npm - @javargasm/pi-kiro - Versions diffs - 0.4.4 → 0.4.6 - Mend

@javargasm/pi-kiro 0.4.4 → 0.4.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/extension.js CHANGED Viewed

@@ -899,6 +899,24 @@ var kiroModels = [
     maxTokens: 65536
   }
 ];
+async function resolveProfileArn(accessToken, apiRegion) {
+  const resp = await fetch(`https://management.${apiRegion}.kiro.dev/`, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+      "Content-Type": "application/x-amz-json-1.0",
+      "X-Amz-Target": "AmazonCodeWhispererService.ListAvailableProfiles",
+      "User-Agent": "pi-kiro"
+    },
+    body: "{}"
+  });
+  if (!resp || !resp.ok)
+    return null;
+  const data = await resp.json();
+  const profiles = data.profiles ?? [];
+  const kiroProfile = profiles.find((p) => p.profileType === "KIRO" && p.status === "ACTIVE");
+  return kiroProfile?.arn ?? profiles[0]?.arn ?? null;
+}
 async function fetchAvailableModels(accessToken, apiRegion, profileArn) {
   const url = `https://management.${apiRegion}.kiro.dev/?origin=KIRO_CLI&profileArn=${encodeURIComponent(profileArn)}`;
   const resp = await fetch(url, {
@@ -918,7 +936,9 @@ async function fetchAvailableModels(accessToken, apiRegion, profileArn) {
     },
     body: JSON.stringify({ origin: "KIRO_CLI", profileArn })
   });
-  if (!resp.ok) {
+  if (!resp || !resp.ok) {
+    if (!resp)
+      throw new Error("ListAvailableModels failed: fetch returned no response");
     const body = await resp.text().catch(() => "");
     if (resp.status === 401 || resp.status === 400 && body.includes("Invalid token")) {
       throw new Error(`Authentication failed: 401 ListAvailableModels failed - ${body}`);
@@ -983,6 +1003,8 @@ function setCachedDynamicModels(models) {
 // src/oauth.ts
 init_debug();
+import { createServer } from "node:http";
+import { randomBytes, createHash } from "node:crypto";
 var BUILDER_ID_START_URL = "https://view.awsapps.com/start";
 var BUILDER_ID_REGION = "us-east-1";
 var SSO_SCOPES = [
@@ -1092,6 +1114,417 @@ async function pollForToken(oidcEndpoint, clientId, clientSecret, devAuth, signa
   }
   throw new Error("Authorization timed out");
 }
+var KIRO_SOCIAL_PORTAL = "https://app.kiro.dev";
+var KIRO_SOCIAL_AUTH_ENDPOINT = `https://prod.${BUILDER_ID_REGION}.auth.desktop.kiro.dev`;
+var SOCIAL_REDIRECT_PORT = 49153;
+var SOCIAL_REDIRECT_URI = `http://localhost:${SOCIAL_REDIRECT_PORT}`;
+function generateRandomState() {
+  return randomBytes(16).toString("base64url");
+}
+function generateCodeVerifier() {
+  return randomBytes(32).toString("base64url");
+}
+function generateCodeChallenge(verifier) {
+  return createHash("sha256").update(verifier).digest("base64url");
+}
+function buildSocialSignInURL(redirectUri, codeChallenge, state) {
+  const params = new URLSearchParams;
+  params.set("code_challenge", codeChallenge);
+  params.set("code_challenge_method", "S256");
+  params.set("redirect_from", "kirocli");
+  params.set("redirect_uri", redirectUri);
+  params.set("state", state);
+  return `${KIRO_SOCIAL_PORTAL}/signin?${params.toString()}`;
+}
+function parseAuthRedirectInput(input) {
+  const trimmed = input.trim();
+  if (!trimmed)
+    return {};
+  try {
+    const url = new URL(trimmed);
+    return {
+      code: url.searchParams.get("code") ?? undefined,
+      state: url.searchParams.get("state") ?? undefined
+    };
+  } catch {
+    return { code: trimmed };
+  }
+}
+function buildTokenRedirectUri(callbackPath, loginOption) {
+  const path = callbackPath || "/oauth/callback";
+  const base = `${SOCIAL_REDIRECT_URI}${path}`;
+  if (loginOption) {
+    return `${base}?login_option=${encodeURIComponent(loginOption)}`;
+  }
+  return base;
+}
+function oauthCallbackPage(kind, title, message, redirectUrl = "https://app.kiro.dev") {
+  const borderColor = kind === "success" ? "#22c55e" : "#ef4444";
+  const iconSvg = kind === "success" ? `<svg width="20" height="20" viewBox="0 0 20 20" fill="none"><path d="M16.67 5L7.5 14.17 3.33 10" stroke="#22c55e" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/></svg>` : `<svg width="20" height="20" viewBox="0 0 20 20" fill="none"><path d="M15 5L5 15M5 5l10 10" stroke="#ef4444" stroke-width="2" stroke-linecap="round"/></svg>`;
+  const ghostSvg = `<svg width="56" height="56" viewBox="0 0 100 100" fill="none" xmlns="http://www.w3.org/2000/svg">
+    <path d="M50 5C28.5 5 11 22.5 11 44v36c0 2.8 1.2 5.4 3.2 7.2 2 1.8 4.7 2.6 7.4 2.2l3.4-.5c3.2-.5 6.5.4 9 2.5l2.2 1.8c2.4 2 5.4 3 8.5 3h10.6c3.1 0 6.1-1.1 8.5-3l2.2-1.8c2.5-2.1 5.8-3 9-2.5l3.4.5c2.7.4 5.4-.4 7.4-2.2 2-1.8 3.2-4.4 3.2-7.2V44C89 22.5 71.5 5 50 5z" fill="white"/>
+    <circle cx="37" cy="45" r="7" fill="#0a0a0a"/>
+    <circle cx="63" cy="45" r="7" fill="#0a0a0a"/>
+  </svg>`;
+  const redirectHost = (() => {
+    try {
+      return new URL(redirectUrl).hostname;
+    } catch {
+      return redirectUrl;
+    }
+  })();
+  const countdownHtml = kind === "success" ? `
+    <div class="countdown" id="countdown">
+      <svg class="ring" viewBox="0 0 60 60">
+        <circle cx="30" cy="30" r="26" stroke="#1a1a1a" stroke-width="3" fill="none"/>
+        <circle id="ring-progress" cx="30" cy="30" r="26" stroke="#22c55e" stroke-width="3" fill="none"
+          stroke-dasharray="163.36" stroke-dashoffset="0" stroke-linecap="round"
+          transform="rotate(-90 30 30)" style="transition:stroke-dashoffset 1s linear"/>
+      </svg>
+      <span class="countdown-num" id="countdown-num">3</span>
+    </div>
+    <p class="subtitle">Redirecting to <strong>${redirectHost}</strong>…</p>
+    <script>
+      (function(){
+        var n=3, el=document.getElementById('countdown-num'),
+            ring=document.getElementById('ring-progress'), circ=163.36;
+        function tick(){
+          if(n<=0){window.location.href=${JSON.stringify(redirectUrl)};return}
+          el.textContent=n;
+          ring.setAttribute('stroke-dashoffset', String(circ*(1-n/3)));
+          n--;
+          setTimeout(tick,1000);
+        }
+        tick();
+      })();
+    </script>` : `<p class="subtitle">Please close this window and try again</p>`;
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>PI-KIRO — Authentication</title>
+  <style>
+    *{margin:0;padding:0;box-sizing:border-box}
+    body{background:#0a0a0a;color:#e5e5e5;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;text-align:center}
+    .container{max-width:420px;padding:2rem}
+    .logo{display:flex;align-items:center;justify-content:center;gap:16px;margin-bottom:48px}
+    .logo-text{font-size:42px;font-weight:700;letter-spacing:6px;color:#7c3aed;font-family:'Courier New',monospace}
+    .status-box{border:1.5px solid ${borderColor};border-radius:12px;padding:20px 28px;display:flex;align-items:flex-start;gap:14px;text-align:left;margin-bottom:20px;background:rgba(${kind === "success" ? "34,197,94" : "239,68,68"},0.04)}
+    .status-icon{flex-shrink:0;margin-top:2px}
+    .status-title{font-size:15px;font-weight:600;color:${borderColor};margin-bottom:4px}
+    .status-msg{font-size:13px;color:#a3a3a3;line-height:1.4}
+    .subtitle{font-size:13px;color:#737373;margin-top:4px}
+    .subtitle strong{color:#a3a3a3}
+    .countdown{position:relative;width:60px;height:60px;margin:24px auto 12px}
+    .ring{width:60px;height:60px}
+    .countdown-num{position:absolute;inset:0;display:flex;align-items:center;justify-content:center;font-size:24px;font-weight:700;color:#22c55e;font-variant-numeric:tabular-nums}
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="logo">
+      ${ghostSvg}
+      <span class="logo-text">PI-KIRO</span>
+    </div>
+    <div class="status-box">
+      <span class="status-icon">${iconSvg}</span>
+      <div>
+        <div class="status-title">${title}</div>
+        <div class="status-msg">${message}</div>
+      </div>
+    </div>
+    ${countdownHtml}
+  </div>
+</body>
+</html>`;
+}
+function oauthIdcDelegationPage() {
+  const ghostSvg = `<svg width="56" height="56" viewBox="0 0 100 100" fill="none" xmlns="http://www.w3.org/2000/svg">
+    <path d="M50 5C28.5 5 11 22.5 11 44v36c0 2.8 1.2 5.4 3.2 7.2 2 1.8 4.7 2.6 7.4 2.2l3.4-.5c3.2-.5 6.5.4 9 2.5l2.2 1.8c2.4 2 5.4 3 8.5 3h10.6c3.1 0 6.1-1.1 8.5-3l2.2-1.8c2.5-2.1 5.8-3 9-2.5l3.4.5c2.7.4 5.4-.4 7.4-2.2 2-1.8 3.2-4.4 3.2-7.2V44C89 22.5 71.5 5 50 5z" fill="white"/>
+    <circle cx="37" cy="45" r="7" fill="#0a0a0a"/>
+    <circle cx="63" cy="45" r="7" fill="#0a0a0a"/>
+  </svg>`;
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>PI-KIRO — Enterprise Sign-In</title>
+  <style>
+    *{margin:0;padding:0;box-sizing:border-box}
+    body{background:#0a0a0a;color:#e5e5e5;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;text-align:center}
+    .container{max-width:420px;padding:2rem}
+    .logo{display:flex;align-items:center;justify-content:center;gap:16px;margin-bottom:48px}
+    .logo-text{font-size:42px;font-weight:700;letter-spacing:6px;color:#7c3aed;font-family:'Courier New',monospace}
+    .status-box{border:1.5px solid #22c55e;border-radius:12px;padding:20px 28px;display:flex;align-items:flex-start;gap:14px;text-align:left;margin-bottom:20px;background:rgba(34,197,94,0.04)}
+    .status-icon{flex-shrink:0;margin-top:2px}
+    .status-title{font-size:15px;font-weight:600;color:#22c55e;margin-bottom:4px}
+    .status-msg{font-size:13px;color:#a3a3a3;line-height:1.4}
+    .subtitle{font-size:13px;color:#737373;margin-top:4px}
+    .subtitle strong{color:#a3a3a3}
+    .spinner{width:28px;height:28px;border:3px solid #1a1a1a;border-top-color:#22c55e;border-radius:50%;animation:spin 0.8s linear infinite;margin:24px auto 12px}
+    @keyframes spin{to{transform:rotate(360deg)}}
+    .countdown{position:relative;width:60px;height:60px;margin:24px auto 12px;display:none}
+    .ring{width:60px;height:60px}
+    .countdown-num{position:absolute;inset:0;display:flex;align-items:center;justify-content:center;font-size:24px;font-weight:700;color:#22c55e;font-variant-numeric:tabular-nums}
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="logo">
+      ${ghostSvg}
+      <span class="logo-text">PI-KIRO</span>
+    </div>
+    <div class="status-box">
+      <span class="status-icon"><svg width="20" height="20" viewBox="0 0 20 20" fill="none"><path d="M16.67 5L7.5 14.17 3.33 10" stroke="#22c55e" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/></svg></span>
+      <div>
+        <div class="status-title">Enterprise sign-in</div>
+        <div class="status-msg" id="status-msg">Preparing device authorization…</div>
+      </div>
+    </div>
+    <div class="spinner" id="spinner"></div>
+    <div class="countdown" id="countdown">
+      <svg class="ring" viewBox="0 0 60 60">
+        <circle cx="30" cy="30" r="26" stroke="#1a1a1a" stroke-width="3" fill="none"/>
+        <circle id="ring-progress" cx="30" cy="30" r="26" stroke="#22c55e" stroke-width="3" fill="none"
+          stroke-dasharray="163.36" stroke-dashoffset="0" stroke-linecap="round"
+          transform="rotate(-90 30 30)" style="transition:stroke-dashoffset 1s linear"/>
+      </svg>
+      <span class="countdown-num" id="countdown-num">3</span>
+    </div>
+    <p class="subtitle" id="subtitle">Waiting for device authorization…</p>
+    <script>
+      (function(){
+        var msg=document.getElementById('status-msg'),
+            spinner=document.getElementById('spinner'),
+            cd=document.getElementById('countdown'),
+            cdNum=document.getElementById('countdown-num'),
+            ring=document.getElementById('ring-progress'),
+            sub=document.getElementById('subtitle'),
+            circ=163.36;
+        function poll(){
+          fetch('/idc-verify').then(function(r){return r.json()}).then(function(d){
+            if(d.url){
+              spinner.style.display='none';
+              cd.style.display='block';
+              msg.textContent='Device authorization ready';
+              try{sub.innerHTML='Redirecting to <strong>'+new URL(d.url).hostname+'</strong>…'}catch(e){}
+              countdown(3,d.url);
+            } else {
+              setTimeout(poll,500);
+            }
+          }).catch(function(){setTimeout(poll,1000)});
+        }
+        function countdown(n,url){
+          if(n<=0){window.location.href=url;return}
+          cdNum.textContent=n;
+          ring.setAttribute('stroke-dashoffset',String(circ*(1-n/3)));
+          setTimeout(function(){countdown(n-1,url)},1000);
+        }
+        poll();
+      })();
+    </script>
+  </div>
+</body>
+</html>`;
+}
+function startCallbackServer(expectedState) {
+  return new Promise((resolve2, reject) => {
+    let settleWait;
+    const waitForCodePromise = new Promise((res) => {
+      settleWait = res;
+    });
+    let idcVerifyUrl = null;
+    const server = createServer((req, res) => {
+      try {
+        const url = new URL(req.url ?? "", SOCIAL_REDIRECT_URI);
+        if (url.pathname === "/idc-verify") {
+          res.writeHead(200, {
+            "Content-Type": "application/json",
+            "Access-Control-Allow-Origin": "*",
+            "Cache-Control": "no-store"
+          });
+          res.end(JSON.stringify({ url: idcVerifyUrl }));
+          return;
+        }
+        const code = url.searchParams.get("code");
+        const state = url.searchParams.get("state");
+        const loginOption = url.searchParams.get("login_option");
+        const issuerUrl = url.searchParams.get("issuer_url");
+        const idcRegion = url.searchParams.get("idc_region");
+        const isIdcDelegation = loginOption === "awsidc" && !!issuerUrl && !!state;
+        if (!state || !code && !isIdcDelegation) {
+          res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+          res.end("");
+          return;
+        }
+        if (state !== expectedState) {
+          res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+          res.end(oauthCallbackPage("error", "State mismatch", "The OAuth state parameter did not match. Please try logging in again."));
+          return;
+        }
+        res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+        if (isIdcDelegation) {
+          res.end(oauthIdcDelegationPage());
+        } else {
+          res.end(oauthCallbackPage("success", "Request approved", "PI-KIRO has been given requested permissions."));
+        }
+        settleWait?.({
+          code,
+          state,
+          callbackPath: url.pathname,
+          loginOption,
+          issuerUrl: issuerUrl ?? undefined,
+          idcRegion: idcRegion ?? undefined
+        });
+      } catch {
+        res.writeHead(500, { "Content-Type": "text/plain; charset=utf-8" });
+        res.end("Internal error");
+      }
+    });
+    server.on("error", (err) => {
+      reject(err);
+    });
+    server.listen(SOCIAL_REDIRECT_PORT, "localhost", () => {
+      resolve2({
+        server,
+        redirectUri: SOCIAL_REDIRECT_URI,
+        cancelWait: () => {
+          settleWait?.(null);
+        },
+        waitForCode: () => waitForCodePromise,
+        setIdcVerifyUrl: (url) => {
+          idcVerifyUrl = url;
+        }
+      });
+    });
+  });
+}
+async function runSocialSignInFlow(callbacks) {
+  const verifier = generateCodeVerifier();
+  const challenge = generateCodeChallenge(verifier);
+  const state = generateRandomState();
+  const callbackServer = await startCallbackServer(state);
+  try {
+    const signInUrl = buildSocialSignInURL(callbackServer.redirectUri, challenge, state);
+    callbacks.onAuth({
+      url: signInUrl,
+      instructions: "Complete sign-in in your browser."
+    });
+    callbacks.onProgress?.("Waiting for browser sign-in…");
+    let code;
+    let tokenRedirectUri = SOCIAL_REDIRECT_URI;
+    let callbackResult = null;
+    if (callbacks.onManualCodeInput) {
+      let manualInput;
+      let manualError;
+      const manualPromise = callbacks.onManualCodeInput().then((input) => {
+        manualInput = input;
+        callbackServer.cancelWait();
+      }).catch((err) => {
+        manualError = err instanceof Error ? err : new Error(String(err));
+        callbackServer.cancelWait();
+      });
+      callbackResult = await callbackServer.waitForCode();
+      if (manualError)
+        throw manualError;
+      if (callbackResult?.loginOption !== "awsidc" || !callbackResult.issuerUrl) {
+        if (callbackResult?.code) {
+          code = callbackResult.code;
+          tokenRedirectUri = buildTokenRedirectUri(callbackResult.callbackPath, callbackResult.loginOption);
+        } else if (manualInput) {
+          code = parseAuthRedirectInput(manualInput).code;
+        }
+        if (!code) {
+          await manualPromise;
+          if (manualError)
+            throw manualError;
+          if (manualInput) {
+            code = parseAuthRedirectInput(manualInput).code;
+          }
+        }
+      }
+    } else {
+      callbackResult = await callbackServer.waitForCode();
+      if (callbackResult?.code) {
+        code = callbackResult.code;
+        tokenRedirectUri = buildTokenRedirectUri(callbackResult.callbackPath, callbackResult.loginOption);
+      }
+    }
+    if (callbackResult?.loginOption === "awsidc" && callbackResult.issuerUrl) {
+      callbacks.onProgress?.("Enterprise sign-in detected — starting device authorization…");
+      const idcRegion = callbackResult.idcRegion || BUILDER_ID_REGION;
+      const wrappedCallbacks = {
+        ...callbacks,
+        onAuth: (info) => {
+          callbackServer.setIdcVerifyUrl(info.url);
+          if (info.instructions) {
+            callbacks.onProgress?.(info.instructions);
+          }
+        }
+      };
+      try {
+        return await runDeviceCodeFlow(wrappedCallbacks, callbackResult.issuerUrl, [idcRegion], "idc");
+      } finally {
+        callbackServer.server.close();
+      }
+    }
+    if (!code) {
+      const input = await callbacks.onPrompt({
+        message: "Paste the authorization code or the full redirect URL:",
+        placeholder: SOCIAL_REDIRECT_URI
+      });
+      code = parseAuthRedirectInput(input).code;
+    }
+    if (!code) {
+      throw new Error("Missing authorization code — sign-in was not completed");
+    }
+    callbacks.onProgress?.("Exchanging authorization code…");
+    const resp = await fetch(`${KIRO_SOCIAL_AUTH_ENDPOINT}/oauth/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json", "User-Agent": "pi-kiro" },
+      body: JSON.stringify({
+        code,
+        code_verifier: verifier,
+        redirect_uri: tokenRedirectUri
+      })
+    });
+    if (!resp.ok) {
+      const body = await resp.text().catch(() => "");
+      throw new Error(`Token exchange failed: ${resp.status} ${body}`);
+    }
+    const data = await resp.json();
+    if (!data.accessToken || !data.refreshToken) {
+      throw new Error("Token exchange returned no tokens");
+    }
+    if (data.profileArn) {
+      try {
+        const apiRegion = resolveApiRegion(BUILDER_ID_REGION);
+        const apiModels = await fetchAvailableModels(data.accessToken, apiRegion, data.profileArn);
+        setCachedDynamicModels(buildModelsFromApi(apiModels));
+        log.info(`Fetched and cached ${apiModels.length} models after social sign-in`);
+      } catch (err) {
+        log.warn(`Failed to fetch models after social sign-in: ${err}`);
+      }
+    }
+    return {
+      refresh: `${data.refreshToken}|||social`,
+      access: data.accessToken,
+      expires: Date.now() + (data.expiresIn ?? 3600) * 1000 - EXPIRES_BUFFER_MS,
+      clientId: "",
+      clientSecret: "",
+      region: BUILDER_ID_REGION,
+      authMethod: "social",
+      profileArn: data.profileArn
+    };
+  } finally {
+    callbackServer.server.close();
+  }
+}
 async function loginKiro(callbacks) {
   const method = await callbacks.onSelect({
     message: "Select login method:",
@@ -1111,7 +1544,7 @@ async function loginKiro(callbacks) {
     return loginDesktopManual(callbacks);
   }
   if (method === "builder-id") {
-    return runDeviceCodeFlow(callbacks, BUILDER_ID_START_URL, [BUILDER_ID_REGION], "builder-id");
+    return runSocialSignInFlow(callbacks);
   }
   const startUrl = (await callbacks.onPrompt({
     message: "Paste your IAM Identity Center start URL:",
@@ -1208,6 +1641,27 @@ Complete authorization within 10 minutes.`
   if (!tok.accessToken || !tok.refreshToken) {
     throw new Error("Authorization completed but no tokens returned");
   }
+  callbacks.onProgress?.("Resolving Kiro profile…");
+  let profileArn;
+  try {
+    const apiRegion = resolveApiRegion(detectedRegion);
+    const resolved = await resolveProfileArn(tok.accessToken, apiRegion);
+    if (resolved) {
+      profileArn = resolved;
+      log.info(`Resolved profileArn during login: ${profileArn}`);
+      try {
+        const apiModels = await fetchAvailableModels(tok.accessToken, apiRegion, profileArn);
+        setCachedDynamicModels(buildModelsFromApi(apiModels));
+        log.info(`Fetched and cached ${apiModels.length} models after login`);
+      } catch (err) {
+        log.warn(`Failed to fetch models during login: ${err}`);
+      }
+    } else {
+      log.warn("Could not resolve profileArn during login");
+    }
+  } catch (err) {
+    log.warn(`Failed to resolve profileArn during login: ${err}`);
+  }
   return {
     refresh: `${tok.refreshToken}|${result.clientId}|${result.clientSecret}|${authMethod}`,
     access: tok.accessToken,
@@ -1215,7 +1669,8 @@ Complete authorization within 10 minutes.`
     clientId: result.clientId,
     clientSecret: result.clientSecret,
     region: detectedRegion,
-    authMethod
+    authMethod,
+    ...profileArn ? { profileArn } : {}
   };
 }
 async function syncBackToKiroCli(result) {
@@ -1229,7 +1684,7 @@ async function syncBackToKiroCli(result) {
       accessToken: result.access,
       refreshToken: result.refresh.split("|")[0] ?? "",
       region: result.region,
-      authMethod: result.authMethod === "builder-id" ? "idc" : result.authMethod,
+      authMethod: result.authMethod === "builder-id" || result.authMethod === "social" ? "desktop" : result.authMethod,
       source: result.kiroSyncSource,
       tokenKey: result.kiroSyncTokenKey
     });
@@ -1266,10 +1721,10 @@ async function refreshTokenInner(credentials) {
   if (!refreshToken || !region) {
     throw new Error("Refresh token is missing region — re-login required");
   }
-  if (authMethod !== "desktop" && (!clientId || !clientSecret)) {
+  if (authMethod !== "desktop" && authMethod !== "social" && (!clientId || !clientSecret)) {
     throw new Error("Refresh token is missing clientId/clientSecret — re-login required");
   }
-  if (authMethod === "desktop") {
+  if (authMethod === "desktop" || authMethod === "social") {
     const desktopEndpoint = `https://prod.${region}.auth.desktop.kiro.dev/refreshToken`;
     const resp2 = await fetch(desktopEndpoint, {
       method: "POST",
@@ -1281,10 +1736,23 @@ async function refreshTokenInner(credentials) {
       throw new Error(`Desktop token refresh failed: ${resp2.status} ${body}`);
     }
     const data2 = await resp2.json();
-    if (credentials.profileArn) {
+    let profileArn2 = credentials.profileArn;
+    if (!profileArn2) {
       try {
         const apiRegion = resolveApiRegion(region);
-        const apiModels = await fetchAvailableModels(data2.accessToken, apiRegion, credentials.profileArn);
+        const resolved = await resolveProfileArn(data2.accessToken, apiRegion);
+        if (resolved) {
+          profileArn2 = resolved;
+          log.info(`Resolved profileArn during desktop refresh: ${profileArn2}`);
+        }
+      } catch (err) {
+        log.warn(`Failed to resolve profileArn during desktop refresh: ${err}`);
+      }
+    }
+    if (profileArn2) {
+      try {
+        const apiRegion = resolveApiRegion(region);
+        const apiModels = await fetchAvailableModels(data2.accessToken, apiRegion, profileArn2);
         setCachedDynamicModels(buildModelsFromApi(apiModels));
         log.info(`Fetched and cached ${apiModels.length} models after desktop token refresh`);
       } catch (err) {
@@ -1292,14 +1760,14 @@ async function refreshTokenInner(credentials) {
       }
     }
     return {
-      refresh: `${data2.refreshToken}|||desktop`,
+      refresh: `${data2.refreshToken}|||${authMethod}`,
       access: data2.accessToken,
       expires: Date.now() + (data2.expiresIn ?? 3600) * 1000 - EXPIRES_BUFFER_MS,
       clientId: "",
       clientSecret: "",
       region,
-      authMethod: "desktop",
-      profileArn: credentials.profileArn,
+      authMethod,
+      profileArn: profileArn2,
       kiroSyncSource: credentials.kiroSyncSource,
       kiroSyncTokenKey: credentials.kiroSyncTokenKey
     };
@@ -1315,10 +1783,23 @@ async function refreshTokenInner(credentials) {
     throw new Error(`Token refresh failed: ${resp.status} ${body}`);
   }
   const data = await resp.json();
-  if (credentials.profileArn) {
+  let profileArn = credentials.profileArn;
+  if (!profileArn) {
     try {
       const apiRegion = resolveApiRegion(region);
-      const apiModels = await fetchAvailableModels(data.accessToken, apiRegion, credentials.profileArn);
+      const resolved = await resolveProfileArn(data.accessToken, apiRegion);
+      if (resolved) {
+        profileArn = resolved;
+        log.info(`Resolved profileArn during OIDC refresh: ${profileArn}`);
+      }
+    } catch (err) {
+      log.warn(`Failed to resolve profileArn during OIDC refresh: ${err}`);
+    }
+  }
+  if (profileArn) {
+    try {
+      const apiRegion = resolveApiRegion(region);
+      const apiModels = await fetchAvailableModels(data.accessToken, apiRegion, profileArn);
       setCachedDynamicModels(buildModelsFromApi(apiModels));
       log.info(`Fetched and cached ${apiModels.length} models after token refresh`);
     } catch (err) {
@@ -1333,15 +1814,15 @@ async function refreshTokenInner(credentials) {
     clientSecret,
     region,
     authMethod,
-    profileArn: credentials.profileArn,
+    profileArn,
     kiroSyncSource: credentials.kiroSyncSource,
     kiroSyncTokenKey: credentials.kiroSyncTokenKey
   };
 }
 async function refreshKiroToken(credentials) {
   const inputMethod = credentials.authMethod;
-  const authMethod = inputMethod === "builder-id" || inputMethod === "idc" || inputMethod === "desktop" ? inputMethod : "idc";
-  if (inputMethod !== undefined && inputMethod !== "builder-id" && inputMethod !== "idc" && inputMethod !== "desktop") {
+  const authMethod = inputMethod === "builder-id" || inputMethod === "idc" || inputMethod === "desktop" || inputMethod === "social" ? inputMethod : "idc";
+  if (inputMethod !== undefined && inputMethod !== "builder-id" && inputMethod !== "idc" && inputMethod !== "desktop" && inputMethod !== "social") {
     log.warn(`refreshKiroToken: unrecognized authMethod "${String(inputMethod)}" — defaulting to "idc"`);
   }
   const baseCreds = {
@@ -1872,7 +2353,7 @@ function countTokens(text) {
 }
 // src/transform.ts
-import { createHash } from "node:crypto";
+import { createHash as createHash2 } from "node:crypto";
 function normalizeMessages(messages) {
   return messages.filter((msg) => msg.role !== "assistant" || msg.stopReason !== "error" && msg.stopReason !== "aborted");
 }
@@ -1925,7 +2406,7 @@ var KIRO_TOOL_USE_ID_RE = /^tooluse_[A-Za-z0-9]+$/;
 function toKiroToolUseId(id) {
   if (KIRO_TOOL_USE_ID_RE.test(id))
     return id;
-  const digest = createHash("sha256").update(id).digest("hex").slice(0, 22);
+  const digest = createHash2("sha256").update(id).digest("hex").slice(0, 22);
   return `tooluse_${digest}`;
 }
 function convertImagesToKiro(images) {
@@ -3012,10 +3493,22 @@ function writeKiroCredentials(refreshed) {
     log.warn(`Failed to persist refreshed credentials: ${err}`);
   }
 }
+function writeKiroCredentialsPartial(fields) {
+  try {
+    const authPath = join2(homedir2(), ".pi", "agent", "auth.json");
+    const raw = existsSync2(authPath) ? readFileSync2(authPath, "utf-8") : "{}";
+    const data = JSON.parse(raw);
+    const existing = data["kiro"] ?? {};
+    data["kiro"] = { ...existing, ...fields };
+    writeFileSync(authPath, JSON.stringify(data, null, 2), { mode: 384 });
+  } catch (err) {
+    log.warn(`Failed to persist partial credentials: ${err}`);
+  }
+}
 async function extension_default(pi) {
   let modelDefs = toProviderModels(kiroModels);
   const creds = readKiroCredentials();
-  if (creds?.profileArn) {
+  if (creds?.access || creds?.refresh) {
     let accessToken = creds.access;
     if (creds.refresh) {
       try {
@@ -3027,16 +3520,34 @@ async function extension_default(pi) {
         log.warn(`Startup token refresh failed, trying with existing token: ${err}`);
       }
     }
-    try {
-      const apiRegion = resolveApiRegion(creds.region);
-      seedProfileArn(creds.profileArn);
-      const apiModels = await fetchAvailableModels(accessToken, apiRegion, creds.profileArn);
-      const dynamicDefs = buildModelsFromApi(apiModels);
-      setCachedDynamicModels(dynamicDefs);
-      modelDefs = toProviderModels(dynamicDefs);
-      log.info(`Loaded ${modelDefs.length} models dynamically from Kiro API`);
-    } catch (err) {
-      log.warn(`Failed to fetch models at startup, using hardcoded fallback: ${err}`);
+    let profileArn = creds.profileArn;
+    if (!profileArn && accessToken) {
+      try {
+        const apiRegion = resolveApiRegion(creds.region);
+        log.info("profileArn missing, resolving via ListAvailableProfiles…");
+        profileArn = await resolveProfileArn(accessToken, apiRegion) ?? undefined;
+        if (profileArn) {
+          log.info(`Resolved profileArn: ${profileArn}`);
+          writeKiroCredentialsPartial({ profileArn });
+        } else {
+          log.warn("Could not resolve profileArn — model fetch and streaming will fail");
+        }
+      } catch (err) {
+        log.warn(`profileArn resolution failed: ${err}`);
+      }
+    }
+    if (profileArn) {
+      seedProfileArn(profileArn);
+      try {
+        const apiRegion = resolveApiRegion(creds.region);
+        const apiModels = await fetchAvailableModels(accessToken, apiRegion, profileArn);
+        const dynamicDefs = buildModelsFromApi(apiModels);
+        setCachedDynamicModels(dynamicDefs);
+        modelDefs = toProviderModels(dynamicDefs);
+        log.info(`Loaded ${modelDefs.length} models dynamically from Kiro API`);
+      } catch (err) {
+        log.warn(`Failed to fetch models at startup, using hardcoded fallback: ${err}`);
+      }
     }
   } else {
     log.warn("Run 'kiro login' to authenticate and fetch models dynamically. Note: This extension does not have the same authentication mechanism as other Kiro tools.");