@lobu/gateway 3.0.9 → 3.0.13

package/src/auth/api-key-provider-module.ts

@@ -1,213 +0,0 @@
-import type { ConfigProviderMeta } from "@lobu/core";
-import type { ModelOption } from "../modules/module-system";
-import { BaseProviderModule } from "./base-provider-module";
-import type { AgentSettingsStore } from "./settings/agent-settings-store";
-import { AuthProfilesManager } from "./settings/auth-profiles-manager";
-
-export interface ApiKeyProviderConfig {
-  providerId: string;
-  providerDisplayName: string;
-  providerIconUrl: string;
-  envVarName: string;
-  apiKeyInstructions: string;
-  apiKeyPlaceholder: string;
-  systemEnvVarName?: string;
-  /** Provider slug for proxy path routing (e.g. "gemini") */
-  slug?: string;
-  /** Upstream base URL for proxy forwarding (e.g. "https://generativelanguage.googleapis.com") */
-  upstreamBaseUrl?: string;
-  /** Explicit base URL env var name (defaults to envVarName with _KEY replaced by _BASE_URL) */
-  baseUrlEnvVarName?: string;
-  /** Relative path to fetch model list (e.g. "/v1/models"). Enables generic model fetching. */
-  modelsEndpoint?: string;
-  /** SDK compatibility — "openai" means OpenAI-compatible format. Also maps OPENAI_BASE_URL in proxy. */
-  sdkCompat?: "openai";
-  /** Default model ID when none is configured */
-  defaultModel?: string;
-  /** Override provider name for model registry lookup */
-  registryAlias?: string;
-  /** Whether to show in "Add Provider" catalog (default: true) */
-  catalogVisible?: boolean;
-  agentSettingsStore: AgentSettingsStore;
-}
-
-/**
- * Generic API-key provider module.
- * Any model provider that only needs a "paste your API key" flow
- * can be instantiated from this class without writing a full module.
- *
- * Config-driven providers (from system-skills.json) set sdkCompat,
- * defaultModel, and registryAlias to enable dynamic worker model resolution.
- */
-export class ApiKeyProviderModule extends BaseProviderModule {
-  protected readonly apiKeyConfig: ApiKeyProviderConfig;
-
-  constructor(config: ApiKeyProviderConfig) {
-    const authProfilesManager = new AuthProfilesManager(
-      config.agentSettingsStore
-    );
-    super(
-      {
-        providerId: config.providerId,
-        providerDisplayName: config.providerDisplayName,
-        providerIconUrl: config.providerIconUrl,
-        credentialEnvVarName: config.envVarName,
-        secretEnvVarNames: [config.envVarName],
-        systemEnvVarName: config.systemEnvVarName,
-        slug: config.slug || config.providerId,
-        upstreamBaseUrl: config.upstreamBaseUrl,
-        baseUrlEnvVarName:
-          config.baseUrlEnvVarName ||
-          config.envVarName.replace("_KEY", "_BASE_URL"),
-        authType: "api-key",
-        apiKeyInstructions: config.apiKeyInstructions,
-        apiKeyPlaceholder: config.apiKeyPlaceholder,
-        catalogVisible: config.catalogVisible,
-      },
-      authProfilesManager
-    );
-    this.apiKeyConfig = config;
-    this.name = `${config.providerId}-api-key`;
-  }
-
-  /**
-   * For openai-compatible providers, also map OPENAI_BASE_URL so the
-   * OpenAI SDK resolves through our proxy.
-   */
-  override getProxyBaseUrlMappings(
-    proxyUrl: string,
-    agentId?: string
-  ): Record<string, string> {
-    const mappings = super.getProxyBaseUrlMappings(proxyUrl, agentId);
-    if (this.apiKeyConfig.sdkCompat === "openai") {
-      const slug = this.providerConfig.slug || this.providerId;
-      const base = `${proxyUrl}/${slug}`;
-      mappings.OPENAI_BASE_URL = agentId ? `${base}/a/${agentId}` : base;
-    }
-    return mappings;
-  }
-
-  /**
-   * Returns metadata for config-driven providers (sdkCompat, defaultModel, etc.)
-   * so the worker can register them dynamically. Returns null for hardcoded providers.
-   */
-  getProviderMetadata(): ConfigProviderMeta | null {
-    if (
-      !this.apiKeyConfig.sdkCompat &&
-      !this.apiKeyConfig.defaultModel &&
-      !this.apiKeyConfig.registryAlias
-    ) {
-      return null;
-    }
-    return {
-      sdkCompat: this.apiKeyConfig.sdkCompat,
-      defaultModel: this.apiKeyConfig.defaultModel,
-      registryAlias: this.apiKeyConfig.registryAlias,
-      baseUrlEnvVar:
-        this.providerConfig.baseUrlEnvVarName ||
-        this.apiKeyConfig.envVarName.replace("_KEY", "_BASE_URL"),
-    };
-  }
-
-  async getModelOptions(
-    agentId: string,
-    _userId: string
-  ): Promise<ModelOption[]> {
-    const key = await this.getCredential(agentId);
-    if (!key) return [];
-
-    // Gemini uses a non-standard models endpoint with key-in-query auth
-    if (this.providerId === "gemini") {
-      return this.fetchGeminiModels(key);
-    }
-
-    // Generic modelsEndpoint: supports OpenAI format ({data:[{id}]}) and Ollama format ({models:[{name}]})
-    const modelsEndpoint = this.apiKeyConfig.modelsEndpoint;
-    if (modelsEndpoint && this.apiKeyConfig.upstreamBaseUrl) {
-      return this.fetchModelsGeneric(
-        key,
-        this.apiKeyConfig.upstreamBaseUrl,
-        modelsEndpoint
-      );
-    }
-
-    return [];
-  }
-
-  /**
-   * Generic model fetcher using Bearer auth. Works with OpenAI-compatible
-   * endpoints ({data:[{id}]}) and Ollama ({models:[{name}]}).
-   */
-  private async fetchModelsGeneric(
-    apiKey: string,
-    baseUrl: string,
-    endpoint: string
-  ): Promise<ModelOption[]> {
-    const url = `${baseUrl.replace(/\/$/, "")}${endpoint}`;
-    const response = await fetch(url, {
-      headers: {
-        Accept: "application/json",
-        Authorization: `Bearer ${apiKey}`,
-      },
-    }).catch(() => null);
-    if (!response || !response.ok) return [];
-
-    const payload = (await response.json().catch(() => ({}))) as {
-      data?: Array<{ id?: string }>;
-      models?: Array<{ name?: string; model?: string }>;
-    };
-
-    const prefix = this.providerId;
-
-    // OpenAI format: { data: [{ id: "model-name" }] }
-    if (payload.data && Array.isArray(payload.data)) {
-      return payload.data
-        .map((model) => {
-          const id = model.id?.trim();
-          if (!id) return null;
-          return { value: `${prefix}/${id}`, label: id } satisfies ModelOption;
-        })
-        .filter((item): item is ModelOption => Boolean(item));
-    }
-
-    // Ollama format: { models: [{ name: "model-name", model: "model-name" }] }
-    if (payload.models && Array.isArray(payload.models)) {
-      return payload.models
-        .map((model) => {
-          const id = (model.model || model.name)?.trim();
-          if (!id) return null;
-          return { value: `${prefix}/${id}`, label: id } satisfies ModelOption;
-        })
-        .filter((item): item is ModelOption => Boolean(item));
-    }
-
-    return [];
-  }
-
-  private async fetchGeminiModels(apiKey: string): Promise<ModelOption[]> {
-    const url = new URL(
-      "https://generativelanguage.googleapis.com/v1beta/models"
-    );
-    url.searchParams.set("key", apiKey);
-
-    const response = await fetch(url.toString(), {
-      headers: { Accept: "application/json" },
-    }).catch(() => null);
-    if (!response || !response.ok) return [];
-
-    const payload = (await response.json().catch(() => ({}))) as {
-      models?: Array<{ name?: string; displayName?: string }>;
-    };
-
-    return (payload.models || [])
-      .map((model) => {
-        const raw = model.name?.replace(/^models\//, "").trim();
-        if (!raw) return null;
-        return {
-          value: `gemini/${raw}`,
-          label: model.displayName || raw,
-        } satisfies ModelOption;
-      })
-      .filter((item): item is ModelOption => Boolean(item));
-  }
-}

package/src/auth/base-provider-module.ts

@@ -1,201 +0,0 @@
-import { createLogger } from "@lobu/core";
-import { Hono } from "hono";
-import {
-  BaseModule,
-  type ModelProviderModule,
-  type ProviderUpstreamConfig,
-} from "../modules/module-system";
-import { resolveEnv } from "./mcp/string-substitution";
-import type { AuthProfilesManager } from "./settings/auth-profiles-manager";
-
-const logger = createLogger("base-provider-module");
-
-export interface BaseProviderConfig {
-  providerId: string;
-  providerDisplayName: string;
-  providerIconUrl: string;
-  /** Env var name the SDK expects for the API credential (e.g. "ANTHROPIC_API_KEY") */
-  credentialEnvVarName: string;
-  /** All env vars this provider considers secrets */
-  secretEnvVarNames: string[];
-  /** Env var to check for system key (defaults to credentialEnvVarName) */
-  systemEnvVarName?: string;
-  /** Provider slug for proxy path routing (e.g. "anthropic") */
-  slug?: string;
-  /** Upstream base URL for proxy forwarding (e.g. "https://api.anthropic.com") */
-  upstreamBaseUrl?: string;
-  /** Explicit base URL env var name (defaults to slug-derived name) */
-  baseUrlEnvVarName?: string;
-  authType: "oauth" | "device-code" | "api-key";
-  supportedAuthTypes?: ("oauth" | "device-code" | "api-key")[];
-  apiKeyInstructions?: string;
-  apiKeyPlaceholder?: string;
-  catalogDescription?: string;
-  catalogVisible?: boolean;
-}
-
-/**
- * Base class for model provider modules.
- * Implements shared logic: credential lookup, proxy mappings, env var injection,
- * and Hono app management. Save-key and logout routes are handled by the
- * parameterized auth router in gateway.ts.
- *
- * Subclasses provide a config object and optionally override:
- * - `setupRoutes(app)` to add provider-specific routes
- * - `getModelOptions()` for model listing
- * - `buildEnvVars()` for custom env var injection
- * - `hasSystemKey()` / `injectSystemKeyFallback()` for multi-env-var logic
- */
-export abstract class BaseProviderModule
-  extends BaseModule
-  implements ModelProviderModule
-{
-  name: string;
-  providerId: string;
-  providerDisplayName: string;
-  providerIconUrl: string;
-  authType: "oauth" | "device-code" | "api-key";
-  supportedAuthTypes?: ("oauth" | "device-code" | "api-key")[];
-  apiKeyInstructions?: string;
-  apiKeyPlaceholder?: string;
-  catalogDescription?: string;
-  catalogVisible?: boolean;
-
-  protected readonly providerConfig: BaseProviderConfig;
-  protected readonly authProfilesManager: AuthProfilesManager;
-  protected readonly app: Hono;
-
-  constructor(
-    config: BaseProviderConfig,
-    authProfilesManager: AuthProfilesManager
-  ) {
-    super();
-    this.providerConfig = config;
-    this.authProfilesManager = authProfilesManager;
-
-    this.providerId = config.providerId;
-    this.name = `${config.providerId}-provider`;
-    this.providerDisplayName = config.providerDisplayName;
-    this.providerIconUrl = config.providerIconUrl;
-    this.authType = config.authType;
-    this.supportedAuthTypes = config.supportedAuthTypes;
-    this.apiKeyInstructions = config.apiKeyInstructions;
-    this.apiKeyPlaceholder = config.apiKeyPlaceholder;
-    this.catalogDescription = config.catalogDescription;
-    this.catalogVisible = config.catalogVisible;
-
-    this.app = new Hono();
-    this.setupRoutes();
-  }
-
-  isEnabled(): boolean {
-    return true;
-  }
-
-  getSecretEnvVarNames(): string[] {
-    return this.providerConfig.secretEnvVarNames;
-  }
-
-  getCredentialEnvVarName(): string {
-    return this.providerConfig.credentialEnvVarName;
-  }
-
-  getUpstreamConfig(): ProviderUpstreamConfig | null {
-    const { slug, upstreamBaseUrl, baseUrlEnvVarName } = this.providerConfig;
-    if (!slug || !upstreamBaseUrl) return null;
-    // Check env for base URL override (e.g., ANTHROPIC_BASE_URL=https://api.z.ai)
-    const envOverride = baseUrlEnvVarName
-      ? resolveEnv(baseUrlEnvVarName)
-      : undefined;
-    return { slug, upstreamBaseUrl: envOverride || upstreamBaseUrl };
-  }
-
-  async hasCredentials(agentId: string): Promise<boolean> {
-    return this.authProfilesManager.hasProviderProfiles(
-      agentId,
-      this.providerId
-    );
-  }
-
-  hasSystemKey(): boolean {
-    const envVar =
-      this.providerConfig.systemEnvVarName ||
-      this.providerConfig.credentialEnvVarName;
-    return !!resolveEnv(envVar);
-  }
-
-  getProxyBaseUrlMappings(
-    proxyUrl: string,
-    agentId?: string
-  ): Record<string, string> {
-    const { slug, baseUrlEnvVarName, credentialEnvVarName } =
-      this.providerConfig;
-    if (!slug) return {};
-    const envVar =
-      baseUrlEnvVarName || credentialEnvVarName.replace("_KEY", "_BASE_URL");
-    const base = `${proxyUrl}/${slug}`;
-    return { [envVar]: agentId ? `${base}/a/${agentId}` : base };
-  }
-
-  injectSystemKeyFallback(
-    envVars: Record<string, string>
-  ): Record<string, string> {
-    const credVar = this.providerConfig.credentialEnvVarName;
-    if (!envVars[credVar]) {
-      const sysVar = this.providerConfig.systemEnvVarName || credVar;
-      const systemKey = resolveEnv(sysVar);
-      if (systemKey) {
-        envVars[credVar] = systemKey;
-      }
-    }
-    return envVars;
-  }
-
-  async buildEnvVars(
-    agentId: string,
-    envVars: Record<string, string>
-  ): Promise<Record<string, string>> {
-    const credVar = this.providerConfig.credentialEnvVarName;
-    if (!envVars[credVar]) {
-      const profile = await this.authProfilesManager.getBestProfile(
-        agentId,
-        this.providerId
-      );
-      if (profile?.credential) {
-        logger.info(
-          `Injecting ${credVar} for agent ${agentId} (${this.providerId})`
-        );
-        envVars[credVar] = profile.credential;
-      }
-    }
-    return envVars;
-  }
-
-  getApp(): Hono {
-    return this.app;
-  }
-
-  protected async getCredential(agentId: string): Promise<string | null> {
-    const profile = await this.authProfilesManager.getBestProfile(
-      agentId,
-      this.providerId
-    );
-    if (profile?.credential) {
-      return profile.credential;
-    }
-    const sysVar =
-      this.providerConfig.systemEnvVarName ||
-      this.providerConfig.credentialEnvVarName;
-    return process.env[sysVar] || null;
-  }
-
-  /** Build a structured placeholder for proxy mode (default: "lobu-proxy"). */
-  buildCredentialPlaceholder(_agentId: string): Promise<string> | string {
-    return "lobu-proxy";
-  }
-
-  /** Override in subclasses to add provider-specific routes. */
-  protected setupRoutes(): void {
-    // Default: no extra routes
-  }
-}

package/src/auth/bedrock/provider-module.ts

@@ -1,110 +0,0 @@
-import type { ConfigProviderMeta } from "@lobu/core";
-import type { ModelOption } from "../../modules/module-system";
-import type { BedrockModelCatalog } from "../../services/bedrock-model-catalog";
-import { BaseProviderModule } from "../base-provider-module";
-import type { AuthProfilesManager } from "../settings/auth-profiles-manager";
-
-const BEDROCK_PROXY_CREDENTIAL = "bedrock-proxy";
-const BEDROCK_ROUTE_PREFIX = "/api/bedrock/openai";
-const BEDROCK_BASE_URL_ENV = "AMAZON_BEDROCK_BASE_URL";
-const BEDROCK_CREDENTIAL_ENV = "AMAZON_BEDROCK_API_KEY";
-const DEFAULT_BEDROCK_MODEL = "amazon.nova-lite-v1:0";
-
-function hasAwsCredentialHint(): boolean {
-  // Explicit opt-in always wins
-  if (process.env.BEDROCK_ENABLED === "true") return true;
-
-  // Only auto-enable when an actual credential source is present.
-  // Region alone is not sufficient — it doesn't provide authentication.
-  return Boolean(
-    process.env.AWS_PROFILE ||
-      process.env.AWS_ACCESS_KEY_ID ||
-      process.env.AWS_WEB_IDENTITY_TOKEN_FILE ||
-      process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI ||
-      process.env.AWS_CONTAINER_CREDENTIALS_FULL_URI ||
-      process.env.AWS_BEARER_TOKEN_BEDROCK
-  );
-}
-
-export class BedrockProviderModule extends BaseProviderModule {
-  constructor(
-    authProfilesManager: AuthProfilesManager,
-    private readonly modelCatalog: BedrockModelCatalog
-  ) {
-    super(
-      {
-        providerId: "amazon-bedrock",
-        providerDisplayName: "Amazon Bedrock",
-        providerIconUrl:
-          "https://www.google.com/s2/favicons?domain=aws.amazon.com&sz=128",
-        credentialEnvVarName: BEDROCK_CREDENTIAL_ENV,
-        secretEnvVarNames: [BEDROCK_CREDENTIAL_ENV],
-        authType: "api-key",
-        apiKeyInstructions:
-          "No end-user API key is required. Run the gateway on AWS with IAM credentials available to the gateway process and set AWS_REGION (or AWS_DEFAULT_REGION).",
-        apiKeyPlaceholder: "Not required",
-        catalogDescription:
-          "Use Amazon Bedrock models through gateway-owned AWS credentials",
-      },
-      authProfilesManager
-    );
-    this.name = "amazon-bedrock-provider";
-  }
-
-  override hasSystemKey(): boolean {
-    return hasAwsCredentialHint();
-  }
-
-  override injectSystemKeyFallback(
-    envVars: Record<string, string>
-  ): Record<string, string> {
-    if (!envVars[BEDROCK_CREDENTIAL_ENV]) {
-      envVars[BEDROCK_CREDENTIAL_ENV] = BEDROCK_PROXY_CREDENTIAL;
-    }
-    return envVars;
-  }
-
-  override async buildEnvVars(
-    _agentId: string,
-    envVars: Record<string, string>
-  ): Promise<Record<string, string>> {
-    if (!envVars[BEDROCK_CREDENTIAL_ENV]) {
-      envVars[BEDROCK_CREDENTIAL_ENV] = BEDROCK_PROXY_CREDENTIAL;
-    }
-    return envVars;
-  }
-
-  override getProxyBaseUrlMappings(
-    proxyUrl: string,
-    agentId?: string
-  ): Record<string, string> {
-    const gatewayBase = proxyUrl.replace(/\/api\/proxy\/?$/, "");
-    const base = `${gatewayBase}${BEDROCK_ROUTE_PREFIX}`;
-    return {
-      [BEDROCK_BASE_URL_ENV]: agentId ? `${base}/a/${agentId}` : base,
-    };
-  }
-
-  buildCredentialPlaceholder(): string {
-    return BEDROCK_PROXY_CREDENTIAL;
-  }
-
-  getProviderMetadata(): ConfigProviderMeta {
-    return {
-      sdkCompat: "openai",
-      defaultModel: DEFAULT_BEDROCK_MODEL,
-      baseUrlEnvVar: BEDROCK_BASE_URL_ENV,
-    };
-  }
-
-  async getModelOptions(
-    _agentId: string,
-    _userId: string
-  ): Promise<ModelOption[]> {
-    const models = await this.modelCatalog.listModelOptions();
-    return models.map((model) => ({
-      value: `amazon-bedrock/${model.id}`,
-      label: model.label,
-    }));
-  }
-}

package/src/auth/chatgpt/chatgpt-oauth-module.ts

@@ -1,185 +0,0 @@
-import { createLogger } from "@lobu/core";
-import type { ModelOption } from "../../modules/module-system";
-import { BaseProviderModule } from "../base-provider-module";
-import type { AgentSettingsStore } from "../settings/agent-settings-store";
-import {
-  AuthProfilesManager,
-  createAuthProfileLabel,
-} from "../settings/auth-profiles-manager";
-import { ChatGPTDeviceCodeClient } from "./device-code-client";
-
-const logger = createLogger("chatgpt-oauth-module");
-
-/**
- * ChatGPT OAuth Module - Handles device code authentication for ChatGPT.
- * Stores the access token in auth profiles.
- */
-export class ChatGPTOAuthModule extends BaseProviderModule {
-  private deviceCodeClient: ChatGPTDeviceCodeClient;
-
-  constructor(agentSettingsStore: AgentSettingsStore) {
-    const authProfilesManager = new AuthProfilesManager(agentSettingsStore);
-    super(
-      {
-        providerId: "chatgpt",
-        providerDisplayName: "ChatGPT",
-        providerIconUrl:
-          "https://www.google.com/s2/favicons?domain=chatgpt.com&sz=128",
-        credentialEnvVarName: "OPENAI_API_KEY",
-        secretEnvVarNames: ["OPENAI_API_KEY"],
-        slug: "openai-codex",
-        upstreamBaseUrl: "https://chatgpt.com/backend-api",
-        baseUrlEnvVarName: "OPENAI_BASE_URL",
-        authType: "device-code",
-        supportedAuthTypes: ["device-code", "api-key"],
-        apiKeyInstructions:
-          'Enter your <a href="https://platform.openai.com/api-keys" target="_blank" class="text-blue-600 underline">OpenAI API key</a>:',
-        apiKeyPlaceholder: "sk-...",
-        catalogDescription: "OpenAI's ChatGPT with device code authentication",
-      },
-      authProfilesManager
-    );
-    // Preserve existing module name
-    this.name = "chatgpt-oauth";
-    this.deviceCodeClient = new ChatGPTDeviceCodeClient();
-  }
-
-  async buildCredentialPlaceholder(agentId: string): Promise<string> {
-    const profile = await this.authProfilesManager.getBestProfile(
-      agentId,
-      this.providerId
-    );
-    // Try metadata first, then extract from the stored credential JWT
-    let accountId = profile?.metadata?.accountId as string | undefined;
-    if (!accountId && profile?.credential) {
-      accountId = this.deviceCodeClient.extractAccountId(profile.credential);
-    }
-    if (!accountId) return "lobu-proxy";
-
-    // Minimal JWT with the chatgpt_account_id claim.
-    // Not a valid credential — only used by the codex backend to extract accountId.
-    const header = Buffer.from(
-      JSON.stringify({ alg: "none", typ: "JWT" })
-    ).toString("base64url");
-    const payload = Buffer.from(
-      JSON.stringify({
-        "https://api.openai.com/auth": { chatgpt_account_id: accountId },
-      })
-    ).toString("base64url");
-    return `${header}.${payload}.placeholder`;
-  }
-
-  getCliBackendConfig() {
-    return {
-      name: "codex",
-      command: "npx",
-      args: ["-y", "acpx@latest", "codex", "--quiet"],
-      modelArg: "--model",
-    };
-  }
-
-  async getModelOptions(
-    agentId: string,
-    _userId: string
-  ): Promise<ModelOption[]> {
-    const token = await this.getCredential(agentId);
-    if (!token) return [];
-
-    const response = await fetch("https://chatgpt.com/backend-api/models", {
-      headers: {
-        Accept: "application/json",
-        Authorization: `Bearer ${token}`,
-      },
-    }).catch(() => null);
-
-    if (!response || !response.ok) {
-      return [];
-    }
-
-    const payload = (await response.json().catch(() => ({}))) as {
-      models?: Array<{
-        slug?: string;
-        title?: string;
-      }>;
-    };
-
-    return (payload.models || [])
-      .map((model) => {
-        const slug = model.slug?.trim();
-        if (!slug) return null;
-        return {
-          value: `openai-codex/${slug}`,
-          label: model.title?.trim() || slug,
-        } satisfies ModelOption;
-      })
-      .filter((item): item is ModelOption => Boolean(item));
-  }
-
-  async startDeviceCode(agentId: string): Promise<{
-    userCode: string;
-    deviceAuthId: string;
-    interval: number;
-    verificationUrl: string;
-  }> {
-    try {
-      logger.info("Starting ChatGPT device code flow", { agentId });
-      const result = await this.deviceCodeClient.requestDeviceCode();
-      return {
-        userCode: result.userCode,
-        deviceAuthId: result.deviceAuthId,
-        interval: result.interval,
-        verificationUrl: "https://auth.openai.com/codex/device",
-      };
-    } catch (error) {
-      logger.error("Failed to start device code flow", { error });
-      throw new Error("Failed to start device code flow");
-    }
-  }
-
-  async pollDeviceCode(
-    agentId: string,
-    payload: { deviceAuthId: string; userCode: string }
-  ): Promise<{
-    status: "pending" | "success";
-    error?: string;
-    accountId?: string;
-  }> {
-    try {
-      const result = await this.deviceCodeClient.pollForToken(
-        payload.deviceAuthId,
-        payload.userCode
-      );
-
-      if (!result) {
-        return { status: "pending" };
-      }
-
-      await this.authProfilesManager.upsertProfile({
-        agentId,
-        provider: this.providerId,
-        credential: result.accessToken,
-        authType: "device-code",
-        label: createAuthProfileLabel(
-          this.providerDisplayName,
-          result.accessToken,
-          result.accountId
-        ),
-        metadata: {
-          accountId: result.accountId,
-          refreshToken: result.refreshToken,
-          expiresAt: Date.now() + result.expiresIn * 1000,
-        },
-        makePrimary: true,
-      });
-
-      logger.info(`ChatGPT token saved for agent ${agentId}`);
-      return {
-        status: "success",
-        accountId: result.accountId,
-      };
-    } catch (error) {
-      logger.error("Failed to poll for token", { error });
-      throw new Error("Failed to poll for token");
-    }
-  }
-}