@prestyj/core 5.1.1 → 5.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.js CHANGED
@@ -1,15 +1,42 @@
1
1
  import {
2
+ AuthStorage,
2
3
  DEFAULT_MAX_VIDEO_BYTES,
3
4
  MODELS,
5
+ MOONSHOT_OAUTH_KEY,
6
+ NotLoggedInError,
7
+ XIAOMI_CREDITS_KEY,
8
+ closeLogger,
9
+ generatePKCE,
10
+ getAuthStorageKey,
11
+ getAuthStorageKeys,
12
+ getClaudeCliUserAgent,
13
+ getClaudeCodeVersion,
4
14
  getContextWindow,
5
15
  getDefaultModel,
6
16
  getMaxThinkingLevel,
7
17
  getModel,
8
18
  getModelsForProvider,
19
+ getSessionId,
9
20
  getSummaryModel,
10
21
  getVideoByteLimit,
11
- usesOpenAICodexTransport
12
- } from "./chunk-GRBEFHTI.js";
22
+ isKimiCodingEndpoint,
23
+ isLoggerOpen,
24
+ kimiCodeBaseUrl,
25
+ kimiCodingHeaders,
26
+ log,
27
+ loginAnthropic,
28
+ loginGemini,
29
+ loginKimi,
30
+ loginOpenAI,
31
+ openLog,
32
+ refreshAnthropicToken,
33
+ refreshGeminiToken,
34
+ refreshKimiToken,
35
+ refreshOpenAIToken,
36
+ registerLogCleanup,
37
+ usesOpenAICodexTransport,
38
+ withFileLock
39
+ } from "./chunk-5GGCATYH.js";
13
40
  import {
14
41
  getAppPaths
15
42
  } from "./chunk-WQFTKHPJ.js";
@@ -40,7 +67,7 @@ function isAnthropicOpus48Or47Model(provider, model) {
40
67
  return provider === "anthropic" && /opus-4-8|opus-4-7/.test(model);
41
68
  }
42
69
  function isAnthropicAdaptiveModel(provider, model) {
43
- return provider === "anthropic" && /opus-4-8|opus-4-7|opus-4-6|sonnet-4-6|fable-5|mythos-5/.test(model);
70
+ return provider === "anthropic" && /opus-4-8|opus-4-7|opus-4-6|sonnet-5|fable-5|mythos-5/.test(model);
44
71
  }
45
72
  function getSupportedThinkingLevels(provider, model) {
46
73
  const maxLevel = getMaxThinkingLevel(model);
@@ -75,1341 +102,6 @@ function getNextThinkingLevel(provider, model, current) {
75
102
  return supportedLevels[index + 1];
76
103
  }
77
104
 
78
- // src/logger.ts
79
- import fs from "fs";
80
- import path from "path";
81
- import { randomBytes } from "crypto";
82
- var MAX_BYTES = 10 * 1024 * 1024;
83
- var fd = null;
84
- var sessionId = "";
85
- var appName = "app";
86
- var cleanups = [];
87
- function rotateIfNeeded(filePath) {
88
- try {
89
- const st = fs.statSync(filePath);
90
- if (st.size < MAX_BYTES) return;
91
- const rotated = `${filePath}.1`;
92
- try {
93
- fs.unlinkSync(rotated);
94
- } catch {
95
- }
96
- fs.renameSync(filePath, rotated);
97
- } catch {
98
- }
99
- }
100
- function openLog(filePath, name) {
101
- if (fd !== null) return false;
102
- appName = name;
103
- try {
104
- fs.mkdirSync(path.dirname(filePath), { recursive: true, mode: 448 });
105
- } catch {
106
- }
107
- rotateIfNeeded(filePath);
108
- try {
109
- fd = fs.openSync(filePath, "a");
110
- } catch {
111
- return false;
112
- }
113
- sessionId = randomBytes(4).toString("hex");
114
- try {
115
- fs.writeSync(fd, "\n");
116
- } catch {
117
- }
118
- return true;
119
- }
120
- function getSessionId() {
121
- return sessionId;
122
- }
123
- function isLoggerOpen() {
124
- return fd !== null;
125
- }
126
- function log(level, category, message, data) {
127
- if (fd === null) return;
128
- const ts = (/* @__PURE__ */ new Date()).toISOString();
129
- let line = `[${ts}] [sid=${sessionId}] [${level}] [${category}] ${message}`;
130
- if (data) {
131
- const pairs = Object.entries(data).map(([k, v]) => `${k}=${typeof v === "string" ? v : JSON.stringify(v)}`).join(" ");
132
- if (pairs) line += ` ${pairs}`;
133
- }
134
- line += "\n";
135
- try {
136
- fs.writeSync(fd, line);
137
- } catch {
138
- }
139
- }
140
- function registerLogCleanup(fn) {
141
- cleanups.push(fn);
142
- }
143
- function closeLogger(opts) {
144
- if (fd === null) return;
145
- if (opts?.shutdownLine !== false) log("INFO", "shutdown", `${appName} shutting down`);
146
- try {
147
- fs.closeSync(fd);
148
- } catch {
149
- }
150
- fd = null;
151
- for (const unsub of cleanups) unsub();
152
- cleanups = [];
153
- }
154
-
155
- // src/file-lock.ts
156
- import fs2 from "fs/promises";
157
- import { setTimeout as setTimeout2 } from "timers/promises";
158
- var STALE_TIMEOUT_MS = 1e4;
159
- var RETRY_INTERVAL_MS = 50;
160
- var MAX_WAIT_MS = 5e3;
161
- async function withFileLock(filePath, fn) {
162
- const lockPath = filePath + ".lock";
163
- await acquireLock(lockPath);
164
- try {
165
- return await fn();
166
- } finally {
167
- await releaseLock(lockPath);
168
- }
169
- }
170
- async function acquireLock(lockPath) {
171
- const startTime = Date.now();
172
- while (true) {
173
- try {
174
- const info = { pid: process.pid, timestamp: Date.now() };
175
- await fs2.writeFile(lockPath, JSON.stringify(info), { flag: "wx" });
176
- return;
177
- } catch (err) {
178
- if (err.code !== "EEXIST") throw err;
179
- try {
180
- const content = await fs2.readFile(lockPath, "utf-8");
181
- const info = JSON.parse(content);
182
- const isProcessAlive = isAlive(info.pid);
183
- const isStale = Date.now() - info.timestamp > STALE_TIMEOUT_MS;
184
- if (!isProcessAlive || isStale) {
185
- await fs2.unlink(lockPath).catch(() => {
186
- });
187
- continue;
188
- }
189
- } catch {
190
- await fs2.unlink(lockPath).catch(() => {
191
- });
192
- continue;
193
- }
194
- if (Date.now() - startTime > MAX_WAIT_MS) {
195
- await fs2.unlink(lockPath).catch(() => {
196
- });
197
- continue;
198
- }
199
- await setTimeout2(RETRY_INTERVAL_MS);
200
- }
201
- }
202
- }
203
- async function releaseLock(lockPath) {
204
- await fs2.unlink(lockPath).catch(() => {
205
- });
206
- }
207
- function isAlive(pid) {
208
- try {
209
- process.kill(pid, 0);
210
- return true;
211
- } catch (err) {
212
- if (err.code === "EPERM") return true;
213
- return false;
214
- }
215
- }
216
-
217
- // src/claude-code-version.ts
218
- import fs3 from "fs/promises";
219
- import path2 from "path";
220
- var NPM_LATEST_URL = "https://registry.npmjs.org/@anthropic-ai/claude-code/latest";
221
- var CACHE_TTL_MS = 24 * 60 * 60 * 1e3;
222
- var FETCH_TIMEOUT_MS = 3e3;
223
- var FALLBACK_VERSION = "2.1.88";
224
- var memoryCache = null;
225
- var inflight = null;
226
- function cachePath() {
227
- return path2.join(getAppPaths().agentDir, "claude-code-version.json");
228
- }
229
- async function readDiskCache() {
230
- try {
231
- const raw = await fs3.readFile(cachePath(), "utf-8");
232
- const parsed = JSON.parse(raw);
233
- if (typeof parsed.version === "string" && typeof parsed.fetchedAt === "number") {
234
- return parsed;
235
- }
236
- return null;
237
- } catch {
238
- return null;
239
- }
240
- }
241
- async function writeDiskCache(data) {
242
- try {
243
- await fs3.mkdir(getAppPaths().agentDir, { recursive: true, mode: 448 });
244
- await fs3.writeFile(cachePath(), JSON.stringify(data), { mode: 384 });
245
- } catch (err) {
246
- log(
247
- "WARN",
248
- "claude-code-version",
249
- `Failed to write cache: ${err instanceof Error ? err.message : String(err)}`
250
- );
251
- }
252
- }
253
- async function fetchLatest() {
254
- const controller = new AbortController();
255
- const timer = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
256
- try {
257
- const response = await fetch(NPM_LATEST_URL, { signal: controller.signal });
258
- if (!response.ok) return null;
259
- const data = await response.json();
260
- if (typeof data.version === "string" && /^\d/.test(data.version)) {
261
- return data.version;
262
- }
263
- return null;
264
- } catch {
265
- return null;
266
- } finally {
267
- clearTimeout(timer);
268
- }
269
- }
270
- async function getClaudeCodeVersion() {
271
- if (memoryCache && Date.now() < memoryCache.expiresAt) {
272
- return memoryCache.version;
273
- }
274
- if (inflight) return inflight;
275
- inflight = (async () => {
276
- const disk = await readDiskCache();
277
- const diskFresh = disk && Date.now() - disk.fetchedAt < CACHE_TTL_MS;
278
- if (disk && diskFresh) {
279
- memoryCache = { version: disk.version, expiresAt: Date.now() + CACHE_TTL_MS };
280
- return disk.version;
281
- }
282
- const fetched = await fetchLatest();
283
- if (fetched) {
284
- await writeDiskCache({ version: fetched, fetchedAt: Date.now() });
285
- memoryCache = { version: fetched, expiresAt: Date.now() + CACHE_TTL_MS };
286
- return fetched;
287
- }
288
- const resolved = disk?.version ?? FALLBACK_VERSION;
289
- memoryCache = { version: resolved, expiresAt: Date.now() + 5 * 60 * 1e3 };
290
- log(
291
- "WARN",
292
- "claude-code-version",
293
- `Failed to fetch latest Claude Code version; using ${resolved}`
294
- );
295
- return resolved;
296
- })();
297
- try {
298
- return await inflight;
299
- } finally {
300
- inflight = null;
301
- }
302
- }
303
- async function getClaudeCliUserAgent() {
304
- const version = await getClaudeCodeVersion();
305
- return `claude-cli/${version} (external, cli)`;
306
- }
307
-
308
- // src/auth-storage.ts
309
- import fs4 from "fs/promises";
310
- import crypto5 from "crypto";
311
-
312
- // src/oauth/anthropic.ts
313
- import crypto2 from "crypto";
314
-
315
- // src/oauth/pkce.ts
316
- function base64urlEncode(bytes) {
317
- let binary = "";
318
- for (const byte of bytes) {
319
- binary += String.fromCharCode(byte);
320
- }
321
- return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
322
- }
323
- async function generatePKCE() {
324
- const verifierBytes = new Uint8Array(32);
325
- crypto.getRandomValues(verifierBytes);
326
- const verifier = base64urlEncode(verifierBytes);
327
- const data = new TextEncoder().encode(verifier);
328
- const hashBuffer = await crypto.subtle.digest("SHA-256", data);
329
- const challenge = base64urlEncode(new Uint8Array(hashBuffer));
330
- return { verifier, challenge };
331
- }
332
-
333
- // src/oauth/anthropic.ts
334
- var CLIENT_ID = atob("OWQxYzI1MGEtZTYxYi00NGQ5LTg4ZWQtNTk0NGQxOTYyZjVl");
335
- var AUTHORIZE_URL = "https://claude.ai/oauth/authorize";
336
- var TOKEN_URLS = [
337
- "https://platform.claude.com/v1/oauth/token",
338
- "https://console.anthropic.com/v1/oauth/token"
339
- ];
340
- var REDIRECT_URI = "https://platform.claude.com/oauth/code/callback";
341
- var SCOPES = "org:create_api_key user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload";
342
- async function postTokenRequest(body, label) {
343
- const encoded = JSON.stringify(body);
344
- const headers = {
345
- "Content-Type": "application/json",
346
- "User-Agent": await getClaudeCliUserAgent(),
347
- "anthropic-beta": "oauth-2025-04-20"
348
- };
349
- let lastError = null;
350
- for (const url of TOKEN_URLS) {
351
- let response;
352
- try {
353
- response = await fetch(url, { method: "POST", headers, body: encoded });
354
- } catch (err) {
355
- lastError = err instanceof Error ? err : new Error(String(err));
356
- continue;
357
- }
358
- if (response.ok) {
359
- return await response.json();
360
- }
361
- const text = await response.text();
362
- if (response.status >= 400 && response.status < 500) {
363
- throw new Error(`Anthropic ${label} failed (${response.status}): ${text}`);
364
- }
365
- lastError = new Error(`Anthropic ${label} failed (${response.status}): ${text}`);
366
- }
367
- throw lastError ?? new Error(`Anthropic ${label} failed: all endpoints unreachable`);
368
- }
369
- function toCredentials(data) {
370
- return {
371
- accessToken: data.access_token,
372
- refreshToken: data.refresh_token,
373
- expiresAt: Date.now() + data.expires_in * 1e3 - 5 * 60 * 1e3
374
- };
375
- }
376
- async function loginAnthropic(callbacks) {
377
- const { verifier, challenge } = await generatePKCE();
378
- const state = crypto2.randomBytes(16).toString("hex");
379
- const params = new URLSearchParams({
380
- code: "true",
381
- client_id: CLIENT_ID,
382
- response_type: "code",
383
- redirect_uri: REDIRECT_URI,
384
- scope: SCOPES,
385
- code_challenge: challenge,
386
- code_challenge_method: "S256",
387
- state
388
- });
389
- const authUrl = `${AUTHORIZE_URL}?${params}`;
390
- callbacks.onOpenUrl(authUrl);
391
- const raw = await callbacks.onPromptCode("Paste the code from the browser (format: code#state):");
392
- const parts = raw.trim().split("#");
393
- if (parts.length !== 2 || !parts[0] || parts[1] !== state) {
394
- throw new Error("Invalid code or state mismatch. Please try again.");
395
- }
396
- return exchangeAnthropicCode(parts[0], parts[1], verifier);
397
- }
398
- async function exchangeAnthropicCode(code, state, verifier) {
399
- const data = await postTokenRequest(
400
- {
401
- grant_type: "authorization_code",
402
- client_id: CLIENT_ID,
403
- code,
404
- state,
405
- redirect_uri: REDIRECT_URI,
406
- code_verifier: verifier
407
- },
408
- "token exchange"
409
- );
410
- return toCredentials(data);
411
- }
412
- async function refreshAnthropicToken(refreshToken) {
413
- const data = await postTokenRequest(
414
- {
415
- grant_type: "refresh_token",
416
- client_id: CLIENT_ID,
417
- refresh_token: refreshToken
418
- },
419
- "token refresh"
420
- );
421
- return toCredentials(data);
422
- }
423
-
424
- // src/oauth/openai.ts
425
- import http from "http";
426
- import crypto3 from "crypto";
427
- var CLIENT_ID2 = "app_EMoamEEZ73f0CkXaXp7hrann";
428
- var AUTHORIZE_URL2 = "https://auth.openai.com/oauth/authorize";
429
- var TOKEN_URL = "https://auth.openai.com/oauth/token";
430
- var REDIRECT_URI2 = "http://localhost:1455/auth/callback";
431
- var SCOPE = "openid profile email offline_access api.connectors.read api.connectors.invoke";
432
- var JWT_CLAIM_PATH = "https://api.openai.com/auth";
433
- async function loginOpenAI(callbacks) {
434
- const { verifier, challenge } = await generatePKCE();
435
- const state = crypto3.randomBytes(16).toString("hex");
436
- const url = new URL(AUTHORIZE_URL2);
437
- url.searchParams.set("response_type", "code");
438
- url.searchParams.set("client_id", CLIENT_ID2);
439
- url.searchParams.set("redirect_uri", REDIRECT_URI2);
440
- url.searchParams.set("scope", SCOPE);
441
- url.searchParams.set("code_challenge", challenge);
442
- url.searchParams.set("code_challenge_method", "S256");
443
- url.searchParams.set("state", state);
444
- url.searchParams.set("prompt", "login");
445
- url.searchParams.set("id_token_add_organizations", "true");
446
- url.searchParams.set("codex_cli_simplified_flow", "true");
447
- url.searchParams.set("originator", "ezcoder");
448
- let code;
449
- try {
450
- code = await loginWithServer(url.toString(), state, callbacks);
451
- } catch {
452
- callbacks.onOpenUrl(url.toString());
453
- const raw = await callbacks.onPromptCode(
454
- "Could not start local server. Paste the callback URL or code from the browser:"
455
- );
456
- const parsed = parseAuthorizationInput(raw);
457
- if (!parsed.code) {
458
- throw new Error("No authorization code found in input.");
459
- }
460
- code = parsed.code;
461
- }
462
- const creds = await exchangeOpenAICode(code, verifier);
463
- const accountId = getAccountId(creds.accessToken);
464
- if (!accountId) {
465
- throw new Error("Failed to extract accountId from OpenAI token.");
466
- }
467
- creds.accountId = accountId;
468
- return creds;
469
- }
470
- function parseAuthorizationInput(input) {
471
- const value = input.trim();
472
- if (!value) return {};
473
- try {
474
- const url = new URL(value);
475
- return {
476
- code: url.searchParams.get("code") ?? void 0,
477
- state: url.searchParams.get("state") ?? void 0
478
- };
479
- } catch {
480
- }
481
- if (value.includes("#")) {
482
- const [code, state] = value.split("#", 2);
483
- return { code, state };
484
- }
485
- if (value.includes("code=")) {
486
- const params = new URLSearchParams(value);
487
- return {
488
- code: params.get("code") ?? void 0,
489
- state: params.get("state") ?? void 0
490
- };
491
- }
492
- return { code: value };
493
- }
494
- function decodeJwt(token) {
495
- try {
496
- const parts = token.split(".");
497
- if (parts.length !== 3) return null;
498
- const decoded = atob(parts[1]);
499
- return JSON.parse(decoded);
500
- } catch {
501
- return null;
502
- }
503
- }
504
- function getAccountId(accessToken) {
505
- const payload = decodeJwt(accessToken);
506
- const auth = payload?.[JWT_CLAIM_PATH];
507
- const accountId = auth?.chatgpt_account_id;
508
- return typeof accountId === "string" && accountId.length > 0 ? accountId : null;
509
- }
510
- async function loginWithServer(authUrl, expectedState, callbacks) {
511
- return new Promise((resolve, reject) => {
512
- let receivedCode = null;
513
- const server = http.createServer((req, res) => {
514
- const url = new URL(req.url || "", "http://localhost");
515
- if (url.pathname !== "/auth/callback") {
516
- res.statusCode = 404;
517
- res.end("Not found");
518
- return;
519
- }
520
- if (url.searchParams.get("state") !== expectedState) {
521
- res.statusCode = 400;
522
- res.end("State mismatch");
523
- return;
524
- }
525
- receivedCode = url.searchParams.get("code");
526
- res.writeHead(200, { "Content-Type": "text/html" });
527
- res.end("<html><body><h1>Login successful!</h1><p>You can close this tab.</p></body></html>");
528
- server.close();
529
- });
530
- server.on("error", (err) => {
531
- reject(err);
532
- });
533
- server.listen(1455, "127.0.0.1", () => {
534
- callbacks.onOpenUrl(authUrl);
535
- callbacks.onStatus("Waiting for browser callback...");
536
- });
537
- const timeout = setTimeout(() => {
538
- if (!receivedCode) {
539
- server.close();
540
- }
541
- }, 12e4);
542
- timeout.unref();
543
- server.on("close", () => {
544
- clearTimeout(timeout);
545
- if (receivedCode) {
546
- resolve(receivedCode);
547
- } else {
548
- reject(new Error("Server closed without receiving code"));
549
- }
550
- });
551
- });
552
- }
553
- async function exchangeOpenAICode(code, verifier) {
554
- const response = await fetch(TOKEN_URL, {
555
- method: "POST",
556
- headers: { "Content-Type": "application/x-www-form-urlencoded" },
557
- body: new URLSearchParams({
558
- grant_type: "authorization_code",
559
- client_id: CLIENT_ID2,
560
- code,
561
- redirect_uri: REDIRECT_URI2,
562
- code_verifier: verifier
563
- })
564
- });
565
- if (!response.ok) {
566
- const text = await response.text();
567
- throw new Error(`OpenAI token exchange failed (${response.status}): ${text}`);
568
- }
569
- const data = await response.json();
570
- return {
571
- accessToken: data.access_token,
572
- refreshToken: data.refresh_token,
573
- expiresAt: Date.now() + data.expires_in * 1e3
574
- };
575
- }
576
- async function refreshOpenAIToken(refreshToken) {
577
- const response = await fetch(TOKEN_URL, {
578
- method: "POST",
579
- headers: { "Content-Type": "application/x-www-form-urlencoded" },
580
- body: new URLSearchParams({
581
- grant_type: "refresh_token",
582
- refresh_token: refreshToken,
583
- client_id: CLIENT_ID2
584
- })
585
- });
586
- if (!response.ok) {
587
- const text = await response.text();
588
- throw new Error(`OpenAI token refresh failed (${response.status}): ${text}`);
589
- }
590
- const data = await response.json();
591
- const creds = {
592
- accessToken: data.access_token,
593
- refreshToken: data.refresh_token,
594
- expiresAt: Date.now() + data.expires_in * 1e3
595
- };
596
- const accountId = getAccountId(creds.accessToken);
597
- if (accountId) {
598
- creds.accountId = accountId;
599
- }
600
- return creds;
601
- }
602
-
603
- // src/oauth/gemini.ts
604
- import http2 from "http";
605
- import crypto4 from "crypto";
606
- var CLIENT_ID_ENV = "GGCODER_GEMINI_OAUTH_CLIENT_ID";
607
- var CLIENT_SECRET_ENV = "GGCODER_GEMINI_OAUTH_CLIENT_SECRET";
608
- var DEFAULT_CLIENT_ID = "681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com";
609
- var DEFAULT_CLIENT_SECRET = "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";
610
- var AUTHORIZE_URL3 = "https://accounts.google.com/o/oauth2/v2/auth";
611
- var TOKEN_URL2 = "https://oauth2.googleapis.com/token";
612
- var CODE_ASSIST_BASE_URL = "https://cloudcode-pa.googleapis.com";
613
- var CODE_ASSIST_API_VERSION = "v1internal";
614
- var CODE_ASSIST_POST_RETRIES = 3;
615
- var CODE_ASSIST_POST_RETRY_DELAY_MS = 100;
616
- var SCOPE2 = [
617
- "https://www.googleapis.com/auth/cloud-platform",
618
- "https://www.googleapis.com/auth/userinfo.email",
619
- "https://www.googleapis.com/auth/userinfo.profile"
620
- ].join(" ");
621
- var USER_TIER_FREE = "free-tier";
622
- var USER_TIER_LEGACY = "legacy-tier";
623
- var USER_TIER_STANDARD = "standard-tier";
624
- var VALIDATION_REQUIRED_REASON = "VALIDATION_REQUIRED";
625
- var VPC_SC_REASON = "SECURITY_POLICY_VIOLATED";
626
- var CodeAssistHttpError = class extends Error {
627
- status;
628
- body;
629
- constructor(label, status, body) {
630
- super(`Gemini Code Assist ${label} failed (${status}): ${body}`);
631
- this.name = "CodeAssistHttpError";
632
- this.status = status;
633
- this.body = body;
634
- }
635
- };
636
- async function loginGemini(callbacks) {
637
- const { clientId, clientSecret } = getGeminiOAuthClientCredentials();
638
- const { verifier, challenge } = await generatePKCE();
639
- const state = crypto4.randomBytes(32).toString("hex");
640
- const redirectUri = await getLoopbackRedirectUri();
641
- const url = new URL(AUTHORIZE_URL3);
642
- url.searchParams.set("response_type", "code");
643
- url.searchParams.set("client_id", clientId);
644
- url.searchParams.set("redirect_uri", redirectUri);
645
- url.searchParams.set("scope", SCOPE2);
646
- url.searchParams.set("access_type", "offline");
647
- url.searchParams.set("prompt", "consent");
648
- url.searchParams.set("code_challenge", challenge);
649
- url.searchParams.set("code_challenge_method", "S256");
650
- url.searchParams.set("state", state);
651
- let code;
652
- try {
653
- code = await loginWithServer2(url.toString(), redirectUri, state, callbacks);
654
- } catch {
655
- callbacks.onOpenUrl(url.toString());
656
- const raw = await callbacks.onPromptCode(
657
- "Could not start local server. Paste the callback URL or code from the browser:"
658
- );
659
- const parsed = parseAuthorizationInput2(raw);
660
- if (!parsed.code) {
661
- throw new Error("No authorization code found in input.");
662
- }
663
- if (parsed.state && parsed.state !== state) {
664
- throw new Error("Invalid state. Please try again.");
665
- }
666
- code = parsed.code;
667
- }
668
- const creds = await exchangeGeminiCode(code, verifier, redirectUri, clientId, clientSecret);
669
- callbacks.onStatus("Setting up Gemini Code Assist access...");
670
- const projectId = await setupCodeAssistProject(creds.accessToken, callbacks);
671
- return {
672
- ...creds,
673
- projectId
674
- };
675
- }
676
- async function refreshGeminiToken(refreshToken) {
677
- const { clientId, clientSecret } = getGeminiOAuthClientCredentials();
678
- const data = await postTokenRequest2({
679
- grant_type: "refresh_token",
680
- refresh_token: refreshToken,
681
- client_id: clientId,
682
- client_secret: clientSecret
683
- });
684
- return {
685
- accessToken: data.access_token,
686
- refreshToken: data.refresh_token ?? refreshToken,
687
- expiresAt: Date.now() + data.expires_in * 1e3 - 5 * 60 * 1e3
688
- };
689
- }
690
- function getGeminiOAuthClientCredentials() {
691
- const clientId = process.env[CLIENT_ID_ENV]?.trim() || DEFAULT_CLIENT_ID;
692
- const clientSecret = process.env[CLIENT_SECRET_ENV]?.trim() || DEFAULT_CLIENT_SECRET;
693
- return { clientId, clientSecret };
694
- }
695
- async function getLoopbackRedirectUri() {
696
- return new Promise((resolve, reject) => {
697
- const server = http2.createServer();
698
- server.listen(0, "127.0.0.1", () => {
699
- const addr = server.address();
700
- server.close(() => {
701
- if (addr && typeof addr === "object") {
702
- resolve(`http://127.0.0.1:${addr.port}/oauth2callback`);
703
- } else {
704
- reject(new Error("Failed to allocate OAuth callback port."));
705
- }
706
- });
707
- });
708
- server.on("error", reject);
709
- });
710
- }
711
- function parseAuthorizationInput2(input) {
712
- const value = input.trim();
713
- if (!value) return {};
714
- try {
715
- const url = new URL(value);
716
- return {
717
- code: url.searchParams.get("code") ?? void 0,
718
- state: url.searchParams.get("state") ?? void 0
719
- };
720
- } catch {
721
- }
722
- if (value.includes("code=")) {
723
- const params = new URLSearchParams(value);
724
- return {
725
- code: params.get("code") ?? void 0,
726
- state: params.get("state") ?? void 0
727
- };
728
- }
729
- return { code: value };
730
- }
731
- async function loginWithServer2(authUrl, redirectUri, expectedState, callbacks) {
732
- const redirect = new URL(redirectUri);
733
- const port = Number(redirect.port);
734
- return new Promise((resolve, reject) => {
735
- let receivedCode = null;
736
- const server = http2.createServer((req, res) => {
737
- const url = new URL(req.url || "", redirect.origin);
738
- if (url.pathname !== redirect.pathname) {
739
- res.statusCode = 404;
740
- res.end("Not found");
741
- return;
742
- }
743
- if (url.searchParams.get("state") !== expectedState) {
744
- res.statusCode = 400;
745
- res.end("State mismatch");
746
- return;
747
- }
748
- receivedCode = url.searchParams.get("code");
749
- res.writeHead(200, { "Content-Type": "text/html", Connection: "close" });
750
- res.end("<html><body><h1>Login successful!</h1><p>You can close this tab.</p></body></html>");
751
- server.close();
752
- });
753
- server.on("error", (err) => reject(err));
754
- server.listen(port, "127.0.0.1", () => {
755
- callbacks.onOpenUrl(authUrl);
756
- callbacks.onStatus("Waiting for browser callback...");
757
- });
758
- const timeout = setTimeout(() => {
759
- if (!receivedCode) server.close();
760
- }, 12e4);
761
- timeout.unref();
762
- server.on("close", () => {
763
- clearTimeout(timeout);
764
- if (receivedCode) {
765
- resolve(receivedCode);
766
- } else {
767
- reject(new Error("Server closed without receiving code."));
768
- }
769
- });
770
- });
771
- }
772
- async function exchangeGeminiCode(code, verifier, redirectUri, clientId, clientSecret) {
773
- const data = await postTokenRequest2({
774
- grant_type: "authorization_code",
775
- client_id: clientId,
776
- client_secret: clientSecret,
777
- code,
778
- redirect_uri: redirectUri,
779
- code_verifier: verifier
780
- });
781
- if (!data.refresh_token) {
782
- throw new Error("Gemini OAuth did not return a refresh token. Please try login again.");
783
- }
784
- return {
785
- accessToken: data.access_token,
786
- refreshToken: data.refresh_token,
787
- expiresAt: Date.now() + data.expires_in * 1e3 - 5 * 60 * 1e3
788
- };
789
- }
790
- async function postTokenRequest2(body) {
791
- const response = await fetch(TOKEN_URL2, {
792
- method: "POST",
793
- headers: { "Content-Type": "application/x-www-form-urlencoded" },
794
- body: new URLSearchParams(body)
795
- });
796
- if (!response.ok) {
797
- const text = await response.text();
798
- throw new Error(`Gemini token request failed (${response.status}): ${text}`);
799
- }
800
- return await response.json();
801
- }
802
- async function setupCodeAssistProject(accessToken, callbacks) {
803
- const envProject = process.env.GOOGLE_CLOUD_PROJECT ?? process.env.GOOGLE_CLOUD_PROJECT_ID;
804
- if (envProject && /^\d+$/.test(envProject)) {
805
- throw new Error("GOOGLE_CLOUD_PROJECT must be a project ID, not a numeric project number.");
806
- }
807
- const coreMetadata = {
808
- ideType: "IDE_UNSPECIFIED",
809
- platform: "PLATFORM_UNSPECIFIED",
810
- pluginType: "GEMINI"
811
- };
812
- const projectMetadata = {
813
- ...coreMetadata,
814
- ...envProject ? { duetProject: envProject } : {}
815
- };
816
- let loadRes;
817
- while (true) {
818
- loadRes = await loadCodeAssist(accessToken, envProject, projectMetadata);
819
- const validation = getValidationRequiredTier(loadRes);
820
- if (!validation) break;
821
- callbacks.onStatus(
822
- `Gemini Code Assist requires account validation${validation.reasonMessage ? `: ${validation.reasonMessage}` : ""}`
823
- );
824
- callbacks.onOpenUrl(validation.validationUrl);
825
- const answer = await callbacks.onPromptCode(
826
- "Complete validation in the browser, then press Enter to retry (or type cancel):"
827
- );
828
- if (answer.trim().toLowerCase() === "cancel") {
829
- throw new Error("Gemini Code Assist account validation was cancelled.");
830
- }
831
- }
832
- if (loadRes.currentTier) {
833
- const project2 = loadRes.cloudaicompanionProject ?? envProject;
834
- if (!project2) throwProjectError(loadRes);
835
- return project2;
836
- }
837
- const tier = getOnboardTier(loadRes);
838
- const onboardReq = tier.id === USER_TIER_FREE ? {
839
- tierId: tier.id,
840
- cloudaicompanionProject: void 0,
841
- metadata: coreMetadata
842
- } : {
843
- tierId: tier.id,
844
- cloudaicompanionProject: envProject,
845
- metadata: projectMetadata
846
- };
847
- let operation = await codeAssistPost(
848
- accessToken,
849
- "onboardUser",
850
- onboardReq
851
- );
852
- while (!operation.done && operation.name) {
853
- await new Promise((resolve) => setTimeout(resolve, 5e3));
854
- operation = await codeAssistGet(accessToken, operation.name);
855
- }
856
- const project = operation.response?.cloudaicompanionProject?.id ?? envProject;
857
- if (!project) throwProjectError(loadRes);
858
- return project;
859
- }
860
- async function loadCodeAssist(accessToken, envProject, metadata) {
861
- try {
862
- return await codeAssistPost(accessToken, "loadCodeAssist", {
863
- ...envProject ? { cloudaicompanionProject: envProject } : {},
864
- metadata
865
- });
866
- } catch (err) {
867
- if (err instanceof CodeAssistHttpError && isVpcScAffectedError(err)) {
868
- return { currentTier: { id: USER_TIER_STANDARD } };
869
- }
870
- if (err instanceof CodeAssistHttpError && err.status === 403 && envProject === "cloudshell-gca") {
871
- throw new Error(
872
- "Access to the default Cloud Shell Gemini project was denied.\nPlease set your own Google Cloud project by running:\ngcloud config set project [PROJECT_ID]\nor setting export GOOGLE_CLOUD_PROJECT=...",
873
- { cause: err }
874
- );
875
- }
876
- throw err;
877
- }
878
- }
879
- function getValidationRequiredTier(response) {
880
- return response.ineligibleTiers?.find(
881
- (tier) => tier.reasonCode === VALIDATION_REQUIRED_REASON && typeof tier.validationUrl === "string"
882
- );
883
- }
884
- function getOnboardTier(response) {
885
- const defaultTier = response.allowedTiers?.find((tier) => tier.isDefault);
886
- return defaultTier ?? { id: USER_TIER_LEGACY, name: "" };
887
- }
888
- function throwProjectError(response) {
889
- const reasons = response.ineligibleTiers?.map((tier) => tier.reasonMessage ?? tier.tierName).filter((reason) => Boolean(reason));
890
- if (reasons && reasons.length > 0) {
891
- throw new Error(`Gemini Code Assist setup failed: ${reasons.join(", ")}`);
892
- }
893
- throw new Error(
894
- "Gemini requires a Google Cloud project for this account. Set GOOGLE_CLOUD_PROJECT and try again."
895
- );
896
- }
897
- async function codeAssistPost(accessToken, method, body) {
898
- let lastError;
899
- for (let attempt = 0; attempt <= CODE_ASSIST_POST_RETRIES; attempt++) {
900
- try {
901
- return await codeAssistRequest(getCodeAssistMethodUrl(method), accessToken, method, {
902
- method: "POST",
903
- body: JSON.stringify(body)
904
- });
905
- } catch (err) {
906
- if (!(err instanceof CodeAssistHttpError) || attempt === CODE_ASSIST_POST_RETRIES || !shouldRetryCodeAssistStatus(err.status)) {
907
- throw err;
908
- }
909
- lastError = err;
910
- }
911
- await new Promise((resolve) => setTimeout(resolve, CODE_ASSIST_POST_RETRY_DELAY_MS));
912
- }
913
- throw lastError ?? new Error(`Gemini Code Assist ${method} failed.`);
914
- }
915
- async function codeAssistGet(accessToken, operationName) {
916
- return codeAssistRequest(getCodeAssistOperationUrl(operationName), accessToken, "operation", {
917
- method: "GET"
918
- });
919
- }
920
- async function codeAssistRequest(url, accessToken, label, init) {
921
- const response = await fetch(url, {
922
- ...init,
923
- headers: codeAssistHeaders(accessToken)
924
- });
925
- if (!response.ok) {
926
- const text = await response.text();
927
- throw new CodeAssistHttpError(label, response.status, text);
928
- }
929
- return await response.json();
930
- }
931
- function getCodeAssistBaseUrl() {
932
- const endpoint = process.env.CODE_ASSIST_ENDPOINT ?? CODE_ASSIST_BASE_URL;
933
- const version = process.env.CODE_ASSIST_API_VERSION || CODE_ASSIST_API_VERSION;
934
- return `${endpoint}/${version}`;
935
- }
936
- function getCodeAssistMethodUrl(method) {
937
- return `${getCodeAssistBaseUrl()}:${method}`;
938
- }
939
- function getCodeAssistOperationUrl(operationName) {
940
- return `${getCodeAssistBaseUrl()}/${operationName}`;
941
- }
942
- function shouldRetryCodeAssistStatus(status) {
943
- return status === 429 || status === 499 || status >= 500 && status <= 599;
944
- }
945
- function isVpcScAffectedError(error) {
946
- try {
947
- const parsed = JSON.parse(error.body);
948
- if (!parsed || typeof parsed !== "object" || !("error" in parsed)) return false;
949
- const details = parsed.error?.details;
950
- return Array.isArray(details) ? details.some(
951
- (detail) => detail != null && typeof detail === "object" && "reason" in detail && detail.reason === VPC_SC_REASON
952
- ) : false;
953
- } catch {
954
- return false;
955
- }
956
- }
957
- function codeAssistHeaders(accessToken) {
958
- return {
959
- Authorization: `Bearer ${accessToken}`,
960
- "Content-Type": "application/json",
961
- "User-Agent": "google-gemini-cli",
962
- "X-Goog-Api-Client": "gemini-cli/0.0.0"
963
- };
964
- }
965
-
966
- // src/oauth/kimi.ts
967
- import { execFileSync } from "child_process";
968
- import { randomUUID } from "crypto";
969
- import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
970
- import { arch, hostname, release, type } from "os";
971
- import path3 from "path";
972
- var CLIENT_ID3 = "17e5f671-d194-4dfb-9706-5516cb48c098";
973
- var DEFAULT_OAUTH_HOST = "https://auth.kimi.com";
974
- var DEFAULT_CODING_BASE_URL = "https://api.kimi.com/coding/v1";
975
- var KIMI_PLATFORM = "kimi_code_cli";
976
- var DEFAULT_KIMI_VERSION = "1.0.11";
977
- var DEVICE_TIMEOUT_MS = 15 * 60 * 1e3;
978
- function oauthHost() {
979
- const host = process.env.KIMI_CODE_OAUTH_HOST ?? process.env.KIMI_OAUTH_HOST ?? DEFAULT_OAUTH_HOST;
980
- return host.replace(/\/+$/, "");
981
- }
982
- function kimiCodeBaseUrl() {
983
- return (process.env.KIMI_CODE_BASE_URL ?? DEFAULT_CODING_BASE_URL).replace(/\/+$/, "");
984
- }
985
- function kimiVersion() {
986
- const v = process.env.KIMI_CODE_VERSION ?? DEFAULT_KIMI_VERSION;
987
- return asciiHeader(v, DEFAULT_KIMI_VERSION);
988
- }
989
- function asciiHeader(value, fallback = "unknown") {
990
- const cleaned = value.replace(/[^\u0020-\u007E]/g, "").trim();
991
- return cleaned.length > 0 ? cleaned : fallback;
992
- }
993
- function macOsProductVersion() {
994
- try {
995
- const version = execFileSync("/usr/bin/sw_vers", ["-productVersion"], {
996
- encoding: "utf-8",
997
- timeout: 1e3
998
- }).trim();
999
- return version.length > 0 ? version : void 0;
1000
- } catch {
1001
- return void 0;
1002
- }
1003
- }
1004
- function deviceModel() {
1005
- const os = type();
1006
- const version = release();
1007
- const osArch = arch();
1008
- if (os === "Darwin") return `macOS ${macOsProductVersion() ?? version} ${osArch}`;
1009
- if (os === "Windows_NT") return `Windows ${version} ${osArch}`;
1010
- return `${os} ${version} ${osArch}`.trim();
1011
- }
1012
- function deviceId() {
1013
- const idPath = path3.join(getAppPaths().agentDir, "kimi_device_id");
1014
- if (existsSync(idPath)) {
1015
- try {
1016
- const text = readFileSync(idPath, "utf-8").trim();
1017
- if (text.length > 0) return text;
1018
- } catch {
1019
- }
1020
- }
1021
- const id = randomUUID();
1022
- try {
1023
- mkdirSync(getAppPaths().agentDir, { recursive: true, mode: 448 });
1024
- writeFileSync(idPath, id, { encoding: "utf-8", mode: 384 });
1025
- } catch {
1026
- }
1027
- return id;
1028
- }
1029
- function deviceHeaders() {
1030
- return {
1031
- "X-Msh-Platform": KIMI_PLATFORM,
1032
- "X-Msh-Version": kimiVersion(),
1033
- "X-Msh-Device-Name": asciiHeader(hostname()),
1034
- "X-Msh-Device-Model": asciiHeader(deviceModel()),
1035
- "X-Msh-Os-Version": asciiHeader(release()),
1036
- "X-Msh-Device-Id": deviceId()
1037
- };
1038
- }
1039
- function kimiCodingHeaders() {
1040
- return {
1041
- "User-Agent": `kimi-code-cli/${kimiVersion()}`,
1042
- ...deviceHeaders()
1043
- };
1044
- }
1045
- function isKimiCodingEndpoint(baseUrl) {
1046
- if (typeof baseUrl !== "string" || baseUrl.length === 0) return false;
1047
- const normalized = baseUrl.replace(/\/+$/, "");
1048
- return normalized === kimiCodeBaseUrl() || /(^|\.)kimi\.com/i.test(normalized);
1049
- }
1050
- async function postForm(endpoint, params) {
1051
- const response = await fetch(`${oauthHost()}${endpoint}`, {
1052
- method: "POST",
1053
- headers: {
1054
- ...deviceHeaders(),
1055
- "Content-Type": "application/x-www-form-urlencoded",
1056
- Accept: "application/json"
1057
- },
1058
- body: new URLSearchParams(params).toString()
1059
- });
1060
- let data = {};
1061
- try {
1062
- const parsed = await response.json();
1063
- if (parsed && typeof parsed === "object") data = parsed;
1064
- } catch {
1065
- }
1066
- return { status: response.status, data };
1067
- }
1068
- function errorDetail(data) {
1069
- const desc = data.error_description ?? data.message ?? data.error;
1070
- return typeof desc === "string" && desc.length > 0 ? desc : "unknown error";
1071
- }
1072
- function credsFromTokenResponse(data, opts) {
1073
- const accessToken = data.access_token;
1074
- const responseRefreshToken = data.refresh_token;
1075
- const expiresIn = Number(data.expires_in);
1076
- if (typeof accessToken !== "string" || accessToken.length === 0) {
1077
- throw new Error("Kimi OAuth response missing access_token.");
1078
- }
1079
- const refreshToken = typeof responseRefreshToken === "string" && responseRefreshToken.length > 0 ? responseRefreshToken : opts?.fallbackRefreshToken ?? "";
1080
- if (refreshToken.length === 0) {
1081
- throw new Error("Kimi OAuth response missing refresh_token.");
1082
- }
1083
- if (!Number.isFinite(expiresIn) || expiresIn <= 0) {
1084
- throw new Error("Kimi OAuth response missing or invalid expires_in.");
1085
- }
1086
- return {
1087
- accessToken,
1088
- refreshToken,
1089
- expiresAt: Date.now() + expiresIn * 1e3,
1090
- baseUrl: kimiCodeBaseUrl()
1091
- };
1092
- }
1093
- async function requestDeviceAuthorization() {
1094
- const { status, data } = await postForm("/api/oauth/device_authorization", {
1095
- client_id: CLIENT_ID3
1096
- });
1097
- if (status !== 200) {
1098
- throw new Error(`Kimi device authorization failed (${status}): ${errorDetail(data)}`);
1099
- }
1100
- const userCode = data.user_code;
1101
- const deviceCode = data.device_code;
1102
- const verificationUriComplete = data.verification_uri_complete;
1103
- if (typeof userCode !== "string" || typeof deviceCode !== "string") {
1104
- throw new Error("Kimi device authorization response missing user_code/device_code.");
1105
- }
1106
- return {
1107
- userCode,
1108
- deviceCode,
1109
- verificationUri: typeof data.verification_uri === "string" ? data.verification_uri : "",
1110
- verificationUriComplete: typeof verificationUriComplete === "string" ? verificationUriComplete : "",
1111
- interval: Number(data.interval ?? 5) || 5
1112
- };
1113
- }
1114
- async function pollDeviceToken(deviceCode) {
1115
- const { status, data } = await postForm("/api/oauth/token", {
1116
- client_id: CLIENT_ID3,
1117
- device_code: deviceCode,
1118
- grant_type: "urn:ietf:params:oauth:grant-type:device_code"
1119
- });
1120
- if (status === 200 && typeof data.access_token === "string") {
1121
- return { kind: "success", creds: credsFromTokenResponse(data) };
1122
- }
1123
- if (status >= 500) {
1124
- throw new Error(`Kimi token polling server error (${status}): ${errorDetail(data)}`);
1125
- }
1126
- const errorCode = typeof data.error === "string" ? data.error : "unknown_error";
1127
- switch (errorCode) {
1128
- case "authorization_pending":
1129
- return { kind: "pending" };
1130
- case "slow_down":
1131
- return { kind: "slow_down" };
1132
- case "expired_token":
1133
- return { kind: "expired" };
1134
- case "access_denied":
1135
- return { kind: "denied" };
1136
- default:
1137
- throw new Error(`Kimi token polling failed (${status}): ${errorDetail(data)}`);
1138
- }
1139
- }
1140
- function sleep(ms) {
1141
- return new Promise((resolve) => {
1142
- setTimeout(resolve, ms);
1143
- });
1144
- }
1145
- async function loginKimi(callbacks) {
1146
- const auth = await requestDeviceAuthorization();
1147
- callbacks.onStatus(
1148
- `Visit ${auth.verificationUri || auth.verificationUriComplete} and enter code: ${auth.userCode}`
1149
- );
1150
- callbacks.onOpenUrl(auth.verificationUriComplete || auth.verificationUri);
1151
- callbacks.onStatus("Waiting for you to authorize in the browser...");
1152
- const deadline = Date.now() + DEVICE_TIMEOUT_MS;
1153
- let interval = Math.max(auth.interval, 1);
1154
- while (Date.now() < deadline) {
1155
- await sleep(interval * 1e3);
1156
- const result = await pollDeviceToken(auth.deviceCode);
1157
- if (result.kind === "success") return result.creds;
1158
- if (result.kind === "denied") {
1159
- throw new Error("Kimi authorization was denied.");
1160
- }
1161
- if (result.kind === "expired") {
1162
- throw new Error("Kimi device code expired. Please run login again.");
1163
- }
1164
- if (result.kind === "slow_down") {
1165
- interval += 5;
1166
- }
1167
- }
1168
- throw new Error("Kimi login timed out. Please run login again.");
1169
- }
1170
- async function refreshKimiToken(refreshToken) {
1171
- const { status, data } = await postForm("/api/oauth/token", {
1172
- client_id: CLIENT_ID3,
1173
- grant_type: "refresh_token",
1174
- refresh_token: refreshToken
1175
- });
1176
- if (status === 200 && typeof data.access_token === "string") {
1177
- return credsFromTokenResponse(data, { fallbackRefreshToken: refreshToken });
1178
- }
1179
- const errorCode = typeof data.error === "string" ? data.error : "";
1180
- throw new Error(`Kimi token refresh failed (${status}): ${errorCode || errorDetail(data)}`);
1181
- }
1182
-
1183
- // src/auth-storage.ts
1184
- var MOONSHOT_OAUTH_KEY = "moonshot-oauth";
1185
- var REFRESH_SKEW_MS = 6e4;
1186
- var STATIC_API_KEY_PROVIDERS = /* @__PURE__ */ new Set([
1187
- "glm",
1188
- "moonshot",
1189
- "xiaomi",
1190
- "minimax",
1191
- "deepseek",
1192
- "openrouter",
1193
- "sakana"
1194
- ]);
1195
- var AuthStorage = class {
1196
- data = {};
1197
- filePath;
1198
- loaded = false;
1199
- /** Per-provider lock to serialize concurrent refresh calls. */
1200
- refreshLocks = /* @__PURE__ */ new Map();
1201
- constructor(filePath) {
1202
- this.filePath = filePath ?? getAppPaths().authFile;
1203
- }
1204
- /** Path to the on-disk auth file. Useful for status output. */
1205
- get path() {
1206
- return this.filePath;
1207
- }
1208
- /** List provider keys with stored credentials. */
1209
- async listProviders() {
1210
- await this.ensureLoaded();
1211
- return Object.keys(this.data);
1212
- }
1213
- /** True if credentials exist for `provider`. */
1214
- async hasCredentials(provider) {
1215
- await this.ensureLoaded();
1216
- return Boolean(this.data[provider]);
1217
- }
1218
- /**
1219
- * True if the user has any usable auth for the logical provider. For
1220
- * `moonshot` this is satisfied by either the Kimi OAuth credential or the
1221
- * Moonshot API key.
1222
- */
1223
- async hasProviderAuth(provider) {
1224
- await this.ensureLoaded();
1225
- if (provider === "moonshot") {
1226
- return Boolean(this.data[MOONSHOT_OAUTH_KEY] || this.data["moonshot"]);
1227
- }
1228
- return Boolean(this.data[provider]);
1229
- }
1230
- /**
1231
- * True if the active credential for `provider` is a static API key with no
1232
- * refresh mechanism. For `moonshot` this is only true when the Kimi OAuth
1233
- * credential is absent (a present OAuth credential is refreshable).
1234
- */
1235
- async isStaticApiKey(provider) {
1236
- await this.ensureLoaded();
1237
- if (provider === "moonshot" && this.data[MOONSHOT_OAUTH_KEY]) {
1238
- return false;
1239
- }
1240
- return STATIC_API_KEY_PROVIDERS.has(provider);
1241
- }
1242
- async load() {
1243
- await withFileLock(this.filePath, async () => {
1244
- try {
1245
- const content = await fs4.readFile(this.filePath, "utf-8");
1246
- this.data = JSON.parse(content);
1247
- log("INFO", "auth", `Loaded credentials from ${this.filePath}`, {
1248
- providers: Object.keys(this.data).join(",") || "(none)"
1249
- });
1250
- } catch (err) {
1251
- this.data = {};
1252
- const code = err.code;
1253
- if (code === "ENOENT") {
1254
- log("INFO", "auth", `No auth file found at ${this.filePath} (first run)`);
1255
- } else {
1256
- log(
1257
- "ERROR",
1258
- "auth",
1259
- `Failed to load auth file: ${err instanceof Error ? err.message : String(err)}`,
1260
- { path: this.filePath, code: code ?? "unknown" }
1261
- );
1262
- }
1263
- }
1264
- });
1265
- this.loaded = true;
1266
- }
1267
- async ensureLoaded() {
1268
- if (!this.loaded) await this.load();
1269
- }
1270
- /**
1271
- * Force a re-read from disk, discarding the in-memory cache. Needed when
1272
- * another process mutates the auth file out-of-band — e.g. the desktop app
1273
- * writes API keys natively (Rust → ~/.ezcoder/auth.json) without going through
1274
- * this instance, so a long-lived daemon's cache would otherwise stay stale and
1275
- * never see a newly added provider key.
1276
- */
1277
- async reload() {
1278
- this.loaded = false;
1279
- await this.load();
1280
- }
1281
- async getCredentials(provider) {
1282
- await this.ensureLoaded();
1283
- return this.data[provider];
1284
- }
1285
- async setCredentials(provider, creds) {
1286
- await this.ensureLoaded();
1287
- this.data[provider] = creds;
1288
- await this.save();
1289
- }
1290
- async clearCredentials(provider) {
1291
- await this.ensureLoaded();
1292
- delete this.data[provider];
1293
- await this.save();
1294
- }
1295
- async clearAll() {
1296
- this.data = {};
1297
- await this.save();
1298
- }
1299
- /**
1300
- * Returns valid credentials, auto-refreshing if expired.
1301
- * If `forceRefresh` is true, refreshes even if the token hasn't expired
1302
- * (useful when the provider rejects a token with 401 before its stored expiry).
1303
- * Throws if not logged in.
1304
- */
1305
- async resolveCredentials(provider, opts) {
1306
- await this.ensureLoaded();
1307
- if (provider === "moonshot" && this.data[MOONSHOT_OAUTH_KEY]) {
1308
- try {
1309
- return await this.resolveCredentials(MOONSHOT_OAUTH_KEY, opts);
1310
- } catch (err) {
1311
- if (err instanceof NotLoggedInError && this.data["moonshot"]) {
1312
- log(
1313
- "WARN",
1314
- "auth",
1315
- 'Kimi OAuth credential is no longer valid \u2014 falling back to the Moonshot API key. Run "ezcoder login" and choose Kimi OAuth to restore OAuth auth.'
1316
- );
1317
- return this.data["moonshot"];
1318
- }
1319
- throw err;
1320
- }
1321
- }
1322
- const creds = this.data[provider];
1323
- if (!creds) {
1324
- throw new NotLoggedInError(provider);
1325
- }
1326
- if (STATIC_API_KEY_PROVIDERS.has(provider)) {
1327
- return creds;
1328
- }
1329
- if (!opts?.forceRefresh && Date.now() < creds.expiresAt - REFRESH_SKEW_MS) {
1330
- return creds;
1331
- }
1332
- const existing = this.refreshLocks.get(provider);
1333
- if (existing) return existing;
1334
- const refreshPromise = withFileLock(this.filePath, async () => {
1335
- try {
1336
- const content = await fs4.readFile(this.filePath, "utf-8");
1337
- const freshData = JSON.parse(content);
1338
- const freshCreds = freshData[provider];
1339
- if (freshCreds && !opts?.forceRefresh && Date.now() < freshCreds.expiresAt - REFRESH_SKEW_MS) {
1340
- this.data[provider] = freshCreds;
1341
- return freshCreds;
1342
- }
1343
- } catch {
1344
- }
1345
- const refreshFn = provider === "anthropic" ? refreshAnthropicToken : provider === "gemini" ? refreshGeminiToken : provider === MOONSHOT_OAUTH_KEY ? refreshKimiToken : refreshOpenAIToken;
1346
- let refreshed;
1347
- try {
1348
- refreshed = await refreshFn(creds.refreshToken);
1349
- } catch (err) {
1350
- const msg = err instanceof Error ? err.message : String(err);
1351
- const isAuthFailure = /\((401|400)\)/.test(msg) || /invalid_grant|invalid_token|invalid.*refresh/i.test(msg) || /unauthorized/i.test(msg);
1352
- if (isAuthFailure) {
1353
- delete this.data[provider];
1354
- await atomicWriteFile(this.filePath, JSON.stringify(this.data, null, 2));
1355
- throw new NotLoggedInError(provider);
1356
- }
1357
- throw err;
1358
- }
1359
- if (!refreshed.accountId && creds.accountId) {
1360
- refreshed.accountId = creds.accountId;
1361
- }
1362
- if (!refreshed.projectId && creds.projectId) {
1363
- refreshed.projectId = creds.projectId;
1364
- }
1365
- if (!refreshed.baseUrl && creds.baseUrl) {
1366
- refreshed.baseUrl = creds.baseUrl;
1367
- }
1368
- this.data[provider] = refreshed;
1369
- await atomicWriteFile(this.filePath, JSON.stringify(this.data, null, 2));
1370
- return refreshed;
1371
- });
1372
- this.refreshLocks.set(provider, refreshPromise);
1373
- try {
1374
- return await refreshPromise;
1375
- } finally {
1376
- this.refreshLocks.delete(provider);
1377
- }
1378
- }
1379
- /**
1380
- * Returns a valid access token, auto-refreshing if expired.
1381
- * Throws if not logged in.
1382
- */
1383
- async resolveToken(provider) {
1384
- const creds = await this.resolveCredentials(provider);
1385
- return creds.accessToken;
1386
- }
1387
- async save() {
1388
- await withFileLock(this.filePath, async () => {
1389
- await atomicWriteFile(this.filePath, JSON.stringify(this.data, null, 2));
1390
- });
1391
- }
1392
- };
1393
- async function atomicWriteFile(filePath, content) {
1394
- const tmpPath = `${filePath}.${process.pid}.${Date.now()}.${crypto5.randomUUID().slice(0, 8)}.tmp`;
1395
- try {
1396
- await fs4.writeFile(tmpPath, content, { encoding: "utf-8", mode: 384 });
1397
- await fs4.rename(tmpPath, filePath);
1398
- } catch (err) {
1399
- await fs4.unlink(tmpPath).catch(() => {
1400
- });
1401
- throw err;
1402
- }
1403
- }
1404
- var NotLoggedInError = class extends Error {
1405
- provider;
1406
- constructor(provider) {
1407
- super(`Not logged in to ${provider}. Run "ezcoder login" to authenticate.`);
1408
- this.name = "NotLoggedInError";
1409
- this.provider = provider;
1410
- }
1411
- };
1412
-
1413
105
  // src/telegram.ts
1414
106
  var TELEGRAM_API = "https://api.telegram.org";
1415
107
  var MAX_MESSAGE_LENGTH = 4096;
@@ -1463,7 +155,7 @@ var TelegramBot = class {
1463
155
  } catch (err) {
1464
156
  if (!this.running) break;
1465
157
  console.error(`[telegram] Poll error: ${err instanceof Error ? err.message : err}`);
1466
- await sleep2(3e3);
158
+ await sleep(3e3);
1467
159
  }
1468
160
  }
1469
161
  }
@@ -1633,7 +325,7 @@ function splitMessage(text) {
1633
325
  }
1634
326
  return chunks;
1635
327
  }
1636
- function sleep2(ms) {
328
+ function sleep(ms) {
1637
329
  return new Promise((r) => setTimeout(r, ms));
1638
330
  }
1639
331
 
@@ -1719,10 +411,10 @@ async function transcribeVoice(fileUrl) {
1719
411
 
1720
412
  // src/auto-update.ts
1721
413
  import { spawn } from "child_process";
1722
- import fs5 from "fs";
1723
- import path4 from "path";
414
+ import fs from "fs";
415
+ import path from "path";
1724
416
  var CHECK_INTERVAL_MS = 60 * 60 * 1e3;
1725
- var FETCH_TIMEOUT_MS2 = 1e4;
417
+ var FETCH_TIMEOUT_MS = 1e4;
1726
418
  function compareVersions(a, b) {
1727
419
  const pa = a.split(".").map(Number);
1728
420
  const pb = b.split(".").map(Number);
@@ -1753,7 +445,7 @@ function createAutoUpdater(config) {
1753
445
  }
1754
446
  function readState() {
1755
447
  try {
1756
- const raw = fs5.readFileSync(stateFilePath(), "utf-8");
448
+ const raw = fs.readFileSync(stateFilePath(), "utf-8");
1757
449
  return JSON.parse(raw);
1758
450
  } catch {
1759
451
  return null;
@@ -1762,8 +454,8 @@ function createAutoUpdater(config) {
1762
454
  function writeState(state) {
1763
455
  try {
1764
456
  const filePath = stateFilePath();
1765
- fs5.mkdirSync(path4.dirname(filePath), { recursive: true, mode: 448 });
1766
- fs5.writeFileSync(filePath, JSON.stringify(state));
457
+ fs.mkdirSync(path.dirname(filePath), { recursive: true, mode: 448 });
458
+ fs.writeFileSync(filePath, JSON.stringify(state));
1767
459
  } catch {
1768
460
  }
1769
461
  }
@@ -1792,7 +484,7 @@ function createAutoUpdater(config) {
1792
484
  async function fetchLatestVersion() {
1793
485
  try {
1794
486
  const controller = new AbortController();
1795
- const timeout = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS2);
487
+ const timeout = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
1796
488
  const response = await fetch(REGISTRY_URL, { signal: controller.signal });
1797
489
  clearTimeout(timeout);
1798
490
  const data = await response.json();
@@ -1892,12 +584,15 @@ export {
1892
584
  MOONSHOT_OAUTH_KEY,
1893
585
  NotLoggedInError,
1894
586
  TelegramBot,
587
+ XIAOMI_CREDITS_KEY,
1895
588
  closeLogger,
1896
589
  createAutoUpdater,
1897
590
  decodeOggOpus,
1898
591
  downmixToMono,
1899
592
  generatePKCE,
1900
593
  getAppPaths,
594
+ getAuthStorageKey,
595
+ getAuthStorageKeys,
1901
596
  getClaudeCliUserAgent,
1902
597
  getClaudeCodeVersion,
1903
598
  getContextWindow,