@kervnet/opencode-kiro-auth 1.5.1

package/dist/plugin/token.js

@@ -0,0 +1,79 @@
+import crypto from 'node:crypto';
+import { decodeRefreshToken, encodeRefreshToken } from '../kiro/auth';
+import { KiroTokenRefreshError } from './errors';
+export async function refreshAccessToken(auth) {
+    const p = decodeRefreshToken(auth.refresh);
+    const isIdc = auth.authMethod === 'idc';
+    const isAwsSso = auth.authMethod === 'aws-sso';
+    const url = isIdc || isAwsSso
+        ? `https://oidc.${auth.region}.amazonaws.com/token`
+        : `https://prod.${auth.region}.auth.desktop.kiro.dev/refreshToken`;
+    if ((isIdc || isAwsSso) && (!p.clientId || !p.clientSecret)) {
+        throw new KiroTokenRefreshError('Missing creds', 'MISSING_CREDENTIALS');
+    }
+    const requestBody = isIdc || isAwsSso
+        ? {
+            refreshToken: p.refreshToken,
+            clientId: p.clientId,
+            clientSecret: p.clientSecret,
+            grantType: 'refresh_token'
+        }
+        : {
+            refreshToken: p.refreshToken
+        };
+    const machineId = crypto
+        .createHash('sha256')
+        .update(auth.profileArn || auth.clientId || 'KIRO_DEFAULT_MACHINE')
+        .digest('hex');
+    const ua = isIdc || isAwsSso ? 'aws-sdk-js/1.0.0' : `KiroIDE-0.7.45-${machineId}`;
+    try {
+        const res = await fetch(url, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                Accept: 'application/json',
+                'amz-sdk-request': 'attempt=1; max=1',
+                'x-amzn-kiro-agent-mode': 'vibe',
+                'user-agent': ua,
+                Connection: 'close'
+            },
+            body: JSON.stringify(requestBody)
+        });
+        if (!res.ok) {
+            const txt = await res.text();
+            let data = {};
+            try {
+                data = JSON.parse(txt);
+            }
+            catch {
+                data = { message: txt };
+            }
+            throw new KiroTokenRefreshError(`Refresh failed: ${data.message || data.error_description || txt}`, data.error || `HTTP_${res.status}`);
+        }
+        const d = await res.json();
+        const acc = d.access_token || d.accessToken;
+        if (!acc)
+            throw new KiroTokenRefreshError('No access token', 'INVALID_RESPONSE');
+        const upP = {
+            refreshToken: d.refresh_token || d.refreshToken || p.refreshToken,
+            clientId: p.clientId,
+            clientSecret: p.clientSecret,
+            authMethod: auth.authMethod
+        };
+        return {
+            refresh: encodeRefreshToken(upP),
+            access: acc,
+            expires: Date.now() + (d.expires_in || d.expiresIn || 3600) * 1000,
+            authMethod: auth.authMethod,
+            region: auth.region,
+            clientId: auth.clientId,
+            clientSecret: auth.clientSecret,
+            email: auth.email || d.userInfo?.email
+        };
+    }
+    catch (error) {
+        if (error instanceof KiroTokenRefreshError)
+            throw error;
+        throw new KiroTokenRefreshError(`Token refresh failed: ${error instanceof Error ? error.message : 'Unknown error'}`, 'NETWORK_ERROR', error instanceof Error ? error : undefined);
+    }
+}

package/dist/plugin/types.d.ts

@@ -0,0 +1,109 @@
+export type KiroAuthMethod = 'idc' | 'desktop' | 'aws-sso';
+export type KiroRegion = 'us-east-1' | 'us-west-2';
+export interface KiroAuthDetails {
+    refresh: string;
+    access: string;
+    expires: number;
+    authMethod: KiroAuthMethod;
+    region: KiroRegion;
+    clientId?: string;
+    clientSecret?: string;
+    email?: string;
+    profileArn?: string;
+}
+export interface RefreshParts {
+    refreshToken: string;
+    clientId?: string;
+    clientSecret?: string;
+    profileArn?: string;
+    authMethod?: KiroAuthMethod;
+}
+export interface ManagedAccount {
+    id: string;
+    email: string;
+    authMethod: KiroAuthMethod;
+    region: KiroRegion;
+    clientId?: string;
+    clientSecret?: string;
+    profileArn?: string;
+    refreshToken: string;
+    accessToken: string;
+    expiresAt: number;
+    rateLimitResetTime: number;
+    isHealthy: boolean;
+    unhealthyReason?: string;
+    recoveryTime?: number;
+    failCount: number;
+    usedCount?: number;
+    limitCount?: number;
+    lastSync?: number;
+    lastUsed?: number;
+}
+export interface CodeWhispererMessage {
+    userInputMessage?: {
+        content: string;
+        modelId: string;
+        origin: string;
+        images?: Array<{
+            format: string;
+            source: {
+                bytes: string;
+            };
+        }>;
+        userInputMessageContext?: {
+            toolResults?: Array<{
+                toolUseId: string;
+                content: Array<{
+                    text?: string;
+                }>;
+                status?: string;
+            }>;
+            tools?: Array<{
+                toolSpecification: {
+                    name: string;
+                    description: string;
+                    inputSchema: {
+                        json: Record<string, unknown>;
+                    };
+                };
+            }>;
+        };
+    };
+    assistantResponseMessage?: {
+        content: string;
+        toolUses?: Array<{
+            input: any;
+            name: string;
+            toolUseId: string;
+        }>;
+    };
+}
+export interface CodeWhispererRequest {
+    conversationState: {
+        chatTriggerType: string;
+        conversationId: string;
+        history?: CodeWhispererMessage[];
+        currentMessage: CodeWhispererMessage;
+    };
+    profileArn?: string;
+}
+export interface ToolCall {
+    toolUseId: string;
+    name: string;
+    input: string | Record<string, unknown>;
+}
+export interface ParsedResponse {
+    content: string;
+    toolCalls: ToolCall[];
+    stopReason?: string;
+    inputTokens?: number;
+    outputTokens?: number;
+}
+export interface PreparedRequest {
+    url: string;
+    init: RequestInit;
+    streaming: boolean;
+    effectiveModel: string;
+    conversationId: string;
+}
+export type AccountSelectionStrategy = 'sticky' | 'round-robin' | 'lowest-usage';

package/dist/plugin/usage.d.ts

@@ -0,0 +1,3 @@
+import { KiroAuthDetails, ManagedAccount } from './types';
+export declare function fetchUsageLimits(auth: KiroAuthDetails): Promise<any>;
+export declare function updateAccountQuota(account: ManagedAccount, usage: any, accountManager?: any): void;

package/dist/plugin/usage.js

@@ -0,0 +1,45 @@
+export async function fetchUsageLimits(auth) {
+    const url = `https://q.${auth.region}.amazonaws.com/getUsageLimits?isEmailRequired=true&origin=AI_EDITOR&resourceType=AGENTIC_REQUEST`;
+    try {
+        const res = await fetch(url, {
+            method: 'GET',
+            headers: {
+                Authorization: `Bearer ${auth.access}`,
+                'Content-Type': 'application/json',
+                'x-amzn-kiro-agent-mode': 'vibe',
+                'amz-sdk-request': 'attempt=1; max=1'
+            }
+        });
+        if (!res.ok)
+            throw new Error(`Status: ${res.status}`);
+        const data = await res.json();
+        let usedCount = 0, limitCount = 0;
+        if (Array.isArray(data.usageBreakdownList)) {
+            for (const s of data.usageBreakdownList) {
+                if (s.freeTrialInfo) {
+                    usedCount += s.freeTrialInfo.currentUsage || 0;
+                    limitCount += s.freeTrialInfo.usageLimit || 0;
+                }
+                usedCount += s.currentUsage || 0;
+                limitCount += s.usageLimit || 0;
+            }
+        }
+        return { usedCount, limitCount, email: data.userInfo?.email };
+    }
+    catch (e) {
+        throw e;
+    }
+}
+export function updateAccountQuota(account, usage, accountManager) {
+    const meta = {
+        usedCount: usage.usedCount || 0,
+        limitCount: usage.limitCount || 0,
+        email: usage.email
+    };
+    account.usedCount = meta.usedCount;
+    account.limitCount = meta.limitCount;
+    if (usage.email)
+        account.email = usage.email;
+    if (accountManager)
+        accountManager.updateUsage(account.id, meta);
+}

package/dist/plugin.d.ts

@@ -0,0 +1,32 @@
+export declare const createKiroPlugin: (id: string) => ({ client, directory }: any) => Promise<{
+    auth: {
+        provider: string;
+        loader: (getAuth: any) => Promise<{
+            apiKey: string;
+            baseURL: string;
+            fetch: (input: any, init?: any) => Promise<Response>;
+        }>;
+        methods: {
+            id: string;
+            label: string;
+            type: "oauth";
+            authorize: (inputs?: any) => Promise<any>;
+        }[];
+    };
+}>;
+export declare const KiroOAuthPlugin: ({ client, directory }: any) => Promise<{
+    auth: {
+        provider: string;
+        loader: (getAuth: any) => Promise<{
+            apiKey: string;
+            baseURL: string;
+            fetch: (input: any, init?: any) => Promise<Response>;
+        }>;
+        methods: {
+            id: string;
+            label: string;
+            type: "oauth";
+            authorize: (inputs?: any) => Promise<any>;
+        }[];
+    };
+}>;

package/dist/plugin.js

@@ -0,0 +1,37 @@
+import { KIRO_CONSTANTS } from './constants.js';
+import { AuthHandler } from './core/auth/auth-handler.js';
+import { RequestHandler } from './core/request/request-handler.js';
+import { AccountCache } from './infrastructure/database/account-cache.js';
+import { AccountRepository } from './infrastructure/database/account-repository.js';
+import { AccountManager } from './plugin/accounts.js';
+import { loadConfig } from './plugin/config/index.js';
+const KIRO_PROVIDER_ID = 'kiro';
+export const createKiroPlugin = (id) => async ({ client, directory }) => {
+    const config = loadConfig(directory);
+    const showToast = (message, variant) => {
+        client.tui.showToast({ body: { message, variant } }).catch(() => { });
+    };
+    const cache = new AccountCache(60000);
+    const repository = new AccountRepository(cache);
+    const authHandler = new AuthHandler(config, repository);
+    const accountManager = await AccountManager.loadFromDisk(config.account_selection_strategy);
+    authHandler.setAccountManager(accountManager);
+    // Sync AWS SSO before OpenCode checks for accounts
+    await authHandler.initialize();
+    const requestHandler = new RequestHandler(accountManager, config, repository);
+    return {
+        auth: {
+            provider: id,
+            loader: async (getAuth) => {
+                await getAuth();
+                return {
+                    apiKey: '',
+                    baseURL: KIRO_CONSTANTS.BASE_URL.replace('/generateAssistantResponse', '').replace('{{region}}', config.default_region || 'us-east-1'),
+                    fetch: (input, init) => requestHandler.handle(input, init, showToast)
+                };
+            },
+            methods: authHandler.getMethods()
+        }
+    };
+};
+export const KiroOAuthPlugin = createKiroPlugin(KIRO_PROVIDER_ID);

package/package.json

@@ -0,0 +1,65 @@
+{
+  "name": "@kervnet/opencode-kiro-auth",
+  "version": "1.5.1",
+  "description": "OpenCode plugin for AWS Kiro (CodeWhisperer) with IAM Identity Center profile support",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "build": "tsc -p tsconfig.build.json",
+    "format": "prettier --write 'src/**/*.ts'",
+    "typecheck": "tsc --noEmit",
+    "prepare": "husky"
+  },
+  "keywords": [
+    "opencode",
+    "plugin",
+    "kiro",
+    "codewhisperer",
+    "aws",
+    "claude",
+    "ai",
+    "auth"
+  ],
+  "author": "tickernelz",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/tickernelz/opencode-kiro-auth.git"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "@opencode-ai/plugin": "^0.15.30",
+    "proper-lockfile": "^4.1.2",
+    "zod": "^3.24.0"
+  },
+  "devDependencies": {
+    "@types/node": "^20.0.0",
+    "@types/proper-lockfile": "^4.1.4",
+    "bun-types": "^1.3.6",
+    "husky": "^9.1.7",
+    "lint-staged": "^16.2.7",
+    "prettier": "^3.4.2",
+    "prettier-plugin-organize-imports": "^4.1.0",
+    "typescript": "^5.7.3"
+  },
+  "opencode": {
+    "type": "plugin",
+    "hooks": [
+      "auth",
+      "event"
+    ]
+  },
+  "files": [
+    "dist",
+    "package.json",
+    "README.md"
+  ],
+  "lint-staged": {
+    "*.ts": [
+      "prettier --write"
+    ]
+  }
+}