@eminent337/aery 0.67.68 → 0.74.1

package/dist/core/auth-storage.d.ts

@@ -0,0 +1,142 @@
+/**
+ * Credential storage for API keys and OAuth tokens.
+ * Handles loading, saving, and refreshing credentials from auth.json.
+ *
+ * Uses file locking to prevent race conditions when multiple pi instances
+ * try to refresh tokens simultaneously.
+ */
+import { type OAuthCredentials, type OAuthLoginCallbacks, type OAuthProviderId } from "@eminent337/aery-ai";
+export type ApiKeyCredential = {
+    type: "api_key";
+    key: string;
+    accountId?: string;
+};
+export type OAuthCredential = {
+    type: "oauth";
+} & OAuthCredentials;
+export type AuthCredential = ApiKeyCredential | OAuthCredential;
+export type AuthStorageData = Record<string, AuthCredential>;
+export type AuthStatus = {
+    configured: boolean;
+    source?: "stored" | "runtime" | "environment" | "fallback" | "models_json_key" | "models_json_command";
+    label?: string;
+};
+type LockResult<T> = {
+    result: T;
+    next?: string;
+};
+export interface AuthStorageBackend {
+    withLock<T>(fn: (current: string | undefined) => LockResult<T>): T;
+    withLockAsync<T>(fn: (current: string | undefined) => Promise<LockResult<T>>): Promise<T>;
+}
+export declare class FileAuthStorageBackend implements AuthStorageBackend {
+    private authPath;
+    constructor(authPath?: string);
+    private ensureParentDir;
+    private ensureFileExists;
+    private acquireLockSyncWithRetry;
+    withLock<T>(fn: (current: string | undefined) => LockResult<T>): T;
+    withLockAsync<T>(fn: (current: string | undefined) => Promise<LockResult<T>>): Promise<T>;
+}
+export declare class InMemoryAuthStorageBackend implements AuthStorageBackend {
+    private value;
+    withLock<T>(fn: (current: string | undefined) => LockResult<T>): T;
+    withLockAsync<T>(fn: (current: string | undefined) => Promise<LockResult<T>>): Promise<T>;
+}
+/**
+ * Credential storage backed by a JSON file.
+ */
+export declare class AuthStorage {
+    private storage;
+    private data;
+    private runtimeOverrides;
+    private fallbackResolver?;
+    private loadError;
+    private errors;
+    private constructor();
+    static create(authPath?: string): AuthStorage;
+    static fromStorage(storage: AuthStorageBackend): AuthStorage;
+    static inMemory(data?: AuthStorageData): AuthStorage;
+    /**
+     * Set a runtime API key override (not persisted to disk).
+     * Used for CLI --api-key flag.
+     */
+    setRuntimeApiKey(provider: string, apiKey: string): void;
+    /**
+     * Remove a runtime API key override.
+     */
+    removeRuntimeApiKey(provider: string): void;
+    /**
+     * Set a fallback resolver for API keys not found in auth.json or env vars.
+     * Used for custom provider keys from models.json.
+     */
+    setFallbackResolver(resolver: (provider: string) => string | undefined): void;
+    private recordError;
+    private parseStorageData;
+    /**
+     * Reload credentials from storage.
+     */
+    reload(): void;
+    private persistProviderChange;
+    /**
+     * Get credential for a provider.
+     */
+    get(provider: string): AuthCredential | undefined;
+    /**
+     * Set credential for a provider.
+     */
+    set(provider: string, credential: AuthCredential): void;
+    /**
+     * Remove credential for a provider.
+     */
+    remove(provider: string): void;
+    /**
+     * List all providers with credentials.
+     */
+    list(): string[];
+    /**
+     * Check if credentials exist for a provider in auth.json.
+     */
+    has(provider: string): boolean;
+    /**
+     * Check if any form of auth is configured for a provider.
+     * Unlike getApiKey(), this doesn't refresh OAuth tokens.
+     */
+    hasAuth(provider: string): boolean;
+    /**
+     * Return auth status without exposing credential values or refreshing tokens.
+     */
+    getAuthStatus(provider: string): AuthStatus;
+    /**
+     * Get all credentials (for passing to getOAuthApiKey).
+     */
+    getAll(): AuthStorageData;
+    drainErrors(): Error[];
+    /**
+     * Login to an OAuth provider.
+     */
+    login(providerId: OAuthProviderId, callbacks: OAuthLoginCallbacks): Promise<void>;
+    /**
+     * Logout from a provider.
+     */
+    logout(provider: string): void;
+    private refreshOAuthTokenWithLock;
+    /**
+     * Get API key for a provider.
+     * Priority:
+     * 1. Runtime override (CLI --api-key)
+     * 2. API key from auth.json
+     * 3. OAuth token from auth.json (auto-refreshed with locking)
+     * 4. Environment variable
+     * 5. Fallback resolver (models.json custom providers)
+     */
+    getApiKey(providerId: string, options?: {
+        includeFallback?: boolean;
+    }): Promise<string | undefined>;
+    /**
+     * Get all registered OAuth providers
+     */
+    getOAuthProviders(): import("@eminent337/aery-ai").OAuthProviderInterface[];
+}
+export {};
+//# sourceMappingURL=auth-storage.d.ts.map

package/dist/core/auth-storage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-storage.d.ts","sourceRoot":"","sources":["../../src/core/auth-storage.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAGN,KAAK,gBAAgB,EACrB,KAAK,mBAAmB,EACxB,KAAK,eAAe,EACpB,MAAM,qBAAqB,CAAC;AAQ7B,MAAM,MAAM,gBAAgB,GAAG;IAC9B,IAAI,EAAE,SAAS,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,eAAe,GAAG;IAC7B,IAAI,EAAE,OAAO,CAAC;CACd,GAAG,gBAAgB,CAAC;AAErB,MAAM,MAAM,cAAc,GAAG,gBAAgB,GAAG,eAAe,CAAC;AAEhE,MAAM,MAAM,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;AAE7D,MAAM,MAAM,UAAU,GAAG;IACxB,UAAU,EAAE,OAAO,CAAC;IACpB,MAAM,CAAC,EAAE,QAAQ,GAAG,SAAS,GAAG,aAAa,GAAG,UAAU,GAAG,iBAAiB,GAAG,qBAAqB,CAAC;IACvG,KAAK,CAAC,EAAE,MAAM,CAAC;CACf,CAAC;AAEF,KAAK,UAAU,CAAC,CAAC,IAAI;IACpB,MAAM,EAAE,CAAC,CAAC;IACV,IAAI,CAAC,EAAE,MAAM,CAAC;CACd,CAAC;AAEF,MAAM,WAAW,kBAAkB;IAClC,QAAQ,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,KAAK,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACnE,aAAa,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,KAAK,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;CAC1F;AAED,qBAAa,sBAAuB,YAAW,kBAAkB;IACpD,OAAO,CAAC,QAAQ;IAA5B,YAAoB,QAAQ,GAAE,MAAyC,EAAI;IAE3E,OAAO,CAAC,eAAe;IAOvB,OAAO,CAAC,gBAAgB;IAOxB,OAAO,CAAC,wBAAwB;IA2BhC,QAAQ,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,KAAK,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAmBjE;IAEK,aAAa,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,KAAK,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAgD9F;CACD;AAED,qBAAa,0BAA2B,YAAW,kBAAkB;IACpE,OAAO,CAAC,KAAK,CAAqB;IAElC,QAAQ,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,KAAK,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAMjE;IAEK,aAAa,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,KAAK,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAM9F;CACD;AAED;;GAEG;AACH,qBAAa,WAAW;IAOH,OAAO,CAAC,OAAO;IANnC,OAAO,CAAC,IAAI,CAAuB;IACnC,OAAO,CAAC,gBAAgB,CAAkC;IAC1D,OAAO,CAAC,gBAAgB,CAAC,CAA2C;IACpE,OAAO,CAAC,SAAS,CAAsB;IACvC,OAAO,CAAC,MAAM,CAAe;IAE7B,OAAO,eAEN;IAED,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,WAAW,CAE5C;IAED,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,kBAAkB,GAAG,WAAW,CAE3D;IAED,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAE,eAAoB,GAAG,WAAW,CAIvD;IAED;;;OAGG;IACH,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAEvD;IAED;;OAEG;IACH,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAE1C;IAED;;;OAGG;IACH,mBAAmB,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,GAAG,IAAI,CAE5E;IAED,OAAO,CAAC,WAAW;IAKnB,OAAO,CAAC,gBAAgB;IAOxB;;OAEG;IACH,MAAM,IAAI,IAAI,CAab;IAED,OAAO,CAAC,qBAAqB;IAqB7B;;OAEG;IACH,GAAG,CAAC,QAAQ,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS,CAEhD;IAED;;OAEG;IACH,GAAG,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,cAAc,GAAG,IAAI,CAGtD;IAED;;OAEG;IACH,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAG7B;IAED;;OAEG;IACH,IAAI,IAAI,MAAM,EAAE,CAEf;IAED;;OAEG;IACH,GAAG,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAE7B;IAED;;;OAGG;IACH,OAAO,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAMjC;IAED;;OAEG;IACH,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,UAAU,CAmB1C;IAED;;OAEG;IACH,MAAM,IAAI,eAAe,CAExB;IAED,WAAW,IAAI,KAAK,EAAE,CAIrB;IAED;;OAEG;IACG,KAAK,CAAC,UAAU,EAAE,eAAe,EAAE,SAAS,EAAE,mBAAmB,GAAG,OAAO,CAAC,IAAI,CAAC,CAQtF;IAED;;OAEG;IACH,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAE7B;YAMa,yBAAyB;IA8CvC;;;;;;;;OAQG;IACG,SAAS,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;QAAE,eAAe,CAAC,EAAE,OAAO,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CA6DxG;IAED;;OAEG;IACH,iBAAiB,2DAEhB;CACD","sourcesContent":["/**\n * Credential storage for API keys and OAuth tokens.\n * Handles loading, saving, and refreshing credentials from auth.json.\n *\n * Uses file locking to prevent race conditions when multiple pi instances\n * try to refresh tokens simultaneously.\n */\n\nimport {\n\tfindEnvKeys,\n\tgetEnvApiKey,\n\ttype OAuthCredentials,\n\ttype OAuthLoginCallbacks,\n\ttype OAuthProviderId,\n} from \"@eminent337/aery-ai\";\nimport { getOAuthApiKey, getOAuthProvider, getOAuthProviders } from \"@eminent337/aery-ai/oauth\";\nimport { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from \"fs\";\nimport { dirname, join } from \"path\";\nimport lockfile from \"proper-lockfile\";\nimport { getAgentDir } from \"../config.js\";\nimport { resolveConfigValue } from \"./resolve-config-value.js\";\n\nexport type ApiKeyCredential = {\n\ttype: \"api_key\";\n\tkey: string;\n\taccountId?: string;\n};\n\nexport type OAuthCredential = {\n\ttype: \"oauth\";\n} & OAuthCredentials;\n\nexport type AuthCredential = ApiKeyCredential | OAuthCredential;\n\nexport type AuthStorageData = Record<string, AuthCredential>;\n\nexport type AuthStatus = {\n\tconfigured: boolean;\n\tsource?: \"stored\" | \"runtime\" | \"environment\" | \"fallback\" | \"models_json_key\" | \"models_json_command\";\n\tlabel?: string;\n};\n\ntype LockResult<T> = {\n\tresult: T;\n\tnext?: string;\n};\n\nexport interface AuthStorageBackend {\n\twithLock<T>(fn: (current: string | undefined) => LockResult<T>): T;\n\twithLockAsync<T>(fn: (current: string | undefined) => Promise<LockResult<T>>): Promise<T>;\n}\n\nexport class FileAuthStorageBackend implements AuthStorageBackend {\n\tconstructor(private authPath: string = join(getAgentDir(), \"auth.json\")) {}\n\n\tprivate ensureParentDir(): void {\n\t\tconst dir = dirname(this.authPath);\n\t\tif (!existsSync(dir)) {\n\t\t\tmkdirSync(dir, { recursive: true, mode: 0o700 });\n\t\t}\n\t}\n\n\tprivate ensureFileExists(): void {\n\t\tif (!existsSync(this.authPath)) {\n\t\t\twriteFileSync(this.authPath, \"{}\", \"utf-8\");\n\t\t\tchmodSync(this.authPath, 0o600);\n\t\t}\n\t}\n\n\tprivate acquireLockSyncWithRetry(path: string): () => void {\n\t\tconst maxAttempts = 10;\n\t\tconst delayMs = 20;\n\t\tlet lastError: unknown;\n\n\t\tfor (let attempt = 1; attempt <= maxAttempts; attempt++) {\n\t\t\ttry {\n\t\t\t\treturn lockfile.lockSync(path, { realpath: false });\n\t\t\t} catch (error) {\n\t\t\t\tconst code =\n\t\t\t\t\ttypeof error === \"object\" && error !== null && \"code\" in error\n\t\t\t\t\t\t? String((error as { code?: unknown }).code)\n\t\t\t\t\t\t: undefined;\n\t\t\t\tif (code !== \"ELOCKED\" || attempt === maxAttempts) {\n\t\t\t\t\tthrow error;\n\t\t\t\t}\n\t\t\t\tlastError = error;\n\t\t\t\tconst start = Date.now();\n\t\t\t\twhile (Date.now() - start < delayMs) {\n\t\t\t\t\t// Sleep synchronously to avoid changing callers to async.\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tthrow (lastError as Error) ?? new Error(\"Failed to acquire auth storage lock\");\n\t}\n\n\twithLock<T>(fn: (current: string | undefined) => LockResult<T>): T {\n\t\tthis.ensureParentDir();\n\t\tthis.ensureFileExists();\n\n\t\tlet release: (() => void) | undefined;\n\t\ttry {\n\t\t\trelease = this.acquireLockSyncWithRetry(this.authPath);\n\t\t\tconst current = existsSync(this.authPath) ? readFileSync(this.authPath, \"utf-8\") : undefined;\n\t\t\tconst { result, next } = fn(current);\n\t\t\tif (next !== undefined) {\n\t\t\t\twriteFileSync(this.authPath, next, \"utf-8\");\n\t\t\t\tchmodSync(this.authPath, 0o600);\n\t\t\t}\n\t\t\treturn result;\n\t\t} finally {\n\t\t\tif (release) {\n\t\t\t\trelease();\n\t\t\t}\n\t\t}\n\t}\n\n\tasync withLockAsync<T>(fn: (current: string | undefined) => Promise<LockResult<T>>): Promise<T> {\n\t\tthis.ensureParentDir();\n\t\tthis.ensureFileExists();\n\n\t\tlet release: (() => Promise<void>) | undefined;\n\t\tlet lockCompromised = false;\n\t\tlet lockCompromisedError: Error | undefined;\n\t\tconst throwIfCompromised = () => {\n\t\t\tif (lockCompromised) {\n\t\t\t\tthrow lockCompromisedError ?? new Error(\"Auth storage lock was compromised\");\n\t\t\t}\n\t\t};\n\n\t\ttry {\n\t\t\trelease = await lockfile.lock(this.authPath, {\n\t\t\t\tretries: {\n\t\t\t\t\tretries: 10,\n\t\t\t\t\tfactor: 2,\n\t\t\t\t\tminTimeout: 100,\n\t\t\t\t\tmaxTimeout: 10000,\n\t\t\t\t\trandomize: true,\n\t\t\t\t},\n\t\t\t\tstale: 30000,\n\t\t\t\tonCompromised: (err) => {\n\t\t\t\t\tlockCompromised = true;\n\t\t\t\t\tlockCompromisedError = err;\n\t\t\t\t},\n\t\t\t});\n\n\t\t\tthrowIfCompromised();\n\t\t\tconst current = existsSync(this.authPath) ? readFileSync(this.authPath, \"utf-8\") : undefined;\n\t\t\tconst { result, next } = await fn(current);\n\t\t\tthrowIfCompromised();\n\t\t\tif (next !== undefined) {\n\t\t\t\twriteFileSync(this.authPath, next, \"utf-8\");\n\t\t\t\tchmodSync(this.authPath, 0o600);\n\t\t\t}\n\t\t\tthrowIfCompromised();\n\t\t\treturn result;\n\t\t} finally {\n\t\t\tif (release) {\n\t\t\t\ttry {\n\t\t\t\t\tawait release();\n\t\t\t\t} catch {\n\t\t\t\t\t// Ignore unlock errors when lock is compromised.\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n}\n\nexport class InMemoryAuthStorageBackend implements AuthStorageBackend {\n\tprivate value: string | undefined;\n\n\twithLock<T>(fn: (current: string | undefined) => LockResult<T>): T {\n\t\tconst { result, next } = fn(this.value);\n\t\tif (next !== undefined) {\n\t\t\tthis.value = next;\n\t\t}\n\t\treturn result;\n\t}\n\n\tasync withLockAsync<T>(fn: (current: string | undefined) => Promise<LockResult<T>>): Promise<T> {\n\t\tconst { result, next } = await fn(this.value);\n\t\tif (next !== undefined) {\n\t\t\tthis.value = next;\n\t\t}\n\t\treturn result;\n\t}\n}\n\n/**\n * Credential storage backed by a JSON file.\n */\nexport class AuthStorage {\n\tprivate data: AuthStorageData = {};\n\tprivate runtimeOverrides: Map<string, string> = new Map();\n\tprivate fallbackResolver?: (provider: string) => string | undefined;\n\tprivate loadError: Error | null = null;\n\tprivate errors: Error[] = [];\n\n\tprivate constructor(private storage: AuthStorageBackend) {\n\t\tthis.reload();\n\t}\n\n\tstatic create(authPath?: string): AuthStorage {\n\t\treturn new AuthStorage(new FileAuthStorageBackend(authPath ?? join(getAgentDir(), \"auth.json\")));\n\t}\n\n\tstatic fromStorage(storage: AuthStorageBackend): AuthStorage {\n\t\treturn new AuthStorage(storage);\n\t}\n\n\tstatic inMemory(data: AuthStorageData = {}): AuthStorage {\n\t\tconst storage = new InMemoryAuthStorageBackend();\n\t\tstorage.withLock(() => ({ result: undefined, next: JSON.stringify(data, null, 2) }));\n\t\treturn AuthStorage.fromStorage(storage);\n\t}\n\n\t/**\n\t * Set a runtime API key override (not persisted to disk).\n\t * Used for CLI --api-key flag.\n\t */\n\tsetRuntimeApiKey(provider: string, apiKey: string): void {\n\t\tthis.runtimeOverrides.set(provider, apiKey);\n\t}\n\n\t/**\n\t * Remove a runtime API key override.\n\t */\n\tremoveRuntimeApiKey(provider: string): void {\n\t\tthis.runtimeOverrides.delete(provider);\n\t}\n\n\t/**\n\t * Set a fallback resolver for API keys not found in auth.json or env vars.\n\t * Used for custom provider keys from models.json.\n\t */\n\tsetFallbackResolver(resolver: (provider: string) => string | undefined): void {\n\t\tthis.fallbackResolver = resolver;\n\t}\n\n\tprivate recordError(error: unknown): void {\n\t\tconst normalizedError = error instanceof Error ? error : new Error(String(error));\n\t\tthis.errors.push(normalizedError);\n\t}\n\n\tprivate parseStorageData(content: string | undefined): AuthStorageData {\n\t\tif (!content) {\n\t\t\treturn {};\n\t\t}\n\t\treturn JSON.parse(content) as AuthStorageData;\n\t}\n\n\t/**\n\t * Reload credentials from storage.\n\t */\n\treload(): void {\n\t\tlet content: string | undefined;\n\t\ttry {\n\t\t\tthis.storage.withLock((current) => {\n\t\t\t\tcontent = current;\n\t\t\t\treturn { result: undefined };\n\t\t\t});\n\t\t\tthis.data = this.parseStorageData(content);\n\t\t\tthis.loadError = null;\n\t\t} catch (error) {\n\t\t\tthis.loadError = error as Error;\n\t\t\tthis.recordError(error);\n\t\t}\n\t}\n\n\tprivate persistProviderChange(provider: string, credential: AuthCredential | undefined): void {\n\t\tif (this.loadError) {\n\t\t\treturn;\n\t\t}\n\n\t\ttry {\n\t\t\tthis.storage.withLock((current) => {\n\t\t\t\tconst currentData = this.parseStorageData(current);\n\t\t\t\tconst merged: AuthStorageData = { ...currentData };\n\t\t\t\tif (credential) {\n\t\t\t\t\tmerged[provider] = credential;\n\t\t\t\t} else {\n\t\t\t\t\tdelete merged[provider];\n\t\t\t\t}\n\t\t\t\treturn { result: undefined, next: JSON.stringify(merged, null, 2) };\n\t\t\t});\n\t\t} catch (error) {\n\t\t\tthis.recordError(error);\n\t\t}\n\t}\n\n\t/**\n\t * Get credential for a provider.\n\t */\n\tget(provider: string): AuthCredential | undefined {\n\t\treturn this.data[provider] ?? undefined;\n\t}\n\n\t/**\n\t * Set credential for a provider.\n\t */\n\tset(provider: string, credential: AuthCredential): void {\n\t\tthis.data[provider] = credential;\n\t\tthis.persistProviderChange(provider, credential);\n\t}\n\n\t/**\n\t * Remove credential for a provider.\n\t */\n\tremove(provider: string): void {\n\t\tdelete this.data[provider];\n\t\tthis.persistProviderChange(provider, undefined);\n\t}\n\n\t/**\n\t * List all providers with credentials.\n\t */\n\tlist(): string[] {\n\t\treturn Object.keys(this.data);\n\t}\n\n\t/**\n\t * Check if credentials exist for a provider in auth.json.\n\t */\n\thas(provider: string): boolean {\n\t\treturn provider in this.data;\n\t}\n\n\t/**\n\t * Check if any form of auth is configured for a provider.\n\t * Unlike getApiKey(), this doesn't refresh OAuth tokens.\n\t */\n\thasAuth(provider: string): boolean {\n\t\tif (this.runtimeOverrides.has(provider)) return true;\n\t\tif (this.data[provider]) return true;\n\t\tif (getEnvApiKey(provider)) return true;\n\t\tif (this.fallbackResolver?.(provider)) return true;\n\t\treturn false;\n\t}\n\n\t/**\n\t * Return auth status without exposing credential values or refreshing tokens.\n\t */\n\tgetAuthStatus(provider: string): AuthStatus {\n\t\tif (this.data[provider]) {\n\t\t\treturn { configured: true, source: \"stored\" };\n\t\t}\n\n\t\tif (this.runtimeOverrides.has(provider)) {\n\t\t\treturn { configured: false, source: \"runtime\", label: \"--api-key\" };\n\t\t}\n\n\t\tconst envKeys = findEnvKeys(provider);\n\t\tif (envKeys?.[0]) {\n\t\t\treturn { configured: false, source: \"environment\", label: envKeys[0] };\n\t\t}\n\n\t\tif (this.fallbackResolver?.(provider)) {\n\t\t\treturn { configured: false, source: \"fallback\", label: \"custom provider config\" };\n\t\t}\n\n\t\treturn { configured: false };\n\t}\n\n\t/**\n\t * Get all credentials (for passing to getOAuthApiKey).\n\t */\n\tgetAll(): AuthStorageData {\n\t\treturn { ...this.data };\n\t}\n\n\tdrainErrors(): Error[] {\n\t\tconst drained = [...this.errors];\n\t\tthis.errors = [];\n\t\treturn drained;\n\t}\n\n\t/**\n\t * Login to an OAuth provider.\n\t */\n\tasync login(providerId: OAuthProviderId, callbacks: OAuthLoginCallbacks): Promise<void> {\n\t\tconst provider = getOAuthProvider(providerId);\n\t\tif (!provider) {\n\t\t\tthrow new Error(`Unknown OAuth provider: ${providerId}`);\n\t\t}\n\n\t\tconst credentials = await provider.login(callbacks);\n\t\tthis.set(providerId, { type: \"oauth\", ...credentials });\n\t}\n\n\t/**\n\t * Logout from a provider.\n\t */\n\tlogout(provider: string): void {\n\t\tthis.remove(provider);\n\t}\n\n\t/**\n\t * Refresh OAuth token with backend locking to prevent race conditions.\n\t * Multiple pi instances may try to refresh simultaneously when tokens expire.\n\t */\n\tprivate async refreshOAuthTokenWithLock(\n\t\tproviderId: OAuthProviderId,\n\t): Promise<{ apiKey: string; newCredentials: OAuthCredentials } | null> {\n\t\tconst provider = getOAuthProvider(providerId);\n\t\tif (!provider) {\n\t\t\treturn null;\n\t\t}\n\n\t\tconst result = await this.storage.withLockAsync(async (current) => {\n\t\t\tconst currentData = this.parseStorageData(current);\n\t\t\tthis.data = currentData;\n\t\t\tthis.loadError = null;\n\n\t\t\tconst cred = currentData[providerId];\n\t\t\tif (cred?.type !== \"oauth\") {\n\t\t\t\treturn { result: null };\n\t\t\t}\n\n\t\t\tif (Date.now() < cred.expires) {\n\t\t\t\treturn { result: { apiKey: provider.getApiKey(cred), newCredentials: cred } };\n\t\t\t}\n\n\t\t\tconst oauthCreds: Record<string, OAuthCredentials> = {};\n\t\t\tfor (const [key, value] of Object.entries(currentData)) {\n\t\t\t\tif (value.type === \"oauth\") {\n\t\t\t\t\toauthCreds[key] = value;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tconst refreshed = await getOAuthApiKey(providerId, oauthCreds);\n\t\t\tif (!refreshed) {\n\t\t\t\treturn { result: null };\n\t\t\t}\n\n\t\t\tconst merged: AuthStorageData = {\n\t\t\t\t...currentData,\n\t\t\t\t[providerId]: { type: \"oauth\", ...refreshed.newCredentials },\n\t\t\t};\n\t\t\tthis.data = merged;\n\t\t\tthis.loadError = null;\n\t\t\treturn { result: refreshed, next: JSON.stringify(merged, null, 2) };\n\t\t});\n\n\t\treturn result;\n\t}\n\n\t/**\n\t * Get API key for a provider.\n\t * Priority:\n\t * 1. Runtime override (CLI --api-key)\n\t * 2. API key from auth.json\n\t * 3. OAuth token from auth.json (auto-refreshed with locking)\n\t * 4. Environment variable\n\t * 5. Fallback resolver (models.json custom providers)\n\t */\n\tasync getApiKey(providerId: string, options?: { includeFallback?: boolean }): Promise<string | undefined> {\n\t\t// Runtime override takes highest priority\n\t\tconst runtimeKey = this.runtimeOverrides.get(providerId);\n\t\tif (runtimeKey) {\n\t\t\treturn runtimeKey;\n\t\t}\n\n\t\tconst cred = this.data[providerId];\n\n\t\tif (cred?.type === \"api_key\") {\n\t\t\treturn resolveConfigValue(cred.key);\n\t\t}\n\n\t\tif (cred?.type === \"oauth\") {\n\t\t\tconst provider = getOAuthProvider(providerId);\n\t\t\tif (!provider) {\n\t\t\t\t// Unknown OAuth provider, can't get API key\n\t\t\t\treturn undefined;\n\t\t\t}\n\n\t\t\t// Check if token needs refresh\n\t\t\tconst needsRefresh = Date.now() >= cred.expires;\n\n\t\t\tif (needsRefresh) {\n\t\t\t\t// Use locked refresh to prevent race conditions\n\t\t\t\ttry {\n\t\t\t\t\tconst result = await this.refreshOAuthTokenWithLock(providerId);\n\t\t\t\t\tif (result) {\n\t\t\t\t\t\treturn result.apiKey;\n\t\t\t\t\t}\n\t\t\t\t} catch (error) {\n\t\t\t\t\tthis.recordError(error);\n\t\t\t\t\t// Refresh failed - re-read file to check if another instance succeeded\n\t\t\t\t\tthis.reload();\n\t\t\t\t\tconst updatedCred = this.data[providerId];\n\n\t\t\t\t\tif (updatedCred?.type === \"oauth\" && Date.now() < updatedCred.expires) {\n\t\t\t\t\t\t// Another instance refreshed successfully, use those credentials\n\t\t\t\t\t\treturn provider.getApiKey(updatedCred);\n\t\t\t\t\t}\n\n\t\t\t\t\t// Refresh truly failed - return undefined so model discovery skips this provider\n\t\t\t\t\t// User can /login to re-authenticate (credentials preserved for retry)\n\t\t\t\t\treturn undefined;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\t// Token not expired, use current access token\n\t\t\t\treturn provider.getApiKey(cred);\n\t\t\t}\n\t\t}\n\n\t\t// Fall back to environment variable\n\t\tconst envKey = getEnvApiKey(providerId);\n\t\tif (envKey) return envKey;\n\n\t\t// Fall back to custom resolver (e.g., models.json custom providers)\n\t\tif (options?.includeFallback !== false) {\n\t\t\treturn this.fallbackResolver?.(providerId) ?? undefined;\n\t\t}\n\n\t\treturn undefined;\n\t}\n\n\t/**\n\t * Get all registered OAuth providers\n\t */\n\tgetOAuthProviders() {\n\t\treturn getOAuthProviders();\n\t}\n}\n"]}

package/dist/core/auth-storage.js

@@ -0,0 +1,441 @@
+/**
+ * Credential storage for API keys and OAuth tokens.
+ * Handles loading, saving, and refreshing credentials from auth.json.
+ *
+ * Uses file locking to prevent race conditions when multiple pi instances
+ * try to refresh tokens simultaneously.
+ */
+import { findEnvKeys, getEnvApiKey, } from "@eminent337/aery-ai";
+import { getOAuthApiKey, getOAuthProvider, getOAuthProviders } from "@eminent337/aery-ai/oauth";
+import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
+import { dirname, join } from "path";
+import lockfile from "proper-lockfile";
+import { getAgentDir } from "../config.js";
+import { resolveConfigValue } from "./resolve-config-value.js";
+export class FileAuthStorageBackend {
+    authPath;
+    constructor(authPath = join(getAgentDir(), "auth.json")) {
+        this.authPath = authPath;
+    }
+    ensureParentDir() {
+        const dir = dirname(this.authPath);
+        if (!existsSync(dir)) {
+            mkdirSync(dir, { recursive: true, mode: 0o700 });
+        }
+    }
+    ensureFileExists() {
+        if (!existsSync(this.authPath)) {
+            writeFileSync(this.authPath, "{}", "utf-8");
+            chmodSync(this.authPath, 0o600);
+        }
+    }
+    acquireLockSyncWithRetry(path) {
+        const maxAttempts = 10;
+        const delayMs = 20;
+        let lastError;
+        for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+            try {
+                return lockfile.lockSync(path, { realpath: false });
+            }
+            catch (error) {
+                const code = typeof error === "object" && error !== null && "code" in error
+                    ? String(error.code)
+                    : undefined;
+                if (code !== "ELOCKED" || attempt === maxAttempts) {
+                    throw error;
+                }
+                lastError = error;
+                const start = Date.now();
+                while (Date.now() - start < delayMs) {
+                    // Sleep synchronously to avoid changing callers to async.
+                }
+            }
+        }
+        throw lastError ?? new Error("Failed to acquire auth storage lock");
+    }
+    withLock(fn) {
+        this.ensureParentDir();
+        this.ensureFileExists();
+        let release;
+        try {
+            release = this.acquireLockSyncWithRetry(this.authPath);
+            const current = existsSync(this.authPath) ? readFileSync(this.authPath, "utf-8") : undefined;
+            const { result, next } = fn(current);
+            if (next !== undefined) {
+                writeFileSync(this.authPath, next, "utf-8");
+                chmodSync(this.authPath, 0o600);
+            }
+            return result;
+        }
+        finally {
+            if (release) {
+                release();
+            }
+        }
+    }
+    async withLockAsync(fn) {
+        this.ensureParentDir();
+        this.ensureFileExists();
+        let release;
+        let lockCompromised = false;
+        let lockCompromisedError;
+        const throwIfCompromised = () => {
+            if (lockCompromised) {
+                throw lockCompromisedError ?? new Error("Auth storage lock was compromised");
+            }
+        };
+        try {
+            release = await lockfile.lock(this.authPath, {
+                retries: {
+                    retries: 10,
+                    factor: 2,
+                    minTimeout: 100,
+                    maxTimeout: 10000,
+                    randomize: true,
+                },
+                stale: 30000,
+                onCompromised: (err) => {
+                    lockCompromised = true;
+                    lockCompromisedError = err;
+                },
+            });
+            throwIfCompromised();
+            const current = existsSync(this.authPath) ? readFileSync(this.authPath, "utf-8") : undefined;
+            const { result, next } = await fn(current);
+            throwIfCompromised();
+            if (next !== undefined) {
+                writeFileSync(this.authPath, next, "utf-8");
+                chmodSync(this.authPath, 0o600);
+            }
+            throwIfCompromised();
+            return result;
+        }
+        finally {
+            if (release) {
+                try {
+                    await release();
+                }
+                catch {
+                    // Ignore unlock errors when lock is compromised.
+                }
+            }
+        }
+    }
+}
+export class InMemoryAuthStorageBackend {
+    value;
+    withLock(fn) {
+        const { result, next } = fn(this.value);
+        if (next !== undefined) {
+            this.value = next;
+        }
+        return result;
+    }
+    async withLockAsync(fn) {
+        const { result, next } = await fn(this.value);
+        if (next !== undefined) {
+            this.value = next;
+        }
+        return result;
+    }
+}
+/**
+ * Credential storage backed by a JSON file.
+ */
+export class AuthStorage {
+    storage;
+    data = {};
+    runtimeOverrides = new Map();
+    fallbackResolver;
+    loadError = null;
+    errors = [];
+    constructor(storage) {
+        this.storage = storage;
+        this.reload();
+    }
+    static create(authPath) {
+        return new AuthStorage(new FileAuthStorageBackend(authPath ?? join(getAgentDir(), "auth.json")));
+    }
+    static fromStorage(storage) {
+        return new AuthStorage(storage);
+    }
+    static inMemory(data = {}) {
+        const storage = new InMemoryAuthStorageBackend();
+        storage.withLock(() => ({ result: undefined, next: JSON.stringify(data, null, 2) }));
+        return AuthStorage.fromStorage(storage);
+    }
+    /**
+     * Set a runtime API key override (not persisted to disk).
+     * Used for CLI --api-key flag.
+     */
+    setRuntimeApiKey(provider, apiKey) {
+        this.runtimeOverrides.set(provider, apiKey);
+    }
+    /**
+     * Remove a runtime API key override.
+     */
+    removeRuntimeApiKey(provider) {
+        this.runtimeOverrides.delete(provider);
+    }
+    /**
+     * Set a fallback resolver for API keys not found in auth.json or env vars.
+     * Used for custom provider keys from models.json.
+     */
+    setFallbackResolver(resolver) {
+        this.fallbackResolver = resolver;
+    }
+    recordError(error) {
+        const normalizedError = error instanceof Error ? error : new Error(String(error));
+        this.errors.push(normalizedError);
+    }
+    parseStorageData(content) {
+        if (!content) {
+            return {};
+        }
+        return JSON.parse(content);
+    }
+    /**
+     * Reload credentials from storage.
+     */
+    reload() {
+        let content;
+        try {
+            this.storage.withLock((current) => {
+                content = current;
+                return { result: undefined };
+            });
+            this.data = this.parseStorageData(content);
+            this.loadError = null;
+        }
+        catch (error) {
+            this.loadError = error;
+            this.recordError(error);
+        }
+    }
+    persistProviderChange(provider, credential) {
+        if (this.loadError) {
+            return;
+        }
+        try {
+            this.storage.withLock((current) => {
+                const currentData = this.parseStorageData(current);
+                const merged = { ...currentData };
+                if (credential) {
+                    merged[provider] = credential;
+                }
+                else {
+                    delete merged[provider];
+                }
+                return { result: undefined, next: JSON.stringify(merged, null, 2) };
+            });
+        }
+        catch (error) {
+            this.recordError(error);
+        }
+    }
+    /**
+     * Get credential for a provider.
+     */
+    get(provider) {
+        return this.data[provider] ?? undefined;
+    }
+    /**
+     * Set credential for a provider.
+     */
+    set(provider, credential) {
+        this.data[provider] = credential;
+        this.persistProviderChange(provider, credential);
+    }
+    /**
+     * Remove credential for a provider.
+     */
+    remove(provider) {
+        delete this.data[provider];
+        this.persistProviderChange(provider, undefined);
+    }
+    /**
+     * List all providers with credentials.
+     */
+    list() {
+        return Object.keys(this.data);
+    }
+    /**
+     * Check if credentials exist for a provider in auth.json.
+     */
+    has(provider) {
+        return provider in this.data;
+    }
+    /**
+     * Check if any form of auth is configured for a provider.
+     * Unlike getApiKey(), this doesn't refresh OAuth tokens.
+     */
+    hasAuth(provider) {
+        if (this.runtimeOverrides.has(provider))
+            return true;
+        if (this.data[provider])
+            return true;
+        if (getEnvApiKey(provider))
+            return true;
+        if (this.fallbackResolver?.(provider))
+            return true;
+        return false;
+    }
+    /**
+     * Return auth status without exposing credential values or refreshing tokens.
+     */
+    getAuthStatus(provider) {
+        if (this.data[provider]) {
+            return { configured: true, source: "stored" };
+        }
+        if (this.runtimeOverrides.has(provider)) {
+            return { configured: false, source: "runtime", label: "--api-key" };
+        }
+        const envKeys = findEnvKeys(provider);
+        if (envKeys?.[0]) {
+            return { configured: false, source: "environment", label: envKeys[0] };
+        }
+        if (this.fallbackResolver?.(provider)) {
+            return { configured: false, source: "fallback", label: "custom provider config" };
+        }
+        return { configured: false };
+    }
+    /**
+     * Get all credentials (for passing to getOAuthApiKey).
+     */
+    getAll() {
+        return { ...this.data };
+    }
+    drainErrors() {
+        const drained = [...this.errors];
+        this.errors = [];
+        return drained;
+    }
+    /**
+     * Login to an OAuth provider.
+     */
+    async login(providerId, callbacks) {
+        const provider = getOAuthProvider(providerId);
+        if (!provider) {
+            throw new Error(`Unknown OAuth provider: ${providerId}`);
+        }
+        const credentials = await provider.login(callbacks);
+        this.set(providerId, { type: "oauth", ...credentials });
+    }
+    /**
+     * Logout from a provider.
+     */
+    logout(provider) {
+        this.remove(provider);
+    }
+    /**
+     * Refresh OAuth token with backend locking to prevent race conditions.
+     * Multiple pi instances may try to refresh simultaneously when tokens expire.
+     */
+    async refreshOAuthTokenWithLock(providerId) {
+        const provider = getOAuthProvider(providerId);
+        if (!provider) {
+            return null;
+        }
+        const result = await this.storage.withLockAsync(async (current) => {
+            const currentData = this.parseStorageData(current);
+            this.data = currentData;
+            this.loadError = null;
+            const cred = currentData[providerId];
+            if (cred?.type !== "oauth") {
+                return { result: null };
+            }
+            if (Date.now() < cred.expires) {
+                return { result: { apiKey: provider.getApiKey(cred), newCredentials: cred } };
+            }
+            const oauthCreds = {};
+            for (const [key, value] of Object.entries(currentData)) {
+                if (value.type === "oauth") {
+                    oauthCreds[key] = value;
+                }
+            }
+            const refreshed = await getOAuthApiKey(providerId, oauthCreds);
+            if (!refreshed) {
+                return { result: null };
+            }
+            const merged = {
+                ...currentData,
+                [providerId]: { type: "oauth", ...refreshed.newCredentials },
+            };
+            this.data = merged;
+            this.loadError = null;
+            return { result: refreshed, next: JSON.stringify(merged, null, 2) };
+        });
+        return result;
+    }
+    /**
+     * Get API key for a provider.
+     * Priority:
+     * 1. Runtime override (CLI --api-key)
+     * 2. API key from auth.json
+     * 3. OAuth token from auth.json (auto-refreshed with locking)
+     * 4. Environment variable
+     * 5. Fallback resolver (models.json custom providers)
+     */
+    async getApiKey(providerId, options) {
+        // Runtime override takes highest priority
+        const runtimeKey = this.runtimeOverrides.get(providerId);
+        if (runtimeKey) {
+            return runtimeKey;
+        }
+        const cred = this.data[providerId];
+        if (cred?.type === "api_key") {
+            return resolveConfigValue(cred.key);
+        }
+        if (cred?.type === "oauth") {
+            const provider = getOAuthProvider(providerId);
+            if (!provider) {
+                // Unknown OAuth provider, can't get API key
+                return undefined;
+            }
+            // Check if token needs refresh
+            const needsRefresh = Date.now() >= cred.expires;
+            if (needsRefresh) {
+                // Use locked refresh to prevent race conditions
+                try {
+                    const result = await this.refreshOAuthTokenWithLock(providerId);
+                    if (result) {
+                        return result.apiKey;
+                    }
+                }
+                catch (error) {
+                    this.recordError(error);
+                    // Refresh failed - re-read file to check if another instance succeeded
+                    this.reload();
+                    const updatedCred = this.data[providerId];
+                    if (updatedCred?.type === "oauth" && Date.now() < updatedCred.expires) {
+                        // Another instance refreshed successfully, use those credentials
+                        return provider.getApiKey(updatedCred);
+                    }
+                    // Refresh truly failed - return undefined so model discovery skips this provider
+                    // User can /login to re-authenticate (credentials preserved for retry)
+                    return undefined;
+                }
+            }
+            else {
+                // Token not expired, use current access token
+                return provider.getApiKey(cred);
+            }
+        }
+        // Fall back to environment variable
+        const envKey = getEnvApiKey(providerId);
+        if (envKey)
+            return envKey;
+        // Fall back to custom resolver (e.g., models.json custom providers)
+        if (options?.includeFallback !== false) {
+            return this.fallbackResolver?.(providerId) ?? undefined;
+        }
+        return undefined;
+    }
+    /**
+     * Get all registered OAuth providers
+     */
+    getOAuthProviders() {
+        return getOAuthProviders();
+    }
+}
+//# sourceMappingURL=auth-storage.js.map