npm - @bitkyc08/opencodex - Versions diffs - 0.1.0 - Mend

@bitkyc08/opencodex 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (55) hide show

package/LICENSE +21 -0
package/README.ko.md +164 -0
package/README.md +165 -0
package/README.zh-CN.md +162 -0
package/gui/README.md +73 -0
package/gui/dist/assets/index-C1wlp1SM.css +1 -0
package/gui/dist/assets/index-C9y3iMF1.js +9 -0
package/gui/dist/favicon.png +0 -0
package/gui/dist/icons.svg +24 -0
package/gui/dist/index.html +15 -0
package/gui/dist/logo.png +0 -0
package/package.json +56 -0
package/scripts/postinstall.mjs +57 -0
package/src/adapters/anthropic.ts +306 -0
package/src/adapters/azure.ts +31 -0
package/src/adapters/base.ts +20 -0
package/src/adapters/google.ts +195 -0
package/src/adapters/image.ts +23 -0
package/src/adapters/openai-chat.ts +265 -0
package/src/adapters/openai-responses.ts +43 -0
package/src/bridge.ts +296 -0
package/src/cli.ts +183 -0
package/src/codex-catalog.ts +318 -0
package/src/codex-inject.ts +186 -0
package/src/config.ts +108 -0
package/src/index.ts +20 -0
package/src/init.ts +163 -0
package/src/model-cache.ts +42 -0
package/src/oauth/anthropic.ts +151 -0
package/src/oauth/callback-server.ts +249 -0
package/src/oauth/index.ts +235 -0
package/src/oauth/key-providers.ts +126 -0
package/src/oauth/kimi.ts +160 -0
package/src/oauth/local-token-detect.ts +71 -0
package/src/oauth/login-cli.ts +90 -0
package/src/oauth/pkce.ts +15 -0
package/src/oauth/store.ts +39 -0
package/src/oauth/types.ts +22 -0
package/src/oauth/xai.ts +234 -0
package/src/responses/parser.ts +402 -0
package/src/responses/schema.ts +145 -0
package/src/router.ts +86 -0
package/src/server.ts +522 -0
package/src/service.ts +130 -0
package/src/star-prompt.ts +50 -0
package/src/types.ts +228 -0
package/src/update.ts +64 -0
package/src/vision/describe.ts +98 -0
package/src/vision/index.ts +141 -0
package/src/web-search/executor.ts +75 -0
package/src/web-search/format-result.ts +45 -0
package/src/web-search/index.ts +62 -0
package/src/web-search/loop.ts +188 -0
package/src/web-search/parse.ts +128 -0
package/src/web-search/synthetic-tool.ts +42 -0

package/src/config.ts ADDED Viewed

@@ -0,0 +1,108 @@
+import { existsSync, mkdirSync, readFileSync, renameSync, writeFileSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+import type { OcxConfig } from "./types";
+/**
+ * Write a file atomically (temp + rename) so concurrent writers — e.g. `ocx stop` and the
+ * proxy's own shutdown handler both restoring Codex — can never leave a half-written file.
+ */
+export function atomicWriteFile(path: string, content: string): void {
+  const tmp = `${path}.ocx.tmp`;
+  writeFileSync(tmp, content, "utf-8");
+  renameSync(tmp, path);
+}
+const OCX_DIR = join(homedir(), ".opencodex");
+const CONFIG_PATH = join(OCX_DIR, "config.json");
+const PID_PATH = join(OCX_DIR, "ocx.pid");
+/**
+ * Default featured subagent models (native GPT) seeded on a fresh install and when `subagentModels`
+ * is unset. Codex's spawn_agent advertises the first 5 featured catalog entries; these are the GPT
+ * natives the installed Codex actually ships. The user can remove any in the GUI — once they set the
+ * list (even to []), it is respected, so removals persist (start-up only seeds the UNSET case).
+ * Kept to ids ChatGPT accepts; the start-up seed prefers the live catalog's native slugs.
+ */
+export const DEFAULT_SUBAGENT_MODELS = ["gpt-5.5", "gpt-5.4", "gpt-5.4-mini", "gpt-5.3-codex-spark"];
+export function getConfigDir(): string {
+  return OCX_DIR;
+}
+export function getConfigPath(): string {
+  return CONFIG_PATH;
+}
+export function getPidPath(): string {
+  return PID_PATH;
+}
+export function loadConfig(): OcxConfig {
+  if (!existsSync(CONFIG_PATH)) {
+    return getDefaultConfig();
+  }
+  try {
+    const raw = readFileSync(CONFIG_PATH, "utf-8");
+    return JSON.parse(raw) as OcxConfig;
+  } catch {
+    return getDefaultConfig();
+  }
+}
+export function saveConfig(config: OcxConfig): void {
+  if (!existsSync(OCX_DIR)) {
+    mkdirSync(OCX_DIR, { recursive: true });
+  }
+  writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2) + "\n", "utf-8");
+}
+export function getDefaultConfig(): OcxConfig {
+  // Fresh-install default: works out of the box with Codex's ChatGPT OAuth (no API key).
+  // gpt-* requests forward the caller's incoming OAuth headers to the ChatGPT backend.
+  // Adding extra providers (e.g. opencode-go) and switching defaultProvider is a user/runtime choice.
+  return {
+    port: 10100,
+    providers: {
+      openai: {
+        adapter: "openai-responses",
+        baseUrl: "https://chatgpt.com/backend-api/codex",
+        authMode: "forward",
+      },
+    },
+    defaultProvider: "openai",
+    subagentModels: [...DEFAULT_SUBAGENT_MODELS],
+  };
+}
+export function resolveEnvValue(value: string | undefined): string | undefined {
+  if (!value) return undefined;
+  const match = value.match(/^\$\{(\w+)\}$/);
+  if (match) return process.env[match[1]];
+  if (value.startsWith("$")) return process.env[value.slice(1)];
+  return value;
+}
+export function writePid(pid: number): void {
+  if (!existsSync(OCX_DIR)) mkdirSync(OCX_DIR, { recursive: true });
+  writeFileSync(PID_PATH, String(pid), "utf-8");
+}
+export function readPid(): number | null {
+  if (!existsSync(PID_PATH)) return null;
+  try {
+    const raw = readFileSync(PID_PATH, "utf-8").trim();
+    const pid = parseInt(raw, 10);
+    if (isNaN(pid)) return null;
+    try { process.kill(pid, 0); return pid; } catch { return null; }
+  } catch {
+    return null;
+  }
+}
+export function removePid(): void {
+  try {
+    const { unlinkSync } = require("node:fs");
+    unlinkSync(PID_PATH);
+  } catch { /* ignore */ }
+}

package/src/index.ts ADDED Viewed

@@ -0,0 +1,20 @@
+export { startServer } from "./server";
+export { parseRequest } from "./responses/parser";
+export { bridgeToResponsesSSE, buildResponseJSON, formatErrorResponse } from "./bridge";
+export { createAnthropicAdapter } from "./adapters/anthropic";
+export { createAzureAdapter } from "./adapters/azure";
+export { createGoogleAdapter } from "./adapters/google";
+export { createOpenAIChatAdapter } from "./adapters/openai-chat";
+export { createResponsesPassthroughAdapter } from "./adapters/openai-responses";
+export { loadConfig, saveConfig } from "./config";
+export type { ProviderAdapter } from "./adapters/base";
+export type {
+  OcxConfig,
+  OcxContext,
+  OcxMessage,
+  OcxParsedRequest,
+  OcxProviderConfig,
+  OcxRequestOptions,
+  OcxTool,
+  AdapterEvent,
+} from "./types";

package/src/init.ts ADDED Viewed

@@ -0,0 +1,163 @@
+import * as readline from "node:readline";
+import { injectCodexConfig } from "./codex-inject";
+import { getDefaultConfig, saveConfig } from "./config";
+import { KEY_LOGIN_PROVIDERS, enrichProviderFromCatalog } from "./oauth/key-providers";
+import { OAUTH_PROVIDERS } from "./oauth";
+import type { OcxConfig, OcxProviderConfig } from "./types";
+function createPrompt(): { ask(question: string): Promise<string>; close(): void } {
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  return {
+    ask(question: string): Promise<string> {
+      return new Promise(resolve => rl.question(question, resolve));
+    },
+    close() { rl.close(); },
+  };
+}
+type InitKind = "forward" | "oauth" | "key" | "local";
+export interface InitProvider {
+  id: string;
+  label: string;
+  adapter: string;
+  baseUrl: string;
+  kind: InitKind;
+  dashboardUrl?: string;
+  defaultModel?: string;
+}
+const OAUTH_LABELS: Record<string, string> = {
+  xai: "xAI (Grok)", anthropic: "Anthropic (Claude)", kimi: "Kimi (Moonshot)",
+};
+/**
+ * The full CLI provider menu, built from the SAME registries the GUI uses (OAUTH_PROVIDERS +
+ * KEY_LOGIN_PROVIDERS) plus the ChatGPT-forward, a few non-catalog key providers, and local servers —
+ * so `ocx init` reaches provider parity with the GUI. Exported for verification.
+ */
+export function buildInitProviders(): InitProvider[] {
+  const out: InitProvider[] = [];
+  // ChatGPT login (no key) — the default forward provider.
+  out.push({ id: "openai", label: "OpenAI — ChatGPT login (no key)", adapter: "openai-responses", baseUrl: "https://chatgpt.com/backend-api/codex", kind: "forward" });
+  // Real account logins (OAuth).
+  for (const id of Object.keys(OAUTH_PROVIDERS)) {
+    const pc = OAUTH_PROVIDERS[id].providerConfig;
+    out.push({ id, label: `${OAUTH_LABELS[id] ?? id} — account login`, adapter: pc.adapter, baseUrl: pc.baseUrl, kind: "oauth", defaultModel: pc.defaultModel });
+  }
+  // Key providers not in the catalog (native adapters / well-known endpoints).
+  out.push({ id: "openai-apikey", label: "OpenAI (API key)", adapter: "openai-responses", baseUrl: "https://api.openai.com/v1", kind: "key", dashboardUrl: "https://platform.openai.com/api-keys", defaultModel: "gpt-5.5" });
+  out.push({ id: "openrouter", label: "OpenRouter", adapter: "openai-chat", baseUrl: "https://openrouter.ai/api/v1", kind: "key", dashboardUrl: "https://openrouter.ai/keys" });
+  out.push({ id: "groq", label: "Groq", adapter: "openai-chat", baseUrl: "https://api.groq.com/openai/v1", kind: "key", dashboardUrl: "https://console.groq.com/keys" });
+  out.push({ id: "google", label: "Google Gemini", adapter: "google", baseUrl: "https://generativelanguage.googleapis.com", kind: "key", dashboardUrl: "https://aistudio.google.com/apikey", defaultModel: "gemini-3-pro" });
+  out.push({ id: "azure-openai", label: "Azure OpenAI", adapter: "azure", baseUrl: "https://{resource}.openai.azure.com/openai/deployments/{deployment}", kind: "key", dashboardUrl: "https://portal.azure.com" });
+  // The full API-key catalog (deepseek, mistral, kilo, minimax, … — same set the GUI shows).
+  for (const [id, p] of Object.entries(KEY_LOGIN_PROVIDERS)) {
+    out.push({ id, label: p.label, adapter: p.adapter, baseUrl: p.baseUrl, kind: "key", dashboardUrl: p.dashboardUrl, defaultModel: p.defaultModel });
+  }
+  // Local servers (usually no key).
+  out.push({ id: "ollama", label: "Ollama (local)", adapter: "openai-chat", baseUrl: "http://localhost:11434/v1", kind: "local" });
+  out.push({ id: "vllm", label: "vLLM (local)", adapter: "openai-chat", baseUrl: "http://localhost:8000/v1", kind: "local" });
+  out.push({ id: "lm-studio", label: "LM Studio (local)", adapter: "openai-chat", baseUrl: "http://localhost:1234/v1", kind: "local" });
+  return out;
+}
+const KIND_HEADING: Record<InitKind, string> = {
+  forward: "ChatGPT login",
+  oauth: "Account login (OAuth — then run: ocx login <id>)",
+  key: "API key (paste a key from the provider's dashboard)",
+  local: "Local servers (usually no key)",
+};
+function printMenu(providers: InitProvider[]): void {
+  console.log("Available providers:");
+  let lastKind: InitKind | null = null;
+  providers.forEach((p, i) => {
+    if (p.kind !== lastKind) { console.log(`\n  ${KIND_HEADING[p.kind]}:`); lastKind = p.kind; }
+    console.log(`   ${String(i + 1).padStart(2)}. ${p.label}`);
+  });
+  console.log(`\n   ${providers.length + 1}. custom (enter URL manually)`);
+}
+const envKeyFor = (id: string) => `${id.toUpperCase().replace(/[^A-Z0-9]+/g, "_")}_API_KEY`;
+export async function runInit(): Promise<void> {
+  const prompt = createPrompt();
+  console.log("\n🔧 opencodex (ocx) setup\n");
+  const providers = buildInitProviders();
+  printMenu(providers);
+  const choice = await prompt.ask("\nSelect provider (number): ");
+  const idx = parseInt(choice, 10) - 1;
+  let providerName: string;
+  let providerConfig: OcxProviderConfig;
+  let oauthHint = false;
+  if (idx >= 0 && idx < providers.length) {
+    const p = providers[idx];
+    providerName = p.id;
+    console.log(`\n📡 ${p.label}`);
+    console.log(`   Base URL: ${p.baseUrl}`);
+    if (p.kind === "forward") {
+      providerConfig = { adapter: p.adapter, baseUrl: p.baseUrl, authMode: "forward" };
+      console.log("   No API key needed — forwards your existing `codex login`.");
+    } else if (p.kind === "oauth") {
+      providerConfig = { adapter: p.adapter, baseUrl: p.baseUrl, authMode: "oauth", ...(p.defaultModel ? { defaultModel: p.defaultModel } : {}) };
+      oauthHint = true;
+    } else {
+      // key + local: collect a key (local usually blank).
+      if (p.dashboardUrl) console.log(`   🔑 Get your key: ${p.dashboardUrl}`);
+      const env = envKeyFor(p.id);
+      const hint = p.kind === "local" ? "API key (usually blank — press Enter): " : `API key (paste, or env var $${env}): `;
+      const apiKey = (await prompt.ask(`\n${hint}`)).trim();
+      const modelChoice = (await prompt.ask(`Default model${p.defaultModel ? ` [${p.defaultModel}]` : " (optional)"}: `)).trim();
+      const defaultModel = modelChoice || p.defaultModel;
+      providerConfig = {
+        adapter: p.adapter,
+        baseUrl: p.baseUrl,
+        ...(p.kind === "key" ? { apiKey: apiKey || `\${${env}}` } : apiKey ? { apiKey } : {}),
+        ...(defaultModel ? { defaultModel } : {}),
+      };
+      // Apply the catalog's models / vision classification (same enrichment as the GUI).
+      enrichProviderFromCatalog(p.id, providerConfig);
+    }
+  } else {
+    providerName = await prompt.ask("Provider name: ");
+    const baseUrl = await prompt.ask("Base URL (e.g. http://localhost:11434/v1): ");
+    const adapter = await prompt.ask("Adapter [openai-chat]: ") || "openai-chat";
+    const apiKey = await prompt.ask("API key (optional): ");
+    const defaultModel = await prompt.ask("Default model: ");
+    providerConfig = {
+      adapter: adapter.trim(),
+      baseUrl: baseUrl.trim(),
+      ...(apiKey.trim() ? { apiKey: apiKey.trim() } : {}),
+      ...(defaultModel.trim() ? { defaultModel: defaultModel.trim() } : {}),
+    };
+  }
+  const portStr = await prompt.ask("\nProxy port [10100]: ");
+  const port = parseInt(portStr, 10) || 10100;
+  const config: OcxConfig = {
+    ...getDefaultConfig(),
+    port,
+    providers: { [providerName]: providerConfig },
+    defaultProvider: providerName,
+  };
+  saveConfig(config);
+  console.log(`\n✅ Config saved to ~/.opencodex/config.json`);
+  if (oauthHint) console.log(`🔐 Authenticate this provider with:  ocx login ${providerName}`);
+  const injectAnswer = await prompt.ask("Inject into Codex config.toml? [Y/n]: ");
+  if (injectAnswer.trim().toLowerCase() !== "n") {
+    console.log("Fetching available models from provider...");
+    const result = await injectCodexConfig(port, config);
+    console.log(result.success ? `✅ ${result.message}` : `⚠️  ${result.message}`);
+  }
+  console.log(`\n🚀 Setup complete! Run 'ocx start' to start the proxy.`);
+  prompt.close();
+}

package/src/model-cache.ts ADDED Viewed

@@ -0,0 +1,42 @@
+/**
+ * In-memory, per-provider TTL cache for live `/models` results.
+ *
+ * Ported in spirit from jawcode's packages/ai/src/model-manager.ts (the "always load the latest
+ * model list" resolver): live fetch when the cache is stale, serve the cache while it is fresh,
+ * and fall back to the last-known-good list when a live fetch fails. opencodex's proxy is a single
+ * long-running process and the on-disk Codex catalog already persists the last sync across
+ * restarts, so an in-memory cache is sufficient here (no SQLite layer needed).
+ */
+import type { CatalogModel } from "./codex-catalog";
+/** Default freshness window. Matches Codex's own 5-min models cache so the two stay in step. */
+export const DEFAULT_MODEL_CACHE_TTL_MS = 5 * 60 * 1000;
+interface CacheEntry {
+  models: CatalogModel[];
+  fetchedAt: number;
+}
+const cache = new Map<string, CacheEntry>();
+/** Fresh cached models for a provider, or null when absent/stale (caller should re-fetch). */
+export function getFreshCached(provider: string, ttlMs: number, now = Date.now()): CatalogModel[] | null {
+  const entry = cache.get(provider);
+  if (!entry) return null;
+  return now - entry.fetchedAt < ttlMs ? entry.models : null;
+}
+/** Last-known-good models regardless of age — the fallback when a live fetch fails. */
+export function getStaleCached(provider: string): CatalogModel[] | null {
+  return cache.get(provider)?.models ?? null;
+}
+export function setCached(provider: string, models: CatalogModel[], now = Date.now()): void {
+  cache.set(provider, { models, fetchedAt: now });
+}
+/** Drop one provider's cache (or all) so the next resolve forces a live re-fetch. */
+export function clearModelCache(provider?: string): void {
+  if (provider) cache.delete(provider);
+  else cache.clear();
+}

package/src/oauth/anthropic.ts ADDED Viewed

@@ -0,0 +1,151 @@
+/** Anthropic OAuth flow (Claude Pro/Max). Ported from jawcode oauth/anthropic.ts. */
+import { OAuthCallbackFlow } from "./callback-server";
+import { generatePKCE } from "./pkce";
+import type { LocalTokenImportMode, OAuthController, OAuthCredentials } from "./types";
+const CLIENT_ID = atob("OWQxYzI1MGEtZTYxYi00NGQ5LTg4ZWQtNTk0NGQxOTYyZjVl");
+const AUTHORIZE_URL = "https://claude.ai/oauth/authorize";
+const TOKEN_URL = "https://api.anthropic.com/v1/oauth/token";
+const CALLBACK_PORT = 54545;
+const CALLBACK_PATH = "/callback";
+const SCOPES = "org:create_api_key user:profile user:inference";
+// ── OAuth-request requirements applied by the anthropic adapter when authMode==="oauth" ──
+export const ANTHROPIC_OAUTH_BETA = "claude-code-20250219,oauth-2025-04-20";
+export const CLAUDE_CODE_SYSTEM_INSTRUCTION = "You are a Claude agent, built on Anthropic's Claude Agent SDK.";
+const CLAUDE_TOOL_PREFIX = "proxy_";
+const ANTHROPIC_BUILTIN_TOOLS = new Set(["web_search", "code_execution", "text_editor", "computer"]);
+/** OAuth tokens reject arbitrary tool names; prefix custom tools (Anthropic builtins are exempt). */
+export function applyClaudeToolPrefix(name: string): string {
+  if (ANTHROPIC_BUILTIN_TOOLS.has(name.toLowerCase()) || name.toLowerCase().startsWith(CLAUDE_TOOL_PREFIX)) return name;
+  return CLAUDE_TOOL_PREFIX + name;
+}
+/** Strip the proxy_ prefix from a returned tool_use name so the caller (Codex) sees the original. */
+export function stripClaudeToolPrefix(name: string): string {
+  return name.startsWith(CLAUDE_TOOL_PREFIX) ? name.slice(CLAUDE_TOOL_PREFIX.length) : name;
+}
+interface AnthropicTokenResponse {
+  access_token: string;
+  refresh_token: string;
+  expires_in: number;
+  account?: { uuid?: string; email_address?: string };
+}
+async function postJson(url: string, body: Record<string, string | number>): Promise<string> {
+  const response = await fetch(url, {
+    method: "POST",
+    headers: { "Content-Type": "application/json", Accept: "application/json" },
+    body: JSON.stringify(body),
+    signal: AbortSignal.timeout(30_000),
+  });
+  const responseBody = await response.text();
+  if (!response.ok) {
+    throw new Error(`Anthropic OAuth HTTP ${response.status}: ${responseBody}`);
+  }
+  return responseBody;
+}
+function parseTokenResponse(responseBody: string): AnthropicTokenResponse {
+  try {
+    return JSON.parse(responseBody) as AnthropicTokenResponse;
+  } catch {
+    throw new Error(`Anthropic OAuth returned invalid JSON: ${responseBody.slice(0, 200)}`);
+  }
+}
+function credsFrom(data: AnthropicTokenResponse, refreshFallback?: string): OAuthCredentials {
+  const accountUuid = data.account?.uuid;
+  const email = data.account?.email_address;
+  return {
+    refresh: data.refresh_token || refreshFallback || "",
+    access: data.access_token,
+    expires: Date.now() + data.expires_in * 1000 - 5 * 60 * 1000,
+    accountId: typeof accountUuid === "string" && accountUuid.length > 0 ? accountUuid : undefined,
+    email: typeof email === "string" && email.length > 0 ? email : undefined,
+  };
+}
+export class AnthropicOAuthFlow extends OAuthCallbackFlow {
+  #verifier = "";
+  constructor(ctrl: OAuthController) {
+    super(ctrl, CALLBACK_PORT, CALLBACK_PATH);
+  }
+  async generateAuthUrl(state: string, redirectUri: string): Promise<{ url: string; instructions?: string }> {
+    const pkce = await generatePKCE();
+    this.#verifier = pkce.verifier;
+    const authParams = new URLSearchParams({
+      code: "true",
+      client_id: CLIENT_ID,
+      response_type: "code",
+      redirect_uri: redirectUri,
+      scope: SCOPES,
+      code_challenge: pkce.challenge,
+      code_challenge_method: "S256",
+      state,
+    });
+    return {
+      url: `${AUTHORIZE_URL}?${authParams.toString()}`,
+      instructions:
+        "Complete Claude login in your browser. If the browser cannot reach this machine, paste the final redirect URL or authorization code when prompted.",
+    };
+  }
+  async exchangeToken(code: string, state: string, redirectUri: string): Promise<OAuthCredentials> {
+    let exchangeCode = code;
+    let exchangeState = state;
+    const hash = code.indexOf("#");
+    if (hash >= 0) {
+      exchangeCode = code.slice(0, hash);
+      const frag = code.slice(hash + 1);
+      if (frag.length > 0) exchangeState = frag;
+    }
+    const responseBody = await postJson(TOKEN_URL, {
+      grant_type: "authorization_code",
+      client_id: CLIENT_ID,
+      code: exchangeCode,
+      state: exchangeState,
+      redirect_uri: redirectUri,
+      code_verifier: this.#verifier,
+    });
+    return credsFrom(parseTokenResponse(responseBody));
+  }
+}
+export async function loginAnthropic(
+  ctrl: OAuthController,
+  opts?: { importLocal?: LocalTokenImportMode },
+): Promise<OAuthCredentials> {
+  const importLocal = opts?.importLocal ?? "off";
+  if (importLocal !== "off") {
+    const { detectClaudeCodeToken } = await import("./local-token-detect");
+    const local = detectClaudeCodeToken();
+    if (local) {
+      ctrl.onProgress?.("Found Claude Code token, importing automatically");
+      if (local.expires >= Date.now() + 60_000) return local;
+      try {
+        return await refreshAnthropicToken(local.refresh);
+      } catch (error) {
+        if (importLocal === "only") {
+          throw new Error(`Claude Code token expired and could not be refreshed: ${error instanceof Error ? error.message : String(error)}`);
+        }
+      }
+    } else if (importLocal === "only") {
+      throw new Error("No Claude Code token found in the keychain. Run 'ocx login anthropic' for browser OAuth.");
+    }
+  }
+  return new AnthropicOAuthFlow(ctrl).login();
+}
+export async function refreshAnthropicToken(refreshToken: string): Promise<OAuthCredentials> {
+  const responseBody = await postJson(TOKEN_URL, {
+    grant_type: "refresh_token",
+    client_id: CLIENT_ID,
+    refresh_token: refreshToken,
+  });
+  return credsFrom(parseTokenResponse(responseBody), refreshToken);
+}