npm - @oh-my-pi/pi-ai - Versions diffs - 6.8.0 → 6.8.2 - Mend

@oh-my-pi/pi-ai 6.8.0 → 6.8.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/package.json +2 -2
package/src/cli.ts +12 -0
package/src/providers/google-gemini-cli.ts +6 -1
package/src/providers/openai-codex-responses.ts +3 -2
package/src/storage.ts +9 -3
package/src/utils/oauth/anthropic.ts +6 -1
package/src/utils/oauth/callback-server.ts +22 -13
package/src/utils/oauth/cursor.ts +6 -2
package/src/utils/oauth/github-copilot.ts +15 -3
package/src/utils/oauth/openai-codex.ts +54 -108

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "@oh-my-pi/pi-ai",
-	"version": "6.8.0",
+	"version": "6.8.2",
 	"description": "Unified LLM API with automatic model discovery and provider configuration",
 	"type": "module",
 	"main": "./src/index.ts",
@@ -17,7 +17,7 @@
 		"test": "bun test"
 	},
 	"dependencies": {
-		"@oh-my-pi/pi-utils": "6.8.0",
+		"@oh-my-pi/pi-utils": "6.8.2",
 		"@anthropic-ai/sdk": "0.71.2",
 		"@aws-sdk/client-bedrock-runtime": "^3.968.0",
 		"@bufbuild/protobuf": "^2.10.2",

package/src/cli.ts CHANGED Viewed

@@ -3,6 +3,7 @@ import { createInterface } from "readline";
 import { CliAuthStorage } from "./storage";
 import "./utils/migrate-env";
 import { loginAnthropic } from "./utils/oauth/anthropic";
+import { loginCursor } from "./utils/oauth/cursor";
 import { loginGitHubCopilot } from "./utils/oauth/github-copilot";
 import { loginAntigravity } from "./utils/oauth/google-antigravity";
 import { loginGeminiCli } from "./utils/oauth/google-gemini-cli";
@@ -88,6 +89,17 @@ async function login(provider: OAuthProvider): Promise<void> {
 				});
 				break;
+			case "cursor":
+				credentials = await loginCursor(
+					(url) => {
+						console.log(`\nOpen this URL in your browser:\n${url}\n`);
+					},
+					() => {
+						console.log("Waiting for browser authentication...");
+					},
+				);
+				break;
 			default:
 				throw new Error(`Unknown provider: ${provider}`);
 		}

package/src/providers/google-gemini-cli.ts CHANGED Viewed

@@ -753,7 +753,12 @@ export const streamGoogleGeminiCli: StreamFunction<"google-gemini-cli"> = (
 				if (emptyAttempt > 0) {
 					const backoffMs = EMPTY_STREAM_BASE_DELAY_MS * 2 ** (emptyAttempt - 1);
-					await abortableSleep(backoffMs, options?.signal);
+					try {
+						await abortableSleep(backoffMs, options?.signal);
+					} catch {
+						// Normalize AbortError to expected message for consistent error handling
+						throw new Error("Request was aborted");
+					}
 					if (!requestUrl) {
 						throw new Error("Missing request URL");

package/src/providers/openai-codex-responses.ts CHANGED Viewed

@@ -1,4 +1,5 @@
 import os from "node:os";
+import { abortableSleep } from "@oh-my-pi/pi-utils";
 import type {
 	ResponseFunctionToolCall,
 	ResponseInput,
@@ -440,13 +441,13 @@ async function fetchWithRetry(url: string, init: RequestInit, signal?: AbortSign
 			}
 			if (signal?.aborted) return response;
 			const delay = getRetryDelayMs(response, attempt);
-			await Bun.sleep(delay);
+			await abortableSleep(delay, signal);
 		} catch (error) {
 			if (attempt >= CODEX_MAX_RETRIES || signal?.aborted) {
 				throw error;
 			}
 			const delay = CODEX_RETRY_DELAY_MS * (attempt + 1);
-			await Bun.sleep(delay);
+			await abortableSleep(delay, signal);
 		}
 		attempt += 1;
 	}

package/src/storage.ts CHANGED Viewed

@@ -4,7 +4,7 @@
  */
 import { Database } from "bun:sqlite";
-import { existsSync, mkdirSync } from "node:fs";
+import { chmodSync, existsSync, mkdirSync } from "node:fs";
 import { homedir } from "node:os";
 import { dirname, join } from "node:path";
 import type { OAuthCredentials } from "./utils/oauth/types";
@@ -88,13 +88,19 @@ export class CliAuthStorage {
 	private deleteByProviderStmt: ReturnType<Database["prepare"]>;
 	constructor(dbPath: string = getAgentDbPath()) {
-		// Ensure directory exists
+		// Ensure directory exists with secure permissions
 		const dir = dirname(dbPath);
 		if (!existsSync(dir)) {
-			mkdirSync(dir, { recursive: true });
+			mkdirSync(dir, { recursive: true, mode: 0o700 });
 		}
 		this.db = new Database(dbPath);
+		// Harden database file permissions to prevent credential leakage
+		try {
+			chmodSync(dbPath, 0o600);
+		} catch {
+			// Ignore chmod failures (e.g., Windows)
+		}
 		this.initializeSchema();
 		this.insertStmt = this.db.prepare(

package/src/utils/oauth/anthropic.ts CHANGED Viewed

@@ -63,7 +63,12 @@ class AnthropicOAuthFlow extends OAuthCallbackFlow {
 		});
 		if (!tokenResponse.ok) {
-			const error = await tokenResponse.text();
+			let error: string;
+			try {
+				error = await tokenResponse.text();
+			} catch {
+				error = `HTTP ${tokenResponse.status}`;
+			}
 			throw new Error(`Token exchange failed: ${error}`);
 		}

package/src/utils/oauth/callback-server.ts CHANGED Viewed

@@ -158,12 +158,14 @@ export abstract class OAuthCallbackFlow {
 			resultState = { ok: true, code, state };
 		}
-		// Signal to waitForCallback
+		// Signal to waitForCallback - capture refs before they could be cleared
+		const resolve = this.callbackResolve;
+		const reject = this.callbackReject;
 		queueMicrotask(() => {
 			if (resultState.ok) {
-				this.callbackResolve?.({ code: resultState.code, state: resultState.state });
+				resolve?.({ code: resultState.code, state: resultState.state });
 			} else {
-				this.callbackReject?.(resultState.error ?? "Unknown error");
+				reject?.(resultState.error ?? "Unknown error");
 			}
 		});
@@ -195,17 +197,24 @@ export abstract class OAuthCallbackFlow {
 		});
 		// Manual input race (if supported)
+		// Errors from manual input should not abort the flow - only successful input wins the race
 		if (this.ctrl.onManualCodeInput) {
-			const manualPromise = this.ctrl.onManualCodeInput().then((input): CallbackResult => {
-				const parsed = parseCallbackInput(input);
-				if (!parsed.code) {
-					throw new Error("No authorization code found in input");
-				}
-				if (expectedState && parsed.state && parsed.state !== expectedState) {
-					throw new Error("State mismatch - possible CSRF attack");
-				}
-				return { code: parsed.code, state: parsed.state ?? "" };
-			});
+			const manualPromise = this.ctrl
+				.onManualCodeInput()
+				.then((input): CallbackResult => {
+					const parsed = parseCallbackInput(input);
+					if (!parsed.code) {
+						throw new Error("No authorization code found in input");
+					}
+					if (expectedState && parsed.state && parsed.state !== expectedState) {
+						throw new Error("State mismatch - possible CSRF attack");
+					}
+					return { code: parsed.code, state: parsed.state ?? "" };
+				})
+				.catch((): Promise<CallbackResult> => {
+					// On manual input error, wait forever - let callback or abort signal win
+					return new Promise(() => {});
+				});
 			return Promise.race([callbackPromise, manualPromise]);
 		}

package/src/utils/oauth/cursor.ts CHANGED Viewed

@@ -126,12 +126,16 @@ export async function refreshCursorToken(apiKeyOrRefreshToken: string): Promise<
 function getTokenExpiry(token: string): number {
 	try {
-		const [, payload] = token.split(".");
+		const parts = token.split(".");
+		if (parts.length !== 3) {
+			return Date.now() + 3600 * 1000;
+		}
+		const payload = parts[1];
 		if (!payload) {
 			return Date.now() + 3600 * 1000;
 		}
 		const decoded = JSON.parse(atob(payload.replace(/-/g, "+").replace(/_/g, "/")));
-		if (decoded.exp) {
+		if (decoded && typeof decoded === "object" && typeof decoded.exp === "number") {
 			return decoded.exp * 1000 - 5 * 60 * 1000;
 		}
 	} catch {

package/src/utils/oauth/github-copilot.ts CHANGED Viewed

@@ -174,20 +174,32 @@ async function pollForGitHubAccessToken(
 		if (raw && typeof raw === "object" && typeof (raw as DeviceTokenErrorResponse).error === "string") {
 			const err = (raw as DeviceTokenErrorResponse).error;
 			if (err === "authorization_pending") {
-				await abortableSleep(intervalMs, signal);
+				try {
+					await abortableSleep(intervalMs, signal);
+				} catch {
+					throw new Error("Login cancelled");
+				}
 				continue;
 			}
 			if (err === "slow_down") {
 				intervalMs += 5000;
-				await abortableSleep(intervalMs, signal);
+				try {
+					await abortableSleep(intervalMs, signal);
+				} catch {
+					throw new Error("Login cancelled");
+				}
 				continue;
 			}
 			throw new Error(`Device flow failed: ${err}`);
 		}
-		await abortableSleep(intervalMs, signal);
+		try {
+			await abortableSleep(intervalMs, signal);
+		} catch {
+			throw new Error("Login cancelled");
+		}
 	}
 	throw new Error("Device flow timed out");

package/src/utils/oauth/openai-codex.ts CHANGED Viewed

@@ -2,7 +2,7 @@
  * OpenAI Codex (ChatGPT OAuth) flow
  */
-import { OAuthCallbackFlow, parseCallbackInput } from "./callback-server";
+import { OAuthCallbackFlow } from "./callback-server";
 import { generatePKCE } from "./pkce";
 import type { OAuthController, OAuthCredentials } from "./types";
@@ -40,11 +40,16 @@ function getAccountId(accessToken: string): string | null {
 	return typeof accountId === "string" && accountId.length > 0 ? accountId : null;
 }
-class OpenAICodexOAuthFlow extends OAuthCallbackFlow {
-	private verifier: string = "";
-	private challenge: string = "";
+interface PKCE {
+	verifier: string;
+	challenge: string;
+}
-	constructor(ctrl: OAuthController) {
+class OpenAICodexOAuthFlow extends OAuthCallbackFlow {
+	constructor(
+		ctrl: OAuthController,
+		private readonly pkce: PKCE,
+	) {
 		super(ctrl, CALLBACK_PORT, CALLBACK_PATH);
 	}
@@ -52,16 +57,12 @@ class OpenAICodexOAuthFlow extends OAuthCallbackFlow {
 		state: string,
 		redirectUri: string,
 	): Promise<{ url: string; instructions?: string }> {
-		const pkce = await generatePKCE();
-		this.verifier = pkce.verifier;
-		this.challenge = pkce.challenge;
 		const searchParams = new URLSearchParams({
 			response_type: "code",
 			client_id: CLIENT_ID,
 			redirect_uri: redirectUri,
 			scope: SCOPE,
-			code_challenge: this.challenge,
+			code_challenge: this.pkce.challenge,
 			code_challenge_method: "S256",
 			state,
 			id_token_add_organizations: "true",
@@ -74,113 +75,58 @@ class OpenAICodexOAuthFlow extends OAuthCallbackFlow {
 	}
 	protected async exchangeToken(code: string, _state: string, redirectUri: string): Promise<OAuthCredentials> {
-		const tokenResponse = await fetch(TOKEN_URL, {
-			method: "POST",
-			headers: { "Content-Type": "application/x-www-form-urlencoded" },
-			body: new URLSearchParams({
-				grant_type: "authorization_code",
-				client_id: CLIENT_ID,
-				code,
-				code_verifier: this.verifier,
-				redirect_uri: redirectUri,
-			}),
-		});
+		return exchangeCodeForToken(code, this.pkce.verifier, redirectUri);
+	}
+}
+async function exchangeCodeForToken(code: string, verifier: string, redirectUri: string): Promise<OAuthCredentials> {
+	const tokenResponse = await fetch(TOKEN_URL, {
+		method: "POST",
+		headers: { "Content-Type": "application/x-www-form-urlencoded" },
+		body: new URLSearchParams({
+			grant_type: "authorization_code",
+			client_id: CLIENT_ID,
+			code,
+			code_verifier: verifier,
+			redirect_uri: redirectUri,
+		}),
+	});
+	if (!tokenResponse.ok) {
+		throw new Error(`Token exchange failed: ${tokenResponse.status}`);
+	}
+	const tokenData = (await tokenResponse.json()) as {
+		access_token?: string;
+		refresh_token?: string;
+		expires_in?: number;
+	};
+	if (!tokenData.access_token || !tokenData.refresh_token || typeof tokenData.expires_in !== "number") {
+		throw new Error("Token response missing required fields");
+	}
-		if (!tokenResponse.ok) {
-			throw new Error(`Token exchange failed: ${tokenResponse.status}`);
-		}
-		const tokenData = (await tokenResponse.json()) as {
-			access_token?: string;
-			refresh_token?: string;
-			expires_in?: number;
-		};
-		if (!tokenData.access_token || !tokenData.refresh_token || typeof tokenData.expires_in !== "number") {
-			throw new Error("Token response missing required fields");
-		}
-		const accountId = getAccountId(tokenData.access_token);
-		if (!accountId) {
-			throw new Error("Failed to extract accountId from token");
-		}
-		return {
-			access: tokenData.access_token,
-			refresh: tokenData.refresh_token,
-			expires: Date.now() + tokenData.expires_in * 1000,
-			accountId,
-		};
+	const accountId = getAccountId(tokenData.access_token);
+	if (!accountId) {
+		throw new Error("Failed to extract accountId from token");
 	}
+	return {
+		access: tokenData.access_token,
+		refresh: tokenData.refresh_token,
+		expires: Date.now() + tokenData.expires_in * 1000,
+		accountId,
+	};
 }
 /**
  * Login with OpenAI Codex OAuth
  */
 export async function loginOpenAICodex(ctrl: OAuthController): Promise<OAuthCredentials> {
-	const flow = new OpenAICodexOAuthFlow(ctrl);
-	try {
-		return await flow.login();
-	} catch (error) {
-		// Callback failed - fall back to onPrompt if available
-		if (!ctrl.onPrompt) {
-			throw error;
-		}
-		ctrl.onProgress?.("Callback server failed, falling back to manual input");
+	const pkce = await generatePKCE();
+	const flow = new OpenAICodexOAuthFlow(ctrl, pkce);
-		const input = await ctrl.onPrompt({
-			message: "Paste the authorization code (or full redirect URL):",
-		});
-		const parsed = parseCallbackInput(input);
-		if (!parsed.code) {
-			throw new Error("No authorization code found in input");
-		}
-		const redirectUri = `http://localhost:${CALLBACK_PORT}${CALLBACK_PATH}`;
-		// Manual token exchange
-		const pkce = await generatePKCE();
-		const tokenResponse = await fetch(TOKEN_URL, {
-			method: "POST",
-			headers: { "Content-Type": "application/x-www-form-urlencoded" },
-			body: new URLSearchParams({
-				grant_type: "authorization_code",
-				client_id: CLIENT_ID,
-				code: parsed.code,
-				code_verifier: pkce.verifier,
-				redirect_uri: redirectUri,
-			}),
-		});
-		if (!tokenResponse.ok) {
-			throw new Error(`Token exchange failed: ${tokenResponse.status}`);
-		}
-		const tokenData = (await tokenResponse.json()) as {
-			access_token?: string;
-			refresh_token?: string;
-			expires_in?: number;
-		};
-		if (!tokenData.access_token || !tokenData.refresh_token || typeof tokenData.expires_in !== "number") {
-			throw new Error("Token response missing required fields");
-		}
-		const accountId = getAccountId(tokenData.access_token);
-		if (!accountId) {
-			throw new Error("Failed to extract accountId from token");
-		}
-		return {
-			access: tokenData.access_token,
-			refresh: tokenData.refresh_token,
-			expires: Date.now() + tokenData.expires_in * 1000,
-			accountId,
-		};
-	}
+	return flow.login();
 }
 /**