@kervnet/opencode-kiro-auth 1.5.1

package/dist/infrastructure/transformers/tool-call-parser.d.ts

@@ -0,0 +1,4 @@
+import type { ToolCall } from '../../plugin/types';
+export declare function parseBracketToolCalls(text: string): ToolCall[];
+export declare function deduplicateToolCalls(toolCalls: ToolCall[]): ToolCall[];
+export declare function cleanToolCallsFromText(text: string, toolCalls: ToolCall[]): string;

package/dist/infrastructure/transformers/tool-call-parser.js

@@ -0,0 +1,45 @@
+export function parseBracketToolCalls(text) {
+    const toolCalls = [];
+    const pattern = /\[Called\s+(\w+)\s+with\s+args:\s*(\{[^}]*(?:\{[^}]*\}[^}]*)*\})\]/gs;
+    let match;
+    while ((match = pattern.exec(text)) !== null) {
+        const funcName = match[1];
+        const argsStr = match[2];
+        if (!funcName || !argsStr)
+            continue;
+        try {
+            const args = JSON.parse(argsStr);
+            toolCalls.push({
+                toolUseId: `tool_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`,
+                name: funcName,
+                input: args
+            });
+        }
+        catch (e) {
+            continue;
+        }
+    }
+    return toolCalls;
+}
+export function deduplicateToolCalls(toolCalls) {
+    const seen = new Set();
+    const unique = [];
+    for (const tc of toolCalls) {
+        if (!seen.has(tc.toolUseId)) {
+            seen.add(tc.toolUseId);
+            unique.push(tc);
+        }
+    }
+    return unique;
+}
+export function cleanToolCallsFromText(text, toolCalls) {
+    let cleaned = text;
+    for (const tc of toolCalls) {
+        const funcName = tc.name;
+        const escapedName = funcName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+        const pattern = new RegExp(`\\[Called\\s+${escapedName}\\s+with\\s+args:\\s*\\{[^}]*(?:\\{[^}]*\\}[^}]*)*\\}\\]`, 'gs');
+        cleaned = cleaned.replace(pattern, '');
+    }
+    cleaned = cleaned.replace(/\s+/g, ' ').trim();
+    return cleaned;
+}

package/dist/infrastructure/transformers/tool-transformer.d.ts

@@ -0,0 +1,2 @@
+export declare function convertToolsToCodeWhisperer(tools: any[]): any[];
+export declare function deduplicateToolResults(trs: any[]): any[];

package/dist/infrastructure/transformers/tool-transformer.js

@@ -0,0 +1,19 @@
+export function convertToolsToCodeWhisperer(tools) {
+    return tools.map((t) => ({
+        toolSpecification: {
+            name: t.name || t.function?.name,
+            description: (t.description || t.function?.description || '').substring(0, 9216),
+            inputSchema: { json: t.input_schema || t.function?.parameters || {} }
+        }
+    }));
+}
+export function deduplicateToolResults(trs) {
+    const u = [], s = new Set();
+    for (const t of trs) {
+        if (!s.has(t.toolUseId)) {
+            s.add(t.toolUseId);
+            u.push(t);
+        }
+    }
+    return u;
+}

package/dist/kiro/auth.d.ts

@@ -0,0 +1,4 @@
+import type { KiroAuthDetails, RefreshParts } from '../plugin/types';
+export declare function decodeRefreshToken(refresh: string): RefreshParts;
+export declare function accessTokenExpired(auth: KiroAuthDetails, bufferMs?: number): boolean;
+export declare function encodeRefreshToken(parts: RefreshParts): string;

package/dist/kiro/auth.js

@@ -0,0 +1,25 @@
+export function decodeRefreshToken(refresh) {
+    const parts = refresh.split('|');
+    if (parts.length < 2)
+        return { refreshToken: parts[0], authMethod: 'desktop' };
+    const refreshToken = parts[0];
+    const authMethod = parts[parts.length - 1];
+    if (authMethod === 'idc')
+        return { refreshToken, clientId: parts[1], clientSecret: parts[2], authMethod: 'idc' };
+    if (authMethod === 'desktop')
+        return { refreshToken, authMethod: 'desktop' };
+    return { refreshToken, authMethod: 'desktop' };
+}
+export function accessTokenExpired(auth, bufferMs = 120000) {
+    if (!auth.access || !auth.expires)
+        return true;
+    return Date.now() >= auth.expires - bufferMs;
+}
+export function encodeRefreshToken(parts) {
+    if (parts.authMethod === 'idc') {
+        if (!parts.clientId || !parts.clientSecret)
+            throw new Error('Missing credentials');
+        return `${parts.refreshToken}|${parts.clientId}|${parts.clientSecret}|idc`;
+    }
+    return `${parts.refreshToken}|desktop`;
+}

package/dist/kiro/oauth-idc.d.ts

@@ -0,0 +1,24 @@
+import type { KiroRegion } from '../plugin/types';
+export interface KiroIDCAuthorization {
+    verificationUrl: string;
+    verificationUriComplete: string;
+    userCode: string;
+    deviceCode: string;
+    clientId: string;
+    clientSecret: string;
+    interval: number;
+    expiresIn: number;
+    region: KiroRegion;
+}
+export interface KiroIDCTokenResult {
+    refreshToken: string;
+    accessToken: string;
+    expiresAt: number;
+    email: string;
+    clientId: string;
+    clientSecret: string;
+    region: KiroRegion;
+    authMethod: 'idc';
+}
+export declare function authorizeKiroIDC(region?: KiroRegion): Promise<KiroIDCAuthorization>;
+export declare function pollKiroIDCToken(clientId: string, clientSecret: string, deviceCode: string, interval: number, expiresIn: number, region: KiroRegion): Promise<KiroIDCTokenResult>;

package/dist/kiro/oauth-idc.js

@@ -0,0 +1,151 @@
+import { KIRO_AUTH_SERVICE, KIRO_CONSTANTS, buildUrl, normalizeRegion } from '../constants';
+export async function authorizeKiroIDC(region) {
+    const effectiveRegion = normalizeRegion(region);
+    const ssoOIDCEndpoint = buildUrl(KIRO_AUTH_SERVICE.SSO_OIDC_ENDPOINT, effectiveRegion);
+    try {
+        const registerResponse = await fetch(`${ssoOIDCEndpoint}/client/register`, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'User-Agent': KIRO_CONSTANTS.USER_AGENT
+            },
+            body: JSON.stringify({
+                clientName: 'Kiro IDE',
+                clientType: 'public',
+                scopes: KIRO_AUTH_SERVICE.SCOPES,
+                grantTypes: ['urn:ietf:params:oauth:grant-type:device_code', 'refresh_token']
+            })
+        });
+        if (!registerResponse.ok) {
+            const errorText = await registerResponse.text().catch(() => '');
+            const error = new Error(`Client registration failed: ${registerResponse.status} ${errorText}`);
+            throw error;
+        }
+        const registerData = await registerResponse.json();
+        const { clientId, clientSecret } = registerData;
+        if (!clientId || !clientSecret) {
+            const error = new Error('Client registration response missing clientId or clientSecret');
+            throw error;
+        }
+        const deviceAuthResponse = await fetch(`${ssoOIDCEndpoint}/device_authorization`, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'User-Agent': KIRO_CONSTANTS.USER_AGENT
+            },
+            body: JSON.stringify({
+                clientId,
+                clientSecret,
+                startUrl: KIRO_AUTH_SERVICE.BUILDER_ID_START_URL
+            })
+        });
+        if (!deviceAuthResponse.ok) {
+            const errorText = await deviceAuthResponse.text().catch(() => '');
+            const error = new Error(`Device authorization failed: ${deviceAuthResponse.status} ${errorText}`);
+            throw error;
+        }
+        const deviceAuthData = await deviceAuthResponse.json();
+        const { verificationUri, verificationUriComplete, userCode, deviceCode, interval = 5, expiresIn = 600 } = deviceAuthData;
+        if (!deviceCode || !userCode || !verificationUri || !verificationUriComplete) {
+            const error = new Error('Device authorization response missing required fields');
+            throw error;
+        }
+        return {
+            verificationUrl: verificationUri,
+            verificationUriComplete,
+            userCode,
+            deviceCode,
+            clientId,
+            clientSecret,
+            interval,
+            expiresIn,
+            region: effectiveRegion
+        };
+    }
+    catch (error) {
+        throw error;
+    }
+}
+export async function pollKiroIDCToken(clientId, clientSecret, deviceCode, interval, expiresIn, region) {
+    if (!clientId || !clientSecret || !deviceCode) {
+        const error = new Error('Missing required parameters for token polling');
+        throw error;
+    }
+    const effectiveRegion = normalizeRegion(region);
+    const ssoOIDCEndpoint = buildUrl(KIRO_AUTH_SERVICE.SSO_OIDC_ENDPOINT, effectiveRegion);
+    const maxAttempts = Math.floor(expiresIn / interval);
+    let currentInterval = interval * 1000;
+    let attempts = 0;
+    while (attempts < maxAttempts) {
+        attempts++;
+        await new Promise((resolve) => setTimeout(resolve, currentInterval));
+        try {
+            const tokenResponse = await fetch(`${ssoOIDCEndpoint}/token`, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                    'User-Agent': KIRO_CONSTANTS.USER_AGENT
+                },
+                body: JSON.stringify({
+                    clientId,
+                    clientSecret,
+                    deviceCode,
+                    grantType: 'urn:ietf:params:oauth:grant-type:device_code'
+                })
+            });
+            const tokenData = await tokenResponse.json();
+            if (tokenData.error) {
+                const errorType = tokenData.error;
+                if (errorType === 'authorization_pending') {
+                    continue;
+                }
+                if (errorType === 'slow_down') {
+                    currentInterval += 5000;
+                    continue;
+                }
+                if (errorType === 'expired_token') {
+                    const error = new Error('Device code has expired. Please restart the authorization process.');
+                    throw error;
+                }
+                if (errorType === 'access_denied') {
+                    const error = new Error('Authorization was denied by the user.');
+                    throw error;
+                }
+                const error = new Error(`Token polling failed: ${errorType} - ${tokenData.error_description || ''}`);
+                throw error;
+            }
+            if (tokenData.accessToken && tokenData.refreshToken) {
+                const expiresInSeconds = tokenData.expiresIn || 3600;
+                const expiresAt = Date.now() + expiresInSeconds * 1000;
+                return {
+                    refreshToken: tokenData.refreshToken,
+                    accessToken: tokenData.accessToken,
+                    expiresAt,
+                    email: 'builder-id@aws.amazon.com',
+                    clientId,
+                    clientSecret,
+                    region: effectiveRegion,
+                    authMethod: 'idc'
+                };
+            }
+            if (!tokenResponse.ok) {
+                const error = new Error(`Token request failed with status: ${tokenResponse.status}`);
+                throw error;
+            }
+        }
+        catch (error) {
+            if (error instanceof Error &&
+                (error.message.includes('expired') ||
+                    error.message.includes('denied') ||
+                    error.message.includes('failed'))) {
+                throw error;
+            }
+            if (attempts >= maxAttempts) {
+                const finalError = new Error(`Token polling failed after ${attempts} attempts: ${error instanceof Error ? error.message : 'Unknown error'}`);
+                throw finalError;
+            }
+        }
+    }
+    const timeoutError = new Error('Token polling timed out. Authorization may have expired.');
+    throw timeoutError;
+}

package/dist/plugin/accounts.d.ts

@@ -0,0 +1,29 @@
+import type { AccountSelectionStrategy, KiroAuthDetails, ManagedAccount } from './types';
+export declare function createDeterministicAccountId(email: string, method: string, clientId?: string, profileArn?: string): string;
+export declare class AccountManager {
+    private accounts;
+    private cursor;
+    private strategy;
+    private lastToastTime;
+    private lastUsageToastTime;
+    constructor(accounts: ManagedAccount[], strategy?: AccountSelectionStrategy);
+    static loadFromDisk(strategy?: AccountSelectionStrategy): Promise<AccountManager>;
+    getAccountCount(): number;
+    getAccounts(): ManagedAccount[];
+    shouldShowToast(debounce?: number): boolean;
+    shouldShowUsageToast(debounce?: number): boolean;
+    getMinWaitTime(): number;
+    getCurrentOrNext(): ManagedAccount | null;
+    updateUsage(id: string, meta: {
+        usedCount: number;
+        limitCount: number;
+        email?: string;
+    }): void;
+    addAccount(a: ManagedAccount): void;
+    removeAccount(a: ManagedAccount): void;
+    updateFromAuth(a: ManagedAccount, auth: KiroAuthDetails): void;
+    markRateLimited(a: ManagedAccount, ms: number): void;
+    markUnhealthy(a: ManagedAccount, reason: string, recovery?: number): void;
+    saveToDisk(): Promise<void>;
+    toAuthDetails(a: ManagedAccount): KiroAuthDetails;
+}

package/dist/plugin/accounts.js

@@ -0,0 +1,235 @@
+import { createHash } from 'node:crypto';
+import { decodeRefreshToken, encodeRefreshToken } from '../kiro/auth';
+import { isPermanentError } from './health';
+import * as logger from './logger';
+import { kiroDb } from './storage/sqlite';
+import { writeToKiroCli } from './sync/kiro-cli';
+export function createDeterministicAccountId(email, method, clientId, profileArn) {
+    return createHash('sha256')
+        .update(`${email}:${method}:${clientId || ''}:${profileArn || ''}`)
+        .digest('hex');
+}
+export class AccountManager {
+    accounts;
+    cursor;
+    strategy;
+    lastToastTime = 0;
+    lastUsageToastTime = 0;
+    constructor(accounts, strategy = 'sticky') {
+        this.accounts = accounts;
+        this.cursor = 0;
+        this.strategy = strategy;
+    }
+    static async loadFromDisk(strategy) {
+        const rows = kiroDb.getAccounts();
+        const accounts = rows.map((r) => ({
+            id: r.id,
+            email: r.email,
+            authMethod: r.auth_method,
+            region: r.region,
+            clientId: r.client_id,
+            clientSecret: r.client_secret,
+            profileArn: r.profile_arn,
+            refreshToken: r.refresh_token,
+            accessToken: r.access_token,
+            expiresAt: r.expires_at,
+            rateLimitResetTime: r.rate_limit_reset,
+            isHealthy: r.is_healthy === 1,
+            unhealthyReason: r.unhealthy_reason,
+            recoveryTime: r.recovery_time,
+            failCount: r.fail_count || 0,
+            lastUsed: r.last_used,
+            usedCount: r.used_count,
+            limitCount: r.limit_count
+        }));
+        return new AccountManager(accounts, strategy || 'sticky');
+    }
+    getAccountCount() {
+        return this.accounts.length;
+    }
+    getAccounts() {
+        return [...this.accounts];
+    }
+    shouldShowToast(debounce = 10000) {
+        if (Date.now() - this.lastToastTime < debounce)
+            return false;
+        this.lastToastTime = Date.now();
+        return true;
+    }
+    shouldShowUsageToast(debounce = 10000) {
+        if (Date.now() - this.lastUsageToastTime < debounce)
+            return false;
+        this.lastUsageToastTime = Date.now();
+        return true;
+    }
+    getMinWaitTime() {
+        const now = Date.now();
+        const waits = this.accounts.map((a) => (a.rateLimitResetTime || 0) - now).filter((t) => t > 0);
+        return waits.length > 0 ? Math.min(...waits) : 0;
+    }
+    getCurrentOrNext() {
+        const now = Date.now();
+        const available = this.accounts.filter((a) => {
+            if (!a.isHealthy) {
+                if (isPermanentError(a.unhealthyReason)) {
+                    return false;
+                }
+                if (a.failCount < 10 && a.recoveryTime && now >= a.recoveryTime) {
+                    a.isHealthy = true;
+                    delete a.unhealthyReason;
+                    delete a.recoveryTime;
+                    return true;
+                }
+                return false;
+            }
+            return !(a.rateLimitResetTime && now < a.rateLimitResetTime);
+        });
+        let selected;
+        if (available.length > 0) {
+            if (this.strategy === 'sticky') {
+                selected = available.find((_, i) => i === this.cursor) || available[0];
+            }
+            else if (this.strategy === 'round-robin') {
+                selected = available[this.cursor % available.length];
+                this.cursor = (this.cursor + 1) % available.length;
+            }
+            else if (this.strategy === 'lowest-usage') {
+                selected = [...available].sort((a, b) => (a.usedCount || 0) - (b.usedCount || 0) || (a.lastUsed || 0) - (b.lastUsed || 0))[0];
+            }
+        }
+        if (!selected) {
+            const fallback = this.accounts
+                .filter((a) => !a.isHealthy && a.failCount < 10 && !isPermanentError(a.unhealthyReason))
+                .sort((a, b) => (a.usedCount || 0) - (b.usedCount || 0) || (a.lastUsed || 0) - (b.lastUsed || 0))[0];
+            if (fallback) {
+                fallback.isHealthy = true;
+                delete fallback.unhealthyReason;
+                delete fallback.recoveryTime;
+                selected = fallback;
+            }
+        }
+        if (selected) {
+            selected.lastUsed = now;
+            selected.usedCount = (selected.usedCount || 0) + 1;
+            this.cursor = this.accounts.indexOf(selected);
+            return selected;
+        }
+        return null;
+    }
+    updateUsage(id, meta) {
+        const a = this.accounts.find((x) => x.id === id);
+        if (a) {
+            a.usedCount = meta.usedCount;
+            a.limitCount = meta.limitCount;
+            if (meta.email)
+                a.email = meta.email;
+            if (!isPermanentError(a.unhealthyReason)) {
+                a.failCount = 0;
+                a.isHealthy = true;
+                delete a.unhealthyReason;
+                delete a.recoveryTime;
+            }
+            kiroDb.upsertAccount(a).catch(() => { });
+        }
+    }
+    addAccount(a) {
+        const i = this.accounts.findIndex((x) => x.id === a.id);
+        if (i === -1)
+            this.accounts.push(a);
+        else
+            this.accounts[i] = a;
+        kiroDb.upsertAccount(a).catch(() => { });
+    }
+    removeAccount(a) {
+        const removedIndex = this.accounts.findIndex((x) => x.id === a.id);
+        if (removedIndex === -1)
+            return;
+        this.accounts = this.accounts.filter((x) => x.id !== a.id);
+        kiroDb.deleteAccount(a.id).catch(() => { });
+        if (this.accounts.length === 0)
+            this.cursor = 0;
+        else if (this.cursor >= this.accounts.length)
+            this.cursor = this.accounts.length - 1;
+        else if (removedIndex <= this.cursor && this.cursor > 0)
+            this.cursor--;
+    }
+    updateFromAuth(a, auth) {
+        const acc = this.accounts.find((x) => x.id === a.id);
+        if (acc) {
+            acc.accessToken = auth.access;
+            acc.expiresAt = auth.expires;
+            acc.lastUsed = Date.now();
+            if (auth.email)
+                acc.email = auth.email;
+            const p = decodeRefreshToken(auth.refresh);
+            acc.refreshToken = p.refreshToken;
+            if (p.profileArn)
+                acc.profileArn = p.profileArn;
+            if (p.clientId)
+                acc.clientId = p.clientId;
+            acc.failCount = 0;
+            acc.isHealthy = true;
+            delete acc.unhealthyReason;
+            delete acc.recoveryTime;
+            kiroDb.upsertAccount(acc).catch(() => { });
+            writeToKiroCli(acc).catch(() => { });
+        }
+    }
+    markRateLimited(a, ms) {
+        const acc = this.accounts.find((x) => x.id === a.id);
+        if (acc) {
+            acc.rateLimitResetTime = Date.now() + ms;
+            kiroDb.upsertAccount(acc).catch(() => { });
+        }
+    }
+    markUnhealthy(a, reason, recovery) {
+        const acc = this.accounts.find((x) => x.id === a.id);
+        if (!acc)
+            return;
+        const isPermanent = isPermanentError(reason);
+        if (isPermanent) {
+            logger.warn('Account marked as permanently unhealthy', {
+                email: acc.email,
+                reason,
+                accountId: acc.id
+            });
+            acc.failCount = 10;
+            acc.isHealthy = false;
+            acc.unhealthyReason = reason;
+            delete acc.recoveryTime;
+        }
+        else {
+            acc.failCount = (acc.failCount || 0) + 1;
+            acc.unhealthyReason = reason;
+            acc.lastUsed = Date.now();
+            if (acc.failCount >= 10) {
+                acc.isHealthy = false;
+                acc.recoveryTime = recovery || Date.now() + 3600000;
+            }
+        }
+        kiroDb.upsertAccount(acc).catch(() => { });
+    }
+    async saveToDisk() {
+        await kiroDb.batchUpsertAccounts(this.accounts);
+    }
+    toAuthDetails(a) {
+        const p = {
+            refreshToken: a.refreshToken,
+            profileArn: a.profileArn,
+            clientId: a.clientId,
+            clientSecret: a.clientSecret,
+            authMethod: a.authMethod
+        };
+        return {
+            refresh: encodeRefreshToken(p),
+            access: a.accessToken,
+            expires: a.expiresAt,
+            authMethod: a.authMethod,
+            region: a.region,
+            profileArn: a.profileArn,
+            clientId: a.clientId,
+            clientSecret: a.clientSecret,
+            email: a.email
+        };
+    }
+}

package/dist/plugin/auth-page.d.ts

@@ -0,0 +1,3 @@
+export declare function getIDCAuthHtml(verificationUrl: string, userCode: string, statusUrl: string): string;
+export declare function getSuccessHtml(): string;
+export declare function getErrorHtml(message: string): string;