npm - @kaitranntt/ccs - Versions diffs - 7.66.1 → 7.67.0-dev.10 - Mend

@kaitranntt/ccs 7.66.1 → 7.67.0-dev.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (365) hide show

package/dist/cliproxy/auth/auth-types.d.ts CHANGED Viewed

@@ -11,25 +11,40 @@ import type { AccountInfo } from '../account-manager';
  * - aws-authcode: AWS Builder ID via Authorization Code flow (CLI flag only)
  * - google: Social OAuth via Google
  * - github: Social OAuth via GitHub (management API only)
+ * - idc: IAM Identity Center (IDC) via CLI flags with start URL + region
  */
-export declare const KIRO_AUTH_METHODS: readonly ["aws", "aws-authcode", "google", "github"];
+export declare const KIRO_AUTH_METHODS: readonly ["aws", "aws-authcode", "google", "github", "idc"];
 export type KiroAuthMethod = (typeof KIRO_AUTH_METHODS)[number];
 /** CLI binary supports these Kiro methods directly via flags. */
-export declare const KIRO_CLI_AUTH_METHODS: readonly ["aws", "aws-authcode", "google"];
+export declare const KIRO_CLI_AUTH_METHODS: readonly ["aws", "aws-authcode", "google", "idc"];
 export type KiroCLIAuthMethod = (typeof KIRO_CLI_AUTH_METHODS)[number];
+export declare const KIRO_IDC_FLOWS: readonly ["authcode", "device"];
+export type KiroIDCFlow = (typeof KIRO_IDC_FLOWS)[number];
+export declare const DEFAULT_KIRO_IDC_FLOW: KiroIDCFlow;
 /** Default Kiro method for CCS UX and AWS Organization support. */
 export declare const DEFAULT_KIRO_AUTH_METHOD: KiroAuthMethod;
 export declare function isKiroAuthMethod(value: string): value is KiroAuthMethod;
 export declare function isKiroCLIAuthMethod(value: string): value is KiroCLIAuthMethod;
+export declare function isKiroIDCFlow(value: string): value is KiroIDCFlow;
 export declare function normalizeKiroAuthMethod(value?: string): KiroAuthMethod;
-export declare function isKiroDeviceCodeMethod(method: KiroAuthMethod): boolean;
-export declare function getKiroCallbackPort(method: KiroAuthMethod): number | null;
+export declare function normalizeKiroIDCFlow(value?: string): KiroIDCFlow;
+export declare function isKiroDeviceCodeMethod(method: KiroAuthMethod, options?: {
+    idcFlow?: KiroIDCFlow;
+}): boolean;
+export declare function getKiroCallbackPort(method: KiroAuthMethod, options?: {
+    idcFlow?: KiroIDCFlow;
+}): number | null;
 export declare function getKiroCLIAuthFlag(method: KiroCLIAuthMethod): string;
+export declare function getKiroCLIAuthArgs(method: KiroCLIAuthMethod, options?: {
+    idcStartUrl?: string;
+    idcRegion?: string;
+    idcFlow?: KiroIDCFlow;
+}): string[];
 /**
  * Kiro method for CLIProxyAPI management endpoint:
  * GET /v0/management/kiro-auth-url?method=<value>
  */
-export declare function toKiroManagementMethod(method: KiroAuthMethod): 'aws' | 'google' | 'github';
+export declare function toKiroManagementMethod(method: KiroAuthMethod): 'aws' | 'google' | 'github' | null;
 /**
  * OAuth callback ports used by CLIProxyAPI (hardcoded in binary)
  * See: https://github.com/router-for-me/CLIProxyAPI/tree/main/internal/auth
@@ -108,7 +123,9 @@ export declare const CLIPROXY_CALLBACK_PROVIDER_MAP: Record<CLIProxyProvider, st
  */
 export declare const CLIPROXY_AUTH_URL_PROVIDER_MAP: Record<CLIProxyProvider, string>;
 export declare function getManagementAuthUrlPath(provider: CLIProxyProvider): string;
-export declare function getPasteCallbackStartPath(provider: CLIProxyProvider): string;
+export declare function getPasteCallbackStartPath(provider: CLIProxyProvider, options?: {
+    kiroMethod?: KiroAuthMethod;
+}): string | null;
 export declare function getManagementOAuthCallbackPath(): string;
 /**
  * Get OAuth config for provider
@@ -127,6 +144,12 @@ export interface OAuthOptions {
     acceptAgyRisk?: boolean;
     /** Kiro auth method override (CLI + Dashboard parity). */
     kiroMethod?: KiroAuthMethod;
+    /** Kiro IDC start URL (required when kiroMethod=idc). */
+    kiroIDCStartUrl?: string;
+    /** Kiro IDC region override. */
+    kiroIDCRegion?: string;
+    /** Kiro IDC flow override (authcode or device). */
+    kiroIDCFlow?: KiroIDCFlow;
     /** If true, triggered from Web UI (enables project selection prompt) */
     fromUI?: boolean;
     /** If true, use --no-incognito flag (Kiro only - use normal browser instead of incognito) */

package/dist/cliproxy/auth/auth-types.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"auth-types.d.ts","sourceRoot":"","sources":["../../../src/cliproxy/auth/auth-types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAC5C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAWtD~~;;;;;;GAMG~~;AACH,eAAO,MAAM,iBAAiB,~~sDAAuD~~,CAAC;~~AACtF~~,MAAM,MAAM,cAAc,GAAG,CAAC,OAAO,iBAAiB,CAAC,CAAC,MAAM,CAAC,CAAC;AAEhE,iEAAiE;AACjE,eAAO,MAAM,qBAAqB,~~4CAA6C~~,CAAC;~~AAChF~~,MAAM,MAAM,iBAAiB,GAAG,CAAC,OAAO,qBAAqB,CAAC,CAAC,MAAM,CAAC,CAAC;AAEvE,mEAAmE;AACnE,eAAO,MAAM,wBAAwB,EAAE,cAAsB,CAAC;AAE9D,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,KAAK,IAAI,cAAc,CAEvE;AAED,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,KAAK,IAAI,iBAAiB,CAE7E;AAED,wBAAgB,uBAAuB,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,cAAc,CAItE;AAED,wBAAgB,~~sBAAsB~~,CAAC,MAAM,EAAE,cAAc,~~GAAG~~,OAAO,~~CAEtE~~;AAED,wBAAgB,mBAAmB,~~CAAC~~,MAAM,EAAE,cAAc,~~GAAG~~,MAAM,GAAG,IAAI,~~CAEzE~~;AAED,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,iBAAiB,GAAG,MAAM,~~CASpE~~;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,cAAc,GAAG,KAAK,GAAG,QAAQ,GAAG,QAAQ,~~CAY1F~~;AAED;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,oBAAoB,EAAE,OAAO,CAAC,MAAM,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAUxE,CAAC;AAEJ;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,oBAAoB;IACpB,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,oCAAoC;IACpC,aAAa,EAAE,OAAO,CAAC;IACvB,8BAA8B;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,6BAA6B;IAC7B,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,yCAAyC;IACzC,QAAQ,CAAC,EAAE,IAAI,CAAC;IAChB,oEAAoE;IACpE,QAAQ,EAAE,WAAW,EAAE,CAAC;IACxB,yBAAyB;IACzB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,0BAA0B;IAC1B,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,mBAAmB;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,gDAAgD;IAChD,OAAO,EAAE,MAAM,CAAC;IAChB,sBAAsB;IACtB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,wBAAwB;IACxB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,eAAO,MAAM,aAAa,EAAE,MAAM,CAAC,gBAAgB,EAAE,mBAAmB,CAkEvE,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,EAAE,MAAM,CAAC,gBAAgB,EAAE,MAAM,EAAE,CAErE,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,oBAAoB,EAAE,MAAM,CAAC,gBAAgB,EAAE,MAAM,EAAE,CAEnE,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,8BAA8B,EAAE,MAAM,CAAC,gBAAgB,EAAE,MAAM,CAE3E,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,8BAA8B,EAAE,MAAM,CAAC,gBAAgB,EAAE,MAAM,CAE3E,CAAC;AAEF,wBAAgB,wBAAwB,CAAC,QAAQ,EAAE,gBAAgB,GAAG,MAAM,CAG3E;AAED,wBAAgB,yBAAyB,~~CAAC~~,QAAQ,EAAE,gBAAgB,~~GAAG~~,MAAM,~~CAM5E~~;AAED,wBAAgB,8BAA8B,IAAI,MAAM,CAEvD;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,gBAAgB,GAAG,mBAAmB,CAM9E;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,0FAA0F;IAC1F,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,0DAA0D;IAC1D,UAAU,CAAC,EAAE,cAAc,CAAC;IAC5B,wEAAwE;IACxE,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,6FAA6F;IAC7F,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,8EAA8E;IAC9E,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,8EAA8E;IAC9E,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,8EAA8E;IAC9E,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB"}
1	+ {"version":3,"file":"auth-types.d.ts","sourceRoot":"","sources":["../../../src/cliproxy/auth/auth-types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAC5C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAWtD;;;;;;;GAOG;AACH,eAAO,MAAM,iBAAiB,6DAA8D,CAAC;AAC7F,MAAM,MAAM,cAAc,GAAG,CAAC,OAAO,iBAAiB,CAAC,CAAC,MAAM,CAAC,CAAC;AAEhE,iEAAiE;AACjE,eAAO,MAAM,qBAAqB,mDAAoD,CAAC;AACvF,MAAM,MAAM,iBAAiB,GAAG,CAAC,OAAO,qBAAqB,CAAC,CAAC,MAAM,CAAC,CAAC;AAEvE,eAAO,MAAM,cAAc,iCAAkC,CAAC;AAC9D,MAAM,MAAM,WAAW,GAAG,CAAC,OAAO,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC;AAC1D,eAAO,MAAM,qBAAqB,EAAE,WAAwB,CAAC;AAE7D,mEAAmE;AACnE,eAAO,MAAM,wBAAwB,EAAE,cAAsB,CAAC;AAE9D,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,KAAK,IAAI,cAAc,CAEvE;AAED,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,KAAK,IAAI,iBAAiB,CAE7E;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,KAAK,IAAI,WAAW,CAEjE;AAED,wBAAgB,uBAAuB,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,cAAc,CAItE;AAED,wBAAgB,oBAAoB,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,WAAW,CAIhE;AAED,wBAAgB,sBAAsB,CACpC,MAAM,EAAE,cAAc,EACtB,OAAO,CAAC,EAAE;IAAE,OAAO,CAAC,EAAE,WAAW,CAAA;CAAE,GAClC,OAAO,CAQT;AAED,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,cAAc,EACtB,OAAO,CAAC,EAAE;IAAE,OAAO,CAAC,EAAE,WAAW,CAAA;CAAE,GAClC,MAAM,GAAG,IAAI,CAEf;AAED,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,iBAAiB,GAAG,MAAM,CAWpE;AAED,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,iBAAiB,EACzB,OAAO,CAAC,EAAE;IACR,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,WAAW,CAAC;CACvB,GACA,MAAM,EAAE,CAiBV;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,cAAc,GAAG,KAAK,GAAG,QAAQ,GAAG,QAAQ,GAAG,IAAI,CAcjG;AAED;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,oBAAoB,EAAE,OAAO,CAAC,MAAM,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAUxE,CAAC;AAEJ;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,oBAAoB;IACpB,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,oCAAoC;IACpC,aAAa,EAAE,OAAO,CAAC;IACvB,8BAA8B;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,6BAA6B;IAC7B,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,yCAAyC;IACzC,QAAQ,CAAC,EAAE,IAAI,CAAC;IAChB,oEAAoE;IACpE,QAAQ,EAAE,WAAW,EAAE,CAAC;IACxB,yBAAyB;IACzB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,0BAA0B;IAC1B,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,mBAAmB;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,gDAAgD;IAChD,OAAO,EAAE,MAAM,CAAC;IAChB,sBAAsB;IACtB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,wBAAwB;IACxB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,eAAO,MAAM,aAAa,EAAE,MAAM,CAAC,gBAAgB,EAAE,mBAAmB,CAkEvE,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,EAAE,MAAM,CAAC,gBAAgB,EAAE,MAAM,EAAE,CAErE,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,oBAAoB,EAAE,MAAM,CAAC,gBAAgB,EAAE,MAAM,EAAE,CAEnE,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,8BAA8B,EAAE,MAAM,CAAC,gBAAgB,EAAE,MAAM,CAE3E,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,8BAA8B,EAAE,MAAM,CAAC,gBAAgB,EAAE,MAAM,CAE3E,CAAC;AAEF,wBAAgB,wBAAwB,CAAC,QAAQ,EAAE,gBAAgB,GAAG,MAAM,CAG3E;AAED,wBAAgB,yBAAyB,CACvC,QAAQ,EAAE,gBAAgB,EAC1B,OAAO,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,cAAc,CAAA;CAAE,GACxC,MAAM,GAAG,IAAI,CAaf;AAED,wBAAgB,8BAA8B,IAAI,MAAM,CAEvD;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,gBAAgB,GAAG,mBAAmB,CAM9E;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,0FAA0F;IAC1F,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,0DAA0D;IAC1D,UAAU,CAAC,EAAE,cAAc,CAAC;IAC5B,yDAAyD;IACzD,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,gCAAgC;IAChC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,mDAAmD;IACnD,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,wEAAwE;IACxE,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,6FAA6F;IAC7F,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,8EAA8E;IAC9E,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,8EAA8E;IAC9E,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,8EAA8E;IAC9E,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB"}

package/dist/cliproxy/auth/auth-types.js CHANGED Viewed

@@ -5,7 +5,7 @@
  * Type definitions and OAuth configurations for CLIProxy authentication.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getOAuthConfig = exports.getManagementOAuthCallbackPath = exports.getPasteCallbackStartPath = exports.getManagementAuthUrlPath = exports.CLIPROXY_AUTH_URL_PROVIDER_MAP = exports.CLIPROXY_CALLBACK_PROVIDER_MAP = exports.PROVIDER_TYPE_VALUES = exports.PROVIDER_AUTH_PREFIXES = exports.OAUTH_CONFIGS = exports.OAUTH_CALLBACK_PORTS = exports.toKiroManagementMethod = exports.getKiroCLIAuthFlag = exports.getKiroCallbackPort = exports.isKiroDeviceCodeMethod = exports.normalizeKiroAuthMethod = exports.isKiroCLIAuthMethod = exports.isKiroAuthMethod = exports.DEFAULT_KIRO_AUTH_METHOD = exports.KIRO_CLI_AUTH_METHODS = exports.KIRO_AUTH_METHODS = void 0;
+exports.getOAuthConfig = exports.getManagementOAuthCallbackPath = exports.getPasteCallbackStartPath = exports.getManagementAuthUrlPath = exports.CLIPROXY_AUTH_URL_PROVIDER_MAP = exports.CLIPROXY_CALLBACK_PROVIDER_MAP = exports.PROVIDER_TYPE_VALUES = exports.PROVIDER_AUTH_PREFIXES = exports.OAUTH_CONFIGS = exports.OAUTH_CALLBACK_PORTS = exports.toKiroManagementMethod = exports.getKiroCLIAuthArgs = exports.getKiroCLIAuthFlag = exports.getKiroCallbackPort = exports.isKiroDeviceCodeMethod = exports.normalizeKiroIDCFlow = exports.normalizeKiroAuthMethod = exports.isKiroIDCFlow = exports.isKiroCLIAuthMethod = exports.isKiroAuthMethod = exports.DEFAULT_KIRO_AUTH_METHOD = exports.DEFAULT_KIRO_IDC_FLOW = exports.KIRO_IDC_FLOWS = exports.KIRO_CLI_AUTH_METHODS = exports.KIRO_AUTH_METHODS = void 0;
 const provider_capabilities_1 = require("../provider-capabilities");
 /**
  * Kiro authentication methods supported by CLIProxyAPIPlus.
@@ -13,10 +13,13 @@ const provider_capabilities_1 = require("../provider-capabilities");
  * - aws-authcode: AWS Builder ID via Authorization Code flow (CLI flag only)
  * - google: Social OAuth via Google
  * - github: Social OAuth via GitHub (management API only)
+ * - idc: IAM Identity Center (IDC) via CLI flags with start URL + region
  */
-exports.KIRO_AUTH_METHODS = ['aws', 'aws-authcode', 'google', 'github'];
+exports.KIRO_AUTH_METHODS = ['aws', 'aws-authcode', 'google', 'github', 'idc'];
 /** CLI binary supports these Kiro methods directly via flags. */
-exports.KIRO_CLI_AUTH_METHODS = ['aws', 'aws-authcode', 'google'];
+exports.KIRO_CLI_AUTH_METHODS = ['aws', 'aws-authcode', 'google', 'idc'];
+exports.KIRO_IDC_FLOWS = ['authcode', 'device'];
+exports.DEFAULT_KIRO_IDC_FLOW = 'authcode';
 /** Default Kiro method for CCS UX and AWS Organization support. */
 exports.DEFAULT_KIRO_AUTH_METHOD = 'aws';
 function isKiroAuthMethod(value) {
@@ -27,6 +30,10 @@ function isKiroCLIAuthMethod(value) {
     return exports.KIRO_CLI_AUTH_METHODS.includes(value);
 }
 exports.isKiroCLIAuthMethod = isKiroCLIAuthMethod;
+function isKiroIDCFlow(value) {
+    return exports.KIRO_IDC_FLOWS.includes(value);
+}
+exports.isKiroIDCFlow = isKiroIDCFlow;
 function normalizeKiroAuthMethod(value) {
     if (!value)
         return exports.DEFAULT_KIRO_AUTH_METHOD;
@@ -34,12 +41,25 @@ function normalizeKiroAuthMethod(value) {
     return isKiroAuthMethod(normalized) ? normalized : exports.DEFAULT_KIRO_AUTH_METHOD;
 }
 exports.normalizeKiroAuthMethod = normalizeKiroAuthMethod;
-function isKiroDeviceCodeMethod(method) {
-    return method === 'aws';
+function normalizeKiroIDCFlow(value) {
+    if (!value)
+        return exports.DEFAULT_KIRO_IDC_FLOW;
+    const normalized = value.trim().toLowerCase();
+    return isKiroIDCFlow(normalized) ? normalized : exports.DEFAULT_KIRO_IDC_FLOW;
+}
+exports.normalizeKiroIDCFlow = normalizeKiroIDCFlow;
+function isKiroDeviceCodeMethod(method, options) {
+    if (method === 'aws') {
+        return true;
+    }
+    if (method === 'idc') {
+        return normalizeKiroIDCFlow(options?.idcFlow) === 'device';
+    }
+    return false;
 }
 exports.isKiroDeviceCodeMethod = isKiroDeviceCodeMethod;
-function getKiroCallbackPort(method) {
-    return isKiroDeviceCodeMethod(method) ? null : 9876;
+function getKiroCallbackPort(method, options) {
+    return isKiroDeviceCodeMethod(method, options) ? null : 9876;
 }
 exports.getKiroCallbackPort = getKiroCallbackPort;
 function getKiroCLIAuthFlag(method) {
@@ -50,9 +70,28 @@ function getKiroCLIAuthFlag(method) {
             return '--kiro-aws-authcode';
         case 'google':
             return '--kiro-google-login';
+        case 'idc':
+            return '--kiro-idc-login';
     }
 }
 exports.getKiroCLIAuthFlag = getKiroCLIAuthFlag;
+function getKiroCLIAuthArgs(method, options) {
+    if (method !== 'idc') {
+        return [getKiroCLIAuthFlag(method)];
+    }
+    const startUrl = options?.idcStartUrl?.trim();
+    if (!startUrl) {
+        throw new Error('Kiro IDC login requires --kiro-idc-start-url');
+    }
+    const args = [getKiroCLIAuthFlag('idc'), '--kiro-idc-start-url', startUrl];
+    const region = options?.idcRegion?.trim();
+    if (region) {
+        args.push('--kiro-idc-region', region);
+    }
+    args.push('--kiro-idc-flow', normalizeKiroIDCFlow(options?.idcFlow));
+    return args;
+}
+exports.getKiroCLIAuthArgs = getKiroCLIAuthArgs;
 /**
  * Kiro method for CLIProxyAPI management endpoint:
  * GET /v0/management/kiro-auth-url?method=<value>
@@ -63,6 +102,8 @@ function toKiroManagementMethod(method) {
             return 'google';
         case 'github':
             return 'github';
+        case 'idc':
+            return null;
         case 'aws-authcode':
             return 'aws';
         case 'aws':
@@ -191,10 +232,17 @@ function getManagementAuthUrlPath(provider) {
     return `/v0/management/${authUrlProvider}-auth-url?is_webui=true`;
 }
 exports.getManagementAuthUrlPath = getManagementAuthUrlPath;
-function getPasteCallbackStartPath(provider) {
-    // Kiro CLI auth methods still use the legacy start route.
+function getPasteCallbackStartPath(provider, options) {
     if (provider === 'kiro') {
-        return `/oauth/${provider}/start`;
+        const kiroMethod = options?.kiroMethod ?? normalizeKiroAuthMethod();
+        if (kiroMethod === 'aws-authcode' || kiroMethod === 'idc') {
+            return null;
+        }
+        const managementMethod = toKiroManagementMethod(kiroMethod);
+        if (!managementMethod) {
+            return null;
+        }
+        return `${getManagementAuthUrlPath(provider)}&method=${encodeURIComponent(managementMethod)}`;
     }
     return getManagementAuthUrlPath(provider);
 }

package/dist/cliproxy/auth/auth-types.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"auth-types.js","sourceRoot":"","sources":["../../../src/cliproxy/auth/auth-types.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAIH,oEAQkC;AAElC~~;;;;;;GAMG~~;AACU,QAAA,iBAAiB,GAAG,CAAC,KAAK,EAAE,cAAc,EAAE,QAAQ,EAAE,QAAQ,CAAU,CAAC;~~AAGtF~~,iEAAiE;AACpD,QAAA,qBAAqB,GAAG,CAAC,KAAK,EAAE,cAAc,EAAE,QAAQ,CAAU,CAAC;~~AAGhF~~,mEAAmE;AACtD,QAAA,wBAAwB,GAAmB,KAAK,CAAC;AAE9D,SAAgB,gBAAgB,CAAC,KAAa;IAC5C,OAAO,yBAAiB,CAAC,QAAQ,CAAC,KAAuB,CAAC,CAAC;AAC7D,CAAC;AAFD,4CAEC;AAED,SAAgB,mBAAmB,CAAC,KAAa;IAC/C,OAAO,6BAAqB,CAAC,QAAQ,CAAC,KAA0B,CAAC,CAAC;AACpE,CAAC;AAFD,kDAEC;AAED,SAAgB,uBAAuB,CAAC,KAAc;IACpD,IAAI,CAAC,KAAK;QAAE,OAAO,gCAAwB,CAAC;IAC5C,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC9C,OAAO,gBAAgB,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,gCAAwB,CAAC;AAC9E,CAAC;AAJD,0DAIC;AAED,SAAgB,~~sBAAsB~~,CAAC,MAAsB;~~IAC3D~~,OAAO,MAAM,KAAK,KAAK,CAAC;~~AAC1B~~,CAAC;~~AAFD~~,~~wDAEC~~;AAED,SAAgB,mBAAmB,~~CAAC~~,MAAsB;~~IACxD~~,OAAO,sBAAsB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;~~AACtD~~,CAAC;~~AAFD~~,~~kDAEC~~;AAED,SAAgB,kBAAkB,CAAC,MAAyB;IAC1D,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,KAAK;YACR,OAAO,kBAAkB,CAAC;QAC5B,KAAK,cAAc;YACjB,OAAO,qBAAqB,CAAC;QAC/B,KAAK,QAAQ;YACX,OAAO,qBAAqB,CAAC;~~IACjC~~,CAAC;AACH,CAAC;~~AATD~~,~~gDASC~~;AAED;;;GAGG;AACH,SAAgB,sBAAsB,CAAC,MAAsB;IAC3D,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,QAAQ;YACX,OAAO,QAAQ,CAAC;QAClB,KAAK,QAAQ;YACX,OAAO,QAAQ,CAAC;QAClB,KAAK,cAAc;YACjB,OAAO,KAAK,CAAC;QACf,KAAK,KAAK,CAAC;QACX;YACE,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;~~AAZD~~,~~wDAYC~~;AAED;;;;;;;;;;;;;;GAcG;AACU,QAAA,oBAAoB,GAC/B,6CAAqB,CAAC,MAAM,CAC1B,CAAC,GAAG,EAAE,QAAQ,EAAE,EAAE;IAChB,MAAM,YAAY,GAAG,IAAA,4CAAoB,EAAC,QAAQ,CAAC,CAAC;IACpD,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;QAC1B,GAAG,CAAC,QAAQ,CAAC,GAAG,YAAY,CAAC;IAC/B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC,EACD,EAA+C,CAChD,CAAC;AAsCJ;;;GAGG;AACU,QAAA,aAAa,GAAkD;IAC1E,MAAM,EAAE;QACN,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,eAAe;QAC5B,OAAO,EAAE,8CAA8C;QACvD,MAAM,EAAE,CAAC,qDAAqD,CAAC;QAC/D,QAAQ,EAAE,SAAS;KACpB;IACD,KAAK,EAAE;QACL,QAAQ,EAAE,OAAO;QACjB,WAAW,EAAE,OAAO;QACpB,OAAO,EAAE,mCAAmC;QAC5C,MAAM,EAAE,CAAC,QAAQ,EAAE,SAAS,CAAC;QAC7B,QAAQ,EAAE,eAAe;KAC1B;IACD,GAAG,EAAE;QACH,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,aAAa;QAC1B,OAAO,EAAE,wCAAwC;QACjD,MAAM,EAAE,CAAC,KAAK,CAAC;QACf,QAAQ,EAAE,qBAAqB;KAChC;IACD,IAAI,EAAE;QACJ,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,WAAW;QACxB,OAAO,EAAE,gDAAgD;QACzD,MAAM,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,kBAAkB,CAAC;QAC1D,QAAQ,EAAE,cAAc;KACzB;IACD,KAAK,EAAE;QACL,QAAQ,EAAE,OAAO;QACjB,WAAW,EAAE,OAAO;QACpB,OAAO,EAAE,wBAAwB;QACjC,MAAM,EAAE,CAAC,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC;QACrC,QAAQ,EAAE,eAAe;KAC1B;IACD,IAAI,EAAE;QACJ,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,YAAY;QACzB,OAAO,EAAE,sCAAsC;QAC/C,MAAM,EAAE,CAAC,2BAA2B,EAAE,6BAA6B,CAAC;QACpE,uEAAuE;QACvE,0EAA0E;QAC1E,QAAQ,EAAE,kBAAkB;KAC7B;IACD,IAAI,EAAE;QACJ,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,wBAAwB;QACrC,OAAO,EAAE,sCAAsC;QAC/C,MAAM,EAAE,CAAC,SAAS,CAAC;QACnB,QAAQ,EAAE,wBAAwB;KACnC;IACD,MAAM,EAAE;QACN,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,oBAAoB;QACjC,OAAO,EAAE,+CAA+C;QACxD,MAAM,EAAE,CAAC,gBAAgB,EAAE,cAAc,CAAC;QAC1C,QAAQ,EAAE,gBAAgB;KAC3B;IACD,IAAI,EAAE;QACJ,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,iBAAiB;QAC9B,OAAO,EAAE,sDAAsD;QAC/D,MAAM,EAAE,CAAC,KAAK,CAAC;QACf,QAAQ,EAAE,cAAc;KACzB;CACF,CAAC;AAEF;;;;GAIG;AACU,QAAA,sBAAsB,GAAuC,IAAA,wCAAgB,EACxF,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,GAAG,IAAA,mDAA2B,EAAC,QAAQ,CAAC,CAAC,CACzD,CAAC;AAEF;;;GAGG;AACU,QAAA,oBAAoB,GAAuC,IAAA,wCAAgB,EACtF,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,GAAG,IAAA,kDAA0B,EAAC,QAAQ,CAAC,CAAC,CACxD,CAAC;AAEF;;;GAGG;AACU,QAAA,8BAA8B,GAAqC,IAAA,wCAAgB,EAC9F,CAAC,QAAQ,EAAE,EAAE,CAAC,IAAA,uDAA+B,EAAC,QAAQ,CAAC,CACxD,CAAC;AAEF;;;;GAIG;AACU,QAAA,8BAA8B,GAAqC,IAAA,wCAAgB,EAC9F,CAAC,QAAQ,EAAE,EAAE,CAAC,IAAA,sDAA8B,EAAC,QAAQ,CAAC,CACvD,CAAC;AAEF,SAAgB,wBAAwB,CAAC,QAA0B;IACjE,MAAM,eAAe,GAAG,sCAA8B,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC;IAC7E,OAAO,kBAAkB,eAAe,yBAAyB,CAAC;AACpE,CAAC;AAHD,4DAGC;AAED,SAAgB,yBAAyB,~~CAAC~~,QAA0B~~;IAClE~~,~~0DAA0D~~;~~IAC1D~~,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;QACxB,OAAO,UAAU,~~QAAQ~~,QAAQ,CAAC;~~IACpC~~,CAAC;IACD,OAAO,wBAAwB,CAAC,QAAQ,CAAC,CAAC;AAC5C,CAAC;~~AAND~~,~~8DAMC~~;AAED,SAAgB,8BAA8B;IAC5C,OAAO,+BAA+B,CAAC;AACzC,CAAC;AAFD,wEAEC;AAED;;GAEG;AACH,SAAgB,cAAc,CAAC,QAA0B;IACvD,MAAM,MAAM,GAAG,qBAAa,CAAC,QAAQ,CAAC,CAAC;IACvC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,qBAAqB,QAAQ,EAAE,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAND,wCAMC"}
1	+ {"version":3,"file":"auth-types.js","sourceRoot":"","sources":["../../../src/cliproxy/auth/auth-types.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAIH,oEAQkC;AAElC;;;;;;;GAOG;AACU,QAAA,iBAAiB,GAAG,CAAC,KAAK,EAAE,cAAc,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAU,CAAC;AAG7F,iEAAiE;AACpD,QAAA,qBAAqB,GAAG,CAAC,KAAK,EAAE,cAAc,EAAE,QAAQ,EAAE,KAAK,CAAU,CAAC;AAG1E,QAAA,cAAc,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAU,CAAC;AAEjD,QAAA,qBAAqB,GAAgB,UAAU,CAAC;AAE7D,mEAAmE;AACtD,QAAA,wBAAwB,GAAmB,KAAK,CAAC;AAE9D,SAAgB,gBAAgB,CAAC,KAAa;IAC5C,OAAO,yBAAiB,CAAC,QAAQ,CAAC,KAAuB,CAAC,CAAC;AAC7D,CAAC;AAFD,4CAEC;AAED,SAAgB,mBAAmB,CAAC,KAAa;IAC/C,OAAO,6BAAqB,CAAC,QAAQ,CAAC,KAA0B,CAAC,CAAC;AACpE,CAAC;AAFD,kDAEC;AAED,SAAgB,aAAa,CAAC,KAAa;IACzC,OAAO,sBAAc,CAAC,QAAQ,CAAC,KAAoB,CAAC,CAAC;AACvD,CAAC;AAFD,sCAEC;AAED,SAAgB,uBAAuB,CAAC,KAAc;IACpD,IAAI,CAAC,KAAK;QAAE,OAAO,gCAAwB,CAAC;IAC5C,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC9C,OAAO,gBAAgB,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,gCAAwB,CAAC;AAC9E,CAAC;AAJD,0DAIC;AAED,SAAgB,oBAAoB,CAAC,KAAc;IACjD,IAAI,CAAC,KAAK;QAAE,OAAO,6BAAqB,CAAC;IACzC,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC9C,OAAO,aAAa,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,6BAAqB,CAAC;AACxE,CAAC;AAJD,oDAIC;AAED,SAAgB,sBAAsB,CACpC,MAAsB,EACtB,OAAmC;IAEnC,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;QACrB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;QACrB,OAAO,oBAAoB,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,QAAQ,CAAC;IAC7D,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAXD,wDAWC;AAED,SAAgB,mBAAmB,CACjC,MAAsB,EACtB,OAAmC;IAEnC,OAAO,sBAAsB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;AAC/D,CAAC;AALD,kDAKC;AAED,SAAgB,kBAAkB,CAAC,MAAyB;IAC1D,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,KAAK;YACR,OAAO,kBAAkB,CAAC;QAC5B,KAAK,cAAc;YACjB,OAAO,qBAAqB,CAAC;QAC/B,KAAK,QAAQ;YACX,OAAO,qBAAqB,CAAC;QAC/B,KAAK,KAAK;YACR,OAAO,kBAAkB,CAAC;IAC9B,CAAC;AACH,CAAC;AAXD,gDAWC;AAED,SAAgB,kBAAkB,CAChC,MAAyB,EACzB,OAIC;IAED,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;QACrB,OAAO,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC;IACtC,CAAC;IAED,MAAM,QAAQ,GAAG,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;IAC9C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,kBAAkB,CAAC,KAAK,CAAC,EAAE,sBAAsB,EAAE,QAAQ,CAAC,CAAC;IAC3E,MAAM,MAAM,GAAG,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IAC1C,IAAI,MAAM,EAAE,CAAC;QACX,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,MAAM,CAAC,CAAC;IACzC,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,oBAAoB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;IACrE,OAAO,IAAI,CAAC;AACd,CAAC;AAxBD,gDAwBC;AAED;;;GAGG;AACH,SAAgB,sBAAsB,CAAC,MAAsB;IAC3D,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,QAAQ;YACX,OAAO,QAAQ,CAAC;QAClB,KAAK,QAAQ;YACX,OAAO,QAAQ,CAAC;QAClB,KAAK,KAAK;YACR,OAAO,IAAI,CAAC;QACd,KAAK,cAAc;YACjB,OAAO,KAAK,CAAC;QACf,KAAK,KAAK,CAAC;QACX;YACE,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AAdD,wDAcC;AAED;;;;;;;;;;;;;;GAcG;AACU,QAAA,oBAAoB,GAC/B,6CAAqB,CAAC,MAAM,CAC1B,CAAC,GAAG,EAAE,QAAQ,EAAE,EAAE;IAChB,MAAM,YAAY,GAAG,IAAA,4CAAoB,EAAC,QAAQ,CAAC,CAAC;IACpD,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;QAC1B,GAAG,CAAC,QAAQ,CAAC,GAAG,YAAY,CAAC;IAC/B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC,EACD,EAA+C,CAChD,CAAC;AAsCJ;;;GAGG;AACU,QAAA,aAAa,GAAkD;IAC1E,MAAM,EAAE;QACN,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,eAAe;QAC5B,OAAO,EAAE,8CAA8C;QACvD,MAAM,EAAE,CAAC,qDAAqD,CAAC;QAC/D,QAAQ,EAAE,SAAS;KACpB;IACD,KAAK,EAAE;QACL,QAAQ,EAAE,OAAO;QACjB,WAAW,EAAE,OAAO;QACpB,OAAO,EAAE,mCAAmC;QAC5C,MAAM,EAAE,CAAC,QAAQ,EAAE,SAAS,CAAC;QAC7B,QAAQ,EAAE,eAAe;KAC1B;IACD,GAAG,EAAE;QACH,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,aAAa;QAC1B,OAAO,EAAE,wCAAwC;QACjD,MAAM,EAAE,CAAC,KAAK,CAAC;QACf,QAAQ,EAAE,qBAAqB;KAChC;IACD,IAAI,EAAE;QACJ,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,WAAW;QACxB,OAAO,EAAE,gDAAgD;QACzD,MAAM,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,kBAAkB,CAAC;QAC1D,QAAQ,EAAE,cAAc;KACzB;IACD,KAAK,EAAE;QACL,QAAQ,EAAE,OAAO;QACjB,WAAW,EAAE,OAAO;QACpB,OAAO,EAAE,wBAAwB;QACjC,MAAM,EAAE,CAAC,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC;QACrC,QAAQ,EAAE,eAAe;KAC1B;IACD,IAAI,EAAE;QACJ,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,YAAY;QACzB,OAAO,EAAE,sCAAsC;QAC/C,MAAM,EAAE,CAAC,2BAA2B,EAAE,6BAA6B,CAAC;QACpE,uEAAuE;QACvE,0EAA0E;QAC1E,QAAQ,EAAE,kBAAkB;KAC7B;IACD,IAAI,EAAE;QACJ,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,wBAAwB;QACrC,OAAO,EAAE,sCAAsC;QAC/C,MAAM,EAAE,CAAC,SAAS,CAAC;QACnB,QAAQ,EAAE,wBAAwB;KACnC;IACD,MAAM,EAAE;QACN,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,oBAAoB;QACjC,OAAO,EAAE,+CAA+C;QACxD,MAAM,EAAE,CAAC,gBAAgB,EAAE,cAAc,CAAC;QAC1C,QAAQ,EAAE,gBAAgB;KAC3B;IACD,IAAI,EAAE;QACJ,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,iBAAiB;QAC9B,OAAO,EAAE,sDAAsD;QAC/D,MAAM,EAAE,CAAC,KAAK,CAAC;QACf,QAAQ,EAAE,cAAc;KACzB;CACF,CAAC;AAEF;;;;GAIG;AACU,QAAA,sBAAsB,GAAuC,IAAA,wCAAgB,EACxF,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,GAAG,IAAA,mDAA2B,EAAC,QAAQ,CAAC,CAAC,CACzD,CAAC;AAEF;;;GAGG;AACU,QAAA,oBAAoB,GAAuC,IAAA,wCAAgB,EACtF,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,GAAG,IAAA,kDAA0B,EAAC,QAAQ,CAAC,CAAC,CACxD,CAAC;AAEF;;;GAGG;AACU,QAAA,8BAA8B,GAAqC,IAAA,wCAAgB,EAC9F,CAAC,QAAQ,EAAE,EAAE,CAAC,IAAA,uDAA+B,EAAC,QAAQ,CAAC,CACxD,CAAC;AAEF;;;;GAIG;AACU,QAAA,8BAA8B,GAAqC,IAAA,wCAAgB,EAC9F,CAAC,QAAQ,EAAE,EAAE,CAAC,IAAA,sDAA8B,EAAC,QAAQ,CAAC,CACvD,CAAC;AAEF,SAAgB,wBAAwB,CAAC,QAA0B;IACjE,MAAM,eAAe,GAAG,sCAA8B,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC;IAC7E,OAAO,kBAAkB,eAAe,yBAAyB,CAAC;AACpE,CAAC;AAHD,4DAGC;AAED,SAAgB,yBAAyB,CACvC,QAA0B,EAC1B,OAAyC;IAEzC,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;QACxB,MAAM,UAAU,GAAG,OAAO,EAAE,UAAU,IAAI,uBAAuB,EAAE,CAAC;QACpE,IAAI,UAAU,KAAK,cAAc,IAAI,UAAU,KAAK,KAAK,EAAE,CAAC;YAC1D,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,gBAAgB,GAAG,sBAAsB,CAAC,UAAU,CAAC,CAAC;QAC5D,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,GAAG,wBAAwB,CAAC,QAAQ,CAAC,WAAW,kBAAkB,CAAC,gBAAgB,CAAC,EAAE,CAAC;IAChG,CAAC;IACD,OAAO,wBAAwB,CAAC,QAAQ,CAAC,CAAC;AAC5C,CAAC;AAhBD,8DAgBC;AAED,SAAgB,8BAA8B;IAC5C,OAAO,+BAA+B,CAAC;AACzC,CAAC;AAFD,wEAEC;AAED;;GAEG;AACH,SAAgB,cAAc,CAAC,QAA0B;IACvD,MAAM,MAAM,GAAG,qBAAa,CAAC,QAAQ,CAAC,CAAC;IACvC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,qBAAqB,QAAQ,EAAE,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAND,wCAMC"}

package/dist/cliproxy/auth/oauth-handler.d.ts CHANGED Viewed

@@ -12,6 +12,7 @@
 import { CLIProxyProvider } from '../types';
 import { AccountInfo } from '../account-manager';
 import { OAuthOptions } from './auth-types';
+import { ProviderTokenSnapshot } from './token-manager';
 import { type ProxyTarget } from '../proxy-target-resolver';
 interface PasteCallbackStartData {
     url?: string;
@@ -19,9 +20,13 @@ interface PasteCallbackStartData {
     state?: string;
     status?: string;
 }
-export declare function requestPasteCallbackStart(provider: CLIProxyProvider, target: ProxyTarget): Promise<PasteCallbackStartData>;
+export declare function requestPasteCallbackStart(provider: CLIProxyProvider, target: ProxyTarget, options?: {
+    kiroMethod?: OAuthOptions['kiroMethod'];
+}): Promise<PasteCallbackStartData>;
 export declare function getCliAuthNicknameError(provider: CLIProxyProvider, nickname: string | undefined, existingAccounts: Array<Pick<AccountInfo, 'id' | 'nickname'>>, allowExistingAccountId?: string): string | null;
+export declare function findNewTokenSnapshotForManualAuth(provider: CLIProxyProvider, tokenDir: string, knownTokenFiles: ProviderTokenSnapshot[], expectedAccountId?: string): ProviderTokenSnapshot | null;
 export declare function resolvePasteCallbackAuthUrl(target: ProxyTarget, startData: PasteCallbackStartData, timeoutMs: number, pollIntervalMs?: number): Promise<string | null>;
+export declare function usesKiroLocalCallbackReplay(method: OAuthOptions['kiroMethod'], idcFlow: OAuthOptions['kiroIDCFlow']): boolean;
 /**
  * Trigger OAuth flow for provider
  * Auto-detects headless environment and uses --no-browser flag accordingly

package/dist/cliproxy/auth/oauth-handler.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"oauth-handler.d.ts","sourceRoot":"","sources":["../../../src/cliproxy/auth/oauth-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAMH,OAAO,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAC5C,OAAO,EACL,WAAW,EAQZ,MAAM,oBAAoB,CAAC;AAK5B,OAAO,EACL,YAAY,~~EAYb~~,MAAM,cAAc,CAAC;~~AAKtB~~,OAAO,EAIL,KAAK,WAAW,EACjB,MAAM,0BAA0B,CAAC;AASlC,UAAU,sBAAsB;IAC9B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;~~AAID~~,wBAAsB,yBAAyB,CAC7C,QAAQ,EAAE,gBAAgB,EAC1B,MAAM,EAAE,WAAW,~~GAClB~~,OAAO,CAAC,sBAAsB,CAAC,~~CAejC~~;AAED,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE,gBAAgB,EAC1B,QAAQ,EAAE,MAAM,GAAG,SAAS,EAC5B,gBAAgB,EAAE,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,GAAG,UAAU,CAAC,CAAC,EAC7D,sBAAsB,CAAC,EAAE,MAAM,GAC9B,MAAM,GAAG,IAAI,CAef;~~AAMD~~,wBAAsB,2BAA2B,CAC/C,MAAM,EAAE,WAAW,EACnB,SAAS,EAAE,sBAAsB,EACjC,SAAS,EAAE,MAAM,EACjB,cAAc,GAAE,MAAiD,GAChE,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAwCxB;~~AAySD~~;;;;;GAKG;AACH,wBAAsB,YAAY,CAChC,QAAQ,EAAE,gBAAgB,EAC1B,OAAO,GAAE,YAAiB,GACzB,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,~~CAqN7B~~;AAED;;;GAGG;AACH,wBAAsB,UAAU,CAC9B,QAAQ,EAAE,gBAAgB,EAC1B,OAAO,GAAE;IAAE,OAAO,CAAC,EAAE,OAAO,CAAC;IAAC,QAAQ,CAAC,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAAO,GACxE,OAAO,CAAC,OAAO,CAAC,CAiBlB"}
1	+ {"version":3,"file":"oauth-handler.d.ts","sourceRoot":"","sources":["../../../src/cliproxy/auth/oauth-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAMH,OAAO,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAC5C,OAAO,EACL,WAAW,EAQZ,MAAM,oBAAoB,CAAC;AAK5B,OAAO,EACL,YAAY,EAcb,MAAM,cAAc,CAAC;AAEtB,OAAO,EACL,qBAAqB,EAMtB,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EAIL,KAAK,WAAW,EACjB,MAAM,0BAA0B,CAAC;AASlC,UAAU,sBAAsB;IAC9B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAKD,wBAAsB,yBAAyB,CAC7C,QAAQ,EAAE,gBAAgB,EAC1B,MAAM,EAAE,WAAW,EACnB,OAAO,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,YAAY,CAAC,YAAY,CAAC,CAAA;CAAE,GACpD,OAAO,CAAC,sBAAsB,CAAC,CAkBjC;AAED,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE,gBAAgB,EAC1B,QAAQ,EAAE,MAAM,GAAG,SAAS,EAC5B,gBAAgB,EAAE,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,GAAG,UAAU,CAAC,CAAC,EAC7D,sBAAsB,CAAC,EAAE,MAAM,GAC9B,MAAM,GAAG,IAAI,CAef;AAkBD,wBAAgB,iCAAiC,CAC/C,QAAQ,EAAE,gBAAgB,EAC1B,QAAQ,EAAE,MAAM,EAChB,eAAe,EAAE,qBAAqB,EAAE,EACxC,iBAAiB,CAAC,EAAE,MAAM,GACzB,qBAAqB,GAAG,IAAI,CAE9B;AAkED,wBAAsB,2BAA2B,CAC/C,MAAM,EAAE,WAAW,EACnB,SAAS,EAAE,sBAAsB,EACjC,SAAS,EAAE,MAAM,EACjB,cAAc,GAAE,MAAiD,GAChE,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAwCxB;AAgLD,wBAAgB,2BAA2B,CACzC,MAAM,EAAE,YAAY,CAAC,YAAY,CAAC,EAClC,OAAO,EAAE,YAAY,CAAC,aAAa,CAAC,GACnC,OAAO,CAMT;AA0MD;;;;;GAKG;AACH,wBAAsB,YAAY,CAChC,QAAQ,EAAE,gBAAgB,EAC1B,OAAO,GAAE,YAAiB,GACzB,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CA6N7B;AAED;;;GAGG;AACH,wBAAsB,UAAU,CAC9B,QAAQ,EAAE,gBAAgB,EAC1B,OAAO,GAAE;IAAE,OAAO,CAAC,EAAE,OAAO,CAAC;IAAC,QAAQ,CAAC,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAAO,GACxE,OAAO,CAAC,OAAO,CAAC,CAiBlB"}

package/dist/cliproxy/auth/oauth-handler.js CHANGED Viewed

@@ -34,7 +34,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ensureAuth = exports.triggerOAuth = exports.resolvePasteCallbackAuthUrl = exports.getCliAuthNicknameError = exports.requestPasteCallbackStart = void 0;
+exports.ensureAuth = exports.triggerOAuth = exports.usesKiroLocalCallbackReplay = exports.resolvePasteCallbackAuthUrl = exports.findNewTokenSnapshotForManualAuth = exports.getCliAuthNicknameError = exports.requestPasteCallbackStart = void 0;
 const fs = __importStar(require("fs"));
 const ui_1 = require("../../utils/ui");
 const binary_manager_1 = require("../binary-manager");
@@ -50,13 +50,16 @@ const proxy_target_resolver_1 = require("../proxy-target-resolver");
 const account_safety_1 = require("../account-safety");
 const antigravity_responsibility_1 = require("../antigravity-responsibility");
 const PASTE_CALLBACK_AUTH_URL_POLL_INTERVAL_MS = 3000;
-async function requestPasteCallbackStart(provider, target) {
-    const startPath = (0, auth_types_1.getPasteCallbackStartPath)(provider);
+const POLLED_AUTH_LOCAL_TOKEN_GRACE_MS = 15 * 1000;
+async function requestPasteCallbackStart(provider, target, options) {
+    const startPath = (0, auth_types_1.getPasteCallbackStartPath)(provider, {
+        kiroMethod: options?.kiroMethod,
+    });
+    if (!startPath) {
+        throw new Error(`Paste-callback start is not available for ${provider} with the selected method`);
+    }
     const response = await fetch((0, proxy_target_resolver_1.buildProxyUrl)(target, startPath), {
-        ...(provider === 'kiro' ? { method: 'POST' } : {}),
-        headers: provider === 'kiro'
-            ? (0, proxy_target_resolver_1.buildManagementHeaders)(target, { 'Content-Type': 'application/json' })
-            : (0, proxy_target_resolver_1.buildManagementHeaders)(target),
+        headers: (0, proxy_target_resolver_1.buildManagementHeaders)(target),
     });
     if (!response.ok) {
         throw new Error(`OAuth start failed with status ${response.status}`);
@@ -81,6 +84,55 @@ exports.getCliAuthNicknameError = getCliAuthNicknameError;
 function sleep(ms) {
     return new Promise((resolve) => setTimeout(resolve, ms));
 }
+function parseAuthUrlState(url) {
+    if (!url) {
+        return null;
+    }
+    try {
+        return new URL(url).searchParams.get('state');
+    }
+    catch {
+        return null;
+    }
+}
+function findNewTokenSnapshotForManualAuth(provider, tokenDir, knownTokenFiles, expectedAccountId) {
+    return (0, token_manager_1.findNewTokenSnapshotForAuthAttempt)(provider, tokenDir, knownTokenFiles, expectedAccountId);
+}
+exports.findNewTokenSnapshotForManualAuth = findNewTokenSnapshotForManualAuth;
+async function waitForManualCallbackToken(provider, target, tokenDir, oauthState, knownTokenFiles, expectedAccountId, timeoutMs, pollIntervalMs = PASTE_CALLBACK_AUTH_URL_POLL_INTERVAL_MS) {
+    const deadline = Date.now() + timeoutMs;
+    let upstreamCompletedAt = null;
+    while (Date.now() < deadline) {
+        const tokenSnapshot = findNewTokenSnapshotForManualAuth(provider, tokenDir, knownTokenFiles, expectedAccountId);
+        if (tokenSnapshot) {
+            return { tokenSnapshot };
+        }
+        if (oauthState) {
+            const response = await fetch((0, proxy_target_resolver_1.buildProxyUrl)(target, `/v0/management/get-auth-status?state=${encodeURIComponent(oauthState)}`), { headers: (0, proxy_target_resolver_1.buildManagementHeaders)(target) });
+            if (response.ok) {
+                const data = (await response.json());
+                if (data.status === 'error') {
+                    return {
+                        tokenSnapshot: null,
+                        error: data.error || 'Authentication failed while waiting for local token persistence',
+                    };
+                }
+                if (data.status === 'ok' && upstreamCompletedAt === null) {
+                    upstreamCompletedAt = Date.now();
+                }
+            }
+        }
+        if (upstreamCompletedAt !== null &&
+            Date.now() - upstreamCompletedAt >= POLLED_AUTH_LOCAL_TOKEN_GRACE_MS) {
+            break;
+        }
+        if (Date.now() + pollIntervalMs >= deadline) {
+            break;
+        }
+        await sleep(pollIntervalMs);
+    }
+    return { tokenSnapshot: null };
+}
 async function resolvePasteCallbackAuthUrl(target, startData, timeoutMs, pollIntervalMs = PASTE_CALLBACK_AUTH_URL_POLL_INTERVAL_MS) {
     const authUrl = startData.url || startData.auth_url;
     if (authUrl) {
@@ -223,11 +275,43 @@ async function prepareBinary(provider, verbose) {
         throw error;
     }
 }
+function buildOAuthArgs(provider, configPath, headless, noIncognito, options = {}) {
+    const args = ['--config', configPath];
+    if (provider === 'kiro') {
+        const method = (0, auth_types_1.normalizeKiroAuthMethod)(options.kiroMethod);
+        if (!(0, auth_types_1.isKiroCLIAuthMethod)(method)) {
+            throw new Error(`Kiro auth method '${method}' is not supported by CLI flow.`);
+        }
+        args.push(...(0, auth_types_1.getKiroCLIAuthArgs)(method, {
+            idcStartUrl: options.kiroIDCStartUrl,
+            idcRegion: options.kiroIDCRegion,
+            idcFlow: options.kiroIDCFlow,
+        }));
+    }
+    else {
+        args.push((0, auth_types_1.getOAuthConfig)(provider).authFlag);
+    }
+    if (headless) {
+        args.push('--no-browser');
+    }
+    if (provider === 'kiro' && noIncognito) {
+        args.push('--no-incognito');
+    }
+    return args;
+}
+function usesKiroLocalCallbackReplay(method, idcFlow) {
+    const normalizedMethod = (0, auth_types_1.normalizeKiroAuthMethod)(method);
+    if (normalizedMethod === 'aws-authcode') {
+        return true;
+    }
+    return normalizedMethod === 'idc' && (0, auth_types_1.normalizeKiroIDCFlow)(idcFlow) === 'authcode';
+}
+exports.usesKiroLocalCallbackReplay = usesKiroLocalCallbackReplay;
 /**
  * Handle paste-callback mode: show auth URL, prompt for callback paste
  * Uses proxy target resolver to connect to correct CLIProxyAPI instance (local or remote)
  */
-async function handlePasteCallbackMode(provider, oauthConfig, verbose, tokenDir, nickname, expectedAccountId) {
+async function handlePasteCallbackMode(provider, oauthConfig, verbose, tokenDir, nickname, expectedAccountId, options) {
     // Resolve CLIProxyAPI target (local or remote based on config)
     const target = (0, proxy_target_resolver_1.getProxyTarget)();
     // OAuth state timeout (10 minutes, matches CLIProxyAPI state TTL)
@@ -235,12 +319,13 @@ async function handlePasteCallbackMode(provider, oauthConfig, verbose, tokenDir,
     console.log('');
     console.log((0, ui_1.info)(`Starting ${oauthConfig.displayName} OAuth (paste-callback mode)...`));
     try {
-        // Request auth URL from CLIProxyAPI.
-        // Kiro keeps its legacy start route because CLI auth methods do not share the generic
-        // management auth-url contract used by providers like Claude.
+        // Request auth URL from CLIProxyAPI management endpoints when the selected
+        // provider/method supports the manual start-url contract.
         let startData;
         try {
-            startData = await requestPasteCallbackStart(provider, target);
+            startData = await requestPasteCallbackStart(provider, target, {
+                kiroMethod: options?.kiroMethod,
+            });
         }
         catch (error) {
             const startError = error.message;
@@ -253,6 +338,8 @@ async function handlePasteCallbackMode(provider, oauthConfig, verbose, tokenDir,
             console.log((0, ui_1.fail)('No authorization URL received'));
             return null;
         }
+        const oauthState = startData.state || parseAuthUrlState(authUrl);
+        const knownTokenFiles = (0, token_manager_1.listProviderTokenSnapshots)(provider, tokenDir);
         // Display auth URL in box
         console.log('');
         console.log('  ╔══════════════════════════════════════════════════════════════╗');
@@ -328,8 +415,23 @@ async function handlePasteCallbackMode(provider, oauthConfig, verbose, tokenDir,
             (0, account_safety_1.warnPossible403Ban)(provider, callbackError);
             return null;
         }
+        console.log((0, ui_1.info)('Callback submitted. Waiting for token exchange...'));
+        const { tokenSnapshot, error: tokenWaitError } = await waitForManualCallbackToken(provider, target, tokenDir, oauthState, knownTokenFiles, expectedAccountId, OAUTH_STATE_TIMEOUT_MS);
+        if (tokenWaitError) {
+            console.log((0, ui_1.fail)(tokenWaitError));
+            (0, account_safety_1.warnPossible403Ban)(provider, tokenWaitError);
+            return null;
+        }
+        if (!tokenSnapshot) {
+            console.log((0, ui_1.fail)('Authentication completed upstream, but no new local token was saved for this account. Update CCS/CLIProxy and retry.'));
+            return null;
+        }
+        const account = (0, token_manager_1.registerAccountFromToken)(provider, tokenDir, nickname, verbose, tokenSnapshot.file);
+        if (!account) {
+            console.log((0, ui_1.fail)('Authenticated token could not be matched to the requested account. Retry the flow.'));
+            return null;
+        }
         console.log((0, ui_1.ok)('Authentication successful!'));
-        const account = (0, token_manager_1.registerAccountFromToken)(provider, tokenDir, nickname, verbose, expectedAccountId);
         // Account safety: check for cross-provider conflicts
         if (account?.email) {
             const conflicts = (0, account_safety_1.checkNewAccountConflict)(provider, account.email);
@@ -362,6 +464,7 @@ async function triggerOAuth(provider, options = {}) {
     const acceptAgyRisk = options.acceptAgyRisk === true;
     const { nickname } = options;
     const resolvedKiroMethod = provider === 'kiro' ? (0, auth_types_1.normalizeKiroAuthMethod)(options.kiroMethod) : auth_types_1.DEFAULT_KIRO_AUTH_METHOD;
+    const resolvedKiroIDCFlow = provider === 'kiro' ? (0, auth_types_1.normalizeKiroIDCFlow)(options.kiroIDCFlow) : auth_types_1.DEFAULT_KIRO_IDC_FLOW;
     if (provider === 'agy') {
         if (fromUI && !acceptAgyRisk) {
             console.log((0, ui_1.fail)('Antigravity OAuth blocked: responsibility acknowledgement is missing.'));
@@ -388,11 +491,6 @@ async function triggerOAuth(provider, options = {}) {
         console.log((0, ui_1.fail)(nicknameError));
         return null;
     }
-    // Handle paste-callback mode
-    if (options.pasteCallback) {
-        const tokenDir = (0, token_manager_1.getProviderTokenDir)(provider);
-        return handlePasteCallbackMode(provider, oauthConfig, verbose, tokenDir, nickname, existingNameMatch?.id);
-    }
     // Handle --import flag: skip OAuth and import from Kiro IDE directly
     if (options.import && provider === 'kiro') {
         const tokenDir = (0, token_manager_1.getProviderTokenDir)(provider);
@@ -407,34 +505,38 @@ async function triggerOAuth(provider, options = {}) {
         console.log('    Use: ccs config -> Accounts -> Add Kiro account -> Method: GitHub OAuth');
         return null;
     }
-    const callbackPort = provider === 'kiro' ? (0, auth_types_1.getKiroCallbackPort)(resolvedKiroMethod) : oauth_port_diagnostics_1.OAUTH_CALLBACK_PORTS[provider];
+    const callbackPort = provider === 'kiro'
+        ? (0, auth_types_1.getKiroCallbackPort)(resolvedKiroMethod, { idcFlow: resolvedKiroIDCFlow })
+        : oauth_port_diagnostics_1.OAUTH_CALLBACK_PORTS[provider];
     const isCLI = !fromUI;
     const headless = options.headless ?? (0, environment_detector_1.isHeadlessEnvironment)();
-    const isDeviceCodeFlow = provider === 'kiro' ? (0, auth_types_1.isKiroDeviceCodeMethod)(resolvedKiroMethod) : callbackPort === null;
-    let authFlag = oauthConfig.authFlag;
-    if (provider === 'kiro') {
-        if (!(0, auth_types_1.isKiroCLIAuthMethod)(resolvedKiroMethod)) {
-            console.log((0, ui_1.fail)(`Kiro auth method '${resolvedKiroMethod}' is not supported by CLI flow.`));
-            console.log('    Use Dashboard management OAuth for this method.');
-            return null;
-        }
-        authFlag = (0, auth_types_1.getKiroCLIAuthFlag)(resolvedKiroMethod);
+    const isDeviceCodeFlow = provider === 'kiro'
+        ? (0, auth_types_1.isKiroDeviceCodeMethod)(resolvedKiroMethod, { idcFlow: resolvedKiroIDCFlow })
+        : callbackPort === null;
+    let selectedPasteCallback = options.pasteCallback === true;
+    if (provider === 'kiro' && !(0, auth_types_1.isKiroCLIAuthMethod)(resolvedKiroMethod)) {
+        console.log((0, ui_1.fail)(`Kiro auth method '${resolvedKiroMethod}' is not supported by CLI flow.`));
+        console.log('    Use Dashboard management OAuth for this method.');
+        return null;
     }
     // Interactive mode selection for headless environments
     // Skip if explicit mode flag provided or device code flow (no callback needed)
-    if (headless && !options.pasteCallback && !options.portForward && !isDeviceCodeFlow) {
+    if (headless && !selectedPasteCallback && !options.portForward && !isDeviceCodeFlow) {
         // Non-interactive environment (piped input) - default to paste mode
         if (!process.stdin.isTTY) {
-            const tokenDir = (0, token_manager_1.getProviderTokenDir)(provider);
-            return handlePasteCallbackMode(provider, oauthConfig, verbose, tokenDir, nickname, existingNameMatch?.id);
+            selectedPasteCallback = true;
         }
-        const mode = await promptOAuthModeChoice(callbackPort);
-        if (mode === 'paste') {
-            const tokenDir = (0, token_manager_1.getProviderTokenDir)(provider);
-            return handlePasteCallbackMode(provider, oauthConfig, verbose, tokenDir, nickname, existingNameMatch?.id);
+        else {
+            const mode = await promptOAuthModeChoice(callbackPort);
+            if (mode === 'paste') {
+                selectedPasteCallback = true;
+            }
         }
-        // mode === 'forward' continues to existing port-forwarding flow below
     }
+    const useSelectedKiroLocalPasteCallback = selectedPasteCallback &&
+        provider === 'kiro' &&
+        usesKiroLocalCallbackReplay(resolvedKiroMethod, resolvedKiroIDCFlow);
+    const useSelectedKiroDirectCliFlow = provider === 'kiro' && (isDeviceCodeFlow || useSelectedKiroLocalPasteCallback);
     if (existingAccounts.length > 0 && !add) {
         console.log('');
         console.log((0, ui_1.info)(`${existingAccounts.length} account(s) already authenticated for ${oauthConfig.displayName}`));
@@ -443,6 +545,10 @@ async function triggerOAuth(provider, options = {}) {
             return null;
         }
     }
+    if (selectedPasteCallback && !useSelectedKiroDirectCliFlow) {
+        const tokenDir = (0, token_manager_1.getProviderTokenDir)(provider);
+        return handlePasteCallbackMode(provider, oauthConfig, verbose, tokenDir, nickname, existingNameMatch?.id, { kiroMethod: provider === 'kiro' ? resolvedKiroMethod : undefined });
+    }
     // Pre-flight checks (skip for device code flows which don't need callback ports)
     if (!isDeviceCodeFlow && !(await runPreflightChecks(provider, oauthConfig))) {
         return null;
@@ -461,14 +567,19 @@ async function triggerOAuth(provider, options = {}) {
             console.error(`[auth] Freed port ${localCallbackPort} for OAuth callback`);
         }
     }
-    // Build args
-    const args = ['--config', configPath, authFlag];
-    if (headless) {
-        args.push('--no-browser');
+    const processHeadless = selectedPasteCallback && provider === 'kiro' ? true : headless;
+    let args;
+    try {
+        args = buildOAuthArgs(provider, configPath, processHeadless, noIncognito, {
+            kiroMethod: provider === 'kiro' ? resolvedKiroMethod : undefined,
+            kiroIDCStartUrl: options.kiroIDCStartUrl,
+            kiroIDCRegion: options.kiroIDCRegion,
+            kiroIDCFlow: provider === 'kiro' ? resolvedKiroIDCFlow : undefined,
+        });
     }
-    // Kiro-specific: --no-incognito to use normal browser (saves login credentials)
-    if (provider === 'kiro' && noIncognito) {
-        args.push('--no-incognito');
+    catch (error) {
+        console.log((0, ui_1.fail)(error.message));
+        return null;
     }
     // Show step based on flow type
     if (isDeviceCodeFlow) {
@@ -479,7 +590,13 @@ async function triggerOAuth(provider, options = {}) {
     else {
         (0, environment_detector_1.showStep)(2, 4, 'progress', `Starting callback server on port ${callbackPort}...`);
         // Show headless instructions (only for authorization code flows)
-        if (headless) {
+        if (useSelectedKiroLocalPasteCallback) {
+            console.log('');
+            console.log((0, ui_1.info)('Paste-callback mode enabled for Kiro CLI auth.'));
+            console.log('    CCS will print the authorization URL and wait for you to paste the final callback URL.');
+            console.log('');
+        }
+        else if (headless) {
             console.log('');
             console.log((0, ui_1.warn)('PORT FORWARDING REQUIRED'));
             console.log(`    OAuth callback uses localhost:${callbackPort} which must be reachable.`);
@@ -496,11 +613,14 @@ async function triggerOAuth(provider, options = {}) {
         tokenDir,
         oauthConfig,
         callbackPort,
-        headless,
+        headless: processHeadless,
         verbose,
         isCLI,
         nickname,
         expectedAccountId: existingNameMatch?.id,
+        authFlowType: isDeviceCodeFlow ? 'device_code' : 'authorization_code',
+        kiroMethod: provider === 'kiro' ? resolvedKiroMethod : undefined,
+        manualCallback: useSelectedKiroLocalPasteCallback,
     });
     // Show hint for Kiro users about --no-incognito option (first-time auth only)
     if (account && provider === 'kiro' && !noIncognito) {