@bitkyc08/opencodex 0.1.0

package/src/oauth/callback-server.ts

@@ -0,0 +1,249 @@
+/**
+ * Abstract base class for OAuth flows with local callback servers.
+ * Ported from jawcode packages/ai/src/utils/oauth/callback-server.ts.
+ *
+ * Change vs source: the success/error page is an inline HTML constant. opencodex's GUI polls
+ * GET /api/oauth/status, so it does not need OAuth state injected into the callback page.
+ *
+ * Handles: port allocation (preferred → random fallback), callback server, CSRF state,
+ * manual-input race, 300s timeout. Providers implement generateAuthUrl() + exchangeToken().
+ */
+import type { OAuthController, OAuthCredentials } from "./types";
+
+const DEFAULT_TIMEOUT = 300_000;
+const DEFAULT_HOSTNAME = "localhost";
+const CALLBACK_PATH = "/callback";
+
+const SUCCESS_HTML =
+  "<!doctype html><html><head><meta charset='utf-8'><title>opencodex</title></head>" +
+  "<body style='font-family:system-ui,sans-serif;text-align:center;padding:4rem;color:#111'>" +
+  "<h2>&#9989; Login complete</h2><p>You can close this tab and return to opencodex.</p></body></html>";
+
+function escapeHtml(s: string): string {
+  return s.replace(/[&<>"']/g, (c) =>
+    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c] ?? c,
+  );
+}
+
+function errorHtml(message: string): string {
+  return (
+    "<!doctype html><html><head><meta charset='utf-8'><title>opencodex</title></head>" +
+    "<body style='font-family:system-ui,sans-serif;text-align:center;padding:4rem;color:#111'>" +
+    `<h2>&#9888; Login failed</h2><p>${escapeHtml(message)}</p></body></html>`
+  );
+}
+
+export type CallbackResult = { code: string; state: string };
+
+export interface OAuthCallbackFlowOptions {
+  preferredPort: number;
+  callbackPath?: string;
+  callbackHostname?: string;
+  /** Local listener hostname; defaults to callbackHostname when omitted. */
+  callbackBindHostname?: string;
+  /** Exact redirect URI advertised to the provider; disables port fallback. */
+  redirectUri?: string;
+}
+
+type BunServer = ReturnType<typeof Bun.serve>;
+
+export abstract class OAuthCallbackFlow {
+  ctrl: OAuthController;
+  preferredPort: number;
+  callbackPath: string;
+  callbackHostname: string;
+  callbackBindHostname: string;
+  redirectUri?: string;
+  #callbackResolve?: (result: CallbackResult) => void;
+  #callbackReject?: (error: string) => void;
+
+  constructor(
+    ctrl: OAuthController,
+    preferredPortOrOptions: number | OAuthCallbackFlowOptions,
+    callbackPath: string = CALLBACK_PATH,
+  ) {
+    this.ctrl = ctrl;
+    if (typeof preferredPortOrOptions === "number") {
+      this.preferredPort = preferredPortOrOptions;
+      this.callbackPath = callbackPath;
+      this.callbackHostname = DEFAULT_HOSTNAME;
+      this.callbackBindHostname = DEFAULT_HOSTNAME;
+      return;
+    }
+    this.preferredPort = preferredPortOrOptions.preferredPort;
+    this.callbackPath = preferredPortOrOptions.callbackPath ?? CALLBACK_PATH;
+    this.callbackHostname = preferredPortOrOptions.callbackHostname ?? DEFAULT_HOSTNAME;
+    this.callbackBindHostname = preferredPortOrOptions.callbackBindHostname ?? this.callbackHostname;
+    this.redirectUri = preferredPortOrOptions.redirectUri;
+  }
+
+  /** Build provider-specific authorization URL. */
+  abstract generateAuthUrl(state: string, redirectUri: string): Promise<{ url: string; instructions?: string }>;
+
+  /** Exchange authorization code for OAuth tokens. */
+  abstract exchangeToken(code: string, state: string, redirectUri: string): Promise<OAuthCredentials>;
+
+  /** Generate CSRF state token. */
+  generateState(): string {
+    const bytes = new Uint8Array(16);
+    crypto.getRandomValues(bytes);
+    return Array.from(bytes)
+      .map((value) => value.toString(16).padStart(2, "0"))
+      .join("");
+  }
+
+  /** Execute the OAuth login flow. */
+  async login(): Promise<OAuthCredentials> {
+    const state = this.generateState();
+    const { server, redirectUri } = await this.#startCallbackServer(state);
+    try {
+      const { url: authUrl, instructions } = await this.generateAuthUrl(state, redirectUri);
+      this.ctrl.onAuth?.({ url: authUrl, instructions });
+      this.ctrl.onProgress?.("Waiting for browser authentication...");
+      const { code } = await this.#waitForCallback(state);
+      this.ctrl.onProgress?.("Exchanging authorization code for tokens...");
+      return await this.exchangeToken(code, state, redirectUri);
+    } finally {
+      server.stop();
+    }
+  }
+
+  async #startCallbackServer(expectedState: string): Promise<{ server: BunServer; redirectUri: string }> {
+    try {
+      const server = this.#createServer(this.preferredPort, expectedState);
+      if (this.redirectUri) {
+        return { server, redirectUri: this.redirectUri };
+      }
+      const redirectUri = `http://${this.callbackHostname}:${this.preferredPort}${this.callbackPath}`;
+      return { server, redirectUri };
+    } catch {
+      if (this.redirectUri) {
+        throw new Error(
+          `OAuth callback port ${this.preferredPort} unavailable; cannot fall back to a random port when redirectUri is set`,
+        );
+      }
+      const server = this.#createServer(0, expectedState);
+      const actualPort = server.port;
+      const redirectUri = `http://${this.callbackHostname}:${actualPort}${this.callbackPath}`;
+      this.ctrl.onProgress?.(`Preferred port ${this.preferredPort} unavailable, using port ${actualPort}`);
+      return { server, redirectUri };
+    }
+  }
+
+  #createServer(port: number, expectedState: string): BunServer {
+    return Bun.serve({
+      hostname: this.callbackBindHostname,
+      port,
+      reusePort: false,
+      fetch: (req: Request) => this.#handleCallback(req, expectedState),
+    });
+  }
+
+  #handleCallback(req: Request, expectedState: string): Response {
+    const url = new URL(req.url);
+    if (url.pathname !== this.callbackPath) {
+      return new Response("Not Found", { status: 404 });
+    }
+
+    const code = url.searchParams.get("code");
+    const state = url.searchParams.get("state") || "";
+    const error = url.searchParams.get("error") || "";
+    const errorDescription = url.searchParams.get("error_description") || error;
+
+    let ok = false;
+    let errMessage = "";
+    if (error) {
+      errMessage = `Authorization failed: ${errorDescription}`;
+    } else if (!code) {
+      errMessage = "Missing authorization code";
+    } else if (expectedState && state !== expectedState) {
+      errMessage = "State mismatch - possible CSRF attack";
+    } else {
+      ok = true;
+    }
+
+    // Capture refs before they could be cleared, then resolve on the next microtask.
+    const resolve = this.#callbackResolve;
+    const reject = this.#callbackReject;
+    queueMicrotask(() => {
+      if (ok && code) {
+        resolve?.({ code, state });
+      } else {
+        reject?.(errMessage || "Unknown error");
+      }
+    });
+
+    return new Response(ok ? SUCCESS_HTML : errorHtml(errMessage), {
+      status: ok ? 200 : 500,
+      headers: { "Content-Type": "text/html" },
+    });
+  }
+
+  #waitForCallback(expectedState: string): Promise<CallbackResult> {
+    const timeoutSignal = AbortSignal.timeout(DEFAULT_TIMEOUT);
+    const signal = this.ctrl.signal ? AbortSignal.any([this.ctrl.signal, timeoutSignal]) : timeoutSignal;
+
+    const callbackPromise = new Promise<CallbackResult>((resolve, reject) => {
+      this.#callbackResolve = resolve;
+      this.#callbackReject = (e: string) => reject(new Error(e));
+
+      signal.addEventListener("abort", () => {
+        this.#callbackResolve = undefined;
+        this.#callbackReject = undefined;
+        reject(new Error(`OAuth callback cancelled: ${signal.reason}`));
+      });
+    });
+
+    if (this.ctrl.onManualCodeInput) {
+      const requestManualInput = this.ctrl.onManualCodeInput;
+      const manualPromise = (async (): Promise<CallbackResult> => {
+        while (true) {
+          const result = await Promise.race([
+            callbackPromise,
+            requestManualInput()
+              .then((input): CallbackResult | null => {
+                const parsed = parseCallbackInput(input);
+                if (!parsed.code) return null;
+                if (expectedState && parsed.state && parsed.state !== expectedState) return null;
+                return { code: parsed.code, state: parsed.state ?? "" };
+              })
+              .catch((): CallbackResult | null => null),
+          ]);
+          if (result) return result;
+        }
+      })();
+
+      return Promise.race([callbackPromise, manualPromise]);
+    }
+
+    return callbackPromise;
+  }
+}
+
+/** Parse a redirect URL or code string to extract code and state. */
+export function parseCallbackInput(input: string): { code?: string; state?: string } {
+  const value = input.trim();
+  if (!value) return {};
+
+  try {
+    const url = new URL(value);
+    return {
+      code: url.searchParams.get("code") ?? undefined,
+      state: url.searchParams.get("state") ?? undefined,
+    };
+  } catch {
+    // Not a URL - check for query string format
+  }
+
+  if (value.includes("code=")) {
+    const params = new URLSearchParams(value.replace(/^[?#]/, ""));
+    return {
+      code: params.get("code") ?? undefined,
+      state: params.get("state") ?? undefined,
+    };
+  }
+
+  // Assume raw code, possibly with state after #
+  const [code, state] = value.split("#", 2);
+  return { code, state };
+}

package/src/oauth/index.ts

@@ -0,0 +1,235 @@
+import type { OAuthController, OAuthCredentials } from "./types";
+import type { OcxConfig, OcxProviderConfig } from "../types";
+import { loadConfig, resolveEnvValue, saveConfig } from "../config";
+import { getCredential, saveCredential } from "./store";
+import { loginXai, refreshXaiToken } from "./xai";
+import { ANTHROPIC_OAUTH_BETA, loginAnthropic, refreshAnthropicToken } from "./anthropic";
+import { loginKimi, refreshKimiToken } from "./kimi";
+
+const REFRESH_SKEW_MS = 60_000;
+
+interface OAuthProviderDef {
+  login(ctrl: OAuthController): Promise<OAuthCredentials>;
+  refresh(refreshToken: string, signal?: AbortSignal): Promise<OAuthCredentials>;
+  /** provider entry written into config.json on first login. */
+  providerConfig: OcxProviderConfig;
+  defaultModel: string;
+}
+
+export const OAUTH_PROVIDERS: Record<string, OAuthProviderDef> = {
+  xai: {
+    login: (ctrl) => loginXai(ctrl, { importLocal: "fallback" }),
+    refresh: refreshXaiToken,
+    providerConfig: {
+      adapter: "openai-chat",
+      baseUrl: "https://api.x.ai/v1",
+      authMode: "oauth",
+      // Real xAI model ids (verified live via GET api.x.ai/v1/models); the proxy also fetches
+      // the live list at sync time, so this is the routing hint / fallback + explicit additions.
+      models: ["grok-4.3", "grok-4.20-0309-reasoning", "grok-4.20-0309-non-reasoning", "grok-build-0.1", "grok-composer-2.5-fast"],
+      defaultModel: "grok-4.3",
+      // These don't accept a reasoning/thinking param — never forward reasoning_effort for them.
+      noReasoningModels: ["grok-build-0.1", "grok-composer-2.5-fast"],
+      // These are text-only (no image input) — the vision sidecar describes images for them.
+      noVisionModels: ["grok-build-0.1", "grok-composer-2.5-fast"],
+    },
+    defaultModel: "grok-4.3",
+  },
+  anthropic: {
+    login: (ctrl) => loginAnthropic(ctrl, { importLocal: "fallback" }),
+    refresh: refreshAnthropicToken,
+    providerConfig: {
+      adapter: "anthropic",
+      baseUrl: "https://api.anthropic.com",
+      authMode: "oauth",
+      // Current dateless flagship ids — routing hint / fallback only; the proxy fetches the live
+      // list from Anthropic's GET /v1/models at sync time (always-latest), so this just seeds a
+      // sane set when that fetch is unavailable.
+      models: ["claude-opus-4-8", "claude-opus-4-7", "claude-opus-4-6", "claude-sonnet-4-6", "claude-haiku-4-5"],
+      defaultModel: "claude-sonnet-4-6",
+    },
+    defaultModel: "claude-sonnet-4-6",
+  },
+  kimi: {
+    login: (ctrl) => loginKimi(ctrl),
+    refresh: refreshKimiToken,
+    providerConfig: {
+      adapter: "openai-chat",
+      baseUrl: "https://api.kimi.com/coding/v1",
+      authMode: "oauth",
+      models: ["kimi-k2.6", "kimi-k2.5"],
+      defaultModel: "kimi-k2.6",
+    },
+    defaultModel: "kimi-k2.6",
+  },
+};
+
+export function isOAuthProvider(name: string): boolean {
+  return name in OAUTH_PROVIDERS;
+}
+
+/** Provider ids that support real OAuth login (drives the GUI's "Log in with …" buttons). */
+export function listOAuthProviders(): string[] {
+  return Object.keys(OAUTH_PROVIDERS);
+}
+
+/** Return a valid access token, refreshing + persisting if expired. Throws if not logged in. */
+export async function getValidAccessToken(provider: string): Promise<string> {
+  const def = OAUTH_PROVIDERS[provider];
+  if (!def) throw new Error(`Unknown OAuth provider: ${provider}`);
+  const cred = getCredential(provider);
+  if (!cred) throw new Error(`Not logged in to ${provider}. Run: ocx login ${provider}`);
+  if (cred.expires > Date.now() + REFRESH_SKEW_MS) return cred.access;
+  const fresh = await def.refresh(cred.refresh);
+  saveCredential(provider, fresh);
+  return fresh.access;
+}
+
+/**
+ * Shared bearer-token resolver for /models listing — used by BOTH server.ts:fetchAllModels and
+ * codex-catalog.ts:fetchProviderModels so OAuth providers' models are listed once logged in.
+ * Returns undefined for forward-mode or oauth-not-logged-in (caller skips).
+ */
+export async function resolveModelsAuthToken(name: string, prov: OcxProviderConfig): Promise<string | undefined> {
+  if (prov.authMode === "forward") return undefined;
+  if (prov.authMode === "oauth") {
+    try {
+      return await getValidAccessToken(name);
+    } catch {
+      return undefined;
+    }
+  }
+  return resolveEnvValue(prov.apiKey);
+}
+
+/**
+ * Provider-correct `GET /models` request (URL + headers), so both model-listing paths fetch the
+ * LIVE catalog correctly per adapter. Anthropic is the special case: its endpoint is `/v1/models`
+ * (not `/models`), it needs `anthropic-version`, and it authenticates with `x-api-key` (key) or
+ * `Authorization: Bearer` + the OAuth beta (oauth) — not a bare Bearer. Everyone else uses the
+ * OpenAI-style `/models` + Bearer. Response shape is `{ data: [{ id, owned_by? }] }` for both.
+ */
+export function buildModelsRequest(prov: OcxProviderConfig, apiKey: string | undefined): { url: string; headers: Record<string, string> } {
+  const headers: Record<string, string> = { ...(prov.headers ?? {}) };
+  if (prov.adapter === "anthropic") {
+    headers["anthropic-version"] = "2023-06-01";
+    if (prov.authMode === "oauth") {
+      headers["anthropic-beta"] = ANTHROPIC_OAUTH_BETA;
+      if (apiKey) headers["Authorization"] = `Bearer ${apiKey}`;
+    } else if (apiKey) {
+      headers["x-api-key"] = apiKey;
+    }
+    return { url: `${prov.baseUrl}/v1/models?limit=1000`, headers };
+  }
+  if (apiKey) headers["Authorization"] = `Bearer ${apiKey}`;
+  return { url: `${prov.baseUrl}/models`, headers };
+}
+
+/**
+ * Refresh OAuth-managed provider presets (`models`, `noReasoningModels`, and a stale `defaultModel`)
+ * from the registry so a proxy update that revises a provider's models — e.g. dropping deprecated
+ * Claude snapshots or adding a new grok endpoint not in the live `/models` — reaches EXISTING
+ * configs on the next `ocx start`, instead of only fresh installs. The live `/models` fetch stays
+ * the primary source; this keeps the static fallback (and models-not-in-/models) current.
+ *
+ * Only touches providers that are registry-managed AND still `authMode: "oauth"`, and only the
+ * preset fields (never apiKey/baseUrl/user toggles). Persists + returns true when anything changed.
+ */
+export function reconcileOAuthProviders(config: OcxConfig): boolean {
+  let changed = false;
+  for (const [name, prov] of Object.entries(config.providers)) {
+    const def = OAUTH_PROVIDERS[name];
+    if (!def || prov.authMode !== "oauth") continue;
+    const preset = def.providerConfig;
+    if (preset.models && JSON.stringify(prov.models) !== JSON.stringify(preset.models)) {
+      prov.models = [...preset.models];
+      changed = true;
+    }
+    if (JSON.stringify(prov.noReasoningModels) !== JSON.stringify(preset.noReasoningModels)) {
+      if (preset.noReasoningModels) prov.noReasoningModels = [...preset.noReasoningModels];
+      else delete prov.noReasoningModels;
+      changed = true;
+    }
+    if (JSON.stringify(prov.noVisionModels) !== JSON.stringify(preset.noVisionModels)) {
+      if (preset.noVisionModels) prov.noVisionModels = [...preset.noVisionModels];
+      else delete prov.noVisionModels;
+      changed = true;
+    }
+    // Heal a defaultModel that no longer exists in the refreshed list (e.g. a deprecated snapshot).
+    if (prov.defaultModel && preset.defaultModel && !(prov.models ?? []).includes(prov.defaultModel)) {
+      prov.defaultModel = preset.defaultModel;
+      changed = true;
+    }
+  }
+  if (changed) saveConfig(config);
+  return changed;
+}
+
+/** Add/refresh an OAuth provider's config entry on a config object (does not persist). */
+export function upsertOAuthProvider(config: OcxConfig, provider: string): void {
+  const def = OAUTH_PROVIDERS[provider];
+  if (!def) return;
+  config.providers[provider] = { ...def.providerConfig };
+}
+
+/** Run the login flow, persist the credential + upsert the provider entry to disk, return cred. */
+export async function runLogin(provider: string, ctrl: OAuthController): Promise<OAuthCredentials> {
+  const def = OAUTH_PROVIDERS[provider];
+  if (!def) throw new Error(`Unknown OAuth provider: ${provider}`);
+  const cred = await def.login(ctrl);
+  saveCredential(provider, cred);
+  const config = loadConfig();
+  upsertOAuthProvider(config, provider);
+  saveConfig(config);
+  return cred;
+}
+
+/**
+ * GUI async login: start the flow, return the auth URL EARLY (the flow keeps running in the
+ * background until the callback server captures the redirect), with a concurrency guard and an
+ * error surfaced via getLoginStatus().
+ */
+const loginState = new Map<string, { error?: string; done: boolean }>();
+
+export function getLoginStatus(provider: string): { loggedIn: boolean; email?: string; error?: string } {
+  const cred = getCredential(provider);
+  const st = loginState.get(provider);
+  return { loggedIn: !!cred, email: cred?.email, error: st?.error };
+}
+
+export function clearLoginState(provider: string): void {
+  loginState.delete(provider);
+}
+
+export async function startLoginFlow(provider: string): Promise<{ url: string; instructions?: string }> {
+  const def = OAUTH_PROVIDERS[provider];
+  if (!def) throw new Error(`Unknown OAuth provider: ${provider}`);
+  const existing = loginState.get(provider);
+  if (existing && !existing.done) {
+    throw new Error(`A login for ${provider} is already in progress`);
+  }
+  loginState.set(provider, { done: false });
+  return new Promise((resolve, reject) => {
+    let urlResolved = false;
+    const ctrl: OAuthController = {
+      onAuth: ({ url, instructions }) => {
+        urlResolved = true;
+        resolve({ url, instructions });
+      },
+      onProgress: () => {},
+    };
+    // Background: runLogin persists the credential + upserts the provider entry to disk config.
+    runLogin(provider, ctrl)
+      .then(() => {
+        loginState.set(provider, { done: true });
+        // Local-token import (grok-cli / Claude Code keychain) completes WITHOUT firing onAuth —
+        // resolve so the GUI call returns instead of hanging.
+        if (!urlResolved) resolve({ url: "", instructions: "Logged in via an existing local CLI/keychain token — no browser needed." });
+      })
+      .catch((e: unknown) => {
+        const msg = e instanceof Error ? e.message : String(e);
+        loginState.set(provider, { done: true, error: msg });
+        if (!urlResolved) reject(e);
+      });
+  });
+}

package/src/oauth/key-providers.ts

@@ -0,0 +1,126 @@
+import type { OcxProviderConfig } from "../types";
+
+/**
+ * API-key "login" providers: not OAuth — the flow opens the provider's dashboard so the user can
+ * create/copy a key, then validates + stores it as the provider's `apiKey` (authMode "key").
+ * Most use the OpenAI-compatible chat API (`openai-chat` adapter, `Authorization: Bearer <key>`); a
+ * few expose only an Anthropic-compatible endpoint and set `adapter: "anthropic"` (`x-api-key`).
+ */
+export interface KeyLoginProvider {
+  label: string;
+  baseUrl: string;
+  adapter: string;
+  /** Where the user creates/copies the API key. */
+  dashboardUrl: string;
+  models?: string[];
+  defaultModel?: string;
+  /**
+   * Model ids that do NOT accept image input (the vision sidecar describes images for them) / do NOT
+   * accept a reasoning param. Copied into the created provider config by `enrichProviderFromCatalog`,
+   * so the classification actually gates the sidecars (matching is tolerant of an Ollama ":size" tag).
+   */
+  noVisionModels?: string[];
+  noReasoningModels?: string[];
+}
+
+export const KEY_LOGIN_PROVIDERS: Record<string, KeyLoginProvider> = {
+  deepseek: { label: "DeepSeek", baseUrl: "https://api.deepseek.com", adapter: "openai-chat", dashboardUrl: "https://platform.deepseek.com/api_keys", models: ["deepseek-chat", "deepseek-reasoner"], defaultModel: "deepseek-chat" },
+  cerebras: { label: "Cerebras", baseUrl: "https://api.cerebras.ai/v1", adapter: "openai-chat", dashboardUrl: "https://cloud.cerebras.ai/platform/apikeys", defaultModel: "llama-3.3-70b" },
+  together: { label: "Together", baseUrl: "https://api.together.xyz/v1", adapter: "openai-chat", dashboardUrl: "https://api.together.xyz/settings/api-keys" },
+  fireworks: { label: "Fireworks", baseUrl: "https://api.fireworks.ai/inference/v1", adapter: "openai-chat", dashboardUrl: "https://fireworks.ai/account/api-keys" },
+  firepass: { label: "Fire Pass (Fireworks Kimi)", baseUrl: "https://api.fireworks.ai/inference/v1", adapter: "openai-chat", dashboardUrl: "https://fireworks.ai/account/api-keys" },
+  moonshot: { label: "Moonshot (Kimi API)", baseUrl: "https://api.moonshot.ai/v1", adapter: "openai-chat", dashboardUrl: "https://platform.moonshot.ai/console/api-keys", defaultModel: "kimi-k2-0905-preview" },
+  huggingface: { label: "Hugging Face", baseUrl: "https://router.huggingface.co/v1", adapter: "openai-chat", dashboardUrl: "https://huggingface.co/settings/tokens" },
+  nvidia: { label: "NVIDIA NIM", baseUrl: "https://integrate.api.nvidia.com/v1", adapter: "openai-chat", dashboardUrl: "https://build.nvidia.com" },
+  venice: { label: "Venice", baseUrl: "https://api.venice.ai/api/v1", adapter: "openai-chat", dashboardUrl: "https://venice.ai/settings/api" },
+  zai: { label: "Z.AI (GLM Coding)", baseUrl: "https://api.z.ai/api/coding/paas/v4", adapter: "openai-chat", dashboardUrl: "https://z.ai/manage-apikey/apikey-list", defaultModel: "glm-4.6" },
+  nanogpt: { label: "NanoGPT", baseUrl: "https://nano-gpt.com/api/v1", adapter: "openai-chat", dashboardUrl: "https://nano-gpt.com/api" },
+  synthetic: { label: "Synthetic", baseUrl: "https://api.synthetic.new/openai/v1", adapter: "openai-chat", dashboardUrl: "https://synthetic.new" },
+  "qwen-portal": { label: "Qwen Portal", baseUrl: "https://portal.qwen.ai/v1", adapter: "openai-chat", dashboardUrl: "https://portal.qwen.ai" },
+  qianfan: { label: "Qianfan (Baidu)", baseUrl: "https://qianfan.baidubce.com/v2", adapter: "openai-chat", dashboardUrl: "https://console.bce.baidu.com/iam/#/iam/apikey/list" },
+  alibaba: { label: "Alibaba Coding Plan", baseUrl: "https://coding-intl.dashscope.aliyuncs.com/v1", adapter: "openai-chat", dashboardUrl: "https://dashscope.console.aliyun.com/apiKey" },
+  parallel: { label: "Parallel", baseUrl: "https://platform.parallel.ai", adapter: "openai-chat", dashboardUrl: "https://platform.parallel.ai" },
+  zenmux: { label: "ZenMux", baseUrl: "https://zenmux.ai/api/v1", adapter: "openai-chat", dashboardUrl: "https://zenmux.ai" },
+  litellm: { label: "LiteLLM (self-hosted)", baseUrl: "http://localhost:4000/v1", adapter: "openai-chat", dashboardUrl: "https://docs.litellm.ai/docs/proxy/quick_start" },
+  // Ollama Cloud — hosted (not local), OpenAI-compatible at /v1, Bearer key from ollama.com.
+  // models/noVisionModels reflect the live ollama.com cloud lineup (the proxy still fetches /v1/models
+  // live; this is the seed + the vision/text classification, web-verified against ollama.com search
+  // filters). Vision-capable cloud models are EXCLUDED from noVisionModels: kimi-k2.5/.6/.7-code,
+  // minimax-m3, gemma3/gemma4, qwen3.5, gemini-3-flash-preview, ministral-3, devstral-small-2,
+  // mistral-large-3. gpt-oss is text-only despite a stale third-party list claiming otherwise.
+  "ollama-cloud": {
+    label: "Ollama Cloud",
+    baseUrl: "https://ollama.com/v1",
+    adapter: "openai-chat",
+    dashboardUrl: "https://ollama.com/settings/keys",
+    models: ["glm-5.2", "deepseek-v4-pro", "qwen3-coder", "gpt-oss:120b", "kimi-k2.6", "minimax-m3", "qwen3.5", "gemma4"],
+    defaultModel: "glm-5.2",
+    noVisionModels: [
+      "glm-5.2", "glm-5.1", "glm-5", "glm-4.7",
+      "minimax-m2.7", "minimax-m2.5", "minimax-m2.1",
+      "nemotron-3-ultra", "nemotron-3-super",
+      "deepseek-v4-pro", "deepseek-v4-flash",
+      "gpt-oss", "qwen3-coder",
+    ],
+  },
+  // ── Brought over from the jawcode provider registry ────────────────────────────────────
+  // Real LLM API providers. CLI-agent integrations (cursor, github-copilot, gitlab-duo,
+  // google-gemini-cli/antigravity, kilo, opencode, openai-codex) and native-cloud-auth providers
+  // (amazon-bedrock, google-vertex) are intentionally excluded. baseUrls are taken from jawcode.
+  mistral: { label: "Mistral", baseUrl: "https://api.mistral.ai/v1", adapter: "openai-chat", dashboardUrl: "https://console.mistral.ai/api-keys", defaultModel: "codestral-latest" },
+  minimax: { label: "MiniMax", baseUrl: "https://api.minimax.io/v1", adapter: "openai-chat", dashboardUrl: "https://platform.minimax.io", defaultModel: "MiniMax-M2.5" },
+  "minimax-cn": { label: "MiniMax (CN)", baseUrl: "https://api.minimaxi.com/v1", adapter: "openai-chat", dashboardUrl: "https://platform.minimaxi.com", defaultModel: "MiniMax-M2.5" },
+  "kimi-code": { label: "Kimi (coding)", baseUrl: "https://api.kimi.com/coding/v1", adapter: "openai-chat", dashboardUrl: "https://platform.moonshot.cn/console/api-keys", defaultModel: "kimi-k2.5" },
+  "opencode-zen": { label: "opencode zen", baseUrl: "https://opencode.ai/zen/v1", adapter: "openai-chat", dashboardUrl: "https://opencode.ai/auth" },
+  "vercel-ai-gateway": { label: "Vercel AI Gateway", baseUrl: "https://ai-gateway.vercel.sh/v1", adapter: "openai-chat", dashboardUrl: "https://vercel.com/dashboard" },
+  // Xiaomi MiMo exposes an Anthropic-compatible endpoint → anthropic adapter (x-api-key).
+  xiaomi: { label: "Xiaomi MiMo", baseUrl: "https://api.xiaomimimo.com/anthropic", adapter: "anthropic", dashboardUrl: "https://xiaomimimo.com", defaultModel: "mimo-v2.5-pro" },
+  // ── Gateways / multi-model proxies (standard wire; subscription-token auth) ──────────────
+  // kilo: single-protocol OpenAI-compatible gateway (443 models). Cloudflare AI Gateway: anthropic
+  // wire, URL is a template (fill in your account + gateway). github-copilot & gitlab-duo are
+  // multi-model gateways whose models span 3 protocols on ONE host — mapped to their universal
+  // OpenAI-compatible endpoint (one wire serves the whole lineup). Both need a Bearer subscription
+  // token (not a plain API key), and copilot may need a `User-Agent` header via custom provider config.
+  kilo: { label: "Kilo", baseUrl: "https://api.kilo.ai/api/gateway", adapter: "openai-chat", dashboardUrl: "https://kilo.ai" },
+  "cloudflare-ai-gateway": { label: "Cloudflare AI Gateway", baseUrl: "https://gateway.ai.cloudflare.com/v1/{account-id}/{gateway}/anthropic", adapter: "anthropic", dashboardUrl: "https://dash.cloudflare.com/?to=/:account/ai/ai-gateway" },
+  "github-copilot": { label: "GitHub Copilot", baseUrl: "https://api.githubcopilot.com", adapter: "openai-chat", dashboardUrl: "https://github.com/settings/copilot" },
+  "gitlab-duo": { label: "GitLab Duo", baseUrl: "https://cloud.gitlab.com/ai/v1/proxy/openai/v1", adapter: "openai-chat", dashboardUrl: "https://gitlab.com/-/user_settings/personal_access_tokens" },
+};
+
+/**
+ * Copy a key-login catalog entry's seed/classification (`models`, `noVisionModels`,
+ * `noReasoningModels`, `defaultModel`) onto a provider config being created, for any field the caller
+ * didn't already supply. Lets the vision/reasoning classification actually reach the saved config
+ * (the GUI/API only send adapter/baseUrl/apiKey/defaultModel). No-op for non-catalog provider names.
+ */
+export function enrichProviderFromCatalog(name: string, prov: OcxProviderConfig): void {
+  const e = KEY_LOGIN_PROVIDERS[name];
+  if (!e) return;
+  if (!prov.models && e.models) prov.models = [...e.models];
+  if (!prov.defaultModel && e.defaultModel) prov.defaultModel = e.defaultModel;
+  if (!prov.noVisionModels && e.noVisionModels) prov.noVisionModels = [...e.noVisionModels];
+  if (!prov.noReasoningModels && e.noReasoningModels) prov.noReasoningModels = [...e.noReasoningModels];
+}
+
+export function isKeyLoginProvider(name: string): boolean {
+  return name in KEY_LOGIN_PROVIDERS;
+}
+
+export function listKeyLoginProviders(): Array<{ id: string } & KeyLoginProvider> {
+  return Object.entries(KEY_LOGIN_PROVIDERS).map(([id, p]) => ({ id, ...p }));
+}
+
+/** Best-effort key validation: GET {baseUrl}/models with the key. Returns true/false/unknown. */
+export async function validateApiKey(baseUrl: string, key: string): Promise<boolean | "unknown"> {
+  try {
+    const res = await fetch(`${baseUrl}/models`, {
+      headers: { Authorization: `Bearer ${key}` },
+      signal: AbortSignal.timeout(8000),
+    });
+    if (res.ok) return true;
+    if (res.status === 401 || res.status === 403) return false;
+    return "unknown";
+  } catch {
+    return "unknown";
+  }
+}