@open-vibe-lab/open-sub-auth 0.1.0

package/dist/index.mjs

@@ -0,0 +1,827 @@
+import { createCipheriv, createDecipheriv, createHash, pbkdf2Sync, randomBytes } from "node:crypto";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { homedir, hostname, platform, userInfo } from "node:os";
+import { dirname, join } from "node:path";
+import { execFile } from "node:child_process";
+import { createServer } from "node:http";
+import { createInterface } from "node:readline";
+//#region src/errors.ts
+var OpenSubAuthError = class extends Error {
+	constructor(message) {
+		super(message);
+		this.name = "OpenSubAuthError";
+	}
+};
+var AuthenticationError = class extends OpenSubAuthError {
+	constructor(message, provider) {
+		super(message);
+		this.provider = provider;
+		this.name = "AuthenticationError";
+	}
+};
+var TokenExpiredError = class extends OpenSubAuthError {
+	constructor(provider) {
+		super(`Access token for "${provider}" has expired and no refresh token is available. Please login again.`);
+		this.provider = provider;
+		this.name = "TokenExpiredError";
+	}
+};
+var TokenRefreshError = class extends OpenSubAuthError {
+	constructor(provider, cause_) {
+		super(`Failed to refresh token for "${provider}": ${cause_ instanceof Error ? cause_.message : String(cause_)}`);
+		this.provider = provider;
+		this.cause_ = cause_;
+		this.name = "TokenRefreshError";
+	}
+};
+var ProviderNotFoundError = class extends OpenSubAuthError {
+	constructor(providerName) {
+		super(`Provider "${providerName}" is not registered. Available providers can be listed with listProviders().`);
+		this.providerName = providerName;
+		this.name = "ProviderNotFoundError";
+	}
+};
+var NoCredentialError = class extends OpenSubAuthError {
+	constructor(provider, accountId) {
+		const msg = accountId ? `No stored credential for "${provider}" account "${accountId}". Please login first.` : `No stored credential for "${provider}". Please login first.`;
+		super(msg);
+		this.provider = provider;
+		this.accountId = accountId;
+		this.name = "NoCredentialError";
+	}
+};
+var OAuthCallbackError = class extends OpenSubAuthError {
+	constructor(message) {
+		super(message);
+		this.name = "OAuthCallbackError";
+	}
+};
+var OAuthTimeoutError = class extends OpenSubAuthError {
+	constructor(timeoutMs) {
+		super(`OAuth login timed out after ${Math.round(timeoutMs / 1e3)} seconds. Please try again.`);
+		this.timeoutMs = timeoutMs;
+		this.name = "OAuthTimeoutError";
+	}
+};
+var StateMismatchError = class extends OpenSubAuthError {
+	constructor() {
+		super("OAuth state parameter mismatch — possible CSRF attack. Please try again.");
+		this.name = "StateMismatchError";
+	}
+};
+//#endregion
+//#region src/providers/registry.ts
+const providers = /* @__PURE__ */ new Map();
+/** Register a provider factory */
+function registerProvider(name, factory) {
+	providers.set(name, factory);
+}
+/** Get a provider instance by name */
+function getProvider(name) {
+	const factory = providers.get(name);
+	if (!factory) throw new ProviderNotFoundError(name);
+	return factory();
+}
+/** List all registered provider names */
+function listProviders() {
+	return Array.from(providers.keys());
+}
+//#endregion
+//#region src/token/manager.ts
+/** Buffer time before expiry to trigger refresh (5 minutes) */
+const REFRESH_BUFFER_MS = 300 * 1e3;
+/** Central token lifecycle manager */
+var TokenManager = class {
+	store;
+	/** Per-provider+account mutex to prevent concurrent refreshes */
+	refreshLocks = /* @__PURE__ */ new Map();
+	constructor(store) {
+		this.store = store;
+	}
+	/** Run the interactive login flow for a provider, store the tokens */
+	async login(providerName, options) {
+		const provider = getProvider(providerName);
+		const tokenSet = await provider.login(options);
+		const accountId = provider.getAccountId(tokenSet);
+		const accountLabel = provider.getAccountLabel?.(tokenSet);
+		const now = Date.now();
+		const credential = {
+			tokenSet,
+			metadata: {
+				provider: providerName,
+				accountId,
+				accountLabel,
+				createdAt: now,
+				lastRefreshedAt: now
+			}
+		};
+		await this.store.set(providerName, accountId, credential);
+		return credential;
+	}
+	/** Get a valid access token, refreshing if needed */
+	async getToken(providerName, accountId) {
+		const credential = await this.resolveCredential(providerName, accountId);
+		const { tokenSet } = credential;
+		if (this.isTokenValid(tokenSet.expiresAt)) return tokenSet.accessToken;
+		if (!tokenSet.refreshToken) throw new TokenExpiredError(providerName);
+		await this.refreshWithLock(providerName, credential);
+		const refreshed = await this.store.get(providerName, credential.metadata.accountId);
+		if (!refreshed) throw new TokenExpiredError(providerName);
+		return refreshed.tokenSet.accessToken;
+	}
+	/** Get authenticated headers for API calls */
+	async getAuthHeaders(providerName, accountId) {
+		const token = await this.getToken(providerName, accountId);
+		return getProvider(providerName).getAuthHeaders(token);
+	}
+	/** Remove stored tokens for a provider */
+	async logout(providerName, accountId) {
+		if (accountId) await this.store.delete(providerName, accountId);
+		else {
+			const credentials = await this.store.list(providerName);
+			for (const cred of credentials) await this.store.delete(providerName, cred.metadata.accountId);
+		}
+	}
+	/** Get status of all stored credentials */
+	async status() {
+		return (await this.store.list()).map((cred) => {
+			let displayName = cred.metadata.provider;
+			try {
+				displayName = getProvider(cred.metadata.provider).config.displayName;
+			} catch {}
+			return {
+				provider: cred.metadata.provider,
+				displayName,
+				accountId: cred.metadata.accountId,
+				accountLabel: cred.metadata.accountLabel,
+				isExpired: !this.isTokenValid(cred.tokenSet.expiresAt),
+				expiresAt: cred.tokenSet.expiresAt,
+				hasRefreshToken: cred.tokenSet.refreshToken !== null
+			};
+		});
+	}
+	isTokenValid(expiresAt) {
+		return Date.now() + REFRESH_BUFFER_MS < expiresAt;
+	}
+	async resolveCredential(providerName, accountId) {
+		if (accountId) {
+			const credential = await this.store.get(providerName, accountId);
+			if (!credential) throw new NoCredentialError(providerName, accountId);
+			return credential;
+		}
+		const credentials = await this.store.list(providerName);
+		if (credentials.length === 0) throw new NoCredentialError(providerName);
+		return credentials.sort((a, b) => b.metadata.lastRefreshedAt - a.metadata.lastRefreshedAt)[0];
+	}
+	async refreshWithLock(providerName, credential) {
+		const lockKey = `${providerName}::${credential.metadata.accountId}`;
+		const existingLock = this.refreshLocks.get(lockKey);
+		if (existingLock) {
+			await existingLock;
+			return;
+		}
+		const refreshPromise = this.doRefresh(providerName, credential);
+		this.refreshLocks.set(lockKey, refreshPromise);
+		try {
+			await refreshPromise;
+		} finally {
+			this.refreshLocks.delete(lockKey);
+		}
+	}
+	async doRefresh(providerName, credential) {
+		const provider = getProvider(providerName);
+		const { refreshToken } = credential.tokenSet;
+		if (!refreshToken) throw new TokenExpiredError(providerName);
+		let newTokenSet;
+		try {
+			newTokenSet = await provider.refresh(refreshToken);
+		} catch (err) {
+			throw new TokenRefreshError(providerName, err);
+		}
+		if (!newTokenSet.refreshToken && refreshToken) newTokenSet.refreshToken = refreshToken;
+		const updatedCredential = {
+			tokenSet: newTokenSet,
+			metadata: {
+				...credential.metadata,
+				lastRefreshedAt: Date.now()
+			}
+		};
+		await this.store.set(providerName, credential.metadata.accountId, updatedCredential);
+	}
+};
+//#endregion
+//#region src/storage/file-store.ts
+const ALGORITHM = "aes-256-gcm";
+const KEY_LENGTH = 32;
+const IV_LENGTH = 12;
+const SALT_LENGTH = 16;
+const PBKDF2_ITERATIONS = 1e5;
+const AUTH_TAG_LENGTH = 16;
+/** Token store backed by an encrypted JSON file */
+var FileStore = class {
+	filePath;
+	constructor(filePath) {
+		this.filePath = filePath ?? join(process.env.OPEN_SUB_AUTH_HOME ?? join(homedir$1(), ".open-sub-auth"), "credentials.json");
+	}
+	async get(provider, accountId) {
+		const data = this.readFile();
+		const key = `${provider}::${accountId}`;
+		const entry = data.credentials[key];
+		if (!entry) return null;
+		try {
+			const decrypted = this.decrypt(entry);
+			return JSON.parse(decrypted);
+		} catch {
+			return null;
+		}
+	}
+	async set(provider, accountId, credential) {
+		const data = this.readFile();
+		const key = `${provider}::${accountId}`;
+		data.credentials[key] = this.encrypt(JSON.stringify(credential));
+		this.writeFile(data);
+	}
+	async delete(provider, accountId) {
+		const data = this.readFile();
+		const key = `${provider}::${accountId}`;
+		delete data.credentials[key];
+		this.writeFile(data);
+	}
+	async list(provider) {
+		const data = this.readFile();
+		const results = [];
+		for (const [key, entry] of Object.entries(data.credentials)) {
+			const [keyProvider] = key.split("::");
+			if (provider && keyProvider !== provider) continue;
+			try {
+				const decrypted = this.decrypt(entry);
+				results.push(JSON.parse(decrypted));
+			} catch {}
+		}
+		return results;
+	}
+	deriveKey(salt) {
+		return pbkdf2Sync(`${hostname()}:${userInfo().username}`, salt, PBKDF2_ITERATIONS, KEY_LENGTH, "sha512");
+	}
+	encrypt(plaintext) {
+		const salt = randomBytes(SALT_LENGTH);
+		const key = this.deriveKey(salt);
+		const iv = randomBytes(IV_LENGTH);
+		const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });
+		return {
+			data: Buffer.concat([
+				cipher.update(plaintext, "utf8"),
+				cipher.final(),
+				cipher.getAuthTag()
+			]).toString("base64"),
+			iv: iv.toString("base64"),
+			salt: salt.toString("base64")
+		};
+	}
+	decrypt(entry) {
+		const salt = Buffer.from(entry.salt, "base64");
+		const key = this.deriveKey(salt);
+		const iv = Buffer.from(entry.iv, "base64");
+		const raw = Buffer.from(entry.data, "base64");
+		const authTag = raw.subarray(raw.length - AUTH_TAG_LENGTH);
+		const ciphertext = raw.subarray(0, raw.length - AUTH_TAG_LENGTH);
+		const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });
+		decipher.setAuthTag(authTag);
+		return decipher.update(ciphertext) + decipher.final("utf8");
+	}
+	readFile() {
+		try {
+			const content = readFileSync(this.filePath, "utf8");
+			return JSON.parse(content);
+		} catch {
+			return {
+				version: 1,
+				credentials: {}
+			};
+		}
+	}
+	writeFile(data) {
+		mkdirSync(dirname(this.filePath), {
+			recursive: true,
+			mode: 448
+		});
+		writeFileSync(this.filePath, JSON.stringify(data, null, 2), { mode: 384 });
+	}
+};
+function homedir$1() {
+	return process.env.HOME ?? process.env.USERPROFILE ?? "/tmp";
+}
+//#endregion
+//#region src/storage/keychain-store.ts
+const SERVICE_NAME = "open-sub-auth";
+const INDEX_ACCOUNT = "__index__";
+/** Token store backed by the OS keychain via cross-keychain */
+var KeychainStore = class {
+	keychain = null;
+	async getKeychain() {
+		if (!this.keychain) this.keychain = await import("cross-keychain");
+		return this.keychain;
+	}
+	makeKey(provider, accountId) {
+		return `${provider}__${accountId}`;
+	}
+	async get(provider, accountId) {
+		const kc = await this.getKeychain();
+		try {
+			const value = await kc.getPassword(SERVICE_NAME, this.makeKey(provider, accountId));
+			if (!value) return null;
+			return JSON.parse(value);
+		} catch {
+			return null;
+		}
+	}
+	async set(provider, accountId, credential) {
+		const kc = await this.getKeychain();
+		const key = this.makeKey(provider, accountId);
+		const value = JSON.stringify(credential);
+		try {
+			await kc.deletePassword(SERVICE_NAME, key);
+		} catch {}
+		await kc.setPassword(SERVICE_NAME, key, value);
+		await this.addToIndex(key);
+	}
+	async delete(provider, accountId) {
+		const kc = await this.getKeychain();
+		const key = this.makeKey(provider, accountId);
+		try {
+			await kc.deletePassword(SERVICE_NAME, key);
+		} catch {}
+		await this.removeFromIndex(key);
+	}
+	async list(provider) {
+		const index = await this.getIndex();
+		const results = [];
+		for (const key of index) {
+			const [keyProvider, keyAccountId] = key.split("__");
+			if (provider && keyProvider !== provider) continue;
+			if (!keyProvider || !keyAccountId) continue;
+			const credential = await this.get(keyProvider, keyAccountId);
+			if (credential) results.push(credential);
+		}
+		return results;
+	}
+	async getIndex() {
+		const kc = await this.getKeychain();
+		try {
+			const value = await kc.getPassword(SERVICE_NAME, INDEX_ACCOUNT);
+			if (!value) return [];
+			return JSON.parse(value);
+		} catch {
+			return [];
+		}
+	}
+	async setIndex(index) {
+		const kc = await this.getKeychain();
+		try {
+			await kc.deletePassword(SERVICE_NAME, INDEX_ACCOUNT);
+		} catch {}
+		await kc.setPassword(SERVICE_NAME, INDEX_ACCOUNT, JSON.stringify(index));
+	}
+	async addToIndex(key) {
+		const index = await this.getIndex();
+		if (!index.includes(key)) {
+			index.push(key);
+			await this.setIndex(index);
+		}
+	}
+	async removeFromIndex(key) {
+		const filtered = (await this.getIndex()).filter((k) => k !== key);
+		await this.setIndex(filtered);
+	}
+};
+//#endregion
+//#region src/storage/store.ts
+/**
+* Create a token store, preferring the OS keychain with encrypted file fallback.
+* @param preferKeychain - If true (default), try keychain first
+*/
+async function createTokenStore(preferKeychain = true) {
+	if (preferKeychain) try {
+		const store = new KeychainStore();
+		await store.get("__probe__", "__probe__");
+		return store;
+	} catch {}
+	return new FileStore();
+}
+//#endregion
+//#region src/core/browser.ts
+/** Open a URL in the user's default browser. Does not throw on failure. */
+function openBrowser(url) {
+	const os = platform();
+	try {
+		if (os === "darwin") execFile("open", [url]);
+		else if (os === "win32") execFile("cmd", [
+			"/c",
+			"start",
+			"",
+			url
+		]);
+		else execFile("xdg-open", [url]);
+	} catch {}
+}
+//#endregion
+//#region src/core/callback-server.ts
+const SUCCESS_HTML = `<!DOCTYPE html>
+<html><head><meta charset="utf-8"><title>Authorization Successful</title>
+<style>body{font-family:system-ui,sans-serif;display:flex;justify-content:center;align-items:center;height:100vh;margin:0;background:#f8f9fa}
+.card{text-align:center;padding:2rem;border-radius:12px;background:white;box-shadow:0 2px 8px rgba(0,0,0,0.1)}
+h1{color:#22c55e;font-size:1.5rem}p{color:#666}</style></head>
+<body><div class="card"><h1>Authorization Successful</h1><p>You can close this window and return to the terminal.</p></div></body></html>`;
+const ERROR_HTML = `<!DOCTYPE html>
+<html><head><meta charset="utf-8"><title>Authorization Failed</title>
+<style>body{font-family:system-ui,sans-serif;display:flex;justify-content:center;align-items:center;height:100vh;margin:0;background:#f8f9fa}
+.card{text-align:center;padding:2rem;border-radius:12px;background:white;box-shadow:0 2px 8px rgba(0,0,0,0.1)}
+h1{color:#ef4444;font-size:1.5rem}p{color:#666}</style></head>
+<body><div class="card"><h1>Authorization Failed</h1><p>Something went wrong. Please try again.</p></div></body></html>`;
+/** Start a local HTTP server to receive the OAuth callback redirect */
+function startCallbackServer(options) {
+	const { expectedState, timeout = 12e4, path = "/callback" } = options;
+	const port = options.port ?? 0;
+	return new Promise((resolveSetup, _rejectSetup) => {
+		let server;
+		let timeoutId;
+		const resultPromise = new Promise((resolveResult, rejectResult) => {
+			server = createServer((req, res) => {
+				const url = new URL(req.url ?? "/", `http://localhost`);
+				if (url.pathname !== path) {
+					res.writeHead(404);
+					res.end("Not found");
+					return;
+				}
+				const code = url.searchParams.get("code");
+				const state = url.searchParams.get("state");
+				const error = url.searchParams.get("error");
+				if (error) {
+					const errorDesc = url.searchParams.get("error_description") ?? error;
+					res.writeHead(200, { "Content-Type": "text/html" });
+					res.end(ERROR_HTML);
+					cleanup();
+					rejectResult(new OAuthCallbackError(`OAuth error: ${errorDesc}`));
+					return;
+				}
+				if (!code) {
+					res.writeHead(200, { "Content-Type": "text/html" });
+					res.end(ERROR_HTML);
+					cleanup();
+					rejectResult(new OAuthCallbackError("No authorization code in callback"));
+					return;
+				}
+				if (state && state !== expectedState) {
+					res.writeHead(200, { "Content-Type": "text/html" });
+					res.end(ERROR_HTML);
+					cleanup();
+					rejectResult(new OAuthCallbackError("State mismatch — possible CSRF attack. Please try again."));
+					return;
+				}
+				res.writeHead(200, { "Content-Type": "text/html" });
+				res.end(SUCCESS_HTML);
+				cleanup();
+				resolveResult({
+					code,
+					state: state ?? expectedState
+				});
+			});
+			const cleanup = () => {
+				if (timeoutId) clearTimeout(timeoutId);
+				server.close();
+			};
+			timeoutId = setTimeout(() => {
+				cleanup();
+				rejectResult(new OAuthTimeoutError(timeout));
+			}, timeout);
+			server.on("error", (err) => {
+				cleanup();
+				rejectResult(new OAuthCallbackError(`Callback server error: ${err.message}`));
+			});
+			server.listen(port, "127.0.0.1", () => {
+				const addr = server.address();
+				resolveSetup({
+					result: resultPromise,
+					port: typeof addr === "object" && addr ? addr.port : port,
+					close: cleanup
+				});
+			});
+		});
+	});
+}
+//#endregion
+//#region src/core/crypto.ts
+/** Generate a cryptographically random PKCE code verifier (43-128 chars, base64url) */
+function generateCodeVerifier() {
+	return randomBytes(32).toString("base64url");
+}
+/** Generate a PKCE code challenge from a verifier using S256 method */
+function generateCodeChallenge(verifier) {
+	return createHash("sha256").update(verifier).digest("base64url");
+}
+/** Generate both PKCE code verifier and challenge */
+function generatePKCE() {
+	const codeVerifier = generateCodeVerifier();
+	return {
+		codeVerifier,
+		codeChallenge: generateCodeChallenge(codeVerifier)
+	};
+}
+/** Generate a random state parameter for CSRF protection */
+function generateState() {
+	return randomBytes(32).toString("base64url");
+}
+//#endregion
+//#region src/core/manual-code-input.ts
+/**
+* Parse a "code#state" string (Anthropic's manual paste format).
+* Also supports a plain authorization code (state validated separately).
+*/
+function parseCodeAndState(input, expectedState) {
+	const trimmed = input.trim();
+	if (!trimmed) throw new OAuthCallbackError("Empty authorization code input");
+	const hashIndex = trimmed.indexOf("#");
+	if (hashIndex !== -1) {
+		const code = trimmed.slice(0, hashIndex);
+		const state = trimmed.slice(hashIndex + 1);
+		if (!code) throw new OAuthCallbackError("Empty authorization code in code#state input");
+		if (state !== expectedState) throw new StateMismatchError();
+		return {
+			code,
+			state
+		};
+	}
+	return {
+		code: trimmed,
+		state: expectedState
+	};
+}
+/** Prompt the user to paste the authorization code from their browser */
+function promptForCode(expectedState) {
+	return new Promise((resolve, reject) => {
+		const rl = createInterface({
+			input: process.stdin,
+			output: process.stderr
+		});
+		rl.question("Paste the authorization code (or code#state) from your browser: ", (answer) => {
+			rl.close();
+			try {
+				resolve(parseCodeAndState(answer, expectedState));
+			} catch (err) {
+				reject(err);
+			}
+		});
+	});
+}
+//#endregion
+//#region src/core/oauth-pkce.ts
+/** Build the full OAuth authorization URL with PKCE and state params */
+function buildAuthorizationUrl(config, codeChallenge, state, redirectUri) {
+	if (!config.authorizationEndpoint) throw new OAuthCallbackError(`Provider "${config.name}" has no authorization endpoint`);
+	const url = new URL(config.authorizationEndpoint);
+	url.searchParams.set("response_type", "code");
+	url.searchParams.set("client_id", config.clientId);
+	url.searchParams.set("redirect_uri", redirectUri);
+	url.searchParams.set("code_challenge", codeChallenge);
+	url.searchParams.set("code_challenge_method", "S256");
+	url.searchParams.set("state", state);
+	if (config.scopes?.length) url.searchParams.set("scope", config.scopes.join(" "));
+	return url.toString();
+}
+/** Exchange an authorization code for tokens */
+async function exchangeCode(config, code, codeVerifier, redirectUri, state) {
+	const useJson = config.tokenBodyFormat === "json";
+	const params = {
+		grant_type: "authorization_code",
+		code,
+		code_verifier: codeVerifier,
+		client_id: config.clientId,
+		redirect_uri: redirectUri
+	};
+	if (state !== void 0) params.state = state;
+	const response = await fetch(config.tokenEndpoint, {
+		method: "POST",
+		headers: { "Content-Type": useJson ? "application/json" : "application/x-www-form-urlencoded" },
+		body: useJson ? JSON.stringify(params) : new URLSearchParams(params).toString()
+	});
+	if (!response.ok) {
+		const errorText = await response.text();
+		throw new OAuthCallbackError(`Token exchange failed (${response.status}): ${errorText}`);
+	}
+	return parseTokenResponse(await response.json());
+}
+/** Refresh an access token using a refresh token */
+async function refreshAccessToken(config, refreshToken) {
+	const useJson = config.tokenBodyFormat === "json";
+	const params = {
+		grant_type: "refresh_token",
+		refresh_token: refreshToken,
+		client_id: config.clientId
+	};
+	const response = await fetch(config.tokenEndpoint, {
+		method: "POST",
+		headers: { "Content-Type": useJson ? "application/json" : "application/x-www-form-urlencoded" },
+		body: useJson ? JSON.stringify(params) : new URLSearchParams(params).toString()
+	});
+	if (!response.ok) {
+		const errorText = await response.text();
+		throw new OAuthCallbackError(`Token refresh failed (${response.status}): ${errorText}`);
+	}
+	return parseTokenResponse(await response.json());
+}
+/** Execute the full PKCE flow: generate params, open browser, wait for callback, exchange code */
+async function executePKCEFlow(options) {
+	const { config, loginOptions } = options;
+	const { codeVerifier, codeChallenge } = generatePKCE();
+	const state = config.stateIsVerifier ? codeVerifier : generateState();
+	const manual = loginOptions?.manual ?? false;
+	let authResult;
+	let redirectUri;
+	if (manual && options.manualRedirectUri) {
+		redirectUri = options.manualRedirectUri;
+		const authUrl = buildAuthorizationUrl(config, codeChallenge, state, redirectUri);
+		if (loginOptions?.onOpenBrowser) loginOptions.onOpenBrowser(authUrl);
+		else openBrowser(authUrl);
+		process.stderr.write(`\nOpen this URL in your browser if it didn't open automatically:\n${authUrl}\n\n`);
+		authResult = await promptForCode(state);
+	} else {
+		const server = await startCallbackServer({
+			port: loginOptions?.port ?? 0,
+			expectedState: state,
+			timeout: loginOptions?.timeout ?? 12e4
+		});
+		redirectUri = `http://127.0.0.1:${server.port}/callback`;
+		const authUrl = buildAuthorizationUrl(config, codeChallenge, state, redirectUri);
+		if (loginOptions?.onOpenBrowser) loginOptions.onOpenBrowser(authUrl);
+		else openBrowser(authUrl);
+		process.stderr.write(`\nOpen this URL in your browser if it didn't open automatically:\n${authUrl}\n\nWaiting for authorization...\n`);
+		try {
+			authResult = await server.result;
+		} catch (err) {
+			server.close();
+			throw err;
+		}
+	}
+	const exchangeState = config.tokenBodyFormat === "json" ? authResult.state : void 0;
+	return exchangeCode(config, authResult.code, codeVerifier, redirectUri, exchangeState);
+}
+function parseTokenResponse(data) {
+	const accessToken = data.access_token;
+	if (!accessToken) throw new OAuthCallbackError("No access_token in token response");
+	const expiresIn = data.expires_in ?? 3600;
+	const expiresAt = Date.now() + expiresIn * 1e3;
+	return {
+		accessToken,
+		refreshToken: data.refresh_token ?? null,
+		expiresAt,
+		idToken: data.id_token,
+		tokenType: (data.token_type ?? "bearer").toLowerCase(),
+		scopes: data.scope ? data.scope.split(" ") : void 0,
+		raw: data
+	};
+}
+//#endregion
+//#region src/providers/claude.ts
+const CLAUDE_CONFIG = {
+	name: "claude",
+	displayName: "Claude Pro/Max",
+	authorizationEndpoint: "https://claude.ai/oauth/authorize",
+	tokenEndpoint: "https://console.anthropic.com/v1/oauth/token",
+	clientId: "9d1c250a-e61b-44d9-88ed-5944d1962f5e",
+	scopes: [
+		"org:create_api_key",
+		"user:profile",
+		"user:inference"
+	],
+	grantType: "authorization_code",
+	tokenBodyFormat: "json",
+	stateIsVerifier: true
+};
+/** Redirect URI used in manual/headless mode (user copies code from browser) */
+const MANUAL_REDIRECT_URI = "https://console.anthropic.com/oauth/code/callback";
+var ClaudeProvider = class {
+	config = CLAUDE_CONFIG;
+	async login(options) {
+		return executePKCEFlow({
+			config: this.config,
+			loginOptions: {
+				...options,
+				manual: true
+			},
+			manualRedirectUri: MANUAL_REDIRECT_URI
+		});
+	}
+	async refresh(refreshToken) {
+		return refreshAccessToken(this.config, refreshToken);
+	}
+	getAuthHeaders(accessToken) {
+		return {
+			authorization: `Bearer ${accessToken}`,
+			"anthropic-version": "2023-06-01",
+			"anthropic-beta": "oauth-2025-04-20",
+			"content-type": "application/json"
+		};
+	}
+	getAccountId(tokenSet) {
+		const source = tokenSet.refreshToken ?? tokenSet.accessToken;
+		return createHash("sha256").update(source).digest("hex").slice(0, 16);
+	}
+	getAccountLabel(_tokenSet) {}
+};
+registerProvider("claude", () => new ClaudeProvider());
+//#endregion
+//#region src/token/jwt.ts
+/**
+* Decode a JWT token's payload without verifying the signature.
+* Used to extract user info from id_tokens (e.g., OpenAI).
+*/
+function decodeJWT(token) {
+	const parts = token.split(".");
+	if (parts.length !== 3) throw new Error("Invalid JWT format: expected 3 parts");
+	const payload = parts[1];
+	if (!payload) throw new Error("Invalid JWT: empty payload");
+	const padded = payload.replace(/-/g, "+").replace(/_/g, "/");
+	const decoded = Buffer.from(padded, "base64").toString("utf8");
+	return JSON.parse(decoded);
+}
+//#endregion
+//#region src/providers/openai-codex.ts
+const OPENAI_CODEX_CONFIG = {
+	name: "openai-codex",
+	displayName: "OpenAI ChatGPT Plus/Pro",
+	authorizationEndpoint: "https://auth.openai.com/oauth/authorize",
+	tokenEndpoint: "https://auth.openai.com/oauth/token",
+	clientId: "app_EMoamEEZ73f0CkXaXp7hrann",
+	redirectUri: "http://localhost:1455/auth/callback",
+	scopes: [
+		"openid",
+		"profile",
+		"email",
+		"offline_access"
+	],
+	grantType: "authorization_code"
+};
+var OpenAICodexProvider = class {
+	config = OPENAI_CODEX_CONFIG;
+	async login(options) {
+		return executePKCEFlow({
+			config: this.config,
+			loginOptions: {
+				...options,
+				port: options?.port ?? 1455
+			}
+		});
+	}
+	async refresh(refreshToken) {
+		return refreshAccessToken(this.config, refreshToken);
+	}
+	getAuthHeaders(accessToken) {
+		return {
+			authorization: `Bearer ${accessToken}`,
+			"content-type": "application/json"
+		};
+	}
+	getAccountId(tokenSet) {
+		if (tokenSet.idToken) try {
+			const claims = decodeJWT(tokenSet.idToken);
+			if (claims.sub) return claims.sub;
+		} catch {}
+		return createHash("sha256").update(tokenSet.accessToken).digest("hex").slice(0, 16);
+	}
+	getAccountLabel(tokenSet) {
+		if (tokenSet.idToken) try {
+			const claims = decodeJWT(tokenSet.idToken);
+			if (claims.email) return claims.email;
+		} catch {}
+	}
+};
+/**
+* Import tokens from an existing Codex CLI installation.
+* Reads from ~/.codex/auth.json or $CODEX_HOME/auth.json.
+*/
+function importFromCodexCli() {
+	const paths = [process.env.CODEX_HOME ? join(process.env.CODEX_HOME, "auth.json") : null, join(homedir(), ".codex", "auth.json")].filter(Boolean);
+	for (const filePath of paths) {
+		if (!existsSync(filePath)) continue;
+		try {
+			const content = readFileSync(filePath, "utf8");
+			const data = JSON.parse(content);
+			if (!data.tokens?.access_token) continue;
+			return {
+				accessToken: data.tokens.access_token,
+				refreshToken: data.tokens.refresh_token ?? null,
+				expiresAt: Date.now() + 36e5,
+				idToken: data.tokens.id_token,
+				tokenType: "bearer"
+			};
+		} catch {
+			continue;
+		}
+	}
+	return null;
+}
+registerProvider("openai-codex", () => new OpenAICodexProvider());
+//#endregion
+export { AuthenticationError, ClaudeProvider, FileStore, KeychainStore, NoCredentialError, OAuthCallbackError, OAuthTimeoutError, OpenAICodexProvider, OpenSubAuthError, ProviderNotFoundError, StateMismatchError, TokenExpiredError, TokenManager, TokenRefreshError, buildAuthorizationUrl, createTokenStore, decodeJWT, exchangeCode, executePKCEFlow, generateCodeChallenge, generateCodeVerifier, generatePKCE, generateState, getProvider, importFromCodexCli, listProviders, openBrowser, parseCodeAndState, promptForCode, refreshAccessToken, registerProvider, startCallbackServer };
+
+//# sourceMappingURL=index.mjs.map