@oh-my-pi/pi-ai 15.2.3 → 15.3.0

package/CHANGELOG.md

@@ -2,6 +2,23 @@
 
 ## [Unreleased]
 
+## [15.3.0] - 2026-05-25
+
+### Added
+
+- Added DeepSeek to the built-in API-key login provider catalog so `omp login deepseek` stores a reusable `DEEPSEEK_API_KEY` credential for the bundled DeepSeek models.
+
+## [15.2.4] - 2026-05-22
+
+### Fixed
+
+- Fixed ChatGPT Plus/Pro (Codex) OAuth login returning `Token exchange failed: 403` on Windows. When port 1455 was in use, the callback server silently fell back to a random port; OpenAI's authorization endpoint accepts any localhost redirect URI (loose validation), so the browser callback succeeds and shows "Authentication Successful", but the token endpoint rejects the non-registered port with 403. The `OpenAICodexOAuthFlow` now enforces a fixed `redirectUri` option so a busy port immediately surfaces as "port unavailable" instead of producing a confusing 403 ([#1277](https://github.com/can1357/oh-my-pi/issues/1277)).
+- Improved `exchangeCodeForToken` error diagnostics: the 403 response body (`error` / `error_description` fields) is now included in the thrown message, matching the existing `refreshOpenAICodexToken` behaviour.
+
+### Added
+
+- Added `ChatGPT Plus/Pro (Codex, headless/device)` (`openai-codex-device`) as an alternative login method for the Codex provider. Uses OpenAI's device-code flow (`/api/accounts/deviceauth/usercode` → poll `/api/accounts/deviceauth/token`), which avoids a local callback server and port 1455 entirely. Credentials are stored under the existing `openai-codex` provider key so all models and tooling continue to work without reconfiguration ([#1277](https://github.com/can1357/oh-my-pi/issues/1277)).
+
 ## [15.2.2] - 2026-05-22
 
 ### Fixed
@@ -57,6 +74,7 @@
 
 ### Fixed
 
+- Fixed OpenCode-Go and OpenCode-Zen chat-completions replay to omit stored reasoning fields on Kimi assistant tool-call messages, avoiding provider 400s for rejected `messages[].reasoning` payloads. ([#1157](https://github.com/can1357/oh-my-pi/issues/1157))
 - Fixed OpenAI Responses and Codex tool schema normalization to emit `properties: {}` for no-argument object schemas without rewriting literal payloads. ([#1147](https://github.com/can1357/oh-my-pi/issues/1147))
 - Fixed Anthropic 400 (`unexpected tool_use_id found in tool_result blocks ... Each tool_result block must have a corresponding tool_use block in the previous message`) when handoff/compaction folds an assistant `tool_use` into the handoff summary string but leaves the matching user-side `tool_result` message in the history. `transformMessages` now indexes every `tool_use` id surviving the first pass and drops orphan `tool_result` messages whose originator was compacted away, preserving the text payload as a user-level `<stale-tool-result>` note so the model still sees what the tool returned. The note is emitted with `role: "user"` rather than `role: "developer"` so providers that elevate developer-role messages (Ollama: `developer` → `system`; OpenAI chat-completions reasoning models: `developer` → `developer`) cannot lift stale tool output to an instruction-priority tier above the surrounding user/developer messages.
 - Fixed streaming authentication retry to trigger when a provider emits a 401 `error` event after a `start` event but before any replay-unsafe content is emitted

package/dist/types/provider-models/openai-compat.d.ts

@@ -165,7 +165,7 @@ export interface XiaomiModelManagerConfig {
     apiKey?: string;
     baseUrl?: string;
 }
-export declare function xiaomiModelManagerOptions(config?: XiaomiModelManagerConfig): ModelManagerOptions<"anthropic-messages">;
+export declare function xiaomiModelManagerOptions(config?: XiaomiModelManagerConfig): ModelManagerOptions<"openai-completions">;
 export interface LiteLLMModelManagerConfig {
     apiKey?: string;
     baseUrl?: string;

package/dist/types/providers/openai-completions.d.ts

@@ -18,7 +18,7 @@ export declare function isOpenAICompletionsProgressChunk(chunk: unknown): boolea
 export interface OpenAICompletionsOptions extends StreamOptions {
     toolChoice?: ToolChoice;
     reasoning?: "minimal" | "low" | "medium" | "high" | "xhigh";
-    /** Force-disable reasoning for OpenRouter-format requests (sends `reasoning: { enabled: false }`). */
+    /** Force-disable reasoning where supported, or request the lowest effort on generic effort endpoints. */
     disableReasoning?: boolean;
     serviceTier?: ServiceTier;
 }

package/dist/types/types.d.ts

@@ -242,9 +242,9 @@ export interface SimpleStreamOptions extends StreamOptions {
      * Force-disable reasoning for the request even when the model supports it.
      * Takes precedence over `reasoning`. Useful for fast utility calls
      * (e.g. title generation) where the model would otherwise burn the entire
-     * output budget on internal thinking. Currently honored by OpenRouter
-     * (sends `reasoning: { enabled: false }`); other providers already behave
-     * this way when `reasoning` is undefined.
+     * output budget on internal thinking. Provider support is format-specific:
+     * some transports can disable reasoning directly, while generic
+     * effort-based OpenAI-compatible endpoints use the lowest supported effort.
      */
     disableReasoning?: boolean;
     /**

package/dist/types/utils/oauth/deepseek.d.ts

@@ -0,0 +1 @@
+export declare const loginDeepSeek: (options: import("./types").OAuthController) => Promise<string>;

package/dist/types/utils/oauth/openai-codex.d.ts

@@ -8,6 +8,13 @@ export type OpenAICodexLoginOptions = OAuthController & {
     originator?: string;
 };
 export declare function loginOpenAICodex(options: OpenAICodexLoginOptions): Promise<OAuthCredentials>;
+/**
+ * Login with OpenAI Codex using the device-code (headless) flow.
+ *
+ * Avoids a local callback server entirely — useful when port 1455 is unavailable
+ * or when the browser callback flow fails with 403 (e.g. network/proxy issues).
+ */
+export declare function loginOpenAICodexDevice(ctrl: OAuthController): Promise<OAuthCredentials>;
 /**
  * Refresh OpenAI Codex OAuth token
  */

package/dist/types/utils/oauth/types.d.ts

@@ -7,7 +7,7 @@ export type OAuthCredentials = {
     email?: string;
     accountId?: string;
 };
-export type OAuthProvider = "alibaba-coding-plan" | "anthropic" | "cerebras" | "cloudflare-ai-gateway" | "cursor" | "fireworks" | "firepass" | "github-copilot" | "google-gemini-cli" | "google-antigravity" | "gitlab-duo" | "huggingface" | "kimi-code" | "kilo" | "kagi" | "litellm" | "lm-studio" | "minimax-code" | "minimax-code-cn" | "moonshot" | "nvidia" | "nanogpt" | "ollama" | "ollama-cloud" | "openai-codex" | "opencode-go" | "opencode-zen" | "parallel" | "perplexity" | "qianfan" | "qwen-portal" | "synthetic" | "tavily" | "together" | "venice" | "vercel-ai-gateway" | "vllm" | "xiaomi" | "zenmux" | "zai";
+export type OAuthProvider = "alibaba-coding-plan" | "anthropic" | "cerebras" | "cloudflare-ai-gateway" | "cursor" | "deepseek" | "fireworks" | "firepass" | "github-copilot" | "google-gemini-cli" | "google-antigravity" | "gitlab-duo" | "huggingface" | "kimi-code" | "kilo" | "kagi" | "litellm" | "lm-studio" | "minimax-code" | "minimax-code-cn" | "moonshot" | "nvidia" | "nanogpt" | "ollama" | "ollama-cloud" | "openai-codex" | "openai-codex-device" | "opencode-go" | "opencode-zen" | "parallel" | "perplexity" | "qianfan" | "qwen-portal" | "synthetic" | "tavily" | "together" | "venice" | "vercel-ai-gateway" | "vllm" | "xiaomi" | "zenmux" | "zai";
 export type OAuthProviderId = OAuthProvider | (string & {});
 export type OAuthPrompt = {
     message: string;

package/dist/types/utils/oauth/xiaomi.d.ts

@@ -1,8 +1,8 @@
 /**
  * Xiaomi MiMo login flow.
  *
- * Xiaomi MiMo provides Anthropic-compatible models via
- * https://api.xiaomimimo.com/anthropic.
+ * Xiaomi MiMo provides OpenAI-compatible models via
+ * https://api.xiaomimimo.com/v1.
  *
  * This is not OAuth - it's a simple API key flow:
  * 1. Open browser to Xiaomi MiMo API key console

package/package.json

@@ -1,7 +1,7 @@
 {
 	"type": "module",
 	"name": "@oh-my-pi/pi-ai",
-	"version": "15.2.3",
+	"version": "15.3.0",
 	"description": "Unified LLM API with automatic model discovery and provider configuration",
 	"homepage": "https://omp.sh",
 	"author": "Can Boluk",
@@ -43,7 +43,7 @@
 	"dependencies": {
 		"@anthropic-ai/sdk": "^0.94.0",
 		"@bufbuild/protobuf": "^2.12.0",
-		"@oh-my-pi/pi-utils": "15.2.3",
+		"@oh-my-pi/pi-utils": "15.3.0",
 		"openai": "^6.36.0",
 		"partial-json": "^0.1.7",
 		"zod": "4.4.3"

package/src/auth-storage.ts

@@ -29,6 +29,8 @@ import { kimiUsageProvider } from "./usage/kimi";
 import { codexRankingStrategy, openaiCodexUsageProvider } from "./usage/openai-codex";
 import { zaiUsageProvider } from "./usage/zai";
 import { getOAuthApiKey, getOAuthProvider, refreshOAuthToken } from "./utils/oauth";
+import { loginDeepSeek } from "./utils/oauth/deepseek";
+import { loginOpenAICodexDevice } from "./utils/oauth/openai-codex";
 import type { OAuthController, OAuthCredentials, OAuthProvider, OAuthProviderId } from "./utils/oauth/types";
 
 // ─────────────────────────────────────────────────────────────────────────────
@@ -1298,6 +1300,14 @@ export class AuthStorage {
 				});
 				break;
 			}
+			case "openai-codex-device": {
+				// Device/headless flow — stores credentials under "openai-codex" so the
+				// provider can pick them up without a separate provider configuration.
+				const deviceCredentials = await loginOpenAICodexDevice(ctrl);
+				const newCredential: OAuthCredential = { type: "oauth", ...deviceCredentials };
+				await this.#upsertOAuthCredential("openai-codex", newCredential);
+				return;
+			}
 			case "gitlab-duo": {
 				const { loginGitLabDuo } = await import("./utils/oauth/gitlab-duo");
 				credentials = await loginGitLabDuo({
@@ -1369,6 +1379,11 @@ export class AuthStorage {
 				await saveApiKeyCredential(apiKey);
 				return;
 			}
+			case "deepseek": {
+				const apiKey = await loginDeepSeek(ctrl);
+				await saveApiKeyCredential(apiKey);
+				return;
+			}
 			case "fireworks": {
 				const { loginFireworks } = await import("./utils/oauth/fireworks");
 				const apiKey = await loginFireworks(ctrl);

package/src/cli.ts

@@ -109,6 +109,7 @@ Providers:
   kagi              Kagi
   tavily            Tavily
   zai               Z.AI (GLM Coding Plan)
+  deepseek          DeepSeek
   nanogpt           NanoGPT
   minimax-code      MiniMax Coding Plan (International)
   minimax-code-cn   MiniMax Coding Plan (China)

package/src/models.json

@@ -52450,9 +52450,9 @@
 		"mimo-v2-flash": {
 			"id": "mimo-v2-flash",
 			"name": "MiMo-V2-Flash",
-			"api": "anthropic-messages",
+			"api": "openai-completions",
 			"provider": "xiaomi",
-			"baseUrl": "https://api.xiaomimimo.com/anthropic",
+			"baseUrl": "https://api.xiaomimimo.com/v1",
 			"reasoning": true,
 			"input": [
 				"text"
@@ -52474,9 +52474,9 @@
 		"mimo-v2-omni": {
 			"id": "mimo-v2-omni",
 			"name": "MiMo-V2-Omni",
-			"api": "anthropic-messages",
+			"api": "openai-completions",
 			"provider": "xiaomi",
-			"baseUrl": "https://api.xiaomimimo.com/anthropic",
+			"baseUrl": "https://api.xiaomimimo.com/v1",
 			"reasoning": true,
 			"input": [
 				"text",
@@ -52499,9 +52499,9 @@
 		"mimo-v2-pro": {
 			"id": "mimo-v2-pro",
 			"name": "MiMo-V2-Pro",
-			"api": "anthropic-messages",
+			"api": "openai-completions",
 			"provider": "xiaomi",
-			"baseUrl": "https://api.xiaomimimo.com/anthropic",
+			"baseUrl": "https://api.xiaomimimo.com/v1",
 			"reasoning": true,
 			"input": [
 				"text"
@@ -52523,9 +52523,9 @@
 		"mimo-v2.5": {
 			"id": "mimo-v2.5",
 			"name": "MiMo-V2.5",
-			"api": "anthropic-messages",
+			"api": "openai-completions",
 			"provider": "xiaomi",
-			"baseUrl": "https://api.xiaomimimo.com/anthropic",
+			"baseUrl": "https://api.xiaomimimo.com/v1",
 			"reasoning": true,
 			"input": [
 				"text",
@@ -52548,9 +52548,9 @@
 		"mimo-v2.5-pro": {
 			"id": "mimo-v2.5-pro",
 			"name": "MiMo-V2.5-Pro",
-			"api": "anthropic-messages",
+			"api": "openai-completions",
 			"provider": "xiaomi",
-			"baseUrl": "https://api.xiaomimimo.com/anthropic",
+			"baseUrl": "https://api.xiaomimimo.com/v1",
 			"reasoning": true,
 			"input": [
 				"text"

package/src/provider-models/openai-compat.ts

@@ -1408,28 +1408,26 @@ export interface XiaomiModelManagerConfig {
 
 export function xiaomiModelManagerOptions(
 	config?: XiaomiModelManagerConfig,
-): ModelManagerOptions<"anthropic-messages"> {
+): ModelManagerOptions<"openai-completions"> {
 	const apiKey = config?.apiKey;
 	// Xiaomi splits API keys across two backends: standard `sk-` keys hit
-	// api.xiaomimimo.com; "token plan" `tp-` keys hit the EU token-plan host.
-	// Both expose the same Anthropic-compat layout under /anthropic/v1/*.
-	const defaultBaseUrl = apiKey?.startsWith("tp-")
-		? "https://token-plan-ams.xiaomimimo.com/anthropic"
-		: "https://api.xiaomimimo.com/anthropic";
-	const baseUrl = normalizeAnthropicBaseUrl(config?.baseUrl, defaultBaseUrl);
-	// Xiaomi hosts chat completions under /anthropic/* but exposes model
-	// discovery at the OpenAI-style /v1/models endpoint on the root host.
-	const discoveryRoot = baseUrl.endsWith("/anthropic") ? baseUrl.slice(0, -"/anthropic".length) : baseUrl;
-	const discoveryBaseUrl = toAnthropicDiscoveryBaseUrl(discoveryRoot);
-	const references = createBundledReferenceMap<"anthropic-messages">("xiaomi");
+	// api.xiaomimimo.com; "token plan" `tp-` keys hit either the SG or EU
+	// token-plan host. Try SGP first; if discovery fails, retry AMS.
+	const TOKEN_PLAN_SGP_BASE_URL = "https://token-plan-sgp.xiaomimimo.com/v1";
+	const TOKEN_PLAN_AMS_BASE_URL = "https://token-plan-ams.xiaomimimo.com/v1";
+	const defaultBaseUrl = apiKey?.startsWith("tp-") ? TOKEN_PLAN_SGP_BASE_URL : "https://api.xiaomimimo.com/v1";
+	// Token-plan keys always use the TP baseUrl; config?.baseUrl (from catalog)
+	// would incorrectly pin to the standard endpoint (api.xiaomimimo.com).
+	const baseUrl = apiKey?.startsWith("tp-") ? defaultBaseUrl : (config?.baseUrl ?? defaultBaseUrl);
+	const references = createBundledReferenceMap<"openai-completions">("xiaomi");
 	return {
 		providerId: "xiaomi",
 		...(apiKey && {
-			fetchDynamicModels: () =>
-				fetchOpenAICompatibleModels({
-					api: "anthropic-messages",
+			fetchDynamicModels: async () => {
+				const sgpResult = await fetchOpenAICompatibleModels({
+					api: "openai-completions",
 					provider: "xiaomi",
-					baseUrl: discoveryBaseUrl,
+					baseUrl,
 					apiKey,
 					filterModel: (_entry, model) => !model.id.includes("-tts"),
 					mapModel: (entry, defaults) => {
@@ -1438,10 +1436,29 @@ export function xiaomiModelManagerOptions(
 						return {
 							...model,
 							name: toModelName(entry.display_name, model.name),
-							baseUrl,
 						};
 					},
-				}),
+				});
+				if (sgpResult || !apiKey?.startsWith("tp-")) {
+					return sgpResult;
+				}
+				// Token-plan discovery failed with SGP; retry with AMS
+				return fetchOpenAICompatibleModels({
+					api: "openai-completions",
+					provider: "xiaomi",
+					baseUrl: TOKEN_PLAN_AMS_BASE_URL,
+					apiKey,
+					filterModel: (_entry, model) => !model.id.includes("-tts"),
+					mapModel: (entry, defaults) => {
+						const reference = references.get(defaults.id);
+						const model = mapWithBundledReference(entry, defaults, reference);
+						return {
+							...model,
+							name: toModelName(entry.display_name, model.name),
+						};
+					},
+				});
+			},
 		}),
 	};
 }

package/src/providers/openai-completions-compat.ts

@@ -171,7 +171,13 @@ export function detectOpenAICompat(model: Model<"openai-completions">, resolvedB
 						high: "high",
 						xhigh: "max",
 					} satisfies Partial<Record<OpenAIReasoningEffort, string>>)
-				: {};
+				: isFireworks
+					? ({
+							// Fireworks' OpenAI-compatible endpoint rejects OpenAI's
+							// `minimal` literal but accepts `none` for the lowest setting.
+							minimal: "none",
+						} satisfies Partial<Record<OpenAIReasoningEffort, string>>)
+					: {};
 
 	return {
 		supportsStore: !isNonStandard,

package/src/providers/openai-completions.ts

@@ -10,7 +10,7 @@ import type {
 	ChatCompletionToolMessageParam,
 } from "openai/resources/chat/completions";
 import packageJson from "../../package.json" with { type: "json" };
-import type { Effort } from "../model-thinking";
+import { type Effort, getSupportedEfforts } from "../model-thinking";
 import { calculateCost } from "../models";
 import { getEnvApiKey } from "../stream";
 import {
@@ -219,7 +219,7 @@ export function isOpenAICompletionsProgressChunk(chunk: unknown): boolean {
 export interface OpenAICompletionsOptions extends StreamOptions {
 	toolChoice?: ToolChoice;
 	reasoning?: "minimal" | "low" | "medium" | "high" | "xhigh";
-	/** Force-disable reasoning for OpenRouter-format requests (sends `reasoning: { enabled: false }`). */
+	/** Force-disable reasoning where supported, or request the lowest effort on generic effort endpoints. */
 	disableReasoning?: boolean;
 	serviceTier?: ServiceTier;
 }
@@ -1177,6 +1177,21 @@ function buildParams(
 	) {
 		// OpenAI-style reasoning_effort
 		params.reasoning_effort = mapReasoningEffort(options.reasoning, compat.reasoningEffortMap) as Effort;
+	} else if (
+		supportsReasoningParams &&
+		options?.disableReasoning &&
+		!options?.reasoning &&
+		model.reasoning &&
+		compat.supportsReasoningEffort
+	) {
+		// Generic OpenAI-compatible effort endpoints do not expose a true off
+		// switch. Use the model's lowest supported effort as the closest
+		// transport-level approximation when callers request disabled reasoning.
+		const minEffort = getSupportedEfforts(model)[0];
+		if (minEffort === undefined) {
+			throw new Error(`Model ${model.provider}/${model.id} has no supported reasoning efforts`);
+		}
+		params.reasoning_effort = mapReasoningEffort(minEffort, compat.reasoningEffortMap) as Effort;
 	}
 
 	if (compat.disableReasoningOnToolChoice && params.tool_choice !== undefined) {
@@ -1484,7 +1499,7 @@ export function convertMessages(
 					} else {
 						assistantMsg.content = [{ type: "text", text: thinkingText }];
 					}
-				} else {
+				} else if (compat.requiresReasoningContentForToolCalls) {
 					// Use the signature from the first thinking block if available, but only for
 					// recognized OpenAI-compat reasoning field names. Opaque signatures from other
 					// providers (Anthropic encrypted, OpenAI Responses JSON) are not valid property names.
@@ -1496,7 +1511,7 @@ export function convertMessages(
 				}
 			}
 
-			if (compat.thinkingFormat === "openai") {
+			if (compat.thinkingFormat === "openai" && compat.requiresReasoningContentForToolCalls) {
 				const streamedReasoningField = nonEmptyThinkingBlocks[0]?.thinkingSignature;
 				const reasoningField =
 					streamedReasoningField === "reasoning_content" ||

package/src/providers/openai-responses.ts

@@ -391,10 +391,24 @@ function buildParams(
 	const messages: ResponseInput = [...conversationMessages];
 
 	const systemPrompts = normalizeSystemPrompts(context.systemPrompt);
+	let systemInstructions: string | undefined;
 	if (systemPrompts.length > 0) {
-		const role: "developer" | "system" =
-			model.reasoning && supportsDeveloperRole(resolvedBaseUrl ?? model) ? "developer" : "system";
-		messages.unshift(...systemPrompts.map(systemPrompt => ({ role, content: systemPrompt })));
+		const needsDeveloperRole = model.reasoning && supportsDeveloperRole(resolvedBaseUrl ?? model);
+		if (needsDeveloperRole) {
+			// Reasoning models on known OpenAI-compatible endpoints require the
+			// `developer` role. Send all system prompts inline in `input`.
+			messages.unshift(
+				...systemPrompts.map(systemPrompt => ({ role: "developer" as const, content: systemPrompt })),
+			);
+		} else {
+			// All other endpoints (including third-party /v1/responses proxies) use
+			// the canonical top-level `instructions` field so that proxies that
+			// reject `input[{role:"system"}]` work out of the box.
+			systemInstructions = systemPrompts[0];
+			if (systemPrompts.length > 1) {
+				messages.unshift(...systemPrompts.slice(1).map(p => ({ role: "system" as const, content: p })));
+			}
+		}
 	}
 
 	const cacheRetention = resolveCacheRetention(options?.cacheRetention);
@@ -402,6 +416,7 @@ function buildParams(
 	const params: OpenAIResponsesSamplingParams = {
 		model: model.id,
 		input: messages,
+		instructions: systemInstructions,
 		stream: true,
 		prompt_cache_key: promptCacheKey,
 		prompt_cache_retention: promptCacheKey ? getPromptCacheRetention(model.baseUrl, cacheRetention) : undefined,

package/src/types.ts

@@ -375,9 +375,9 @@ export interface SimpleStreamOptions extends StreamOptions {
 	 * Force-disable reasoning for the request even when the model supports it.
 	 * Takes precedence over `reasoning`. Useful for fast utility calls
 	 * (e.g. title generation) where the model would otherwise burn the entire
-	 * output budget on internal thinking. Currently honored by OpenRouter
-	 * (sends `reasoning: { enabled: false }`); other providers already behave
-	 * this way when `reasoning` is undefined.
+	 * output budget on internal thinking. Provider support is format-specific:
+	 * some transports can disable reasoning directly, while generic
+	 * effort-based OpenAI-compatible endpoints use the lowest supported effort.
 	 */
 	disableReasoning?: boolean;
 	/**

package/src/utils/oauth/deepseek.ts

@@ -0,0 +1,16 @@
+/** DeepSeek login flow (API key paste against https://api.deepseek.com). */
+import { createApiKeyLogin } from "./api-key-login";
+
+export const loginDeepSeek = createApiKeyLogin({
+	providerLabel: "DeepSeek",
+	authUrl: "https://platform.deepseek.com/api_keys",
+	instructions: "Create or copy your API key from the DeepSeek dashboard",
+	promptMessage: "Paste your DeepSeek API key",
+	placeholder: "sk-...",
+	validation: {
+		kind: "chat-completions",
+		provider: "deepseek",
+		baseUrl: "https://api.deepseek.com/v1",
+		model: "deepseek-v4-pro",
+	},
+});

package/src/utils/oauth/index.ts

@@ -25,6 +25,11 @@ const builtInOAuthProviders: OAuthProviderInfo[] = [
 		name: "ChatGPT Plus/Pro (Codex Subscription)",
 		available: true,
 	},
+	{
+		id: "openai-codex-device",
+		name: "ChatGPT Plus/Pro (Codex, headless/device)",
+		available: true,
+	},
 	{
 		id: "gitlab-duo",
 		name: "GitLab Duo",
@@ -50,6 +55,11 @@ const builtInOAuthProviders: OAuthProviderInfo[] = [
 		name: "Cerebras",
 		available: true,
 	},
+	{
+		id: "deepseek",
+		name: "DeepSeek",
+		available: true,
+	},
 	{
 		id: "fireworks",
 		name: "Fireworks",
@@ -279,7 +289,8 @@ export async function refreshOAuthToken(
 			newCredentials = await refreshAntigravityToken(credentials.refresh, credentials.projectId);
 			break;
 		}
-		case "openai-codex": {
+		case "openai-codex":
+		case "openai-codex-device": {
 			const { refreshOpenAICodexToken } = await import("./openai-codex");
 			newCredentials = await refreshOpenAICodexToken(credentials.refresh);
 			break;

package/src/utils/oauth/openai-codex.ts

@@ -1,7 +1,7 @@
 /**
- * OpenAI Codex (ChatGPT OAuth) flow
+ * OpenAI Codex (ChatGPT OAuth) flow — browser and device-code flows.
  */
-import { OAuthCallbackFlow } from "./callback-server";
+import { OAuthCallbackFlow, type OAuthCallbackFlowOptions } from "./callback-server";
 import { generatePKCE } from "./pkce";
 import type { OAuthController, OAuthCredentials } from "./types";
 
@@ -14,6 +14,14 @@ const SCOPE = "openid profile email offline_access";
 const JWT_CLAIM_PATH = "https://api.openai.com/auth";
 const JWT_PROFILE_CLAIM = "https://api.openai.com/profile";
 const TOKEN_REQUEST_TIMEOUT_MS = 15_000;
+const DEVICE_USERCODE_URL = "https://auth.openai.com/api/accounts/deviceauth/usercode";
+const DEVICE_TOKEN_URL = "https://auth.openai.com/api/accounts/deviceauth/token";
+const DEVICE_REDIRECT_URI = "https://auth.openai.com/deviceauth/callback";
+const DEVICE_AUTH_URL = "https://auth.openai.com/codex/device";
+const DEVICE_POLL_INTERVAL_MS = 5_000;
+const DEVICE_POLL_SAFETY_MARGIN_MS = 3_000;
+/** Upper bound on device-code polling to avoid infinite loops on server errors. */
+const DEVICE_MAX_POLLS = 120;
 
 type JwtPayload = {
 	[JWT_CLAIM_PATH]?: {
@@ -59,7 +67,15 @@ class OpenAICodexOAuthFlow extends OAuthCallbackFlow {
 		private readonly pkce: PKCE,
 		private readonly originator: string,
 	) {
-		super(ctrl, CALLBACK_PORT, CALLBACK_PATH);
+		super(ctrl, {
+			preferredPort: CALLBACK_PORT,
+			callbackPath: CALLBACK_PATH,
+			// Enforce the fixed port: OpenAI only allows http://localhost:1455/auth/callback.
+			// Without this, a busy port 1455 falls back to a random port, and the token
+			// exchange would fail with 403 because the redirect_uri no longer matches the
+			// registered allowlist entry.
+			redirectUri: `http://localhost:${CALLBACK_PORT}${CALLBACK_PATH}`,
+		} satisfies OAuthCallbackFlowOptions);
 	}
 
 	async generateAuthUrl(state: string, redirectUri: string): Promise<{ url: string; instructions?: string }> {
@@ -100,7 +116,13 @@ async function exchangeCodeForToken(code: string, verifier: string, redirectUri:
 	});
 
 	if (!tokenResponse.ok) {
-		throw new Error(`Token exchange failed: ${tokenResponse.status}`);
+		let detail = `${tokenResponse.status}`;
+		try {
+			const body = (await tokenResponse.json()) as { error?: string; error_description?: string };
+			if (body.error)
+				detail = `${tokenResponse.status} ${body.error}${body.error_description ? `: ${body.error_description}` : ""}`;
+		} catch {}
+		throw new Error(`Token exchange failed: ${detail}`);
 	}
 
 	const tokenData = (await tokenResponse.json()) as {
@@ -143,6 +165,93 @@ export async function loginOpenAICodex(options: OpenAICodexLoginOptions): Promis
 	return flow.login();
 }
 
+/**
+ * Login with OpenAI Codex using the device-code (headless) flow.
+ *
+ * Avoids a local callback server entirely — useful when port 1455 is unavailable
+ * or when the browser callback flow fails with 403 (e.g. network/proxy issues).
+ */
+export async function loginOpenAICodexDevice(ctrl: OAuthController): Promise<OAuthCredentials> {
+	ctrl.onProgress?.("Initiating device authorization…");
+
+	const initResponse = await fetch(DEVICE_USERCODE_URL, {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify({ client_id: CLIENT_ID }),
+		signal: AbortSignal.timeout(TOKEN_REQUEST_TIMEOUT_MS),
+	});
+
+	if (!initResponse.ok) {
+		throw new Error(`Device authorization initiation failed: ${initResponse.status}`);
+	}
+
+	const initData = (await initResponse.json()) as {
+		device_auth_id?: string;
+		user_code?: string;
+		interval?: string | number;
+	};
+
+	if (!initData.device_auth_id || !initData.user_code) {
+		throw new Error("Device authorization response missing required fields");
+	}
+
+	const userCode = initData.user_code;
+	const pollIntervalMs =
+		(typeof initData.interval === "number"
+			? initData.interval
+			: parseInt(String(initData.interval ?? "5"), 10) || 5) *
+			1000 +
+		DEVICE_POLL_SAFETY_MARGIN_MS;
+
+	ctrl.onAuth?.({
+		url: DEVICE_AUTH_URL,
+		instructions: `Enter code: ${userCode}`,
+	});
+
+	ctrl.onProgress?.(`Waiting for browser authorization (code: ${userCode})…`);
+
+	for (let poll = 0; poll < DEVICE_MAX_POLLS; poll++) {
+		await Bun.sleep(poll === 0 ? Math.min(pollIntervalMs, DEVICE_POLL_INTERVAL_MS) : pollIntervalMs);
+
+		if (ctrl.signal?.aborted) {
+			throw new Error("Device authorization cancelled");
+		}
+
+		const pollResponse = await fetch(DEVICE_TOKEN_URL, {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({
+				device_auth_id: initData.device_auth_id,
+				user_code: userCode,
+			}),
+			signal: AbortSignal.timeout(TOKEN_REQUEST_TIMEOUT_MS),
+		});
+
+		// 403/404 = authorization pending, keep polling
+		if (pollResponse.status === 403 || pollResponse.status === 404) {
+			continue;
+		}
+
+		if (!pollResponse.ok) {
+			throw new Error(`Device token polling failed: ${pollResponse.status}`);
+		}
+
+		const pollData = (await pollResponse.json()) as {
+			authorization_code?: string;
+			code_verifier?: string;
+		};
+
+		if (!pollData.authorization_code || !pollData.code_verifier) {
+			throw new Error("Device token response missing authorization_code or code_verifier");
+		}
+
+		ctrl.onProgress?.("Exchanging authorization code for tokens…");
+		return exchangeCodeForToken(pollData.authorization_code, pollData.code_verifier, DEVICE_REDIRECT_URI);
+	}
+
+	throw new Error("Device authorization timed out — user did not complete login in time");
+}
+
 /**
  * Refresh OpenAI Codex OAuth token
  */

package/src/utils/oauth/types.ts

@@ -14,6 +14,7 @@ export type OAuthProvider =
 	| "cerebras"
 	| "cloudflare-ai-gateway"
 	| "cursor"
+	| "deepseek"
 	| "fireworks"
 	| "firepass"
 	| "github-copilot"
@@ -34,6 +35,7 @@ export type OAuthProvider =
 	| "ollama"
 	| "ollama-cloud"
 	| "openai-codex"
+	| "openai-codex-device"
 	| "opencode-go"
 	| "opencode-zen"
 	| "parallel"

package/src/utils/oauth/xiaomi.ts

@@ -1,8 +1,8 @@
 /**
  * Xiaomi MiMo login flow.
  *
- * Xiaomi MiMo provides Anthropic-compatible models via
- * https://api.xiaomimimo.com/anthropic.
+ * Xiaomi MiMo provides OpenAI-compatible models via
+ * https://api.xiaomimimo.com/v1.
  *
  * This is not OAuth - it's a simple API key flow:
  * 1. Open browser to Xiaomi MiMo API key console
@@ -15,8 +15,9 @@ import type { OAuthController } from "./types";
 const PROVIDER_ID = "xiaomi";
 const PROVIDER_NAME = "Xiaomi MiMo";
 const STANDARD_AUTH_URL = "https://platform.xiaomimimo.com/#/console/api-keys";
-const STANDARD_API_BASE_URL = "https://api.xiaomimimo.com/anthropic";
-const TOKEN_PLAN_API_BASE_URL = "https://token-plan-ams.xiaomimimo.com/anthropic";
+const STANDARD_API_BASE_URL = "https://api.xiaomimimo.com/v1";
+const TOKEN_PLAN_SGP_API_BASE_URL = "https://token-plan-sgp.xiaomimimo.com/v1";
+const TOKEN_PLAN_AMS_API_BASE_URL = "https://token-plan-ams.xiaomimimo.com/v1";
 const TOKEN_PLAN_KEY_PREFIX = "tp-";
 const STANDARD_VALIDATION_MODEL = "mimo-v2-flash";
 const TOKEN_PLAN_VALIDATION_MODEL = "mimo-v2.5";
@@ -25,50 +26,81 @@ function isTokenPlanKey(apiKey: string): boolean {
 	return apiKey.startsWith(TOKEN_PLAN_KEY_PREFIX);
 }
 
-function resolveEndpoint(apiKey: string): { baseUrl: string; model: string } {
-	if (isTokenPlanKey(apiKey)) {
-		return { baseUrl: TOKEN_PLAN_API_BASE_URL, model: TOKEN_PLAN_VALIDATION_MODEL };
-	}
-	return { baseUrl: STANDARD_API_BASE_URL, model: STANDARD_VALIDATION_MODEL };
-}
-const ANTHROPIC_VERSION = "2023-06-01";
 const VALIDATION_TIMEOUT_MS = 15_000;
 
 async function validateXiaomiApiKey(apiKey: string, signal?: AbortSignal): Promise<void> {
 	const timeoutSignal = AbortSignal.timeout(VALIDATION_TIMEOUT_MS);
 	const requestSignal = signal ? AbortSignal.any([signal, timeoutSignal]) : timeoutSignal;
-	const { baseUrl, model } = resolveEndpoint(apiKey);
 
-	const response = await fetch(`${baseUrl}/v1/messages`, {
-		method: "POST",
-		headers: {
-			"Content-Type": "application/json",
-			"x-api-key": apiKey,
-			"anthropic-version": ANTHROPIC_VERSION,
-		},
-		body: JSON.stringify({
-			model,
-			max_tokens: 1,
-			messages: [{ role: "user", content: "ping" }],
-		}),
-		signal: requestSignal,
-	});
+	// For token-plan keys try SGP first, then AMS as fallback.
+	// Standard sk- keys only hit the one endpoint.
+	const endpoints = isTokenPlanKey(apiKey)
+		? [
+				{ baseUrl: TOKEN_PLAN_SGP_API_BASE_URL, model: TOKEN_PLAN_VALIDATION_MODEL },
+				{ baseUrl: TOKEN_PLAN_AMS_API_BASE_URL, model: TOKEN_PLAN_VALIDATION_MODEL },
+			]
+		: [{ baseUrl: STANDARD_API_BASE_URL, model: STANDARD_VALIDATION_MODEL }];
 
-	if (response.ok) {
-		return;
-	}
+	let lastError: Error | null = null;
 
-	let details = "";
-	try {
-		details = (await response.text()).trim();
-	} catch {
-		// ignore body parse errors, status is enough
-	}
+	for (const ep of endpoints) {
+		try {
+			const response = await fetch(`${ep.baseUrl}/chat/completions`, {
+				method: "POST",
+				headers: {
+					"Content-Type": "application/json",
+					"x-api-key": apiKey,
+				},
+				body: JSON.stringify({
+					model: ep.model,
+					max_tokens: 1,
+					messages: [{ role: "user", content: "ping" }],
+				}),
+				signal: requestSignal,
+			});
+
+			if (response.ok) {
+				return;
+			}
 
-	const message = details
-		? `${PROVIDER_NAME} API key validation failed (${response.status}): ${details}`
-		: `${PROVIDER_NAME} API key validation failed (${response.status})`;
-	throw new Error(message);
+			// 401 means this endpoint didn't accept the key; try the next one
+			if (response.status === 401) {
+				let details = "";
+				try {
+					details = (await response.text()).trim();
+				} catch {
+					// ignore body parse errors, status is enough
+				}
+				lastError = new Error(
+					details
+						? `${PROVIDER_NAME} API key validation failed (${response.status}): ${details}`
+						: `${PROVIDER_NAME} API key validation failed (${response.status})`,
+				);
+				continue;
+			}
+
+			// Non-auth errors are real failures
+			let details = "";
+			try {
+				details = (await response.text()).trim();
+			} catch {
+				// ignore body parse errors, status is enough
+			}
+			const message = details
+				? `${PROVIDER_NAME} API key validation failed (${response.status}): ${details}`
+				: `${PROVIDER_NAME} API key validation failed (${response.status})`;
+			throw new Error(message);
+		} catch (e) {
+			// Only re-throw AbortError when the caller explicitly cancelled.
+			// Timeout aborts (from AbortSignal.timeout) should fall through to
+			// the next endpoint so SGP→AMS fallback works during regional outages.
+			if (e instanceof DOMException && e.name === "AbortError" && signal?.aborted) {
+				throw e;
+			}
+			lastError = e instanceof Error ? e : new Error(String(e));
+		}
+	}
+	throw lastError ?? new Error(`${PROVIDER_NAME} API key validation failed`);
 }
 
 /**