@elizaos/ui 2.0.0-alpha.411 → 2.0.0-alpha.414
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/apps/app-companion/src/components/companion/CompanionAppView.d.ts.map +1 -1
- package/apps/app-companion/src/components/companion/CompanionAppView.js +5 -5
- package/apps/app-companion/src/components/companion/CompanionView.d.ts.map +1 -1
- package/apps/app-companion/src/components/companion/CompanionView.js +5 -5
- package/package.json +1 -1
- package/packages/agent/src/api/model-provider-helpers.js +10 -10
- package/packages/agent/src/api/provider-switch-config.d.ts +3 -3
- package/packages/agent/src/api/provider-switch-config.d.ts.map +1 -1
- package/packages/agent/src/api/provider-switch-config.js +2 -2
- package/packages/agent/src/auth/account-storage.d.ts +48 -0
- package/packages/agent/src/auth/account-storage.d.ts.map +1 -0
- package/packages/agent/src/auth/account-storage.js +238 -0
- package/packages/agent/src/auth/credentials.d.ts +44 -25
- package/packages/agent/src/auth/credentials.d.ts.map +1 -1
- package/packages/agent/src/auth/credentials.js +175 -137
- package/packages/agent/src/auth/index.d.ts +2 -0
- package/packages/agent/src/auth/index.d.ts.map +1 -1
- package/packages/agent/src/auth/index.js +2 -0
- package/packages/agent/src/auth/oauth-flow.d.ts +106 -0
- package/packages/agent/src/auth/oauth-flow.d.ts.map +1 -0
- package/packages/agent/src/auth/oauth-flow.js +349 -0
- package/packages/agent/src/auth/refresh-mutex.d.ts +19 -0
- package/packages/agent/src/auth/refresh-mutex.d.ts.map +1 -0
- package/packages/agent/src/auth/refresh-mutex.js +33 -0
- package/packages/agent/src/auth/vendor/pi-oauth/anthropic-login.d.ts +32 -0
- package/packages/agent/src/auth/vendor/pi-oauth/anthropic-login.d.ts.map +1 -1
- package/packages/agent/src/auth/vendor/pi-oauth/anthropic-login.js +63 -28
- package/packages/agent/src/config/schema.js +1 -1
- package/packages/agent/src/config/types.eliza.d.ts +8 -3
- package/packages/agent/src/config/types.eliza.d.ts.map +1 -1
- package/packages/agent/src/config/types.messages.d.ts +1 -1
- package/packages/agent/src/config/types.tools.d.ts +1 -1
- package/packages/agent/src/runtime/eliza.js +3 -3
- package/packages/app-core/src/components/apps/launch-history.d.ts.map +1 -1
- package/packages/app-core/src/components/auth/LoginView.d.ts +1 -1
- package/packages/app-core/src/components/auth/LoginView.d.ts.map +1 -1
- package/packages/app-core/src/components/auth/LoginView.js +1 -1
- package/packages/app-core/src/components/conversations/conversation-utils.js +4 -4
- package/packages/app-core/src/components/pages/AppDetailsView.d.ts.map +1 -1
- package/packages/app-core/src/components/pages/AppDetailsView.js +10 -10
- package/packages/app-core/src/components/pages/AppsView.d.ts.map +1 -1
- package/packages/app-core/src/components/pages/AppsView.js +1 -0
- package/packages/app-core/src/components/pages/AutomationsView.d.ts.map +1 -1
- package/packages/app-core/src/components/pages/AutomationsView.js +0 -1
- package/packages/app-core/src/components/settings/ProviderSwitcher.d.ts.map +1 -1
- package/packages/app-core/src/components/settings/ProviderSwitcher.js +1 -1
- package/packages/app-core/src/components/settings/SubscriptionStatus.d.ts +2 -0
- package/packages/app-core/src/components/settings/SubscriptionStatus.d.ts.map +1 -1
- package/packages/app-core/src/onboarding-config.d.ts +2 -2
- package/packages/app-core/src/onboarding-config.d.ts.map +1 -1
- package/packages/app-core/src/services/auth-store.d.ts.map +1 -1
- package/packages/app-core/src/shell/AppWindowRenderer.d.ts.map +1 -1
- package/packages/app-core/src/shell/AppWindowRenderer.js +11 -17
- package/packages/app-core/src/shell/DetachedShellRoot.d.ts.map +1 -1
- package/packages/app-core/src/state/startup-phase-poll.js +1 -1
- package/packages/app-core/src/state/useOnboardingState.js +1 -1
- package/packages/shared/src/config/types.eliza.d.ts +8 -3
- package/packages/shared/src/config/types.eliza.d.ts.map +1 -1
- package/packages/shared/src/contracts/onboarding.d.ts +10 -2
- package/packages/shared/src/contracts/onboarding.d.ts.map +1 -1
- package/packages/shared/src/contracts/onboarding.js +2 -2
- package/packages/shared/src/contracts/service-routing.d.ts +87 -3
- package/packages/shared/src/contracts/service-routing.d.ts.map +1 -1
- package/packages/shared/src/contracts/service-routing.js +171 -3
|
@@ -0,0 +1,349 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* OAuth flow orchestration registry.
|
|
3
|
+
*
|
|
4
|
+
* Wraps the provider-specific programmatic OAuth helpers
|
|
5
|
+
* (`startAnthropicOAuthFlowRaw` from
|
|
6
|
+
* `vendor/pi-oauth/anthropic-login.ts` and the loopback-listener flow
|
|
7
|
+
* in `openai-codex.ts`) with:
|
|
8
|
+
*
|
|
9
|
+
* - a 5-minute timeout per flow,
|
|
10
|
+
* - automatic `saveAccount(...)` after token exchange,
|
|
11
|
+
* - an in-memory registry keyed by `sessionId` so the HTTP API can
|
|
12
|
+
* stream progress over SSE and the CLI can `await` completion,
|
|
13
|
+
* - garbage collection 10 minutes after a flow reaches a terminal
|
|
14
|
+
* state.
|
|
15
|
+
*
|
|
16
|
+
* Both the CLI and the new accounts-routes HTTP endpoints drive flows
|
|
17
|
+
* through this module — there is no direct caller of the vendor-level
|
|
18
|
+
* OAuth helpers anymore.
|
|
19
|
+
*/
|
|
20
|
+
import crypto from "node:crypto";
|
|
21
|
+
import { logger } from "@elizaos/core";
|
|
22
|
+
import { saveAccount, } from "./account-storage.js";
|
|
23
|
+
import { startCodexLogin } from "./openai-codex.js";
|
|
24
|
+
import { startAnthropicOAuthFlowRaw, } from "./vendor/pi-oauth/anthropic-login.js";
|
|
25
|
+
const FLOW_TIMEOUT_MS = 5 * 60 * 1000;
|
|
26
|
+
const FLOW_GC_MS = 10 * 60 * 1000;
|
|
27
|
+
const flows = new Map();
|
|
28
|
+
function newSessionId() {
|
|
29
|
+
return crypto.randomUUID();
|
|
30
|
+
}
|
|
31
|
+
function emit(entry) {
|
|
32
|
+
for (const listener of entry.listeners) {
|
|
33
|
+
listener(entry.state);
|
|
34
|
+
}
|
|
35
|
+
}
|
|
36
|
+
function scheduleGc(sessionId) {
|
|
37
|
+
const entry = flows.get(sessionId);
|
|
38
|
+
if (!entry)
|
|
39
|
+
return;
|
|
40
|
+
if (entry.gcTimer)
|
|
41
|
+
clearTimeout(entry.gcTimer);
|
|
42
|
+
entry.gcTimer = setTimeout(() => {
|
|
43
|
+
flows.delete(sessionId);
|
|
44
|
+
}, FLOW_GC_MS);
|
|
45
|
+
}
|
|
46
|
+
function resolveAccountId(opts) {
|
|
47
|
+
return opts.accountId?.trim() || crypto.randomUUID();
|
|
48
|
+
}
|
|
49
|
+
/**
|
|
50
|
+
* Build an `AccountCredentialRecord` and persist it via `saveAccount`.
|
|
51
|
+
* Returns the canonical record (with `createdAt`/`updatedAt` filled).
|
|
52
|
+
*/
|
|
53
|
+
function persistAccount(args) {
|
|
54
|
+
const now = Date.now();
|
|
55
|
+
const record = {
|
|
56
|
+
id: args.accountId,
|
|
57
|
+
providerId: args.providerId,
|
|
58
|
+
label: args.label,
|
|
59
|
+
source: "oauth",
|
|
60
|
+
credentials: {
|
|
61
|
+
access: args.access,
|
|
62
|
+
refresh: args.refresh,
|
|
63
|
+
expires: args.expires,
|
|
64
|
+
},
|
|
65
|
+
createdAt: now,
|
|
66
|
+
updatedAt: now,
|
|
67
|
+
...(args.organizationId ? { organizationId: args.organizationId } : {}),
|
|
68
|
+
...(args.email ? { email: args.email } : {}),
|
|
69
|
+
};
|
|
70
|
+
saveAccount(record);
|
|
71
|
+
return record;
|
|
72
|
+
}
|
|
73
|
+
// Anthropic.
|
|
74
|
+
/**
|
|
75
|
+
* Start a programmatic Anthropic OAuth flow. Anthropic's redirect URI
|
|
76
|
+
* is hardcoded to `console.anthropic.com/oauth/code/callback` — the
|
|
77
|
+
* UI must surface the auth URL, prompt the user to copy the
|
|
78
|
+
* `code#state` blob, and call `submitCode()` with it. Once the code is
|
|
79
|
+
* submitted, the token exchange runs and the account is persisted.
|
|
80
|
+
*/
|
|
81
|
+
export function startAnthropicOAuthFlow(opts) {
|
|
82
|
+
return startGenericFlow({
|
|
83
|
+
providerId: "anthropic-subscription",
|
|
84
|
+
opts,
|
|
85
|
+
needsCodeSubmission: true,
|
|
86
|
+
begin: async () => {
|
|
87
|
+
const raw = await startAnthropicOAuthFlowRaw();
|
|
88
|
+
const completion = (async () => {
|
|
89
|
+
const creds = await raw.completion;
|
|
90
|
+
return { creds };
|
|
91
|
+
})();
|
|
92
|
+
return {
|
|
93
|
+
authUrl: raw.authUrl,
|
|
94
|
+
completion,
|
|
95
|
+
submitCode: raw.submitCode,
|
|
96
|
+
cancel: raw.cancel,
|
|
97
|
+
};
|
|
98
|
+
},
|
|
99
|
+
});
|
|
100
|
+
}
|
|
101
|
+
// Codex (OpenAI ChatGPT subscription).
|
|
102
|
+
/**
|
|
103
|
+
* Start a programmatic Codex OAuth flow. Codex has a loopback listener
|
|
104
|
+
* on :1455, so the user just signs in in the browser and the listener
|
|
105
|
+
* picks up the redirect — `submitCode()` is a no-op. The accountId
|
|
106
|
+
* baked into the JWT is preserved on `LinkedAccountConfig.organizationId`
|
|
107
|
+
* (used by the Codex usage probe via the `ChatGPT-Account-Id` header).
|
|
108
|
+
*/
|
|
109
|
+
export function startCodexOAuthFlow(opts) {
|
|
110
|
+
return startGenericFlow({
|
|
111
|
+
providerId: "openai-codex",
|
|
112
|
+
opts,
|
|
113
|
+
needsCodeSubmission: false,
|
|
114
|
+
begin: async () => {
|
|
115
|
+
const flow = await startCodexLogin();
|
|
116
|
+
const completion = (async () => {
|
|
117
|
+
const creds = await flow.credentials;
|
|
118
|
+
return { creds, codexFlow: flow };
|
|
119
|
+
})();
|
|
120
|
+
return {
|
|
121
|
+
authUrl: flow.authUrl,
|
|
122
|
+
completion,
|
|
123
|
+
submitCode: (code) => flow.submitCode(code),
|
|
124
|
+
cancel: () => flow.close(),
|
|
125
|
+
};
|
|
126
|
+
},
|
|
127
|
+
});
|
|
128
|
+
}
|
|
129
|
+
async function startGenericFlow(args) {
|
|
130
|
+
const { providerId, opts, needsCodeSubmission, begin } = args;
|
|
131
|
+
const sessionId = newSessionId();
|
|
132
|
+
const accountId = resolveAccountId(opts);
|
|
133
|
+
const vendor = await begin();
|
|
134
|
+
const startedAt = Date.now();
|
|
135
|
+
const initialState = {
|
|
136
|
+
sessionId,
|
|
137
|
+
providerId,
|
|
138
|
+
status: "pending",
|
|
139
|
+
authUrl: vendor.authUrl,
|
|
140
|
+
needsCodeSubmission,
|
|
141
|
+
startedAt,
|
|
142
|
+
};
|
|
143
|
+
let resolveCompletion;
|
|
144
|
+
let rejectCompletion;
|
|
145
|
+
const completion = new Promise((resolve, reject) => {
|
|
146
|
+
resolveCompletion = resolve;
|
|
147
|
+
rejectCompletion = reject;
|
|
148
|
+
});
|
|
149
|
+
const entry = {
|
|
150
|
+
state: initialState,
|
|
151
|
+
handle: {}, // filled below
|
|
152
|
+
listeners: new Set(),
|
|
153
|
+
};
|
|
154
|
+
flows.set(sessionId, entry);
|
|
155
|
+
const setTerminal = (next) => {
|
|
156
|
+
if (entry.state.status !== "pending")
|
|
157
|
+
return;
|
|
158
|
+
entry.state = {
|
|
159
|
+
...entry.state,
|
|
160
|
+
...next,
|
|
161
|
+
endedAt: Date.now(),
|
|
162
|
+
};
|
|
163
|
+
emit(entry);
|
|
164
|
+
scheduleGc(sessionId);
|
|
165
|
+
};
|
|
166
|
+
const timer = setTimeout(() => {
|
|
167
|
+
const err = new Error("OAuth flow timed out after 5 minutes");
|
|
168
|
+
try {
|
|
169
|
+
vendor.cancel("timeout");
|
|
170
|
+
}
|
|
171
|
+
catch (cancelErr) {
|
|
172
|
+
logger.debug(`[oauth-flow] cancel during timeout failed: ${String(cancelErr)}`);
|
|
173
|
+
}
|
|
174
|
+
setTerminal({ status: "timeout", error: err.message });
|
|
175
|
+
rejectCompletion(err);
|
|
176
|
+
}, FLOW_TIMEOUT_MS);
|
|
177
|
+
// Drive the vendor completion through to account-save and listener emit.
|
|
178
|
+
void (async () => {
|
|
179
|
+
try {
|
|
180
|
+
const { creds } = await vendor.completion;
|
|
181
|
+
clearTimeout(timer);
|
|
182
|
+
let organizationId;
|
|
183
|
+
// Codex bakes the account_id into the JWT — pull it back out for
|
|
184
|
+
// the usage probe header.
|
|
185
|
+
if (providerId === "openai-codex") {
|
|
186
|
+
const codexAccountId = extractCodexAccountId(creds.access);
|
|
187
|
+
if (codexAccountId)
|
|
188
|
+
organizationId = codexAccountId;
|
|
189
|
+
}
|
|
190
|
+
const record = persistAccount({
|
|
191
|
+
providerId,
|
|
192
|
+
accountId,
|
|
193
|
+
label: opts.label,
|
|
194
|
+
access: creds.access,
|
|
195
|
+
refresh: creds.refresh,
|
|
196
|
+
expires: creds.expires,
|
|
197
|
+
...(organizationId ? { organizationId } : {}),
|
|
198
|
+
});
|
|
199
|
+
if (opts.onAccountSaved) {
|
|
200
|
+
await opts.onAccountSaved(record);
|
|
201
|
+
}
|
|
202
|
+
setTerminal({ status: "success", account: record });
|
|
203
|
+
resolveCompletion({ account: record });
|
|
204
|
+
}
|
|
205
|
+
catch (err) {
|
|
206
|
+
clearTimeout(timer);
|
|
207
|
+
const message = err instanceof Error ? err.message : String(err);
|
|
208
|
+
setTerminal({ status: "error", error: message });
|
|
209
|
+
rejectCompletion(err instanceof Error ? err : new Error(message));
|
|
210
|
+
}
|
|
211
|
+
})();
|
|
212
|
+
const handle = {
|
|
213
|
+
sessionId,
|
|
214
|
+
authUrl: vendor.authUrl,
|
|
215
|
+
needsCodeSubmission,
|
|
216
|
+
completion,
|
|
217
|
+
submitCode: (code) => {
|
|
218
|
+
vendor.submitCode(code);
|
|
219
|
+
},
|
|
220
|
+
cancel: (reason = "Cancelled") => {
|
|
221
|
+
if (entry.state.status !== "pending")
|
|
222
|
+
return;
|
|
223
|
+
try {
|
|
224
|
+
vendor.cancel(reason);
|
|
225
|
+
}
|
|
226
|
+
catch (err) {
|
|
227
|
+
logger.debug(`[oauth-flow] vendor cancel failed: ${String(err)}`);
|
|
228
|
+
}
|
|
229
|
+
clearTimeout(timer);
|
|
230
|
+
const error = new Error(reason);
|
|
231
|
+
setTerminal({ status: "cancelled", error: reason });
|
|
232
|
+
rejectCompletion(error);
|
|
233
|
+
},
|
|
234
|
+
};
|
|
235
|
+
entry.handle = handle;
|
|
236
|
+
emit(entry);
|
|
237
|
+
return handle;
|
|
238
|
+
}
|
|
239
|
+
// Registry surface used by the SSE / cancel routes.
|
|
240
|
+
export function getFlowState(sessionId) {
|
|
241
|
+
const entry = flows.get(sessionId);
|
|
242
|
+
return entry ? entry.state : null;
|
|
243
|
+
}
|
|
244
|
+
export function getFlowHandle(sessionId) {
|
|
245
|
+
const entry = flows.get(sessionId);
|
|
246
|
+
return entry ? entry.handle : null;
|
|
247
|
+
}
|
|
248
|
+
/**
|
|
249
|
+
* Subscribe to status updates for a flow. Replays the current state
|
|
250
|
+
* synchronously so SSE consumers always receive an immediate frame.
|
|
251
|
+
* Returns an unsubscribe function.
|
|
252
|
+
*/
|
|
253
|
+
export function subscribeFlow(sessionId, listener) {
|
|
254
|
+
const entry = flows.get(sessionId);
|
|
255
|
+
if (!entry)
|
|
256
|
+
return () => { };
|
|
257
|
+
entry.listeners.add(listener);
|
|
258
|
+
// Replay current state.
|
|
259
|
+
listener(entry.state);
|
|
260
|
+
return () => {
|
|
261
|
+
entry.listeners.delete(listener);
|
|
262
|
+
};
|
|
263
|
+
}
|
|
264
|
+
export function cancelFlow(sessionId, reason) {
|
|
265
|
+
const entry = flows.get(sessionId);
|
|
266
|
+
if (!entry)
|
|
267
|
+
return false;
|
|
268
|
+
if (entry.state.status !== "pending")
|
|
269
|
+
return false;
|
|
270
|
+
entry.handle.cancel(reason);
|
|
271
|
+
return true;
|
|
272
|
+
}
|
|
273
|
+
export function submitFlowCode(sessionId, code) {
|
|
274
|
+
const entry = flows.get(sessionId);
|
|
275
|
+
if (!entry)
|
|
276
|
+
return false;
|
|
277
|
+
if (entry.state.status !== "pending")
|
|
278
|
+
return false;
|
|
279
|
+
if (!entry.state.needsCodeSubmission)
|
|
280
|
+
return false;
|
|
281
|
+
entry.handle.submitCode(code);
|
|
282
|
+
return true;
|
|
283
|
+
}
|
|
284
|
+
/**
|
|
285
|
+
* Remove every flow from the registry. Tests use this to reset
|
|
286
|
+
* between cases without resetting the whole module.
|
|
287
|
+
*/
|
|
288
|
+
export function _resetFlowRegistry() {
|
|
289
|
+
for (const entry of flows.values()) {
|
|
290
|
+
if (entry.gcTimer)
|
|
291
|
+
clearTimeout(entry.gcTimer);
|
|
292
|
+
}
|
|
293
|
+
flows.clear();
|
|
294
|
+
}
|
|
295
|
+
/**
|
|
296
|
+
* Test-only helper to seed a synthetic flow without going through the
|
|
297
|
+
* vendor layer. Used by `accounts-routes.test.ts` to assert the SSE
|
|
298
|
+
* surface streams `success` / `error` payloads correctly.
|
|
299
|
+
*/
|
|
300
|
+
export function _registerSyntheticFlow(args) {
|
|
301
|
+
const sessionId = args.sessionId ?? newSessionId();
|
|
302
|
+
const state = {
|
|
303
|
+
sessionId,
|
|
304
|
+
providerId: args.providerId,
|
|
305
|
+
status: "pending",
|
|
306
|
+
authUrl: args.authUrl,
|
|
307
|
+
needsCodeSubmission: Boolean(args.needsCodeSubmission),
|
|
308
|
+
startedAt: Date.now(),
|
|
309
|
+
};
|
|
310
|
+
const entry = {
|
|
311
|
+
state,
|
|
312
|
+
handle: {
|
|
313
|
+
sessionId,
|
|
314
|
+
authUrl: args.authUrl,
|
|
315
|
+
needsCodeSubmission: Boolean(args.needsCodeSubmission),
|
|
316
|
+
completion: new Promise(() => undefined),
|
|
317
|
+
submitCode: () => undefined,
|
|
318
|
+
cancel: () => undefined,
|
|
319
|
+
},
|
|
320
|
+
listeners: new Set(),
|
|
321
|
+
};
|
|
322
|
+
flows.set(sessionId, entry);
|
|
323
|
+
const complete = (next) => {
|
|
324
|
+
entry.state = { ...next, endedAt: next.endedAt ?? Date.now() };
|
|
325
|
+
emit(entry);
|
|
326
|
+
scheduleGc(sessionId);
|
|
327
|
+
};
|
|
328
|
+
return { sessionId, complete };
|
|
329
|
+
}
|
|
330
|
+
/** OpenAI Codex JWT carries `chatgpt_account_id` under a vendor claim. */
|
|
331
|
+
function extractCodexAccountId(accessToken) {
|
|
332
|
+
try {
|
|
333
|
+
const parts = accessToken.split(".");
|
|
334
|
+
if (parts.length !== 3)
|
|
335
|
+
return null;
|
|
336
|
+
const payload = parts[1];
|
|
337
|
+
const decoded = JSON.parse(Buffer.from(payload, "base64").toString("utf-8"));
|
|
338
|
+
const claim = decoded["https://api.openai.com/auth"];
|
|
339
|
+
if (!claim || typeof claim !== "object")
|
|
340
|
+
return null;
|
|
341
|
+
const accountId = claim.chatgpt_account_id;
|
|
342
|
+
return typeof accountId === "string" && accountId.length > 0
|
|
343
|
+
? accountId
|
|
344
|
+
: null;
|
|
345
|
+
}
|
|
346
|
+
catch {
|
|
347
|
+
return null;
|
|
348
|
+
}
|
|
349
|
+
}
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Async mutex keyed by string. Single in-flight operation per key.
|
|
3
|
+
*
|
|
4
|
+
* Used to serialize OAuth refresh attempts per `{providerId}:{accountId}`
|
|
5
|
+
* pair so concurrent `getAccessToken` calls don't race on file writes
|
|
6
|
+
* (and don't burn refresh-token grants).
|
|
7
|
+
*/
|
|
8
|
+
export declare class KeyedMutex {
|
|
9
|
+
private readonly inflight;
|
|
10
|
+
/**
|
|
11
|
+
* Run `fn` while holding the lock for `key`. Concurrent callers with
|
|
12
|
+
* the same key wait for the in-flight promise to settle, then run
|
|
13
|
+
* their own attempt — they do NOT share the result. The caller is
|
|
14
|
+
* expected to re-check state (e.g. re-read credentials) after acquire.
|
|
15
|
+
*/
|
|
16
|
+
acquire<T>(key: string, fn: () => Promise<T>): Promise<T>;
|
|
17
|
+
}
|
|
18
|
+
export declare const accountRefreshMutex: KeyedMutex;
|
|
19
|
+
//# sourceMappingURL=refresh-mutex.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"refresh-mutex.d.ts","sourceRoot":"","sources":["../../../../../../agent/src/auth/refresh-mutex.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,qBAAa,UAAU;IACrB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAuC;IAEhE;;;;;OAKG;IACG,OAAO,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC;CAehE;AAED,eAAO,MAAM,mBAAmB,YAAmB,CAAC"}
|
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Async mutex keyed by string. Single in-flight operation per key.
|
|
3
|
+
*
|
|
4
|
+
* Used to serialize OAuth refresh attempts per `{providerId}:{accountId}`
|
|
5
|
+
* pair so concurrent `getAccessToken` calls don't race on file writes
|
|
6
|
+
* (and don't burn refresh-token grants).
|
|
7
|
+
*/
|
|
8
|
+
export class KeyedMutex {
|
|
9
|
+
inflight = new Map();
|
|
10
|
+
/**
|
|
11
|
+
* Run `fn` while holding the lock for `key`. Concurrent callers with
|
|
12
|
+
* the same key wait for the in-flight promise to settle, then run
|
|
13
|
+
* their own attempt — they do NOT share the result. The caller is
|
|
14
|
+
* expected to re-check state (e.g. re-read credentials) after acquire.
|
|
15
|
+
*/
|
|
16
|
+
async acquire(key, fn) {
|
|
17
|
+
const previous = this.inflight.get(key);
|
|
18
|
+
if (previous) {
|
|
19
|
+
await previous.catch(() => { });
|
|
20
|
+
}
|
|
21
|
+
const next = (async () => fn())();
|
|
22
|
+
this.inflight.set(key, next);
|
|
23
|
+
try {
|
|
24
|
+
return await next;
|
|
25
|
+
}
|
|
26
|
+
finally {
|
|
27
|
+
if (this.inflight.get(key) === next) {
|
|
28
|
+
this.inflight.delete(key);
|
|
29
|
+
}
|
|
30
|
+
}
|
|
31
|
+
}
|
|
32
|
+
}
|
|
33
|
+
export const accountRefreshMutex = new KeyedMutex();
|
|
@@ -1,15 +1,47 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* Anthropic OAuth (Claude Pro/Max) — authorization code + PKCE.
|
|
3
3
|
* Inlined OAuth flow (MIT) — vendored to avoid a runtime dependency.
|
|
4
|
+
*
|
|
5
|
+
* Anthropic's OAuth uses a fixed redirect URI on `console.anthropic.com`
|
|
6
|
+
* that displays the auth code on completion — there's no loopback
|
|
7
|
+
* listener. The flow surfaces an `authUrl` plus a `submitCode()` hook
|
|
8
|
+
* the UI / CLI calls once the user has copied the code.
|
|
4
9
|
*/
|
|
5
10
|
export interface AnthropicOAuthCredentials {
|
|
6
11
|
refresh: string;
|
|
7
12
|
access: string;
|
|
8
13
|
expires: number;
|
|
9
14
|
}
|
|
15
|
+
/**
|
|
16
|
+
* Programmatic Anthropic OAuth flow.
|
|
17
|
+
*
|
|
18
|
+
* `authUrl` is ready immediately. The caller MUST eventually call
|
|
19
|
+
* either `submitCode(code)` (after the user has pasted the
|
|
20
|
+
* `code#state` blob from the redirect page) or `cancel()`. The
|
|
21
|
+
* `completion` promise rejects if the flow is cancelled.
|
|
22
|
+
*/
|
|
23
|
+
export interface AnthropicOAuthFlowHandle {
|
|
24
|
+
authUrl: string;
|
|
25
|
+
/** Pass `code#state` from the redirect page. */
|
|
26
|
+
submitCode: (code: string) => void;
|
|
27
|
+
/** Resolves with credentials once `submitCode` lands and the token exchange succeeds. */
|
|
28
|
+
completion: Promise<AnthropicOAuthCredentials>;
|
|
29
|
+
cancel: (reason?: string) => void;
|
|
30
|
+
}
|
|
31
|
+
/**
|
|
32
|
+
* Start an Anthropic OAuth flow. Returns immediately with the auth
|
|
33
|
+
* URL and a `submitCode` hook. The token exchange happens inside
|
|
34
|
+
* `completion` once the caller submits the code.
|
|
35
|
+
*/
|
|
36
|
+
export declare function startAnthropicOAuthFlowRaw(): Promise<AnthropicOAuthFlowHandle>;
|
|
10
37
|
/**
|
|
11
38
|
* @param onAuthUrl - Receives the browser authorization URL
|
|
12
39
|
* @param onPromptCode - Resolves with pasted code (format: code#state)
|
|
40
|
+
*
|
|
41
|
+
* Thin compatibility wrapper around `startAnthropicOAuthFlowRaw` for
|
|
42
|
+
* the CLI entrypoint and any older callers. New code should use
|
|
43
|
+
* `startAnthropicOAuthFlowRaw` (or the higher-level
|
|
44
|
+
* `startAnthropicOAuthFlow` in `auth/oauth-flow.ts`) directly.
|
|
13
45
|
*/
|
|
14
46
|
export declare function loginAnthropic(onAuthUrl: (url: string) => void, onPromptCode: () => Promise<string>): Promise<AnthropicOAuthCredentials>;
|
|
15
47
|
export declare function refreshAnthropicToken(refreshToken: string): Promise<AnthropicOAuthCredentials>;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"anthropic-login.d.ts","sourceRoot":"","sources":["../../../../../../../../agent/src/auth/vendor/pi-oauth/anthropic-login.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"anthropic-login.d.ts","sourceRoot":"","sources":["../../../../../../../../agent/src/auth/vendor/pi-oauth/anthropic-login.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAWH,MAAM,WAAW,yBAAyB;IACxC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,MAAM,CAAC;IAChB,gDAAgD;IAChD,UAAU,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;IACnC,yFAAyF;IACzF,UAAU,EAAE,OAAO,CAAC,yBAAyB,CAAC,CAAC;IAC/C,MAAM,EAAE,CAAC,MAAM,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC;CACnC;AAED;;;;GAIG;AACH,wBAAsB,0BAA0B,IAAI,OAAO,CAAC,wBAAwB,CAAC,CA6DpF;AAED;;;;;;;;GAQG;AACH,wBAAsB,cAAc,CAClC,SAAS,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,EAChC,YAAY,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,GAClC,OAAO,CAAC,yBAAyB,CAAC,CAMpC;AAED,wBAAsB,qBAAqB,CACzC,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,yBAAyB,CAAC,CAwBpC"}
|
|
@@ -1,6 +1,11 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* Anthropic OAuth (Claude Pro/Max) — authorization code + PKCE.
|
|
3
3
|
* Inlined OAuth flow (MIT) — vendored to avoid a runtime dependency.
|
|
4
|
+
*
|
|
5
|
+
* Anthropic's OAuth uses a fixed redirect URI on `console.anthropic.com`
|
|
6
|
+
* that displays the auth code on completion — there's no loopback
|
|
7
|
+
* listener. The flow surfaces an `authUrl` plus a `submitCode()` hook
|
|
8
|
+
* the UI / CLI calls once the user has copied the code.
|
|
4
9
|
*/
|
|
5
10
|
import { generatePKCE } from "./pkce.js";
|
|
6
11
|
const decode = (s) => atob(s);
|
|
@@ -10,10 +15,11 @@ const TOKEN_URL = "https://console.anthropic.com/v1/oauth/token";
|
|
|
10
15
|
const REDIRECT_URI = "https://console.anthropic.com/oauth/code/callback";
|
|
11
16
|
const SCOPES = "org:create_api_key user:profile user:inference";
|
|
12
17
|
/**
|
|
13
|
-
*
|
|
14
|
-
*
|
|
18
|
+
* Start an Anthropic OAuth flow. Returns immediately with the auth
|
|
19
|
+
* URL and a `submitCode` hook. The token exchange happens inside
|
|
20
|
+
* `completion` once the caller submits the code.
|
|
15
21
|
*/
|
|
16
|
-
export async function
|
|
22
|
+
export async function startAnthropicOAuthFlowRaw() {
|
|
17
23
|
const { verifier, challenge } = await generatePKCE();
|
|
18
24
|
const authParams = new URLSearchParams({
|
|
19
25
|
code: "true",
|
|
@@ -26,35 +32,64 @@ export async function loginAnthropic(onAuthUrl, onPromptCode) {
|
|
|
26
32
|
state: verifier,
|
|
27
33
|
});
|
|
28
34
|
const authUrl = `${AUTHORIZE_URL}?${authParams.toString()}`;
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
const
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
const tokenResponse = await fetch(TOKEN_URL, {
|
|
35
|
-
method: "POST",
|
|
36
|
-
headers: { "Content-Type": "application/json" },
|
|
37
|
-
body: JSON.stringify({
|
|
38
|
-
grant_type: "authorization_code",
|
|
39
|
-
client_id: CLIENT_ID,
|
|
40
|
-
code,
|
|
41
|
-
state,
|
|
42
|
-
redirect_uri: REDIRECT_URI,
|
|
43
|
-
code_verifier: verifier,
|
|
44
|
-
}),
|
|
35
|
+
let resolveCode = null;
|
|
36
|
+
let rejectCode = null;
|
|
37
|
+
const codePromise = new Promise((resolve, reject) => {
|
|
38
|
+
resolveCode = resolve;
|
|
39
|
+
rejectCode = reject;
|
|
45
40
|
});
|
|
46
|
-
|
|
47
|
-
const
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
41
|
+
const completion = (async () => {
|
|
42
|
+
const authCode = await codePromise;
|
|
43
|
+
const splits = authCode.split("#");
|
|
44
|
+
const code = splits[0];
|
|
45
|
+
const state = splits[1];
|
|
46
|
+
const tokenResponse = await fetch(TOKEN_URL, {
|
|
47
|
+
method: "POST",
|
|
48
|
+
headers: { "Content-Type": "application/json" },
|
|
49
|
+
body: JSON.stringify({
|
|
50
|
+
grant_type: "authorization_code",
|
|
51
|
+
client_id: CLIENT_ID,
|
|
52
|
+
code,
|
|
53
|
+
state,
|
|
54
|
+
redirect_uri: REDIRECT_URI,
|
|
55
|
+
code_verifier: verifier,
|
|
56
|
+
}),
|
|
57
|
+
});
|
|
58
|
+
if (!tokenResponse.ok) {
|
|
59
|
+
const errText = await tokenResponse.text();
|
|
60
|
+
throw new Error(`Token exchange failed: ${errText}`);
|
|
61
|
+
}
|
|
62
|
+
const tokenData = (await tokenResponse.json());
|
|
63
|
+
const expiresAt = Date.now() + tokenData.expires_in * 1000 - 5 * 60 * 1000;
|
|
64
|
+
return {
|
|
65
|
+
refresh: tokenData.refresh_token,
|
|
66
|
+
access: tokenData.access_token,
|
|
67
|
+
expires: expiresAt,
|
|
68
|
+
};
|
|
69
|
+
})();
|
|
52
70
|
return {
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
71
|
+
authUrl,
|
|
72
|
+
submitCode: (code) => resolveCode?.(code),
|
|
73
|
+
completion,
|
|
74
|
+
cancel: (reason = "Cancelled") => rejectCode?.(new Error(reason)),
|
|
56
75
|
};
|
|
57
76
|
}
|
|
77
|
+
/**
|
|
78
|
+
* @param onAuthUrl - Receives the browser authorization URL
|
|
79
|
+
* @param onPromptCode - Resolves with pasted code (format: code#state)
|
|
80
|
+
*
|
|
81
|
+
* Thin compatibility wrapper around `startAnthropicOAuthFlowRaw` for
|
|
82
|
+
* the CLI entrypoint and any older callers. New code should use
|
|
83
|
+
* `startAnthropicOAuthFlowRaw` (or the higher-level
|
|
84
|
+
* `startAnthropicOAuthFlow` in `auth/oauth-flow.ts`) directly.
|
|
85
|
+
*/
|
|
86
|
+
export async function loginAnthropic(onAuthUrl, onPromptCode) {
|
|
87
|
+
const handle = await startAnthropicOAuthFlowRaw();
|
|
88
|
+
onAuthUrl(handle.authUrl);
|
|
89
|
+
const code = await onPromptCode();
|
|
90
|
+
handle.submitCode(code);
|
|
91
|
+
return handle.completion;
|
|
92
|
+
}
|
|
58
93
|
export async function refreshAnthropicToken(refreshToken) {
|
|
59
94
|
const response = await fetch(TOKEN_URL, {
|
|
60
95
|
method: "POST",
|
|
@@ -413,7 +413,7 @@ const FIELD_HELP = {
|
|
|
413
413
|
"diagnostics.cacheTrace.includePrompt": "Include prompt text in trace output (default: true).",
|
|
414
414
|
"diagnostics.cacheTrace.includeSystem": "Include system prompt in trace output (default: true).",
|
|
415
415
|
"tools.exec.applyPatch.enabled": "Experimental. Enables apply_patch for OpenAI models when allowed by tool policy.",
|
|
416
|
-
"tools.exec.applyPatch.allowModels": 'Optional allowlist of model ids (e.g. "gpt-5.
|
|
416
|
+
"tools.exec.applyPatch.allowModels": 'Optional allowlist of model ids (e.g. "gpt-5.5" or "openai/gpt-5.5").',
|
|
417
417
|
"tools.exec.notifyOnExit": "When true (default), backgrounded exec sessions enqueue a system event and request a heartbeat on exit.",
|
|
418
418
|
"tools.exec.pathPrepend": "Directories to prepend to PATH for exec runs (gateway/sandbox).",
|
|
419
419
|
"tools.exec.safeBins": "Allow stdin-only safe binaries to run without explicit allowlist entries.",
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import type { RolesConfig, SessionConfig, SessionSendPolicyConfig } from "@elizaos/core";
|
|
2
2
|
import type { CustomActionDef, DatabaseProviderType, MediaConfig, ReleaseChannel } from "../contracts/config.js";
|
|
3
|
-
import type { DeploymentTargetConfig,
|
|
3
|
+
import type { DeploymentTargetConfig, LinkedAccountFlagsConfig, ServiceRoutingConfig } from "../contracts/service-routing.js";
|
|
4
4
|
import type { AgentBinding, AgentsConfig } from "./types.agents.js";
|
|
5
5
|
import type { DiscoveryConfig, GatewayConfig, TalkConfig } from "./types.gateway.js";
|
|
6
6
|
import type { HooksConfig } from "./types.hooks.js";
|
|
@@ -649,8 +649,13 @@ export type ElizaConfig = {
|
|
|
649
649
|
};
|
|
650
650
|
/** Deployment target for the current agent runtime. */
|
|
651
651
|
deploymentTarget?: DeploymentTargetConfig;
|
|
652
|
-
/**
|
|
653
|
-
|
|
652
|
+
/**
|
|
653
|
+
* Legacy linked-account flags persisted in `milady.json` (e.g.
|
|
654
|
+
* `linkedAccounts.elizacloud.status === "linked"`). Per-account
|
|
655
|
+
* credential records live under `~/.eliza/auth/{providerId}/...`
|
|
656
|
+
* and are surfaced via the WS3 accounts API, not this config.
|
|
657
|
+
*/
|
|
658
|
+
linkedAccounts?: LinkedAccountFlagsConfig;
|
|
654
659
|
/** Canonical per-capability routing for AI and cloud-backed services. */
|
|
655
660
|
serviceRouting?: ServiceRoutingConfig;
|
|
656
661
|
/** CUA (Computer Use Agent) cloud sandbox configuration. */
|