npm - @cdoing/core - Versions diffs - 0.1.0 - Mend

@cdoing/core 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (378) hide show

package/dist/agents/coordinator.d.ts +114 -0
package/dist/agents/coordinator.d.ts.map +1 -0
package/dist/agents/coordinator.js +158 -0
package/dist/agents/coordinator.js.map +1 -0
package/dist/context-providers/clipboard.d.ts +13 -0
package/dist/context-providers/clipboard.d.ts.map +1 -0
package/dist/context-providers/clipboard.js +53 -0
package/dist/context-providers/clipboard.js.map +1 -0
package/dist/context-providers/codebase.d.ts +46 -0
package/dist/context-providers/codebase.d.ts.map +1 -0
package/dist/context-providers/codebase.js +273 -0
package/dist/context-providers/codebase.js.map +1 -0
package/dist/context-providers/diff.d.ts +18 -0
package/dist/context-providers/diff.d.ts.map +1 -0
package/dist/context-providers/diff.js +63 -0
package/dist/context-providers/diff.js.map +1 -0
package/dist/context-providers/docs.d.ts +21 -0
package/dist/context-providers/docs.d.ts.map +1 -0
package/dist/context-providers/docs.js +180 -0
package/dist/context-providers/docs.js.map +1 -0
package/dist/context-providers/file-include.d.ts +13 -0
package/dist/context-providers/file-include.d.ts.map +1 -0
package/dist/context-providers/file-include.js +82 -0
package/dist/context-providers/file-include.js.map +1 -0
package/dist/context-providers/folder.d.ts +19 -0
package/dist/context-providers/folder.d.ts.map +1 -0
package/dist/context-providers/folder.js +130 -0
package/dist/context-providers/folder.js.map +1 -0
package/dist/context-providers/git.d.ts +19 -0
package/dist/context-providers/git.d.ts.map +1 -0
package/dist/context-providers/git.js +74 -0
package/dist/context-providers/git.js.map +1 -0
package/dist/context-providers/index.d.ts +26 -0
package/dist/context-providers/index.d.ts.map +1 -0
package/dist/context-providers/index.js +37 -0
package/dist/context-providers/index.js.map +1 -0
package/dist/context-providers/open-files.d.ts +25 -0
package/dist/context-providers/open-files.d.ts.map +1 -0
package/dist/context-providers/open-files.js +134 -0
package/dist/context-providers/open-files.js.map +1 -0
package/dist/context-providers/problems.d.ts +24 -0
package/dist/context-providers/problems.d.ts.map +1 -0
package/dist/context-providers/problems.js +97 -0
package/dist/context-providers/problems.js.map +1 -0
package/dist/context-providers/registry.d.ts +61 -0
package/dist/context-providers/registry.d.ts.map +1 -0
package/dist/context-providers/registry.js +92 -0
package/dist/context-providers/registry.js.map +1 -0
package/dist/context-providers/terminal.d.ts +25 -0
package/dist/context-providers/terminal.d.ts.map +1 -0
package/dist/context-providers/terminal.js +55 -0
package/dist/context-providers/terminal.js.map +1 -0
package/dist/context-providers/tree.d.ts +29 -0
package/dist/context-providers/tree.d.ts.map +1 -0
package/dist/context-providers/tree.js +172 -0
package/dist/context-providers/tree.js.map +1 -0
package/dist/context-providers/types.d.ts +72 -0
package/dist/context-providers/types.d.ts.map +1 -0
package/dist/context-providers/types.js +10 -0
package/dist/context-providers/types.js.map +1 -0
package/dist/context-providers/url.d.ts +27 -0
package/dist/context-providers/url.d.ts.map +1 -0
package/dist/context-providers/url.js +131 -0
package/dist/context-providers/url.js.map +1 -0
package/dist/effort/index.d.ts +78 -0
package/dist/effort/index.d.ts.map +1 -0
package/dist/effort/index.js +146 -0
package/dist/effort/index.js.map +1 -0
package/dist/hooks/index.d.ts +47 -0
package/dist/hooks/index.d.ts.map +1 -0
package/dist/hooks/index.js +151 -0
package/dist/hooks/index.js.map +1 -0
package/dist/index.d.ts +75 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +152 -0
package/dist/index.js.map +1 -0
package/dist/indexing/chunker.d.ts +25 -0
package/dist/indexing/chunker.d.ts.map +1 -0
package/dist/indexing/chunker.js +217 -0
package/dist/indexing/chunker.js.map +1 -0
package/dist/indexing/database.d.ts +49 -0
package/dist/indexing/database.d.ts.map +1 -0
package/dist/indexing/database.js +287 -0
package/dist/indexing/database.js.map +1 -0
package/dist/indexing/index.d.ts +9 -0
package/dist/indexing/index.d.ts.map +1 -0
package/dist/indexing/index.js +13 -0
package/dist/indexing/index.js.map +1 -0
package/dist/indexing/indexer.d.ts +63 -0
package/dist/indexing/indexer.d.ts.map +1 -0
package/dist/indexing/indexer.js +352 -0
package/dist/indexing/indexer.js.map +1 -0
package/dist/indexing/recent-edits-cache.d.ts +77 -0
package/dist/indexing/recent-edits-cache.d.ts.map +1 -0
package/dist/indexing/recent-edits-cache.js +123 -0
package/dist/indexing/recent-edits-cache.js.map +1 -0
package/dist/indexing/types.d.ts +39 -0
package/dist/indexing/types.d.ts.map +1 -0
package/dist/indexing/types.js +6 -0
package/dist/indexing/types.js.map +1 -0
package/dist/mcp/index.d.ts +33 -0
package/dist/mcp/index.d.ts.map +1 -0
package/dist/mcp/index.js +37 -0
package/dist/mcp/index.js.map +1 -0
package/dist/mcp/manager.d.ts +123 -0
package/dist/mcp/manager.d.ts.map +1 -0
package/dist/mcp/manager.js +331 -0
package/dist/mcp/manager.js.map +1 -0
package/dist/oauth.d.ts +33 -0
package/dist/oauth.d.ts.map +1 -0
package/dist/oauth.js +312 -0
package/dist/oauth.js.map +1 -0
package/dist/permissions/index.d.ts +216 -0
package/dist/permissions/index.d.ts.map +1 -0
package/dist/permissions/index.js +938 -0
package/dist/permissions/index.js.map +1 -0
package/dist/plan/index.d.ts +20 -0
package/dist/plan/index.d.ts.map +1 -0
package/dist/plan/index.js +24 -0
package/dist/plan/index.js.map +1 -0
package/dist/plan/manager.d.ts +101 -0
package/dist/plan/manager.d.ts.map +1 -0
package/dist/plan/manager.js +170 -0
package/dist/plan/manager.js.map +1 -0
package/dist/rules/index.d.ts +28 -0
package/dist/rules/index.d.ts.map +1 -0
package/dist/rules/index.js +31 -0
package/dist/rules/index.js.map +1 -0
package/dist/rules/manager.d.ts +77 -0
package/dist/rules/manager.d.ts.map +1 -0
package/dist/rules/manager.js +279 -0
package/dist/rules/manager.js.map +1 -0
package/dist/rules/types.d.ts +34 -0
package/dist/rules/types.d.ts.map +1 -0
package/dist/rules/types.js +9 -0
package/dist/rules/types.js.map +1 -0
package/dist/sandbox/filesystem.d.ts +20 -0
package/dist/sandbox/filesystem.d.ts.map +1 -0
package/dist/sandbox/filesystem.js +141 -0
package/dist/sandbox/filesystem.js.map +1 -0
package/dist/sandbox/index.d.ts +4 -0
package/dist/sandbox/index.d.ts.map +1 -0
package/dist/sandbox/index.js +8 -0
package/dist/sandbox/index.js.map +1 -0
package/dist/sandbox/manager.d.ts +47 -0
package/dist/sandbox/manager.d.ts.map +1 -0
package/dist/sandbox/manager.js +220 -0
package/dist/sandbox/manager.js.map +1 -0
package/dist/sandbox/network.d.ts +14 -0
package/dist/sandbox/network.d.ts.map +1 -0
package/dist/sandbox/network.js +87 -0
package/dist/sandbox/network.js.map +1 -0
package/dist/sandbox/types.d.ts +42 -0
package/dist/sandbox/types.d.ts.map +1 -0
package/dist/sandbox/types.js +25 -0
package/dist/sandbox/types.js.map +1 -0
package/dist/tools/ast-edit.d.ts +57 -0
package/dist/tools/ast-edit.d.ts.map +1 -0
package/dist/tools/ast-edit.js +443 -0
package/dist/tools/ast-edit.js.map +1 -0
package/dist/tools/code-verify.d.ts +8 -0
package/dist/tools/code-verify.d.ts.map +1 -0
package/dist/tools/code-verify.js +159 -0
package/dist/tools/code-verify.js.map +1 -0
package/dist/tools/codebase-search.d.ts +17 -0
package/dist/tools/codebase-search.d.ts.map +1 -0
package/dist/tools/codebase-search.js +104 -0
package/dist/tools/codebase-search.js.map +1 -0
package/dist/tools/file-delete.d.ts +26 -0
package/dist/tools/file-delete.d.ts.map +1 -0
package/dist/tools/file-delete.js +179 -0
package/dist/tools/file-delete.js.map +1 -0
package/dist/tools/file-edit.d.ts +10 -0
package/dist/tools/file-edit.d.ts.map +1 -0
package/dist/tools/file-edit.js +138 -0
package/dist/tools/file-edit.js.map +1 -0
package/dist/tools/file-read.d.ts +12 -0
package/dist/tools/file-read.d.ts.map +1 -0
package/dist/tools/file-read.js +211 -0
package/dist/tools/file-read.js.map +1 -0
package/dist/tools/file-run.d.ts +10 -0
package/dist/tools/file-run.d.ts.map +1 -0
package/dist/tools/file-run.js +179 -0
package/dist/tools/file-run.js.map +1 -0
package/dist/tools/file-write.d.ts +10 -0
package/dist/tools/file-write.d.ts.map +1 -0
package/dist/tools/file-write.js +134 -0
package/dist/tools/file-write.js.map +1 -0
package/dist/tools/glob-search.d.ts +8 -0
package/dist/tools/glob-search.d.ts.map +1 -0
package/dist/tools/glob-search.js +108 -0
package/dist/tools/glob-search.js.map +1 -0
package/dist/tools/grep-search.d.ts +8 -0
package/dist/tools/grep-search.d.ts.map +1 -0
package/dist/tools/grep-search.js +139 -0
package/dist/tools/grep-search.js.map +1 -0
package/dist/tools/list-dir.d.ts +16 -0
package/dist/tools/list-dir.d.ts.map +1 -0
package/dist/tools/list-dir.js +183 -0
package/dist/tools/list-dir.js.map +1 -0
package/dist/tools/multi-edit.d.ts +16 -0
package/dist/tools/multi-edit.d.ts.map +1 -0
package/dist/tools/multi-edit.js +163 -0
package/dist/tools/multi-edit.js.map +1 -0
package/dist/tools/notebook-edit.d.ts +31 -0
package/dist/tools/notebook-edit.d.ts.map +1 -0
package/dist/tools/notebook-edit.js +321 -0
package/dist/tools/notebook-edit.js.map +1 -0
package/dist/tools/registry.d.ts +16 -0
package/dist/tools/registry.d.ts.map +1 -0
package/dist/tools/registry.js +41 -0
package/dist/tools/registry.js.map +1 -0
package/dist/tools/shell-exec.d.ts +12 -0
package/dist/tools/shell-exec.d.ts.map +1 -0
package/dist/tools/shell-exec.js +261 -0
package/dist/tools/shell-exec.js.map +1 -0
package/dist/tools/sub-agent-manager.d.ts +57 -0
package/dist/tools/sub-agent-manager.d.ts.map +1 -0
package/dist/tools/sub-agent-manager.js +153 -0
package/dist/tools/sub-agent-manager.js.map +1 -0
package/dist/tools/sub-agent-status.d.ts +12 -0
package/dist/tools/sub-agent-status.d.ts.map +1 -0
package/dist/tools/sub-agent-status.js +59 -0
package/dist/tools/sub-agent-status.js.map +1 -0
package/dist/tools/sub-agent-terminate.d.ts +12 -0
package/dist/tools/sub-agent-terminate.d.ts.map +1 -0
package/dist/tools/sub-agent-terminate.js +55 -0
package/dist/tools/sub-agent-terminate.js.map +1 -0
package/dist/tools/sub-agent.d.ts +34 -0
package/dist/tools/sub-agent.d.ts.map +1 -0
package/dist/tools/sub-agent.js +140 -0
package/dist/tools/sub-agent.js.map +1 -0
package/dist/tools/system-info.d.ts +24 -0
package/dist/tools/system-info.d.ts.map +1 -0
package/dist/tools/system-info.js +220 -0
package/dist/tools/system-info.js.map +1 -0
package/dist/tools/todo.d.ts +16 -0
package/dist/tools/todo.d.ts.map +1 -0
package/dist/tools/todo.js +144 -0
package/dist/tools/todo.js.map +1 -0
package/dist/tools/types.d.ts +20 -0
package/dist/tools/types.d.ts.map +1 -0
package/dist/tools/types.js +3 -0
package/dist/tools/types.js.map +1 -0
package/dist/tools/view-diff.d.ts +11 -0
package/dist/tools/view-diff.d.ts.map +1 -0
package/dist/tools/view-diff.js +88 -0
package/dist/tools/view-diff.js.map +1 -0
package/dist/tools/view-repo-map.d.ts +18 -0
package/dist/tools/view-repo-map.d.ts.map +1 -0
package/dist/tools/view-repo-map.js +245 -0
package/dist/tools/view-repo-map.js.map +1 -0
package/dist/tools/web-fetch.d.ts +13 -0
package/dist/tools/web-fetch.d.ts.map +1 -0
package/dist/tools/web-fetch.js +106 -0
package/dist/tools/web-fetch.js.map +1 -0
package/dist/tools/web-search.d.ts +10 -0
package/dist/tools/web-search.d.ts.map +1 -0
package/dist/tools/web-search.js +106 -0
package/dist/tools/web-search.js.map +1 -0
package/dist/utils/gitignore.d.ts +10 -0
package/dist/utils/gitignore.d.ts.map +1 -0
package/dist/utils/gitignore.js +104 -0
package/dist/utils/gitignore.js.map +1 -0
package/dist/utils/lazy-apply.d.ts +45 -0
package/dist/utils/lazy-apply.d.ts.map +1 -0
package/dist/utils/lazy-apply.js +164 -0
package/dist/utils/lazy-apply.js.map +1 -0
package/dist/utils/memory.d.ts +36 -0
package/dist/utils/memory.d.ts.map +1 -0
package/dist/utils/memory.js +136 -0
package/dist/utils/memory.js.map +1 -0
package/dist/utils/path-matching.d.ts +24 -0
package/dist/utils/path-matching.d.ts.map +1 -0
package/dist/utils/path-matching.js +116 -0
package/dist/utils/path-matching.js.map +1 -0
package/dist/utils/path-safety.d.ts +13 -0
package/dist/utils/path-safety.d.ts.map +1 -0
package/dist/utils/path-safety.js +54 -0
package/dist/utils/path-safety.js.map +1 -0
package/dist/utils/project-config.d.ts +18 -0
package/dist/utils/project-config.d.ts.map +1 -0
package/dist/utils/project-config.js +76 -0
package/dist/utils/project-config.js.map +1 -0
package/dist/utils/search-match.d.ts +63 -0
package/dist/utils/search-match.d.ts.map +1 -0
package/dist/utils/search-match.js +426 -0
package/dist/utils/search-match.js.map +1 -0
package/dist/utils/shell-paths.d.ts +17 -0
package/dist/utils/shell-paths.d.ts.map +1 -0
package/dist/utils/shell-paths.js +107 -0
package/dist/utils/shell-paths.js.map +1 -0
package/dist/utils/streaming-diff.d.ts +45 -0
package/dist/utils/streaming-diff.d.ts.map +1 -0
package/dist/utils/streaming-diff.js +230 -0
package/dist/utils/streaming-diff.js.map +1 -0
package/dist/utils/todo.d.ts +47 -0
package/dist/utils/todo.d.ts.map +1 -0
package/dist/utils/todo.js +102 -0
package/dist/utils/todo.js.map +1 -0
package/package.json +23 -0
package/src/agents/coordinator.ts +240 -0
package/src/context-providers/clipboard.ts +48 -0
package/src/context-providers/codebase.ts +274 -0
package/src/context-providers/diff.ts +66 -0
package/src/context-providers/docs.ts +160 -0
package/src/context-providers/file-include.ts +54 -0
package/src/context-providers/folder.ts +106 -0
package/src/context-providers/git.ts +72 -0
package/src/context-providers/index.ts +26 -0
package/src/context-providers/open-files.ts +113 -0
package/src/context-providers/problems.ts +100 -0
package/src/context-providers/registry.ts +99 -0
package/src/context-providers/terminal.ts +58 -0
package/src/context-providers/tree.ts +161 -0
package/src/context-providers/types.ts +84 -0
package/src/context-providers/url.ts +138 -0
package/src/effort/index.ts +177 -0
package/src/hooks/index.ts +148 -0
package/src/index.ts +114 -0
package/src/indexing/README.md +267 -0
package/src/indexing/chunker.ts +206 -0
package/src/indexing/database.ts +299 -0
package/src/indexing/index.ts +15 -0
package/src/indexing/indexer.ts +383 -0
package/src/indexing/recent-edits-cache.ts +150 -0
package/src/indexing/types.ts +44 -0
package/src/mcp/index.ts +33 -0
package/src/mcp/manager.ts +385 -0
package/src/oauth.ts +330 -0
package/src/permissions/index.ts +1011 -0
package/src/plan/index.ts +20 -0
package/src/plan/manager.ts +233 -0
package/src/rules/index.ts +28 -0
package/src/rules/manager.ts +276 -0
package/src/rules/types.ts +40 -0
package/src/sandbox/filesystem.ts +135 -0
package/src/sandbox/index.ts +9 -0
package/src/sandbox/manager.ts +213 -0
package/src/sandbox/network.ts +101 -0
package/src/sandbox/types.ts +63 -0
package/src/tools/ast-edit.ts +493 -0
package/src/tools/code-verify.ts +143 -0
package/src/tools/codebase-search.ts +117 -0
package/src/tools/file-delete.ts +155 -0
package/src/tools/file-edit.ts +115 -0
package/src/tools/file-read.ts +195 -0
package/src/tools/file-run.ts +158 -0
package/src/tools/file-write.ts +104 -0
package/src/tools/glob-search.ts +80 -0
package/src/tools/grep-search.ts +120 -0
package/src/tools/list-dir.ts +172 -0
package/src/tools/multi-edit.ts +138 -0
package/src/tools/notebook-edit.ts +342 -0
package/src/tools/registry.ts +43 -0
package/src/tools/shell-exec.ts +251 -0
package/src/tools/sub-agent-manager.ts +183 -0
package/src/tools/sub-agent-status.ts +67 -0
package/src/tools/sub-agent-terminate.ts +62 -0
package/src/tools/sub-agent.ts +162 -0
package/src/tools/system-info.ts +248 -0
package/src/tools/todo.ts +149 -0
package/src/tools/types.ts +21 -0
package/src/tools/view-diff.ts +99 -0
package/src/tools/view-repo-map.ts +249 -0
package/src/tools/web-fetch.ts +118 -0
package/src/tools/web-search.ts +129 -0
package/src/utils/gitignore.ts +73 -0
package/src/utils/lazy-apply.ts +189 -0
package/src/utils/memory.ts +124 -0
package/src/utils/path-matching.ts +84 -0
package/src/utils/path-safety.ts +19 -0
package/src/utils/project-config.ts +41 -0
package/src/utils/search-match.ts +495 -0
package/src/utils/shell-paths.ts +79 -0
package/src/utils/streaming-diff.ts +260 -0
package/src/utils/todo.ts +115 -0
package/tsconfig.json +18 -0

package/src/oauth.ts ADDED Viewed

@@ -0,0 +1,330 @@
+/**
+ * OAuth 2.0 (PKCE) for Claude — Shared Core Module
+ *
+ * All credential storage, token management, and OAuth flow logic lives here.
+ * Both CLI and VS Code extension import from this module.
+ *
+ * Credential storage:
+ *  - macOS: encrypted Keychain via `security` CLI
+ *  - Linux: libsecret via `secret-tool` if available, else file fallback
+ *  - Windows: Windows Credential Manager via `cmdkey`, else file fallback
+ */
+import * as crypto from "crypto";
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+import { execSync } from "child_process";
+const CONFIG_DIR = path.join(os.homedir(), ".cdoing");
+const KEYCHAIN_SERVICE = "cdoing-agent";
+const KEYCHAIN_ACCOUNT = "oauth-tokens";
+// Claude OAuth endpoints (matching Claude Code CLI)
+const CLAUDE_AUTH_URL = "https://claude.ai/oauth/authorize";
+const CLAUDE_TOKEN_URL = "https://console.anthropic.com/v1/oauth/token";
+const CLAUDE_REDIRECT_URI = "https://console.anthropic.com/oauth/code/callback";
+const CLAUDE_CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
+const SCOPES = "org:create_api_key user:profile user:inference";
+// ── Types ────────────────────────────────────────────────
+export interface OAuthTokens {
+  access_token: string;
+  refresh_token?: string;
+  expires_at?: number;
+  token_type: string;
+}
+// ── PKCE helpers ─────────────────────────────────────────
+function generateCodeVerifier(): string {
+  return crypto.randomBytes(32).toString("base64url");
+}
+function generateCodeChallenge(verifier: string): string {
+  return crypto.createHash("sha256").update(verifier).digest("base64url");
+}
+// ── Secure credential storage ────────────────────────────
+function storeSecret(value: string): void {
+  const platform = process.platform;
+  try {
+    if (platform === "darwin") {
+      try {
+        execSync(
+          `security delete-generic-password -s "${KEYCHAIN_SERVICE}" -a "${KEYCHAIN_ACCOUNT}" 2>/dev/null`,
+          { stdio: "ignore" },
+        );
+      } catch {}
+      execSync(
+        `security add-generic-password -s "${KEYCHAIN_SERVICE}" -a "${KEYCHAIN_ACCOUNT}" -w "${value.replace(/"/g, '\\"')}" -U`,
+        { stdio: "ignore" },
+      );
+      return;
+    }
+    if (platform === "linux") {
+      try {
+        execSync(
+          `echo -n "${value.replace(/"/g, '\\"')}" | secret-tool store --label="Cdoing Agent OAuth" service "${KEYCHAIN_SERVICE}" account "${KEYCHAIN_ACCOUNT}"`,
+          { stdio: "ignore" },
+        );
+        return;
+      } catch {}
+    }
+    if (platform === "win32") {
+      try {
+        execSync(
+          `cmdkey /generic:"${KEYCHAIN_SERVICE}" /user:"${KEYCHAIN_ACCOUNT}" /pass:"${value.replace(/"/g, '""')}"`,
+          { stdio: "ignore" },
+        );
+        return;
+      } catch {}
+    }
+  } catch {}
+  storeSecretToFile(value);
+}
+function loadSecret(): string | null {
+  const platform = process.platform;
+  try {
+    if (platform === "darwin") {
+      const result = execSync(
+        `security find-generic-password -s "${KEYCHAIN_SERVICE}" -a "${KEYCHAIN_ACCOUNT}" -w 2>/dev/null`,
+        { encoding: "utf-8" },
+      );
+      return result.trim();
+    }
+    if (platform === "linux") {
+      try {
+        const result = execSync(
+          `secret-tool lookup service "${KEYCHAIN_SERVICE}" account "${KEYCHAIN_ACCOUNT}" 2>/dev/null`,
+          { encoding: "utf-8" },
+        );
+        return result.trim() || null;
+      } catch {}
+    }
+    if (platform === "win32") {
+      try {
+        const result = execSync(
+          `cmdkey /list:"${KEYCHAIN_SERVICE}"`,
+          { encoding: "utf-8" },
+        );
+        if (result.includes(KEYCHAIN_SERVICE)) {
+          return loadSecretFromFile();
+        }
+      } catch {}
+    }
+  } catch {}
+  return loadSecretFromFile();
+}
+function deleteSecret(): void {
+  const platform = process.platform;
+  try {
+    if (platform === "darwin") {
+      execSync(
+        `security delete-generic-password -s "${KEYCHAIN_SERVICE}" -a "${KEYCHAIN_ACCOUNT}" 2>/dev/null`,
+        { stdio: "ignore" },
+      );
+    } else if (platform === "linux") {
+      execSync(
+        `secret-tool clear service "${KEYCHAIN_SERVICE}" account "${KEYCHAIN_ACCOUNT}" 2>/dev/null`,
+        { stdio: "ignore" },
+      );
+    } else if (platform === "win32") {
+      execSync(`cmdkey /delete:"${KEYCHAIN_SERVICE}" 2>nul`, { stdio: "ignore" });
+    }
+  } catch {}
+  deleteSecretFile();
+}
+// ── File-based fallback (AES-256-CBC) ────────────────────
+function deriveFileKey(): Buffer {
+  const machineId = os.hostname() + os.userInfo().username;
+  return crypto.createHash("sha256").update(machineId).digest();
+}
+function getSecretFilePath(): string {
+  return path.join(CONFIG_DIR, ".oauth-tokens.enc");
+}
+function storeSecretToFile(value: string): void {
+  if (!fs.existsSync(CONFIG_DIR)) fs.mkdirSync(CONFIG_DIR, { recursive: true });
+  const key = deriveFileKey();
+  const iv = crypto.randomBytes(16);
+  const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
+  let encrypted = cipher.update(value, "utf-8", "hex");
+  encrypted += cipher.final("hex");
+  fs.writeFileSync(getSecretFilePath(), iv.toString("hex") + ":" + encrypted, { mode: 0o600 });
+}
+function loadSecretFromFile(): string | null {
+  try {
+    const filePath = getSecretFilePath();
+    if (!fs.existsSync(filePath)) return null;
+    const raw = fs.readFileSync(filePath, "utf-8");
+    const [ivHex, encrypted] = raw.split(":");
+    if (!ivHex || !encrypted) return null;
+    const key = deriveFileKey();
+    const decipher = crypto.createDecipheriv("aes-256-cbc", key, Buffer.from(ivHex, "hex"));
+    let decrypted = decipher.update(encrypted, "hex", "utf-8");
+    decrypted += decipher.final("utf-8");
+    return decrypted;
+  } catch {
+    return null;
+  }
+}
+function deleteSecretFile(): void {
+  try {
+    const filePath = getSecretFilePath();
+    if (fs.existsSync(filePath)) fs.unlinkSync(filePath);
+  } catch {}
+}
+// ── Token storage ────────────────────────────────────────
+export function saveOAuthTokens(tokens: OAuthTokens): void {
+  storeSecret(JSON.stringify({ ...tokens, saved_at: Date.now() }));
+}
+export function loadOAuthTokens(): OAuthTokens | null {
+  const raw = loadSecret();
+  if (!raw) return null;
+  try {
+    const parsed = JSON.parse(raw) as OAuthTokens;
+    return parsed.access_token ? parsed : null;
+  } catch {
+    return null;
+  }
+}
+export function clearOAuthTokens(): void {
+  deleteSecret();
+}
+export function isOAuthExpired(tokens: OAuthTokens): boolean {
+  if (!tokens.expires_at) return false;
+  return Date.now() >= tokens.expires_at;
+}
+// ── Token refresh ────────────────────────────────────────
+export async function refreshAccessToken(refreshToken: string): Promise<OAuthTokens | null> {
+  try {
+    const response = await fetch(CLAUDE_TOKEN_URL, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({
+        grant_type: "refresh_token",
+        refresh_token: refreshToken,
+        client_id: CLAUDE_CLIENT_ID,
+      }).toString(),
+    });
+    if (!response.ok) return null;
+    const data = (await response.json()) as Record<string, unknown>;
+    const tokens: OAuthTokens = {
+      access_token: data.access_token as string,
+      refresh_token: (data.refresh_token as string) || refreshToken,
+      expires_at: data.expires_in ? Date.now() + (data.expires_in as number) * 1000 : undefined,
+      token_type: (data.token_type as string) || "Bearer",
+    };
+    saveOAuthTokens(tokens);
+    return tokens;
+  } catch {
+    return null;
+  }
+}
+// ── Resolve token (with auto-refresh) ────────────────────
+export async function resolveOAuthToken(): Promise<string | null> {
+  const tokens = loadOAuthTokens();
+  if (!tokens) return null;
+  if (isOAuthExpired(tokens) && tokens.refresh_token) {
+    const refreshed = await refreshAccessToken(tokens.refresh_token);
+    return refreshed ? refreshed.access_token : null;
+  }
+  return tokens.access_token;
+}
+// ── OAuth URL generation ─────────────────────────────────
+export function generateOAuthUrl(): { url: string; codeVerifier: string } {
+  const codeVerifier = generateCodeVerifier();
+  const codeChallenge = generateCodeChallenge(codeVerifier);
+  const params = new URLSearchParams({
+    code: "true",
+    client_id: CLAUDE_CLIENT_ID,
+    response_type: "code",
+    redirect_uri: CLAUDE_REDIRECT_URI,
+    scope: SCOPES,
+    code_challenge: codeChallenge,
+    code_challenge_method: "S256",
+    state: codeVerifier,
+  });
+  return { url: `${CLAUDE_AUTH_URL}?${params.toString()}`, codeVerifier };
+}
+// ── Code exchange ────────────────────────────────────────
+export async function exchangeOAuthCode(code: string, codeVerifier: string): Promise<OAuthTokens> {
+  const splits = code.split("#");
+  const response = await fetch(CLAUDE_TOKEN_URL, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      code: splits[0],
+      state: splits[1] || codeVerifier,
+      grant_type: "authorization_code",
+      client_id: CLAUDE_CLIENT_ID,
+      redirect_uri: CLAUDE_REDIRECT_URI,
+      code_verifier: codeVerifier,
+    }),
+  });
+  if (!response.ok) {
+    const errText = await response.text();
+    throw new Error(`Token exchange failed (${response.status}): ${errText.substring(0, 200)}`);
+  }
+  const data = (await response.json()) as Record<string, unknown>;
+  const tokens: OAuthTokens = {
+    access_token: data.access_token as string,
+    refresh_token: data.refresh_token as string | undefined,
+    expires_at: data.expires_in ? Date.now() + (data.expires_in as number) * 1000 : undefined,
+    token_type: (data.token_type as string) || "Bearer",
+  };
+  saveOAuthTokens(tokens);
+  return tokens;
+}
+// ── Status helper ────────────────────────────────────────
+export function getOAuthStatus(): { status: "none" | "active" | "expired"; expiresAt?: number } {
+  const tokens = loadOAuthTokens();
+  if (!tokens) return { status: "none" };
+  if (isOAuthExpired(tokens)) return { status: "expired", expiresAt: tokens.expires_at };
+  return { status: "active", expiresAt: tokens.expires_at };
+}