@jsonstudio/rcc 0.89.2239 → 0.90.1

package/dist/providers/auth/oauth-lifecycle.js

@@ -4,77 +4,28 @@ import fs from 'fs/promises';
 import fsSync from 'fs';
 import path from 'path';
 import os from 'os';
+import { spawnSync } from 'node:child_process';
 import { fetchIFlowUserInfo, mergeIFlowTokenData } from './iflow-userinfo-helper.js';
 import { fetchQwenUserInfo, mergeQwenTokenData } from './qwen-userinfo-helper.js';
 import { fetchGeminiCLIUserInfo, fetchGeminiCLIProjects, mergeGeminiCLITokenData, getDefaultProjectId } from './gemini-cli-userinfo-helper.js';
 import { parseTokenSequenceFromPath } from './token-scanner/index.js';
 import { logOAuthDebug } from './oauth-logger.js';
+import { formatOAuthErrorMessage } from './oauth-error-message.js';
 import { fetchAntigravityProjectId } from './antigravity-userinfo-helper.js';
 import { HTTP_PROTOCOLS, LOCAL_HOSTS } from '../../constants/index.js';
 import { withOAuthRepairEnv } from './oauth-repair-env.js';
 import { markInteractiveOAuthRepairAttempt, markInteractiveOAuthRepairSuccess, shouldSkipInteractiveOAuthRepair } from './oauth-repair-cooldown.js';
 import { openAuthInCamoufox } from '../core/config/camoufox-launcher.js';
-import { isGeminiCliFamily, resolveTokenFilePath, resolveCamoufoxAliasForAuth, resolveIflowCredentialCandidates } from './oauth-lifecycle/path-resolver.js';
-import { keyFor, shouldThrottle, updateThrottle, inFlight, interactiveTail } from './oauth-lifecycle/throttle.js';
+import { isGeminiCliFamily, resolveTokenFilePath, resolveCamoufoxAliasForAuth } from './oauth-lifecycle/path-resolver.js';
+import { keyFor, shouldThrottle, updateThrottle, lastRunAt, inFlight, interactiveTail } from './oauth-lifecycle/throttle.js';
 import { extractStatusCode, isGoogleAccountVerificationRequiredMessage, extractGoogleAccountVerificationUrl } from './oauth-lifecycle/error-detection.js';
 import { hasNonEmptyString, extractAccessToken, extractApiKey, hasApiKeyField, hasStableQwenApiKey, hasAccessToken, getExpiresAt, resolveProjectId, coerceExpiryTimestampSeconds, hasNoRefreshFlag, evaluateTokenState } from './oauth-lifecycle/token-helpers.js';
-import { normalizeGeminiCliAccountToken, sanitizeToken, readTokenFromFile, backupTokenFile, restoreTokenFileFromBackup, discardBackupFile, readRawTokenFile } from './oauth-lifecycle/token-io.js';
+import { normalizeGeminiCliAccountToken, sanitizeToken, readTokenFromFile, backupTokenFile, restoreTokenFileFromBackup, discardBackupFile, clearTokenFile, readRawTokenFile } from './oauth-lifecycle/token-io.js';
+const OAUTH_INTERACTIVE_LOCK_FILE = path.join(os.homedir(), '.routecodex', 'auth', '.oauth-interactive.lock.json');
+const IFLOW_AUTO_FAILURE_FILE = path.join(os.homedir(), '.routecodex', 'auth', '.iflow-auto-failures.json');
+const OAUTH_THROTTLE_WINDOW_MS = 60_000;
+const IFLOW_REFRESH_FAILURE_BACKOFF_MS = 5 * 60_000;
 const TOKEN_REFRESH_SKEW_MS = 60_000;
-async function selectBestIflowTokenCandidate(targetTokenFilePath) {
-    const targetResolved = path.resolve(targetTokenFilePath);
-    const candidates = resolveIflowCredentialCandidates();
-    let best = null;
-    for (const candidatePath of candidates) {
-        if (!candidatePath) {
-            continue;
-        }
-        const resolved = path.resolve(candidatePath);
-        if (resolved === targetResolved) {
-            continue;
-        }
-        const token = await readTokenFromFile(candidatePath);
-        if (!token) {
-            continue;
-        }
-        const state = evaluateTokenState(token, 'iflow');
-        if (!state.validAccess) {
-            continue;
-        }
-        const expiresAt = state.expiresAt ?? null;
-        if (!best) {
-            best = { token, sourcePath: candidatePath, expiresAt };
-            continue;
-        }
-        const bestExpiry = best.expiresAt ?? -1;
-        const currentExpiry = expiresAt ?? -1;
-        if (currentExpiry > bestExpiry) {
-            best = { token, sourcePath: candidatePath, expiresAt };
-        }
-    }
-    return best;
-}
-async function maybeAdoptIflowExternalToken(strategy, tokenFilePath, existingToken) {
-    const currentState = evaluateTokenState(existingToken, 'iflow');
-    if (currentState.validAccess) {
-        return existingToken;
-    }
-    const bestCandidate = await selectBestIflowTokenCandidate(tokenFilePath);
-    if (!bestCandidate) {
-        return existingToken;
-    }
-    // Keep per-alias token files in RouteCodex, but adopt fresh credentials from iFlow-native stores when available.
-    const prepared = await prepareTokenForStorage('iflow', tokenFilePath, bestCandidate.token);
-    if (typeof strategy.saveToken === 'function') {
-        await strategy.saveToken(prepared);
-    }
-    else {
-        await fs.mkdir(path.dirname(tokenFilePath), { recursive: true });
-        await fs.writeFile(tokenFilePath, `${JSON.stringify(prepared, null, 2)}\n`, 'utf8');
-    }
-    const normalized = sanitizeToken(prepared) ?? bestCandidate.token;
-    logOAuthDebug(`[OAuth] iflow token adopted from ${bestCandidate.sourcePath} -> ${tokenFilePath}`);
-    return normalized;
-}
 async function openGoogleAccountVerificationInCamoufox(args) {
     const providerType = args.providerType;
     const url = args.url;
@@ -126,6 +77,129 @@ async function openGoogleAccountVerificationInCamoufox(args) {
         }
     }
 }
+function isIflowRefreshEndpointRejectionMessage(message) {
+    const normalized = (message || '').toLowerCase();
+    if (!normalized) {
+        return false;
+    }
+    return (normalized.includes('oauth token endpoint rejected request') ||
+        (normalized.includes('token refresh failed') && normalized.includes('iflow.cn/oauth/token')));
+}
+function isIflowAkBlockedMessage(message) {
+    const normalized = (message || '').toLowerCase();
+    if (!normalized) {
+        return false;
+    }
+    return normalized.includes('access to the current ak has been blocked due to unauthorized requests');
+}
+function shouldClearIflowTokenOnRefreshFailure(message) {
+    const normalized = (message || '').toLowerCase();
+    if (!normalized) {
+        return false;
+    }
+    if (isIflowAkBlockedMessage(normalized)) {
+        return false;
+    }
+    if (normalized.includes('oauth error: invalid_grant')) {
+        return true;
+    }
+    if (normalized.includes('oauth error: invalid_client')) {
+        return true;
+    }
+    if (normalized.includes('oauth error: unauthorized_client')) {
+        return true;
+    }
+    if (normalized.includes('oauth error: invalid_request') &&
+        (normalized.includes('refresh token') ||
+            normalized.includes('refresh_token') ||
+            normalized.includes('client_id'))) {
+        return true;
+    }
+    return false;
+}
+function applyRefreshFailureBackoff(cacheKey, providerType, message) {
+    if (providerType !== 'iflow' || !isIflowRefreshEndpointRejectionMessage(message)) {
+        return;
+    }
+    // For iFlow refresh endpoint 500/generic failures, avoid hammering token endpoint
+    // from preflight/retry loops. Keep a longer cooldown before next refresh attempt.
+    lastRunAt.set(cacheKey, Date.now() + IFLOW_REFRESH_FAILURE_BACKOFF_MS - OAUTH_THROTTLE_WINDOW_MS);
+}
+function isElementMissingAutomationFailure(message) {
+    const normalized = String(message || '').toLowerCase();
+    if (!normalized) {
+        return false;
+    }
+    return (normalized.includes('element not found') ||
+        normalized.includes('element_not_found') ||
+        normalized.includes('required but not matched'));
+}
+async function runInteractiveRepairWithAutoFallback(args) {
+    const { providerType, auth, ensureValid, opts } = args;
+    const autoModeAtStart = String(process.env.ROUTECODEX_CAMOUFOX_AUTO_MODE || '').trim();
+    try {
+        await ensureValid(providerType, auth, opts);
+        return;
+    }
+    catch (error) {
+        if (!autoModeAtStart) {
+            throw error;
+        }
+        const msg = error instanceof Error ? error.message : String(error || '');
+        const selectorFailure = isElementMissingAutomationFailure(msg);
+        let tokenFilePath = '';
+        try {
+            tokenFilePath = resolveTokenFilePath(auth, providerType);
+        }
+        catch {
+            tokenFilePath = '';
+        }
+        if (tokenFilePath) {
+            closeOAuthAuthResources(providerType, tokenFilePath);
+        }
+        console.warn(`[OAuth] Camoufox auto OAuth failed (${providerType}, autoMode=${autoModeAtStart}): ${msg}. Falling back to headful manual mode once.`);
+        if (selectorFailure) {
+            console.warn(`[OAuth] Camoufox auto selector step failed; switched to headful manual mode (provider=${providerType}${tokenFilePath ? ` tokenFile=${tokenFilePath}` : ''}).`);
+        }
+    }
+    const prevAutoMode = process.env.ROUTECODEX_CAMOUFOX_AUTO_MODE;
+    const prevAutoConfirm = process.env.ROUTECODEX_OAUTH_AUTO_CONFIRM;
+    const prevDevMode = process.env.ROUTECODEX_CAMOUFOX_DEV_MODE;
+    const prevOpenOnly = process.env.ROUTECODEX_CAMOUFOX_OPEN_ONLY;
+    try {
+        delete process.env.ROUTECODEX_CAMOUFOX_AUTO_MODE;
+        delete process.env.ROUTECODEX_OAUTH_AUTO_CONFIRM;
+        process.env.ROUTECODEX_CAMOUFOX_DEV_MODE = '1';
+        process.env.ROUTECODEX_CAMOUFOX_OPEN_ONLY = '1';
+        await ensureValid(providerType, auth, opts);
+    }
+    finally {
+        if (prevAutoMode === undefined) {
+            delete process.env.ROUTECODEX_CAMOUFOX_AUTO_MODE;
+        }
+        else {
+            process.env.ROUTECODEX_CAMOUFOX_AUTO_MODE = prevAutoMode;
+        }
+        if (prevAutoConfirm === undefined) {
+            delete process.env.ROUTECODEX_OAUTH_AUTO_CONFIRM;
+        }
+        else {
+            process.env.ROUTECODEX_OAUTH_AUTO_CONFIRM = prevAutoConfirm;
+        }
+        if (prevDevMode === undefined) {
+            delete process.env.ROUTECODEX_CAMOUFOX_DEV_MODE;
+        }
+        else {
+            process.env.ROUTECODEX_CAMOUFOX_DEV_MODE = prevDevMode;
+        }
+        if (prevOpenOnly === undefined) {
+            delete process.env.ROUTECODEX_CAMOUFOX_OPEN_ONLY;
+        }
+        else {
+            process.env.ROUTECODEX_CAMOUFOX_OPEN_ONLY = prevOpenOnly;
+        }
+    }
+}
 function isOAuthConfig(auth) {
     return Boolean(auth && typeof auth.type === 'string' && auth.type.toLowerCase().includes('oauth'));
 }
@@ -396,7 +470,7 @@ function buildHeaderOverrides(defaults, providerType) {
     if (providerType === 'iflow') {
         return {
             ...baseHeaders,
-            'User-Agent': 'iflow-cli/2.0',
+            'User-Agent': 'iFlow-Cli',
             'X-Requested-With': 'XMLHttpRequest',
             'Origin': 'https://iflow.cn',
             'Referer': 'https://iflow.cn/oauth',
@@ -489,7 +563,7 @@ async function maybeEnrichToken(providerType, tokenData, tokenFilePath) {
             return mergeQwenTokenData(tokenData, userInfo);
         }
         catch (error) {
-            const msg = error instanceof Error ? error.message : String(error);
+            const msg = formatOAuthErrorMessage(error);
             // If userInfo endpoint is unavailable (404), treat access_token as api_key to avoid repeated lookups.
             if (/\bHTTP\s+404\b/i.test(msg) || /\bnot\s+found\b/i.test(msg)) {
                 logOAuthDebug('[OAuth] Qwen: userInfo endpoint unavailable (404); using access_token as api_key fallback');
@@ -511,7 +585,7 @@ async function maybeEnrichToken(providerType, tokenData, tokenFilePath) {
             return mergeIFlowTokenData(tokenData, userInfo);
         }
         catch (error) {
-            console.error(`[OAuth] iFlow: failed to fetch API Key - ${error instanceof Error ? error.message : String(error)}`);
+            console.error(`[OAuth] iFlow: failed to fetch API Key - ${formatOAuthErrorMessage(error)}`);
             return tokenData;
         }
     }
@@ -532,7 +606,7 @@ async function maybeEnrichToken(providerType, tokenData, tokenFilePath) {
             return merged;
         }
         catch (error) {
-            const msg = error instanceof Error ? error.message : String(error);
+            const msg = formatOAuthErrorMessage(error);
             console.error(`[OAuth] Antigravity: failed to fetch metadata - ${msg}`);
             const normalized = msg.toLowerCase();
             const isAuthError = normalized.includes('401') ||
@@ -560,7 +634,7 @@ async function maybeEnrichToken(providerType, tokenData, tokenFilePath) {
                 projects = await fetchGeminiCLIProjects(accessToken);
             }
             catch (projectsError) {
-                const msg = projectsError instanceof Error ? projectsError.message : String(projectsError);
+                const msg = formatOAuthErrorMessage(projectsError);
                 console.error(`[OAuth] ${label}: failed to fetch Projects - ${msg}`);
                 projects = [];
             }
@@ -580,7 +654,7 @@ async function maybeEnrichToken(providerType, tokenData, tokenFilePath) {
             return merged;
         }
         catch (error) {
-            const msg = error instanceof Error ? error.message : String(error);
+            const msg = formatOAuthErrorMessage(error);
             console.error(`[OAuth] ${label}: failed to fetch UserInfo - ${msg}`);
             // 将明确的 401/invalid token 视为凭证失效，由调用方决定是否触发重新授权。
             const normalized = msg.toLowerCase();
@@ -615,6 +689,255 @@ function logOAuthSetup(providerType, defaults, overrides, endpoints, client, tok
 function createStrategy(providerType, overrides, tokenFilePath) {
     return createProviderOAuthStrategy(providerType, overrides, tokenFilePath);
 }
+function resolveCamoCommand() {
+    const configured = String(process.env.ROUTECODEX_CAMO_CLI_PATH || process.env.RCC_CAMO_CLI_PATH || '').trim();
+    return configured || 'camo';
+}
+function isTruthyFlag(value) {
+    const raw = String(value || '').trim().toLowerCase();
+    return raw === '1' || raw === 'true' || raw === 'yes' || raw === 'on';
+}
+function resolveOAuthProfileId(providerType, tokenFilePath) {
+    const parsed = parseTokenSequenceFromPath(tokenFilePath);
+    const alias = String(parsed?.alias || 'default').trim().toLowerCase();
+    const normalizedAlias = alias.replace(/[^a-z0-9._-]+/gi, '-');
+    const normalizedProvider = String(providerType || '').trim().toLowerCase();
+    const providerFamily = normalizedProvider === 'gemini-cli' || normalizedProvider === 'antigravity'
+        ? 'gemini'
+        : normalizedProvider;
+    const base = providerFamily ? `${providerFamily}.${normalizedAlias || 'default'}` : (normalizedAlias || 'default');
+    const profile = `rc-${base}`;
+    return profile.length > 64 ? profile.slice(0, 64) : profile;
+}
+function closeOAuthAuthResources(providerType, tokenFilePath) {
+    const profileId = resolveOAuthProfileId(providerType, tokenFilePath);
+    try {
+        const result = spawnSync(resolveCamoCommand(), ['stop', profileId], {
+            stdio: 'ignore',
+            env: process.env
+        });
+        if (result.status === 0) {
+            logOAuthDebug(`[OAuth] auth cleanup: stopped camo profile=${profileId}`);
+        }
+        else {
+            logOAuthDebug(`[OAuth] auth cleanup: camo stop profile=${profileId} status=${result.status ?? 'n/a'}`);
+        }
+    }
+    catch (error) {
+        logOAuthDebug(`[OAuth] auth cleanup failed profile=${profileId}: ${error instanceof Error ? error.message : String(error)}`);
+    }
+}
+function shouldAutoCloseOAuthBrowserSession() {
+    const raw = String(process.env.ROUTECODEX_OAUTH_AUTO_CLOSE_BROWSER ??
+        process.env.RCC_OAUTH_AUTO_CLOSE_BROWSER ??
+        '').trim().toLowerCase();
+    if (!raw) {
+        // Default: keep browser session alive and rely on camo idle-timeout cleanup.
+        return false;
+    }
+    return raw === '1' || raw === 'true' || raw === 'yes' || raw === 'on';
+}
+function readInteractiveOAuthLock() {
+    try {
+        if (!fsSync.existsSync(OAUTH_INTERACTIVE_LOCK_FILE)) {
+            return null;
+        }
+        const raw = fsSync.readFileSync(OAUTH_INTERACTIVE_LOCK_FILE, 'utf8');
+        const parsed = JSON.parse(raw);
+        if (!parsed || typeof parsed !== 'object') {
+            return null;
+        }
+        const node = parsed;
+        if (typeof node.pid !== 'number' || typeof node.tokenFile !== 'string' || typeof node.providerType !== 'string') {
+            return null;
+        }
+        return {
+            pid: node.pid,
+            tokenFile: node.tokenFile,
+            providerType: node.providerType,
+            startedAt: typeof node.startedAt === 'number' ? node.startedAt : Date.now(),
+            callbackPort: typeof node.callbackPort === 'number' ? node.callbackPort : undefined
+        };
+    }
+    catch {
+        return null;
+    }
+}
+function isSameInteractiveOAuthLock(left, right) {
+    return (left.pid === right.pid &&
+        left.providerType === right.providerType &&
+        path.resolve(left.tokenFile) === path.resolve(right.tokenFile));
+}
+function isProcessAlive(pid) {
+    if (!Number.isFinite(pid) || pid <= 0) {
+        return false;
+    }
+    try {
+        process.kill(pid, 0);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+async function forceReclaimInteractiveOAuthLock(lock) {
+    try {
+        const existing = readInteractiveOAuthLock();
+        if (!existing || !isSameInteractiveOAuthLock(existing, lock)) {
+            return false;
+        }
+        await fs.unlink(OAUTH_INTERACTIVE_LOCK_FILE);
+        logOAuthDebug(`[OAuth] interactive lock reclaimed pid=${lock.pid} token=${lock.tokenFile} provider=${lock.providerType}`);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+async function notifyOAuthLockCancel(lock) {
+    if (!lock.callbackPort || !Number.isFinite(lock.callbackPort) || lock.callbackPort <= 0) {
+        return;
+    }
+    const url = `http://127.0.0.1:${lock.callbackPort}/oauth2callback?error=cancelled_by_new_auth`;
+    try {
+        await fetch(url, { method: 'GET' });
+        logOAuthDebug(`[OAuth] interactive lock cancel signal sent port=${lock.callbackPort}`);
+    }
+    catch (error) {
+        logOAuthDebug(`[OAuth] interactive lock cancel signal failed port=${lock.callbackPort}: ${error instanceof Error ? error.message : String(error)}`);
+    }
+}
+async function acquireInteractiveOAuthLock(providerType, tokenFilePath) {
+    await fs.mkdir(path.dirname(OAUTH_INTERACTIVE_LOCK_FILE), { recursive: true });
+    const current = {
+        pid: process.pid,
+        providerType,
+        tokenFile: path.resolve(tokenFilePath),
+        startedAt: Date.now()
+    };
+    const maxAttempts = 20;
+    for (let attempt = 1; attempt <= maxAttempts; attempt += 1) {
+        try {
+            await fs.writeFile(OAUTH_INTERACTIVE_LOCK_FILE, `${JSON.stringify(current, null, 2)}\n`, { flag: 'wx' });
+            process.env.ROUTECODEX_OAUTH_INTERACTIVE_LOCK_FILE = OAUTH_INTERACTIVE_LOCK_FILE;
+            return () => {
+                try {
+                    const lock = readInteractiveOAuthLock();
+                    if (lock && lock.pid === process.pid && path.resolve(lock.tokenFile) === current.tokenFile) {
+                        fsSync.unlinkSync(OAUTH_INTERACTIVE_LOCK_FILE);
+                    }
+                }
+                catch {
+                    // ignore release errors
+                }
+                finally {
+                    if (process.env.ROUTECODEX_OAUTH_INTERACTIVE_LOCK_FILE === OAUTH_INTERACTIVE_LOCK_FILE) {
+                        delete process.env.ROUTECODEX_OAUTH_INTERACTIVE_LOCK_FILE;
+                    }
+                }
+            };
+        }
+        catch (error) {
+            const code = error?.code || '';
+            if (code !== 'EEXIST') {
+                throw error;
+            }
+            const existing = readInteractiveOAuthLock();
+            if (!existing) {
+                try {
+                    await fs.unlink(OAUTH_INTERACTIVE_LOCK_FILE);
+                }
+                catch {
+                    // ignore
+                }
+                continue;
+            }
+            if (!isProcessAlive(existing.pid)) {
+                try {
+                    await fs.unlink(OAUTH_INTERACTIVE_LOCK_FILE);
+                }
+                catch {
+                    // ignore
+                }
+                continue;
+            }
+            const sameToken = path.resolve(existing.tokenFile) === current.tokenFile;
+            if (sameToken) {
+                await notifyOAuthLockCancel(existing);
+                await new Promise((resolve) => setTimeout(resolve, 300));
+                const afterCancel = readInteractiveOAuthLock();
+                const stuckOnSameLock = !!afterCancel && isSameInteractiveOAuthLock(afterCancel, existing);
+                if (stuckOnSameLock) {
+                    const lockAgeMs = Math.max(0, Date.now() - (afterCancel.startedAt || Date.now()));
+                    const shouldForceReclaim = attempt >= 3 || lockAgeMs >= 15_000;
+                    if (shouldForceReclaim) {
+                        await forceReclaimInteractiveOAuthLock(afterCancel);
+                    }
+                }
+                continue;
+            }
+            throw new Error(`Interactive OAuth is already running for token=${existing.tokenFile}. Concurrent auth is disabled.`);
+        }
+    }
+    throw new Error('Failed to acquire interactive OAuth lock after multiple attempts');
+}
+function readIflowAutoFailureState() {
+    try {
+        if (!fsSync.existsSync(IFLOW_AUTO_FAILURE_FILE)) {
+            return {};
+        }
+        const raw = fsSync.readFileSync(IFLOW_AUTO_FAILURE_FILE, 'utf8');
+        const parsed = JSON.parse(raw);
+        if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
+            return {};
+        }
+        return parsed;
+    }
+    catch {
+        return {};
+    }
+}
+function writeIflowAutoFailureState(state) {
+    try {
+        fsSync.mkdirSync(path.dirname(IFLOW_AUTO_FAILURE_FILE), { recursive: true });
+        fsSync.writeFileSync(IFLOW_AUTO_FAILURE_FILE, `${JSON.stringify(state, null, 2)}\n`, 'utf8');
+    }
+    catch {
+        // ignore persistence failures
+    }
+}
+function resolveIflowFailureKey(tokenFilePath) {
+    return path.resolve(tokenFilePath);
+}
+function clearIflowAutoFailureState(tokenFilePath) {
+    const state = readIflowAutoFailureState();
+    const key = resolveIflowFailureKey(tokenFilePath);
+    if (!state[key]) {
+        return;
+    }
+    delete state[key];
+    writeIflowAutoFailureState(state);
+}
+function markIflowAutoFailureState(tokenFilePath, maxAttempts, errorText) {
+    const state = readIflowAutoFailureState();
+    const key = resolveIflowFailureKey(tokenFilePath);
+    const previous = state[key];
+    const nextCount = (previous?.count || 0) + 1;
+    const record = {
+        count: nextCount,
+        manualRequired: nextCount >= maxAttempts,
+        updatedAt: Date.now(),
+        lastError: errorText
+    };
+    state[key] = record;
+    writeIflowAutoFailureState(state);
+    return record;
+}
+function getIflowAutoFailureState(tokenFilePath) {
+    const state = readIflowAutoFailureState();
+    const key = resolveIflowFailureKey(tokenFilePath);
+    return state[key] || null;
+}
 async function runInteractiveAuthorizationFlow(providerType, overrides, tokenFilePath, openBrowser, forceTokenReset, forceReauth) {
     const execute = async () => {
         let backupFile = null;
@@ -633,6 +956,10 @@ async function runInteractiveAuthorizationFlow(providerType, overrides, tokenFil
                 await finalizeTokenWrite(providerType, strategy, tokenFilePath, authed, 'acquired');
             }
             await discardBackupFile(backupFile);
+            if (openBrowser && shouldAutoCloseOAuthBrowserSession()) {
+                // Optional: close only after token is fully written; never close browser on failed auth.
+                closeOAuthAuthResources(providerType, tokenFilePath);
+            }
         }
         catch (error) {
             await restoreTokenFileFromBackup(backupFile, tokenFilePath);
@@ -650,10 +977,12 @@ async function runInteractiveAuthorizationFlow(providerType, overrides, tokenFil
     })
         .then(async () => {
         logOAuthDebug(`[OAuth] interactive queue enter ${label}`);
+        const releaseLock = await acquireInteractiveOAuthLock(providerType, tokenFilePath);
         try {
             await execute();
         }
         finally {
+            releaseLock();
             logOAuthDebug(`[OAuth] interactive queue leave ${label}`);
         }
     });
@@ -662,6 +991,12 @@ async function runInteractiveAuthorizationFlow(providerType, overrides, tokenFil
 }
 async function runIflowAuthorizationSequence(providerType, overrides, tokenFilePath, forceReauth) {
     const authCodeOverrides = { ...overrides, flowType: OAuthFlowType.AUTHORIZATION_CODE };
+    const autoMode = String(process.env.ROUTECODEX_CAMOUFOX_AUTO_MODE || '').trim().toLowerCase();
+    if (autoMode === 'iflow') {
+        // Auto mode should stay single-path to keep retry lifecycle deterministic.
+        await executeAuthFlow(providerType, authCodeOverrides, tokenFilePath, forceReauth);
+        return;
+    }
     try {
         await executeAuthFlow(providerType, authCodeOverrides, tokenFilePath, forceReauth);
         return;
@@ -673,9 +1008,58 @@ async function runIflowAuthorizationSequence(providerType, overrides, tokenFileP
     await executeAuthFlow(providerType, deviceOverrides, tokenFilePath, forceReauth);
 }
 async function executeAuthFlow(providerType, overrides, tokenFilePath, forceReauth) {
-    const strategy = createStrategy(providerType, overrides, tokenFilePath);
-    const authed = await strategy.authenticate?.({ openBrowser: true, forceReauthorize: forceReauth });
-    await finalizeTokenWrite(providerType, strategy, tokenFilePath, authed, overrides.flowType ? `acquired (${String(overrides.flowType)})` : 'acquired');
+    const runOnce = async () => {
+        const strategy = createStrategy(providerType, overrides, tokenFilePath);
+        const authed = await strategy.authenticate?.({ openBrowser: true, forceReauthorize: forceReauth });
+        await finalizeTokenWrite(providerType, strategy, tokenFilePath, authed, overrides.flowType ? `acquired (${String(overrides.flowType)})` : 'acquired');
+    };
+    const autoMode = String(process.env.ROUTECODEX_CAMOUFOX_AUTO_MODE || '').trim().toLowerCase();
+    const iflowAutoEnabled = providerType === 'iflow' && autoMode === 'iflow';
+    if (!iflowAutoEnabled) {
+        await runOnce();
+        if (providerType === 'iflow') {
+            clearIflowAutoFailureState(tokenFilePath);
+        }
+        return;
+    }
+    const headfulMode = isTruthyFlag(process.env.ROUTECODEX_CAMOUFOX_DEV_MODE);
+    const maxAutoAttemptsRaw = Number.parseInt(String(process.env.ROUTECODEX_IFLOW_AUTO_MAX_ATTEMPTS || '').trim(), 10);
+    const maxAutoAttempts = Number.isFinite(maxAutoAttemptsRaw) && maxAutoAttemptsRaw > 0 ? maxAutoAttemptsRaw : 3;
+    const retryDelayRaw = Number.parseInt(String(process.env.ROUTECODEX_IFLOW_AUTO_RETRY_DELAY_MS || '').trim(), 10);
+    const retryDelayMs = Number.isFinite(retryDelayRaw) && retryDelayRaw >= 0 ? retryDelayRaw : 1000;
+    // Headful run is considered manual trigger; successful manual run clears auto failure gate.
+    if (headfulMode) {
+        await runOnce();
+        clearIflowAutoFailureState(tokenFilePath);
+        return;
+    }
+    const existingFailure = getIflowAutoFailureState(tokenFilePath);
+    if (existingFailure?.manualRequired) {
+        throw new Error(`[OAuth] iflow auto auth is disabled for token=${tokenFilePath} after ${existingFailure.count} failures. Manual trigger required.`);
+    }
+    let lastError = null;
+    for (let attempt = 1; attempt <= maxAutoAttempts; attempt += 1) {
+        try {
+            await runOnce();
+            clearIflowAutoFailureState(tokenFilePath);
+            return;
+        }
+        catch (error) {
+            lastError = error;
+            const msg = error instanceof Error ? error.message : String(error || '');
+            const record = markIflowAutoFailureState(tokenFilePath, maxAutoAttempts, msg);
+            logOAuthDebug(`[OAuth] iflow auto auth attempt ${attempt}/${maxAutoAttempts} failed: ${msg} ` +
+                `(failureCount=${record.count} manualRequired=${record.manualRequired ? '1' : '0'})`);
+            if (attempt < maxAutoAttempts) {
+                await new Promise((resolve) => setTimeout(resolve, retryDelayMs));
+            }
+        }
+    }
+    const finalRecord = getIflowAutoFailureState(tokenFilePath);
+    if (finalRecord?.manualRequired) {
+        throw new Error(`[OAuth] iflow auto auth failed ${finalRecord.count} times; manual trigger is required and auto retries are suspended.`);
+    }
+    throw (lastError instanceof Error ? lastError : new Error(String(lastError || 'iflow auto auth failed')));
 }
 export async function ensureValidOAuthToken(providerType, auth, opts = {}) {
     if (!isOAuthConfig(auth)) {
@@ -714,9 +1098,6 @@ export async function ensureValidOAuthToken(providerType, auth, opts = {}) {
         logOAuthSetup(providerType, defaults, overrides, endpoints, client, tokenFilePath, openBrowser, forceReauth);
         const strategy = createStrategy(providerType, overrides, tokenFilePath);
         let token = await readTokenFromFile(tokenFilePath);
-        if (providerType === 'iflow') {
-            token = await maybeAdoptIflowExternalToken(strategy, tokenFilePath, token);
-        }
         const hadExistingTokenFile = token !== null;
         // Qwen: ensure api_key is present even when access_token is still valid.
         // Qwen OpenAI-compatible endpoints may require api_key (not access_token) for business requests.
@@ -787,13 +1168,27 @@ export async function ensureValidOAuthToken(providerType, auth, opts = {}) {
                 return;
             }
             catch (error) {
+                const message = error instanceof Error ? error.message : String(error || '');
+                applyRefreshFailureBackoff(cacheKey, providerType, message);
+                if (providerType === 'iflow' && shouldClearIflowTokenOnRefreshFailure(message)) {
+                    // Only clear token file for permanent refresh-credential failures.
+                    await clearTokenFile(tokenFilePath);
+                }
                 if (!opts.forceReacquireIfRefreshFails) {
                     throw error;
                 }
+                logOAuthDebug(`[OAuth] refresh failed (${providerType}): ${message}`);
                 logOAuthDebug('[OAuth] refresh failed, attempting interactive authorization...');
             }
         }
         try {
+            const flowTypeRaw = String(overrides.flowType || defaults.flowType || '').trim().toLowerCase();
+            const authorizationCodeFlow = flowTypeRaw === String(OAuthFlowType.AUTHORIZATION_CODE).trim().toLowerCase();
+            if (!openBrowser && authorizationCodeFlow) {
+                // Non-interactive contexts must never enter auth-code callback/manual prompts.
+                // Let callers decide whether to retry in explicit interactive mode.
+                throw new Error(`[OAuth] interactive authorization requires openBrowser=true for ${providerType} (flow=${flowTypeRaw || 'authorization_code'})`);
+            }
             await runInteractiveAuthorizationFlow(providerType, overrides, tokenFilePath, openBrowser, forceReauth || hadExistingTokenFile, forceReauth);
             updateThrottle(cacheKey);
         }
@@ -868,22 +1263,25 @@ export async function handleUpstreamInvalidOAuthToken(providerType, auth, upstre
                 }
                 return false;
             }
-            try {
-                await withOAuthRepairEnv(providerType, async () => {
-                    await ensureValid(providerType, auth, {
-                        forceReacquireIfRefreshFails: false,
-                        openBrowser: false,
-                        forceReauthorize: false
+            const refreshRejectedForIflow = pt === 'iflow' && isIflowRefreshEndpointRejectionMessage(lower);
+            if (!refreshRejectedForIflow) {
+                try {
+                    await withOAuthRepairEnv(providerType, async () => {
+                        await ensureValid(providerType, auth, {
+                            forceReacquireIfRefreshFails: false,
+                            openBrowser: false,
+                            forceReauthorize: false
+                        });
                     });
-                });
-                await markInteractiveOAuthRepairSuccess({
-                    providerType,
-                    tokenFile: tokenFilePath
-                });
-                return true;
-            }
-            catch {
-                // ignore silent refresh errors; fall through to background interactive flow
+                    await markInteractiveOAuthRepairSuccess({
+                        providerType,
+                        tokenFile: tokenFilePath
+                    });
+                    return true;
+                }
+                catch {
+                    // ignore silent refresh errors; fall through to background interactive flow
+                }
             }
             const interactiveOpts = {
                 forceReacquireIfRefreshFails: true,
@@ -893,7 +1291,12 @@ export async function handleUpstreamInvalidOAuthToken(providerType, auth, upstre
                 forceReauthorize: pt === 'gemini' || pt === 'gemini-cli' || pt === 'antigravity' || pt === 'iflow' || pt === 'qwen'
             };
             void withOAuthRepairEnv(providerType, async () => {
-                await ensureValid(providerType, auth, interactiveOpts);
+                await runInteractiveRepairWithAutoFallback({
+                    providerType,
+                    auth,
+                    ensureValid,
+                    opts: interactiveOpts
+                });
             }).catch(() => {
                 // background repair failure must never block requests
             });
@@ -907,7 +1310,12 @@ export async function handleUpstreamInvalidOAuthToken(providerType, auth, upstre
             forceReauthorize: pt === 'gemini' || pt === 'gemini-cli' || pt === 'antigravity' || pt === 'iflow' || pt === 'qwen'
         };
         await withOAuthRepairEnv(providerType, async () => {
-            await ensureValid(providerType, auth, opts);
+            await runInteractiveRepairWithAutoFallback({
+                providerType,
+                auth,
+                ensureValid,
+                opts
+            });
         });
         await markInteractiveOAuthRepairSuccess({
             providerType,
@@ -928,6 +1336,10 @@ export function shouldTriggerInteractiveOAuthRepair(providerType, upstreamError)
             : String(upstreamError || '');
     const lower = msg.toLowerCase();
     const statusCode = extractStatusCode(upstreamError);
+    if (pt === 'iflow' && (statusCode === 434 || isIflowAkBlockedMessage(lower))) {
+        // iFlow 434 是账号级封禁，必须人工恢复，不走自动修复。
+        return false;
+    }
     // 基本令牌失效判定：只看典型 OAuth 文案
     let looksInvalid = /invalid[_-]?token|invalid[_-]?grant|unauthenticated|unauthorized|token has expired|access token expired/.test(lower);
     // 对于 iflow / qwen，保留基于 401/403 的宽松判定，避免破坏既有行为。
@@ -938,6 +1350,9 @@ export function shouldTriggerInteractiveOAuthRepair(providerType, upstreamError)
             looksInvalid = true;
         }
     }
+    if (!looksInvalid && pt === 'iflow' && isIflowRefreshEndpointRejectionMessage(lower)) {
+        looksInvalid = true;
+    }
     // 对于 gemini / gemini-cli / antigravity，排除纯服务开关类错误，
     // 但如果明确提示缺少 project_id 或需要重新 OAuth，则视为令牌失效。
     if (pt === 'gemini' || pt === 'gemini-cli' || pt === 'antigravity') {