@lobu/gateway 2.8.0

package/dist/auth/chatgpt/chatgpt-oauth-module.d.ts

@@ -0,0 +1,34 @@
+import type { ModelOption } from "../../modules/module-system";
+import { BaseProviderModule } from "../base-provider-module";
+import type { AgentSettingsStore } from "../settings/agent-settings-store";
+/**
+ * ChatGPT OAuth Module - Handles device code authentication for ChatGPT.
+ * Stores the access token in auth profiles.
+ */
+export declare class ChatGPTOAuthModule extends BaseProviderModule {
+    private deviceCodeClient;
+    constructor(agentSettingsStore: AgentSettingsStore);
+    buildCredentialPlaceholder(agentId: string): Promise<string>;
+    getCliBackendConfig(): {
+        name: string;
+        command: string;
+        args: string[];
+        modelArg: string;
+    };
+    getModelOptions(agentId: string, _userId: string): Promise<ModelOption[]>;
+    startDeviceCode(agentId: string): Promise<{
+        userCode: string;
+        deviceAuthId: string;
+        interval: number;
+        verificationUrl: string;
+    }>;
+    pollDeviceCode(agentId: string, payload: {
+        deviceAuthId: string;
+        userCode: string;
+    }): Promise<{
+        status: "pending" | "success";
+        error?: string;
+        accountId?: string;
+    }>;
+}
+//# sourceMappingURL=chatgpt-oauth-module.d.ts.map

package/dist/auth/chatgpt/chatgpt-oauth-module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"chatgpt-oauth-module.d.ts","sourceRoot":"","sources":["../../../src/auth/chatgpt/chatgpt-oauth-module.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,6BAA6B,CAAC;AAC/D,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAC7D,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAC;AAS3E;;;GAGG;AACH,qBAAa,kBAAmB,SAAQ,kBAAkB;IACxD,OAAO,CAAC,gBAAgB,CAA0B;gBAEtC,kBAAkB,EAAE,kBAAkB;IA2B5C,0BAA0B,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAyBlE,mBAAmB;;;;;;IASb,eAAe,CACnB,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,WAAW,EAAE,CAAC;IAkCnB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC;QAC9C,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,EAAE,MAAM,CAAC;QACrB,QAAQ,EAAE,MAAM,CAAC;QACjB,eAAe,EAAE,MAAM,CAAC;KACzB,CAAC;IAgBI,cAAc,CAClB,OAAO,EAAE,MAAM,EACf,OAAO,EAAE;QAAE,YAAY,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,GAClD,OAAO,CAAC;QACT,MAAM,EAAE,SAAS,GAAG,SAAS,CAAC;QAC9B,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,CAAC;CAuCH"}

package/dist/auth/chatgpt/chatgpt-oauth-module.js

@@ -0,0 +1,136 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ChatGPTOAuthModule = void 0;
+const core_1 = require("@lobu/core");
+const base_provider_module_1 = require("../base-provider-module");
+const auth_profiles_manager_1 = require("../settings/auth-profiles-manager");
+const device_code_client_1 = require("./device-code-client");
+const logger = (0, core_1.createLogger)("chatgpt-oauth-module");
+/**
+ * ChatGPT OAuth Module - Handles device code authentication for ChatGPT.
+ * Stores the access token in auth profiles.
+ */
+class ChatGPTOAuthModule extends base_provider_module_1.BaseProviderModule {
+    constructor(agentSettingsStore) {
+        const authProfilesManager = new auth_profiles_manager_1.AuthProfilesManager(agentSettingsStore);
+        super({
+            providerId: "chatgpt",
+            providerDisplayName: "ChatGPT",
+            providerIconUrl: "https://www.google.com/s2/favicons?domain=chatgpt.com&sz=128",
+            credentialEnvVarName: "OPENAI_API_KEY",
+            secretEnvVarNames: ["OPENAI_API_KEY"],
+            slug: "openai-codex",
+            upstreamBaseUrl: "https://chatgpt.com/backend-api",
+            baseUrlEnvVarName: "OPENAI_BASE_URL",
+            authType: "device-code",
+            supportedAuthTypes: ["device-code", "api-key"],
+            apiKeyInstructions: 'Enter your <a href="https://platform.openai.com/api-keys" target="_blank" class="text-blue-600 underline">OpenAI API key</a>:',
+            apiKeyPlaceholder: "sk-...",
+            catalogDescription: "OpenAI's ChatGPT with device code authentication",
+        }, authProfilesManager);
+        // Preserve existing module name
+        this.name = "chatgpt-oauth";
+        this.deviceCodeClient = new device_code_client_1.ChatGPTDeviceCodeClient();
+    }
+    async buildCredentialPlaceholder(agentId) {
+        var _a;
+        const profile = await this.authProfilesManager.getBestProfile(agentId, this.providerId);
+        // Try metadata first, then extract from the stored credential JWT
+        let accountId = (_a = profile === null || profile === void 0 ? void 0 : profile.metadata) === null || _a === void 0 ? void 0 : _a.accountId;
+        if (!accountId && (profile === null || profile === void 0 ? void 0 : profile.credential)) {
+            accountId = this.deviceCodeClient.extractAccountId(profile.credential);
+        }
+        if (!accountId)
+            return "lobu-proxy";
+        // Minimal JWT with the chatgpt_account_id claim.
+        // Not a valid credential — only used by the codex backend to extract accountId.
+        const header = Buffer.from(JSON.stringify({ alg: "none", typ: "JWT" })).toString("base64url");
+        const payload = Buffer.from(JSON.stringify({
+            "https://api.openai.com/auth": { chatgpt_account_id: accountId },
+        })).toString("base64url");
+        return `${header}.${payload}.placeholder`;
+    }
+    getCliBackendConfig() {
+        return {
+            name: "codex",
+            command: "npx",
+            args: ["-y", "acpx@latest", "codex", "--quiet"],
+            modelArg: "--model",
+        };
+    }
+    async getModelOptions(agentId, _userId) {
+        const token = await this.getCredential(agentId);
+        if (!token)
+            return [];
+        const response = await fetch("https://chatgpt.com/backend-api/models", {
+            headers: {
+                Accept: "application/json",
+                Authorization: `Bearer ${token}`,
+            },
+        }).catch(() => null);
+        if (!response || !response.ok) {
+            return [];
+        }
+        const payload = (await response.json().catch(() => ({})));
+        return (payload.models || [])
+            .map((model) => {
+            var _a, _b;
+            const slug = (_a = model.slug) === null || _a === void 0 ? void 0 : _a.trim();
+            if (!slug)
+                return null;
+            return {
+                value: `openai-codex/${slug}`,
+                label: ((_b = model.title) === null || _b === void 0 ? void 0 : _b.trim()) || slug,
+            };
+        })
+            .filter((item) => Boolean(item));
+    }
+    async startDeviceCode(agentId) {
+        try {
+            logger.info("Starting ChatGPT device code flow", { agentId });
+            const result = await this.deviceCodeClient.requestDeviceCode();
+            return {
+                userCode: result.userCode,
+                deviceAuthId: result.deviceAuthId,
+                interval: result.interval,
+                verificationUrl: "https://auth.openai.com/codex/device",
+            };
+        }
+        catch (error) {
+            logger.error("Failed to start device code flow", { error });
+            throw new Error("Failed to start device code flow");
+        }
+    }
+    async pollDeviceCode(agentId, payload) {
+        try {
+            const result = await this.deviceCodeClient.pollForToken(payload.deviceAuthId, payload.userCode);
+            if (!result) {
+                return { status: "pending" };
+            }
+            await this.authProfilesManager.upsertProfile({
+                agentId,
+                provider: this.providerId,
+                credential: result.accessToken,
+                authType: "device-code",
+                label: (0, auth_profiles_manager_1.createAuthProfileLabel)(this.providerDisplayName, result.accessToken, result.accountId),
+                metadata: {
+                    accountId: result.accountId,
+                    refreshToken: result.refreshToken,
+                    expiresAt: Date.now() + result.expiresIn * 1000,
+                },
+                makePrimary: true,
+            });
+            logger.info(`ChatGPT token saved for agent ${agentId}`);
+            return {
+                status: "success",
+                accountId: result.accountId,
+            };
+        }
+        catch (error) {
+            logger.error("Failed to poll for token", { error });
+            throw new Error("Failed to poll for token");
+        }
+    }
+}
+exports.ChatGPTOAuthModule = ChatGPTOAuthModule;
+//# sourceMappingURL=chatgpt-oauth-module.js.map

package/dist/auth/chatgpt/chatgpt-oauth-module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"chatgpt-oauth-module.js","sourceRoot":"","sources":["../../../src/auth/chatgpt/chatgpt-oauth-module.ts"],"names":[],"mappings":";;;AAAA,qCAA0C;AAE1C,kEAA6D;AAE7D,6EAG2C;AAC3C,6DAA+D;AAE/D,MAAM,MAAM,GAAG,IAAA,mBAAY,EAAC,sBAAsB,CAAC,CAAC;AAEpD;;;GAGG;AACH,MAAa,kBAAmB,SAAQ,yCAAkB;IAGxD,YAAY,kBAAsC;QAChD,MAAM,mBAAmB,GAAG,IAAI,2CAAmB,CAAC,kBAAkB,CAAC,CAAC;QACxE,KAAK,CACH;YACE,UAAU,EAAE,SAAS;YACrB,mBAAmB,EAAE,SAAS;YAC9B,eAAe,EACb,8DAA8D;YAChE,oBAAoB,EAAE,gBAAgB;YACtC,iBAAiB,EAAE,CAAC,gBAAgB,CAAC;YACrC,IAAI,EAAE,cAAc;YACpB,eAAe,EAAE,iCAAiC;YAClD,iBAAiB,EAAE,iBAAiB;YACpC,QAAQ,EAAE,aAAa;YACvB,kBAAkB,EAAE,CAAC,aAAa,EAAE,SAAS,CAAC;YAC9C,kBAAkB,EAChB,+HAA+H;YACjI,iBAAiB,EAAE,QAAQ;YAC3B,kBAAkB,EAAE,kDAAkD;SACvE,EACD,mBAAmB,CACpB,CAAC;QACF,gCAAgC;QAChC,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;QAC5B,IAAI,CAAC,gBAAgB,GAAG,IAAI,4CAAuB,EAAE,CAAC;IACxD,CAAC;IAED,KAAK,CAAC,0BAA0B,CAAC,OAAe;;QAC9C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,mBAAmB,CAAC,cAAc,CAC3D,OAAO,EACP,IAAI,CAAC,UAAU,CAChB,CAAC;QACF,kEAAkE;QAClE,IAAI,SAAS,GAAG,MAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,QAAQ,0CAAE,SAA+B,CAAC;QACnE,IAAI,CAAC,SAAS,KAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,UAAU,CAAA,EAAE,CAAC;YACtC,SAAS,GAAG,IAAI,CAAC,gBAAgB,CAAC,gBAAgB,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QACzE,CAAC;QACD,IAAI,CAAC,SAAS;YAAE,OAAO,YAAY,CAAC;QAEpC,iDAAiD;QACjD,gFAAgF;QAChF,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CACxB,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAC5C,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACxB,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CACzB,IAAI,CAAC,SAAS,CAAC;YACb,6BAA6B,EAAE,EAAE,kBAAkB,EAAE,SAAS,EAAE;SACjE,CAAC,CACH,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACxB,OAAO,GAAG,MAAM,IAAI,OAAO,cAAc,CAAC;IAC5C,CAAC;IAED,mBAAmB;QACjB,OAAO;YACL,IAAI,EAAE,OAAO;YACb,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,CAAC,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,SAAS,CAAC;YAC/C,QAAQ,EAAE,SAAS;SACpB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,eAAe,CACnB,OAAe,EACf,OAAe;QAEf,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;QAChD,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,CAAC;QAEtB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,wCAAwC,EAAE;YACrE,OAAO,EAAE;gBACP,MAAM,EAAE,kBAAkB;gBAC1B,aAAa,EAAE,UAAU,KAAK,EAAE;aACjC;SACF,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QAErB,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YAC9B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,OAAO,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAKvD,CAAC;QAEF,OAAO,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC;aAC1B,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;;YACb,MAAM,IAAI,GAAG,MAAA,KAAK,CAAC,IAAI,0CAAE,IAAI,EAAE,CAAC;YAChC,IAAI,CAAC,IAAI;gBAAE,OAAO,IAAI,CAAC;YACvB,OAAO;gBACL,KAAK,EAAE,gBAAgB,IAAI,EAAE;gBAC7B,KAAK,EAAE,CAAA,MAAA,KAAK,CAAC,KAAK,0CAAE,IAAI,EAAE,KAAI,IAAI;aACb,CAAC;QAC1B,CAAC,CAAC;aACD,MAAM,CAAC,CAAC,IAAI,EAAuB,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IAC1D,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,OAAe;QAMnC,IAAI,CAAC;YACH,MAAM,CAAC,IAAI,CAAC,mCAAmC,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;YAC9D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,iBAAiB,EAAE,CAAC;YAC/D,OAAO;gBACL,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,YAAY,EAAE,MAAM,CAAC,YAAY;gBACjC,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,eAAe,EAAE,sCAAsC;aACxD,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,kCAAkC,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;YAC5D,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;IAED,KAAK,CAAC,cAAc,CAClB,OAAe,EACf,OAAmD;QAMnD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,YAAY,CACrD,OAAO,CAAC,YAAY,EACpB,OAAO,CAAC,QAAQ,CACjB,CAAC;YAEF,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;YAC/B,CAAC;YAED,MAAM,IAAI,CAAC,mBAAmB,CAAC,aAAa,CAAC;gBAC3C,OAAO;gBACP,QAAQ,EAAE,IAAI,CAAC,UAAU;gBACzB,UAAU,EAAE,MAAM,CAAC,WAAW;gBAC9B,QAAQ,EAAE,aAAa;gBACvB,KAAK,EAAE,IAAA,8CAAsB,EAC3B,IAAI,CAAC,mBAAmB,EACxB,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,SAAS,CACjB;gBACD,QAAQ,EAAE;oBACR,SAAS,EAAE,MAAM,CAAC,SAAS;oBAC3B,YAAY,EAAE,MAAM,CAAC,YAAY;oBACjC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,GAAG,IAAI;iBAChD;gBACD,WAAW,EAAE,IAAI;aAClB,CAAC,CAAC;YAEH,MAAM,CAAC,IAAI,CAAC,iCAAiC,OAAO,EAAE,CAAC,CAAC;YACxD,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,SAAS,EAAE,MAAM,CAAC,SAAS;aAC5B,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,0BAA0B,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;YACpD,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;CACF;AAxKD,gDAwKC"}

package/dist/auth/chatgpt/device-code-client.d.ts

@@ -0,0 +1,40 @@
+export interface DeviceCodeResponse {
+    userCode: string;
+    deviceAuthId: string;
+    interval: number;
+}
+export interface DeviceTokenResult {
+    accessToken: string;
+    refreshToken: string;
+    expiresIn: number;
+    accountId?: string;
+}
+/**
+ * Client for OpenAI device code authentication flow.
+ * Based on sub-bridge's device code implementation.
+ */
+export declare class ChatGPTDeviceCodeClient {
+    /**
+     * Request a device code from OpenAI.
+     * Returns user_code for display and device_auth_id for polling.
+     */
+    requestDeviceCode(): Promise<DeviceCodeResponse>;
+    /**
+     * Poll for token after user has authorized the device code.
+     * Returns null if still pending, throws on permanent failure.
+     */
+    pollForToken(deviceAuthId: string, userCode: string): Promise<DeviceTokenResult | null>;
+    /**
+     * Exchange authorization code for access/refresh tokens.
+     */
+    private exchangeCode;
+    /**
+     * Extract account ID from JWT access token (informational only).
+     * Decodes the JWT payload without signature verification because the token
+     * was obtained directly from OpenAI's token endpoint over HTTPS.
+     * The extracted accountId is used only for logging/display, not for
+     * authorization decisions.
+     */
+    extractAccountId(accessToken: string): string | undefined;
+}
+//# sourceMappingURL=device-code-client.d.ts.map

package/dist/auth/chatgpt/device-code-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-code-client.d.ts","sourceRoot":"","sources":["../../../src/auth/chatgpt/device-code-client.ts"],"names":[],"mappings":"AAiCA,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;GAGG;AACH,qBAAa,uBAAuB;IAClC;;;OAGG;IACG,iBAAiB,IAAI,OAAO,CAAC,kBAAkB,CAAC;IAgCtD;;;OAGG;IACG,YAAY,CAChB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC;IA0CpC;;OAEG;YACW,YAAY;IA+C1B;;;;;;OAMG;IACH,gBAAgB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS;CAwB1D"}

package/dist/auth/chatgpt/device-code-client.js

@@ -0,0 +1,165 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ChatGPTDeviceCodeClient = void 0;
+const core_1 = require("@lobu/core");
+const logger = (0, core_1.createLogger)("chatgpt-device-code");
+const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+const DEVICE_CODE_URL = "https://auth.openai.com/api/accounts/deviceauth/usercode";
+const DEVICE_TOKEN_URL = "https://auth.openai.com/api/accounts/deviceauth/token";
+const TOKEN_EXCHANGE_URL = "https://auth.openai.com/oauth/token";
+const DEVICE_REDIRECT_URI = "https://auth.openai.com/deviceauth/callback";
+const OAUTH_SCOPE = process.env.OPENAI_OAUTH_SCOPE ||
+    [
+        "openid",
+        "profile",
+        "email",
+        "offline_access",
+        "api.model.read",
+        "api.model.request",
+        "api.model.image.request",
+        "api.model.audio.request",
+    ].join(" ");
+const JWT_CLAIM_PATH = "https://api.openai.com/auth";
+const DEVICE_HEADERS = {
+    "Content-Type": "application/json",
+    "User-Agent": "reqwest/0.12.24",
+};
+const TOKEN_HEADERS = {
+    "Content-Type": "application/x-www-form-urlencoded",
+    "User-Agent": "reqwest/0.12.24",
+};
+/**
+ * Client for OpenAI device code authentication flow.
+ * Based on sub-bridge's device code implementation.
+ */
+class ChatGPTDeviceCodeClient {
+    /**
+     * Request a device code from OpenAI.
+     * Returns user_code for display and device_auth_id for polling.
+     */
+    async requestDeviceCode() {
+        const response = await fetch(DEVICE_CODE_URL, {
+            method: "POST",
+            headers: DEVICE_HEADERS,
+            body: JSON.stringify({
+                client_id: CLIENT_ID,
+                scope: OAUTH_SCOPE,
+            }),
+        });
+        if (!response.ok) {
+            const text = await response.text().catch(() => "");
+            logger.error("Device code request failed", {
+                status: response.status,
+                body: text,
+            });
+            throw new Error(`Device code request failed: ${response.status}`);
+        }
+        const data = (await response.json());
+        return {
+            userCode: data.user_code,
+            deviceAuthId: data.device_auth_id,
+            interval: typeof data.interval === "number" ? data.interval : 5,
+        };
+    }
+    /**
+     * Poll for token after user has authorized the device code.
+     * Returns null if still pending, throws on permanent failure.
+     */
+    async pollForToken(deviceAuthId, userCode) {
+        const response = await fetch(DEVICE_TOKEN_URL, {
+            method: "POST",
+            headers: DEVICE_HEADERS,
+            body: JSON.stringify({
+                device_auth_id: deviceAuthId,
+                user_code: userCode,
+            }),
+        });
+        // 403/404/429 = user hasn't authorized yet
+        if (response.status === 403 ||
+            response.status === 404 ||
+            response.status === 429) {
+            return null;
+        }
+        if (!response.ok) {
+            const text = await response.text().catch(() => "");
+            logger.error("Device token poll failed", {
+                status: response.status,
+                body: text,
+            });
+            throw new Error(`Device token poll failed: ${response.status}`);
+        }
+        const data = (await response.json());
+        if (!data.authorization_code || !data.code_verifier) {
+            logger.warn("Poll response missing authorization fields, still pending");
+            return null;
+        }
+        // Exchange authorization code for access token
+        return this.exchangeCode(data.authorization_code, data.code_verifier);
+    }
+    /**
+     * Exchange authorization code for access/refresh tokens.
+     */
+    async exchangeCode(authorizationCode, codeVerifier) {
+        const response = await fetch(TOKEN_EXCHANGE_URL, {
+            method: "POST",
+            headers: TOKEN_HEADERS,
+            body: new URLSearchParams({
+                grant_type: "authorization_code",
+                client_id: CLIENT_ID,
+                code: authorizationCode,
+                code_verifier: codeVerifier,
+                redirect_uri: DEVICE_REDIRECT_URI,
+                scope: OAUTH_SCOPE,
+            }).toString(),
+        });
+        if (!response.ok) {
+            const text = await response.text().catch(() => "");
+            logger.error("Token exchange failed", {
+                status: response.status,
+                body: text,
+            });
+            throw new Error(`Token exchange failed: ${response.status}`);
+        }
+        const data = (await response.json());
+        if (!data.access_token || !data.refresh_token) {
+            throw new Error("Token response missing required fields");
+        }
+        const accountId = this.extractAccountId(data.access_token);
+        return {
+            accessToken: data.access_token,
+            refreshToken: data.refresh_token,
+            expiresIn: data.expires_in,
+            accountId,
+        };
+    }
+    /**
+     * Extract account ID from JWT access token (informational only).
+     * Decodes the JWT payload without signature verification because the token
+     * was obtained directly from OpenAI's token endpoint over HTTPS.
+     * The extracted accountId is used only for logging/display, not for
+     * authorization decisions.
+     */
+    extractAccountId(accessToken) {
+        try {
+            const parts = accessToken.split(".");
+            if (parts.length < 2)
+                return undefined;
+            const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf-8"));
+            // OpenAI stores account info under the JWT_CLAIM_PATH
+            const authClaim = payload[JWT_CLAIM_PATH];
+            if (authClaim === null || authClaim === void 0 ? void 0 : authClaim.organization_id) {
+                return authClaim.organization_id;
+            }
+            if (authClaim === null || authClaim === void 0 ? void 0 : authClaim.chatgpt_account_id) {
+                return authClaim.chatgpt_account_id;
+            }
+            return undefined;
+        }
+        catch (error) {
+            logger.warn("Failed to extract account ID from JWT", { error });
+            return undefined;
+        }
+    }
+}
+exports.ChatGPTDeviceCodeClient = ChatGPTDeviceCodeClient;
+//# sourceMappingURL=device-code-client.js.map

package/dist/auth/chatgpt/device-code-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-code-client.js","sourceRoot":"","sources":["../../../src/auth/chatgpt/device-code-client.ts"],"names":[],"mappings":";;;AAAA,qCAA0C;AAE1C,MAAM,MAAM,GAAG,IAAA,mBAAY,EAAC,qBAAqB,CAAC,CAAC;AAEnD,MAAM,SAAS,GAAG,8BAA8B,CAAC;AACjD,MAAM,eAAe,GACnB,0DAA0D,CAAC;AAC7D,MAAM,gBAAgB,GACpB,uDAAuD,CAAC;AAC1D,MAAM,kBAAkB,GAAG,qCAAqC,CAAC;AACjE,MAAM,mBAAmB,GAAG,6CAA6C,CAAC;AAC1E,MAAM,WAAW,GACf,OAAO,CAAC,GAAG,CAAC,kBAAkB;IAC9B;QACE,QAAQ;QACR,SAAS;QACT,OAAO;QACP,gBAAgB;QAChB,gBAAgB;QAChB,mBAAmB;QACnB,yBAAyB;QACzB,yBAAyB;KAC1B,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACd,MAAM,cAAc,GAAG,6BAA6B,CAAC;AACrD,MAAM,cAAc,GAAG;IACrB,cAAc,EAAE,kBAAkB;IAClC,YAAY,EAAE,iBAAiB;CAChC,CAAC;AACF,MAAM,aAAa,GAAG;IACpB,cAAc,EAAE,mCAAmC;IACnD,YAAY,EAAE,iBAAiB;CAChC,CAAC;AAeF;;;GAGG;AACH,MAAa,uBAAuB;IAClC;;;OAGG;IACH,KAAK,CAAC,iBAAiB;QACrB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,eAAe,EAAE;YAC5C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,cAAc;YACvB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,SAAS,EAAE,SAAS;gBACpB,KAAK,EAAE,WAAW;aACnB,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;YACnD,MAAM,CAAC,KAAK,CAAC,4BAA4B,EAAE;gBACzC,MAAM,EAAE,QAAQ,CAAC,MAAM;gBACvB,IAAI,EAAE,IAAI;aACX,CAAC,CAAC;YACH,MAAM,IAAI,KAAK,CAAC,+BAA+B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QACpE,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAIlC,CAAC;QAEF,OAAO;YACL,QAAQ,EAAE,IAAI,CAAC,SAAS;YACxB,YAAY,EAAE,IAAI,CAAC,cAAc;YACjC,QAAQ,EAAE,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;SAChE,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,YAAY,CAChB,YAAoB,EACpB,QAAgB;QAEhB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,gBAAgB,EAAE;YAC7C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,cAAc;YACvB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,cAAc,EAAE,YAAY;gBAC5B,SAAS,EAAE,QAAQ;aACpB,CAAC;SACH,CAAC,CAAC;QAEH,2CAA2C;QAC3C,IACE,QAAQ,CAAC,MAAM,KAAK,GAAG;YACvB,QAAQ,CAAC,MAAM,KAAK,GAAG;YACvB,QAAQ,CAAC,MAAM,KAAK,GAAG,EACvB,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;YACnD,MAAM,CAAC,KAAK,CAAC,0BAA0B,EAAE;gBACvC,MAAM,EAAE,QAAQ,CAAC,MAAM;gBACvB,IAAI,EAAE,IAAI;aACX,CAAC,CAAC;YACH,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAClE,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAGlC,CAAC;QAEF,IAAI,CAAC,IAAI,CAAC,kBAAkB,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YACpD,MAAM,CAAC,IAAI,CAAC,2DAA2D,CAAC,CAAC;YACzE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,+CAA+C;QAC/C,OAAO,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,kBAAkB,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;IACxE,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,YAAY,CACxB,iBAAyB,EACzB,YAAoB;QAEpB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,kBAAkB,EAAE;YAC/C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,aAAa;YACtB,IAAI,EAAE,IAAI,eAAe,CAAC;gBACxB,UAAU,EAAE,oBAAoB;gBAChC,SAAS,EAAE,SAAS;gBACpB,IAAI,EAAE,iBAAiB;gBACvB,aAAa,EAAE,YAAY;gBAC3B,YAAY,EAAE,mBAAmB;gBACjC,KAAK,EAAE,WAAW;aACnB,CAAC,CAAC,QAAQ,EAAE;SACd,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;YACnD,MAAM,CAAC,KAAK,CAAC,uBAAuB,EAAE;gBACpC,MAAM,EAAE,QAAQ,CAAC,MAAM;gBACvB,IAAI,EAAE,IAAI;aACX,CAAC,CAAC;YACH,MAAM,IAAI,KAAK,CAAC,0BAA0B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAC/D,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAKlC,CAAC;QAEF,IAAI,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YAC9C,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC5D,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAE3D,OAAO;YACL,WAAW,EAAE,IAAI,CAAC,YAAY;YAC9B,YAAY,EAAE,IAAI,CAAC,aAAa;YAChC,SAAS,EAAE,IAAI,CAAC,UAAU;YAC1B,SAAS;SACV,CAAC;IACJ,CAAC;IAED;;;;;;OAMG;IACH,gBAAgB,CAAC,WAAmB;QAClC,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACrC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;gBAAE,OAAO,SAAS,CAAC;YAEvC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CACxB,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CACtD,CAAC;YAEF,sDAAsD;YACtD,MAAM,SAAS,GAAG,OAAO,CAAC,cAAc,CAAC,CAAC;YAC1C,IAAI,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,eAAe,EAAE,CAAC;gBAC/B,OAAO,SAAS,CAAC,eAAe,CAAC;YACnC,CAAC;YACD,IAAI,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,kBAAkB,EAAE,CAAC;gBAClC,OAAO,SAAS,CAAC,kBAAkB,CAAC;YACtC,CAAC;YAED,OAAO,SAAS,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,CAAC,uCAAuC,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;YAChE,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;CACF;AAvKD,0DAuKC"}

package/dist/auth/chatgpt/index.d.ts

@@ -0,0 +1,2 @@
+export { ChatGPTOAuthModule } from "./chatgpt-oauth-module";
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/chatgpt/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/auth/chatgpt/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC"}

package/dist/auth/chatgpt/index.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ChatGPTOAuthModule = void 0;
+var chatgpt_oauth_module_1 = require("./chatgpt-oauth-module");
+Object.defineProperty(exports, "ChatGPTOAuthModule", { enumerable: true, get: function () { return chatgpt_oauth_module_1.ChatGPTOAuthModule; } });
+//# sourceMappingURL=index.js.map

package/dist/auth/chatgpt/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/auth/chatgpt/index.ts"],"names":[],"mappings":";;;AAAA,+DAA4D;AAAnD,0HAAA,kBAAkB,OAAA"}

package/dist/auth/claude/oauth-module.d.ts

@@ -0,0 +1,29 @@
+import type { ModelOption } from "../../modules/module-system";
+import { BaseProviderModule } from "../base-provider-module";
+import { type AuthProfilesManager } from "../settings/auth-profiles-manager";
+import type { ModelPreferenceStore } from "../settings/model-preference-store";
+/**
+ * Claude OAuth Module - Handles credential injection and model preferences for Claude.
+ * OAuth login/logout is handled by the generic settings web page routes.
+ */
+export declare class ClaudeOAuthModule extends BaseProviderModule {
+    private modelPreferenceStore;
+    constructor(authProfilesManager: AuthProfilesManager, modelPreferenceStore: ModelPreferenceStore);
+    hasSystemKey(): boolean;
+    injectSystemKeyFallback(envVars: Record<string, string>): Record<string, string>;
+    buildEnvVars(agentId: string, envVars: Record<string, string>): Promise<Record<string, string>>;
+    getCliBackendConfig(): {
+        name: string;
+        command: string;
+        args: string[];
+        modelArg: string;
+        sessionArg: string;
+    };
+    getModelOptions(agentId: string, userId: string): Promise<ModelOption[]>;
+    setCredentials(agentId: string, credentials: unknown): Promise<void>;
+    deleteCredentials(agentId: string): Promise<void>;
+    private saveOAuthCredentials;
+    private static readonly FALLBACK_MODELS;
+    private fetchClaudeModels;
+}
+//# sourceMappingURL=oauth-module.d.ts.map

package/dist/auth/claude/oauth-module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-module.d.ts","sourceRoot":"","sources":["../../../src/auth/claude/oauth-module.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,6BAA6B,CAAC;AAC/D,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAG7D,OAAO,EACL,KAAK,mBAAmB,EAEzB,MAAM,mCAAmC,CAAC;AAC3C,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,oCAAoC,CAAC;AAI/E;;;GAGG;AACH,qBAAa,iBAAkB,SAAQ,kBAAkB;IACvD,OAAO,CAAC,oBAAoB,CAAuB;gBAGjD,mBAAmB,EAAE,mBAAmB,EACxC,oBAAoB,EAAE,oBAAoB;IAiCnC,YAAY,IAAI,OAAO;IAOvB,uBAAuB,CAC9B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC9B,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAiBV,YAAY,CACzB,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC9B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAqBlC,mBAAmB;;;;;;;IAUb,eAAe,CACnB,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,WAAW,EAAE,CAAC;IAoCnB,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC;IAIpE,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;YAOzC,oBAAoB;IAqBlC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,eAAe,CAoBrC;YAEY,iBAAiB;CAuEhC"}

package/dist/auth/claude/oauth-module.js

@@ -0,0 +1,201 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ClaudeOAuthModule = void 0;
+const core_1 = require("@lobu/core");
+const base_provider_module_1 = require("../base-provider-module");
+const string_substitution_1 = require("../mcp/string-substitution");
+const auth_profiles_manager_1 = require("../settings/auth-profiles-manager");
+const logger = (0, core_1.createLogger)("claude-oauth-module");
+/**
+ * Claude OAuth Module - Handles credential injection and model preferences for Claude.
+ * OAuth login/logout is handled by the generic settings web page routes.
+ */
+class ClaudeOAuthModule extends base_provider_module_1.BaseProviderModule {
+    constructor(authProfilesManager, modelPreferenceStore) {
+        super({
+            providerId: "claude",
+            providerDisplayName: "Claude",
+            providerIconUrl: "https://www.google.com/s2/favicons?domain=anthropic.com&sz=128",
+            credentialEnvVarName: "CLAUDE_CODE_OAUTH_TOKEN",
+            secretEnvVarNames: [
+                "ANTHROPIC_API_KEY",
+                "ANTHROPIC_AUTH_TOKEN",
+                "CLAUDE_CODE_OAUTH_TOKEN",
+            ],
+            slug: "anthropic",
+            upstreamBaseUrl: "https://api.anthropic.com",
+            baseUrlEnvVarName: "ANTHROPIC_BASE_URL",
+            authType: "oauth",
+            supportedAuthTypes: ["oauth", "api-key"],
+            apiKeyInstructions: 'Enter your <a href="https://console.anthropic.com/settings/keys" target="_blank" class="text-blue-600 underline">Anthropic API key</a>:',
+            apiKeyPlaceholder: "sk-ant-...",
+            catalogDescription: "Anthropic's Claude AI with OAuth authentication",
+        }, authProfilesManager);
+        // Preserve existing module name
+        this.name = "claude-oauth";
+        this.modelPreferenceStore = modelPreferenceStore;
+    }
+    // ---- Overrides for multi-env-var logic ----
+    hasSystemKey() {
+        return !!((0, string_substitution_1.resolveEnv)("ANTHROPIC_AUTH_TOKEN") ||
+            (0, string_substitution_1.resolveEnv)("CLAUDE_CODE_OAUTH_TOKEN"));
+    }
+    injectSystemKeyFallback(envVars) {
+        if (!envVars.ANTHROPIC_API_KEY && !envVars.CLAUDE_CODE_OAUTH_TOKEN) {
+            // Prefer ANTHROPIC_AUTH_TOKEN (explicit user config in .env) over
+            // ANTHROPIC_API_KEY (which may be injected by Claude Code's shell env).
+            const systemApiKey = (0, string_substitution_1.resolveEnv)("ANTHROPIC_AUTH_TOKEN") || (0, string_substitution_1.resolveEnv)("ANTHROPIC_API_KEY");
+            const systemOAuthToken = (0, string_substitution_1.resolveEnv)("CLAUDE_CODE_OAUTH_TOKEN");
+            if (systemApiKey) {
+                envVars.ANTHROPIC_API_KEY = systemApiKey;
+            }
+            else if (systemOAuthToken) {
+                envVars.CLAUDE_CODE_OAUTH_TOKEN = systemOAuthToken;
+            }
+        }
+        return envVars;
+    }
+    async buildEnvVars(agentId, envVars) {
+        const profile = await this.authProfilesManager.getBestProfile(agentId, this.providerId);
+        if (profile === null || profile === void 0 ? void 0 : profile.credential) {
+            logger.info(`Injecting ${profile.authType} profile for space ${agentId}`);
+            if (profile.authType === "oauth") {
+                envVars.CLAUDE_CODE_OAUTH_TOKEN = profile.credential;
+            }
+            else {
+                envVars.ANTHROPIC_API_KEY = profile.credential;
+            }
+        }
+        // AGENT_DEFAULT_MODEL is now delivered dynamically via session context.
+        // No longer baked into static container env vars.
+        return envVars;
+    }
+    getCliBackendConfig() {
+        return {
+            name: "claude-code",
+            command: "npx",
+            args: ["-y", "acpx@latest", "claude", "--print"],
+            modelArg: "--model",
+            sessionArg: "--session",
+        };
+    }
+    async getModelOptions(agentId, userId) {
+        const availableModels = await this.fetchClaudeModels(agentId);
+        if (availableModels.length === 0)
+            return [];
+        const preferredModel = await this.modelPreferenceStore.getModelPreference(userId);
+        logger.debug("Building Claude model options", {
+            agentId,
+            userId,
+            preferredModel,
+        });
+        const defaultModel = preferredModel ||
+            process.env.AGENT_DEFAULT_MODEL ||
+            "claude-sonnet-4-20250514";
+        const options = [];
+        const seen = new Set();
+        const addOption = (value, label) => {
+            if (seen.has(value))
+                return;
+            seen.add(value);
+            options.push({ value, label });
+        };
+        const defaultEntry = availableModels.find((m) => m.id === defaultModel);
+        if (defaultEntry) {
+            addOption(defaultModel, defaultEntry.display_name || defaultModel);
+        }
+        for (const model of availableModels) {
+            addOption(model.id, model.display_name || model.id);
+        }
+        return options;
+    }
+    async setCredentials(agentId, credentials) {
+        await this.saveOAuthCredentials(agentId, credentials);
+    }
+    async deleteCredentials(agentId) {
+        await this.authProfilesManager.deleteProviderProfiles(agentId, this.providerId);
+    }
+    async saveOAuthCredentials(agentId, credentials) {
+        await this.authProfilesManager.upsertProfile({
+            agentId,
+            provider: this.providerId,
+            credential: credentials.accessToken,
+            authType: "oauth",
+            label: (0, auth_profiles_manager_1.createAuthProfileLabel)(this.providerDisplayName, credentials.accessToken),
+            metadata: {
+                refreshToken: credentials.refreshToken,
+                expiresAt: credentials.expiresAt,
+            },
+            makePrimary: true,
+        });
+    }
+    async fetchClaudeModels(agentId) {
+        const profile = await this.authProfilesManager.getBestProfile(agentId, this.providerId);
+        const oauthToken = (profile === null || profile === void 0 ? void 0 : profile.authType) === "oauth" ? profile.credential : undefined;
+        const apiKey = (profile === null || profile === void 0 ? void 0 : profile.authType) !== "oauth"
+            ? profile === null || profile === void 0 ? void 0 : profile.credential
+            : process.env.ANTHROPIC_AUTH_TOKEN || process.env.ANTHROPIC_API_KEY;
+        const headers = {
+            Accept: "application/json",
+            "anthropic-version": "2023-06-01",
+        };
+        if (oauthToken) {
+            headers.Authorization = `Bearer ${oauthToken}`;
+        }
+        else if (apiKey) {
+            headers["x-api-key"] = apiKey;
+        }
+        else {
+            return ClaudeOAuthModule.FALLBACK_MODELS;
+        }
+        const response = await fetch("https://api.anthropic.com/v1/models", {
+            headers,
+        }).catch((err) => {
+            logger.warn({ error: err === null || err === void 0 ? void 0 : err.message, agentId }, "fetchClaudeModels: fetch failed");
+            return null;
+        });
+        if (!response || !response.ok) {
+            logger.warn({
+                agentId,
+                status: response === null || response === void 0 ? void 0 : response.status,
+                hasOauth: !!oauthToken,
+                hasApiKey: !!apiKey,
+            }, "fetchClaudeModels: non-ok response, using fallback models");
+            return ClaudeOAuthModule.FALLBACK_MODELS;
+        }
+        const payload = (await response.json().catch(() => ({})));
+        const models = (payload.data || [])
+            .map((item) => {
+            var _a;
+            const id = (_a = item.id) === null || _a === void 0 ? void 0 : _a.trim();
+            if (!id)
+                return null;
+            return {
+                id,
+                display_name: item.display_name || id,
+                type: item.type || "model",
+            };
+        })
+            .filter((item) => Boolean(item));
+        return models.length > 0 ? models : ClaudeOAuthModule.FALLBACK_MODELS;
+    }
+}
+exports.ClaudeOAuthModule = ClaudeOAuthModule;
+ClaudeOAuthModule.FALLBACK_MODELS = [
+    {
+        id: "claude-sonnet-4-20250514",
+        display_name: "Claude Sonnet 4",
+        type: "model",
+    },
+    {
+        id: "claude-opus-4-20250514",
+        display_name: "Claude Opus 4",
+        type: "model",
+    },
+    {
+        id: "claude-haiku-3-5-20241022",
+        display_name: "Claude Haiku 3.5",
+        type: "model",
+    },
+];
+//# sourceMappingURL=oauth-module.js.map