npm - @ouro.bot/cli - Versions diffs - 0.1.0-alpha.123 → 0.1.0-alpha.124 - Mend

@ouro.bot/cli 0.1.0-alpha.123 → 0.1.0-alpha.124

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/changelog.json +6 -0
package/dist/heart/daemon/auth-flow.js +2 -0
package/dist/heart/providers/anthropic-token.js +163 -0
package/dist/heart/providers/anthropic.js +70 -11
package/package.json +1 -1

package/changelog.json CHANGED Viewed

@@ -1,6 +1,12 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.124",
+      "changes": [
+        "Anthropic OAuth tokens now auto-refresh before expiry. The provider checks token freshness before each turn, exchanges the refresh token for a new access token, and persists the result. No more 400 errors from expired setup tokens."
+      ]
+    },
     {
       "version": "0.1.0-alpha.123",
       "changes": [

package/dist/heart/daemon/auth-flow.js CHANGED Viewed

@@ -65,6 +65,8 @@ const DEFAULT_SECRETS_TEMPLATE = {
         anthropic: {
             model: "claude-opus-4-6",
             setupToken: "",
+            refreshToken: "",
+            expiresAt: 0,
         },
         "openai-codex": {
             model: "gpt-5.4",

package/dist/heart/providers/anthropic-token.js ADDED Viewed

@@ -0,0 +1,163 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.needsRefresh = needsRefresh;
+exports.refreshAnthropicToken = refreshAnthropicToken;
+exports.persistTokenState = persistTokenState;
+exports.ensureFreshToken = ensureFreshToken;
+/* v8 ignore start -- OAuth token lifecycle: requires live API calls, tested via integration @preserve */
+const fs = __importStar(require("fs"));
+const runtime_1 = require("../../nerves/runtime");
+const identity_1 = require("../identity");
+const OAUTH_TOKEN_ENDPOINT = "https://console.anthropic.com/v1/oauth/token";
+const OAUTH_CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
+const REFRESH_MARGIN_MS = 5 * 60 * 1000; // refresh 5 minutes before expiry
+/**
+ * Check if the Anthropic OAuth token needs refreshing.
+ * Returns true if no expiresAt is set (legacy token) or if within 5 min of expiry.
+ */
+function needsRefresh(expiresAt) {
+    if (!expiresAt)
+        return true; // legacy token with no expiry — always try refresh
+    return Date.now() > expiresAt - REFRESH_MARGIN_MS;
+}
+/**
+ * Refresh an Anthropic OAuth access token using the refresh token.
+ * Returns the new token state or null if refresh fails.
+ */
+async function refreshAnthropicToken(refreshToken, fetchImpl = fetch) {
+    try {
+        const response = await fetchImpl(OAUTH_TOKEN_ENDPOINT, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                grant_type: "refresh_token",
+                refresh_token: refreshToken,
+                client_id: OAUTH_CLIENT_ID,
+            }),
+        });
+        if (!response.ok) {
+            (0, runtime_1.emitNervesEvent)({
+                level: "warn",
+                component: "engine",
+                event: "engine.anthropic_token_refresh_failed",
+                message: `token refresh failed: ${response.status}`,
+                meta: { status: response.status },
+            });
+            return null;
+        }
+        const json = await response.json();
+        if (!json.access_token) {
+            (0, runtime_1.emitNervesEvent)({
+                level: "warn",
+                component: "engine",
+                event: "engine.anthropic_token_refresh_failed",
+                message: "token refresh returned no access_token",
+                meta: {},
+            });
+            return null;
+        }
+        const state = {
+            accessToken: json.access_token,
+            refreshToken: json.refresh_token ?? refreshToken, // keep old if not returned
+            expiresAt: Date.now() + (json.expires_in ?? 28800) * 1000, // default 8h
+        };
+        (0, runtime_1.emitNervesEvent)({
+            component: "engine",
+            event: "engine.anthropic_token_refreshed",
+            message: "anthropic OAuth token refreshed",
+            meta: { expiresAt: new Date(state.expiresAt).toISOString() },
+        });
+        return state;
+    }
+    catch (error) {
+        (0, runtime_1.emitNervesEvent)({
+            level: "warn",
+            component: "engine",
+            event: "engine.anthropic_token_refresh_error",
+            message: "token refresh threw",
+            meta: { error: error instanceof Error ? error.message : String(error) },
+        });
+        return null;
+    }
+}
+/**
+ * Persist refreshed token state back to secrets.json.
+ */
+function persistTokenState(agentName, state) {
+    try {
+        const secretsPath = (0, identity_1.getAgentSecretsPath)(agentName);
+        const raw = fs.readFileSync(secretsPath, "utf-8");
+        const secrets = JSON.parse(raw);
+        secrets.providers = secrets.providers ?? {};
+        secrets.providers.anthropic = secrets.providers.anthropic ?? {};
+        secrets.providers.anthropic.setupToken = state.accessToken;
+        secrets.providers.anthropic.refreshToken = state.refreshToken;
+        secrets.providers.anthropic.expiresAt = state.expiresAt;
+        fs.writeFileSync(secretsPath, JSON.stringify(secrets, null, 2) + "\n", "utf-8");
+        /* v8 ignore start -- defensive: persistence failure must not crash the provider @preserve */
+    }
+    catch (error) {
+        (0, runtime_1.emitNervesEvent)({
+            level: "warn",
+            component: "engine",
+            event: "engine.anthropic_token_persist_error",
+            message: "failed to persist refreshed token",
+            meta: { error: error instanceof Error ? error.message : String(error) },
+        });
+    }
+    /* v8 ignore stop */
+}
+/**
+ * Ensure the Anthropic token is fresh. If expired, refresh and persist.
+ * Returns the current valid access token, or null if refresh failed and
+ * the existing token is expired.
+ */
+async function ensureFreshToken(currentToken, refreshToken, expiresAt, agentName, fetchImpl) {
+    if (!needsRefresh(expiresAt)) {
+        return currentToken; // still fresh
+    }
+    if (!refreshToken) {
+        // No refresh token — use the current token as-is (may be expired)
+        return currentToken;
+    }
+    const newState = await refreshAnthropicToken(refreshToken, fetchImpl);
+    if (!newState) {
+        return currentToken; // refresh failed — try the old token
+    }
+    persistTokenState(agentName, newState);
+    return newState.accessToken;
+}
+/* v8 ignore stop */

package/dist/heart/providers/anthropic.js CHANGED Viewed

@@ -1,4 +1,37 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
@@ -389,18 +422,43 @@ function createAnthropicProviderRuntime(config) {
     if (modelCaps.reasoningEffort)
         capabilities.add("reasoning-effort");
     const credential = resolveAnthropicSetupTokenCredential();
-    const client = new sdk_1.default({
-        authToken: credential.token,
-        timeout: 30000,
-        maxRetries: 0,
-        defaultHeaders: {
-            "anthropic-beta": ANTHROPIC_OAUTH_BETA_HEADER,
-        },
-    });
+    const fullConfig = config ?? (0, config_1.getAnthropicConfig)();
+    const refreshToken = fullConfig.refreshToken;
+    const expiresAt = fullConfig.expiresAt;
+    function createClient(token) {
+        return new sdk_1.default({
+            authToken: token,
+            timeout: 30000,
+            maxRetries: 0,
+            defaultHeaders: {
+                "anthropic-beta": ANTHROPIC_OAUTH_BETA_HEADER,
+            },
+        });
+    }
+    let currentToken = credential.token;
+    let client = createClient(currentToken);
+    /* v8 ignore start -- token refresh: dynamic import + ensureFreshToken, tested via integration @preserve */
+    async function ensureClient() {
+        try {
+            const { ensureFreshToken } = await Promise.resolve().then(() => __importStar(require("./anthropic-token")));
+            const { getAgentName } = await Promise.resolve().then(() => __importStar(require("../identity")));
+            const freshToken = await ensureFreshToken(currentToken, refreshToken, expiresAt, getAgentName());
+            if (freshToken !== currentToken) {
+                currentToken = freshToken;
+                client = createClient(freshToken);
+            }
+        }
+        catch {
+            // refresh failed — use existing client
+        }
+        return client;
+    }
+    /* v8 ignore stop */
     return {
         id: "anthropic",
         model: anthropicConfig.model,
-        client,
+        /* v8 ignore next -- getter: returns mutable client ref @preserve */
+        get client() { return client; },
         capabilities,
         supportedReasoningEfforts: modelCaps.reasoningEffort,
         resetTurnState(_messages) {
@@ -409,8 +467,9 @@ function createAnthropicProviderRuntime(config) {
         appendToolOutput(_callId, _output) {
             // Anthropic uses canonical messages for tool_result tracking.
         },
-        streamTurn(request) {
-            return streamAnthropicMessages(client, anthropicConfig.model, request);
+        async streamTurn(request) {
+            const freshClient = await ensureClient();
+            return streamAnthropicMessages(freshClient, anthropicConfig.model, request);
         },
         /* v8 ignore next 3 -- delegation: classification logic tested via classifyAnthropicError @preserve */
         classifyError(error) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.123",
+  "version": "0.1.0-alpha.124",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",