@kenkaiiii/gg-core 5.1.2 → 5.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.js CHANGED
@@ -1,15 +1,42 @@
1
1
  import {
2
+ AuthStorage,
2
3
  DEFAULT_MAX_VIDEO_BYTES,
3
4
  MODELS,
5
+ MOONSHOT_OAUTH_KEY,
6
+ NotLoggedInError,
7
+ XIAOMI_CREDITS_KEY,
8
+ closeLogger,
9
+ generatePKCE,
10
+ getAuthStorageKey,
11
+ getAuthStorageKeys,
12
+ getClaudeCliUserAgent,
13
+ getClaudeCodeVersion,
4
14
  getContextWindow,
5
15
  getDefaultModel,
6
16
  getMaxThinkingLevel,
7
17
  getModel,
8
18
  getModelsForProvider,
19
+ getSessionId,
9
20
  getSummaryModel,
10
21
  getVideoByteLimit,
11
- usesOpenAICodexTransport
12
- } from "./chunk-7GQQLIPG.js";
22
+ isKimiCodingEndpoint,
23
+ isLoggerOpen,
24
+ kimiCodeBaseUrl,
25
+ kimiCodingHeaders,
26
+ log,
27
+ loginAnthropic,
28
+ loginGemini,
29
+ loginKimi,
30
+ loginOpenAI,
31
+ openLog,
32
+ refreshAnthropicToken,
33
+ refreshGeminiToken,
34
+ refreshKimiToken,
35
+ refreshOpenAIToken,
36
+ registerLogCleanup,
37
+ usesOpenAICodexTransport,
38
+ withFileLock
39
+ } from "./chunk-IFKGCWX2.js";
13
40
  import {
14
41
  getAppPaths
15
42
  } from "./chunk-KQJNZC6A.js";
@@ -40,7 +67,7 @@ function isAnthropicOpus48Or47Model(provider, model) {
40
67
  return provider === "anthropic" && /opus-4-8|opus-4-7/.test(model);
41
68
  }
42
69
  function isAnthropicAdaptiveModel(provider, model) {
43
- return provider === "anthropic" && /opus-4-8|opus-4-7|opus-4-6|sonnet-4-6|fable-5|mythos-5/.test(model);
70
+ return provider === "anthropic" && /opus-4-8|opus-4-7|opus-4-6|sonnet-5|fable-5|mythos-5/.test(model);
44
71
  }
45
72
  function getSupportedThinkingLevels(provider, model) {
46
73
  const maxLevel = getMaxThinkingLevel(model);
@@ -75,1330 +102,6 @@ function getNextThinkingLevel(provider, model, current) {
75
102
  return supportedLevels[index + 1];
76
103
  }
77
104
 
78
- // src/logger.ts
79
- import fs from "fs";
80
- import path from "path";
81
- import { randomBytes } from "crypto";
82
- var MAX_BYTES = 10 * 1024 * 1024;
83
- var fd = null;
84
- var sessionId = "";
85
- var appName = "app";
86
- var cleanups = [];
87
- function rotateIfNeeded(filePath) {
88
- try {
89
- const st = fs.statSync(filePath);
90
- if (st.size < MAX_BYTES) return;
91
- const rotated = `${filePath}.1`;
92
- try {
93
- fs.unlinkSync(rotated);
94
- } catch {
95
- }
96
- fs.renameSync(filePath, rotated);
97
- } catch {
98
- }
99
- }
100
- function openLog(filePath, name) {
101
- if (fd !== null) return false;
102
- appName = name;
103
- try {
104
- fs.mkdirSync(path.dirname(filePath), { recursive: true, mode: 448 });
105
- } catch {
106
- }
107
- rotateIfNeeded(filePath);
108
- try {
109
- fd = fs.openSync(filePath, "a");
110
- } catch {
111
- return false;
112
- }
113
- sessionId = randomBytes(4).toString("hex");
114
- try {
115
- fs.writeSync(fd, "\n");
116
- } catch {
117
- }
118
- return true;
119
- }
120
- function getSessionId() {
121
- return sessionId;
122
- }
123
- function isLoggerOpen() {
124
- return fd !== null;
125
- }
126
- function log(level, category, message, data) {
127
- if (fd === null) return;
128
- const ts = (/* @__PURE__ */ new Date()).toISOString();
129
- let line = `[${ts}] [sid=${sessionId}] [${level}] [${category}] ${message}`;
130
- if (data) {
131
- const pairs = Object.entries(data).map(([k, v]) => `${k}=${typeof v === "string" ? v : JSON.stringify(v)}`).join(" ");
132
- if (pairs) line += ` ${pairs}`;
133
- }
134
- line += "\n";
135
- try {
136
- fs.writeSync(fd, line);
137
- } catch {
138
- }
139
- }
140
- function registerLogCleanup(fn) {
141
- cleanups.push(fn);
142
- }
143
- function closeLogger(opts) {
144
- if (fd === null) return;
145
- if (opts?.shutdownLine !== false) log("INFO", "shutdown", `${appName} shutting down`);
146
- try {
147
- fs.closeSync(fd);
148
- } catch {
149
- }
150
- fd = null;
151
- for (const unsub of cleanups) unsub();
152
- cleanups = [];
153
- }
154
-
155
- // src/file-lock.ts
156
- import fs2 from "fs/promises";
157
- import { setTimeout as setTimeout2 } from "timers/promises";
158
- var STALE_TIMEOUT_MS = 1e4;
159
- var RETRY_INTERVAL_MS = 50;
160
- var MAX_WAIT_MS = 5e3;
161
- async function withFileLock(filePath, fn) {
162
- const lockPath = filePath + ".lock";
163
- await acquireLock(lockPath);
164
- try {
165
- return await fn();
166
- } finally {
167
- await releaseLock(lockPath);
168
- }
169
- }
170
- async function acquireLock(lockPath) {
171
- const startTime = Date.now();
172
- while (true) {
173
- try {
174
- const info = { pid: process.pid, timestamp: Date.now() };
175
- await fs2.writeFile(lockPath, JSON.stringify(info), { flag: "wx" });
176
- return;
177
- } catch (err) {
178
- if (err.code !== "EEXIST") throw err;
179
- try {
180
- const content = await fs2.readFile(lockPath, "utf-8");
181
- const info = JSON.parse(content);
182
- const isProcessAlive = isAlive(info.pid);
183
- const isStale = Date.now() - info.timestamp > STALE_TIMEOUT_MS;
184
- if (!isProcessAlive || isStale) {
185
- await fs2.unlink(lockPath).catch(() => {
186
- });
187
- continue;
188
- }
189
- } catch {
190
- await fs2.unlink(lockPath).catch(() => {
191
- });
192
- continue;
193
- }
194
- if (Date.now() - startTime > MAX_WAIT_MS) {
195
- await fs2.unlink(lockPath).catch(() => {
196
- });
197
- continue;
198
- }
199
- await setTimeout2(RETRY_INTERVAL_MS);
200
- }
201
- }
202
- }
203
- async function releaseLock(lockPath) {
204
- await fs2.unlink(lockPath).catch(() => {
205
- });
206
- }
207
- function isAlive(pid) {
208
- try {
209
- process.kill(pid, 0);
210
- return true;
211
- } catch (err) {
212
- if (err.code === "EPERM") return true;
213
- return false;
214
- }
215
- }
216
-
217
- // src/claude-code-version.ts
218
- import fs3 from "fs/promises";
219
- import path2 from "path";
220
- var NPM_LATEST_URL = "https://registry.npmjs.org/@anthropic-ai/claude-code/latest";
221
- var CACHE_TTL_MS = 24 * 60 * 60 * 1e3;
222
- var FETCH_TIMEOUT_MS = 3e3;
223
- var FALLBACK_VERSION = "2.1.88";
224
- var memoryCache = null;
225
- var inflight = null;
226
- function cachePath() {
227
- return path2.join(getAppPaths().agentDir, "claude-code-version.json");
228
- }
229
- async function readDiskCache() {
230
- try {
231
- const raw = await fs3.readFile(cachePath(), "utf-8");
232
- const parsed = JSON.parse(raw);
233
- if (typeof parsed.version === "string" && typeof parsed.fetchedAt === "number") {
234
- return parsed;
235
- }
236
- return null;
237
- } catch {
238
- return null;
239
- }
240
- }
241
- async function writeDiskCache(data) {
242
- try {
243
- await fs3.mkdir(getAppPaths().agentDir, { recursive: true, mode: 448 });
244
- await fs3.writeFile(cachePath(), JSON.stringify(data), { mode: 384 });
245
- } catch (err) {
246
- log(
247
- "WARN",
248
- "claude-code-version",
249
- `Failed to write cache: ${err instanceof Error ? err.message : String(err)}`
250
- );
251
- }
252
- }
253
- async function fetchLatest() {
254
- const controller = new AbortController();
255
- const timer = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
256
- try {
257
- const response = await fetch(NPM_LATEST_URL, { signal: controller.signal });
258
- if (!response.ok) return null;
259
- const data = await response.json();
260
- if (typeof data.version === "string" && /^\d/.test(data.version)) {
261
- return data.version;
262
- }
263
- return null;
264
- } catch {
265
- return null;
266
- } finally {
267
- clearTimeout(timer);
268
- }
269
- }
270
- async function getClaudeCodeVersion() {
271
- if (memoryCache && Date.now() < memoryCache.expiresAt) {
272
- return memoryCache.version;
273
- }
274
- if (inflight) return inflight;
275
- inflight = (async () => {
276
- const disk = await readDiskCache();
277
- const diskFresh = disk && Date.now() - disk.fetchedAt < CACHE_TTL_MS;
278
- if (disk && diskFresh) {
279
- memoryCache = { version: disk.version, expiresAt: Date.now() + CACHE_TTL_MS };
280
- return disk.version;
281
- }
282
- const fetched = await fetchLatest();
283
- if (fetched) {
284
- await writeDiskCache({ version: fetched, fetchedAt: Date.now() });
285
- memoryCache = { version: fetched, expiresAt: Date.now() + CACHE_TTL_MS };
286
- return fetched;
287
- }
288
- const resolved = disk?.version ?? FALLBACK_VERSION;
289
- memoryCache = { version: resolved, expiresAt: Date.now() + 5 * 60 * 1e3 };
290
- log(
291
- "WARN",
292
- "claude-code-version",
293
- `Failed to fetch latest Claude Code version; using ${resolved}`
294
- );
295
- return resolved;
296
- })();
297
- try {
298
- return await inflight;
299
- } finally {
300
- inflight = null;
301
- }
302
- }
303
- async function getClaudeCliUserAgent() {
304
- const version = await getClaudeCodeVersion();
305
- return `claude-cli/${version} (external, cli)`;
306
- }
307
-
308
- // src/auth-storage.ts
309
- import fs4 from "fs/promises";
310
- import crypto5 from "crypto";
311
-
312
- // src/oauth/anthropic.ts
313
- import crypto2 from "crypto";
314
-
315
- // src/oauth/pkce.ts
316
- function base64urlEncode(bytes) {
317
- let binary = "";
318
- for (const byte of bytes) {
319
- binary += String.fromCharCode(byte);
320
- }
321
- return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
322
- }
323
- async function generatePKCE() {
324
- const verifierBytes = new Uint8Array(32);
325
- crypto.getRandomValues(verifierBytes);
326
- const verifier = base64urlEncode(verifierBytes);
327
- const data = new TextEncoder().encode(verifier);
328
- const hashBuffer = await crypto.subtle.digest("SHA-256", data);
329
- const challenge = base64urlEncode(new Uint8Array(hashBuffer));
330
- return { verifier, challenge };
331
- }
332
-
333
- // src/oauth/anthropic.ts
334
- var CLIENT_ID = atob("OWQxYzI1MGEtZTYxYi00NGQ5LTg4ZWQtNTk0NGQxOTYyZjVl");
335
- var AUTHORIZE_URL = "https://claude.ai/oauth/authorize";
336
- var TOKEN_URLS = [
337
- "https://platform.claude.com/v1/oauth/token",
338
- "https://console.anthropic.com/v1/oauth/token"
339
- ];
340
- var REDIRECT_URI = "https://platform.claude.com/oauth/code/callback";
341
- var SCOPES = "org:create_api_key user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload";
342
- async function postTokenRequest(body, label) {
343
- const encoded = JSON.stringify(body);
344
- const headers = {
345
- "Content-Type": "application/json",
346
- "User-Agent": await getClaudeCliUserAgent(),
347
- "anthropic-beta": "oauth-2025-04-20"
348
- };
349
- let lastError = null;
350
- for (const url of TOKEN_URLS) {
351
- let response;
352
- try {
353
- response = await fetch(url, { method: "POST", headers, body: encoded });
354
- } catch (err) {
355
- lastError = err instanceof Error ? err : new Error(String(err));
356
- continue;
357
- }
358
- if (response.ok) {
359
- return await response.json();
360
- }
361
- const text = await response.text();
362
- if (response.status >= 400 && response.status < 500) {
363
- throw new Error(`Anthropic ${label} failed (${response.status}): ${text}`);
364
- }
365
- lastError = new Error(`Anthropic ${label} failed (${response.status}): ${text}`);
366
- }
367
- throw lastError ?? new Error(`Anthropic ${label} failed: all endpoints unreachable`);
368
- }
369
- function toCredentials(data) {
370
- return {
371
- accessToken: data.access_token,
372
- refreshToken: data.refresh_token,
373
- expiresAt: Date.now() + data.expires_in * 1e3 - 5 * 60 * 1e3
374
- };
375
- }
376
- async function loginAnthropic(callbacks) {
377
- const { verifier, challenge } = await generatePKCE();
378
- const state = crypto2.randomBytes(16).toString("hex");
379
- const params = new URLSearchParams({
380
- code: "true",
381
- client_id: CLIENT_ID,
382
- response_type: "code",
383
- redirect_uri: REDIRECT_URI,
384
- scope: SCOPES,
385
- code_challenge: challenge,
386
- code_challenge_method: "S256",
387
- state
388
- });
389
- const authUrl = `${AUTHORIZE_URL}?${params}`;
390
- callbacks.onOpenUrl(authUrl);
391
- const raw = await callbacks.onPromptCode("Paste the code from the browser (format: code#state):");
392
- const parts = raw.trim().split("#");
393
- if (parts.length !== 2 || !parts[0] || parts[1] !== state) {
394
- throw new Error("Invalid code or state mismatch. Please try again.");
395
- }
396
- return exchangeAnthropicCode(parts[0], parts[1], verifier);
397
- }
398
- async function exchangeAnthropicCode(code, state, verifier) {
399
- const data = await postTokenRequest(
400
- {
401
- grant_type: "authorization_code",
402
- client_id: CLIENT_ID,
403
- code,
404
- state,
405
- redirect_uri: REDIRECT_URI,
406
- code_verifier: verifier
407
- },
408
- "token exchange"
409
- );
410
- return toCredentials(data);
411
- }
412
- async function refreshAnthropicToken(refreshToken) {
413
- const data = await postTokenRequest(
414
- {
415
- grant_type: "refresh_token",
416
- client_id: CLIENT_ID,
417
- refresh_token: refreshToken
418
- },
419
- "token refresh"
420
- );
421
- return toCredentials(data);
422
- }
423
-
424
- // src/oauth/openai.ts
425
- import http from "http";
426
- import crypto3 from "crypto";
427
- var CLIENT_ID2 = "app_EMoamEEZ73f0CkXaXp7hrann";
428
- var AUTHORIZE_URL2 = "https://auth.openai.com/oauth/authorize";
429
- var TOKEN_URL = "https://auth.openai.com/oauth/token";
430
- var REDIRECT_URI2 = "http://localhost:1455/auth/callback";
431
- var SCOPE = "openid profile email offline_access api.connectors.read api.connectors.invoke";
432
- var JWT_CLAIM_PATH = "https://api.openai.com/auth";
433
- async function loginOpenAI(callbacks) {
434
- const { verifier, challenge } = await generatePKCE();
435
- const state = crypto3.randomBytes(16).toString("hex");
436
- const url = new URL(AUTHORIZE_URL2);
437
- url.searchParams.set("response_type", "code");
438
- url.searchParams.set("client_id", CLIENT_ID2);
439
- url.searchParams.set("redirect_uri", REDIRECT_URI2);
440
- url.searchParams.set("scope", SCOPE);
441
- url.searchParams.set("code_challenge", challenge);
442
- url.searchParams.set("code_challenge_method", "S256");
443
- url.searchParams.set("state", state);
444
- url.searchParams.set("prompt", "login");
445
- url.searchParams.set("id_token_add_organizations", "true");
446
- url.searchParams.set("codex_cli_simplified_flow", "true");
447
- url.searchParams.set("originator", "ggcoder");
448
- let code;
449
- try {
450
- code = await loginWithServer(url.toString(), state, callbacks);
451
- } catch {
452
- callbacks.onOpenUrl(url.toString());
453
- const raw = await callbacks.onPromptCode(
454
- "Could not start local server. Paste the callback URL or code from the browser:"
455
- );
456
- const parsed = parseAuthorizationInput(raw);
457
- if (!parsed.code) {
458
- throw new Error("No authorization code found in input.");
459
- }
460
- code = parsed.code;
461
- }
462
- const creds = await exchangeOpenAICode(code, verifier);
463
- const accountId = getAccountId(creds.accessToken);
464
- if (!accountId) {
465
- throw new Error("Failed to extract accountId from OpenAI token.");
466
- }
467
- creds.accountId = accountId;
468
- return creds;
469
- }
470
- function parseAuthorizationInput(input) {
471
- const value = input.trim();
472
- if (!value) return {};
473
- try {
474
- const url = new URL(value);
475
- return {
476
- code: url.searchParams.get("code") ?? void 0,
477
- state: url.searchParams.get("state") ?? void 0
478
- };
479
- } catch {
480
- }
481
- if (value.includes("#")) {
482
- const [code, state] = value.split("#", 2);
483
- return { code, state };
484
- }
485
- if (value.includes("code=")) {
486
- const params = new URLSearchParams(value);
487
- return {
488
- code: params.get("code") ?? void 0,
489
- state: params.get("state") ?? void 0
490
- };
491
- }
492
- return { code: value };
493
- }
494
- function decodeJwt(token) {
495
- try {
496
- const parts = token.split(".");
497
- if (parts.length !== 3) return null;
498
- const decoded = atob(parts[1]);
499
- return JSON.parse(decoded);
500
- } catch {
501
- return null;
502
- }
503
- }
504
- function getAccountId(accessToken) {
505
- const payload = decodeJwt(accessToken);
506
- const auth = payload?.[JWT_CLAIM_PATH];
507
- const accountId = auth?.chatgpt_account_id;
508
- return typeof accountId === "string" && accountId.length > 0 ? accountId : null;
509
- }
510
- async function loginWithServer(authUrl, expectedState, callbacks) {
511
- return new Promise((resolve, reject) => {
512
- let receivedCode = null;
513
- const server = http.createServer((req, res) => {
514
- const url = new URL(req.url || "", "http://localhost");
515
- if (url.pathname !== "/auth/callback") {
516
- res.statusCode = 404;
517
- res.end("Not found");
518
- return;
519
- }
520
- if (url.searchParams.get("state") !== expectedState) {
521
- res.statusCode = 400;
522
- res.end("State mismatch");
523
- return;
524
- }
525
- receivedCode = url.searchParams.get("code");
526
- res.writeHead(200, { "Content-Type": "text/html" });
527
- res.end("<html><body><h1>Login successful!</h1><p>You can close this tab.</p></body></html>");
528
- server.close();
529
- });
530
- server.on("error", (err) => {
531
- reject(err);
532
- });
533
- server.listen(1455, "127.0.0.1", () => {
534
- callbacks.onOpenUrl(authUrl);
535
- callbacks.onStatus("Waiting for browser callback...");
536
- });
537
- const timeout = setTimeout(() => {
538
- if (!receivedCode) {
539
- server.close();
540
- }
541
- }, 12e4);
542
- timeout.unref();
543
- server.on("close", () => {
544
- clearTimeout(timeout);
545
- if (receivedCode) {
546
- resolve(receivedCode);
547
- } else {
548
- reject(new Error("Server closed without receiving code"));
549
- }
550
- });
551
- });
552
- }
553
- async function exchangeOpenAICode(code, verifier) {
554
- const response = await fetch(TOKEN_URL, {
555
- method: "POST",
556
- headers: { "Content-Type": "application/x-www-form-urlencoded" },
557
- body: new URLSearchParams({
558
- grant_type: "authorization_code",
559
- client_id: CLIENT_ID2,
560
- code,
561
- redirect_uri: REDIRECT_URI2,
562
- code_verifier: verifier
563
- })
564
- });
565
- if (!response.ok) {
566
- const text = await response.text();
567
- throw new Error(`OpenAI token exchange failed (${response.status}): ${text}`);
568
- }
569
- const data = await response.json();
570
- return {
571
- accessToken: data.access_token,
572
- refreshToken: data.refresh_token,
573
- expiresAt: Date.now() + data.expires_in * 1e3
574
- };
575
- }
576
- async function refreshOpenAIToken(refreshToken) {
577
- const response = await fetch(TOKEN_URL, {
578
- method: "POST",
579
- headers: { "Content-Type": "application/x-www-form-urlencoded" },
580
- body: new URLSearchParams({
581
- grant_type: "refresh_token",
582
- refresh_token: refreshToken,
583
- client_id: CLIENT_ID2
584
- })
585
- });
586
- if (!response.ok) {
587
- const text = await response.text();
588
- throw new Error(`OpenAI token refresh failed (${response.status}): ${text}`);
589
- }
590
- const data = await response.json();
591
- const creds = {
592
- accessToken: data.access_token,
593
- refreshToken: data.refresh_token,
594
- expiresAt: Date.now() + data.expires_in * 1e3
595
- };
596
- const accountId = getAccountId(creds.accessToken);
597
- if (accountId) {
598
- creds.accountId = accountId;
599
- }
600
- return creds;
601
- }
602
-
603
- // src/oauth/gemini.ts
604
- import http2 from "http";
605
- import crypto4 from "crypto";
606
- var CLIENT_ID_ENV = "GGCODER_GEMINI_OAUTH_CLIENT_ID";
607
- var CLIENT_SECRET_ENV = "GGCODER_GEMINI_OAUTH_CLIENT_SECRET";
608
- var DEFAULT_CLIENT_ID = "681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com";
609
- var DEFAULT_CLIENT_SECRET = "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";
610
- var AUTHORIZE_URL3 = "https://accounts.google.com/o/oauth2/v2/auth";
611
- var TOKEN_URL2 = "https://oauth2.googleapis.com/token";
612
- var CODE_ASSIST_BASE_URL = "https://cloudcode-pa.googleapis.com";
613
- var CODE_ASSIST_API_VERSION = "v1internal";
614
- var CODE_ASSIST_POST_RETRIES = 3;
615
- var CODE_ASSIST_POST_RETRY_DELAY_MS = 100;
616
- var SCOPE2 = [
617
- "https://www.googleapis.com/auth/cloud-platform",
618
- "https://www.googleapis.com/auth/userinfo.email",
619
- "https://www.googleapis.com/auth/userinfo.profile"
620
- ].join(" ");
621
- var USER_TIER_FREE = "free-tier";
622
- var USER_TIER_LEGACY = "legacy-tier";
623
- var USER_TIER_STANDARD = "standard-tier";
624
- var VALIDATION_REQUIRED_REASON = "VALIDATION_REQUIRED";
625
- var VPC_SC_REASON = "SECURITY_POLICY_VIOLATED";
626
- var CodeAssistHttpError = class extends Error {
627
- status;
628
- body;
629
- constructor(label, status, body) {
630
- super(`Gemini Code Assist ${label} failed (${status}): ${body}`);
631
- this.name = "CodeAssistHttpError";
632
- this.status = status;
633
- this.body = body;
634
- }
635
- };
636
- async function loginGemini(callbacks) {
637
- const { clientId, clientSecret } = getGeminiOAuthClientCredentials();
638
- const { verifier, challenge } = await generatePKCE();
639
- const state = crypto4.randomBytes(32).toString("hex");
640
- const redirectUri = await getLoopbackRedirectUri();
641
- const url = new URL(AUTHORIZE_URL3);
642
- url.searchParams.set("response_type", "code");
643
- url.searchParams.set("client_id", clientId);
644
- url.searchParams.set("redirect_uri", redirectUri);
645
- url.searchParams.set("scope", SCOPE2);
646
- url.searchParams.set("access_type", "offline");
647
- url.searchParams.set("prompt", "consent");
648
- url.searchParams.set("code_challenge", challenge);
649
- url.searchParams.set("code_challenge_method", "S256");
650
- url.searchParams.set("state", state);
651
- let code;
652
- try {
653
- code = await loginWithServer2(url.toString(), redirectUri, state, callbacks);
654
- } catch {
655
- callbacks.onOpenUrl(url.toString());
656
- const raw = await callbacks.onPromptCode(
657
- "Could not start local server. Paste the callback URL or code from the browser:"
658
- );
659
- const parsed = parseAuthorizationInput2(raw);
660
- if (!parsed.code) {
661
- throw new Error("No authorization code found in input.");
662
- }
663
- if (parsed.state && parsed.state !== state) {
664
- throw new Error("Invalid state. Please try again.");
665
- }
666
- code = parsed.code;
667
- }
668
- const creds = await exchangeGeminiCode(code, verifier, redirectUri, clientId, clientSecret);
669
- callbacks.onStatus("Setting up Gemini Code Assist access...");
670
- const projectId = await setupCodeAssistProject(creds.accessToken, callbacks);
671
- return {
672
- ...creds,
673
- projectId
674
- };
675
- }
676
- async function refreshGeminiToken(refreshToken) {
677
- const { clientId, clientSecret } = getGeminiOAuthClientCredentials();
678
- const data = await postTokenRequest2({
679
- grant_type: "refresh_token",
680
- refresh_token: refreshToken,
681
- client_id: clientId,
682
- client_secret: clientSecret
683
- });
684
- return {
685
- accessToken: data.access_token,
686
- refreshToken: data.refresh_token ?? refreshToken,
687
- expiresAt: Date.now() + data.expires_in * 1e3 - 5 * 60 * 1e3
688
- };
689
- }
690
- function getGeminiOAuthClientCredentials() {
691
- const clientId = process.env[CLIENT_ID_ENV]?.trim() || DEFAULT_CLIENT_ID;
692
- const clientSecret = process.env[CLIENT_SECRET_ENV]?.trim() || DEFAULT_CLIENT_SECRET;
693
- return { clientId, clientSecret };
694
- }
695
- async function getLoopbackRedirectUri() {
696
- return new Promise((resolve, reject) => {
697
- const server = http2.createServer();
698
- server.listen(0, "127.0.0.1", () => {
699
- const addr = server.address();
700
- server.close(() => {
701
- if (addr && typeof addr === "object") {
702
- resolve(`http://127.0.0.1:${addr.port}/oauth2callback`);
703
- } else {
704
- reject(new Error("Failed to allocate OAuth callback port."));
705
- }
706
- });
707
- });
708
- server.on("error", reject);
709
- });
710
- }
711
- function parseAuthorizationInput2(input) {
712
- const value = input.trim();
713
- if (!value) return {};
714
- try {
715
- const url = new URL(value);
716
- return {
717
- code: url.searchParams.get("code") ?? void 0,
718
- state: url.searchParams.get("state") ?? void 0
719
- };
720
- } catch {
721
- }
722
- if (value.includes("code=")) {
723
- const params = new URLSearchParams(value);
724
- return {
725
- code: params.get("code") ?? void 0,
726
- state: params.get("state") ?? void 0
727
- };
728
- }
729
- return { code: value };
730
- }
731
- async function loginWithServer2(authUrl, redirectUri, expectedState, callbacks) {
732
- const redirect = new URL(redirectUri);
733
- const port = Number(redirect.port);
734
- return new Promise((resolve, reject) => {
735
- let receivedCode = null;
736
- const server = http2.createServer((req, res) => {
737
- const url = new URL(req.url || "", redirect.origin);
738
- if (url.pathname !== redirect.pathname) {
739
- res.statusCode = 404;
740
- res.end("Not found");
741
- return;
742
- }
743
- if (url.searchParams.get("state") !== expectedState) {
744
- res.statusCode = 400;
745
- res.end("State mismatch");
746
- return;
747
- }
748
- receivedCode = url.searchParams.get("code");
749
- res.writeHead(200, { "Content-Type": "text/html", Connection: "close" });
750
- res.end("<html><body><h1>Login successful!</h1><p>You can close this tab.</p></body></html>");
751
- server.close();
752
- });
753
- server.on("error", (err) => reject(err));
754
- server.listen(port, "127.0.0.1", () => {
755
- callbacks.onOpenUrl(authUrl);
756
- callbacks.onStatus("Waiting for browser callback...");
757
- });
758
- const timeout = setTimeout(() => {
759
- if (!receivedCode) server.close();
760
- }, 12e4);
761
- timeout.unref();
762
- server.on("close", () => {
763
- clearTimeout(timeout);
764
- if (receivedCode) {
765
- resolve(receivedCode);
766
- } else {
767
- reject(new Error("Server closed without receiving code."));
768
- }
769
- });
770
- });
771
- }
772
- async function exchangeGeminiCode(code, verifier, redirectUri, clientId, clientSecret) {
773
- const data = await postTokenRequest2({
774
- grant_type: "authorization_code",
775
- client_id: clientId,
776
- client_secret: clientSecret,
777
- code,
778
- redirect_uri: redirectUri,
779
- code_verifier: verifier
780
- });
781
- if (!data.refresh_token) {
782
- throw new Error("Gemini OAuth did not return a refresh token. Please try login again.");
783
- }
784
- return {
785
- accessToken: data.access_token,
786
- refreshToken: data.refresh_token,
787
- expiresAt: Date.now() + data.expires_in * 1e3 - 5 * 60 * 1e3
788
- };
789
- }
790
- async function postTokenRequest2(body) {
791
- const response = await fetch(TOKEN_URL2, {
792
- method: "POST",
793
- headers: { "Content-Type": "application/x-www-form-urlencoded" },
794
- body: new URLSearchParams(body)
795
- });
796
- if (!response.ok) {
797
- const text = await response.text();
798
- throw new Error(`Gemini token request failed (${response.status}): ${text}`);
799
- }
800
- return await response.json();
801
- }
802
- async function setupCodeAssistProject(accessToken, callbacks) {
803
- const envProject = process.env.GOOGLE_CLOUD_PROJECT ?? process.env.GOOGLE_CLOUD_PROJECT_ID;
804
- if (envProject && /^\d+$/.test(envProject)) {
805
- throw new Error("GOOGLE_CLOUD_PROJECT must be a project ID, not a numeric project number.");
806
- }
807
- const coreMetadata = {
808
- ideType: "IDE_UNSPECIFIED",
809
- platform: "PLATFORM_UNSPECIFIED",
810
- pluginType: "GEMINI"
811
- };
812
- const projectMetadata = {
813
- ...coreMetadata,
814
- ...envProject ? { duetProject: envProject } : {}
815
- };
816
- let loadRes;
817
- while (true) {
818
- loadRes = await loadCodeAssist(accessToken, envProject, projectMetadata);
819
- const validation = getValidationRequiredTier(loadRes);
820
- if (!validation) break;
821
- callbacks.onStatus(
822
- `Gemini Code Assist requires account validation${validation.reasonMessage ? `: ${validation.reasonMessage}` : ""}`
823
- );
824
- callbacks.onOpenUrl(validation.validationUrl);
825
- const answer = await callbacks.onPromptCode(
826
- "Complete validation in the browser, then press Enter to retry (or type cancel):"
827
- );
828
- if (answer.trim().toLowerCase() === "cancel") {
829
- throw new Error("Gemini Code Assist account validation was cancelled.");
830
- }
831
- }
832
- if (loadRes.currentTier) {
833
- const project2 = loadRes.cloudaicompanionProject ?? envProject;
834
- if (!project2) throwProjectError(loadRes);
835
- return project2;
836
- }
837
- const tier = getOnboardTier(loadRes);
838
- const onboardReq = tier.id === USER_TIER_FREE ? {
839
- tierId: tier.id,
840
- cloudaicompanionProject: void 0,
841
- metadata: coreMetadata
842
- } : {
843
- tierId: tier.id,
844
- cloudaicompanionProject: envProject,
845
- metadata: projectMetadata
846
- };
847
- let operation = await codeAssistPost(
848
- accessToken,
849
- "onboardUser",
850
- onboardReq
851
- );
852
- while (!operation.done && operation.name) {
853
- await new Promise((resolve) => setTimeout(resolve, 5e3));
854
- operation = await codeAssistGet(accessToken, operation.name);
855
- }
856
- const project = operation.response?.cloudaicompanionProject?.id ?? envProject;
857
- if (!project) throwProjectError(loadRes);
858
- return project;
859
- }
860
- async function loadCodeAssist(accessToken, envProject, metadata) {
861
- try {
862
- return await codeAssistPost(accessToken, "loadCodeAssist", {
863
- ...envProject ? { cloudaicompanionProject: envProject } : {},
864
- metadata
865
- });
866
- } catch (err) {
867
- if (err instanceof CodeAssistHttpError && isVpcScAffectedError(err)) {
868
- return { currentTier: { id: USER_TIER_STANDARD } };
869
- }
870
- if (err instanceof CodeAssistHttpError && err.status === 403 && envProject === "cloudshell-gca") {
871
- throw new Error(
872
- "Access to the default Cloud Shell Gemini project was denied.\nPlease set your own Google Cloud project by running:\ngcloud config set project [PROJECT_ID]\nor setting export GOOGLE_CLOUD_PROJECT=...",
873
- { cause: err }
874
- );
875
- }
876
- throw err;
877
- }
878
- }
879
- function getValidationRequiredTier(response) {
880
- return response.ineligibleTiers?.find(
881
- (tier) => tier.reasonCode === VALIDATION_REQUIRED_REASON && typeof tier.validationUrl === "string"
882
- );
883
- }
884
- function getOnboardTier(response) {
885
- const defaultTier = response.allowedTiers?.find((tier) => tier.isDefault);
886
- return defaultTier ?? { id: USER_TIER_LEGACY, name: "" };
887
- }
888
- function throwProjectError(response) {
889
- const reasons = response.ineligibleTiers?.map((tier) => tier.reasonMessage ?? tier.tierName).filter((reason) => Boolean(reason));
890
- if (reasons && reasons.length > 0) {
891
- throw new Error(`Gemini Code Assist setup failed: ${reasons.join(", ")}`);
892
- }
893
- throw new Error(
894
- "Gemini requires a Google Cloud project for this account. Set GOOGLE_CLOUD_PROJECT and try again."
895
- );
896
- }
897
- async function codeAssistPost(accessToken, method, body) {
898
- let lastError;
899
- for (let attempt = 0; attempt <= CODE_ASSIST_POST_RETRIES; attempt++) {
900
- try {
901
- return await codeAssistRequest(getCodeAssistMethodUrl(method), accessToken, method, {
902
- method: "POST",
903
- body: JSON.stringify(body)
904
- });
905
- } catch (err) {
906
- if (!(err instanceof CodeAssistHttpError) || attempt === CODE_ASSIST_POST_RETRIES || !shouldRetryCodeAssistStatus(err.status)) {
907
- throw err;
908
- }
909
- lastError = err;
910
- }
911
- await new Promise((resolve) => setTimeout(resolve, CODE_ASSIST_POST_RETRY_DELAY_MS));
912
- }
913
- throw lastError ?? new Error(`Gemini Code Assist ${method} failed.`);
914
- }
915
- async function codeAssistGet(accessToken, operationName) {
916
- return codeAssistRequest(getCodeAssistOperationUrl(operationName), accessToken, "operation", {
917
- method: "GET"
918
- });
919
- }
920
- async function codeAssistRequest(url, accessToken, label, init) {
921
- const response = await fetch(url, {
922
- ...init,
923
- headers: codeAssistHeaders(accessToken)
924
- });
925
- if (!response.ok) {
926
- const text = await response.text();
927
- throw new CodeAssistHttpError(label, response.status, text);
928
- }
929
- return await response.json();
930
- }
931
- function getCodeAssistBaseUrl() {
932
- const endpoint = process.env.CODE_ASSIST_ENDPOINT ?? CODE_ASSIST_BASE_URL;
933
- const version = process.env.CODE_ASSIST_API_VERSION || CODE_ASSIST_API_VERSION;
934
- return `${endpoint}/${version}`;
935
- }
936
- function getCodeAssistMethodUrl(method) {
937
- return `${getCodeAssistBaseUrl()}:${method}`;
938
- }
939
- function getCodeAssistOperationUrl(operationName) {
940
- return `${getCodeAssistBaseUrl()}/${operationName}`;
941
- }
942
- function shouldRetryCodeAssistStatus(status) {
943
- return status === 429 || status === 499 || status >= 500 && status <= 599;
944
- }
945
- function isVpcScAffectedError(error) {
946
- try {
947
- const parsed = JSON.parse(error.body);
948
- if (!parsed || typeof parsed !== "object" || !("error" in parsed)) return false;
949
- const details = parsed.error?.details;
950
- return Array.isArray(details) ? details.some(
951
- (detail) => detail != null && typeof detail === "object" && "reason" in detail && detail.reason === VPC_SC_REASON
952
- ) : false;
953
- } catch {
954
- return false;
955
- }
956
- }
957
- function codeAssistHeaders(accessToken) {
958
- return {
959
- Authorization: `Bearer ${accessToken}`,
960
- "Content-Type": "application/json",
961
- "User-Agent": "google-gemini-cli",
962
- "X-Goog-Api-Client": "gemini-cli/0.0.0"
963
- };
964
- }
965
-
966
- // src/oauth/kimi.ts
967
- import { execFileSync } from "child_process";
968
- import { randomUUID } from "crypto";
969
- import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
970
- import { arch, hostname, release, type } from "os";
971
- import path3 from "path";
972
- var CLIENT_ID3 = "17e5f671-d194-4dfb-9706-5516cb48c098";
973
- var DEFAULT_OAUTH_HOST = "https://auth.kimi.com";
974
- var DEFAULT_CODING_BASE_URL = "https://api.kimi.com/coding/v1";
975
- var KIMI_PLATFORM = "kimi_code_cli";
976
- var DEFAULT_KIMI_VERSION = "1.0.11";
977
- var DEVICE_TIMEOUT_MS = 15 * 60 * 1e3;
978
- function oauthHost() {
979
- const host = process.env.KIMI_CODE_OAUTH_HOST ?? process.env.KIMI_OAUTH_HOST ?? DEFAULT_OAUTH_HOST;
980
- return host.replace(/\/+$/, "");
981
- }
982
- function kimiCodeBaseUrl() {
983
- return (process.env.KIMI_CODE_BASE_URL ?? DEFAULT_CODING_BASE_URL).replace(/\/+$/, "");
984
- }
985
- function kimiVersion() {
986
- const v = process.env.KIMI_CODE_VERSION ?? DEFAULT_KIMI_VERSION;
987
- return asciiHeader(v, DEFAULT_KIMI_VERSION);
988
- }
989
- function asciiHeader(value, fallback = "unknown") {
990
- const cleaned = value.replace(/[^\u0020-\u007E]/g, "").trim();
991
- return cleaned.length > 0 ? cleaned : fallback;
992
- }
993
- function macOsProductVersion() {
994
- try {
995
- const version = execFileSync("/usr/bin/sw_vers", ["-productVersion"], {
996
- encoding: "utf-8",
997
- timeout: 1e3
998
- }).trim();
999
- return version.length > 0 ? version : void 0;
1000
- } catch {
1001
- return void 0;
1002
- }
1003
- }
1004
- function deviceModel() {
1005
- const os = type();
1006
- const version = release();
1007
- const osArch = arch();
1008
- if (os === "Darwin") return `macOS ${macOsProductVersion() ?? version} ${osArch}`;
1009
- if (os === "Windows_NT") return `Windows ${version} ${osArch}`;
1010
- return `${os} ${version} ${osArch}`.trim();
1011
- }
1012
- function deviceId() {
1013
- const idPath = path3.join(getAppPaths().agentDir, "kimi_device_id");
1014
- if (existsSync(idPath)) {
1015
- try {
1016
- const text = readFileSync(idPath, "utf-8").trim();
1017
- if (text.length > 0) return text;
1018
- } catch {
1019
- }
1020
- }
1021
- const id = randomUUID();
1022
- try {
1023
- mkdirSync(getAppPaths().agentDir, { recursive: true, mode: 448 });
1024
- writeFileSync(idPath, id, { encoding: "utf-8", mode: 384 });
1025
- } catch {
1026
- }
1027
- return id;
1028
- }
1029
- function deviceHeaders() {
1030
- return {
1031
- "X-Msh-Platform": KIMI_PLATFORM,
1032
- "X-Msh-Version": kimiVersion(),
1033
- "X-Msh-Device-Name": asciiHeader(hostname()),
1034
- "X-Msh-Device-Model": asciiHeader(deviceModel()),
1035
- "X-Msh-Os-Version": asciiHeader(release()),
1036
- "X-Msh-Device-Id": deviceId()
1037
- };
1038
- }
1039
- function kimiCodingHeaders() {
1040
- return {
1041
- "User-Agent": `kimi-code-cli/${kimiVersion()}`,
1042
- ...deviceHeaders()
1043
- };
1044
- }
1045
- function isKimiCodingEndpoint(baseUrl) {
1046
- if (typeof baseUrl !== "string" || baseUrl.length === 0) return false;
1047
- const normalized = baseUrl.replace(/\/+$/, "");
1048
- return normalized === kimiCodeBaseUrl() || /(^|\.)kimi\.com/i.test(normalized);
1049
- }
1050
- async function postForm(endpoint, params) {
1051
- const response = await fetch(`${oauthHost()}${endpoint}`, {
1052
- method: "POST",
1053
- headers: {
1054
- ...deviceHeaders(),
1055
- "Content-Type": "application/x-www-form-urlencoded",
1056
- Accept: "application/json"
1057
- },
1058
- body: new URLSearchParams(params).toString()
1059
- });
1060
- let data = {};
1061
- try {
1062
- const parsed = await response.json();
1063
- if (parsed && typeof parsed === "object") data = parsed;
1064
- } catch {
1065
- }
1066
- return { status: response.status, data };
1067
- }
1068
- function errorDetail(data) {
1069
- const desc = data.error_description ?? data.message ?? data.error;
1070
- return typeof desc === "string" && desc.length > 0 ? desc : "unknown error";
1071
- }
1072
- function credsFromTokenResponse(data, opts) {
1073
- const accessToken = data.access_token;
1074
- const responseRefreshToken = data.refresh_token;
1075
- const expiresIn = Number(data.expires_in);
1076
- if (typeof accessToken !== "string" || accessToken.length === 0) {
1077
- throw new Error("Kimi OAuth response missing access_token.");
1078
- }
1079
- const refreshToken = typeof responseRefreshToken === "string" && responseRefreshToken.length > 0 ? responseRefreshToken : opts?.fallbackRefreshToken ?? "";
1080
- if (refreshToken.length === 0) {
1081
- throw new Error("Kimi OAuth response missing refresh_token.");
1082
- }
1083
- if (!Number.isFinite(expiresIn) || expiresIn <= 0) {
1084
- throw new Error("Kimi OAuth response missing or invalid expires_in.");
1085
- }
1086
- return {
1087
- accessToken,
1088
- refreshToken,
1089
- expiresAt: Date.now() + expiresIn * 1e3,
1090
- baseUrl: kimiCodeBaseUrl()
1091
- };
1092
- }
1093
- async function requestDeviceAuthorization() {
1094
- const { status, data } = await postForm("/api/oauth/device_authorization", {
1095
- client_id: CLIENT_ID3
1096
- });
1097
- if (status !== 200) {
1098
- throw new Error(`Kimi device authorization failed (${status}): ${errorDetail(data)}`);
1099
- }
1100
- const userCode = data.user_code;
1101
- const deviceCode = data.device_code;
1102
- const verificationUriComplete = data.verification_uri_complete;
1103
- if (typeof userCode !== "string" || typeof deviceCode !== "string") {
1104
- throw new Error("Kimi device authorization response missing user_code/device_code.");
1105
- }
1106
- return {
1107
- userCode,
1108
- deviceCode,
1109
- verificationUri: typeof data.verification_uri === "string" ? data.verification_uri : "",
1110
- verificationUriComplete: typeof verificationUriComplete === "string" ? verificationUriComplete : "",
1111
- interval: Number(data.interval ?? 5) || 5
1112
- };
1113
- }
1114
- async function pollDeviceToken(deviceCode) {
1115
- const { status, data } = await postForm("/api/oauth/token", {
1116
- client_id: CLIENT_ID3,
1117
- device_code: deviceCode,
1118
- grant_type: "urn:ietf:params:oauth:grant-type:device_code"
1119
- });
1120
- if (status === 200 && typeof data.access_token === "string") {
1121
- return { kind: "success", creds: credsFromTokenResponse(data) };
1122
- }
1123
- if (status >= 500) {
1124
- throw new Error(`Kimi token polling server error (${status}): ${errorDetail(data)}`);
1125
- }
1126
- const errorCode = typeof data.error === "string" ? data.error : "unknown_error";
1127
- switch (errorCode) {
1128
- case "authorization_pending":
1129
- return { kind: "pending" };
1130
- case "slow_down":
1131
- return { kind: "slow_down" };
1132
- case "expired_token":
1133
- return { kind: "expired" };
1134
- case "access_denied":
1135
- return { kind: "denied" };
1136
- default:
1137
- throw new Error(`Kimi token polling failed (${status}): ${errorDetail(data)}`);
1138
- }
1139
- }
1140
- function sleep(ms) {
1141
- return new Promise((resolve) => {
1142
- setTimeout(resolve, ms);
1143
- });
1144
- }
1145
- async function loginKimi(callbacks) {
1146
- const auth = await requestDeviceAuthorization();
1147
- callbacks.onStatus(
1148
- `Visit ${auth.verificationUri || auth.verificationUriComplete} and enter code: ${auth.userCode}`
1149
- );
1150
- callbacks.onOpenUrl(auth.verificationUriComplete || auth.verificationUri);
1151
- callbacks.onStatus("Waiting for you to authorize in the browser...");
1152
- const deadline = Date.now() + DEVICE_TIMEOUT_MS;
1153
- let interval = Math.max(auth.interval, 1);
1154
- while (Date.now() < deadline) {
1155
- await sleep(interval * 1e3);
1156
- const result = await pollDeviceToken(auth.deviceCode);
1157
- if (result.kind === "success") return result.creds;
1158
- if (result.kind === "denied") {
1159
- throw new Error("Kimi authorization was denied.");
1160
- }
1161
- if (result.kind === "expired") {
1162
- throw new Error("Kimi device code expired. Please run login again.");
1163
- }
1164
- if (result.kind === "slow_down") {
1165
- interval += 5;
1166
- }
1167
- }
1168
- throw new Error("Kimi login timed out. Please run login again.");
1169
- }
1170
- async function refreshKimiToken(refreshToken) {
1171
- const { status, data } = await postForm("/api/oauth/token", {
1172
- client_id: CLIENT_ID3,
1173
- grant_type: "refresh_token",
1174
- refresh_token: refreshToken
1175
- });
1176
- if (status === 200 && typeof data.access_token === "string") {
1177
- return credsFromTokenResponse(data, { fallbackRefreshToken: refreshToken });
1178
- }
1179
- const errorCode = typeof data.error === "string" ? data.error : "";
1180
- throw new Error(`Kimi token refresh failed (${status}): ${errorCode || errorDetail(data)}`);
1181
- }
1182
-
1183
- // src/auth-storage.ts
1184
- var MOONSHOT_OAUTH_KEY = "moonshot-oauth";
1185
- var REFRESH_SKEW_MS = 6e4;
1186
- var STATIC_API_KEY_PROVIDERS = /* @__PURE__ */ new Set([
1187
- "glm",
1188
- "moonshot",
1189
- "xiaomi",
1190
- "minimax",
1191
- "deepseek",
1192
- "openrouter",
1193
- "sakana"
1194
- ]);
1195
- var AuthStorage = class {
1196
- data = {};
1197
- filePath;
1198
- loaded = false;
1199
- /** Per-provider lock to serialize concurrent refresh calls. */
1200
- refreshLocks = /* @__PURE__ */ new Map();
1201
- constructor(filePath) {
1202
- this.filePath = filePath ?? getAppPaths().authFile;
1203
- }
1204
- /** Path to the on-disk auth file. Useful for status output. */
1205
- get path() {
1206
- return this.filePath;
1207
- }
1208
- /** List provider keys with stored credentials. */
1209
- async listProviders() {
1210
- await this.ensureLoaded();
1211
- return Object.keys(this.data);
1212
- }
1213
- /** True if credentials exist for `provider`. */
1214
- async hasCredentials(provider) {
1215
- await this.ensureLoaded();
1216
- return Boolean(this.data[provider]);
1217
- }
1218
- /**
1219
- * True if the user has any usable auth for the logical provider. For
1220
- * `moonshot` this is satisfied by either the Kimi OAuth credential or the
1221
- * Moonshot API key.
1222
- */
1223
- async hasProviderAuth(provider) {
1224
- await this.ensureLoaded();
1225
- if (provider === "moonshot") {
1226
- return Boolean(this.data[MOONSHOT_OAUTH_KEY] || this.data["moonshot"]);
1227
- }
1228
- return Boolean(this.data[provider]);
1229
- }
1230
- /**
1231
- * True if the active credential for `provider` is a static API key with no
1232
- * refresh mechanism. For `moonshot` this is only true when the Kimi OAuth
1233
- * credential is absent (a present OAuth credential is refreshable).
1234
- */
1235
- async isStaticApiKey(provider) {
1236
- await this.ensureLoaded();
1237
- if (provider === "moonshot" && this.data[MOONSHOT_OAUTH_KEY]) {
1238
- return false;
1239
- }
1240
- return STATIC_API_KEY_PROVIDERS.has(provider);
1241
- }
1242
- async load() {
1243
- await withFileLock(this.filePath, async () => {
1244
- try {
1245
- const content = await fs4.readFile(this.filePath, "utf-8");
1246
- this.data = JSON.parse(content);
1247
- log("INFO", "auth", `Loaded credentials from ${this.filePath}`, {
1248
- providers: Object.keys(this.data).join(",") || "(none)"
1249
- });
1250
- } catch (err) {
1251
- this.data = {};
1252
- const code = err.code;
1253
- if (code === "ENOENT") {
1254
- log("INFO", "auth", `No auth file found at ${this.filePath} (first run)`);
1255
- } else {
1256
- log(
1257
- "ERROR",
1258
- "auth",
1259
- `Failed to load auth file: ${err instanceof Error ? err.message : String(err)}`,
1260
- { path: this.filePath, code: code ?? "unknown" }
1261
- );
1262
- }
1263
- }
1264
- });
1265
- this.loaded = true;
1266
- }
1267
- async ensureLoaded() {
1268
- if (!this.loaded) await this.load();
1269
- }
1270
- async getCredentials(provider) {
1271
- await this.ensureLoaded();
1272
- return this.data[provider];
1273
- }
1274
- async setCredentials(provider, creds) {
1275
- await this.ensureLoaded();
1276
- this.data[provider] = creds;
1277
- await this.save();
1278
- }
1279
- async clearCredentials(provider) {
1280
- await this.ensureLoaded();
1281
- delete this.data[provider];
1282
- await this.save();
1283
- }
1284
- async clearAll() {
1285
- this.data = {};
1286
- await this.save();
1287
- }
1288
- /**
1289
- * Returns valid credentials, auto-refreshing if expired.
1290
- * If `forceRefresh` is true, refreshes even if the token hasn't expired
1291
- * (useful when the provider rejects a token with 401 before its stored expiry).
1292
- * Throws if not logged in.
1293
- */
1294
- async resolveCredentials(provider, opts) {
1295
- await this.ensureLoaded();
1296
- if (provider === "moonshot" && this.data[MOONSHOT_OAUTH_KEY]) {
1297
- try {
1298
- return await this.resolveCredentials(MOONSHOT_OAUTH_KEY, opts);
1299
- } catch (err) {
1300
- if (err instanceof NotLoggedInError && this.data["moonshot"]) {
1301
- log(
1302
- "WARN",
1303
- "auth",
1304
- 'Kimi OAuth credential is no longer valid \u2014 falling back to the Moonshot API key. Run "ggcoder login" and choose Kimi OAuth to restore OAuth auth.'
1305
- );
1306
- return this.data["moonshot"];
1307
- }
1308
- throw err;
1309
- }
1310
- }
1311
- const creds = this.data[provider];
1312
- if (!creds) {
1313
- throw new NotLoggedInError(provider);
1314
- }
1315
- if (STATIC_API_KEY_PROVIDERS.has(provider)) {
1316
- return creds;
1317
- }
1318
- if (!opts?.forceRefresh && Date.now() < creds.expiresAt - REFRESH_SKEW_MS) {
1319
- return creds;
1320
- }
1321
- const existing = this.refreshLocks.get(provider);
1322
- if (existing) return existing;
1323
- const refreshPromise = withFileLock(this.filePath, async () => {
1324
- try {
1325
- const content = await fs4.readFile(this.filePath, "utf-8");
1326
- const freshData = JSON.parse(content);
1327
- const freshCreds = freshData[provider];
1328
- if (freshCreds && !opts?.forceRefresh && Date.now() < freshCreds.expiresAt - REFRESH_SKEW_MS) {
1329
- this.data[provider] = freshCreds;
1330
- return freshCreds;
1331
- }
1332
- } catch {
1333
- }
1334
- const refreshFn = provider === "anthropic" ? refreshAnthropicToken : provider === "gemini" ? refreshGeminiToken : provider === MOONSHOT_OAUTH_KEY ? refreshKimiToken : refreshOpenAIToken;
1335
- let refreshed;
1336
- try {
1337
- refreshed = await refreshFn(creds.refreshToken);
1338
- } catch (err) {
1339
- const msg = err instanceof Error ? err.message : String(err);
1340
- const isAuthFailure = /\((401|400)\)/.test(msg) || /invalid_grant|invalid_token|invalid.*refresh/i.test(msg) || /unauthorized/i.test(msg);
1341
- if (isAuthFailure) {
1342
- delete this.data[provider];
1343
- await atomicWriteFile(this.filePath, JSON.stringify(this.data, null, 2));
1344
- throw new NotLoggedInError(provider);
1345
- }
1346
- throw err;
1347
- }
1348
- if (!refreshed.accountId && creds.accountId) {
1349
- refreshed.accountId = creds.accountId;
1350
- }
1351
- if (!refreshed.projectId && creds.projectId) {
1352
- refreshed.projectId = creds.projectId;
1353
- }
1354
- if (!refreshed.baseUrl && creds.baseUrl) {
1355
- refreshed.baseUrl = creds.baseUrl;
1356
- }
1357
- this.data[provider] = refreshed;
1358
- await atomicWriteFile(this.filePath, JSON.stringify(this.data, null, 2));
1359
- return refreshed;
1360
- });
1361
- this.refreshLocks.set(provider, refreshPromise);
1362
- try {
1363
- return await refreshPromise;
1364
- } finally {
1365
- this.refreshLocks.delete(provider);
1366
- }
1367
- }
1368
- /**
1369
- * Returns a valid access token, auto-refreshing if expired.
1370
- * Throws if not logged in.
1371
- */
1372
- async resolveToken(provider) {
1373
- const creds = await this.resolveCredentials(provider);
1374
- return creds.accessToken;
1375
- }
1376
- async save() {
1377
- await withFileLock(this.filePath, async () => {
1378
- await atomicWriteFile(this.filePath, JSON.stringify(this.data, null, 2));
1379
- });
1380
- }
1381
- };
1382
- async function atomicWriteFile(filePath, content) {
1383
- const tmpPath = `${filePath}.${process.pid}.${Date.now()}.${crypto5.randomUUID().slice(0, 8)}.tmp`;
1384
- try {
1385
- await fs4.writeFile(tmpPath, content, { encoding: "utf-8", mode: 384 });
1386
- await fs4.rename(tmpPath, filePath);
1387
- } catch (err) {
1388
- await fs4.unlink(tmpPath).catch(() => {
1389
- });
1390
- throw err;
1391
- }
1392
- }
1393
- var NotLoggedInError = class extends Error {
1394
- provider;
1395
- constructor(provider) {
1396
- super(`Not logged in to ${provider}. Run "ggcoder login" to authenticate.`);
1397
- this.name = "NotLoggedInError";
1398
- this.provider = provider;
1399
- }
1400
- };
1401
-
1402
105
  // src/telegram.ts
1403
106
  var TELEGRAM_API = "https://api.telegram.org";
1404
107
  var MAX_MESSAGE_LENGTH = 4096;
@@ -1452,7 +155,7 @@ var TelegramBot = class {
1452
155
  } catch (err) {
1453
156
  if (!this.running) break;
1454
157
  console.error(`[telegram] Poll error: ${err instanceof Error ? err.message : err}`);
1455
- await sleep2(3e3);
158
+ await sleep(3e3);
1456
159
  }
1457
160
  }
1458
161
  }
@@ -1622,7 +325,7 @@ function splitMessage(text) {
1622
325
  }
1623
326
  return chunks;
1624
327
  }
1625
- function sleep2(ms) {
328
+ function sleep(ms) {
1626
329
  return new Promise((r) => setTimeout(r, ms));
1627
330
  }
1628
331
 
@@ -1708,10 +411,10 @@ async function transcribeVoice(fileUrl) {
1708
411
 
1709
412
  // src/auto-update.ts
1710
413
  import { spawn } from "child_process";
1711
- import fs5 from "fs";
1712
- import path4 from "path";
414
+ import fs from "fs";
415
+ import path from "path";
1713
416
  var CHECK_INTERVAL_MS = 60 * 60 * 1e3;
1714
- var FETCH_TIMEOUT_MS2 = 1e4;
417
+ var FETCH_TIMEOUT_MS = 1e4;
1715
418
  function compareVersions(a, b) {
1716
419
  const pa = a.split(".").map(Number);
1717
420
  const pb = b.split(".").map(Number);
@@ -1742,7 +445,7 @@ function createAutoUpdater(config) {
1742
445
  }
1743
446
  function readState() {
1744
447
  try {
1745
- const raw = fs5.readFileSync(stateFilePath(), "utf-8");
448
+ const raw = fs.readFileSync(stateFilePath(), "utf-8");
1746
449
  return JSON.parse(raw);
1747
450
  } catch {
1748
451
  return null;
@@ -1751,8 +454,8 @@ function createAutoUpdater(config) {
1751
454
  function writeState(state) {
1752
455
  try {
1753
456
  const filePath = stateFilePath();
1754
- fs5.mkdirSync(path4.dirname(filePath), { recursive: true, mode: 448 });
1755
- fs5.writeFileSync(filePath, JSON.stringify(state));
457
+ fs.mkdirSync(path.dirname(filePath), { recursive: true, mode: 448 });
458
+ fs.writeFileSync(filePath, JSON.stringify(state));
1756
459
  } catch {
1757
460
  }
1758
461
  }
@@ -1781,7 +484,7 @@ function createAutoUpdater(config) {
1781
484
  async function fetchLatestVersion() {
1782
485
  try {
1783
486
  const controller = new AbortController();
1784
- const timeout = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS2);
487
+ const timeout = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
1785
488
  const response = await fetch(REGISTRY_URL, { signal: controller.signal });
1786
489
  clearTimeout(timeout);
1787
490
  const data = await response.json();
@@ -1881,12 +584,15 @@ export {
1881
584
  MOONSHOT_OAUTH_KEY,
1882
585
  NotLoggedInError,
1883
586
  TelegramBot,
587
+ XIAOMI_CREDITS_KEY,
1884
588
  closeLogger,
1885
589
  createAutoUpdater,
1886
590
  decodeOggOpus,
1887
591
  downmixToMono,
1888
592
  generatePKCE,
1889
593
  getAppPaths,
594
+ getAuthStorageKey,
595
+ getAuthStorageKeys,
1890
596
  getClaudeCliUserAgent,
1891
597
  getClaudeCodeVersion,
1892
598
  getContextWindow,