@gajae-code/ai 0.1.1

package/src/utils/oauth/kimi.ts

@@ -0,0 +1,254 @@
+/**
+ * Kimi Code OAuth flow (device authorization grant)
+ */
+
+import * as crypto from "node:crypto";
+import * as fs from "node:fs";
+import * as os from "node:os";
+import * as path from "node:path";
+import { scheduler } from "node:timers/promises";
+import { $env, getAgentDir, isEnoent } from "@gajae-code/utils";
+import packageJson from "../../../package.json" with { type: "json" };
+import type { OAuthController, OAuthCredentials } from "./types";
+
+const CLIENT_ID = "17e5f671-d194-4dfb-9706-5516cb48c098";
+const DEFAULT_OAUTH_HOST = "https://auth.kimi.com";
+const DEVICE_ID_FILENAME = "kimi-device-id";
+const DEFAULT_POLL_INTERVAL_MS = 5000;
+const DEFAULT_DEVICE_FLOW_TTL_MS = 15 * 60 * 1000;
+const OAUTH_EXPIRY_SKEW_MS = 5 * 60 * 1000;
+
+interface DeviceAuthorizationResponse {
+	user_code?: string;
+	device_code?: string;
+	verification_uri?: string;
+	verification_uri_complete?: string;
+	expires_in?: number;
+	interval?: number;
+}
+
+interface TokenResponse {
+	access_token?: string;
+	refresh_token?: string;
+	expires_in?: number;
+	scope?: string;
+	token_type?: string;
+	error?: string;
+	error_description?: string;
+	interval?: number;
+}
+
+function resolveOAuthHost(): string {
+	return $env.KIMI_CODE_OAUTH_HOST || $env.KIMI_OAUTH_HOST || DEFAULT_OAUTH_HOST;
+}
+
+function formatDeviceModel(system: string, release: string, arch: string): string {
+	return [system, release, arch].filter(Boolean).join(" ").trim();
+}
+
+function getDeviceModel(): string {
+	const platform = os.platform();
+	const release = os.release();
+	const arch = os.arch();
+	if (platform === "darwin") return formatDeviceModel("macOS", release, arch);
+	if (platform === "win32") return formatDeviceModel("Windows", release, arch);
+	const label = platform === "linux" ? "Linux" : platform;
+	return formatDeviceModel(label, release, arch);
+}
+
+let getDeviceId = (): string => {
+	const deviceIdPath = path.join(getAgentDir(), DEVICE_ID_FILENAME);
+	try {
+		const existing = fs.readFileSync(deviceIdPath, "utf-8");
+		const trimmed = existing.trim();
+		if (trimmed) {
+			getDeviceId = () => trimmed;
+			return trimmed;
+		}
+	} catch (error) {
+		if (!isEnoent(error)) throw error;
+	}
+
+	const deviceId = crypto.randomUUID().replace(/-/g, "");
+	fs.writeFileSync(deviceIdPath, `${deviceId}\n`, { mode: 0o600 });
+	getDeviceId = () => deviceId;
+	return deviceId;
+};
+
+export let getKimiCommonHeaders = () => {
+	const headers = Object.freeze({
+		"User-Agent": `KimiCLI/${packageJson.version}`,
+		"X-Msh-Platform": "kimi_cli",
+		"X-Msh-Version": packageJson.version,
+		"X-Msh-Device-Name": os.hostname(),
+		"X-Msh-Device-Model": getDeviceModel(),
+		"X-Msh-Os-Version": os.version(),
+		"X-Msh-Device-Id": getDeviceId(),
+	});
+	getKimiCommonHeaders = () => headers;
+	return headers;
+};
+
+async function requestDeviceAuthorization(): Promise<{
+	userCode: string;
+	deviceCode: string;
+	verificationUri: string;
+	verificationUriComplete: string;
+	expiresInMs: number;
+	intervalMs: number;
+}> {
+	const response = await fetch(`${resolveOAuthHost()}/api/oauth/device_authorization`, {
+		method: "POST",
+		headers: {
+			"Content-Type": "application/x-www-form-urlencoded",
+			...getKimiCommonHeaders(),
+		},
+		body: new URLSearchParams({ client_id: CLIENT_ID }),
+	});
+
+	if (!response.ok) {
+		const text = await response.text();
+		throw new Error(`Kimi device authorization failed: ${response.status} ${text}`);
+	}
+
+	const payload = (await response.json()) as DeviceAuthorizationResponse;
+	const userCode = payload.user_code;
+	const deviceCode = payload.device_code;
+	const verificationUri = payload.verification_uri;
+	const verificationUriComplete = payload.verification_uri_complete;
+
+	if (!userCode || !deviceCode || !verificationUri) {
+		throw new Error("Kimi device authorization response missing required fields");
+	}
+
+	const expiresInMs = typeof payload.expires_in === "number" ? payload.expires_in * 1000 : DEFAULT_DEVICE_FLOW_TTL_MS;
+	const intervalMs =
+		typeof payload.interval === "number" && payload.interval > 0 ? payload.interval * 1000 : DEFAULT_POLL_INTERVAL_MS;
+
+	return {
+		userCode,
+		deviceCode,
+		verificationUri,
+		verificationUriComplete: verificationUriComplete || verificationUri,
+		expiresInMs,
+		intervalMs,
+	};
+}
+
+function parseTokenPayload(payload: TokenResponse, refreshTokenFallback?: string): OAuthCredentials {
+	if (!payload.access_token || typeof payload.expires_in !== "number") {
+		throw new Error("Kimi token response missing required fields");
+	}
+
+	const refresh = payload.refresh_token ?? refreshTokenFallback;
+	if (!refresh) {
+		throw new Error("Kimi token response missing refresh token");
+	}
+
+	return {
+		access: payload.access_token,
+		refresh,
+		expires: Date.now() + payload.expires_in * 1000 - OAUTH_EXPIRY_SKEW_MS,
+	};
+}
+
+async function pollForToken(
+	deviceCode: string,
+	intervalMs: number,
+	expiresInMs: number,
+	signal?: AbortSignal,
+): Promise<OAuthCredentials> {
+	const deadline = Date.now() + expiresInMs;
+	let waitMs = Math.max(1000, intervalMs);
+
+	while (Date.now() < deadline) {
+		if (signal?.aborted) {
+			throw new Error("Login cancelled");
+		}
+
+		const response = await fetch(`${resolveOAuthHost()}/api/oauth/token`, {
+			method: "POST",
+			headers: {
+				"Content-Type": "application/x-www-form-urlencoded",
+				...getKimiCommonHeaders(),
+			},
+			body: new URLSearchParams({
+				client_id: CLIENT_ID,
+				device_code: deviceCode,
+				grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+			}),
+		});
+
+		const payload = (await response.json()) as TokenResponse;
+		if (response.ok && payload.access_token) {
+			return parseTokenPayload(payload);
+		}
+
+		const error = payload.error;
+		if (error === "authorization_pending") {
+			await scheduler.wait(waitMs, { signal });
+			continue;
+		}
+
+		if (error === "slow_down") {
+			waitMs += 5000;
+			const retryAfter = typeof payload.interval === "number" ? payload.interval * 1000 : undefined;
+			if (retryAfter && retryAfter > waitMs) waitMs = retryAfter;
+			await scheduler.wait(waitMs, { signal });
+			continue;
+		}
+
+		if (error === "expired_token") {
+			throw new Error("Kimi device authorization expired");
+		}
+
+		if (error === "access_denied") {
+			throw new Error("Kimi device authorization denied");
+		}
+
+		const description = payload.error_description ? `: ${payload.error_description}` : "";
+		throw new Error(`Kimi device flow failed: ${error ?? response.status}${description}`);
+	}
+
+	throw new Error("Kimi device flow timed out");
+}
+
+/**
+ * Login with Kimi Code OAuth (device code flow).
+ */
+export async function loginKimi(options: OAuthController): Promise<OAuthCredentials> {
+	const device = await requestDeviceAuthorization();
+	options.onAuth?.({
+		url: device.verificationUriComplete,
+		instructions: `Enter code: ${device.userCode}`,
+	});
+
+	return pollForToken(device.deviceCode, device.intervalMs, device.expiresInMs, options.signal);
+}
+
+/**
+ * Refresh Kimi OAuth token.
+ */
+export async function refreshKimiToken(refreshToken: string): Promise<OAuthCredentials> {
+	const response = await fetch(`${resolveOAuthHost()}/api/oauth/token`, {
+		method: "POST",
+		headers: {
+			"Content-Type": "application/x-www-form-urlencoded",
+			...getKimiCommonHeaders(),
+		},
+		body: new URLSearchParams({
+			grant_type: "refresh_token",
+			refresh_token: refreshToken,
+			client_id: CLIENT_ID,
+		}),
+	});
+
+	if (!response.ok) {
+		const payload = (await response.json().catch(() => undefined)) as TokenResponse | undefined;
+		const description = payload?.error_description ? `: ${payload.error_description}` : "";
+		throw new Error(`Kimi token refresh failed: ${response.status}${description}`);
+	}
+
+	const payload = (await response.json()) as TokenResponse;
+	return parseTokenPayload(payload, refreshToken);
+}

package/src/utils/oauth/litellm.ts

@@ -0,0 +1,47 @@
+/**
+ * LiteLLM login flow.
+ *
+ * LiteLLM is an OpenAI-compatible proxy that routes requests to many upstream providers.
+ *
+ * This is not OAuth - it's a simple API key flow:
+ * 1. Open browser to LiteLLM docs/dashboard
+ * 2. User copies their LiteLLM API key
+ * 3. User pastes the API key into the CLI
+ */
+
+import type { OAuthController } from "./types";
+
+const AUTH_URL = "https://docs.litellm.ai/docs/proxy/deploy";
+
+/**
+ * Login to LiteLLM.
+ *
+ * Opens browser to LiteLLM setup docs, prompts user to paste their API key.
+ * Returns the API key directly (not OAuthCredentials - this isn't OAuth).
+ */
+export async function loginLiteLLM(options: OAuthController): Promise<string> {
+	if (!options.onPrompt) {
+		throw new Error("LiteLLM login requires onPrompt callback");
+	}
+
+	options.onAuth?.({
+		url: AUTH_URL,
+		instructions: "Run LiteLLM proxy (default http://localhost:4000/v1), then copy your master key or virtual key",
+	});
+
+	const apiKey = await options.onPrompt({
+		message: "Paste your LiteLLM API key (master key or virtual key)",
+		placeholder: "sk-...",
+	});
+
+	if (options.signal?.aborted) {
+		throw new Error("Login cancelled");
+	}
+
+	const trimmed = apiKey.trim();
+	if (!trimmed) {
+		throw new Error("API key is required");
+	}
+
+	return trimmed;
+}

package/src/utils/oauth/lm-studio.ts

@@ -0,0 +1,38 @@
+/**
+ * LM Studio login flow.
+ *
+ * LM Studio provides an OpenAI-compatible API at a local base URL.
+ * It usually runs unauthenticated but can be configured to require a bearer token.
+ *
+ * This flow stores an API-key-style credential used by `/login` and auth storage.
+ */
+
+import type { OAuthController, OAuthProvider } from "./types";
+
+const PROVIDER_ID: OAuthProvider = "lm-studio";
+export const DEFAULT_LOCAL_TOKEN = "lm-studio-local";
+
+/**
+ * Login to LM Studio.
+ *
+ * Opens LM Studio API docs, prompts for an optional token,
+ * and returns a stored key value.
+ */
+export async function loginLmStudio(options: OAuthController): Promise<string> {
+	if (!options.onPrompt) {
+		throw new Error(`${PROVIDER_ID} login requires onPrompt callback`);
+	}
+
+	const apiKey = await options.onPrompt({
+		message: "Optional: Paste LM Studio API key (to customize endpoint URL, set LM_STUDIO_BASE_URL env var)",
+		placeholder: DEFAULT_LOCAL_TOKEN,
+		allowEmpty: true,
+	});
+
+	if (options.signal?.aborted) {
+		throw new Error("Login cancelled");
+	}
+
+	const trimmed = apiKey.trim();
+	return trimmed || DEFAULT_LOCAL_TOKEN;
+}

package/src/utils/oauth/minimax-code.ts

@@ -0,0 +1,78 @@
+/**
+ * MiniMax Coding Plan login flow.
+ *
+ * MiniMax Coding Plan is a subscription service that provides access to
+ * MiniMax models (M2, M2.1) through an OpenAI-compatible API.
+ *
+ * This is not OAuth - it's a simple API key flow:
+ * 1. Open browser to https://platform.minimax.io/subscribe/coding-plan
+ * 2. User subscribes and copies their API key
+ * 3. User pastes the API key back into the CLI
+ *
+ * International: https://api.minimax.io/v1
+ * China: https://api.minimaxi.com/v1
+ */
+
+import { validateOpenAICompatibleApiKey } from "./api-key-validation";
+import type { OAuthController } from "./types";
+
+const AUTH_URL = "https://platform.minimax.io/subscribe/coding-plan";
+const API_BASE_URL_INTL = "https://api.minimax.io/v1";
+const API_BASE_URL_CN = "https://api.minimaxi.com/v1";
+const VALIDATION_MODEL = "MiniMax-M2";
+
+/**
+ * Login to MiniMax Coding Plan (international).
+ *
+ * Opens browser to subscription page, prompts user to paste their API key.
+ * Returns the API key directly (not OAuthCredentials - this isn't OAuth).
+ */
+export async function loginMiniMaxCode(options: OAuthController): Promise<string> {
+	return loginMiniMaxCodeWithBaseUrl(options, API_BASE_URL_INTL, "MiniMax Coding Plan");
+}
+
+async function loginMiniMaxCodeWithBaseUrl(
+	options: OAuthController,
+	baseUrl: string,
+	providerName: string,
+): Promise<string> {
+	if (!options.onPrompt) {
+		throw new Error("MiniMax Coding Plan login requires onPrompt callback");
+	}
+	// Open browser to subscription page
+	options.onAuth?.({
+		url: AUTH_URL,
+		instructions: "Subscribe to Coding Plan and copy your API key",
+	});
+	// Prompt user to paste their API key
+	const apiKey = await options.onPrompt({
+		message: "Paste your MiniMax Coding Plan API key",
+		placeholder: "sk-...",
+	});
+	if (options.signal?.aborted) {
+		throw new Error("Login cancelled");
+	}
+	const trimmed = apiKey.trim();
+	if (!trimmed) {
+		throw new Error("API key is required");
+	}
+
+	options.onProgress?.("Validating API key...");
+	await validateOpenAICompatibleApiKey({
+		provider: providerName,
+		apiKey: trimmed,
+		baseUrl,
+		model: VALIDATION_MODEL,
+		signal: options.signal,
+	});
+	return trimmed;
+}
+
+/**
+ * Login to MiniMax Coding Plan (China).
+ *
+ * Same flow as international but uses China endpoint.
+ */
+export async function loginMiniMaxCodeCn(options: OAuthController): Promise<string> {
+	return loginMiniMaxCodeWithBaseUrl(options, API_BASE_URL_CN, "MiniMax Coding Plan (China)");
+}

package/src/utils/oauth/moonshot.ts

@@ -0,0 +1,16 @@
+/** Moonshot login flow (API key paste against https://api.moonshot.ai/v1). */
+import { createApiKeyLogin } from "./api-key-login";
+
+export const loginMoonshot = createApiKeyLogin({
+	providerLabel: "Moonshot",
+	authUrl: "https://platform.moonshot.ai/console/api-keys",
+	instructions: "Copy your API key from the Moonshot dashboard",
+	promptMessage: "Paste your Moonshot API key",
+	placeholder: "sk-...",
+	validation: {
+		kind: "chat-completions",
+		provider: "moonshot",
+		baseUrl: "https://api.moonshot.ai/v1",
+		model: "kimi-k2.5",
+	},
+});

package/src/utils/oauth/nanogpt.ts

@@ -0,0 +1,15 @@
+/** NanoGPT login flow (API key paste, validated via /models). */
+import { createApiKeyLogin } from "./api-key-login";
+
+export const loginNanoGPT = createApiKeyLogin({
+	providerLabel: "NanoGPT",
+	authUrl: "https://nano-gpt.com/api",
+	instructions: "Create or copy your NanoGPT API key",
+	promptMessage: "Paste your NanoGPT API key",
+	placeholder: "sk-...",
+	validation: {
+		kind: "models-endpoint",
+		provider: "NanoGPT",
+		modelsUrl: "https://nano-gpt.com/api/v1/models",
+	},
+});

package/src/utils/oauth/nvidia.ts

@@ -0,0 +1,70 @@
+/**
+ * NVIDIA login flow.
+ *
+ * NVIDIA provides OpenAI-compatible models via https://integrate.api.nvidia.com/v1.
+ *
+ * This is not OAuth - it's a simple API key flow:
+ * 1. Open browser to NVIDIA NGC catalog
+ * 2. User copies their API key
+ * 3. User pastes the API key into the CLI
+ */
+
+import { validateOpenAICompatibleApiKey } from "./api-key-validation";
+import type { OAuthController } from "./types";
+
+const AUTH_URL = "https://org.ngc.nvidia.com/setup/personal-keys";
+const API_BASE_URL = "https://integrate.api.nvidia.com/v1";
+const VALIDATION_MODEL = "nvidia/llama-3.1-nemotron-70b-instruct";
+const PROVIDER_ID = "nvidia";
+
+/**
+ * Login to NVIDIA.
+ *
+ * Opens browser to NVIDIA dashboard, prompts user to paste their API key.
+ * Returns the API key directly (not OAuthCredentials - this isn't OAuth).
+ */
+export async function loginNvidia(options: OAuthController): Promise<string> {
+	if (!options.onPrompt) {
+		throw new Error("NVIDIA login requires onPrompt callback");
+	}
+
+	options.onAuth?.({
+		url: AUTH_URL,
+		instructions: "Copy your API key from NVIDIA NGC Personal Keys",
+	});
+
+	const apiKey = await options.onPrompt({
+		message: "Paste your NVIDIA API key",
+		placeholder: "nvapi-...",
+	});
+
+	if (options.signal?.aborted) {
+		throw new Error("Login cancelled");
+	}
+
+	const trimmed = apiKey.trim();
+	if (!trimmed) {
+		throw new Error("API key is required");
+	}
+
+	options.onProgress?.("Validating API key (optional)...");
+	try {
+		await validateOpenAICompatibleApiKey({
+			provider: PROVIDER_ID,
+			apiKey: trimmed,
+			baseUrl: API_BASE_URL,
+			model: VALIDATION_MODEL,
+			signal: options.signal,
+		});
+	} catch (error) {
+		const message = error instanceof Error ? error.message : String(error);
+		const statusMatch = message.match(/\((\d{3})\)/);
+		const statusCode = statusMatch?.[1];
+		if (statusCode === "401" || statusCode === "403") {
+			throw error;
+		}
+		options.onProgress?.("Skipping NVIDIA validation endpoint; continuing with provided API key.");
+	}
+
+	return trimmed;
+}