@oh-my-pi/pi-ai 6.8.1 → 6.8.2

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@oh-my-pi/pi-ai",
-	"version": "6.8.1",
+	"version": "6.8.2",
 	"description": "Unified LLM API with automatic model discovery and provider configuration",
 	"type": "module",
 	"main": "./src/index.ts",
@@ -17,7 +17,7 @@
 		"test": "bun test"
 	},
 	"dependencies": {
-		"@oh-my-pi/pi-utils": "6.8.1",
+		"@oh-my-pi/pi-utils": "6.8.2",
 		"@anthropic-ai/sdk": "0.71.2",
 		"@aws-sdk/client-bedrock-runtime": "^3.968.0",
 		"@bufbuild/protobuf": "^2.10.2",

package/src/providers/google-gemini-cli.ts

@@ -753,7 +753,12 @@ export const streamGoogleGeminiCli: StreamFunction<"google-gemini-cli"> = (
 
 				if (emptyAttempt > 0) {
 					const backoffMs = EMPTY_STREAM_BASE_DELAY_MS * 2 ** (emptyAttempt - 1);
-					await abortableSleep(backoffMs, options?.signal);
+					try {
+						await abortableSleep(backoffMs, options?.signal);
+					} catch {
+						// Normalize AbortError to expected message for consistent error handling
+						throw new Error("Request was aborted");
+					}
 
 					if (!requestUrl) {
 						throw new Error("Missing request URL");

package/src/storage.ts

@@ -4,7 +4,7 @@
  */
 
 import { Database } from "bun:sqlite";
-import { existsSync, mkdirSync } from "node:fs";
+import { chmodSync, existsSync, mkdirSync } from "node:fs";
 import { homedir } from "node:os";
 import { dirname, join } from "node:path";
 import type { OAuthCredentials } from "./utils/oauth/types";
@@ -88,13 +88,19 @@ export class CliAuthStorage {
 	private deleteByProviderStmt: ReturnType<Database["prepare"]>;
 
 	constructor(dbPath: string = getAgentDbPath()) {
-		// Ensure directory exists
+		// Ensure directory exists with secure permissions
 		const dir = dirname(dbPath);
 		if (!existsSync(dir)) {
-			mkdirSync(dir, { recursive: true });
+			mkdirSync(dir, { recursive: true, mode: 0o700 });
 		}
 
 		this.db = new Database(dbPath);
+		// Harden database file permissions to prevent credential leakage
+		try {
+			chmodSync(dbPath, 0o600);
+		} catch {
+			// Ignore chmod failures (e.g., Windows)
+		}
 		this.initializeSchema();
 
 		this.insertStmt = this.db.prepare(

package/src/utils/oauth/callback-server.ts

@@ -197,17 +197,24 @@ export abstract class OAuthCallbackFlow {
 		});
 
 		// Manual input race (if supported)
+		// Errors from manual input should not abort the flow - only successful input wins the race
 		if (this.ctrl.onManualCodeInput) {
-			const manualPromise = this.ctrl.onManualCodeInput().then((input): CallbackResult => {
-				const parsed = parseCallbackInput(input);
-				if (!parsed.code) {
-					throw new Error("No authorization code found in input");
-				}
-				if (expectedState && parsed.state && parsed.state !== expectedState) {
-					throw new Error("State mismatch - possible CSRF attack");
-				}
-				return { code: parsed.code, state: parsed.state ?? "" };
-			});
+			const manualPromise = this.ctrl
+				.onManualCodeInput()
+				.then((input): CallbackResult => {
+					const parsed = parseCallbackInput(input);
+					if (!parsed.code) {
+						throw new Error("No authorization code found in input");
+					}
+					if (expectedState && parsed.state && parsed.state !== expectedState) {
+						throw new Error("State mismatch - possible CSRF attack");
+					}
+					return { code: parsed.code, state: parsed.state ?? "" };
+				})
+				.catch((): Promise<CallbackResult> => {
+					// On manual input error, wait forever - let callback or abort signal win
+					return new Promise(() => {});
+				});
 
 			return Promise.race([callbackPromise, manualPromise]);
 		}

package/src/utils/oauth/github-copilot.ts

@@ -174,20 +174,32 @@ async function pollForGitHubAccessToken(
 		if (raw && typeof raw === "object" && typeof (raw as DeviceTokenErrorResponse).error === "string") {
 			const err = (raw as DeviceTokenErrorResponse).error;
 			if (err === "authorization_pending") {
-				await abortableSleep(intervalMs, signal);
+				try {
+					await abortableSleep(intervalMs, signal);
+				} catch {
+					throw new Error("Login cancelled");
+				}
 				continue;
 			}
 
 			if (err === "slow_down") {
 				intervalMs += 5000;
-				await abortableSleep(intervalMs, signal);
+				try {
+					await abortableSleep(intervalMs, signal);
+				} catch {
+					throw new Error("Login cancelled");
+				}
 				continue;
 			}
 
 			throw new Error(`Device flow failed: ${err}`);
 		}
 
-		await abortableSleep(intervalMs, signal);
+		try {
+			await abortableSleep(intervalMs, signal);
+		} catch {
+			throw new Error("Login cancelled");
+		}
 	}
 
 	throw new Error("Device flow timed out");

package/src/utils/oauth/openai-codex.ts

@@ -2,7 +2,7 @@
  * OpenAI Codex (ChatGPT OAuth) flow
  */
 
-import { OAuthCallbackFlow, parseCallbackInput } from "./callback-server";
+import { OAuthCallbackFlow } from "./callback-server";
 import { generatePKCE } from "./pkce";
 import type { OAuthController, OAuthCredentials } from "./types";
 
@@ -125,28 +125,8 @@ async function exchangeCodeForToken(code: string, verifier: string, redirectUri:
 export async function loginOpenAICodex(ctrl: OAuthController): Promise<OAuthCredentials> {
 	const pkce = await generatePKCE();
 	const flow = new OpenAICodexOAuthFlow(ctrl, pkce);
-	const redirectUri = `http://localhost:${CALLBACK_PORT}${CALLBACK_PATH}`;
 
-	try {
-		return await flow.login();
-	} catch (error) {
-		if (!ctrl.onPrompt) {
-			throw error;
-		}
-
-		ctrl.onProgress?.("Callback server failed, falling back to manual input");
-
-		const input = await ctrl.onPrompt({
-			message: "Paste the authorization code (or full redirect URL):",
-		});
-
-		const parsed = parseCallbackInput(input);
-		if (!parsed.code) {
-			throw new Error("No authorization code found in input");
-		}
-
-		return exchangeCodeForToken(parsed.code, pkce.verifier, redirectUri);
-	}
+	return flow.login();
 }
 
 /**