@kaitranntt/ccs 7.77.1 → 7.78.0

package/dist/cliproxy/auth/oauth-trace/diagnose-failure.js

@@ -0,0 +1,159 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.formatErrorMessage = exports.diagnoseFailure = void 0;
+const trace_events_1 = require("./trace-events");
+const BROWSER_OPEN_HEURISTIC_MS = 5000;
+/**
+ * Pure function: read a recorder snapshot and decide which failure branch fits best.
+ * No side effects, no console writes.
+ */
+function diagnoseFailure(snapshot) {
+    if (snapshot.length === 0) {
+        return { branchId: 'UNKNOWN', data: {} };
+    }
+    const has = (phase) => snapshot.some((e) => e.phase === phase);
+    const last = (phase) => [...snapshot].reverse().find((e) => e.phase === phase);
+    const lastError = [...snapshot].reverse().find((e) => e.phase === trace_events_1.OAuthTracePhase.Error);
+    // Provider gate aborts (highest priority — explicit error code)
+    if (lastError?.error?.code === 'GEMINI_PLUS_MISSING_CRED') {
+        return { branchId: 'GEMINI_PLUS_MISSING_CRED', data: lastError.data ?? {} };
+    }
+    if (lastError?.error?.code === 'AGY_RESPONSIBILITY_DECLINED') {
+        return { branchId: 'AGY_RESPONSIBILITY_DECLINED', data: lastError.data ?? {} };
+    }
+    if (lastError?.error?.code === 'CALLBACK_REJECTED') {
+        return {
+            branchId: 'TOKEN_EXCHANGE_REJECTED',
+            data: { upstreamError: lastError.error.message, ...(lastError.data ?? {}) },
+        };
+    }
+    if (has(trace_events_1.OAuthTracePhase.PasteCallbackInvalid)) {
+        const ev = last(trace_events_1.OAuthTracePhase.PasteCallbackInvalid);
+        return { branchId: 'PASTE_INVALID', data: ev?.data ?? {} };
+    }
+    if (has(trace_events_1.OAuthTracePhase.Cancelled)) {
+        return { branchId: 'SESSION_CANCELLED', data: {} };
+    }
+    if (has(trace_events_1.OAuthTracePhase.Timeout)) {
+        const ev = last(trace_events_1.OAuthTracePhase.Timeout);
+        return { branchId: 'TIMEOUT', data: ev?.data ?? {} };
+    }
+    const exitEv = last(trace_events_1.OAuthTracePhase.BinaryExit);
+    if (exitEv) {
+        const code = exitEv.data?.code ?? null;
+        if (code !== null && code !== 0) {
+            return {
+                branchId: 'BINARY_ERROR_EXIT',
+                data: {
+                    code,
+                    stderrTail: exitEv.data?.stderrTail ?? '',
+                },
+            };
+        }
+    }
+    // exit=0 (or no exit) plus token-file states
+    if (has(trace_events_1.OAuthTracePhase.TokenFileMissing)) {
+        return { branchId: 'TOKEN_FILE_MISSING_POST_EXIT', data: {} };
+    }
+    if (!has(trace_events_1.OAuthTracePhase.AuthUrlDisplayed)) {
+        return { branchId: 'URL_NOT_DISPLAYED', data: {} };
+    }
+    // URL was displayed: did browser open within heuristic window?
+    if (!has(trace_events_1.OAuthTracePhase.BrowserOpened)) {
+        const urlEv = last(trace_events_1.OAuthTracePhase.AuthUrlDisplayed);
+        const lastTs = snapshot[snapshot.length - 1].ts;
+        if (urlEv && lastTs - urlEv.ts >= BROWSER_OPEN_HEURISTIC_MS) {
+            return { branchId: 'BROWSER_NOT_OPENED', data: {} };
+        }
+    }
+    if (has(trace_events_1.OAuthTracePhase.BrowserOpened) &&
+        !has(trace_events_1.OAuthTracePhase.CallbackObservedHeuristic) &&
+        has(trace_events_1.OAuthTracePhase.BinaryExit)) {
+        return { branchId: 'CALLBACK_NEVER_OBSERVED', data: {} };
+    }
+    return { branchId: 'UNKNOWN', data: {} };
+}
+exports.diagnoseFailure = diagnoseFailure;
+/**
+ * Map a diagnosed branch to user-facing message lines (ASCII only, no emojis).
+ * Always ends with a concrete next-step command.
+ */
+function formatErrorMessage(result, opts) {
+    const { branchId, data } = result;
+    const { provider, callbackPort, platform, verbose } = opts;
+    const lines = [];
+    switch (branchId) {
+        case 'URL_NOT_DISPLAYED':
+            lines.push('OAuth URL was never produced.');
+            lines.push('The CLIProxy binary may have failed to start or exited too early.');
+            lines.push(`Try: ccs ${provider} --auth --verbose`);
+            break;
+        case 'BROWSER_NOT_OPENED':
+            lines.push('OAuth URL was displayed but the browser did not open.');
+            lines.push('Copy the URL above and open it manually in any browser.');
+            break;
+        case 'CALLBACK_NEVER_OBSERVED':
+            lines.push(`Browser completed login but no callback reached localhost:${callbackPort ?? '?'}.`);
+            lines.push('Common cause: firewall, antivirus, or browser on a different machine.');
+            lines.push(`Try paste-callback mode: ccs ${provider} --auth --no-browser`);
+            if (platform === 'win32' && callbackPort) {
+                lines.push('On Windows, try as Administrator:');
+                lines.push(`  netsh advfirewall firewall add rule name="CCS OAuth" dir=in action=allow protocol=TCP localport=${callbackPort}`);
+            }
+            break;
+        case 'BINARY_ERROR_EXIT': {
+            const code = data['code'] ?? '?';
+            lines.push(`CLIProxy binary exited with code ${code}.`);
+            const tail = String(data['stderrTail'] ?? '').trim();
+            if (tail)
+                lines.push(`  ${tail}`);
+            lines.push(`Try: ccs ${provider} --auth --verbose`);
+            break;
+        }
+        case 'TOKEN_FILE_MISSING_POST_EXIT':
+            lines.push('Authentication appeared to succeed but no token file was created.');
+            lines.push('Update CLIProxy and retry: ccs update');
+            break;
+        case 'TIMEOUT': {
+            const min = data['timeoutMs'] ? Math.round(data['timeoutMs'] / 60000) : '?';
+            lines.push(`OAuth flow timed out after ${min} minutes.`);
+            lines.push(`Re-run and complete login faster: ccs ${provider} --auth`);
+            break;
+        }
+        case 'SESSION_CANCELLED':
+            lines.push('OAuth flow was cancelled.');
+            break;
+        case 'TOKEN_EXCHANGE_REJECTED':
+            lines.push(`Token exchange rejected by provider: ${String(data['upstreamError'] ?? 'unknown')}.`);
+            lines.push(`Try: ccs ${provider} --auth --verbose`);
+            break;
+        case 'PASTE_INVALID':
+            lines.push(`Pasted callback URL invalid: ${String(data['reason'] ?? 'unknown')}.`);
+            lines.push('Re-run and paste the full URL after browser login.');
+            break;
+        case 'GEMINI_PLUS_MISSING_CRED':
+            lines.push('Gemini-plus OAuth credentials missing.');
+            lines.push('See: docs/providers/gemini.md');
+            break;
+        case 'AGY_RESPONSIBILITY_DECLINED':
+            lines.push('Antigravity responsibility prompt was declined.');
+            lines.push(`Re-run and accept to proceed: ccs ${provider} --auth`);
+            break;
+        case 'UNKNOWN':
+        default:
+            lines.push('Token not found after authentication');
+            lines.push('Common causes:');
+            lines.push('  1. OAuth session timed out');
+            lines.push('  2. Callback server could not receive the redirect');
+            lines.push('  3. Browser did not redirect to localhost properly');
+            lines.push(`Try: ccs ${provider} --auth --verbose`);
+            break;
+    }
+    if (verbose) {
+        lines.push('');
+        lines.push('Run with --verbose for the trace summary.');
+    }
+    return lines;
+}
+exports.formatErrorMessage = formatErrorMessage;
+//# sourceMappingURL=diagnose-failure.js.map

package/dist/cliproxy/auth/oauth-trace/diagnose-failure.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"diagnose-failure.js","sourceRoot":"","sources":["../../../../src/cliproxy/auth/oauth-trace/diagnose-failure.ts"],"names":[],"mappings":";;;AAAA,iDAAkE;AAqBlE,MAAM,yBAAyB,GAAG,IAAI,CAAC;AAEvC;;;GAGG;AACH,SAAgB,eAAe,CAAC,QAA2B;IACzD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IAC3C,CAAC;IAED,MAAM,GAAG,GAAG,CAAC,KAAsB,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,KAAK,CAAC,CAAC;IAChF,MAAM,IAAI,GAAG,CAAC,KAAsB,EAAE,EAAE,CAAC,CAAC,GAAG,QAAQ,CAAC,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,KAAK,CAAC,CAAC;IAChG,MAAM,SAAS,GAAG,CAAC,GAAG,QAAQ,CAAC,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,8BAAe,CAAC,KAAK,CAAC,CAAC;IAEzF,gEAAgE;IAChE,IAAI,SAAS,EAAE,KAAK,EAAE,IAAI,KAAK,0BAA0B,EAAE,CAAC;QAC1D,OAAO,EAAE,QAAQ,EAAE,0BAA0B,EAAE,IAAI,EAAE,SAAS,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC;IAC9E,CAAC;IACD,IAAI,SAAS,EAAE,KAAK,EAAE,IAAI,KAAK,6BAA6B,EAAE,CAAC;QAC7D,OAAO,EAAE,QAAQ,EAAE,6BAA6B,EAAE,IAAI,EAAE,SAAS,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC;IACjF,CAAC;IACD,IAAI,SAAS,EAAE,KAAK,EAAE,IAAI,KAAK,mBAAmB,EAAE,CAAC;QACnD,OAAO;YACL,QAAQ,EAAE,yBAAyB;YACnC,IAAI,EAAE,EAAE,aAAa,EAAE,SAAS,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,SAAS,CAAC,IAAI,IAAI,EAAE,CAAC,EAAE;SAC5E,CAAC;IACJ,CAAC;IAED,IAAI,GAAG,CAAC,8BAAe,CAAC,oBAAoB,CAAC,EAAE,CAAC;QAC9C,MAAM,EAAE,GAAG,IAAI,CAAC,8BAAe,CAAC,oBAAoB,CAAC,CAAC;QACtD,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,IAAI,EAAE,EAAE,CAAC;IAC7D,CAAC;IAED,IAAI,GAAG,CAAC,8BAAe,CAAC,SAAS,CAAC,EAAE,CAAC;QACnC,OAAO,EAAE,QAAQ,EAAE,mBAAmB,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IACrD,CAAC;IAED,IAAI,GAAG,CAAC,8BAAe,CAAC,OAAO,CAAC,EAAE,CAAC;QACjC,MAAM,EAAE,GAAG,IAAI,CAAC,8BAAe,CAAC,OAAO,CAAC,CAAC;QACzC,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,IAAI,EAAE,EAAE,CAAC;IACvD,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,8BAAe,CAAC,UAAU,CAAC,CAAC;IAChD,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,IAAI,GAAI,MAAM,CAAC,IAAI,EAAE,IAA2B,IAAI,IAAI,CAAC;QAC/D,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;YAChC,OAAO;gBACL,QAAQ,EAAE,mBAAmB;gBAC7B,IAAI,EAAE;oBACJ,IAAI;oBACJ,UAAU,EAAE,MAAM,CAAC,IAAI,EAAE,UAAU,IAAI,EAAE;iBAC1C;aACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,6CAA6C;IAC7C,IAAI,GAAG,CAAC,8BAAe,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAC1C,OAAO,EAAE,QAAQ,EAAE,8BAA8B,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IAChE,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,8BAAe,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAC3C,OAAO,EAAE,QAAQ,EAAE,mBAAmB,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IACrD,CAAC;IAED,+DAA+D;IAC/D,IAAI,CAAC,GAAG,CAAC,8BAAe,CAAC,aAAa,CAAC,EAAE,CAAC;QACxC,MAAM,KAAK,GAAG,IAAI,CAAC,8BAAe,CAAC,gBAAgB,CAAC,CAAC;QACrD,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QAChD,IAAI,KAAK,IAAI,MAAM,GAAG,KAAK,CAAC,EAAE,IAAI,yBAAyB,EAAE,CAAC;YAC5D,OAAO,EAAE,QAAQ,EAAE,oBAAoB,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;QACtD,CAAC;IACH,CAAC;IAED,IACE,GAAG,CAAC,8BAAe,CAAC,aAAa,CAAC;QAClC,CAAC,GAAG,CAAC,8BAAe,CAAC,yBAAyB,CAAC;QAC/C,GAAG,CAAC,8BAAe,CAAC,UAAU,CAAC,EAC/B,CAAC;QACD,OAAO,EAAE,QAAQ,EAAE,yBAAyB,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IAC3D,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;AAC3C,CAAC;AA9ED,0CA8EC;AASD;;;GAGG;AACH,SAAgB,kBAAkB,CAAC,MAAuB,EAAE,IAAwB;IAClF,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,MAAM,CAAC;IAClC,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IAC3D,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,mBAAmB;YACtB,KAAK,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;YAC5C,KAAK,CAAC,IAAI,CAAC,mEAAmE,CAAC,CAAC;YAChF,KAAK,CAAC,IAAI,CAAC,YAAY,QAAQ,mBAAmB,CAAC,CAAC;YACpD,MAAM;QAER,KAAK,oBAAoB;YACvB,KAAK,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;YACpE,KAAK,CAAC,IAAI,CAAC,yDAAyD,CAAC,CAAC;YACtE,MAAM;QAER,KAAK,yBAAyB;YAC5B,KAAK,CAAC,IAAI,CACR,6DAA6D,YAAY,IAAI,GAAG,GAAG,CACpF,CAAC;YACF,KAAK,CAAC,IAAI,CAAC,uEAAuE,CAAC,CAAC;YACpF,KAAK,CAAC,IAAI,CAAC,gCAAgC,QAAQ,sBAAsB,CAAC,CAAC;YAC3E,IAAI,QAAQ,KAAK,OAAO,IAAI,YAAY,EAAE,CAAC;gBACzC,KAAK,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;gBAChD,KAAK,CAAC,IAAI,CACR,qGAAqG,YAAY,EAAE,CACpH,CAAC;YACJ,CAAC;YACD,MAAM;QAER,KAAK,mBAAmB,CAAC,CAAC,CAAC;YACzB,MAAM,IAAI,GAAI,IAAI,CAAC,MAAM,CAAwB,IAAI,GAAG,CAAC;YACzD,KAAK,CAAC,IAAI,CAAC,oCAAoC,IAAI,GAAG,CAAC,CAAC;YACxD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YACrD,IAAI,IAAI;gBAAE,KAAK,CAAC,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC;YAClC,KAAK,CAAC,IAAI,CAAC,YAAY,QAAQ,mBAAmB,CAAC,CAAC;YACpD,MAAM;QACR,CAAC;QAED,KAAK,8BAA8B;YACjC,KAAK,CAAC,IAAI,CAAC,mEAAmE,CAAC,CAAC;YAChF,KAAK,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;YACpD,MAAM;QAER,KAAK,SAAS,CAAC,CAAC,CAAC;YACf,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAE,IAAI,CAAC,WAAW,CAAY,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;YACxF,KAAK,CAAC,IAAI,CAAC,8BAA8B,GAAG,WAAW,CAAC,CAAC;YACzD,KAAK,CAAC,IAAI,CAAC,yCAAyC,QAAQ,SAAS,CAAC,CAAC;YACvE,MAAM;QACR,CAAC;QAED,KAAK,mBAAmB;YACtB,KAAK,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;YACxC,MAAM;QAER,KAAK,yBAAyB;YAC5B,KAAK,CAAC,IAAI,CACR,wCAAwC,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,IAAI,SAAS,CAAC,GAAG,CACtF,CAAC;YACF,KAAK,CAAC,IAAI,CAAC,YAAY,QAAQ,mBAAmB,CAAC,CAAC;YACpD,MAAM;QAER,KAAK,eAAe;YAClB,KAAK,CAAC,IAAI,CAAC,gCAAgC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,GAAG,CAAC,CAAC;YACnF,KAAK,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;YACjE,MAAM;QAER,KAAK,0BAA0B;YAC7B,KAAK,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;YACrD,KAAK,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;YAC5C,MAAM;QAER,KAAK,6BAA6B;YAChC,KAAK,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;YAC9D,KAAK,CAAC,IAAI,CAAC,qCAAqC,QAAQ,SAAS,CAAC,CAAC;YACnE,MAAM;QAER,KAAK,SAAS,CAAC;QACf;YACE,KAAK,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;YACnD,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YAC7B,KAAK,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;YAC3C,KAAK,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;YAClE,KAAK,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;YAClE,KAAK,CAAC,IAAI,CAAC,YAAY,QAAQ,mBAAmB,CAAC,CAAC;YACpD,MAAM;IACV,CAAC;IAED,IAAI,OAAO,EAAE,CAAC;QACZ,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;IAC1D,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AA/FD,gDA+FC"}

package/dist/cliproxy/auth/oauth-trace/index.d.ts

@@ -0,0 +1,4 @@
+export { OAuthTracePhase, type OAuthTraceEvent, type OAuthTraceSink } from './trace-events';
+export { createOAuthTraceRecorder, type OAuthTraceRecorder, type OAuthTraceRecorderOptions, } from './trace-recorder';
+export { redactString, redactUrl, redactJsonShallow, redactBearer, REDACTED_PLACEHOLDER, } from './redactor';
+//# sourceMappingURL=index.d.ts.map

package/dist/cliproxy/auth/oauth-trace/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/cliproxy/auth/oauth-trace/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,KAAK,eAAe,EAAE,KAAK,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAC5F,OAAO,EACL,wBAAwB,EACxB,KAAK,kBAAkB,EACvB,KAAK,yBAAyB,GAC/B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,YAAY,EACZ,SAAS,EACT,iBAAiB,EACjB,YAAY,EACZ,oBAAoB,GACrB,MAAM,YAAY,CAAC"}

package/dist/cliproxy/auth/oauth-trace/index.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.REDACTED_PLACEHOLDER = exports.redactBearer = exports.redactJsonShallow = exports.redactUrl = exports.redactString = exports.createOAuthTraceRecorder = exports.OAuthTracePhase = void 0;
+var trace_events_1 = require("./trace-events");
+Object.defineProperty(exports, "OAuthTracePhase", { enumerable: true, get: function () { return trace_events_1.OAuthTracePhase; } });
+var trace_recorder_1 = require("./trace-recorder");
+Object.defineProperty(exports, "createOAuthTraceRecorder", { enumerable: true, get: function () { return trace_recorder_1.createOAuthTraceRecorder; } });
+var redactor_1 = require("./redactor");
+Object.defineProperty(exports, "redactString", { enumerable: true, get: function () { return redactor_1.redactString; } });
+Object.defineProperty(exports, "redactUrl", { enumerable: true, get: function () { return redactor_1.redactUrl; } });
+Object.defineProperty(exports, "redactJsonShallow", { enumerable: true, get: function () { return redactor_1.redactJsonShallow; } });
+Object.defineProperty(exports, "redactBearer", { enumerable: true, get: function () { return redactor_1.redactBearer; } });
+Object.defineProperty(exports, "REDACTED_PLACEHOLDER", { enumerable: true, get: function () { return redactor_1.REDACTED_PLACEHOLDER; } });
+//# sourceMappingURL=index.js.map

package/dist/cliproxy/auth/oauth-trace/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/cliproxy/auth/oauth-trace/index.ts"],"names":[],"mappings":";;;AAAA,+CAA4F;AAAnF,+GAAA,eAAe,OAAA;AACxB,mDAI0B;AAHxB,0HAAA,wBAAwB,OAAA;AAI1B,uCAMoB;AALlB,wGAAA,YAAY,OAAA;AACZ,qGAAA,SAAS,OAAA;AACT,6GAAA,iBAAiB,OAAA;AACjB,wGAAA,YAAY,OAAA;AACZ,gHAAA,oBAAoB,OAAA"}

package/dist/cliproxy/auth/oauth-trace/redactor.d.ts

@@ -0,0 +1,22 @@
+/**
+ * OAuth secret redactor — single choke point.
+ *
+ * Every value reaching any sink passes through these helpers first.
+ * Adding a new sensitive key here is the only place it has to change.
+ *
+ * DEFERRED: per-event syscall throttling; fsync / file-size cap on file sink.
+ */
+/** Redact sensitive query-param values inside any string. Idempotent. */
+export declare function redactString(s: string): string;
+/** Redact a parsed URL by name; returns redacted href or original on parse error. */
+export declare function redactUrl(u: string): string;
+/**
+ * Shallow-redact a plain object. Returns a new object; original is not mutated.
+ * Arrays are recursed so token arrays (e.g. `{tokens:[{access_token:'AT'}]}`)
+ * do not bypass redaction.
+ */
+export declare function redactJsonShallow(input: Record<string, unknown>): Record<string, unknown>;
+/** Redact an Authorization header value. */
+export declare function redactBearer(header: string): string;
+export declare const REDACTED_PLACEHOLDER = "***REDACTED***";
+//# sourceMappingURL=redactor.d.ts.map

package/dist/cliproxy/auth/oauth-trace/redactor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"redactor.d.ts","sourceRoot":"","sources":["../../../../src/cliproxy/auth/oauth-trace/redactor.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAmCH,yEAAyE;AACzE,wBAAgB,YAAY,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAK9C;AAED,qFAAqF;AACrF,wBAAgB,SAAS,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAiC3C;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAoBzF;AAED,4CAA4C;AAC5C,wBAAgB,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAEnD;AAED,eAAO,MAAM,oBAAoB,mBAAW,CAAC"}

package/dist/cliproxy/auth/oauth-trace/redactor.js

@@ -0,0 +1,112 @@
+"use strict";
+/**
+ * OAuth secret redactor — single choke point.
+ *
+ * Every value reaching any sink passes through these helpers first.
+ * Adding a new sensitive key here is the only place it has to change.
+ *
+ * DEFERRED: per-event syscall throttling; fsync / file-size cap on file sink.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.REDACTED_PLACEHOLDER = exports.redactBearer = exports.redactJsonShallow = exports.redactUrl = exports.redactString = void 0;
+const SENSITIVE_QUERY_KEYS = [
+    'code',
+    'state',
+    'access_token',
+    'refresh_token',
+    'id_token',
+    'client_secret',
+    'authorization',
+    // PKCE / device-flow / assertion keys
+    'code_verifier',
+    'device_code',
+    'assertion',
+    'subject_token',
+];
+const SENSITIVE_OBJECT_KEYS = new Set(SENSITIVE_QUERY_KEYS.map((k) => k.toLowerCase()).concat(['authorization', 'bearer', 'token']));
+const REDACTED = '***REDACTED***';
+/**
+ * Matches sensitive keys in query strings, fragments, and standard params.
+ * Lookbehind covers: `?`, `&`, `#`, and `&#` (fragment-then-amp) delimiters.
+ * Keys are decoded before matching to catch URL-encoded bypass attempts.
+ */
+const QUERY_PARAM_REGEX = new RegExp(`(?<=[?&#])(${SENSITIVE_QUERY_KEYS.join('|')})=[^&#\\s]+`, 'gi');
+const BEARER_REGEX = /Bearer\s+[A-Za-z0-9._\-~+/=]+/gi;
+/** Redact sensitive query-param values inside any string. Idempotent. */
+function redactString(s) {
+    if (!s)
+        return s;
+    return s
+        .replace(QUERY_PARAM_REGEX, (_full, key) => `${key}=${REDACTED}`)
+        .replace(BEARER_REGEX, `Bearer ${REDACTED}`);
+}
+exports.redactString = redactString;
+/** Redact a parsed URL by name; returns redacted href or original on parse error. */
+function redactUrl(u) {
+    try {
+        const url = new URL(u);
+        // Redact query params — URL parser already decoded keys, compare decoded.
+        for (const key of SENSITIVE_QUERY_KEYS) {
+            if (url.searchParams.has(key))
+                url.searchParams.set(key, REDACTED);
+        }
+        // Also catch URL-encoded key names that URL.searchParams may not normalise
+        // (e.g. `?%63%6F%64%65=SECRET`). Decode all keys and re-check.
+        for (const [rawKey, rawVal] of [...url.searchParams.entries()]) {
+            const decoded = decodeURIComponent(rawKey).toLowerCase();
+            if ((SENSITIVE_OBJECT_KEYS.has(decoded) || SENSITIVE_QUERY_KEYS.includes(decoded)) &&
+                rawVal !== REDACTED) {
+                url.searchParams.set(rawKey, REDACTED);
+            }
+        }
+        // Redact fragment — strip leading `#`, prepend `?` so QUERY_PARAM_REGEX
+        // matches the first param (lookbehind requires `?`, `&`, or `#`).
+        if (url.hash) {
+            const bare = url.hash.slice(1); // remove leading '#'
+            const fakeQuery = `?${bare}`;
+            const redacted = redactString(fakeQuery);
+            url.hash = redacted.slice(1); // put back without the fake '?'
+        }
+        return url.toString();
+    }
+    catch {
+        return redactString(u);
+    }
+}
+exports.redactUrl = redactUrl;
+/**
+ * Shallow-redact a plain object. Returns a new object; original is not mutated.
+ * Arrays are recursed so token arrays (e.g. `{tokens:[{access_token:'AT'}]}`)
+ * do not bypass redaction.
+ */
+function redactJsonShallow(input) {
+    const out = {};
+    for (const [key, value] of Object.entries(input)) {
+        if (SENSITIVE_OBJECT_KEYS.has(key.toLowerCase())) {
+            out[key] = REDACTED;
+        }
+        else if (typeof value === 'string') {
+            out[key] = redactString(value);
+        }
+        else if (Array.isArray(value)) {
+            out[key] = value.map((item) => item && typeof item === 'object' && !Array.isArray(item)
+                ? redactJsonShallow(item)
+                : item);
+        }
+        else if (value && typeof value === 'object') {
+            out[key] = redactJsonShallow(value);
+        }
+        else {
+            out[key] = value;
+        }
+    }
+    return out;
+}
+exports.redactJsonShallow = redactJsonShallow;
+/** Redact an Authorization header value. */
+function redactBearer(header) {
+    return header.replace(BEARER_REGEX, `Bearer ${REDACTED}`);
+}
+exports.redactBearer = redactBearer;
+exports.REDACTED_PLACEHOLDER = REDACTED;
+//# sourceMappingURL=redactor.js.map

package/dist/cliproxy/auth/oauth-trace/redactor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redactor.js","sourceRoot":"","sources":["../../../../src/cliproxy/auth/oauth-trace/redactor.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAEH,MAAM,oBAAoB,GAAG;IAC3B,MAAM;IACN,OAAO;IACP,cAAc;IACd,eAAe;IACf,UAAU;IACV,eAAe;IACf,eAAe;IACf,sCAAsC;IACtC,eAAe;IACf,aAAa;IACb,WAAW;IACX,eAAe;CACP,CAAC;AAEX,MAAM,qBAAqB,GAAG,IAAI,GAAG,CACnC,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,eAAe,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC,CAC9F,CAAC;AAEF,MAAM,QAAQ,GAAG,gBAAgB,CAAC;AAElC;;;;GAIG;AACH,MAAM,iBAAiB,GAAG,IAAI,MAAM,CAClC,cAAc,oBAAoB,CAAC,IAAI,CAAC,GAAG,CAAC,aAAa,EACzD,IAAI,CACL,CAAC;AAEF,MAAM,YAAY,GAAG,iCAAiC,CAAC;AAEvD,yEAAyE;AACzE,SAAgB,YAAY,CAAC,CAAS;IACpC,IAAI,CAAC,CAAC;QAAE,OAAO,CAAC,CAAC;IACjB,OAAO,CAAC;SACL,OAAO,CAAC,iBAAiB,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC,GAAG,GAAG,IAAI,QAAQ,EAAE,CAAC;SAChE,OAAO,CAAC,YAAY,EAAE,UAAU,QAAQ,EAAE,CAAC,CAAC;AACjD,CAAC;AALD,oCAKC;AAED,qFAAqF;AACrF,SAAgB,SAAS,CAAC,CAAS;IACjC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC;QAEvB,0EAA0E;QAC1E,KAAK,MAAM,GAAG,IAAI,oBAAoB,EAAE,CAAC;YACvC,IAAI,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC;gBAAE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QACrE,CAAC;QACD,2EAA2E;QAC3E,+DAA+D;QAC/D,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YAC/D,MAAM,OAAO,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC,WAAW,EAAE,CAAC;YACzD,IACE,CAAC,qBAAqB,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,oBAAoB,CAAC,QAAQ,CAAC,OAAgB,CAAC,CAAC;gBACvF,MAAM,KAAK,QAAQ,EACnB,CAAC;gBACD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;YACzC,CAAC;QACH,CAAC;QAED,wEAAwE;QACxE,kEAAkE;QAClE,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;YACb,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,qBAAqB;YACrD,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;YAC7B,MAAM,QAAQ,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;YACzC,GAAG,CAAC,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,gCAAgC;QAChE,CAAC;QAED,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;IACzB,CAAC;AACH,CAAC;AAjCD,8BAiCC;AAED;;;;GAIG;AACH,SAAgB,iBAAiB,CAAC,KAA8B;IAC9D,MAAM,GAAG,GAA4B,EAAE,CAAC;IACxC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACjD,IAAI,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YACjD,GAAG,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAC;QACtB,CAAC;aAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrC,GAAG,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;QACjC,CAAC;aAAM,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAChC,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAC5B,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;gBACtD,CAAC,CAAC,iBAAiB,CAAC,IAA+B,CAAC;gBACpD,CAAC,CAAC,IAAI,CACT,CAAC;QACJ,CAAC;aAAM,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9C,GAAG,CAAC,GAAG,CAAC,GAAG,iBAAiB,CAAC,KAAgC,CAAC,CAAC;QACjE,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACnB,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AApBD,8CAoBC;AAED,4CAA4C;AAC5C,SAAgB,YAAY,CAAC,MAAc;IACzC,OAAO,MAAM,CAAC,OAAO,CAAC,YAAY,EAAE,UAAU,QAAQ,EAAE,CAAC,CAAC;AAC5D,CAAC;AAFD,oCAEC;AAEY,QAAA,oBAAoB,GAAG,QAAQ,CAAC"}

package/dist/cliproxy/auth/oauth-trace/sink-file.d.ts

@@ -0,0 +1,18 @@
+import { OAuthTraceSink } from './trace-events';
+/**
+ * Append-mode JSONL file sink. Off by default; enabled when callers pass an instance.
+ *
+ * - File path: `${dir}/oauth-YYYYMMDD.log` (date from `now()` per write call).
+ * - Permissions: dir 0o700, file 0o600 (user-only). World-readable would leak machine info.
+ * - Failure-tolerant: if write fails (disk full, perm denied), logs once to stderr and
+ *   keeps dropping events silently — sink must never throw out of `write()`.
+ */
+export interface FileSinkOptions {
+    dir: string;
+    /** Test seam — defaults to `() => new Date()`. */
+    now?: () => Date;
+    /** Test seam — error notifier (defaults to one-shot stderr write). */
+    onError?: (msg: string) => void;
+}
+export declare function createFileSink(options: FileSinkOptions): OAuthTraceSink;
+//# sourceMappingURL=sink-file.d.ts.map

package/dist/cliproxy/auth/oauth-trace/sink-file.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sink-file.d.ts","sourceRoot":"","sources":["../../../../src/cliproxy/auth/oauth-trace/sink-file.ts"],"names":[],"mappings":"AAEA,OAAO,EAAmB,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAEjE;;;;;;;GAOG;AACH,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,kDAAkD;IAClD,GAAG,CAAC,EAAE,MAAM,IAAI,CAAC;IACjB,sEAAsE;IACtE,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CACjC;AAED,wBAAgB,cAAc,CAAC,OAAO,EAAE,eAAe,GAAG,cAAc,CA+DvE"}

package/dist/cliproxy/auth/oauth-trace/sink-file.js

@@ -0,0 +1,90 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createFileSink = void 0;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+function createFileSink(options) {
+    const now = options.now ?? (() => new Date());
+    let warned = false;
+    const onError = options.onError ??
+        ((msg) => {
+            if (!warned) {
+                warned = true;
+                process.stderr.write(`[oauth-trace] file sink disabled: ${msg}\n`);
+            }
+        });
+    let cachedDate = null;
+    function ensureDir() {
+        fs.mkdirSync(options.dir, { recursive: true, mode: 0o700 });
+    }
+    function dateStr(d) {
+        const yyyy = d.getFullYear().toString().padStart(4, '0');
+        const mm = (d.getMonth() + 1).toString().padStart(2, '0');
+        const dd = d.getDate().toString().padStart(2, '0');
+        return `${yyyy}${mm}${dd}`;
+    }
+    function pathForToday() {
+        const ds = dateStr(now());
+        cachedDate = ds;
+        return path.join(options.dir, `oauth-${ds}.log`);
+    }
+    function appendOne(event) {
+        const file = pathForToday();
+        const line = JSON.stringify(event) + '\n';
+        let fd = null;
+        try {
+            ensureDir();
+            fd = fs.openSync(file, 'a', 0o600);
+            fs.writeSync(fd, line);
+        }
+        finally {
+            if (fd !== null) {
+                try {
+                    fs.closeSync(fd);
+                }
+                catch {
+                    // ignore
+                }
+            }
+        }
+    }
+    return {
+        write(event) {
+            try {
+                appendOne(event);
+            }
+            catch (err) {
+                onError(err.message);
+            }
+        },
+        async flush() {
+            // appendSync paths are flushed per-write; no buffer to drain.
+            void cachedDate;
+        },
+    };
+}
+exports.createFileSink = createFileSink;
+//# sourceMappingURL=sink-file.js.map

package/dist/cliproxy/auth/oauth-trace/sink-file.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sink-file.js","sourceRoot":"","sources":["../../../../src/cliproxy/auth/oauth-trace/sink-file.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAmB7B,SAAgB,cAAc,CAAC,OAAwB;IACrD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;IAC9C,IAAI,MAAM,GAAG,KAAK,CAAC;IACnB,MAAM,OAAO,GACX,OAAO,CAAC,OAAO;QACf,CAAC,CAAC,GAAW,EAAE,EAAE;YACf,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,GAAG,IAAI,CAAC;gBACd,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,qCAAqC,GAAG,IAAI,CAAC,CAAC;YACrE,CAAC;QACH,CAAC,CAAC,CAAC;IAEL,IAAI,UAAU,GAAkB,IAAI,CAAC;IAErC,SAAS,SAAS;QAChB,EAAE,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC9D,CAAC;IAED,SAAS,OAAO,CAAC,CAAO;QACtB,MAAM,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QACzD,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAC1D,MAAM,EAAE,GAAG,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QACnD,OAAO,GAAG,IAAI,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC;IAC7B,CAAC;IAED,SAAS,YAAY;QACnB,MAAM,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;QAC1B,UAAU,GAAG,EAAE,CAAC;QAChB,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;IACnD,CAAC;IAED,SAAS,SAAS,CAAC,KAAsB;QACvC,MAAM,IAAI,GAAG,YAAY,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC;QAC1C,IAAI,EAAE,GAAkB,IAAI,CAAC;QAC7B,IAAI,CAAC;YACH,SAAS,EAAE,CAAC;YACZ,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;YACnC,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;QACzB,CAAC;gBAAS,CAAC;YACT,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;gBAChB,IAAI,CAAC;oBACH,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;gBACnB,CAAC;gBAAC,MAAM,CAAC;oBACP,SAAS;gBACX,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,KAAK,CAAC,KAAK;YACT,IAAI,CAAC;gBACH,SAAS,CAAC,KAAK,CAAC,CAAC;YACnB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAE,GAAa,CAAC,OAAO,CAAC,CAAC;YAClC,CAAC;QACH,CAAC;QACD,KAAK,CAAC,KAAK;YACT,8DAA8D;YAC9D,KAAK,UAAU,CAAC;QAClB,CAAC;KACF,CAAC;AACJ,CAAC;AA/DD,wCA+DC"}

package/dist/cliproxy/auth/oauth-trace/sink-memory.d.ts

@@ -0,0 +1,13 @@
+import { OAuthTraceEvent, OAuthTraceSink } from './trace-events';
+/** Default ring-buffer capacity. Keeps latest N events; oldest are dropped. */
+export declare const MEMORY_SINK_MAX_EVENTS = 1000;
+/**
+ * In-memory ring buffer sink. Used for diagnose-failure analysis after a flow ends.
+ * Caps at MAX_EVENTS to bound memory; oldest are dropped when full.
+ * `droppedCount` tracks how many events were discarded so callers know data loss occurred.
+ */
+export declare function createMemorySink(maxEvents?: number): OAuthTraceSink & {
+    snapshot(): OAuthTraceEvent[];
+    droppedCount(): number;
+};
+//# sourceMappingURL=sink-memory.d.ts.map

package/dist/cliproxy/auth/oauth-trace/sink-memory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sink-memory.d.ts","sourceRoot":"","sources":["../../../../src/cliproxy/auth/oauth-trace/sink-memory.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAEjE,+EAA+E;AAC/E,eAAO,MAAM,sBAAsB,OAAO,CAAC;AAE3C;;;;GAIG;AACH,wBAAgB,gBAAgB,CAC9B,SAAS,SAAyB,GACjC,cAAc,GAAG;IAAE,QAAQ,IAAI,eAAe,EAAE,CAAC;IAAC,YAAY,IAAI,MAAM,CAAA;CAAE,CAkB5E"}

package/dist/cliproxy/auth/oauth-trace/sink-memory.js

@@ -0,0 +1,31 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createMemorySink = exports.MEMORY_SINK_MAX_EVENTS = void 0;
+/** Default ring-buffer capacity. Keeps latest N events; oldest are dropped. */
+exports.MEMORY_SINK_MAX_EVENTS = 1000;
+/**
+ * In-memory ring buffer sink. Used for diagnose-failure analysis after a flow ends.
+ * Caps at MAX_EVENTS to bound memory; oldest are dropped when full.
+ * `droppedCount` tracks how many events were discarded so callers know data loss occurred.
+ */
+function createMemorySink(maxEvents = exports.MEMORY_SINK_MAX_EVENTS) {
+    const events = [];
+    let dropped = 0;
+    return {
+        write(event) {
+            if (events.length >= maxEvents) {
+                events.shift();
+                dropped++;
+            }
+            events.push(event);
+        },
+        snapshot() {
+            return events.slice();
+        },
+        droppedCount() {
+            return dropped;
+        },
+    };
+}
+exports.createMemorySink = createMemorySink;
+//# sourceMappingURL=sink-memory.js.map

package/dist/cliproxy/auth/oauth-trace/sink-memory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sink-memory.js","sourceRoot":"","sources":["../../../../src/cliproxy/auth/oauth-trace/sink-memory.ts"],"names":[],"mappings":";;;AAEA,+EAA+E;AAClE,QAAA,sBAAsB,GAAG,IAAI,CAAC;AAE3C;;;;GAIG;AACH,SAAgB,gBAAgB,CAC9B,SAAS,GAAG,8BAAsB;IAElC,MAAM,MAAM,GAAsB,EAAE,CAAC;IACrC,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,OAAO;QACL,KAAK,CAAC,KAAK;YACT,IAAI,MAAM,CAAC,MAAM,IAAI,SAAS,EAAE,CAAC;gBAC/B,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,OAAO,EAAE,CAAC;YACZ,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC;QACD,QAAQ;YACN,OAAO,MAAM,CAAC,KAAK,EAAE,CAAC;QACxB,CAAC;QACD,YAAY;YACV,OAAO,OAAO,CAAC;QACjB,CAAC;KACF,CAAC;AACJ,CAAC;AApBD,4CAoBC"}

package/dist/cliproxy/auth/oauth-trace/sink-verbose-stdout.d.ts

@@ -0,0 +1,11 @@
+import { OAuthTraceSink } from './trace-events';
+/**
+ * Verbose stdout sink. Writes one ASCII line per event when verbose=true.
+ * Format: `[oauth-trace] +{elapsedMs}ms {phase} {key=val ...}`
+ * No emojis (CCS terminal rule). Goes to stderr to avoid mingling with normal stdout.
+ */
+export declare function createVerboseStdoutSink(opts: {
+    enabled: boolean;
+    out?: (line: string) => void;
+}): OAuthTraceSink;
+//# sourceMappingURL=sink-verbose-stdout.d.ts.map

package/dist/cliproxy/auth/oauth-trace/sink-verbose-stdout.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sink-verbose-stdout.d.ts","sourceRoot":"","sources":["../../../../src/cliproxy/auth/oauth-trace/sink-verbose-stdout.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAEhD;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE;IAC5C,OAAO,EAAE,OAAO,CAAC;IACjB,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;CAC9B,GAAG,cAAc,CAoBjB"}

package/dist/cliproxy/auth/oauth-trace/sink-verbose-stdout.js

@@ -0,0 +1,47 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createVerboseStdoutSink = void 0;
+/**
+ * Verbose stdout sink. Writes one ASCII line per event when verbose=true.
+ * Format: `[oauth-trace] +{elapsedMs}ms {phase} {key=val ...}`
+ * No emojis (CCS terminal rule). Goes to stderr to avoid mingling with normal stdout.
+ */
+function createVerboseStdoutSink(opts) {
+    const out = opts.out ?? ((line) => process.stderr.write(line + '\n'));
+    return {
+        write(event) {
+            if (!opts.enabled)
+                return;
+            const parts = [];
+            parts.push(`[oauth-trace] +${event.elapsedMs}ms ${event.phase}`);
+            if (event.data) {
+                for (const [k, v] of Object.entries(event.data)) {
+                    if (v === undefined)
+                        continue;
+                    parts.push(`${k}=${formatValue(v)}`);
+                }
+            }
+            if (event.error) {
+                parts.push(`error_code=${event.error.code ?? 'unknown'}`);
+                parts.push(`error_msg="${event.error.message.replace(/"/g, "'")}"`);
+            }
+            out(parts.join(' '));
+        },
+    };
+}
+exports.createVerboseStdoutSink = createVerboseStdoutSink;
+function formatValue(v) {
+    if (v === null)
+        return 'null';
+    if (typeof v === 'string')
+        return v.includes(' ') ? `"${v.replace(/"/g, "'")}"` : v;
+    if (typeof v === 'number' || typeof v === 'boolean')
+        return String(v);
+    try {
+        return JSON.stringify(v);
+    }
+    catch {
+        return '[unserializable]';
+    }
+}
+//# sourceMappingURL=sink-verbose-stdout.js.map

package/dist/cliproxy/auth/oauth-trace/sink-verbose-stdout.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sink-verbose-stdout.js","sourceRoot":"","sources":["../../../../src/cliproxy/auth/oauth-trace/sink-verbose-stdout.ts"],"names":[],"mappings":";;;AAEA;;;;GAIG;AACH,SAAgB,uBAAuB,CAAC,IAGvC;IACC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC,IAAY,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC;IAC9E,OAAO;QACL,KAAK,CAAC,KAAK;YACT,IAAI,CAAC,IAAI,CAAC,OAAO;gBAAE,OAAO;YAC1B,MAAM,KAAK,GAAa,EAAE,CAAC;YAC3B,KAAK,CAAC,IAAI,CAAC,kBAAkB,KAAK,CAAC,SAAS,MAAM,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;YACjE,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC;gBACf,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;oBAChD,IAAI,CAAC,KAAK,SAAS;wBAAE,SAAS;oBAC9B,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBACvC,CAAC;YACH,CAAC;YACD,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;gBAChB,KAAK,CAAC,IAAI,CAAC,cAAc,KAAK,CAAC,KAAK,CAAC,IAAI,IAAI,SAAS,EAAE,CAAC,CAAC;gBAC1D,KAAK,CAAC,IAAI,CAAC,cAAc,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC;YACtE,CAAC;YACD,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QACvB,CAAC;KACF,CAAC;AACJ,CAAC;AAvBD,0DAuBC;AAED,SAAS,WAAW,CAAC,CAAU;IAC7B,IAAI,CAAC,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IAC9B,IAAI,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACpF,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,OAAO,CAAC,KAAK,SAAS;QAAE,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC;IACtE,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,kBAAkB,CAAC;IAC5B,CAAC;AACH,CAAC"}

package/dist/cliproxy/auth/oauth-trace/trace-events.d.ts

@@ -0,0 +1,51 @@
+/**
+ * OAuth trace event taxonomy.
+ *
+ * Single source of truth for phase IDs that flow through the OAuth pipeline.
+ * Additive only — never remove or renumber.
+ */
+export declare enum OAuthTracePhase {
+    PreflightStart = "preflight.start",
+    PreflightOk = "preflight.ok",
+    PreflightPortBlocked = "preflight.port_blocked",
+    BinarySpawn = "binary.spawn",
+    BinaryStdout = "binary.stdout",
+    BinaryStderr = "binary.stderr",
+    BinaryExit = "binary.exit",
+    AuthUrlDisplayed = "auth.url_displayed",
+    BrowserOpened = "browser.opened",
+    CallbackObservedHeuristic = "callback.observed_heuristic",
+    PasteCallbackPrompted = "paste.prompted",
+    PasteCallbackReceived = "paste.received",
+    PasteCallbackInvalid = "paste.invalid",
+    PasteCallbackSubmitted = "paste.submitted",
+    TokenExchangePending = "token.exchange_pending",
+    TokenFileAppeared = "token.file_appeared",
+    TokenFileMissing = "token.file_missing",
+    ProjectSelectionPrompted = "project.selection_prompted",
+    ProjectSelectionResolved = "project.selection_resolved",
+    AgyResponsibilityPrompted = "agy.responsibility_prompted",
+    AgyResponsibilityResolved = "agy.responsibility_resolved",
+    Timeout = "timeout",
+    Cancelled = "cancelled",
+    Error = "error"
+}
+/** A single OAuth trace event. `data` MUST be redacted before construction. */
+export interface OAuthTraceEvent {
+    sessionId: string;
+    provider: string;
+    phase: OAuthTracePhase;
+    ts: number;
+    elapsedMs: number;
+    data?: Record<string, unknown>;
+    error?: {
+        code?: string;
+        message: string;
+    };
+}
+/** Sink interface — accept events that have already been redacted. */
+export interface OAuthTraceSink {
+    write(event: OAuthTraceEvent): void;
+    flush?(): Promise<void>;
+}
+//# sourceMappingURL=trace-events.d.ts.map