@phi-code-admin/phi-code 0.74.2 → 0.75.0

package/dist/core/api-key-store.d.ts

@@ -0,0 +1,87 @@
+/**
+ * API Key Store - Centralized storage and hot-reload for provider API keys.
+ *
+ * Per Q5 strategy C: explicit /keys command + file watcher both supported.
+ * Per Q6 strategy A: keys stored in plain text in ~/.phi/agent/models.json
+ * with chmod 0600 on Unix and clear warnings to users.
+ *
+ * Storage format: models.json providers.<id>.apiKey contains the key value
+ * directly (not an env var reference). Resolution priority:
+ *   1. Value in models.json (if non-empty)
+ *   2. process.env[envVar] (legacy fallback)
+ *
+ * Events emitted via the EventEmitter:
+ *   - "key_changed" { provider, key }  : when setKey() or external edit detected
+ *   - "key_removed" { provider }       : when removeKey() called
+ *   - "store_reloaded"                 : when reloadFromDisk() succeeds
+ */
+import { EventEmitter } from "node:events";
+export interface ProviderConfigPersisted {
+    baseUrl?: string;
+    api?: string;
+    apiKey?: string;
+    headers?: Record<string, string>;
+    authHeader?: boolean;
+    models?: unknown[];
+    modelOverrides?: Record<string, unknown>;
+}
+export interface ModelsConfigPersisted {
+    $comment?: string;
+    providers: Record<string, ProviderConfigPersisted>;
+}
+export interface ApiKeyStoreOptions {
+    configPath?: string;
+}
+export declare class ApiKeyStore extends EventEmitter {
+    readonly configPath: string;
+    private config;
+    private loaded;
+    constructor(options?: ApiKeyStoreOptions);
+    /**
+     * Load config from disk. Creates an empty file if missing.
+     */
+    load(): ModelsConfigPersisted;
+    /**
+     * Reload from disk and emit "store_reloaded".
+     */
+    reloadFromDisk(): void;
+    /**
+     * Get the API key for a provider, with env-var fallback.
+     * Returns undefined if neither source has a value.
+     */
+    getKey(providerId: string, envVar?: string): string | undefined;
+    /**
+     * Get the full provider config block for a provider.
+     */
+    getProvider(providerId: string): ProviderConfigPersisted | undefined;
+    /**
+     * List all configured provider IDs.
+     */
+    listProviders(): string[];
+    /**
+     * Set the API key for a provider. Creates the provider entry if missing.
+     * Performs atomic write (tmp + rename) and chmod 0600 on Unix.
+     * Emits "key_changed" event.
+     */
+    setKey(providerId: string, key: string, providerConfig?: Partial<ProviderConfigPersisted>): void;
+    /**
+     * Remove the API key for a provider (but keep the rest of the provider config).
+     * Emits "key_removed" event.
+     */
+    removeKey(providerId: string): void;
+    /**
+     * Mask an API key for display (preserves length info without exposing the secret).
+     */
+    static maskKey(key: string | undefined): string;
+    /**
+     * Atomic write of the config to disk:
+     *   1. Ensure parent dir exists
+     *   2. Write to <path>.tmp
+     *   3. Rename to <path> (atomic on POSIX)
+     *   4. Apply chmod 0600 on Unix (silently skip on Windows)
+     */
+    private persist;
+}
+export declare function getApiKeyStore(options?: ApiKeyStoreOptions): ApiKeyStore;
+export declare function _resetApiKeyStore(): void;
+//# sourceMappingURL=api-key-store.d.ts.map

package/dist/core/api-key-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-key-store.d.ts","sourceRoot":"","sources":["../../src/core/api-key-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAK3C,MAAM,WAAW,uBAAuB;IACvC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,MAAM,CAAC,EAAE,OAAO,EAAE,CAAC;IACnB,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACzC;AAED,MAAM,WAAW,qBAAqB;IACrC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,uBAAuB,CAAC,CAAC;CACnD;AAED,MAAM,WAAW,kBAAkB;IAClC,UAAU,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,qBAAa,WAAY,SAAQ,YAAY;IAC5C,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,OAAO,CAAC,MAAM,CAA4C;IAC1D,OAAO,CAAC,MAAM,CAAS;IAEvB,YAAY,OAAO,GAAE,kBAAuB,EAG3C;IAED;;OAEG;IACH,IAAI,IAAI,qBAAqB,CAgB5B;IAED;;OAEG;IACH,cAAc,IAAI,IAAI,CAGrB;IAED;;;OAGG;IACH,MAAM,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAM9D;IAED;;OAEG;IACH,WAAW,CAAC,UAAU,EAAE,MAAM,GAAG,uBAAuB,GAAG,SAAS,CAGnE;IAED;;OAEG;IACH,aAAa,IAAI,MAAM,EAAE,CAGxB;IAED;;;;OAIG;IACH,MAAM,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,uBAAuB,CAAC,GAAG,IAAI,CAU/F;IAED;;;OAGG;IACH,SAAS,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAQlC;IAED;;OAEG;IACH,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,CAM9C;IAED;;;;;;OAMG;IACH,OAAO,CAAC,OAAO;CAef;AAID,wBAAgB,cAAc,CAAC,OAAO,CAAC,EAAE,kBAAkB,GAAG,WAAW,CAKxE;AAED,wBAAgB,iBAAiB,IAAI,IAAI,CAExC","sourcesContent":["/**\n * API Key Store - Centralized storage and hot-reload for provider API keys.\n *\n * Per Q5 strategy C: explicit /keys command + file watcher both supported.\n * Per Q6 strategy A: keys stored in plain text in ~/.phi/agent/models.json\n * with chmod 0600 on Unix and clear warnings to users.\n *\n * Storage format: models.json providers.<id>.apiKey contains the key value\n * directly (not an env var reference). Resolution priority:\n *   1. Value in models.json (if non-empty)\n *   2. process.env[envVar] (legacy fallback)\n *\n * Events emitted via the EventEmitter:\n *   - \"key_changed\" { provider, key }  : when setKey() or external edit detected\n *   - \"key_removed\" { provider }       : when removeKey() called\n *   - \"store_reloaded\"                 : when reloadFromDisk() succeeds\n */\n\nimport { EventEmitter } from \"node:events\";\nimport { chmodSync, existsSync, mkdirSync, readFileSync, renameSync, writeFileSync } from \"node:fs\";\nimport { homedir } from \"node:os\";\nimport { dirname, join } from \"node:path\";\n\nexport interface ProviderConfigPersisted {\n\tbaseUrl?: string;\n\tapi?: string;\n\tapiKey?: string;\n\theaders?: Record<string, string>;\n\tauthHeader?: boolean;\n\tmodels?: unknown[];\n\tmodelOverrides?: Record<string, unknown>;\n}\n\nexport interface ModelsConfigPersisted {\n\t$comment?: string;\n\tproviders: Record<string, ProviderConfigPersisted>;\n}\n\nexport interface ApiKeyStoreOptions {\n\tconfigPath?: string;\n}\n\nexport class ApiKeyStore extends EventEmitter {\n\treadonly configPath: string;\n\tprivate config: ModelsConfigPersisted = { providers: {} };\n\tprivate loaded = false;\n\n\tconstructor(options: ApiKeyStoreOptions = {}) {\n\t\tsuper();\n\t\tthis.configPath = options.configPath ?? join(homedir(), \".phi\", \"agent\", \"models.json\");\n\t}\n\n\t/**\n\t * Load config from disk. Creates an empty file if missing.\n\t */\n\tload(): ModelsConfigPersisted {\n\t\ttry {\n\t\t\tif (!existsSync(this.configPath)) {\n\t\t\t\treturn this.config;\n\t\t\t}\n\t\t\tconst raw = readFileSync(this.configPath, \"utf-8\");\n\t\t\tconst parsed = JSON.parse(raw) as ModelsConfigPersisted;\n\t\t\tif (!parsed.providers || typeof parsed.providers !== \"object\") {\n\t\t\t\tparsed.providers = {};\n\t\t\t}\n\t\t\tthis.config = parsed;\n\t\t\tthis.loaded = true;\n\t\t\treturn this.config;\n\t\t} catch (err) {\n\t\t\tthrow new Error(`Failed to load ${this.configPath}: ${err instanceof Error ? err.message : String(err)}`);\n\t\t}\n\t}\n\n\t/**\n\t * Reload from disk and emit \"store_reloaded\".\n\t */\n\treloadFromDisk(): void {\n\t\tthis.load();\n\t\tthis.emit(\"store_reloaded\");\n\t}\n\n\t/**\n\t * Get the API key for a provider, with env-var fallback.\n\t * Returns undefined if neither source has a value.\n\t */\n\tgetKey(providerId: string, envVar?: string): string | undefined {\n\t\tif (!this.loaded) this.load();\n\t\tconst stored = this.config.providers[providerId]?.apiKey?.trim();\n\t\tif (stored && stored.length > 0 && !stored.startsWith(\"$\")) return stored;\n\t\tif (envVar) return process.env[envVar]?.trim() || undefined;\n\t\treturn undefined;\n\t}\n\n\t/**\n\t * Get the full provider config block for a provider.\n\t */\n\tgetProvider(providerId: string): ProviderConfigPersisted | undefined {\n\t\tif (!this.loaded) this.load();\n\t\treturn this.config.providers[providerId];\n\t}\n\n\t/**\n\t * List all configured provider IDs.\n\t */\n\tlistProviders(): string[] {\n\t\tif (!this.loaded) this.load();\n\t\treturn Object.keys(this.config.providers);\n\t}\n\n\t/**\n\t * Set the API key for a provider. Creates the provider entry if missing.\n\t * Performs atomic write (tmp + rename) and chmod 0600 on Unix.\n\t * Emits \"key_changed\" event.\n\t */\n\tsetKey(providerId: string, key: string, providerConfig?: Partial<ProviderConfigPersisted>): void {\n\t\tif (!this.loaded) this.load();\n\t\tconst existing = this.config.providers[providerId] ?? {};\n\t\tthis.config.providers[providerId] = {\n\t\t\t...existing,\n\t\t\t...providerConfig,\n\t\t\tapiKey: key,\n\t\t};\n\t\tthis.persist();\n\t\tthis.emit(\"key_changed\", { provider: providerId, key });\n\t}\n\n\t/**\n\t * Remove the API key for a provider (but keep the rest of the provider config).\n\t * Emits \"key_removed\" event.\n\t */\n\tremoveKey(providerId: string): void {\n\t\tif (!this.loaded) this.load();\n\t\tconst existing = this.config.providers[providerId];\n\t\tif (!existing) return;\n\t\tconst { apiKey: _removed, ...rest } = existing;\n\t\tthis.config.providers[providerId] = rest;\n\t\tthis.persist();\n\t\tthis.emit(\"key_removed\", { provider: providerId });\n\t}\n\n\t/**\n\t * Mask an API key for display (preserves length info without exposing the secret).\n\t */\n\tstatic maskKey(key: string | undefined): string {\n\t\tif (!key) return \"(not set)\";\n\t\tconst trimmed = key.trim();\n\t\tif (trimmed.length === 0) return \"(empty)\";\n\t\tif (trimmed.length <= 8) return \"********\";\n\t\treturn `${trimmed.slice(0, 6)}...${trimmed.slice(-4)}`;\n\t}\n\n\t/**\n\t * Atomic write of the config to disk:\n\t *   1. Ensure parent dir exists\n\t *   2. Write to <path>.tmp\n\t *   3. Rename to <path> (atomic on POSIX)\n\t *   4. Apply chmod 0600 on Unix (silently skip on Windows)\n\t */\n\tprivate persist(): void {\n\t\tconst parent = dirname(this.configPath);\n\t\tmkdirSync(parent, { recursive: true });\n\t\tconst tmpPath = `${this.configPath}.tmp`;\n\t\tconst payload = `${JSON.stringify(this.config, null, 2)}\\n`;\n\t\twriteFileSync(tmpPath, payload, \"utf-8\");\n\t\trenameSync(tmpPath, this.configPath);\n\t\tif (process.platform !== \"win32\") {\n\t\t\ttry {\n\t\t\t\tchmodSync(this.configPath, 0o600);\n\t\t\t} catch {\n\t\t\t\t// chmod may fail on some filesystems (eg WSL); non-critical\n\t\t\t}\n\t\t}\n\t}\n}\n\n/** Module-level singleton for convenience. */\nlet _singleton: ApiKeyStore | null = null;\nexport function getApiKeyStore(options?: ApiKeyStoreOptions): ApiKeyStore {\n\tif (!_singleton || (options?.configPath && _singleton.configPath !== options.configPath)) {\n\t\t_singleton = new ApiKeyStore(options);\n\t}\n\treturn _singleton;\n}\n\nexport function _resetApiKeyStore(): void {\n\t_singleton = null;\n}\n"]}

package/dist/core/api-key-store.js

@@ -0,0 +1,168 @@
+/**
+ * API Key Store - Centralized storage and hot-reload for provider API keys.
+ *
+ * Per Q5 strategy C: explicit /keys command + file watcher both supported.
+ * Per Q6 strategy A: keys stored in plain text in ~/.phi/agent/models.json
+ * with chmod 0600 on Unix and clear warnings to users.
+ *
+ * Storage format: models.json providers.<id>.apiKey contains the key value
+ * directly (not an env var reference). Resolution priority:
+ *   1. Value in models.json (if non-empty)
+ *   2. process.env[envVar] (legacy fallback)
+ *
+ * Events emitted via the EventEmitter:
+ *   - "key_changed" { provider, key }  : when setKey() or external edit detected
+ *   - "key_removed" { provider }       : when removeKey() called
+ *   - "store_reloaded"                 : when reloadFromDisk() succeeds
+ */
+import { EventEmitter } from "node:events";
+import { chmodSync, existsSync, mkdirSync, readFileSync, renameSync, writeFileSync } from "node:fs";
+import { homedir } from "node:os";
+import { dirname, join } from "node:path";
+export class ApiKeyStore extends EventEmitter {
+    configPath;
+    config = { providers: {} };
+    loaded = false;
+    constructor(options = {}) {
+        super();
+        this.configPath = options.configPath ?? join(homedir(), ".phi", "agent", "models.json");
+    }
+    /**
+     * Load config from disk. Creates an empty file if missing.
+     */
+    load() {
+        try {
+            if (!existsSync(this.configPath)) {
+                return this.config;
+            }
+            const raw = readFileSync(this.configPath, "utf-8");
+            const parsed = JSON.parse(raw);
+            if (!parsed.providers || typeof parsed.providers !== "object") {
+                parsed.providers = {};
+            }
+            this.config = parsed;
+            this.loaded = true;
+            return this.config;
+        }
+        catch (err) {
+            throw new Error(`Failed to load ${this.configPath}: ${err instanceof Error ? err.message : String(err)}`);
+        }
+    }
+    /**
+     * Reload from disk and emit "store_reloaded".
+     */
+    reloadFromDisk() {
+        this.load();
+        this.emit("store_reloaded");
+    }
+    /**
+     * Get the API key for a provider, with env-var fallback.
+     * Returns undefined if neither source has a value.
+     */
+    getKey(providerId, envVar) {
+        if (!this.loaded)
+            this.load();
+        const stored = this.config.providers[providerId]?.apiKey?.trim();
+        if (stored && stored.length > 0 && !stored.startsWith("$"))
+            return stored;
+        if (envVar)
+            return process.env[envVar]?.trim() || undefined;
+        return undefined;
+    }
+    /**
+     * Get the full provider config block for a provider.
+     */
+    getProvider(providerId) {
+        if (!this.loaded)
+            this.load();
+        return this.config.providers[providerId];
+    }
+    /**
+     * List all configured provider IDs.
+     */
+    listProviders() {
+        if (!this.loaded)
+            this.load();
+        return Object.keys(this.config.providers);
+    }
+    /**
+     * Set the API key for a provider. Creates the provider entry if missing.
+     * Performs atomic write (tmp + rename) and chmod 0600 on Unix.
+     * Emits "key_changed" event.
+     */
+    setKey(providerId, key, providerConfig) {
+        if (!this.loaded)
+            this.load();
+        const existing = this.config.providers[providerId] ?? {};
+        this.config.providers[providerId] = {
+            ...existing,
+            ...providerConfig,
+            apiKey: key,
+        };
+        this.persist();
+        this.emit("key_changed", { provider: providerId, key });
+    }
+    /**
+     * Remove the API key for a provider (but keep the rest of the provider config).
+     * Emits "key_removed" event.
+     */
+    removeKey(providerId) {
+        if (!this.loaded)
+            this.load();
+        const existing = this.config.providers[providerId];
+        if (!existing)
+            return;
+        const { apiKey: _removed, ...rest } = existing;
+        this.config.providers[providerId] = rest;
+        this.persist();
+        this.emit("key_removed", { provider: providerId });
+    }
+    /**
+     * Mask an API key for display (preserves length info without exposing the secret).
+     */
+    static maskKey(key) {
+        if (!key)
+            return "(not set)";
+        const trimmed = key.trim();
+        if (trimmed.length === 0)
+            return "(empty)";
+        if (trimmed.length <= 8)
+            return "********";
+        return `${trimmed.slice(0, 6)}...${trimmed.slice(-4)}`;
+    }
+    /**
+     * Atomic write of the config to disk:
+     *   1. Ensure parent dir exists
+     *   2. Write to <path>.tmp
+     *   3. Rename to <path> (atomic on POSIX)
+     *   4. Apply chmod 0600 on Unix (silently skip on Windows)
+     */
+    persist() {
+        const parent = dirname(this.configPath);
+        mkdirSync(parent, { recursive: true });
+        const tmpPath = `${this.configPath}.tmp`;
+        const payload = `${JSON.stringify(this.config, null, 2)}\n`;
+        writeFileSync(tmpPath, payload, "utf-8");
+        renameSync(tmpPath, this.configPath);
+        if (process.platform !== "win32") {
+            try {
+                chmodSync(this.configPath, 0o600);
+            }
+            catch {
+                // chmod may fail on some filesystems (eg WSL); non-critical
+            }
+        }
+    }
+}
+/** Module-level singleton for convenience. */
+let _singleton = null;
+export function getApiKeyStore(options) {
+    if (!_singleton || (options?.configPath && _singleton.configPath !== options.configPath)) {
+        _singleton = new ApiKeyStore(options);
+    }
+    return _singleton;
+}
+export function _resetApiKeyStore() {
+    _singleton = null;
+}
+//# sourceMappingURL=api-key-store.js.map

package/dist/core/api-key-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-key-store.js","sourceRoot":"","sources":["../../src/core/api-key-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACpG,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAqB1C,MAAM,OAAO,WAAY,SAAQ,YAAY;IACnC,UAAU,CAAS;IACpB,MAAM,GAA0B,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;IAClD,MAAM,GAAG,KAAK,CAAC;IAEvB,YAAY,OAAO,GAAuB,EAAE,EAAE;QAC7C,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,CAAC,CAAC;IAAA,CACxF;IAED;;OAEG;IACH,IAAI,GAA0B;QAC7B,IAAI,CAAC;YACJ,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;gBAClC,OAAO,IAAI,CAAC,MAAM,CAAC;YACpB,CAAC;YACD,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACnD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA0B,CAAC;YACxD,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;gBAC/D,MAAM,CAAC,SAAS,GAAG,EAAE,CAAC;YACvB,CAAC;YACD,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;YACrB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;YACnB,OAAO,IAAI,CAAC,MAAM,CAAC;QACpB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,kBAAkB,IAAI,CAAC,UAAU,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC3G,CAAC;IAAA,CACD;IAED;;OAEG;IACH,cAAc,GAAS;QACtB,IAAI,CAAC,IAAI,EAAE,CAAC;QACZ,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAAA,CAC5B;IAED;;;OAGG;IACH,MAAM,CAAC,UAAkB,EAAE,MAAe,EAAsB;QAC/D,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,IAAI,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;QACjE,IAAI,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,MAAM,CAAC;QAC1E,IAAI,MAAM;YAAE,OAAO,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,IAAI,SAAS,CAAC;QAC5D,OAAO,SAAS,CAAC;IAAA,CACjB;IAED;;OAEG;IACH,WAAW,CAAC,UAAkB,EAAuC;QACpE,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,IAAI,CAAC,IAAI,EAAE,CAAC;QAC9B,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IAAA,CACzC;IAED;;OAEG;IACH,aAAa,GAAa;QACzB,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,IAAI,CAAC,IAAI,EAAE,CAAC;QAC9B,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAAA,CAC1C;IAED;;;;OAIG;IACH,MAAM,CAAC,UAAkB,EAAE,GAAW,EAAE,cAAiD,EAAQ;QAChG,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,IAAI,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;QACzD,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,GAAG;YACnC,GAAG,QAAQ;YACX,GAAG,cAAc;YACjB,MAAM,EAAE,GAAG;SACX,CAAC;QACF,IAAI,CAAC,OAAO,EAAE,CAAC;QACf,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,CAAC;IAAA,CACxD;IAED;;;OAGG;IACH,SAAS,CAAC,UAAkB,EAAQ;QACnC,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,IAAI,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QACnD,IAAI,CAAC,QAAQ;YAAE,OAAO;QACtB,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE,GAAG,QAAQ,CAAC;QAC/C,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC;QACzC,IAAI,CAAC,OAAO,EAAE,CAAC;QACf,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC,CAAC;IAAA,CACnD;IAED;;OAEG;IACH,MAAM,CAAC,OAAO,CAAC,GAAuB,EAAU;QAC/C,IAAI,CAAC,GAAG;YAAE,OAAO,WAAW,CAAC;QAC7B,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;QAC3B,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,SAAS,CAAC;QAC3C,IAAI,OAAO,CAAC,MAAM,IAAI,CAAC;YAAE,OAAO,UAAU,CAAC;QAC3C,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAAA,CACvD;IAED;;;;;;OAMG;IACK,OAAO,GAAS;QACvB,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACxC,SAAS,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACvC,MAAM,OAAO,GAAG,GAAG,IAAI,CAAC,UAAU,MAAM,CAAC;QACzC,MAAM,OAAO,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC;QAC5D,aAAa,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QACzC,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QACrC,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YAClC,IAAI,CAAC;gBACJ,SAAS,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;YACnC,CAAC;YAAC,MAAM,CAAC;gBACR,4DAA4D;YAC7D,CAAC;QACF,CAAC;IAAA,CACD;CACD;AAED,8CAA8C;AAC9C,IAAI,UAAU,GAAuB,IAAI,CAAC;AAC1C,MAAM,UAAU,cAAc,CAAC,OAA4B,EAAe;IACzE,IAAI,CAAC,UAAU,IAAI,CAAC,OAAO,EAAE,UAAU,IAAI,UAAU,CAAC,UAAU,KAAK,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;QAC1F,UAAU,GAAG,IAAI,WAAW,CAAC,OAAO,CAAC,CAAC;IACvC,CAAC;IACD,OAAO,UAAU,CAAC;AAAA,CAClB;AAED,MAAM,UAAU,iBAAiB,GAAS;IACzC,UAAU,GAAG,IAAI,CAAC;AAAA,CAClB","sourcesContent":["/**\n * API Key Store - Centralized storage and hot-reload for provider API keys.\n *\n * Per Q5 strategy C: explicit /keys command + file watcher both supported.\n * Per Q6 strategy A: keys stored in plain text in ~/.phi/agent/models.json\n * with chmod 0600 on Unix and clear warnings to users.\n *\n * Storage format: models.json providers.<id>.apiKey contains the key value\n * directly (not an env var reference). Resolution priority:\n *   1. Value in models.json (if non-empty)\n *   2. process.env[envVar] (legacy fallback)\n *\n * Events emitted via the EventEmitter:\n *   - \"key_changed\" { provider, key }  : when setKey() or external edit detected\n *   - \"key_removed\" { provider }       : when removeKey() called\n *   - \"store_reloaded\"                 : when reloadFromDisk() succeeds\n */\n\nimport { EventEmitter } from \"node:events\";\nimport { chmodSync, existsSync, mkdirSync, readFileSync, renameSync, writeFileSync } from \"node:fs\";\nimport { homedir } from \"node:os\";\nimport { dirname, join } from \"node:path\";\n\nexport interface ProviderConfigPersisted {\n\tbaseUrl?: string;\n\tapi?: string;\n\tapiKey?: string;\n\theaders?: Record<string, string>;\n\tauthHeader?: boolean;\n\tmodels?: unknown[];\n\tmodelOverrides?: Record<string, unknown>;\n}\n\nexport interface ModelsConfigPersisted {\n\t$comment?: string;\n\tproviders: Record<string, ProviderConfigPersisted>;\n}\n\nexport interface ApiKeyStoreOptions {\n\tconfigPath?: string;\n}\n\nexport class ApiKeyStore extends EventEmitter {\n\treadonly configPath: string;\n\tprivate config: ModelsConfigPersisted = { providers: {} };\n\tprivate loaded = false;\n\n\tconstructor(options: ApiKeyStoreOptions = {}) {\n\t\tsuper();\n\t\tthis.configPath = options.configPath ?? join(homedir(), \".phi\", \"agent\", \"models.json\");\n\t}\n\n\t/**\n\t * Load config from disk. Creates an empty file if missing.\n\t */\n\tload(): ModelsConfigPersisted {\n\t\ttry {\n\t\t\tif (!existsSync(this.configPath)) {\n\t\t\t\treturn this.config;\n\t\t\t}\n\t\t\tconst raw = readFileSync(this.configPath, \"utf-8\");\n\t\t\tconst parsed = JSON.parse(raw) as ModelsConfigPersisted;\n\t\t\tif (!parsed.providers || typeof parsed.providers !== \"object\") {\n\t\t\t\tparsed.providers = {};\n\t\t\t}\n\t\t\tthis.config = parsed;\n\t\t\tthis.loaded = true;\n\t\t\treturn this.config;\n\t\t} catch (err) {\n\t\t\tthrow new Error(`Failed to load ${this.configPath}: ${err instanceof Error ? err.message : String(err)}`);\n\t\t}\n\t}\n\n\t/**\n\t * Reload from disk and emit \"store_reloaded\".\n\t */\n\treloadFromDisk(): void {\n\t\tthis.load();\n\t\tthis.emit(\"store_reloaded\");\n\t}\n\n\t/**\n\t * Get the API key for a provider, with env-var fallback.\n\t * Returns undefined if neither source has a value.\n\t */\n\tgetKey(providerId: string, envVar?: string): string | undefined {\n\t\tif (!this.loaded) this.load();\n\t\tconst stored = this.config.providers[providerId]?.apiKey?.trim();\n\t\tif (stored && stored.length > 0 && !stored.startsWith(\"$\")) return stored;\n\t\tif (envVar) return process.env[envVar]?.trim() || undefined;\n\t\treturn undefined;\n\t}\n\n\t/**\n\t * Get the full provider config block for a provider.\n\t */\n\tgetProvider(providerId: string): ProviderConfigPersisted | undefined {\n\t\tif (!this.loaded) this.load();\n\t\treturn this.config.providers[providerId];\n\t}\n\n\t/**\n\t * List all configured provider IDs.\n\t */\n\tlistProviders(): string[] {\n\t\tif (!this.loaded) this.load();\n\t\treturn Object.keys(this.config.providers);\n\t}\n\n\t/**\n\t * Set the API key for a provider. Creates the provider entry if missing.\n\t * Performs atomic write (tmp + rename) and chmod 0600 on Unix.\n\t * Emits \"key_changed\" event.\n\t */\n\tsetKey(providerId: string, key: string, providerConfig?: Partial<ProviderConfigPersisted>): void {\n\t\tif (!this.loaded) this.load();\n\t\tconst existing = this.config.providers[providerId] ?? {};\n\t\tthis.config.providers[providerId] = {\n\t\t\t...existing,\n\t\t\t...providerConfig,\n\t\t\tapiKey: key,\n\t\t};\n\t\tthis.persist();\n\t\tthis.emit(\"key_changed\", { provider: providerId, key });\n\t}\n\n\t/**\n\t * Remove the API key for a provider (but keep the rest of the provider config).\n\t * Emits \"key_removed\" event.\n\t */\n\tremoveKey(providerId: string): void {\n\t\tif (!this.loaded) this.load();\n\t\tconst existing = this.config.providers[providerId];\n\t\tif (!existing) return;\n\t\tconst { apiKey: _removed, ...rest } = existing;\n\t\tthis.config.providers[providerId] = rest;\n\t\tthis.persist();\n\t\tthis.emit(\"key_removed\", { provider: providerId });\n\t}\n\n\t/**\n\t * Mask an API key for display (preserves length info without exposing the secret).\n\t */\n\tstatic maskKey(key: string | undefined): string {\n\t\tif (!key) return \"(not set)\";\n\t\tconst trimmed = key.trim();\n\t\tif (trimmed.length === 0) return \"(empty)\";\n\t\tif (trimmed.length <= 8) return \"********\";\n\t\treturn `${trimmed.slice(0, 6)}...${trimmed.slice(-4)}`;\n\t}\n\n\t/**\n\t * Atomic write of the config to disk:\n\t *   1. Ensure parent dir exists\n\t *   2. Write to <path>.tmp\n\t *   3. Rename to <path> (atomic on POSIX)\n\t *   4. Apply chmod 0600 on Unix (silently skip on Windows)\n\t */\n\tprivate persist(): void {\n\t\tconst parent = dirname(this.configPath);\n\t\tmkdirSync(parent, { recursive: true });\n\t\tconst tmpPath = `${this.configPath}.tmp`;\n\t\tconst payload = `${JSON.stringify(this.config, null, 2)}\\n`;\n\t\twriteFileSync(tmpPath, payload, \"utf-8\");\n\t\trenameSync(tmpPath, this.configPath);\n\t\tif (process.platform !== \"win32\") {\n\t\t\ttry {\n\t\t\t\tchmodSync(this.configPath, 0o600);\n\t\t\t} catch {\n\t\t\t\t// chmod may fail on some filesystems (eg WSL); non-critical\n\t\t\t}\n\t\t}\n\t}\n}\n\n/** Module-level singleton for convenience. */\nlet _singleton: ApiKeyStore | null = null;\nexport function getApiKeyStore(options?: ApiKeyStoreOptions): ApiKeyStore {\n\tif (!_singleton || (options?.configPath && _singleton.configPath !== options.configPath)) {\n\t\t_singleton = new ApiKeyStore(options);\n\t}\n\treturn _singleton;\n}\n\nexport function _resetApiKeyStore(): void {\n\t_singleton = null;\n}\n"]}

package/dist/core/auth-guidance.d.ts

@@ -0,0 +1,5 @@
+export declare function getProviderLoginHelp(): string;
+export declare function formatNoModelsAvailableMessage(): string;
+export declare function formatNoModelSelectedMessage(): string;
+export declare function formatNoApiKeyFoundMessage(provider: string): string;
+//# sourceMappingURL=auth-guidance.d.ts.map

package/dist/core/auth-guidance.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-guidance.d.ts","sourceRoot":"","sources":["../../src/core/auth-guidance.ts"],"names":[],"mappings":"AAKA,wBAAgB,oBAAoB,IAAI,MAAM,CAM7C;AAED,wBAAgB,8BAA8B,IAAI,MAAM,CAEvD;AAED,wBAAgB,4BAA4B,IAAI,MAAM,CAErD;AAED,wBAAgB,0BAA0B,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAGnE","sourcesContent":["import { join } from \"node:path\";\nimport { getDocsPath } from \"../config.js\";\n\nconst UNKNOWN_PROVIDER = \"unknown\";\n\nexport function getProviderLoginHelp(): string {\n\treturn [\n\t\t\"Use /login to log into a provider via OAuth or API key. See:\",\n\t\t`  ${join(getDocsPath(), \"providers.md\")}`,\n\t\t`  ${join(getDocsPath(), \"models.md\")}`,\n\t].join(\"\\n\");\n}\n\nexport function formatNoModelsAvailableMessage(): string {\n\treturn `No models available. ${getProviderLoginHelp()}`;\n}\n\nexport function formatNoModelSelectedMessage(): string {\n\treturn `No model selected.\\n\\n${getProviderLoginHelp()}\\n\\nThen use /model to select a model.`;\n}\n\nexport function formatNoApiKeyFoundMessage(provider: string): string {\n\tconst providerDisplay = provider === UNKNOWN_PROVIDER ? \"the selected model\" : provider;\n\treturn `No API key found for ${providerDisplay}.\\n\\n${getProviderLoginHelp()}`;\n}\n"]}

package/dist/core/auth-guidance.js

@@ -0,0 +1,21 @@
+import { join } from "node:path";
+import { getDocsPath } from "../config.js";
+const UNKNOWN_PROVIDER = "unknown";
+export function getProviderLoginHelp() {
+    return [
+        "Use /login to log into a provider via OAuth or API key. See:",
+        `  ${join(getDocsPath(), "providers.md")}`,
+        `  ${join(getDocsPath(), "models.md")}`,
+    ].join("\n");
+}
+export function formatNoModelsAvailableMessage() {
+    return `No models available. ${getProviderLoginHelp()}`;
+}
+export function formatNoModelSelectedMessage() {
+    return `No model selected.\n\n${getProviderLoginHelp()}\n\nThen use /model to select a model.`;
+}
+export function formatNoApiKeyFoundMessage(provider) {
+    const providerDisplay = provider === UNKNOWN_PROVIDER ? "the selected model" : provider;
+    return `No API key found for ${providerDisplay}.\n\n${getProviderLoginHelp()}`;
+}
+//# sourceMappingURL=auth-guidance.js.map

package/dist/core/auth-guidance.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-guidance.js","sourceRoot":"","sources":["../../src/core/auth-guidance.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAE3C,MAAM,gBAAgB,GAAG,SAAS,CAAC;AAEnC,MAAM,UAAU,oBAAoB,GAAW;IAC9C,OAAO;QACN,8DAA8D;QAC9D,KAAK,IAAI,CAAC,WAAW,EAAE,EAAE,cAAc,CAAC,EAAE;QAC1C,KAAK,IAAI,CAAC,WAAW,EAAE,EAAE,WAAW,CAAC,EAAE;KACvC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAAA,CACb;AAED,MAAM,UAAU,8BAA8B,GAAW;IACxD,OAAO,wBAAwB,oBAAoB,EAAE,EAAE,CAAC;AAAA,CACxD;AAED,MAAM,UAAU,4BAA4B,GAAW;IACtD,OAAO,yBAAyB,oBAAoB,EAAE,wCAAwC,CAAC;AAAA,CAC/F;AAED,MAAM,UAAU,0BAA0B,CAAC,QAAgB,EAAU;IACpE,MAAM,eAAe,GAAG,QAAQ,KAAK,gBAAgB,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,QAAQ,CAAC;IACxF,OAAO,wBAAwB,eAAe,QAAQ,oBAAoB,EAAE,EAAE,CAAC;AAAA,CAC/E","sourcesContent":["import { join } from \"node:path\";\nimport { getDocsPath } from \"../config.js\";\n\nconst UNKNOWN_PROVIDER = \"unknown\";\n\nexport function getProviderLoginHelp(): string {\n\treturn [\n\t\t\"Use /login to log into a provider via OAuth or API key. See:\",\n\t\t`  ${join(getDocsPath(), \"providers.md\")}`,\n\t\t`  ${join(getDocsPath(), \"models.md\")}`,\n\t].join(\"\\n\");\n}\n\nexport function formatNoModelsAvailableMessage(): string {\n\treturn `No models available. ${getProviderLoginHelp()}`;\n}\n\nexport function formatNoModelSelectedMessage(): string {\n\treturn `No model selected.\\n\\n${getProviderLoginHelp()}\\n\\nThen use /model to select a model.`;\n}\n\nexport function formatNoApiKeyFoundMessage(provider: string): string {\n\tconst providerDisplay = provider === UNKNOWN_PROVIDER ? \"the selected model\" : provider;\n\treturn `No API key found for ${providerDisplay}.\\n\\n${getProviderLoginHelp()}`;\n}\n"]}

package/dist/core/auth-storage.d.ts

@@ -15,6 +15,11 @@ export type OAuthCredential = {
 } & OAuthCredentials;
 export type AuthCredential = ApiKeyCredential | OAuthCredential;
 export type AuthStorageData = Record<string, AuthCredential>;
+export type AuthStatus = {
+    configured: boolean;
+    source?: "stored" | "runtime" | "environment" | "fallback" | "models_json_key" | "models_json_command";
+    label?: string;
+};
 type LockResult<T> = {
     result: T;
     next?: string;
@@ -97,6 +102,10 @@ export declare class AuthStorage {
      * Unlike getApiKey(), this doesn't refresh OAuth tokens.
      */
     hasAuth(provider: string): boolean;
+    /**
+     * Return auth status without exposing credential values or refreshing tokens.
+     */
+    getAuthStatus(provider: string): AuthStatus;
     /**
      * Get all credentials (for passing to getOAuthApiKey).
      */
@@ -110,10 +119,6 @@ export declare class AuthStorage {
      * Logout from a provider.
      */
     logout(provider: string): void;
-    /**
-     * Refresh OAuth token with backend locking to prevent race conditions.
-     * Multiple pi instances may try to refresh simultaneously when tokens expire.
-     */
     private refreshOAuthTokenWithLock;
     /**
      * Get API key for a provider.
@@ -124,7 +129,9 @@ export declare class AuthStorage {
      * 4. Environment variable
      * 5. Fallback resolver (models.json custom providers)
      */
-    getApiKey(providerId: string): Promise<string | undefined>;
+    getApiKey(providerId: string, options?: {
+        includeFallback?: boolean;
+    }): Promise<string | undefined>;
     /**
      * Get all registered OAuth providers
      */

package/dist/core/auth-storage.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-storage.d.ts","sourceRoot":"","sources":["../../src/core/auth-storage.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAEN,KAAK,gBAAgB,EACrB,KAAK,mBAAmB,EACxB,KAAK,eAAe,EACpB,MAAM,aAAa,CAAC;AAQrB,MAAM,MAAM,gBAAgB,GAAG;IAC9B,IAAI,EAAE,SAAS,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;CACZ,CAAC;AAEF,MAAM,MAAM,eAAe,GAAG;IAC7B,IAAI,EAAE,OAAO,CAAC;CACd,GAAG,gBAAgB,CAAC;AAErB,MAAM,MAAM,cAAc,GAAG,gBAAgB,GAAG,eAAe,CAAC;AAEhE,MAAM,MAAM,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;AAE7D,KAAK,UAAU,CAAC,CAAC,IAAI;IACpB,MAAM,EAAE,CAAC,CAAC;IACV,IAAI,CAAC,EAAE,MAAM,CAAC;CACd,CAAC;AAEF,MAAM,WAAW,kBAAkB;IAClC,QAAQ,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,KAAK,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACnE,aAAa,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,KAAK,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;CAC1F;AAED,qBAAa,sBAAuB,YAAW,kBAAkB;IACpD,OAAO,CAAC,QAAQ;gBAAR,QAAQ,GAAE,MAAyC;IAEvE,OAAO,CAAC,eAAe;IAOvB,OAAO,CAAC,gBAAgB;IAOxB,OAAO,CAAC,wBAAwB;IA2BhC,QAAQ,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,KAAK,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC;IAqB5D,aAAa,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,KAAK,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC;CAiD/F;AAED,qBAAa,0BAA2B,YAAW,kBAAkB;IACpE,OAAO,CAAC,KAAK,CAAqB;IAElC,QAAQ,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,KAAK,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC;IAQ5D,aAAa,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,KAAK,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC;CAO/F;AAED;;GAEG;AACH,qBAAa,WAAW;IAOH,OAAO,CAAC,OAAO;IANnC,OAAO,CAAC,IAAI,CAAuB;IACnC,OAAO,CAAC,gBAAgB,CAAkC;IAC1D,OAAO,CAAC,gBAAgB,CAAC,CAA2C;IACpE,OAAO,CAAC,SAAS,CAAsB;IACvC,OAAO,CAAC,MAAM,CAAe;IAE7B,OAAO;IAIP,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,WAAW;IAI7C,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,kBAAkB,GAAG,WAAW;IAI5D,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAE,eAAoB,GAAG,WAAW;IAMxD;;;OAGG;IACH,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI;IAIxD;;OAEG;IACH,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;IAI3C;;;OAGG;IACH,mBAAmB,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,GAAG,IAAI;IAI7E,OAAO,CAAC,WAAW;IAKnB,OAAO,CAAC,gBAAgB;IAOxB;;OAEG;IACH,MAAM,IAAI,IAAI;IAed,OAAO,CAAC,qBAAqB;IAqB7B;;OAEG;IACH,GAAG,CAAC,QAAQ,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS;IAIjD;;OAEG;IACH,GAAG,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,cAAc,GAAG,IAAI;IAKvD;;OAEG;IACH,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;IAK9B;;OAEG;IACH,IAAI,IAAI,MAAM,EAAE;IAIhB;;OAEG;IACH,GAAG,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;IAI9B;;;OAGG;IACH,OAAO,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;IAQlC;;OAEG;IACH,MAAM,IAAI,eAAe;IAIzB,WAAW,IAAI,KAAK,EAAE;IAMtB;;OAEG;IACG,KAAK,CAAC,UAAU,EAAE,eAAe,EAAE,SAAS,EAAE,mBAAmB,GAAG,OAAO,CAAC,IAAI,CAAC;IAUvF;;OAEG;IACH,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;IAI9B;;;OAGG;YACW,yBAAyB;IA8CvC;;;;;;;;OAQG;IACG,SAAS,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IA2DhE;;OAEG;IACH,iBAAiB;CAGjB"}
+{"version":3,"file":"auth-storage.d.ts","sourceRoot":"","sources":["../../src/core/auth-storage.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EAGN,KAAK,gBAAgB,EACrB,KAAK,mBAAmB,EACxB,KAAK,eAAe,EACpB,MAAM,aAAa,CAAC;AAMrB,MAAM,MAAM,gBAAgB,GAAG;IAC9B,IAAI,EAAE,SAAS,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;CACZ,CAAC;AAEF,MAAM,MAAM,eAAe,GAAG;IAC7B,IAAI,EAAE,OAAO,CAAC;CACd,GAAG,gBAAgB,CAAC;AAErB,MAAM,MAAM,cAAc,GAAG,gBAAgB,GAAG,eAAe,CAAC;AAEhE,MAAM,MAAM,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;AAE7D,MAAM,MAAM,UAAU,GAAG;IACxB,UAAU,EAAE,OAAO,CAAC;IACpB,MAAM,CAAC,EAAE,QAAQ,GAAG,SAAS,GAAG,aAAa,GAAG,UAAU,GAAG,iBAAiB,GAAG,qBAAqB,CAAC;IACvG,KAAK,CAAC,EAAE,MAAM,CAAC;CACf,CAAC;AAEF,KAAK,UAAU,CAAC,CAAC,IAAI;IACpB,MAAM,EAAE,CAAC,CAAC;IACV,IAAI,CAAC,EAAE,MAAM,CAAC;CACd,CAAC;AAEF,MAAM,WAAW,kBAAkB;IAClC,QAAQ,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,KAAK,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACnE,aAAa,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,KAAK,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;CAC1F;AAED,qBAAa,sBAAuB,YAAW,kBAAkB;IACpD,OAAO,CAAC,QAAQ;IAA5B,YAAoB,QAAQ,GAAE,MAAyC,EAAI;IAE3E,OAAO,CAAC,eAAe;IAOvB,OAAO,CAAC,gBAAgB;IAOxB,OAAO,CAAC,wBAAwB;IA2BhC,QAAQ,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,KAAK,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAmBjE;IAEK,aAAa,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,KAAK,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAgD9F;CACD;AAED,qBAAa,0BAA2B,YAAW,kBAAkB;IACpE,OAAO,CAAC,KAAK,CAAqB;IAElC,QAAQ,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,KAAK,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAMjE;IAEK,aAAa,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,KAAK,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAM9F;CACD;AAED;;GAEG;AACH,qBAAa,WAAW;IAOH,OAAO,CAAC,OAAO;IANnC,OAAO,CAAC,IAAI,CAAuB;IACnC,OAAO,CAAC,gBAAgB,CAAkC;IAC1D,OAAO,CAAC,gBAAgB,CAAC,CAA2C;IACpE,OAAO,CAAC,SAAS,CAAsB;IACvC,OAAO,CAAC,MAAM,CAAe;IAE7B,OAAO,eAEN;IAED,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,WAAW,CAE5C;IAED,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,kBAAkB,GAAG,WAAW,CAE3D;IAED,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAE,eAAoB,GAAG,WAAW,CAIvD;IAED;;;OAGG;IACH,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAEvD;IAED;;OAEG;IACH,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAE1C;IAED;;;OAGG;IACH,mBAAmB,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,GAAG,IAAI,CAE5E;IAED,OAAO,CAAC,WAAW;IAKnB,OAAO,CAAC,gBAAgB;IAOxB;;OAEG;IACH,MAAM,IAAI,IAAI,CAab;IAED,OAAO,CAAC,qBAAqB;IAqB7B;;OAEG;IACH,GAAG,CAAC,QAAQ,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS,CAEhD;IAED;;OAEG;IACH,GAAG,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,cAAc,GAAG,IAAI,CAGtD;IAED;;OAEG;IACH,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAG7B;IAED;;OAEG;IACH,IAAI,IAAI,MAAM,EAAE,CAEf;IAED;;OAEG;IACH,GAAG,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAE7B;IAED;;;OAGG;IACH,OAAO,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAMjC;IAED;;OAEG;IACH,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,UAAU,CAmB1C;IAED;;OAEG;IACH,MAAM,IAAI,eAAe,CAExB;IAED,WAAW,IAAI,KAAK,EAAE,CAIrB;IAED;;OAEG;IACG,KAAK,CAAC,UAAU,EAAE,eAAe,EAAE,SAAS,EAAE,mBAAmB,GAAG,OAAO,CAAC,IAAI,CAAC,CAQtF;IAED;;OAEG;IACH,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAE7B;YAMa,yBAAyB;IA8CvC;;;;;;;;OAQG;IACG,SAAS,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;QAAE,eAAe,CAAC,EAAE,OAAO,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CA6DxG;IAED;;OAEG;IACH,iBAAiB,mDAEhB;CACD","sourcesContent":["/**\n * Credential storage for API keys and OAuth tokens.\n * Handles loading, saving, and refreshing credentials from auth.json.\n *\n * Uses file locking to prevent race conditions when multiple pi instances\n * try to refresh tokens simultaneously.\n */\n\nimport { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from \"fs\";\nimport { dirname, join } from \"path\";\nimport {\n\tfindEnvKeys,\n\tgetEnvApiKey,\n\ttype OAuthCredentials,\n\ttype OAuthLoginCallbacks,\n\ttype OAuthProviderId,\n} from \"phi-code-ai\";\nimport { getOAuthApiKey, getOAuthProvider, getOAuthProviders } from \"phi-code-ai/oauth\";\nimport lockfile from \"proper-lockfile\";\nimport { getAgentDir } from \"../config.js\";\nimport { resolveConfigValue } from \"./resolve-config-value.js\";\n\nexport type ApiKeyCredential = {\n\ttype: \"api_key\";\n\tkey: string;\n};\n\nexport type OAuthCredential = {\n\ttype: \"oauth\";\n} & OAuthCredentials;\n\nexport type AuthCredential = ApiKeyCredential | OAuthCredential;\n\nexport type AuthStorageData = Record<string, AuthCredential>;\n\nexport type AuthStatus = {\n\tconfigured: boolean;\n\tsource?: \"stored\" | \"runtime\" | \"environment\" | \"fallback\" | \"models_json_key\" | \"models_json_command\";\n\tlabel?: string;\n};\n\ntype LockResult<T> = {\n\tresult: T;\n\tnext?: string;\n};\n\nexport interface AuthStorageBackend {\n\twithLock<T>(fn: (current: string | undefined) => LockResult<T>): T;\n\twithLockAsync<T>(fn: (current: string | undefined) => Promise<LockResult<T>>): Promise<T>;\n}\n\nexport class FileAuthStorageBackend implements AuthStorageBackend {\n\tconstructor(private authPath: string = join(getAgentDir(), \"auth.json\")) {}\n\n\tprivate ensureParentDir(): void {\n\t\tconst dir = dirname(this.authPath);\n\t\tif (!existsSync(dir)) {\n\t\t\tmkdirSync(dir, { recursive: true, mode: 0o700 });\n\t\t}\n\t}\n\n\tprivate ensureFileExists(): void {\n\t\tif (!existsSync(this.authPath)) {\n\t\t\twriteFileSync(this.authPath, \"{}\", \"utf-8\");\n\t\t\tchmodSync(this.authPath, 0o600);\n\t\t}\n\t}\n\n\tprivate acquireLockSyncWithRetry(path: string): () => void {\n\t\tconst maxAttempts = 10;\n\t\tconst delayMs = 20;\n\t\tlet lastError: unknown;\n\n\t\tfor (let attempt = 1; attempt <= maxAttempts; attempt++) {\n\t\t\ttry {\n\t\t\t\treturn lockfile.lockSync(path, { realpath: false });\n\t\t\t} catch (error) {\n\t\t\t\tconst code =\n\t\t\t\t\ttypeof error === \"object\" && error !== null && \"code\" in error\n\t\t\t\t\t\t? String((error as { code?: unknown }).code)\n\t\t\t\t\t\t: undefined;\n\t\t\t\tif (code !== \"ELOCKED\" || attempt === maxAttempts) {\n\t\t\t\t\tthrow error;\n\t\t\t\t}\n\t\t\t\tlastError = error;\n\t\t\t\tconst start = Date.now();\n\t\t\t\twhile (Date.now() - start < delayMs) {\n\t\t\t\t\t// Sleep synchronously to avoid changing callers to async.\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tthrow (lastError as Error) ?? new Error(\"Failed to acquire auth storage lock\");\n\t}\n\n\twithLock<T>(fn: (current: string | undefined) => LockResult<T>): T {\n\t\tthis.ensureParentDir();\n\t\tthis.ensureFileExists();\n\n\t\tlet release: (() => void) | undefined;\n\t\ttry {\n\t\t\trelease = this.acquireLockSyncWithRetry(this.authPath);\n\t\t\tconst current = existsSync(this.authPath) ? readFileSync(this.authPath, \"utf-8\") : undefined;\n\t\t\tconst { result, next } = fn(current);\n\t\t\tif (next !== undefined) {\n\t\t\t\twriteFileSync(this.authPath, next, \"utf-8\");\n\t\t\t\tchmodSync(this.authPath, 0o600);\n\t\t\t}\n\t\t\treturn result;\n\t\t} finally {\n\t\t\tif (release) {\n\t\t\t\trelease();\n\t\t\t}\n\t\t}\n\t}\n\n\tasync withLockAsync<T>(fn: (current: string | undefined) => Promise<LockResult<T>>): Promise<T> {\n\t\tthis.ensureParentDir();\n\t\tthis.ensureFileExists();\n\n\t\tlet release: (() => Promise<void>) | undefined;\n\t\tlet lockCompromised = false;\n\t\tlet lockCompromisedError: Error | undefined;\n\t\tconst throwIfCompromised = () => {\n\t\t\tif (lockCompromised) {\n\t\t\t\tthrow lockCompromisedError ?? new Error(\"Auth storage lock was compromised\");\n\t\t\t}\n\t\t};\n\n\t\ttry {\n\t\t\trelease = await lockfile.lock(this.authPath, {\n\t\t\t\tretries: {\n\t\t\t\t\tretries: 10,\n\t\t\t\t\tfactor: 2,\n\t\t\t\t\tminTimeout: 100,\n\t\t\t\t\tmaxTimeout: 10000,\n\t\t\t\t\trandomize: true,\n\t\t\t\t},\n\t\t\t\tstale: 30000,\n\t\t\t\tonCompromised: (err) => {\n\t\t\t\t\tlockCompromised = true;\n\t\t\t\t\tlockCompromisedError = err;\n\t\t\t\t},\n\t\t\t});\n\n\t\t\tthrowIfCompromised();\n\t\t\tconst current = existsSync(this.authPath) ? readFileSync(this.authPath, \"utf-8\") : undefined;\n\t\t\tconst { result, next } = await fn(current);\n\t\t\tthrowIfCompromised();\n\t\t\tif (next !== undefined) {\n\t\t\t\twriteFileSync(this.authPath, next, \"utf-8\");\n\t\t\t\tchmodSync(this.authPath, 0o600);\n\t\t\t}\n\t\t\tthrowIfCompromised();\n\t\t\treturn result;\n\t\t} finally {\n\t\t\tif (release) {\n\t\t\t\ttry {\n\t\t\t\t\tawait release();\n\t\t\t\t} catch {\n\t\t\t\t\t// Ignore unlock errors when lock is compromised.\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n}\n\nexport class InMemoryAuthStorageBackend implements AuthStorageBackend {\n\tprivate value: string | undefined;\n\n\twithLock<T>(fn: (current: string | undefined) => LockResult<T>): T {\n\t\tconst { result, next } = fn(this.value);\n\t\tif (next !== undefined) {\n\t\t\tthis.value = next;\n\t\t}\n\t\treturn result;\n\t}\n\n\tasync withLockAsync<T>(fn: (current: string | undefined) => Promise<LockResult<T>>): Promise<T> {\n\t\tconst { result, next } = await fn(this.value);\n\t\tif (next !== undefined) {\n\t\t\tthis.value = next;\n\t\t}\n\t\treturn result;\n\t}\n}\n\n/**\n * Credential storage backed by a JSON file.\n */\nexport class AuthStorage {\n\tprivate data: AuthStorageData = {};\n\tprivate runtimeOverrides: Map<string, string> = new Map();\n\tprivate fallbackResolver?: (provider: string) => string | undefined;\n\tprivate loadError: Error | null = null;\n\tprivate errors: Error[] = [];\n\n\tprivate constructor(private storage: AuthStorageBackend) {\n\t\tthis.reload();\n\t}\n\n\tstatic create(authPath?: string): AuthStorage {\n\t\treturn new AuthStorage(new FileAuthStorageBackend(authPath ?? join(getAgentDir(), \"auth.json\")));\n\t}\n\n\tstatic fromStorage(storage: AuthStorageBackend): AuthStorage {\n\t\treturn new AuthStorage(storage);\n\t}\n\n\tstatic inMemory(data: AuthStorageData = {}): AuthStorage {\n\t\tconst storage = new InMemoryAuthStorageBackend();\n\t\tstorage.withLock(() => ({ result: undefined, next: JSON.stringify(data, null, 2) }));\n\t\treturn AuthStorage.fromStorage(storage);\n\t}\n\n\t/**\n\t * Set a runtime API key override (not persisted to disk).\n\t * Used for CLI --api-key flag.\n\t */\n\tsetRuntimeApiKey(provider: string, apiKey: string): void {\n\t\tthis.runtimeOverrides.set(provider, apiKey);\n\t}\n\n\t/**\n\t * Remove a runtime API key override.\n\t */\n\tremoveRuntimeApiKey(provider: string): void {\n\t\tthis.runtimeOverrides.delete(provider);\n\t}\n\n\t/**\n\t * Set a fallback resolver for API keys not found in auth.json or env vars.\n\t * Used for custom provider keys from models.json.\n\t */\n\tsetFallbackResolver(resolver: (provider: string) => string | undefined): void {\n\t\tthis.fallbackResolver = resolver;\n\t}\n\n\tprivate recordError(error: unknown): void {\n\t\tconst normalizedError = error instanceof Error ? error : new Error(String(error));\n\t\tthis.errors.push(normalizedError);\n\t}\n\n\tprivate parseStorageData(content: string | undefined): AuthStorageData {\n\t\tif (!content) {\n\t\t\treturn {};\n\t\t}\n\t\treturn JSON.parse(content) as AuthStorageData;\n\t}\n\n\t/**\n\t * Reload credentials from storage.\n\t */\n\treload(): void {\n\t\tlet content: string | undefined;\n\t\ttry {\n\t\t\tthis.storage.withLock((current) => {\n\t\t\t\tcontent = current;\n\t\t\t\treturn { result: undefined };\n\t\t\t});\n\t\t\tthis.data = this.parseStorageData(content);\n\t\t\tthis.loadError = null;\n\t\t} catch (error) {\n\t\t\tthis.loadError = error as Error;\n\t\t\tthis.recordError(error);\n\t\t}\n\t}\n\n\tprivate persistProviderChange(provider: string, credential: AuthCredential | undefined): void {\n\t\tif (this.loadError) {\n\t\t\treturn;\n\t\t}\n\n\t\ttry {\n\t\t\tthis.storage.withLock((current) => {\n\t\t\t\tconst currentData = this.parseStorageData(current);\n\t\t\t\tconst merged: AuthStorageData = { ...currentData };\n\t\t\t\tif (credential) {\n\t\t\t\t\tmerged[provider] = credential;\n\t\t\t\t} else {\n\t\t\t\t\tdelete merged[provider];\n\t\t\t\t}\n\t\t\t\treturn { result: undefined, next: JSON.stringify(merged, null, 2) };\n\t\t\t});\n\t\t} catch (error) {\n\t\t\tthis.recordError(error);\n\t\t}\n\t}\n\n\t/**\n\t * Get credential for a provider.\n\t */\n\tget(provider: string): AuthCredential | undefined {\n\t\treturn this.data[provider] ?? undefined;\n\t}\n\n\t/**\n\t * Set credential for a provider.\n\t */\n\tset(provider: string, credential: AuthCredential): void {\n\t\tthis.data[provider] = credential;\n\t\tthis.persistProviderChange(provider, credential);\n\t}\n\n\t/**\n\t * Remove credential for a provider.\n\t */\n\tremove(provider: string): void {\n\t\tdelete this.data[provider];\n\t\tthis.persistProviderChange(provider, undefined);\n\t}\n\n\t/**\n\t * List all providers with credentials.\n\t */\n\tlist(): string[] {\n\t\treturn Object.keys(this.data);\n\t}\n\n\t/**\n\t * Check if credentials exist for a provider in auth.json.\n\t */\n\thas(provider: string): boolean {\n\t\treturn provider in this.data;\n\t}\n\n\t/**\n\t * Check if any form of auth is configured for a provider.\n\t * Unlike getApiKey(), this doesn't refresh OAuth tokens.\n\t */\n\thasAuth(provider: string): boolean {\n\t\tif (this.runtimeOverrides.has(provider)) return true;\n\t\tif (this.data[provider]) return true;\n\t\tif (getEnvApiKey(provider)) return true;\n\t\tif (this.fallbackResolver?.(provider)) return true;\n\t\treturn false;\n\t}\n\n\t/**\n\t * Return auth status without exposing credential values or refreshing tokens.\n\t */\n\tgetAuthStatus(provider: string): AuthStatus {\n\t\tif (this.data[provider]) {\n\t\t\treturn { configured: true, source: \"stored\" };\n\t\t}\n\n\t\tif (this.runtimeOverrides.has(provider)) {\n\t\t\treturn { configured: false, source: \"runtime\", label: \"--api-key\" };\n\t\t}\n\n\t\tconst envKeys = findEnvKeys(provider);\n\t\tif (envKeys?.[0]) {\n\t\t\treturn { configured: false, source: \"environment\", label: envKeys[0] };\n\t\t}\n\n\t\tif (this.fallbackResolver?.(provider)) {\n\t\t\treturn { configured: false, source: \"fallback\", label: \"custom provider config\" };\n\t\t}\n\n\t\treturn { configured: false };\n\t}\n\n\t/**\n\t * Get all credentials (for passing to getOAuthApiKey).\n\t */\n\tgetAll(): AuthStorageData {\n\t\treturn { ...this.data };\n\t}\n\n\tdrainErrors(): Error[] {\n\t\tconst drained = [...this.errors];\n\t\tthis.errors = [];\n\t\treturn drained;\n\t}\n\n\t/**\n\t * Login to an OAuth provider.\n\t */\n\tasync login(providerId: OAuthProviderId, callbacks: OAuthLoginCallbacks): Promise<void> {\n\t\tconst provider = getOAuthProvider(providerId);\n\t\tif (!provider) {\n\t\t\tthrow new Error(`Unknown OAuth provider: ${providerId}`);\n\t\t}\n\n\t\tconst credentials = await provider.login(callbacks);\n\t\tthis.set(providerId, { type: \"oauth\", ...credentials });\n\t}\n\n\t/**\n\t * Logout from a provider.\n\t */\n\tlogout(provider: string): void {\n\t\tthis.remove(provider);\n\t}\n\n\t/**\n\t * Refresh OAuth token with backend locking to prevent race conditions.\n\t * Multiple pi instances may try to refresh simultaneously when tokens expire.\n\t */\n\tprivate async refreshOAuthTokenWithLock(\n\t\tproviderId: OAuthProviderId,\n\t): Promise<{ apiKey: string; newCredentials: OAuthCredentials } | null> {\n\t\tconst provider = getOAuthProvider(providerId);\n\t\tif (!provider) {\n\t\t\treturn null;\n\t\t}\n\n\t\tconst result = await this.storage.withLockAsync(async (current) => {\n\t\t\tconst currentData = this.parseStorageData(current);\n\t\t\tthis.data = currentData;\n\t\t\tthis.loadError = null;\n\n\t\t\tconst cred = currentData[providerId];\n\t\t\tif (cred?.type !== \"oauth\") {\n\t\t\t\treturn { result: null };\n\t\t\t}\n\n\t\t\tif (Date.now() < cred.expires) {\n\t\t\t\treturn { result: { apiKey: provider.getApiKey(cred), newCredentials: cred } };\n\t\t\t}\n\n\t\t\tconst oauthCreds: Record<string, OAuthCredentials> = {};\n\t\t\tfor (const [key, value] of Object.entries(currentData)) {\n\t\t\t\tif (value.type === \"oauth\") {\n\t\t\t\t\toauthCreds[key] = value;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tconst refreshed = await getOAuthApiKey(providerId, oauthCreds);\n\t\t\tif (!refreshed) {\n\t\t\t\treturn { result: null };\n\t\t\t}\n\n\t\t\tconst merged: AuthStorageData = {\n\t\t\t\t...currentData,\n\t\t\t\t[providerId]: { type: \"oauth\", ...refreshed.newCredentials },\n\t\t\t};\n\t\t\tthis.data = merged;\n\t\t\tthis.loadError = null;\n\t\t\treturn { result: refreshed, next: JSON.stringify(merged, null, 2) };\n\t\t});\n\n\t\treturn result;\n\t}\n\n\t/**\n\t * Get API key for a provider.\n\t * Priority:\n\t * 1. Runtime override (CLI --api-key)\n\t * 2. API key from auth.json\n\t * 3. OAuth token from auth.json (auto-refreshed with locking)\n\t * 4. Environment variable\n\t * 5. Fallback resolver (models.json custom providers)\n\t */\n\tasync getApiKey(providerId: string, options?: { includeFallback?: boolean }): Promise<string | undefined> {\n\t\t// Runtime override takes highest priority\n\t\tconst runtimeKey = this.runtimeOverrides.get(providerId);\n\t\tif (runtimeKey) {\n\t\t\treturn runtimeKey;\n\t\t}\n\n\t\tconst cred = this.data[providerId];\n\n\t\tif (cred?.type === \"api_key\") {\n\t\t\treturn resolveConfigValue(cred.key);\n\t\t}\n\n\t\tif (cred?.type === \"oauth\") {\n\t\t\tconst provider = getOAuthProvider(providerId);\n\t\t\tif (!provider) {\n\t\t\t\t// Unknown OAuth provider, can't get API key\n\t\t\t\treturn undefined;\n\t\t\t}\n\n\t\t\t// Check if token needs refresh\n\t\t\tconst needsRefresh = Date.now() >= cred.expires;\n\n\t\t\tif (needsRefresh) {\n\t\t\t\t// Use locked refresh to prevent race conditions\n\t\t\t\ttry {\n\t\t\t\t\tconst result = await this.refreshOAuthTokenWithLock(providerId);\n\t\t\t\t\tif (result) {\n\t\t\t\t\t\treturn result.apiKey;\n\t\t\t\t\t}\n\t\t\t\t} catch (error) {\n\t\t\t\t\tthis.recordError(error);\n\t\t\t\t\t// Refresh failed - re-read file to check if another instance succeeded\n\t\t\t\t\tthis.reload();\n\t\t\t\t\tconst updatedCred = this.data[providerId];\n\n\t\t\t\t\tif (updatedCred?.type === \"oauth\" && Date.now() < updatedCred.expires) {\n\t\t\t\t\t\t// Another instance refreshed successfully, use those credentials\n\t\t\t\t\t\treturn provider.getApiKey(updatedCred);\n\t\t\t\t\t}\n\n\t\t\t\t\t// Refresh truly failed - return undefined so model discovery skips this provider\n\t\t\t\t\t// User can /login to re-authenticate (credentials preserved for retry)\n\t\t\t\t\treturn undefined;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\t// Token not expired, use current access token\n\t\t\t\treturn provider.getApiKey(cred);\n\t\t\t}\n\t\t}\n\n\t\t// Fall back to environment variable\n\t\tconst envKey = getEnvApiKey(providerId);\n\t\tif (envKey) return envKey;\n\n\t\t// Fall back to custom resolver (e.g., models.json custom providers)\n\t\tif (options?.includeFallback !== false) {\n\t\t\treturn this.fallbackResolver?.(providerId) ?? undefined;\n\t\t}\n\n\t\treturn undefined;\n\t}\n\n\t/**\n\t * Get all registered OAuth providers\n\t */\n\tgetOAuthProviders() {\n\t\treturn getOAuthProviders();\n\t}\n}\n"]}

package/dist/core/auth-storage.js

@@ -5,14 +5,15 @@
  * Uses file locking to prevent race conditions when multiple pi instances
  * try to refresh tokens simultaneously.
  */
-import { getEnvApiKey, } from "phi-code-ai";
-import { getOAuthApiKey, getOAuthProvider, getOAuthProviders } from "phi-code-ai/oauth";
 import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
 import { dirname, join } from "path";
+import { findEnvKeys, getEnvApiKey, } from "phi-code-ai";
+import { getOAuthApiKey, getOAuthProvider, getOAuthProviders } from "phi-code-ai/oauth";
 import lockfile from "proper-lockfile";
 import { getAgentDir } from "../config.js";
 import { resolveConfigValue } from "./resolve-config-value.js";
 export class FileAuthStorageBackend {
+    authPath;
     constructor(authPath = join(getAgentDir(), "auth.json")) {
         this.authPath = authPath;
     }
@@ -122,6 +123,7 @@ export class FileAuthStorageBackend {
     }
 }
 export class InMemoryAuthStorageBackend {
+    value;
     withLock(fn) {
         const { result, next } = fn(this.value);
         if (next !== undefined) {
@@ -141,12 +143,14 @@ export class InMemoryAuthStorageBackend {
  * Credential storage backed by a JSON file.
  */
 export class AuthStorage {
+    storage;
+    data = {};
+    runtimeOverrides = new Map();
+    fallbackResolver;
+    loadError = null;
+    errors = [];
     constructor(storage) {
         this.storage = storage;
-        this.data = {};
-        this.runtimeOverrides = new Map();
-        this.loadError = null;
-        this.errors = [];
         this.reload();
     }
     static create(authPath) {
@@ -276,6 +280,25 @@ export class AuthStorage {
             return true;
         return false;
     }
+    /**
+     * Return auth status without exposing credential values or refreshing tokens.
+     */
+    getAuthStatus(provider) {
+        if (this.data[provider]) {
+            return { configured: true, source: "stored" };
+        }
+        if (this.runtimeOverrides.has(provider)) {
+            return { configured: false, source: "runtime", label: "--api-key" };
+        }
+        const envKeys = findEnvKeys(provider);
+        if (envKeys?.[0]) {
+            return { configured: false, source: "environment", label: envKeys[0] };
+        }
+        if (this.fallbackResolver?.(provider)) {
+            return { configured: false, source: "fallback", label: "custom provider config" };
+        }
+        return { configured: false };
+    }
     /**
      * Get all credentials (for passing to getOAuthApiKey).
      */
@@ -353,7 +376,7 @@ export class AuthStorage {
      * 4. Environment variable
      * 5. Fallback resolver (models.json custom providers)
      */
-    async getApiKey(providerId) {
+    async getApiKey(providerId, options) {
         // Runtime override takes highest priority
         const runtimeKey = this.runtimeOverrides.get(providerId);
         if (runtimeKey) {
@@ -403,7 +426,10 @@ export class AuthStorage {
         if (envKey)
             return envKey;
         // Fall back to custom resolver (e.g., models.json custom providers)
-        return this.fallbackResolver?.(providerId) ?? undefined;
+        if (options?.includeFallback !== false) {
+            return this.fallbackResolver?.(providerId) ?? undefined;
+        }
+        return undefined;
     }
     /**
      * Get all registered OAuth providers