npm - @open-vibe-lab/open-sub-auth - Versions diffs - 0.1.0 - Mend

@open-vibe-lab/open-sub-auth 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (32) hide show

package/LICENSE +21 -0
package/README.md +218 -0
package/dist/cli/claude-3WKImhqM.mjs +56 -0
package/dist/cli/claude-3WKImhqM.mjs.map +1 -0
package/dist/cli/index.d.mts +2 -0
package/dist/cli/index.mjs +90 -0
package/dist/cli/index.mjs.map +1 -0
package/dist/cli/login-_HdTW5J_.mjs +33 -0
package/dist/cli/login-_HdTW5J_.mjs.map +1 -0
package/dist/cli/logout-CZm-tSVH.mjs +23 -0
package/dist/cli/logout-CZm-tSVH.mjs.map +1 -0
package/dist/cli/manager-CKGbp7Yz.mjs +331 -0
package/dist/cli/manager-CKGbp7Yz.mjs.map +1 -0
package/dist/cli/oauth-pkce-Bi02-h23.mjs +282 -0
package/dist/cli/oauth-pkce-Bi02-h23.mjs.map +1 -0
package/dist/cli/openai-codex-DJi_Q6Zm.mjs +102 -0
package/dist/cli/openai-codex-DJi_Q6Zm.mjs.map +1 -0
package/dist/cli/registry-Cp-_Ipc6.mjs +96 -0
package/dist/cli/registry-Cp-_Ipc6.mjs.map +1 -0
package/dist/cli/status-C-vkcjVM.mjs +47 -0
package/dist/cli/status-C-vkcjVM.mjs.map +1 -0
package/dist/cli/token-DF_-h4Rb.mjs +23 -0
package/dist/cli/token-DF_-h4Rb.mjs.map +1 -0
package/dist/cli/ui-CdGEuLwh.mjs +34 -0
package/dist/cli/ui-CdGEuLwh.mjs.map +1 -0
package/dist/index.cjs +859 -0
package/dist/index.cjs.map +1 -0
package/dist/index.d.cts +328 -0
package/dist/index.d.mts +328 -0
package/dist/index.mjs +827 -0
package/dist/index.mjs.map +1 -0
package/package.json +65 -0

package/dist/cli/manager-CKGbp7Yz.mjs ADDED Viewed

@@ -0,0 +1,331 @@
+#!/usr/bin/env node
+import { a as NoCredentialError, l as TokenExpiredError, t as getProvider, u as TokenRefreshError } from "./registry-Cp-_Ipc6.mjs";
+import { createCipheriv, createDecipheriv, pbkdf2Sync, randomBytes } from "node:crypto";
+import { mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { hostname, userInfo } from "node:os";
+import { dirname, join } from "node:path";
+//#region src/storage/file-store.ts
+const ALGORITHM = "aes-256-gcm";
+const KEY_LENGTH = 32;
+const IV_LENGTH = 12;
+const SALT_LENGTH = 16;
+const PBKDF2_ITERATIONS = 1e5;
+const AUTH_TAG_LENGTH = 16;
+/** Token store backed by an encrypted JSON file */
+var FileStore = class {
+	filePath;
+	constructor(filePath) {
+		this.filePath = filePath ?? join(process.env.OPEN_SUB_AUTH_HOME ?? join(homedir$1(), ".open-sub-auth"), "credentials.json");
+	}
+	async get(provider, accountId) {
+		const data = this.readFile();
+		const key = `${provider}::${accountId}`;
+		const entry = data.credentials[key];
+		if (!entry) return null;
+		try {
+			const decrypted = this.decrypt(entry);
+			return JSON.parse(decrypted);
+		} catch {
+			return null;
+		}
+	}
+	async set(provider, accountId, credential) {
+		const data = this.readFile();
+		const key = `${provider}::${accountId}`;
+		data.credentials[key] = this.encrypt(JSON.stringify(credential));
+		this.writeFile(data);
+	}
+	async delete(provider, accountId) {
+		const data = this.readFile();
+		const key = `${provider}::${accountId}`;
+		delete data.credentials[key];
+		this.writeFile(data);
+	}
+	async list(provider) {
+		const data = this.readFile();
+		const results = [];
+		for (const [key, entry] of Object.entries(data.credentials)) {
+			const [keyProvider] = key.split("::");
+			if (provider && keyProvider !== provider) continue;
+			try {
+				const decrypted = this.decrypt(entry);
+				results.push(JSON.parse(decrypted));
+			} catch {}
+		}
+		return results;
+	}
+	deriveKey(salt) {
+		return pbkdf2Sync(`${hostname()}:${userInfo().username}`, salt, PBKDF2_ITERATIONS, KEY_LENGTH, "sha512");
+	}
+	encrypt(plaintext) {
+		const salt = randomBytes(SALT_LENGTH);
+		const key = this.deriveKey(salt);
+		const iv = randomBytes(IV_LENGTH);
+		const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });
+		return {
+			data: Buffer.concat([
+				cipher.update(plaintext, "utf8"),
+				cipher.final(),
+				cipher.getAuthTag()
+			]).toString("base64"),
+			iv: iv.toString("base64"),
+			salt: salt.toString("base64")
+		};
+	}
+	decrypt(entry) {
+		const salt = Buffer.from(entry.salt, "base64");
+		const key = this.deriveKey(salt);
+		const iv = Buffer.from(entry.iv, "base64");
+		const raw = Buffer.from(entry.data, "base64");
+		const authTag = raw.subarray(raw.length - AUTH_TAG_LENGTH);
+		const ciphertext = raw.subarray(0, raw.length - AUTH_TAG_LENGTH);
+		const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });
+		decipher.setAuthTag(authTag);
+		return decipher.update(ciphertext) + decipher.final("utf8");
+	}
+	readFile() {
+		try {
+			const content = readFileSync(this.filePath, "utf8");
+			return JSON.parse(content);
+		} catch {
+			return {
+				version: 1,
+				credentials: {}
+			};
+		}
+	}
+	writeFile(data) {
+		mkdirSync(dirname(this.filePath), {
+			recursive: true,
+			mode: 448
+		});
+		writeFileSync(this.filePath, JSON.stringify(data, null, 2), { mode: 384 });
+	}
+};
+function homedir$1() {
+	return process.env.HOME ?? process.env.USERPROFILE ?? "/tmp";
+}
+//#endregion
+//#region src/storage/keychain-store.ts
+const SERVICE_NAME = "open-sub-auth";
+const INDEX_ACCOUNT = "__index__";
+/** Token store backed by the OS keychain via cross-keychain */
+var KeychainStore = class {
+	keychain = null;
+	async getKeychain() {
+		if (!this.keychain) this.keychain = await import("cross-keychain");
+		return this.keychain;
+	}
+	makeKey(provider, accountId) {
+		return `${provider}__${accountId}`;
+	}
+	async get(provider, accountId) {
+		const kc = await this.getKeychain();
+		try {
+			const value = await kc.getPassword(SERVICE_NAME, this.makeKey(provider, accountId));
+			if (!value) return null;
+			return JSON.parse(value);
+		} catch {
+			return null;
+		}
+	}
+	async set(provider, accountId, credential) {
+		const kc = await this.getKeychain();
+		const key = this.makeKey(provider, accountId);
+		const value = JSON.stringify(credential);
+		try {
+			await kc.deletePassword(SERVICE_NAME, key);
+		} catch {}
+		await kc.setPassword(SERVICE_NAME, key, value);
+		await this.addToIndex(key);
+	}
+	async delete(provider, accountId) {
+		const kc = await this.getKeychain();
+		const key = this.makeKey(provider, accountId);
+		try {
+			await kc.deletePassword(SERVICE_NAME, key);
+		} catch {}
+		await this.removeFromIndex(key);
+	}
+	async list(provider) {
+		const index = await this.getIndex();
+		const results = [];
+		for (const key of index) {
+			const [keyProvider, keyAccountId] = key.split("__");
+			if (provider && keyProvider !== provider) continue;
+			if (!keyProvider || !keyAccountId) continue;
+			const credential = await this.get(keyProvider, keyAccountId);
+			if (credential) results.push(credential);
+		}
+		return results;
+	}
+	async getIndex() {
+		const kc = await this.getKeychain();
+		try {
+			const value = await kc.getPassword(SERVICE_NAME, INDEX_ACCOUNT);
+			if (!value) return [];
+			return JSON.parse(value);
+		} catch {
+			return [];
+		}
+	}
+	async setIndex(index) {
+		const kc = await this.getKeychain();
+		try {
+			await kc.deletePassword(SERVICE_NAME, INDEX_ACCOUNT);
+		} catch {}
+		await kc.setPassword(SERVICE_NAME, INDEX_ACCOUNT, JSON.stringify(index));
+	}
+	async addToIndex(key) {
+		const index = await this.getIndex();
+		if (!index.includes(key)) {
+			index.push(key);
+			await this.setIndex(index);
+		}
+	}
+	async removeFromIndex(key) {
+		const filtered = (await this.getIndex()).filter((k) => k !== key);
+		await this.setIndex(filtered);
+	}
+};
+//#endregion
+//#region src/storage/store.ts
+/**
+* Create a token store, preferring the OS keychain with encrypted file fallback.
+* @param preferKeychain - If true (default), try keychain first
+*/
+async function createTokenStore(preferKeychain = true) {
+	if (preferKeychain) try {
+		const store = new KeychainStore();
+		await store.get("__probe__", "__probe__");
+		return store;
+	} catch {}
+	return new FileStore();
+}
+//#endregion
+//#region src/token/manager.ts
+/** Buffer time before expiry to trigger refresh (5 minutes) */
+const REFRESH_BUFFER_MS = 300 * 1e3;
+/** Central token lifecycle manager */
+var TokenManager = class {
+	store;
+	/** Per-provider+account mutex to prevent concurrent refreshes */
+	refreshLocks = /* @__PURE__ */ new Map();
+	constructor(store) {
+		this.store = store;
+	}
+	/** Run the interactive login flow for a provider, store the tokens */
+	async login(providerName, options) {
+		const provider = getProvider(providerName);
+		const tokenSet = await provider.login(options);
+		const accountId = provider.getAccountId(tokenSet);
+		const accountLabel = provider.getAccountLabel?.(tokenSet);
+		const now = Date.now();
+		const credential = {
+			tokenSet,
+			metadata: {
+				provider: providerName,
+				accountId,
+				accountLabel,
+				createdAt: now,
+				lastRefreshedAt: now
+			}
+		};
+		await this.store.set(providerName, accountId, credential);
+		return credential;
+	}
+	/** Get a valid access token, refreshing if needed */
+	async getToken(providerName, accountId) {
+		const credential = await this.resolveCredential(providerName, accountId);
+		const { tokenSet } = credential;
+		if (this.isTokenValid(tokenSet.expiresAt)) return tokenSet.accessToken;
+		if (!tokenSet.refreshToken) throw new TokenExpiredError(providerName);
+		await this.refreshWithLock(providerName, credential);
+		const refreshed = await this.store.get(providerName, credential.metadata.accountId);
+		if (!refreshed) throw new TokenExpiredError(providerName);
+		return refreshed.tokenSet.accessToken;
+	}
+	/** Get authenticated headers for API calls */
+	async getAuthHeaders(providerName, accountId) {
+		const token = await this.getToken(providerName, accountId);
+		return getProvider(providerName).getAuthHeaders(token);
+	}
+	/** Remove stored tokens for a provider */
+	async logout(providerName, accountId) {
+		if (accountId) await this.store.delete(providerName, accountId);
+		else {
+			const credentials = await this.store.list(providerName);
+			for (const cred of credentials) await this.store.delete(providerName, cred.metadata.accountId);
+		}
+	}
+	/** Get status of all stored credentials */
+	async status() {
+		return (await this.store.list()).map((cred) => {
+			let displayName = cred.metadata.provider;
+			try {
+				displayName = getProvider(cred.metadata.provider).config.displayName;
+			} catch {}
+			return {
+				provider: cred.metadata.provider,
+				displayName,
+				accountId: cred.metadata.accountId,
+				accountLabel: cred.metadata.accountLabel,
+				isExpired: !this.isTokenValid(cred.tokenSet.expiresAt),
+				expiresAt: cred.tokenSet.expiresAt,
+				hasRefreshToken: cred.tokenSet.refreshToken !== null
+			};
+		});
+	}
+	isTokenValid(expiresAt) {
+		return Date.now() + REFRESH_BUFFER_MS < expiresAt;
+	}
+	async resolveCredential(providerName, accountId) {
+		if (accountId) {
+			const credential = await this.store.get(providerName, accountId);
+			if (!credential) throw new NoCredentialError(providerName, accountId);
+			return credential;
+		}
+		const credentials = await this.store.list(providerName);
+		if (credentials.length === 0) throw new NoCredentialError(providerName);
+		return credentials.sort((a, b) => b.metadata.lastRefreshedAt - a.metadata.lastRefreshedAt)[0];
+	}
+	async refreshWithLock(providerName, credential) {
+		const lockKey = `${providerName}::${credential.metadata.accountId}`;
+		const existingLock = this.refreshLocks.get(lockKey);
+		if (existingLock) {
+			await existingLock;
+			return;
+		}
+		const refreshPromise = this.doRefresh(providerName, credential);
+		this.refreshLocks.set(lockKey, refreshPromise);
+		try {
+			await refreshPromise;
+		} finally {
+			this.refreshLocks.delete(lockKey);
+		}
+	}
+	async doRefresh(providerName, credential) {
+		const provider = getProvider(providerName);
+		const { refreshToken } = credential.tokenSet;
+		if (!refreshToken) throw new TokenExpiredError(providerName);
+		let newTokenSet;
+		try {
+			newTokenSet = await provider.refresh(refreshToken);
+		} catch (err) {
+			throw new TokenRefreshError(providerName, err);
+		}
+		if (!newTokenSet.refreshToken && refreshToken) newTokenSet.refreshToken = refreshToken;
+		const updatedCredential = {
+			tokenSet: newTokenSet,
+			metadata: {
+				...credential.metadata,
+				lastRefreshedAt: Date.now()
+			}
+		};
+		await this.store.set(providerName, credential.metadata.accountId, updatedCredential);
+	}
+};
+//#endregion
+export { createTokenStore as n, TokenManager as t };
+//# sourceMappingURL=manager-CKGbp7Yz.mjs.map

package/dist/cli/manager-CKGbp7Yz.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"manager-CKGbp7Yz.mjs","names":["homedir"],"sources":["../../src/storage/file-store.ts","../../src/storage/keychain-store.ts","../../src/storage/store.ts","../../src/token/manager.ts"],"sourcesContent":["import { createCipheriv, createDecipheriv, pbkdf2Sync, randomBytes } from \"node:crypto\";\nimport { mkdirSync, readFileSync, writeFileSync } from \"node:fs\";\nimport { hostname, userInfo } from \"node:os\";\nimport { dirname, join } from \"node:path\";\nimport type { StoredCredential, TokenStore } from \"@/types.ts\";\n\nconst ALGORITHM = \"aes-256-gcm\";\nconst KEY_LENGTH = 32;\nconst IV_LENGTH = 12;\nconst SALT_LENGTH = 16;\nconst PBKDF2_ITERATIONS = 100_000;\nconst AUTH_TAG_LENGTH = 16;\n\ninterface EncryptedEntry {\n data: string; // base64 encoded ciphertext + auth tag\n iv: string; // base64\n salt: string; // base64\n}\n\ninterface FileStoreData {\n version: 1;\n credentials: Record<string, EncryptedEntry>;\n}\n\n/** Token store backed by an encrypted JSON file */\nexport class FileStore implements TokenStore {\n private readonly filePath: string;\n\n constructor(filePath?: string) {\n this.filePath =\n filePath ??\n join(process.env.OPEN_SUB_AUTH_HOME ?? join(homedir(), \".open-sub-auth\"), \"credentials.json\");\n }\n\n async get(provider: string, accountId: string): Promise<StoredCredential | null> {\n const data = this.readFile();\n const key = `${provider}::${accountId}`;\n const entry = data.credentials[key];\n if (!entry) return null;\n\n try {\n const decrypted = this.decrypt(entry);\n return JSON.parse(decrypted) as StoredCredential;\n } catch {\n return null;\n }\n }\n\n async set(provider: string, accountId: string, credential: StoredCredential): Promise<void> {\n const data = this.readFile();\n const key = `${provider}::${accountId}`;\n data.credentials[key] = this.encrypt(JSON.stringify(credential));\n this.writeFile(data);\n }\n\n async delete(provider: string, accountId: string): Promise<void> {\n const data = this.readFile();\n const key = `${provider}::${accountId}`;\n delete data.credentials[key];\n this.writeFile(data);\n }\n\n async list(provider?: string): Promise<StoredCredential[]> {\n const data = this.readFile();\n const results: StoredCredential[] = [];\n\n for (const [key, entry] of Object.entries(data.credentials)) {\n const [keyProvider] = key.split(\"::\");\n if (provider && keyProvider !== provider) continue;\n\n try {\n const decrypted = this.decrypt(entry);\n results.push(JSON.parse(decrypted) as StoredCredential);\n } catch {\n // Skip corrupted entries\n }\n }\n\n return results;\n }\n\n private deriveKey(salt: Buffer): Buffer {\n const machineId = `${hostname()}:${userInfo().username}`;\n return pbkdf2Sync(machineId, salt, PBKDF2_ITERATIONS, KEY_LENGTH, \"sha512\");\n }\n\n private encrypt(plaintext: string): EncryptedEntry {\n const salt = randomBytes(SALT_LENGTH);\n const key = this.deriveKey(salt);\n const iv = randomBytes(IV_LENGTH);\n\n const cipher = createCipheriv(ALGORITHM, key, iv, {\n authTagLength: AUTH_TAG_LENGTH,\n });\n const encrypted = Buffer.concat([\n cipher.update(plaintext, \"utf8\"),\n cipher.final(),\n cipher.getAuthTag(),\n ]);\n\n return {\n data: encrypted.toString(\"base64\"),\n iv: iv.toString(\"base64\"),\n salt: salt.toString(\"base64\"),\n };\n }\n\n private decrypt(entry: EncryptedEntry): string {\n const salt = Buffer.from(entry.salt, \"base64\");\n const key = this.deriveKey(salt);\n const iv = Buffer.from(entry.iv, \"base64\");\n const raw = Buffer.from(entry.data, \"base64\");\n\n const authTag = raw.subarray(raw.length - AUTH_TAG_LENGTH);\n const ciphertext = raw.subarray(0, raw.length - AUTH_TAG_LENGTH);\n\n const decipher = createDecipheriv(ALGORITHM, key, iv, {\n authTagLength: AUTH_TAG_LENGTH,\n });\n decipher.setAuthTag(authTag);\n\n return decipher.update(ciphertext) + decipher.final(\"utf8\");\n }\n\n private readFile(): FileStoreData {\n try {\n const content = readFileSync(this.filePath, \"utf8\");\n return JSON.parse(content) as FileStoreData;\n } catch {\n return { version: 1, credentials: {} };\n }\n }\n\n private writeFile(data: FileStoreData): void {\n mkdirSync(dirname(this.filePath), { recursive: true, mode: 0o700 });\n writeFileSync(this.filePath, JSON.stringify(data, null, 2), { mode: 0o600 });\n }\n}\n\nfunction homedir(): string {\n return process.env.HOME ?? process.env.USERPROFILE ?? \"/tmp\";\n}\n","import type { StoredCredential, TokenStore } from \"@/types.ts\";\n\nconst SERVICE_NAME = \"open-sub-auth\";\nconst INDEX_ACCOUNT = \"__index__\";\n\n/** Token store backed by the OS keychain via cross-keychain */\nexport class KeychainStore implements TokenStore {\n private keychain: typeof import(\"cross-keychain\") | null = null;\n\n private async getKeychain() {\n if (!this.keychain) {\n this.keychain = await import(\"cross-keychain\");\n }\n return this.keychain;\n }\n\n private makeKey(provider: string, accountId: string): string {\n return `${provider}__${accountId}`;\n }\n\n async get(provider: string, accountId: string): Promise<StoredCredential | null> {\n const kc = await this.getKeychain();\n try {\n const value = await kc.getPassword(SERVICE_NAME, this.makeKey(provider, accountId));\n if (!value) return null;\n return JSON.parse(value) as StoredCredential;\n } catch {\n return null;\n }\n }\n\n async set(provider: string, accountId: string, credential: StoredCredential): Promise<void> {\n const kc = await this.getKeychain();\n const key = this.makeKey(provider, accountId);\n const value = JSON.stringify(credential);\n\n try {\n await kc.deletePassword(SERVICE_NAME, key);\n } catch {\n // Ignore if it doesn't exist\n }\n await kc.setPassword(SERVICE_NAME, key, value);\n await this.addToIndex(key);\n }\n\n async delete(provider: string, accountId: string): Promise<void> {\n const kc = await this.getKeychain();\n const key = this.makeKey(provider, accountId);\n try {\n await kc.deletePassword(SERVICE_NAME, key);\n } catch {\n // Ignore if it doesn't exist\n }\n await this.removeFromIndex(key);\n }\n\n async list(provider?: string): Promise<StoredCredential[]> {\n const index = await this.getIndex();\n const results: StoredCredential[] = [];\n\n for (const key of index) {\n const [keyProvider, keyAccountId] = key.split(\"__\");\n if (provider && keyProvider !== provider) continue;\n if (!keyProvider || !keyAccountId) continue;\n\n const credential = await this.get(keyProvider, keyAccountId);\n if (credential) {\n results.push(credential);\n }\n }\n\n return results;\n }\n\n private async getIndex(): Promise<string[]> {\n const kc = await this.getKeychain();\n try {\n const value = await kc.getPassword(SERVICE_NAME, INDEX_ACCOUNT);\n if (!value) return [];\n return JSON.parse(value) as string[];\n } catch {\n return [];\n }\n }\n\n private async setIndex(index: string[]): Promise<void> {\n const kc = await this.getKeychain();\n try {\n await kc.deletePassword(SERVICE_NAME, INDEX_ACCOUNT);\n } catch {\n // Ignore\n }\n await kc.setPassword(SERVICE_NAME, INDEX_ACCOUNT, JSON.stringify(index));\n }\n\n private async addToIndex(key: string): Promise<void> {\n const index = await this.getIndex();\n if (!index.includes(key)) {\n index.push(key);\n await this.setIndex(index);\n }\n }\n\n private async removeFromIndex(key: string): Promise<void> {\n const index = await this.getIndex();\n const filtered = index.filter((k) => k !== key);\n await this.setIndex(filtered);\n }\n}\n","import type { TokenStore } from \"@/types.ts\";\nimport { FileStore } from \"@/storage/file-store.ts\";\nimport { KeychainStore } from \"@/storage/keychain-store.ts\";\n\n/**\n * Create a token store, preferring the OS keychain with encrypted file fallback.\n * @param preferKeychain - If true (default), try keychain first\n */\nexport async function createTokenStore(preferKeychain = true): Promise<TokenStore> {\n if (preferKeychain) {\n try {\n const store = new KeychainStore();\n // Probe if keychain is accessible\n await store.get(\"__probe__\", \"__probe__\");\n return store;\n } catch {\n // Keychain not available, fall through to file store\n }\n }\n return new FileStore();\n}\n\nexport { FileStore, KeychainStore };\n","import { NoCredentialError, TokenExpiredError, TokenRefreshError } from \"@/errors.ts\";\nimport { getProvider } from \"@/providers/registry.ts\";\nimport type {\n AuthHeaders,\n CredentialStatus,\n LoginOptions,\n StoredCredential,\n TokenStore,\n} from \"@/types.ts\";\n\n/** Buffer time before expiry to trigger refresh (5 minutes) */\nconst REFRESH_BUFFER_MS = 5 * 60 * 1000;\n\n/** Central token lifecycle manager */\nexport class TokenManager {\n private readonly store: TokenStore;\n /** Per-provider+account mutex to prevent concurrent refreshes */\n private readonly refreshLocks = new Map<string, Promise<void>>();\n\n constructor(store: TokenStore) {\n this.store = store;\n }\n\n /** Run the interactive login flow for a provider, store the tokens */\n async login(providerName: string, options?: LoginOptions): Promise<StoredCredential> {\n const provider = getProvider(providerName);\n const tokenSet = await provider.login(options);\n\n const accountId = provider.getAccountId(tokenSet);\n const accountLabel = provider.getAccountLabel?.(tokenSet);\n const now = Date.now();\n\n const credential: StoredCredential = {\n tokenSet,\n metadata: {\n provider: providerName,\n accountId,\n accountLabel,\n createdAt: now,\n lastRefreshedAt: now,\n },\n };\n\n await this.store.set(providerName, accountId, credential);\n return credential;\n }\n\n /** Get a valid access token, refreshing if needed */\n async getToken(providerName: string, accountId?: string): Promise<string> {\n const credential = await this.resolveCredential(providerName, accountId);\n const { tokenSet } = credential;\n\n if (this.isTokenValid(tokenSet.expiresAt)) {\n return tokenSet.accessToken;\n }\n\n // Token expired or near-expiry — try to refresh\n if (!tokenSet.refreshToken) {\n throw new TokenExpiredError(providerName);\n }\n\n await this.refreshWithLock(providerName, credential);\n\n // Re-read from store after refresh\n const refreshed = await this.store.get(providerName, credential.metadata.accountId);\n if (!refreshed) {\n throw new TokenExpiredError(providerName);\n }\n return refreshed.tokenSet.accessToken;\n }\n\n /** Get authenticated headers for API calls */\n async getAuthHeaders(providerName: string, accountId?: string): Promise<AuthHeaders> {\n const token = await this.getToken(providerName, accountId);\n const provider = getProvider(providerName);\n return provider.getAuthHeaders(token);\n }\n\n /** Remove stored tokens for a provider */\n async logout(providerName: string, accountId?: string): Promise<void> {\n if (accountId) {\n await this.store.delete(providerName, accountId);\n } else {\n const credentials = await this.store.list(providerName);\n for (const cred of credentials) {\n await this.store.delete(providerName, cred.metadata.accountId);\n }\n }\n }\n\n /** Get status of all stored credentials */\n async status(): Promise<CredentialStatus[]> {\n const credentials = await this.store.list();\n return credentials.map((cred) => {\n let displayName = cred.metadata.provider;\n try {\n const provider = getProvider(cred.metadata.provider);\n displayName = provider.config.displayName;\n } catch {\n // Unknown provider, use raw name\n }\n\n return {\n provider: cred.metadata.provider,\n displayName,\n accountId: cred.metadata.accountId,\n accountLabel: cred.metadata.accountLabel,\n isExpired: !this.isTokenValid(cred.tokenSet.expiresAt),\n expiresAt: cred.tokenSet.expiresAt,\n hasRefreshToken: cred.tokenSet.refreshToken !== null,\n };\n });\n }\n\n private isTokenValid(expiresAt: number): boolean {\n return Date.now() + REFRESH_BUFFER_MS < expiresAt;\n }\n\n private async resolveCredential(\n providerName: string,\n accountId?: string,\n ): Promise<StoredCredential> {\n if (accountId) {\n const credential = await this.store.get(providerName, accountId);\n if (!credential) {\n throw new NoCredentialError(providerName, accountId);\n }\n return credential;\n }\n\n // No account specified — find the most recently refreshed one\n const credentials = await this.store.list(providerName);\n if (credentials.length === 0) {\n throw new NoCredentialError(providerName);\n }\n\n return credentials.sort((a, b) => b.metadata.lastRefreshedAt - a.metadata.lastRefreshedAt)[0]!;\n }\n\n private async refreshWithLock(providerName: string, credential: StoredCredential): Promise<void> {\n const lockKey = `${providerName}::${credential.metadata.accountId}`;\n\n // If a refresh is already in progress for this account, wait for it\n const existingLock = this.refreshLocks.get(lockKey);\n if (existingLock) {\n await existingLock;\n return;\n }\n\n const refreshPromise = this.doRefresh(providerName, credential);\n this.refreshLocks.set(lockKey, refreshPromise);\n\n try {\n await refreshPromise;\n } finally {\n this.refreshLocks.delete(lockKey);\n }\n }\n\n private async doRefresh(providerName: string, credential: StoredCredential): Promise<void> {\n const provider = getProvider(providerName);\n const { refreshToken } = credential.tokenSet;\n\n if (!refreshToken) {\n throw new TokenExpiredError(providerName);\n }\n\n let newTokenSet;\n try {\n newTokenSet = await provider.refresh(refreshToken);\n } catch (err) {\n throw new TokenRefreshError(providerName, err);\n }\n\n // Preserve the refresh token if the new response doesn't include one\n if (!newTokenSet.refreshToken && refreshToken) {\n newTokenSet.refreshToken = refreshToken;\n }\n\n const updatedCredential: StoredCredential = {\n tokenSet: newTokenSet,\n metadata: {\n ...credential.metadata,\n lastRefreshedAt: Date.now(),\n },\n };\n\n await this.store.set(providerName, credential.metadata.accountId, updatedCredential);\n }\n}\n"],"mappings":";;;;;;;AAMA,MAAM,YAAY;AAClB,MAAM,aAAa;AACnB,MAAM,YAAY;AAClB,MAAM,cAAc;AACpB,MAAM,oBAAoB;AAC1B,MAAM,kBAAkB;;AAcxB,IAAa,YAAb,MAA6C;CAC3C;CAEA,YAAY,UAAmB;AAC7B,OAAK,WACH,YACA,KAAK,QAAQ,IAAI,sBAAsB,KAAKA,WAAS,EAAE,iBAAiB,EAAE,mBAAmB;;CAGjG,MAAM,IAAI,UAAkB,WAAqD;EAC/E,MAAM,OAAO,KAAK,UAAU;EAC5B,MAAM,MAAM,GAAG,SAAS,IAAI;EAC5B,MAAM,QAAQ,KAAK,YAAY;AAC/B,MAAI,CAAC,MAAO,QAAO;AAEnB,MAAI;GACF,MAAM,YAAY,KAAK,QAAQ,MAAM;AACrC,UAAO,KAAK,MAAM,UAAU;UACtB;AACN,UAAO;;;CAIX,MAAM,IAAI,UAAkB,WAAmB,YAA6C;EAC1F,MAAM,OAAO,KAAK,UAAU;EAC5B,MAAM,MAAM,GAAG,SAAS,IAAI;AAC5B,OAAK,YAAY,OAAO,KAAK,QAAQ,KAAK,UAAU,WAAW,CAAC;AAChE,OAAK,UAAU,KAAK;;CAGtB,MAAM,OAAO,UAAkB,WAAkC;EAC/D,MAAM,OAAO,KAAK,UAAU;EAC5B,MAAM,MAAM,GAAG,SAAS,IAAI;AAC5B,SAAO,KAAK,YAAY;AACxB,OAAK,UAAU,KAAK;;CAGtB,MAAM,KAAK,UAAgD;EACzD,MAAM,OAAO,KAAK,UAAU;EAC5B,MAAM,UAA8B,EAAE;AAEtC,OAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,KAAK,YAAY,EAAE;GAC3D,MAAM,CAAC,eAAe,IAAI,MAAM,KAAK;AACrC,OAAI,YAAY,gBAAgB,SAAU;AAE1C,OAAI;IACF,MAAM,YAAY,KAAK,QAAQ,MAAM;AACrC,YAAQ,KAAK,KAAK,MAAM,UAAU,CAAqB;WACjD;;AAKV,SAAO;;CAGT,UAAkB,MAAsB;AAEtC,SAAO,WADW,GAAG,UAAU,CAAC,GAAG,UAAU,CAAC,YACjB,MAAM,mBAAmB,YAAY,SAAS;;CAG7E,QAAgB,WAAmC;EACjD,MAAM,OAAO,YAAY,YAAY;EACrC,MAAM,MAAM,KAAK,UAAU,KAAK;EAChC,MAAM,KAAK,YAAY,UAAU;EAEjC,MAAM,SAAS,eAAe,WAAW,KAAK,IAAI,EAChD,eAAe,iBAChB,CAAC;AAOF,SAAO;GACL,MAPgB,OAAO,OAAO;IAC9B,OAAO,OAAO,WAAW,OAAO;IAChC,OAAO,OAAO;IACd,OAAO,YAAY;IACpB,CAAC,CAGgB,SAAS,SAAS;GAClC,IAAI,GAAG,SAAS,SAAS;GACzB,MAAM,KAAK,SAAS,SAAS;GAC9B;;CAGH,QAAgB,OAA+B;EAC7C,MAAM,OAAO,OAAO,KAAK,MAAM,MAAM,SAAS;EAC9C,MAAM,MAAM,KAAK,UAAU,KAAK;EAChC,MAAM,KAAK,OAAO,KAAK,MAAM,IAAI,SAAS;EAC1C,MAAM,MAAM,OAAO,KAAK,MAAM,MAAM,SAAS;EAE7C,MAAM,UAAU,IAAI,SAAS,IAAI,SAAS,gBAAgB;EAC1D,MAAM,aAAa,IAAI,SAAS,GAAG,IAAI,SAAS,gBAAgB;EAEhE,MAAM,WAAW,iBAAiB,WAAW,KAAK,IAAI,EACpD,eAAe,iBAChB,CAAC;AACF,WAAS,WAAW,QAAQ;AAE5B,SAAO,SAAS,OAAO,WAAW,GAAG,SAAS,MAAM,OAAO;;CAG7D,WAAkC;AAChC,MAAI;GACF,MAAM,UAAU,aAAa,KAAK,UAAU,OAAO;AACnD,UAAO,KAAK,MAAM,QAAQ;UACpB;AACN,UAAO;IAAE,SAAS;IAAG,aAAa,EAAE;IAAE;;;CAI1C,UAAkB,MAA2B;AAC3C,YAAU,QAAQ,KAAK,SAAS,EAAE;GAAE,WAAW;GAAM,MAAM;GAAO,CAAC;AACnE,gBAAc,KAAK,UAAU,KAAK,UAAU,MAAM,MAAM,EAAE,EAAE,EAAE,MAAM,KAAO,CAAC;;;AAIhF,SAASA,YAAkB;AACzB,QAAO,QAAQ,IAAI,QAAQ,QAAQ,IAAI,eAAe;;;;AC1IxD,MAAM,eAAe;AACrB,MAAM,gBAAgB;;AAGtB,IAAa,gBAAb,MAAiD;CAC/C,WAA2D;CAE3D,MAAc,cAAc;AAC1B,MAAI,CAAC,KAAK,SACR,MAAK,WAAW,MAAM,OAAO;AAE/B,SAAO,KAAK;;CAGd,QAAgB,UAAkB,WAA2B;AAC3D,SAAO,GAAG,SAAS,IAAI;;CAGzB,MAAM,IAAI,UAAkB,WAAqD;EAC/E,MAAM,KAAK,MAAM,KAAK,aAAa;AACnC,MAAI;GACF,MAAM,QAAQ,MAAM,GAAG,YAAY,cAAc,KAAK,QAAQ,UAAU,UAAU,CAAC;AACnF,OAAI,CAAC,MAAO,QAAO;AACnB,UAAO,KAAK,MAAM,MAAM;UAClB;AACN,UAAO;;;CAIX,MAAM,IAAI,UAAkB,WAAmB,YAA6C;EAC1F,MAAM,KAAK,MAAM,KAAK,aAAa;EACnC,MAAM,MAAM,KAAK,QAAQ,UAAU,UAAU;EAC7C,MAAM,QAAQ,KAAK,UAAU,WAAW;AAExC,MAAI;AACF,SAAM,GAAG,eAAe,cAAc,IAAI;UACpC;AAGR,QAAM,GAAG,YAAY,cAAc,KAAK,MAAM;AAC9C,QAAM,KAAK,WAAW,IAAI;;CAG5B,MAAM,OAAO,UAAkB,WAAkC;EAC/D,MAAM,KAAK,MAAM,KAAK,aAAa;EACnC,MAAM,MAAM,KAAK,QAAQ,UAAU,UAAU;AAC7C,MAAI;AACF,SAAM,GAAG,eAAe,cAAc,IAAI;UACpC;AAGR,QAAM,KAAK,gBAAgB,IAAI;;CAGjC,MAAM,KAAK,UAAgD;EACzD,MAAM,QAAQ,MAAM,KAAK,UAAU;EACnC,MAAM,UAA8B,EAAE;AAEtC,OAAK,MAAM,OAAO,OAAO;GACvB,MAAM,CAAC,aAAa,gBAAgB,IAAI,MAAM,KAAK;AACnD,OAAI,YAAY,gBAAgB,SAAU;AAC1C,OAAI,CAAC,eAAe,CAAC,aAAc;GAEnC,MAAM,aAAa,MAAM,KAAK,IAAI,aAAa,aAAa;AAC5D,OAAI,WACF,SAAQ,KAAK,WAAW;;AAI5B,SAAO;;CAGT,MAAc,WAA8B;EAC1C,MAAM,KAAK,MAAM,KAAK,aAAa;AACnC,MAAI;GACF,MAAM,QAAQ,MAAM,GAAG,YAAY,cAAc,cAAc;AAC/D,OAAI,CAAC,MAAO,QAAO,EAAE;AACrB,UAAO,KAAK,MAAM,MAAM;UAClB;AACN,UAAO,EAAE;;;CAIb,MAAc,SAAS,OAAgC;EACrD,MAAM,KAAK,MAAM,KAAK,aAAa;AACnC,MAAI;AACF,SAAM,GAAG,eAAe,cAAc,cAAc;UAC9C;AAGR,QAAM,GAAG,YAAY,cAAc,eAAe,KAAK,UAAU,MAAM,CAAC;;CAG1E,MAAc,WAAW,KAA4B;EACnD,MAAM,QAAQ,MAAM,KAAK,UAAU;AACnC,MAAI,CAAC,MAAM,SAAS,IAAI,EAAE;AACxB,SAAM,KAAK,IAAI;AACf,SAAM,KAAK,SAAS,MAAM;;;CAI9B,MAAc,gBAAgB,KAA4B;EAExD,MAAM,YADQ,MAAM,KAAK,UAAU,EACZ,QAAQ,MAAM,MAAM,IAAI;AAC/C,QAAM,KAAK,SAAS,SAAS;;;;;;;;;AClGjC,eAAsB,iBAAiB,iBAAiB,MAA2B;AACjF,KAAI,eACF,KAAI;EACF,MAAM,QAAQ,IAAI,eAAe;AAEjC,QAAM,MAAM,IAAI,aAAa,YAAY;AACzC,SAAO;SACD;AAIV,QAAO,IAAI,WAAW;;;;;ACRxB,MAAM,oBAAoB,MAAS;;AAGnC,IAAa,eAAb,MAA0B;CACxB;;CAEA,+BAAgC,IAAI,KAA4B;CAEhE,YAAY,OAAmB;AAC7B,OAAK,QAAQ;;;CAIf,MAAM,MAAM,cAAsB,SAAmD;EACnF,MAAM,WAAW,YAAY,aAAa;EAC1C,MAAM,WAAW,MAAM,SAAS,MAAM,QAAQ;EAE9C,MAAM,YAAY,SAAS,aAAa,SAAS;EACjD,MAAM,eAAe,SAAS,kBAAkB,SAAS;EACzD,MAAM,MAAM,KAAK,KAAK;EAEtB,MAAM,aAA+B;GACnC;GACA,UAAU;IACR,UAAU;IACV;IACA;IACA,WAAW;IACX,iBAAiB;IAClB;GACF;AAED,QAAM,KAAK,MAAM,IAAI,cAAc,WAAW,WAAW;AACzD,SAAO;;;CAIT,MAAM,SAAS,cAAsB,WAAqC;EACxE,MAAM,aAAa,MAAM,KAAK,kBAAkB,cAAc,UAAU;EACxE,MAAM,EAAE,aAAa;AAErB,MAAI,KAAK,aAAa,SAAS,UAAU,CACvC,QAAO,SAAS;AAIlB,MAAI,CAAC,SAAS,aACZ,OAAM,IAAI,kBAAkB,aAAa;AAG3C,QAAM,KAAK,gBAAgB,cAAc,WAAW;EAGpD,MAAM,YAAY,MAAM,KAAK,MAAM,IAAI,cAAc,WAAW,SAAS,UAAU;AACnF,MAAI,CAAC,UACH,OAAM,IAAI,kBAAkB,aAAa;AAE3C,SAAO,UAAU,SAAS;;;CAI5B,MAAM,eAAe,cAAsB,WAA0C;EACnF,MAAM,QAAQ,MAAM,KAAK,SAAS,cAAc,UAAU;AAE1D,SADiB,YAAY,aAAa,CAC1B,eAAe,MAAM;;;CAIvC,MAAM,OAAO,cAAsB,WAAmC;AACpE,MAAI,UACF,OAAM,KAAK,MAAM,OAAO,cAAc,UAAU;OAC3C;GACL,MAAM,cAAc,MAAM,KAAK,MAAM,KAAK,aAAa;AACvD,QAAK,MAAM,QAAQ,YACjB,OAAM,KAAK,MAAM,OAAO,cAAc,KAAK,SAAS,UAAU;;;;CAMpE,MAAM,SAAsC;AAE1C,UADoB,MAAM,KAAK,MAAM,MAAM,EACxB,KAAK,SAAS;GAC/B,IAAI,cAAc,KAAK,SAAS;AAChC,OAAI;AAEF,kBADiB,YAAY,KAAK,SAAS,SAAS,CAC7B,OAAO;WACxB;AAIR,UAAO;IACL,UAAU,KAAK,SAAS;IACxB;IACA,WAAW,KAAK,SAAS;IACzB,cAAc,KAAK,SAAS;IAC5B,WAAW,CAAC,KAAK,aAAa,KAAK,SAAS,UAAU;IACtD,WAAW,KAAK,SAAS;IACzB,iBAAiB,KAAK,SAAS,iBAAiB;IACjD;IACD;;CAGJ,aAAqB,WAA4B;AAC/C,SAAO,KAAK,KAAK,GAAG,oBAAoB;;CAG1C,MAAc,kBACZ,cACA,WAC2B;AAC3B,MAAI,WAAW;GACb,MAAM,aAAa,MAAM,KAAK,MAAM,IAAI,cAAc,UAAU;AAChE,OAAI,CAAC,WACH,OAAM,IAAI,kBAAkB,cAAc,UAAU;AAEtD,UAAO;;EAIT,MAAM,cAAc,MAAM,KAAK,MAAM,KAAK,aAAa;AACvD,MAAI,YAAY,WAAW,EACzB,OAAM,IAAI,kBAAkB,aAAa;AAG3C,SAAO,YAAY,MAAM,GAAG,MAAM,EAAE,SAAS,kBAAkB,EAAE,SAAS,gBAAgB,CAAC;;CAG7F,MAAc,gBAAgB,cAAsB,YAA6C;EAC/F,MAAM,UAAU,GAAG,aAAa,IAAI,WAAW,SAAS;EAGxD,MAAM,eAAe,KAAK,aAAa,IAAI,QAAQ;AACnD,MAAI,cAAc;AAChB,SAAM;AACN;;EAGF,MAAM,iBAAiB,KAAK,UAAU,cAAc,WAAW;AAC/D,OAAK,aAAa,IAAI,SAAS,eAAe;AAE9C,MAAI;AACF,SAAM;YACE;AACR,QAAK,aAAa,OAAO,QAAQ;;;CAIrC,MAAc,UAAU,cAAsB,YAA6C;EACzF,MAAM,WAAW,YAAY,aAAa;EAC1C,MAAM,EAAE,iBAAiB,WAAW;AAEpC,MAAI,CAAC,aACH,OAAM,IAAI,kBAAkB,aAAa;EAG3C,IAAI;AACJ,MAAI;AACF,iBAAc,MAAM,SAAS,QAAQ,aAAa;WAC3C,KAAK;AACZ,SAAM,IAAI,kBAAkB,cAAc,IAAI;;AAIhD,MAAI,CAAC,YAAY,gBAAgB,aAC/B,aAAY,eAAe;EAG7B,MAAM,oBAAsC;GAC1C,UAAU;GACV,UAAU;IACR,GAAG,WAAW;IACd,iBAAiB,KAAK,KAAK;IAC5B;GACF;AAED,QAAM,KAAK,MAAM,IAAI,cAAc,WAAW,SAAS,WAAW,kBAAkB"}

package/dist/cli/oauth-pkce-Bi02-h23.mjs ADDED Viewed

@@ -0,0 +1,282 @@
+#!/usr/bin/env node
+import { c as StateMismatchError, o as OAuthCallbackError, s as OAuthTimeoutError } from "./registry-Cp-_Ipc6.mjs";
+import { createInterface } from "node:readline";
+import { createHash, randomBytes } from "node:crypto";
+import { platform } from "node:os";
+import { execFile } from "node:child_process";
+import { createServer } from "node:http";
+//#region src/core/browser.ts
+/** Open a URL in the user's default browser. Does not throw on failure. */
+function openBrowser(url) {
+	const os = platform();
+	try {
+		if (os === "darwin") execFile("open", [url]);
+		else if (os === "win32") execFile("cmd", [
+			"/c",
+			"start",
+			"",
+			url
+		]);
+		else execFile("xdg-open", [url]);
+	} catch {}
+}
+//#endregion
+//#region src/core/callback-server.ts
+const SUCCESS_HTML = `<!DOCTYPE html>
+<html><head><meta charset="utf-8"><title>Authorization Successful</title>
+<style>body{font-family:system-ui,sans-serif;display:flex;justify-content:center;align-items:center;height:100vh;margin:0;background:#f8f9fa}
+.card{text-align:center;padding:2rem;border-radius:12px;background:white;box-shadow:0 2px 8px rgba(0,0,0,0.1)}
+h1{color:#22c55e;font-size:1.5rem}p{color:#666}</style></head>
+<body><div class="card"><h1>Authorization Successful</h1><p>You can close this window and return to the terminal.</p></div></body></html>`;
+const ERROR_HTML = `<!DOCTYPE html>
+<html><head><meta charset="utf-8"><title>Authorization Failed</title>
+<style>body{font-family:system-ui,sans-serif;display:flex;justify-content:center;align-items:center;height:100vh;margin:0;background:#f8f9fa}
+.card{text-align:center;padding:2rem;border-radius:12px;background:white;box-shadow:0 2px 8px rgba(0,0,0,0.1)}
+h1{color:#ef4444;font-size:1.5rem}p{color:#666}</style></head>
+<body><div class="card"><h1>Authorization Failed</h1><p>Something went wrong. Please try again.</p></div></body></html>`;
+/** Start a local HTTP server to receive the OAuth callback redirect */
+function startCallbackServer(options) {
+	const { expectedState, timeout = 12e4, path = "/callback" } = options;
+	const port = options.port ?? 0;
+	return new Promise((resolveSetup, _rejectSetup) => {
+		let server;
+		let timeoutId;
+		const resultPromise = new Promise((resolveResult, rejectResult) => {
+			server = createServer((req, res) => {
+				const url = new URL(req.url ?? "/", `http://localhost`);
+				if (url.pathname !== path) {
+					res.writeHead(404);
+					res.end("Not found");
+					return;
+				}
+				const code = url.searchParams.get("code");
+				const state = url.searchParams.get("state");
+				const error = url.searchParams.get("error");
+				if (error) {
+					const errorDesc = url.searchParams.get("error_description") ?? error;
+					res.writeHead(200, { "Content-Type": "text/html" });
+					res.end(ERROR_HTML);
+					cleanup();
+					rejectResult(new OAuthCallbackError(`OAuth error: ${errorDesc}`));
+					return;
+				}
+				if (!code) {
+					res.writeHead(200, { "Content-Type": "text/html" });
+					res.end(ERROR_HTML);
+					cleanup();
+					rejectResult(new OAuthCallbackError("No authorization code in callback"));
+					return;
+				}
+				if (state && state !== expectedState) {
+					res.writeHead(200, { "Content-Type": "text/html" });
+					res.end(ERROR_HTML);
+					cleanup();
+					rejectResult(new OAuthCallbackError("State mismatch — possible CSRF attack. Please try again."));
+					return;
+				}
+				res.writeHead(200, { "Content-Type": "text/html" });
+				res.end(SUCCESS_HTML);
+				cleanup();
+				resolveResult({
+					code,
+					state: state ?? expectedState
+				});
+			});
+			const cleanup = () => {
+				if (timeoutId) clearTimeout(timeoutId);
+				server.close();
+			};
+			timeoutId = setTimeout(() => {
+				cleanup();
+				rejectResult(new OAuthTimeoutError(timeout));
+			}, timeout);
+			server.on("error", (err) => {
+				cleanup();
+				rejectResult(new OAuthCallbackError(`Callback server error: ${err.message}`));
+			});
+			server.listen(port, "127.0.0.1", () => {
+				const addr = server.address();
+				resolveSetup({
+					result: resultPromise,
+					port: typeof addr === "object" && addr ? addr.port : port,
+					close: cleanup
+				});
+			});
+		});
+	});
+}
+//#endregion
+//#region src/core/crypto.ts
+/** Generate a cryptographically random PKCE code verifier (43-128 chars, base64url) */
+function generateCodeVerifier() {
+	return randomBytes(32).toString("base64url");
+}
+/** Generate a PKCE code challenge from a verifier using S256 method */
+function generateCodeChallenge(verifier) {
+	return createHash("sha256").update(verifier).digest("base64url");
+}
+/** Generate both PKCE code verifier and challenge */
+function generatePKCE() {
+	const codeVerifier = generateCodeVerifier();
+	return {
+		codeVerifier,
+		codeChallenge: generateCodeChallenge(codeVerifier)
+	};
+}
+/** Generate a random state parameter for CSRF protection */
+function generateState() {
+	return randomBytes(32).toString("base64url");
+}
+//#endregion
+//#region src/core/manual-code-input.ts
+/**
+* Parse a "code#state" string (Anthropic's manual paste format).
+* Also supports a plain authorization code (state validated separately).
+*/
+function parseCodeAndState(input, expectedState) {
+	const trimmed = input.trim();
+	if (!trimmed) throw new OAuthCallbackError("Empty authorization code input");
+	const hashIndex = trimmed.indexOf("#");
+	if (hashIndex !== -1) {
+		const code = trimmed.slice(0, hashIndex);
+		const state = trimmed.slice(hashIndex + 1);
+		if (!code) throw new OAuthCallbackError("Empty authorization code in code#state input");
+		if (state !== expectedState) throw new StateMismatchError();
+		return {
+			code,
+			state
+		};
+	}
+	return {
+		code: trimmed,
+		state: expectedState
+	};
+}
+/** Prompt the user to paste the authorization code from their browser */
+function promptForCode(expectedState) {
+	return new Promise((resolve, reject) => {
+		const rl = createInterface({
+			input: process.stdin,
+			output: process.stderr
+		});
+		rl.question("Paste the authorization code (or code#state) from your browser: ", (answer) => {
+			rl.close();
+			try {
+				resolve(parseCodeAndState(answer, expectedState));
+			} catch (err) {
+				reject(err);
+			}
+		});
+	});
+}
+//#endregion
+//#region src/core/oauth-pkce.ts
+/** Build the full OAuth authorization URL with PKCE and state params */
+function buildAuthorizationUrl(config, codeChallenge, state, redirectUri) {
+	if (!config.authorizationEndpoint) throw new OAuthCallbackError(`Provider "${config.name}" has no authorization endpoint`);
+	const url = new URL(config.authorizationEndpoint);
+	url.searchParams.set("response_type", "code");
+	url.searchParams.set("client_id", config.clientId);
+	url.searchParams.set("redirect_uri", redirectUri);
+	url.searchParams.set("code_challenge", codeChallenge);
+	url.searchParams.set("code_challenge_method", "S256");
+	url.searchParams.set("state", state);
+	if (config.scopes?.length) url.searchParams.set("scope", config.scopes.join(" "));
+	return url.toString();
+}
+/** Exchange an authorization code for tokens */
+async function exchangeCode(config, code, codeVerifier, redirectUri, state) {
+	const useJson = config.tokenBodyFormat === "json";
+	const params = {
+		grant_type: "authorization_code",
+		code,
+		code_verifier: codeVerifier,
+		client_id: config.clientId,
+		redirect_uri: redirectUri
+	};
+	if (state !== void 0) params.state = state;
+	const response = await fetch(config.tokenEndpoint, {
+		method: "POST",
+		headers: { "Content-Type": useJson ? "application/json" : "application/x-www-form-urlencoded" },
+		body: useJson ? JSON.stringify(params) : new URLSearchParams(params).toString()
+	});
+	if (!response.ok) {
+		const errorText = await response.text();
+		throw new OAuthCallbackError(`Token exchange failed (${response.status}): ${errorText}`);
+	}
+	return parseTokenResponse(await response.json());
+}
+/** Refresh an access token using a refresh token */
+async function refreshAccessToken(config, refreshToken) {
+	const useJson = config.tokenBodyFormat === "json";
+	const params = {
+		grant_type: "refresh_token",
+		refresh_token: refreshToken,
+		client_id: config.clientId
+	};
+	const response = await fetch(config.tokenEndpoint, {
+		method: "POST",
+		headers: { "Content-Type": useJson ? "application/json" : "application/x-www-form-urlencoded" },
+		body: useJson ? JSON.stringify(params) : new URLSearchParams(params).toString()
+	});
+	if (!response.ok) {
+		const errorText = await response.text();
+		throw new OAuthCallbackError(`Token refresh failed (${response.status}): ${errorText}`);
+	}
+	return parseTokenResponse(await response.json());
+}
+/** Execute the full PKCE flow: generate params, open browser, wait for callback, exchange code */
+async function executePKCEFlow(options) {
+	const { config, loginOptions } = options;
+	const { codeVerifier, codeChallenge } = generatePKCE();
+	const state = config.stateIsVerifier ? codeVerifier : generateState();
+	const manual = loginOptions?.manual ?? false;
+	let authResult;
+	let redirectUri;
+	if (manual && options.manualRedirectUri) {
+		redirectUri = options.manualRedirectUri;
+		const authUrl = buildAuthorizationUrl(config, codeChallenge, state, redirectUri);
+		if (loginOptions?.onOpenBrowser) loginOptions.onOpenBrowser(authUrl);
+		else openBrowser(authUrl);
+		process.stderr.write(`\nOpen this URL in your browser if it didn't open automatically:\n${authUrl}\n\n`);
+		authResult = await promptForCode(state);
+	} else {
+		const server = await startCallbackServer({
+			port: loginOptions?.port ?? 0,
+			expectedState: state,
+			timeout: loginOptions?.timeout ?? 12e4
+		});
+		redirectUri = `http://127.0.0.1:${server.port}/callback`;
+		const authUrl = buildAuthorizationUrl(config, codeChallenge, state, redirectUri);
+		if (loginOptions?.onOpenBrowser) loginOptions.onOpenBrowser(authUrl);
+		else openBrowser(authUrl);
+		process.stderr.write(`\nOpen this URL in your browser if it didn't open automatically:\n${authUrl}\n\nWaiting for authorization...\n`);
+		try {
+			authResult = await server.result;
+		} catch (err) {
+			server.close();
+			throw err;
+		}
+	}
+	const exchangeState = config.tokenBodyFormat === "json" ? authResult.state : void 0;
+	return exchangeCode(config, authResult.code, codeVerifier, redirectUri, exchangeState);
+}
+function parseTokenResponse(data) {
+	const accessToken = data.access_token;
+	if (!accessToken) throw new OAuthCallbackError("No access_token in token response");
+	const expiresIn = data.expires_in ?? 3600;
+	const expiresAt = Date.now() + expiresIn * 1e3;
+	return {
+		accessToken,
+		refreshToken: data.refresh_token ?? null,
+		expiresAt,
+		idToken: data.id_token,
+		tokenType: (data.token_type ?? "bearer").toLowerCase(),
+		scopes: data.scope ? data.scope.split(" ") : void 0,
+		raw: data
+	};
+}
+//#endregion
+export { refreshAccessToken as n, executePKCEFlow as t };
+//# sourceMappingURL=oauth-pkce-Bi02-h23.mjs.map