@elizaos/app-core 2.0.0-alpha.413 → 2.0.0-alpha.414

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elizaos/app-core",
-  "version": "2.0.0-alpha.413",
+  "version": "2.0.0-alpha.414",
   "description": "Shared application core for elizaOS white-label agent apps.",
   "type": "module",
   "license": "MIT",
@@ -464,7 +464,7 @@
     "@capacitor/preferences": "^8.0.1",
     "@capacitor/push-notifications": "^8.0.0",
     "@clack/prompts": "^1.0.0",
-    "@elizaos/agent": "^2.0.0-alpha.413",
+    "@elizaos/agent": "^2.0.0-alpha.414",
     "@elizaos/app-companion": "^0.0.0",
     "@elizaos/app-elizamaker": "^0.0.0",
     "@elizaos/app-lifeops": "^0.0.0",
@@ -473,12 +473,12 @@
     "@elizaos/app-task-coordinator": "^0.0.0",
     "@elizaos/app-training": "^0.0.1",
     "@elizaos/app-vincent": "^0.0.0",
-    "@elizaos/core": "^2.0.0-alpha.413",
+    "@elizaos/core": "^2.0.0-alpha.414",
     "@elizaos/plugin-browser-bridge": "^0.1.0",
     "@elizaos/plugin-sql": "^2.0.0-alpha.19",
     "@elizaos/plugin-wechat": "^0.1.0",
-    "@elizaos/shared": "^2.0.0-alpha.413",
-    "@elizaos/ui": "^2.0.0-alpha.413",
+    "@elizaos/shared": "^2.0.0-alpha.414",
+    "@elizaos/ui": "^2.0.0-alpha.414",
     "@node-rs/argon2": "^2.0.2",
     "@radix-ui/react-checkbox": "^1.3.3",
     "@radix-ui/react-dialog": "^1.1.15",

package/packages/agent/src/api/model-provider-helpers.js

@@ -34,28 +34,28 @@ export function getModelOptions() {
         },
         // OpenAI
         {
-            id: "openai/gpt-5.4-pro",
-            name: "GPT-5.4 Pro",
+            id: "openai/gpt-5.5-pro",
+            name: "GPT-5.5 Pro",
             provider: "OpenAI",
-            description: "Highest-precision GPT-5.4 variant.",
+            description: "Highest-precision GPT-5.5 variant.",
         },
         {
-            id: "openai/gpt-5.4",
-            name: "GPT-5.4",
+            id: "openai/gpt-5.5",
+            name: "GPT-5.5",
             provider: "OpenAI",
             description: "Flagship OpenAI model for coding and reasoning.",
         },
         {
-            id: "openai/gpt-5.4-mini",
-            name: "GPT-5.4 Mini",
+            id: "openai/gpt-5.5-mini",
+            name: "GPT-5.5 Mini",
             provider: "OpenAI",
             description: "High-volume OpenAI mini model.",
         },
         {
-            id: "openai/gpt-5.4-nano",
-            name: "GPT-5.4 Nano",
+            id: "openai/gpt-5.5-nano",
+            name: "GPT-5.5 Nano",
             provider: "OpenAI",
-            description: "Cheapest GPT-5.4 tier for fast routing and gating.",
+            description: "Cheapest GPT-5.5 tier for fast routing and gating.",
         },
         // Google
         {

package/packages/agent/src/api/provider-switch-config.js

@@ -281,9 +281,9 @@ const PROVIDER_DEFAULT_MODELS = {
     },
     openai: {
         smallKey: "OPENAI_SMALL_MODEL",
-        smallVal: "gpt-5.4-mini",
+        smallVal: "gpt-5.5-mini",
         largeKey: "OPENAI_LARGE_MODEL",
-        largeVal: "gpt-5.4",
+        largeVal: "gpt-5.5",
     },
     google: {
         smallKey: "GOOGLE_SMALL_MODEL",

package/packages/agent/src/auth/index.d.ts

@@ -1,6 +1,8 @@
+export * from "./account-storage.js";
 export * from "./anthropic.js";
 export * from "./claude-code-stealth.js";
 export * from "./credentials.js";
+export * from "./oauth-flow.js";
 export * from "./openai-codex.js";
 export * from "./types.js";
 //# sourceMappingURL=index.d.ts.map

package/packages/agent/src/auth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../../agent/src/auth/index.ts"],"names":[],"mappings":"AAAA,cAAc,gBAAgB,CAAC;AAC/B,cAAc,0BAA0B,CAAC;AACzC,cAAc,kBAAkB,CAAC;AACjC,cAAc,mBAAmB,CAAC;AAClC,cAAc,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../../agent/src/auth/index.ts"],"names":[],"mappings":"AAAA,cAAc,sBAAsB,CAAC;AACrC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,0BAA0B,CAAC;AACzC,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAChC,cAAc,mBAAmB,CAAC;AAClC,cAAc,YAAY,CAAC"}

package/packages/agent/src/auth/index.js

@@ -1,5 +1,7 @@
+export * from "./account-storage.js";
 export * from "./anthropic.js";
 export * from "./claude-code-stealth.js";
 export * from "./credentials.js";
+export * from "./oauth-flow.js";
 export * from "./openai-codex.js";
 export * from "./types.js";

package/packages/agent/src/auth/oauth-flow.d.ts

@@ -0,0 +1,106 @@
+/**
+ * OAuth flow orchestration registry.
+ *
+ * Wraps the provider-specific programmatic OAuth helpers
+ * (`startAnthropicOAuthFlowRaw` from
+ * `vendor/pi-oauth/anthropic-login.ts` and the loopback-listener flow
+ * in `openai-codex.ts`) with:
+ *
+ *   - a 5-minute timeout per flow,
+ *   - automatic `saveAccount(...)` after token exchange,
+ *   - an in-memory registry keyed by `sessionId` so the HTTP API can
+ *     stream progress over SSE and the CLI can `await` completion,
+ *   - garbage collection 10 minutes after a flow reaches a terminal
+ *     state.
+ *
+ * Both the CLI and the new accounts-routes HTTP endpoints drive flows
+ * through this module — there is no direct caller of the vendor-level
+ * OAuth helpers anymore.
+ */
+import { type AccountCredentialRecord } from "./account-storage.js";
+import type { SubscriptionProvider } from "./types.js";
+/** Server-tracked status of an in-flight OAuth flow. */
+export type FlowStatus = "pending" | "success" | "error" | "cancelled" | "timeout";
+export interface FlowState {
+    sessionId: string;
+    providerId: SubscriptionProvider;
+    status: FlowStatus;
+    /** Set on `pending` (so the UI can re-open the browser) and on `success`. */
+    authUrl?: string;
+    /** Anthropic only — the user must paste `code#state`; Codex uses the loopback callback. */
+    needsCodeSubmission: boolean;
+    account?: AccountCredentialRecord;
+    error?: string;
+    startedAt: number;
+    endedAt?: number;
+}
+export interface OAuthFlowHandle {
+    sessionId: string;
+    authUrl: string;
+    /** Codex flows resolve via the loopback listener; Anthropic requires `submitCode`. */
+    needsCodeSubmission: boolean;
+    /** Resolves with the saved AccountCredentialRecord; rejects on cancel/timeout/error. */
+    completion: Promise<{
+        account: AccountCredentialRecord;
+    }>;
+    /** Anthropic only — submit `code#state` from the redirect page. No-op for Codex. */
+    submitCode: (code: string) => void;
+    cancel: (reason?: string) => void;
+}
+interface StartOptions {
+    label: string;
+    accountId?: string;
+    /**
+     * Called after the account is saved on disk. Used by the HTTP
+     * route layer to also write a `LinkedAccountConfig` row into
+     * `milady.json`. Failures here propagate as flow `error`.
+     */
+    onAccountSaved?: (account: AccountCredentialRecord) => void | Promise<void>;
+}
+/**
+ * Start a programmatic Anthropic OAuth flow. Anthropic's redirect URI
+ * is hardcoded to `console.anthropic.com/oauth/code/callback` — the
+ * UI must surface the auth URL, prompt the user to copy the
+ * `code#state` blob, and call `submitCode()` with it. Once the code is
+ * submitted, the token exchange runs and the account is persisted.
+ */
+export declare function startAnthropicOAuthFlow(opts: StartOptions): Promise<OAuthFlowHandle>;
+/**
+ * Start a programmatic Codex OAuth flow. Codex has a loopback listener
+ * on :1455, so the user just signs in in the browser and the listener
+ * picks up the redirect — `submitCode()` is a no-op. The accountId
+ * baked into the JWT is preserved on `LinkedAccountConfig.organizationId`
+ * (used by the Codex usage probe via the `ChatGPT-Account-Id` header).
+ */
+export declare function startCodexOAuthFlow(opts: StartOptions): Promise<OAuthFlowHandle>;
+export declare function getFlowState(sessionId: string): FlowState | null;
+export declare function getFlowHandle(sessionId: string): OAuthFlowHandle | null;
+/**
+ * Subscribe to status updates for a flow. Replays the current state
+ * synchronously so SSE consumers always receive an immediate frame.
+ * Returns an unsubscribe function.
+ */
+export declare function subscribeFlow(sessionId: string, listener: (state: FlowState) => void): () => void;
+export declare function cancelFlow(sessionId: string, reason?: string): boolean;
+export declare function submitFlowCode(sessionId: string, code: string): boolean;
+/**
+ * Remove every flow from the registry. Tests use this to reset
+ * between cases without resetting the whole module.
+ */
+export declare function _resetFlowRegistry(): void;
+/**
+ * Test-only helper to seed a synthetic flow without going through the
+ * vendor layer. Used by `accounts-routes.test.ts` to assert the SSE
+ * surface streams `success` / `error` payloads correctly.
+ */
+export declare function _registerSyntheticFlow(args: {
+    sessionId?: string;
+    providerId: SubscriptionProvider;
+    authUrl: string;
+    needsCodeSubmission?: boolean;
+}): {
+    sessionId: string;
+    complete: (state: FlowState) => void;
+};
+export {};
+//# sourceMappingURL=oauth-flow.d.ts.map

package/packages/agent/src/auth/oauth-flow.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-flow.d.ts","sourceRoot":"","sources":["../../../../../../agent/src/auth/oauth-flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAIH,OAAO,EACL,KAAK,uBAAuB,EAE7B,MAAM,sBAAsB,CAAC;AAG9B,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAMvD,wDAAwD;AACxD,MAAM,MAAM,UAAU,GAClB,SAAS,GACT,SAAS,GACT,OAAO,GACP,WAAW,GACX,SAAS,CAAC;AAEd,MAAM,WAAW,SAAS;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,oBAAoB,CAAC;IACjC,MAAM,EAAE,UAAU,CAAC;IACnB,6EAA6E;IAC7E,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,2FAA2F;IAC3F,mBAAmB,EAAE,OAAO,CAAC;IAC7B,OAAO,CAAC,EAAE,uBAAuB,CAAC;IAClC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,sFAAsF;IACtF,mBAAmB,EAAE,OAAO,CAAC;IAC7B,wFAAwF;IACxF,UAAU,EAAE,OAAO,CAAC;QAAE,OAAO,EAAE,uBAAuB,CAAA;KAAE,CAAC,CAAC;IAC1D,oFAAoF;IACpF,UAAU,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;IACnC,MAAM,EAAE,CAAC,MAAM,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC;CACnC;AAuED,UAAU,YAAY;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,OAAO,EAAE,uBAAuB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7E;AAID;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CACrC,IAAI,EAAE,YAAY,GACjB,OAAO,CAAC,eAAe,CAAC,CAqB1B;AAID;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CACjC,IAAI,EAAE,YAAY,GACjB,OAAO,CAAC,eAAe,CAAC,CAmB1B;AA2ID,wBAAgB,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,CAGhE;AAED,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI,CAGvE;AAED;;;;GAIG;AACH,wBAAgB,aAAa,CAC3B,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,CAAC,KAAK,EAAE,SAAS,KAAK,IAAI,GACnC,MAAM,IAAI,CASZ;AAED,wBAAgB,UAAU,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAMtE;AAED,wBAAgB,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAOvE;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,IAAI,IAAI,CAKzC;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE;IAC3C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,oBAAoB,CAAC;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,mBAAmB,CAAC,EAAE,OAAO,CAAC;CAC/B,GAAG;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,CAAC,KAAK,EAAE,SAAS,KAAK,IAAI,CAAA;CAAE,CA+B9D"}

package/packages/agent/src/auth/oauth-flow.js

@@ -0,0 +1,349 @@
+/**
+ * OAuth flow orchestration registry.
+ *
+ * Wraps the provider-specific programmatic OAuth helpers
+ * (`startAnthropicOAuthFlowRaw` from
+ * `vendor/pi-oauth/anthropic-login.ts` and the loopback-listener flow
+ * in `openai-codex.ts`) with:
+ *
+ *   - a 5-minute timeout per flow,
+ *   - automatic `saveAccount(...)` after token exchange,
+ *   - an in-memory registry keyed by `sessionId` so the HTTP API can
+ *     stream progress over SSE and the CLI can `await` completion,
+ *   - garbage collection 10 minutes after a flow reaches a terminal
+ *     state.
+ *
+ * Both the CLI and the new accounts-routes HTTP endpoints drive flows
+ * through this module — there is no direct caller of the vendor-level
+ * OAuth helpers anymore.
+ */
+import crypto from "node:crypto";
+import { logger } from "@elizaos/core";
+import { saveAccount, } from "./account-storage.js";
+import { startCodexLogin } from "./openai-codex.js";
+import { startAnthropicOAuthFlowRaw, } from "./vendor/pi-oauth/anthropic-login.js";
+const FLOW_TIMEOUT_MS = 5 * 60 * 1000;
+const FLOW_GC_MS = 10 * 60 * 1000;
+const flows = new Map();
+function newSessionId() {
+    return crypto.randomUUID();
+}
+function emit(entry) {
+    for (const listener of entry.listeners) {
+        listener(entry.state);
+    }
+}
+function scheduleGc(sessionId) {
+    const entry = flows.get(sessionId);
+    if (!entry)
+        return;
+    if (entry.gcTimer)
+        clearTimeout(entry.gcTimer);
+    entry.gcTimer = setTimeout(() => {
+        flows.delete(sessionId);
+    }, FLOW_GC_MS);
+}
+function resolveAccountId(opts) {
+    return opts.accountId?.trim() || crypto.randomUUID();
+}
+/**
+ * Build an `AccountCredentialRecord` and persist it via `saveAccount`.
+ * Returns the canonical record (with `createdAt`/`updatedAt` filled).
+ */
+function persistAccount(args) {
+    const now = Date.now();
+    const record = {
+        id: args.accountId,
+        providerId: args.providerId,
+        label: args.label,
+        source: "oauth",
+        credentials: {
+            access: args.access,
+            refresh: args.refresh,
+            expires: args.expires,
+        },
+        createdAt: now,
+        updatedAt: now,
+        ...(args.organizationId ? { organizationId: args.organizationId } : {}),
+        ...(args.email ? { email: args.email } : {}),
+    };
+    saveAccount(record);
+    return record;
+}
+// Anthropic.
+/**
+ * Start a programmatic Anthropic OAuth flow. Anthropic's redirect URI
+ * is hardcoded to `console.anthropic.com/oauth/code/callback` — the
+ * UI must surface the auth URL, prompt the user to copy the
+ * `code#state` blob, and call `submitCode()` with it. Once the code is
+ * submitted, the token exchange runs and the account is persisted.
+ */
+export function startAnthropicOAuthFlow(opts) {
+    return startGenericFlow({
+        providerId: "anthropic-subscription",
+        opts,
+        needsCodeSubmission: true,
+        begin: async () => {
+            const raw = await startAnthropicOAuthFlowRaw();
+            const completion = (async () => {
+                const creds = await raw.completion;
+                return { creds };
+            })();
+            return {
+                authUrl: raw.authUrl,
+                completion,
+                submitCode: raw.submitCode,
+                cancel: raw.cancel,
+            };
+        },
+    });
+}
+// Codex (OpenAI ChatGPT subscription).
+/**
+ * Start a programmatic Codex OAuth flow. Codex has a loopback listener
+ * on :1455, so the user just signs in in the browser and the listener
+ * picks up the redirect — `submitCode()` is a no-op. The accountId
+ * baked into the JWT is preserved on `LinkedAccountConfig.organizationId`
+ * (used by the Codex usage probe via the `ChatGPT-Account-Id` header).
+ */
+export function startCodexOAuthFlow(opts) {
+    return startGenericFlow({
+        providerId: "openai-codex",
+        opts,
+        needsCodeSubmission: false,
+        begin: async () => {
+            const flow = await startCodexLogin();
+            const completion = (async () => {
+                const creds = await flow.credentials;
+                return { creds, codexFlow: flow };
+            })();
+            return {
+                authUrl: flow.authUrl,
+                completion,
+                submitCode: (code) => flow.submitCode(code),
+                cancel: () => flow.close(),
+            };
+        },
+    });
+}
+async function startGenericFlow(args) {
+    const { providerId, opts, needsCodeSubmission, begin } = args;
+    const sessionId = newSessionId();
+    const accountId = resolveAccountId(opts);
+    const vendor = await begin();
+    const startedAt = Date.now();
+    const initialState = {
+        sessionId,
+        providerId,
+        status: "pending",
+        authUrl: vendor.authUrl,
+        needsCodeSubmission,
+        startedAt,
+    };
+    let resolveCompletion;
+    let rejectCompletion;
+    const completion = new Promise((resolve, reject) => {
+        resolveCompletion = resolve;
+        rejectCompletion = reject;
+    });
+    const entry = {
+        state: initialState,
+        handle: {}, // filled below
+        listeners: new Set(),
+    };
+    flows.set(sessionId, entry);
+    const setTerminal = (next) => {
+        if (entry.state.status !== "pending")
+            return;
+        entry.state = {
+            ...entry.state,
+            ...next,
+            endedAt: Date.now(),
+        };
+        emit(entry);
+        scheduleGc(sessionId);
+    };
+    const timer = setTimeout(() => {
+        const err = new Error("OAuth flow timed out after 5 minutes");
+        try {
+            vendor.cancel("timeout");
+        }
+        catch (cancelErr) {
+            logger.debug(`[oauth-flow] cancel during timeout failed: ${String(cancelErr)}`);
+        }
+        setTerminal({ status: "timeout", error: err.message });
+        rejectCompletion(err);
+    }, FLOW_TIMEOUT_MS);
+    // Drive the vendor completion through to account-save and listener emit.
+    void (async () => {
+        try {
+            const { creds } = await vendor.completion;
+            clearTimeout(timer);
+            let organizationId;
+            // Codex bakes the account_id into the JWT — pull it back out for
+            // the usage probe header.
+            if (providerId === "openai-codex") {
+                const codexAccountId = extractCodexAccountId(creds.access);
+                if (codexAccountId)
+                    organizationId = codexAccountId;
+            }
+            const record = persistAccount({
+                providerId,
+                accountId,
+                label: opts.label,
+                access: creds.access,
+                refresh: creds.refresh,
+                expires: creds.expires,
+                ...(organizationId ? { organizationId } : {}),
+            });
+            if (opts.onAccountSaved) {
+                await opts.onAccountSaved(record);
+            }
+            setTerminal({ status: "success", account: record });
+            resolveCompletion({ account: record });
+        }
+        catch (err) {
+            clearTimeout(timer);
+            const message = err instanceof Error ? err.message : String(err);
+            setTerminal({ status: "error", error: message });
+            rejectCompletion(err instanceof Error ? err : new Error(message));
+        }
+    })();
+    const handle = {
+        sessionId,
+        authUrl: vendor.authUrl,
+        needsCodeSubmission,
+        completion,
+        submitCode: (code) => {
+            vendor.submitCode(code);
+        },
+        cancel: (reason = "Cancelled") => {
+            if (entry.state.status !== "pending")
+                return;
+            try {
+                vendor.cancel(reason);
+            }
+            catch (err) {
+                logger.debug(`[oauth-flow] vendor cancel failed: ${String(err)}`);
+            }
+            clearTimeout(timer);
+            const error = new Error(reason);
+            setTerminal({ status: "cancelled", error: reason });
+            rejectCompletion(error);
+        },
+    };
+    entry.handle = handle;
+    emit(entry);
+    return handle;
+}
+// Registry surface used by the SSE / cancel routes.
+export function getFlowState(sessionId) {
+    const entry = flows.get(sessionId);
+    return entry ? entry.state : null;
+}
+export function getFlowHandle(sessionId) {
+    const entry = flows.get(sessionId);
+    return entry ? entry.handle : null;
+}
+/**
+ * Subscribe to status updates for a flow. Replays the current state
+ * synchronously so SSE consumers always receive an immediate frame.
+ * Returns an unsubscribe function.
+ */
+export function subscribeFlow(sessionId, listener) {
+    const entry = flows.get(sessionId);
+    if (!entry)
+        return () => { };
+    entry.listeners.add(listener);
+    // Replay current state.
+    listener(entry.state);
+    return () => {
+        entry.listeners.delete(listener);
+    };
+}
+export function cancelFlow(sessionId, reason) {
+    const entry = flows.get(sessionId);
+    if (!entry)
+        return false;
+    if (entry.state.status !== "pending")
+        return false;
+    entry.handle.cancel(reason);
+    return true;
+}
+export function submitFlowCode(sessionId, code) {
+    const entry = flows.get(sessionId);
+    if (!entry)
+        return false;
+    if (entry.state.status !== "pending")
+        return false;
+    if (!entry.state.needsCodeSubmission)
+        return false;
+    entry.handle.submitCode(code);
+    return true;
+}
+/**
+ * Remove every flow from the registry. Tests use this to reset
+ * between cases without resetting the whole module.
+ */
+export function _resetFlowRegistry() {
+    for (const entry of flows.values()) {
+        if (entry.gcTimer)
+            clearTimeout(entry.gcTimer);
+    }
+    flows.clear();
+}
+/**
+ * Test-only helper to seed a synthetic flow without going through the
+ * vendor layer. Used by `accounts-routes.test.ts` to assert the SSE
+ * surface streams `success` / `error` payloads correctly.
+ */
+export function _registerSyntheticFlow(args) {
+    const sessionId = args.sessionId ?? newSessionId();
+    const state = {
+        sessionId,
+        providerId: args.providerId,
+        status: "pending",
+        authUrl: args.authUrl,
+        needsCodeSubmission: Boolean(args.needsCodeSubmission),
+        startedAt: Date.now(),
+    };
+    const entry = {
+        state,
+        handle: {
+            sessionId,
+            authUrl: args.authUrl,
+            needsCodeSubmission: Boolean(args.needsCodeSubmission),
+            completion: new Promise(() => undefined),
+            submitCode: () => undefined,
+            cancel: () => undefined,
+        },
+        listeners: new Set(),
+    };
+    flows.set(sessionId, entry);
+    const complete = (next) => {
+        entry.state = { ...next, endedAt: next.endedAt ?? Date.now() };
+        emit(entry);
+        scheduleGc(sessionId);
+    };
+    return { sessionId, complete };
+}
+/** OpenAI Codex JWT carries `chatgpt_account_id` under a vendor claim. */
+function extractCodexAccountId(accessToken) {
+    try {
+        const parts = accessToken.split(".");
+        if (parts.length !== 3)
+            return null;
+        const payload = parts[1];
+        const decoded = JSON.parse(Buffer.from(payload, "base64").toString("utf-8"));
+        const claim = decoded["https://api.openai.com/auth"];
+        if (!claim || typeof claim !== "object")
+            return null;
+        const accountId = claim.chatgpt_account_id;
+        return typeof accountId === "string" && accountId.length > 0
+            ? accountId
+            : null;
+    }
+    catch {
+        return null;
+    }
+}

package/packages/agent/src/auth/vendor/pi-oauth/anthropic-login.d.ts

@@ -1,15 +1,47 @@
 /**
  * Anthropic OAuth (Claude Pro/Max) — authorization code + PKCE.
  * Inlined OAuth flow (MIT) — vendored to avoid a runtime dependency.
+ *
+ * Anthropic's OAuth uses a fixed redirect URI on `console.anthropic.com`
+ * that displays the auth code on completion — there's no loopback
+ * listener. The flow surfaces an `authUrl` plus a `submitCode()` hook
+ * the UI / CLI calls once the user has copied the code.
  */
 export interface AnthropicOAuthCredentials {
     refresh: string;
     access: string;
     expires: number;
 }
+/**
+ * Programmatic Anthropic OAuth flow.
+ *
+ * `authUrl` is ready immediately. The caller MUST eventually call
+ * either `submitCode(code)` (after the user has pasted the
+ * `code#state` blob from the redirect page) or `cancel()`. The
+ * `completion` promise rejects if the flow is cancelled.
+ */
+export interface AnthropicOAuthFlowHandle {
+    authUrl: string;
+    /** Pass `code#state` from the redirect page. */
+    submitCode: (code: string) => void;
+    /** Resolves with credentials once `submitCode` lands and the token exchange succeeds. */
+    completion: Promise<AnthropicOAuthCredentials>;
+    cancel: (reason?: string) => void;
+}
+/**
+ * Start an Anthropic OAuth flow. Returns immediately with the auth
+ * URL and a `submitCode` hook. The token exchange happens inside
+ * `completion` once the caller submits the code.
+ */
+export declare function startAnthropicOAuthFlowRaw(): Promise<AnthropicOAuthFlowHandle>;
 /**
  * @param onAuthUrl - Receives the browser authorization URL
  * @param onPromptCode - Resolves with pasted code (format: code#state)
+ *
+ * Thin compatibility wrapper around `startAnthropicOAuthFlowRaw` for
+ * the CLI entrypoint and any older callers. New code should use
+ * `startAnthropicOAuthFlowRaw` (or the higher-level
+ * `startAnthropicOAuthFlow` in `auth/oauth-flow.ts`) directly.
  */
 export declare function loginAnthropic(onAuthUrl: (url: string) => void, onPromptCode: () => Promise<string>): Promise<AnthropicOAuthCredentials>;
 export declare function refreshAnthropicToken(refreshToken: string): Promise<AnthropicOAuthCredentials>;

package/packages/agent/src/auth/vendor/pi-oauth/anthropic-login.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"anthropic-login.d.ts","sourceRoot":"","sources":["../../../../../../../../agent/src/auth/vendor/pi-oauth/anthropic-login.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAWH,MAAM,WAAW,yBAAyB;IACxC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAClC,SAAS,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,EAChC,YAAY,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,GAClC,OAAO,CAAC,yBAAyB,CAAC,CA6CpC;AAED,wBAAsB,qBAAqB,CACzC,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,yBAAyB,CAAC,CAwBpC"}
+{"version":3,"file":"anthropic-login.d.ts","sourceRoot":"","sources":["../../../../../../../../agent/src/auth/vendor/pi-oauth/anthropic-login.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAWH,MAAM,WAAW,yBAAyB;IACxC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,MAAM,CAAC;IAChB,gDAAgD;IAChD,UAAU,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;IACnC,yFAAyF;IACzF,UAAU,EAAE,OAAO,CAAC,yBAAyB,CAAC,CAAC;IAC/C,MAAM,EAAE,CAAC,MAAM,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC;CACnC;AAED;;;;GAIG;AACH,wBAAsB,0BAA0B,IAAI,OAAO,CAAC,wBAAwB,CAAC,CA6DpF;AAED;;;;;;;;GAQG;AACH,wBAAsB,cAAc,CAClC,SAAS,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,EAChC,YAAY,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,GAClC,OAAO,CAAC,yBAAyB,CAAC,CAMpC;AAED,wBAAsB,qBAAqB,CACzC,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,yBAAyB,CAAC,CAwBpC"}