npm - @kervnet/opencode-kiro-auth - Versions diffs - 1.7.16 → 1.7.18 - Mend

@kervnet/opencode-kiro-auth 1.7.16 → 1.7.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/core/auth/auth-handler.js +13 -3
package/dist/core/auth/token-refresher.js +36 -21
package/dist/core/request/request-handler.d.ts +1 -0
package/dist/core/request/request-handler.js +29 -13
package/package.json +1 -1

package/dist/core/auth/auth-handler.js CHANGED Viewed

@@ -42,10 +42,20 @@ export class AuthHandler {
                         .get();
                     cliDb.close();
                     if (!tokenRow || !tokenRow.expires || tokenRow.expires < Date.now()) {
-                        logger.log('Background token refresh: kiro-cli token expired or missing, skipping');
-                        return;
+                        logger.log('Background token refresh: kiro-cli token expired, forcing refresh via kiro-cli whoami...');
+                        try {
+                            const { execSync } = await import('node:child_process');
+                            execSync('kiro-cli whoami', { timeout: 15000, stdio: 'pipe' });
+                            logger.log('Background token refresh: kiro-cli token refreshed successfully');
+                        }
+                        catch {
+                            logger.log('Background token refresh: kiro-cli refresh failed, skipping');
+                            return;
+                        }
+                    }
+                    else {
+                        logger.log(`Background token refresh: kiro-cli token valid until ${new Date(tokenRow.expires).toLocaleString()}`);
                     }
-                    logger.log(`Background token refresh: kiro-cli token valid until ${new Date(tokenRow.expires).toLocaleString()}`);
                 }
                 catch (e) {
                     logger.warn('Background token refresh: failed to check kiro-cli token status', e);

package/dist/core/auth/token-refresher.js CHANGED Viewed

@@ -18,60 +18,75 @@ export class TokenRefresher {
         if (!accessTokenExpired(auth, this.config.token_expiry_buffer_ms)) {
             return { account, shouldContinue: false };
         }
+        const logger = await import('../../plugin/logger.js');
+        logger.log(`[TokenRefresher] Access token expired for ${account.email}, attempting OIDC refresh...`);
         try {
             const newAuth = await refreshAccessToken(auth);
+            logger.log(`[TokenRefresher] OIDC refresh succeeded for ${account.email}`);
             this.accountManager.updateFromAuth(account, newAuth);
             await this.repository.batchSave(this.accountManager.getAccounts());
             return { account, shouldContinue: false };
         }
         catch (e) {
+            logger.log(`[TokenRefresher] OIDC refresh failed for ${account.email}: ${e.message}`);
             return await this.handleRefreshError(e, account, showToast);
         }
     }
     async handleRefreshError(error, account, showToast) {
-        // Only sync if cooldown period has passed
+        const logger = await import('../../plugin/logger.js');
         const now = Date.now();
         if (this.config.auto_sync_kiro_cli && now - this.lastSyncTime > this.SYNC_COOLDOWN_MS) {
             this.lastSyncTime = now;
-            // Force kiro-cli to refresh its token first
+            // Force kiro-cli to refresh its tokens
+            logger.log('[TokenRefresher] Forcing kiro-cli token refresh via whoami...');
             try {
-                const { exec } = await import('node:child_process');
-                await new Promise((resolve) => {
-                    exec('kiro-cli whoami', (error) => {
-                        resolve(); // Continue even if it fails
-                    });
-                });
+                const { execSync } = await import('node:child_process');
+                execSync('kiro-cli whoami', { timeout: 15000, stdio: 'pipe' });
+                logger.log('[TokenRefresher] kiro-cli whoami succeeded');
             }
             catch (e) {
-                // Silent fail - continue with sync anyway
+                logger.warn(`[TokenRefresher] kiro-cli whoami failed: ${e.message}`);
             }
+            logger.log('[TokenRefresher] Syncing accounts from kiro-cli DB...');
             await this.syncFromKiroCli();
+            // Reload fresh accounts from DB into accountManager
+            this.repository.invalidateCache();
+            const freshAccounts = await this.repository.findAll();
+            this.accountManager.replaceAccounts(freshAccounts);
         }
-        this.repository.invalidateCache();
-        const accounts = await this.repository.findAll();
+        else if (this.config.auto_sync_kiro_cli) {
+            logger.log(`[TokenRefresher] Sync cooldown active (${Math.ceil((this.SYNC_COOLDOWN_MS - (now - this.lastSyncTime)) / 1000)}s remaining)`);
+        }
+        // Re-check the account after sync
+        const accounts = this.accountManager.getAccounts();
         const stillAcc = accounts.find((a) => a.id === account.id);
-        if (stillAcc &&
-            !accessTokenExpired(this.accountManager.toAuthDetails(stillAcc), this.config.token_expiry_buffer_ms)) {
-            // Reset health status since we have fresh credentials
-            stillAcc.isHealthy = true;
-            stillAcc.failCount = 0;
-            stillAcc.unhealthyReason = undefined;
-            await this.repository.batchSave([stillAcc]);
-            showToast('Credentials recovered from Kiro CLI sync.', 'info');
-            return { account: stillAcc, shouldContinue: false };
+        if (stillAcc) {
+            const freshAuth = this.accountManager.toAuthDetails(stillAcc);
+            const stillExpired = accessTokenExpired(freshAuth, this.config.token_expiry_buffer_ms);
+            logger.log(`[TokenRefresher] After sync: account ${stillAcc.email} token expired=${stillExpired}`);
+            if (!stillExpired) {
+                stillAcc.isHealthy = true;
+                stillAcc.failCount = 0;
+                stillAcc.unhealthyReason = undefined;
+                await this.repository.batchSave([stillAcc]);
+                logger.log('[TokenRefresher] Recovery successful!');
+                return { account: stillAcc, shouldContinue: false };
+            }
         }
+        // Token still expired after sync — mark unhealthy
         if (error instanceof KiroTokenRefreshError &&
             (error.code === 'ExpiredTokenException' ||
                 error.code === 'InvalidTokenException' ||
                 error.code === 'HTTP_401' ||
                 error.message.includes('Invalid refresh token provided'))) {
+            logger.log(`[TokenRefresher] Marking account ${account.email} as permanently unhealthy: ${error.message}`);
             this.accountManager.markUnhealthy(account, error.message);
             await this.repository.batchSave(this.accountManager.getAccounts());
             return { account, shouldContinue: true };
         }
-        // For HTTP_403, only mark unhealthy after multiple failures
         if (error instanceof KiroTokenRefreshError && error.code === 'HTTP_403') {
             account.failCount = (account.failCount || 0) + 1;
+            logger.log(`[TokenRefresher] HTTP 403, failCount=${account.failCount}`);
             if (account.failCount >= 3) {
                 this.accountManager.markUnhealthy(account, error.message);
             }

package/dist/core/request/request-handler.d.ts CHANGED Viewed

@@ -22,6 +22,7 @@ export declare class RequestHandler {
     private logResponse;
     private logError;
     private allAccountsPermanentlyUnhealthy;
+    private forceKiroCliRefreshAndSync;
     private sleep;
 }
 export {};

package/dist/core/request/request-handler.js CHANGED Viewed

@@ -52,20 +52,8 @@ export class RequestHandler {
                 throw new Error(check.error);
             }
             if (this.allAccountsPermanentlyUnhealthy()) {
-                // Try to recover by syncing from kiro-cli
                 if (this.config.auto_sync_kiro_cli) {
-                    showToast('All accounts unhealthy. Attempting recovery from Kiro CLI...', 'warning');
-                    const { syncFromKiroCli } = await import('../../plugin/sync/kiro-cli.js');
-                    await syncFromKiroCli();
-                    // Reset all accounts to healthy and clear fail counts
-                    const accounts = this.accountManager.getAccounts();
-                    for (const acc of accounts) {
-                        acc.isHealthy = true;
-                        acc.failCount = 0;
-                        acc.unhealthyReason = undefined;
-                    }
-                    await this.repository.batchSave(accounts);
-                    // Give it one more chance
+                    await this.forceKiroCliRefreshAndSync(showToast);
                     continue;
                 }
                 throw new Error('All accounts are permanently unhealthy (quota exceeded or suspended)');
@@ -82,6 +70,7 @@ export class RequestHandler {
             const tokenResult = await this.tokenRefresher.refreshIfNeeded(acc, auth, showToast);
             if (tokenResult.shouldContinue) {
                 acc = tokenResult.account;
+                logger.log(`[RequestHandler] Token refresh returned shouldContinue=true for ${acc.email}, retrying in 500ms (iteration ${retryContext.iterations})`);
                 await this.sleep(500);
                 continue;
             }
@@ -209,6 +198,33 @@ export class RequestHandler {
         }
         return accounts.every((acc) => !acc.isHealthy && isPermanentError(acc.unhealthyReason));
     }
+    async forceKiroCliRefreshAndSync(showToast) {
+        logger.log('[RequestHandler] All accounts permanently unhealthy. Forcing kiro-cli token refresh...');
+        showToast('All accounts unhealthy. Forcing kiro-cli token refresh...', 'warning');
+        try {
+            const { execSync } = await import('node:child_process');
+            execSync('kiro-cli whoami', { timeout: 15000, stdio: 'pipe' });
+            logger.log('[RequestHandler] kiro-cli whoami succeeded');
+        }
+        catch (e) {
+            logger.warn(`[RequestHandler] kiro-cli whoami failed: ${e.message}`);
+            throw new Error('All accounts are unhealthy and kiro-cli token refresh failed. Please run: kiro-cli login');
+        }
+        const { syncFromKiroCli } = await import('../../plugin/sync/kiro-cli.js');
+        await syncFromKiroCli();
+        // Reload fresh accounts from DB into accountManager
+        this.repository.invalidateCache();
+        const freshAccounts = await this.repository.findAll();
+        this.accountManager.replaceAccounts(freshAccounts);
+        // Reset health on all accounts
+        const accounts = this.accountManager.getAccounts();
+        for (const acc of accounts) {
+            acc.isHealthy = true;
+            acc.failCount = 0;
+            acc.unhealthyReason = undefined;
+        }
+        await this.repository.batchSave(accounts);
+    }
     sleep(ms) {
         return new Promise((resolve) => setTimeout(resolve, ms));
     }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@kervnet/opencode-kiro-auth",
-  "version": "1.7.16",
+  "version": "1.7.18",
   "description": "OpenCode plugin for AWS Kiro (CodeWhisperer) with IAM Identity Center profile support",
   "type": "module",
   "main": "dist/index.js",