@elizaos/agent 2.0.0-alpha.413 → 2.0.0-alpha.414

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elizaos/agent",
-  "version": "2.0.0-alpha.413",
+  "version": "2.0.0-alpha.414",
   "description": "Standalone elizaOS-based agent and backend server package.",
   "type": "module",
   "license": "MIT",
@@ -467,7 +467,7 @@
     "@elizaos/app-steward": "^0.0.0",
     "@elizaos/app-task-coordinator": "^0.0.0",
     "@elizaos/app-training": "^0.0.1",
-    "@elizaos/core": "^2.0.0-alpha.413",
+    "@elizaos/core": "^2.0.0-alpha.414",
     "@elizaos/plugin-agent-orchestrator": "^0.6.2-alpha.0",
     "@elizaos/plugin-browser-bridge": "^0.1.0",
     "@elizaos/plugin-local-embedding": "^2.0.0-alpha.12",
@@ -476,8 +476,8 @@
     "@elizaos/plugin-solana": "^2.0.0-alpha.6",
     "@elizaos/plugin-sql": "^2.0.0-alpha.19",
     "@elizaos/plugin-wechat": "^0.1.0",
-    "@elizaos/shared": "^2.0.0-alpha.413",
-    "@elizaos/skills": "^2.0.0-alpha.413",
+    "@elizaos/shared": "^2.0.0-alpha.414",
+    "@elizaos/skills": "^2.0.0-alpha.414",
     "@hapi/boom": "^10.0.1",
     "@noble/curves": "^2.0.1",
     "@solana/web3.js": "^1.98.4",

package/packages/agent/src/api/model-provider-helpers.js

@@ -34,28 +34,28 @@ export function getModelOptions() {
         },
         // OpenAI
         {
-            id: "openai/gpt-5.4-pro",
-            name: "GPT-5.4 Pro",
+            id: "openai/gpt-5.5-pro",
+            name: "GPT-5.5 Pro",
             provider: "OpenAI",
-            description: "Highest-precision GPT-5.4 variant.",
+            description: "Highest-precision GPT-5.5 variant.",
         },
         {
-            id: "openai/gpt-5.4",
-            name: "GPT-5.4",
+            id: "openai/gpt-5.5",
+            name: "GPT-5.5",
             provider: "OpenAI",
             description: "Flagship OpenAI model for coding and reasoning.",
         },
         {
-            id: "openai/gpt-5.4-mini",
-            name: "GPT-5.4 Mini",
+            id: "openai/gpt-5.5-mini",
+            name: "GPT-5.5 Mini",
             provider: "OpenAI",
             description: "High-volume OpenAI mini model.",
         },
         {
-            id: "openai/gpt-5.4-nano",
-            name: "GPT-5.4 Nano",
+            id: "openai/gpt-5.5-nano",
+            name: "GPT-5.5 Nano",
             provider: "OpenAI",
-            description: "Cheapest GPT-5.4 tier for fast routing and gating.",
+            description: "Cheapest GPT-5.5 tier for fast routing and gating.",
         },
         // Google
         {

package/packages/agent/src/api/provider-switch-config.js

@@ -281,9 +281,9 @@ const PROVIDER_DEFAULT_MODELS = {
     },
     openai: {
         smallKey: "OPENAI_SMALL_MODEL",
-        smallVal: "gpt-5.4-mini",
+        smallVal: "gpt-5.5-mini",
         largeKey: "OPENAI_LARGE_MODEL",
-        largeVal: "gpt-5.4",
+        largeVal: "gpt-5.5",
     },
     google: {
         smallKey: "GOOGLE_SMALL_MODEL",

package/packages/agent/src/auth/index.d.ts

@@ -1,6 +1,8 @@
+export * from "./account-storage.js";
 export * from "./anthropic.js";
 export * from "./claude-code-stealth.js";
 export * from "./credentials.js";
+export * from "./oauth-flow.js";
 export * from "./openai-codex.js";
 export * from "./types.js";
 //# sourceMappingURL=index.d.ts.map

package/packages/agent/src/auth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/auth/index.ts"],"names":[],"mappings":"AAAA,cAAc,gBAAgB,CAAC;AAC/B,cAAc,0BAA0B,CAAC;AACzC,cAAc,kBAAkB,CAAC;AACjC,cAAc,mBAAmB,CAAC;AAClC,cAAc,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/auth/index.ts"],"names":[],"mappings":"AAAA,cAAc,sBAAsB,CAAC;AACrC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,0BAA0B,CAAC;AACzC,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAChC,cAAc,mBAAmB,CAAC;AAClC,cAAc,YAAY,CAAC"}

package/packages/agent/src/auth/index.js

@@ -1,5 +1,7 @@
+export * from "./account-storage.js";
 export * from "./anthropic.js";
 export * from "./claude-code-stealth.js";
 export * from "./credentials.js";
+export * from "./oauth-flow.js";
 export * from "./openai-codex.js";
 export * from "./types.js";

package/packages/agent/src/auth/oauth-flow.d.ts

@@ -0,0 +1,106 @@
+/**
+ * OAuth flow orchestration registry.
+ *
+ * Wraps the provider-specific programmatic OAuth helpers
+ * (`startAnthropicOAuthFlowRaw` from
+ * `vendor/pi-oauth/anthropic-login.ts` and the loopback-listener flow
+ * in `openai-codex.ts`) with:
+ *
+ *   - a 5-minute timeout per flow,
+ *   - automatic `saveAccount(...)` after token exchange,
+ *   - an in-memory registry keyed by `sessionId` so the HTTP API can
+ *     stream progress over SSE and the CLI can `await` completion,
+ *   - garbage collection 10 minutes after a flow reaches a terminal
+ *     state.
+ *
+ * Both the CLI and the new accounts-routes HTTP endpoints drive flows
+ * through this module — there is no direct caller of the vendor-level
+ * OAuth helpers anymore.
+ */
+import { type AccountCredentialRecord } from "./account-storage.js";
+import type { SubscriptionProvider } from "./types.js";
+/** Server-tracked status of an in-flight OAuth flow. */
+export type FlowStatus = "pending" | "success" | "error" | "cancelled" | "timeout";
+export interface FlowState {
+    sessionId: string;
+    providerId: SubscriptionProvider;
+    status: FlowStatus;
+    /** Set on `pending` (so the UI can re-open the browser) and on `success`. */
+    authUrl?: string;
+    /** Anthropic only — the user must paste `code#state`; Codex uses the loopback callback. */
+    needsCodeSubmission: boolean;
+    account?: AccountCredentialRecord;
+    error?: string;
+    startedAt: number;
+    endedAt?: number;
+}
+export interface OAuthFlowHandle {
+    sessionId: string;
+    authUrl: string;
+    /** Codex flows resolve via the loopback listener; Anthropic requires `submitCode`. */
+    needsCodeSubmission: boolean;
+    /** Resolves with the saved AccountCredentialRecord; rejects on cancel/timeout/error. */
+    completion: Promise<{
+        account: AccountCredentialRecord;
+    }>;
+    /** Anthropic only — submit `code#state` from the redirect page. No-op for Codex. */
+    submitCode: (code: string) => void;
+    cancel: (reason?: string) => void;
+}
+interface StartOptions {
+    label: string;
+    accountId?: string;
+    /**
+     * Called after the account is saved on disk. Used by the HTTP
+     * route layer to also write a `LinkedAccountConfig` row into
+     * `milady.json`. Failures here propagate as flow `error`.
+     */
+    onAccountSaved?: (account: AccountCredentialRecord) => void | Promise<void>;
+}
+/**
+ * Start a programmatic Anthropic OAuth flow. Anthropic's redirect URI
+ * is hardcoded to `console.anthropic.com/oauth/code/callback` — the
+ * UI must surface the auth URL, prompt the user to copy the
+ * `code#state` blob, and call `submitCode()` with it. Once the code is
+ * submitted, the token exchange runs and the account is persisted.
+ */
+export declare function startAnthropicOAuthFlow(opts: StartOptions): Promise<OAuthFlowHandle>;
+/**
+ * Start a programmatic Codex OAuth flow. Codex has a loopback listener
+ * on :1455, so the user just signs in in the browser and the listener
+ * picks up the redirect — `submitCode()` is a no-op. The accountId
+ * baked into the JWT is preserved on `LinkedAccountConfig.organizationId`
+ * (used by the Codex usage probe via the `ChatGPT-Account-Id` header).
+ */
+export declare function startCodexOAuthFlow(opts: StartOptions): Promise<OAuthFlowHandle>;
+export declare function getFlowState(sessionId: string): FlowState | null;
+export declare function getFlowHandle(sessionId: string): OAuthFlowHandle | null;
+/**
+ * Subscribe to status updates for a flow. Replays the current state
+ * synchronously so SSE consumers always receive an immediate frame.
+ * Returns an unsubscribe function.
+ */
+export declare function subscribeFlow(sessionId: string, listener: (state: FlowState) => void): () => void;
+export declare function cancelFlow(sessionId: string, reason?: string): boolean;
+export declare function submitFlowCode(sessionId: string, code: string): boolean;
+/**
+ * Remove every flow from the registry. Tests use this to reset
+ * between cases without resetting the whole module.
+ */
+export declare function _resetFlowRegistry(): void;
+/**
+ * Test-only helper to seed a synthetic flow without going through the
+ * vendor layer. Used by `accounts-routes.test.ts` to assert the SSE
+ * surface streams `success` / `error` payloads correctly.
+ */
+export declare function _registerSyntheticFlow(args: {
+    sessionId?: string;
+    providerId: SubscriptionProvider;
+    authUrl: string;
+    needsCodeSubmission?: boolean;
+}): {
+    sessionId: string;
+    complete: (state: FlowState) => void;
+};
+export {};
+//# sourceMappingURL=oauth-flow.d.ts.map

package/packages/agent/src/auth/oauth-flow.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-flow.d.ts","sourceRoot":"","sources":["../../../../../src/auth/oauth-flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAIH,OAAO,EACL,KAAK,uBAAuB,EAE7B,MAAM,sBAAsB,CAAC;AAG9B,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAMvD,wDAAwD;AACxD,MAAM,MAAM,UAAU,GAClB,SAAS,GACT,SAAS,GACT,OAAO,GACP,WAAW,GACX,SAAS,CAAC;AAEd,MAAM,WAAW,SAAS;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,oBAAoB,CAAC;IACjC,MAAM,EAAE,UAAU,CAAC;IACnB,6EAA6E;IAC7E,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,2FAA2F;IAC3F,mBAAmB,EAAE,OAAO,CAAC;IAC7B,OAAO,CAAC,EAAE,uBAAuB,CAAC;IAClC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,sFAAsF;IACtF,mBAAmB,EAAE,OAAO,CAAC;IAC7B,wFAAwF;IACxF,UAAU,EAAE,OAAO,CAAC;QAAE,OAAO,EAAE,uBAAuB,CAAA;KAAE,CAAC,CAAC;IAC1D,oFAAoF;IACpF,UAAU,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;IACnC,MAAM,EAAE,CAAC,MAAM,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC;CACnC;AAuED,UAAU,YAAY;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,OAAO,EAAE,uBAAuB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7E;AAID;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CACrC,IAAI,EAAE,YAAY,GACjB,OAAO,CAAC,eAAe,CAAC,CAqB1B;AAID;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CACjC,IAAI,EAAE,YAAY,GACjB,OAAO,CAAC,eAAe,CAAC,CAmB1B;AA2ID,wBAAgB,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,CAGhE;AAED,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI,CAGvE;AAED;;;;GAIG;AACH,wBAAgB,aAAa,CAC3B,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,CAAC,KAAK,EAAE,SAAS,KAAK,IAAI,GACnC,MAAM,IAAI,CASZ;AAED,wBAAgB,UAAU,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAMtE;AAED,wBAAgB,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAOvE;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,IAAI,IAAI,CAKzC;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE;IAC3C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,oBAAoB,CAAC;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,mBAAmB,CAAC,EAAE,OAAO,CAAC;CAC/B,GAAG;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,CAAC,KAAK,EAAE,SAAS,KAAK,IAAI,CAAA;CAAE,CA+B9D"}

package/packages/agent/src/auth/oauth-flow.js

@@ -0,0 +1,349 @@
+/**
+ * OAuth flow orchestration registry.
+ *
+ * Wraps the provider-specific programmatic OAuth helpers
+ * (`startAnthropicOAuthFlowRaw` from
+ * `vendor/pi-oauth/anthropic-login.ts` and the loopback-listener flow
+ * in `openai-codex.ts`) with:
+ *
+ *   - a 5-minute timeout per flow,
+ *   - automatic `saveAccount(...)` after token exchange,
+ *   - an in-memory registry keyed by `sessionId` so the HTTP API can
+ *     stream progress over SSE and the CLI can `await` completion,
+ *   - garbage collection 10 minutes after a flow reaches a terminal
+ *     state.
+ *
+ * Both the CLI and the new accounts-routes HTTP endpoints drive flows
+ * through this module — there is no direct caller of the vendor-level
+ * OAuth helpers anymore.
+ */
+import crypto from "node:crypto";
+import { logger } from "@elizaos/core";
+import { saveAccount, } from "./account-storage.js";
+import { startCodexLogin } from "./openai-codex.js";
+import { startAnthropicOAuthFlowRaw, } from "./vendor/pi-oauth/anthropic-login.js";
+const FLOW_TIMEOUT_MS = 5 * 60 * 1000;
+const FLOW_GC_MS = 10 * 60 * 1000;
+const flows = new Map();
+function newSessionId() {
+    return crypto.randomUUID();
+}
+function emit(entry) {
+    for (const listener of entry.listeners) {
+        listener(entry.state);
+    }
+}
+function scheduleGc(sessionId) {
+    const entry = flows.get(sessionId);
+    if (!entry)
+        return;
+    if (entry.gcTimer)
+        clearTimeout(entry.gcTimer);
+    entry.gcTimer = setTimeout(() => {
+        flows.delete(sessionId);
+    }, FLOW_GC_MS);
+}
+function resolveAccountId(opts) {
+    return opts.accountId?.trim() || crypto.randomUUID();
+}
+/**
+ * Build an `AccountCredentialRecord` and persist it via `saveAccount`.
+ * Returns the canonical record (with `createdAt`/`updatedAt` filled).
+ */
+function persistAccount(args) {
+    const now = Date.now();
+    const record = {
+        id: args.accountId,
+        providerId: args.providerId,
+        label: args.label,
+        source: "oauth",
+        credentials: {
+            access: args.access,
+            refresh: args.refresh,
+            expires: args.expires,
+        },
+        createdAt: now,
+        updatedAt: now,
+        ...(args.organizationId ? { organizationId: args.organizationId } : {}),
+        ...(args.email ? { email: args.email } : {}),
+    };
+    saveAccount(record);
+    return record;
+}
+// Anthropic.
+/**
+ * Start a programmatic Anthropic OAuth flow. Anthropic's redirect URI
+ * is hardcoded to `console.anthropic.com/oauth/code/callback` — the
+ * UI must surface the auth URL, prompt the user to copy the
+ * `code#state` blob, and call `submitCode()` with it. Once the code is
+ * submitted, the token exchange runs and the account is persisted.
+ */
+export function startAnthropicOAuthFlow(opts) {
+    return startGenericFlow({
+        providerId: "anthropic-subscription",
+        opts,
+        needsCodeSubmission: true,
+        begin: async () => {
+            const raw = await startAnthropicOAuthFlowRaw();
+            const completion = (async () => {
+                const creds = await raw.completion;
+                return { creds };
+            })();
+            return {
+                authUrl: raw.authUrl,
+                completion,
+                submitCode: raw.submitCode,
+                cancel: raw.cancel,
+            };
+        },
+    });
+}
+// Codex (OpenAI ChatGPT subscription).
+/**
+ * Start a programmatic Codex OAuth flow. Codex has a loopback listener
+ * on :1455, so the user just signs in in the browser and the listener
+ * picks up the redirect — `submitCode()` is a no-op. The accountId
+ * baked into the JWT is preserved on `LinkedAccountConfig.organizationId`
+ * (used by the Codex usage probe via the `ChatGPT-Account-Id` header).
+ */
+export function startCodexOAuthFlow(opts) {
+    return startGenericFlow({
+        providerId: "openai-codex",
+        opts,
+        needsCodeSubmission: false,
+        begin: async () => {
+            const flow = await startCodexLogin();
+            const completion = (async () => {
+                const creds = await flow.credentials;
+                return { creds, codexFlow: flow };
+            })();
+            return {
+                authUrl: flow.authUrl,
+                completion,
+                submitCode: (code) => flow.submitCode(code),
+                cancel: () => flow.close(),
+            };
+        },
+    });
+}
+async function startGenericFlow(args) {
+    const { providerId, opts, needsCodeSubmission, begin } = args;
+    const sessionId = newSessionId();
+    const accountId = resolveAccountId(opts);
+    const vendor = await begin();
+    const startedAt = Date.now();
+    const initialState = {
+        sessionId,
+        providerId,
+        status: "pending",
+        authUrl: vendor.authUrl,
+        needsCodeSubmission,
+        startedAt,
+    };
+    let resolveCompletion;
+    let rejectCompletion;
+    const completion = new Promise((resolve, reject) => {
+        resolveCompletion = resolve;
+        rejectCompletion = reject;
+    });
+    const entry = {
+        state: initialState,
+        handle: {}, // filled below
+        listeners: new Set(),
+    };
+    flows.set(sessionId, entry);
+    const setTerminal = (next) => {
+        if (entry.state.status !== "pending")
+            return;
+        entry.state = {
+            ...entry.state,
+            ...next,
+            endedAt: Date.now(),
+        };
+        emit(entry);
+        scheduleGc(sessionId);
+    };
+    const timer = setTimeout(() => {
+        const err = new Error("OAuth flow timed out after 5 minutes");
+        try {
+            vendor.cancel("timeout");
+        }
+        catch (cancelErr) {
+            logger.debug(`[oauth-flow] cancel during timeout failed: ${String(cancelErr)}`);
+        }
+        setTerminal({ status: "timeout", error: err.message });
+        rejectCompletion(err);
+    }, FLOW_TIMEOUT_MS);
+    // Drive the vendor completion through to account-save and listener emit.
+    void (async () => {
+        try {
+            const { creds } = await vendor.completion;
+            clearTimeout(timer);
+            let organizationId;
+            // Codex bakes the account_id into the JWT — pull it back out for
+            // the usage probe header.
+            if (providerId === "openai-codex") {
+                const codexAccountId = extractCodexAccountId(creds.access);
+                if (codexAccountId)
+                    organizationId = codexAccountId;
+            }
+            const record = persistAccount({
+                providerId,
+                accountId,
+                label: opts.label,
+                access: creds.access,
+                refresh: creds.refresh,
+                expires: creds.expires,
+                ...(organizationId ? { organizationId } : {}),
+            });
+            if (opts.onAccountSaved) {
+                await opts.onAccountSaved(record);
+            }
+            setTerminal({ status: "success", account: record });
+            resolveCompletion({ account: record });
+        }
+        catch (err) {
+            clearTimeout(timer);
+            const message = err instanceof Error ? err.message : String(err);
+            setTerminal({ status: "error", error: message });
+            rejectCompletion(err instanceof Error ? err : new Error(message));
+        }
+    })();
+    const handle = {
+        sessionId,
+        authUrl: vendor.authUrl,
+        needsCodeSubmission,
+        completion,
+        submitCode: (code) => {
+            vendor.submitCode(code);
+        },
+        cancel: (reason = "Cancelled") => {
+            if (entry.state.status !== "pending")
+                return;
+            try {
+                vendor.cancel(reason);
+            }
+            catch (err) {
+                logger.debug(`[oauth-flow] vendor cancel failed: ${String(err)}`);
+            }
+            clearTimeout(timer);
+            const error = new Error(reason);
+            setTerminal({ status: "cancelled", error: reason });
+            rejectCompletion(error);
+        },
+    };
+    entry.handle = handle;
+    emit(entry);
+    return handle;
+}
+// Registry surface used by the SSE / cancel routes.
+export function getFlowState(sessionId) {
+    const entry = flows.get(sessionId);
+    return entry ? entry.state : null;
+}
+export function getFlowHandle(sessionId) {
+    const entry = flows.get(sessionId);
+    return entry ? entry.handle : null;
+}
+/**
+ * Subscribe to status updates for a flow. Replays the current state
+ * synchronously so SSE consumers always receive an immediate frame.
+ * Returns an unsubscribe function.
+ */
+export function subscribeFlow(sessionId, listener) {
+    const entry = flows.get(sessionId);
+    if (!entry)
+        return () => { };
+    entry.listeners.add(listener);
+    // Replay current state.
+    listener(entry.state);
+    return () => {
+        entry.listeners.delete(listener);
+    };
+}
+export function cancelFlow(sessionId, reason) {
+    const entry = flows.get(sessionId);
+    if (!entry)
+        return false;
+    if (entry.state.status !== "pending")
+        return false;
+    entry.handle.cancel(reason);
+    return true;
+}
+export function submitFlowCode(sessionId, code) {
+    const entry = flows.get(sessionId);
+    if (!entry)
+        return false;
+    if (entry.state.status !== "pending")
+        return false;
+    if (!entry.state.needsCodeSubmission)
+        return false;
+    entry.handle.submitCode(code);
+    return true;
+}
+/**
+ * Remove every flow from the registry. Tests use this to reset
+ * between cases without resetting the whole module.
+ */
+export function _resetFlowRegistry() {
+    for (const entry of flows.values()) {
+        if (entry.gcTimer)
+            clearTimeout(entry.gcTimer);
+    }
+    flows.clear();
+}
+/**
+ * Test-only helper to seed a synthetic flow without going through the
+ * vendor layer. Used by `accounts-routes.test.ts` to assert the SSE
+ * surface streams `success` / `error` payloads correctly.
+ */
+export function _registerSyntheticFlow(args) {
+    const sessionId = args.sessionId ?? newSessionId();
+    const state = {
+        sessionId,
+        providerId: args.providerId,
+        status: "pending",
+        authUrl: args.authUrl,
+        needsCodeSubmission: Boolean(args.needsCodeSubmission),
+        startedAt: Date.now(),
+    };
+    const entry = {
+        state,
+        handle: {
+            sessionId,
+            authUrl: args.authUrl,
+            needsCodeSubmission: Boolean(args.needsCodeSubmission),
+            completion: new Promise(() => undefined),
+            submitCode: () => undefined,
+            cancel: () => undefined,
+        },
+        listeners: new Set(),
+    };
+    flows.set(sessionId, entry);
+    const complete = (next) => {
+        entry.state = { ...next, endedAt: next.endedAt ?? Date.now() };
+        emit(entry);
+        scheduleGc(sessionId);
+    };
+    return { sessionId, complete };
+}
+/** OpenAI Codex JWT carries `chatgpt_account_id` under a vendor claim. */
+function extractCodexAccountId(accessToken) {
+    try {
+        const parts = accessToken.split(".");
+        if (parts.length !== 3)
+            return null;
+        const payload = parts[1];
+        const decoded = JSON.parse(Buffer.from(payload, "base64").toString("utf-8"));
+        const claim = decoded["https://api.openai.com/auth"];
+        if (!claim || typeof claim !== "object")
+            return null;
+        const accountId = claim.chatgpt_account_id;
+        return typeof accountId === "string" && accountId.length > 0
+            ? accountId
+            : null;
+    }
+    catch {
+        return null;
+    }
+}

package/packages/agent/src/auth/vendor/pi-oauth/anthropic-login.d.ts

@@ -1,15 +1,47 @@
 /**
  * Anthropic OAuth (Claude Pro/Max) — authorization code + PKCE.
  * Inlined OAuth flow (MIT) — vendored to avoid a runtime dependency.
+ *
+ * Anthropic's OAuth uses a fixed redirect URI on `console.anthropic.com`
+ * that displays the auth code on completion — there's no loopback
+ * listener. The flow surfaces an `authUrl` plus a `submitCode()` hook
+ * the UI / CLI calls once the user has copied the code.
  */
 export interface AnthropicOAuthCredentials {
     refresh: string;
     access: string;
     expires: number;
 }
+/**
+ * Programmatic Anthropic OAuth flow.
+ *
+ * `authUrl` is ready immediately. The caller MUST eventually call
+ * either `submitCode(code)` (after the user has pasted the
+ * `code#state` blob from the redirect page) or `cancel()`. The
+ * `completion` promise rejects if the flow is cancelled.
+ */
+export interface AnthropicOAuthFlowHandle {
+    authUrl: string;
+    /** Pass `code#state` from the redirect page. */
+    submitCode: (code: string) => void;
+    /** Resolves with credentials once `submitCode` lands and the token exchange succeeds. */
+    completion: Promise<AnthropicOAuthCredentials>;
+    cancel: (reason?: string) => void;
+}
+/**
+ * Start an Anthropic OAuth flow. Returns immediately with the auth
+ * URL and a `submitCode` hook. The token exchange happens inside
+ * `completion` once the caller submits the code.
+ */
+export declare function startAnthropicOAuthFlowRaw(): Promise<AnthropicOAuthFlowHandle>;
 /**
  * @param onAuthUrl - Receives the browser authorization URL
  * @param onPromptCode - Resolves with pasted code (format: code#state)
+ *
+ * Thin compatibility wrapper around `startAnthropicOAuthFlowRaw` for
+ * the CLI entrypoint and any older callers. New code should use
+ * `startAnthropicOAuthFlowRaw` (or the higher-level
+ * `startAnthropicOAuthFlow` in `auth/oauth-flow.ts`) directly.
  */
 export declare function loginAnthropic(onAuthUrl: (url: string) => void, onPromptCode: () => Promise<string>): Promise<AnthropicOAuthCredentials>;
 export declare function refreshAnthropicToken(refreshToken: string): Promise<AnthropicOAuthCredentials>;

package/packages/agent/src/auth/vendor/pi-oauth/anthropic-login.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"anthropic-login.d.ts","sourceRoot":"","sources":["../../../../../../../src/auth/vendor/pi-oauth/anthropic-login.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAWH,MAAM,WAAW,yBAAyB;IACxC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAClC,SAAS,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,EAChC,YAAY,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,GAClC,OAAO,CAAC,yBAAyB,CAAC,CA6CpC;AAED,wBAAsB,qBAAqB,CACzC,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,yBAAyB,CAAC,CAwBpC"}
+{"version":3,"file":"anthropic-login.d.ts","sourceRoot":"","sources":["../../../../../../../src/auth/vendor/pi-oauth/anthropic-login.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAWH,MAAM,WAAW,yBAAyB;IACxC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,MAAM,CAAC;IAChB,gDAAgD;IAChD,UAAU,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;IACnC,yFAAyF;IACzF,UAAU,EAAE,OAAO,CAAC,yBAAyB,CAAC,CAAC;IAC/C,MAAM,EAAE,CAAC,MAAM,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC;CACnC;AAED;;;;GAIG;AACH,wBAAsB,0BAA0B,IAAI,OAAO,CAAC,wBAAwB,CAAC,CA6DpF;AAED;;;;;;;;GAQG;AACH,wBAAsB,cAAc,CAClC,SAAS,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,EAChC,YAAY,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,GAClC,OAAO,CAAC,yBAAyB,CAAC,CAMpC;AAED,wBAAsB,qBAAqB,CACzC,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,yBAAyB,CAAC,CAwBpC"}

package/packages/agent/src/auth/vendor/pi-oauth/anthropic-login.js

@@ -1,6 +1,11 @@
 /**
  * Anthropic OAuth (Claude Pro/Max) — authorization code + PKCE.
  * Inlined OAuth flow (MIT) — vendored to avoid a runtime dependency.
+ *
+ * Anthropic's OAuth uses a fixed redirect URI on `console.anthropic.com`
+ * that displays the auth code on completion — there's no loopback
+ * listener. The flow surfaces an `authUrl` plus a `submitCode()` hook
+ * the UI / CLI calls once the user has copied the code.
  */
 import { generatePKCE } from "./pkce.js";
 const decode = (s) => atob(s);
@@ -10,10 +15,11 @@ const TOKEN_URL = "https://console.anthropic.com/v1/oauth/token";
 const REDIRECT_URI = "https://console.anthropic.com/oauth/code/callback";
 const SCOPES = "org:create_api_key user:profile user:inference";
 /**
- * @param onAuthUrl - Receives the browser authorization URL
- * @param onPromptCode - Resolves with pasted code (format: code#state)
+ * Start an Anthropic OAuth flow. Returns immediately with the auth
+ * URL and a `submitCode` hook. The token exchange happens inside
+ * `completion` once the caller submits the code.
  */
-export async function loginAnthropic(onAuthUrl, onPromptCode) {
+export async function startAnthropicOAuthFlowRaw() {
     const { verifier, challenge } = await generatePKCE();
     const authParams = new URLSearchParams({
         code: "true",
@@ -26,35 +32,64 @@ export async function loginAnthropic(onAuthUrl, onPromptCode) {
         state: verifier,
     });
     const authUrl = `${AUTHORIZE_URL}?${authParams.toString()}`;
-    onAuthUrl(authUrl);
-    const authCode = await onPromptCode();
-    const splits = authCode.split("#");
-    const code = splits[0];
-    const state = splits[1];
-    const tokenResponse = await fetch(TOKEN_URL, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({
-            grant_type: "authorization_code",
-            client_id: CLIENT_ID,
-            code,
-            state,
-            redirect_uri: REDIRECT_URI,
-            code_verifier: verifier,
-        }),
+    let resolveCode = null;
+    let rejectCode = null;
+    const codePromise = new Promise((resolve, reject) => {
+        resolveCode = resolve;
+        rejectCode = reject;
     });
-    if (!tokenResponse.ok) {
-        const errText = await tokenResponse.text();
-        throw new Error(`Token exchange failed: ${errText}`);
-    }
-    const tokenData = (await tokenResponse.json());
-    const expiresAt = Date.now() + tokenData.expires_in * 1000 - 5 * 60 * 1000;
+    const completion = (async () => {
+        const authCode = await codePromise;
+        const splits = authCode.split("#");
+        const code = splits[0];
+        const state = splits[1];
+        const tokenResponse = await fetch(TOKEN_URL, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                grant_type: "authorization_code",
+                client_id: CLIENT_ID,
+                code,
+                state,
+                redirect_uri: REDIRECT_URI,
+                code_verifier: verifier,
+            }),
+        });
+        if (!tokenResponse.ok) {
+            const errText = await tokenResponse.text();
+            throw new Error(`Token exchange failed: ${errText}`);
+        }
+        const tokenData = (await tokenResponse.json());
+        const expiresAt = Date.now() + tokenData.expires_in * 1000 - 5 * 60 * 1000;
+        return {
+            refresh: tokenData.refresh_token,
+            access: tokenData.access_token,
+            expires: expiresAt,
+        };
+    })();
     return {
-        refresh: tokenData.refresh_token,
-        access: tokenData.access_token,
-        expires: expiresAt,
+        authUrl,
+        submitCode: (code) => resolveCode?.(code),
+        completion,
+        cancel: (reason = "Cancelled") => rejectCode?.(new Error(reason)),
     };
 }
+/**
+ * @param onAuthUrl - Receives the browser authorization URL
+ * @param onPromptCode - Resolves with pasted code (format: code#state)
+ *
+ * Thin compatibility wrapper around `startAnthropicOAuthFlowRaw` for
+ * the CLI entrypoint and any older callers. New code should use
+ * `startAnthropicOAuthFlowRaw` (or the higher-level
+ * `startAnthropicOAuthFlow` in `auth/oauth-flow.ts`) directly.
+ */
+export async function loginAnthropic(onAuthUrl, onPromptCode) {
+    const handle = await startAnthropicOAuthFlowRaw();
+    onAuthUrl(handle.authUrl);
+    const code = await onPromptCode();
+    handle.submitCode(code);
+    return handle.completion;
+}
 export async function refreshAnthropicToken(refreshToken) {
     const response = await fetch(TOKEN_URL, {
         method: "POST",

package/packages/agent/src/config/schema.js

@@ -413,7 +413,7 @@ const FIELD_HELP = {
     "diagnostics.cacheTrace.includePrompt": "Include prompt text in trace output (default: true).",
     "diagnostics.cacheTrace.includeSystem": "Include system prompt in trace output (default: true).",
     "tools.exec.applyPatch.enabled": "Experimental. Enables apply_patch for OpenAI models when allowed by tool policy.",
-    "tools.exec.applyPatch.allowModels": 'Optional allowlist of model ids (e.g. "gpt-5.4" or "openai/gpt-5.4").',
+    "tools.exec.applyPatch.allowModels": 'Optional allowlist of model ids (e.g. "gpt-5.5" or "openai/gpt-5.5").',
     "tools.exec.notifyOnExit": "When true (default), backgrounded exec sessions enqueue a system event and request a heartbeat on exit.",
     "tools.exec.pathPrepend": "Directories to prepend to PATH for exec runs (gateway/sandbox).",
     "tools.exec.safeBins": "Allow stdin-only safe binaries to run without explicit allowlist entries.",

package/packages/agent/src/config/types.messages.d.ts

@@ -123,7 +123,7 @@ export type MessagesConfig = {
      * - special value: `"auto"` derives `[{agents.list[].identity.name}]` for the routed agent (when set)
      *
      * Supported template variables (case-insensitive):
-     * - `{model}` - short model name (e.g., `claude-opus-4-7`, `gpt-5.4`)
+     * - `{model}` - short model name (e.g., `claude-opus-4-7`, `gpt-5.5`)
      * - `{modelFull}` - full model identifier (e.g., `anthropic/claude-opus-4.7`)
      * - `{provider}` - provider name (e.g., `anthropic`, `openai`)
      * - `{thinkingLevel}` or `{think}` - current thinking level (`high`, `low`, `off`)

package/packages/agent/src/config/types.tools.d.ts

@@ -141,7 +141,7 @@ export type ExecToolConfig = {
         enabled?: boolean;
         /**
          * Optional allowlist of model ids that can use apply_patch.
-         * Accepts either raw ids (e.g. "gpt-5.4") or full ids (e.g. "openai/gpt-5.4").
+         * Accepts either raw ids (e.g. "gpt-5.5") or full ids (e.g. "openai/gpt-5.5").
          */
         allowModels?: string[];
     };

package/packages/agent/src/runtime/eliza.js

@@ -464,8 +464,8 @@ function isLikelyOpenAiTextModel(value) {
  * Normalize known-bad provider compatibility shims before plugin resolution.
  *
  * A common failure mode is routing the OpenAI plugin through Groq's
- * OpenAI-compatible base URL while leaving OpenAI defaults (`gpt-5.4`,
- * `gpt-5.4-mini`) in place. Structured XML/object generation then fails during
+ * OpenAI-compatible base URL while leaving OpenAI defaults (`gpt-5.5`,
+ * `gpt-5.5-mini`) in place. Structured XML/object generation then fails during
  * message handling because Groq does not serve those model IDs.
  *
  * When we can confidently detect that state, rewrite the effective runtime
@@ -1036,7 +1036,7 @@ export function applyCloudConfigToEnv(config) {
     const llmText = resolveServiceRoutingInConfig(config)?.llmText;
     const models = config.models;
     if (effectivelyEnabled) {
-        const nano = llmText?.nanoModel || models?.nano || "openai/gpt-5.4-nano";
+        const nano = llmText?.nanoModel || models?.nano || "openai/gpt-5.5-nano";
         const small = llmText?.smallModel || models?.small || "minimax/minimax-m2.7";
         const medium = llmText?.mediumModel || models?.medium || small;
         const large = llmText?.largeModel || models?.large || "anthropic/claude-opus-4-7";

package/packages/app-core/src/components/conversations/conversation-utils.js

@@ -104,10 +104,10 @@ export function isNonChatModelLabel(model) {
 export function estimateTokenCost(promptTokens, completionTokens, model) {
     const normalizedModel = (model ?? "").toLowerCase();
     const pricingByMillion = {
-        "gpt-5.4-pro": [30.0, 180.0],
-        "gpt-5.4-mini": [0.75, 4.5],
-        "gpt-5.4-nano": [0.2, 1.25],
-        "gpt-5.4": [2.5, 15.0],
+        "gpt-5.5-pro": [30.0, 180.0],
+        "gpt-5.5-mini": [0.75, 4.5],
+        "gpt-5.5-nano": [0.2, 1.25],
+        "gpt-5.5": [2.5, 15.0],
         "gpt-4.1": [2.0, 8.0],
         "gpt-4o": [2.5, 10.0],
         "gpt-4": [30.0, 60.0],

package/packages/app-core/src/components/settings/ProviderSwitcher.js

@@ -168,7 +168,7 @@ export function ProviderSwitcher(props = {}) {
                 const providerId = getOnboardingProviderOption(llmText?.backend)?.id;
                 const elizaCloudEnabledCfg = llmText?.transport === "cloud-proxy" && providerId === "elizacloud";
                 const defaults = {
-                    nano: "openai/gpt-5.4-nano",
+                    nano: "openai/gpt-5.5-nano",
                     small: "minimax/minimax-m2.7",
                     medium: "anthropic/claude-sonnet-4.6",
                     large: "moonshotai/kimi-k2.5",

package/packages/app-core/src/state/useOnboardingState.js

@@ -121,7 +121,7 @@ function createInitialState(cloudOnly) {
         apiKey: "",
         voiceProvider: "",
         voiceApiKey: "",
-        nanoModel: "openai/gpt-5.4-nano",
+        nanoModel: "openai/gpt-5.5-nano",
         smallModel: "minimax/minimax-m2.7",
         mediumModel: "anthropic/claude-sonnet-4.6",
         largeModel: "anthropic/claude-opus-4-7",