@noxsoft/anima 5.1.2 → 6.5.0

package/dist/{auth-profiles-BF5x9Ej0.js → auth-profiles-Brxz2ojJ.js}

@@ -2,7 +2,7 @@ import { n as __exportAll } from "./chunk-BXK9XSlF.js";
 import { Q as resolveOAuthPath, o as createSubsystemLogger } from "./entry.js";
 import { t as formatCliCommand } from "./command-format-kLw3YIIu.js";
 import { y as resolveUserPath } from "./utils-D1VGbO3C.js";
-import { c as normalizeProviderId } from "./model-selection-DFbDH9o2.js";
+import { c as normalizeProviderId } from "./model-selection-DcO3qJOu.js";
 import { t as withFileLock } from "./file-lock-CxXn285m.js";
 import { t as resolveAnimaAgentDir } from "./agent-paths-niQrLbGc.js";
 import { execFileSync, execSync } from "node:child_process";
@@ -91,7 +91,6 @@ const CLAUDE_CLI_CREDENTIALS_RELATIVE_PATH = ".claude/.credentials.json";
 const CODEX_CLI_AUTH_FILENAME = "auth.json";
 const QWEN_CLI_CREDENTIALS_RELATIVE_PATH = ".qwen/oauth_creds.json";
 const MINIMAX_CLI_CREDENTIALS_RELATIVE_PATH = ".minimax/oauth_creds.json";
-const OPENCLAW_AUTH_PROFILES_PATH = ".openclaw/agents/main/agent/auth-profiles.json";
 const CLAUDE_CLI_KEYCHAIN_SERVICE = "Claude Code-credentials";
 const WINDOWS_CREDENTIAL_TARGET = "Claude Code-credentials";
 let codexCliCache = null;
@@ -210,43 +209,6 @@ function readMiniMaxCliCredentials(options) {
 	return readPortalCliOauthCredentials(resolveMiniMaxCliCredentialsPath(options?.homeDir), "minimax-portal");
 }
 /**
-* Read Claude Code credentials from the OpenClaw auth-profiles.json store.
-*
-* OpenClaw (which shares the same auth infrastructure) stores the Claude Code
-* OAuth token in ~/.openclaw/agents/main/agent/auth-profiles.json.
-* This is the most reliable source on Windows where the Keychain is unavailable.
-*/
-function readOpenClawCredentials(options) {
-	const baseDir = options?.homeDir ?? resolveUserPath("~");
-	const raw = loadJsonFile(path.join(baseDir, OPENCLAW_AUTH_PROFILES_PATH));
-	if (!raw || typeof raw !== "object") return null;
-	const profiles = raw.profiles;
-	if (!profiles) return null;
-	const anthropicProfile = profiles["anthropic:default"];
-	if (!anthropicProfile || anthropicProfile.provider !== "anthropic") return null;
-	if (anthropicProfile.type === "token" && typeof anthropicProfile.token === "string") {
-		const token = anthropicProfile.token;
-		log.info("read anthropic credentials from openclaw auth-profiles", { type: "token" });
-		return {
-			type: "token",
-			provider: "anthropic",
-			token,
-			expires: Date.now() + 365 * 24 * 60 * 60 * 1e3
-		};
-	}
-	if (anthropicProfile.type === "oauth" && typeof anthropicProfile.access === "string" && typeof anthropicProfile.refresh === "string" && typeof anthropicProfile.expires === "number") {
-		log.info("read anthropic oauth credentials from openclaw auth-profiles");
-		return {
-			type: "oauth",
-			provider: "anthropic",
-			access: anthropicProfile.access,
-			refresh: anthropicProfile.refresh,
-			expires: anthropicProfile.expires
-		};
-	}
-	return null;
-}
-/**
 * Read Claude Code credentials from Windows Credential Manager.
 *
 * On Windows, the Claude CLI stores its OAuth token via the Windows
@@ -317,8 +279,6 @@ function readClaudeCliCredentials(options) {
 			return parsed;
 		}
 	}
-	const openClawCreds = readOpenClawCredentials({ homeDir: options?.homeDir });
-	if (openClawCreds) return openClawCreds;
 	return null;
 }
 function readCodexCliCredentials(options) {
@@ -687,6 +647,26 @@ function saveAuthProfileStore(store, agentDir) {
 
 //#endregion
 //#region src/agents/auth-profiles/profiles.ts
+async function setAuthProfileOrder(params) {
+	const providerKey = normalizeProviderId(params.provider);
+	const sanitized = params.order && Array.isArray(params.order) ? params.order.map((entry) => String(entry).trim()).filter(Boolean) : [];
+	const deduped = [];
+	for (const entry of sanitized) if (!deduped.includes(entry)) deduped.push(entry);
+	return await updateAuthProfileStoreWithLock({
+		agentDir: params.agentDir,
+		updater: (store) => {
+			store.order = store.order ?? {};
+			if (deduped.length === 0) {
+				if (!store.order[providerKey]) return false;
+				delete store.order[providerKey];
+				if (Object.keys(store.order).length === 0) store.order = void 0;
+				return true;
+			}
+			store.order[providerKey] = deduped;
+			return true;
+		}
+	});
+}
 function upsertAuthProfile(params) {
 	const credential = params.credential.type === "api_key" ? {
 		...params.credential,
@@ -703,6 +683,32 @@ function listProfilesForProvider(store, provider) {
 	const providerKey = normalizeProviderId(provider);
 	return Object.entries(store.profiles).filter(([, cred]) => normalizeProviderId(cred.provider) === providerKey).map(([id]) => id);
 }
+async function markAuthProfileGood(params) {
+	const { store, provider, profileId, agentDir } = params;
+	const updated = await updateAuthProfileStoreWithLock({
+		agentDir,
+		updater: (freshStore) => {
+			const profile = freshStore.profiles[profileId];
+			if (!profile || profile.provider !== provider) return false;
+			freshStore.lastGood = {
+				...freshStore.lastGood,
+				[provider]: profileId
+			};
+			return true;
+		}
+	});
+	if (updated) {
+		store.lastGood = updated.lastGood;
+		return;
+	}
+	const profile = store.profiles[profileId];
+	if (!profile || profile.provider !== provider) return;
+	store.lastGood = {
+		...store.lastGood,
+		[provider]: profileId
+	};
+	saveAuthProfileStore(store, agentDir);
+}
 
 //#endregion
 //#region src/agents/auth-profiles/repair.ts
@@ -1004,11 +1010,156 @@ function isProfileInCooldown(store, profileId) {
 	const unusableUntil = resolveProfileUnusableUntil$1(stats);
 	return unusableUntil ? Date.now() < unusableUntil : false;
 }
+/**
+* Mark a profile as successfully used. Resets error count and updates lastUsed.
+* Uses store lock to avoid overwriting concurrent usage updates.
+*/
+async function markAuthProfileUsed(params) {
+	const { store, profileId, agentDir } = params;
+	const updated = await updateAuthProfileStoreWithLock({
+		agentDir,
+		updater: (freshStore) => {
+			if (!freshStore.profiles[profileId]) return false;
+			freshStore.usageStats = freshStore.usageStats ?? {};
+			freshStore.usageStats[profileId] = {
+				...freshStore.usageStats[profileId],
+				lastUsed: Date.now(),
+				errorCount: 0,
+				cooldownUntil: void 0,
+				disabledUntil: void 0,
+				disabledReason: void 0,
+				failureCounts: void 0
+			};
+			return true;
+		}
+	});
+	if (updated) {
+		store.usageStats = updated.usageStats;
+		return;
+	}
+	if (!store.profiles[profileId]) return;
+	store.usageStats = store.usageStats ?? {};
+	store.usageStats[profileId] = {
+		...store.usageStats[profileId],
+		lastUsed: Date.now(),
+		errorCount: 0,
+		cooldownUntil: void 0,
+		disabledUntil: void 0,
+		disabledReason: void 0,
+		failureCounts: void 0
+	};
+	saveAuthProfileStore(store, agentDir);
+}
+function calculateAuthProfileCooldownMs(errorCount) {
+	const normalized = Math.max(1, errorCount);
+	return Math.min(3600 * 1e3, 60 * 1e3 * 5 ** Math.min(normalized - 1, 3));
+}
+function resolveAuthCooldownConfig(params) {
+	const defaults = {
+		billingBackoffHours: 5,
+		billingMaxHours: 24,
+		failureWindowHours: 24
+	};
+	const resolveHours = (value, fallback) => typeof value === "number" && Number.isFinite(value) && value > 0 ? value : fallback;
+	const cooldowns = params.cfg?.auth?.cooldowns;
+	const billingBackoffHours = resolveHours((() => {
+		const map = cooldowns?.billingBackoffHoursByProvider;
+		if (!map) return;
+		for (const [key, value] of Object.entries(map)) if (normalizeProviderId(key) === params.providerId) return value;
+	})() ?? cooldowns?.billingBackoffHours, defaults.billingBackoffHours);
+	const billingMaxHours = resolveHours(cooldowns?.billingMaxHours, defaults.billingMaxHours);
+	const failureWindowHours = resolveHours(cooldowns?.failureWindowHours, defaults.failureWindowHours);
+	return {
+		billingBackoffMs: billingBackoffHours * 60 * 60 * 1e3,
+		billingMaxMs: billingMaxHours * 60 * 60 * 1e3,
+		failureWindowMs: failureWindowHours * 60 * 60 * 1e3
+	};
+}
+function calculateAuthProfileBillingDisableMsWithConfig(params) {
+	const normalized = Math.max(1, params.errorCount);
+	const baseMs = Math.max(6e4, params.baseMs);
+	const maxMs = Math.max(baseMs, params.maxMs);
+	const raw = baseMs * 2 ** Math.min(normalized - 1, 10);
+	return Math.min(maxMs, raw);
+}
 function resolveProfileUnusableUntilForDisplay(store, profileId) {
 	const stats = store.usageStats?.[profileId];
 	if (!stats) return null;
 	return resolveProfileUnusableUntil$1(stats);
 }
+function computeNextProfileUsageStats(params) {
+	const windowMs = params.cfgResolved.failureWindowMs;
+	const windowExpired = typeof params.existing.lastFailureAt === "number" && params.existing.lastFailureAt > 0 && params.now - params.existing.lastFailureAt > windowMs;
+	const nextErrorCount = (windowExpired ? 0 : params.existing.errorCount ?? 0) + 1;
+	const failureCounts = windowExpired ? {} : { ...params.existing.failureCounts };
+	failureCounts[params.reason] = (failureCounts[params.reason] ?? 0) + 1;
+	const updatedStats = {
+		...params.existing,
+		errorCount: nextErrorCount,
+		failureCounts,
+		lastFailureAt: params.now
+	};
+	if (params.reason === "billing") {
+		const backoffMs = calculateAuthProfileBillingDisableMsWithConfig({
+			errorCount: failureCounts.billing ?? 1,
+			baseMs: params.cfgResolved.billingBackoffMs,
+			maxMs: params.cfgResolved.billingMaxMs
+		});
+		updatedStats.disabledUntil = params.now + backoffMs;
+		updatedStats.disabledReason = "billing";
+	} else {
+		const backoffMs = calculateAuthProfileCooldownMs(nextErrorCount);
+		updatedStats.cooldownUntil = params.now + backoffMs;
+	}
+	return updatedStats;
+}
+/**
+* Mark a profile as failed for a specific reason. Billing failures are treated
+* as "disabled" (longer backoff) vs the regular cooldown window.
+*/
+async function markAuthProfileFailure(params) {
+	const { store, profileId, reason, agentDir, cfg } = params;
+	const updated = await updateAuthProfileStoreWithLock({
+		agentDir,
+		updater: (freshStore) => {
+			const profile = freshStore.profiles[profileId];
+			if (!profile) return false;
+			freshStore.usageStats = freshStore.usageStats ?? {};
+			const existing = freshStore.usageStats[profileId] ?? {};
+			const now = Date.now();
+			const cfgResolved = resolveAuthCooldownConfig({
+				cfg,
+				providerId: normalizeProviderId(profile.provider)
+			});
+			freshStore.usageStats[profileId] = computeNextProfileUsageStats({
+				existing,
+				now,
+				reason,
+				cfgResolved
+			});
+			return true;
+		}
+	});
+	if (updated) {
+		store.usageStats = updated.usageStats;
+		return;
+	}
+	if (!store.profiles[profileId]) return;
+	store.usageStats = store.usageStats ?? {};
+	const existing = store.usageStats[profileId] ?? {};
+	const now = Date.now();
+	const cfgResolved = resolveAuthCooldownConfig({
+		cfg,
+		providerId: normalizeProviderId(store.profiles[profileId]?.provider ?? "")
+	});
+	store.usageStats[profileId] = computeNextProfileUsageStats({
+		existing,
+		now,
+		reason,
+		cfgResolved
+	});
+	saveAuthProfileStore(store, agentDir);
+}
 
 //#endregion
 //#region src/agents/auth-profiles/order.ts
@@ -1106,4 +1257,4 @@ function orderProfilesByMode(order, store) {
 var auth_profiles_exports = /* @__PURE__ */ __exportAll({ ensureAuthProfileStore: () => ensureAuthProfileStore });
 
 //#endregion
-export { CLAUDE_CLI_PROFILE_ID as C, resolveAuthProfileDisplayLabel as S, readOpenClawCredentials as _, resolveApiKeyForProfile as a, normalizeOptionalSecretInput as b, upsertAuthProfile as c, saveAuthProfileStore as d, updateAuthProfileStoreWithLock as f, readCodexCliCredentialsCached as g, readClaudeCliCredentials as h, resolveProfileUnusableUntilForDisplay as i, ensureAuthProfileStore as l, resolveAuthStorePathForDisplay as m, resolveAuthProfileOrder as n, repairOAuthProfileIdMismatch as o, resolveAuthStorePath as p, isProfileInCooldown as r, listProfilesForProvider as s, auth_profiles_exports as t, loadAuthProfileStore as u, loadJsonFile as v, CODEX_CLI_PROFILE_ID as w, normalizeSecretInput as x, saveJsonFile as y };
+export { normalizeOptionalSecretInput as C, CODEX_CLI_PROFILE_ID as D, CLAUDE_CLI_PROFILE_ID as E, saveJsonFile as S, resolveAuthProfileDisplayLabel as T, resolveAuthStorePath as _, markAuthProfileUsed as a, readCodexCliCredentialsCached as b, repairOAuthProfileIdMismatch as c, setAuthProfileOrder as d, upsertAuthProfile as f, updateAuthProfileStoreWithLock as g, saveAuthProfileStore as h, markAuthProfileFailure as i, listProfilesForProvider as l, loadAuthProfileStore as m, resolveAuthProfileOrder as n, resolveProfileUnusableUntilForDisplay as o, ensureAuthProfileStore as p, isProfileInCooldown as r, resolveApiKeyForProfile as s, auth_profiles_exports as t, markAuthProfileGood as u, resolveAuthStorePathForDisplay as v, normalizeSecretInput as w, loadJsonFile as x, readClaudeCliCredentials as y };

package/dist/{auth-profiles-DjCH4kWT.js → auth-profiles-C-LuhW6c.js}

@@ -1,9 +1,9 @@
 import { n as __exportAll } from "./chunk-BXK9XSlF.js";
 import { m as resolveStateDir, p as resolveOAuthPath } from "./paths-zhVksOvm.js";
-import { t as createSubsystemLogger } from "./subsystem-BMsbqSb4.js";
-import { b as resolveUserPath } from "./utils-B60lF9Wq.js";
+import { t as createSubsystemLogger } from "./subsystem-BAADN1B8.js";
+import { b as resolveUserPath } from "./utils-CLYlhJuc.js";
 import { n as DEFAULT_AGENT_ID } from "./session-key-DAZmp8ll.js";
-import { c as normalizeProviderId } from "./model-selection-wCaVeFbb.js";
+import { c as normalizeProviderId } from "./model-selection-CY6r_3wt.js";
 import { t as formatCliCommand } from "./command-format-BCtkuvqF.js";
 import { t as withFileLock } from "./file-lock-Z53aFHvY.js";
 import fs from "node:fs";
@@ -92,7 +92,6 @@ const CLAUDE_CLI_CREDENTIALS_RELATIVE_PATH = ".claude/.credentials.json";
 const CODEX_CLI_AUTH_FILENAME = "auth.json";
 const QWEN_CLI_CREDENTIALS_RELATIVE_PATH = ".qwen/oauth_creds.json";
 const MINIMAX_CLI_CREDENTIALS_RELATIVE_PATH = ".minimax/oauth_creds.json";
-const OPENCLAW_AUTH_PROFILES_PATH = ".openclaw/agents/main/agent/auth-profiles.json";
 const CLAUDE_CLI_KEYCHAIN_SERVICE = "Claude Code-credentials";
 const WINDOWS_CREDENTIAL_TARGET = "Claude Code-credentials";
 let codexCliCache = null;
@@ -211,43 +210,6 @@ function readMiniMaxCliCredentials(options) {
 	return readPortalCliOauthCredentials(resolveMiniMaxCliCredentialsPath(options?.homeDir), "minimax-portal");
 }
 /**
-* Read Claude Code credentials from the OpenClaw auth-profiles.json store.
-*
-* OpenClaw (which shares the same auth infrastructure) stores the Claude Code
-* OAuth token in ~/.openclaw/agents/main/agent/auth-profiles.json.
-* This is the most reliable source on Windows where the Keychain is unavailable.
-*/
-function readOpenClawCredentials(options) {
-	const baseDir = options?.homeDir ?? resolveUserPath("~");
-	const raw = loadJsonFile(path.join(baseDir, OPENCLAW_AUTH_PROFILES_PATH));
-	if (!raw || typeof raw !== "object") return null;
-	const profiles = raw.profiles;
-	if (!profiles) return null;
-	const anthropicProfile = profiles["anthropic:default"];
-	if (!anthropicProfile || anthropicProfile.provider !== "anthropic") return null;
-	if (anthropicProfile.type === "token" && typeof anthropicProfile.token === "string") {
-		const token = anthropicProfile.token;
-		log.info("read anthropic credentials from openclaw auth-profiles", { type: "token" });
-		return {
-			type: "token",
-			provider: "anthropic",
-			token,
-			expires: Date.now() + 365 * 24 * 60 * 60 * 1e3
-		};
-	}
-	if (anthropicProfile.type === "oauth" && typeof anthropicProfile.access === "string" && typeof anthropicProfile.refresh === "string" && typeof anthropicProfile.expires === "number") {
-		log.info("read anthropic oauth credentials from openclaw auth-profiles");
-		return {
-			type: "oauth",
-			provider: "anthropic",
-			access: anthropicProfile.access,
-			refresh: anthropicProfile.refresh,
-			expires: anthropicProfile.expires
-		};
-	}
-	return null;
-}
-/**
 * Read Claude Code credentials from Windows Credential Manager.
 *
 * On Windows, the Claude CLI stores its OAuth token via the Windows
@@ -318,8 +280,6 @@ function readClaudeCliCredentials(options) {
 			return parsed;
 		}
 	}
-	const openClawCreds = readOpenClawCredentials({ homeDir: options?.homeDir });
-	if (openClawCreds) return openClawCreds;
 	return null;
 }
 function readCodexCliCredentials(options) {
@@ -696,6 +656,26 @@ function saveAuthProfileStore(store, agentDir) {
 
 //#endregion
 //#region src/agents/auth-profiles/profiles.ts
+async function setAuthProfileOrder(params) {
+	const providerKey = normalizeProviderId(params.provider);
+	const sanitized = params.order && Array.isArray(params.order) ? params.order.map((entry) => String(entry).trim()).filter(Boolean) : [];
+	const deduped = [];
+	for (const entry of sanitized) if (!deduped.includes(entry)) deduped.push(entry);
+	return await updateAuthProfileStoreWithLock({
+		agentDir: params.agentDir,
+		updater: (store) => {
+			store.order = store.order ?? {};
+			if (deduped.length === 0) {
+				if (!store.order[providerKey]) return false;
+				delete store.order[providerKey];
+				if (Object.keys(store.order).length === 0) store.order = void 0;
+				return true;
+			}
+			store.order[providerKey] = deduped;
+			return true;
+		}
+	});
+}
 function upsertAuthProfile(params) {
 	const credential = params.credential.type === "api_key" ? {
 		...params.credential,
@@ -712,6 +692,32 @@ function listProfilesForProvider(store, provider) {
 	const providerKey = normalizeProviderId(provider);
 	return Object.entries(store.profiles).filter(([, cred]) => normalizeProviderId(cred.provider) === providerKey).map(([id]) => id);
 }
+async function markAuthProfileGood(params) {
+	const { store, provider, profileId, agentDir } = params;
+	const updated = await updateAuthProfileStoreWithLock({
+		agentDir,
+		updater: (freshStore) => {
+			const profile = freshStore.profiles[profileId];
+			if (!profile || profile.provider !== provider) return false;
+			freshStore.lastGood = {
+				...freshStore.lastGood,
+				[provider]: profileId
+			};
+			return true;
+		}
+	});
+	if (updated) {
+		store.lastGood = updated.lastGood;
+		return;
+	}
+	const profile = store.profiles[profileId];
+	if (!profile || profile.provider !== provider) return;
+	store.lastGood = {
+		...store.lastGood,
+		[provider]: profileId
+	};
+	saveAuthProfileStore(store, agentDir);
+}
 
 //#endregion
 //#region src/agents/auth-profiles/repair.ts
@@ -1013,11 +1019,156 @@ function isProfileInCooldown(store, profileId) {
 	const unusableUntil = resolveProfileUnusableUntil$1(stats);
 	return unusableUntil ? Date.now() < unusableUntil : false;
 }
+/**
+* Mark a profile as successfully used. Resets error count and updates lastUsed.
+* Uses store lock to avoid overwriting concurrent usage updates.
+*/
+async function markAuthProfileUsed(params) {
+	const { store, profileId, agentDir } = params;
+	const updated = await updateAuthProfileStoreWithLock({
+		agentDir,
+		updater: (freshStore) => {
+			if (!freshStore.profiles[profileId]) return false;
+			freshStore.usageStats = freshStore.usageStats ?? {};
+			freshStore.usageStats[profileId] = {
+				...freshStore.usageStats[profileId],
+				lastUsed: Date.now(),
+				errorCount: 0,
+				cooldownUntil: void 0,
+				disabledUntil: void 0,
+				disabledReason: void 0,
+				failureCounts: void 0
+			};
+			return true;
+		}
+	});
+	if (updated) {
+		store.usageStats = updated.usageStats;
+		return;
+	}
+	if (!store.profiles[profileId]) return;
+	store.usageStats = store.usageStats ?? {};
+	store.usageStats[profileId] = {
+		...store.usageStats[profileId],
+		lastUsed: Date.now(),
+		errorCount: 0,
+		cooldownUntil: void 0,
+		disabledUntil: void 0,
+		disabledReason: void 0,
+		failureCounts: void 0
+	};
+	saveAuthProfileStore(store, agentDir);
+}
+function calculateAuthProfileCooldownMs(errorCount) {
+	const normalized = Math.max(1, errorCount);
+	return Math.min(3600 * 1e3, 60 * 1e3 * 5 ** Math.min(normalized - 1, 3));
+}
+function resolveAuthCooldownConfig(params) {
+	const defaults = {
+		billingBackoffHours: 5,
+		billingMaxHours: 24,
+		failureWindowHours: 24
+	};
+	const resolveHours = (value, fallback) => typeof value === "number" && Number.isFinite(value) && value > 0 ? value : fallback;
+	const cooldowns = params.cfg?.auth?.cooldowns;
+	const billingBackoffHours = resolveHours((() => {
+		const map = cooldowns?.billingBackoffHoursByProvider;
+		if (!map) return;
+		for (const [key, value] of Object.entries(map)) if (normalizeProviderId(key) === params.providerId) return value;
+	})() ?? cooldowns?.billingBackoffHours, defaults.billingBackoffHours);
+	const billingMaxHours = resolveHours(cooldowns?.billingMaxHours, defaults.billingMaxHours);
+	const failureWindowHours = resolveHours(cooldowns?.failureWindowHours, defaults.failureWindowHours);
+	return {
+		billingBackoffMs: billingBackoffHours * 60 * 60 * 1e3,
+		billingMaxMs: billingMaxHours * 60 * 60 * 1e3,
+		failureWindowMs: failureWindowHours * 60 * 60 * 1e3
+	};
+}
+function calculateAuthProfileBillingDisableMsWithConfig(params) {
+	const normalized = Math.max(1, params.errorCount);
+	const baseMs = Math.max(6e4, params.baseMs);
+	const maxMs = Math.max(baseMs, params.maxMs);
+	const raw = baseMs * 2 ** Math.min(normalized - 1, 10);
+	return Math.min(maxMs, raw);
+}
 function resolveProfileUnusableUntilForDisplay(store, profileId) {
 	const stats = store.usageStats?.[profileId];
 	if (!stats) return null;
 	return resolveProfileUnusableUntil$1(stats);
 }
+function computeNextProfileUsageStats(params) {
+	const windowMs = params.cfgResolved.failureWindowMs;
+	const windowExpired = typeof params.existing.lastFailureAt === "number" && params.existing.lastFailureAt > 0 && params.now - params.existing.lastFailureAt > windowMs;
+	const nextErrorCount = (windowExpired ? 0 : params.existing.errorCount ?? 0) + 1;
+	const failureCounts = windowExpired ? {} : { ...params.existing.failureCounts };
+	failureCounts[params.reason] = (failureCounts[params.reason] ?? 0) + 1;
+	const updatedStats = {
+		...params.existing,
+		errorCount: nextErrorCount,
+		failureCounts,
+		lastFailureAt: params.now
+	};
+	if (params.reason === "billing") {
+		const backoffMs = calculateAuthProfileBillingDisableMsWithConfig({
+			errorCount: failureCounts.billing ?? 1,
+			baseMs: params.cfgResolved.billingBackoffMs,
+			maxMs: params.cfgResolved.billingMaxMs
+		});
+		updatedStats.disabledUntil = params.now + backoffMs;
+		updatedStats.disabledReason = "billing";
+	} else {
+		const backoffMs = calculateAuthProfileCooldownMs(nextErrorCount);
+		updatedStats.cooldownUntil = params.now + backoffMs;
+	}
+	return updatedStats;
+}
+/**
+* Mark a profile as failed for a specific reason. Billing failures are treated
+* as "disabled" (longer backoff) vs the regular cooldown window.
+*/
+async function markAuthProfileFailure(params) {
+	const { store, profileId, reason, agentDir, cfg } = params;
+	const updated = await updateAuthProfileStoreWithLock({
+		agentDir,
+		updater: (freshStore) => {
+			const profile = freshStore.profiles[profileId];
+			if (!profile) return false;
+			freshStore.usageStats = freshStore.usageStats ?? {};
+			const existing = freshStore.usageStats[profileId] ?? {};
+			const now = Date.now();
+			const cfgResolved = resolveAuthCooldownConfig({
+				cfg,
+				providerId: normalizeProviderId(profile.provider)
+			});
+			freshStore.usageStats[profileId] = computeNextProfileUsageStats({
+				existing,
+				now,
+				reason,
+				cfgResolved
+			});
+			return true;
+		}
+	});
+	if (updated) {
+		store.usageStats = updated.usageStats;
+		return;
+	}
+	if (!store.profiles[profileId]) return;
+	store.usageStats = store.usageStats ?? {};
+	const existing = store.usageStats[profileId] ?? {};
+	const now = Date.now();
+	const cfgResolved = resolveAuthCooldownConfig({
+		cfg,
+		providerId: normalizeProviderId(store.profiles[profileId]?.provider ?? "")
+	});
+	store.usageStats[profileId] = computeNextProfileUsageStats({
+		existing,
+		now,
+		reason,
+		cfgResolved
+	});
+	saveAuthProfileStore(store, agentDir);
+}
 
 //#endregion
 //#region src/agents/auth-profiles/order.ts
@@ -1115,4 +1266,4 @@ function orderProfilesByMode(order, store) {
 var auth_profiles_exports = /* @__PURE__ */ __exportAll({ ensureAuthProfileStore: () => ensureAuthProfileStore });
 
 //#endregion
-export { CODEX_CLI_PROFILE_ID as C, CLAUDE_CLI_PROFILE_ID as S, normalizeSecretInput as T, readCodexCliCredentialsCached as _, resolveApiKeyForProfile as a, saveJsonFile as b, upsertAuthProfile as c, saveAuthProfileStore as d, updateAuthProfileStoreWithLock as f, readClaudeCliCredentials as g, resolveAnimaAgentDir as h, resolveProfileUnusableUntilForDisplay as i, ensureAuthProfileStore as l, resolveAuthStorePathForDisplay as m, resolveAuthProfileOrder as n, repairOAuthProfileIdMismatch as o, resolveAuthStorePath as p, isProfileInCooldown as r, listProfilesForProvider as s, auth_profiles_exports as t, loadAuthProfileStore as u, readOpenClawCredentials as v, normalizeOptionalSecretInput as w, resolveAuthProfileDisplayLabel as x, loadJsonFile as y };
+export { saveJsonFile as C, normalizeOptionalSecretInput as D, CODEX_CLI_PROFILE_ID as E, normalizeSecretInput as O, loadJsonFile as S, CLAUDE_CLI_PROFILE_ID as T, resolveAuthStorePath as _, markAuthProfileUsed as a, readClaudeCliCredentials as b, repairOAuthProfileIdMismatch as c, setAuthProfileOrder as d, upsertAuthProfile as f, updateAuthProfileStoreWithLock as g, saveAuthProfileStore as h, markAuthProfileFailure as i, listProfilesForProvider as l, loadAuthProfileStore as m, resolveAuthProfileOrder as n, resolveProfileUnusableUntilForDisplay as o, ensureAuthProfileStore as p, isProfileInCooldown as r, resolveApiKeyForProfile as s, auth_profiles_exports as t, markAuthProfileGood as u, resolveAuthStorePathForDisplay as v, resolveAuthProfileDisplayLabel as w, readCodexCliCredentialsCached as x, resolveAnimaAgentDir as y };