@nick3/copilot-api 1.0.8 → 1.1.3

package/dist/{server-BnJIteDi.js → server-2YTgFCW0.js}

@@ -1,4 +1,4 @@
-import { HTTPError, PATHS, accountFromState, accountsManager, copilotBaseUrl, copilotHeaders, forwardError, getAliasTargetSet, getConfig, getCopilotUsage, getExtraPromptForModel, getModelAliases, getModelAliasesInfo, getModelRefreshIntervalMs, getReasoningEffortForModel, getSmallModel, isForceAgentEnabled, isFreeModelLoadBalancingEnabled, isMessageStartInputTokensFallbackEnabled, isNullish, listAccountsFromRegistry, mergeConfigWithDefaults, shouldCompactUseSmallModel, sleep, state } from "./accounts-manager-CJtqVqDx.js";
+import { HTTPError, PATHS, accountFromState, accountsManager, copilotBaseUrl, copilotHeaders, forwardError, getAliasTargetSet, getConfig, getCopilotUsage, getExtraPromptForModel, getModelAliases, getModelAliasesInfo, getModelRefreshIntervalMs, getReasoningEffortForModel, getSmallModel, isForceAgentEnabled, isFreeModelLoadBalancingEnabled, isMessageStartInputTokensFallbackEnabled, isNullish, listAccountsFromRegistry, mergeConfigWithDefaults, shouldCompactUseSmallModel, sleep, state } from "./accounts-manager-CfBWqxBl.js";
 import consola from "consola";
 import fs, { readFile } from "node:fs/promises";
 import * as path$1 from "node:path";
@@ -14,27 +14,56 @@ import { streamSSE } from "hono/streaming";
 import util from "node:util";
 import { events } from "fetch-event-stream";
 
-//#region src/lib/api-key-auth.ts
-const API_KEY_ENV_VAR = "COPILOT_API_KEY";
-function resolveConfiguredApiKey() {
-	const envKey = process.env[API_KEY_ENV_VAR]?.trim();
-	if (envKey) return envKey;
-	const configKey = getConfig().apiKey?.trim();
-	if (configKey) return configKey;
-}
-function parseBearerToken(value) {
-	const trimmed = value.trim();
-	if (!trimmed.toLowerCase().startsWith("bearer ")) return void 0;
-	return trimmed.slice(7).trim() || void 0;
-}
-function extractRequestApiKey(headers) {
-	const headerToken = headers.get("x-api-key")?.trim();
-	if (headerToken) return headerToken;
-	const bearer = headers.get("authorization");
-	if (bearer) {
-		const token = parseBearerToken(bearer);
-		if (token) return token;
+//#region src/lib/request-auth.ts
+const LEGACY_API_KEY_ENV_VAR = "COPILOT_API_KEY";
+let warnedLegacyEnvFallback = false;
+let warnedLegacyConfigFallback = false;
+function normalizeApiKeys(apiKeys) {
+	if (!Array.isArray(apiKeys)) {
+		if (apiKeys !== void 0) consola.warn("Invalid auth.apiKeys config. Expected an array of strings.");
+		return [];
+	}
+	const normalizedKeys = apiKeys.filter((key) => typeof key === "string").map((key) => key.trim()).filter((key) => key.length > 0);
+	if (normalizedKeys.length !== apiKeys.length) consola.warn("Invalid auth.apiKeys entries found. Only non-empty strings are allowed.");
+	return [...new Set(normalizedKeys)];
+}
+function getConfiguredApiKeys() {
+	const config = getConfig();
+	const configuredApiKeys = normalizeApiKeys(config.auth?.apiKeys);
+	if (configuredApiKeys.length > 0) return configuredApiKeys;
+	const envApiKey = process.env[LEGACY_API_KEY_ENV_VAR]?.trim();
+	if (envApiKey) {
+		if (!warnedLegacyEnvFallback) {
+			warnedLegacyEnvFallback = true;
+			consola.warn(`Using legacy ${LEGACY_API_KEY_ENV_VAR}. Please migrate to config.auth.apiKeys.`);
+		}
+		return [envApiKey];
 	}
+	const legacyConfigApiKey = config.apiKey?.trim();
+	if (legacyConfigApiKey) {
+		if (!warnedLegacyConfigFallback) {
+			warnedLegacyConfigFallback = true;
+			consola.warn("Using deprecated config.apiKey. Please migrate to config.auth.apiKeys.");
+		}
+		return [legacyConfigApiKey];
+	}
+	return configuredApiKeys;
+}
+function extractRequestApiKey(c) {
+	const xApiKey = c.req.header("x-api-key")?.trim();
+	if (xApiKey) return xApiKey;
+	const authorization = c.req.header("authorization");
+	if (!authorization) return null;
+	const [scheme, ...rest] = authorization.trim().split(/\s+/);
+	if (scheme.toLowerCase() !== "bearer") return null;
+	return rest.join(" ").trim() || null;
+}
+function createUnauthorizedResponse(c) {
+	c.header("WWW-Authenticate", "Bearer realm=\"copilot-api\"");
+	return c.json({ error: {
+		message: "Unauthorized. Provide Authorization: Bearer <key> or x-api-key.",
+		type: "unauthorized"
+	} }, 401);
 }
 function normalizePathname(pathname) {
 	if (pathname.length > 1 && pathname.endsWith("/")) return pathname.slice(0, -1);
@@ -43,10 +72,6 @@ function normalizePathname(pathname) {
 function hasPrefixBoundary(pathname, prefix) {
 	return pathname === prefix || pathname.startsWith(`${prefix}/`);
 }
-function isProtectedPath(pathnameRaw) {
-	const pathname = normalizePathname(pathnameRaw);
-	return hasPrefixBoundary(pathname, "/v1") || hasPrefixBoundary(pathname, "/token") || hasPrefixBoundary(pathname, "/usage") || hasPrefixBoundary(pathname, "/chat/completions") || hasPrefixBoundary(pathname, "/embeddings") || hasPrefixBoundary(pathname, "/models") || hasPrefixBoundary(pathname, "/responses");
-}
 function timingSafeKeyCompare(a, b) {
 	try {
 		const aBuf = Buffer.from(a);
@@ -57,30 +82,21 @@ function timingSafeKeyCompare(a, b) {
 		return false;
 	}
 }
-function createApiKeyAuthMiddleware(options = {}) {
-	const getConfiguredKey = options.getConfiguredApiKey ?? resolveConfiguredApiKey;
-	const isPathProtected = options.isProtectedPath ?? isProtectedPath;
+function createAuthMiddleware(options = {}) {
+	const getApiKeys = options.getApiKeys ?? getConfiguredApiKeys;
+	const allowUnauthenticatedPaths = new Set((options.allowUnauthenticatedPaths ?? ["/"]).map((path$2) => normalizePathname(path$2)));
+	const allowUnauthenticatedPathPrefixes = (options.allowUnauthenticatedPathPrefixes ?? []).map((path$2) => normalizePathname(path$2));
+	const allowOptionsBypass = options.allowOptionsBypass ?? true;
 	return async (c, next) => {
-		if (c.req.method === "OPTIONS") {
-			await next();
-			return;
-		}
-		const url = new URL(c.req.url, "http://local");
-		if (!isPathProtected(url.pathname)) {
-			await next();
-			return;
-		}
-		const configuredKey = getConfiguredKey();
-		if (!configuredKey) {
-			await next();
-			return;
-		}
-		const providedKey = extractRequestApiKey(c.req.raw.headers);
-		if (!providedKey || !timingSafeKeyCompare(providedKey, configuredKey)) return c.json({ error: {
-			message: "Unauthorized. Provide Authorization: Bearer <key> or x-api-key.",
-			type: "unauthorized"
-		} }, 401);
-		await next();
+		if (allowOptionsBypass && c.req.method === "OPTIONS") return next();
+		const pathname = normalizePathname(new URL(c.req.url, "http://local").pathname);
+		if (allowUnauthenticatedPaths.has(pathname)) return next();
+		if (allowUnauthenticatedPathPrefixes.some((prefix) => hasPrefixBoundary(pathname, prefix))) return next();
+		const apiKeys = getApiKeys();
+		if (apiKeys.length === 0) return next();
+		const requestApiKey = extractRequestApiKey(c);
+		if (!(requestApiKey ? apiKeys.some((apiKey) => timingSafeKeyCompare(requestApiKey, apiKey)) : false)) return createUnauthorizedResponse(c);
+		return next();
 	};
 }
 
@@ -705,6 +721,7 @@ function parseTriStateBool(value) {
 	if (value === "0") return false;
 }
 const CONFIG_KEYS = new Set([
+	"auth",
 	"extraPrompts",
 	"smallModel",
 	"freeModelLoadBalancing",
@@ -755,6 +772,16 @@ function parseOptionalNonNegativeNumber(value, field) {
 	if (!Number.isFinite(value) || value < 0) return { error: `${field} must be a non-negative number` };
 	return { value };
 }
+function parseAuthConfig(value) {
+	if (value === null || value === void 0) return { clear: true };
+	if (!isPlainObject(value)) return { error: "auth must be an object" };
+	for (const key of Object.keys(value)) if (key !== "apiKeys") return { error: `auth.${key} is not supported` };
+	if (!("apiKeys" in value) || value.apiKeys === null || value.apiKeys === void 0) return { value: { apiKeys: [] } };
+	if (!Array.isArray(value.apiKeys)) return { error: "auth.apiKeys must be an array of strings" };
+	const normalizedApiKeys = value.apiKeys.filter((item) => typeof item === "string").map((item) => item.trim()).filter((item) => item.length > 0);
+	if (normalizedApiKeys.length !== value.apiKeys.length) return { error: "auth.apiKeys must contain non-empty strings only" };
+	return { value: { apiKeys: [...new Set(normalizedApiKeys)] } };
+}
 function parseStringRecord(value, field) {
 	if (value === null || value === void 0) return { clear: true };
 	if (!isPlainObject(value)) return { error: `${field} must be an object with string values` };
@@ -830,6 +857,15 @@ function applyOptionalString(next, key, value) {
 	}
 	next[key] = parsed.value;
 }
+function applyAuthConfig(next, value) {
+	const parsed = parseAuthConfig(value);
+	if ("error" in parsed) return parsed.error;
+	if ("clear" in parsed) {
+		delete next.auth;
+		return;
+	}
+	next.auth = parsed.value;
+}
 function applyOptionalBoolean(next, key, value) {
 	const parsed = parseOptionalBoolean(value, key);
 	if ("error" in parsed) return parsed.error;
@@ -875,51 +911,29 @@ function applyModelAliases(next, value) {
 	}
 	next.modelAliases = parsed.value;
 }
+const CONFIG_PATCH_HANDLERS = {
+	auth: applyAuthConfig,
+	extraPrompts: applyExtraPrompts,
+	smallModel: (next, value) => applyOptionalString(next, "smallModel", value),
+	freeModelLoadBalancing: (next, value) => applyOptionalBoolean(next, "freeModelLoadBalancing", value),
+	apiKey: (next, value) => applyOptionalString(next, "apiKey", value),
+	modelReasoningEfforts: applyReasoningEfforts,
+	modelAliases: applyModelAliases,
+	allowOriginalModelNamesForAliases: (next, value) => applyOptionalBoolean(next, "allowOriginalModelNamesForAliases", value),
+	useFunctionApplyPatch: (next, value) => applyOptionalBoolean(next, "useFunctionApplyPatch", value),
+	forceAgent: (next, value) => applyOptionalBoolean(next, "forceAgent", value),
+	compactUseSmallModel: (next, value) => applyOptionalBoolean(next, "compactUseSmallModel", value),
+	messageStartInputTokensFallback: (next, value) => applyOptionalBoolean(next, "messageStartInputTokensFallback", value),
+	modelRefreshIntervalHours: (next, value) => applyOptionalNumber(next, "modelRefreshIntervalHours", value)
+};
 function applyConfigPatch(base, input) {
 	const next = { ...base };
 	for (const [rawKey, value] of Object.entries(input)) {
 		const key = rawKey;
 		if (!CONFIG_KEYS.has(key)) return { error: `Unknown config key: ${rawKey}` };
-		let error;
-		switch (rawKey) {
-			case "extraPrompts":
-				error = applyExtraPrompts(next, value);
-				break;
-			case "smallModel":
-				error = applyOptionalString(next, "smallModel", value);
-				break;
-			case "freeModelLoadBalancing":
-				error = applyOptionalBoolean(next, "freeModelLoadBalancing", value);
-				break;
-			case "apiKey":
-				error = applyOptionalString(next, "apiKey", value);
-				break;
-			case "modelReasoningEfforts":
-				error = applyReasoningEfforts(next, value);
-				break;
-			case "modelAliases":
-				error = applyModelAliases(next, value);
-				break;
-			case "allowOriginalModelNamesForAliases":
-				error = applyOptionalBoolean(next, "allowOriginalModelNamesForAliases", value);
-				break;
-			case "useFunctionApplyPatch":
-				error = applyOptionalBoolean(next, "useFunctionApplyPatch", value);
-				break;
-			case "forceAgent":
-				error = applyOptionalBoolean(next, "forceAgent", value);
-				break;
-			case "compactUseSmallModel":
-				error = applyOptionalBoolean(next, "compactUseSmallModel", value);
-				break;
-			case "messageStartInputTokensFallback":
-				error = applyOptionalBoolean(next, "messageStartInputTokensFallback", value);
-				break;
-			case "modelRefreshIntervalHours":
-				error = applyOptionalNumber(next, "modelRefreshIntervalHours", value);
-				break;
-			default: return { error: `Unsupported config key: ${rawKey}` };
-		}
+		const handler = CONFIG_PATCH_HANDLERS[rawKey];
+		if (!handler) return { error: `Unsupported config key: ${rawKey}` };
+		const error = handler(next, value);
 		if (error) return { error };
 	}
 	return { config: next };
@@ -2237,11 +2251,12 @@ const createResponses = async (payload, { vision, initiator, upstreamRequestId }
 //#endregion
 //#region src/routes/messages/responses-translation.ts
 const MESSAGE_TYPE = "message";
+const CODEX_PHASE_MODEL = "gpt-5.3-codex";
 const THINKING_TEXT$1 = "Thinking...";
 const translateAnthropicMessagesToResponsesPayload = (payload, modelOverride) => {
 	const model = modelOverride ?? payload.model;
 	const input = [];
-	for (const message of payload.messages) input.push(...translateMessage(message));
+	for (const message of payload.messages) input.push(...translateMessage(message, payload.model));
 	const translatedTools = convertAnthropicTools(payload.tools);
 	const toolChoice = convertAnthropicToolChoice(payload.tool_choice);
 	const { safetyIdentifier, promptCacheKey } = parseUserId(payload.metadata?.user_id);
@@ -2267,9 +2282,9 @@ const translateAnthropicMessagesToResponsesPayload = (payload, modelOverride) =>
 		include: ["reasoning.encrypted_content"]
 	};
 };
-const translateMessage = (message) => {
+const translateMessage = (message, model) => {
 	if (message.role === "user") return translateUserMessage(message);
-	return translateAssistantMessage(message);
+	return translateAssistantMessage(message, model);
 };
 const translateUserMessage = (message) => {
 	if (typeof message.content === "string") return [createMessage("user", message.content)];
@@ -2278,36 +2293,46 @@ const translateUserMessage = (message) => {
 	const pendingContent = [];
 	for (const block of message.content) {
 		if (block.type === "tool_result") {
-			flushPendingContent("user", pendingContent, items);
+			flushPendingContent(pendingContent, items, { role: "user" });
 			items.push(createFunctionCallOutput(block));
 			continue;
 		}
 		const converted = translateUserContentBlock(block);
 		if (converted) pendingContent.push(converted);
 	}
-	flushPendingContent("user", pendingContent, items);
+	flushPendingContent(pendingContent, items, { role: "user" });
 	return items;
 };
-const translateAssistantMessage = (message) => {
-	if (typeof message.content === "string") return [createMessage("assistant", message.content)];
+const translateAssistantMessage = (message, model) => {
+	const assistantPhase = resolveAssistantPhase(model, message.content);
+	if (typeof message.content === "string") return [createMessage("assistant", message.content, assistantPhase)];
 	if (!Array.isArray(message.content)) return [];
 	const items = [];
 	const pendingContent = [];
 	for (const block of message.content) {
 		if (block.type === "tool_use") {
-			flushPendingContent("assistant", pendingContent, items);
+			flushPendingContent(pendingContent, items, {
+				role: "assistant",
+				phase: assistantPhase
+			});
 			items.push(createFunctionToolCall(block));
 			continue;
 		}
 		if (block.type === "thinking" && block.signature && block.signature.includes("@")) {
-			flushPendingContent("assistant", pendingContent, items);
+			flushPendingContent(pendingContent, items, {
+				role: "assistant",
+				phase: assistantPhase
+			});
 			items.push(createReasoningContent(block));
 			continue;
 		}
 		const converted = translateAssistantContentBlock(block);
 		if (converted) pendingContent.push(converted);
 	}
-	flushPendingContent("assistant", pendingContent, items);
+	flushPendingContent(pendingContent, items, {
+		role: "assistant",
+		phase: assistantPhase
+	});
 	return items;
 };
 const translateUserContentBlock = (block) => {
@@ -2323,17 +2348,26 @@ const translateAssistantContentBlock = (block) => {
 		default: return;
 	}
 };
-const flushPendingContent = (role, pendingContent, target) => {
+const flushPendingContent = (pendingContent, target, message) => {
 	if (pendingContent.length === 0) return;
 	const messageContent = [...pendingContent];
-	target.push(createMessage(role, messageContent));
+	target.push(createMessage(message.role, messageContent, message.phase));
 	pendingContent.length = 0;
 };
-const createMessage = (role, content) => ({
+const createMessage = (role, content, phase) => ({
 	type: MESSAGE_TYPE,
 	role,
-	content
+	content,
+	...role === "assistant" && phase ? { phase } : {}
 });
+const resolveAssistantPhase = (model, content) => {
+	if (!shouldApplyCodexPhase(model)) return;
+	if (typeof content === "string") return "final_answer";
+	if (!Array.isArray(content)) return;
+	if (!content.some((block) => block.type === "text")) return;
+	return content.some((block) => block.type === "tool_use") ? "commentary" : "final_answer";
+};
+const shouldApplyCodexPhase = (model) => model === CODEX_PHASE_MODEL;
 const createTextContent = (text) => ({
 	type: "input_text",
 	text
@@ -5635,7 +5669,7 @@ usageRoute.get("/:accountIndex", async (c) => {
 const server = new Hono();
 server.use(logger());
 server.use(cors());
-server.use("*", createApiKeyAuthMiddleware());
+server.use("*", createAuthMiddleware({ allowUnauthenticatedPathPrefixes: ["/admin", "/api/admin"] }));
 server.get("/", (c) => c.text("Server running"));
 server.route("/chat/completions", completionRoutes);
 server.route("/models", modelRoutes);
@@ -5653,4 +5687,4 @@ server.route("/v1/messages", messageRoutes);
 
 //#endregion
 export { server };
-//# sourceMappingURL=server-BnJIteDi.js.map
+//# sourceMappingURL=server-2YTgFCW0.js.map