@nick3/copilot-api 1.10.9 → 1.10.29

package/dist/{proxy-_U-hgwIn.js → responses-bridge-registry-BJ5Sbh6-.js}

@@ -1,538 +1,112 @@
-import { M as consumeOutboundHeadersSnapshot, N as requestContext, _ as HTTPError, g as getCopilotUsage, k as accountFromState, m as getGitHubUser, x as copilotModelsHeaders, y as copilotBaseUrl } from "./poll-access-token-BAgM2-7k.js";
-import { b as getCurrentIdentityEnvironment, c as isAccountEnabled, f as readLegacyToken, h as saveAccountToken, i as ensureAccountClientIdentity, l as listAccountsFromRegistry, o as hasLegacyToken, r as addAccountToRegistry, s as hasRegistry, u as loadAccountToken, v as buildIdentityKey, y as createAccountSessionId } from "./account-COtMmvzU.js";
-import { t as PATHS } from "./paths-CclKwouX.js";
-import { t as getCopilotToken } from "./get-copilot-token-8Rm-rVsp.js";
-import { c as getAdminDbUserVersion, i as getRequestOutboundStore, o as getAdminDb, s as getAdminDbPath } from "./request-outbound-Pu1kp2x8.js";
+import { A as accountFromState, N as consumeOutboundHeadersSnapshot, P as requestContext, S as copilotBaseUrl, _ as getCopilotToken, b as HTTPError, g as getCopilotUsage, m as getGitHubUser, w as copilotModelsHeaders } from "./poll-access-token-GzVkiTH8.js";
+import { b as getCurrentIdentityEnvironment, c as isAccountEnabled, f as readLegacyToken, h as saveAccountToken, i as ensureAccountClientIdentity, l as listAccountsFromRegistry, o as hasLegacyToken, r as addAccountToRegistry, s as hasRegistry, u as loadAccountToken, v as buildIdentityKey, y as createAccountSessionId } from "./account-DpW8RaT6.js";
+import { t as PATHS } from "./paths-Bpsb62LK.js";
+import { E as resolveModelAlias, a as getConfig, f as getQuotaRefreshConfig, h as getSessionAffinityRetentionMs } from "./config-CmhIPHn_.js";
+import { c as getAdminDbUserVersion, i as getRequestOutboundStore, o as getAdminDb, s as getAdminDbPath } from "./request-outbound-DZTxxtcx.js";
 import consola, { consola as consola$1 } from "consola";
 import fs from "node:fs/promises";
+import { timingSafeEqual } from "node:crypto";
 import fs$1 from "node:fs";
-import { Agent, ProxyAgent, setGlobalDispatcher } from "undici";
-import { getProxyForUrl } from "proxy-from-env";
-//#region src/lib/config.ts
-const PROVIDER_TYPE_ANTHROPIC = "anthropic";
-const gpt5ExplorationPrompt = `## Exploration and reading files
-- **Think first.** Before any tool call, decide ALL files/resources you will need.
-- **Batch everything.** If you need multiple files (even from different places), read them together.
-- **multi_tool_use.parallel** Use multi_tool_use.parallel to parallelize tool calls and only this.
-- **Only make sequential calls if you truly cannot know the next file without seeing a result first.**
-- **Workflow:** (a) plan all needed reads → (b) issue one parallel batch → (c) analyze results → (d) repeat if new, unpredictable reads arise.`;
-const DEFAULT_QUOTA_REFRESH_CONFIG = {
-	enabled: true,
-	intervalMinutes: 360,
-	startupDelaySeconds: 60,
-	staggerMinSeconds: 2,
-	staggerMaxSeconds: 5
-};
-const MIN_QUOTA_REFRESH_INTERVAL_MINUTES = 30;
-const gpt5CommentaryPrompt = `# Working with the user
-
-You interact with the user through a terminal. You have 2 ways of communicating with the users:  
-- Share intermediary updates in \`commentary\` channel.  
-- After you have completed all your work, send a message to the \`final\` channel.  
-
-## Intermediary updates
-
-- Intermediary updates go to the \`commentary\` channel.
-- User updates are short updates while you are working, they are NOT final answers.
-- You use 1-2 sentence user updates to communicate progress and new information to the user as you are doing work.
-- Do not begin responses with conversational interjections or meta commentary. Avoid openers such as acknowledgements (“Done —”, “Got it”, “Great question, ”) or framing phrases.
-- You provide user updates frequently, every 20s.
-- Before exploring or doing substantial work, you start with a user update acknowledging the request and explaining your first step. You should include your understanding of the user request and explain what you will do. Avoid commenting on the request or using starters such as "Got it -" or "Understood -" etc.
-- When exploring, e.g. searching, reading files, you provide user updates as you go, every 20s, explaining what context you are gathering and what you've learned. Vary your sentence structure when providing these updates to avoid sounding repetitive - in particular, don't start each sentence the same way.
-- After you have sufficient context, and the work is substantial, you provide a longer plan (this is the only user update that may be longer than 2 sentences and can contain formatting).
-- Before performing file edits of any kind, you provide updates explaining what edits you are making.
-- As you are thinking, you very frequently provide updates even if not taking any actions, informing the user of your progress. You interrupt your thinking and send multiple updates in a row if thinking for more than 100 words.
-- Tone of your updates MUST match your personality.`;
-const defaultConfig = {
-	auth: { apiKeys: [] },
-	providers: {},
-	extraPrompts: {
-		"gpt-5-mini": gpt5ExplorationPrompt,
-		"gpt-5.3-codex": gpt5CommentaryPrompt,
-		"gpt-5.4-mini": gpt5CommentaryPrompt,
-		"gpt-5.4": gpt5CommentaryPrompt,
-		"gpt-5.5": gpt5CommentaryPrompt
-	},
-	smallModel: "gpt-5-mini",
-	accountAffinity: true,
-	responsesApiContextManagementModels: [],
-	modelReasoningEfforts: {
-		"gpt-5-mini": "low",
-		"gpt-5.3-codex": "xhigh",
-		"gpt-5.4-mini": "xhigh",
-		"gpt-5.4": "xhigh",
-		"gpt-5.5": "xhigh"
-	},
-	allowOriginalModelNamesForAliases: false,
-	forceAgent: false,
-	compactUseSmallModel: true,
-	messageStartInputTokensFallback: false,
-	modelRefreshIntervalHours: 24,
-	sessionAffinityRetentionDays: 7,
-	useMessagesApi: true,
-	useResponsesApiWebSocket: true,
-	useResponsesApiWebSearch: true,
-	logLevel: "info",
-	devMode: {
-		enabled: false,
-		capture4xx: false,
-		capture5xx: false,
-		captureOther: false
-	},
-	quotaRefresh: DEFAULT_QUOTA_REFRESH_CONFIG
-};
-let cachedConfig = null;
-function isPlainObject(value) {
-	return typeof value === "object" && value !== null && !Array.isArray(value);
-}
-function normalizeAuthApiKeys(value) {
-	if (!Array.isArray(value)) return [];
-	return [...new Set(value.filter((item) => typeof item === "string").map((item) => item.trim()).filter((item) => item.length > 0))];
-}
-function normalizeNonNegativeNumber(value) {
-	if (typeof value !== "number") return void 0;
-	if (!Number.isFinite(value)) return void 0;
-	if (value < 0) return void 0;
-	return value;
-}
-function normalizeQuotaRefreshIntervalMinutes(value) {
-	const minutes = normalizeNonNegativeNumber(value) ?? DEFAULT_QUOTA_REFRESH_CONFIG.intervalMinutes;
-	if (minutes > 0 && minutes < MIN_QUOTA_REFRESH_INTERVAL_MINUTES) return MIN_QUOTA_REFRESH_INTERVAL_MINUTES;
-	return minutes;
-}
-function normalizeQuotaRefreshConfig(value) {
-	const raw = isPlainObject(value) ? value : {};
-	const staggerMinSeconds = normalizeNonNegativeNumber(raw.staggerMinSeconds) ?? DEFAULT_QUOTA_REFRESH_CONFIG.staggerMinSeconds;
-	const rawStaggerMaxSeconds = normalizeNonNegativeNumber(raw.staggerMaxSeconds) ?? DEFAULT_QUOTA_REFRESH_CONFIG.staggerMaxSeconds;
-	return {
-		enabled: typeof raw.enabled === "boolean" ? raw.enabled : DEFAULT_QUOTA_REFRESH_CONFIG.enabled,
-		intervalMinutes: normalizeQuotaRefreshIntervalMinutes(raw.intervalMinutes),
-		startupDelaySeconds: normalizeNonNegativeNumber(raw.startupDelaySeconds) ?? DEFAULT_QUOTA_REFRESH_CONFIG.startupDelaySeconds,
-		staggerMinSeconds,
-		staggerMaxSeconds: Math.max(staggerMinSeconds, rawStaggerMaxSeconds)
-	};
-}
-const LOG_LEVELS = new Set([
-	"error",
-	"warn",
-	"info",
-	"debug"
-]);
-function normalizeLogLevel(value) {
-	if (typeof value !== "string") return void 0;
-	return LOG_LEVELS.has(value) ? value : void 0;
-}
-function ensureConfigFile() {
-	try {
-		fs$1.accessSync(PATHS.CONFIG_PATH, fs$1.constants.R_OK);
-		return;
-	} catch {}
-	try {
-		fs$1.mkdirSync(PATHS.APP_DIR, { recursive: true });
-		fs$1.writeFileSync(PATHS.CONFIG_PATH, `${JSON.stringify(defaultConfig, null, 2)}\n`, "utf8");
-		try {
-			fs$1.chmodSync(PATHS.CONFIG_PATH, 384);
-		} catch {}
-	} catch {}
-}
-function readConfigFromDisk() {
-	ensureConfigFile();
-	try {
-		const raw = fs$1.readFileSync(PATHS.CONFIG_PATH, "utf8");
-		if (!raw.trim()) {
-			fs$1.writeFileSync(PATHS.CONFIG_PATH, `${JSON.stringify(defaultConfig, null, 2)}\n`, "utf8");
-			return defaultConfig;
+//#region src/lib/request-auth.ts
+const LEGACY_API_KEY_ENV_VAR = "COPILOT_API_KEY";
+let warnedLegacyEnvFallback = false;
+let warnedLegacyConfigFallback = false;
+function normalizeApiKeys(apiKeys) {
+	if (!Array.isArray(apiKeys)) {
+		if (apiKeys !== void 0) consola.warn("Invalid auth.apiKeys config. Expected an array of strings.");
+		return [];
+	}
+	const normalizedKeys = apiKeys.filter((key) => typeof key === "string").map((key) => key.trim()).filter((key) => key.length > 0);
+	if (normalizedKeys.length !== apiKeys.length) consola.warn("Invalid auth.apiKeys entries found. Only non-empty strings are allowed.");
+	return [...new Set(normalizedKeys)];
+}
+function getConfiguredApiKeys() {
+	const config = getConfig();
+	const configuredApiKeys = normalizeApiKeys(config.auth?.apiKeys);
+	if (configuredApiKeys.length > 0) return configuredApiKeys;
+	const envApiKey = process.env[LEGACY_API_KEY_ENV_VAR]?.trim();
+	if (envApiKey) {
+		if (!warnedLegacyEnvFallback) {
+			warnedLegacyEnvFallback = true;
+			consola.warn(`Using legacy ${LEGACY_API_KEY_ENV_VAR}. Please migrate to config.auth.apiKeys.`);
+		}
+		return [envApiKey];
+	}
+	const legacyConfigApiKey = config.apiKey?.trim();
+	if (legacyConfigApiKey) {
+		if (!warnedLegacyConfigFallback) {
+			warnedLegacyConfigFallback = true;
+			consola.warn("Using deprecated config.apiKey. Please migrate to config.auth.apiKeys.");
+		}
+		return [legacyConfigApiKey];
+	}
+	return configuredApiKeys;
+}
+function extractHeadersApiKey(headers) {
+	const xApiKey = headers.get("x-api-key")?.trim();
+	if (xApiKey) return xApiKey;
+	const authorization = headers.get("authorization");
+	if (!authorization) return null;
+	const [scheme, ...rest] = authorization.trim().split(/\s+/);
+	if (scheme.toLowerCase() !== "bearer") return null;
+	return rest.join(" ").trim() || null;
+}
+function isAuthorizedHeaders(headers, getApiKeys = getConfiguredApiKeys) {
+	const apiKeys = getApiKeys();
+	if (apiKeys.length === 0) return true;
+	const requestApiKey = extractHeadersApiKey(headers);
+	return requestApiKey ? apiKeys.some((apiKey) => timingSafeKeyCompare(requestApiKey, apiKey)) : false;
+}
+function createUnauthorizedRawResponse() {
+	return new Response(JSON.stringify({ error: {
+		message: "Unauthorized. Provide Authorization: Bearer <key> or x-api-key.",
+		type: "unauthorized"
+	} }), {
+		status: 401,
+		headers: {
+			"content-type": "application/json",
+			"WWW-Authenticate": "Bearer realm=\"copilot-api\""
 		}
-		return JSON.parse(raw);
-	} catch (error) {
-		consola.error("Failed to read config file, using default config", error);
-		return defaultConfig;
-	}
-}
-function mergeDefaultConfig(config) {
-	const extraPrompts = config.extraPrompts ?? {};
-	const defaultExtraPrompts = defaultConfig.extraPrompts ?? {};
-	const modelReasoningEfforts = config.modelReasoningEfforts ?? {};
-	const defaultModelReasoningEfforts = defaultConfig.modelReasoningEfforts ?? {};
-	const hasForceAgent = typeof config.forceAgent === "boolean";
-	const defaultForceAgent = defaultConfig.forceAgent ?? false;
-	const missingExtraPromptModels = Object.keys(defaultExtraPrompts).filter((model) => !Object.hasOwn(extraPrompts, model));
-	const missingReasoningEffortModels = Object.keys(defaultModelReasoningEfforts).filter((model) => !Object.hasOwn(modelReasoningEfforts, model));
-	const hasExtraPromptChanges = missingExtraPromptModels.length > 0;
-	const hasReasoningEffortChanges = missingReasoningEffortModels.length > 0;
-	if (!hasExtraPromptChanges && !hasReasoningEffortChanges && !!hasForceAgent) return {
-		mergedConfig: config,
-		changed: false
-	};
-	return {
-		mergedConfig: {
-			...config,
-			extraPrompts: {
-				...defaultExtraPrompts,
-				...extraPrompts
-			},
-			modelReasoningEfforts: {
-				...defaultModelReasoningEfforts,
-				...modelReasoningEfforts
-			},
-			forceAgent: hasForceAgent ? config.forceAgent : defaultForceAgent
-		},
-		changed: true
-	};
-}
-function mergeDefaultAuth(config) {
-	const authConfig = isPlainObject(config.auth) ? config.auth : void 0;
-	const nextAuth = { apiKeys: normalizeAuthApiKeys(Array.isArray(authConfig?.apiKeys) ? authConfig.apiKeys : void 0) };
-	if (authConfig && JSON.stringify(authConfig) === JSON.stringify(nextAuth)) return {
-		mergedConfig: config,
-		changed: false
-	};
-	return {
-		mergedConfig: {
-			...config,
-			auth: nextAuth
-		},
-		changed: true
-	};
-}
-function mergeDefaultAccountAffinity(config) {
-	const raw = config;
-	const hasOld = typeof raw.freeModelLoadBalancing === "boolean";
-	const hasNew = typeof config.accountAffinity === "boolean";
-	if (hasOld) {
-		const next = { ...config };
-		if (!hasNew) next.accountAffinity = raw.freeModelLoadBalancing;
-		delete next.freeModelLoadBalancing;
-		return {
-			mergedConfig: next,
-			changed: true
-		};
-	}
-	if (hasNew) return {
-		mergedConfig: config,
-		changed: false
-	};
-	return {
-		mergedConfig: {
-			...config,
-			accountAffinity: defaultConfig.accountAffinity ?? true
-		},
-		changed: true
-	};
-}
-function mergeDefaultModelRefreshInterval(config) {
-	if (normalizeNonNegativeNumber(config.modelRefreshIntervalHours) !== void 0) return {
-		mergedConfig: config,
-		changed: false
-	};
-	return {
-		mergedConfig: {
-			...config,
-			modelRefreshIntervalHours: defaultConfig.modelRefreshIntervalHours ?? 24
-		},
-		changed: true
-	};
-}
-function mergeDefaultSessionAffinityRetention(config) {
-	if (normalizeNonNegativeNumber(config.sessionAffinityRetentionDays) !== void 0) return {
-		mergedConfig: config,
-		changed: false
-	};
-	return {
-		mergedConfig: {
-			...config,
-			sessionAffinityRetentionDays: defaultConfig.sessionAffinityRetentionDays ?? 7
-		},
-		changed: true
-	};
-}
-function mergeDefaultLogLevel(config) {
-	if (normalizeLogLevel(config.logLevel) !== void 0) return {
-		mergedConfig: config,
-		changed: false
-	};
-	return {
-		mergedConfig: {
-			...config,
-			logLevel: defaultConfig.logLevel ?? "info"
-		},
-		changed: true
-	};
-}
-function mergeDefaultDevMode(config) {
-	const current = config.devMode;
-	if (current && typeof current.enabled === "boolean" && typeof current.capture4xx === "boolean" && typeof current.capture5xx === "boolean" && typeof current.captureOther === "boolean") return {
-		mergedConfig: config,
-		changed: false
-	};
-	return {
-		mergedConfig: {
-			...config,
-			devMode: {
-				enabled: current?.enabled === true,
-				capture4xx: current?.capture4xx === true,
-				capture5xx: current?.capture5xx === true,
-				captureOther: current?.captureOther === true
-			}
-		},
-		changed: true
-	};
-}
-function mergeDefaultQuotaRefresh(config) {
-	const quotaRefresh = normalizeQuotaRefreshConfig(config.quotaRefresh);
-	if (JSON.stringify(config.quotaRefresh) === JSON.stringify(quotaRefresh)) return {
-		mergedConfig: config,
-		changed: false
-	};
-	return {
-		mergedConfig: {
-			...config,
-			quotaRefresh
-		},
-		changed: true
-	};
-}
-function applyConfigMerges(config, mergeFns) {
-	return mergeFns.reduce((acc, mergeFn) => {
-		const result = mergeFn(acc.mergedConfig);
-		return {
-			mergedConfig: result.mergedConfig,
-			changed: acc.changed || result.changed
-		};
-	}, {
-		mergedConfig: config,
-		changed: false
 	});
 }
-function mergeConfigWithDefaults() {
-	const { mergedConfig, changed } = applyConfigMerges(readConfigFromDisk(), [
-		mergeDefaultAuth,
-		mergeDefaultConfig,
-		mergeDefaultAccountAffinity,
-		mergeDefaultModelRefreshInterval,
-		mergeDefaultSessionAffinityRetention,
-		mergeDefaultLogLevel,
-		mergeDefaultDevMode,
-		mergeDefaultQuotaRefresh
-	]);
-	if (changed) try {
-		fs$1.writeFileSync(PATHS.CONFIG_PATH, `${JSON.stringify(mergedConfig, null, 2)}\n`, "utf8");
-	} catch (writeError) {
-		consola.warn("Failed to write merged config defaults", writeError);
-	}
-	cachedConfig = mergedConfig;
-	return mergedConfig;
-}
-function getConfig() {
-	cachedConfig ??= mergeDefaultConfig(readConfigFromDisk()).mergedConfig;
-	return cachedConfig;
-}
-function normalizeAliasKey(value) {
-	const trimmed = value.trim().toLowerCase();
-	return trimmed.length > 0 ? trimmed : null;
-}
-function normalizeAliasTarget(value) {
-	const trimmed = value.trim();
-	return trimmed.length > 0 ? trimmed : null;
-}
-function normalizeAliasSpec(value) {
-	if (typeof value === "string") {
-		const normalizedTarget = normalizeAliasTarget(value);
-		return normalizedTarget ? { target: normalizedTarget } : null;
-	}
-	if (!value || typeof value !== "object") return null;
-	const targetValue = value.target;
-	if (typeof targetValue !== "string") return null;
-	const normalizedTarget = normalizeAliasTarget(targetValue);
-	if (!normalizedTarget) return null;
-	const allowOriginalValue = value.allowOriginal;
-	return {
-		target: normalizedTarget,
-		allowOriginal: typeof allowOriginalValue === "boolean" ? allowOriginalValue : void 0
-	};
-}
-function getModelAliasesInfo() {
-	const raw = getConfig().modelAliases ?? {};
-	const normalized = {};
-	for (const [alias, rawSpec] of Object.entries(raw)) {
-		const normalizedAlias = normalizeAliasKey(alias);
-		const normalizedSpec = normalizeAliasSpec(rawSpec);
-		if (!normalizedAlias || !normalizedSpec) continue;
-		if (!Object.hasOwn(normalized, normalizedAlias)) normalized[normalizedAlias] = normalizedSpec;
-	}
-	return normalized;
-}
-function getModelAliases() {
-	const info = getModelAliasesInfo();
-	const normalized = {};
-	for (const [alias, spec] of Object.entries(info)) normalized[alias] = spec.target;
-	return normalized;
-}
-function resolveModelAlias(modelId) {
-	const normalized = normalizeAliasKey(modelId);
-	if (!normalized) return modelId;
-	return getModelAliases()[normalized] ?? modelId;
-}
-function isOriginalModelNameAllowedForAliases() {
-	return getConfig().allowOriginalModelNamesForAliases ?? false;
-}
-function getAliasTargetSet() {
-	const aliases = getModelAliasesInfo();
-	const allowOriginalDefault = isOriginalModelNameAllowedForAliases();
-	const targetAllowMap = /* @__PURE__ */ new Map();
-	for (const { target, allowOriginal } of Object.values(aliases)) {
-		const normalizedTarget = target.toLowerCase();
-		const effectiveAllow = allowOriginal ?? allowOriginalDefault;
-		const currentAllow = targetAllowMap.get(normalizedTarget);
-		if (currentAllow === true) continue;
-		if (effectiveAllow) targetAllowMap.set(normalizedTarget, true);
-		else if (currentAllow === void 0) targetAllowMap.set(normalizedTarget, false);
-	}
-	const blockedTargets = /* @__PURE__ */ new Set();
-	for (const [target, allowed] of targetAllowMap.entries()) if (!allowed) blockedTargets.add(target);
-	return blockedTargets;
-}
-function isOriginalModelNameAllowedForTarget(modelId) {
-	const normalized = normalizeAliasKey(modelId);
-	if (!normalized) return true;
-	return !getAliasTargetSet().has(normalized);
-}
-function getPreferredAliasForTarget(modelId) {
-	return getAliasKeysForTarget(modelId, getModelAliases())[0] ?? null;
-}
-function getAliasKeysForTarget(target, aliases) {
-	const normalizedTarget = target.toLowerCase();
-	return Object.entries(aliases).filter(([, model]) => model.toLowerCase() === normalizedTarget).map(([alias]) => alias).sort();
-}
-function getAliasFallbackValue(record, modelId, aliases) {
-	if (!record) return void 0;
-	const aliasKeys = getAliasKeysForTarget(modelId, aliases);
-	if (aliasKeys.length === 0) return void 0;
-	const recordByAlias = /* @__PURE__ */ new Map();
-	for (const [key, value] of Object.entries(record)) {
-		const normalized = normalizeAliasKey(key);
-		if (normalized) recordByAlias.set(normalized, value);
-	}
-	for (const alias of aliasKeys) {
-		const value = recordByAlias.get(alias);
-		if (value !== void 0) return value;
-	}
-}
-function getExtraPromptForModel(model) {
-	const config = getConfig();
-	const direct = config.extraPrompts?.[model];
-	if (direct !== void 0) return direct;
-	const aliases = getModelAliases();
-	return getAliasFallbackValue(config.extraPrompts, model, aliases) ?? "";
-}
-function getSmallModel() {
-	const model = getConfig().smallModel ?? "gpt-5-mini";
-	if (isOriginalModelNameAllowedForTarget(model)) return model;
-	return getPreferredAliasForTarget(model) ?? model;
-}
-function getLogLevel() {
-	return normalizeLogLevel(getConfig().logLevel) ?? defaultConfig.logLevel ?? "info";
-}
-function isAccountAffinityEnabled() {
-	return getConfig().accountAffinity ?? true;
-}
-function getModelRefreshIntervalHours() {
-	return normalizeNonNegativeNumber(getConfig().modelRefreshIntervalHours) ?? defaultConfig.modelRefreshIntervalHours ?? 24;
-}
-function getModelRefreshIntervalMs() {
-	const hours = getModelRefreshIntervalHours();
-	if (!Number.isFinite(hours) || hours <= 0) return 0;
-	return hours * 60 * 60 * 1e3;
-}
-function getQuotaRefreshConfig() {
-	return normalizeQuotaRefreshConfig(getConfig().quotaRefresh);
-}
-function getSessionAffinityRetentionDays() {
-	return normalizeNonNegativeNumber(getConfig().sessionAffinityRetentionDays) ?? defaultConfig.sessionAffinityRetentionDays ?? 7;
-}
-function getSessionAffinityRetentionMs() {
-	const days = getSessionAffinityRetentionDays();
-	if (!Number.isFinite(days) || days <= 0) return 0;
-	return days * 24 * 60 * 60 * 1e3;
-}
-function isMessageStartInputTokensFallbackEnabled() {
-	return getConfig().messageStartInputTokensFallback ?? false;
+function createUnauthorizedResponse(c) {
+	c.header("WWW-Authenticate", "Bearer realm=\"copilot-api\"");
+	return c.json({ error: {
+		message: "Unauthorized. Provide Authorization: Bearer <key> or x-api-key.",
+		type: "unauthorized"
+	} }, 401);
 }
-function shouldCompactUseSmallModel() {
-	return getConfig().compactUseSmallModel ?? true;
+function normalizePathname(pathname) {
+	if (pathname.length > 1 && pathname.endsWith("/")) return pathname.slice(0, -1);
+	return pathname;
 }
-function getResponsesApiContextManagementModels() {
-	return getConfig().responsesApiContextManagementModels ?? defaultConfig.responsesApiContextManagementModels ?? [];
+function hasPrefixBoundary(pathname, prefix) {
+	return pathname === prefix || pathname.startsWith(`${prefix}/`);
 }
-function isResponsesApiContextManagementModel(model) {
-	return getResponsesApiContextManagementModels().includes(model);
-}
-function getReasoningEffortForModel(model) {
-	const config = getConfig();
-	const direct = config.modelReasoningEfforts?.[model];
-	if (direct !== void 0) return direct;
-	const aliases = getModelAliases();
-	return getAliasFallbackValue(config.modelReasoningEfforts, model, aliases) ?? "high";
-}
-function isForceAgentEnabled() {
-	return getConfig().forceAgent ?? false;
-}
-function normalizeProviderBaseUrl(url) {
-	return url.trim().replace(/\/+$/u, "");
-}
-function getDefaultProviderAuthType(providerType) {
-	return providerType === "openai-compatible" ? "authorization" : "x-api-key";
-}
-function resolveProviderAuthType(providerName, authType, providerType) {
-	if (authType === void 0) return getDefaultProviderAuthType(providerType);
-	if (authType === "x-api-key") return "x-api-key";
-	if (authType === "authorization") return authType;
-	consola.warn(`Provider ${providerName} has invalid authType '${authType}', falling back to ${getDefaultProviderAuthType(providerType)}`);
-	return getDefaultProviderAuthType(providerType);
-}
-function getProviderConfig(name) {
-	const providerName = name.trim();
-	if (!providerName) return null;
-	const provider = getConfig().providers?.[providerName];
-	if (!provider) return null;
-	if (provider.enabled === false) return null;
-	const type = provider.type ?? "anthropic";
-	if (type !== "anthropic" && type !== "openai-compatible") {
-		consola.warn(`Provider ${providerName} is ignored because type '${type}' is not supported`);
-		return null;
-	}
-	const baseUrl = normalizeProviderBaseUrl(provider.baseUrl ?? "");
-	const apiKey = (provider.apiKey ?? "").trim();
-	const authType = resolveProviderAuthType(providerName, provider.authType, type);
-	if (!baseUrl || !apiKey) {
-		consola.warn(`Provider ${providerName} is enabled but missing baseUrl or apiKey`);
-		return null;
-	}
-	return {
-		name: providerName,
-		type,
-		baseUrl,
-		apiKey,
-		authType,
-		models: provider.models,
-		adjustInputTokens: provider.adjustInputTokens
+function timingSafeKeyCompare(a, b) {
+	try {
+		const aBuf = Buffer.from(a);
+		const bBuf = Buffer.from(b);
+		if (aBuf.length !== bBuf.length) return false;
+		return timingSafeEqual(aBuf, bBuf);
+	} catch {
+		return false;
+	}
+}
+function createAuthMiddleware(options = {}) {
+	const getApiKeys = options.getApiKeys ?? getConfiguredApiKeys;
+	const allowUnauthenticatedPaths = new Set((options.allowUnauthenticatedPaths ?? ["/"]).map((path) => normalizePathname(path)));
+	const allowUnauthenticatedPathPrefixes = (options.allowUnauthenticatedPathPrefixes ?? []).map((path) => normalizePathname(path));
+	const allowOptionsBypass = options.allowOptionsBypass ?? true;
+	return async (c, next) => {
+		if (allowOptionsBypass && c.req.method === "OPTIONS") return next();
+		const pathname = normalizePathname(new URL(c.req.url, "http://local").pathname);
+		if (allowUnauthenticatedPaths.has(pathname)) return next();
+		if (allowUnauthenticatedPathPrefixes.some((prefix) => hasPrefixBoundary(pathname, prefix))) return next();
+		if (!isAuthorizedHeaders(c.req.raw.headers, getApiKeys)) return createUnauthorizedResponse(c);
+		return next();
 	};
 }
-function isMessagesApiEnabled() {
-	return getConfig().useMessagesApi ?? true;
-}
-function isResponsesApiWebSocketEnabled() {
-	return getConfig().useResponsesApiWebSocket ?? true;
-}
-function getAnthropicApiKey() {
-	return getConfig().anthropicApiKey ?? process.env.ANTHROPIC_API_KEY ?? void 0;
-}
-function isResponsesApiWebSearchEnabled() {
-	return getConfig().useResponsesApiWebSearch ?? true;
-}
-function getClaudeTokenMultiplier() {
-	return getConfig().claudeTokenMultiplier ?? 1.15;
-}
 //#endregion
 //#region src/lib/account-affinity.ts
 const DEFAULT_MAX_ENTRIES$1 = 1e4;
@@ -1629,7 +1203,7 @@ var RequestHistoryStore = class {
 		} catch (error) {
 			consola.debug("Failed to cleanup request_log retention", error);
 		}
-		import("./request-outbound-BJjWS_jF.js").then((m) => m.getRequestOutboundStore().cleanupOrphans()).catch(() => {});
+		import("./request-outbound-BkEA8Wgb.js").then((m) => m.getRequestOutboundStore().cleanupOrphans()).catch(() => {});
 	}
 	meta() {
 		return {
@@ -3257,59 +2831,24 @@ function updateQuotaRefreshSchedulerFromConfig() {
 	quotaRefreshScheduler.updateConfig(getQuotaRefreshConfig());
 }
 //#endregion
-//#region src/lib/proxy.ts
-let proxyEnvDispatcher;
-function getProxyEnvDispatcher() {
-	return proxyEnvDispatcher;
-}
-function initProxyFromEnv() {
+//#region src/services/copilot/responses-bridge-registry.ts
+const bridgeClosers = /* @__PURE__ */ new Map();
+const registerResponsesBridge = (bridgeId, closer) => {
+	bridgeClosers.set(bridgeId, closer);
+};
+const unregisterResponsesBridge = (bridgeId) => {
+	bridgeClosers.delete(bridgeId);
+};
+const closeResponsesBridge = (bridgeId) => {
+	const closer = bridgeClosers.get(bridgeId);
+	if (!closer) return;
 	try {
-		const direct = new Agent();
-		const proxies = /* @__PURE__ */ new Map();
-		proxyEnvDispatcher = {
-			dispatch(options, handler) {
-				try {
-					const origin = typeof options.origin === "string" ? new URL(options.origin) : options.origin;
-					const raw = getProxyForUrl(origin.toString());
-					const proxyUrl = raw && raw.length > 0 ? raw : void 0;
-					if (!proxyUrl) {
-						consola.debug(`HTTP proxy bypass: ${origin.hostname}`);
-						return direct.dispatch(options, handler);
-					}
-					let agent = proxies.get(proxyUrl);
-					if (!agent) {
-						agent = new ProxyAgent(proxyUrl);
-						proxies.set(proxyUrl, agent);
-					}
-					let label = proxyUrl;
-					try {
-						const u = new URL(proxyUrl);
-						label = `${u.protocol}//${u.host}`;
-					} catch {}
-					consola.debug(`HTTP proxy route: ${origin.hostname} via ${label}`);
-					return agent.dispatch(options, handler);
-				} catch {
-					return direct.dispatch(options, handler);
-				}
-			},
-			close() {
-				return direct.close();
-			},
-			destroy() {
-				return direct.destroy();
-			}
-		};
-		if (typeof Bun !== "undefined") {
-			consola.debug("WebSocket proxy configured from environment (per-URL)");
-			return;
-		}
-		setGlobalDispatcher(proxyEnvDispatcher);
-		consola.debug("HTTP proxy configured from environment (per-URL)");
-	} catch (err) {
-		consola.debug("Proxy setup skipped:", err);
+		closer();
+	} catch (error) {
+		consola.warn("Failed to close Responses websocket bridge:", error);
 	}
-}
+};
 //#endregion
-export { getModelRefreshIntervalMs as A, isResponsesApiWebSocketEnabled as B, getAnthropicApiKey as C, getLogLevel as D, getExtraPromptForModel as E, isForceAgentEnabled as F, resolveModelAlias as H, isMessageStartInputTokensFallbackEnabled as I, isMessagesApiEnabled as L, getReasoningEffortForModel as M, getSmallModel as N, getModelAliases as O, isAccountAffinityEnabled as P, isResponsesApiContextManagementModel as R, getAliasTargetSet as S, getConfig as T, shouldCompactUseSmallModel as U, mergeConfigWithDefaults as V, toLocalDateString as _, stopQuotaRefreshScheduler as a, isDevModeEnabled as b, applySharedSessionAffinityRetention as c, getClientIpInfo as d, getRequestHistoryStore as f, normalizeMessagesUsage as g, normalizeEmbeddingsUsage as h, startQuotaRefreshSchedulerFromConfig as i, getProviderConfig as j, getModelAliasesInfo as k, extractResponsesUsageFromResult as l, normalizeChatCompletionsUsage as m, initProxyFromEnv as n, updateQuotaRefreshSchedulerFromConfig as o, getStatsStore as p, registerQuotaRefreshSchedulerShutdownCleanup as r, accountsManager as s, getProxyEnvDispatcher as t, extractResponsesUsageFromStreamEvent as u, copilotFetch as v, getClaudeTokenMultiplier as w, PROVIDER_TYPE_ANTHROPIC as x, flushPendingCapture as y, isResponsesApiWebSearchEnabled as z };
+export { createUnauthorizedRawResponse as C, createAuthMiddleware as S, normalizeMessagesUsage as _, startQuotaRefreshSchedulerFromConfig as a, flushPendingCapture as b, accountsManager as c, extractResponsesUsageFromStreamEvent as d, getClientIpInfo as f, normalizeEmbeddingsUsage as g, normalizeChatCompletionsUsage as h, registerQuotaRefreshSchedulerShutdownCleanup as i, applySharedSessionAffinityRetention as l, getStatsStore as m, registerResponsesBridge as n, stopQuotaRefreshScheduler as o, getRequestHistoryStore as p, unregisterResponsesBridge as r, updateQuotaRefreshSchedulerFromConfig as s, closeResponsesBridge as t, extractResponsesUsageFromResult as u, toLocalDateString as v, isAuthorizedHeaders as w, isDevModeEnabled as x, copilotFetch as y };
 
-//# sourceMappingURL=proxy-_U-hgwIn.js.map
+//# sourceMappingURL=responses-bridge-registry-BJ5Sbh6-.js.map