@elizaos/ui 2.0.0-alpha.411 → 2.0.0-alpha.414

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (64) hide show
  1. package/apps/app-companion/src/components/companion/CompanionAppView.d.ts.map +1 -1
  2. package/apps/app-companion/src/components/companion/CompanionAppView.js +5 -5
  3. package/apps/app-companion/src/components/companion/CompanionView.d.ts.map +1 -1
  4. package/apps/app-companion/src/components/companion/CompanionView.js +5 -5
  5. package/package.json +1 -1
  6. package/packages/agent/src/api/model-provider-helpers.js +10 -10
  7. package/packages/agent/src/api/provider-switch-config.d.ts +3 -3
  8. package/packages/agent/src/api/provider-switch-config.d.ts.map +1 -1
  9. package/packages/agent/src/api/provider-switch-config.js +2 -2
  10. package/packages/agent/src/auth/account-storage.d.ts +48 -0
  11. package/packages/agent/src/auth/account-storage.d.ts.map +1 -0
  12. package/packages/agent/src/auth/account-storage.js +238 -0
  13. package/packages/agent/src/auth/credentials.d.ts +44 -25
  14. package/packages/agent/src/auth/credentials.d.ts.map +1 -1
  15. package/packages/agent/src/auth/credentials.js +175 -137
  16. package/packages/agent/src/auth/index.d.ts +2 -0
  17. package/packages/agent/src/auth/index.d.ts.map +1 -1
  18. package/packages/agent/src/auth/index.js +2 -0
  19. package/packages/agent/src/auth/oauth-flow.d.ts +106 -0
  20. package/packages/agent/src/auth/oauth-flow.d.ts.map +1 -0
  21. package/packages/agent/src/auth/oauth-flow.js +349 -0
  22. package/packages/agent/src/auth/refresh-mutex.d.ts +19 -0
  23. package/packages/agent/src/auth/refresh-mutex.d.ts.map +1 -0
  24. package/packages/agent/src/auth/refresh-mutex.js +33 -0
  25. package/packages/agent/src/auth/vendor/pi-oauth/anthropic-login.d.ts +32 -0
  26. package/packages/agent/src/auth/vendor/pi-oauth/anthropic-login.d.ts.map +1 -1
  27. package/packages/agent/src/auth/vendor/pi-oauth/anthropic-login.js +63 -28
  28. package/packages/agent/src/config/schema.js +1 -1
  29. package/packages/agent/src/config/types.eliza.d.ts +8 -3
  30. package/packages/agent/src/config/types.eliza.d.ts.map +1 -1
  31. package/packages/agent/src/config/types.messages.d.ts +1 -1
  32. package/packages/agent/src/config/types.tools.d.ts +1 -1
  33. package/packages/agent/src/runtime/eliza.js +3 -3
  34. package/packages/app-core/src/components/apps/launch-history.d.ts.map +1 -1
  35. package/packages/app-core/src/components/auth/LoginView.d.ts +1 -1
  36. package/packages/app-core/src/components/auth/LoginView.d.ts.map +1 -1
  37. package/packages/app-core/src/components/auth/LoginView.js +1 -1
  38. package/packages/app-core/src/components/conversations/conversation-utils.js +4 -4
  39. package/packages/app-core/src/components/pages/AppDetailsView.d.ts.map +1 -1
  40. package/packages/app-core/src/components/pages/AppDetailsView.js +10 -10
  41. package/packages/app-core/src/components/pages/AppsView.d.ts.map +1 -1
  42. package/packages/app-core/src/components/pages/AppsView.js +1 -0
  43. package/packages/app-core/src/components/pages/AutomationsView.d.ts.map +1 -1
  44. package/packages/app-core/src/components/pages/AutomationsView.js +0 -1
  45. package/packages/app-core/src/components/settings/ProviderSwitcher.d.ts.map +1 -1
  46. package/packages/app-core/src/components/settings/ProviderSwitcher.js +1 -1
  47. package/packages/app-core/src/components/settings/SubscriptionStatus.d.ts +2 -0
  48. package/packages/app-core/src/components/settings/SubscriptionStatus.d.ts.map +1 -1
  49. package/packages/app-core/src/onboarding-config.d.ts +2 -2
  50. package/packages/app-core/src/onboarding-config.d.ts.map +1 -1
  51. package/packages/app-core/src/services/auth-store.d.ts.map +1 -1
  52. package/packages/app-core/src/shell/AppWindowRenderer.d.ts.map +1 -1
  53. package/packages/app-core/src/shell/AppWindowRenderer.js +11 -17
  54. package/packages/app-core/src/shell/DetachedShellRoot.d.ts.map +1 -1
  55. package/packages/app-core/src/state/startup-phase-poll.js +1 -1
  56. package/packages/app-core/src/state/useOnboardingState.js +1 -1
  57. package/packages/shared/src/config/types.eliza.d.ts +8 -3
  58. package/packages/shared/src/config/types.eliza.d.ts.map +1 -1
  59. package/packages/shared/src/contracts/onboarding.d.ts +10 -2
  60. package/packages/shared/src/contracts/onboarding.d.ts.map +1 -1
  61. package/packages/shared/src/contracts/onboarding.js +2 -2
  62. package/packages/shared/src/contracts/service-routing.d.ts +87 -3
  63. package/packages/shared/src/contracts/service-routing.d.ts.map +1 -1
  64. package/packages/shared/src/contracts/service-routing.js +171 -3
@@ -0,0 +1,349 @@
1
+ /**
2
+ * OAuth flow orchestration registry.
3
+ *
4
+ * Wraps the provider-specific programmatic OAuth helpers
5
+ * (`startAnthropicOAuthFlowRaw` from
6
+ * `vendor/pi-oauth/anthropic-login.ts` and the loopback-listener flow
7
+ * in `openai-codex.ts`) with:
8
+ *
9
+ * - a 5-minute timeout per flow,
10
+ * - automatic `saveAccount(...)` after token exchange,
11
+ * - an in-memory registry keyed by `sessionId` so the HTTP API can
12
+ * stream progress over SSE and the CLI can `await` completion,
13
+ * - garbage collection 10 minutes after a flow reaches a terminal
14
+ * state.
15
+ *
16
+ * Both the CLI and the new accounts-routes HTTP endpoints drive flows
17
+ * through this module — there is no direct caller of the vendor-level
18
+ * OAuth helpers anymore.
19
+ */
20
+ import crypto from "node:crypto";
21
+ import { logger } from "@elizaos/core";
22
+ import { saveAccount, } from "./account-storage.js";
23
+ import { startCodexLogin } from "./openai-codex.js";
24
+ import { startAnthropicOAuthFlowRaw, } from "./vendor/pi-oauth/anthropic-login.js";
25
+ const FLOW_TIMEOUT_MS = 5 * 60 * 1000;
26
+ const FLOW_GC_MS = 10 * 60 * 1000;
27
+ const flows = new Map();
28
+ function newSessionId() {
29
+ return crypto.randomUUID();
30
+ }
31
+ function emit(entry) {
32
+ for (const listener of entry.listeners) {
33
+ listener(entry.state);
34
+ }
35
+ }
36
+ function scheduleGc(sessionId) {
37
+ const entry = flows.get(sessionId);
38
+ if (!entry)
39
+ return;
40
+ if (entry.gcTimer)
41
+ clearTimeout(entry.gcTimer);
42
+ entry.gcTimer = setTimeout(() => {
43
+ flows.delete(sessionId);
44
+ }, FLOW_GC_MS);
45
+ }
46
+ function resolveAccountId(opts) {
47
+ return opts.accountId?.trim() || crypto.randomUUID();
48
+ }
49
+ /**
50
+ * Build an `AccountCredentialRecord` and persist it via `saveAccount`.
51
+ * Returns the canonical record (with `createdAt`/`updatedAt` filled).
52
+ */
53
+ function persistAccount(args) {
54
+ const now = Date.now();
55
+ const record = {
56
+ id: args.accountId,
57
+ providerId: args.providerId,
58
+ label: args.label,
59
+ source: "oauth",
60
+ credentials: {
61
+ access: args.access,
62
+ refresh: args.refresh,
63
+ expires: args.expires,
64
+ },
65
+ createdAt: now,
66
+ updatedAt: now,
67
+ ...(args.organizationId ? { organizationId: args.organizationId } : {}),
68
+ ...(args.email ? { email: args.email } : {}),
69
+ };
70
+ saveAccount(record);
71
+ return record;
72
+ }
73
+ // Anthropic.
74
+ /**
75
+ * Start a programmatic Anthropic OAuth flow. Anthropic's redirect URI
76
+ * is hardcoded to `console.anthropic.com/oauth/code/callback` — the
77
+ * UI must surface the auth URL, prompt the user to copy the
78
+ * `code#state` blob, and call `submitCode()` with it. Once the code is
79
+ * submitted, the token exchange runs and the account is persisted.
80
+ */
81
+ export function startAnthropicOAuthFlow(opts) {
82
+ return startGenericFlow({
83
+ providerId: "anthropic-subscription",
84
+ opts,
85
+ needsCodeSubmission: true,
86
+ begin: async () => {
87
+ const raw = await startAnthropicOAuthFlowRaw();
88
+ const completion = (async () => {
89
+ const creds = await raw.completion;
90
+ return { creds };
91
+ })();
92
+ return {
93
+ authUrl: raw.authUrl,
94
+ completion,
95
+ submitCode: raw.submitCode,
96
+ cancel: raw.cancel,
97
+ };
98
+ },
99
+ });
100
+ }
101
+ // Codex (OpenAI ChatGPT subscription).
102
+ /**
103
+ * Start a programmatic Codex OAuth flow. Codex has a loopback listener
104
+ * on :1455, so the user just signs in in the browser and the listener
105
+ * picks up the redirect — `submitCode()` is a no-op. The accountId
106
+ * baked into the JWT is preserved on `LinkedAccountConfig.organizationId`
107
+ * (used by the Codex usage probe via the `ChatGPT-Account-Id` header).
108
+ */
109
+ export function startCodexOAuthFlow(opts) {
110
+ return startGenericFlow({
111
+ providerId: "openai-codex",
112
+ opts,
113
+ needsCodeSubmission: false,
114
+ begin: async () => {
115
+ const flow = await startCodexLogin();
116
+ const completion = (async () => {
117
+ const creds = await flow.credentials;
118
+ return { creds, codexFlow: flow };
119
+ })();
120
+ return {
121
+ authUrl: flow.authUrl,
122
+ completion,
123
+ submitCode: (code) => flow.submitCode(code),
124
+ cancel: () => flow.close(),
125
+ };
126
+ },
127
+ });
128
+ }
129
+ async function startGenericFlow(args) {
130
+ const { providerId, opts, needsCodeSubmission, begin } = args;
131
+ const sessionId = newSessionId();
132
+ const accountId = resolveAccountId(opts);
133
+ const vendor = await begin();
134
+ const startedAt = Date.now();
135
+ const initialState = {
136
+ sessionId,
137
+ providerId,
138
+ status: "pending",
139
+ authUrl: vendor.authUrl,
140
+ needsCodeSubmission,
141
+ startedAt,
142
+ };
143
+ let resolveCompletion;
144
+ let rejectCompletion;
145
+ const completion = new Promise((resolve, reject) => {
146
+ resolveCompletion = resolve;
147
+ rejectCompletion = reject;
148
+ });
149
+ const entry = {
150
+ state: initialState,
151
+ handle: {}, // filled below
152
+ listeners: new Set(),
153
+ };
154
+ flows.set(sessionId, entry);
155
+ const setTerminal = (next) => {
156
+ if (entry.state.status !== "pending")
157
+ return;
158
+ entry.state = {
159
+ ...entry.state,
160
+ ...next,
161
+ endedAt: Date.now(),
162
+ };
163
+ emit(entry);
164
+ scheduleGc(sessionId);
165
+ };
166
+ const timer = setTimeout(() => {
167
+ const err = new Error("OAuth flow timed out after 5 minutes");
168
+ try {
169
+ vendor.cancel("timeout");
170
+ }
171
+ catch (cancelErr) {
172
+ logger.debug(`[oauth-flow] cancel during timeout failed: ${String(cancelErr)}`);
173
+ }
174
+ setTerminal({ status: "timeout", error: err.message });
175
+ rejectCompletion(err);
176
+ }, FLOW_TIMEOUT_MS);
177
+ // Drive the vendor completion through to account-save and listener emit.
178
+ void (async () => {
179
+ try {
180
+ const { creds } = await vendor.completion;
181
+ clearTimeout(timer);
182
+ let organizationId;
183
+ // Codex bakes the account_id into the JWT — pull it back out for
184
+ // the usage probe header.
185
+ if (providerId === "openai-codex") {
186
+ const codexAccountId = extractCodexAccountId(creds.access);
187
+ if (codexAccountId)
188
+ organizationId = codexAccountId;
189
+ }
190
+ const record = persistAccount({
191
+ providerId,
192
+ accountId,
193
+ label: opts.label,
194
+ access: creds.access,
195
+ refresh: creds.refresh,
196
+ expires: creds.expires,
197
+ ...(organizationId ? { organizationId } : {}),
198
+ });
199
+ if (opts.onAccountSaved) {
200
+ await opts.onAccountSaved(record);
201
+ }
202
+ setTerminal({ status: "success", account: record });
203
+ resolveCompletion({ account: record });
204
+ }
205
+ catch (err) {
206
+ clearTimeout(timer);
207
+ const message = err instanceof Error ? err.message : String(err);
208
+ setTerminal({ status: "error", error: message });
209
+ rejectCompletion(err instanceof Error ? err : new Error(message));
210
+ }
211
+ })();
212
+ const handle = {
213
+ sessionId,
214
+ authUrl: vendor.authUrl,
215
+ needsCodeSubmission,
216
+ completion,
217
+ submitCode: (code) => {
218
+ vendor.submitCode(code);
219
+ },
220
+ cancel: (reason = "Cancelled") => {
221
+ if (entry.state.status !== "pending")
222
+ return;
223
+ try {
224
+ vendor.cancel(reason);
225
+ }
226
+ catch (err) {
227
+ logger.debug(`[oauth-flow] vendor cancel failed: ${String(err)}`);
228
+ }
229
+ clearTimeout(timer);
230
+ const error = new Error(reason);
231
+ setTerminal({ status: "cancelled", error: reason });
232
+ rejectCompletion(error);
233
+ },
234
+ };
235
+ entry.handle = handle;
236
+ emit(entry);
237
+ return handle;
238
+ }
239
+ // Registry surface used by the SSE / cancel routes.
240
+ export function getFlowState(sessionId) {
241
+ const entry = flows.get(sessionId);
242
+ return entry ? entry.state : null;
243
+ }
244
+ export function getFlowHandle(sessionId) {
245
+ const entry = flows.get(sessionId);
246
+ return entry ? entry.handle : null;
247
+ }
248
+ /**
249
+ * Subscribe to status updates for a flow. Replays the current state
250
+ * synchronously so SSE consumers always receive an immediate frame.
251
+ * Returns an unsubscribe function.
252
+ */
253
+ export function subscribeFlow(sessionId, listener) {
254
+ const entry = flows.get(sessionId);
255
+ if (!entry)
256
+ return () => { };
257
+ entry.listeners.add(listener);
258
+ // Replay current state.
259
+ listener(entry.state);
260
+ return () => {
261
+ entry.listeners.delete(listener);
262
+ };
263
+ }
264
+ export function cancelFlow(sessionId, reason) {
265
+ const entry = flows.get(sessionId);
266
+ if (!entry)
267
+ return false;
268
+ if (entry.state.status !== "pending")
269
+ return false;
270
+ entry.handle.cancel(reason);
271
+ return true;
272
+ }
273
+ export function submitFlowCode(sessionId, code) {
274
+ const entry = flows.get(sessionId);
275
+ if (!entry)
276
+ return false;
277
+ if (entry.state.status !== "pending")
278
+ return false;
279
+ if (!entry.state.needsCodeSubmission)
280
+ return false;
281
+ entry.handle.submitCode(code);
282
+ return true;
283
+ }
284
+ /**
285
+ * Remove every flow from the registry. Tests use this to reset
286
+ * between cases without resetting the whole module.
287
+ */
288
+ export function _resetFlowRegistry() {
289
+ for (const entry of flows.values()) {
290
+ if (entry.gcTimer)
291
+ clearTimeout(entry.gcTimer);
292
+ }
293
+ flows.clear();
294
+ }
295
+ /**
296
+ * Test-only helper to seed a synthetic flow without going through the
297
+ * vendor layer. Used by `accounts-routes.test.ts` to assert the SSE
298
+ * surface streams `success` / `error` payloads correctly.
299
+ */
300
+ export function _registerSyntheticFlow(args) {
301
+ const sessionId = args.sessionId ?? newSessionId();
302
+ const state = {
303
+ sessionId,
304
+ providerId: args.providerId,
305
+ status: "pending",
306
+ authUrl: args.authUrl,
307
+ needsCodeSubmission: Boolean(args.needsCodeSubmission),
308
+ startedAt: Date.now(),
309
+ };
310
+ const entry = {
311
+ state,
312
+ handle: {
313
+ sessionId,
314
+ authUrl: args.authUrl,
315
+ needsCodeSubmission: Boolean(args.needsCodeSubmission),
316
+ completion: new Promise(() => undefined),
317
+ submitCode: () => undefined,
318
+ cancel: () => undefined,
319
+ },
320
+ listeners: new Set(),
321
+ };
322
+ flows.set(sessionId, entry);
323
+ const complete = (next) => {
324
+ entry.state = { ...next, endedAt: next.endedAt ?? Date.now() };
325
+ emit(entry);
326
+ scheduleGc(sessionId);
327
+ };
328
+ return { sessionId, complete };
329
+ }
330
+ /** OpenAI Codex JWT carries `chatgpt_account_id` under a vendor claim. */
331
+ function extractCodexAccountId(accessToken) {
332
+ try {
333
+ const parts = accessToken.split(".");
334
+ if (parts.length !== 3)
335
+ return null;
336
+ const payload = parts[1];
337
+ const decoded = JSON.parse(Buffer.from(payload, "base64").toString("utf-8"));
338
+ const claim = decoded["https://api.openai.com/auth"];
339
+ if (!claim || typeof claim !== "object")
340
+ return null;
341
+ const accountId = claim.chatgpt_account_id;
342
+ return typeof accountId === "string" && accountId.length > 0
343
+ ? accountId
344
+ : null;
345
+ }
346
+ catch {
347
+ return null;
348
+ }
349
+ }
@@ -0,0 +1,19 @@
1
+ /**
2
+ * Async mutex keyed by string. Single in-flight operation per key.
3
+ *
4
+ * Used to serialize OAuth refresh attempts per `{providerId}:{accountId}`
5
+ * pair so concurrent `getAccessToken` calls don't race on file writes
6
+ * (and don't burn refresh-token grants).
7
+ */
8
+ export declare class KeyedMutex {
9
+ private readonly inflight;
10
+ /**
11
+ * Run `fn` while holding the lock for `key`. Concurrent callers with
12
+ * the same key wait for the in-flight promise to settle, then run
13
+ * their own attempt — they do NOT share the result. The caller is
14
+ * expected to re-check state (e.g. re-read credentials) after acquire.
15
+ */
16
+ acquire<T>(key: string, fn: () => Promise<T>): Promise<T>;
17
+ }
18
+ export declare const accountRefreshMutex: KeyedMutex;
19
+ //# sourceMappingURL=refresh-mutex.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"refresh-mutex.d.ts","sourceRoot":"","sources":["../../../../../../agent/src/auth/refresh-mutex.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,qBAAa,UAAU;IACrB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAuC;IAEhE;;;;;OAKG;IACG,OAAO,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC;CAehE;AAED,eAAO,MAAM,mBAAmB,YAAmB,CAAC"}
@@ -0,0 +1,33 @@
1
+ /**
2
+ * Async mutex keyed by string. Single in-flight operation per key.
3
+ *
4
+ * Used to serialize OAuth refresh attempts per `{providerId}:{accountId}`
5
+ * pair so concurrent `getAccessToken` calls don't race on file writes
6
+ * (and don't burn refresh-token grants).
7
+ */
8
+ export class KeyedMutex {
9
+ inflight = new Map();
10
+ /**
11
+ * Run `fn` while holding the lock for `key`. Concurrent callers with
12
+ * the same key wait for the in-flight promise to settle, then run
13
+ * their own attempt — they do NOT share the result. The caller is
14
+ * expected to re-check state (e.g. re-read credentials) after acquire.
15
+ */
16
+ async acquire(key, fn) {
17
+ const previous = this.inflight.get(key);
18
+ if (previous) {
19
+ await previous.catch(() => { });
20
+ }
21
+ const next = (async () => fn())();
22
+ this.inflight.set(key, next);
23
+ try {
24
+ return await next;
25
+ }
26
+ finally {
27
+ if (this.inflight.get(key) === next) {
28
+ this.inflight.delete(key);
29
+ }
30
+ }
31
+ }
32
+ }
33
+ export const accountRefreshMutex = new KeyedMutex();
@@ -1,15 +1,47 @@
1
1
  /**
2
2
  * Anthropic OAuth (Claude Pro/Max) — authorization code + PKCE.
3
3
  * Inlined OAuth flow (MIT) — vendored to avoid a runtime dependency.
4
+ *
5
+ * Anthropic's OAuth uses a fixed redirect URI on `console.anthropic.com`
6
+ * that displays the auth code on completion — there's no loopback
7
+ * listener. The flow surfaces an `authUrl` plus a `submitCode()` hook
8
+ * the UI / CLI calls once the user has copied the code.
4
9
  */
5
10
  export interface AnthropicOAuthCredentials {
6
11
  refresh: string;
7
12
  access: string;
8
13
  expires: number;
9
14
  }
15
+ /**
16
+ * Programmatic Anthropic OAuth flow.
17
+ *
18
+ * `authUrl` is ready immediately. The caller MUST eventually call
19
+ * either `submitCode(code)` (after the user has pasted the
20
+ * `code#state` blob from the redirect page) or `cancel()`. The
21
+ * `completion` promise rejects if the flow is cancelled.
22
+ */
23
+ export interface AnthropicOAuthFlowHandle {
24
+ authUrl: string;
25
+ /** Pass `code#state` from the redirect page. */
26
+ submitCode: (code: string) => void;
27
+ /** Resolves with credentials once `submitCode` lands and the token exchange succeeds. */
28
+ completion: Promise<AnthropicOAuthCredentials>;
29
+ cancel: (reason?: string) => void;
30
+ }
31
+ /**
32
+ * Start an Anthropic OAuth flow. Returns immediately with the auth
33
+ * URL and a `submitCode` hook. The token exchange happens inside
34
+ * `completion` once the caller submits the code.
35
+ */
36
+ export declare function startAnthropicOAuthFlowRaw(): Promise<AnthropicOAuthFlowHandle>;
10
37
  /**
11
38
  * @param onAuthUrl - Receives the browser authorization URL
12
39
  * @param onPromptCode - Resolves with pasted code (format: code#state)
40
+ *
41
+ * Thin compatibility wrapper around `startAnthropicOAuthFlowRaw` for
42
+ * the CLI entrypoint and any older callers. New code should use
43
+ * `startAnthropicOAuthFlowRaw` (or the higher-level
44
+ * `startAnthropicOAuthFlow` in `auth/oauth-flow.ts`) directly.
13
45
  */
14
46
  export declare function loginAnthropic(onAuthUrl: (url: string) => void, onPromptCode: () => Promise<string>): Promise<AnthropicOAuthCredentials>;
15
47
  export declare function refreshAnthropicToken(refreshToken: string): Promise<AnthropicOAuthCredentials>;
@@ -1 +1 @@
1
- {"version":3,"file":"anthropic-login.d.ts","sourceRoot":"","sources":["../../../../../../../../agent/src/auth/vendor/pi-oauth/anthropic-login.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAWH,MAAM,WAAW,yBAAyB;IACxC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAClC,SAAS,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,EAChC,YAAY,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,GAClC,OAAO,CAAC,yBAAyB,CAAC,CA6CpC;AAED,wBAAsB,qBAAqB,CACzC,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,yBAAyB,CAAC,CAwBpC"}
1
+ {"version":3,"file":"anthropic-login.d.ts","sourceRoot":"","sources":["../../../../../../../../agent/src/auth/vendor/pi-oauth/anthropic-login.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAWH,MAAM,WAAW,yBAAyB;IACxC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,MAAM,CAAC;IAChB,gDAAgD;IAChD,UAAU,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;IACnC,yFAAyF;IACzF,UAAU,EAAE,OAAO,CAAC,yBAAyB,CAAC,CAAC;IAC/C,MAAM,EAAE,CAAC,MAAM,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC;CACnC;AAED;;;;GAIG;AACH,wBAAsB,0BAA0B,IAAI,OAAO,CAAC,wBAAwB,CAAC,CA6DpF;AAED;;;;;;;;GAQG;AACH,wBAAsB,cAAc,CAClC,SAAS,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,EAChC,YAAY,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,GAClC,OAAO,CAAC,yBAAyB,CAAC,CAMpC;AAED,wBAAsB,qBAAqB,CACzC,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,yBAAyB,CAAC,CAwBpC"}
@@ -1,6 +1,11 @@
1
1
  /**
2
2
  * Anthropic OAuth (Claude Pro/Max) — authorization code + PKCE.
3
3
  * Inlined OAuth flow (MIT) — vendored to avoid a runtime dependency.
4
+ *
5
+ * Anthropic's OAuth uses a fixed redirect URI on `console.anthropic.com`
6
+ * that displays the auth code on completion — there's no loopback
7
+ * listener. The flow surfaces an `authUrl` plus a `submitCode()` hook
8
+ * the UI / CLI calls once the user has copied the code.
4
9
  */
5
10
  import { generatePKCE } from "./pkce.js";
6
11
  const decode = (s) => atob(s);
@@ -10,10 +15,11 @@ const TOKEN_URL = "https://console.anthropic.com/v1/oauth/token";
10
15
  const REDIRECT_URI = "https://console.anthropic.com/oauth/code/callback";
11
16
  const SCOPES = "org:create_api_key user:profile user:inference";
12
17
  /**
13
- * @param onAuthUrl - Receives the browser authorization URL
14
- * @param onPromptCode - Resolves with pasted code (format: code#state)
18
+ * Start an Anthropic OAuth flow. Returns immediately with the auth
19
+ * URL and a `submitCode` hook. The token exchange happens inside
20
+ * `completion` once the caller submits the code.
15
21
  */
16
- export async function loginAnthropic(onAuthUrl, onPromptCode) {
22
+ export async function startAnthropicOAuthFlowRaw() {
17
23
  const { verifier, challenge } = await generatePKCE();
18
24
  const authParams = new URLSearchParams({
19
25
  code: "true",
@@ -26,35 +32,64 @@ export async function loginAnthropic(onAuthUrl, onPromptCode) {
26
32
  state: verifier,
27
33
  });
28
34
  const authUrl = `${AUTHORIZE_URL}?${authParams.toString()}`;
29
- onAuthUrl(authUrl);
30
- const authCode = await onPromptCode();
31
- const splits = authCode.split("#");
32
- const code = splits[0];
33
- const state = splits[1];
34
- const tokenResponse = await fetch(TOKEN_URL, {
35
- method: "POST",
36
- headers: { "Content-Type": "application/json" },
37
- body: JSON.stringify({
38
- grant_type: "authorization_code",
39
- client_id: CLIENT_ID,
40
- code,
41
- state,
42
- redirect_uri: REDIRECT_URI,
43
- code_verifier: verifier,
44
- }),
35
+ let resolveCode = null;
36
+ let rejectCode = null;
37
+ const codePromise = new Promise((resolve, reject) => {
38
+ resolveCode = resolve;
39
+ rejectCode = reject;
45
40
  });
46
- if (!tokenResponse.ok) {
47
- const errText = await tokenResponse.text();
48
- throw new Error(`Token exchange failed: ${errText}`);
49
- }
50
- const tokenData = (await tokenResponse.json());
51
- const expiresAt = Date.now() + tokenData.expires_in * 1000 - 5 * 60 * 1000;
41
+ const completion = (async () => {
42
+ const authCode = await codePromise;
43
+ const splits = authCode.split("#");
44
+ const code = splits[0];
45
+ const state = splits[1];
46
+ const tokenResponse = await fetch(TOKEN_URL, {
47
+ method: "POST",
48
+ headers: { "Content-Type": "application/json" },
49
+ body: JSON.stringify({
50
+ grant_type: "authorization_code",
51
+ client_id: CLIENT_ID,
52
+ code,
53
+ state,
54
+ redirect_uri: REDIRECT_URI,
55
+ code_verifier: verifier,
56
+ }),
57
+ });
58
+ if (!tokenResponse.ok) {
59
+ const errText = await tokenResponse.text();
60
+ throw new Error(`Token exchange failed: ${errText}`);
61
+ }
62
+ const tokenData = (await tokenResponse.json());
63
+ const expiresAt = Date.now() + tokenData.expires_in * 1000 - 5 * 60 * 1000;
64
+ return {
65
+ refresh: tokenData.refresh_token,
66
+ access: tokenData.access_token,
67
+ expires: expiresAt,
68
+ };
69
+ })();
52
70
  return {
53
- refresh: tokenData.refresh_token,
54
- access: tokenData.access_token,
55
- expires: expiresAt,
71
+ authUrl,
72
+ submitCode: (code) => resolveCode?.(code),
73
+ completion,
74
+ cancel: (reason = "Cancelled") => rejectCode?.(new Error(reason)),
56
75
  };
57
76
  }
77
+ /**
78
+ * @param onAuthUrl - Receives the browser authorization URL
79
+ * @param onPromptCode - Resolves with pasted code (format: code#state)
80
+ *
81
+ * Thin compatibility wrapper around `startAnthropicOAuthFlowRaw` for
82
+ * the CLI entrypoint and any older callers. New code should use
83
+ * `startAnthropicOAuthFlowRaw` (or the higher-level
84
+ * `startAnthropicOAuthFlow` in `auth/oauth-flow.ts`) directly.
85
+ */
86
+ export async function loginAnthropic(onAuthUrl, onPromptCode) {
87
+ const handle = await startAnthropicOAuthFlowRaw();
88
+ onAuthUrl(handle.authUrl);
89
+ const code = await onPromptCode();
90
+ handle.submitCode(code);
91
+ return handle.completion;
92
+ }
58
93
  export async function refreshAnthropicToken(refreshToken) {
59
94
  const response = await fetch(TOKEN_URL, {
60
95
  method: "POST",
@@ -413,7 +413,7 @@ const FIELD_HELP = {
413
413
  "diagnostics.cacheTrace.includePrompt": "Include prompt text in trace output (default: true).",
414
414
  "diagnostics.cacheTrace.includeSystem": "Include system prompt in trace output (default: true).",
415
415
  "tools.exec.applyPatch.enabled": "Experimental. Enables apply_patch for OpenAI models when allowed by tool policy.",
416
- "tools.exec.applyPatch.allowModels": 'Optional allowlist of model ids (e.g. "gpt-5.4" or "openai/gpt-5.4").',
416
+ "tools.exec.applyPatch.allowModels": 'Optional allowlist of model ids (e.g. "gpt-5.5" or "openai/gpt-5.5").',
417
417
  "tools.exec.notifyOnExit": "When true (default), backgrounded exec sessions enqueue a system event and request a heartbeat on exit.",
418
418
  "tools.exec.pathPrepend": "Directories to prepend to PATH for exec runs (gateway/sandbox).",
419
419
  "tools.exec.safeBins": "Allow stdin-only safe binaries to run without explicit allowlist entries.",
@@ -1,6 +1,6 @@
1
1
  import type { RolesConfig, SessionConfig, SessionSendPolicyConfig } from "@elizaos/core";
2
2
  import type { CustomActionDef, DatabaseProviderType, MediaConfig, ReleaseChannel } from "../contracts/config.js";
3
- import type { DeploymentTargetConfig, LinkedAccountsConfig, ServiceRoutingConfig } from "../contracts/service-routing.js";
3
+ import type { DeploymentTargetConfig, LinkedAccountFlagsConfig, ServiceRoutingConfig } from "../contracts/service-routing.js";
4
4
  import type { AgentBinding, AgentsConfig } from "./types.agents.js";
5
5
  import type { DiscoveryConfig, GatewayConfig, TalkConfig } from "./types.gateway.js";
6
6
  import type { HooksConfig } from "./types.hooks.js";
@@ -649,8 +649,13 @@ export type ElizaConfig = {
649
649
  };
650
650
  /** Deployment target for the current agent runtime. */
651
651
  deploymentTarget?: DeploymentTargetConfig;
652
- /** Linked external accounts that can be used by routing decisions. */
653
- linkedAccounts?: LinkedAccountsConfig;
652
+ /**
653
+ * Legacy linked-account flags persisted in `milady.json` (e.g.
654
+ * `linkedAccounts.elizacloud.status === "linked"`). Per-account
655
+ * credential records live under `~/.eliza/auth/{providerId}/...`
656
+ * and are surfaced via the WS3 accounts API, not this config.
657
+ */
658
+ linkedAccounts?: LinkedAccountFlagsConfig;
654
659
  /** Canonical per-capability routing for AI and cloud-backed services. */
655
660
  serviceRouting?: ServiceRoutingConfig;
656
661
  /** CUA (Computer Use Agent) cloud sandbox configuration. */