@javargasm/opencode-kiro-auth 0.1.0 → 0.2.0

package/dist/index.js

@@ -1,12 +1,16 @@
 import { createRequire } from "node:module";
 var __defProp = Object.defineProperty;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, {
       get: all[name],
       enumerable: true,
       configurable: true,
-      set: (newValue) => all[name] = () => newValue
+      set: __exportSetter.bind(all, name)
     });
 };
 var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
@@ -113,13 +117,430 @@ var init_debug = __esm(() => {
   };
 });
 
+// src/models.ts
+var exports_models = {};
+__export(exports_models, {
+  setCachedDynamicModels: () => setCachedDynamicModels,
+  seedProfileArn: () => seedProfileArn,
+  resolveProfileArn: () => resolveProfileArn,
+  resolveKiroModel: () => resolveKiroModel,
+  resolveApiRegion: () => resolveApiRegion,
+  resetProfileArnCache: () => resetProfileArnCache,
+  kiroModels: () => kiroModels,
+  getCachedDynamicModels: () => getCachedDynamicModels,
+  fetchAvailableModels: () => fetchAvailableModels,
+  dotToDash: () => dotToDash,
+  buildModelsFromApi: () => buildModelsFromApi,
+  KIRO_MODEL_IDS: () => KIRO_MODEL_IDS
+});
+function dotToDash(modelId) {
+  return modelId.replace(/(\d)\.(\d)/g, "$1-$2");
+}
+function resolveKiroModel(modelId) {
+  const kiroId = modelId.replace(/(\d)-(\d)/g, "$1.$2");
+  if (!KIRO_MODEL_IDS.has(kiroId)) {
+    throw new Error(`Unknown Kiro model ID: ${modelId}`);
+  }
+  return kiroId;
+}
+function resolveApiRegion(ssoRegion) {
+  if (!ssoRegion)
+    return "us-east-1";
+  return API_REGION_MAP[ssoRegion] ?? ssoRegion;
+}
+function resetProfileArnCache(skipResolution = false) {
+  cachedProfileArn = null;
+  profileArnSkipResolution = skipResolution;
+}
+function seedProfileArn(arn) {
+  cachedProfileArn = arn;
+}
+async function resolveProfileArn(accessToken, apiRegion) {
+  if (profileArnSkipResolution)
+    return null;
+  if (cachedProfileArn !== null)
+    return cachedProfileArn;
+  const endpoint = `https://management.${apiRegion}.kiro.dev/`;
+  const resp = await fetch(endpoint, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+      "Content-Type": "application/x-amz-json-1.0",
+      "X-Amz-Target": "AmazonCodeWhispererService.ListAvailableProfiles",
+      "user-agent": "aws-sdk-rust/1.3.15 ua/2.1 api/codewhispererruntime/0.1.16551 os/macos lang/rust/1.92.0 md/appVersion-2.7.1 app/AmazonQ-For-CLI"
+    },
+    body: "{}"
+  });
+  if (!resp || !resp.ok)
+    return null;
+  const data = await resp.json();
+  const profiles = data.profiles ?? [];
+  const kiroProfile = profiles.find((p) => p.profileType === "KIRO" && p.status === "ACTIVE");
+  const arn = kiroProfile?.arn ?? profiles[0]?.arn ?? null;
+  if (arn) {
+    cachedProfileArn = arn;
+  }
+  return arn;
+}
+async function fetchAvailableModels(accessToken, apiRegion, profileArn) {
+  const url = `https://management.${apiRegion}.kiro.dev/?origin=KIRO_CLI&profileArn=${encodeURIComponent(profileArn)}`;
+  const resp = await fetch(url, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+      "Content-Type": "application/x-amz-json-1.0",
+      "X-Amz-Target": "AmazonCodeWhispererService.ListAvailableModels",
+      "user-agent": "aws-sdk-rust/1.3.15 ua/2.1 api/codewhispererruntime/0.1.16551 os/macos lang/rust/1.92.0 md/appVersion-2.7.1 app/AmazonQ-For-CLI"
+    },
+    body: "{}"
+  });
+  if (!resp.ok) {
+    throw new Error(`ListAvailableModels failed: HTTP ${resp.status}`);
+  }
+  const data = await resp.json();
+  return (data.models ?? []).filter((m) => m.modelId !== "auto");
+}
+function isReasoningModel(dotId) {
+  for (const family of REASONING_FAMILIES) {
+    if (dotId.startsWith(family))
+      return true;
+  }
+  return false;
+}
+function firstTokenTimeout(dotId) {
+  if (dotId.startsWith("claude-fable") || dotId.startsWith("claude-opus"))
+    return 180000;
+  return 90000;
+}
+function buildModelsFromApi(apiModels) {
+  return apiModels.map((m) => {
+    KIRO_MODEL_IDS.add(m.modelId);
+    const dashId = dotToDash(m.modelId);
+    const supportedTypes = m.supportedInputTypes ?? ["TEXT"];
+    const input = supportedTypes.includes("IMAGE") ? ["text", "image"] : ["text"];
+    const effortEnum = m.additionalModelRequestFieldsSchema?.properties?.output_config?.properties?.effort?.enum;
+    const supportedEfforts = Array.isArray(effortEnum) && effortEnum.length > 0 ? effortEnum : undefined;
+    const supportsThinkingConfig = !!m.additionalModelRequestFieldsSchema?.properties?.thinking;
+    return {
+      ...KIRO_DEFAULTS,
+      id: dashId,
+      name: m.modelName,
+      reasoning: isReasoningModel(m.modelId),
+      input,
+      contextWindow: m.tokenLimits?.maxInputTokens ?? 200000,
+      maxTokens: m.tokenLimits?.maxOutputTokens ?? 8192,
+      firstTokenTimeout: firstTokenTimeout(m.modelId),
+      ...supportedEfforts ? { supportedEfforts } : {},
+      ...supportsThinkingConfig ? { supportsThinkingConfig } : {}
+    };
+  });
+}
+function getCachedDynamicModels() {
+  return cachedDynamicModels;
+}
+function setCachedDynamicModels(models) {
+  cachedDynamicModels = models;
+}
+var KIRO_MODEL_IDS, API_REGION_MAP, BASE_URL = "https://runtime.us-east-1.kiro.dev", ZERO_COST, KIRO_DEFAULTS, MULTIMODAL, TEXT_ONLY, kiroModels, cachedProfileArn = null, profileArnSkipResolution = false, REASONING_FAMILIES, cachedDynamicModels = null;
+var init_models = __esm(() => {
+  KIRO_MODEL_IDS = new Set([
+    "claude-fable-5",
+    "claude-opus-4.8",
+    "claude-opus-4.7",
+    "claude-opus-4.6",
+    "claude-opus-4.6-1m",
+    "claude-sonnet-4.6",
+    "claude-sonnet-4.6-1m",
+    "claude-opus-4.5",
+    "claude-sonnet-4.5",
+    "claude-sonnet-4.5-1m",
+    "claude-sonnet-4",
+    "claude-haiku-4.5",
+    "deepseek-3.2",
+    "kimi-k2.5",
+    "minimax-m2.1",
+    "minimax-m2.5",
+    "glm-4.7",
+    "glm-4.7-flash",
+    "qwen3-coder-next",
+    "agi-nova-beta-1m",
+    "qwen3-coder-480b",
+    "auto"
+  ]);
+  API_REGION_MAP = {
+    "us-west-1": "us-east-1",
+    "us-west-2": "us-east-1",
+    "us-east-2": "us-east-1",
+    "eu-west-1": "eu-central-1",
+    "eu-west-2": "eu-central-1",
+    "eu-west-3": "eu-central-1",
+    "eu-north-1": "eu-central-1",
+    "eu-south-1": "eu-central-1",
+    "eu-south-2": "eu-central-1",
+    "eu-central-2": "eu-central-1",
+    "ap-northeast-1": "us-east-1",
+    "ap-northeast-2": "us-east-1",
+    "ap-northeast-3": "us-east-1",
+    "ap-southeast-1": "us-east-1",
+    "ap-southeast-2": "us-east-1",
+    "ap-south-1": "us-east-1",
+    "ap-east-1": "us-east-1",
+    "ap-south-2": "us-east-1",
+    "ap-southeast-3": "us-east-1",
+    "ap-southeast-4": "us-east-1"
+  };
+  ZERO_COST = Object.freeze({ input: 0, output: 0, cacheRead: 0, cacheWrite: 0 });
+  KIRO_DEFAULTS = {
+    api: "kiro-api",
+    provider: "kiro",
+    baseUrl: BASE_URL,
+    cost: ZERO_COST
+  };
+  MULTIMODAL = ["text", "image"];
+  TEXT_ONLY = ["text"];
+  kiroModels = [
+    {
+      ...KIRO_DEFAULTS,
+      id: "claude-fable-5",
+      name: "Claude Fable 5",
+      reasoning: true,
+      input: MULTIMODAL,
+      contextWindow: 1e6,
+      maxTokens: 128000,
+      firstTokenTimeout: 180000,
+      supportedEfforts: ["low", "medium", "high", "xhigh", "max"],
+      supportsThinkingConfig: true
+    },
+    {
+      ...KIRO_DEFAULTS,
+      id: "claude-opus-4-8",
+      name: "Claude Opus 4.8",
+      reasoning: true,
+      input: MULTIMODAL,
+      contextWindow: 1e6,
+      maxTokens: 128000,
+      firstTokenTimeout: 180000,
+      supportedEfforts: ["low", "medium", "high", "xhigh", "max"],
+      supportsThinkingConfig: true
+    },
+    {
+      ...KIRO_DEFAULTS,
+      id: "claude-opus-4-7",
+      name: "Claude Opus 4.7",
+      reasoning: true,
+      input: MULTIMODAL,
+      contextWindow: 1e6,
+      maxTokens: 128000,
+      firstTokenTimeout: 180000,
+      supportedEfforts: ["low", "medium", "high", "xhigh", "max"],
+      supportsThinkingConfig: true
+    },
+    {
+      ...KIRO_DEFAULTS,
+      id: "claude-opus-4-6",
+      name: "Claude Opus 4.6",
+      reasoning: true,
+      input: MULTIMODAL,
+      contextWindow: 1e6,
+      maxTokens: 64000,
+      supportedEfforts: ["low", "medium", "high", "max"],
+      supportsThinkingConfig: true
+    },
+    {
+      ...KIRO_DEFAULTS,
+      id: "claude-opus-4-6-1m",
+      name: "Claude Opus 4.6 (1M)",
+      reasoning: true,
+      input: MULTIMODAL,
+      contextWindow: 1e6,
+      maxTokens: 64000,
+      supportedEfforts: ["low", "medium", "high", "max"],
+      supportsThinkingConfig: true
+    },
+    {
+      ...KIRO_DEFAULTS,
+      id: "claude-sonnet-4-6",
+      name: "Claude Sonnet 4.6",
+      reasoning: true,
+      input: MULTIMODAL,
+      contextWindow: 1e6,
+      maxTokens: 64000,
+      supportedEfforts: ["low", "medium", "high", "max"],
+      supportsThinkingConfig: true
+    },
+    {
+      ...KIRO_DEFAULTS,
+      id: "claude-sonnet-4-6-1m",
+      name: "Claude Sonnet 4.6 (1M)",
+      reasoning: true,
+      input: MULTIMODAL,
+      contextWindow: 1e6,
+      maxTokens: 64000,
+      supportedEfforts: ["low", "medium", "high", "max"],
+      supportsThinkingConfig: true
+    },
+    {
+      ...KIRO_DEFAULTS,
+      id: "claude-opus-4-5",
+      name: "Claude Opus 4.5",
+      reasoning: true,
+      input: MULTIMODAL,
+      contextWindow: 200000,
+      maxTokens: 64000
+    },
+    {
+      ...KIRO_DEFAULTS,
+      id: "claude-sonnet-4-5",
+      name: "Claude Sonnet 4.5",
+      reasoning: true,
+      input: MULTIMODAL,
+      contextWindow: 200000,
+      maxTokens: 65536
+    },
+    {
+      ...KIRO_DEFAULTS,
+      id: "claude-sonnet-4-5-1m",
+      name: "Claude Sonnet 4.5 (1M)",
+      reasoning: true,
+      input: MULTIMODAL,
+      contextWindow: 1e6,
+      maxTokens: 65536
+    },
+    {
+      ...KIRO_DEFAULTS,
+      id: "claude-sonnet-4",
+      name: "Claude Sonnet 4",
+      reasoning: true,
+      input: MULTIMODAL,
+      contextWindow: 200000,
+      maxTokens: 65536
+    },
+    {
+      ...KIRO_DEFAULTS,
+      id: "claude-haiku-4-5",
+      name: "Claude Haiku 4.5",
+      reasoning: false,
+      input: MULTIMODAL,
+      contextWindow: 200000,
+      maxTokens: 65536
+    },
+    {
+      ...KIRO_DEFAULTS,
+      id: "deepseek-3-2",
+      name: "DeepSeek 3.2",
+      reasoning: true,
+      input: TEXT_ONLY,
+      contextWindow: 128000,
+      maxTokens: 8192
+    },
+    {
+      ...KIRO_DEFAULTS,
+      id: "kimi-k2-5",
+      name: "Kimi K2.5",
+      reasoning: true,
+      input: TEXT_ONLY,
+      contextWindow: 200000,
+      maxTokens: 8192
+    },
+    {
+      ...KIRO_DEFAULTS,
+      id: "minimax-m2-5",
+      name: "MiniMax M2.5",
+      reasoning: false,
+      input: TEXT_ONLY,
+      contextWindow: 196000,
+      maxTokens: 64000
+    },
+    {
+      ...KIRO_DEFAULTS,
+      id: "minimax-m2-1",
+      name: "MiniMax M2.1",
+      reasoning: false,
+      input: MULTIMODAL,
+      contextWindow: 196000,
+      maxTokens: 64000
+    },
+    {
+      ...KIRO_DEFAULTS,
+      id: "glm-4-7",
+      name: "GLM 4.7",
+      reasoning: true,
+      input: TEXT_ONLY,
+      contextWindow: 128000,
+      maxTokens: 8192
+    },
+    {
+      ...KIRO_DEFAULTS,
+      id: "glm-4-7-flash",
+      name: "GLM 4.7 Flash",
+      reasoning: false,
+      input: TEXT_ONLY,
+      contextWindow: 128000,
+      maxTokens: 8192
+    },
+    {
+      ...KIRO_DEFAULTS,
+      id: "qwen3-coder-next",
+      name: "Qwen3 Coder Next",
+      reasoning: true,
+      input: MULTIMODAL,
+      contextWindow: 256000,
+      maxTokens: 64000
+    },
+    {
+      ...KIRO_DEFAULTS,
+      id: "qwen3-coder-480b",
+      name: "Qwen3 Coder 480B",
+      reasoning: true,
+      input: TEXT_ONLY,
+      contextWindow: 128000,
+      maxTokens: 8192
+    },
+    {
+      ...KIRO_DEFAULTS,
+      id: "agi-nova-beta-1m",
+      name: "AGI Nova Beta (1M)",
+      reasoning: true,
+      input: MULTIMODAL,
+      contextWindow: 1e6,
+      maxTokens: 65536
+    },
+    {
+      ...KIRO_DEFAULTS,
+      id: "auto",
+      name: "Auto",
+      reasoning: true,
+      input: MULTIMODAL,
+      contextWindow: 200000,
+      maxTokens: 65536
+    }
+  ];
+  REASONING_FAMILIES = new Set([
+    "claude-fable",
+    "claude-sonnet",
+    "claude-opus",
+    "deepseek",
+    "kimi",
+    "glm",
+    "qwen",
+    "agi-nova",
+    "minimax"
+  ]);
+});
+
 // src/kiro-cli-sync.ts
 var exports_kiro_cli_sync = {};
 __export(exports_kiro_cli_sync, {
-  importFromKiroCli: () => importFromKiroCli
+  selectKiroTokenRowForWrite: () => selectKiroTokenRowForWrite,
+  saveKiroCliCredentials: () => saveKiroCliCredentials,
+  sameKiroCliCredential: () => sameKiroCliCredential,
+  importFromKiroSsoCache: () => importFromKiroSsoCache,
+  importFromKiroCli: () => importFromKiroCli,
+  getKiroCliCredentialsAllowExpired: () => getKiroCliCredentialsAllowExpired
 });
 import { homedir } from "node:os";
 import { join } from "node:path";
+import { spawn } from "node:child_process";
 import { existsSync, readFileSync } from "node:fs";
 function getKiroDbPath() {
   const home = homedir();
@@ -151,6 +572,105 @@ function safeJsonParse(value) {
     return null;
   }
 }
+function sqliteQuote(value) {
+  return `'${value.replaceAll("'", "''")}'`;
+}
+function runSqliteCli(dbPath, sql, options) {
+  return new Promise((resolve2) => {
+    const args = [
+      ...options.readonly ? ["-readonly"] : [],
+      "-cmd",
+      `.timeout ${SQLITE_CLI_TIMEOUT_MS}`,
+      ...options.json ? ["-json"] : [],
+      dbPath
+    ];
+    const child = spawn("sqlite3", args, { stdio: "pipe" });
+    let stdout = "";
+    let settled = false;
+    const finish = (result) => {
+      if (settled)
+        return;
+      settled = true;
+      clearTimeout(timeout);
+      resolve2(result);
+    };
+    const timeout = setTimeout(() => {
+      child.kill();
+      log.debug("sqlite3 CLI timed out while reading Kiro DB");
+      finish(null);
+    }, SQLITE_CLI_TIMEOUT_MS);
+    child.stdout?.setEncoding("utf8");
+    child.stdout?.on("data", (chunk) => {
+      stdout += chunk;
+    });
+    child.on("error", () => {
+      log.debug("sqlite3 CLI unavailable for Kiro DB access");
+      finish(null);
+    });
+    child.on("close", (code) => {
+      if (code === 0)
+        finish(stdout);
+      else {
+        log.debug("sqlite3 CLI failed while accessing Kiro DB");
+        finish(null);
+      }
+    });
+    child.stdin?.end(`${sql}
+`);
+  });
+}
+function parseAuthKvRows(value) {
+  if (!Array.isArray(value))
+    return null;
+  const rows = [];
+  for (const item of value) {
+    if (!item || typeof item !== "object")
+      continue;
+    const record = item;
+    if (typeof record.key === "string" && typeof record.value === "string") {
+      rows.push({ key: record.key, value: record.value });
+    }
+  }
+  return rows;
+}
+function extractActiveProfileArnFromStateRows(value) {
+  if (!Array.isArray(value))
+    return;
+  const first = value[0];
+  if (!first || typeof first !== "object")
+    return;
+  const record = first;
+  const parsed = safeJsonParse(record.value);
+  const arn = parsed?.arn || parsed?.profileArn || parsed?.profile_arn;
+  return typeof arn === "string" && arn.trim() ? arn.trim() : undefined;
+}
+function parseSqliteChanges(value) {
+  if (!Array.isArray(value))
+    return 0;
+  const first = value[0];
+  if (!first || typeof first !== "object")
+    return 0;
+  const changes = first.changes;
+  return typeof changes === "number" ? changes : 0;
+}
+async function readKiroAuthKvRowsWithSqliteCli(dbPath) {
+  const rowsRaw = await runSqliteCli(dbPath, "SELECT key, value FROM auth_kv", { readonly: true, json: true });
+  if (!rowsRaw)
+    return null;
+  return parseAuthKvRows(safeJsonParse(rowsRaw));
+}
+async function readKiroDbWithSqliteCli(dbPath) {
+  const rows = await readKiroAuthKvRowsWithSqliteCli(dbPath);
+  if (!rows)
+    return null;
+  const stateRaw = await runSqliteCli(dbPath, "SELECT value FROM state WHERE key = 'api.codewhisperer.profile'", { readonly: true, json: true });
+  const activeProfileArn = stateRaw ? extractActiveProfileArnFromStateRows(safeJsonParse(stateRaw)) : undefined;
+  return { rows, activeProfileArn };
+}
+async function writeKiroDbWithSqliteCli(dbPath, tokenKey, updatedValue) {
+  const resultRaw = await runSqliteCli(dbPath, `UPDATE auth_kv SET value = ${sqliteQuote(updatedValue)} WHERE key = ${sqliteQuote(tokenKey)}; ` + "SELECT changes() AS changes", { readonly: false, json: true });
+  return parseSqliteChanges(safeJsonParse(resultRaw)) > 0;
+}
 function findClientCreds(obj) {
   if (!obj || typeof obj !== "object")
     return {};
@@ -169,6 +689,23 @@ function findClientCreds(obj) {
 function isIdcTokenKey(key) {
   return key.includes("odic") || key.includes("oidc") || key.includes("idc");
 }
+function isTokenRow(row) {
+  return row.key.includes(":token");
+}
+function tokenReadRank(row) {
+  return isIdcTokenKey(row.key) ? 0 : 1;
+}
+function selectKiroTokenRowForWrite(rows, creds) {
+  const tokenRows = rows.filter(isTokenRow);
+  if (!creds.tokenKey)
+    return;
+  return tokenRows.find((row) => row.key === creds.tokenKey);
+}
+function sameKiroCliCredential(left, right) {
+  if (!left || !right)
+    return false;
+  return left.source === right.source && left.tokenKey === right.tokenKey && left.accessToken === right.accessToken && left.refreshToken === right.refreshToken && left.region === right.region && left.authMethod === right.authMethod;
+}
 function extractRegionFromArn(arn) {
   if (!arn)
     return;
@@ -185,37 +722,56 @@ async function importFromKiroDb() {
     return null;
   }
   try {
-    const { Database } = await import("bun:sqlite");
-    const db = new Database(dbPath, { readonly: true });
-    try {
-      db.exec("PRAGMA busy_timeout = 5000");
-    } catch {}
     let rows;
+    let activeProfileArn;
+    let Database = null;
     try {
-      rows = db.prepare("SELECT key, value FROM auth_kv").all();
+      Database = (await import("bun:sqlite")).Database;
     } catch {
-      log.debug("Failed to read auth_kv table from Kiro DB");
+      try {
+        Database = (await import("better-sqlite3")).default;
+      } catch {
+        log.debug("No SQLite driver available (need bun:sqlite or better-sqlite3); trying sqlite3 CLI");
+      }
+    }
+    if (Database) {
+      const db = new Database(dbPath, { readonly: true });
+      try {
+        db.run?.("PRAGMA busy_timeout = 5000") ?? db.exec?.("PRAGMA busy_timeout = 5000");
+      } catch {}
+      try {
+        const stmt = db.prepare("SELECT key, value FROM auth_kv");
+        rows = stmt.all();
+      } catch {
+        log.debug("Failed to read auth_kv table from Kiro DB");
+        try {
+          db.close();
+        } catch {}
+        return null;
+      }
+      try {
+        const stateStmt = db.prepare("SELECT value FROM state WHERE key = ?");
+        const stateRow = stateStmt.get("api.codewhisperer.profile");
+        const parsed = safeJsonParse(stateRow?.value);
+        const arn = parsed?.arn || parsed?.profileArn || parsed?.profile_arn;
+        if (typeof arn === "string" && arn.trim()) {
+          activeProfileArn = arn.trim();
+        }
+      } catch {}
       try {
         db.close();
       } catch {}
-      return null;
+    } else {
+      const snapshot = await readKiroDbWithSqliteCli(dbPath);
+      if (!snapshot)
+        return null;
+      rows = snapshot.rows;
+      activeProfileArn = snapshot.activeProfileArn;
     }
-    let activeProfileArn;
-    try {
-      const stateRow = db.prepare("SELECT value FROM state WHERE key = ?").get("api.codewhisperer.profile");
-      const parsed = safeJsonParse(stateRow?.value);
-      const arn = parsed?.arn || parsed?.profileArn || parsed?.profile_arn;
-      if (typeof arn === "string" && arn.trim()) {
-        activeProfileArn = arn.trim();
-      }
-    } catch {}
-    try {
-      db.close();
-    } catch {}
     const deviceRegRow = rows.find((r) => typeof r?.key === "string" && r.key.includes("device-registration"));
     const deviceReg = safeJsonParse(deviceRegRow?.value);
     const regCreds = deviceReg ? findClientCreds(deviceReg) : {};
-    const tokenRows = rows.filter((r) => r.key.includes(":token")).sort((a, b) => (isIdcTokenKey(a.key) ? 0 : 1) - (isIdcTokenKey(b.key) ? 0 : 1));
+    const tokenRows = rows.filter(isTokenRow).sort((a, b) => tokenReadRank(a) - tokenReadRank(b));
     for (const row of tokenRows) {
       const data = safeJsonParse(row.value);
       if (!data)
@@ -228,16 +784,19 @@ async function importFromKiroDb() {
       const authMethod = isIdc ? "idc" : "desktop";
       const oidcRegion = data.region || "us-east-1";
       let profileArn = data.profile_arn || data.profileArn;
-      if (!profileArn)
+      if (!profileArn && isIdc) {
         profileArn = activeProfileArn;
+      }
       const serviceRegion = extractRegionFromArn(profileArn) || oidcRegion;
       const result = {
         accessToken: accessToken || "",
         refreshToken: refreshToken || "",
         region: serviceRegion,
         authMethod,
+        profileArn,
         email: data.email || data.emailAddress,
-        profileArn
+        source: "kiro-cli-db",
+        tokenKey: row.key
       };
       if (isIdc && regCreds.clientId) {
         result.clientId = regCreds.clientId;
@@ -253,30 +812,48 @@ async function importFromKiroDb() {
     return null;
   }
 }
+function mapSsoCacheAuthMethod(value) {
+  if (typeof value !== "string")
+    return "idc";
+  const v = value.toLowerCase();
+  if (v === "builderid" || v === "builder-id")
+    return "desktop";
+  return "idc";
+}
 async function importFromKiroSsoCache() {
-  const cachePath = getKiroSsoCachePath();
-  if (!existsSync(cachePath)) {
-    log.debug(`Kiro SSO cache not found at ${cachePath}`);
+  const path = getKiroSsoCachePath();
+  if (!existsSync(path)) {
+    log.debug(`Kiro SSO cache not found at ${path}`);
     return null;
   }
   let raw;
   try {
-    raw = readFileSync(cachePath, "utf8");
+    raw = readFileSync(path, "utf8");
   } catch (err) {
-    log.warn(`Failed to read Kiro SSO cache at ${cachePath}: ${err}`);
+    log.warn(`Failed to read Kiro SSO cache at ${path}: ${err}`);
     return null;
   }
   const token = safeJsonParse(raw);
-  if (!token || typeof token !== "object")
+  if (!token || typeof token !== "object") {
+    log.debug(`Kiro SSO cache at ${path} is not valid JSON`);
     return null;
+  }
   const accessToken = typeof token.accessToken === "string" ? token.accessToken : "";
   const refreshToken = typeof token.refreshToken === "string" ? token.refreshToken : "";
-  if (!accessToken && !refreshToken)
+  if (!accessToken && !refreshToken) {
+    log.debug(`Kiro SSO cache at ${path} has no tokens`);
     return null;
+  }
   const region = typeof token.region === "string" && token.region.length > 0 ? token.region : "us-east-1";
-  const authMethod = "desktop";
-  log.info(`Imported Kiro SSO cache credentials (region=${region})`);
-  return { accessToken, refreshToken, region, authMethod };
+  const authMethod = mapSsoCacheAuthMethod(token.authMethod);
+  log.info(`Imported Kiro SSO cache credentials (method=${authMethod}, region=${region})`);
+  return {
+    accessToken,
+    refreshToken,
+    region,
+    authMethod,
+    source: "kiro-sso-cache"
+  };
 }
 async function importFromKiroCli() {
   const dbResult = await importFromKiroDb();
@@ -284,6 +861,98 @@ async function importFromKiroCli() {
     return dbResult;
   return importFromKiroSsoCache();
 }
+async function getKiroCliCredentialsAllowExpired(exclude) {
+  const imported = await importFromKiroCli();
+  return sameKiroCliCredential(imported, exclude ?? null) ? null : imported;
+}
+async function saveKiroCliCredentials(creds) {
+  if (creds.source !== "kiro-cli-db" || !creds.tokenKey) {
+    log.debug("Credential write-back skipped: credential did not originate from kiro-cli DB");
+    return false;
+  }
+  const dbPath = getKiroDbPath();
+  if (!existsSync(dbPath)) {
+    log.debug(`Kiro CLI DB not found at ${dbPath} — cannot save credentials`);
+    return false;
+  }
+  try {
+    let Database = null;
+    try {
+      Database = (await import("bun:sqlite")).Database;
+    } catch {
+      try {
+        Database = (await import("better-sqlite3")).default;
+      } catch {
+        log.debug("No SQLite driver available for credential write-back; trying sqlite3 CLI");
+      }
+    }
+    let rows;
+    let db = null;
+    if (Database) {
+      db = new Database(dbPath);
+      try {
+        db.run?.("PRAGMA busy_timeout = 5000") ?? db.exec?.("PRAGMA busy_timeout = 5000");
+      } catch {}
+      try {
+        const stmt = db.prepare("SELECT key, value FROM auth_kv");
+        rows = stmt.all();
+      } catch {
+        log.debug("Failed to read auth_kv table for credential write-back");
+        try {
+          db.close();
+        } catch {}
+        return false;
+      }
+    } else {
+      const cliRows = await readKiroAuthKvRowsWithSqliteCli(dbPath);
+      if (!cliRows)
+        return false;
+      rows = cliRows;
+    }
+    const tokenRow = selectKiroTokenRowForWrite(rows, creds);
+    if (!tokenRow) {
+      log.debug("No matching token entry found in auth_kv — cannot write back");
+      try {
+        db?.close();
+      } catch {}
+      return false;
+    }
+    const existing = safeJsonParse(tokenRow.value) ?? {};
+    const updated = {
+      ...existing,
+      accessToken: creds.accessToken,
+      access_token: creds.accessToken,
+      refreshToken: creds.refreshToken,
+      refresh_token: creds.refreshToken
+    };
+    const updatedValue = JSON.stringify(updated);
+    if (db) {
+      try {
+        const updateStmt = db.prepare("UPDATE auth_kv SET value = ? WHERE key = ?");
+        updateStmt.run(updatedValue, tokenRow.key);
+      } catch (err) {
+        log.warn(`Failed to write credentials back to Kiro CLI DB: ${err}`);
+        try {
+          db.close();
+        } catch {}
+        return false;
+      }
+      try {
+        db.close();
+      } catch {}
+    } else {
+      const wrote = await writeKiroDbWithSqliteCli(dbPath, tokenRow.key, updatedValue);
+      if (!wrote)
+        return false;
+    }
+    log.info("Wrote refreshed credentials back to Kiro CLI DB");
+    return true;
+  } catch (err) {
+    log.warn(`Failed to save credentials to Kiro CLI: ${err}`);
+    return false;
+  }
+}
+var SQLITE_CLI_TIMEOUT_MS = 5000;
 var init_kiro_cli_sync = __esm(() => {
   init_debug();
 });
@@ -612,372 +1281,8 @@ function isPermanentError(reason) {
   return PERMANENT_PATTERNS.some((p) => reason.includes(p));
 }
 
-// src/models.ts
-var KIRO_MODEL_IDS = new Set([
-  "claude-fable-5",
-  "claude-opus-4.8",
-  "claude-opus-4.7",
-  "claude-opus-4.6",
-  "claude-opus-4.6-1m",
-  "claude-sonnet-4.6",
-  "claude-sonnet-4.6-1m",
-  "claude-opus-4.5",
-  "claude-sonnet-4.5",
-  "claude-sonnet-4.5-1m",
-  "claude-sonnet-4",
-  "claude-haiku-4.5",
-  "deepseek-3.2",
-  "kimi-k2.5",
-  "minimax-m2.1",
-  "minimax-m2.5",
-  "glm-4.7",
-  "glm-4.7-flash",
-  "qwen3-coder-next",
-  "agi-nova-beta-1m",
-  "qwen3-coder-480b",
-  "auto"
-]);
-function dotToDash(modelId) {
-  return modelId.replace(/(\d)\.(\d)/g, "$1-$2");
-}
-function resolveKiroModel(modelId) {
-  const kiroId = modelId.replace(/(\d)-(\d)/g, "$1.$2");
-  if (!KIRO_MODEL_IDS.has(kiroId)) {
-    throw new Error(`Unknown Kiro model ID: ${modelId}`);
-  }
-  return kiroId;
-}
-var API_REGION_MAP = {
-  "us-west-1": "us-east-1",
-  "us-west-2": "us-east-1",
-  "us-east-2": "us-east-1",
-  "eu-west-1": "eu-central-1",
-  "eu-west-2": "eu-central-1",
-  "eu-west-3": "eu-central-1",
-  "eu-north-1": "eu-central-1",
-  "eu-south-1": "eu-central-1",
-  "eu-south-2": "eu-central-1",
-  "eu-central-2": "eu-central-1",
-  "ap-northeast-1": "us-east-1",
-  "ap-northeast-2": "us-east-1",
-  "ap-northeast-3": "us-east-1",
-  "ap-southeast-1": "us-east-1",
-  "ap-southeast-2": "us-east-1",
-  "ap-south-1": "us-east-1",
-  "ap-east-1": "us-east-1",
-  "ap-south-2": "us-east-1",
-  "ap-southeast-3": "us-east-1",
-  "ap-southeast-4": "us-east-1"
-};
-function resolveApiRegion(ssoRegion) {
-  if (!ssoRegion)
-    return "us-east-1";
-  return API_REGION_MAP[ssoRegion] ?? ssoRegion;
-}
-var BASE_URL = "https://runtime.us-east-1.kiro.dev";
-var ZERO_COST = Object.freeze({ input: 0, output: 0, cacheRead: 0, cacheWrite: 0 });
-var KIRO_DEFAULTS = {
-  api: "kiro-api",
-  provider: "kiro",
-  baseUrl: BASE_URL,
-  cost: ZERO_COST
-};
-var MULTIMODAL = ["text", "image"];
-var TEXT_ONLY = ["text"];
-var kiroModels = [
-  {
-    ...KIRO_DEFAULTS,
-    id: "claude-fable-5",
-    name: "Claude Fable 5",
-    reasoning: true,
-    input: MULTIMODAL,
-    contextWindow: 1e6,
-    maxTokens: 128000,
-    firstTokenTimeout: 180000,
-    supportedEfforts: ["low", "medium", "high", "xhigh", "max"],
-    supportsThinkingConfig: true
-  },
-  {
-    ...KIRO_DEFAULTS,
-    id: "claude-opus-4-8",
-    name: "Claude Opus 4.8",
-    reasoning: true,
-    input: MULTIMODAL,
-    contextWindow: 1e6,
-    maxTokens: 128000,
-    firstTokenTimeout: 180000,
-    supportedEfforts: ["low", "medium", "high", "xhigh", "max"],
-    supportsThinkingConfig: true
-  },
-  {
-    ...KIRO_DEFAULTS,
-    id: "claude-opus-4-7",
-    name: "Claude Opus 4.7",
-    reasoning: true,
-    input: MULTIMODAL,
-    contextWindow: 1e6,
-    maxTokens: 128000,
-    firstTokenTimeout: 180000,
-    supportedEfforts: ["low", "medium", "high", "xhigh", "max"],
-    supportsThinkingConfig: true
-  },
-  {
-    ...KIRO_DEFAULTS,
-    id: "claude-opus-4-6",
-    name: "Claude Opus 4.6",
-    reasoning: true,
-    input: MULTIMODAL,
-    contextWindow: 1e6,
-    maxTokens: 64000,
-    supportedEfforts: ["low", "medium", "high", "max"],
-    supportsThinkingConfig: true
-  },
-  {
-    ...KIRO_DEFAULTS,
-    id: "claude-opus-4-6-1m",
-    name: "Claude Opus 4.6 (1M)",
-    reasoning: true,
-    input: MULTIMODAL,
-    contextWindow: 1e6,
-    maxTokens: 64000,
-    supportedEfforts: ["low", "medium", "high", "max"],
-    supportsThinkingConfig: true
-  },
-  {
-    ...KIRO_DEFAULTS,
-    id: "claude-sonnet-4-6",
-    name: "Claude Sonnet 4.6",
-    reasoning: true,
-    input: MULTIMODAL,
-    contextWindow: 1e6,
-    maxTokens: 64000,
-    supportedEfforts: ["low", "medium", "high", "max"],
-    supportsThinkingConfig: true
-  },
-  {
-    ...KIRO_DEFAULTS,
-    id: "claude-sonnet-4-6-1m",
-    name: "Claude Sonnet 4.6 (1M)",
-    reasoning: true,
-    input: MULTIMODAL,
-    contextWindow: 1e6,
-    maxTokens: 64000,
-    supportedEfforts: ["low", "medium", "high", "max"],
-    supportsThinkingConfig: true
-  },
-  {
-    ...KIRO_DEFAULTS,
-    id: "claude-opus-4-5",
-    name: "Claude Opus 4.5",
-    reasoning: true,
-    input: MULTIMODAL,
-    contextWindow: 200000,
-    maxTokens: 64000
-  },
-  {
-    ...KIRO_DEFAULTS,
-    id: "claude-sonnet-4-5",
-    name: "Claude Sonnet 4.5",
-    reasoning: true,
-    input: MULTIMODAL,
-    contextWindow: 200000,
-    maxTokens: 65536
-  },
-  {
-    ...KIRO_DEFAULTS,
-    id: "claude-sonnet-4-5-1m",
-    name: "Claude Sonnet 4.5 (1M)",
-    reasoning: true,
-    input: MULTIMODAL,
-    contextWindow: 1e6,
-    maxTokens: 65536
-  },
-  {
-    ...KIRO_DEFAULTS,
-    id: "claude-sonnet-4",
-    name: "Claude Sonnet 4",
-    reasoning: true,
-    input: MULTIMODAL,
-    contextWindow: 200000,
-    maxTokens: 65536
-  },
-  {
-    ...KIRO_DEFAULTS,
-    id: "claude-haiku-4-5",
-    name: "Claude Haiku 4.5",
-    reasoning: false,
-    input: MULTIMODAL,
-    contextWindow: 200000,
-    maxTokens: 65536
-  },
-  {
-    ...KIRO_DEFAULTS,
-    id: "deepseek-3-2",
-    name: "DeepSeek 3.2",
-    reasoning: true,
-    input: TEXT_ONLY,
-    contextWindow: 128000,
-    maxTokens: 8192
-  },
-  {
-    ...KIRO_DEFAULTS,
-    id: "kimi-k2-5",
-    name: "Kimi K2.5",
-    reasoning: true,
-    input: TEXT_ONLY,
-    contextWindow: 200000,
-    maxTokens: 8192
-  },
-  {
-    ...KIRO_DEFAULTS,
-    id: "minimax-m2-5",
-    name: "MiniMax M2.5",
-    reasoning: false,
-    input: TEXT_ONLY,
-    contextWindow: 196000,
-    maxTokens: 64000
-  },
-  {
-    ...KIRO_DEFAULTS,
-    id: "minimax-m2-1",
-    name: "MiniMax M2.1",
-    reasoning: false,
-    input: MULTIMODAL,
-    contextWindow: 196000,
-    maxTokens: 64000
-  },
-  {
-    ...KIRO_DEFAULTS,
-    id: "glm-4-7",
-    name: "GLM 4.7",
-    reasoning: true,
-    input: TEXT_ONLY,
-    contextWindow: 128000,
-    maxTokens: 8192
-  },
-  {
-    ...KIRO_DEFAULTS,
-    id: "glm-4-7-flash",
-    name: "GLM 4.7 Flash",
-    reasoning: false,
-    input: TEXT_ONLY,
-    contextWindow: 128000,
-    maxTokens: 8192
-  },
-  {
-    ...KIRO_DEFAULTS,
-    id: "qwen3-coder-next",
-    name: "Qwen3 Coder Next",
-    reasoning: true,
-    input: MULTIMODAL,
-    contextWindow: 256000,
-    maxTokens: 64000
-  },
-  {
-    ...KIRO_DEFAULTS,
-    id: "qwen3-coder-480b",
-    name: "Qwen3 Coder 480B",
-    reasoning: true,
-    input: TEXT_ONLY,
-    contextWindow: 128000,
-    maxTokens: 8192
-  },
-  {
-    ...KIRO_DEFAULTS,
-    id: "agi-nova-beta-1m",
-    name: "AGI Nova Beta (1M)",
-    reasoning: true,
-    input: MULTIMODAL,
-    contextWindow: 1e6,
-    maxTokens: 65536
-  },
-  {
-    ...KIRO_DEFAULTS,
-    id: "auto",
-    name: "Auto",
-    reasoning: true,
-    input: MULTIMODAL,
-    contextWindow: 200000,
-    maxTokens: 65536
-  }
-];
-async function fetchAvailableModels(accessToken, apiRegion, fallbackProfileArn) {
-  const runtimeUrl = `https://runtime.${apiRegion}.kiro.dev/`;
-  let profileArn = await resolveProfileArn(accessToken, runtimeUrl);
-  if (!profileArn && fallbackProfileArn) {
-    profileArn = fallbackProfileArn;
-  }
-  if (!profileArn) {
-    throw new Error("Missing profileArn: cannot fetch available models.");
-  }
-  const url = `https://management.${apiRegion}.kiro.dev/ListAvailableModels?origin=KIRO_CLI&profileArn=${encodeURIComponent(profileArn)}`;
-  const resp = await fetch(url, {
-    method: "GET",
-    headers: {
-      Authorization: `Bearer ${accessToken}`,
-      Accept: "application/json",
-      "User-Agent": "opencode-kiro"
-    }
-  });
-  if (!resp.ok) {
-    throw new Error(`ListAvailableModels failed: HTTP ${resp.status}`);
-  }
-  const data = await resp.json();
-  return (data.models ?? []).filter((m) => m.modelId !== "auto");
-}
-var REASONING_FAMILIES = new Set([
-  "claude-fable",
-  "claude-sonnet",
-  "claude-opus",
-  "deepseek",
-  "kimi",
-  "glm",
-  "qwen",
-  "agi-nova",
-  "minimax"
-]);
-function isReasoningModel(dotId) {
-  for (const family of REASONING_FAMILIES) {
-    if (dotId.startsWith(family))
-      return true;
-  }
-  return false;
-}
-function firstTokenTimeout(dotId) {
-  if (dotId.startsWith("claude-fable") || dotId.startsWith("claude-opus"))
-    return 180000;
-  return 90000;
-}
-function buildModelsFromApi(apiModels) {
-  return apiModels.map((m) => {
-    KIRO_MODEL_IDS.add(m.modelId);
-    const dashId = dotToDash(m.modelId);
-    const supportedTypes = m.supportedInputTypes ?? ["TEXT"];
-    const input = supportedTypes.includes("IMAGE") ? ["text", "image"] : ["text"];
-    const effortEnum = m.additionalModelRequestFieldsSchema?.properties?.output_config?.properties?.effort?.enum;
-    const supportedEfforts = Array.isArray(effortEnum) && effortEnum.length > 0 ? effortEnum : undefined;
-    const supportsThinkingConfig = !!m.additionalModelRequestFieldsSchema?.properties?.thinking;
-    return {
-      ...KIRO_DEFAULTS,
-      id: dashId,
-      name: m.modelName,
-      reasoning: isReasoningModel(m.modelId),
-      input,
-      contextWindow: m.tokenLimits?.maxInputTokens ?? 200000,
-      maxTokens: m.tokenLimits?.maxOutputTokens ?? 8192,
-      firstTokenTimeout: firstTokenTimeout(m.modelId),
-      ...supportedEfforts ? { supportedEfforts } : {},
-      ...supportsThinkingConfig ? { supportsThinkingConfig } : {}
-    };
-  });
-}
-var cachedDynamicModels = null;
-function getCachedDynamicModels() {
-  return cachedDynamicModels;
-}
-function setCachedDynamicModels(models) {
-  cachedDynamicModels = models;
-}
+// src/stream.ts
+init_models();
 
 // src/thinking-parser.ts
 init_debug();
@@ -1214,7 +1519,9 @@ function countTokens(text) {
 
 // src/oauth.ts
 init_debug();
-var BUILDER_ID_START_URL = "https://view.awsapps.com/start";
+init_models();
+import { createServer } from "node:http";
+import { randomBytes, createHash } from "node:crypto";
 var BUILDER_ID_REGION = "us-east-1";
 var SSO_SCOPES = [
   "codewhisperer:completions",
@@ -1333,10 +1640,12 @@ async function refreshKiroToken(refreshTokenPacked, region, authMethod) {
   const refreshToken = parts[0] ?? "";
   const clientId = parts[1] ?? "";
   const clientSecret = parts[2] ?? "";
+  const source = parts[4] ?? "";
+  const tokenKey = parts[5] ?? "";
   if (!refreshToken || !region) {
     throw new Error("Refresh token or region is missing — re-login required");
   }
-  if (authMethod === "desktop") {
+  if (authMethod === "desktop" || authMethod === "social") {
     const desktopEndpoint = `https://prod.${region}.auth.desktop.kiro.dev/refreshToken`;
     const resp2 = await fetch(desktopEndpoint, {
       method: "POST",
@@ -1348,9 +1657,23 @@ async function refreshKiroToken(refreshTokenPacked, region, authMethod) {
       throw new Error(`Desktop token refresh failed: ${resp2.status} ${body}`);
     }
     const data2 = await resp2.json();
+    const newPacked2 = `${data2.refreshToken}|||${authMethod}|${source}|${tokenKey}`;
+    if (source === "kiro-cli-db" && tokenKey) {
+      const { saveKiroCliCredentials: saveKiroCliCredentials2 } = await Promise.resolve().then(() => (init_kiro_cli_sync(), exports_kiro_cli_sync));
+      await saveKiroCliCredentials2({
+        accessToken: data2.accessToken,
+        refreshToken: data2.refreshToken,
+        clientId: "",
+        clientSecret: "",
+        region,
+        authMethod,
+        source: "kiro-cli-db",
+        tokenKey
+      });
+    }
     return {
       access: data2.accessToken,
-      refresh: `${data2.refreshToken}|||desktop`,
+      refresh: newPacked2,
       expires: Date.now() + (data2.expiresIn ?? 3600) * 1000 - EXPIRES_BUFFER_MS
     };
   }
@@ -1368,15 +1691,411 @@ async function refreshKiroToken(refreshTokenPacked, region, authMethod) {
     throw new Error(`Token refresh failed: ${resp.status} ${body}`);
   }
   const data = await resp.json();
+  const newPacked = `${data.refreshToken}|${clientId}|${clientSecret}|${authMethod}|${source}|${tokenKey}`;
+  if (source === "kiro-cli-db" && tokenKey) {
+    const { saveKiroCliCredentials: saveKiroCliCredentials2 } = await Promise.resolve().then(() => (init_kiro_cli_sync(), exports_kiro_cli_sync));
+    await saveKiroCliCredentials2({
+      accessToken: data.accessToken,
+      refreshToken: data.refreshToken,
+      clientId,
+      clientSecret,
+      region,
+      authMethod,
+      source: "kiro-cli-db",
+      tokenKey
+    });
+  }
   return {
     access: data.accessToken,
-    refresh: `${data.refreshToken}|${clientId}|${clientSecret}|${authMethod}`,
+    refresh: newPacked,
     expires: Date.now() + (data.expiresIn ?? 3600) * 1000 - EXPIRES_BUFFER_MS
   };
 }
+var KIRO_SOCIAL_PORTAL = "https://app.kiro.dev";
+var KIRO_SOCIAL_AUTH_ENDPOINT = `https://prod.${BUILDER_ID_REGION}.auth.desktop.kiro.dev`;
+var SOCIAL_REDIRECT_PORT = 49153;
+var SOCIAL_REDIRECT_URI = `http://localhost:${SOCIAL_REDIRECT_PORT}`;
+function generateRandomState() {
+  return randomBytes(16).toString("base64url");
+}
+function generateCodeVerifier() {
+  return randomBytes(32).toString("base64url");
+}
+function generateCodeChallenge(verifier) {
+  return createHash("sha256").update(verifier).digest("base64url");
+}
+function buildSocialSignInURL(redirectUri, codeChallenge, state) {
+  const params = new URLSearchParams;
+  params.set("code_challenge", codeChallenge);
+  params.set("code_challenge_method", "S256");
+  params.set("redirect_from", "kirocli");
+  params.set("redirect_uri", redirectUri);
+  params.set("state", state);
+  return `${KIRO_SOCIAL_PORTAL}/signin?${params.toString()}`;
+}
+function buildTokenRedirectUri(callbackPath, loginOption) {
+  const path = callbackPath || "/oauth/callback";
+  const base = `${SOCIAL_REDIRECT_URI}${path}`;
+  if (loginOption) {
+    return `${base}?login_option=${encodeURIComponent(loginOption)}`;
+  }
+  return base;
+}
+function oauthCallbackPage(kind, title, message, redirectUrl = "https://app.kiro.dev") {
+  const borderColor = kind === "success" ? "#22c55e" : "#ef4444";
+  const iconSvg = kind === "success" ? `<svg width="20" height="20" viewBox="0 0 20 20" fill="none"><path d="M16.67 5L7.5 14.17 3.33 10" stroke="#22c55e" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/></svg>` : `<svg width="20" height="20" viewBox="0 0 20 20" fill="none"><path d="M15 5L5 15M5 5l10 10" stroke="#ef4444" stroke-width="2" stroke-linecap="round"/></svg>`;
+  const ghostSvg = `<svg width="56" height="56" viewBox="0 0 100 100" fill="none" xmlns="http://www.w3.org/2000/svg">
+    <path d="M50 5C28.5 5 11 22.5 11 44v36c0 2.8 1.2 5.4 3.2 7.2 2 1.8 4.7 2.6 7.4 2.2l3.4-.5c3.2-.5 6.5.4 9 2.5l2.2 1.8c2.4 2 5.4 3 8.5 3h10.6c3.1 0 6.1-1.1 8.5-3l2.2-1.8c2.5-2.1 5.8-3 9-2.5l3.4.5c2.7.4 5.4-.4 7.4-2.2 2-1.8 3.2-4.4 3.2-7.2V44C89 22.5 71.5 5 50 5z" fill="white"/>
+    <circle cx="37" cy="45" r="7" fill="#0a0a0a"/>
+    <circle cx="63" cy="45" r="7" fill="#0a0a0a"/>
+  </svg>`;
+  const redirectHost = (() => {
+    try {
+      return new URL(redirectUrl).hostname;
+    } catch {
+      return redirectUrl;
+    }
+  })();
+  const countdownHtml = kind === "success" ? `
+    <div class="countdown" id="countdown">
+      <svg class="ring" viewBox="0 0 60 60">
+        <circle cx="30" cy="30" r="26" stroke="#1a1a1a" stroke-width="3" fill="none"/>
+        <circle id="ring-progress" cx="30" cy="30" r="26" stroke="#22c55e" stroke-width="3" fill="none"
+          stroke-dasharray="163.36" stroke-dashoffset="0" stroke-linecap="round"
+          transform="rotate(-90 30 30)" style="transition:stroke-dashoffset 1s linear"/>
+      </svg>
+      <span class="countdown-num" id="countdown-num">3</span>
+    </div>
+    <p class="subtitle">Redirecting to <strong>${redirectHost}</strong>…</p>
+    <script>
+      (function(){
+        var n=3, el=document.getElementById('countdown-num'),
+            ring=document.getElementById('ring-progress'), circ=163.36;
+        function tick(){
+          if(n<=0){window.location.href=${JSON.stringify(redirectUrl)};return}
+          el.textContent=n;
+          ring.setAttribute('stroke-dashoffset', String(circ*(1-n/3)));
+          n--;
+          setTimeout(tick,1000);
+        }
+        tick();
+      })();
+    </script>` : `<p class="subtitle">Please close this window and try again</p>`;
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>OPENCODE-KIRO — Authentication</title>
+  <style>
+    *{margin:0;padding:0;box-sizing:border-box}
+    body{background:#0a0a0a;color:#e5e5e5;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;text-align:center}
+    .container{max-width:420px;padding:2rem}
+    .logo{display:flex;align-items:center;justify-content:center;gap:16px;margin-bottom:48px}
+    .logo-text{font-size:32px;font-weight:700;letter-spacing:4px;color:#7c3aed;font-family:'Courier New',monospace}
+    .status-box{border:1.5px solid ${borderColor};border-radius:12px;padding:20px 28px;display:flex;align-items:flex-start;gap:14px;text-align:left;margin-bottom:20px;background:rgba(${kind === "success" ? "34,197,94" : "239,68,68"},0.04)}
+    .status-icon{flex-shrink:0;margin-top:2px}
+    .status-title{font-size:15px;font-weight:600;color:${borderColor};margin-bottom:4px}
+    .status-msg{font-size:13px;color:#a3a3a3;line-height:1.4}
+    .subtitle{font-size:13px;color:#737373;margin-top:4px}
+    .subtitle strong{color:#a3a3a3}
+    .countdown{position:relative;width:60px;height:60px;margin:24px auto 12px}
+    .ring{width:60px;height:60px}
+    .countdown-num{position:absolute;inset:0;display:flex;align-items:center;justify-content:center;font-size:24px;font-weight:700;color:#22c55e;font-variant-numeric:tabular-nums}
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="logo">
+      ${ghostSvg}
+      <span class="logo-text">OPENCODE-KIRO</span>
+    </div>
+    <div class="status-box">
+      <span class="status-icon">${iconSvg}</span>
+      <div>
+        <div class="status-title">${title}</div>
+        <div class="status-msg">${message}</div>
+      </div>
+    </div>
+    ${countdownHtml}
+  </div>
+</body>
+</html>`;
+}
+function oauthIdcDelegationPage() {
+  const ghostSvg = `<svg width="56" height="56" viewBox="0 0 100 100" fill="none" xmlns="http://www.w3.org/2000/svg">
+    <path d="M50 5C28.5 5 11 22.5 11 44v36c0 2.8 1.2 5.4 3.2 7.2 2 1.8 4.7 2.6 7.4 2.2l3.4-.5c3.2-.5 6.5.4 9 2.5l2.2 1.8c2.4 2 5.4 3 8.5 3h10.6c3.1 0 6.1-1.1 8.5-3l2.2-1.8c2.5-2.1 5.8-3 9-2.5l3.4.5c2.7.4 5.4-.4 7.4-2.2 2-1.8 3.2-4.4 3.2-7.2V44C89 22.5 71.5 5 50 5z" fill="white"/>
+    <circle cx="37" cy="45" r="7" fill="#0a0a0a"/>
+    <circle cx="63" cy="45" r="7" fill="#0a0a0a"/>
+  </svg>`;
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>OPENCODE-KIRO — Enterprise Sign-In</title>
+  <style>
+    *{margin:0;padding:0;box-sizing:border-box}
+    body{background:#0a0a0a;color:#e5e5e5;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;text-align:center}
+    .container{max-width:420px;padding:2rem}
+    .logo{display:flex;align-items:center;justify-content:center;gap:16px;margin-bottom:48px}
+    .logo-text{font-size:32px;font-weight:700;letter-spacing:4px;color:#7c3aed;font-family:'Courier New',monospace}
+    .status-box{border:1.5px solid #22c55e;border-radius:12px;padding:20px 28px;display:flex;align-items:flex-start;gap:14px;text-align:left;margin-bottom:20px;background:rgba(34,197,94,0.04)}
+    .status-icon{flex-shrink:0;margin-top:2px}
+    .status-title{font-size:15px;font-weight:600;color:#22c55e;margin-bottom:4px}
+    .status-msg{font-size:13px;color:#a3a3a3;line-height:1.4}
+    .subtitle{font-size:13px;color:#737373;margin-top:4px}
+    .subtitle strong{color:#a3a3a3}
+    .spinner{width:28px;height:28px;border:3px solid #1a1a1a;border-top-color:#22c55e;border-radius:50%;animation:spin 0.8s linear infinite;margin:24px auto 12px}
+    @keyframes spin{to{transform:rotate(360deg)}}
+    .countdown{position:relative;width:60px;height:60px;margin:24px auto 12px;display:none}
+    .ring{width:60px;height:60px}
+    .countdown-num{position:absolute;inset:0;display:flex;align-items:center;justify-content:center;font-size:24px;font-weight:700;color:#22c55e;font-variant-numeric:tabular-nums}
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="logo">
+      ${ghostSvg}
+      <span class="logo-text">OPENCODE-KIRO</span>
+    </div>
+    <div class="status-box">
+      <span class="status-icon"><svg width="20" height="20" viewBox="0 0 20 20" fill="none"><path d="M16.67 5L7.5 14.17 3.33 10" stroke="#22c55e" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/></svg></span>
+      <div>
+        <div class="status-title">Enterprise sign-in</div>
+        <div class="status-msg" id="status-msg">Preparing device authorization…</div>
+      </div>
+    </div>
+    <div class="spinner" id="spinner"></div>
+    <div class="countdown" id="countdown">
+      <svg class="ring" viewBox="0 0 60 60">
+        <circle cx="30" cy="30" r="26" stroke="#1a1a1a" stroke-width="3" fill="none"/>
+        <circle id="ring-progress" cx="30" cy="30" r="26" stroke="#22c55e" stroke-width="3" fill="none"
+          stroke-dasharray="163.36" stroke-dashoffset="0" stroke-linecap="round"
+          transform="rotate(-90 30 30)" style="transition:stroke-dashoffset 1s linear"/>
+      </svg>
+      <span class="countdown-num" id="countdown-num">3</span>
+    </div>
+    <p class="subtitle" id="subtitle">Waiting for device authorization…</p>
+    <script>
+      (function(){
+        var msg=document.getElementById('status-msg'),
+            spinner=document.getElementById('spinner'),
+            cd=document.getElementById('countdown'),
+            cdNum=document.getElementById('countdown-num'),
+            ring=document.getElementById('ring-progress'),
+            sub=document.getElementById('subtitle'),
+            circ=163.36;
+
+        function poll(){
+          fetch('/idc-verify').then(function(r){return r.json()}).then(function(d){
+            if(d.url){
+              spinner.style.display='none';
+              cd.style.display='block';
+              msg.textContent='Device authorization ready';
+              try{sub.innerHTML='Redirecting to <strong>'+new URL(d.url).hostname+'</strong>…'}catch(e){}
+              countdown(3,d.url);
+            } else {
+              setTimeout(poll,500);
+            }
+          }).catch(function(){setTimeout(poll,1000)});
+        }
+
+        function countdown(n,url){
+          if(n<=0){window.location.href=url;return}
+          cdNum.textContent=n;
+          ring.setAttribute('stroke-dashoffset',String(circ*(1-n/3)));
+          setTimeout(function(){countdown(n-1,url)},1000);
+        }
+
+        poll();
+      })();
+    </script>
+  </div>
+</body>
+</html>`;
+}
+function startCallbackServer(expectedState) {
+  return new Promise((resolve2, reject) => {
+    let settleWait;
+    const waitForCodePromise = new Promise((res) => {
+      settleWait = res;
+    });
+    let idcVerifyUrl = null;
+    const server = createServer((req, res) => {
+      try {
+        const url = new URL(req.url ?? "", SOCIAL_REDIRECT_URI);
+        if (url.pathname === "/idc-verify") {
+          res.writeHead(200, {
+            "Content-Type": "application/json",
+            "Access-Control-Allow-Origin": "*",
+            "Cache-Control": "no-store"
+          });
+          res.end(JSON.stringify({ url: idcVerifyUrl }));
+          return;
+        }
+        const code = url.searchParams.get("code");
+        const state = url.searchParams.get("state");
+        const loginOption = url.searchParams.get("login_option");
+        const issuerUrl = url.searchParams.get("issuer_url");
+        const idcRegion = url.searchParams.get("idc_region");
+        const isIdcDelegation = loginOption === "awsidc" && !!issuerUrl && !!state;
+        if (!state || !code && !isIdcDelegation) {
+          res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+          res.end("");
+          return;
+        }
+        if (state !== expectedState) {
+          res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+          res.end(oauthCallbackPage("error", "State mismatch", "The OAuth state parameter did not match. Please try logging in again."));
+          return;
+        }
+        res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+        if (isIdcDelegation) {
+          res.end(oauthIdcDelegationPage());
+        } else {
+          res.end(oauthCallbackPage("success", "Request approved", "OPENCODE-KIRO has been given requested permissions."));
+        }
+        settleWait?.({
+          code,
+          state,
+          callbackPath: url.pathname,
+          loginOption,
+          issuerUrl: issuerUrl ?? undefined,
+          idcRegion: idcRegion ?? undefined
+        });
+      } catch {
+        res.writeHead(500, { "Content-Type": "text/plain; charset=utf-8" });
+        res.end("Internal error");
+      }
+    });
+    server.on("error", (err) => {
+      reject(err);
+    });
+    server.listen(SOCIAL_REDIRECT_PORT, "localhost", () => {
+      resolve2({
+        server,
+        redirectUri: SOCIAL_REDIRECT_URI,
+        cancelWait: () => {
+          settleWait?.(null);
+        },
+        waitForCode: () => waitForCodePromise,
+        setIdcVerifyUrl: (url) => {
+          idcVerifyUrl = url;
+        }
+      });
+    });
+  });
+}
+async function startSocialLogin() {
+  const verifier = generateCodeVerifier();
+  const challenge = generateCodeChallenge(verifier);
+  const state = generateRandomState();
+  const callbackServer = await startCallbackServer(state);
+  const signInUrl = buildSocialSignInURL(callbackServer.redirectUri, challenge, state);
+  const waitForCredentials = async () => {
+    try {
+      const result = await callbackServer.waitForCode();
+      if (result?.loginOption === "awsidc" && result.issuerUrl) {
+        log.info("[social-login] Enterprise IdC delegation detected");
+        const idcRegion = result.idcRegion || BUILDER_ID_REGION;
+        const regions = [idcRegion];
+        let regResult = null;
+        let detectedRegion = "";
+        for (const region of regions) {
+          regResult = await tryRegisterAndAuthorize(result.issuerUrl, region);
+          if (regResult) {
+            detectedRegion = region;
+            break;
+          }
+        }
+        if (!regResult || !detectedRegion) {
+          throw new Error(`Could not authorize ${result.issuerUrl} in ${regions.join(", ")}. Check your start URL and region and try again.`);
+        }
+        callbackServer.setIdcVerifyUrl(regResult.devAuth.verificationUriComplete);
+        log.info(`[social-login] IdC device auth ready, verification URL sent to browser`);
+        const tok = await pollForToken(regResult.oidcEndpoint, regResult.clientId, regResult.clientSecret, regResult.devAuth, undefined);
+        if (!tok.accessToken || !tok.refreshToken) {
+          throw new Error("IdC authorization completed but no tokens returned");
+        }
+        let profileArn;
+        try {
+          const apiRegion = resolveApiRegion(detectedRegion);
+          const { resolveProfileArn: resolveProfileArn2 } = await Promise.resolve().then(() => (init_models(), exports_models));
+          const resolved = await resolveProfileArn2(tok.accessToken, apiRegion);
+          if (resolved) {
+            profileArn = resolved;
+            try {
+              const apiModels = await fetchAvailableModels(tok.accessToken, apiRegion, profileArn);
+              setCachedDynamicModels(buildModelsFromApi(apiModels));
+              log.info(`[social-login] IdC: fetched and cached ${apiModels.length} models`);
+            } catch (err) {
+              log.warn(`[social-login] IdC: failed to fetch models: ${err}`);
+            }
+          }
+        } catch (err) {
+          log.warn(`[social-login] IdC: failed to resolve profileArn: ${err}`);
+        }
+        return {
+          accessToken: tok.accessToken,
+          refreshToken: tok.refreshToken,
+          refreshPacked: `${tok.refreshToken}|${regResult.clientId}|${regResult.clientSecret}|idc`,
+          profileArn,
+          region: detectedRegion,
+          authMethod: "idc",
+          expiresAt: Date.now() + (tok.expiresIn ?? 3600) * 1000 - EXPIRES_BUFFER_MS
+        };
+      }
+      if (!result?.code) {
+        throw new Error("Missing authorization code — sign-in was not completed");
+      }
+      const tokenRedirectUri = buildTokenRedirectUri(result.callbackPath, result.loginOption);
+      log.info("[social-login] Exchanging authorization code…");
+      const resp = await fetch(`${KIRO_SOCIAL_AUTH_ENDPOINT}/oauth/token`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json", "User-Agent": "opencode-kiro" },
+        body: JSON.stringify({
+          code: result.code,
+          code_verifier: verifier,
+          redirect_uri: tokenRedirectUri
+        })
+      });
+      if (!resp.ok) {
+        const body = await resp.text().catch(() => "");
+        throw new Error(`Token exchange failed: ${resp.status} ${body}`);
+      }
+      const data = await resp.json();
+      if (!data.accessToken || !data.refreshToken) {
+        throw new Error("Token exchange returned no tokens");
+      }
+      if (data.profileArn) {
+        try {
+          const apiRegion = resolveApiRegion(BUILDER_ID_REGION);
+          const apiModels = await fetchAvailableModels(data.accessToken, apiRegion, data.profileArn);
+          setCachedDynamicModels(buildModelsFromApi(apiModels));
+          log.info(`[social-login] Fetched and cached ${apiModels.length} models`);
+        } catch (err) {
+          log.warn(`[social-login] Failed to fetch models: ${err}`);
+        }
+      }
+      return {
+        accessToken: data.accessToken,
+        refreshToken: data.refreshToken,
+        refreshPacked: `${data.refreshToken}|||social`,
+        profileArn: data.profileArn,
+        region: BUILDER_ID_REGION,
+        authMethod: "social",
+        expiresAt: Date.now() + (data.expiresIn ?? 3600) * 1000 - EXPIRES_BUFFER_MS
+      };
+    } finally {
+      callbackServer.server.close();
+    }
+  };
+  return { signInUrl, waitForCredentials };
+}
 
 // src/transform.ts
-import { createHash } from "node:crypto";
+import { createHash as createHash2 } from "node:crypto";
 
 // src/kiro-defaults.ts
 var SYSTEM_SEED_INSTRUCTION = `Follow this instruction: # Kiro CLI Default Agent
@@ -1459,7 +2178,7 @@ var KIRO_TOOL_USE_ID_RE = /^tooluse_[A-Za-z0-9]+$/;
 function toKiroToolUseId(id) {
   if (KIRO_TOOL_USE_ID_RE.test(id))
     return id;
-  const digest = createHash("sha256").update(id).digest("hex").slice(0, 22);
+  const digest = createHash2("sha256").update(id).digest("hex").slice(0, 22);
   return `tooluse_${digest}`;
 }
 var ALLOWED_SCHEMA_KEYS = new Set([
@@ -1790,49 +2509,6 @@ function emitHiddenReasoningLate(output, stream) {
     partial: output
   });
 }
-var profileArnCache = new Map;
-var profileArnSkipResolution = false;
-function seedProfileArn(endpoint, arn) {
-  profileArnCache.set(endpoint, arn);
-}
-async function resolveProfileArn(accessToken, endpoint) {
-  if (profileArnSkipResolution)
-    return;
-  const cached = profileArnCache.get(endpoint);
-  if (cached !== undefined)
-    return cached;
-  try {
-    const ep = new URL(endpoint);
-    ep.hostname = ep.hostname.replace("runtime.", "management.");
-    ep.pathname = "/";
-    ep.search = "";
-    ep.hash = "";
-    const resp = await fetch(ep.toString(), {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/x-amz-json-1.0",
-        Authorization: `Bearer ${accessToken}`,
-        "X-Amz-Target": "AmazonCodeWhispererService.ListAvailableProfiles"
-      },
-      body: "{}"
-    });
-    if (!resp.ok) {
-      log.debug(`profileArn resolution failed: ${resp.status} ${resp.statusText}`);
-      return;
-    }
-    const j = await resp.json();
-    const arn = j.profiles?.find((p) => p.arn)?.arn;
-    if (!arn) {
-      log.debug("profileArn resolution returned no profile ARN");
-      return;
-    }
-    profileArnCache.set(endpoint, arn);
-    return arn;
-  } catch (error) {
-    log.debug(`profileArn resolution threw: ${error instanceof Error ? error.message : String(error)}`);
-    return;
-  }
-}
 function emitToolCall(state, output, stream) {
   if (!state.input.trim())
     state.input = "{}";
@@ -2115,8 +2791,9 @@ ${currentContent}`;
         let transientRetryCount = 0;
         let contextTruncationAttempt = 0;
         while (true) {
-          const mid = crypto.randomUUID().replace(/-/g, "");
-          const ua = `aws-sdk-rust/1.0.0 ua/2.1 os/other lang/rust api/codewhispererstreaming#1.28.3 m/E app/AmazonQ-For-CLI md/appVersion-1.28.3-${mid}`;
+          const osName = resolveOS();
+          const ua = `aws-sdk-rust/1.3.15 ua/2.1 api/codewhispererstreaming/0.1.16551 os/${osName} lang/rust/1.92.0 md/appVersion-2.7.1 app/AmazonQ-For-CLI`;
+          const xAmzUa = `aws-sdk-rust/1.3.15 ua/2.1 api/codewhispererstreaming/0.1.16551 os/${osName} lang/rust/1.92.0 m/F app/AmazonQ-For-CLI`;
           const requestBody = JSON.stringify(request);
           log.debug("request.send", {
             attempt: retryCount,
@@ -2137,15 +2814,17 @@ ${currentContent}`;
             method: "POST",
             headers: {
               "Content-Type": "application/x-amz-json-1.0",
-              Accept: "application/json",
+              Accept: "*/*",
+              "Accept-Encoding": "gzip",
               Authorization: `Bearer ${accessToken}`,
               "X-Amz-Target": "AmazonCodeWhispererStreamingService.GenerateAssistantResponse",
               "x-amzn-codewhisperer-optout": "true",
               "amz-sdk-invocation-id": crypto.randomUUID(),
-              "amz-sdk-request": "attempt=1; max=1",
-              "x-amzn-kiro-agent-mode": "vibe",
-              "x-amz-user-agent": ua,
-              "user-agent": ua
+              "amz-sdk-request": "attempt=1; max=3",
+              "user-agent": ua,
+              "x-amz-user-agent": xAmzUa,
+              Pragma: "no-cache",
+              "Cache-Control": "no-cache"
             },
             body: requestBody,
             signal: options?.signal
@@ -2195,12 +2874,12 @@ ${currentContent}`;
           if (response.status === 401) {
             const permanent = isPermanentError(errText);
             if (permanent) {
-              profileArnCache.delete(endpoint);
+              resetProfileArnCache();
               throw new Error(`Kiro API error: credentials permanently invalid — run /login kiro to re-authenticate. ${errText}`);
             }
           }
           if (response.status === 403) {
-            profileArnCache.delete(endpoint);
+            resetProfileArnCache();
             throw new Error(`Kiro API error: access token rejected (403) — run /login kiro to re-authenticate. ${errText}`);
           }
           throw new Error(`Kiro API error: ${response.status} ${response.statusText} ${errText}`);
@@ -2508,6 +3187,8 @@ ${currentContent}`;
 
 // src/server.ts
 init_debug();
+init_models();
+init_models();
 
 // src/dashboard-stats.ts
 var MAX_HISTORY = 100;
@@ -2880,11 +3561,29 @@ async function initGatewayAuth() {
       expiresAt: Date.now() + 3500000
     };
     log.info(`[gateway-auth] Initialized (method=${imported.authMethod}, region=${imported.region})`);
+    let activeAccessToken = imported.accessToken;
+    if (imported.refreshToken) {
+      try {
+        log.info("[gateway-auth] Refreshing token at startup…");
+        const refreshed = await refreshKiroToken(_creds.refreshPacked, _creds.region, _creds.authMethod);
+        _creds.accessToken = refreshed.access;
+        _creds.refreshPacked = refreshed.refresh;
+        _creds.expiresAt = refreshed.expires;
+        activeAccessToken = refreshed.access;
+        log.info("[gateway-auth] Token refreshed on startup successfully");
+      } catch (err) {
+        log.warn("[gateway-auth] Startup token refresh failed, trying with existing token", err);
+      }
+    }
     try {
-      const apiModels = await fetchAvailableModels(imported.accessToken, imported.region, imported.profileArn);
-      const built = buildModelsFromApi(apiModels);
-      setCachedDynamicModels(built);
-      log.info(`[kiro-models.fetched] Found ${built.length} available models`);
+      if (imported.profileArn) {
+        const apiModels = await fetchAvailableModels(activeAccessToken, imported.region, imported.profileArn);
+        const built = buildModelsFromApi(apiModels);
+        setCachedDynamicModels(built);
+        log.info(`[kiro-models.fetched] Found ${built.length} available models`);
+      } else {
+        log.info(`[kiro-models.fetched] Skipping fetch, no profileArn available`);
+      }
     } catch (err) {
       log.warn("[gateway-auth] Failed to fetch dynamic models (will fallback to static list)", err);
     }
@@ -2945,6 +3644,36 @@ function startGatewayServer(port = 0) {
             headers: { "Content-Type": "application/json" }
           });
         }
+        if (url.pathname === "/auth/login" && req.method === "GET") {
+          try {
+            const { signInUrl, waitForCredentials } = await startSocialLogin();
+            log.info("[gateway] Social login initiated, redirecting to Kiro sign-in");
+            waitForCredentials().then((creds) => {
+              _creds = {
+                accessToken: creds.accessToken,
+                refreshPacked: creds.refreshPacked,
+                region: creds.region,
+                authMethod: creds.authMethod,
+                profileArn: creds.profileArn,
+                expiresAt: creds.expiresAt
+              };
+              if (creds.profileArn) {
+                seedProfileArn(creds.profileArn);
+              }
+              log.info(`[gateway] Login completed (${creds.authMethod}) — credentials updated`);
+            }).catch((err) => {
+              log.error("[gateway] Login failed:", err);
+            });
+            return new Response(null, {
+              status: 302,
+              headers: { Location: signInUrl }
+            });
+          } catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            log.error("[gateway] Failed to start social login:", msg);
+            return anthropicError(500, "api_error", `Failed to start login: ${msg}`);
+          }
+        }
         if ((url.pathname === "/v1/messages" || url.pathname === "/messages") && req.method === "POST") {
           let accessToken;
           try {
@@ -2996,7 +3725,7 @@ function startGatewayServer(port = 0) {
             const reasoningEffort = body.output_config?.effort ?? body.reasoning_effort ?? undefined;
             log.info(`[gateway] → ${kiroEndpoint} model=${anthropicModelId} region=${apiRegion} stream=${streamRequested}`);
             if (_creds.profileArn) {
-              seedProfileArn(kiroEndpoint, _creds.profileArn);
+              seedProfileArn(_creds.profileArn);
             }
             const kiroStream = streamKiro(piModel, context, {
               apiKey: accessToken,
@@ -3367,6 +4096,7 @@ function translateAnthropicToolsToPi(tools) {
 
 // src/index.ts
 init_debug();
+init_models();
 process.env.KIRO_LOG = process.env.KIRO_LOG || "debug";
 process.env.KIRO_LOG_FILE = process.env.KIRO_LOG_FILE || "/tmp/opencode-kiro.log";
 var gatewayServer = null;
@@ -3415,30 +4145,28 @@ var KiroPlugin = async (input) => {
           label: "AWS Builder ID (personal account)",
           prompts: [],
           authorize: async () => {
-            const result = await tryRegisterAndAuthorize(BUILDER_ID_START_URL, BUILDER_ID_REGION);
-            if (!result) {
-              throw new Error("Could not authorize with AWS Builder ID.");
-            }
+            const { signInUrl, waitForCredentials } = await startSocialLogin();
             return {
-              url: result.devAuth.verificationUriComplete,
-              instructions: `AWS Verification Code: ${result.devAuth.userCode}
-Complete authorization in your browser, then OpenCode will continue automatically.`,
+              url: signInUrl,
+              instructions: "Complete sign-in in your browser. OpenCode will continue automatically.",
               method: "auto",
               callback: async () => {
-                const tok = await pollForToken(result.oidcEndpoint, result.clientId, result.clientSecret, result.devAuth, undefined);
-                if (!tok.accessToken || !tok.refreshToken) {
+                try {
+                  const creds = await waitForCredentials();
+                  return {
+                    type: "success",
+                    access: creds.accessToken,
+                    refresh: creds.refreshPacked,
+                    expires: creds.expiresAt,
+                    metadata: {
+                      region: creds.region,
+                      authMethod: creds.authMethod,
+                      profileArn: creds.profileArn
+                    }
+                  };
+                } catch {
                   return { type: "failed" };
                 }
-                return {
-                  type: "success",
-                  access: tok.accessToken,
-                  refresh: `${tok.refreshToken}|${result.clientId}|${result.clientSecret}|builder-id`,
-                  expires: Date.now() + (tok.expiresIn ?? 3600) * 1000 - EXPIRES_BUFFER_MS,
-                  metadata: {
-                    region: BUILDER_ID_REGION,
-                    authMethod: "builder-id"
-                  }
-                };
               }
             };
           }
@@ -3489,14 +4217,25 @@ Complete authorization in your browser, then OpenCode will continue automaticall
                 if (!tok.accessToken || !tok.refreshToken) {
                   return { type: "failed" };
                 }
+                const apiRegion = resolveApiRegion(detectedRegion);
+                const arn = await resolveProfileArn(tok.accessToken, apiRegion);
+                if (arn) {
+                  try {
+                    const models = await fetchAvailableModels(tok.accessToken, apiRegion, arn);
+                    setCachedDynamicModels(buildModelsFromApi(models));
+                  } catch (e) {
+                    log.warn("Failed to precache models", e);
+                  }
+                }
                 return {
                   type: "success",
                   access: tok.accessToken,
-                  refresh: `${tok.refreshToken}|${result.clientId}|${result.clientSecret}|idc`,
+                  refresh: `${tok.refreshToken}|${result.clientId}|${result.clientSecret}|idc||`,
                   expires: Date.now() + (tok.expiresIn ?? 3600) * 1000 - EXPIRES_BUFFER_MS,
                   metadata: {
                     region: detectedRegion,
-                    authMethod: "idc"
+                    authMethod: "idc",
+                    profileArn: arn
                   }
                 };
               }
@@ -3520,7 +4259,9 @@ Make sure Kiro CLI or IDE is installed and you're logged in, then try again.`);
               imported.refreshToken,
               imported.clientId || "",
               imported.clientSecret || "",
-              authMethod
+              authMethod,
+              imported.source || "",
+              imported.tokenKey || ""
             ];
             return {
               url: "",
@@ -3576,7 +4317,7 @@ Make sure Kiro CLI or IDE is installed and you're logged in, then try again.`);
               throw new Error("No refresh token provided.");
             }
             const region = inputs.region?.trim() || "us-east-1";
-            const packed = `${refreshToken}|||desktop`;
+            const packed = `${refreshToken}|||desktop||`;
             return {
               url: "",
               method: "auto",
@@ -3604,7 +4345,7 @@ Make sure Kiro CLI or IDE is installed and you're logged in, then try again.`);
       cfg.provider = cfg.provider ?? {};
       cfg.provider.kiro = cfg.provider.kiro ?? {};
       const kiro = cfg.provider.kiro;
-      kiro.name = kiro.name ?? "Kiro";
+      kiro.name = kiro.name ?? "Kiro AWS";
       kiro.npm = kiro.npm ?? "@ai-sdk/anthropic";
       kiro.api = kiro.api ?? `http://127.0.0.1:${localPort}/v1`;
       kiro.models = kiro.models ?? {};