@javargasm/pi-kiro 0.3.0 → 0.4.2

package/CHANGELOG.md

@@ -1,5 +1,23 @@
 # Changelog
 
+## 0.4.2
+
+### Patch Changes
+
+- 615afc2: Align stream request headers with real Kiro CLI traffic. Updates User-Agent to match the current AWS SDK Rust client format, sets `Accept: */*` and `Accept-Encoding: gzip`, bumps `amz-sdk-request` max attempts to 3, adds `Pragma`/`Cache-Control: no-cache`, and removes the `x-amzn-kiro-agent-mode` header that is no longer sent by the real client.
+
+## 0.4.1
+
+### Patch Changes
+
+- Fix Kiro CLI/IDE token import and refresh sync. Node runtimes now fall back to the system sqlite3 CLI for local DB access, refresh write-back only updates the exact imported CLI token row, and IDE/desktop refresh tokens are never written into kiro-cli storage.
+
+## 0.4.0
+
+### Minor Changes
+
+- Import from Kiro now reads the real kiro-cli SQLite DB at `data.sqlite3` in the platform's standard data directory (previously a non-existent `~/.kiro/db/kiro.db` path inherited from the old `pi-provider-kiro`). When the kiro-cli DB is unavailable, falls back to the AWS SSO OIDC cache JSON at `~/.aws/sso/cache/kiro-auth-token.json` (the file Kiro IDE writes). The primary path now also includes the OIDC clientId/secret when present, so users with kiro-cli installed can refresh via the OIDC endpoint instead of the desktop endpoint.
+
 ## 0.3.0
 
 ### Minor Changes

package/dist/core.js

@@ -120,19 +120,37 @@ var init_debug = __esm(() => {
 // src/kiro-cli-sync.ts
 var exports_kiro_cli_sync = {};
 __export(exports_kiro_cli_sync, {
+  selectKiroTokenRowForWrite: () => selectKiroTokenRowForWrite,
   saveKiroCliCredentials: () => saveKiroCliCredentials,
+  sameKiroCliCredential: () => sameKiroCliCredential,
+  importFromKiroSsoCache: () => importFromKiroSsoCache,
   importFromKiroCli: () => importFromKiroCli,
   getKiroCliCredentialsAllowExpired: () => getKiroCliCredentialsAllowExpired
 });
 import { homedir } from "node:os";
 import { join } from "node:path";
-import { existsSync } from "node:fs";
+import { spawn } from "node:child_process";
+import { existsSync, readFileSync } from "node:fs";
 function getKiroDbPath() {
   const home = homedir();
+  if (process.platform === "darwin") {
+    return join(home, "Library", "Application Support", "kiro-cli", "data.sqlite3");
+  }
   if (process.platform === "win32") {
-    return join(process.env.APPDATA || join(home, "AppData", "Roaming"), "kiro", "db", "kiro.db");
+    return join(process.env.APPDATA || join(home, "AppData", "Roaming"), "kiro-cli", "data.sqlite3");
+  }
+  const xdgData = process.env.XDG_DATA_HOME;
+  if (xdgData && xdgData.length > 0) {
+    return join(xdgData, "kiro-cli", "data.sqlite3");
   }
-  return join(home, ".kiro", "db", "kiro.db");
+  return join(home, ".local", "share", "kiro-cli", "data.sqlite3");
+}
+function getKiroSsoCachePath() {
+  const home = homedir();
+  if (process.platform === "win32") {
+    return join(process.env.USERPROFILE || home, ".aws", "sso", "cache", "kiro-auth-token.json");
+  }
+  return join(home, ".aws", "sso", "cache", "kiro-auth-token.json");
 }
 function safeJsonParse(value) {
   if (typeof value !== "string")
@@ -143,11 +161,112 @@ function safeJsonParse(value) {
     return null;
   }
 }
+function sqliteQuote(value) {
+  return `'${value.replaceAll("'", "''")}'`;
+}
+function runSqliteCli(dbPath, sql, options) {
+  return new Promise((resolve2) => {
+    const args = [
+      ...options.readonly ? ["-readonly"] : [],
+      "-cmd",
+      `.timeout ${SQLITE_CLI_TIMEOUT_MS}`,
+      ...options.json ? ["-json"] : [],
+      dbPath
+    ];
+    const child = spawn("sqlite3", args, { stdio: "pipe" });
+    let stdout = "";
+    let settled = false;
+    const finish = (result) => {
+      if (settled)
+        return;
+      settled = true;
+      clearTimeout(timeout);
+      resolve2(result);
+    };
+    const timeout = setTimeout(() => {
+      child.kill();
+      log.debug("sqlite3 CLI timed out while reading Kiro DB");
+      finish(null);
+    }, SQLITE_CLI_TIMEOUT_MS);
+    child.stdout?.setEncoding("utf8");
+    child.stdout?.on("data", (chunk) => {
+      stdout += chunk;
+    });
+    child.on("error", () => {
+      log.debug("sqlite3 CLI unavailable for Kiro DB access");
+      finish(null);
+    });
+    child.on("close", (code) => {
+      if (code === 0)
+        finish(stdout);
+      else {
+        log.debug("sqlite3 CLI failed while accessing Kiro DB");
+        finish(null);
+      }
+    });
+    child.stdin?.end(`${sql}
+`);
+  });
+}
+function parseAuthKvRows(value) {
+  if (!Array.isArray(value))
+    return null;
+  const rows = [];
+  for (const item of value) {
+    if (!item || typeof item !== "object")
+      continue;
+    const record = item;
+    if (typeof record.key === "string" && typeof record.value === "string") {
+      rows.push({ key: record.key, value: record.value });
+    }
+  }
+  return rows;
+}
+function extractActiveProfileArnFromStateRows(value) {
+  if (!Array.isArray(value))
+    return;
+  const first = value[0];
+  if (!first || typeof first !== "object")
+    return;
+  const record = first;
+  const parsed = safeJsonParse(record.value);
+  const arn = parsed?.arn || parsed?.profileArn || parsed?.profile_arn;
+  return typeof arn === "string" && arn.trim() ? arn.trim() : undefined;
+}
+function parseSqliteChanges(value) {
+  if (!Array.isArray(value))
+    return 0;
+  const first = value[0];
+  if (!first || typeof first !== "object")
+    return 0;
+  const changes = first.changes;
+  return typeof changes === "number" ? changes : 0;
+}
+async function readKiroAuthKvRowsWithSqliteCli(dbPath) {
+  const rowsRaw = await runSqliteCli(dbPath, "SELECT key, value FROM auth_kv", { readonly: true, json: true });
+  if (!rowsRaw)
+    return null;
+  return parseAuthKvRows(safeJsonParse(rowsRaw));
+}
+async function readKiroDbWithSqliteCli(dbPath) {
+  const rows = await readKiroAuthKvRowsWithSqliteCli(dbPath);
+  if (!rows)
+    return null;
+  const stateRaw = await runSqliteCli(dbPath, "SELECT value FROM state WHERE key = 'api.codewhisperer.profile'", { readonly: true, json: true });
+  const activeProfileArn = stateRaw ? extractActiveProfileArnFromStateRows(safeJsonParse(stateRaw)) : undefined;
+  return { rows, activeProfileArn };
+}
+async function writeKiroDbWithSqliteCli(dbPath, tokenKey, updatedValue) {
+  const resultRaw = await runSqliteCli(dbPath, `UPDATE auth_kv SET value = ${sqliteQuote(updatedValue)} WHERE key = ${sqliteQuote(tokenKey)}; ` + "SELECT changes() AS changes", { readonly: false, json: true });
+  return parseSqliteChanges(safeJsonParse(resultRaw)) > 0;
+}
 function findClientCreds(obj) {
   if (!obj || typeof obj !== "object")
     return {};
-  if (typeof obj.clientId === "string" && typeof obj.clientSecret === "string") {
-    return { clientId: obj.clientId, clientSecret: obj.clientSecret };
+  const id = obj.clientId ?? obj.client_id;
+  const secret = obj.clientSecret ?? obj.client_secret;
+  if (typeof id === "string" && typeof secret === "string") {
+    return { clientId: id, clientSecret: secret };
   }
   for (const key of Object.keys(obj)) {
     const result = findClientCreds(obj[key]);
@@ -156,6 +275,26 @@ function findClientCreds(obj) {
   }
   return {};
 }
+function isIdcTokenKey(key) {
+  return key.includes("odic") || key.includes("oidc") || key.includes("idc");
+}
+function isTokenRow(row) {
+  return row.key.includes(":token");
+}
+function tokenReadRank(row) {
+  return isIdcTokenKey(row.key) ? 0 : 1;
+}
+function selectKiroTokenRowForWrite(rows, creds) {
+  const tokenRows = rows.filter(isTokenRow);
+  if (!creds.tokenKey)
+    return;
+  return tokenRows.find((row) => row.key === creds.tokenKey);
+}
+function sameKiroCliCredential(left, right) {
+  if (!left || !right)
+    return false;
+  return left.source === right.source && left.tokenKey === right.tokenKey && left.accessToken === right.accessToken && left.refreshToken === right.refreshToken && left.region === right.region && left.authMethod === right.authMethod;
+}
 function extractRegionFromArn(arn) {
   if (!arn)
     return;
@@ -165,55 +304,64 @@ function extractRegionFromArn(arn) {
   const region = parts[3];
   return region && region.length > 0 ? region : undefined;
 }
-async function importFromKiroCli() {
+async function importFromKiroDb() {
   const dbPath = getKiroDbPath();
   if (!existsSync(dbPath)) {
     log.debug(`Kiro CLI DB not found at ${dbPath}`);
     return null;
   }
   try {
-    let Database;
+    let rows;
+    let activeProfileArn;
+    let Database = null;
     try {
       Database = (await import("bun:sqlite")).Database;
     } catch {
       try {
         Database = (await import("better-sqlite3")).default;
       } catch {
-        log.debug("No SQLite driver available (need bun:sqlite or better-sqlite3)");
-        return null;
+        log.debug("No SQLite driver available (need bun:sqlite or better-sqlite3); trying sqlite3 CLI");
       }
     }
-    const db = new Database(dbPath, { readonly: true });
-    try {
-      db.run?.("PRAGMA busy_timeout = 5000") ?? db.exec?.("PRAGMA busy_timeout = 5000");
-    } catch {}
-    let rows;
-    try {
-      const stmt = db.prepare("SELECT key, value FROM auth_kv");
-      rows = stmt.all();
-    } catch {
-      log.debug("Failed to read auth_kv table from Kiro DB");
+    if (Database) {
+      const db = new Database(dbPath, { readonly: true });
+      try {
+        db.run?.("PRAGMA busy_timeout = 5000") ?? db.exec?.("PRAGMA busy_timeout = 5000");
+      } catch {}
+      try {
+        const stmt = db.prepare("SELECT key, value FROM auth_kv");
+        rows = stmt.all();
+      } catch {
+        log.debug("Failed to read auth_kv table from Kiro DB");
+        try {
+          db.close();
+        } catch {}
+        return null;
+      }
+      try {
+        const stateStmt = db.prepare("SELECT value FROM state WHERE key = ?");
+        const stateRow = stateStmt.get("api.codewhisperer.profile");
+        const parsed = safeJsonParse(stateRow?.value);
+        const arn = parsed?.arn || parsed?.profileArn || parsed?.profile_arn;
+        if (typeof arn === "string" && arn.trim()) {
+          activeProfileArn = arn.trim();
+        }
+      } catch {}
       try {
         db.close();
       } catch {}
-      return null;
+    } else {
+      const snapshot = await readKiroDbWithSqliteCli(dbPath);
+      if (!snapshot)
+        return null;
+      rows = snapshot.rows;
+      activeProfileArn = snapshot.activeProfileArn;
     }
-    let activeProfileArn;
-    try {
-      const stateStmt = db.prepare("SELECT value FROM state WHERE key = ?");
-      const stateRow = stateStmt.get("api.codewhisperer.profile");
-      const parsed = safeJsonParse(stateRow?.value);
-      const arn = parsed?.arn || parsed?.profileArn || parsed?.profile_arn;
-      if (typeof arn === "string" && arn.trim()) {
-        activeProfileArn = arn.trim();
-      }
-    } catch {}
     const deviceRegRow = rows.find((r) => typeof r?.key === "string" && r.key.includes("device-registration"));
     const deviceReg = safeJsonParse(deviceRegRow?.value);
     const regCreds = deviceReg ? findClientCreds(deviceReg) : {};
-    for (const row of rows) {
-      if (!row.key.includes(":token"))
-        continue;
+    const tokenRows = rows.filter(isTokenRow).sort((a, b) => tokenReadRank(a) - tokenReadRank(b));
+    for (const row of tokenRows) {
       const data = safeJsonParse(row.value);
       if (!data)
         continue;
@@ -221,7 +369,7 @@ async function importFromKiroCli() {
       const refreshToken = data.refreshToken || data.refresh_token;
       if (!accessToken && !refreshToken)
         continue;
-      const isIdc = row.key.includes("oidc") || row.key.includes("idc");
+      const isIdc = isIdcTokenKey(row.key);
       const authMethod = isIdc ? "idc" : "desktop";
       const oidcRegion = data.region || "us-east-1";
       let profileArn = data.profile_arn || data.profileArn;
@@ -235,21 +383,17 @@ async function importFromKiroCli() {
         region: serviceRegion,
         authMethod,
         profileArn,
-        email: data.email || data.emailAddress
+        email: data.email || data.emailAddress,
+        source: "kiro-cli-db",
+        tokenKey: row.key
       };
       if (isIdc && regCreds.clientId) {
         result.clientId = regCreds.clientId;
         result.clientSecret = regCreds.clientSecret;
       }
-      try {
-        db.close();
-      } catch {}
       log.info(`Imported Kiro CLI credentials (method=${authMethod}, region=${serviceRegion}${result.email ? `, email=${result.email}` : ""})`);
       return result;
     }
-    try {
-      db.close();
-    } catch {}
     log.debug("No valid token entries found in Kiro CLI DB");
     return null;
   } catch (err) {
@@ -257,47 +401,108 @@ async function importFromKiroCli() {
     return null;
   }
 }
-async function getKiroCliCredentialsAllowExpired() {
-  return importFromKiroCli();
+function mapSsoCacheAuthMethod(value) {
+  if (typeof value !== "string")
+    return "idc";
+  const v = value.toLowerCase();
+  if (v === "builderid" || v === "builder-id")
+    return "desktop";
+  return "idc";
+}
+async function importFromKiroSsoCache() {
+  const path = getKiroSsoCachePath();
+  if (!existsSync(path)) {
+    log.debug(`Kiro SSO cache not found at ${path}`);
+    return null;
+  }
+  let raw;
+  try {
+    raw = readFileSync(path, "utf8");
+  } catch (err) {
+    log.warn(`Failed to read Kiro SSO cache at ${path}: ${err}`);
+    return null;
+  }
+  const token = safeJsonParse(raw);
+  if (!token || typeof token !== "object") {
+    log.debug(`Kiro SSO cache at ${path} is not valid JSON`);
+    return null;
+  }
+  const accessToken = typeof token.accessToken === "string" ? token.accessToken : "";
+  const refreshToken = typeof token.refreshToken === "string" ? token.refreshToken : "";
+  if (!accessToken && !refreshToken) {
+    log.debug(`Kiro SSO cache at ${path} has no tokens`);
+    return null;
+  }
+  const region = typeof token.region === "string" && token.region.length > 0 ? token.region : "us-east-1";
+  const authMethod = mapSsoCacheAuthMethod(token.authMethod);
+  log.info(`Imported Kiro SSO cache credentials (method=${authMethod}, region=${region})`);
+  return {
+    accessToken,
+    refreshToken,
+    region,
+    authMethod,
+    source: "kiro-sso-cache"
+  };
+}
+async function importFromKiroCli() {
+  const dbResult = await importFromKiroDb();
+  if (dbResult)
+    return dbResult;
+  return importFromKiroSsoCache();
+}
+async function getKiroCliCredentialsAllowExpired(exclude) {
+  const imported = await importFromKiroCli();
+  return sameKiroCliCredential(imported, exclude ?? null) ? null : imported;
 }
 async function saveKiroCliCredentials(creds) {
+  if (creds.source !== "kiro-cli-db" || !creds.tokenKey) {
+    log.debug("Credential write-back skipped: credential did not originate from kiro-cli DB");
+    return false;
+  }
   const dbPath = getKiroDbPath();
   if (!existsSync(dbPath)) {
     log.debug(`Kiro CLI DB not found at ${dbPath} — cannot save credentials`);
     return false;
   }
   try {
-    let Database;
+    let Database = null;
     try {
       Database = (await import("bun:sqlite")).Database;
     } catch {
       try {
         Database = (await import("better-sqlite3")).default;
       } catch {
-        log.debug("No SQLite driver available for credential write-back");
-        return false;
+        log.debug("No SQLite driver available for credential write-back; trying sqlite3 CLI");
       }
     }
-    const db = new Database(dbPath);
-    try {
-      db.run?.("PRAGMA busy_timeout = 5000") ?? db.exec?.("PRAGMA busy_timeout = 5000");
-    } catch {}
     let rows;
-    try {
-      const stmt = db.prepare("SELECT key, value FROM auth_kv");
-      rows = stmt.all();
-    } catch {
-      log.debug("Failed to read auth_kv table for credential write-back");
+    let db = null;
+    if (Database) {
+      db = new Database(dbPath);
       try {
-        db.close();
+        db.run?.("PRAGMA busy_timeout = 5000") ?? db.exec?.("PRAGMA busy_timeout = 5000");
       } catch {}
-      return false;
+      try {
+        const stmt = db.prepare("SELECT key, value FROM auth_kv");
+        rows = stmt.all();
+      } catch {
+        log.debug("Failed to read auth_kv table for credential write-back");
+        try {
+          db.close();
+        } catch {}
+        return false;
+      }
+    } else {
+      const cliRows = await readKiroAuthKvRowsWithSqliteCli(dbPath);
+      if (!cliRows)
+        return false;
+      rows = cliRows;
     }
-    const tokenRow = rows.find((r) => r.key.includes(":token"));
+    const tokenRow = selectKiroTokenRowForWrite(rows, creds);
     if (!tokenRow) {
-      log.debug("No token entry found in auth_kv — cannot write back");
+      log.debug("No matching token entry found in auth_kv — cannot write back");
       try {
-        db.close();
+        db?.close();
       } catch {}
       return false;
     }
@@ -309,19 +514,26 @@ async function saveKiroCliCredentials(creds) {
       refreshToken: creds.refreshToken,
       refresh_token: creds.refreshToken
     };
-    try {
-      const updateStmt = db.prepare("UPDATE auth_kv SET value = ? WHERE key = ?");
-      updateStmt.run(JSON.stringify(updated), tokenRow.key);
-    } catch (err) {
-      log.warn(`Failed to write credentials back to Kiro CLI DB: ${err}`);
+    const updatedValue = JSON.stringify(updated);
+    if (db) {
+      try {
+        const updateStmt = db.prepare("UPDATE auth_kv SET value = ? WHERE key = ?");
+        updateStmt.run(updatedValue, tokenRow.key);
+      } catch (err) {
+        log.warn(`Failed to write credentials back to Kiro CLI DB: ${err}`);
+        try {
+          db.close();
+        } catch {}
+        return false;
+      }
       try {
         db.close();
       } catch {}
-      return false;
+    } else {
+      const wrote = await writeKiroDbWithSqliteCli(dbPath, tokenRow.key, updatedValue);
+      if (!wrote)
+        return false;
     }
-    try {
-      db.close();
-    } catch {}
     log.info("Wrote refreshed credentials back to Kiro CLI DB");
     return true;
   } catch (err) {
@@ -329,6 +541,7 @@ async function saveKiroCliCredentials(creds) {
     return false;
   }
 }
+var SQLITE_CLI_TIMEOUT_MS = 5000;
 var init_kiro_cli_sync = __esm(() => {
   init_debug();
 });
@@ -1611,8 +1824,9 @@ ${currentContent}`;
         let transientRetryCount = 0;
         let contextTruncationAttempt = 0;
         while (true) {
-          const mid = crypto.randomUUID().replace(/-/g, "");
-          const ua = `aws-sdk-rust/1.0.0 ua/2.1 os/other lang/rust api/codewhispererstreaming#1.28.3 m/E app/AmazonQ-For-CLI md/appVersion-1.28.3-${mid}`;
+          const osName = resolveOS();
+          const ua = `aws-sdk-rust/1.3.15 ua/2.1 api/codewhispererstreaming/0.1.16551 os/${osName} lang/rust/1.92.0 md/appVersion-2.7.1 app/AmazonQ-For-CLI`;
+          const xAmzUa = `aws-sdk-rust/1.3.15 ua/2.1 api/codewhispererstreaming/0.1.16551 os/${osName} lang/rust/1.92.0 m/F app/AmazonQ-For-CLI`;
           const requestBody = JSON.stringify(request);
           const requestShape = log.isDebug() ? summarizeKiroRequest(request, requestBody) : undefined;
           if (requestShape)
@@ -1630,15 +1844,17 @@ ${currentContent}`;
             method: "POST",
             headers: {
               "Content-Type": "application/x-amz-json-1.0",
-              Accept: "application/json",
+              Accept: "*/*",
+              "Accept-Encoding": "gzip",
               Authorization: `Bearer ${accessToken}`,
               "X-Amz-Target": "AmazonCodeWhispererStreamingService.GenerateAssistantResponse",
               "x-amzn-codewhisperer-optout": "true",
               "amz-sdk-invocation-id": crypto.randomUUID(),
-              "amz-sdk-request": "attempt=1; max=1",
-              "x-amzn-kiro-agent-mode": "vibe",
-              "x-amz-user-agent": ua,
-              "user-agent": ua
+              "amz-sdk-request": "attempt=1; max=3",
+              "user-agent": ua,
+              "x-amz-user-agent": xAmzUa,
+              Pragma: "no-cache",
+              "Cache-Control": "no-cache"
             },
             body: requestBody,
             signal: options?.signal
@@ -2518,7 +2734,7 @@ async function loginKiro(callbacks) {
     options: [
       { id: "builder-id", label: "AWS Builder ID (personal account)" },
       { id: "idc", label: "IAM Identity Center (enterprise SSO)" },
-      { id: "sync", label: "Import from Kiro IDE (auto-sync local DB)" },
+      { id: "sync", label: "Import from Kiro CLI/IDE (auto-sync local DB)" },
       { id: "desktop", label: "Desktop refresh token (manual)" }
     ]
   });
@@ -2570,16 +2786,7 @@ Alternatively, use 'desktop' to paste a refresh token manually.`);
   } catch (err) {
     log.warn(`Failed to fetch models after CLI sync: ${err}`);
   }
-  const refreshPacked = imported.clientId ? `${imported.refreshToken}|${imported.clientId}|${imported.clientSecret ?? ""}|${imported.authMethod}` : `${imported.refreshToken}|||desktop`;
-  return {
-    refresh: refreshPacked,
-    access: imported.accessToken,
-    expires: Date.now() + 3600000 - EXPIRES_BUFFER_MS,
-    clientId: imported.clientId ?? "",
-    clientSecret: imported.clientSecret ?? "",
-    region: imported.region,
-    authMethod: imported.authMethod
-  };
+  return kiroCredsFromCliImport(imported);
 }
 async function loginDesktopManual(callbacks) {
   const refreshRaw = await callbacks.onPrompt({
@@ -2654,13 +2861,19 @@ Complete authorization within 10 minutes.`
   };
 }
 async function syncBackToKiroCli(result) {
+  if (result.kiroSyncSource !== "kiro-cli-db" || !result.kiroSyncTokenKey) {
+    log.debug("Credential sync-back skipped: credential did not originate from kiro-cli DB");
+    return;
+  }
   try {
     const { saveKiroCliCredentials: saveKiroCliCredentials2 } = await Promise.resolve().then(() => (init_kiro_cli_sync(), exports_kiro_cli_sync));
     const synced = await saveKiroCliCredentials2({
       accessToken: result.access,
       refreshToken: result.refresh.split("|")[0] ?? "",
       region: result.region,
-      authMethod: result.authMethod === "builder-id" ? "idc" : result.authMethod
+      authMethod: result.authMethod === "builder-id" ? "idc" : result.authMethod,
+      source: result.kiroSyncSource,
+      tokenKey: result.kiroSyncTokenKey
     });
     if (synced)
       log.info("Synced refreshed credentials back to Kiro CLI DB");
@@ -2669,8 +2882,9 @@ async function syncBackToKiroCli(result) {
   }
 }
 function kiroCredsFromCliImport(imported) {
-  const authMethod = imported.authMethod === "idc" ? "idc" : "desktop";
-  const refreshPacked = imported.clientId ? `${imported.refreshToken}|${imported.clientId}|${imported.clientSecret ?? ""}|${authMethod}` : `${imported.refreshToken}|||desktop`;
+  const hasOidcCreds = !!imported.clientId && !!imported.clientSecret;
+  const authMethod = hasOidcCreds && imported.authMethod === "idc" ? "idc" : "desktop";
+  const refreshPacked = hasOidcCreds ? `${imported.refreshToken}|${imported.clientId}|${imported.clientSecret ?? ""}|${authMethod}` : `${imported.refreshToken}|||desktop`;
   return {
     refresh: refreshPacked,
     access: imported.accessToken,
@@ -2678,7 +2892,9 @@ function kiroCredsFromCliImport(imported) {
     clientId: imported.clientId ?? "",
     clientSecret: imported.clientSecret ?? "",
     region: imported.region,
-    authMethod
+    authMethod,
+    kiroSyncSource: imported.source,
+    kiroSyncTokenKey: imported.tokenKey
   };
 }
 async function refreshTokenInner(credentials) {
@@ -2721,7 +2937,9 @@ async function refreshTokenInner(credentials) {
       clientId: "",
       clientSecret: "",
       region,
-      authMethod: "desktop"
+      authMethod: "desktop",
+      kiroSyncSource: credentials.kiroSyncSource,
+      kiroSyncTokenKey: credentials.kiroSyncTokenKey
     };
   }
   const endpoint = `https://oidc.${region}.amazonaws.com/token`;
@@ -2750,7 +2968,9 @@ async function refreshTokenInner(credentials) {
     clientId,
     clientSecret,
     region,
-    authMethod
+    authMethod,
+    kiroSyncSource: credentials.kiroSyncSource,
+    kiroSyncTokenKey: credentials.kiroSyncTokenKey
   };
 }
 async function refreshKiroToken(credentials) {
@@ -2812,14 +3032,15 @@ async function refreshKiroToken(credentials) {
   try {
     log.debug("refresh.cascade: layer 4 — expired kiro-cli import");
     const { getKiroCliCredentialsAllowExpired: getKiroCliCredentialsAllowExpired2 } = await Promise.resolve().then(() => (init_kiro_cli_sync(), exports_kiro_cli_sync));
-    expiredImport = await getKiroCliCredentialsAllowExpired2();
-    if (expiredImport?.accessToken && expiredImport !== freshImport) {
+    expiredImport = await getKiroCliCredentialsAllowExpired2(freshImport);
+    if (expiredImport?.accessToken) {
       const result = kiroCredsFromCliImport(expiredImport);
       log.info("refresh.cascade: layer 4 succeeded — using expired kiro-cli credentials");
       return result;
+    } else {
+      errors.push("L4(expired-import): no different expired credentials");
+      log.debug("refresh.cascade: layer 4 — no additional expired credentials");
     }
-    errors.push("L4(expired-import): no different expired credentials");
-    log.debug("refresh.cascade: layer 4 — no additional expired credentials");
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
     errors.push(`L4(expired-import): ${msg}`);