npm - @jsonstudio/rcc - Versions diffs - 0.90.872 → 0.90.1270 - Mend

@jsonstudio/rcc 0.90.872 → 0.90.1270

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (837) hide show

package/dist/providers/auth/oauth-lifecycle.js CHANGED Viewed

@@ -5,8 +5,7 @@ import fsSync from 'fs';
 import path from 'path';
 import os from 'os';
 import { spawnSync } from 'node:child_process';
-import { fetchIFlowUserInfo, mergeIFlowTokenData } from './iflow-userinfo-helper.js';
-import { fetchQwenUserInfo, mergeQwenTokenData } from './qwen-userinfo-helper.js';
+import { fetchQwenUserInfo, mergeQwenTokenData, validateQwenAccessToken } from './qwen-userinfo-helper.js';
 import { fetchGeminiCLIUserInfo, fetchGeminiCLIProjects, mergeGeminiCLITokenData, getDefaultProjectId } from './gemini-cli-userinfo-helper.js';
 import { parseTokenSequenceFromPath } from './token-scanner/index.js';
 import { logOAuthDebug } from './oauth-logger.js';
@@ -22,12 +21,19 @@ import { extractStatusCode, isGoogleAccountVerificationRequiredMessage, extractG
 import { hasNonEmptyString, extractAccessToken, extractApiKey, hasApiKeyField, hasStableQwenApiKey, hasAccessToken, getExpiresAt, resolveProjectId, coerceExpiryTimestampSeconds, hasNoRefreshFlag, evaluateTokenState } from './oauth-lifecycle/token-helpers.js';
 import { normalizeGeminiCliAccountToken, sanitizeToken, readTokenFromFile, backupTokenFile, restoreTokenFileFromBackup, discardBackupFile, clearTokenFile, readRawTokenFile } from './oauth-lifecycle/token-io.js';
 import { resolveRccAuthDir } from '../../config/user-data-paths.js';
+import { isPermanentOAuthRefreshErrorMessage } from '../core/strategies/oauth-refresh-errors.js';
 const OAUTH_INTERACTIVE_LOCK_FILE = path.join(resolveRccAuthDir(), '.oauth-interactive.lock.json');
-const IFLOW_AUTO_FAILURE_FILE = path.join(resolveRccAuthDir(), '.iflow-auto-failures.json');
 const OAUTH_THROTTLE_WINDOW_MS = 60_000;
-const IFLOW_REFRESH_FAILURE_BACKOFF_MS = 5 * 60_000;
 const TOKEN_REFRESH_SKEW_MS = 60_000;
-function logOAuthLifecycleNonBlockingError(operation, error, details, options) {
+function logOAuthLifecycleNonBlocking(operation, error, details, options) {
+    const throttleKey = options?.throttleKey;
+    if (throttleKey) {
+        const throttleMs = options?.throttleMs ?? OAUTH_THROTTLE_WINDOW_MS;
+        if (shouldThrottle(throttleKey, throttleMs)) {
+            return;
+        }
+        updateThrottle(throttleKey);
+    }
     const reason = error instanceof Error ? error.message : String(error);
     const detailPairs = Object.entries(details || {})
         .map(([key, value]) => `${key}=${String(value)}`)
@@ -62,7 +68,7 @@ async function openGoogleAccountVerificationInCamoufox(args) {
         }
     }
     catch (error) {
-        logOAuthLifecycleNonBlockingError('openGoogleAccountVerificationInCamoufox', error, { providerType, alias, url }, { warn: true });
+        logOAuthLifecycleNonBlocking('openGoogleAccountVerificationInCamoufox', error, { providerType, alias, url }, { warn: true });
     }
     finally {
         if (prevBrowser === undefined) {
@@ -91,53 +97,143 @@ async function openGoogleAccountVerificationInCamoufox(args) {
         }
     }
 }
-function isIflowRefreshEndpointRejectionMessage(message) {
-    const normalized = (message || '').toLowerCase();
-    if (!normalized) {
-        return false;
+async function maybeMarkTokenFileNoRefresh(filePath) {
+    if (!filePath) {
+        return;
+    }
+    try {
+        const parsed = await readRawTokenFile(filePath);
+        if (!parsed || typeof parsed !== 'object') {
+            return;
+        }
+        const token = sanitizeToken(parsed);
+        const providerType = inferProviderTypeFromTokenFilePath(token, filePath);
+        if (providerType === 'qwen' && !hasStableQwenApiKey(token)) {
+            return;
+        }
+        const current = parsed.norefresh ??
+            parsed.noRefresh;
+        if (current === true ||
+            current === 'true' ||
+            current === '1' ||
+            current === 'yes') {
+            return;
+        }
+        const next = {
+            ...parsed,
+            norefresh: true,
+            noRefresh: true
+        };
+        await fs.writeFile(filePath, JSON.stringify(next, null, 2) + '\n', {
+            mode: 0o600
+        });
+    }
+    catch (error) {
+        logOAuthLifecycleNonBlocking('maybeMarkTokenFileNoRefresh', error, { filePath });
     }
-    return (normalized.includes('oauth token endpoint rejected request') ||
-        (normalized.includes('token refresh failed') && normalized.includes('iflow.cn/oauth/token')));
 }
-function isIflowAkBlockedMessage(message) {
-    const normalized = (message || '').toLowerCase();
-    if (!normalized) {
+async function hasTokenFileNoRefresh(filePath) {
+    if (!filePath) {
         return false;
     }
-    return normalized.includes('access to the current ak has been blocked due to unauthorized requests');
-}
-function shouldClearIflowTokenOnRefreshFailure(message) {
-    const normalized = (message || '').toLowerCase();
-    if (!normalized) {
+    const parsed = await readRawTokenFile(filePath);
+    const token = sanitizeToken(parsed);
+    const providerType = inferProviderTypeFromTokenFilePath(token, filePath);
+    const direct = parsed?.norefresh ??
+        parsed?.noRefresh;
+    const flagged = typeof direct === 'boolean'
+        ? direct
+        : typeof direct === 'string'
+            ? ['1', 'true', 'yes'].includes(direct.trim().toLowerCase())
+            : false;
+    if (!flagged) {
         return false;
     }
-    if (isIflowAkBlockedMessage(normalized)) {
+    if (providerType === 'qwen') {
+        return hasStableQwenApiKey(token);
+    }
+    return true;
+}
+function shouldHonorNoRefresh(providerType, token) {
+    if (!hasNoRefreshFlag(token)) {
         return false;
     }
-    if (normalized.includes('oauth error: invalid_grant')) {
-        return true;
+    return providerType.trim().toLowerCase() === 'qwen' ? hasStableQwenApiKey(token) : true;
+}
+function inferProviderTypeFromTokenFilePath(token, tokenFilePath) {
+    const fromToken = token && typeof token.type === 'string'
+        ? String(token.type).trim().toLowerCase()
+        : '';
+    if (fromToken) {
+        return fromToken;
     }
-    if (normalized.includes('oauth error: invalid_client')) {
-        return true;
+    const base = path.basename(String(tokenFilePath || '').trim()).toLowerCase();
+    if (base.startsWith('qwen-')) {
+        return 'qwen';
     }
-    if (normalized.includes('oauth error: unauthorized_client')) {
-        return true;
+    if (base.startsWith('gemini-')) {
+        return 'gemini';
     }
-    if (normalized.includes('oauth error: invalid_request') &&
-        (normalized.includes('refresh token') ||
-            normalized.includes('refresh_token') ||
-            normalized.includes('client_id'))) {
-        return true;
+    if (base.startsWith('antigravity-')) {
+        return 'antigravity';
     }
-    return false;
+    return '';
 }
-function applyRefreshFailureBackoff(cacheKey, providerType, message) {
-    if (providerType !== 'iflow' || !isIflowRefreshEndpointRejectionMessage(message)) {
-        return;
+function isQwenDefaultAliasTokenFile(providerType, tokenFilePath) {
+    if (providerType.trim().toLowerCase() !== 'qwen') {
+        return false;
+    }
+    const alias = resolveTokenAliasFromPath(tokenFilePath) ?? 'default';
+    return alias.trim().toLowerCase() === 'default';
+}
+function resolveOfficialQwenCodeTokenFile() {
+    const homeDir = String(process.env.HOME || '').trim() || os.homedir();
+    return path.join(homeDir, '.qwen', 'oauth_creds.json');
+}
+function extractRefreshTokenString(token) {
+    const value = token?.refresh_token;
+    return typeof value === 'string' ? value.trim() : '';
+}
+async function maybeAdoptOfficialQwenCodeToken(args) {
+    if (!isQwenDefaultAliasTokenFile(args.providerType, args.tokenFilePath)) {
+        return null;
+    }
+    const officialTokenFile = resolveOfficialQwenCodeTokenFile();
+    if (!officialTokenFile || officialTokenFile === args.tokenFilePath) {
+        return null;
     }
-    // For iFlow refresh endpoint 500/generic failures, avoid hammering token endpoint
-    // from preflight/retry loops. Keep a longer cooldown before next refresh attempt.
-    lastRunAt.set(cacheKey, Date.now() + IFLOW_REFRESH_FAILURE_BACKOFF_MS - OAUTH_THROTTLE_WINDOW_MS);
+    const officialRaw = await readRawTokenFile(officialTokenFile);
+    const officialToken = sanitizeToken(officialRaw);
+    if (!officialToken) {
+        return null;
+    }
+    const officialAccessToken = extractAccessToken(officialToken);
+    const officialRefreshToken = extractRefreshTokenString(officialToken);
+    if (!officialAccessToken && !officialRefreshToken) {
+        return null;
+    }
+    const currentAccessToken = extractAccessToken(args.currentToken);
+    const currentRefreshToken = extractRefreshTokenString(args.currentToken);
+    if (currentAccessToken === officialAccessToken &&
+        currentRefreshToken === officialRefreshToken) {
+        return args.currentToken ?? officialToken;
+    }
+    if (!args.force && args.currentToken) {
+        return null;
+    }
+    const prepared = await prepareTokenForStorage(args.providerType, args.tokenFilePath, officialRaw ?? officialToken);
+    if (typeof args.strategy.saveToken === 'function') {
+        await args.strategy.saveToken(prepared);
+    }
+    else {
+        await fs.writeFile(args.tokenFilePath, JSON.stringify(prepared, null, 2) + '\n', {
+            mode: 0o600
+        });
+    }
+    logOAuthDebug(`[OAuth] Qwen default: adopted official qwen code token ${officialTokenFile} -> ${args.tokenFilePath}`);
+    return sanitizeToken(prepared) ?? officialToken;
+}
+function applyRefreshFailureBackoff(_cacheKey, _providerType, _message) {
 }
 function isElementMissingAutomationFailure(message) {
     const normalized = String(message || '').toLowerCase();
@@ -148,6 +244,10 @@ function isElementMissingAutomationFailure(message) {
         normalized.includes('element_not_found') ||
         normalized.includes('required but not matched'));
 }
+function isAutoOAuthDisabledProvider(providerType) {
+    const normalized = String(providerType || '').trim().toLowerCase();
+    return normalized === 'qwen';
+}
 async function runInteractiveRepairWithAutoFallback(args) {
     const { providerType, auth, ensureValid, opts } = args;
     const autoModeAtStart = String(process.env.ROUTECODEX_CAMOUFOX_AUTO_MODE || '').trim();
@@ -159,6 +259,7 @@ async function runInteractiveRepairWithAutoFallback(args) {
         if (!autoModeAtStart) {
             throw error;
         }
+        const normalizedProviderType = String(providerType || '').trim().toLowerCase();
         const msg = error instanceof Error ? error.message : String(error || '');
         const selectorFailure = isElementMissingAutomationFailure(msg);
         let tokenFilePath = '';
@@ -166,12 +267,16 @@ async function runInteractiveRepairWithAutoFallback(args) {
             tokenFilePath = resolveTokenFilePath(auth, providerType);
         }
         catch (error) {
-            logOAuthLifecycleNonBlockingError('runInteractiveRepairWithAutoFallback.resolveTokenFilePath', error, { providerType });
+            logOAuthLifecycleNonBlocking('runInteractiveRepairWithAutoFallback.resolveTokenFilePath', error, { providerType });
             tokenFilePath = '';
         }
         if (tokenFilePath) {
             closeOAuthAuthResources(providerType, tokenFilePath);
         }
+        if (isAutoOAuthDisabledProvider(normalizedProviderType)) {
+            console.warn(`[OAuth] Camoufox auto OAuth failed (${providerType}, autoMode=${autoModeAtStart}): ${msg}. Auto OAuth is disabled for this provider; manual re-auth is required.`);
+            throw error;
+        }
         console.warn(`[OAuth] Camoufox auto OAuth failed (${providerType}, autoMode=${autoModeAtStart}): ${msg}. Falling back to headful manual mode once.`);
         if (selectorFailure) {
             console.warn(`[OAuth] Camoufox auto selector step failed; switched to headful manual mode (provider=${providerType}${tokenFilePath ? ` tokenFile=${tokenFilePath}` : ''}).`);
@@ -326,17 +431,66 @@ async function prepareTokenForStorage(providerType, tokenFilePath, tokenData) {
     if (isGeminiCliFamily(providerType)) {
         return await wrapGeminiCliTokenForStorage(tokenData, tokenFilePath);
     }
-    if (providerType === 'iflow') {
+    if (providerType === 'qwen') {
+        const rawExisting = await readRawTokenFile(tokenFilePath);
+        const existing = rawExisting && typeof rawExisting === 'object' ? rawExisting : null;
+        const resolvedAlias = resolveTokenAliasFromPath(tokenFilePath);
         const token = sanitizeToken(tokenData) ?? tokenData;
         const expiresAt = getExpiresAt(token);
-        if (typeof expiresAt === 'number' && Number.isFinite(expiresAt)) {
-            const expiresAtMs = expiresAt > 10_000_000_000 ? Math.floor(expiresAt) : Math.floor(expiresAt * 1000);
-            return {
-                ...tokenData,
-                expires_at: expiresAtMs,
-                expired: new Date(expiresAtMs).toISOString()
-            };
-        }
+        const expiresInRaw = token.expires_in;
+        const expiresIn = typeof expiresInRaw === 'number' && Number.isFinite(expiresInRaw)
+            ? expiresInRaw
+            : (expiresAt && expiresAt > 10_000_000_000
+                ? Math.max(1, Math.floor((expiresAt - Date.now()) / 1000))
+                : 21600);
+        const { resource_url: _dropLegacyResourceUrl, resourceUrl: _dropLegacyResourceUrlCamel, norefresh: _dropLegacyNoRefresh, noRefresh: _dropLegacyNoRefreshCamel, api_key: _dropLegacyApiKey, apiKey: _dropLegacyApiKeyCamel, ...existingWithoutLegacyQwenFields } = existing || {};
+        const { resource_url: _dropIncomingResourceUrl, resourceUrl: _dropIncomingResourceUrlCamel, norefresh: _dropIncomingNoRefresh, noRefresh: _dropIncomingNoRefreshCamel, api_key: _dropIncomingApiKey, apiKey: _dropIncomingApiKeyCamel, ...tokenDataWithoutLegacyQwenFields } = tokenData;
+        const rawResourceUrl = typeof tokenData.resource_url === 'string' &&
+            String(tokenData.resource_url).trim()
+            ? String(tokenData.resource_url).trim()
+            : typeof tokenData.resourceUrl === 'string' &&
+                String(tokenData.resourceUrl).trim()
+                ? String(tokenData.resourceUrl).trim()
+                : undefined;
+        const resourceUrl = (() => {
+            if (!rawResourceUrl) {
+                return undefined;
+            }
+            let normalized = rawResourceUrl;
+            if (!/^https?:\/\//i.test(normalized)) {
+                normalized = `https://${normalized}`;
+            }
+            normalized = normalized.replace(/\/+$/, '');
+            try {
+                const parsed = new URL(normalized);
+                const host = parsed.hostname.trim().toLowerCase();
+                const pathname = parsed.pathname.replace(/\/+$/, '');
+                const isOfficialQwenCodeHost = host === 'portal.qwen.ai' || host === 'chat.qwen.ai';
+                const isDashscopeCompatibleHost = host === 'dashscope.aliyuncs.com' && /^\/compatible-mode(?:\/v1)?$/i.test(pathname);
+                if (isOfficialQwenCodeHost && (!pathname || pathname === '/v1')) {
+                    return parsed.origin;
+                }
+                if (!isDashscopeCompatibleHost) {
+                    return undefined;
+                }
+                return `${parsed.origin}${pathname}`;
+            }
+            catch {
+                return undefined;
+            }
+        })();
+        const stableApiKey = hasStableQwenApiKey(token) ? extractApiKey(token) : undefined;
+        return {
+            ...existingWithoutLegacyQwenFields,
+            ...tokenDataWithoutLegacyQwenFields,
+            status: 'success',
+            type: 'qwen',
+            ...(resolvedAlias ? { alias: resolvedAlias } : {}),
+            expires_in: expiresIn,
+            access_token: String(token.access_token ?? ''),
+            ...(resourceUrl ? { resource_url: resourceUrl } : {}),
+            ...(stableApiKey ? { apiKey: stableApiKey, api_key: stableApiKey, norefresh: true, noRefresh: true } : {})
+        };
     }
     return tokenData;
 }
@@ -346,12 +500,9 @@ function logTokenSnapshot(providerType, token, endpoints) {
         const hasAccess = hasAccessToken(token);
         const expRaw = token?.expires_at ?? token?.expired ?? token?.expiry_date ?? null;
         logOAuthDebug(`[OAuth] token.read: provider=${providerType} exists=${Boolean(token)} hasApiKey=${hasApiKey} hasAccess=${hasAccess} expRaw=${String(expRaw)}`);
-        if (providerType === 'iflow') {
-            logOAuthDebug(`[OAuth] iflow endpoints: deviceCodeUrl=${String(endpoints.deviceCodeUrl)} tokenUrl=${String(endpoints.tokenUrl)}`);
-        }
     }
     catch (error) {
-        logOAuthLifecycleNonBlockingError('logTokenSnapshot', error, { providerType });
+        logOAuthLifecycleNonBlocking('logTokenSnapshot', error, { providerType });
     }
 }
 function buildEndpointOverrides(defaults, auth) {
@@ -370,25 +521,6 @@ function buildEndpointOverrides(defaults, auth) {
     }
     return overridden;
 }
-async function enrichIflowClientConfig(client) {
-    const next = { ...client };
-    if (hasNonEmptyString(process.env.IFLOW_CLIENT_ID)) {
-        next.clientId = process.env.IFLOW_CLIENT_ID.trim();
-    }
-    if (hasNonEmptyString(process.env.IFLOW_CLIENT_SECRET)) {
-        next.clientSecret = process.env.IFLOW_CLIENT_SECRET.trim();
-    }
-    if (!hasNonEmptyString(next.clientId) || !hasNonEmptyString(next.clientSecret)) {
-        const inferred = await inferIflowClientCredsFromLog();
-        if (inferred?.clientId && !hasNonEmptyString(next.clientId)) {
-            next.clientId = inferred.clientId;
-        }
-        if (inferred?.clientSecret && !hasNonEmptyString(next.clientSecret)) {
-            next.clientSecret = inferred.clientSecret;
-        }
-    }
-    return next;
-}
 async function buildClientOverrides(defaults, auth, providerType) {
     const base = { ...defaults.client };
     if (hasNonEmptyString(auth.clientId)) {
@@ -403,9 +535,6 @@ async function buildClientOverrides(defaults, auth, providerType) {
     if (hasNonEmptyString(auth.redirectUri)) {
         base.redirectUri = auth.redirectUri;
     }
-    if (providerType === 'iflow') {
-        return await enrichIflowClientConfig(base);
-    }
     return base;
 }
 async function ensureGeminiCLIServicesEnabled(accessToken, projectId) {
@@ -432,7 +561,7 @@ async function ensureGeminiCLIServicesEnabled(accessToken, projectId) {
                     }
                 }
                 catch (error) {
-                    logOAuthLifecycleNonBlockingError('ensureGeminiCLIServicesEnabled.parseCheckResponse', error, { service, projectId });
+                    logOAuthLifecycleNonBlocking('ensureGeminiCLIServicesEnabled.parseCheckResponse', error, { service, projectId });
                 }
             }
             else {
@@ -443,7 +572,7 @@ async function ensureGeminiCLIServicesEnabled(accessToken, projectId) {
             }
         }
         catch (error) {
-            logOAuthDebug(`[OAuth] Gemini CLI: failed to check service ${service} for project ${projectId} - ${error instanceof Error ? error.message : String(error)}`);
+            logOAuthLifecycleNonBlocking('ensureGeminiCLIServicesEnabled.checkService', error, { service, projectId });
             // best-effort; continue to try enable
         }
         // 2) 尝试启用服务
@@ -472,7 +601,7 @@ async function ensureGeminiCLIServicesEnabled(accessToken, projectId) {
             }
         }
         catch (error) {
-            logOAuthLifecycleNonBlockingError('ensureGeminiCLIServicesEnabled.parseEnableResponse', error, { service, projectId });
+            logOAuthLifecycleNonBlocking('ensureGeminiCLIServicesEnabled.parseEnableResponse', error, { service, projectId });
         }
         if (enableResp && (enableResp.ok || enableResp.status === 201)) {
             logOAuthDebug(`[OAuth] Gemini CLI: service ${service} enabled for project ${projectId} (status=${enableResp.status})`);
@@ -487,16 +616,6 @@ async function ensureGeminiCLIServicesEnabled(accessToken, projectId) {
 }
 function buildHeaderOverrides(defaults, providerType) {
     const baseHeaders = { ...(defaults.headers || {}) };
-    if (providerType === 'iflow') {
-        return {
-            ...baseHeaders,
-            'User-Agent': 'iFlow-Cli',
-            'X-Requested-With': 'XMLHttpRequest',
-            'Origin': 'https://iflow.cn',
-            'Referer': 'https://iflow.cn/oauth',
-            'Accept': 'application/json'
-        };
-    }
     return baseHeaders;
 }
 function resolveTokenAliasFromPath(tokenFilePath) {
@@ -552,18 +671,19 @@ async function buildOverrides(providerType, defaults, auth, openBrowser, tokenFi
     }
     return { overrides, endpoints, client };
 }
-async function finalizeTokenWrite(providerType, strategy, tokenFilePath, tokenData, reason) {
+async function finalizeTokenWrite(providerType, strategy, tokenFilePath, tokenData, reason, options) {
     if (!tokenData || typeof strategy.saveToken !== 'function') {
         return;
     }
-    const enriched = await maybeEnrichToken(providerType, tokenData, tokenFilePath);
+    const enriched = await maybeEnrichToken(providerType, tokenData, tokenFilePath, options);
     const prepared = await prepareTokenForStorage(providerType, tokenFilePath, enriched);
     await strategy.saveToken(prepared);
     logOAuthDebug(`[OAuth] Token ${reason} saved: ${tokenFilePath}`);
 }
-async function maybeEnrichToken(providerType, tokenData, tokenFilePath) {
+async function maybeEnrichToken(providerType, tokenData, tokenFilePath, options) {
     if (providerType === 'qwen') {
         const sanitized = sanitizeToken(tokenData) ?? tokenData;
+        const tokenRecord = tokenData;
         if (hasStableQwenApiKey(sanitized)) {
             return tokenData;
         }
@@ -572,6 +692,29 @@ async function maybeEnrichToken(providerType, tokenData, tokenFilePath) {
             logOAuthDebug('[OAuth] Qwen: no access_token found in auth result, skipping API Key fetch');
             return tokenData;
         }
+        if (options?.strictQwenValidation) {
+            try {
+                const resourceUrl = typeof sanitized.resource_url === 'string' && sanitized.resource_url.trim()
+                    ? sanitized.resource_url.trim()
+                    : typeof tokenRecord.resource_url === 'string' && tokenRecord.resource_url.trim()
+                        ? tokenRecord.resource_url.trim()
+                        : typeof tokenRecord.resourceUrl === 'string' && tokenRecord.resourceUrl.trim()
+                            ? tokenRecord.resourceUrl.trim()
+                            : undefined;
+                const model = typeof tokenRecord.model === 'string' && tokenRecord.model.trim()
+                    ? tokenRecord.model.trim()
+                    : undefined;
+                await validateQwenAccessToken({
+                    accessToken,
+                    resourceUrl,
+                    model
+                });
+            }
+            catch (error) {
+                const msg = formatOAuthErrorMessage(error);
+                throw new Error(`[OAuth] Qwen token validation failed after refresh/acquire: ${msg}`);
+            }
+        }
         try {
             const userInfo = await fetchQwenUserInfo(accessToken);
             if (userInfo.apiKey) {
@@ -583,29 +726,7 @@ async function maybeEnrichToken(providerType, tokenData, tokenFilePath) {
             return mergeQwenTokenData(tokenData, userInfo);
         }
         catch (error) {
-            const msg = formatOAuthErrorMessage(error);
-            // If userInfo endpoint is unavailable (404), treat access_token as api_key to avoid repeated lookups.
-            if (/\bHTTP\s+404\b/i.test(msg) || /\bnot\s+found\b/i.test(msg)) {
-                logOAuthDebug('[OAuth] Qwen: userInfo endpoint unavailable (404); using access_token as api_key fallback');
-                return mergeQwenTokenData(tokenData, { apiKey: accessToken });
-            }
-            logOAuthDebug(`[OAuth] Qwen: failed to fetch user info - ${msg}`);
-            return tokenData;
-        }
-    }
-    if (providerType === 'iflow') {
-        const accessToken = extractAccessToken(sanitizeToken(tokenData) ?? null);
-        if (!accessToken) {
-            logOAuthDebug('[OAuth] iFlow: no access_token found in auth result, skipping API Key fetch');
-            return tokenData;
-        }
-        try {
-            const userInfo = await fetchIFlowUserInfo(accessToken);
-            logOAuthDebug(`[OAuth] iFlow: successfully fetched API Key for ${userInfo.email}`);
-            return mergeIFlowTokenData(tokenData, userInfo);
-        }
-        catch (error) {
-            console.error(`[OAuth] iFlow: failed to fetch API Key - ${formatOAuthErrorMessage(error)}`);
+            logOAuthLifecycleNonBlocking('maybeEnrichToken.qwenUserInfo', error, { tokenFilePath, fallback: 'keep_token_data' });
             return tokenData;
         }
     }
@@ -668,7 +789,7 @@ async function maybeEnrichToken(providerType, tokenData, tokenFilePath) {
                 catch (error) {
                     const msg = error instanceof Error ? error.message : String(error);
                     logOAuthDebug(`[OAuth] ${label}: service enablement failed for project ${projectId} - ${msg}`);
-                    // 服务启用失败不再视为致命错误，后续真实调用时再由 providerErrorCenter 处理。
+                    // 服务启用失败不再视为致命错误，后续真实调用时再由 Virtual Router provider-runtime-ingress 处理。
                 }
             }
             return merged;
@@ -698,12 +819,9 @@ function logOAuthSetup(providerType, defaults, overrides, endpoints, client, tok
         if (endpoints.deviceCodeUrl || endpoints.authorizationUrl) {
             logOAuthDebug(`[OAuth] endpoints: deviceCodeUrl=${String(endpoints.deviceCodeUrl || '')} tokenUrl=${String(endpoints.tokenUrl)} authUrl=${String(endpoints.authorizationUrl || '')} userInfoUrl=${String(endpoints.userInfoUrl || '')}`);
         }
-        if (providerType === 'iflow') {
-            logOAuthDebug(`[OAuth] iflow client: id=${String(client.clientId || '(missing)')} secret=${client.clientSecret ? '(present)' : '(missing)'} redirect=${String(client.redirectUri || '(default)')}`);
-        }
     }
     catch (error) {
-        logOAuthLifecycleNonBlockingError('logEnsureContext', error, { providerType, tokenFilePath });
+        logOAuthLifecycleNonBlocking('logEnsureContext', error, { providerType, tokenFilePath });
     }
 }
 function createStrategy(providerType, overrides, tokenFilePath) {
@@ -780,7 +898,7 @@ function readInteractiveOAuthLock() {
         };
     }
     catch (error) {
-        logOAuthLifecycleNonBlockingError('readInteractiveOAuthLock', error, {
+        logOAuthLifecycleNonBlocking('readInteractiveOAuthLock', error, {
             lockFile: OAUTH_INTERACTIVE_LOCK_FILE
         });
         return null;
@@ -799,7 +917,8 @@ function isProcessAlive(pid) {
         process.kill(pid, 0);
         return true;
     }
-    catch {
+    catch (error) {
+        logOAuthLifecycleNonBlocking('isProcessAlive', error, { pid }, { throttleKey: keyFor('interactive-oauth-process-alive', String(pid)) });
         return false;
     }
 }
@@ -814,7 +933,7 @@ async function forceReclaimInteractiveOAuthLock(lock) {
         return true;
     }
     catch (error) {
-        logOAuthLifecycleNonBlockingError('forceReclaimInteractiveOAuthLock', error, {
+        logOAuthLifecycleNonBlocking('forceReclaimInteractiveOAuthLock', error, {
             pid: lock.pid,
             providerType: lock.providerType,
             tokenFile: lock.tokenFile
@@ -856,7 +975,7 @@ async function acquireInteractiveOAuthLock(providerType, tokenFilePath) {
                     }
                 }
                 catch (error) {
-                    logOAuthLifecycleNonBlockingError('acquireInteractiveOAuthLock.release', error, {
+                    logOAuthLifecycleNonBlocking('acquireInteractiveOAuthLock.release', error, {
                         lockFile: OAUTH_INTERACTIVE_LOCK_FILE,
                         providerType,
                         tokenFile: current.tokenFile
@@ -880,7 +999,7 @@ async function acquireInteractiveOAuthLock(providerType, tokenFilePath) {
                     await fs.unlink(OAUTH_INTERACTIVE_LOCK_FILE);
                 }
                 catch (error) {
-                    logOAuthLifecycleNonBlockingError('acquireInteractiveOAuthLock.removeStaleEmptyLock', error, {
+                    logOAuthLifecycleNonBlocking('acquireInteractiveOAuthLock.removeStaleEmptyLock', error, {
                         lockFile: OAUTH_INTERACTIVE_LOCK_FILE,
                         providerType,
                         tokenFile: current.tokenFile
@@ -893,7 +1012,7 @@ async function acquireInteractiveOAuthLock(providerType, tokenFilePath) {
                     await fs.unlink(OAUTH_INTERACTIVE_LOCK_FILE);
                 }
                 catch (error) {
-                    logOAuthLifecycleNonBlockingError('acquireInteractiveOAuthLock.removeDeadProcessLock', error, {
+                    logOAuthLifecycleNonBlocking('acquireInteractiveOAuthLock.removeDeadProcessLock', error, {
                         lockFile: OAUTH_INTERACTIVE_LOCK_FILE,
                         stalePid: existing.pid,
                         providerType: existing.providerType,
@@ -922,66 +1041,6 @@ async function acquireInteractiveOAuthLock(providerType, tokenFilePath) {
     }
     throw new Error('Failed to acquire interactive OAuth lock after multiple attempts');
 }
-function readIflowAutoFailureState() {
-    try {
-        if (!fsSync.existsSync(IFLOW_AUTO_FAILURE_FILE)) {
-            return {};
-        }
-        const raw = fsSync.readFileSync(IFLOW_AUTO_FAILURE_FILE, 'utf8');
-        const parsed = JSON.parse(raw);
-        if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
-            return {};
-        }
-        return parsed;
-    }
-    catch (error) {
-        logOAuthLifecycleNonBlockingError('readIflowAutoFailureState', error, {
-            file: IFLOW_AUTO_FAILURE_FILE
-        });
-        return {};
-    }
-}
-function writeIflowAutoFailureState(state) {
-    try {
-        fsSync.mkdirSync(path.dirname(IFLOW_AUTO_FAILURE_FILE), { recursive: true });
-        fsSync.writeFileSync(IFLOW_AUTO_FAILURE_FILE, `${JSON.stringify(state, null, 2)}\n`, 'utf8');
-    }
-    catch (error) {
-        logOAuthLifecycleNonBlockingError('writeIflowAutoFailureState', error, { file: IFLOW_AUTO_FAILURE_FILE }, { warn: true });
-    }
-}
-function resolveIflowFailureKey(tokenFilePath) {
-    return path.resolve(tokenFilePath);
-}
-function clearIflowAutoFailureState(tokenFilePath) {
-    const state = readIflowAutoFailureState();
-    const key = resolveIflowFailureKey(tokenFilePath);
-    if (!state[key]) {
-        return;
-    }
-    delete state[key];
-    writeIflowAutoFailureState(state);
-}
-function markIflowAutoFailureState(tokenFilePath, maxAttempts, errorText) {
-    const state = readIflowAutoFailureState();
-    const key = resolveIflowFailureKey(tokenFilePath);
-    const previous = state[key];
-    const nextCount = (previous?.count || 0) + 1;
-    const record = {
-        count: nextCount,
-        manualRequired: nextCount >= maxAttempts,
-        updatedAt: Date.now(),
-        lastError: errorText
-    };
-    state[key] = record;
-    writeIflowAutoFailureState(state);
-    return record;
-}
-function getIflowAutoFailureState(tokenFilePath) {
-    const state = readIflowAutoFailureState();
-    const key = resolveIflowFailureKey(tokenFilePath);
-    return state[key] || null;
-}
 async function runInteractiveAuthorizationFlow(providerType, overrides, tokenFilePath, openBrowser, forceTokenReset, forceReauth) {
     const execute = async () => {
         let backupFile = null;
@@ -991,14 +1050,11 @@ async function runInteractiveAuthorizationFlow(providerType, overrides, tokenFil
             backupFile = await backupTokenFile(tokenFilePath);
         }
         try {
-            if (providerType === 'iflow') {
-                await runIflowAuthorizationSequence(providerType, overrides, tokenFilePath, forceReauth);
-            }
-            else {
-                const strategy = createStrategy(providerType, overrides, tokenFilePath);
-                const authed = await strategy.authenticate?.({ openBrowser, forceReauthorize: forceReauth });
-                await finalizeTokenWrite(providerType, strategy, tokenFilePath, authed, 'acquired');
-            }
+            const strategy = createStrategy(providerType, overrides, tokenFilePath);
+            const authed = await strategy.authenticate?.({ openBrowser, forceReauthorize: forceReauth });
+            await finalizeTokenWrite(providerType, strategy, tokenFilePath, authed, 'acquired', {
+                strictQwenValidation: providerType === 'qwen'
+            });
             await discardBackupFile(backupFile);
             if (openBrowser && shouldAutoCloseOAuthBrowserSession()) {
                 // Optional: close only after token is fully written; never close browser on failed auth.
@@ -1033,78 +1089,6 @@ async function runInteractiveAuthorizationFlow(providerType, overrides, tokenFil
     interactiveTail.next = queued.then(() => undefined, () => undefined);
     await queued;
 }
-async function runIflowAuthorizationSequence(providerType, overrides, tokenFilePath, forceReauth) {
-    const authCodeOverrides = { ...overrides, flowType: OAuthFlowType.AUTHORIZATION_CODE };
-    const autoMode = String(process.env.ROUTECODEX_CAMOUFOX_AUTO_MODE || '').trim().toLowerCase();
-    if (autoMode === 'iflow') {
-        // Auto mode should stay single-path to keep retry lifecycle deterministic.
-        await executeAuthFlow(providerType, authCodeOverrides, tokenFilePath, forceReauth);
-        return;
-    }
-    try {
-        await executeAuthFlow(providerType, authCodeOverrides, tokenFilePath, forceReauth);
-        return;
-    }
-    catch (firstError) {
-        logOAuthDebug(`[OAuth] auth_code flow failed: ${firstError instanceof Error ? firstError.message : String(firstError || '')}`);
-    }
-    const deviceOverrides = { ...overrides, flowType: OAuthFlowType.DEVICE_CODE };
-    await executeAuthFlow(providerType, deviceOverrides, tokenFilePath, forceReauth);
-}
-async function executeAuthFlow(providerType, overrides, tokenFilePath, forceReauth) {
-    const runOnce = async () => {
-        const strategy = createStrategy(providerType, overrides, tokenFilePath);
-        const authed = await strategy.authenticate?.({ openBrowser: true, forceReauthorize: forceReauth });
-        await finalizeTokenWrite(providerType, strategy, tokenFilePath, authed, overrides.flowType ? `acquired (${String(overrides.flowType)})` : 'acquired');
-    };
-    const autoMode = String(process.env.ROUTECODEX_CAMOUFOX_AUTO_MODE || '').trim().toLowerCase();
-    const iflowAutoEnabled = providerType === 'iflow' && autoMode === 'iflow';
-    if (!iflowAutoEnabled) {
-        await runOnce();
-        if (providerType === 'iflow') {
-            clearIflowAutoFailureState(tokenFilePath);
-        }
-        return;
-    }
-    const headfulMode = isTruthyFlag(process.env.ROUTECODEX_CAMOUFOX_DEV_MODE);
-    const maxAutoAttemptsRaw = Number.parseInt(String(process.env.ROUTECODEX_IFLOW_AUTO_MAX_ATTEMPTS || '').trim(), 10);
-    const maxAutoAttempts = Number.isFinite(maxAutoAttemptsRaw) && maxAutoAttemptsRaw > 0 ? maxAutoAttemptsRaw : 3;
-    const retryDelayRaw = Number.parseInt(String(process.env.ROUTECODEX_IFLOW_AUTO_RETRY_DELAY_MS || '').trim(), 10);
-    const retryDelayMs = Number.isFinite(retryDelayRaw) && retryDelayRaw >= 0 ? retryDelayRaw : 1000;
-    // Headful run is considered manual trigger; successful manual run clears auto failure gate.
-    if (headfulMode) {
-        await runOnce();
-        clearIflowAutoFailureState(tokenFilePath);
-        return;
-    }
-    const existingFailure = getIflowAutoFailureState(tokenFilePath);
-    if (existingFailure?.manualRequired) {
-        throw new Error(`[OAuth] iflow auto auth is disabled for token=${tokenFilePath} after ${existingFailure.count} failures. Manual trigger required.`);
-    }
-    let lastError = null;
-    for (let attempt = 1; attempt <= maxAutoAttempts; attempt += 1) {
-        try {
-            await runOnce();
-            clearIflowAutoFailureState(tokenFilePath);
-            return;
-        }
-        catch (error) {
-            lastError = error;
-            const msg = error instanceof Error ? error.message : String(error || '');
-            const record = markIflowAutoFailureState(tokenFilePath, maxAutoAttempts, msg);
-            logOAuthDebug(`[OAuth] iflow auto auth attempt ${attempt}/${maxAutoAttempts} failed: ${msg} ` +
-                `(failureCount=${record.count} manualRequired=${record.manualRequired ? '1' : '0'})`);
-            if (attempt < maxAutoAttempts) {
-                await new Promise((resolve) => setTimeout(resolve, retryDelayMs));
-            }
-        }
-    }
-    const finalRecord = getIflowAutoFailureState(tokenFilePath);
-    if (finalRecord?.manualRequired) {
-        throw new Error(`[OAuth] iflow auto auth failed ${finalRecord.count} times; manual trigger is required and auto retries are suspended.`);
-    }
-    throw (lastError instanceof Error ? lastError : new Error(String(lastError || 'iflow auto auth failed')));
-}
 export async function ensureValidOAuthToken(providerType, auth, opts = {}) {
     if (!isOAuthConfig(auth)) {
         return;
@@ -1118,11 +1102,12 @@ export async function ensureValidOAuthToken(providerType, auth, opts = {}) {
     // Only treat "open browser" as explicit user intent when caller passed it explicitly.
     // This prevents background flows (daemon/provider init) from bypassing noRefresh due to env defaults.
     const openBrowserRequested = opts.openBrowser === true;
+    const forceRefreshRequested = opts.forceRefresh === true;
     // 当 opts.forceReauthorize 显式为 true 时，跳过节流检查，
     // 确保来自上游 401/406 等认证错误的修复请求不会被初始化阶段的调用吞掉。
     // Explicit user-triggered OAuth (openBrowser=true) must also bypass throttle,
     // otherwise repeated "Authorize" clicks in WebUI can become a silent no-op.
-    if (!opts.forceReauthorize && !openBrowserRequested && shouldThrottle(cacheKey)) {
+    if (!opts.forceReauthorize && !openBrowserRequested && !forceRefreshRequested && shouldThrottle(cacheKey)) {
         return;
     }
     const aliasInfo = parseTokenSequenceFromPath(tokenFilePath);
@@ -1142,6 +1127,14 @@ export async function ensureValidOAuthToken(providerType, auth, opts = {}) {
         logOAuthSetup(providerType, defaults, overrides, endpoints, client, tokenFilePath, openBrowser, forceReauth);
         const strategy = createStrategy(providerType, overrides, tokenFilePath);
         let token = await readTokenFromFile(tokenFilePath);
+        if (!token) {
+            token = await maybeAdoptOfficialQwenCodeToken({
+                providerType,
+                tokenFilePath,
+                currentToken: null,
+                strategy
+            });
+        }
         const hadExistingTokenFile = token !== null;
         // Qwen: ensure api_key is present even when access_token is still valid.
         // Qwen OpenAI-compatible endpoints may require api_key (not access_token) for business requests.
@@ -1189,35 +1182,60 @@ export async function ensureValidOAuthToken(providerType, auth, opts = {}) {
         }
         logTokenSnapshot(providerType, token, endpoints);
         const tokenState = evaluateTokenState(token, providerType);
-        const noRefresh = hasNoRefreshFlag(token);
-        if (noRefresh && !forceReauth && !openBrowserRequested) {
+        const noRefresh = shouldHonorNoRefresh(providerType, token);
+        if (noRefresh && !forceReauth && !openBrowserRequested && !forceRefreshRequested) {
             logOAuthDebug(`[OAuth] norefresh flag set for provider=${providerType} tokenFile=${tokenFilePath} - skip auto-refresh and re-authorization.`);
             updateThrottle(cacheKey);
             return;
         }
-        if (!forceReauth && tokenState.validAccess) {
+        if (!forceReauth && !forceRefreshRequested && tokenState.validAccess) {
             logOAuthDebug(`[OAuth] Using existing token (${tokenState.hasApiKey ? 'apiKey' : 'access_token'} valid). No authorization required.`);
             updateThrottle(cacheKey);
             return;
         }
         if (!forceReauth &&
-            tokenState.isExpiredOrNear &&
+            (forceRefreshRequested || tokenState.isExpiredOrNear) &&
             token?.refresh_token &&
             typeof strategy.refreshToken === 'function') {
             try {
-                logOAuthDebug('[OAuth] refreshing token...');
+                logOAuthDebug(forceRefreshRequested
+                    ? '[OAuth] refreshing token (forced by upstream invalid-token repair)...'
+                    : '[OAuth] refreshing token...');
                 const refreshed = await strategy.refreshToken(token.refresh_token);
-                await finalizeTokenWrite(providerType, strategy, tokenFilePath, refreshed, 'refreshed and saved');
+                await finalizeTokenWrite(providerType, strategy, tokenFilePath, refreshed, 'refreshed and saved', {
+                    strictQwenValidation: providerType === 'qwen'
+                });
                 updateThrottle(cacheKey);
                 return;
             }
             catch (error) {
                 const message = error instanceof Error ? error.message : String(error || '');
-                applyRefreshFailureBackoff(cacheKey, providerType, message);
-                if (providerType === 'iflow' && shouldClearIflowTokenOnRefreshFailure(message)) {
-                    // Only clear token file for permanent refresh-credential failures.
-                    await clearTokenFile(tokenFilePath);
+                if (providerType === 'qwen' &&
+                    isPermanentOAuthRefreshErrorMessage(message)) {
+                    try {
+                        const adopted = await maybeAdoptOfficialQwenCodeToken({
+                            providerType,
+                            tokenFilePath,
+                            currentToken: token,
+                            strategy,
+                            force: true
+                        });
+                        const adoptedRefreshToken = extractRefreshTokenString(adopted);
+                        if (adoptedRefreshToken && adoptedRefreshToken !== extractRefreshTokenString(token)) {
+                            logOAuthDebug('[OAuth] Qwen default: refresh failed, retrying with official qwen code token');
+                            const refreshed = await strategy.refreshToken(adoptedRefreshToken);
+                            await finalizeTokenWrite(providerType, strategy, tokenFilePath, refreshed, 'repaired from official qwen code token and saved', {
+                                strictQwenValidation: true
+                            });
+                            updateThrottle(cacheKey);
+                            return;
+                        }
+                    }
+                    catch (repairError) {
+                        logOAuthLifecycleNonBlocking('qwen_default_official_token_repair', repairError, { tokenFilePath });
+                    }
                 }
+                applyRefreshFailureBackoff(cacheKey, providerType, message);
                 if (!opts.forceReacquireIfRefreshFails) {
                     throw error;
                 }
@@ -1261,6 +1279,41 @@ export async function handleUpstreamInvalidOAuthToken(providerType, auth, upstre
     const pt = providerType.toLowerCase();
     const allowBlocking = options?.allowBlocking !== false;
     const ensureValid = options?.ensureValidOAuthToken ?? ensureValidOAuthToken;
+    let tokenFilePath;
+    const autoOAuthDisabled = isAutoOAuthDisabledProvider(providerType);
+    const attemptSilentRefreshOnly = async (lowerMessage) => {
+        try {
+            await withOAuthRepairEnv(providerType, async () => {
+                await ensureValid(providerType, auth, {
+                    forceReacquireIfRefreshFails: false,
+                    openBrowser: false,
+                    forceReauthorize: false,
+                    forceRefresh: pt === 'qwen'
+                });
+            });
+            if (tokenFilePath) {
+                await markInteractiveOAuthRepairSuccess({
+                    providerType,
+                    tokenFile: tokenFilePath
+                });
+            }
+            return true;
+        }
+        catch (error) {
+            const refreshMsg = error instanceof Error ? error.message : String(error);
+            if (pt === 'qwen' && isPermanentOAuthRefreshErrorMessage(refreshMsg)) {
+                await maybeMarkTokenFileNoRefresh(tokenFilePath || '');
+                logOAuthLifecycleNonBlocking('handleUpstreamInvalidOAuthToken.qwenPermanentRefreshFailure', new Error('qwen silent refresh permanently failed; standard re-auth required'), { providerType, tokenFilePath, reason: refreshMsg }, { warn: true, throttleKey: `qwen-permanent-refresh:${tokenFilePath || 'unknown'}` });
+                return false;
+            }
+            if (pt === 'qwen') {
+                logOAuthLifecycleNonBlocking('handleUpstreamInvalidOAuthToken.qwenSilentRefreshFailure', new Error('qwen silent refresh failed; standard re-auth required'), { providerType, tokenFilePath, reason: refreshMsg }, { warn: true, throttleKey: `qwen-silent-refresh:${tokenFilePath || 'unknown'}` });
+                return false;
+            }
+            logOAuthLifecycleNonBlocking('handleUpstreamInvalidOAuthToken.autoOAuthDisabled', new Error('auto OAuth has been removed for this provider; manual re-auth required'), { providerType, tokenFilePath, reason: refreshMsg }, { warn: true, throttleKey: `oauth-auto-disabled:${providerType}:${tokenFilePath || 'unknown'}` });
+            return false;
+        }
+    };
     try {
         if (!shouldTriggerInteractiveOAuthRepair(providerType, upstreamError)) {
             return false;
@@ -1272,7 +1325,14 @@ export async function handleUpstreamInvalidOAuthToken(providerType, auth, upstre
                 : String(upstreamError || '');
         const lower = msg.toLowerCase();
         const statusCode = extractStatusCode(upstreamError);
-        const tokenFilePath = resolveTokenFilePath(auth, providerType);
+        tokenFilePath = resolveTokenFilePath(auth, providerType);
+        if (pt === 'qwen' && await hasTokenFileNoRefresh(tokenFilePath)) {
+            logOAuthLifecycleNonBlocking('handleUpstreamInvalidOAuthToken.qwenNoRefresh', new Error('qwen auto-refresh disabled; standard re-auth required'), { providerType, tokenFilePath }, { warn: true, throttleKey: `qwen-norefresh:${tokenFilePath}` });
+            return false;
+        }
+        if (autoOAuthDisabled) {
+            return await attemptSilentRefreshOnly(lower);
+        }
         const cooldownReason = statusCode === 403 && isGoogleAccountVerificationRequiredMessage(lower) ? 'google_verify' : 'generic';
         const gate = await shouldSkipInteractiveOAuthRepair({
             providerType,
@@ -1309,32 +1369,39 @@ export async function handleUpstreamInvalidOAuthToken(providerType, auth, upstre
                 }
                 return false;
             }
-            const refreshRejectedForIflow = pt === 'iflow' && isIflowRefreshEndpointRejectionMessage(lower);
-            if (!refreshRejectedForIflow) {
-                try {
-                    await withOAuthRepairEnv(providerType, async () => {
-                        await ensureValid(providerType, auth, {
-                            forceReacquireIfRefreshFails: false,
-                            openBrowser: false,
-                            forceReauthorize: false
-                        });
-                    });
-                    await markInteractiveOAuthRepairSuccess({
-                        providerType,
-                        tokenFile: tokenFilePath
+            try {
+                await withOAuthRepairEnv(providerType, async () => {
+                    await ensureValid(providerType, auth, {
+                        forceReacquireIfRefreshFails: false,
+                        openBrowser: false,
+                        forceReauthorize: false,
+                        forceRefresh: pt === 'qwen'
                     });
-                    return true;
+                });
+                await markInteractiveOAuthRepairSuccess({
+                    providerType,
+                    tokenFile: tokenFilePath
+                });
+                return true;
+            }
+            catch (error) {
+                const refreshMsg = error instanceof Error ? error.message : String(error);
+                if (pt === 'qwen' && isPermanentOAuthRefreshErrorMessage(refreshMsg)) {
+                    await maybeMarkTokenFileNoRefresh(tokenFilePath);
+                    logOAuthLifecycleNonBlocking('handleUpstreamInvalidOAuthToken.qwenPermanentRefreshFailure', new Error('qwen silent refresh permanently failed; standard re-auth required'), { providerType, tokenFilePath, reason: refreshMsg }, { warn: true, throttleKey: `qwen-permanent-refresh:${tokenFilePath}` });
+                    return false;
                 }
-                catch (error) {
-                    logOAuthDebug(`[OAuth] silent refresh failed; falling back to background interactive repair (provider=${providerType}) - ${error instanceof Error ? error.message : String(error)}`);
+                if (pt === 'qwen') {
+                    logOAuthLifecycleNonBlocking('handleUpstreamInvalidOAuthToken.qwenSilentRefreshFailure', new Error('qwen silent refresh failed; standard re-auth required'), { providerType, tokenFilePath, reason: refreshMsg }, { warn: true, throttleKey: `qwen-silent-refresh:${tokenFilePath}` });
+                    return false;
                 }
+                logOAuthDebug(`[OAuth] silent refresh failed; falling back to background interactive repair (provider=${providerType}) - ${refreshMsg}`);
             }
             const interactiveOpts = {
                 forceReacquireIfRefreshFails: true,
                 openBrowser: true,
-                // 上游已经明确返回“认证失效”（包括 iflow 的 406/439），
                 // 此时强制跳过节流并允许走完整 OAuth 流程。
-                forceReauthorize: pt === 'gemini' || pt === 'gemini-cli' || pt === 'antigravity' || pt === 'iflow' || pt === 'qwen'
+                forceReauthorize: pt === 'gemini' || pt === 'gemini-cli' || pt === 'antigravity' || pt === 'qwen'
             };
             void withOAuthRepairEnv(providerType, async () => {
                 await runInteractiveRepairWithAutoFallback({
@@ -1351,9 +1418,8 @@ export async function handleUpstreamInvalidOAuthToken(providerType, auth, upstre
         const opts = {
             forceReacquireIfRefreshFails: true,
             openBrowser: true,
-            // 上游已经明确返回“认证失效”（包括 iflow 的 406/439），
             // 此时强制跳过节流并允许走完整 OAuth 流程。
-            forceReauthorize: pt === 'gemini' || pt === 'gemini-cli' || pt === 'antigravity' || pt === 'iflow' || pt === 'qwen'
+            forceReauthorize: pt === 'gemini' || pt === 'gemini-cli' || pt === 'antigravity' || pt === 'qwen'
         };
         await withOAuthRepairEnv(providerType, async () => {
             await runInteractiveRepairWithAutoFallback({
@@ -1370,7 +1436,10 @@ export async function handleUpstreamInvalidOAuthToken(providerType, auth, upstre
         return true;
     }
     catch (error) {
-        logOAuthDebug(`[OAuth] interactive repair flow failed (provider=${providerType}) - ${error instanceof Error ? error.message : String(error)}`);
+        logOAuthLifecycleNonBlocking('interactiveRepairFlow', error, {
+            providerType,
+            tokenFilePath
+        });
         return false;
     }
 }
@@ -1383,23 +1452,8 @@ export function shouldTriggerInteractiveOAuthRepair(providerType, upstreamError)
             : String(upstreamError || '');
     const lower = msg.toLowerCase();
     const statusCode = extractStatusCode(upstreamError);
-    if (pt === 'iflow' && (statusCode === 434 || isIflowAkBlockedMessage(lower))) {
-        // iFlow 434 是账号级封禁，必须人工恢复，不走自动修复。
-        return false;
-    }
     // 基本令牌失效判定：只看典型 OAuth 文案
     let looksInvalid = /invalid[_-]?token|invalid[_-]?grant|unauthenticated|unauthorized|token has expired|access token expired/.test(lower);
-    // 对于 iflow / qwen，保留基于 401/403 的宽松判定，避免破坏既有行为。
-    if (!looksInvalid && (pt === 'iflow' || pt === 'qwen')) {
-        if (statusCode === 401 ||
-            statusCode === 403 ||
-            /\b401\b|\b403\b|40308/.test(msg)) {
-            looksInvalid = true;
-        }
-    }
-    if (!looksInvalid && pt === 'iflow' && isIflowRefreshEndpointRejectionMessage(lower)) {
-        looksInvalid = true;
-    }
     // 对于 gemini / gemini-cli / antigravity，排除纯服务开关类错误，
     // 但如果明确提示缺少 project_id 或需要重新 OAuth，则视为令牌失效。
     if (pt === 'gemini' || pt === 'gemini-cli' || pt === 'antigravity') {
@@ -1420,44 +1474,7 @@ export function shouldTriggerInteractiveOAuthRepair(providerType, upstreamError)
     }
     return looksInvalid;
 }
-async function inferIflowClientCredsFromLog() {
-    try {
-        const file = path.join(resolveRccAuthDir(), 'iflow-oauth.log');
-        const txt = await fs.readFile(file, 'utf-8').catch((error) => {
-            logOAuthDebug(`[OAuth] failed to read iflow oauth log for client creds inference (non-blocking) file=${file}: ${error instanceof Error ? error.message : String(error)}`);
-            return '';
-        });
-        if (!txt) {
-            return null;
-        }
-        const lines = txt.split(/\r?\n/).filter((l) => l.trim().length > 0);
-        if (lines.length === 0) {
-            return null;
-        }
-        for (let i = lines.length - 1; i >= 0; i--) {
-            const line = lines[i];
-            try {
-                const obj = JSON.parse(line);
-                const decoded = typeof obj.decoded === 'string' ? obj.decoded : '';
-                if (!decoded.includes(':')) {
-                    continue;
-                }
-                const idx = decoded.indexOf(':');
-                const id = decoded.slice(0, idx).trim();
-                const secret = decoded.slice(idx + 1).trim();
-                if (id && secret) {
-                    return { clientId: id, clientSecret: secret };
-                }
-            }
-            catch {
-                // skip parse errors
-            }
-        }
-        return null;
-    }
-    catch (error) {
-        logOAuthDebug(`[OAuth] inferIflowClientCredsFromLog failed (non-blocking): ${error instanceof Error ? error.message : String(error)}`);
-        return null;
-    }
-}
+export const __oauthLifecycleTestables = {
+    isProcessAlive
+};
 //# sourceMappingURL=oauth-lifecycle.js.map