,
+					headers,
+					body: payload,
+					signal,
+				});
+				if (!response.ok && response.status !== 304) {
+					const text = await response.text();
+					throw new AuthBrokerError(`Auth broker request failed: ${response.status} ${response.statusText}`, {
+						status: response.status,
+						body: text,
+					});
+				}
+				return response;
+			} catch (error) {
+				lastError = error;
+				// Caller-driven abort wins over retry — the caller said stop.
+				if (opts.signal?.aborted) {
+					throw new AuthBrokerError("Auth broker request aborted", { cause: opts.signal.reason });
+				}
+				if (error instanceof AuthBrokerError && error.status !== undefined) {
+					// HTTP errors (4xx/5xx) don't retry — caller knows what to do.
+					throw error;
+				}
+				if (attempt >= this.#maxRetries) break;
+			}
+		}
+		throw new AuthBrokerError(`Auth broker request failed after ${this.#maxRetries + 1} attempt(s)`, {
+			cause: lastError,
+		});
+	}
+}

package/src/auth-broker/index.ts ADDED Viewed

@@ -0,0 +1,5 @@
+export * from "./client";
+export * from "./refresher";
+export * from "./remote-store";
+export * from "./server";
+export * from "./types";

package/src/auth-broker/refresher.ts ADDED Viewed

@@ -0,0 +1,117 @@
+/**
+ * Background OAuth refresh loop for the auth-broker server.
+ *
+ * Iterates active OAuth credentials at `refreshIntervalMs` cadence, refreshing
+ * any whose `expires - Date.now() < refreshSkewMs`. Refresh single-flight
+ * lives in {@link AuthStorage} so manual and background refreshes share the
+ * same upstream attempt.
+ * Definitively-failed credentials (invalid_grant / 401 not from network blip)
+ * are disabled via {@link AuthStorage.disableCredentialById} so the next
+ * snapshot pull surfaces a clean delete on the client.
+ */
+import { logger } from "@aryee337/aery-utils";
+import { type AuthStorage, isDefinitiveOAuthFailure } from "../auth-storage";
+import { DEFAULT_REFRESH_INTERVAL_MS, DEFAULT_REFRESH_SKEW_MS } from "./types";
+export interface AuthBrokerRefresherOptions {
+	storage: AuthStorage;
+	/** Refresh credentials expiring within this window. Default 5 min. */
+	refreshSkewMs?: number;
+	/** Loop cadence. Default 60s. */
+	refreshIntervalMs?: number;
+	/** Override clock (tests). */
+	now?: () => number;
+}
+export interface AuthBrokerRefresherSchedule {
+	enabled: boolean;
+	intervalMs: number;
+	skewMs: number;
+	nextSweepAt: number;
+}
+export class AuthBrokerRefresher {
+	readonly #storage: AuthStorage;
+	readonly #refreshSkewMs: number;
+	readonly #refreshIntervalMs: number;
+	readonly #now: () => number;
+	#timer: NodeJS.Timeout | undefined;
+	#running = false;
+	#nextSweepAt: number;
+	constructor(opts: AuthBrokerRefresherOptions) {
+		this.#storage = opts.storage;
+		this.#refreshSkewMs = opts.refreshSkewMs ?? DEFAULT_REFRESH_SKEW_MS;
+		this.#refreshIntervalMs = opts.refreshIntervalMs ?? DEFAULT_REFRESH_INTERVAL_MS;
+		this.#now = opts.now ?? Date.now;
+		this.#nextSweepAt = this.#now();
+	}
+	start(): void {
+		if (this.#timer !== undefined) return;
+		// Refresh sweep is best-effort; kick once immediately so freshly-booted
+		// brokers don't hand out near-expired tokens for the first interval.
+		this.#nextSweepAt = this.#now();
+		void this.tick();
+		this.#timer = setInterval(() => {
+			void this.tick();
+		}, this.#refreshIntervalMs);
+	}
+	stop(): void {
+		if (this.#timer !== undefined) {
+			clearInterval(this.#timer);
+			this.#timer = undefined;
+		}
+	}
+	getSchedule(): AuthBrokerRefresherSchedule {
+		return {
+			enabled: true,
+			intervalMs: this.#refreshIntervalMs,
+			skewMs: this.#refreshSkewMs,
+			nextSweepAt: this.#nextSweepAt,
+		};
+	}
+	/** Run one sweep. Exposed for tests. */
+	async tick(): Promise<void> {
+		if (this.#running) return;
+		this.#running = true;
+		this.#nextSweepAt = this.#now();
+		try {
+			await this.#storage.reload();
+			const snapshot = this.#storage.exportSnapshot();
+			const now = this.#now();
+			const deadline = now + this.#refreshSkewMs;
+			const targets: number[] = [];
+			for (const entry of snapshot.credentials) {
+				if (entry.credential.type !== "oauth") continue;
+				const expires = entry.credential.expires;
+				if (typeof expires !== "number" || !Number.isFinite(expires)) continue;
+				if (expires > deadline) continue;
+				targets.push(entry.id);
+			}
+			await Promise.all(targets.map(id => this.#refreshOne(id)));
+		} finally {
+			this.#running = false;
+			this.#nextSweepAt = this.#now() + this.#refreshIntervalMs;
+		}
+	}
+	async #refreshOne(id: number): Promise<void> {
+		try {
+			await this.#storage.refreshCredentialById(id);
+		} catch (error) {
+			const errorMsg = String(error);
+			if (isDefinitiveOAuthFailure(errorMsg)) {
+				logger.warn("auth-broker refresh failed definitively; disabling credential", {
+					id,
+					error: errorMsg,
+				});
+				this.#storage.disableCredentialById(id, `auth-broker refresh failed: ${errorMsg}`);
+			} else {
+				logger.debug("auth-broker refresh failed (transient)", { id, error: errorMsg });
+			}
+		}
+	}
+}