npm - @gajae-code/ai - Versions diffs - 0.1.1 - Mend

@gajae-code/ai 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (349) hide show

package/CHANGELOG.md +2644 -0
package/README.md +1181 -0
package/dist/types/api-registry.d.ts +30 -0
package/dist/types/auth-broker/client.d.ts +66 -0
package/dist/types/auth-broker/index.d.ts +5 -0
package/dist/types/auth-broker/refresher.d.ts +25 -0
package/dist/types/auth-broker/remote-store.d.ts +96 -0
package/dist/types/auth-broker/server.d.ts +32 -0
package/dist/types/auth-broker/types.d.ts +105 -0
package/dist/types/auth-broker/wire-schemas.d.ts +412 -0
package/dist/types/auth-gateway/http.d.ts +39 -0
package/dist/types/auth-gateway/index.d.ts +3 -0
package/dist/types/auth-gateway/server.d.ts +17 -0
package/dist/types/auth-gateway/types.d.ts +115 -0
package/dist/types/auth-storage.d.ts +641 -0
package/dist/types/cli.d.ts +2 -0
package/dist/types/index.d.ts +49 -0
package/dist/types/model-cache.d.ts +17 -0
package/dist/types/model-manager.d.ts +62 -0
package/dist/types/model-thinking.d.ts +71 -0
package/dist/types/models.d.ts +12 -0
package/dist/types/provider-details.d.ts +24 -0
package/dist/types/provider-models/bundled-references.d.ts +4 -0
package/dist/types/provider-models/descriptors.d.ts +48 -0
package/dist/types/provider-models/google.d.ts +20 -0
package/dist/types/provider-models/index.d.ts +5 -0
package/dist/types/provider-models/ollama.d.ts +7 -0
package/dist/types/provider-models/openai-compat.d.ts +237 -0
package/dist/types/provider-models/special.d.ts +16 -0
package/dist/types/providers/amazon-bedrock.d.ts +36 -0
package/dist/types/providers/anthropic-messages-server-schema.d.ts +450 -0
package/dist/types/providers/anthropic-messages-server.d.ts +17 -0
package/dist/types/providers/anthropic.d.ts +188 -0
package/dist/types/providers/aws-credentials.d.ts +43 -0
package/dist/types/providers/aws-eventstream.d.ts +38 -0
package/dist/types/providers/aws-sigv4.d.ts +55 -0
package/dist/types/providers/azure-openai-responses.d.ts +15 -0
package/dist/types/providers/cursor/gen/agent_pb.d.ts +13022 -0
package/dist/types/providers/cursor.d.ts +42 -0
package/dist/types/providers/error-message.d.ts +27 -0
package/dist/types/providers/github-copilot-headers.d.ts +40 -0
package/dist/types/providers/gitlab-duo.d.ts +27 -0
package/dist/types/providers/google-auth.d.ts +24 -0
package/dist/types/providers/google-gemini-cli.d.ts +72 -0
package/dist/types/providers/google-gemini-headers.d.ts +18 -0
package/dist/types/providers/google-shared.d.ts +163 -0
package/dist/types/providers/google-types.d.ts +138 -0
package/dist/types/providers/google-vertex.d.ts +7 -0
package/dist/types/providers/google.d.ts +4 -0
package/dist/types/providers/grammar.d.ts +1 -0
package/dist/types/providers/kimi.d.ts +27 -0
package/dist/types/providers/mock.d.ts +175 -0
package/dist/types/providers/ollama.d.ts +6 -0
package/dist/types/providers/openai-anthropic-shim.d.ts +31 -0
package/dist/types/providers/openai-chat-server-schema.d.ts +814 -0
package/dist/types/providers/openai-chat-server.d.ts +16 -0
package/dist/types/providers/openai-codex/constants.d.ts +26 -0
package/dist/types/providers/openai-codex/request-transformer.d.ts +49 -0
package/dist/types/providers/openai-codex/response-handler.d.ts +17 -0
package/dist/types/providers/openai-codex-responses.d.ts +67 -0
package/dist/types/providers/openai-completions-compat.d.ts +25 -0
package/dist/types/providers/openai-completions.d.ts +33 -0
package/dist/types/providers/openai-responses-server-schema.d.ts +392 -0
package/dist/types/providers/openai-responses-server.d.ts +17 -0
package/dist/types/providers/openai-responses-shared.d.ts +89 -0
package/dist/types/providers/openai-responses.d.ts +32 -0
package/dist/types/providers/pi-native-client.d.ts +13 -0
package/dist/types/providers/pi-native-server.d.ts +68 -0
package/dist/types/providers/register-builtins.d.ts +31 -0
package/dist/types/providers/synthetic.d.ts +26 -0
package/dist/types/providers/transform-messages.d.ts +12 -0
package/dist/types/providers/vision-guard.d.ts +8 -0
package/dist/types/rate-limit-utils.d.ts +19 -0
package/dist/types/stream.d.ts +24 -0
package/dist/types/types.d.ts +746 -0
package/dist/types/usage/claude.d.ts +3 -0
package/dist/types/usage/gemini.d.ts +2 -0
package/dist/types/usage/github-copilot.d.ts +7 -0
package/dist/types/usage/google-antigravity.d.ts +2 -0
package/dist/types/usage/kimi.d.ts +2 -0
package/dist/types/usage/minimax-code.d.ts +2 -0
package/dist/types/usage/openai-codex.d.ts +3 -0
package/dist/types/usage/shared.d.ts +1 -0
package/dist/types/usage/zai.d.ts +2 -0
package/dist/types/usage.d.ts +258 -0
package/dist/types/utils/abort.d.ts +19 -0
package/dist/types/utils/anthropic-auth.d.ts +31 -0
package/dist/types/utils/discovery/antigravity.d.ts +61 -0
package/dist/types/utils/discovery/codex.d.ts +38 -0
package/dist/types/utils/discovery/cursor.d.ts +23 -0
package/dist/types/utils/discovery/gemini.d.ts +25 -0
package/dist/types/utils/discovery/index.d.ts +4 -0
package/dist/types/utils/discovery/openai-compatible.d.ts +72 -0
package/dist/types/utils/event-stream.d.ts +28 -0
package/dist/types/utils/fireworks-model-id.d.ts +10 -0
package/dist/types/utils/foundry.d.ts +1 -0
package/dist/types/utils/h2-fetch.d.ts +22 -0
package/dist/types/utils/http-inspector.d.ts +31 -0
package/dist/types/utils/idle-iterator.d.ts +67 -0
package/dist/types/utils/json-parse.d.ts +10 -0
package/dist/types/utils/oauth/alibaba-coding-plan.d.ts +18 -0
package/dist/types/utils/oauth/anthropic.d.ts +22 -0
package/dist/types/utils/oauth/api-key-login.d.ts +35 -0
package/dist/types/utils/oauth/api-key-validation.d.ts +27 -0
package/dist/types/utils/oauth/callback-server.d.ts +57 -0
package/dist/types/utils/oauth/cerebras.d.ts +1 -0
package/dist/types/utils/oauth/cloudflare-ai-gateway.d.ts +18 -0
package/dist/types/utils/oauth/cursor.d.ts +15 -0
package/dist/types/utils/oauth/deepseek.d.ts +10 -0
package/dist/types/utils/oauth/firepass.d.ts +1 -0
package/dist/types/utils/oauth/fireworks.d.ts +1 -0
package/dist/types/utils/oauth/github-copilot.d.ts +38 -0
package/dist/types/utils/oauth/gitlab-duo.d.ts +3 -0
package/dist/types/utils/oauth/google-antigravity.d.ts +11 -0
package/dist/types/utils/oauth/google-gemini-cli.d.ts +10 -0
package/dist/types/utils/oauth/google-oauth-shared.d.ts +28 -0
package/dist/types/utils/oauth/huggingface.d.ts +19 -0
package/dist/types/utils/oauth/index.d.ts +38 -0
package/dist/types/utils/oauth/kagi.d.ts +17 -0
package/dist/types/utils/oauth/kilo.d.ts +5 -0
package/dist/types/utils/oauth/kimi.d.ts +21 -0
package/dist/types/utils/oauth/litellm.d.ts +18 -0
package/dist/types/utils/oauth/lm-studio.d.ts +17 -0
package/dist/types/utils/oauth/minimax-code.d.ts +28 -0
package/dist/types/utils/oauth/moonshot.d.ts +1 -0
package/dist/types/utils/oauth/nanogpt.d.ts +1 -0
package/dist/types/utils/oauth/nvidia.d.ts +18 -0
package/dist/types/utils/oauth/ollama-cloud.d.ts +2 -0
package/dist/types/utils/oauth/ollama.d.ts +18 -0
package/dist/types/utils/oauth/openai-codex.d.ts +21 -0
package/dist/types/utils/oauth/opencode.d.ts +18 -0
package/dist/types/utils/oauth/parallel.d.ts +17 -0
package/dist/types/utils/oauth/perplexity.d.ts +9 -0
package/dist/types/utils/oauth/pkce.d.ts +8 -0
package/dist/types/utils/oauth/qianfan.d.ts +17 -0
package/dist/types/utils/oauth/qwen-portal.d.ts +19 -0
package/dist/types/utils/oauth/synthetic.d.ts +1 -0
package/dist/types/utils/oauth/tavily.d.ts +17 -0
package/dist/types/utils/oauth/together.d.ts +1 -0
package/dist/types/utils/oauth/types.d.ts +44 -0
package/dist/types/utils/oauth/venice.d.ts +18 -0
package/dist/types/utils/oauth/vercel-ai-gateway.d.ts +18 -0
package/dist/types/utils/oauth/vllm.d.ts +16 -0
package/dist/types/utils/oauth/xiaomi.d.ts +19 -0
package/dist/types/utils/oauth/zai.d.ts +18 -0
package/dist/types/utils/oauth/zenmux.d.ts +1 -0
package/dist/types/utils/overflow.d.ts +54 -0
package/dist/types/utils/parse-bind.d.ts +23 -0
package/dist/types/utils/provider-response.d.ts +3 -0
package/dist/types/utils/retry-after.d.ts +3 -0
package/dist/types/utils/retry.d.ts +26 -0
package/dist/types/utils/schema/adapt.d.ts +24 -0
package/dist/types/utils/schema/compatibility.d.ts +30 -0
package/dist/types/utils/schema/dereference.d.ts +11 -0
package/dist/types/utils/schema/draft.d.ts +10 -0
package/dist/types/utils/schema/equality.d.ts +4 -0
package/dist/types/utils/schema/fields.d.ts +49 -0
package/dist/types/utils/schema/index.d.ts +13 -0
package/dist/types/utils/schema/json-schema-validator.d.ts +12 -0
package/dist/types/utils/schema/meta-validator.d.ts +2 -0
package/dist/types/utils/schema/normalize.d.ts +93 -0
package/dist/types/utils/schema/spill.d.ts +8 -0
package/dist/types/utils/schema/stamps.d.ts +25 -0
package/dist/types/utils/schema/types.d.ts +4 -0
package/dist/types/utils/schema/wire.d.ts +54 -0
package/dist/types/utils/schema/zod-decontaminate.d.ts +31 -0
package/dist/types/utils/sse-debug.d.ts +10 -0
package/dist/types/utils/tool-call-healing.d.ts +71 -0
package/dist/types/utils/tool-choice.d.ts +50 -0
package/dist/types/utils/validation.d.ts +17 -0
package/dist/types/utils.d.ts +28 -0
package/package.json +146 -0
package/src/api-registry.ts +96 -0
package/src/auth-broker/client.ts +358 -0
package/src/auth-broker/index.ts +5 -0
package/src/auth-broker/refresher.ts +127 -0
package/src/auth-broker/remote-store.ts +623 -0
package/src/auth-broker/server.ts +644 -0
package/src/auth-broker/types.ts +127 -0
package/src/auth-broker/wire-schemas.ts +200 -0
package/src/auth-gateway/http.ts +194 -0
package/src/auth-gateway/index.ts +3 -0
package/src/auth-gateway/server.ts +717 -0
package/src/auth-gateway/types.ts +134 -0
package/src/auth-storage.ts +4104 -0
package/src/cli.ts +262 -0
package/src/index.ts +54 -0
package/src/model-cache.ts +129 -0
package/src/model-manager.ts +450 -0
package/src/model-thinking.ts +691 -0
package/src/models.json +73853 -0
package/src/models.json.d.ts +9 -0
package/src/models.ts +56 -0
package/src/prompts/turn-aborted-guidance.md +4 -0
package/src/provider-details.ts +90 -0
package/src/provider-models/bundled-references.ts +38 -0
package/src/provider-models/descriptors.ts +308 -0
package/src/provider-models/google.ts +91 -0
package/src/provider-models/index.ts +5 -0
package/src/provider-models/ollama.ts +153 -0
package/src/provider-models/openai-compat.ts +2275 -0
package/src/provider-models/special.ts +67 -0
package/src/providers/amazon-bedrock.ts +849 -0
package/src/providers/anthropic-messages-server-schema.ts +229 -0
package/src/providers/anthropic-messages-server.ts +677 -0
package/src/providers/anthropic.ts +2696 -0
package/src/providers/aws-credentials.ts +501 -0
package/src/providers/aws-eventstream.ts +185 -0
package/src/providers/aws-sigv4.ts +218 -0
package/src/providers/azure-openai-responses.ts +337 -0
package/src/providers/cursor/gen/agent_pb.ts +15274 -0
package/src/providers/cursor/proto/agent.proto +3526 -0
package/src/providers/cursor/proto/buf.gen.yaml +6 -0
package/src/providers/cursor/proto/buf.yaml +17 -0
package/src/providers/cursor.ts +2561 -0
package/src/providers/error-message.ts +21 -0
package/src/providers/github-copilot-headers.ts +140 -0
package/src/providers/gitlab-duo.ts +372 -0
package/src/providers/google-auth.ts +252 -0
package/src/providers/google-gemini-cli.ts +795 -0
package/src/providers/google-gemini-headers.ts +41 -0
package/src/providers/google-shared.ts +902 -0
package/src/providers/google-types.ts +167 -0
package/src/providers/google-vertex.ts +88 -0
package/src/providers/google.ts +41 -0
package/src/providers/grammar.ts +70 -0
package/src/providers/kimi.ts +52 -0
package/src/providers/mock.ts +500 -0
package/src/providers/ollama.ts +544 -0
package/src/providers/openai-anthropic-shim.ts +138 -0
package/src/providers/openai-chat-server-schema.ts +243 -0
package/src/providers/openai-chat-server.ts +628 -0
package/src/providers/openai-codex/constants.ts +43 -0
package/src/providers/openai-codex/request-transformer.ts +161 -0
package/src/providers/openai-codex/response-handler.ts +81 -0
package/src/providers/openai-codex-responses.ts +2598 -0
package/src/providers/openai-completions-compat.ts +279 -0
package/src/providers/openai-completions.ts +1853 -0
package/src/providers/openai-responses-server-schema.ts +290 -0
package/src/providers/openai-responses-server.ts +1183 -0
package/src/providers/openai-responses-shared.ts +800 -0
package/src/providers/openai-responses.ts +621 -0
package/src/providers/pi-native-client.ts +228 -0
package/src/providers/pi-native-server.ts +210 -0
package/src/providers/register-builtins.ts +412 -0
package/src/providers/synthetic.ts +50 -0
package/src/providers/transform-messages.ts +309 -0
package/src/providers/vision-guard.ts +31 -0
package/src/rate-limit-utils.ts +84 -0
package/src/stream.ts +895 -0
package/src/types.ts +884 -0
package/src/usage/claude.ts +431 -0
package/src/usage/gemini.ts +250 -0
package/src/usage/github-copilot.ts +421 -0
package/src/usage/google-antigravity.ts +201 -0
package/src/usage/kimi.ts +271 -0
package/src/usage/minimax-code.ts +31 -0
package/src/usage/openai-codex.ts +503 -0
package/src/usage/shared.ts +10 -0
package/src/usage/zai.ts +247 -0
package/src/usage.ts +183 -0
package/src/utils/abort.ts +51 -0
package/src/utils/anthropic-auth.ts +87 -0
package/src/utils/discovery/antigravity.ts +261 -0
package/src/utils/discovery/codex.ts +371 -0
package/src/utils/discovery/cursor.ts +306 -0
package/src/utils/discovery/gemini.ts +248 -0
package/src/utils/discovery/index.ts +4 -0
package/src/utils/discovery/openai-compatible.ts +224 -0
package/src/utils/event-stream.ts +142 -0
package/src/utils/fireworks-model-id.ts +30 -0
package/src/utils/foundry.ts +8 -0
package/src/utils/h2-fetch.ts +60 -0
package/src/utils/http-inspector.ts +176 -0
package/src/utils/idle-iterator.ts +250 -0
package/src/utils/json-parse.ts +148 -0
package/src/utils/oauth/alibaba-coding-plan.ts +59 -0
package/src/utils/oauth/anthropic.ts +200 -0
package/src/utils/oauth/api-key-login.ts +87 -0
package/src/utils/oauth/api-key-validation.ts +92 -0
package/src/utils/oauth/callback-server.ts +276 -0
package/src/utils/oauth/cerebras.ts +16 -0
package/src/utils/oauth/cloudflare-ai-gateway.ts +48 -0
package/src/utils/oauth/cursor.ts +157 -0
package/src/utils/oauth/deepseek.ts +53 -0
package/src/utils/oauth/firepass.ts +24 -0
package/src/utils/oauth/fireworks.ts +15 -0
package/src/utils/oauth/github-copilot.ts +362 -0
package/src/utils/oauth/gitlab-duo.ts +123 -0
package/src/utils/oauth/google-antigravity.ts +200 -0
package/src/utils/oauth/google-gemini-cli.ts +256 -0
package/src/utils/oauth/google-oauth-shared.ts +110 -0
package/src/utils/oauth/huggingface.ts +62 -0
package/src/utils/oauth/index.ts +444 -0
package/src/utils/oauth/kagi.ts +47 -0
package/src/utils/oauth/kilo.ts +87 -0
package/src/utils/oauth/kimi.ts +254 -0
package/src/utils/oauth/litellm.ts +47 -0
package/src/utils/oauth/lm-studio.ts +38 -0
package/src/utils/oauth/minimax-code.ts +78 -0
package/src/utils/oauth/moonshot.ts +16 -0
package/src/utils/oauth/nanogpt.ts +15 -0
package/src/utils/oauth/nvidia.ts +70 -0
package/src/utils/oauth/oauth.html +199 -0
package/src/utils/oauth/ollama-cloud.ts +28 -0
package/src/utils/oauth/ollama.ts +47 -0
package/src/utils/oauth/openai-codex.ts +299 -0
package/src/utils/oauth/opencode.ts +49 -0
package/src/utils/oauth/parallel.ts +46 -0
package/src/utils/oauth/perplexity.ts +206 -0
package/src/utils/oauth/pkce.ts +18 -0
package/src/utils/oauth/qianfan.ts +58 -0
package/src/utils/oauth/qwen-portal.ts +60 -0
package/src/utils/oauth/synthetic.ts +16 -0
package/src/utils/oauth/tavily.ts +46 -0
package/src/utils/oauth/together.ts +16 -0
package/src/utils/oauth/types.ts +94 -0
package/src/utils/oauth/venice.ts +59 -0
package/src/utils/oauth/vercel-ai-gateway.ts +47 -0
package/src/utils/oauth/vllm.ts +40 -0
package/src/utils/oauth/xiaomi.ts +137 -0
package/src/utils/oauth/zai.ts +60 -0
package/src/utils/oauth/zenmux.ts +15 -0
package/src/utils/overflow.ts +137 -0
package/src/utils/parse-bind.ts +54 -0
package/src/utils/provider-response.ts +30 -0
package/src/utils/retry-after.ts +110 -0
package/src/utils/retry.ts +54 -0
package/src/utils/schema/CONSTRAINTS.md +164 -0
package/src/utils/schema/adapt.ts +36 -0
package/src/utils/schema/compatibility.ts +435 -0
package/src/utils/schema/dereference.ts +98 -0
package/src/utils/schema/draft.ts +341 -0
package/src/utils/schema/equality.ts +97 -0
package/src/utils/schema/fields.ts +190 -0
package/src/utils/schema/index.ts +13 -0
package/src/utils/schema/json-schema-validator.ts +577 -0
package/src/utils/schema/meta-validator.ts +167 -0
package/src/utils/schema/normalize.ts +1588 -0
package/src/utils/schema/spill.ts +43 -0
package/src/utils/schema/stamps.ts +97 -0
package/src/utils/schema/types.ts +11 -0
package/src/utils/schema/wire.ts +213 -0
package/src/utils/schema/zod-decontaminate.ts +331 -0
package/src/utils/sse-debug.ts +289 -0
package/src/utils/tool-call-healing.ts +271 -0
package/src/utils/tool-choice.ts +99 -0
package/src/utils/validation.ts +1019 -0
package/src/utils.ts +166 -0

package/src/auth-broker/client.ts ADDED Viewed

@@ -0,0 +1,358 @@
+/**
+ * HTTP client for the gjc auth-broker server.
+ *
+ * Used by {@link RemoteAuthCredentialStore} (snapshot pulls) and by
+ * `gjc auth-broker status` (liveness checks). All endpoints except
+ * `/v1/healthz` require a bearer token.
+ */
+import { readSseEvents } from "@gajae-code/utils";
+import type { ZodType, infer as zInfer } from "zod/v4";
+import type { AuthCredential } from "../auth-storage";
+import type {
+	CredentialDisableRequest,
+	CredentialDisableResponse,
+	CredentialRefreshResponse,
+	CredentialUploadRequest,
+	CredentialUploadResponse,
+	HealthzResponse,
+	SnapshotResponse,
+	SnapshotStreamEvent,
+	UsageResponse,
+} from "./types";
+import {
+	credentialDisableResponseSchema,
+	credentialRefreshResponseSchema,
+	credentialUploadResponseSchema,
+	healthzResponseSchema,
+	snapshotResponseSchema,
+	snapshotStreamEventSchema,
+	usageResponseSchema,
+} from "./wire-schemas";
+export interface AuthBrokerClientOptions {
+	/** Base URL (e.g. `https://broker.tailnet:8765`). Trailing slashes are trimmed. */
+	url: string;
+	/** Bearer token used for everything except `healthz`. */
+	token: string;
+	/** Per-request timeout in milliseconds. Default 10s. */
+	timeoutMs?: number;
+	/** Retry connection errors this many times. Default 1. */
+	maxRetries?: number;
+	/** Override fetch (used in tests). Default global `fetch`. */
+	fetchImpl?: typeof fetch;
+}
+export class AuthBrokerError extends Error {
+	readonly status: number | undefined;
+	readonly body: string | undefined;
+	constructor(message: string, opts: { status?: number; body?: string; cause?: unknown } = {}) {
+		super(message, { cause: opts.cause });
+		this.name = "AuthBrokerError";
+		this.status = opts.status;
+		this.body = opts.body;
+	}
+}
+/**
+ * Thrown when a broker responds 404 to `GET /v1/snapshot/stream` — old
+ * brokers that predate the SSE endpoint. Callers (`RemoteAuthCredentialStore`)
+ * detect this sentinel to fall back to long-polling permanently.
+ */
+export class AuthBrokerStreamUnsupportedError extends AuthBrokerError {
+	constructor(message = "Auth broker does not support /v1/snapshot/stream") {
+		super(message, { status: 404 });
+		this.name = "AuthBrokerStreamUnsupportedError";
+	}
+}
+export interface FetchSnapshotOptions {
+	ifGenerationGt?: number;
+	waitMs?: number;
+	signal?: AbortSignal;
+}
+export type FetchSnapshotResult =
+	| { status: 200; snapshot: SnapshotResponse; generation: number }
+	| { status: 304; generation: number };
+function parseGenerationTag(header: string | null): number | undefined {
+	if (!header) return undefined;
+	let value = header.trim();
+	if (value.startsWith("W/")) value = value.slice(2).trim();
+	if (value.startsWith('"') && value.endsWith('"') && value.length >= 2) {
+		value = value.slice(1, -1);
+	}
+	const generation = Number(value);
+	if (!Number.isInteger(generation) || generation < 0) return undefined;
+	return generation;
+}
+const DEFAULT_TIMEOUT_MS = 10_000;
+const DEFAULT_MAX_RETRIES = 1;
+export class AuthBrokerClient {
+	readonly #baseUrl: string;
+	readonly #token: string;
+	readonly #timeoutMs: number;
+	readonly #maxRetries: number;
+	readonly #fetch: typeof fetch;
+	constructor(opts: AuthBrokerClientOptions) {
+		this.#baseUrl = opts.url.replace(/\/+$/, "");
+		this.#token = opts.token;
+		this.#timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+		this.#maxRetries = opts.maxRetries ?? DEFAULT_MAX_RETRIES;
+		this.#fetch = opts.fetchImpl ?? fetch;
+	}
+	healthz(signal?: AbortSignal): Promise<HealthzResponse> {
+		return this.#request("GET", "/v1/healthz", { schema: healthzResponseSchema, auth: false, signal });
+	}
+	async fetchSnapshot(opts: FetchSnapshotOptions = {}): Promise<FetchSnapshotResult> {
+		return this.#fetchSnapshotResult(opts);
+	}
+	async #fetchSnapshotResult(opts: FetchSnapshotOptions): Promise<FetchSnapshotResult> {
+		const query = new URLSearchParams();
+		if (opts.waitMs !== undefined) query.set("wait", String(opts.waitMs));
+		const path = `/v1/snapshot${query.size > 0 ? `?${query.toString()}` : ""}`;
+		const headers: Record<string, string> = {};
+		if (opts.ifGenerationGt !== undefined) headers["If-None-Match"] = `"${opts.ifGenerationGt}"`;
+		const timeoutMs =
+			opts.waitMs !== undefined && opts.waitMs > 0 ? Math.max(this.#timeoutMs, opts.waitMs + 1000) : undefined;
+		const response = await this.#fetchRaw("GET", path, {
+			auth: true,
+			headers,
+			signal: opts.signal,
+			timeoutMs,
+		});
+		const etagGeneration = parseGenerationTag(response.headers.get("etag"));
+		if (response.status === 304) {
+			return { status: 304, generation: etagGeneration ?? opts.ifGenerationGt ?? 0 };
+		}
+		const text = await response.text();
+		const raw = this.#parseJson(text, response.status);
+		const validated = snapshotResponseSchema.safeParse(raw);
+		if (!validated.success) {
+			throw new AuthBrokerError("Auth broker response failed schema validation", {
+				status: response.status,
+				body: validated.error.message,
+			});
+		}
+		const snapshot = validated.data as SnapshotResponse;
+		return { status: 200, snapshot, generation: etagGeneration ?? snapshot.generation };
+	}
+	/**
+	 * Subscribe to the broker's SSE snapshot stream. The first frame is always
+	 * a full `snapshot`; subsequent frames are `entry` upserts / refreshes or
+	 * `removed` deletes. Caller controls lifecycle via `opts.signal`.
+	 *
+	 * Throws {@link AuthBrokerStreamUnsupportedError} when the broker responds
+	 * 404 — older brokers predate this endpoint and the caller should fall back
+	 * to long-polling for the remainder of its lifetime.
+	 */
+	async *openSnapshotStream(opts: { signal?: AbortSignal } = {}): AsyncGenerator<SnapshotStreamEvent> {
+		const url = `${this.#baseUrl}/v1/snapshot/stream`;
+		const headers: Record<string, string> = {
+			Accept: "text/event-stream",
+			Authorization: `Bearer ${this.#token}`,
+		};
+		if (opts.signal?.aborted) {
+			throw new AuthBrokerError("Auth broker request aborted", { cause: opts.signal.reason });
+		}
+		// No timeout: this connection is intentionally long-lived. Caller's signal
+		// is the only cancel path.
+		const response = await this.#fetch(url, { method: "GET", headers, signal: opts.signal });
+		if (response.status === 404) {
+			// Drain the body so the socket can be reused; tiny payload.
+			await response.text().catch(() => {});
+			throw new AuthBrokerStreamUnsupportedError();
+		}
+		if (!response.ok) {
+			const text = await response.text().catch(() => "");
+			throw new AuthBrokerError(`Auth broker stream failed: ${response.status} ${response.statusText}`, {
+				status: response.status,
+				body: text,
+			});
+		}
+		if (!response.body) {
+			throw new AuthBrokerError("Auth broker stream response had no body", { status: response.status });
+		}
+		const contentType = response.headers.get("content-type")?.toLowerCase();
+		if (contentType?.split(";", 1)[0].trim() !== "text/event-stream") {
+			await response.body.cancel().catch(() => {});
+			throw new AuthBrokerError("Auth broker stream returned non-SSE response", {
+				status: response.status,
+				body: contentType ?? "",
+			});
+		}
+		let sawFirstEvent = false;
+		for await (const sse of readSseEvents(response.body, opts.signal)) {
+			if (sse.event === null && sse.data === "") continue; // keepalive comment frames
+			let parsed: unknown;
+			try {
+				parsed = JSON.parse(sse.data);
+			} catch (err) {
+				throw new AuthBrokerError("Auth broker stream returned malformed JSON", {
+					body: sse.data,
+					cause: err,
+				});
+			}
+			const validated = snapshotStreamEventSchema.safeParse(parsed);
+			if (!validated.success) {
+				throw new AuthBrokerError("Auth broker stream event failed schema validation", {
+					body: validated.error.message,
+				});
+			}
+			const event = validated.data;
+			if (!sawFirstEvent) {
+				sawFirstEvent = true;
+				if (event.kind !== "snapshot") {
+					throw new AuthBrokerError("Auth broker stream did not start with snapshot", { body: sse.data });
+				}
+			}
+			yield event;
+		}
+		if (!opts.signal?.aborted) {
+			throw new AuthBrokerError(
+				sawFirstEvent
+					? "Auth broker stream ended unexpectedly"
+					: "Auth broker stream ended before initial snapshot",
+				{ status: response.status },
+			);
+		}
+	}
+	fetchUsage(signal?: AbortSignal): Promise<UsageResponse> {
+		// Validates the envelope (`generatedAt`, `reports[].provider`, `limits`,
+		// `metadata`) but leaves provider-specific extension fields permissive so
+		// the broker can ship new shapes ahead of the client. `raw` is accepted
+		// but normally stripped by the broker before send.
+		return this.#request("GET", "/v1/usage", { schema: usageResponseSchema, signal }) as Promise<UsageResponse>;
+	}
+	async refreshCredential(id: number, signal?: AbortSignal): Promise<CredentialRefreshResponse> {
+		return this.#request("POST", `/v1/credential/${id}/refresh`, {
+			schema: credentialRefreshResponseSchema,
+			signal,
+		}) as Promise<CredentialRefreshResponse>;
+	}
+	async disableCredential(id: number, cause: string, signal?: AbortSignal): Promise<CredentialDisableResponse> {
+		const body: CredentialDisableRequest = { cause };
+		return this.#request("POST", `/v1/credential/${id}/disable`, {
+			body,
+			schema: credentialDisableResponseSchema,
+			signal,
+		});
+	}
+	async uploadCredential(
+		provider: string,
+		credential: AuthCredential,
+		signal?: AbortSignal,
+	): Promise<CredentialUploadResponse> {
+		const body: CredentialUploadRequest = { provider, credential };
+		return this.#request("POST", "/v1/credential", {
+			body,
+			schema: credentialUploadResponseSchema,
+			signal,
+		}) as Promise<CredentialUploadResponse>;
+	}
+	async #request<TSchema extends ZodType>(
+		method: "GET" | "POST",
+		path: string,
+		opts: { schema: TSchema; auth?: boolean; body?: unknown; signal?: AbortSignal },
+	): Promise<zInfer<TSchema>> {
+		const response = await this.#fetchRaw(method, path, opts);
+		const text = await response.text();
+		const raw = this.#parseJson(text, response.status);
+		const validated = opts.schema.safeParse(raw);
+		if (!validated.success) {
+			throw new AuthBrokerError("Auth broker response failed schema validation", {
+				status: response.status,
+				body: validated.error.message,
+			});
+		}
+		return validated.data;
+	}
+	#parseJson(text: string, status: number): unknown {
+		try {
+			return text.length === 0 ? null : JSON.parse(text);
+		} catch (parseError) {
+			throw new AuthBrokerError("Auth broker returned malformed JSON", {
+				status,
+				body: text,
+				cause: parseError,
+			});
+		}
+	}
+	async #fetchRaw(
+		method: "GET" | "POST",
+		path: string,
+		opts: {
+			auth?: boolean;
+			body?: unknown;
+			signal?: AbortSignal;
+			headers?: Record<string, string>;
+			timeoutMs?: number;
+		},
+	): Promise<Response> {
+		const auth = opts.auth ?? true;
+		const url = `${this.#baseUrl}${path}`;
+		const headers: Record<string, string> = { Accept: "application/json", ...(opts.headers ?? {}) };
+		if (auth) headers.Authorization = `Bearer ${this.#token}`;
+		let payload: string | undefined;
+		if (opts.body !== undefined) {
+			payload = JSON.stringify(opts.body);
+			headers["Content-Type"] = "application/json";
+		}
+		// Fast-fail when the caller's signal is already aborted — avoids spinning
+		// up a fetch + timer that the first `await` would just abort anyway.
+		if (opts.signal?.aborted) {
+			throw new AuthBrokerError("Auth broker request aborted", { cause: opts.signal.reason });
+		}
+		let lastError: unknown;
+		for (let attempt = 0; attempt <= this.#maxRetries; attempt += 1) {
+			const timeoutSignal = AbortSignal.timeout(opts.timeoutMs ?? this.#timeoutMs);
+			const signal = opts.signal ? AbortSignal.any([opts.signal, timeoutSignal]) : timeoutSignal;
+			try {
+				const response = await this.#fetch(url, {
+					method,
+					headers,
+					body: payload,
+					signal,
+				});
+				if (!response.ok && response.status !== 304) {
+					const text = await response.text();
+					throw new AuthBrokerError(`Auth broker request failed: ${response.status} ${response.statusText}`, {
+						status: response.status,
+						body: text,
+					});
+				}
+				return response;
+			} catch (error) {
+				lastError = error;
+				// Caller-driven abort wins over retry — the caller said stop.
+				if (opts.signal?.aborted) {
+					throw new AuthBrokerError("Auth broker request aborted", { cause: opts.signal.reason });
+				}
+				if (error instanceof AuthBrokerError && error.status !== undefined) {
+					// HTTP errors (4xx/5xx) don't retry — caller knows what to do.
+					throw error;
+				}
+				if (attempt >= this.#maxRetries) break;
+			}
+		}
+		throw new AuthBrokerError(`Auth broker request failed after ${this.#maxRetries + 1} attempt(s)`, {
+			cause: lastError,
+		});
+	}
+}

package/src/auth-broker/index.ts ADDED Viewed

@@ -0,0 +1,5 @@
+export * from "./client";
+export * from "./refresher";
+export * from "./remote-store";
+export * from "./server";
+export * from "./types";

package/src/auth-broker/refresher.ts ADDED Viewed

@@ -0,0 +1,127 @@
+/**
+ * Background OAuth refresh loop for the auth-broker server.
+ *
+ * Iterates active OAuth credentials at `refreshIntervalMs` cadence, refreshing
+ * any whose `expires - Date.now() < refreshSkewMs`. Refresh single-flight
+ * lives in {@link AuthStorage} so manual and background refreshes share the
+ * same upstream attempt.
+ * Definitively-failed credentials (invalid_grant / 401 not from network blip)
+ * are disabled via {@link AuthStorage.disableCredentialById} so the next
+ * snapshot pull surfaces a clean delete on the client.
+ */
+import { logger } from "@gajae-code/utils";
+import type { AuthStorage } from "../auth-storage";
+import { DEFAULT_REFRESH_INTERVAL_MS, DEFAULT_REFRESH_SKEW_MS } from "./types";
+export interface AuthBrokerRefresherOptions {
+	storage: AuthStorage;
+	/** Refresh credentials expiring within this window. Default 5 min. */
+	refreshSkewMs?: number;
+	/** Loop cadence. Default 60s. */
+	refreshIntervalMs?: number;
+	/** Override clock (tests). */
+	now?: () => number;
+}
+const INVALID_GRANT_REGEX = /invalid_grant|invalid_token|revoked|unauthorized|expired.*refresh|refresh.*expired/i;
+const TRANSIENT_REGEX = /timeout|network|fetch failed|ECONNREFUSED/i;
+const HTTP_401_403_REGEX = /\b(401|403)\b/;
+function isDefinitiveFailure(errorMsg: string): boolean {
+	if (INVALID_GRANT_REGEX.test(errorMsg)) return true;
+	if (HTTP_401_403_REGEX.test(errorMsg) && !TRANSIENT_REGEX.test(errorMsg)) return true;
+	return false;
+}
+export interface AuthBrokerRefresherSchedule {
+	enabled: boolean;
+	intervalMs: number;
+	skewMs: number;
+	nextSweepAt: number;
+}
+export class AuthBrokerRefresher {
+	readonly #storage: AuthStorage;
+	readonly #refreshSkewMs: number;
+	readonly #refreshIntervalMs: number;
+	readonly #now: () => number;
+	#timer: NodeJS.Timeout | undefined;
+	#running = false;
+	#nextSweepAt: number;
+	constructor(opts: AuthBrokerRefresherOptions) {
+		this.#storage = opts.storage;
+		this.#refreshSkewMs = opts.refreshSkewMs ?? DEFAULT_REFRESH_SKEW_MS;
+		this.#refreshIntervalMs = opts.refreshIntervalMs ?? DEFAULT_REFRESH_INTERVAL_MS;
+		this.#now = opts.now ?? Date.now;
+		this.#nextSweepAt = this.#now();
+	}
+	start(): void {
+		if (this.#timer !== undefined) return;
+		// Refresh sweep is best-effort; kick once immediately so freshly-booted
+		// brokers don't hand out near-expired tokens for the first interval.
+		this.#nextSweepAt = this.#now();
+		void this.tick();
+		this.#timer = setInterval(() => {
+			void this.tick();
+		}, this.#refreshIntervalMs);
+	}
+	stop(): void {
+		if (this.#timer !== undefined) {
+			clearInterval(this.#timer);
+			this.#timer = undefined;
+		}
+	}
+	getSchedule(): AuthBrokerRefresherSchedule {
+		return {
+			enabled: true,
+			intervalMs: this.#refreshIntervalMs,
+			skewMs: this.#refreshSkewMs,
+			nextSweepAt: this.#nextSweepAt,
+		};
+	}
+	/** Run one sweep. Exposed for tests. */
+	async tick(): Promise<void> {
+		if (this.#running) return;
+		this.#running = true;
+		this.#nextSweepAt = this.#now();
+		try {
+			await this.#storage.reload();
+			const snapshot = this.#storage.exportSnapshot();
+			const now = this.#now();
+			const deadline = now + this.#refreshSkewMs;
+			const targets: number[] = [];
+			for (const entry of snapshot.credentials) {
+				if (entry.credential.type !== "oauth") continue;
+				const expires = entry.credential.expires;
+				if (typeof expires !== "number" || !Number.isFinite(expires)) continue;
+				if (expires > deadline) continue;
+				targets.push(entry.id);
+			}
+			await Promise.all(targets.map(id => this.#refreshOne(id)));
+		} finally {
+			this.#running = false;
+			this.#nextSweepAt = this.#now() + this.#refreshIntervalMs;
+		}
+	}
+	async #refreshOne(id: number): Promise<void> {
+		try {
+			await this.#storage.refreshCredentialById(id);
+		} catch (error) {
+			const errorMsg = String(error);
+			if (isDefinitiveFailure(errorMsg)) {
+				logger.warn("auth-broker refresh failed definitively; disabling credential", {
+					id,
+					error: errorMsg,
+				});
+				this.#storage.disableCredentialById(id, `auth-broker refresh failed: ${errorMsg}`);
+			} else {
+				logger.debug("auth-broker refresh failed (transient)", { id, error: errorMsg });
+			}
+		}
+	}
+}