npm - @jsonstudio/rcc - Versions diffs - 0.89.2202 → 0.90.1 - Mend

@jsonstudio/rcc 0.89.2202 → 0.90.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (260) hide show

package/dist/providers/auth/oauth-lifecycle.js CHANGED Viewed

@@ -4,77 +4,28 @@ import fs from 'fs/promises';
 import fsSync from 'fs';
 import path from 'path';
 import os from 'os';
+import { spawnSync } from 'node:child_process';
 import { fetchIFlowUserInfo, mergeIFlowTokenData } from './iflow-userinfo-helper.js';
 import { fetchQwenUserInfo, mergeQwenTokenData } from './qwen-userinfo-helper.js';
 import { fetchGeminiCLIUserInfo, fetchGeminiCLIProjects, mergeGeminiCLITokenData, getDefaultProjectId } from './gemini-cli-userinfo-helper.js';
 import { parseTokenSequenceFromPath } from './token-scanner/index.js';
 import { logOAuthDebug } from './oauth-logger.js';
+import { formatOAuthErrorMessage } from './oauth-error-message.js';
 import { fetchAntigravityProjectId } from './antigravity-userinfo-helper.js';
 import { HTTP_PROTOCOLS, LOCAL_HOSTS } from '../../constants/index.js';
 import { withOAuthRepairEnv } from './oauth-repair-env.js';
 import { markInteractiveOAuthRepairAttempt, markInteractiveOAuthRepairSuccess, shouldSkipInteractiveOAuthRepair } from './oauth-repair-cooldown.js';
 import { openAuthInCamoufox } from '../core/config/camoufox-launcher.js';
-import { isGeminiCliFamily, resolveTokenFilePath, resolveCamoufoxAliasForAuth, resolveIflowCredentialCandidates } from './oauth-lifecycle/path-resolver.js';
-import { keyFor, shouldThrottle, updateThrottle, inFlight, interactiveTail } from './oauth-lifecycle/throttle.js';
+import { isGeminiCliFamily, resolveTokenFilePath, resolveCamoufoxAliasForAuth } from './oauth-lifecycle/path-resolver.js';
+import { keyFor, shouldThrottle, updateThrottle, lastRunAt, inFlight, interactiveTail } from './oauth-lifecycle/throttle.js';
 import { extractStatusCode, isGoogleAccountVerificationRequiredMessage, extractGoogleAccountVerificationUrl } from './oauth-lifecycle/error-detection.js';
 import { hasNonEmptyString, extractAccessToken, extractApiKey, hasApiKeyField, hasStableQwenApiKey, hasAccessToken, getExpiresAt, resolveProjectId, coerceExpiryTimestampSeconds, hasNoRefreshFlag, evaluateTokenState } from './oauth-lifecycle/token-helpers.js';
-import { normalizeGeminiCliAccountToken, sanitizeToken, readTokenFromFile, backupTokenFile, restoreTokenFileFromBackup, discardBackupFile, readRawTokenFile } from './oauth-lifecycle/token-io.js';
+import { normalizeGeminiCliAccountToken, sanitizeToken, readTokenFromFile, backupTokenFile, restoreTokenFileFromBackup, discardBackupFile, clearTokenFile, readRawTokenFile } from './oauth-lifecycle/token-io.js';
+const OAUTH_INTERACTIVE_LOCK_FILE = path.join(os.homedir(), '.routecodex', 'auth', '.oauth-interactive.lock.json');
+const IFLOW_AUTO_FAILURE_FILE = path.join(os.homedir(), '.routecodex', 'auth', '.iflow-auto-failures.json');
+const OAUTH_THROTTLE_WINDOW_MS = 60_000;
+const IFLOW_REFRESH_FAILURE_BACKOFF_MS = 5 * 60_000;
 const TOKEN_REFRESH_SKEW_MS = 60_000;
-async function selectBestIflowTokenCandidate(targetTokenFilePath) {
-    const targetResolved = path.resolve(targetTokenFilePath);
-    const candidates = resolveIflowCredentialCandidates();
-    let best = null;
-    for (const candidatePath of candidates) {
-        if (!candidatePath) {
-            continue;
-        }
-        const resolved = path.resolve(candidatePath);
-        if (resolved === targetResolved) {
-            continue;
-        }
-        const token = await readTokenFromFile(candidatePath);
-        if (!token) {
-            continue;
-        }
-        const state = evaluateTokenState(token, 'iflow');
-        if (!state.validAccess) {
-            continue;
-        }
-        const expiresAt = state.expiresAt ?? null;
-        if (!best) {
-            best = { token, sourcePath: candidatePath, expiresAt };
-            continue;
-        }
-        const bestExpiry = best.expiresAt ?? -1;
-        const currentExpiry = expiresAt ?? -1;
-        if (currentExpiry > bestExpiry) {
-            best = { token, sourcePath: candidatePath, expiresAt };
-        }
-    }
-    return best;
-}
-async function maybeAdoptIflowExternalToken(strategy, tokenFilePath, existingToken) {
-    const currentState = evaluateTokenState(existingToken, 'iflow');
-    if (currentState.validAccess) {
-        return existingToken;
-    }
-    const bestCandidate = await selectBestIflowTokenCandidate(tokenFilePath);
-    if (!bestCandidate) {
-        return existingToken;
-    }
-    // Keep per-alias token files in RouteCodex, but adopt fresh credentials from iFlow-native stores when available.
-    const prepared = await prepareTokenForStorage('iflow', tokenFilePath, bestCandidate.token);
-    if (typeof strategy.saveToken === 'function') {
-        await strategy.saveToken(prepared);
-    }
-    else {
-        await fs.mkdir(path.dirname(tokenFilePath), { recursive: true });
-        await fs.writeFile(tokenFilePath, `${JSON.stringify(prepared, null, 2)}\n`, 'utf8');
-    }
-    const normalized = sanitizeToken(prepared) ?? bestCandidate.token;
-    logOAuthDebug(`[OAuth] iflow token adopted from ${bestCandidate.sourcePath} -> ${tokenFilePath}`);
-    return normalized;
-}
 async function openGoogleAccountVerificationInCamoufox(args) {
     const providerType = args.providerType;
     const url = args.url;
@@ -126,6 +77,129 @@ async function openGoogleAccountVerificationInCamoufox(args) {
         }
     }
 }
+function isIflowRefreshEndpointRejectionMessage(message) {
+    const normalized = (message || '').toLowerCase();
+    if (!normalized) {
+        return false;
+    }
+    return (normalized.includes('oauth token endpoint rejected request') ||
+        (normalized.includes('token refresh failed') && normalized.includes('iflow.cn/oauth/token')));
+}
+function isIflowAkBlockedMessage(message) {
+    const normalized = (message || '').toLowerCase();
+    if (!normalized) {
+        return false;
+    }
+    return normalized.includes('access to the current ak has been blocked due to unauthorized requests');
+}
+function shouldClearIflowTokenOnRefreshFailure(message) {
+    const normalized = (message || '').toLowerCase();
+    if (!normalized) {
+        return false;
+    }
+    if (isIflowAkBlockedMessage(normalized)) {
+        return false;
+    }
+    if (normalized.includes('oauth error: invalid_grant')) {
+        return true;
+    }
+    if (normalized.includes('oauth error: invalid_client')) {
+        return true;
+    }
+    if (normalized.includes('oauth error: unauthorized_client')) {
+        return true;
+    }
+    if (normalized.includes('oauth error: invalid_request') &&
+        (normalized.includes('refresh token') ||
+            normalized.includes('refresh_token') ||
+            normalized.includes('client_id'))) {
+        return true;
+    }
+    return false;
+}
+function applyRefreshFailureBackoff(cacheKey, providerType, message) {
+    if (providerType !== 'iflow' || !isIflowRefreshEndpointRejectionMessage(message)) {
+        return;
+    }
+    // For iFlow refresh endpoint 500/generic failures, avoid hammering token endpoint
+    // from preflight/retry loops. Keep a longer cooldown before next refresh attempt.
+    lastRunAt.set(cacheKey, Date.now() + IFLOW_REFRESH_FAILURE_BACKOFF_MS - OAUTH_THROTTLE_WINDOW_MS);
+}
+function isElementMissingAutomationFailure(message) {
+    const normalized = String(message || '').toLowerCase();
+    if (!normalized) {
+        return false;
+    }
+    return (normalized.includes('element not found') ||
+        normalized.includes('element_not_found') ||
+        normalized.includes('required but not matched'));
+}
+async function runInteractiveRepairWithAutoFallback(args) {
+    const { providerType, auth, ensureValid, opts } = args;
+    const autoModeAtStart = String(process.env.ROUTECODEX_CAMOUFOX_AUTO_MODE || '').trim();
+    try {
+        await ensureValid(providerType, auth, opts);
+        return;
+    }
+    catch (error) {
+        if (!autoModeAtStart) {
+            throw error;
+        }
+        const msg = error instanceof Error ? error.message : String(error || '');
+        const selectorFailure = isElementMissingAutomationFailure(msg);
+        let tokenFilePath = '';
+        try {
+            tokenFilePath = resolveTokenFilePath(auth, providerType);
+        }
+        catch {
+            tokenFilePath = '';
+        }
+        if (tokenFilePath) {
+            closeOAuthAuthResources(providerType, tokenFilePath);
+        }
+        console.warn(`[OAuth] Camoufox auto OAuth failed (${providerType}, autoMode=${autoModeAtStart}): ${msg}. Falling back to headful manual mode once.`);
+        if (selectorFailure) {
+            console.warn(`[OAuth] Camoufox auto selector step failed; switched to headful manual mode (provider=${providerType}${tokenFilePath ? ` tokenFile=${tokenFilePath}` : ''}).`);
+        }
+    }
+    const prevAutoMode = process.env.ROUTECODEX_CAMOUFOX_AUTO_MODE;
+    const prevAutoConfirm = process.env.ROUTECODEX_OAUTH_AUTO_CONFIRM;
+    const prevDevMode = process.env.ROUTECODEX_CAMOUFOX_DEV_MODE;
+    const prevOpenOnly = process.env.ROUTECODEX_CAMOUFOX_OPEN_ONLY;
+    try {
+        delete process.env.ROUTECODEX_CAMOUFOX_AUTO_MODE;
+        delete process.env.ROUTECODEX_OAUTH_AUTO_CONFIRM;
+        process.env.ROUTECODEX_CAMOUFOX_DEV_MODE = '1';
+        process.env.ROUTECODEX_CAMOUFOX_OPEN_ONLY = '1';
+        await ensureValid(providerType, auth, opts);
+    }
+    finally {
+        if (prevAutoMode === undefined) {
+            delete process.env.ROUTECODEX_CAMOUFOX_AUTO_MODE;
+        }
+        else {
+            process.env.ROUTECODEX_CAMOUFOX_AUTO_MODE = prevAutoMode;
+        }
+        if (prevAutoConfirm === undefined) {
+            delete process.env.ROUTECODEX_OAUTH_AUTO_CONFIRM;
+        }
+        else {
+            process.env.ROUTECODEX_OAUTH_AUTO_CONFIRM = prevAutoConfirm;
+        }
+        if (prevDevMode === undefined) {
+            delete process.env.ROUTECODEX_CAMOUFOX_DEV_MODE;
+        }
+        else {
+            process.env.ROUTECODEX_CAMOUFOX_DEV_MODE = prevDevMode;
+        }
+        if (prevOpenOnly === undefined) {
+            delete process.env.ROUTECODEX_CAMOUFOX_OPEN_ONLY;
+        }
+        else {
+            process.env.ROUTECODEX_CAMOUFOX_OPEN_ONLY = prevOpenOnly;
+        }
+    }
+}
 function isOAuthConfig(auth) {
     return Boolean(auth && typeof auth.type === 'string' && auth.type.toLowerCase().includes('oauth'));
 }
@@ -396,7 +470,7 @@ function buildHeaderOverrides(defaults, providerType) {
     if (providerType === 'iflow') {
         return {
             ...baseHeaders,
-            'User-Agent': 'iflow-cli/2.0',
+            'User-Agent': 'iFlow-Cli',
             'X-Requested-With': 'XMLHttpRequest',
             'Origin': 'https://iflow.cn',
             'Referer': 'https://iflow.cn/oauth',
@@ -489,7 +563,7 @@ async function maybeEnrichToken(providerType, tokenData, tokenFilePath) {
             return mergeQwenTokenData(tokenData, userInfo);
         }
         catch (error) {
-            const msg = error instanceof Error ? error.message : String(error);
+            const msg = formatOAuthErrorMessage(error);
             // If userInfo endpoint is unavailable (404), treat access_token as api_key to avoid repeated lookups.
             if (/\bHTTP\s+404\b/i.test(msg) || /\bnot\s+found\b/i.test(msg)) {
                 logOAuthDebug('[OAuth] Qwen: userInfo endpoint unavailable (404); using access_token as api_key fallback');
@@ -511,7 +585,7 @@ async function maybeEnrichToken(providerType, tokenData, tokenFilePath) {
             return mergeIFlowTokenData(tokenData, userInfo);
         }
         catch (error) {
-            console.error(`[OAuth] iFlow: failed to fetch API Key - ${error instanceof Error ? error.message : String(error)}`);
+            console.error(`[OAuth] iFlow: failed to fetch API Key - ${formatOAuthErrorMessage(error)}`);
             return tokenData;
         }
     }
@@ -532,7 +606,7 @@ async function maybeEnrichToken(providerType, tokenData, tokenFilePath) {
             return merged;
         }
         catch (error) {
-            const msg = error instanceof Error ? error.message : String(error);
+            const msg = formatOAuthErrorMessage(error);
             console.error(`[OAuth] Antigravity: failed to fetch metadata - ${msg}`);
             const normalized = msg.toLowerCase();
             const isAuthError = normalized.includes('401') ||
@@ -560,7 +634,7 @@ async function maybeEnrichToken(providerType, tokenData, tokenFilePath) {
                 projects = await fetchGeminiCLIProjects(accessToken);
             }
             catch (projectsError) {
-                const msg = projectsError instanceof Error ? projectsError.message : String(projectsError);
+                const msg = formatOAuthErrorMessage(projectsError);
                 console.error(`[OAuth] ${label}: failed to fetch Projects - ${msg}`);
                 projects = [];
             }
@@ -580,7 +654,7 @@ async function maybeEnrichToken(providerType, tokenData, tokenFilePath) {
             return merged;
         }
         catch (error) {
-            const msg = error instanceof Error ? error.message : String(error);
+            const msg = formatOAuthErrorMessage(error);
             console.error(`[OAuth] ${label}: failed to fetch UserInfo - ${msg}`);
             // 将明确的 401/invalid token 视为凭证失效，由调用方决定是否触发重新授权。
             const normalized = msg.toLowerCase();
@@ -615,6 +689,255 @@ function logOAuthSetup(providerType, defaults, overrides, endpoints, client, tok
 function createStrategy(providerType, overrides, tokenFilePath) {
     return createProviderOAuthStrategy(providerType, overrides, tokenFilePath);
 }
+function resolveCamoCommand() {
+    const configured = String(process.env.ROUTECODEX_CAMO_CLI_PATH || process.env.RCC_CAMO_CLI_PATH || '').trim();
+    return configured || 'camo';
+}
+function isTruthyFlag(value) {
+    const raw = String(value || '').trim().toLowerCase();
+    return raw === '1' || raw === 'true' || raw === 'yes' || raw === 'on';
+}
+function resolveOAuthProfileId(providerType, tokenFilePath) {
+    const parsed = parseTokenSequenceFromPath(tokenFilePath);
+    const alias = String(parsed?.alias || 'default').trim().toLowerCase();
+    const normalizedAlias = alias.replace(/[^a-z0-9._-]+/gi, '-');
+    const normalizedProvider = String(providerType || '').trim().toLowerCase();
+    const providerFamily = normalizedProvider === 'gemini-cli' || normalizedProvider === 'antigravity'
+        ? 'gemini'
+        : normalizedProvider;
+    const base = providerFamily ? `${providerFamily}.${normalizedAlias || 'default'}` : (normalizedAlias || 'default');
+    const profile = `rc-${base}`;
+    return profile.length > 64 ? profile.slice(0, 64) : profile;
+}
+function closeOAuthAuthResources(providerType, tokenFilePath) {
+    const profileId = resolveOAuthProfileId(providerType, tokenFilePath);
+    try {
+        const result = spawnSync(resolveCamoCommand(), ['stop', profileId], {
+            stdio: 'ignore',
+            env: process.env
+        });
+        if (result.status === 0) {
+            logOAuthDebug(`[OAuth] auth cleanup: stopped camo profile=${profileId}`);
+        }
+        else {
+            logOAuthDebug(`[OAuth] auth cleanup: camo stop profile=${profileId} status=${result.status ?? 'n/a'}`);
+        }
+    }
+    catch (error) {
+        logOAuthDebug(`[OAuth] auth cleanup failed profile=${profileId}: ${error instanceof Error ? error.message : String(error)}`);
+    }
+}
+function shouldAutoCloseOAuthBrowserSession() {
+    const raw = String(process.env.ROUTECODEX_OAUTH_AUTO_CLOSE_BROWSER ??
+        process.env.RCC_OAUTH_AUTO_CLOSE_BROWSER ??
+        '').trim().toLowerCase();
+    if (!raw) {
+        // Default: keep browser session alive and rely on camo idle-timeout cleanup.
+        return false;
+    }
+    return raw === '1' || raw === 'true' || raw === 'yes' || raw === 'on';
+}
+function readInteractiveOAuthLock() {
+    try {
+        if (!fsSync.existsSync(OAUTH_INTERACTIVE_LOCK_FILE)) {
+            return null;
+        }
+        const raw = fsSync.readFileSync(OAUTH_INTERACTIVE_LOCK_FILE, 'utf8');
+        const parsed = JSON.parse(raw);
+        if (!parsed || typeof parsed !== 'object') {
+            return null;
+        }
+        const node = parsed;
+        if (typeof node.pid !== 'number' || typeof node.tokenFile !== 'string' || typeof node.providerType !== 'string') {
+            return null;
+        }
+        return {
+            pid: node.pid,
+            tokenFile: node.tokenFile,
+            providerType: node.providerType,
+            startedAt: typeof node.startedAt === 'number' ? node.startedAt : Date.now(),
+            callbackPort: typeof node.callbackPort === 'number' ? node.callbackPort : undefined
+        };
+    }
+    catch {
+        return null;
+    }
+}
+function isSameInteractiveOAuthLock(left, right) {
+    return (left.pid === right.pid &&
+        left.providerType === right.providerType &&
+        path.resolve(left.tokenFile) === path.resolve(right.tokenFile));
+}
+function isProcessAlive(pid) {
+    if (!Number.isFinite(pid) || pid <= 0) {
+        return false;
+    }
+    try {
+        process.kill(pid, 0);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+async function forceReclaimInteractiveOAuthLock(lock) {
+    try {
+        const existing = readInteractiveOAuthLock();
+        if (!existing || !isSameInteractiveOAuthLock(existing, lock)) {
+            return false;
+        }
+        await fs.unlink(OAUTH_INTERACTIVE_LOCK_FILE);
+        logOAuthDebug(`[OAuth] interactive lock reclaimed pid=${lock.pid} token=${lock.tokenFile} provider=${lock.providerType}`);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+async function notifyOAuthLockCancel(lock) {
+    if (!lock.callbackPort || !Number.isFinite(lock.callbackPort) || lock.callbackPort <= 0) {
+        return;
+    }
+    const url = `http://127.0.0.1:${lock.callbackPort}/oauth2callback?error=cancelled_by_new_auth`;
+    try {
+        await fetch(url, { method: 'GET' });
+        logOAuthDebug(`[OAuth] interactive lock cancel signal sent port=${lock.callbackPort}`);
+    }
+    catch (error) {
+        logOAuthDebug(`[OAuth] interactive lock cancel signal failed port=${lock.callbackPort}: ${error instanceof Error ? error.message : String(error)}`);
+    }
+}
+async function acquireInteractiveOAuthLock(providerType, tokenFilePath) {
+    await fs.mkdir(path.dirname(OAUTH_INTERACTIVE_LOCK_FILE), { recursive: true });
+    const current = {
+        pid: process.pid,
+        providerType,
+        tokenFile: path.resolve(tokenFilePath),
+        startedAt: Date.now()
+    };
+    const maxAttempts = 20;
+    for (let attempt = 1; attempt <= maxAttempts; attempt += 1) {
+        try {
+            await fs.writeFile(OAUTH_INTERACTIVE_LOCK_FILE, `${JSON.stringify(current, null, 2)}\n`, { flag: 'wx' });
+            process.env.ROUTECODEX_OAUTH_INTERACTIVE_LOCK_FILE = OAUTH_INTERACTIVE_LOCK_FILE;
+            return () => {
+                try {
+                    const lock = readInteractiveOAuthLock();
+                    if (lock && lock.pid === process.pid && path.resolve(lock.tokenFile) === current.tokenFile) {
+                        fsSync.unlinkSync(OAUTH_INTERACTIVE_LOCK_FILE);
+                    }
+                }
+                catch {
+                    // ignore release errors
+                }
+                finally {
+                    if (process.env.ROUTECODEX_OAUTH_INTERACTIVE_LOCK_FILE === OAUTH_INTERACTIVE_LOCK_FILE) {
+                        delete process.env.ROUTECODEX_OAUTH_INTERACTIVE_LOCK_FILE;
+                    }
+                }
+            };
+        }
+        catch (error) {
+            const code = error?.code || '';
+            if (code !== 'EEXIST') {
+                throw error;
+            }
+            const existing = readInteractiveOAuthLock();
+            if (!existing) {
+                try {
+                    await fs.unlink(OAUTH_INTERACTIVE_LOCK_FILE);
+                }
+                catch {
+                    // ignore
+                }
+                continue;
+            }
+            if (!isProcessAlive(existing.pid)) {
+                try {
+                    await fs.unlink(OAUTH_INTERACTIVE_LOCK_FILE);
+                }
+                catch {
+                    // ignore
+                }
+                continue;
+            }
+            const sameToken = path.resolve(existing.tokenFile) === current.tokenFile;
+            if (sameToken) {
+                await notifyOAuthLockCancel(existing);
+                await new Promise((resolve) => setTimeout(resolve, 300));
+                const afterCancel = readInteractiveOAuthLock();
+                const stuckOnSameLock = !!afterCancel && isSameInteractiveOAuthLock(afterCancel, existing);
+                if (stuckOnSameLock) {
+                    const lockAgeMs = Math.max(0, Date.now() - (afterCancel.startedAt || Date.now()));
+                    const shouldForceReclaim = attempt >= 3 || lockAgeMs >= 15_000;
+                    if (shouldForceReclaim) {
+                        await forceReclaimInteractiveOAuthLock(afterCancel);
+                    }
+                }
+                continue;
+            }
+            throw new Error(`Interactive OAuth is already running for token=${existing.tokenFile}. Concurrent auth is disabled.`);
+        }
+    }
+    throw new Error('Failed to acquire interactive OAuth lock after multiple attempts');
+}
+function readIflowAutoFailureState() {
+    try {
+        if (!fsSync.existsSync(IFLOW_AUTO_FAILURE_FILE)) {
+            return {};
+        }
+        const raw = fsSync.readFileSync(IFLOW_AUTO_FAILURE_FILE, 'utf8');
+        const parsed = JSON.parse(raw);
+        if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
+            return {};
+        }
+        return parsed;
+    }
+    catch {
+        return {};
+    }
+}
+function writeIflowAutoFailureState(state) {
+    try {
+        fsSync.mkdirSync(path.dirname(IFLOW_AUTO_FAILURE_FILE), { recursive: true });
+        fsSync.writeFileSync(IFLOW_AUTO_FAILURE_FILE, `${JSON.stringify(state, null, 2)}\n`, 'utf8');
+    }
+    catch {
+        // ignore persistence failures
+    }
+}
+function resolveIflowFailureKey(tokenFilePath) {
+    return path.resolve(tokenFilePath);
+}
+function clearIflowAutoFailureState(tokenFilePath) {
+    const state = readIflowAutoFailureState();
+    const key = resolveIflowFailureKey(tokenFilePath);
+    if (!state[key]) {
+        return;
+    }
+    delete state[key];
+    writeIflowAutoFailureState(state);
+}
+function markIflowAutoFailureState(tokenFilePath, maxAttempts, errorText) {
+    const state = readIflowAutoFailureState();
+    const key = resolveIflowFailureKey(tokenFilePath);
+    const previous = state[key];
+    const nextCount = (previous?.count || 0) + 1;
+    const record = {
+        count: nextCount,
+        manualRequired: nextCount >= maxAttempts,
+        updatedAt: Date.now(),
+        lastError: errorText
+    };
+    state[key] = record;
+    writeIflowAutoFailureState(state);
+    return record;
+}
+function getIflowAutoFailureState(tokenFilePath) {
+    const state = readIflowAutoFailureState();
+    const key = resolveIflowFailureKey(tokenFilePath);
+    return state[key] || null;
+}
 async function runInteractiveAuthorizationFlow(providerType, overrides, tokenFilePath, openBrowser, forceTokenReset, forceReauth) {
     const execute = async () => {
         let backupFile = null;
@@ -633,6 +956,10 @@ async function runInteractiveAuthorizationFlow(providerType, overrides, tokenFil
                 await finalizeTokenWrite(providerType, strategy, tokenFilePath, authed, 'acquired');
             }
             await discardBackupFile(backupFile);
+            if (openBrowser && shouldAutoCloseOAuthBrowserSession()) {
+                // Optional: close only after token is fully written; never close browser on failed auth.
+                closeOAuthAuthResources(providerType, tokenFilePath);
+            }
         }
         catch (error) {
             await restoreTokenFileFromBackup(backupFile, tokenFilePath);
@@ -650,10 +977,12 @@ async function runInteractiveAuthorizationFlow(providerType, overrides, tokenFil
     })
         .then(async () => {
         logOAuthDebug(`[OAuth] interactive queue enter ${label}`);
+        const releaseLock = await acquireInteractiveOAuthLock(providerType, tokenFilePath);
         try {
             await execute();
         }
         finally {
+            releaseLock();
             logOAuthDebug(`[OAuth] interactive queue leave ${label}`);
         }
     });
@@ -662,6 +991,12 @@ async function runInteractiveAuthorizationFlow(providerType, overrides, tokenFil
 }
 async function runIflowAuthorizationSequence(providerType, overrides, tokenFilePath, forceReauth) {
     const authCodeOverrides = { ...overrides, flowType: OAuthFlowType.AUTHORIZATION_CODE };
+    const autoMode = String(process.env.ROUTECODEX_CAMOUFOX_AUTO_MODE || '').trim().toLowerCase();
+    if (autoMode === 'iflow') {
+        // Auto mode should stay single-path to keep retry lifecycle deterministic.
+        await executeAuthFlow(providerType, authCodeOverrides, tokenFilePath, forceReauth);
+        return;
+    }
     try {
         await executeAuthFlow(providerType, authCodeOverrides, tokenFilePath, forceReauth);
         return;
@@ -673,9 +1008,58 @@ async function runIflowAuthorizationSequence(providerType, overrides, tokenFileP
     await executeAuthFlow(providerType, deviceOverrides, tokenFilePath, forceReauth);
 }
 async function executeAuthFlow(providerType, overrides, tokenFilePath, forceReauth) {
-    const strategy = createStrategy(providerType, overrides, tokenFilePath);
-    const authed = await strategy.authenticate?.({ openBrowser: true, forceReauthorize: forceReauth });
-    await finalizeTokenWrite(providerType, strategy, tokenFilePath, authed, overrides.flowType ? `acquired (${String(overrides.flowType)})` : 'acquired');
+    const runOnce = async () => {
+        const strategy = createStrategy(providerType, overrides, tokenFilePath);
+        const authed = await strategy.authenticate?.({ openBrowser: true, forceReauthorize: forceReauth });
+        await finalizeTokenWrite(providerType, strategy, tokenFilePath, authed, overrides.flowType ? `acquired (${String(overrides.flowType)})` : 'acquired');
+    };
+    const autoMode = String(process.env.ROUTECODEX_CAMOUFOX_AUTO_MODE || '').trim().toLowerCase();
+    const iflowAutoEnabled = providerType === 'iflow' && autoMode === 'iflow';
+    if (!iflowAutoEnabled) {
+        await runOnce();
+        if (providerType === 'iflow') {
+            clearIflowAutoFailureState(tokenFilePath);
+        }
+        return;
+    }
+    const headfulMode = isTruthyFlag(process.env.ROUTECODEX_CAMOUFOX_DEV_MODE);
+    const maxAutoAttemptsRaw = Number.parseInt(String(process.env.ROUTECODEX_IFLOW_AUTO_MAX_ATTEMPTS || '').trim(), 10);
+    const maxAutoAttempts = Number.isFinite(maxAutoAttemptsRaw) && maxAutoAttemptsRaw > 0 ? maxAutoAttemptsRaw : 3;
+    const retryDelayRaw = Number.parseInt(String(process.env.ROUTECODEX_IFLOW_AUTO_RETRY_DELAY_MS || '').trim(), 10);
+    const retryDelayMs = Number.isFinite(retryDelayRaw) && retryDelayRaw >= 0 ? retryDelayRaw : 1000;
+    // Headful run is considered manual trigger; successful manual run clears auto failure gate.
+    if (headfulMode) {
+        await runOnce();
+        clearIflowAutoFailureState(tokenFilePath);
+        return;
+    }
+    const existingFailure = getIflowAutoFailureState(tokenFilePath);
+    if (existingFailure?.manualRequired) {
+        throw new Error(`[OAuth] iflow auto auth is disabled for token=${tokenFilePath} after ${existingFailure.count} failures. Manual trigger required.`);
+    }
+    let lastError = null;
+    for (let attempt = 1; attempt <= maxAutoAttempts; attempt += 1) {
+        try {
+            await runOnce();
+            clearIflowAutoFailureState(tokenFilePath);
+            return;
+        }
+        catch (error) {
+            lastError = error;
+            const msg = error instanceof Error ? error.message : String(error || '');
+            const record = markIflowAutoFailureState(tokenFilePath, maxAutoAttempts, msg);
+            logOAuthDebug(`[OAuth] iflow auto auth attempt ${attempt}/${maxAutoAttempts} failed: ${msg} ` +
+                `(failureCount=${record.count} manualRequired=${record.manualRequired ? '1' : '0'})`);
+            if (attempt < maxAutoAttempts) {
+                await new Promise((resolve) => setTimeout(resolve, retryDelayMs));
+            }
+        }
+    }
+    const finalRecord = getIflowAutoFailureState(tokenFilePath);
+    if (finalRecord?.manualRequired) {
+        throw new Error(`[OAuth] iflow auto auth failed ${finalRecord.count} times; manual trigger is required and auto retries are suspended.`);
+    }
+    throw (lastError instanceof Error ? lastError : new Error(String(lastError || 'iflow auto auth failed')));
 }
 export async function ensureValidOAuthToken(providerType, auth, opts = {}) {
     if (!isOAuthConfig(auth)) {
@@ -714,9 +1098,6 @@ export async function ensureValidOAuthToken(providerType, auth, opts = {}) {
         logOAuthSetup(providerType, defaults, overrides, endpoints, client, tokenFilePath, openBrowser, forceReauth);
         const strategy = createStrategy(providerType, overrides, tokenFilePath);
         let token = await readTokenFromFile(tokenFilePath);
-        if (providerType === 'iflow') {
-            token = await maybeAdoptIflowExternalToken(strategy, tokenFilePath, token);
-        }
         const hadExistingTokenFile = token !== null;
         // Qwen: ensure api_key is present even when access_token is still valid.
         // Qwen OpenAI-compatible endpoints may require api_key (not access_token) for business requests.
@@ -787,13 +1168,27 @@ export async function ensureValidOAuthToken(providerType, auth, opts = {}) {
                 return;
             }
             catch (error) {
+                const message = error instanceof Error ? error.message : String(error || '');
+                applyRefreshFailureBackoff(cacheKey, providerType, message);
+                if (providerType === 'iflow' && shouldClearIflowTokenOnRefreshFailure(message)) {
+                    // Only clear token file for permanent refresh-credential failures.
+                    await clearTokenFile(tokenFilePath);
+                }
                 if (!opts.forceReacquireIfRefreshFails) {
                     throw error;
                 }
+                logOAuthDebug(`[OAuth] refresh failed (${providerType}): ${message}`);
                 logOAuthDebug('[OAuth] refresh failed, attempting interactive authorization...');
             }
         }
         try {
+            const flowTypeRaw = String(overrides.flowType || defaults.flowType || '').trim().toLowerCase();
+            const authorizationCodeFlow = flowTypeRaw === String(OAuthFlowType.AUTHORIZATION_CODE).trim().toLowerCase();
+            if (!openBrowser && authorizationCodeFlow) {
+                // Non-interactive contexts must never enter auth-code callback/manual prompts.
+                // Let callers decide whether to retry in explicit interactive mode.
+                throw new Error(`[OAuth] interactive authorization requires openBrowser=true for ${providerType} (flow=${flowTypeRaw || 'authorization_code'})`);
+            }
             await runInteractiveAuthorizationFlow(providerType, overrides, tokenFilePath, openBrowser, forceReauth || hadExistingTokenFile, forceReauth);
             updateThrottle(cacheKey);
         }
@@ -868,22 +1263,25 @@ export async function handleUpstreamInvalidOAuthToken(providerType, auth, upstre
                 }
                 return false;
             }
-            try {
-                await withOAuthRepairEnv(providerType, async () => {
-                    await ensureValid(providerType, auth, {
-                        forceReacquireIfRefreshFails: false,
-                        openBrowser: false,
-                        forceReauthorize: false
+            const refreshRejectedForIflow = pt === 'iflow' && isIflowRefreshEndpointRejectionMessage(lower);
+            if (!refreshRejectedForIflow) {
+                try {
+                    await withOAuthRepairEnv(providerType, async () => {
+                        await ensureValid(providerType, auth, {
+                            forceReacquireIfRefreshFails: false,
+                            openBrowser: false,
+                            forceReauthorize: false
+                        });
                     });
-                });
-                await markInteractiveOAuthRepairSuccess({
-                    providerType,
-                    tokenFile: tokenFilePath
-                });
-                return true;
-            }
-            catch {
-                // ignore silent refresh errors; fall through to background interactive flow
+                    await markInteractiveOAuthRepairSuccess({
+                        providerType,
+                        tokenFile: tokenFilePath
+                    });
+                    return true;
+                }
+                catch {
+                    // ignore silent refresh errors; fall through to background interactive flow
+                }
             }
             const interactiveOpts = {
                 forceReacquireIfRefreshFails: true,
@@ -893,7 +1291,12 @@ export async function handleUpstreamInvalidOAuthToken(providerType, auth, upstre
                 forceReauthorize: pt === 'gemini' || pt === 'gemini-cli' || pt === 'antigravity' || pt === 'iflow' || pt === 'qwen'
             };
             void withOAuthRepairEnv(providerType, async () => {
-                await ensureValid(providerType, auth, interactiveOpts);
+                await runInteractiveRepairWithAutoFallback({
+                    providerType,
+                    auth,
+                    ensureValid,
+                    opts: interactiveOpts
+                });
             }).catch(() => {
                 // background repair failure must never block requests
             });
@@ -907,7 +1310,12 @@ export async function handleUpstreamInvalidOAuthToken(providerType, auth, upstre
             forceReauthorize: pt === 'gemini' || pt === 'gemini-cli' || pt === 'antigravity' || pt === 'iflow' || pt === 'qwen'
         };
         await withOAuthRepairEnv(providerType, async () => {
-            await ensureValid(providerType, auth, opts);
+            await runInteractiveRepairWithAutoFallback({
+                providerType,
+                auth,
+                ensureValid,
+                opts
+            });
         });
         await markInteractiveOAuthRepairSuccess({
             providerType,
@@ -928,6 +1336,10 @@ export function shouldTriggerInteractiveOAuthRepair(providerType, upstreamError)
             : String(upstreamError || '');
     const lower = msg.toLowerCase();
     const statusCode = extractStatusCode(upstreamError);
+    if (pt === 'iflow' && (statusCode === 434 || isIflowAkBlockedMessage(lower))) {
+        // iFlow 434 是账号级封禁，必须人工恢复，不走自动修复。
+        return false;
+    }
     // 基本令牌失效判定：只看典型 OAuth 文案
     let looksInvalid = /invalid[_-]?token|invalid[_-]?grant|unauthenticated|unauthorized|token has expired|access token expired/.test(lower);
     // 对于 iflow / qwen，保留基于 401/403 的宽松判定，避免破坏既有行为。
@@ -938,6 +1350,9 @@ export function shouldTriggerInteractiveOAuthRepair(providerType, upstreamError)
             looksInvalid = true;
         }
     }
+    if (!looksInvalid && pt === 'iflow' && isIflowRefreshEndpointRejectionMessage(lower)) {
+        looksInvalid = true;
+    }
     // 对于 gemini / gemini-cli / antigravity，排除纯服务开关类错误，
     // 但如果明确提示缺少 project_id 或需要重新 OAuth，则视为令牌失效。
     if (pt === 'gemini' || pt === 'gemini-cli' || pt === 'antigravity') {