@jsonstudio/rcc 0.89.2239 → 0.90.1

package/dist/providers/core/config/camoufox-launcher.js

@@ -5,7 +5,15 @@ import path from 'node:path';
 import os from 'node:os';
 import { fileURLToPath } from 'node:url';
 import { logOAuthDebug } from '../../auth/oauth-logger.js';
+import { CAMO_CLICK_TARGETS, clickCamoGoogleAccountByHint, hasCamoGoogleSignInPrompt, clickCamoGoogleSignInBySelector, clickCamoTarget, ensureCamoProfile, getActiveCamoPageUrl, gotoCamoUrl, startCamoSession, setDefaultCamoProfile } from './camoufox-actions.js';
 const activeLaunchers = new Set();
+let lastCamoufoxLaunchFailureReason = null;
+function setCamoufoxLaunchFailureReason(reason) {
+    lastCamoufoxLaunchFailureReason = reason && reason.trim().length > 0 ? reason.trim() : null;
+}
+export function getLastCamoufoxLaunchFailureReason() {
+    return lastCamoufoxLaunchFailureReason;
+}
 function registerLauncher(child) {
     const handle = { child };
     activeLaunchers.add(handle);
@@ -160,6 +168,47 @@ function getProviderFamily(provider) {
     }
     return rawProvider;
 }
+function isDisabledFlag(value) {
+    const raw = String(value || '').trim().toLowerCase();
+    return raw === '0' || raw === 'false' || raw === 'no' || raw === 'off';
+}
+export function shouldPreferCamoCliForOAuth(provider) {
+    if (isDisabledFlag(process.env.ROUTECODEX_OAUTH_CAMO_CLI) || isDisabledFlag(process.env.RCC_OAUTH_CAMO_CLI)) {
+        return false;
+    }
+    void provider;
+    return true;
+}
+function resolveCamoCliCommand() {
+    const configured = String(process.env.ROUTECODEX_CAMO_CLI_PATH || process.env.RCC_CAMO_CLI_PATH || '').trim();
+    return configured || 'camo';
+}
+function runCamoCliCheck() {
+    try {
+        const result = spawnSync(resolveCamoCliCommand(), ['--help'], {
+            stdio: 'ignore'
+        });
+        const code = result.error?.code;
+        if (code === 'ENOENT') {
+            return false;
+        }
+        return result.status === 0;
+    }
+    catch {
+        return false;
+    }
+}
+export function shouldRepairCamoufoxFingerprintForOAuth(providerFamily, navigatorPlatform, hostPlatform = process.platform) {
+    const family = String(providerFamily || '').trim().toLowerCase();
+    const platform = String(navigatorPlatform || '').trim().toLowerCase();
+    if (hostPlatform !== 'darwin') {
+        return false;
+    }
+    if (platform !== 'win32') {
+        return false;
+    }
+    return family === 'gemini' || family === 'iflow' || family === 'qwen';
+}
 export function sanitizeCamouConfigForOAuth(provider, fingerprintEnv) {
     const env = { ...(fingerprintEnv || {}) };
     const raw = env.CAMOU_CONFIG_1;
@@ -180,8 +229,12 @@ export function sanitizeCamouConfigForOAuth(provider, fingerprintEnv) {
         return env;
     }
     const family = getProviderFamily(provider);
-    if (family === 'iflow' && Object.prototype.hasOwnProperty.call(parsed, 'timezone')) {
-        delete parsed.timezone;
+    if (family === 'iflow') {
+        // iFlow OAuth 页面在部分指纹下会因 header 覆盖导致页面乱码；OAuth 场景统一移除该覆盖。
+        delete parsed['headers.Accept-Encoding'];
+        if (Object.prototype.hasOwnProperty.call(parsed, 'timezone')) {
+            delete parsed.timezone;
+        }
         env.CAMOU_CONFIG_1 = JSON.stringify(parsed);
     }
     return env;
@@ -317,7 +370,7 @@ function runCamoufoxPathCheck() {
     return execution.result?.status === 0;
 }
 export function isCamoufoxAvailable() {
-    return runCamoufoxPathCheck();
+    return runCamoCliCheck();
 }
 function installCamoufox() {
     const execution = runPythonWithLaunchers((launcher) => [...launcher.argsPrefix, '-m', 'pip', 'install', '--user', '-U', 'camoufox'], { stdio: 'inherit' });
@@ -331,31 +384,11 @@ function installCamoufox() {
     return execution.result.status === 0;
 }
 function ensureCamoufoxInstalled() {
-    if (runCamoufoxPathCheck()) {
+    if (runCamoCliCheck()) {
         return true;
     }
-    const autoInstallRaw = String(process.env.ROUTECODEX_CAMOUFOX_AUTO_INSTALL ||
-        process.env.RCC_CAMOUFOX_AUTO_INSTALL ||
-        '1')
-        .trim()
-        .toLowerCase();
-    const autoInstallEnabled = autoInstallRaw !== '0' && autoInstallRaw !== 'false' && autoInstallRaw !== 'no';
-    if (!autoInstallEnabled) {
-        logOAuthDebug('[OAuth] Camoufox: auto-install disabled; camoufox not available');
-        return false;
-    }
-    console.warn('[OAuth] Camoufox not detected. Installing via Python launcher ...');
-    logOAuthDebug('[OAuth] Camoufox: python module not available, attempting install...');
-    const installed = installCamoufox();
-    if (!installed) {
-        logOAuthDebug('[OAuth] Camoufox: auto-install failed or Python launcher unavailable');
-        return false;
-    }
-    const ready = runCamoufoxPathCheck();
-    if (!ready) {
-        logOAuthDebug('[OAuth] Camoufox: install completed but camoufox path still unresolved');
-    }
-    return ready;
+    logOAuthDebug('[OAuth] camo-cli not available');
+    return false;
 }
 export function ensureCamoufoxInstalledForInit() {
     return ensureCamoufoxInstalled();
@@ -488,8 +521,9 @@ function ensureFingerprintEnv(profileId, provider, alias) {
     }
     const scriptPath = resolveGenFingerprintScriptPath();
     if (!scriptPath) {
-        logOAuthDebug('[OAuth] Camoufox: fingerprint generator script not found; falling back to default fingerprint');
-        return {};
+        logOAuthDebug('[OAuth] Camoufox: fingerprint generator script not found; creating minimal fingerprint env');
+        const osPolicy = computeOsPolicy(provider, alias);
+        return writeMinimalFingerprintEnv(profileId, osPolicy);
     }
     const osPolicy = computeOsPolicy(provider, alias);
     const fpRoot = getFingerprintRoot();
@@ -545,163 +579,487 @@ export function ensureCamoufoxFingerprintForToken(provider, alias) {
         // fingerprint generation failures are non-fatal for token scanning
     }
 }
-export async function openAuthInCamoufox(options) {
-    logOAuthDebug(`[OAuth] Camoufox: launch requested url=${options.url} provider=${options.provider ?? ''} alias=${options.alias ?? ''}`);
-    if (!ensureCamoufoxInstalled()) {
-        try {
-            console.warn('[OAuth] Camoufox not available (Python launcher check failed). Falling back to system browser.');
-        }
-        catch {
-            // ignore
+function isTruthyFlag(value) {
+    const raw = String(value || '').trim().toLowerCase();
+    return raw === '1' || raw === 'true' || raw === 'yes' || raw === 'on';
+}
+function parsePositiveInt(value, fallbackValue) {
+    const parsed = Number.parseInt(String(value || '').trim(), 10);
+    return Number.isFinite(parsed) && parsed > 0 ? parsed : fallbackValue;
+}
+function isTokenPortalUrl(rawUrl) {
+    if (!rawUrl || typeof rawUrl !== 'string') {
+        return false;
+    }
+    try {
+        const parsed = new URL(rawUrl);
+        const pathName = parsed.pathname || '';
+        return pathName === '/token-auth/demo' || pathName.startsWith('/token-auth/demo/');
+    }
+    catch {
+        return rawUrl.includes('/token-auth/demo');
+    }
+}
+function resolvePortalOauthUrl(rawUrl) {
+    if (!isTokenPortalUrl(rawUrl)) {
+        return null;
+    }
+    try {
+        const parsed = new URL(rawUrl);
+        const oauthUrl = parsed.searchParams.get('oauthUrl');
+        if (!oauthUrl || typeof oauthUrl !== 'string') {
+            return null;
         }
-        logOAuthDebug('[OAuth] Camoufox: installation missing; falling back to default browser');
+        const normalized = oauthUrl.trim();
+        return normalized || null;
+    }
+    catch {
+        return null;
+    }
+}
+async function maybeAdvanceTokenPortal(options) {
+    if (!isTokenPortalUrl(options.launchUrl)) {
+        return true;
+    }
+    const autoMode = String(process.env.ROUTECODEX_CAMOUFOX_AUTO_MODE || '').trim();
+    const autoModeEnabled = autoMode.length > 0;
+    if (!autoModeEnabled) {
+        return true;
+    }
+    const activeUrl = getActiveCamoPageUrl(options.actionContext);
+    if (activeUrl && !isTokenPortalUrl(activeUrl)) {
+        logOAuthDebug(`[OAuth] camo-cli portal advance skipped (active page is non-portal): ${activeUrl}`);
+        return true;
+    }
+    if (isTruthyFlag(process.env.ROUTECODEX_CAMOUFOX_OPEN_ONLY) || isTruthyFlag(process.env.RCC_CAMOUFOX_OPEN_ONLY)) {
+        logOAuthDebug('[OAuth] camo-cli portal advance skipped (open-only mode)');
+        return true;
+    }
+    const retryCount = parsePositiveInt(process.env.ROUTECODEX_CAMOUFOX_PORTAL_CLICK_RETRIES, autoModeEnabled ? 8 : 2);
+    const retryDelayMs = parsePositiveInt(process.env.ROUTECODEX_CAMOUFOX_PORTAL_CLICK_RETRY_DELAY_MS, 350);
+    return clickCamoTarget(options.actionContext, CAMO_CLICK_TARGETS.tokenPortalContinue, {
+        retries: retryCount,
+        retryDelayMs,
+        required: autoModeEnabled
+    });
+}
+function isIflowOAuthUrl(rawUrl) {
+    if (!rawUrl || typeof rawUrl !== 'string') {
         return false;
     }
-    const scriptPath = resolveCamoufoxScriptPath();
-    if (!scriptPath) {
-        try {
-            console.warn('[OAuth] Camoufox launcher script not found. Falling back to system browser.');
+    try {
+        const parsed = new URL(rawUrl);
+        return /(?:^|\.)iflow\.cn$/i.test(parsed.hostname) && parsed.pathname === '/oauth';
+    }
+    catch {
+        return rawUrl.includes('iflow.cn/oauth');
+    }
+}
+function isQwenAuthorizeUrl(rawUrl) {
+    if (!rawUrl || typeof rawUrl !== 'string') {
+        return false;
+    }
+    try {
+        const parsed = new URL(rawUrl);
+        return /(?:^|\.)chat\.qwen\.ai$/i.test(parsed.hostname) && parsed.pathname.startsWith('/authorize');
+    }
+    catch {
+        return rawUrl.includes('chat.qwen.ai/authorize');
+    }
+}
+function isGoogleAuthUrl(rawUrl) {
+    if (!rawUrl || typeof rawUrl !== 'string') {
+        return false;
+    }
+    try {
+        const parsed = new URL(rawUrl);
+        if (!/(?:^|\.)accounts\.google\.com$/i.test(parsed.hostname)) {
+            return false;
         }
-        catch {
-            // ignore
+        return parsed.pathname.includes('/signin/') || parsed.pathname.includes('/oauth');
+    }
+    catch {
+        return rawUrl.includes('accounts.google.com');
+    }
+}
+async function maybeAdvanceQwenAuthorization(options) {
+    const provider = String(options.provider || '').trim().toLowerCase();
+    if (provider !== 'qwen') {
+        return true;
+    }
+    let activeUrl = getActiveCamoPageUrl(options.actionContext);
+    if (activeUrl && !isQwenAuthorizeUrl(activeUrl) && isTokenPortalUrl(activeUrl)) {
+        const settleTimeoutMs = parsePositiveInt(process.env.ROUTECODEX_CAMOUFOX_QWEN_OAUTH_SETTLE_MS, 8000);
+        const pollIntervalMs = parsePositiveInt(process.env.ROUTECODEX_CAMOUFOX_QWEN_OAUTH_POLL_MS, 250);
+        const deadline = Date.now() + settleTimeoutMs;
+        while (Date.now() <= deadline) {
+            const currentUrl = getActiveCamoPageUrl(options.actionContext);
+            if (currentUrl) {
+                activeUrl = currentUrl;
+                if (isQwenAuthorizeUrl(currentUrl) || isGoogleAuthUrl(currentUrl)) {
+                    break;
+                }
+            }
+            await new Promise((resolve) => setTimeout(resolve, pollIntervalMs));
+        }
+    }
+    if (!activeUrl || !isQwenAuthorizeUrl(activeUrl)) {
+        return true;
+    }
+    const autoMode = String(process.env.ROUTECODEX_CAMOUFOX_AUTO_MODE || '').trim().toLowerCase();
+    const autoModeEnabled = autoMode === 'qwen';
+    if (!autoModeEnabled) {
+        return true;
+    }
+    const retryCount = parsePositiveInt(process.env.ROUTECODEX_CAMOUFOX_QWEN_CLICK_RETRIES, autoModeEnabled ? 6 : 2);
+    const retryDelayMs = parsePositiveInt(process.env.ROUTECODEX_CAMOUFOX_QWEN_CLICK_RETRY_DELAY_MS, 350);
+    // Try direct confirm first; if not present, fall back to Google entry button.
+    await clickCamoTarget(options.actionContext, CAMO_CLICK_TARGETS.qwenAuthorizeConfirm, {
+        retries: retryCount,
+        retryDelayMs,
+        required: false
+    });
+    await clickCamoTarget(options.actionContext, CAMO_CLICK_TARGETS.qwenGoogleContinue, {
+        retries: retryCount,
+        retryDelayMs,
+        required: false
+    });
+    return true;
+}
+async function maybeAdvanceIflowAccountSelection(options) {
+    const provider = String(options.provider || '').trim().toLowerCase();
+    if (provider !== 'iflow') {
+        return true;
+    }
+    const autoMode = String(process.env.ROUTECODEX_CAMOUFOX_AUTO_MODE || '').trim().toLowerCase();
+    const autoModeEnabled = autoMode === 'iflow';
+    if (!autoModeEnabled) {
+        return true;
+    }
+    let activeUrl = getActiveCamoPageUrl(options.actionContext);
+    if (activeUrl && !isIflowOAuthUrl(activeUrl) && isTokenPortalUrl(activeUrl)) {
+        const settleTimeoutMs = parsePositiveInt(process.env.ROUTECODEX_CAMOUFOX_IFLOW_OAUTH_SETTLE_MS, 7000);
+        const pollIntervalMs = parsePositiveInt(process.env.ROUTECODEX_CAMOUFOX_IFLOW_OAUTH_POLL_MS, 250);
+        const waited = await waitForIflowOAuthPage({
+            actionContext: options.actionContext,
+            settleTimeoutMs,
+            pollIntervalMs
+        });
+        if (!waited) {
+            logOAuthDebug(`[OAuth] camo-cli iflow account advance skipped (iflow oauth page not ready): ${activeUrl || 'n/a'}`);
+            return true;
+        }
+        activeUrl = waited;
+    }
+    if (!activeUrl || !isIflowOAuthUrl(activeUrl)) {
+        return true;
+    }
+    logOAuthDebug(`[OAuth] camo-cli iflow oauth page ready: ${activeUrl}`);
+    const retryCount = parsePositiveInt(process.env.ROUTECODEX_CAMOUFOX_IFLOW_ACCOUNT_CLICK_RETRIES, autoModeEnabled ? 6 : 2);
+    const retryDelayMs = parsePositiveInt(process.env.ROUTECODEX_CAMOUFOX_IFLOW_ACCOUNT_CLICK_RETRY_DELAY_MS, 400);
+    return clickCamoTarget(options.actionContext, CAMO_CLICK_TARGETS.iflowAccountSelect, {
+        retries: retryCount,
+        retryDelayMs,
+        required: autoModeEnabled
+    });
+}
+async function waitForGoogleAuthPage(options) {
+    const timeoutMs = options.settleTimeoutMs > 0 ? options.settleTimeoutMs : 7000;
+    const intervalMs = options.pollIntervalMs > 0 ? options.pollIntervalMs : 250;
+    const deadline = Date.now() + timeoutMs;
+    let lastUrl = null;
+    while (Date.now() <= deadline) {
+        const activeUrl = getActiveCamoPageUrl(options.actionContext);
+        if (activeUrl) {
+            lastUrl = activeUrl;
+            if (isGoogleAuthUrl(activeUrl)) {
+                return activeUrl;
+            }
+        }
+        await new Promise((resolve) => setTimeout(resolve, intervalMs));
+    }
+    return isGoogleAuthUrl(lastUrl || '') ? lastUrl : null;
+}
+async function waitForGoogleSignInPrompt(options) {
+    const timeoutMs = options.settleTimeoutMs > 0 ? options.settleTimeoutMs : 12_000;
+    const intervalMs = options.pollIntervalMs > 0 ? options.pollIntervalMs : 400;
+    const deadline = Date.now() + timeoutMs;
+    let lastUrl = null;
+    while (Date.now() <= deadline) {
+        const activeUrl = getActiveCamoPageUrl(options.actionContext);
+        if (activeUrl) {
+            lastUrl = activeUrl;
+            if (!isGoogleAuthUrl(activeUrl)) {
+                return { activeUrl, promptDetected: false };
+            }
+            if (hasCamoGoogleSignInPrompt(options.actionContext)) {
+                return { activeUrl, promptDetected: true };
+            }
+        }
+        await new Promise((resolve) => setTimeout(resolve, intervalMs));
+    }
+    return {
+        activeUrl: lastUrl,
+        promptDetected: !!lastUrl && isGoogleAuthUrl(lastUrl) && hasCamoGoogleSignInPrompt(options.actionContext)
+    };
+}
+async function maybeAdvanceGoogleAuth(options) {
+    const provider = String(options.provider || '').trim().toLowerCase();
+    if (provider !== 'gemini-cli' && provider !== 'antigravity' && provider !== 'qwen') {
+        return true;
+    }
+    const autoMode = String(process.env.ROUTECODEX_CAMOUFOX_AUTO_MODE || '').trim().toLowerCase();
+    const autoModeEnabled = autoMode === 'gemini' || autoMode === 'antigravity' || autoMode === 'qwen';
+    if (!autoModeEnabled) {
+        return true;
+    }
+    let activeUrl = getActiveCamoPageUrl(options.actionContext);
+    const needsGooglePageWait = !!activeUrl && !isGoogleAuthUrl(activeUrl) && (isQwenAuthorizeUrl(activeUrl) || isTokenPortalUrl(activeUrl));
+    if (needsGooglePageWait) {
+        const settleTimeoutMs = parsePositiveInt(process.env.ROUTECODEX_CAMOUFOX_GOOGLE_OAUTH_SETTLE_MS, 7000);
+        const pollIntervalMs = parsePositiveInt(process.env.ROUTECODEX_CAMOUFOX_GOOGLE_OAUTH_POLL_MS, 250);
+        activeUrl = await waitForGoogleAuthPage({
+            actionContext: options.actionContext,
+            settleTimeoutMs,
+            pollIntervalMs
+        });
+    }
+    if (!activeUrl || !isGoogleAuthUrl(activeUrl)) {
+        return true;
+    }
+    const retryCount = parsePositiveInt(process.env.ROUTECODEX_CAMOUFOX_GOOGLE_CLICK_RETRIES, autoModeEnabled ? 4 : 2);
+    const retryDelayMs = parsePositiveInt(process.env.ROUTECODEX_CAMOUFOX_GOOGLE_CLICK_RETRY_DELAY_MS, 350);
+    const signInRetryCount = parsePositiveInt(process.env.ROUTECODEX_CAMOUFOX_GOOGLE_SIGNIN_RETRIES, autoModeEnabled ? 12 : retryCount);
+    const signInRetryDelayMs = parsePositiveInt(process.env.ROUTECODEX_CAMOUFOX_GOOGLE_SIGNIN_RETRY_DELAY_MS, autoModeEnabled ? 500 : retryDelayMs);
+    const accountHint = String(process.env.ROUTECODEX_CAMOUFOX_ACCOUNT_TEXT ||
+        process.env.RCC_CAMOUFOX_ACCOUNT_TEXT ||
+        options.alias ||
+        '').trim();
+    const hasEmailHint = accountHint.includes('@');
+    if (accountHint) {
+        const hintClicked = await clickCamoGoogleAccountByHint(options.actionContext, accountHint, {
+            retries: retryCount,
+            retryDelayMs,
+            required: autoModeEnabled && hasEmailHint
+        });
+        if (!hintClicked) {
+            return false;
         }
-        logOAuthDebug('[OAuth] Camoufox: launcher script not resolved; falling back to default browser');
+    }
+    // If we matched a concrete email hint, do not run generic account fallback.
+    if (!hasEmailHint) {
+        const accountFallbackClicked = await clickCamoTarget(options.actionContext, CAMO_CLICK_TARGETS.googleAccountSelect, {
+            retries: retryCount,
+            retryDelayMs,
+            required: autoModeEnabled
+        });
+        if (!accountFallbackClicked) {
+            return false;
+        }
+    }
+    const signInUrl = getActiveCamoPageUrl(options.actionContext);
+    if (!signInUrl) {
+        logOAuthDebug('[OAuth] camo-cli google sign-in step failed: active page unavailable (session may be closed)');
         return false;
     }
+    if (!isGoogleAuthUrl(signInUrl)) {
+        logOAuthDebug(`[OAuth] camo-cli google sign-in step skipped (active page is non-google): ${signInUrl || 'n/a'}`);
+        return true;
+    }
+    const strictRequired = provider === 'gemini-cli' || provider === 'antigravity';
+    const signInSettleMs = parsePositiveInt(process.env.ROUTECODEX_CAMOUFOX_GOOGLE_SIGNIN_SETTLE_MS, strictRequired ? 16_000 : 8_000);
+    const signInPollMs = parsePositiveInt(process.env.ROUTECODEX_CAMOUFOX_GOOGLE_SIGNIN_POLL_MS, 400);
+    const signInProbe = await waitForGoogleSignInPrompt({
+        actionContext: options.actionContext,
+        settleTimeoutMs: signInSettleMs,
+        pollIntervalMs: signInPollMs
+    });
+    if (signInProbe.promptDetected) {
+        const signInClicked = await clickCamoGoogleSignInBySelector(options.actionContext, {
+            retries: signInRetryCount,
+            retryDelayMs: signInRetryDelayMs,
+            required: true
+        });
+        if (!signInClicked) {
+            return false;
+        }
+    }
+    else if (strictRequired && signInProbe.activeUrl && isGoogleAuthUrl(signInProbe.activeUrl)) {
+        logOAuthDebug(`[OAuth] camo-cli google sign-in prompt not observed on strict provider=${provider} url=${signInProbe.activeUrl}`);
+        return false;
+    }
+    return true;
+}
+async function waitForTokenPortalPage(options) {
+    const timeoutMs = options.settleTimeoutMs > 0 ? options.settleTimeoutMs : 4000;
+    const intervalMs = options.pollIntervalMs > 0 ? options.pollIntervalMs : 250;
+    const deadline = Date.now() + timeoutMs;
+    while (Date.now() <= deadline) {
+        const activeUrl = getActiveCamoPageUrl(options.actionContext);
+        if (activeUrl && isTokenPortalUrl(activeUrl)) {
+            return true;
+        }
+        await new Promise((resolve) => setTimeout(resolve, intervalMs));
+    }
+    return false;
+}
+async function waitForIflowOAuthPage(options) {
+    const timeoutMs = options.settleTimeoutMs > 0 ? options.settleTimeoutMs : 7000;
+    const intervalMs = options.pollIntervalMs > 0 ? options.pollIntervalMs : 250;
+    const deadline = Date.now() + timeoutMs;
+    let lastUrl = null;
+    while (Date.now() <= deadline) {
+        const activeUrl = getActiveCamoPageUrl(options.actionContext);
+        if (activeUrl) {
+            lastUrl = activeUrl;
+            if (isIflowOAuthUrl(activeUrl)) {
+                return activeUrl;
+            }
+        }
+        await new Promise((resolve) => setTimeout(resolve, intervalMs));
+    }
+    return isIflowOAuthUrl(lastUrl || '') ? lastUrl : null;
+}
+export async function openAuthInCamoufox(options) {
+    setCamoufoxLaunchFailureReason(null);
+    logOAuthDebug(`[OAuth] Camoufox: launch requested url=${options.url} provider=${options.provider ?? ''} alias=${options.alias ?? ''}`);
     const url = options.url;
     if (!url || typeof url !== 'string') {
         logOAuthDebug('[OAuth] Camoufox: invalid or empty URL; falling back to default browser');
+        setCamoufoxLaunchFailureReason('invalid_launch_url');
         return false;
     }
     const launchUrl = applyGoogleLocaleHint(url);
-    const profileId = options.profileId && options.profileId.trim().length > 0
+    const derivedProfileId = buildProfileId(options.provider, options.alias);
+    const explicitProfileId = options.profileId && options.profileId.trim().length > 0
         ? options.profileId.trim()
-        : buildProfileId(options.provider, options.alias);
-    // Ensure profile directory exists ahead of launch so that fingerprint/profile data can be persisted per token.
-    ensureCamoufoxProfileDir(options.provider, options.alias);
-    // --- Safety guard: Google OAuth pages must be readable.
-    // Some Camoufox fingerprints (notably "windows" fonts) can render Google pages as garbled digits
-    // on macOS hosts. Auto-repair by re-generating the fingerprint using macos policy for this profileId.
-    try {
-        const autoRepairRaw = String(process.env.ROUTECODEX_CAMOUFOX_AUTO_REPAIR_OS_MISMATCH ||
-            process.env.RCC_CAMOUFOX_AUTO_REPAIR_OS_MISMATCH ||
-            '1')
-            .trim()
-            .toLowerCase();
-        const autoRepairEnabled = autoRepairRaw !== '0' && autoRepairRaw !== 'false' && autoRepairRaw !== 'no';
-        const family = getProviderFamily(options.provider);
-        const isGoogleFlow = family === 'gemini';
-        if (autoRepairEnabled && isGoogleFlow && process.platform === 'darwin') {
-            const fpPath = getFingerprintPath(profileId);
-            const existingEnv = loadFingerprintEnv(profileId);
-            const rawCfg = existingEnv?.CAMOU_CONFIG_1;
-            if (rawCfg) {
-                try {
-                    const cfg = JSON.parse(rawCfg);
-                    const platform = typeof cfg['navigator.platform'] === 'string' ? String(cfg['navigator.platform']) : '';
-                    const wantsRepair = platform.toLowerCase() === 'win32';
-                    if (wantsRepair) {
-                        const backupPath = `${fpPath}.bak.${Date.now()}`;
-                        console.warn(`[OAuth] Camoufox fingerprint OS mismatch (host=macos, fp=${platform}). ` +
-                            `Repairing to macos fingerprint for profileId=${profileId} (backup=${backupPath}).`);
-                        try {
-                            fs.renameSync(fpPath, backupPath);
-                        }
-                        catch {
-                            // If backup fails, do not delete/overwrite; just continue with existing fingerprint.
-                            console.warn('[OAuth] Camoufox fingerprint repair skipped (backup failed).');
-                        }
-                        const prevForcedOs = process.env.ROUTECODEX_CAMOUFOX_FORCE_OS;
-                        process.env.ROUTECODEX_CAMOUFOX_FORCE_OS = 'macos';
-                        try {
-                            // Re-generate fingerprint file for this profileId (best-effort).
-                            void ensureFingerprintEnv(profileId, options.provider, options.alias);
-                        }
-                        finally {
-                            if (prevForcedOs === undefined) {
-                                delete process.env.ROUTECODEX_CAMOUFOX_FORCE_OS;
-                            }
-                            else {
-                                process.env.ROUTECODEX_CAMOUFOX_FORCE_OS = prevForcedOs;
-                            }
-                        }
-                    }
-                }
-                catch {
-                    // ignore parse errors
-                }
-            }
-        }
+        : '';
+    const hasProviderAlias = String(options.provider || '').trim().length > 0 || String(options.alias || '').trim().length > 0;
+    const profileId = hasProviderAlias
+        ? derivedProfileId
+        : (explicitProfileId || derivedProfileId);
+    if (hasProviderAlias && explicitProfileId && explicitProfileId !== derivedProfileId) {
+        logOAuthDebug(`[OAuth] Camoufox profile override ignored: explicit=${explicitProfileId} derived=${derivedProfileId}`);
     }
-    catch {
-        // guardrail must never block OAuth
+    // Ensure profile directory exists ahead of launch so that fingerprint/profile data can be persisted per token.
+    const profileDir = ensureCamoufoxProfileDir(options.provider, options.alias);
+    const profileRoot = getProfileRoot();
+    const fingerprintRoot = getFingerprintRoot();
+    if (!shouldPreferCamoCliForOAuth(options.provider)) {
+        logOAuthDebug('[OAuth] camo-cli launch skipped (provider disabled)');
+        setCamoufoxLaunchFailureReason('provider_disabled');
+        return false;
     }
-    const rawFingerprintEnv = ensureFingerprintEnv(profileId, options.provider, options.alias);
-    const fingerprintEnv = sanitizeCamouConfigForOAuth(options.provider, rawFingerprintEnv);
-    const localeEnv = resolveCamoufoxLocaleEnv();
+    const devMode = String(process.env.ROUTECODEX_CAMOUFOX_DEV_MODE || '').trim().toLowerCase();
+    const headless = !(devMode === '1' || devMode === 'true' || devMode === 'yes' || devMode === 'on');
+    const camoCommand = resolveCamoCliCommand();
     try {
-        const autoMode = (process.env.ROUTECODEX_CAMOUFOX_AUTO_MODE || '').trim();
-        const devMode = (process.env.ROUTECODEX_CAMOUFOX_DEV_MODE || '').trim();
-        console.log(`[OAuth] Camoufox launcher spawn: profileId=${profileId} autoMode=${autoMode || '-'} devMode=${devMode || '0'}`);
-        logOAuthDebug(`[OAuth] Camoufox: spawning launcher script=${scriptPath} profileId=${profileId}`);
-        const args = [scriptPath, '--profile', profileId, '--url', launchUrl];
-        if (autoMode) {
-            args.push('--auto-mode', autoMode);
-        }
-        const child = spawn(process.execPath, args, {
-            detached: false,
-            stdio: 'inherit',
-            env: {
-                ...process.env,
-                ...fingerprintEnv,
-                ...localeEnv,
-                BROWSER_PROFILE_ID: profileId,
-                BROWSER_INITIAL_URL: launchUrl
+        console.log(`[OAuth] Camoufox launcher spawn via camo-cli: profileId=${profileId} headless=${headless ? '1' : '0'}`);
+        const fingerprintEnvRaw = ensureFingerprintEnv(profileId, options.provider, options.alias);
+        const fingerprintEnv = sanitizeCamouConfigForOAuth(options.provider, fingerprintEnvRaw);
+        const localeEnv = resolveCamoufoxLocaleEnv();
+        const sharedEnv = {
+            ...process.env,
+            ...localeEnv,
+            ...fingerprintEnv,
+            WEBAUTO_PATHS_PROFILES: profileRoot,
+            WEBAUTO_PATHS_FINGERPRINTS: fingerprintRoot,
+            BROWSER_PROFILE_ID: profileId,
+            BROWSER_PROFILE_DIR: profileDir,
+            BROWSER_INITIAL_URL: launchUrl
+        };
+        const actionContext = {
+            camoCommand,
+            profileId,
+            env: sharedEnv
+        };
+        if (!ensureCamoProfile(actionContext)) {
+            setCamoufoxLaunchFailureReason('profile_create_failed');
+            return false;
+        }
+        // camo currently resolves session routing by default profile in some paths.
+        if (!setDefaultCamoProfile(actionContext)) {
+            setCamoufoxLaunchFailureReason('profile_default_set_failed');
+            return false;
+        }
+        if (!startCamoSession(actionContext, headless)) {
+            setCamoufoxLaunchFailureReason('session_start_failed');
+            return false;
+        }
+        // Ensure we always navigate to the requested URL even when the session already exists.
+        let effectiveLaunchUrl = launchUrl;
+        let gotoOk = gotoCamoUrl(actionContext, effectiveLaunchUrl);
+        if (!gotoOk) {
+            const isPortalLaunch = isTokenPortalUrl(launchUrl);
+            if (!headless) {
+                logOAuthDebug('[OAuth] camo-cli goto returned non-zero in headful mode; keep session for manual portal/open-url continuation');
+                gotoOk = true;
             }
-        });
-        registerLauncher(child);
-        // If the launcher exits immediately with a non-zero code (missing python/camoufox/etc),
-        // report failure so the caller can fall back to the system browser.
-        const quickCheckMs = 800;
-        const ok = await new Promise((resolve) => {
-            let settled = false;
-            const settle = (value) => {
-                if (settled) {
-                    return;
+            if (isPortalLaunch) {
+                const settleTimeoutMs = parsePositiveInt(process.env.ROUTECODEX_CAMOUFOX_PORTAL_GOTO_SETTLE_MS, 4000);
+                const pollIntervalMs = parsePositiveInt(process.env.ROUTECODEX_CAMOUFOX_PORTAL_GOTO_POLL_MS, 250);
+                const portalSettled = await waitForTokenPortalPage({
+                    actionContext,
+                    settleTimeoutMs,
+                    pollIntervalMs
+                });
+                if (portalSettled) {
+                    logOAuthDebug('[OAuth] camo-cli portal goto returned non-zero but active page settled to portal; continue with portal flow');
+                    gotoOk = true;
                 }
-                settled = true;
-                clearTimeout(timer);
-                resolve(value);
-            };
-            const timer = setTimeout(() => settle(true), quickCheckMs);
-            if (typeof timer.unref === 'function') {
-                timer.unref();
             }
-            child.once('error', () => settle(false));
-            child.once('exit', (code) => {
-                if (typeof code === 'number' && code !== 0) {
-                    settle(false);
-                }
-                else {
-                    settle(true);
+            if (!gotoOk) {
+                const fallbackOauthUrl = resolvePortalOauthUrl(launchUrl);
+                if (fallbackOauthUrl && headless) {
+                    logOAuthDebug(`[OAuth] camo-cli portal goto failed; fallback to direct oauthUrl=${fallbackOauthUrl}`);
+                    effectiveLaunchUrl = fallbackOauthUrl;
+                    gotoOk = gotoCamoUrl(actionContext, effectiveLaunchUrl);
                 }
-            });
-        });
-        if (!ok) {
-            try {
-                console.warn('[OAuth] Camoufox launcher exited early; falling back to system browser.');
-            }
-            catch {
-                // ignore
             }
         }
-        // Do not keep the parent process alive solely for the launcher; interactive flows
-        // will keep running due to the callback server anyway. Cleanup will terminate it.
-        child.unref();
-        return ok;
+        if (!gotoOk) {
+            setCamoufoxLaunchFailureReason('goto_failed');
+            return false;
+        }
+        const portalAdvanced = await maybeAdvanceTokenPortal({
+            launchUrl,
+            actionContext
+        });
+        if (!portalAdvanced) {
+            setCamoufoxLaunchFailureReason('element_not_found:token_portal_continue');
+            return false;
+        }
+        const iflowAdvanced = await maybeAdvanceIflowAccountSelection({
+            provider: options.provider,
+            actionContext
+        });
+        if (!iflowAdvanced) {
+            setCamoufoxLaunchFailureReason('element_not_found:iflow_account_select');
+            return false;
+        }
+        const qwenAdvanced = await maybeAdvanceQwenAuthorization({
+            provider: options.provider,
+            actionContext
+        });
+        if (!qwenAdvanced) {
+            setCamoufoxLaunchFailureReason('element_not_found:qwen_authorization');
+            return false;
+        }
+        const googleAdvanced = await maybeAdvanceGoogleAuth({
+            provider: options.provider,
+            alias: options.alias,
+            actionContext
+        });
+        if (!googleAdvanced) {
+            setCamoufoxLaunchFailureReason('element_not_found:google_auth_step');
+            return false;
+        }
+        setCamoufoxLaunchFailureReason(null);
+        return true;
     }
     catch (error) {
-        logOAuthDebug(`[OAuth] Camoufox: failed to spawn launcher - ${error instanceof Error ? error.message : String(error)}`);
+        setCamoufoxLaunchFailureReason(`exception:${error instanceof Error ? error.message : String(error)}`);
+        logOAuthDebug(`[OAuth] camo-cli launch failed - ${error instanceof Error ? error.message : String(error)}`);
         return false;
     }
 }