@javargasm/pi-kiro 0.4.4 → 0.4.5

package/CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## 0.4.5
+
+### Patch Changes
+
+- fix: resolve profileArn automatically for Builder ID accounts
+
+  Builder ID device-code login never receives a profileArn, which prevented
+  model fetching and streaming. Now the startup resolves it via
+  `ListAvailableProfiles` and persists it to auth.json.
+
 ## 0.4.4
 
 ### Patch Changes

package/dist/core.js

@@ -897,6 +897,24 @@ var kiroModels = [
     maxTokens: 65536
   }
 ];
+async function resolveProfileArn(accessToken, apiRegion) {
+  const resp = await fetch(`https://management.${apiRegion}.kiro.dev/`, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+      "Content-Type": "application/x-amz-json-1.0",
+      "X-Amz-Target": "AmazonCodeWhispererService.ListAvailableProfiles",
+      "User-Agent": "pi-kiro"
+    },
+    body: "{}"
+  });
+  if (!resp.ok)
+    return null;
+  const data = await resp.json();
+  const profiles = data.profiles ?? [];
+  const kiroProfile = profiles.find((p) => p.profileType === "KIRO" && p.status === "ACTIVE");
+  return kiroProfile?.arn ?? profiles[0]?.arn ?? null;
+}
 async function fetchAvailableModels(accessToken, apiRegion, profileArn) {
   const url = `https://management.${apiRegion}.kiro.dev/?origin=KIRO_CLI&profileArn=${encodeURIComponent(profileArn)}`;
   const resp = await fetch(url, {
@@ -980,6 +998,8 @@ function setCachedDynamicModels(models) {
 }
 
 // src/oauth.ts
+import { createServer } from "node:http";
+import { randomBytes, createHash } from "node:crypto";
 var BUILDER_ID_START_URL = "https://view.awsapps.com/start";
 var BUILDER_ID_REGION = "us-east-1";
 var SSO_SCOPES = [
@@ -1089,6 +1109,415 @@ async function pollForToken(oidcEndpoint, clientId, clientSecret, devAuth, signa
   }
   throw new Error("Authorization timed out");
 }
+var KIRO_SOCIAL_PORTAL = "https://app.kiro.dev";
+var KIRO_SOCIAL_AUTH_ENDPOINT = `https://prod.${BUILDER_ID_REGION}.auth.desktop.kiro.dev`;
+var SOCIAL_REDIRECT_PORT = 49153;
+var SOCIAL_REDIRECT_URI = `http://localhost:${SOCIAL_REDIRECT_PORT}`;
+function generateRandomState() {
+  return randomBytes(16).toString("base64url");
+}
+function generateCodeVerifier() {
+  return randomBytes(32).toString("base64url");
+}
+function generateCodeChallenge(verifier) {
+  return createHash("sha256").update(verifier).digest("base64url");
+}
+function buildSocialSignInURL(redirectUri, codeChallenge, state) {
+  const params = new URLSearchParams;
+  params.set("code_challenge", codeChallenge);
+  params.set("code_challenge_method", "S256");
+  params.set("redirect_from", "kirocli");
+  params.set("redirect_uri", redirectUri);
+  params.set("state", state);
+  return `${KIRO_SOCIAL_PORTAL}/signin?${params.toString()}`;
+}
+function parseAuthRedirectInput(input) {
+  const trimmed = input.trim();
+  if (!trimmed)
+    return {};
+  try {
+    const url = new URL(trimmed);
+    return {
+      code: url.searchParams.get("code") ?? undefined,
+      state: url.searchParams.get("state") ?? undefined
+    };
+  } catch {
+    return { code: trimmed };
+  }
+}
+function buildTokenRedirectUri(callbackPath, loginOption) {
+  const path = callbackPath || "/oauth/callback";
+  const base = `${SOCIAL_REDIRECT_URI}${path}`;
+  if (loginOption) {
+    return `${base}?login_option=${encodeURIComponent(loginOption)}`;
+  }
+  return base;
+}
+function oauthCallbackPage(kind, title, message, redirectUrl = "https://app.kiro.dev") {
+  const borderColor = kind === "success" ? "#22c55e" : "#ef4444";
+  const iconSvg = kind === "success" ? `<svg width="20" height="20" viewBox="0 0 20 20" fill="none"><path d="M16.67 5L7.5 14.17 3.33 10" stroke="#22c55e" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/></svg>` : `<svg width="20" height="20" viewBox="0 0 20 20" fill="none"><path d="M15 5L5 15M5 5l10 10" stroke="#ef4444" stroke-width="2" stroke-linecap="round"/></svg>`;
+  const ghostSvg = `<svg width="56" height="56" viewBox="0 0 100 100" fill="none" xmlns="http://www.w3.org/2000/svg">
+    <path d="M50 5C28.5 5 11 22.5 11 44v36c0 2.8 1.2 5.4 3.2 7.2 2 1.8 4.7 2.6 7.4 2.2l3.4-.5c3.2-.5 6.5.4 9 2.5l2.2 1.8c2.4 2 5.4 3 8.5 3h10.6c3.1 0 6.1-1.1 8.5-3l2.2-1.8c2.5-2.1 5.8-3 9-2.5l3.4.5c2.7.4 5.4-.4 7.4-2.2 2-1.8 3.2-4.4 3.2-7.2V44C89 22.5 71.5 5 50 5z" fill="white"/>
+    <circle cx="37" cy="45" r="7" fill="#0a0a0a"/>
+    <circle cx="63" cy="45" r="7" fill="#0a0a0a"/>
+  </svg>`;
+  const redirectHost = (() => {
+    try {
+      return new URL(redirectUrl).hostname;
+    } catch {
+      return redirectUrl;
+    }
+  })();
+  const countdownHtml = kind === "success" ? `
+    <div class="countdown" id="countdown">
+      <svg class="ring" viewBox="0 0 60 60">
+        <circle cx="30" cy="30" r="26" stroke="#1a1a1a" stroke-width="3" fill="none"/>
+        <circle id="ring-progress" cx="30" cy="30" r="26" stroke="#22c55e" stroke-width="3" fill="none"
+          stroke-dasharray="163.36" stroke-dashoffset="0" stroke-linecap="round"
+          transform="rotate(-90 30 30)" style="transition:stroke-dashoffset 1s linear"/>
+      </svg>
+      <span class="countdown-num" id="countdown-num">3</span>
+    </div>
+    <p class="subtitle">Redirecting to <strong>${redirectHost}</strong>…</p>
+    <script>
+      (function(){
+        var n=3, el=document.getElementById('countdown-num'),
+            ring=document.getElementById('ring-progress'), circ=163.36;
+        function tick(){
+          if(n<=0){window.location.href=${JSON.stringify(redirectUrl)};return}
+          el.textContent=n;
+          ring.setAttribute('stroke-dashoffset', String(circ*(1-n/3)));
+          n--;
+          setTimeout(tick,1000);
+        }
+        tick();
+      })();
+    </script>` : `<p class="subtitle">Please close this window and try again</p>`;
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>PI-KIRO — Authentication</title>
+  <style>
+    *{margin:0;padding:0;box-sizing:border-box}
+    body{background:#0a0a0a;color:#e5e5e5;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;text-align:center}
+    .container{max-width:420px;padding:2rem}
+    .logo{display:flex;align-items:center;justify-content:center;gap:16px;margin-bottom:48px}
+    .logo-text{font-size:42px;font-weight:700;letter-spacing:6px;color:#7c3aed;font-family:'Courier New',monospace}
+    .status-box{border:1.5px solid ${borderColor};border-radius:12px;padding:20px 28px;display:flex;align-items:flex-start;gap:14px;text-align:left;margin-bottom:20px;background:rgba(${kind === "success" ? "34,197,94" : "239,68,68"},0.04)}
+    .status-icon{flex-shrink:0;margin-top:2px}
+    .status-title{font-size:15px;font-weight:600;color:${borderColor};margin-bottom:4px}
+    .status-msg{font-size:13px;color:#a3a3a3;line-height:1.4}
+    .subtitle{font-size:13px;color:#737373;margin-top:4px}
+    .subtitle strong{color:#a3a3a3}
+    .countdown{position:relative;width:60px;height:60px;margin:24px auto 12px}
+    .ring{width:60px;height:60px}
+    .countdown-num{position:absolute;inset:0;display:flex;align-items:center;justify-content:center;font-size:24px;font-weight:700;color:#22c55e;font-variant-numeric:tabular-nums}
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="logo">
+      ${ghostSvg}
+      <span class="logo-text">PI-KIRO</span>
+    </div>
+    <div class="status-box">
+      <span class="status-icon">${iconSvg}</span>
+      <div>
+        <div class="status-title">${title}</div>
+        <div class="status-msg">${message}</div>
+      </div>
+    </div>
+    ${countdownHtml}
+  </div>
+</body>
+</html>`;
+}
+function oauthIdcDelegationPage() {
+  const ghostSvg = `<svg width="56" height="56" viewBox="0 0 100 100" fill="none" xmlns="http://www.w3.org/2000/svg">
+    <path d="M50 5C28.5 5 11 22.5 11 44v36c0 2.8 1.2 5.4 3.2 7.2 2 1.8 4.7 2.6 7.4 2.2l3.4-.5c3.2-.5 6.5.4 9 2.5l2.2 1.8c2.4 2 5.4 3 8.5 3h10.6c3.1 0 6.1-1.1 8.5-3l2.2-1.8c2.5-2.1 5.8-3 9-2.5l3.4.5c2.7.4 5.4-.4 7.4-2.2 2-1.8 3.2-4.4 3.2-7.2V44C89 22.5 71.5 5 50 5z" fill="white"/>
+    <circle cx="37" cy="45" r="7" fill="#0a0a0a"/>
+    <circle cx="63" cy="45" r="7" fill="#0a0a0a"/>
+  </svg>`;
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>PI-KIRO — Enterprise Sign-In</title>
+  <style>
+    *{margin:0;padding:0;box-sizing:border-box}
+    body{background:#0a0a0a;color:#e5e5e5;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;text-align:center}
+    .container{max-width:420px;padding:2rem}
+    .logo{display:flex;align-items:center;justify-content:center;gap:16px;margin-bottom:48px}
+    .logo-text{font-size:42px;font-weight:700;letter-spacing:6px;color:#7c3aed;font-family:'Courier New',monospace}
+    .status-box{border:1.5px solid #22c55e;border-radius:12px;padding:20px 28px;display:flex;align-items:flex-start;gap:14px;text-align:left;margin-bottom:20px;background:rgba(34,197,94,0.04)}
+    .status-icon{flex-shrink:0;margin-top:2px}
+    .status-title{font-size:15px;font-weight:600;color:#22c55e;margin-bottom:4px}
+    .status-msg{font-size:13px;color:#a3a3a3;line-height:1.4}
+    .subtitle{font-size:13px;color:#737373;margin-top:4px}
+    .subtitle strong{color:#a3a3a3}
+    .spinner{width:28px;height:28px;border:3px solid #1a1a1a;border-top-color:#22c55e;border-radius:50%;animation:spin 0.8s linear infinite;margin:24px auto 12px}
+    @keyframes spin{to{transform:rotate(360deg)}}
+    .countdown{position:relative;width:60px;height:60px;margin:24px auto 12px;display:none}
+    .ring{width:60px;height:60px}
+    .countdown-num{position:absolute;inset:0;display:flex;align-items:center;justify-content:center;font-size:24px;font-weight:700;color:#22c55e;font-variant-numeric:tabular-nums}
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="logo">
+      ${ghostSvg}
+      <span class="logo-text">PI-KIRO</span>
+    </div>
+    <div class="status-box">
+      <span class="status-icon"><svg width="20" height="20" viewBox="0 0 20 20" fill="none"><path d="M16.67 5L7.5 14.17 3.33 10" stroke="#22c55e" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/></svg></span>
+      <div>
+        <div class="status-title">Enterprise sign-in</div>
+        <div class="status-msg" id="status-msg">Preparing device authorization…</div>
+      </div>
+    </div>
+    <div class="spinner" id="spinner"></div>
+    <div class="countdown" id="countdown">
+      <svg class="ring" viewBox="0 0 60 60">
+        <circle cx="30" cy="30" r="26" stroke="#1a1a1a" stroke-width="3" fill="none"/>
+        <circle id="ring-progress" cx="30" cy="30" r="26" stroke="#22c55e" stroke-width="3" fill="none"
+          stroke-dasharray="163.36" stroke-dashoffset="0" stroke-linecap="round"
+          transform="rotate(-90 30 30)" style="transition:stroke-dashoffset 1s linear"/>
+      </svg>
+      <span class="countdown-num" id="countdown-num">3</span>
+    </div>
+    <p class="subtitle" id="subtitle">Waiting for device authorization…</p>
+    <script>
+      (function(){
+        var msg=document.getElementById('status-msg'),
+            spinner=document.getElementById('spinner'),
+            cd=document.getElementById('countdown'),
+            cdNum=document.getElementById('countdown-num'),
+            ring=document.getElementById('ring-progress'),
+            sub=document.getElementById('subtitle'),
+            circ=163.36;
+
+        function poll(){
+          fetch('/idc-verify').then(function(r){return r.json()}).then(function(d){
+            if(d.url){
+              spinner.style.display='none';
+              cd.style.display='block';
+              msg.textContent='Device authorization ready';
+              try{sub.innerHTML='Redirecting to <strong>'+new URL(d.url).hostname+'</strong>…'}catch(e){}
+              countdown(3,d.url);
+            } else {
+              setTimeout(poll,500);
+            }
+          }).catch(function(){setTimeout(poll,1000)});
+        }
+
+        function countdown(n,url){
+          if(n<=0){window.location.href=url;return}
+          cdNum.textContent=n;
+          ring.setAttribute('stroke-dashoffset',String(circ*(1-n/3)));
+          setTimeout(function(){countdown(n-1,url)},1000);
+        }
+
+        poll();
+      })();
+    </script>
+  </div>
+</body>
+</html>`;
+}
+function startCallbackServer(expectedState) {
+  return new Promise((resolve2, reject) => {
+    let settleWait;
+    const waitForCodePromise = new Promise((res) => {
+      settleWait = res;
+    });
+    let idcVerifyUrl = null;
+    const server = createServer((req, res) => {
+      try {
+        const url = new URL(req.url ?? "", SOCIAL_REDIRECT_URI);
+        if (url.pathname === "/idc-verify") {
+          res.writeHead(200, {
+            "Content-Type": "application/json",
+            "Access-Control-Allow-Origin": "*",
+            "Cache-Control": "no-store"
+          });
+          res.end(JSON.stringify({ url: idcVerifyUrl }));
+          return;
+        }
+        const code = url.searchParams.get("code");
+        const state = url.searchParams.get("state");
+        const loginOption = url.searchParams.get("login_option");
+        const issuerUrl = url.searchParams.get("issuer_url");
+        const idcRegion = url.searchParams.get("idc_region");
+        const isIdcDelegation = loginOption === "awsidc" && !!issuerUrl && !!state;
+        if (!state || !code && !isIdcDelegation) {
+          res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+          res.end("");
+          return;
+        }
+        if (state !== expectedState) {
+          res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+          res.end(oauthCallbackPage("error", "State mismatch", "The OAuth state parameter did not match. Please try logging in again."));
+          return;
+        }
+        res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+        if (isIdcDelegation) {
+          res.end(oauthIdcDelegationPage());
+        } else {
+          res.end(oauthCallbackPage("success", "Request approved", "PI-KIRO has been given requested permissions."));
+        }
+        settleWait?.({
+          code,
+          state,
+          callbackPath: url.pathname,
+          loginOption,
+          issuerUrl: issuerUrl ?? undefined,
+          idcRegion: idcRegion ?? undefined
+        });
+      } catch {
+        res.writeHead(500, { "Content-Type": "text/plain; charset=utf-8" });
+        res.end("Internal error");
+      }
+    });
+    server.on("error", (err) => {
+      reject(err);
+    });
+    server.listen(SOCIAL_REDIRECT_PORT, "localhost", () => {
+      resolve2({
+        server,
+        redirectUri: SOCIAL_REDIRECT_URI,
+        cancelWait: () => {
+          settleWait?.(null);
+        },
+        waitForCode: () => waitForCodePromise,
+        setIdcVerifyUrl: (url) => {
+          idcVerifyUrl = url;
+        }
+      });
+    });
+  });
+}
+async function runSocialSignInFlow(callbacks) {
+  const verifier = generateCodeVerifier();
+  const challenge = generateCodeChallenge(verifier);
+  const state = generateRandomState();
+  const callbackServer = await startCallbackServer(state);
+  try {
+    const signInUrl = buildSocialSignInURL(callbackServer.redirectUri, challenge, state);
+    callbacks.onAuth({
+      url: signInUrl,
+      instructions: "Complete sign-in in your browser."
+    });
+    callbacks.onProgress?.("Waiting for browser sign-in…");
+    let code;
+    let tokenRedirectUri = SOCIAL_REDIRECT_URI;
+    let callbackResult = null;
+    if (callbacks.onManualCodeInput) {
+      let manualInput;
+      let manualError;
+      const manualPromise = callbacks.onManualCodeInput().then((input) => {
+        manualInput = input;
+        callbackServer.cancelWait();
+      }).catch((err) => {
+        manualError = err instanceof Error ? err : new Error(String(err));
+        callbackServer.cancelWait();
+      });
+      callbackResult = await callbackServer.waitForCode();
+      if (manualError)
+        throw manualError;
+      if (callbackResult?.loginOption !== "awsidc" || !callbackResult.issuerUrl) {
+        if (callbackResult?.code) {
+          code = callbackResult.code;
+          tokenRedirectUri = buildTokenRedirectUri(callbackResult.callbackPath, callbackResult.loginOption);
+        } else if (manualInput) {
+          code = parseAuthRedirectInput(manualInput).code;
+        }
+        if (!code) {
+          await manualPromise;
+          if (manualError)
+            throw manualError;
+          if (manualInput) {
+            code = parseAuthRedirectInput(manualInput).code;
+          }
+        }
+      }
+    } else {
+      callbackResult = await callbackServer.waitForCode();
+      if (callbackResult?.code) {
+        code = callbackResult.code;
+        tokenRedirectUri = buildTokenRedirectUri(callbackResult.callbackPath, callbackResult.loginOption);
+      }
+    }
+    if (callbackResult?.loginOption === "awsidc" && callbackResult.issuerUrl) {
+      callbacks.onProgress?.("Enterprise sign-in detected — starting device authorization…");
+      const idcRegion = callbackResult.idcRegion || BUILDER_ID_REGION;
+      const wrappedCallbacks = {
+        ...callbacks,
+        onAuth: (info) => {
+          callbackServer.setIdcVerifyUrl(info.url);
+          callbacks.onAuth(info);
+        }
+      };
+      try {
+        return await runDeviceCodeFlow(wrappedCallbacks, callbackResult.issuerUrl, [idcRegion], "idc");
+      } finally {
+        callbackServer.server.close();
+      }
+    }
+    if (!code) {
+      const input = await callbacks.onPrompt({
+        message: "Paste the authorization code or the full redirect URL:",
+        placeholder: SOCIAL_REDIRECT_URI
+      });
+      code = parseAuthRedirectInput(input).code;
+    }
+    if (!code) {
+      throw new Error("Missing authorization code — sign-in was not completed");
+    }
+    callbacks.onProgress?.("Exchanging authorization code…");
+    const resp = await fetch(`${KIRO_SOCIAL_AUTH_ENDPOINT}/oauth/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json", "User-Agent": "pi-kiro" },
+      body: JSON.stringify({
+        code,
+        code_verifier: verifier,
+        redirect_uri: tokenRedirectUri
+      })
+    });
+    if (!resp.ok) {
+      const body = await resp.text().catch(() => "");
+      throw new Error(`Token exchange failed: ${resp.status} ${body}`);
+    }
+    const data = await resp.json();
+    if (!data.accessToken || !data.refreshToken) {
+      throw new Error("Token exchange returned no tokens");
+    }
+    if (data.profileArn) {
+      try {
+        const apiRegion = resolveApiRegion(BUILDER_ID_REGION);
+        const apiModels = await fetchAvailableModels(data.accessToken, apiRegion, data.profileArn);
+        setCachedDynamicModels(buildModelsFromApi(apiModels));
+        log.info(`Fetched and cached ${apiModels.length} models after social sign-in`);
+      } catch (err) {
+        log.warn(`Failed to fetch models after social sign-in: ${err}`);
+      }
+    }
+    return {
+      refresh: `${data.refreshToken}|||social`,
+      access: data.accessToken,
+      expires: Date.now() + (data.expiresIn ?? 3600) * 1000 - EXPIRES_BUFFER_MS,
+      clientId: "",
+      clientSecret: "",
+      region: BUILDER_ID_REGION,
+      authMethod: "social",
+      profileArn: data.profileArn
+    };
+  } finally {
+    callbackServer.server.close();
+  }
+}
 async function loginKiro(callbacks) {
   const method = await callbacks.onSelect({
     message: "Select login method:",
@@ -1108,7 +1537,7 @@ async function loginKiro(callbacks) {
     return loginDesktopManual(callbacks);
   }
   if (method === "builder-id") {
-    return runDeviceCodeFlow(callbacks, BUILDER_ID_START_URL, [BUILDER_ID_REGION], "builder-id");
+    return runSocialSignInFlow(callbacks);
   }
   const startUrl = (await callbacks.onPrompt({
     message: "Paste your IAM Identity Center start URL:",
@@ -1226,7 +1655,7 @@ async function syncBackToKiroCli(result) {
       accessToken: result.access,
       refreshToken: result.refresh.split("|")[0] ?? "",
       region: result.region,
-      authMethod: result.authMethod === "builder-id" ? "idc" : result.authMethod,
+      authMethod: result.authMethod === "builder-id" || result.authMethod === "social" ? "desktop" : result.authMethod,
       source: result.kiroSyncSource,
       tokenKey: result.kiroSyncTokenKey
     });
@@ -1263,10 +1692,10 @@ async function refreshTokenInner(credentials) {
   if (!refreshToken || !region) {
     throw new Error("Refresh token is missing region — re-login required");
   }
-  if (authMethod !== "desktop" && (!clientId || !clientSecret)) {
+  if (authMethod !== "desktop" && authMethod !== "social" && (!clientId || !clientSecret)) {
     throw new Error("Refresh token is missing clientId/clientSecret — re-login required");
   }
-  if (authMethod === "desktop") {
+  if (authMethod === "desktop" || authMethod === "social") {
     const desktopEndpoint = `https://prod.${region}.auth.desktop.kiro.dev/refreshToken`;
     const resp2 = await fetch(desktopEndpoint, {
       method: "POST",
@@ -1289,13 +1718,13 @@ async function refreshTokenInner(credentials) {
       }
     }
     return {
-      refresh: `${data2.refreshToken}|||desktop`,
+      refresh: `${data2.refreshToken}|||${authMethod}`,
       access: data2.accessToken,
       expires: Date.now() + (data2.expiresIn ?? 3600) * 1000 - EXPIRES_BUFFER_MS,
       clientId: "",
       clientSecret: "",
       region,
-      authMethod: "desktop",
+      authMethod,
       profileArn: credentials.profileArn,
       kiroSyncSource: credentials.kiroSyncSource,
       kiroSyncTokenKey: credentials.kiroSyncTokenKey
@@ -1337,8 +1766,8 @@ async function refreshTokenInner(credentials) {
 }
 async function refreshKiroToken(credentials) {
   const inputMethod = credentials.authMethod;
-  const authMethod = inputMethod === "builder-id" || inputMethod === "idc" || inputMethod === "desktop" ? inputMethod : "idc";
-  if (inputMethod !== undefined && inputMethod !== "builder-id" && inputMethod !== "idc" && inputMethod !== "desktop") {
+  const authMethod = inputMethod === "builder-id" || inputMethod === "idc" || inputMethod === "desktop" || inputMethod === "social" ? inputMethod : "idc";
+  if (inputMethod !== undefined && inputMethod !== "builder-id" && inputMethod !== "idc" && inputMethod !== "desktop" && inputMethod !== "social") {
     log.warn(`refreshKiroToken: unrecognized authMethod "${String(inputMethod)}" — defaulting to "idc"`);
   }
   const baseCreds = {
@@ -1868,7 +2297,7 @@ function countTokens(text) {
 }
 
 // src/transform.ts
-import { createHash } from "node:crypto";
+import { createHash as createHash2 } from "node:crypto";
 function normalizeMessages(messages) {
   return messages.filter((msg) => msg.role !== "assistant" || msg.stopReason !== "error" && msg.stopReason !== "aborted");
 }
@@ -1921,7 +2350,7 @@ var KIRO_TOOL_USE_ID_RE = /^tooluse_[A-Za-z0-9]+$/;
 function toKiroToolUseId(id) {
   if (KIRO_TOOL_USE_ID_RE.test(id))
     return id;
-  const digest = createHash("sha256").update(id).digest("hex").slice(0, 22);
+  const digest = createHash2("sha256").update(id).digest("hex").slice(0, 22);
   return `tooluse_${digest}`;
 }
 function convertImagesToKiro(images) {

package/dist/extension.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"extension.d.ts","sourceRoot":"","sources":["../src/extension.ts"],"names":[],"mappings":"AAmBA,OAAO,KAAK,EACV,GAAG,EACH,2BAA2B,EAC3B,OAAO,EACP,KAAK,EACL,gBAAgB,EAChB,mBAAmB,EACnB,mBAAmB,EACpB,MAAM,uBAAuB,CAAC;AAsB/B,UAAU,mBAAmB;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,GAAG,CAAC;IACV,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,EAAE,CAAC,MAAM,GAAG,OAAO,CAAC,EAAE,CAAC;IAC5B,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;IAC/E,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,MAAM,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC;IAC9B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,gBAAgB,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC;CAC3D;AAED,UAAU,cAAc;IACtB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,GAAG,CAAC;IACV,YAAY,CAAC,EAAE,CACb,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,EACjB,OAAO,EAAE,OAAO,EAChB,OAAO,CAAC,EAAE,mBAAmB,KAC1B,2BAA2B,CAAC;IACjC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,MAAM,CAAC,EAAE,mBAAmB,EAAE,CAAC;IAC/B,KAAK,CAAC,EAAE;QACN,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,EAAE,CAAC,SAAS,EAAE,mBAAmB,KAAK,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACrE,YAAY,EAAE,CAAC,WAAW,EAAE,gBAAgB,KAAK,OAAO,CAAC,gBAAgB,CAAC,CAAC;QAC3E,SAAS,EAAE,CAAC,WAAW,EAAE,gBAAgB,KAAK,MAAM,CAAC;QACrD,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,WAAW,EAAE,gBAAgB,KAAK,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;KACtF,CAAC;CACH;AAED,UAAU,YAAY;IACpB,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,cAAc,GAAG,IAAI,CAAC;CAC9D;AA8GD,yBAA+B,EAAE,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA+E9D"}
+{"version":3,"file":"extension.d.ts","sourceRoot":"","sources":["../src/extension.ts"],"names":[],"mappings":"AAmBA,OAAO,KAAK,EACV,GAAG,EACH,2BAA2B,EAC3B,OAAO,EACP,KAAK,EACL,gBAAgB,EAChB,mBAAmB,EACnB,mBAAmB,EACpB,MAAM,uBAAuB,CAAC;AAuB/B,UAAU,mBAAmB;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,GAAG,CAAC;IACV,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,EAAE,CAAC,MAAM,GAAG,OAAO,CAAC,EAAE,CAAC;IAC5B,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;IAC/E,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,MAAM,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC;IAC9B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,gBAAgB,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC;CAC3D;AAED,UAAU,cAAc;IACtB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,GAAG,CAAC;IACV,YAAY,CAAC,EAAE,CACb,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,EACjB,OAAO,EAAE,OAAO,EAChB,OAAO,CAAC,EAAE,mBAAmB,KAC1B,2BAA2B,CAAC;IACjC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,MAAM,CAAC,EAAE,mBAAmB,EAAE,CAAC;IAC/B,KAAK,CAAC,EAAE;QACN,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,EAAE,CAAC,SAAS,EAAE,mBAAmB,KAAK,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACrE,YAAY,EAAE,CAAC,WAAW,EAAE,gBAAgB,KAAK,OAAO,CAAC,gBAAgB,CAAC,CAAC;QAC3E,SAAS,EAAE,CAAC,WAAW,EAAE,gBAAgB,KAAK,MAAM,CAAC;QACrD,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,WAAW,EAAE,gBAAgB,KAAK,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;KACtF,CAAC;CACH;AAED,UAAU,YAAY;IACpB,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,cAAc,GAAG,IAAI,CAAC;CAC9D;AA4HD,yBAA+B,EAAE,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAmG9D"}

package/dist/extension.js

@@ -899,6 +899,24 @@ var kiroModels = [
     maxTokens: 65536
   }
 ];
+async function resolveProfileArn(accessToken, apiRegion) {
+  const resp = await fetch(`https://management.${apiRegion}.kiro.dev/`, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+      "Content-Type": "application/x-amz-json-1.0",
+      "X-Amz-Target": "AmazonCodeWhispererService.ListAvailableProfiles",
+      "User-Agent": "pi-kiro"
+    },
+    body: "{}"
+  });
+  if (!resp.ok)
+    return null;
+  const data = await resp.json();
+  const profiles = data.profiles ?? [];
+  const kiroProfile = profiles.find((p) => p.profileType === "KIRO" && p.status === "ACTIVE");
+  return kiroProfile?.arn ?? profiles[0]?.arn ?? null;
+}
 async function fetchAvailableModels(accessToken, apiRegion, profileArn) {
   const url = `https://management.${apiRegion}.kiro.dev/?origin=KIRO_CLI&profileArn=${encodeURIComponent(profileArn)}`;
   const resp = await fetch(url, {
@@ -983,6 +1001,8 @@ function setCachedDynamicModels(models) {
 
 // src/oauth.ts
 init_debug();
+import { createServer } from "node:http";
+import { randomBytes, createHash } from "node:crypto";
 var BUILDER_ID_START_URL = "https://view.awsapps.com/start";
 var BUILDER_ID_REGION = "us-east-1";
 var SSO_SCOPES = [
@@ -1092,6 +1112,415 @@ async function pollForToken(oidcEndpoint, clientId, clientSecret, devAuth, signa
   }
   throw new Error("Authorization timed out");
 }
+var KIRO_SOCIAL_PORTAL = "https://app.kiro.dev";
+var KIRO_SOCIAL_AUTH_ENDPOINT = `https://prod.${BUILDER_ID_REGION}.auth.desktop.kiro.dev`;
+var SOCIAL_REDIRECT_PORT = 49153;
+var SOCIAL_REDIRECT_URI = `http://localhost:${SOCIAL_REDIRECT_PORT}`;
+function generateRandomState() {
+  return randomBytes(16).toString("base64url");
+}
+function generateCodeVerifier() {
+  return randomBytes(32).toString("base64url");
+}
+function generateCodeChallenge(verifier) {
+  return createHash("sha256").update(verifier).digest("base64url");
+}
+function buildSocialSignInURL(redirectUri, codeChallenge, state) {
+  const params = new URLSearchParams;
+  params.set("code_challenge", codeChallenge);
+  params.set("code_challenge_method", "S256");
+  params.set("redirect_from", "kirocli");
+  params.set("redirect_uri", redirectUri);
+  params.set("state", state);
+  return `${KIRO_SOCIAL_PORTAL}/signin?${params.toString()}`;
+}
+function parseAuthRedirectInput(input) {
+  const trimmed = input.trim();
+  if (!trimmed)
+    return {};
+  try {
+    const url = new URL(trimmed);
+    return {
+      code: url.searchParams.get("code") ?? undefined,
+      state: url.searchParams.get("state") ?? undefined
+    };
+  } catch {
+    return { code: trimmed };
+  }
+}
+function buildTokenRedirectUri(callbackPath, loginOption) {
+  const path = callbackPath || "/oauth/callback";
+  const base = `${SOCIAL_REDIRECT_URI}${path}`;
+  if (loginOption) {
+    return `${base}?login_option=${encodeURIComponent(loginOption)}`;
+  }
+  return base;
+}
+function oauthCallbackPage(kind, title, message, redirectUrl = "https://app.kiro.dev") {
+  const borderColor = kind === "success" ? "#22c55e" : "#ef4444";
+  const iconSvg = kind === "success" ? `<svg width="20" height="20" viewBox="0 0 20 20" fill="none"><path d="M16.67 5L7.5 14.17 3.33 10" stroke="#22c55e" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/></svg>` : `<svg width="20" height="20" viewBox="0 0 20 20" fill="none"><path d="M15 5L5 15M5 5l10 10" stroke="#ef4444" stroke-width="2" stroke-linecap="round"/></svg>`;
+  const ghostSvg = `<svg width="56" height="56" viewBox="0 0 100 100" fill="none" xmlns="http://www.w3.org/2000/svg">
+    <path d="M50 5C28.5 5 11 22.5 11 44v36c0 2.8 1.2 5.4 3.2 7.2 2 1.8 4.7 2.6 7.4 2.2l3.4-.5c3.2-.5 6.5.4 9 2.5l2.2 1.8c2.4 2 5.4 3 8.5 3h10.6c3.1 0 6.1-1.1 8.5-3l2.2-1.8c2.5-2.1 5.8-3 9-2.5l3.4.5c2.7.4 5.4-.4 7.4-2.2 2-1.8 3.2-4.4 3.2-7.2V44C89 22.5 71.5 5 50 5z" fill="white"/>
+    <circle cx="37" cy="45" r="7" fill="#0a0a0a"/>
+    <circle cx="63" cy="45" r="7" fill="#0a0a0a"/>
+  </svg>`;
+  const redirectHost = (() => {
+    try {
+      return new URL(redirectUrl).hostname;
+    } catch {
+      return redirectUrl;
+    }
+  })();
+  const countdownHtml = kind === "success" ? `
+    <div class="countdown" id="countdown">
+      <svg class="ring" viewBox="0 0 60 60">
+        <circle cx="30" cy="30" r="26" stroke="#1a1a1a" stroke-width="3" fill="none"/>
+        <circle id="ring-progress" cx="30" cy="30" r="26" stroke="#22c55e" stroke-width="3" fill="none"
+          stroke-dasharray="163.36" stroke-dashoffset="0" stroke-linecap="round"
+          transform="rotate(-90 30 30)" style="transition:stroke-dashoffset 1s linear"/>
+      </svg>
+      <span class="countdown-num" id="countdown-num">3</span>
+    </div>
+    <p class="subtitle">Redirecting to <strong>${redirectHost}</strong>…</p>
+    <script>
+      (function(){
+        var n=3, el=document.getElementById('countdown-num'),
+            ring=document.getElementById('ring-progress'), circ=163.36;
+        function tick(){
+          if(n<=0){window.location.href=${JSON.stringify(redirectUrl)};return}
+          el.textContent=n;
+          ring.setAttribute('stroke-dashoffset', String(circ*(1-n/3)));
+          n--;
+          setTimeout(tick,1000);
+        }
+        tick();
+      })();
+    </script>` : `<p class="subtitle">Please close this window and try again</p>`;
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>PI-KIRO — Authentication</title>
+  <style>
+    *{margin:0;padding:0;box-sizing:border-box}
+    body{background:#0a0a0a;color:#e5e5e5;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;text-align:center}
+    .container{max-width:420px;padding:2rem}
+    .logo{display:flex;align-items:center;justify-content:center;gap:16px;margin-bottom:48px}
+    .logo-text{font-size:42px;font-weight:700;letter-spacing:6px;color:#7c3aed;font-family:'Courier New',monospace}
+    .status-box{border:1.5px solid ${borderColor};border-radius:12px;padding:20px 28px;display:flex;align-items:flex-start;gap:14px;text-align:left;margin-bottom:20px;background:rgba(${kind === "success" ? "34,197,94" : "239,68,68"},0.04)}
+    .status-icon{flex-shrink:0;margin-top:2px}
+    .status-title{font-size:15px;font-weight:600;color:${borderColor};margin-bottom:4px}
+    .status-msg{font-size:13px;color:#a3a3a3;line-height:1.4}
+    .subtitle{font-size:13px;color:#737373;margin-top:4px}
+    .subtitle strong{color:#a3a3a3}
+    .countdown{position:relative;width:60px;height:60px;margin:24px auto 12px}
+    .ring{width:60px;height:60px}
+    .countdown-num{position:absolute;inset:0;display:flex;align-items:center;justify-content:center;font-size:24px;font-weight:700;color:#22c55e;font-variant-numeric:tabular-nums}
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="logo">
+      ${ghostSvg}
+      <span class="logo-text">PI-KIRO</span>
+    </div>
+    <div class="status-box">
+      <span class="status-icon">${iconSvg}</span>
+      <div>
+        <div class="status-title">${title}</div>
+        <div class="status-msg">${message}</div>
+      </div>
+    </div>
+    ${countdownHtml}
+  </div>
+</body>
+</html>`;
+}
+function oauthIdcDelegationPage() {
+  const ghostSvg = `<svg width="56" height="56" viewBox="0 0 100 100" fill="none" xmlns="http://www.w3.org/2000/svg">
+    <path d="M50 5C28.5 5 11 22.5 11 44v36c0 2.8 1.2 5.4 3.2 7.2 2 1.8 4.7 2.6 7.4 2.2l3.4-.5c3.2-.5 6.5.4 9 2.5l2.2 1.8c2.4 2 5.4 3 8.5 3h10.6c3.1 0 6.1-1.1 8.5-3l2.2-1.8c2.5-2.1 5.8-3 9-2.5l3.4.5c2.7.4 5.4-.4 7.4-2.2 2-1.8 3.2-4.4 3.2-7.2V44C89 22.5 71.5 5 50 5z" fill="white"/>
+    <circle cx="37" cy="45" r="7" fill="#0a0a0a"/>
+    <circle cx="63" cy="45" r="7" fill="#0a0a0a"/>
+  </svg>`;
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>PI-KIRO — Enterprise Sign-In</title>
+  <style>
+    *{margin:0;padding:0;box-sizing:border-box}
+    body{background:#0a0a0a;color:#e5e5e5;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;text-align:center}
+    .container{max-width:420px;padding:2rem}
+    .logo{display:flex;align-items:center;justify-content:center;gap:16px;margin-bottom:48px}
+    .logo-text{font-size:42px;font-weight:700;letter-spacing:6px;color:#7c3aed;font-family:'Courier New',monospace}
+    .status-box{border:1.5px solid #22c55e;border-radius:12px;padding:20px 28px;display:flex;align-items:flex-start;gap:14px;text-align:left;margin-bottom:20px;background:rgba(34,197,94,0.04)}
+    .status-icon{flex-shrink:0;margin-top:2px}
+    .status-title{font-size:15px;font-weight:600;color:#22c55e;margin-bottom:4px}
+    .status-msg{font-size:13px;color:#a3a3a3;line-height:1.4}
+    .subtitle{font-size:13px;color:#737373;margin-top:4px}
+    .subtitle strong{color:#a3a3a3}
+    .spinner{width:28px;height:28px;border:3px solid #1a1a1a;border-top-color:#22c55e;border-radius:50%;animation:spin 0.8s linear infinite;margin:24px auto 12px}
+    @keyframes spin{to{transform:rotate(360deg)}}
+    .countdown{position:relative;width:60px;height:60px;margin:24px auto 12px;display:none}
+    .ring{width:60px;height:60px}
+    .countdown-num{position:absolute;inset:0;display:flex;align-items:center;justify-content:center;font-size:24px;font-weight:700;color:#22c55e;font-variant-numeric:tabular-nums}
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="logo">
+      ${ghostSvg}
+      <span class="logo-text">PI-KIRO</span>
+    </div>
+    <div class="status-box">
+      <span class="status-icon"><svg width="20" height="20" viewBox="0 0 20 20" fill="none"><path d="M16.67 5L7.5 14.17 3.33 10" stroke="#22c55e" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/></svg></span>
+      <div>
+        <div class="status-title">Enterprise sign-in</div>
+        <div class="status-msg" id="status-msg">Preparing device authorization…</div>
+      </div>
+    </div>
+    <div class="spinner" id="spinner"></div>
+    <div class="countdown" id="countdown">
+      <svg class="ring" viewBox="0 0 60 60">
+        <circle cx="30" cy="30" r="26" stroke="#1a1a1a" stroke-width="3" fill="none"/>
+        <circle id="ring-progress" cx="30" cy="30" r="26" stroke="#22c55e" stroke-width="3" fill="none"
+          stroke-dasharray="163.36" stroke-dashoffset="0" stroke-linecap="round"
+          transform="rotate(-90 30 30)" style="transition:stroke-dashoffset 1s linear"/>
+      </svg>
+      <span class="countdown-num" id="countdown-num">3</span>
+    </div>
+    <p class="subtitle" id="subtitle">Waiting for device authorization…</p>
+    <script>
+      (function(){
+        var msg=document.getElementById('status-msg'),
+            spinner=document.getElementById('spinner'),
+            cd=document.getElementById('countdown'),
+            cdNum=document.getElementById('countdown-num'),
+            ring=document.getElementById('ring-progress'),
+            sub=document.getElementById('subtitle'),
+            circ=163.36;
+
+        function poll(){
+          fetch('/idc-verify').then(function(r){return r.json()}).then(function(d){
+            if(d.url){
+              spinner.style.display='none';
+              cd.style.display='block';
+              msg.textContent='Device authorization ready';
+              try{sub.innerHTML='Redirecting to <strong>'+new URL(d.url).hostname+'</strong>…'}catch(e){}
+              countdown(3,d.url);
+            } else {
+              setTimeout(poll,500);
+            }
+          }).catch(function(){setTimeout(poll,1000)});
+        }
+
+        function countdown(n,url){
+          if(n<=0){window.location.href=url;return}
+          cdNum.textContent=n;
+          ring.setAttribute('stroke-dashoffset',String(circ*(1-n/3)));
+          setTimeout(function(){countdown(n-1,url)},1000);
+        }
+
+        poll();
+      })();
+    </script>
+  </div>
+</body>
+</html>`;
+}
+function startCallbackServer(expectedState) {
+  return new Promise((resolve2, reject) => {
+    let settleWait;
+    const waitForCodePromise = new Promise((res) => {
+      settleWait = res;
+    });
+    let idcVerifyUrl = null;
+    const server = createServer((req, res) => {
+      try {
+        const url = new URL(req.url ?? "", SOCIAL_REDIRECT_URI);
+        if (url.pathname === "/idc-verify") {
+          res.writeHead(200, {
+            "Content-Type": "application/json",
+            "Access-Control-Allow-Origin": "*",
+            "Cache-Control": "no-store"
+          });
+          res.end(JSON.stringify({ url: idcVerifyUrl }));
+          return;
+        }
+        const code = url.searchParams.get("code");
+        const state = url.searchParams.get("state");
+        const loginOption = url.searchParams.get("login_option");
+        const issuerUrl = url.searchParams.get("issuer_url");
+        const idcRegion = url.searchParams.get("idc_region");
+        const isIdcDelegation = loginOption === "awsidc" && !!issuerUrl && !!state;
+        if (!state || !code && !isIdcDelegation) {
+          res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+          res.end("");
+          return;
+        }
+        if (state !== expectedState) {
+          res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+          res.end(oauthCallbackPage("error", "State mismatch", "The OAuth state parameter did not match. Please try logging in again."));
+          return;
+        }
+        res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+        if (isIdcDelegation) {
+          res.end(oauthIdcDelegationPage());
+        } else {
+          res.end(oauthCallbackPage("success", "Request approved", "PI-KIRO has been given requested permissions."));
+        }
+        settleWait?.({
+          code,
+          state,
+          callbackPath: url.pathname,
+          loginOption,
+          issuerUrl: issuerUrl ?? undefined,
+          idcRegion: idcRegion ?? undefined
+        });
+      } catch {
+        res.writeHead(500, { "Content-Type": "text/plain; charset=utf-8" });
+        res.end("Internal error");
+      }
+    });
+    server.on("error", (err) => {
+      reject(err);
+    });
+    server.listen(SOCIAL_REDIRECT_PORT, "localhost", () => {
+      resolve2({
+        server,
+        redirectUri: SOCIAL_REDIRECT_URI,
+        cancelWait: () => {
+          settleWait?.(null);
+        },
+        waitForCode: () => waitForCodePromise,
+        setIdcVerifyUrl: (url) => {
+          idcVerifyUrl = url;
+        }
+      });
+    });
+  });
+}
+async function runSocialSignInFlow(callbacks) {
+  const verifier = generateCodeVerifier();
+  const challenge = generateCodeChallenge(verifier);
+  const state = generateRandomState();
+  const callbackServer = await startCallbackServer(state);
+  try {
+    const signInUrl = buildSocialSignInURL(callbackServer.redirectUri, challenge, state);
+    callbacks.onAuth({
+      url: signInUrl,
+      instructions: "Complete sign-in in your browser."
+    });
+    callbacks.onProgress?.("Waiting for browser sign-in…");
+    let code;
+    let tokenRedirectUri = SOCIAL_REDIRECT_URI;
+    let callbackResult = null;
+    if (callbacks.onManualCodeInput) {
+      let manualInput;
+      let manualError;
+      const manualPromise = callbacks.onManualCodeInput().then((input) => {
+        manualInput = input;
+        callbackServer.cancelWait();
+      }).catch((err) => {
+        manualError = err instanceof Error ? err : new Error(String(err));
+        callbackServer.cancelWait();
+      });
+      callbackResult = await callbackServer.waitForCode();
+      if (manualError)
+        throw manualError;
+      if (callbackResult?.loginOption !== "awsidc" || !callbackResult.issuerUrl) {
+        if (callbackResult?.code) {
+          code = callbackResult.code;
+          tokenRedirectUri = buildTokenRedirectUri(callbackResult.callbackPath, callbackResult.loginOption);
+        } else if (manualInput) {
+          code = parseAuthRedirectInput(manualInput).code;
+        }
+        if (!code) {
+          await manualPromise;
+          if (manualError)
+            throw manualError;
+          if (manualInput) {
+            code = parseAuthRedirectInput(manualInput).code;
+          }
+        }
+      }
+    } else {
+      callbackResult = await callbackServer.waitForCode();
+      if (callbackResult?.code) {
+        code = callbackResult.code;
+        tokenRedirectUri = buildTokenRedirectUri(callbackResult.callbackPath, callbackResult.loginOption);
+      }
+    }
+    if (callbackResult?.loginOption === "awsidc" && callbackResult.issuerUrl) {
+      callbacks.onProgress?.("Enterprise sign-in detected — starting device authorization…");
+      const idcRegion = callbackResult.idcRegion || BUILDER_ID_REGION;
+      const wrappedCallbacks = {
+        ...callbacks,
+        onAuth: (info) => {
+          callbackServer.setIdcVerifyUrl(info.url);
+          callbacks.onAuth(info);
+        }
+      };
+      try {
+        return await runDeviceCodeFlow(wrappedCallbacks, callbackResult.issuerUrl, [idcRegion], "idc");
+      } finally {
+        callbackServer.server.close();
+      }
+    }
+    if (!code) {
+      const input = await callbacks.onPrompt({
+        message: "Paste the authorization code or the full redirect URL:",
+        placeholder: SOCIAL_REDIRECT_URI
+      });
+      code = parseAuthRedirectInput(input).code;
+    }
+    if (!code) {
+      throw new Error("Missing authorization code — sign-in was not completed");
+    }
+    callbacks.onProgress?.("Exchanging authorization code…");
+    const resp = await fetch(`${KIRO_SOCIAL_AUTH_ENDPOINT}/oauth/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json", "User-Agent": "pi-kiro" },
+      body: JSON.stringify({
+        code,
+        code_verifier: verifier,
+        redirect_uri: tokenRedirectUri
+      })
+    });
+    if (!resp.ok) {
+      const body = await resp.text().catch(() => "");
+      throw new Error(`Token exchange failed: ${resp.status} ${body}`);
+    }
+    const data = await resp.json();
+    if (!data.accessToken || !data.refreshToken) {
+      throw new Error("Token exchange returned no tokens");
+    }
+    if (data.profileArn) {
+      try {
+        const apiRegion = resolveApiRegion(BUILDER_ID_REGION);
+        const apiModels = await fetchAvailableModels(data.accessToken, apiRegion, data.profileArn);
+        setCachedDynamicModels(buildModelsFromApi(apiModels));
+        log.info(`Fetched and cached ${apiModels.length} models after social sign-in`);
+      } catch (err) {
+        log.warn(`Failed to fetch models after social sign-in: ${err}`);
+      }
+    }
+    return {
+      refresh: `${data.refreshToken}|||social`,
+      access: data.accessToken,
+      expires: Date.now() + (data.expiresIn ?? 3600) * 1000 - EXPIRES_BUFFER_MS,
+      clientId: "",
+      clientSecret: "",
+      region: BUILDER_ID_REGION,
+      authMethod: "social",
+      profileArn: data.profileArn
+    };
+  } finally {
+    callbackServer.server.close();
+  }
+}
 async function loginKiro(callbacks) {
   const method = await callbacks.onSelect({
     message: "Select login method:",
@@ -1111,7 +1540,7 @@ async function loginKiro(callbacks) {
     return loginDesktopManual(callbacks);
   }
   if (method === "builder-id") {
-    return runDeviceCodeFlow(callbacks, BUILDER_ID_START_URL, [BUILDER_ID_REGION], "builder-id");
+    return runSocialSignInFlow(callbacks);
   }
   const startUrl = (await callbacks.onPrompt({
     message: "Paste your IAM Identity Center start URL:",
@@ -1229,7 +1658,7 @@ async function syncBackToKiroCli(result) {
       accessToken: result.access,
       refreshToken: result.refresh.split("|")[0] ?? "",
       region: result.region,
-      authMethod: result.authMethod === "builder-id" ? "idc" : result.authMethod,
+      authMethod: result.authMethod === "builder-id" || result.authMethod === "social" ? "desktop" : result.authMethod,
       source: result.kiroSyncSource,
       tokenKey: result.kiroSyncTokenKey
     });
@@ -1266,10 +1695,10 @@ async function refreshTokenInner(credentials) {
   if (!refreshToken || !region) {
     throw new Error("Refresh token is missing region — re-login required");
   }
-  if (authMethod !== "desktop" && (!clientId || !clientSecret)) {
+  if (authMethod !== "desktop" && authMethod !== "social" && (!clientId || !clientSecret)) {
     throw new Error("Refresh token is missing clientId/clientSecret — re-login required");
   }
-  if (authMethod === "desktop") {
+  if (authMethod === "desktop" || authMethod === "social") {
     const desktopEndpoint = `https://prod.${region}.auth.desktop.kiro.dev/refreshToken`;
     const resp2 = await fetch(desktopEndpoint, {
       method: "POST",
@@ -1292,13 +1721,13 @@ async function refreshTokenInner(credentials) {
       }
     }
     return {
-      refresh: `${data2.refreshToken}|||desktop`,
+      refresh: `${data2.refreshToken}|||${authMethod}`,
       access: data2.accessToken,
       expires: Date.now() + (data2.expiresIn ?? 3600) * 1000 - EXPIRES_BUFFER_MS,
       clientId: "",
       clientSecret: "",
       region,
-      authMethod: "desktop",
+      authMethod,
       profileArn: credentials.profileArn,
       kiroSyncSource: credentials.kiroSyncSource,
       kiroSyncTokenKey: credentials.kiroSyncTokenKey
@@ -1340,8 +1769,8 @@ async function refreshTokenInner(credentials) {
 }
 async function refreshKiroToken(credentials) {
   const inputMethod = credentials.authMethod;
-  const authMethod = inputMethod === "builder-id" || inputMethod === "idc" || inputMethod === "desktop" ? inputMethod : "idc";
-  if (inputMethod !== undefined && inputMethod !== "builder-id" && inputMethod !== "idc" && inputMethod !== "desktop") {
+  const authMethod = inputMethod === "builder-id" || inputMethod === "idc" || inputMethod === "desktop" || inputMethod === "social" ? inputMethod : "idc";
+  if (inputMethod !== undefined && inputMethod !== "builder-id" && inputMethod !== "idc" && inputMethod !== "desktop" && inputMethod !== "social") {
     log.warn(`refreshKiroToken: unrecognized authMethod "${String(inputMethod)}" — defaulting to "idc"`);
   }
   const baseCreds = {
@@ -1872,7 +2301,7 @@ function countTokens(text) {
 }
 
 // src/transform.ts
-import { createHash } from "node:crypto";
+import { createHash as createHash2 } from "node:crypto";
 function normalizeMessages(messages) {
   return messages.filter((msg) => msg.role !== "assistant" || msg.stopReason !== "error" && msg.stopReason !== "aborted");
 }
@@ -1925,7 +2354,7 @@ var KIRO_TOOL_USE_ID_RE = /^tooluse_[A-Za-z0-9]+$/;
 function toKiroToolUseId(id) {
   if (KIRO_TOOL_USE_ID_RE.test(id))
     return id;
-  const digest = createHash("sha256").update(id).digest("hex").slice(0, 22);
+  const digest = createHash2("sha256").update(id).digest("hex").slice(0, 22);
   return `tooluse_${digest}`;
 }
 function convertImagesToKiro(images) {
@@ -3012,10 +3441,22 @@ function writeKiroCredentials(refreshed) {
     log.warn(`Failed to persist refreshed credentials: ${err}`);
   }
 }
+function writeKiroCredentialsPartial(fields) {
+  try {
+    const authPath = join2(homedir2(), ".pi", "agent", "auth.json");
+    const raw = existsSync2(authPath) ? readFileSync2(authPath, "utf-8") : "{}";
+    const data = JSON.parse(raw);
+    const existing = data["kiro"] ?? {};
+    data["kiro"] = { ...existing, ...fields };
+    writeFileSync(authPath, JSON.stringify(data, null, 2), { mode: 384 });
+  } catch (err) {
+    log.warn(`Failed to persist partial credentials: ${err}`);
+  }
+}
 async function extension_default(pi) {
   let modelDefs = toProviderModels(kiroModels);
   const creds = readKiroCredentials();
-  if (creds?.profileArn) {
+  if (creds?.access || creds?.refresh) {
     let accessToken = creds.access;
     if (creds.refresh) {
       try {
@@ -3027,16 +3468,34 @@ async function extension_default(pi) {
         log.warn(`Startup token refresh failed, trying with existing token: ${err}`);
       }
     }
-    try {
-      const apiRegion = resolveApiRegion(creds.region);
-      seedProfileArn(creds.profileArn);
-      const apiModels = await fetchAvailableModels(accessToken, apiRegion, creds.profileArn);
-      const dynamicDefs = buildModelsFromApi(apiModels);
-      setCachedDynamicModels(dynamicDefs);
-      modelDefs = toProviderModels(dynamicDefs);
-      log.info(`Loaded ${modelDefs.length} models dynamically from Kiro API`);
-    } catch (err) {
-      log.warn(`Failed to fetch models at startup, using hardcoded fallback: ${err}`);
+    let profileArn = creds.profileArn;
+    if (!profileArn && accessToken) {
+      try {
+        const apiRegion = resolveApiRegion(creds.region);
+        log.info("profileArn missing, resolving via ListAvailableProfiles…");
+        profileArn = await resolveProfileArn(accessToken, apiRegion) ?? undefined;
+        if (profileArn) {
+          log.info(`Resolved profileArn: ${profileArn}`);
+          writeKiroCredentialsPartial({ profileArn });
+        } else {
+          log.warn("Could not resolve profileArn — model fetch and streaming will fail");
+        }
+      } catch (err) {
+        log.warn(`profileArn resolution failed: ${err}`);
+      }
+    }
+    if (profileArn) {
+      seedProfileArn(profileArn);
+      try {
+        const apiRegion = resolveApiRegion(creds.region);
+        const apiModels = await fetchAvailableModels(accessToken, apiRegion, profileArn);
+        const dynamicDefs = buildModelsFromApi(apiModels);
+        setCachedDynamicModels(dynamicDefs);
+        modelDefs = toProviderModels(dynamicDefs);
+        log.info(`Loaded ${modelDefs.length} models dynamically from Kiro API`);
+      } catch (err) {
+        log.warn(`Failed to fetch models at startup, using hardcoded fallback: ${err}`);
+      }
     }
   } else {
     log.warn("Run 'kiro login' to authenticate and fetch models dynamically. Note: This extension does not have the same authentication mechanism as other Kiro tools.");

package/dist/models.d.ts

@@ -93,6 +93,12 @@ export interface KiroApiModel {
         };
     };
 }
+/**
+ * Resolve the Kiro profile ARN by calling ListAvailableProfiles.
+ * Builder ID device-code login doesn't receive a profileArn, so we
+ * discover it here. Returns null on failure (graceful fallback).
+ */
+export declare function resolveProfileArn(accessToken: string, apiRegion: string): Promise<string | null>;
 /**
  * Fetch the list of models actually available for this account from Kiro.
  * Filters out "auto" — it appears in ListAvailableModels but is rejected

package/dist/models.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"models.d.ts","sourceRoot":"","sources":["../src/models.ts"],"names":[],"mappings":"AAOA,gEAAgE;AAChE,eAAO,MAAM,cAAc,aAuBzB,CAAC;AAEH,0EAA0E;AAC1E,wBAAgB,SAAS,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAEjD;AAED,sEAAsE;AACtE,wBAAgB,SAAS,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAEjD;AAED,0EAA0E;AAC1E,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAMxD;AA8BD,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,CAGtE;AAiDD,wBAAgB,oBAAoB,CAAC,CAAC,SAAS;IAAE,EAAE,EAAE,MAAM,CAAA;CAAE,EAC3D,MAAM,EAAE,CAAC,EAAE,EACX,SAAS,EAAE,MAAM,GAChB,CAAC,EAAE,CASL;AAQD,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAE3D;AAaD,KAAK,KAAK,GAAG,CAAC,MAAM,GAAG,OAAO,CAAC,EAAE,CAAC;AAIlC,MAAM,WAAW,SAAS;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,UAAU,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,EAAE,KAAK,CAAC;IACb,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;IAC/E,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,oEAAoE;IACpE,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B;;;;;;;;;;;;;;;;;;;;;;OAsBG;IACH,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B;;;;;OAKG;IACH,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,iEAAiE;IACjE,sBAAsB,CAAC,EAAE,OAAO,CAAC;CAClC;AAED,eAAO,MAAM,UAAU,EAAE,SAAS,EAwNjC,CAAC;AAIF,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE;QAAE,cAAc,CAAC,EAAE,MAAM,CAAC;QAAC,eAAe,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IACpE,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,qEAAqE;IACrE,kCAAkC,CAAC,EAAE;QACnC,UAAU,CAAC,EAAE;YACX,aAAa,CAAC,EAAE;gBAAE,UAAU,CAAC,EAAE;oBAAE,MAAM,CAAC,EAAE;wBAAE,IAAI,CAAC,EAAE,MAAM,EAAE,CAAA;qBAAE,CAAA;iBAAE,CAAA;aAAE,CAAC;YAClE,QAAQ,CAAC,EAAE;gBAAE,UAAU,CAAC,EAAE;oBAAE,IAAI,CAAC,EAAE;wBAAE,IAAI,CAAC,EAAE,MAAM,EAAE,CAAA;qBAAE,CAAA;iBAAE,CAAA;aAAE,CAAC;SAC5D,CAAC;KACH,CAAC;CACH;AAED;;;;GAIG;AACH,wBAAsB,oBAAoB,CACxC,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,YAAY,EAAE,CAAC,CA6BzB;AAqBD,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,EAAE,CAAC,MAAM,GAAG,OAAO,CAAC,EAAE,CAAC;IAC5B,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,sBAAsB,CAAC,EAAE,OAAO,CAAC;CAClC;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,YAAY,EAAE,GAAG,YAAY,EAAE,CAiC5E;AAKD,wBAAgB,sBAAsB,IAAI,YAAY,EAAE,GAAG,IAAI,CAE9D;AAED,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,YAAY,EAAE,GAAG,IAAI,GAAG,IAAI,CAE1E"}
+{"version":3,"file":"models.d.ts","sourceRoot":"","sources":["../src/models.ts"],"names":[],"mappings":"AAOA,gEAAgE;AAChE,eAAO,MAAM,cAAc,aAuBzB,CAAC;AAEH,0EAA0E;AAC1E,wBAAgB,SAAS,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAEjD;AAED,sEAAsE;AACtE,wBAAgB,SAAS,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAEjD;AAED,0EAA0E;AAC1E,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAMxD;AA8BD,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,CAGtE;AAiDD,wBAAgB,oBAAoB,CAAC,CAAC,SAAS;IAAE,EAAE,EAAE,MAAM,CAAA;CAAE,EAC3D,MAAM,EAAE,CAAC,EAAE,EACX,SAAS,EAAE,MAAM,GAChB,CAAC,EAAE,CASL;AAQD,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAE3D;AAaD,KAAK,KAAK,GAAG,CAAC,MAAM,GAAG,OAAO,CAAC,EAAE,CAAC;AAIlC,MAAM,WAAW,SAAS;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,UAAU,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,EAAE,KAAK,CAAC;IACb,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;IAC/E,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,oEAAoE;IACpE,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B;;;;;;;;;;;;;;;;;;;;;;OAsBG;IACH,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B;;;;;OAKG;IACH,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,iEAAiE;IACjE,sBAAsB,CAAC,EAAE,OAAO,CAAC;CAClC;AAED,eAAO,MAAM,UAAU,EAAE,SAAS,EAwNjC,CAAC;AAIF,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE;QAAE,cAAc,CAAC,EAAE,MAAM,CAAC;QAAC,eAAe,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IACpE,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,qEAAqE;IACrE,kCAAkC,CAAC,EAAE;QACnC,UAAU,CAAC,EAAE;YACX,aAAa,CAAC,EAAE;gBAAE,UAAU,CAAC,EAAE;oBAAE,MAAM,CAAC,EAAE;wBAAE,IAAI,CAAC,EAAE,MAAM,EAAE,CAAA;qBAAE,CAAA;iBAAE,CAAA;aAAE,CAAC;YAClE,QAAQ,CAAC,EAAE;gBAAE,UAAU,CAAC,EAAE;oBAAE,IAAI,CAAC,EAAE;wBAAE,IAAI,CAAC,EAAE,MAAM,EAAE,CAAA;qBAAE,CAAA;iBAAE,CAAA;aAAE,CAAC;SAC5D,CAAC;KACH,CAAC;CACH;AAED;;;;GAIG;AACH,wBAAsB,iBAAiB,CACrC,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAmBxB;AAED;;;;GAIG;AACH,wBAAsB,oBAAoB,CACxC,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,YAAY,EAAE,CAAC,CA6BzB;AAqBD,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,EAAE,CAAC,MAAM,GAAG,OAAO,CAAC,EAAE,CAAC;IAC5B,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,sBAAsB,CAAC,EAAE,OAAO,CAAC;CAClC;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,YAAY,EAAE,GAAG,YAAY,EAAE,CAiC5E;AAKD,wBAAgB,sBAAsB,IAAI,YAAY,EAAE,GAAG,IAAI,CAE9D;AAED,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,YAAY,EAAE,GAAG,IAAI,GAAG,IAAI,CAE1E"}

package/dist/oauth.d.ts

@@ -21,7 +21,7 @@ export interface KiroCredentials extends OAuthCredentials {
      * - `idc`: IAM Identity Center (enterprise SSO, any region).
      * - `desktop`: Kiro IDE native install (bare refresh token, no clientId/clientSecret).
      */
-    authMethod: "builder-id" | "idc" | "desktop";
+    authMethod: "builder-id" | "idc" | "desktop" | "social";
     /** Profile ARN from Kiro, used to scope API calls. */
     profileArn?: string;
     /** Local Kiro source, used only to decide safe CLI DB write-back. */

package/dist/oauth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../src/oauth.ts"],"names":[],"mappings":"AAwBA,OAAO,KAAK,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AASnF,OAAO,KAAK,EAAsB,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAEhF,eAAO,MAAM,oBAAoB,mCAAmC,CAAC;AACrE,eAAO,MAAM,iBAAiB,cAAc,CAAC;AAC7C,eAAO,MAAM,UAAU,UAMtB,CAAC;AAmBF,MAAM,WAAW,eAAgB,SAAQ,gBAAgB;IACvD,QAAQ,EAAE,MAAM,CAAC;IACjB;;;;;;;OAOG;IACH,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf;;;;;OAKG;IACH,UAAU,EAAE,YAAY,GAAG,KAAK,GAAG,SAAS,CAAC;IAC7C,sDAAsD;IACtD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,qEAAqE;IACrE,cAAc,CAAC,EAAE,oBAAoB,CAAC;IACtC,yDAAyD;IACzD,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AA2ID;;;;;;;GAOG;AACH,wBAAsB,SAAS,CAAC,SAAS,EAAE,mBAAmB,GAAG,OAAO,CAAC,eAAe,CAAC,CAsDxF;AA8TD;;;;;;;;;;;;GAYG;AACH,wBAAsB,gBAAgB,CACpC,WAAW,EAAE,gBAAgB,GAC5B,OAAO,CAAC,eAAe,CAAC,CAiH1B"}
+{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../src/oauth.ts"],"names":[],"mappings":"AAwBA,OAAO,KAAK,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AASnF,OAAO,KAAK,EAAsB,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAIhF,eAAO,MAAM,oBAAoB,mCAAmC,CAAC;AACrE,eAAO,MAAM,iBAAiB,cAAc,CAAC;AAC7C,eAAO,MAAM,UAAU,UAMtB,CAAC;AAmBF,MAAM,WAAW,eAAgB,SAAQ,gBAAgB;IACvD,QAAQ,EAAE,MAAM,CAAC;IACjB;;;;;;;OAOG;IACH,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf;;;;;OAKG;IACH,UAAU,EAAE,YAAY,GAAG,KAAK,GAAG,SAAS,GAAG,QAAQ,CAAC;IACxD,sDAAsD;IACtD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,qEAAqE;IACrE,cAAc,CAAC,EAAE,oBAAoB,CAAC;IACtC,yDAAyD;IACzD,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AA8pBD;;;;;;;GAOG;AACH,wBAAsB,SAAS,CAAC,SAAS,EAAE,mBAAmB,GAAG,OAAO,CAAC,eAAe,CAAC,CAsDxF;AA8TD;;;;;;;;;;;;GAYG;AACH,wBAAsB,gBAAgB,CACpC,WAAW,EAAE,gBAAgB,GAC5B,OAAO,CAAC,eAAe,CAAC,CAkH1B"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@javargasm/pi-kiro",
-  "version": "0.4.4",
+  "version": "0.4.5",
   "description": "Kiro provider for the pi coding agent: AWS Builder ID / IAM Identity Center login and the CodeWhisperer streaming API, exposing the Kiro Claude model family.",
   "type": "module",
   "license": "MIT",