@gajae-code/ai 0.1.1

package/src/utils/oauth/oauth.html

@@ -0,0 +1,199 @@
+<!doctype html>
+<html lang="en">
+	<head>
+		<meta charset="UTF-8" />
+		<meta name="viewport" content="width=device-width, initial-scale=1.0" />
+		<title>Authentication</title>
+		<style>
+			:root {
+				--bg: #09090b;
+				--card-bg: #18181b;
+				--text-main: #fafafa;
+				--text-muted: #a1a1aa;
+				--success: #22c55e;
+				--error: #ef4444;
+				--border: #27272a;
+			}
+			body {
+				font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif;
+				background-color: var(--bg);
+				color: var(--text-main);
+				display: flex;
+				align-items: center;
+				justify-content: center;
+				height: 100vh;
+				margin: 0;
+				overflow: hidden;
+			}
+			.container {
+				background: var(--card-bg);
+				border: 1px solid var(--border);
+				border-radius: 12px;
+				padding: 2.5rem;
+				width: 100%;
+				max-width: 400px;
+				text-align: center;
+				box-shadow:
+					0 20px 25px -5px rgba(0, 0, 0, 0.1),
+					0 10px 10px -5px rgba(0, 0, 0, 0.04);
+				opacity: 0;
+				transform: translateY(10px);
+				animation: fadeIn 0.4s ease-out forwards;
+			}
+			@keyframes fadeIn {
+				to {
+					opacity: 1;
+					transform: translateY(0);
+				}
+			}
+			.icon-circle {
+				position: relative;
+				width: 64px;
+				height: 64px;
+				border-radius: 50%;
+				display: flex;
+				align-items: center;
+				justify-content: center;
+				margin: 0 auto 1.5rem;
+				background: rgba(255, 255, 255, 0.05);
+			}
+			.icon {
+				width: 32px;
+				height: 32px;
+				z-index: 2;
+			}
+			.timer-svg {
+				position: absolute;
+				top: -2px;
+				left: -2px;
+				width: 68px;
+				height: 68px;
+				transform: rotate(-90deg);
+				z-index: 1;
+				pointer-events: none;
+			}
+			.timer-circle {
+				fill: none;
+				stroke-width: 2;
+				stroke-linecap: round;
+				stroke-dasharray: 201;
+				stroke-dashoffset: 0;
+			}
+			.countdown .timer-circle {
+				animation: countdown 3s linear forwards;
+			}
+			@keyframes countdown {
+				to {
+					stroke-dashoffset: 201;
+				}
+			}
+			h1 {
+				font-size: 1.5rem;
+				font-weight: 600;
+				margin: 0 0 0.75rem;
+				letter-spacing: -0.025em;
+			}
+			p {
+				color: var(--text-muted);
+				line-height: 1.5;
+				margin: 0 0 1.5rem;
+				font-size: 0.95rem;
+			}
+			.btn {
+				display: inline-block;
+				background: var(--text-main);
+				color: var(--bg);
+				font-weight: 500;
+				padding: 0.6rem 1.2rem;
+				border-radius: 6px;
+				text-decoration: none;
+				font-size: 0.9rem;
+				transition: opacity 0.2s;
+				cursor: pointer;
+				border: none;
+			}
+			.btn:hover {
+				opacity: 0.9;
+			}
+
+			/* State: success */
+			.success .icon-circle {
+				background: rgba(34, 197, 94, 0.1);
+			}
+			.success .icon {
+				color: var(--success);
+			}
+			.success .timer-circle {
+				stroke: var(--success);
+			}
+			.success .icon-error {
+				display: none;
+			}
+
+			/* State: error */
+			.error .icon-circle {
+				background: rgba(239, 68, 68, 0.1);
+			}
+			.error .icon {
+				color: var(--error);
+			}
+			.error .timer-circle {
+				stroke: var(--error);
+			}
+			.error .icon-success,
+			.error .timer-svg {
+				display: none;
+			}
+		</style>
+	</head>
+	<body>
+		<div id="app" class="container">
+			<div class="icon-circle">
+				<svg class="timer-svg" viewBox="0 0 68 68">
+					<circle class="timer-circle" cx="34" cy="34" r="32"></circle>
+				</svg>
+				<svg class="icon icon-success" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2">
+					<path stroke-linecap="round" stroke-linejoin="round" d="M5 13l4 4L19 7" />
+				</svg>
+				<svg class="icon icon-error" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2">
+					<path stroke-linecap="round" stroke-linejoin="round" d="M6 18L18 6M6 6l12 12" />
+				</svg>
+			</div>
+			<h1 id="title">Authentication</h1>
+			<p id="message"></p>
+			<button onclick="window.close()" class="btn">Close Window</button>
+		</div>
+
+		<script id="server-state" type="application/json">
+			__OAUTH_STATE__
+		</script>
+
+		<script>
+			let serverState;
+			try {
+				serverState = JSON.parse(document.getElementById("server-state").textContent);
+			} catch {
+				const params = new URLSearchParams(window.location.search);
+				serverState = {
+					ok: params.get("ok") === "1",
+					error: params.get("error") || "Authentication failed",
+				};
+			}
+
+			const app = document.getElementById("app");
+			const title = document.getElementById("title");
+			const message = document.getElementById("message");
+
+			if (serverState.ok) {
+				app.classList.add("success", "countdown");
+				title.textContent = "Authentication Successful";
+				message.innerHTML = "You have successfully logged in.<br>This window will close automatically.";
+				setTimeout(() => window.close(), 3000);
+			} else {
+				app.classList.add("error");
+				title.textContent = "Authentication Failed";
+				message.textContent = serverState.error || "An error occurred";
+			}
+		</script>
+	</body>
+</html>

package/src/utils/oauth/ollama-cloud.ts

@@ -0,0 +1,28 @@
+import type { OAuthController } from "./types";
+
+const OLLAMA_CLOUD_KEYS_URL = "https://ollama.com/settings/keys";
+
+export async function loginOllamaCloud(options: OAuthController): Promise<string> {
+	if (options.signal?.aborted) {
+		throw new Error("Login cancelled");
+	}
+	if (!options.onPrompt) {
+		throw new Error("Interactive prompt is required for Ollama Cloud login");
+	}
+	options.onAuth?.({
+		url: OLLAMA_CLOUD_KEYS_URL,
+		instructions: "Create an Ollama Cloud API key, then paste it here.",
+	});
+	const apiKey = await options.onPrompt({
+		message: "Paste your Ollama Cloud API key",
+		placeholder: "ollama-cloud-api-key",
+	});
+	if (options.signal?.aborted) {
+		throw new Error("Login cancelled");
+	}
+	const trimmed = apiKey.trim();
+	if (!trimmed) {
+		throw new Error("Ollama Cloud API key is required");
+	}
+	return trimmed;
+}

package/src/utils/oauth/ollama.ts

@@ -0,0 +1,47 @@
+/**
+ * Ollama login flow.
+ *
+ * Ollama is typically used locally without authentication, but some hosted
+ * deployments require a bearer token/API key.
+ *
+ * This flow is API-key based (not OAuth):
+ * 1. Optionally open Ollama docs
+ * 2. Prompt user for API key/token (optional)
+ * 3. Persist key only when provided
+ */
+
+import type { OAuthController } from "./types";
+
+const OLLAMA_DOCS_URL = "https://github.com/ollama/ollama/blob/main/docs/api.md";
+
+/**
+ * Login to Ollama.
+ *
+ * Returns a trimmed API key/token string. Empty string means local no-auth mode.
+ */
+export async function loginOllama(options: OAuthController): Promise<string> {
+	if (options.signal?.aborted) {
+		throw new Error("Login cancelled");
+	}
+	if (!options.onPrompt) {
+		return "";
+	}
+
+	options.onAuth?.({
+		url: OLLAMA_DOCS_URL,
+		instructions:
+			"Optional: paste an Ollama API key/token for authenticated hosts. Leave empty for local no-auth mode.",
+	});
+
+	const apiKey = await options.onPrompt({
+		message: "Paste your Ollama API key/token (optional)",
+		placeholder: "ollama-local",
+		allowEmpty: true,
+	});
+
+	if (options.signal?.aborted) {
+		throw new Error("Login cancelled");
+	}
+
+	return apiKey.trim();
+}

package/src/utils/oauth/openai-codex.ts

@@ -0,0 +1,299 @@
+/**
+ * OpenAI code provider (ChatGPT OAuth) flow — browser and device-code flows.
+ */
+import { OAuthCallbackFlow, type OAuthCallbackFlowOptions } from "./callback-server";
+import { generatePKCE } from "./pkce";
+import type { OAuthController, OAuthCredentials } from "./types";
+
+const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+const AUTHORIZE_URL = "https://auth.openai.com/oauth/authorize";
+const TOKEN_URL = "https://auth.openai.com/oauth/token";
+const CALLBACK_PORT = 1455;
+const CALLBACK_PATH = "/auth/callback";
+const SCOPE = "openid profile email offline_access";
+const JWT_CLAIM_PATH = "https://api.openai.com/auth";
+const JWT_PROFILE_CLAIM = "https://api.openai.com/profile";
+const TOKEN_REQUEST_TIMEOUT_MS = 15_000;
+const DEVICE_USERCODE_URL = "https://auth.openai.com/api/accounts/deviceauth/usercode";
+const DEVICE_TOKEN_URL = "https://auth.openai.com/api/accounts/deviceauth/token";
+const DEVICE_REDIRECT_URI = "https://auth.openai.com/deviceauth/callback";
+const DEVICE_AUTH_URL = "https://auth.openai.com/codex/device";
+const DEVICE_POLL_INTERVAL_MS = 5_000;
+const DEVICE_POLL_SAFETY_MARGIN_MS = 3_000;
+/** Upper bound on device-code polling to avoid infinite loops on server errors. */
+const DEVICE_MAX_POLLS = 120;
+
+type JwtPayload = {
+	[JWT_CLAIM_PATH]?: {
+		chatgpt_account_id?: string;
+	};
+	[JWT_PROFILE_CLAIM]?: {
+		email?: string;
+	};
+	[key: string]: unknown;
+};
+
+export function decodeJwt<T = Record<string, unknown>>(token: string): T | null {
+	try {
+		const parts = token.split(".");
+		if (parts.length !== 3) return null;
+		const payload = parts[1] ?? "";
+		const decoded = Buffer.from(payload, "base64").toString("utf-8");
+		return JSON.parse(decoded) as T;
+	} catch {
+		return null;
+	}
+}
+
+function getTokenProfile(accessToken: string): { accountId?: string; email?: string } {
+	const payload = decodeJwt<JwtPayload>(accessToken);
+	const auth = payload?.[JWT_CLAIM_PATH];
+	const accountId = auth?.chatgpt_account_id;
+	const email = payload?.[JWT_PROFILE_CLAIM]?.email?.trim().toLowerCase();
+	return {
+		accountId: typeof accountId === "string" && accountId.length > 0 ? accountId : undefined,
+		email: typeof email === "string" && email.length > 0 ? email : undefined,
+	};
+}
+
+interface PKCE {
+	verifier: string;
+	challenge: string;
+}
+
+class OpenAICodexOAuthFlow extends OAuthCallbackFlow {
+	constructor(
+		ctrl: OAuthController,
+		private readonly pkce: PKCE,
+		private readonly originator: string,
+	) {
+		super(ctrl, {
+			preferredPort: CALLBACK_PORT,
+			callbackPath: CALLBACK_PATH,
+			// Enforce the fixed port: OpenAI only allows http://localhost:1455/auth/callback.
+			// Without this, a busy port 1455 falls back to a random port, and the token
+			// exchange would fail with 403 because the redirect_uri no longer matches the
+			// registered allowlist entry.
+			redirectUri: `http://localhost:${CALLBACK_PORT}${CALLBACK_PATH}`,
+		} satisfies OAuthCallbackFlowOptions);
+	}
+
+	async generateAuthUrl(state: string, redirectUri: string): Promise<{ url: string; instructions?: string }> {
+		const searchParams = new URLSearchParams({
+			response_type: "code",
+			client_id: CLIENT_ID,
+			redirect_uri: redirectUri,
+			scope: SCOPE,
+			code_challenge: this.pkce.challenge,
+			code_challenge_method: "S256",
+			state,
+			id_token_add_organizations: "true",
+			codex_cli_simplified_flow: "true",
+			originator: this.originator,
+		});
+
+		const url = `${AUTHORIZE_URL}?${searchParams.toString()}`;
+		return { url, instructions: "A browser window should open. Complete login to finish." };
+	}
+
+	async exchangeToken(code: string, _state: string, redirectUri: string): Promise<OAuthCredentials> {
+		return exchangeCodeForToken(code, this.pkce.verifier, redirectUri);
+	}
+}
+
+async function exchangeCodeForToken(code: string, verifier: string, redirectUri: string): Promise<OAuthCredentials> {
+	const tokenResponse = await fetch(TOKEN_URL, {
+		method: "POST",
+		headers: { "Content-Type": "application/x-www-form-urlencoded" },
+		body: new URLSearchParams({
+			grant_type: "authorization_code",
+			client_id: CLIENT_ID,
+			code,
+			code_verifier: verifier,
+			redirect_uri: redirectUri,
+		}),
+		signal: AbortSignal.timeout(TOKEN_REQUEST_TIMEOUT_MS),
+	});
+
+	if (!tokenResponse.ok) {
+		let detail = `${tokenResponse.status}`;
+		try {
+			const body = (await tokenResponse.json()) as { error?: string; error_description?: string };
+			if (body.error)
+				detail = `${tokenResponse.status} ${body.error}${body.error_description ? `: ${body.error_description}` : ""}`;
+		} catch {}
+		throw new Error(`Token exchange failed: ${detail}`);
+	}
+
+	const tokenData = (await tokenResponse.json()) as {
+		access_token?: string;
+		refresh_token?: string;
+		expires_in?: number;
+	};
+
+	if (!tokenData.access_token || !tokenData.refresh_token || typeof tokenData.expires_in !== "number") {
+		throw new Error("Token response missing required fields");
+	}
+
+	const { accountId, email } = getTokenProfile(tokenData.access_token);
+	if (!accountId) {
+		throw new Error("Failed to extract accountId from token");
+	}
+
+	return {
+		access: tokenData.access_token,
+		refresh: tokenData.refresh_token,
+		expires: Date.now() + tokenData.expires_in * 1000,
+		accountId,
+		email,
+	};
+}
+
+/**
+ * Login with OpenAI code provider OAuth
+ */
+export type OpenAICodexLoginOptions = OAuthController & {
+	/** Optional originator value for OpenAI code provider OAuth. Default: "opencode". */
+	originator?: string;
+};
+
+export async function loginOpenAICodex(options: OpenAICodexLoginOptions): Promise<OAuthCredentials> {
+	const pkce = await generatePKCE();
+	const originator = options.originator?.trim() || "opencode";
+	const flow = new OpenAICodexOAuthFlow(options, pkce, originator);
+
+	return flow.login();
+}
+
+/**
+ * Login with OpenAI code provider using the device-code (headless) flow.
+ *
+ * Avoids a local callback server entirely — useful when port 1455 is unavailable
+ * or when the browser callback flow fails with 403 (e.g. network/proxy issues).
+ */
+export async function loginOpenAICodexDevice(ctrl: OAuthController): Promise<OAuthCredentials> {
+	ctrl.onProgress?.("Initiating device authorization…");
+
+	const initResponse = await fetch(DEVICE_USERCODE_URL, {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify({ client_id: CLIENT_ID }),
+		signal: AbortSignal.timeout(TOKEN_REQUEST_TIMEOUT_MS),
+	});
+
+	if (!initResponse.ok) {
+		throw new Error(`Device authorization initiation failed: ${initResponse.status}`);
+	}
+
+	const initData = (await initResponse.json()) as {
+		device_auth_id?: string;
+		user_code?: string;
+		interval?: string | number;
+	};
+
+	if (!initData.device_auth_id || !initData.user_code) {
+		throw new Error("Device authorization response missing required fields");
+	}
+
+	const userCode = initData.user_code;
+	const pollIntervalMs =
+		(typeof initData.interval === "number"
+			? initData.interval
+			: parseInt(String(initData.interval ?? "5"), 10) || 5) *
+			1000 +
+		DEVICE_POLL_SAFETY_MARGIN_MS;
+
+	ctrl.onAuth?.({
+		url: DEVICE_AUTH_URL,
+		instructions: `Enter code: ${userCode}`,
+	});
+
+	ctrl.onProgress?.(`Waiting for browser authorization (code: ${userCode})…`);
+
+	for (let poll = 0; poll < DEVICE_MAX_POLLS; poll++) {
+		await Bun.sleep(poll === 0 ? Math.min(pollIntervalMs, DEVICE_POLL_INTERVAL_MS) : pollIntervalMs);
+
+		if (ctrl.signal?.aborted) {
+			throw new Error("Device authorization cancelled");
+		}
+
+		const pollResponse = await fetch(DEVICE_TOKEN_URL, {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({
+				device_auth_id: initData.device_auth_id,
+				user_code: userCode,
+			}),
+			signal: AbortSignal.timeout(TOKEN_REQUEST_TIMEOUT_MS),
+		});
+
+		// 403/404 = authorization pending, keep polling
+		if (pollResponse.status === 403 || pollResponse.status === 404) {
+			continue;
+		}
+
+		if (!pollResponse.ok) {
+			throw new Error(`Device token polling failed: ${pollResponse.status}`);
+		}
+
+		const pollData = (await pollResponse.json()) as {
+			authorization_code?: string;
+			code_verifier?: string;
+		};
+
+		if (!pollData.authorization_code || !pollData.code_verifier) {
+			throw new Error("Device token response missing authorization_code or code_verifier");
+		}
+
+		ctrl.onProgress?.("Exchanging authorization code for tokens…");
+		return exchangeCodeForToken(pollData.authorization_code, pollData.code_verifier, DEVICE_REDIRECT_URI);
+	}
+
+	throw new Error("Device authorization timed out — user did not complete login in time");
+}
+
+/**
+ * Refresh OpenAI code provider OAuth token
+ */
+export async function refreshOpenAICodexToken(refreshToken: string): Promise<OAuthCredentials> {
+	const response = await fetch(TOKEN_URL, {
+		method: "POST",
+		headers: { "Content-Type": "application/x-www-form-urlencoded" },
+		body: new URLSearchParams({
+			grant_type: "refresh_token",
+			refresh_token: refreshToken,
+			client_id: CLIENT_ID,
+		}),
+		signal: AbortSignal.timeout(TOKEN_REQUEST_TIMEOUT_MS),
+	});
+
+	if (!response.ok) {
+		let detail = `${response.status}`;
+		try {
+			const body = (await response.json()) as { error?: string; error_description?: string };
+			if (body.error)
+				detail = `${response.status} ${body.error}${body.error_description ? `: ${body.error_description}` : ""}`;
+		} catch {}
+		throw new Error(`OpenAI Codex token refresh failed: ${detail}`);
+	}
+
+	const tokenData = (await response.json()) as {
+		access_token?: string;
+		refresh_token?: string;
+		expires_in?: number;
+	};
+
+	if (!tokenData.access_token || !tokenData.refresh_token || typeof tokenData.expires_in !== "number") {
+		throw new Error("Token response missing required fields");
+	}
+
+	const { accountId, email } = getTokenProfile(tokenData.access_token);
+
+	return {
+		access: tokenData.access_token,
+		refresh: tokenData.refresh_token || refreshToken,
+		expires: Date.now() + tokenData.expires_in * 1000,
+		accountId: accountId ?? undefined,
+		email,
+	};
+}

package/src/utils/oauth/opencode.ts

@@ -0,0 +1,49 @@
+/**
+ * OpenCode Zen login flow.
+ *
+ * OpenCode Zen is a subscription service that provides access to various AI models
+ * (GPT-5.x, Anthropic model 4.x, Gemini 3, etc.) through a unified API at opencode.ai/zen.
+ * This is not OAuth - it's a simple API key flow:
+ * 1. Open browser to https://opencode.ai/auth
+ * 2. User logs in and copies their API key
+ * 3. User pastes the API key back into the CLI
+ */
+
+import type { OAuthController } from "./types";
+
+const AUTH_URL = "https://opencode.ai/auth";
+
+/**
+ * Login to OpenCode Zen.
+ *
+ * Opens browser to auth page, prompts user to paste their API key.
+ * Returns the API key directly (not OAuthCredentials - this isn't OAuth).
+ */
+export async function loginOpenCode(options: OAuthController): Promise<string> {
+	if (!options.onPrompt) {
+		throw new Error("OpenCode Zen login requires onPrompt callback");
+	}
+
+	// Open browser to auth page
+	options.onAuth?.({
+		url: AUTH_URL,
+		instructions: "Log in and copy your API key",
+	});
+
+	// Prompt user to paste their API key
+	const apiKey = await options.onPrompt({
+		message: "Paste your OpenCode Zen API key",
+		placeholder: "sk-...",
+	});
+
+	if (options.signal?.aborted) {
+		throw new Error("Login cancelled");
+	}
+
+	const trimmed = apiKey.trim();
+	if (!trimmed) {
+		throw new Error("API key is required");
+	}
+
+	return trimmed;
+}

package/src/utils/oauth/parallel.ts

@@ -0,0 +1,46 @@
+/**
+ * Parallel login flow.
+ *
+ * Parallel uses an API key from the account settings page.
+ * This is an API key flow:
+ * 1. Open browser to Parallel API key settings
+ * 2. User copies API key
+ * 3. User pastes key into the CLI/TUI
+ */
+
+import type { OAuthController } from "./types";
+
+const AUTH_URL = "https://platform.parallel.ai/settings?tab=api-keys";
+
+/**
+ * Login to Parallel.
+ *
+ * Opens browser to the API keys page, prompts the user to paste their API key,
+ * and returns the API key directly.
+ */
+export async function loginParallel(options: OAuthController): Promise<string> {
+	if (!options.onPrompt) {
+		throw new Error("Parallel login requires onPrompt callback");
+	}
+
+	options.onAuth?.({
+		url: AUTH_URL,
+		instructions: "Copy your Parallel API key from the Parallel settings page.",
+	});
+
+	const apiKey = await options.onPrompt({
+		message: "Paste your Parallel API key",
+		placeholder: "sk_...",
+	});
+
+	if (options.signal?.aborted) {
+		throw new Error("Login cancelled");
+	}
+
+	const trimmed = apiKey.trim();
+	if (!trimmed) {
+		throw new Error("API key is required");
+	}
+
+	return trimmed;
+}