@nick3/copilot-api 1.10.29 → 1.10.34

package/dist/token-671YFxgv.js

@@ -0,0 +1,947 @@
+import { P as requestContext, b as HTTPError, g as getCopilotUsage, h as getDeviceCode, j as state, m as getGitHubUser, t as pollAccessToken, v as getProxyEnvDispatcher } from "./poll-access-token-GzVkiTH8.js";
+import { t as PATHS } from "./paths-Bpsb62LK.js";
+import { k as setProviderConfig, m as getRawProviderConfig, w as isResponsesApiWebSocketEnabled } from "./config-BaU_aWgi.js";
+import consola from "consola";
+import fs from "node:fs/promises";
+import { createHash, randomBytes } from "node:crypto";
+import path from "node:path";
+import { createServer } from "node:http";
+import { events } from "fetch-event-stream";
+import { WebSocket } from "undici";
+import { setTimeout as setTimeout$1 } from "node:timers/promises";
+//#region src/services/responses-websocket.ts
+const DEFAULT_WEBSOCKET_IDLE_TIMEOUT_MS = 6e4;
+const websocketPool = /* @__PURE__ */ new Map();
+const websocketActiveRequests = /* @__PURE__ */ new Map();
+const createWebSocketUrl = (url) => {
+	const websocketUrl = new URL(url);
+	if (websocketUrl.protocol === "https:") websocketUrl.protocol = "wss:";
+	else if (websocketUrl.protocol === "http:") websocketUrl.protocol = "ws:";
+	return websocketUrl.toString();
+};
+const createPooledWebSocketStream = (request, options) => runPooledWebSocketRequest(request, options);
+const runPooledWebSocketRequest = async function* (request, options) {
+	const { entry, pooled } = getPooledWebSocketRequestTarget(request, options);
+	const release = acquirePooledWebSocketEntry(request.poolKey, entry, pooled, options);
+	try {
+		const websocket = await getReadyPooledWebSocket(request.poolKey, entry, pooled, options);
+		websocket.send(JSON.stringify(request.payload));
+		for await (const data of createWebSocketMessageStream(websocket, options)) {
+			const chunk = options.createChunk(data);
+			yield chunk;
+			if (options.isTerminalChunk(chunk)) return;
+		}
+		removePooledWebSocketEntry(request.poolKey, entry);
+		throw new Error(options.terminalChunkMissingMessage);
+	} catch (error) {
+		removePooledWebSocketEntry(request.poolKey, entry);
+		throw toError(error);
+	} finally {
+		release();
+	}
+};
+const getPooledWebSocketRequestTarget = (request, options) => {
+	if (getPooledWebSocketActiveRequestCount(request.poolKey) > 0) return {
+		entry: createPooledWebSocketEntry(request, options),
+		pooled: false
+	};
+	const existing = websocketPool.get(request.poolKey);
+	if (existing && !existing.closed) {
+		clearPooledWebSocketIdleTimer(existing);
+		return {
+			entry: existing,
+			pooled: true
+		};
+	}
+	const entry = createPooledWebSocketEntry(request, options);
+	websocketPool.set(request.poolKey, entry);
+	return {
+		entry,
+		pooled: true
+	};
+};
+const createPooledWebSocketEntry = (request, options) => {
+	const entry = {
+		closed: false,
+		idleTimer: null,
+		requestCount: 0,
+		websocketPromise: openWebSocket({
+			headers: request.headers,
+			openErrorMessage: options.openErrorMessage,
+			url: request.url
+		})
+	};
+	entry.websocketPromise.then((websocket) => {
+		websocket.addEventListener("close", () => {
+			removePooledWebSocketEntry(request.poolKey, entry);
+		});
+		websocket.addEventListener("error", () => {
+			removePooledWebSocketEntry(request.poolKey, entry);
+		});
+	}).catch(() => {
+		removePooledWebSocketEntry(request.poolKey, entry);
+	});
+	return entry;
+};
+const acquirePooledWebSocketEntry = (poolKey, entry, pooled, options) => {
+	clearPooledWebSocketIdleTimer(entry);
+	incrementPooledWebSocketActiveRequestCount(poolKey);
+	entry.requestCount += 1;
+	let released = false;
+	return () => {
+		if (released) return;
+		released = true;
+		entry.requestCount -= 1;
+		decrementPooledWebSocketActiveRequestCount(poolKey);
+		if (entry.closed || entry.requestCount > 0) return;
+		if (pooled && websocketPool.get(poolKey) === entry) {
+			schedulePooledWebSocketIdleClose(poolKey, entry, options);
+			return;
+		}
+		removePooledWebSocketEntry(poolKey, entry);
+	};
+};
+const getReadyPooledWebSocket = async (poolKey, entry, pooled, options) => {
+	const unavailableErrorMessage = options?.unavailableErrorMessage ?? "Websocket connection became unavailable before the request started";
+	if (entry.closed) throw new Error(unavailableErrorMessage);
+	const websocket = await entry.websocketPromise;
+	if (entry.closed || pooled && websocketPool.get(poolKey) !== entry) throw new Error(unavailableErrorMessage);
+	if (websocket.readyState !== WebSocket.OPEN) {
+		removePooledWebSocketEntry(poolKey, entry);
+		throw new Error(unavailableErrorMessage);
+	}
+	return websocket;
+};
+const schedulePooledWebSocketIdleClose = (poolKey, entry, options) => {
+	clearPooledWebSocketIdleTimer(entry);
+	entry.idleTimer = setTimeout(() => {
+		removePooledWebSocketEntry(poolKey, entry);
+	}, options.idleTimeoutMs ?? DEFAULT_WEBSOCKET_IDLE_TIMEOUT_MS);
+	unrefTimer(entry.idleTimer);
+};
+const clearPooledWebSocketIdleTimer = (entry) => {
+	if (entry.idleTimer) {
+		clearTimeout(entry.idleTimer);
+		entry.idleTimer = null;
+	}
+};
+const getPooledWebSocketActiveRequestCount = (poolKey) => websocketActiveRequests.get(poolKey) ?? 0;
+const incrementPooledWebSocketActiveRequestCount = (poolKey) => {
+	websocketActiveRequests.set(poolKey, getPooledWebSocketActiveRequestCount(poolKey) + 1);
+};
+const decrementPooledWebSocketActiveRequestCount = (poolKey) => {
+	const nextCount = getPooledWebSocketActiveRequestCount(poolKey) - 1;
+	if (nextCount <= 0) {
+		websocketActiveRequests.delete(poolKey);
+		return;
+	}
+	websocketActiveRequests.set(poolKey, nextCount);
+};
+const removePooledWebSocketEntry = (poolKey, entry) => {
+	if (websocketPool.get(poolKey) === entry) websocketPool.delete(poolKey);
+	if (entry.closed) return;
+	entry.closed = true;
+	clearPooledWebSocketIdleTimer(entry);
+	entry.websocketPromise.then(closeWebSocket).catch(() => {});
+};
+const unrefTimer = (timer) => {
+	if (typeof timer === "object" && "unref" in timer && typeof timer.unref === "function") timer.unref();
+};
+const createWebSocketError = (message, event) => {
+	const reason = event?.error ?? event?.message;
+	if (reason === void 0 || reason === "") return new Error(message);
+	const cause = toError(reason);
+	return new Error(`${message}: ${cause.message}`, { cause });
+};
+const openWebSocket = async ({ headers, openErrorMessage, url }) => await new Promise((resolve, reject) => {
+	const dispatcher = getProxyEnvDispatcher();
+	const websocket = new WebSocket(url, dispatcher ? {
+		dispatcher,
+		headers
+	} : { headers });
+	const cleanup = () => {
+		websocket.removeEventListener("open", onOpen);
+		websocket.removeEventListener("error", onError);
+	};
+	const onOpen = () => {
+		cleanup();
+		resolve(websocket);
+	};
+	const onError = (event) => {
+		cleanup();
+		reject(createWebSocketError(openErrorMessage, event));
+	};
+	websocket.addEventListener("open", onOpen);
+	websocket.addEventListener("error", onError);
+});
+const createWebSocketMessageStream = async function* (websocket, options) {
+	const queue = [];
+	let closed = false;
+	let error = null;
+	let notify = null;
+	const wake = () => {
+		notify?.();
+		notify = null;
+	};
+	const onMessage = (event) => {
+		queue.push(normalizeWebSocketMessageData(event.data));
+		wake();
+	};
+	const onClose = () => {
+		closed = true;
+		wake();
+	};
+	const onError = (event) => {
+		error = createWebSocketError(options.streamErrorMessage, event);
+		wake();
+	};
+	websocket.addEventListener("message", onMessage);
+	websocket.addEventListener("close", onClose);
+	websocket.addEventListener("error", onError);
+	try {
+		while (true) {
+			const item = queue.shift();
+			if (item) {
+				yield await item;
+				continue;
+			}
+			if (error) throw toError(error);
+			if (closed) break;
+			await new Promise((resolve) => {
+				notify = resolve;
+			});
+		}
+	} finally {
+		websocket.removeEventListener("message", onMessage);
+		websocket.removeEventListener("close", onClose);
+		websocket.removeEventListener("error", onError);
+	}
+};
+const normalizeWebSocketMessageData = async (data) => {
+	if (typeof data === "string") return data;
+	if (data instanceof ArrayBuffer) return new TextDecoder().decode(data);
+	if (ArrayBuffer.isView(data)) {
+		const view = data;
+		return new TextDecoder().decode(new Uint8Array(view.buffer, view.byteOffset, view.byteLength));
+	}
+	if (isTextReadable(data)) return await data.text();
+	return String(data);
+};
+const isTextReadable = (value) => {
+	if (!value || typeof value !== "object" || !("text" in value)) return false;
+	return typeof value.text === "function";
+};
+const toError = (value) => {
+	if (value instanceof Error) return value;
+	return new Error(String(value));
+};
+const closeWebSocket = (websocket) => {
+	if (websocket.readyState === WebSocket.CONNECTING || websocket.readyState === WebSocket.OPEN) websocket.close();
+};
+//#endregion
+//#region src/services/codex/create-responses.ts
+const CODEX_API_BASE_URL = "https://chatgpt.com/backend-api";
+const STRIPPED_CODEX_REQUEST_HEADERS = new Set([
+	"authorization",
+	"connection",
+	"content-length",
+	"host",
+	"keep-alive",
+	"proxy-authenticate",
+	"proxy-authorization",
+	"te",
+	"trailer",
+	"transfer-encoding",
+	"upgrade",
+	"x-api-key"
+]);
+const STRIPPED_CODEX_WEBSOCKET_HEADERS = new Set(["accept", "content-type"]);
+const requireCodexAuthContext = () => {
+	const accessToken = state.codexAccessToken;
+	const accountId = state.codexAccountId;
+	if (!accessToken) throw new Error("Codex access token is not loaded");
+	if (!accountId) throw new Error("Codex account id is not loaded");
+	return {
+		accessToken,
+		accountId
+	};
+};
+function resolveCodexResponsesUrl(baseUrl = CODEX_API_BASE_URL) {
+	const normalized = baseUrl.trim().replace(/\/+$/, "");
+	if (!normalized) return `${CODEX_API_BASE_URL}/codex/responses`;
+	if (normalized.endsWith("/codex/responses")) return normalized;
+	if (normalized.endsWith("/codex")) return `${normalized}/responses`;
+	return `${normalized}/codex/responses`;
+}
+function buildCodexResponsesHeaders(requestHeaders, options = {}) {
+	const { accessToken, accountId } = requireCodexAuthContext();
+	const headers = new Headers();
+	for (const [headerName, headerValue] of requestHeaders) {
+		const headerNameLower = headerName.toLowerCase();
+		if (STRIPPED_CODEX_REQUEST_HEADERS.has(headerNameLower)) continue;
+		if (headerNameLower.includes("trace")) continue;
+		headers.set(headerName, headerValue);
+	}
+	if (!headers.has("accept")) headers.set("accept", options.stream ? "text/event-stream" : "application/json");
+	headers.set("authorization", `Bearer ${accessToken}`);
+	headers.set("chatgpt-account-id", accountId);
+	if (!headers.has("content-type")) headers.set("content-type", "application/json");
+	if (!headers.has("OpenAI-Beta")) headers.set("OpenAI-Beta", "responses=experimental");
+	if (!headers.has("originator")) headers.set("originator", "copilot-api");
+	if (!headers.has("user-agent")) headers.set("user-agent", "copilot-api");
+	if (headers.get("user-agent")?.startsWith("opencode")) {
+		headers.set("originator", "opencode");
+		const sessionId = requestContext.getStore()?.sessionAffinity;
+		if (sessionId) headers.set("session-id", sessionId);
+	}
+	return headers;
+}
+function resolveCodexResponsesTransport(transport) {
+	return transport ?? (isResponsesApiWebSocketEnabled() ? "websocket" : "http");
+}
+function buildCodexResponsesWebSocketHeaders(requestHeaders) {
+	const headers = buildCodexResponsesHeaders(requestHeaders);
+	for (const headerName of STRIPPED_CODEX_WEBSOCKET_HEADERS) headers.delete(headerName);
+	return Object.fromEntries(headers);
+}
+function buildCodexResponsesWebSocketPayload(payload) {
+	const websocketPayload = {
+		...normalizeCodexResponsesPayload(payload),
+		type: "response.create"
+	};
+	delete websocketPayload.stream;
+	return websocketPayload;
+}
+function buildCodexResponsesWebSocketUrl(baseUrl = CODEX_API_BASE_URL) {
+	return createWebSocketUrl(resolveCodexResponsesUrl(baseUrl));
+}
+function prepareCodexResponsesWebSocketRequest(payload, requestHeaders, baseUrl = CODEX_API_BASE_URL) {
+	const headers = buildCodexResponsesWebSocketHeaders(requestHeaders);
+	return {
+		headers,
+		payload: buildCodexResponsesWebSocketPayload(payload),
+		poolKey: buildCodexResponsesWebSocketPoolKey(payload, headers, baseUrl),
+		url: buildCodexResponsesWebSocketUrl(baseUrl)
+	};
+}
+async function forwardCodexResponses(payload, requestHeaders, baseUrl = CODEX_API_BASE_URL, options = {}) {
+	const transport = resolveCodexResponsesTransport(options.transport);
+	if (payload.stream && transport === "websocket") return forwardCodexResponsesOverWebSocket(payload, requestHeaders, baseUrl);
+	const normalizedPayload = normalizeCodexResponsesPayload(payload);
+	const response = await fetch(resolveCodexResponsesUrl(baseUrl), {
+		method: "POST",
+		headers: buildCodexResponsesHeaders(requestHeaders, { stream: normalizedPayload.stream }),
+		body: JSON.stringify(normalizedPayload)
+	});
+	if (!response.ok) throw new HTTPError("Failed to create codex responses", response);
+	if (normalizedPayload.stream) return events(response);
+	return await response.json();
+}
+const normalizeCodexResponsesPayload = (payload) => {
+	const normalizedPayload = {
+		...payload,
+		store: false
+	};
+	delete normalizedPayload.temperature;
+	delete normalizedPayload.top_p;
+	delete normalizedPayload.max_output_tokens;
+	delete normalizedPayload.metadata;
+	if (typeof normalizedPayload.instructions === "string" && normalizedPayload.instructions.trim().length > 0 || !Array.isArray(normalizedPayload.input)) return normalizedPayload;
+	const instructions = [];
+	let messageCount = 0;
+	const remainingInput = normalizedPayload.input.filter((inputItem) => {
+		const message = getResponseInputMessage(inputItem);
+		if (!message) return true;
+		messageCount += 1;
+		if (message.role !== "system" || messageCount > 3) return true;
+		const systemPrompt = getTextContent(message.content);
+		if (systemPrompt === void 0) return true;
+		if (systemPrompt.trim().length > 0) instructions.push(systemPrompt);
+		return false;
+	});
+	if (remainingInput.length === normalizedPayload.input.length) return normalizedPayload;
+	if (instructions.length > 0) normalizedPayload.instructions = instructions.join("\n\n");
+	if (remainingInput.length > 0) normalizedPayload.input = remainingInput;
+	else delete normalizedPayload.input;
+	return normalizedPayload;
+};
+const getResponseInputMessage = (inputItem) => {
+	if (typeof inputItem !== "object" || inputItem === null) return;
+	const { role, type } = inputItem;
+	if (typeof role !== "string" || type !== void 0 && type !== "message") return;
+	return inputItem;
+};
+const getTextContent = (content) => {
+	if (typeof content === "string") return content;
+	if (content === void 0) return "";
+	if (!Array.isArray(content)) return;
+	const textBlocks = [];
+	for (const contentBlock of content) {
+		const text = getTextBlock(contentBlock);
+		if (text === void 0) return;
+		if (text.length > 0) textBlocks.push(text);
+	}
+	return textBlocks.join("\n\n");
+};
+const getTextBlock = (contentBlock) => {
+	if (typeof contentBlock !== "object" || contentBlock === null) return;
+	const { text, type } = contentBlock;
+	if (type !== void 0 && type !== "input_text" && type !== "output_text") return;
+	return typeof text === "string" ? text : void 0;
+};
+const buildCodexResponsesWebSocketPoolKey = (payload, headers, baseUrl) => {
+	const authFingerprint = createHash("sha256").update(`${state.codexAccessToken ?? "missing-token"}:${state.codexAccountId ?? "missing-account"}`).digest("hex").slice(0, 16);
+	const headerFingerprint = createHash("sha256").update(JSON.stringify(Object.entries(headers).filter(([headerName]) => !headerName.toLowerCase().includes("trace")).sort(([left], [right]) => left.localeCompare(right)))).digest("hex").slice(0, 16);
+	return [
+		"codex",
+		resolveCodexResponsesUrl(baseUrl),
+		payload.model,
+		authFingerprint,
+		headerFingerprint
+	].map(encodePoolKeyPart).join("|");
+};
+const forwardCodexResponsesOverWebSocket = (payload, requestHeaders, baseUrl) => {
+	return createCodexResponsesWebSocketStream(prepareCodexResponsesWebSocketRequest(payload, requestHeaders, baseUrl));
+};
+const createCodexResponsesWebSocketStream = (request) => createCodexResponsesSafeStream(createPooledWebSocketStream(request, {
+	createChunk: createCodexResponsesWebSocketStreamChunk,
+	isTerminalChunk: isTerminalCodexResponsesWebSocketChunk,
+	openErrorMessage: "Failed to create codex responses websocket",
+	streamErrorMessage: "Codex responses websocket stream error",
+	terminalChunkMissingMessage: "Codex responses websocket ended without a terminal response"
+}));
+const createCodexResponsesSafeStream = async function* (source) {
+	try {
+		yield* source;
+	} catch (error) {
+		yield createResponsesErrorServerSentEventChunk(getErrorMessage(error));
+	}
+};
+const createCodexResponsesWebSocketStreamChunk = (data) => {
+	if (data === "[DONE]") return { data };
+	try {
+		const parsed = JSON.parse(data);
+		if (parsed.type === "error" && parsed.error) parsed.message = parsed.error.message;
+		return {
+			data: JSON.stringify(parsed),
+			event: typeof parsed.type === "string" ? parsed.type : void 0,
+			id: typeof parsed.id === "string" ? parsed.id : void 0
+		};
+	} catch {
+		return { data };
+	}
+};
+const isTerminalCodexResponsesWebSocketChunk = (chunk) => {
+	if (!chunk.data || chunk.data === "[DONE]") return false;
+	try {
+		const parsed = JSON.parse(chunk.data);
+		return parsed.type === "response.completed" || parsed.type === "response.failed" || parsed.type === "response.incomplete" || parsed.type === "error";
+	} catch {
+		return false;
+	}
+};
+const createResponsesErrorServerSentEventChunk = (message) => {
+	const errorEvent = {
+		code: null,
+		message,
+		param: null,
+		sequence_number: 0,
+		type: "error"
+	};
+	return {
+		data: JSON.stringify(errorEvent),
+		event: errorEvent.type
+	};
+};
+const getErrorMessage = (error) => {
+	if (error instanceof Error && error.message) return error.message;
+	return String(error);
+};
+const encodePoolKeyPart = (value) => encodeURIComponent(value);
+//#endregion
+//#region src/lib/oauth/codex.ts
+const CALLBACK_HOST = "127.0.0.1";
+const CALLBACK_PORT = 1455;
+const CALLBACK_PATH = "/auth/callback";
+const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+const AUTHORIZE_URL = "https://auth.openai.com/oauth/authorize";
+const TOKEN_URL = "https://auth.openai.com/oauth/token";
+const REDIRECT_URI = `http://localhost:${CALLBACK_PORT}${CALLBACK_PATH}`;
+const SCOPE = "openid profile email offline_access";
+const JWT_CLAIM_PATH = "https://api.openai.com/auth";
+const REFRESH_BUFFER_MS = 6e4;
+function base64UrlEncode(bytes) {
+	return Buffer.from(bytes).toString("base64url");
+}
+async function generatePkce() {
+	const verifierBytes = new Uint8Array(32);
+	crypto.getRandomValues(verifierBytes);
+	const verifier = base64UrlEncode(verifierBytes);
+	const hashBuffer = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(verifier));
+	return {
+		verifier,
+		challenge: base64UrlEncode(new Uint8Array(hashBuffer))
+	};
+}
+function createState() {
+	return randomBytes(16).toString("hex");
+}
+function parseAuthorizationInput(input) {
+	const value = input.trim();
+	if (!value) return {};
+	try {
+		const url = new URL(value);
+		return {
+			code: url.searchParams.get("code") ?? void 0,
+			state: url.searchParams.get("state") ?? void 0
+		};
+	} catch {}
+	if (value.includes("#")) {
+		const [code, state] = value.split("#", 2);
+		return {
+			code,
+			state
+		};
+	}
+	if (value.includes("code=")) {
+		const params = new URLSearchParams(value);
+		return {
+			code: params.get("code") ?? void 0,
+			state: params.get("state") ?? void 0
+		};
+	}
+	return { code: value };
+}
+function decodeJwt(accessToken) {
+	try {
+		const payload = accessToken.split(".")[1];
+		if (!payload) return null;
+		return JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
+	} catch {
+		return null;
+	}
+}
+function getAccountId(accessToken) {
+	const payload = decodeJwt(accessToken);
+	if (!payload) return null;
+	const authPayload = payload[JWT_CLAIM_PATH];
+	if (!authPayload || typeof authPayload !== "object") return null;
+	const accountId = authPayload.chatgpt_account_id;
+	return typeof accountId === "string" && accountId ? accountId : null;
+}
+function renderOAuthPage(options) {
+	return `<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>${escapeHtml(options.title)}</title>
+  <style>
+    body {
+      margin: 0;
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      padding: 24px;
+      background: #09090b;
+      color: #fafafa;
+      font-family: system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+      text-align: center;
+    }
+    main {
+      max-width: 560px;
+    }
+    h1 {
+      margin: 0 0 12px;
+      font-size: 28px;
+      line-height: 1.15;
+    }
+    p {
+      margin: 0;
+      color: #a1a1aa;
+      line-height: 1.6;
+    }
+  </style>
+</head>
+<body>
+  <main>
+    <h1>${escapeHtml(options.heading)}</h1>
+    <p>${escapeHtml(options.message)}</p>
+  </main>
+</body>
+</html>`;
+}
+function escapeHtml(value) {
+	return value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll("\"", "&quot;").replaceAll("'", "&#39;");
+}
+function renderOAuthSuccessPage(message) {
+	return renderOAuthPage({
+		title: "Authentication successful",
+		heading: "Authentication successful",
+		message
+	});
+}
+function renderOAuthErrorPage(message) {
+	return renderOAuthPage({
+		title: "Authentication failed",
+		heading: "Authentication failed",
+		message
+	});
+}
+async function exchangeAuthorizationCode(code, verifier) {
+	const response = await fetch(TOKEN_URL, {
+		method: "POST",
+		headers: { "Content-Type": "application/x-www-form-urlencoded" },
+		body: new URLSearchParams({
+			grant_type: "authorization_code",
+			client_id: CLIENT_ID,
+			code,
+			code_verifier: verifier,
+			redirect_uri: REDIRECT_URI
+		})
+	});
+	if (!response.ok) {
+		const details = await response.text().catch(() => "");
+		throw new Error(`Codex token exchange failed (${response.status}): ${details || response.statusText}`);
+	}
+	const payload = await response.json();
+	if (typeof payload.access_token !== "string" || typeof payload.refresh_token !== "string" || typeof payload.expires_in !== "number") throw new TypeError(`Codex token exchange response missing fields: ${JSON.stringify(payload)}`);
+	return {
+		accessToken: payload.access_token,
+		refreshToken: payload.refresh_token,
+		expiresAt: Date.now() + payload.expires_in * 1e3
+	};
+}
+async function refreshAccessToken(refreshToken) {
+	const response = await fetch(TOKEN_URL, {
+		method: "POST",
+		headers: { "Content-Type": "application/x-www-form-urlencoded" },
+		body: new URLSearchParams({
+			grant_type: "refresh_token",
+			refresh_token: refreshToken,
+			client_id: CLIENT_ID
+		})
+	});
+	if (!response.ok) {
+		const details = await response.text().catch(() => "");
+		throw new Error(`Codex token refresh failed (${response.status}): ${details || response.statusText}`);
+	}
+	const payload = await response.json();
+	if (typeof payload.access_token !== "string" || typeof payload.refresh_token !== "string" || typeof payload.expires_in !== "number") throw new TypeError(`Codex token refresh response missing fields: ${JSON.stringify(payload)}`);
+	return {
+		accessToken: payload.access_token,
+		refreshToken: payload.refresh_token,
+		expiresAt: Date.now() + payload.expires_in * 1e3
+	};
+}
+async function createAuthorizationFlow() {
+	const { verifier, challenge } = await generatePkce();
+	const state = createState();
+	const url = new URL(AUTHORIZE_URL);
+	url.searchParams.set("response_type", "code");
+	url.searchParams.set("client_id", CLIENT_ID);
+	url.searchParams.set("redirect_uri", REDIRECT_URI);
+	url.searchParams.set("scope", SCOPE);
+	url.searchParams.set("code_challenge", challenge);
+	url.searchParams.set("code_challenge_method", "S256");
+	url.searchParams.set("state", state);
+	url.searchParams.set("id_token_add_organizations", "true");
+	url.searchParams.set("codex_cli_simplified_flow", "true");
+	url.searchParams.set("originator", "copilot-api");
+	return {
+		verifier,
+		state,
+		url: url.toString()
+	};
+}
+async function waitForAuthorizationCode(state) {
+	let resolveCode;
+	const waitForCode = new Promise((resolve) => {
+		resolveCode = resolve;
+	});
+	const server = createServer((request, response) => {
+		try {
+			const url = new URL(request.url || "", "http://localhost");
+			if (url.pathname !== CALLBACK_PATH) {
+				response.statusCode = 404;
+				response.setHeader("Content-Type", "text/html; charset=utf-8");
+				response.end(renderOAuthErrorPage("Callback route not found."));
+				return;
+			}
+			if (url.searchParams.get("state") !== state) {
+				response.statusCode = 400;
+				response.setHeader("Content-Type", "text/html; charset=utf-8");
+				response.end(renderOAuthErrorPage("State mismatch."));
+				return;
+			}
+			const code = url.searchParams.get("code");
+			if (!code) {
+				response.statusCode = 400;
+				response.setHeader("Content-Type", "text/html; charset=utf-8");
+				response.end(renderOAuthErrorPage("Missing authorization code."));
+				return;
+			}
+			response.statusCode = 200;
+			response.setHeader("Content-Type", "text/html; charset=utf-8");
+			response.end(renderOAuthSuccessPage("OpenAI Codex authentication completed. You can close this window."));
+			resolveCode?.(code);
+		} catch {
+			response.statusCode = 500;
+			response.setHeader("Content-Type", "text/html; charset=utf-8");
+			response.end(renderOAuthErrorPage("Internal error while processing OAuth callback."));
+		}
+	});
+	try {
+		await new Promise((resolve, reject) => {
+			server.once("error", reject);
+			server.listen(CALLBACK_PORT, CALLBACK_HOST, () => {
+				server.off("error", reject);
+				resolve();
+			});
+		});
+	} catch {
+		return null;
+	}
+	try {
+		return await waitForCode;
+	} finally {
+		await new Promise((resolve, reject) => {
+			server.close((error) => {
+				if (error) {
+					reject(error);
+					return;
+				}
+				resolve();
+			});
+		}).catch(() => void 0);
+	}
+}
+async function loginCodex(options) {
+	const { verifier, state, url } = await createAuthorizationFlow();
+	options.onAuth({
+		url,
+		instructions: "Please complete the login in the browser. If the browser does not automatically redirect, please paste the callback URL or code back to the terminal."
+	});
+	options.onProgress?.("Waiting for Codex OAuth callback");
+	let code = await waitForAuthorizationCode(state);
+	if (!code) {
+		const parsed = parseAuthorizationInput(await options.onPrompt("Paste the authorization code or full redirect URL:"));
+		if (parsed.state && parsed.state !== state) throw new Error("Codex OAuth state mismatch");
+		code = parsed.code ?? null;
+	}
+	if (!code) throw new Error("Missing Codex authorization code");
+	const tokenResult = await exchangeAuthorizationCode(code, verifier);
+	const accountId = getAccountId(tokenResult.accessToken);
+	if (!accountId) throw new Error("Failed to extract Codex account id from access token");
+	return {
+		accessToken: tokenResult.accessToken,
+		refreshToken: tokenResult.refreshToken,
+		expiresAt: tokenResult.expiresAt,
+		accountId
+	};
+}
+async function refreshCodexCredentials(credentials) {
+	const tokenResult = await refreshAccessToken(credentials.refreshToken);
+	const accountId = getAccountId(tokenResult.accessToken);
+	if (!accountId) throw new Error("Failed to extract Codex account id from access token");
+	return {
+		accessToken: tokenResult.accessToken,
+		refreshToken: tokenResult.refreshToken,
+		expiresAt: tokenResult.expiresAt,
+		accountId
+	};
+}
+function isCodexCredentialsExpired(credentials, now = Date.now()) {
+	return credentials.expiresAt <= now + REFRESH_BUFFER_MS;
+}
+//#endregion
+//#region src/lib/credential-store.ts
+function isNodeError(error) {
+	return error instanceof Error && "code" in error;
+}
+async function readOptionalFile(filePath) {
+	try {
+		return await fs.readFile(filePath, "utf8");
+	} catch (error) {
+		if (isNodeError(error) && error.code === "ENOENT") return null;
+		throw error;
+	}
+}
+async function writeProtectedFile(filePath, content) {
+	await fs.mkdir(path.dirname(filePath), { recursive: true });
+	await fs.writeFile(filePath, content, "utf8");
+	try {
+		await fs.chmod(filePath, 384);
+	} catch {
+		return;
+	}
+}
+function normalizeCodexCredentials(credentials) {
+	if (!credentials || typeof credentials !== "object") return null;
+	const candidate = credentials;
+	if (typeof candidate.accessToken !== "string" || typeof candidate.refreshToken !== "string" || typeof candidate.expiresAt !== "number" || typeof candidate.accountId !== "string") return null;
+	return {
+		accessToken: candidate.accessToken,
+		refreshToken: candidate.refreshToken,
+		expiresAt: candidate.expiresAt,
+		accountId: candidate.accountId
+	};
+}
+async function readGitHubToken() {
+	return (await readOptionalFile(PATHS.GITHUB_TOKEN_PATH))?.trim() || null;
+}
+async function writeGitHubToken(token) {
+	await writeProtectedFile(PATHS.GITHUB_TOKEN_PATH, token.trim());
+}
+async function readCodexCredentials() {
+	const raw = await readOptionalFile(PATHS.CODEX_CREDENTIAL_PATH);
+	if (!raw?.trim()) return null;
+	let parsed;
+	try {
+		parsed = JSON.parse(raw);
+	} catch (error) {
+		throw new Error(`Codex credentials file is not valid JSON: ${PATHS.CODEX_CREDENTIAL_PATH}`, { cause: error });
+	}
+	const credentials = normalizeCodexCredentials(parsed);
+	if (!credentials) throw new Error(`Codex credentials file is missing required fields: ${PATHS.CODEX_CREDENTIAL_PATH}`);
+	return credentials;
+}
+async function writeCodexCredentials(credentials) {
+	await writeProtectedFile(PATHS.CODEX_CREDENTIAL_PATH, `${JSON.stringify(credentials, null, 2)}\n`);
+}
+//#endregion
+//#region src/lib/token.ts
+let codexRefreshLoopController = null;
+const stopCodexRefreshLoop = () => {
+	if (!codexRefreshLoopController) return;
+	codexRefreshLoopController.abort();
+	codexRefreshLoopController = null;
+};
+function applyCodexCredentials(credentials) {
+	state.codexAccessToken = credentials.accessToken;
+	state.codexRefreshToken = credentials.refreshToken;
+	state.codexExpiresAt = credentials.expiresAt;
+	state.codexAccountId = credentials.accountId;
+	consola.debug("Codex credentials loaded successfully");
+	if (state.showToken) consola.info("Codex access token:", credentials.accessToken);
+}
+function getLoadedCodexCredentials() {
+	if (!state.codexAccessToken || !state.codexRefreshToken || !state.codexExpiresAt || !state.codexAccountId) return null;
+	return {
+		accessToken: state.codexAccessToken,
+		refreshToken: state.codexRefreshToken,
+		expiresAt: state.codexExpiresAt,
+		accountId: state.codexAccountId
+	};
+}
+function syncCodexProviderConfig(options) {
+	const existingProviderConfig = getRawProviderConfig("codex") ?? {};
+	setProviderConfig("codex", {
+		...existingProviderConfig,
+		type: "openai-responses",
+		enabled: options?.enabled ?? existingProviderConfig.enabled,
+		baseUrl: CODEX_API_BASE_URL,
+		authType: "oauth2"
+	});
+}
+async function persistCodexCredentials(credentials, options) {
+	await writeCodexCredentials(credentials);
+	syncCodexProviderConfig({ enabled: options?.enableProvider ? true : void 0 });
+	applyCodexCredentials(credentials);
+}
+const setupCodexToken = async () => {
+	const loadedCredentials = getLoadedCodexCredentials();
+	if (loadedCredentials && !isCodexCredentialsExpired(loadedCredentials)) {
+		if (codexRefreshLoopController) return;
+		applyCodexCredentials(loadedCredentials);
+	}
+	const credentials = loadedCredentials ?? await readCodexCredentials();
+	if (!credentials) throw new Error(`Codex credentials not found. Run \`copilot-api auth login --provider codex\` first.`);
+	syncCodexProviderConfig();
+	let nextCredentials = credentials;
+	if (isCodexCredentialsExpired(credentials)) {
+		consola.debug("Refreshing expired Codex credentials");
+		nextCredentials = await refreshCodexCredentials(credentials);
+		await persistCodexCredentials(nextCredentials);
+	}
+	applyCodexCredentials(nextCredentials);
+	stopCodexRefreshLoop();
+	const controller = new AbortController();
+	codexRefreshLoopController = controller;
+	runCodexRefreshLoop(controller.signal).catch(() => {
+		consola.warn("Codex token refresh loop stopped");
+	}).finally(() => {
+		if (codexRefreshLoopController === controller) codexRefreshLoopController = null;
+	});
+};
+const REFRESH_POLL_INTERVAL_MS = 15e3;
+const EARLY_REFRESH_BUFFER_MS = 6e4;
+const RETRY_REFRESH_DELAY_MS = 15e3;
+const getRefreshPollDelayMs = (refreshAtMs, nowMs = Date.now()) => Math.min(Math.max(refreshAtMs - nowMs, 0), REFRESH_POLL_INTERVAL_MS);
+const runCodexRefreshLoop = async (signal) => {
+	let refreshAtMs = Math.max((state.codexExpiresAt ?? Date.now()) - EARLY_REFRESH_BUFFER_MS, Date.now());
+	while (!signal.aborted) {
+		const expiresAt = state.codexExpiresAt;
+		const refreshToken = state.codexRefreshToken;
+		if (!expiresAt || !refreshToken) return;
+		const nextDelayMs = getRefreshPollDelayMs(refreshAtMs);
+		if (nextDelayMs > 0) {
+			await setTimeout$1(nextDelayMs, void 0, { signal });
+			continue;
+		}
+		consola.debug("Refreshing Codex credentials");
+		try {
+			const credentials = await refreshCodexCredentials({
+				accessToken: state.codexAccessToken ?? "",
+				refreshToken,
+				expiresAt,
+				accountId: state.codexAccountId ?? ""
+			});
+			await persistCodexCredentials(credentials);
+			refreshAtMs = Math.max(credentials.expiresAt - EARLY_REFRESH_BUFFER_MS, Date.now());
+			consola.debug("Codex credentials refreshed");
+		} catch (error) {
+			consola.error("Failed to refresh Codex credentials:", error);
+			refreshAtMs = Date.now() + RETRY_REFRESH_DELAY_MS;
+			consola.warn(`Retrying Codex token refresh in ${RETRY_REFRESH_DELAY_MS / 1e3}s`);
+		}
+	}
+};
+async function setupGitHubToken(options) {
+	try {
+		const githubToken = await readGitHubToken();
+		if (githubToken && !options?.force) {
+			state.githubToken = githubToken;
+			if (state.showToken) consola.info("GitHub token:", githubToken);
+			await logUser();
+			return;
+		}
+		consola.info("Not logged in, getting new access token");
+		const response = await getDeviceCode();
+		consola.debug("Device code response:", response);
+		consola.info(`Please enter the code "${response.user_code}" in ${response.verification_uri}`);
+		const token = await pollAccessToken(response);
+		await writeGitHubToken(token);
+		state.githubToken = token;
+		if (state.showToken) consola.info("GitHub token:", token);
+		await logUser();
+	} catch (error) {
+		if (error instanceof HTTPError) {
+			consola.error("Failed to get GitHub token:", await error.response.json());
+			throw error;
+		}
+		consola.error("Failed to get GitHub token:", error);
+		throw error;
+	}
+}
+async function logUser() {
+	const user = await getGitHubUser();
+	state.userName = user.login;
+	consola.info(`Logged in as ${user.login}`);
+	state.copilotApiUrl = (await getCopilotUsage()).endpoints.api;
+}
+//#endregion
+export { forwardCodexResponses as a, loginCodex as i, setupCodexToken as n, setupGitHubToken as r, persistCodexCredentials as t };
+
+//# sourceMappingURL=token-671YFxgv.js.map