@mmmbuto/qwen-code-termux 0.16.1-termux → 0.18.0-termux

package/chunks/{chunk-GGNTZ2NH.js → chunk-2Y5SYSD3.js}

@@ -2,11 +2,17 @@
 "use strict";
 import {
   formatFetchErrorForUser
-} from "./chunk-KXZ4TJB4.js";
+} from "./chunk-SEGYWKIH.js";
+import {
+  combineAbortSignals
+} from "./chunk-64WXLC72.js";
+import {
+  atomicWriteFile
+} from "./chunk-B7HXHOHU.js";
 import {
   Storage,
   createDebugLogger
-} from "./chunk-XP27SJMH.js";
+} from "./chunk-HR7SV7AY.js";
 import {
   init_esbuild_shims
 } from "./chunk-A4BMJM77.js";
@@ -17,546 +23,294 @@ import {
 // packages/core/src/qwen/qwenOAuth2.ts
 init_esbuild_shims();
 import crypto from "crypto";
-import path3 from "node:path";
-import { promises as fs7 } from "node:fs";
-
-// node_modules/open/index.js
-init_esbuild_shims();
-import process7 from "node:process";
-import { Buffer } from "node:buffer";
-import path from "node:path";
-import { fileURLToPath } from "node:url";
-import { promisify as promisify5 } from "node:util";
-import childProcess from "node:child_process";
-import fs5, { constants as fsConstants2 } from "node:fs/promises";
-
-// node_modules/wsl-utils/index.js
-init_esbuild_shims();
-import process3 from "node:process";
-import fs4, { constants as fsConstants } from "node:fs/promises";
-
-// node_modules/is-wsl/index.js
-init_esbuild_shims();
-import process2 from "node:process";
-import os from "node:os";
-import fs3 from "node:fs";
+import path2 from "node:path";
+import { promises as fs2 } from "node:fs";
+import { EventEmitter } from "events";
+import { randomUUID as randomUUID2 } from "node:crypto";
 
-// node_modules/is-inside-container/index.js
+// packages/core/src/utils/secure-browser-launcher.ts
 init_esbuild_shims();
-import fs2 from "node:fs";
+import { execFile, spawn } from "node:child_process";
+import { promisify } from "node:util";
+import { platform } from "node:os";
+import { resolve } from "node:path";
+import { URL, fileURLToPath } from "node:url";
 
-// node_modules/is-docker/index.js
+// packages/core/src/utils/browser.ts
 init_esbuild_shims();
-import fs from "node:fs";
-var isDockerCached;
-function hasDockerEnv() {
-  try {
-    fs.statSync("/.dockerenv");
-    return true;
-  } catch {
-    return false;
-  }
+var browserBlocklist = ["www-browser"];
+function isBrowserCommandBlocked(command) {
+  const commandName = command.replace(/\\/g, "/").split("/").pop();
+  return !!commandName && browserBlocklist.includes(commandName);
 }
-__name(hasDockerEnv, "hasDockerEnv");
-function hasDockerCGroup() {
-  try {
-    return fs.readFileSync("/proc/self/cgroup", "utf8").includes("docker");
-  } catch {
+__name(isBrowserCommandBlocked, "isBrowserCommandBlocked");
+function shouldAttemptBrowserLaunch(options = {}) {
+  const browserEnv = process.env["BROWSER"]?.trim();
+  const browserCommand = browserEnv?.match(/^\S+/)?.[0];
+  if (!options.ignoreBrowserBlocklist && process.platform !== "win32" && browserCommand && isBrowserCommandBlocked(browserCommand)) {
     return false;
   }
-}
-__name(hasDockerCGroup, "hasDockerCGroup");
-function isDocker() {
-  if (isDockerCached === void 0) {
-    isDockerCached = hasDockerEnv() || hasDockerCGroup();
-  }
-  return isDockerCached;
-}
-__name(isDocker, "isDocker");
-
-// node_modules/is-inside-container/index.js
-var cachedResult;
-var hasContainerEnv = /* @__PURE__ */ __name(() => {
-  try {
-    fs2.statSync("/run/.containerenv");
-    return true;
-  } catch {
+  if (process.env["CI"] || process.env["DEBIAN_FRONTEND"] === "noninteractive") {
     return false;
   }
-}, "hasContainerEnv");
-function isInsideContainer() {
-  if (cachedResult === void 0) {
-    cachedResult = hasContainerEnv() || isDocker();
-  }
-  return cachedResult;
-}
-__name(isInsideContainer, "isInsideContainer");
-
-// node_modules/is-wsl/index.js
-var isWsl = /* @__PURE__ */ __name(() => {
-  if (process2.platform !== "linux") {
-    return false;
-  }
-  if (os.release().toLowerCase().includes("microsoft")) {
-    if (isInsideContainer()) {
+  const isSSH = !!process.env["SSH_CONNECTION"];
+  if (process.platform === "linux") {
+    const displayVariables = ["DISPLAY", "WAYLAND_DISPLAY", "MIR_SOCKET"];
+    const hasDisplay = displayVariables.some((v) => !!process.env[v]);
+    if (!hasDisplay) {
       return false;
     }
-    return true;
   }
-  try {
-    return fs3.readFileSync("/proc/version", "utf8").toLowerCase().includes("microsoft") ? !isInsideContainer() : false;
-  } catch {
+  if (isSSH && process.platform !== "linux") {
     return false;
   }
-}, "isWsl");
-var is_wsl_default = process2.env.__IS_WSL_TEST__ ? isWsl : isWsl();
-
-// node_modules/wsl-utils/index.js
-var wslDrivesMountPoint = /* @__PURE__ */ (() => {
-  const defaultMountPoint = "/mnt/";
-  let mountPoint;
-  return async function() {
-    if (mountPoint) {
-      return mountPoint;
-    }
-    const configFilePath = "/etc/wsl.conf";
-    let isConfigFileExists = false;
-    try {
-      await fs4.access(configFilePath, fsConstants.F_OK);
-      isConfigFileExists = true;
-    } catch {
-    }
-    if (!isConfigFileExists) {
-      return defaultMountPoint;
-    }
-    const configContent = await fs4.readFile(configFilePath, { encoding: "utf8" });
-    const configMountPoint = /(?<!#.*)root\s*=\s*(?<mountPoint>.*)/g.exec(configContent);
-    if (!configMountPoint) {
-      return defaultMountPoint;
-    }
-    mountPoint = configMountPoint.groups.mountPoint.trim();
-    mountPoint = mountPoint.endsWith("/") ? mountPoint : `${mountPoint}/`;
-    return mountPoint;
-  };
-})();
-var powerShellPathFromWsl = /* @__PURE__ */ __name(async () => {
-  const mountPoint = await wslDrivesMountPoint();
-  return `${mountPoint}c/Windows/System32/WindowsPowerShell/v1.0/powershell.exe`;
-}, "powerShellPathFromWsl");
-var powerShellPath = /* @__PURE__ */ __name(async () => {
-  if (is_wsl_default) {
-    return powerShellPathFromWsl();
-  }
-  return `${process3.env.SYSTEMROOT || process3.env.windir || String.raw`C:\Windows`}\\System32\\WindowsPowerShell\\v1.0\\powershell.exe`;
-}, "powerShellPath");
-
-// node_modules/define-lazy-prop/index.js
-init_esbuild_shims();
-function defineLazyProperty(object, propertyName, valueGetter) {
-  const define = /* @__PURE__ */ __name((value) => Object.defineProperty(object, propertyName, { value, enumerable: true, writable: true }), "define");
-  Object.defineProperty(object, propertyName, {
-    configurable: true,
-    enumerable: true,
-    get() {
-      const result = valueGetter();
-      define(result);
-      return result;
-    },
-    set(value) {
-      define(value);
-    }
-  });
-  return object;
+  return true;
 }
-__name(defineLazyProperty, "defineLazyProperty");
-
-// node_modules/default-browser/index.js
-init_esbuild_shims();
-import { promisify as promisify4 } from "node:util";
-import process6 from "node:process";
-import { execFile as execFile4 } from "node:child_process";
+__name(shouldAttemptBrowserLaunch, "shouldAttemptBrowserLaunch");
 
-// node_modules/default-browser-id/index.js
-init_esbuild_shims();
-import { promisify } from "node:util";
-import process4 from "node:process";
-import { execFile } from "node:child_process";
+// packages/core/src/utils/secure-browser-launcher.ts
 var execFileAsync = promisify(execFile);
-async function defaultBrowserId() {
-  if (process4.platform !== "darwin") {
-    throw new Error("macOS only");
+function validateUrl(url, { allowFile = false, allowedFilePaths } = {}) {
+  let parsedUrl;
+  try {
+    parsedUrl = new URL(url);
+  } catch (_error) {
+    throw new Error(`Invalid URL: ${url}`);
   }
-  const { stdout } = await execFileAsync("defaults", ["read", "com.apple.LaunchServices/com.apple.launchservices.secure", "LSHandlers"]);
-  const match = /LSHandlerRoleAll = "(?!-)(?<id>[^"]+?)";\s+?LSHandlerURLScheme = (?:http|https);/.exec(stdout);
-  return match?.groups.id ?? "com.apple.Safari";
-}
-__name(defaultBrowserId, "defaultBrowserId");
-
-// node_modules/bundle-name/index.js
-init_esbuild_shims();
-
-// node_modules/run-applescript/index.js
-init_esbuild_shims();
-import process5 from "node:process";
-import { promisify as promisify2 } from "node:util";
-import { execFile as execFile2, execFileSync } from "node:child_process";
-var execFileAsync2 = promisify2(execFile2);
-async function runAppleScript(script, { humanReadableOutput = true } = {}) {
-  if (process5.platform !== "darwin") {
-    throw new Error("macOS only");
-  }
-  const outputArguments = humanReadableOutput ? [] : ["-ss"];
-  const { stdout } = await execFileAsync2("osascript", ["-e", script, outputArguments]);
-  return stdout.trim();
-}
-__name(runAppleScript, "runAppleScript");
-
-// node_modules/bundle-name/index.js
-async function bundleName(bundleId) {
-  return runAppleScript(`tell application "Finder" to set app_path to application file id "${bundleId}" as string
-tell application "System Events" to get value of property list item "CFBundleName" of property list file (app_path & ":Contents:Info.plist")`);
-}
-__name(bundleName, "bundleName");
-
-// node_modules/default-browser/windows.js
-init_esbuild_shims();
-import { promisify as promisify3 } from "node:util";
-import { execFile as execFile3 } from "node:child_process";
-var execFileAsync3 = promisify3(execFile3);
-var windowsBrowserProgIds = {
-  AppXq0fevzme2pys62n3e0fbqa7peapykr8v: { name: "Edge", id: "com.microsoft.edge.old" },
-  MSEdgeDHTML: { name: "Edge", id: "com.microsoft.edge" },
-  // On macOS, it's "com.microsoft.edgemac"
-  MSEdgeHTM: { name: "Edge", id: "com.microsoft.edge" },
-  // Newer Edge/Win10 releases
-  "IE.HTTP": { name: "Internet Explorer", id: "com.microsoft.ie" },
-  FirefoxURL: { name: "Firefox", id: "org.mozilla.firefox" },
-  ChromeHTML: { name: "Chrome", id: "com.google.chrome" },
-  BraveHTML: { name: "Brave", id: "com.brave.Browser" },
-  BraveBHTML: { name: "Brave Beta", id: "com.brave.Browser.beta" },
-  BraveSSHTM: { name: "Brave Nightly", id: "com.brave.Browser.nightly" }
-};
-var UnknownBrowserError = class extends Error {
-  static {
-    __name(this, "UnknownBrowserError");
+  const allowedProtocols = allowFile ? ["http:", "https:", "file:"] : ["http:", "https:"];
+  if (!allowedProtocols.includes(parsedUrl.protocol)) {
+    throw new Error(
+      `Unsafe protocol: ${parsedUrl.protocol}. Only ${allowedProtocols.join(
+        ", "
+      )} are allowed.`
+    );
+  }
+  if (parsedUrl.protocol === "file:" && allowFile) {
+    if (!allowedFilePaths?.length) {
+      throw new Error("allowedFilePaths is required when allowFile is true");
+    }
+    const requestedPath = resolve(fileURLToPath(parsedUrl));
+    const allowed = allowedFilePaths.map((filePath) => resolve(filePath));
+    if (!allowed.includes(requestedPath)) {
+      throw new Error("File URL is not in the allowed file set");
+    }
+  }
+  if (/[\r\n\x00-\x1f]/.test(url)) {
+    throw new Error("URL contains invalid characters");
   }
-};
-async function defaultBrowser(_execFileAsync = execFileAsync3) {
-  const { stdout } = await _execFileAsync("reg", [
-    "QUERY",
-    " HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice",
-    "/v",
-    "ProgId"
-  ]);
-  const match = /ProgId\s*REG_SZ\s*(?<id>\S+)/.exec(stdout);
-  if (!match) {
-    throw new UnknownBrowserError(`Cannot find Windows browser in stdout: ${JSON.stringify(stdout)}`);
-  }
-  const { id } = match.groups;
-  const browser = windowsBrowserProgIds[id];
-  if (!browser) {
-    throw new UnknownBrowserError(`Unknown browser ID: ${id}`);
-  }
-  return browser;
-}
-__name(defaultBrowser, "defaultBrowser");
-
-// node_modules/default-browser/index.js
-var execFileAsync4 = promisify4(execFile4);
-var titleize = /* @__PURE__ */ __name((string) => string.toLowerCase().replaceAll(/(?:^|\s|-)\S/g, (x) => x.toUpperCase()), "titleize");
-async function defaultBrowser2() {
-  if (process6.platform === "darwin") {
-    const id = await defaultBrowserId();
-    const name = await bundleName(id);
-    return { name, id };
-  }
-  if (process6.platform === "linux") {
-    const { stdout } = await execFileAsync4("xdg-mime", ["query", "default", "x-scheme-handler/http"]);
-    const id = stdout.trim();
-    const name = titleize(id.replace(/.desktop$/, "").replace("-", " "));
-    return { name, id };
-  }
-  if (process6.platform === "win32") {
-    return defaultBrowser();
-  }
-  throw new Error("Only macOS, Linux, and Windows are supported");
-}
-__name(defaultBrowser2, "defaultBrowser");
-
-// node_modules/open/index.js
-var execFile5 = promisify5(childProcess.execFile);
-var __dirname = path.dirname(fileURLToPath(import.meta.url));
-var localXdgOpenPath = path.join(__dirname, "xdg-open");
-var { platform, arch } = process7;
-async function getWindowsDefaultBrowserFromWsl() {
-  const powershellPath = await powerShellPath();
-  const rawCommand = String.raw`(Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice").ProgId`;
-  const encodedCommand = Buffer.from(rawCommand, "utf16le").toString("base64");
-  const { stdout } = await execFile5(
-    powershellPath,
-    [
-      "-NoProfile",
-      "-NonInteractive",
-      "-ExecutionPolicy",
-      "Bypass",
-      "-EncodedCommand",
-      encodedCommand
-    ],
-    { encoding: "utf8" }
-  );
-  const progId = stdout.trim();
-  const browserMap = {
-    ChromeHTML: "com.google.chrome",
-    BraveHTML: "com.brave.Browser",
-    MSEdgeHTM: "com.microsoft.edge",
-    FirefoxURL: "org.mozilla.firefox"
-  };
-  return browserMap[progId] ? { id: browserMap[progId] } : {};
 }
-__name(getWindowsDefaultBrowserFromWsl, "getWindowsDefaultBrowserFromWsl");
-var pTryEach = /* @__PURE__ */ __name(async (array, mapper) => {
-  let latestError;
-  for (const item of array) {
+__name(validateUrl, "validateUrl");
+async function openBrowserSecurely(url, browserOptions = {}) {
+  validateUrl(url, browserOptions);
+  const platformName = platform();
+  let command;
+  let args;
+  const browserEnv = process.env["BROWSER"]?.trim();
+  const browserCommand = platformName === "win32" ? void 0 : buildBrowserCommand(browserEnv, url);
+  if (browserCommand) {
     try {
-      return await mapper(item);
-    } catch (error) {
-      latestError = error;
+      await launchDetached(browserCommand.command, browserCommand.args);
+      return;
+    } catch (_error) {
+      console.warn(
+        `Failed to open BROWSER command ${browserCommand.command}: ${formatLaunchError(
+          _error
+        )}. Falling back to the platform browser opener.`
+      );
     }
   }
-  throw latestError;
-}, "pTryEach");
-var baseOpen = /* @__PURE__ */ __name(async (options) => {
-  options = {
-    wait: false,
-    background: false,
-    newInstance: false,
-    allowNonzeroExitCode: false,
-    ...options
+  if (!shouldAttemptBrowserLaunch({ ignoreBrowserBlocklist: true })) {
+    console.warn(
+      `Browser launch is not available in this environment. Please open this URL manually: ${url}`
+    );
+    return;
+  }
+  {
+    switch (platformName) {
+      case "darwin":
+        command = "open";
+        args = [url];
+        break;
+      case "win32":
+        command = "powershell.exe";
+        args = [
+          "-NoProfile",
+          "-NonInteractive",
+          "-WindowStyle",
+          "Hidden",
+          "-Command",
+          `Start-Process '${url.replace(/'/g, "''")}'`
+        ];
+        break;
+      case "linux":
+      case "freebsd":
+      case "openbsd":
+        command = "xdg-open";
+        args = [url];
+        break;
+      default:
+        throw new Error(`Unsupported platform: ${platformName}`);
+    }
+  }
+  const execOptions = {
+    // Don't inherit parent's environment to avoid potential issues
+    env: {
+      ...process.env,
+      // Ensure we're not in a shell that might interpret special characters
+      SHELL: void 0
+    },
+    // Detach the browser process so it doesn't block
+    detached: true,
+    stdio: "ignore"
   };
-  if (Array.isArray(options.app)) {
-    return pTryEach(options.app, (singleApp) => baseOpen({
-      ...options,
-      app: singleApp
-    }));
-  }
-  let { name: app, arguments: appArguments = [] } = options.app ?? {};
-  appArguments = [...appArguments];
-  if (Array.isArray(app)) {
-    return pTryEach(app, (appName) => baseOpen({
-      ...options,
-      app: {
-        name: appName,
-        arguments: appArguments
-      }
-    }));
-  }
-  if (app === "browser" || app === "browserPrivate") {
-    const ids = {
-      "com.google.chrome": "chrome",
-      "google-chrome.desktop": "chrome",
-      "com.brave.Browser": "brave",
-      "org.mozilla.firefox": "firefox",
-      "firefox.desktop": "firefox",
-      "com.microsoft.msedge": "edge",
-      "com.microsoft.edge": "edge",
-      "com.microsoft.edgemac": "edge",
-      "microsoft-edge.desktop": "edge"
-    };
-    const flags = {
-      chrome: "--incognito",
-      brave: "--incognito",
-      firefox: "--private-window",
-      edge: "--inPrivate"
-    };
-    const browser = is_wsl_default ? await getWindowsDefaultBrowserFromWsl() : await defaultBrowser2();
-    if (browser.id in ids) {
-      const browserName = ids[browser.id];
-      if (app === "browserPrivate") {
-        appArguments.push(flags[browserName]);
-      }
-      return baseOpen({
-        ...options,
-        app: {
-          name: apps[browserName],
-          arguments: appArguments
+  try {
+    await execFileAsync(command, args, execOptions);
+  } catch (_error) {
+    if ((platformName === "linux" || platformName === "freebsd" || platformName === "openbsd") && command === "xdg-open") {
+      const fallbackCommands = [
+        { command: "gnome-open", detached: false },
+        { command: "kde-open", detached: false },
+        { command: "firefox", detached: true },
+        { command: "chromium", detached: true },
+        { command: "google-chrome", detached: true },
+        { command: "microsoft-edge", detached: true }
+      ];
+      for (const { command: fallbackCommand, detached } of fallbackCommands) {
+        try {
+          if (detached) {
+            await launchDetached(fallbackCommand, [url]);
+          } else {
+            await execFileAsync(fallbackCommand, [url], execOptions);
+          }
+          return;
+        } catch {
+          continue;
         }
-      });
+      }
     }
-    throw new Error(`${browser.name} is not supported as a default browser`);
+    console.warn(
+      `Failed to open browser automatically. Please open this URL manually: ${url}`
+    );
+    return;
   }
-  let command;
-  const cliArguments = [];
-  const childProcessOptions = {};
-  if (platform === "darwin") {
-    command = "open";
-    if (options.wait) {
-      cliArguments.push("--wait-apps");
-    }
-    if (options.background) {
-      cliArguments.push("--background");
-    }
-    if (options.newInstance) {
-      cliArguments.push("--new");
-    }
-    if (app) {
-      cliArguments.push("-a", app);
-    }
-  } else if (platform === "win32" || is_wsl_default && !isInsideContainer() && !app) {
-    command = await powerShellPath();
-    cliArguments.push(
-      "-NoProfile",
-      "-NonInteractive",
-      "-ExecutionPolicy",
-      "Bypass",
-      "-EncodedCommand"
+}
+__name(openBrowserSecurely, "openBrowserSecurely");
+async function launchDetached(command, args) {
+  const spawnOptions = {
+    env: {
+      ...process.env,
+      SHELL: void 0
+    },
+    detached: true,
+    stdio: "ignore"
+  };
+  await new Promise((resolve2, reject) => {
+    const child = spawn(command, args, spawnOptions);
+    let settled = false;
+    child.once("error", (error) => {
+      if (settled) {
+        return;
+      }
+      settled = true;
+      reject(error);
+    });
+    child.once("spawn", () => {
+      if (settled) {
+        return;
+      }
+      settled = true;
+      child.unref();
+      resolve2();
+    });
+  });
+}
+__name(launchDetached, "launchDetached");
+function formatLaunchError(error) {
+  return error instanceof Error ? error.message : String(error);
+}
+__name(formatLaunchError, "formatLaunchError");
+function buildBrowserCommand(browserEnv, url) {
+  if (!browserEnv) {
+    return void 0;
+  }
+  const browserCommand = parseBrowserCommand(browserEnv);
+  if (!browserCommand) {
+    console.warn(
+      "Invalid BROWSER environment variable, falling back to platform default."
     );
-    if (!is_wsl_default) {
-      childProcessOptions.windowsVerbatimArguments = true;
-    }
-    const encodedArguments = ["Start"];
-    if (options.wait) {
-      encodedArguments.push("-Wait");
+    return void 0;
+  }
+  if (isBrowserCommandBlocked(browserCommand.command)) {
+    return void 0;
+  }
+  let usedPlaceholder = false;
+  const args = browserCommand.args.map((arg) => {
+    if (!arg.includes("%s")) {
+      return arg;
     }
-    if (app) {
-      encodedArguments.push(`"\`"${app}\`""`);
-      if (options.target) {
-        appArguments.push(options.target);
+    usedPlaceholder = true;
+    return arg.replace(/%s/g, () => url);
+  });
+  if (!usedPlaceholder) {
+    args.push(url);
+  }
+  return { command: browserCommand.command, args };
+}
+__name(buildBrowserCommand, "buildBrowserCommand");
+function parseBrowserCommand(browserEnv) {
+  const parts = [];
+  let current = "";
+  let quote;
+  for (const char of browserEnv) {
+    if (quote) {
+      if (char === quote) {
+        quote = void 0;
+      } else {
+        current += char;
       }
-    } else if (options.target) {
-      encodedArguments.push(`"${options.target}"`);
+      continue;
     }
-    if (appArguments.length > 0) {
-      appArguments = appArguments.map((argument) => `"\`"${argument}\`""`);
-      encodedArguments.push("-ArgumentList", appArguments.join(","));
+    if (char === '"' || char === "'") {
+      quote = char;
+      continue;
     }
-    options.target = Buffer.from(encodedArguments.join(" "), "utf16le").toString("base64");
-  } else {
-    if (app) {
-      command = app;
-    } else {
-      const isBundled = !__dirname || __dirname === "/";
-      let exeLocalXdgOpen = false;
-      try {
-        await fs5.access(localXdgOpenPath, fsConstants2.X_OK);
-        exeLocalXdgOpen = true;
-      } catch {
+    if (/\s/.test(char)) {
+      if (current) {
+        parts.push(current);
+        current = "";
       }
-      const useSystemXdgOpen = process7.versions.electron ?? (platform === "android" || isBundled || !exeLocalXdgOpen);
-      command = useSystemXdgOpen ? "xdg-open" : localXdgOpenPath;
-    }
-    if (appArguments.length > 0) {
-      cliArguments.push(...appArguments);
+      continue;
     }
-    if (!options.wait) {
-      childProcessOptions.stdio = "ignore";
-      childProcessOptions.detached = true;
-    }
-  }
-  if (platform === "darwin" && appArguments.length > 0) {
-    cliArguments.push("--args", ...appArguments);
-  }
-  if (options.target) {
-    cliArguments.push(options.target);
+    current += char;
   }
-  const subprocess = childProcess.spawn(command, cliArguments, childProcessOptions);
-  if (options.wait) {
-    return new Promise((resolve, reject) => {
-      subprocess.once("error", reject);
-      subprocess.once("close", (exitCode) => {
-        if (!options.allowNonzeroExitCode && exitCode > 0) {
-          reject(new Error(`Exited with code ${exitCode}`));
-          return;
-        }
-        resolve(subprocess);
-      });
-    });
-  }
-  subprocess.unref();
-  return subprocess;
-}, "baseOpen");
-var open = /* @__PURE__ */ __name((target, options) => {
-  if (typeof target !== "string") {
-    throw new TypeError("Expected a `target`");
+  if (quote) {
+    return void 0;
   }
-  return baseOpen({
-    ...options,
-    target
-  });
-}, "open");
-function detectArchBinary(binary) {
-  if (typeof binary === "string" || Array.isArray(binary)) {
-    return binary;
+  if (current) {
+    parts.push(current);
   }
-  const { [arch]: archBinary } = binary;
-  if (!archBinary) {
-    throw new Error(`${arch} is not supported`);
+  const [command, ...args] = parts;
+  if (!command) {
+    return void 0;
   }
-  return archBinary;
+  return { command, args };
 }
-__name(detectArchBinary, "detectArchBinary");
-function detectPlatformBinary({ [platform]: platformBinary }, { wsl }) {
-  if (wsl && is_wsl_default) {
-    return detectArchBinary(wsl);
-  }
-  if (!platformBinary) {
-    throw new Error(`${platform} is not supported`);
-  }
-  return detectArchBinary(platformBinary);
+__name(parseBrowserCommand, "parseBrowserCommand");
+function shouldLaunchBrowser() {
+  return shouldAttemptBrowserLaunch();
 }
-__name(detectPlatformBinary, "detectPlatformBinary");
-var apps = {};
-defineLazyProperty(apps, "chrome", () => detectPlatformBinary({
-  darwin: "google chrome",
-  win32: "chrome",
-  linux: ["google-chrome", "google-chrome-stable", "chromium"]
-}, {
-  wsl: {
-    ia32: "/mnt/c/Program Files (x86)/Google/Chrome/Application/chrome.exe",
-    x64: ["/mnt/c/Program Files/Google/Chrome/Application/chrome.exe", "/mnt/c/Program Files (x86)/Google/Chrome/Application/chrome.exe"]
-  }
-}));
-defineLazyProperty(apps, "brave", () => detectPlatformBinary({
-  darwin: "brave browser",
-  win32: "brave",
-  linux: ["brave-browser", "brave"]
-}, {
-  wsl: {
-    ia32: "/mnt/c/Program Files (x86)/BraveSoftware/Brave-Browser/Application/brave.exe",
-    x64: ["/mnt/c/Program Files/BraveSoftware/Brave-Browser/Application/brave.exe", "/mnt/c/Program Files (x86)/BraveSoftware/Brave-Browser/Application/brave.exe"]
-  }
-}));
-defineLazyProperty(apps, "firefox", () => detectPlatformBinary({
-  darwin: "firefox",
-  win32: String.raw`C:\Program Files\Mozilla Firefox\firefox.exe`,
-  linux: "firefox"
-}, {
-  wsl: "/mnt/c/Program Files/Mozilla Firefox/firefox.exe"
-}));
-defineLazyProperty(apps, "edge", () => detectPlatformBinary({
-  darwin: "microsoft edge",
-  win32: "msedge",
-  linux: ["microsoft-edge", "microsoft-edge-dev"]
-}, {
-  wsl: "/mnt/c/Program Files (x86)/Microsoft/Edge/Application/msedge.exe"
-}));
-defineLazyProperty(apps, "browser", () => "browser");
-defineLazyProperty(apps, "browserPrivate", () => "browserPrivate");
-var open_default = open;
-
-// packages/core/src/qwen/qwenOAuth2.ts
-import { EventEmitter } from "events";
-import { randomUUID as randomUUID2 } from "node:crypto";
+__name(shouldLaunchBrowser, "shouldLaunchBrowser");
 
 // packages/core/src/qwen/sharedTokenManager.ts
 init_esbuild_shims();
-import path2 from "node:path";
-import { promises as fs6, unlinkSync } from "node:fs";
+import path from "node:path";
+import { promises as fs, unlinkSync } from "node:fs";
 import { randomUUID } from "node:crypto";
 var debugLogger = createDebugLogger("QWEN_OAUTH");
 var QWEN_CREDENTIAL_FILENAME = "oauth_creds.json";
 var QWEN_LOCK_FILENAME = "oauth_creds.lock";
 var TOKEN_REFRESH_BUFFER_MS = 30 * 1e3;
-var LOCK_TIMEOUT_MS = 1e4;
+var LOCK_TIMEOUT_MS = 35e3;
 var CACHE_CHECK_INTERVAL_MS = 5e3;
 var DEFAULT_LOCK_CONFIG = {
   maxAttempts: 20,
@@ -763,7 +517,7 @@ var SharedTokenManager = class _SharedTokenManager {
     try {
       const filePath = this.getCredentialFilePath();
       const stats = await this.withTimeout(
-        fs6.stat(filePath),
+        fs.stat(filePath),
         3e3,
         "File operation"
       );
@@ -790,7 +544,7 @@ var SharedTokenManager = class _SharedTokenManager {
   async forceFileCheck(qwenClient) {
     try {
       const filePath = this.getCredentialFilePath();
-      const stats = await fs6.stat(filePath);
+      const stats = await fs.stat(filePath);
       const fileModTime = stats.mtimeMs;
       if (fileModTime > this.memoryCache.fileModTime) {
         await this.reloadCredentialsFromFile(qwenClient);
@@ -815,7 +569,7 @@ var SharedTokenManager = class _SharedTokenManager {
   async reloadCredentialsFromFile(qwenClient) {
     try {
       const filePath = this.getCredentialFilePath();
-      const content = await fs6.readFile(filePath, "utf-8");
+      const content = await fs.readFile(filePath, "utf-8");
       const parsedData = JSON.parse(content);
       const credentials = validateCredentials(parsedData);
       const previousCredentials = this.memoryCache.credentials;
@@ -943,11 +697,10 @@ var SharedTokenManager = class _SharedTokenManager {
    */
   async saveCredentialsToFile(credentials) {
     const filePath = this.getCredentialFilePath();
-    const dirPath = path2.dirname(filePath);
-    const tempPath = `${filePath}.tmp.${randomUUID()}`;
+    const dirPath = path.dirname(filePath);
     try {
       await this.withTimeout(
-        fs6.mkdir(dirPath, { recursive: true, mode: 448 }),
+        fs.mkdir(dirPath, { recursive: true, mode: 448 }),
         5e3,
         "File operation"
       );
@@ -960,27 +713,18 @@ var SharedTokenManager = class _SharedTokenManager {
     }
     const credString = JSON.stringify(credentials, null, 2);
     try {
-      await this.withTimeout(
-        fs6.writeFile(tempPath, credString, { mode: 384 }),
-        5e3,
-        "File operation"
-      );
-      await this.withTimeout(
-        fs6.rename(tempPath, filePath),
-        5e3,
-        "File operation"
-      );
+      await atomicWriteFile(filePath, credString, {
+        mode: 384,
+        forceMode: true,
+        noFollow: true
+      });
       const stats = await this.withTimeout(
-        fs6.stat(filePath),
+        fs.stat(filePath),
         5e3,
         "File operation"
       );
       this.memoryCache.fileModTime = stats.mtimeMs;
     } catch (error) {
-      try {
-        await this.withTimeout(fs6.unlink(tempPath), 1e3, "File operation");
-      } catch (_cleanupError) {
-      }
       throw new TokenManagerError(
         "FILE_ACCESS_ERROR" /* FILE_ACCESS_ERROR */,
         `Failed to write credentials file: ${error instanceof Error ? error.message : String(error)}`,
@@ -1006,7 +750,7 @@ var SharedTokenManager = class _SharedTokenManager {
    * @returns The absolute path to the credentials file
    */
   getCredentialFilePath() {
-    return path2.join(Storage.getGlobalQwenDir(), QWEN_CREDENTIAL_FILENAME);
+    return path.join(Storage.getGlobalQwenDir(), QWEN_CREDENTIAL_FILENAME);
   }
   /**
    * Get the full path to the lock file
@@ -1014,7 +758,7 @@ var SharedTokenManager = class _SharedTokenManager {
    * @returns The absolute path to the lock file
    */
   getLockFilePath() {
-    return path2.join(Storage.getGlobalQwenDir(), QWEN_LOCK_FILENAME);
+    return path.join(Storage.getGlobalQwenDir(), QWEN_LOCK_FILENAME);
   }
   /**
    * Acquire a file lock to prevent other processes from refreshing tokens simultaneously
@@ -1028,18 +772,18 @@ var SharedTokenManager = class _SharedTokenManager {
     let currentInterval = attemptInterval;
     for (let attempt = 0; attempt < maxAttempts; attempt++) {
       try {
-        await fs6.writeFile(lockPath, lockId, { flag: "wx" });
+        await fs.writeFile(lockPath, lockId, { flag: "wx" });
         return;
       } catch (error) {
         if (error.code === "EEXIST") {
           try {
-            const stats = await fs6.stat(lockPath);
+            const stats = await fs.stat(lockPath);
             const lockAge = Date.now() - stats.mtimeMs;
             if (lockAge > LOCK_TIMEOUT_MS) {
               const tempPath = `${lockPath}.stale.${randomUUID()}`;
               try {
-                await fs6.rename(lockPath, tempPath);
-                await fs6.unlink(tempPath);
+                await fs.rename(lockPath, tempPath);
+                await fs.unlink(tempPath);
                 debugLogger.warn(
                   `Removed stale lock file: ${lockPath} (age: ${lockAge}ms)`
                 );
@@ -1055,7 +799,7 @@ var SharedTokenManager = class _SharedTokenManager {
               `Failed to stat lock file ${lockPath}: ${statError instanceof Error ? statError.message : String(statError)}`
             );
           }
-          await new Promise((resolve) => setTimeout(resolve, currentInterval));
+          await new Promise((resolve2) => setTimeout(resolve2, currentInterval));
           currentInterval = Math.min(currentInterval * 1.5, maxInterval);
         } else {
           throw new TokenManagerError(
@@ -1078,7 +822,7 @@ var SharedTokenManager = class _SharedTokenManager {
    */
   async releaseLock(lockPath) {
     try {
-      await fs6.unlink(lockPath);
+      await fs.unlink(lockPath);
     } catch (error) {
       if (error.code !== "ENOENT") {
         debugLogger.warn(
@@ -1171,6 +915,7 @@ var QWEN_OAUTH_TOKEN_ENDPOINT = `${QWEN_OAUTH_BASE_URL}/api/v1/oauth2/token`;
 var QWEN_OAUTH_CLIENT_ID = "f0304373b74a44d2b584a3fb70ca9e56";
 var QWEN_OAUTH_SCOPE = "openid profile email model.completion";
 var QWEN_OAUTH_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code";
+var QWEN_OAUTH_REFRESH_TIMEOUT_MS = 3e4;
 var QWEN_CREDENTIAL_FILENAME2 = "oauth_creds.json";
 function generateCodeVerifier() {
   return crypto.randomBytes(32).toString("base64url");
@@ -1192,6 +937,16 @@ function objectToUrlEncoded(data) {
   return Object.keys(data).map((key) => `${encodeURIComponent(key)}=${encodeURIComponent(data[key])}`).join("&");
 }
 __name(objectToUrlEncoded, "objectToUrlEncoded");
+function createTokenRefreshNetworkError(error, timedOut) {
+  const prefix = timedOut ? "Token refresh timeout" : "Token refresh failed";
+  return new Error(
+    `${prefix}: ${formatFetchErrorForUser(error, {
+      url: QWEN_OAUTH_TOKEN_ENDPOINT
+    })}`,
+    { cause: error }
+  );
+}
+__name(createTokenRefreshNetworkError, "createTokenRefreshNetworkError");
 var CredentialsClearRequiredError = class extends Error {
   constructor(message, originalError) {
     super(message);
@@ -1369,59 +1124,78 @@ var QwenOAuth2Client = class {
       refresh_token: this.credentials.refresh_token,
       client_id: QWEN_OAUTH_CLIENT_ID
     };
-    const response = await fetch(QWEN_OAUTH_TOKEN_ENDPOINT, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/x-www-form-urlencoded",
-        Accept: "application/json"
-      },
-      body: objectToUrlEncoded(bodyData)
+    const { signal, cleanup } = combineAbortSignals([], {
+      timeoutMs: QWEN_OAUTH_REFRESH_TIMEOUT_MS
     });
-    if (!response.ok) {
-      const errorData = await response.text();
-      if (response.status === 400 || response.status === 401) {
-        await clearQwenCredentials();
-        throw new CredentialsClearRequiredError(
-          "Refresh token expired or invalid. Please use '/auth' to re-authenticate.",
-          { status: response.status, response: errorData }
+    debugLogger2.debug("Refreshing access token...");
+    try {
+      let response;
+      try {
+        response = await fetch(QWEN_OAUTH_TOKEN_ENDPOINT, {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/x-www-form-urlencoded",
+            Accept: "application/json"
+          },
+          body: objectToUrlEncoded(bodyData),
+          signal
+        });
+      } catch (error) {
+        throw createTokenRefreshNetworkError(error, signal.aborted);
+      }
+      if (!response.ok) {
+        let errorData;
+        try {
+          errorData = await response.text();
+        } catch (error) {
+          throw createTokenRefreshNetworkError(error, signal.aborted);
+        }
+        if (response.status === 400 || response.status === 401) {
+          await clearQwenCredentials();
+          throw new CredentialsClearRequiredError(
+            "Refresh token expired or invalid. Please use '/auth' to re-authenticate.",
+            { status: response.status, response: errorData }
+          );
+        }
+        throw new Error(
+          `Token refresh failed: ${response.status} ${response.statusText}. Response: ${errorData}`
         );
       }
-      throw new Error(
-        `Token refresh failed: ${response.status} ${response.statusText}. Response: ${errorData}`
-      );
-    }
-    let responseText;
-    try {
-      responseText = await response.text();
-    } catch {
-      responseText = "";
-    }
-    let responseData;
-    try {
-      responseData = JSON.parse(responseText);
-    } catch {
-      throw new Error(
-        `Qwen OAuth refresh returned invalid JSON: ${responseText || "(empty response body)"}`
-      );
-    }
-    if (isErrorResponse(responseData)) {
-      const errorData = responseData;
-      throw new Error(
-        `Token refresh failed: ${errorData?.error || "Unknown error"} - ${errorData?.error_description || "No details provided"}`
-      );
+      let responseText;
+      try {
+        responseText = await response.text();
+      } catch (error) {
+        throw createTokenRefreshNetworkError(error, signal.aborted);
+      }
+      let responseData;
+      try {
+        responseData = JSON.parse(responseText);
+      } catch {
+        throw new Error(
+          `Qwen OAuth refresh returned invalid JSON: ${responseText || "(empty response body)"}`
+        );
+      }
+      if (isErrorResponse(responseData)) {
+        const errorData = responseData;
+        throw new Error(
+          `Token refresh failed: ${errorData?.error || "Unknown error"} - ${errorData?.error_description || "No details provided"}`
+        );
+      }
+      const tokenData = responseData;
+      const tokens = {
+        access_token: tokenData.access_token,
+        token_type: tokenData.token_type,
+        // Use new refresh token if provided, otherwise preserve existing one
+        refresh_token: tokenData.refresh_token || this.credentials.refresh_token,
+        resource_url: tokenData.resource_url,
+        // Include resource_url if provided
+        expiry_date: Date.now() + tokenData.expires_in * 1e3
+      };
+      this.setCredentials(tokens);
+      return responseData;
+    } finally {
+      cleanup();
     }
-    const tokenData = responseData;
-    const tokens = {
-      access_token: tokenData.access_token,
-      token_type: tokenData.token_type,
-      // Use new refresh token if provided, otherwise preserve existing one
-      refresh_token: tokenData.refresh_token || this.credentials.refresh_token,
-      resource_url: tokenData.resource_url,
-      // Include resource_url if provided
-      expiry_date: Date.now() + tokenData.expires_in * 1e3
-    };
-    this.setCredentials(tokens);
-    return responseData;
   }
 };
 var QwenOAuth2Event = /* @__PURE__ */ ((QwenOAuth2Event2) => {
@@ -1579,19 +1353,8 @@ async function authWithQwenDeviceFlow(client, config) {
     qwenOAuth2Events.emit("auth-progress" /* AuthProgress */, status, message);
   }, "emitAuthProgress");
   const launchBrowser = /* @__PURE__ */ __name(async (url) => {
-    let childProcess2;
     try {
-      childProcess2 = await open_default(url);
-      if (childProcess2 && typeof childProcess2.on === "function") {
-        childProcess2.on("error", (err) => {
-          debugLogger2.warn(`Browser launch process error: ${err.message}`);
-          debugLogger2.info(`Please open this URL manually: ${url}`);
-        });
-      } else {
-        debugLogger2.debug(
-          "open() did not return a valid child process object."
-        );
-      }
+      await openBrowserSecurely(url);
     } catch (err) {
       const errorMessage = err instanceof Error ? err.message : String(err);
       debugLogger2.warn(`Failed to open browser automatically: ${errorMessage}`);
@@ -1671,19 +1434,19 @@ Server requested to slow down, increasing poll interval to ${pollInterval}ms'`
             "polling",
             `Polling... (attempt ${attempt + 1}/${maxAttempts})`
           );
-          await new Promise((resolve) => {
+          await new Promise((resolve2) => {
             const checkInterval = 100;
             let elapsedTime = 0;
             const intervalId = setInterval(() => {
               elapsedTime += checkInterval;
               if (isCancelled) {
                 clearInterval(intervalId);
-                resolve();
+                resolve2();
                 return;
               }
               if (elapsedTime >= pollInterval) {
                 clearInterval(intervalId);
-                resolve();
+                resolve2();
                 return;
               }
             }, checkInterval);
@@ -1729,7 +1492,7 @@ Server requested to slow down, increasing poll interval to ${pollInterval}ms'`
         }
         const message = `Error polling for token: ${errorMessage}`;
         emitAuthProgress("error", message);
-        await new Promise((resolve) => setTimeout(resolve, pollInterval));
+        await new Promise((resolve2) => setTimeout(resolve2, pollInterval));
       }
     }
     const timeoutMessage = "Authorization timeout, please restart the process.";
@@ -1751,16 +1514,16 @@ var QWEN_CREDENTIAL_FILE_MODE = 384;
 async function cacheQwenCredentials(credentials, opts) {
   const filePath = getQwenCachedCredentialPath();
   try {
-    await fs7.mkdir(path3.dirname(filePath), { recursive: true });
+    await fs2.mkdir(path2.dirname(filePath), { recursive: true });
     const credString = JSON.stringify(credentials, null, 2);
     const tempPath = `${filePath}.tmp.${process.pid}.${randomUUID2()}`;
     try {
-      await fs7.writeFile(tempPath, credString, {
+      await fs2.writeFile(tempPath, credString, {
         mode: QWEN_CREDENTIAL_FILE_MODE,
         ...opts?.signal ? { signal: opts.signal } : {}
       });
       try {
-        await fs7.chmod(tempPath, QWEN_CREDENTIAL_FILE_MODE);
+        await fs2.chmod(tempPath, QWEN_CREDENTIAL_FILE_MODE);
       } catch (chmodErr) {
         if (process.platform !== "win32") {
           throw new Error(
@@ -1771,10 +1534,10 @@ async function cacheQwenCredentials(credentials, opts) {
           `cacheQwenCredentials: chmod 0o${QWEN_CREDENTIAL_FILE_MODE.toString(8)} on Windows temp file ${tempPath} failed; relying on NTFS ACL: ${chmodErr instanceof Error ? chmodErr.message : String(chmodErr)}`
         );
       }
-      await fs7.rename(tempPath, filePath);
+      await fs2.rename(tempPath, filePath);
     } catch (writeErr) {
       try {
-        await fs7.unlink(tempPath);
+        await fs2.unlink(tempPath);
       } catch {
       }
       throw writeErr;
@@ -1795,7 +1558,7 @@ async function cacheQwenCredentials(credentials, opts) {
       );
     }
     throw new Error(
-      `Failed to cache credentials: error when creating folder \`${path3.dirname(filePath)}\` and writing to \`${filePath}\`. ${errorMessage}. Please check permissions.`
+      `Failed to cache credentials: error when creating folder \`${path2.dirname(filePath)}\` and writing to \`${filePath}\`. ${errorMessage}. Please check permissions.`
     );
   }
 }
@@ -1803,7 +1566,7 @@ __name(cacheQwenCredentials, "cacheQwenCredentials");
 async function clearQwenCredentials() {
   try {
     const filePath = getQwenCachedCredentialPath();
-    await fs7.unlink(filePath);
+    await fs2.unlink(filePath);
     debugLogger2.debug("Cached Qwen credentials cleared successfully.");
   } catch (error) {
     if (error instanceof Error && "code" in error && error.code === "ENOENT") {
@@ -1822,13 +1585,16 @@ async function clearQwenCredentials() {
 }
 __name(clearQwenCredentials, "clearQwenCredentials");
 function getQwenCachedCredentialPath() {
-  return path3.join(Storage.getGlobalQwenDir(), QWEN_CREDENTIAL_FILENAME2);
+  return path2.join(Storage.getGlobalQwenDir(), QWEN_CREDENTIAL_FILENAME2);
 }
 __name(getQwenCachedCredentialPath, "getQwenCachedCredentialPath");
 var clearCachedCredentialFile = clearQwenCredentials;
 
 export {
-  open_default,
+  isBrowserCommandBlocked,
+  shouldAttemptBrowserLaunch,
+  openBrowserSecurely,
+  shouldLaunchBrowser,
   SharedTokenManager,
   generateCodeVerifier,
   generateCodeChallenge,
@@ -1848,6 +1614,11 @@ export {
   clearQwenCredentials,
   clearCachedCredentialFile
 };
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
 /**
  * @license
  * Copyright 2025 Qwen