@kervnet/opencode-kiro-auth 1.5.1

package/README.md

@@ -0,0 +1,159 @@
+# OpenCode Kiro Auth Plugin
+
+[![npm version](https://img.shields.io/npm/v/@zhafron/opencode-kiro-auth)](https://www.npmjs.com/package/@zhafron/opencode-kiro-auth)
+[![npm downloads](https://img.shields.io/npm/dm/@zhafron/opencode-kiro-auth)](https://www.npmjs.com/package/@zhafron/opencode-kiro-auth)
+[![license](https://img.shields.io/npm/l/@zhafron/opencode-kiro-auth)](https://www.npmjs.com/package/@zhafron/opencode-kiro-auth)
+
+OpenCode plugin for AWS Kiro (CodeWhisperer) providing access to Claude Sonnet and Haiku models with substantial trial quotas.
+
+## Features
+
+- **Multiple Auth Methods**: Supports AWS Builder ID (IDC), Kiro Desktop (CLI-based), and AWS SSO authentication.
+- **Auto-Sync Kiro CLI**: Automatically imports and synchronizes active sessions from your local `kiro-cli` SQLite database.
+- **Auto-Sync AWS SSO**: Automatically imports credentials from `~/.aws/sso/cache` for seamless integration with AWS profiles.
+- **Gradual Context Truncation**: Intelligently prevents error 400 by reducing context size dynamically during retries.
+- **Intelligent Account Rotation**: Prioritizes multi-account usage based on lowest available quota.
+- **High-Performance Storage**: Efficient account and usage management using native Bun SQLite.
+- **Native Thinking Mode**: Full support for Claude reasoning capabilities via virtual model mappings.
+- **Automated Recovery**: Exponential backoff for rate limits and automated token refresh.
+
+## Installation
+
+Add the plugin to your `opencode.json` or `opencode.jsonc`:
+
+```json
+{
+  "plugin": ["@zhafron/opencode-kiro-auth"],
+  "provider": {
+    "kiro": {
+      "models": {
+        "claude-sonnet-4-5": {
+          "name": "Claude Sonnet 4.5",
+          "limit": { "context": 200000, "output": 64000 },
+          "modalities": { "input": ["text", "image", "pdf"], "output": ["text"] }
+        },
+        "claude-sonnet-4-5-thinking": {
+          "name": "Claude Sonnet 4.5 Thinking",
+          "limit": { "context": 200000, "output": 64000 },
+          "modalities": { "input": ["text", "image", "pdf"], "output": ["text"] },
+          "variants": {
+            "low": { "thinkingConfig": { "thinkingBudget": 8192 } },
+            "medium": { "thinkingConfig": { "thinkingBudget": 16384 } },
+            "max": { "thinkingConfig": { "thinkingBudget": 32768 } }
+          }
+        },
+        "claude-haiku-4-5": {
+          "name": "Claude Haiku 4.5",
+          "limit": { "context": 200000, "output": 64000 },
+          "modalities": { "input": ["text", "image"], "output": ["text"] }
+        },
+        "claude-opus-4-5": {
+          "name": "Claude Opus 4.5",
+          "limit": { "context": 200000, "output": 64000 },
+          "modalities": { "input": ["text", "image", "pdf"], "output": ["text"] }
+        },
+        "claude-opus-4-5-thinking": {
+          "name": "Claude Opus 4.5 Thinking",
+          "limit": { "context": 200000, "output": 64000 },
+          "modalities": { "input": ["text", "image", "pdf"], "output": ["text"] },
+          "variants": {
+            "low": { "thinkingConfig": { "thinkingBudget": 8192 } },
+            "medium": { "thinkingConfig": { "thinkingBudget": 16384 } },
+            "max": { "thinkingConfig": { "thinkingBudget": 32768 } }
+          }
+        }
+      }
+    }
+  }
+}
+```
+
+## Setup
+
+1. **Authentication via Kiro CLI (Recommended)**:
+   - Perform login directly in your terminal using `kiro-cli login`.
+   - The plugin will automatically detect and import your session on startup.
+   - For AWS IAM Identity Center (SSO/IDC), the plugin imports both the token and device registration (OIDC client credentials) from the `kiro-cli` database.
+2. **Authentication via AWS SSO**:
+   - Ensure you have AWS SSO configured in `~/.aws/config` with active sessions.
+   - The plugin automatically imports credentials from `~/.aws/sso/cache` on startup.
+   - No additional configuration needed - just use your existing AWS SSO profiles.
+3. **Direct Authentication**:
+   - Run `opencode auth login`.
+   - Select `Other`, type `kiro`, and press enter.
+   - Follow the instructions for **AWS Builder ID (IDC)**.
+4. Configuration will be automatically managed at `~/.config/opencode/kiro.db`.
+
+## Troubleshooting
+
+### Error: No accounts
+
+This happens when the plugin has no records in `~/.config/opencode/kiro.db`.
+
+1. Ensure `kiro-cli login` succeeds.
+2. Ensure `auto_sync_kiro_cli` is `true` in `~/.config/opencode/kiro.json`.
+3. Retry the request; the plugin will attempt a Kiro CLI sync when it detects zero accounts.
+
+Note for IDC/SSO (ODIC): the plugin may temporarily create an account with a placeholder email if it cannot fetch the real email during sync (e.g. offline). It will replace it with the real email once usage/email lookup succeeds.
+
+## Configuration
+
+The plugin supports extensive configuration options. Edit `~/.config/opencode/kiro.json`:
+
+```json
+{
+  "auto_sync_kiro_cli": true,
+  "auto_sync_aws_sso": true,
+  "account_selection_strategy": "lowest-usage",
+  "default_region": "us-east-1",
+  "rate_limit_retry_delay_ms": 5000,
+  "rate_limit_max_retries": 3,
+  "max_request_iterations": 20,
+  "request_timeout_ms": 120000,
+  "token_expiry_buffer_ms": 120000,
+  "usage_sync_max_retries": 3,
+  "auth_server_port_start": 19847,
+  "auth_server_port_range": 10,
+  "usage_tracking_enabled": true,
+  "enable_log_api_request": false
+}
+```
+
+### Configuration Options
+
+- `auto_sync_kiro_cli`: Automatically sync sessions from Kiro CLI (default: `true`).
+- `auto_sync_aws_sso`: Automatically sync credentials from AWS SSO cache (default: `true`).
+- `account_selection_strategy`: Account rotation strategy (`sticky`, `round-robin`, `lowest-usage`).
+- `default_region`: AWS region (`us-east-1`, `us-west-2`).
+- `rate_limit_retry_delay_ms`: Delay between rate limit retries (1000-60000ms).
+- `rate_limit_max_retries`: Maximum retry attempts for rate limits (0-10).
+- `max_request_iterations`: Maximum loop iterations to prevent hangs (10-1000).
+- `request_timeout_ms`: Request timeout in milliseconds (60000-600000ms).
+- `token_expiry_buffer_ms`: Token refresh buffer time (30000-300000ms).
+- `usage_sync_max_retries`: Retry attempts for usage sync (0-5).
+- `auth_server_port_start`: Starting port for auth server (1024-65535).
+- `auth_server_port_range`: Number of ports to try (1-100).
+- `usage_tracking_enabled`: Enable usage tracking and toast notifications.
+- `enable_log_api_request`: Enable detailed API request logging.
+
+## Storage
+
+**Linux/macOS:**
+
+- SQLite Database: `~/.config/opencode/kiro.db`
+- Plugin Config: `~/.config/opencode/kiro.json`
+
+**Windows:**
+
+- SQLite Database: `%APPDATA%\opencode\kiro.db`
+- Plugin Config: `%APPDATA%\opencode\kiro.json`
+
+## Acknowledgements
+
+Special thanks to [AIClient-2-API](https://github.com/justlovemaki/AIClient-2-API) for providing the foundational Kiro authentication logic and request patterns.
+
+## Disclaimer
+
+This plugin is provided strictly for learning and educational purposes. It is an independent implementation and is not affiliated with, endorsed by, or supported by Amazon Web Services (AWS) or Anthropic. Use of this plugin is at your own risk.
+
+Feel free to open a PR to optimize this plugin further.

package/dist/constants.d.ts

@@ -0,0 +1,24 @@
+import type { KiroRegion } from './plugin/types';
+export declare function isValidRegion(region: string): region is KiroRegion;
+export declare function normalizeRegion(region: string | undefined): KiroRegion;
+export declare function buildUrl(template: string, region: KiroRegion): string;
+export declare const KIRO_CONSTANTS: {
+    REFRESH_URL: string;
+    REFRESH_IDC_URL: string;
+    BASE_URL: string;
+    USAGE_LIMITS_URL: string;
+    DEFAULT_REGION: KiroRegion;
+    AXIOS_TIMEOUT: number;
+    USER_AGENT: string;
+    KIRO_VERSION: string;
+    CHAT_TRIGGER_TYPE_MANUAL: string;
+    ORIGIN_AI_EDITOR: string;
+};
+export declare const MODEL_MAPPING: Record<string, string>;
+export declare const SUPPORTED_MODELS: string[];
+export declare const KIRO_AUTH_SERVICE: {
+    ENDPOINT: string;
+    SSO_OIDC_ENDPOINT: string;
+    BUILDER_ID_START_URL: string;
+    SCOPES: string[];
+};

package/dist/constants.js

@@ -0,0 +1,55 @@
+const VALID_REGIONS = ['us-east-1', 'us-west-2'];
+export function isValidRegion(region) {
+    return VALID_REGIONS.includes(region);
+}
+export function normalizeRegion(region) {
+    if (!region || !isValidRegion(region)) {
+        return 'us-east-1';
+    }
+    return region;
+}
+export function buildUrl(template, region) {
+    const url = template.replace('{{region}}', region);
+    try {
+        new URL(url);
+        return url;
+    }
+    catch {
+        throw new Error(`Invalid URL generated: ${url}`);
+    }
+}
+export const KIRO_CONSTANTS = {
+    REFRESH_URL: 'https://prod.{{region}}.auth.desktop.kiro.dev/refreshToken',
+    REFRESH_IDC_URL: 'https://oidc.{{region}}.amazonaws.com/token',
+    BASE_URL: 'https://q.{{region}}.amazonaws.com/generateAssistantResponse',
+    USAGE_LIMITS_URL: 'https://q.{{region}}.amazonaws.com/getUsageLimits',
+    DEFAULT_REGION: 'us-east-1',
+    AXIOS_TIMEOUT: 120000,
+    USER_AGENT: 'KiroIDE',
+    KIRO_VERSION: '0.7.5',
+    CHAT_TRIGGER_TYPE_MANUAL: 'MANUAL',
+    ORIGIN_AI_EDITOR: 'AI_EDITOR'
+};
+export const MODEL_MAPPING = {
+    'claude-haiku-4-5': 'claude-haiku-4.5',
+    'claude-sonnet-4-5': 'CLAUDE_SONNET_4_5_20250929_V1_0',
+    'claude-sonnet-4-5-thinking': 'CLAUDE_SONNET_4_5_20250929_V1_0',
+    'claude-sonnet-4-5-20250929': 'CLAUDE_SONNET_4_5_20250929_V1_0',
+    'claude-opus-4-5': 'CLAUDE_OPUS_4_5_20251101_V1_0',
+    'claude-opus-4-5-thinking': 'CLAUDE_OPUS_4_5_20251101_V1_0',
+    'claude-sonnet-4-20250514': 'CLAUDE_SONNET_4_20250514_V1_0',
+    'claude-3-7-sonnet-20250219': 'CLAUDE_3_7_SONNET_20250219_V1_0'
+};
+export const SUPPORTED_MODELS = Object.keys(MODEL_MAPPING);
+export const KIRO_AUTH_SERVICE = {
+    ENDPOINT: 'https://prod.{{region}}.auth.desktop.kiro.dev',
+    SSO_OIDC_ENDPOINT: 'https://oidc.{{region}}.amazonaws.com',
+    BUILDER_ID_START_URL: 'https://view.awsapps.com/start',
+    SCOPES: [
+        'codewhisperer:completions',
+        'codewhisperer:analysis',
+        'codewhisperer:conversations',
+        'codewhisperer:transformations',
+        'codewhisperer:taskassist'
+    ]
+};

package/dist/core/account/account-selector.d.ts

@@ -0,0 +1,25 @@
+import type { AccountRepository } from '../../infrastructure/database/account-repository';
+import type { AccountManager } from '../../plugin/accounts';
+import type { ManagedAccount } from '../../plugin/types';
+type ToastFunction = (message: string, variant: 'info' | 'warning' | 'success' | 'error') => void;
+interface AccountSelectorConfig {
+    auto_sync_kiro_cli: boolean;
+    account_selection_strategy: 'sticky' | 'round-robin' | 'lowest-usage';
+}
+export declare class AccountSelector {
+    private accountManager;
+    private config;
+    private syncFromKiroCli;
+    private repository;
+    private triedEmptySync;
+    private circuitBreakerTrips;
+    private lastCircuitBreakerReset;
+    constructor(accountManager: AccountManager, config: AccountSelectorConfig, syncFromKiroCli: () => Promise<void>, repository: AccountRepository);
+    selectHealthyAccount(showToast: ToastFunction): Promise<ManagedAccount | null>;
+    private handleEmptyAccounts;
+    private formatUsageMessage;
+    private checkCircuitBreaker;
+    private resetCircuitBreaker;
+    private sleep;
+}
+export {};

package/dist/core/account/account-selector.js

@@ -0,0 +1,84 @@
+export class AccountSelector {
+    accountManager;
+    config;
+    syncFromKiroCli;
+    repository;
+    triedEmptySync = false;
+    circuitBreakerTrips = 0;
+    lastCircuitBreakerReset = Date.now();
+    constructor(accountManager, config, syncFromKiroCli, repository) {
+        this.accountManager = accountManager;
+        this.config = config;
+        this.syncFromKiroCli = syncFromKiroCli;
+        this.repository = repository;
+    }
+    async selectHealthyAccount(showToast) {
+        this.checkCircuitBreaker();
+        let count = this.accountManager.getAccountCount();
+        if (count === 0 && this.config.auto_sync_kiro_cli && !this.triedEmptySync) {
+            this.triedEmptySync = true;
+            await this.handleEmptyAccounts();
+            count = this.accountManager.getAccountCount();
+        }
+        if (count === 0) {
+            throw new Error('No accounts');
+        }
+        let acc = this.accountManager.getCurrentOrNext();
+        if (!acc) {
+            this.circuitBreakerTrips++;
+            const wait = this.accountManager.getMinWaitTime();
+            if (wait > 0 && wait < 30000) {
+                if (this.accountManager.shouldShowToast()) {
+                    showToast(`All accounts rate-limited. Waiting ${Math.ceil(wait / 1000)}s...`, 'warning');
+                }
+                await this.sleep(wait);
+                return null;
+            }
+            throw new Error('All accounts are unhealthy or rate-limited');
+        }
+        this.resetCircuitBreaker();
+        if (this.accountManager.shouldShowToast()) {
+            showToast(`Using ${acc.email} (${this.accountManager.getAccounts().indexOf(acc) + 1}/${count})`, 'info');
+        }
+        if (this.accountManager.shouldShowUsageToast() &&
+            acc.usedCount !== undefined &&
+            acc.limitCount !== undefined) {
+            const p = acc.limitCount > 0 ? (acc.usedCount / acc.limitCount) * 100 : 0;
+            showToast(this.formatUsageMessage(acc.usedCount, acc.limitCount, acc.email), p >= 80 ? 'warning' : 'info');
+        }
+        return acc;
+    }
+    async handleEmptyAccounts() {
+        await this.syncFromKiroCli();
+        this.repository.invalidateCache();
+        const accounts = await this.repository.findAll();
+        for (const a of accounts) {
+            this.accountManager.addAccount(a);
+        }
+    }
+    formatUsageMessage(usedCount, limitCount, email) {
+        if (limitCount > 0) {
+            const percentage = Math.round((usedCount / limitCount) * 100);
+            return `Usage (${email}): ${usedCount}/${limitCount} (${percentage}%)`;
+        }
+        return `Usage (${email}): ${usedCount}`;
+    }
+    checkCircuitBreaker() {
+        if (Date.now() - this.lastCircuitBreakerReset > 60000) {
+            this.circuitBreakerTrips = 0;
+            this.lastCircuitBreakerReset = Date.now();
+        }
+        if (this.circuitBreakerTrips >= 10) {
+            throw new Error('Circuit breaker tripped: Too many consecutive failures selecting accounts');
+        }
+    }
+    resetCircuitBreaker() {
+        if (this.circuitBreakerTrips > 0) {
+            this.circuitBreakerTrips = 0;
+            this.lastCircuitBreakerReset = Date.now();
+        }
+    }
+    sleep(ms) {
+        return new Promise((r) => setTimeout(r, ms));
+    }
+}

package/dist/core/account/usage-tracker.d.ts

@@ -0,0 +1,17 @@
+import type { AccountRepository } from '../../infrastructure/database/account-repository';
+import type { AccountManager } from '../../plugin/accounts';
+import type { KiroAuthDetails, ManagedAccount } from '../../plugin/types';
+interface UsageTrackerConfig {
+    usage_tracking_enabled: boolean;
+    usage_sync_max_retries: number;
+}
+export declare class UsageTracker {
+    private config;
+    private accountManager;
+    private repository;
+    constructor(config: UsageTrackerConfig, accountManager: AccountManager, repository: AccountRepository);
+    syncUsage(account: ManagedAccount, auth: KiroAuthDetails): Promise<void>;
+    private syncWithRetry;
+    private sleep;
+}
+export {};

package/dist/core/account/usage-tracker.js

@@ -0,0 +1,39 @@
+import { fetchUsageLimits, updateAccountQuota } from '../../plugin/usage';
+export class UsageTracker {
+    config;
+    accountManager;
+    repository;
+    constructor(config, accountManager, repository) {
+        this.config = config;
+        this.accountManager = accountManager;
+        this.repository = repository;
+    }
+    async syncUsage(account, auth) {
+        if (!this.config.usage_tracking_enabled) {
+            return;
+        }
+        this.syncWithRetry(account, auth, 0).catch(() => { });
+    }
+    async syncWithRetry(account, auth, attempt) {
+        try {
+            const u = await fetchUsageLimits(auth);
+            updateAccountQuota(account, u, this.accountManager);
+            await this.repository.batchSave(this.accountManager.getAccounts());
+        }
+        catch (e) {
+            if (attempt < this.config.usage_sync_max_retries) {
+                await this.sleep(1000 * Math.pow(2, attempt));
+                return this.syncWithRetry(account, auth, attempt + 1);
+            }
+            if (e.message?.includes('403') ||
+                e.message?.includes('invalid') ||
+                e.message?.includes('bearer token')) {
+                this.accountManager.markUnhealthy(account, e.message);
+                this.repository.save(account).catch(() => { });
+            }
+        }
+    }
+    sleep(ms) {
+        return new Promise((r) => setTimeout(r, ms));
+    }
+}

package/dist/core/auth/auth-handler.d.ts

@@ -0,0 +1,15 @@
+import type { AccountRepository } from '../../infrastructure/database/account-repository.js';
+export declare class AuthHandler {
+    private config;
+    private repository;
+    private accountManager?;
+    constructor(config: any, repository: AccountRepository);
+    initialize(): Promise<void>;
+    setAccountManager(am: any): void;
+    getMethods(): Array<{
+        id: string;
+        label: string;
+        type: 'oauth';
+        authorize: (inputs?: any) => Promise<any>;
+    }>;
+}

package/dist/core/auth/auth-handler.js

@@ -0,0 +1,43 @@
+import { IdcAuthMethod } from './idc-auth-method.js';
+export class AuthHandler {
+    config;
+    repository;
+    accountManager;
+    constructor(config, repository) {
+        this.config = config;
+        this.repository = repository;
+    }
+    async initialize() {
+        const { syncFromKiroCli } = await import('../../plugin/sync/kiro-cli.js');
+        const { syncFromAwsSso } = await import('../../plugin/sync/aws-sso.js');
+        if (this.config.auto_sync_kiro_cli) {
+            await syncFromKiroCli();
+        }
+        if (this.config.auto_sync_aws_sso !== false) {
+            const ssoAccounts = await syncFromAwsSso();
+            if (ssoAccounts.length > 0 && this.accountManager) {
+                for (const acc of ssoAccounts) {
+                    this.accountManager.addAccount(acc);
+                }
+                await this.accountManager.saveToDisk();
+            }
+        }
+    }
+    setAccountManager(am) {
+        this.accountManager = am;
+    }
+    getMethods() {
+        if (!this.accountManager) {
+            return [];
+        }
+        const idcMethod = new IdcAuthMethod(this.config, this.repository);
+        return [
+            {
+                id: 'idc',
+                label: 'AWS Builder ID (IDC)',
+                type: 'oauth',
+                authorize: (inputs) => idcMethod.authorize(inputs)
+            }
+        ];
+    }
+}

package/dist/core/auth/idc-auth-method.d.ts

@@ -0,0 +1,17 @@
+import type { AccountRepository } from '../../infrastructure/database/account-repository.js';
+export declare class IdcAuthMethod {
+    private config;
+    private repository;
+    constructor(config: any, repository: AccountRepository);
+    authorize(inputs?: any): Promise<{
+        url: string;
+        instructions: string;
+        method: 'auto';
+        callback: () => Promise<{
+            type: 'success' | 'failed';
+            key?: string;
+        }>;
+    }>;
+    private handleMultipleLogin;
+    private handleSingleLogin;
+}