@gajae-code/ai 0.1.1

package/src/utils/oauth/api-key-login.ts

@@ -0,0 +1,87 @@
+/**
+ * Shared factory for API-key-paste "login" flows.
+ *
+ * Several providers (Cerebras, Synthetic, Moonshot, Together, NanoGPT, ZenMux)
+ * don't actually implement OAuth — they just ask the user to paste an API key,
+ * optionally validate it, and return the trimmed key.
+ */
+
+import { validateApiKeyAgainstModelsEndpoint, validateOpenAICompatibleApiKey } from "./api-key-validation";
+import type { OAuthController } from "./types";
+
+type ChatCompletionsValidation = {
+	kind: "chat-completions";
+	provider: string;
+	baseUrl: string;
+	model: string;
+};
+
+type ModelsEndpointValidation = {
+	kind: "models-endpoint";
+	provider: string;
+	modelsUrl: string;
+};
+
+export type ApiKeyLoginConfig = {
+	/** Display name used in error messages, e.g. "Cerebras", "NanoGPT". */
+	providerLabel: string;
+	/** URL opened in browser for the user to grab their key. */
+	authUrl: string;
+	/** Instructions shown with the onAuth callback. */
+	instructions: string;
+	/** Prompt message shown when asking for the key paste. */
+	promptMessage: string;
+	/** Placeholder string for the prompt (e.g. "sk-...", "csk-..."). */
+	placeholder: string;
+	/** Validation strategy, or `null` to skip validation. */
+	validation: ChatCompletionsValidation | ModelsEndpointValidation | null;
+};
+
+export function createApiKeyLogin(config: ApiKeyLoginConfig): (options: OAuthController) => Promise<string> {
+	return async function login(options: OAuthController): Promise<string> {
+		if (!options.onPrompt) {
+			throw new Error(`${config.providerLabel} login requires onPrompt callback`);
+		}
+
+		options.onAuth?.({
+			url: config.authUrl,
+			instructions: config.instructions,
+		});
+
+		const apiKey = await options.onPrompt({
+			message: config.promptMessage,
+			placeholder: config.placeholder,
+		});
+
+		if (options.signal?.aborted) {
+			throw new Error("Login cancelled");
+		}
+
+		const trimmed = apiKey.trim();
+		if (!trimmed) {
+			throw new Error("API key is required");
+		}
+
+		if (config.validation) {
+			options.onProgress?.("Validating API key...");
+			if (config.validation.kind === "chat-completions") {
+				await validateOpenAICompatibleApiKey({
+					provider: config.validation.provider,
+					apiKey: trimmed,
+					baseUrl: config.validation.baseUrl,
+					model: config.validation.model,
+					signal: options.signal,
+				});
+			} else {
+				await validateApiKeyAgainstModelsEndpoint({
+					provider: config.validation.provider,
+					apiKey: trimmed,
+					modelsUrl: config.validation.modelsUrl,
+					signal: options.signal,
+				});
+			}
+		}
+
+		return trimmed;
+	};
+}

package/src/utils/oauth/api-key-validation.ts

@@ -0,0 +1,92 @@
+type OpenAICompatibleValidationOptions = {
+	provider: string;
+	apiKey: string;
+	baseUrl: string;
+	model: string;
+	signal?: AbortSignal;
+};
+
+type ModelListValidationOptions = {
+	provider: string;
+	apiKey: string;
+	modelsUrl: string;
+	signal?: AbortSignal;
+};
+
+const VALIDATION_TIMEOUT_MS = 15_000;
+
+/**
+ * Validate an API key against an OpenAI-compatible chat completions endpoint.
+ *
+ * Performs a minimal request to verify credentials and endpoint access.
+ */
+export async function validateOpenAICompatibleApiKey(options: OpenAICompatibleValidationOptions): Promise<void> {
+	const timeoutSignal = AbortSignal.timeout(VALIDATION_TIMEOUT_MS);
+	const signal = options.signal ? AbortSignal.any([options.signal, timeoutSignal]) : timeoutSignal;
+
+	const response = await fetch(`${options.baseUrl}/chat/completions`, {
+		method: "POST",
+		headers: {
+			"Content-Type": "application/json",
+			Authorization: `Bearer ${options.apiKey}`,
+		},
+		body: JSON.stringify({
+			model: options.model,
+			messages: [{ role: "user", content: "ping" }],
+			max_tokens: 1,
+			temperature: 0,
+		}),
+		signal,
+	});
+
+	if (response.ok) {
+		return;
+	}
+
+	let details = "";
+	try {
+		details = (await response.text()).trim();
+	} catch {
+		// ignore body parse errors, status is enough
+	}
+
+	const message = details
+		? `${options.provider} API key validation failed (${response.status}): ${details}`
+		: `${options.provider} API key validation failed (${response.status})`;
+	throw new Error(message);
+}
+
+/**
+ * Validate an API key against a provider models endpoint.
+ *
+ * Useful for providers where access to specific models may vary by plan and
+ * should not block key validation.
+ */
+export async function validateApiKeyAgainstModelsEndpoint(options: ModelListValidationOptions): Promise<void> {
+	const timeoutSignal = AbortSignal.timeout(VALIDATION_TIMEOUT_MS);
+	const signal = options.signal ? AbortSignal.any([options.signal, timeoutSignal]) : timeoutSignal;
+
+	const response = await fetch(options.modelsUrl, {
+		method: "GET",
+		headers: {
+			Authorization: `Bearer ${options.apiKey}`,
+		},
+		signal,
+	});
+
+	if (response.ok) {
+		return;
+	}
+
+	let details = "";
+	try {
+		details = (await response.text()).trim();
+	} catch {
+		// ignore body parse errors, status is enough
+	}
+
+	const message = details
+		? `${options.provider} API key validation failed (${response.status}): ${details}`
+		: `${options.provider} API key validation failed (${response.status})`;
+	throw new Error(message);
+}

package/src/utils/oauth/callback-server.ts

@@ -0,0 +1,276 @@
+/**
+ * Abstract base class for OAuth flows with local callback servers.
+ *
+ * Handles:
+ * - Port allocation (tries expected port, falls back to random)
+ * - Callback server setup and request handling
+ * - Common OAuth flow logic
+ *
+ * Providers extend this and implement:
+ * - generateAuthUrl(): Build provider-specific authorization URL
+ * - exchangeToken(): Exchange authorization code for tokens
+ */
+import templateHtml from "./oauth.html" with { type: "text" };
+import type { OAuthController, OAuthCredentials } from "./types";
+
+const DEFAULT_TIMEOUT = 300_000;
+const DEFAULT_HOSTNAME = "localhost";
+const CALLBACK_PATH = "/callback";
+
+export type CallbackResult = { code: string; state: string };
+
+export interface OAuthCallbackFlowOptions {
+	preferredPort: number;
+	callbackPath?: string;
+	callbackHostname?: string;
+	/** Exact redirect URI advertised to the provider; disables port fallback. */
+	redirectUri?: string;
+}
+
+/**
+ * Abstract base class for OAuth flows with local callback servers.
+ */
+export abstract class OAuthCallbackFlow {
+	ctrl: OAuthController;
+	preferredPort: number;
+	callbackPath: string;
+	callbackHostname: string;
+	redirectUri?: string;
+	#callbackResolve?: (result: CallbackResult) => void;
+	#callbackReject?: (error: string) => void;
+
+	constructor(
+		ctrl: OAuthController,
+		preferredPortOrOptions: number | OAuthCallbackFlowOptions,
+		callbackPath: string = CALLBACK_PATH,
+	) {
+		this.ctrl = ctrl;
+		if (typeof preferredPortOrOptions === "number") {
+			this.preferredPort = preferredPortOrOptions;
+			this.callbackPath = callbackPath;
+			this.callbackHostname = DEFAULT_HOSTNAME;
+			return;
+		}
+
+		this.preferredPort = preferredPortOrOptions.preferredPort;
+		this.callbackPath = preferredPortOrOptions.callbackPath ?? CALLBACK_PATH;
+		this.callbackHostname = preferredPortOrOptions.callbackHostname ?? DEFAULT_HOSTNAME;
+		this.redirectUri = preferredPortOrOptions.redirectUri;
+	}
+
+	/**
+	 * Generate provider-specific authorization URL.
+	 * @param state - CSRF state token
+	 * @param redirectUri - The actual redirect URI to use (may differ from expected if port fallback occurred)
+	 * @returns Authorization URL and optional instructions
+	 */
+	abstract generateAuthUrl(state: string, redirectUri: string): Promise<{ url: string; instructions?: string }>;
+
+	/**
+	 * Exchange authorization code for OAuth tokens.
+	 * @param code - Authorization code from callback
+	 * @param state - CSRF state token
+	 * @param redirectUri - The actual redirect URI used (must match authorization request)
+	 * @returns OAuth credentials
+	 */
+	abstract exchangeToken(code: string, state: string, redirectUri: string): Promise<OAuthCredentials>;
+
+	/**
+	 * Generate CSRF state token. Override if provider needs custom state generation.
+	 */
+	generateState(): string {
+		const bytes = new Uint8Array(16);
+		crypto.getRandomValues(bytes);
+		return Array.from(bytes)
+			.map(value => value.toString(16).padStart(2, "0"))
+			.join("");
+	}
+
+	/**
+	 * Execute the OAuth login flow.
+	 */
+	async login(): Promise<OAuthCredentials> {
+		const state = this.generateState();
+
+		// Start callback server first to get actual redirect URI
+		const { server, redirectUri } = await this.#startCallbackServer(state);
+
+		try {
+			// Generate auth URL with the ACTUAL redirect URI (may differ from expected if port was busy)
+			const { url: authUrl, instructions } = await this.generateAuthUrl(state, redirectUri);
+
+			// Notify controller that auth is ready
+			this.ctrl.onAuth?.({ url: authUrl, instructions });
+			this.ctrl.onProgress?.("Waiting for browser authentication...");
+
+			// Wait for callback or manual input
+			const { code } = await this.#waitForCallback(state);
+
+			this.ctrl.onProgress?.("Exchanging authorization code for tokens...");
+
+			return await this.exchangeToken(code, state, redirectUri);
+		} finally {
+			server.stop();
+		}
+	}
+
+	/**
+	 * Start callback server, trying preferred port first, falling back to random.
+	 */
+	async #startCallbackServer(expectedState: string): Promise<{ server: Bun.Server<unknown>; redirectUri: string }> {
+		try {
+			const server = this.#createServer(this.preferredPort, expectedState);
+			if (this.redirectUri) {
+				return { server, redirectUri: this.redirectUri };
+			}
+			const redirectUri = `http://${this.callbackHostname}:${this.preferredPort}${this.callbackPath}`;
+			return { server, redirectUri };
+		} catch {
+			if (this.redirectUri) {
+				throw new Error(
+					`OAuth callback port ${this.preferredPort} unavailable; cannot fall back to a random port when oauth.redirectUri is set`,
+				);
+			}
+			const server = this.#createServer(0, expectedState);
+			const actualPort = server.port;
+			const redirectUri = `http://${this.callbackHostname}:${actualPort}${this.callbackPath}`;
+			this.ctrl.onProgress?.(`Preferred port ${this.preferredPort} unavailable, using port ${actualPort}`);
+			return { server, redirectUri };
+		}
+	}
+
+	/**
+	 * Create HTTP server for OAuth callback.
+	 */
+	#createServer(port: number, expectedState: string): Bun.Server<unknown> {
+		return Bun.serve({
+			hostname: this.callbackHostname,
+			port,
+			reusePort: false,
+			fetch: req => this.#handleCallback(req, expectedState),
+		});
+	}
+
+	/**
+	 * Handle OAuth callback HTTP request.
+	 */
+	#handleCallback(req: Request, expectedState: string): Response {
+		const url = new URL(req.url);
+
+		if (url.pathname !== this.callbackPath) {
+			return new Response("Not Found", { status: 404 });
+		}
+
+		const code = url.searchParams.get("code");
+		const state = url.searchParams.get("state") || "";
+		const error = url.searchParams.get("error") || "";
+		const errorDescription = url.searchParams.get("error_description") || error;
+
+		type OkState = { ok: true; code: string; state: string };
+		type ErrorState = { ok?: false; error?: string };
+		let resultState: OkState | ErrorState;
+
+		if (error) {
+			resultState = { ok: false, error: `Authorization failed: ${errorDescription}` };
+		} else if (!code) {
+			resultState = { ok: false, error: "Missing authorization code" };
+		} else if (expectedState && state !== expectedState) {
+			resultState = { ok: false, error: "State mismatch - possible CSRF attack" };
+		} else {
+			resultState = { ok: true, code, state };
+		}
+
+		// Signal to waitForCallback - capture refs before they could be cleared
+		const resolve = this.#callbackResolve;
+		const reject = this.#callbackReject;
+		queueMicrotask(() => {
+			if (resultState.ok) {
+				resolve?.({ code: resultState.code, state: resultState.state });
+			} else {
+				reject?.(resultState.error ?? "Unknown error");
+			}
+		});
+
+		return new Response(
+			(templateHtml as unknown as string).replaceAll("__OAUTH_STATE__", JSON.stringify(resultState)),
+			{
+				status: resultState.ok ? 200 : 500,
+				headers: { "Content-Type": "text/html" },
+			},
+		);
+	}
+
+	/**
+	 * Wait for OAuth callback or manual input (whichever comes first).
+	 */
+	#waitForCallback(expectedState: string): Promise<CallbackResult> {
+		const timeoutSignal = AbortSignal.timeout(DEFAULT_TIMEOUT);
+		const signal = this.ctrl.signal ? AbortSignal.any([this.ctrl.signal, timeoutSignal]) : timeoutSignal;
+
+		const callbackPromise = new Promise<CallbackResult>((resolve, reject) => {
+			this.#callbackResolve = resolve;
+			this.#callbackReject = reject;
+
+			signal.addEventListener("abort", () => {
+				this.#callbackResolve = undefined;
+				this.#callbackReject = undefined;
+				reject(new Error(`OAuth callback cancelled: ${signal.reason}`));
+			});
+		});
+
+		// Manual input race (if supported)
+		if (this.ctrl.onManualCodeInput) {
+			const requestManualInput = this.ctrl.onManualCodeInput;
+			const manualPromise = (async (): Promise<CallbackResult> => {
+				while (true) {
+					const result = await Promise.race([
+						callbackPromise,
+						requestManualInput()
+							.then((input): CallbackResult | null => {
+								const parsed = parseCallbackInput(input);
+								if (!parsed.code) return null;
+								if (expectedState && parsed.state && parsed.state !== expectedState) return null;
+								return { code: parsed.code, state: parsed.state ?? "" };
+							})
+							.catch((): CallbackResult | null => null),
+					]);
+					if (result) return result;
+				}
+			})();
+
+			return Promise.race([callbackPromise, manualPromise]);
+		}
+
+		return callbackPromise;
+	}
+}
+
+/**
+ * Parse a redirect URL or code string to extract code and state.
+ */
+export function parseCallbackInput(input: string): { code?: string; state?: string } {
+	const value = input.trim();
+	if (!value) return {};
+
+	try {
+		const url = new URL(value);
+		return {
+			code: url.searchParams.get("code") ?? undefined,
+			state: url.searchParams.get("state") ?? undefined,
+		};
+	} catch {
+		// Not a URL - check for query string format
+	}
+
+	if (value.includes("code=")) {
+		const params = new URLSearchParams(value.replace(/^[?#]/, ""));
+		return {
+			code: params.get("code") ?? undefined,
+			state: params.get("state") ?? undefined,
+		};
+	}
+
+	// Assume raw code, possibly with state after #
+	const [code, state] = value.split("#", 2);
+	return { code, state };
+}

package/src/utils/oauth/cerebras.ts

@@ -0,0 +1,16 @@
+/** Cerebras login flow (API key paste against https://api.cerebras.ai/v1). */
+import { createApiKeyLogin } from "./api-key-login";
+
+export const loginCerebras = createApiKeyLogin({
+	providerLabel: "Cerebras",
+	authUrl: "https://cloud.cerebras.ai/platform/",
+	instructions: "Copy your API key from the Cerebras dashboard",
+	promptMessage: "Paste your Cerebras API key",
+	placeholder: "csk-...",
+	validation: {
+		kind: "chat-completions",
+		provider: "Cerebras",
+		baseUrl: "https://api.cerebras.ai/v1",
+		model: "gpt-oss-120b",
+	},
+});

package/src/utils/oauth/cloudflare-ai-gateway.ts

@@ -0,0 +1,48 @@
+/**
+ * Cloudflare AI Gateway login flow.
+ *
+ * Cloudflare AI Gateway proxies upstream model providers.
+ *
+ * This is not OAuth - it's a simple API key flow:
+ * 1. Open Cloudflare AI Gateway docs/dashboard
+ * 2. User copies their Cloudflare AI Gateway token/API key
+ * 3. User pastes the API key into the CLI
+ */
+
+import type { OAuthController } from "./types";
+
+const AUTH_URL = "https://developers.cloudflare.com/ai-gateway/configuration/authentication/";
+
+/**
+ * Login to Cloudflare AI Gateway.
+ *
+ * Opens browser to Cloudflare AI Gateway authentication docs and prompts for a gateway token/API key.
+ * Returns the API key directly (not OAuthCredentials - this isn't OAuth).
+ */
+export async function loginCloudflareAiGateway(options: OAuthController): Promise<string> {
+	if (!options.onPrompt) {
+		throw new Error("Cloudflare AI Gateway login requires onPrompt callback");
+	}
+
+	options.onAuth?.({
+		url: AUTH_URL,
+		instructions:
+			"Copy your Cloudflare AI Gateway token/API key. Configure account/gateway base URL in models config.",
+	});
+
+	const apiKey = await options.onPrompt({
+		message: "Paste your Cloudflare AI Gateway token/API key",
+		placeholder: "cf-aig-...",
+	});
+
+	if (options.signal?.aborted) {
+		throw new Error("Login cancelled");
+	}
+
+	const trimmed = apiKey.trim();
+	if (!trimmed) {
+		throw new Error("API key is required");
+	}
+
+	return trimmed;
+}

package/src/utils/oauth/cursor.ts

@@ -0,0 +1,157 @@
+import { generatePKCE } from "./pkce";
+import type { OAuthCredentials } from "./types";
+
+const CURSOR_LOGIN_URL = "https://cursor.com/loginDeepControl";
+const CURSOR_POLL_URL = "https://api2.cursor.sh/auth/poll";
+const CURSOR_REFRESH_URL = "https://api2.cursor.sh/auth/exchange_user_api_key";
+
+const POLL_MAX_ATTEMPTS = 150;
+const POLL_BASE_DELAY = 1000;
+const POLL_MAX_DELAY = 10000;
+const POLL_BACKOFF_MULTIPLIER = 1.2;
+
+export interface CursorAuthParams {
+	verifier: string;
+	challenge: string;
+	uuid: string;
+	loginUrl: string;
+}
+
+export async function generateCursorAuthParams(): Promise<CursorAuthParams> {
+	const { verifier, challenge } = await generatePKCE();
+	const uuid = crypto.randomUUID();
+
+	const params = new URLSearchParams({
+		challenge,
+		uuid,
+		mode: "login",
+		redirectTarget: "cli",
+	});
+
+	const loginUrl = `${CURSOR_LOGIN_URL}?${params.toString()}`;
+
+	return { verifier, challenge, uuid, loginUrl };
+}
+
+export async function pollCursorAuth(
+	uuid: string,
+	verifier: string,
+): Promise<{ accessToken: string; refreshToken: string }> {
+	let delay = POLL_BASE_DELAY;
+	let consecutiveErrors = 0;
+
+	for (let attempt = 0; attempt < POLL_MAX_ATTEMPTS; attempt++) {
+		await Bun.sleep(delay);
+
+		try {
+			const response = await fetch(`${CURSOR_POLL_URL}?uuid=${uuid}&verifier=${verifier}`);
+
+			if (response.status === 404) {
+				consecutiveErrors = 0;
+				delay = Math.min(delay * POLL_BACKOFF_MULTIPLIER, POLL_MAX_DELAY);
+				continue;
+			}
+
+			if (response.ok) {
+				const data = (await response.json()) as {
+					accessToken: string;
+					refreshToken: string;
+				};
+				return {
+					accessToken: data.accessToken,
+					refreshToken: data.refreshToken,
+				};
+			}
+
+			throw new Error(`Poll failed: ${response.status}`);
+		} catch {
+			consecutiveErrors++;
+			if (consecutiveErrors >= 3) {
+				throw new Error("Too many consecutive errors during Cursor auth polling");
+			}
+		}
+	}
+
+	throw new Error("Cursor authentication polling timeout");
+}
+
+export async function loginCursor(
+	onAuthUrl: (url: string) => void,
+	onPollStart?: () => void,
+): Promise<OAuthCredentials> {
+	const { verifier, uuid, loginUrl } = await generateCursorAuthParams();
+
+	onAuthUrl(loginUrl);
+	onPollStart?.();
+
+	const { accessToken, refreshToken } = await pollCursorAuth(uuid, verifier);
+
+	const expiresAt = getTokenExpiry(accessToken);
+
+	return {
+		access: accessToken,
+		refresh: refreshToken,
+		expires: expiresAt,
+	};
+}
+
+export async function refreshCursorToken(apiKeyOrRefreshToken: string): Promise<OAuthCredentials> {
+	const response = await fetch(CURSOR_REFRESH_URL, {
+		method: "POST",
+		headers: {
+			Authorization: `Bearer ${apiKeyOrRefreshToken}`,
+			"Content-Type": "application/json",
+		},
+		body: "{}",
+	});
+
+	if (!response.ok) {
+		const error = await response.text();
+		throw new Error(`Cursor token refresh failed: ${error}`);
+	}
+
+	const data = (await response.json()) as {
+		accessToken: string;
+		refreshToken: string;
+	};
+
+	const expiresAt = getTokenExpiry(data.accessToken);
+
+	return {
+		access: data.accessToken,
+		refresh: data.refreshToken || apiKeyOrRefreshToken,
+		expires: expiresAt,
+	};
+}
+
+function getTokenExpiry(token: string): number {
+	try {
+		const parts = token.split(".");
+		if (parts.length !== 3) {
+			return Date.now() + 3600 * 1000;
+		}
+		const payload = parts[1];
+		if (!payload) {
+			return Date.now() + 3600 * 1000;
+		}
+		const decoded = JSON.parse(atob(payload.replace(/-/g, "+").replace(/_/g, "/")));
+		if (decoded && typeof decoded === "object" && typeof decoded.exp === "number") {
+			return decoded.exp * 1000 - 5 * 60 * 1000;
+		}
+	} catch {
+		// Ignore parsing errors
+	}
+	return Date.now() + 3600 * 1000;
+}
+
+export function isCursorTokenExpiringSoon(token: string, thresholdSeconds = 300): boolean {
+	try {
+		const [, payload] = token.split(".");
+		if (!payload) return true;
+		const decoded = JSON.parse(atob(payload.replace(/-/g, "+").replace(/_/g, "/")));
+		const currentTime = Math.floor(Date.now() / 1000);
+		return decoded.exp - currentTime < thresholdSeconds;
+	} catch {
+		return true;
+	}
+}