npm - @qwen-code/qwen-code - Versions diffs - 0.18.0-preview.2 → 0.18.1 - Mend

@qwen-code/qwen-code 0.18.0-preview.2 → 0.18.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (143) hide show

package/bundled/loop/SKILL.md +2 -1
package/bundled/qc-helper/docs/_meta.ts +1 -0
package/bundled/qc-helper/docs/configuration/auth.md +1 -1
package/bundled/qc-helper/docs/configuration/model-providers.md +12 -5
package/bundled/qc-helper/docs/configuration/settings.md +33 -32
package/bundled/qc-helper/docs/features/approval-mode.md +10 -14
package/bundled/qc-helper/docs/features/commands.md +33 -11
package/bundled/qc-helper/docs/features/dual-output.md +37 -3
package/bundled/qc-helper/docs/features/followup-suggestions.md +2 -2
package/bundled/qc-helper/docs/features/skills.md +29 -3
package/bundled/qc-helper/docs/features/sub-agents.md +34 -12
package/bundled/qc-helper/docs/qwen-serve-deploy-local.md +221 -0
package/bundled/qc-helper/docs/qwen-serve.md +246 -28
package/chunks/{agent-QB7TZ4HW.js → agent-XT7NHZ5H.js} +25 -24
package/chunks/agent-headless-LNRE63ZL.js +51 -0
package/chunks/{anthropicContentGenerator-M45EVVRM.js → anthropicContentGenerator-DCI26OQF.js} +7 -7
package/chunks/{askUserQuestion-WM2KHM3K.js → askUserQuestion-ITYUTWLR.js} +45 -3
package/chunks/{ca-BARBRL6N.js → ca-RK4QPLIX.js} +18 -1
package/chunks/{chunk-CWV3SJZS.js → chunk-3NRO6NHX.js} +2 -2
package/chunks/{chunk-BNESGOSJ.js → chunk-55ZMG67I.js} +1 -1
package/chunks/{chunk-QCG6KPNM.js → chunk-6T7Y7USE.js} +18017 -11621
package/chunks/{chunk-CNHFPN7T.js → chunk-7KPZFE5A.js} +1 -1
package/chunks/{chunk-2ZTWI7KH.js → chunk-A2ZIEEGJ.js} +30 -22
package/chunks/{chunk-JUGRPQAB.js → chunk-B4ZF2KSI.js} +1 -1
package/chunks/chunk-BJ5HQ23U.js +178 -0
package/chunks/{chunk-HXJE7VOG.js → chunk-BXYRCW2C.js} +1074 -144
package/chunks/{chunk-ICOI4E4S.js → chunk-CPVI5J2L.js} +101 -23
package/chunks/{chunk-HV3ZZ7G4.js → chunk-DHZREJTG.js} +2 -2
package/chunks/{chunk-GX7VH5JQ.js → chunk-FIQECJTQ.js} +1 -1
package/chunks/{chunk-SZOEIL6S.js → chunk-H6BD2ELD.js} +1 -0
package/chunks/{chunk-JXAZUMDW.js → chunk-HA2UEYZP.js} +7 -4
package/chunks/{chunk-USE2VQ5P.js → chunk-HED55F43.js} +26 -1
package/chunks/{chunk-PAEBHDIO.js → chunk-HQUWWSSP.js} +1 -1
package/chunks/{chunk-MVIVIPCU.js → chunk-IDYDPBBN.js} +361 -583
package/chunks/{chunk-JVQOQ3OU.js → chunk-IQHSD7K5.js} +1 -1
package/chunks/{chunk-NW5QBUYO.js → chunk-IS7UA4W3.js} +14 -14
package/chunks/{chunk-UAMOBVVW.js → chunk-LXYWINWF.js} +1 -1
package/chunks/{chunk-P4J26VDS.js → chunk-LYRSMKLS.js} +2 -2
package/chunks/{chunk-Y7R6H6FT.js → chunk-LYSND7KR.js} +9 -4
package/chunks/{chunk-LR62TEET.js → chunk-NNIYWQIS.js} +1 -1
package/chunks/chunk-OMX7CUOE.js +356 -0
package/chunks/{chunk-CNSMKPK6.js → chunk-QILTEBWS.js} +1 -1
package/chunks/chunk-QQDPRDVW.js +25 -0
package/chunks/{chunk-ZK4AMNIU.js → chunk-RON7LFNH.js} +1294 -314
package/chunks/chunk-SFRV6BGY.js +243 -0
package/chunks/{chunk-AVW55ZCO.js → chunk-WJ3SND6W.js} +37 -16
package/chunks/{chunk-HGJPQK33.js → chunk-WPTCDQN6.js} +188 -534
package/chunks/{chunk-7YKXFA3D.js → chunk-XZTNBSMW.js} +11 -11
package/chunks/{chunk-C6WMLUNB.js → chunk-Y7KMDUEP.js} +1 -1
package/chunks/{chunk-WFVXF3OM.js → chunk-Z2Z3GUXZ.js} +1 -0
package/chunks/{chunk-KC6ZMJ5X.js → chunk-ZMIBJS45.js} +1 -1
package/chunks/chunk-ZOFNJQNJ.js +607 -0
package/chunks/computer-use-4YX3JGBV.js +2052 -0
package/chunks/contextCommand-KS2H7MW5.js +53 -0
package/chunks/cron-create-CAPUKK7I.js +184 -0
package/chunks/{cron-delete-ZGUXWBTG.js → cron-delete-G3KAR26Q.js} +28 -5
package/chunks/{cron-list-QNNZGMN3.js → cron-list-ZA4ZIUS5.js} +40 -7
package/chunks/{de-YGKK2BC4.js → de-FGPM4KW5.js} +18 -1
package/chunks/{devtools-IXE4UP72.js → devtools-FM6GJPYG.js} +1 -1
package/chunks/{dist-ZMQ4TXD5.js → dist-7YWFWOCJ.js} +2 -2
package/chunks/{dist-R2SXPG74.js → dist-VEGFONCF.js} +2 -2
package/chunks/{dist-TE5QKMGR.js → dist-X4EXN7W6.js} +1 -1
package/chunks/{dist-BXDUQ2QY.js → dist-YLS6NI7H.js} +1 -1
package/chunks/{edit-6UBTS2J5.js → edit-2ARPEO4B.js} +26 -25
package/chunks/{en-HSQQNQUB.js → en-VP6XPGEC.js} +9 -2
package/chunks/{enter-worktree-NN7LIXCM.js → enter-worktree-IXNXNAW5.js} +25 -24
package/chunks/enterPlanMode-TAKAGAYP.js +159 -0
package/chunks/{exit-worktree-GGSS5KIE.js → exit-worktree-LHTRV7ML.js} +25 -24
package/chunks/exitPlanMode-MK5UAITL.js +743 -0
package/chunks/{fr-JXBKPJKQ.js → fr-ATYBVCLT.js} +18 -1
package/chunks/{geminiContentGenerator-I4H2NLJG.js → geminiContentGenerator-HFJIGO77.js} +7 -7
package/chunks/{getMachineId-bsd-F7GNPTER.js → getMachineId-bsd-4CASPIU4.js} +1 -1
package/chunks/{getMachineId-darwin-T73DJL27.js → getMachineId-darwin-HPQPEMZR.js} +1 -1
package/chunks/{getMachineId-linux-MKQTFPQM.js → getMachineId-linux-AUARKYHL.js} +1 -1
package/chunks/{getMachineId-unsupported-MUR5KOQE.js → getMachineId-unsupported-S32ZDA2T.js} +1 -1
package/chunks/{getMachineId-win-CDYFC6ZM.js → getMachineId-win-4EFLHYIJ.js} +1 -1
package/chunks/{glob-OLCX57MD.js → glob-I2USLUSC.js} +25 -24
package/chunks/{grep-7HXIMDOW.js → grep-WBIF7THR.js} +37 -30
package/chunks/{ja-TGPZSP2B.js → ja-W2QEA2OI.js} +18 -1
package/chunks/{keychain-token-storage-LB46DAEK.js → keychain-token-storage-QSTRHKKL.js} +3 -3
package/chunks/{ls-6PEZUK6O.js → ls-2R5RHLX5.js} +4 -4
package/chunks/{lsp-JZSJOVT7.js → lsp-XKH6ZIAN.js} +3 -3
package/chunks/{monitor-SQO7MVAV.js → monitor-WU7UFATU.js} +25 -24
package/chunks/{notebook-edit-72L3EBAL.js → notebook-edit-KUHYPXEM.js} +26 -25
package/chunks/{openaiContentGenerator-FTR7CDWF.js → openaiContentGenerator-5PLHYJQL.js} +15 -15
package/chunks/{pt-TIBG6BIO.js → pt-ZKEWJFBW.js} +18 -1
package/chunks/{qwenContentGenerator-U5UFQ566.js → qwenContentGenerator-TSKW73KY.js} +27 -26
package/chunks/{qwenOAuth2-EFSECGHF.js → qwenOAuth2-KK433U33.js} +6 -5
package/chunks/{read-file-UA64EEQC.js → read-file-VIPF2PS6.js} +11 -11
package/chunks/ripGrep-XLIZTYE7.js +49 -0
package/chunks/{ru-JBCHCK4L.js → ru-VEKTPJ74.js} +18 -1
package/chunks/{scheduler-VBASHOCA.js → scheduler-O66SLJGU.js} +25 -24
package/chunks/{send-message-OYJZ5TPG.js → send-message-CTME7DXD.js} +3 -3
package/chunks/{serve-A7E2OJDR.js → serve-BWOLYT62.js} +13164 -3840
package/chunks/{shell-3NFOT6F5.js → shell-XE7UYKOO.js} +25 -24
package/chunks/{skill-RA5YUREY.js → skill-RZWM6XMC.js} +64 -113
package/chunks/{src-NFCMARMT.js → src-L5P7K4MH.js} +176 -44
package/chunks/{syntheticOutput-DETQ2YM6.js → syntheticOutput-ZJGSU7OQ.js} +4 -4
package/chunks/{task-create-Y3ZKTJIG.js → task-create-EE6JEM7G.js} +8 -7
package/chunks/{task-list-ONXJ3I3A.js → task-list-EESYAC65.js} +7 -6
package/chunks/{task-stop-UHDC4N5B.js → task-stop-XZVCFFYY.js} +3 -3
package/chunks/{task-update-TCNOU3P5.js → task-update-EIO4HNE3.js} +21 -9
package/chunks/{team-create-6SR4OVRG.js → team-create-R2H7Y3SG.js} +28 -26
package/chunks/{team-delete-EJ4U4DDP.js → team-delete-A7LXPGV7.js} +9 -6
package/chunks/{todoWrite-TEYDRS5L.js → todoWrite-VRKSGAWM.js} +5 -5
package/chunks/{tool-search-OD435A3X.js → tool-search-USSQMTMS.js} +11 -11
package/chunks/{web-fetch-6W67H5PO.js → web-fetch-GHAZUA54.js} +5 -5
package/chunks/workflow-5LNNLNUR.js +1414 -0
package/chunks/{write-file-475L5OPP.js → write-file-2I7HP24C.js} +26 -25
package/chunks/{zh-VCLWO26Y.js → zh-OIXDDQHB.js} +10 -3
package/chunks/{zh-TW-G3HFHVVT.js → zh-TW-6YFNCKTA.js} +10 -3
package/cli-entry.js +19 -0
package/cli.js +11064 -6628
package/examples/starter/QWEN.md +30 -0
package/examples/starter/README.md +59 -0
package/examples/starter/agents/diary.md +86 -0
package/examples/starter/commands/writing/polish.md +13 -0
package/examples/starter/example.ts +64 -0
package/examples/starter/package.json +18 -0
package/examples/starter/qwen-extension.json +12 -0
package/examples/starter/skills/synonyms/SKILL.md +48 -0
package/examples/starter/tsconfig.json +13 -0
package/fzfWorker.js +1083 -0
package/locales/ca.js +20 -2
package/locales/de.js +21 -2
package/locales/en.js +13 -4
package/locales/fr.js +22 -2
package/locales/ja.js +22 -2
package/locales/pt.js +21 -2
package/locales/ru.js +20 -2
package/locales/zh-TW.js +11 -4
package/locales/zh.js +11 -4
package/package.json +5 -3
package/chunks/agent-headless-APVHH7QM.js +0 -50
package/chunks/chunk-AJIR24J2.js +0 -59
package/chunks/chunk-SKBPNJEW.js +0 -45
package/chunks/chunk-XBFVXFB2.js +0 -216
package/chunks/computer-use-B7VIUI7F.js +0 -825
package/chunks/contextCommand-63RZ3O5R.js +0 -52
package/chunks/cron-create-FI5LJVUS.js +0 -140
package/chunks/exitPlanMode-H323NHB2.js +0 -235
package/chunks/ripGrep-WSYCWZVK.js +0 -48
package/chunks/workflow-62DHH4EO.js +0 -708

package/chunks/{chunk-MVIVIPCU.js → chunk-IDYDPBBN.js} RENAMED Viewed

@@ -2,14 +2,17 @@
 "use strict";
 import {
   formatFetchErrorForUser
-} from "./chunk-GX7VH5JQ.js";
+} from "./chunk-FIQECJTQ.js";
+import {
+  combineAbortSignals
+} from "./chunk-64WXLC72.js";
 import {
   atomicWriteFile
-} from "./chunk-UAMOBVVW.js";
+} from "./chunk-LXYWINWF.js";
 import {
   Storage,
   createDebugLogger
-} from "./chunk-JXAZUMDW.js";
+} from "./chunk-HA2UEYZP.js";
 import {
   init_esbuild_shims
 } from "./chunk-A4BMJM77.js";
@@ -20,546 +23,294 @@ import {
 // packages/core/src/qwen/qwenOAuth2.ts
 init_esbuild_shims();
 import crypto from "crypto";
-import path3 from "node:path";
-import { promises as fs7 } from "node:fs";
-// node_modules/open/index.js
-init_esbuild_shims();
-import process7 from "node:process";
-import { Buffer } from "node:buffer";
-import path from "node:path";
-import { fileURLToPath } from "node:url";
-import { promisify as promisify5 } from "node:util";
-import childProcess from "node:child_process";
-import fs5, { constants as fsConstants2 } from "node:fs/promises";
-// node_modules/wsl-utils/index.js
-init_esbuild_shims();
-import process3 from "node:process";
-import fs4, { constants as fsConstants } from "node:fs/promises";
-// node_modules/is-wsl/index.js
-init_esbuild_shims();
-import process2 from "node:process";
-import os from "node:os";
-import fs3 from "node:fs";
+import path2 from "node:path";
+import { promises as fs2 } from "node:fs";
+import { EventEmitter } from "events";
+import { randomUUID as randomUUID2 } from "node:crypto";
-// node_modules/is-inside-container/index.js
+// packages/core/src/utils/secure-browser-launcher.ts
 init_esbuild_shims();
-import fs2 from "node:fs";
+import { execFile, spawn } from "node:child_process";
+import { promisify } from "node:util";
+import { platform } from "node:os";
+import { resolve } from "node:path";
+import { URL, fileURLToPath } from "node:url";
-// node_modules/is-docker/index.js
+// packages/core/src/utils/browser.ts
 init_esbuild_shims();
-import fs from "node:fs";
-var isDockerCached;
-function hasDockerEnv() {
-  try {
-    fs.statSync("/.dockerenv");
-    return true;
-  } catch {
-    return false;
-  }
-}
-__name(hasDockerEnv, "hasDockerEnv");
-function hasDockerCGroup() {
-  try {
-    return fs.readFileSync("/proc/self/cgroup", "utf8").includes("docker");
-  } catch {
-    return false;
-  }
-}
-__name(hasDockerCGroup, "hasDockerCGroup");
-function isDocker() {
-  if (isDockerCached === void 0) {
-    isDockerCached = hasDockerEnv() || hasDockerCGroup();
-  }
-  return isDockerCached;
+var browserBlocklist = ["www-browser"];
+function isBrowserCommandBlocked(command) {
+  const commandName = command.replace(/\\/g, "/").split("/").pop();
+  return !!commandName && browserBlocklist.includes(commandName);
 }
-__name(isDocker, "isDocker");
-// node_modules/is-inside-container/index.js
-var cachedResult;
-var hasContainerEnv = /* @__PURE__ */ __name(() => {
-  try {
-    fs2.statSync("/run/.containerenv");
-    return true;
-  } catch {
+__name(isBrowserCommandBlocked, "isBrowserCommandBlocked");
+function shouldAttemptBrowserLaunch(options = {}) {
+  const browserEnv = process.env["BROWSER"]?.trim();
+  const browserCommand = browserEnv?.match(/^\S+/)?.[0];
+  if (!options.ignoreBrowserBlocklist && process.platform !== "win32" && browserCommand && isBrowserCommandBlocked(browserCommand)) {
     return false;
   }
-}, "hasContainerEnv");
-function isInsideContainer() {
-  if (cachedResult === void 0) {
-    cachedResult = hasContainerEnv() || isDocker();
-  }
-  return cachedResult;
-}
-__name(isInsideContainer, "isInsideContainer");
-// node_modules/is-wsl/index.js
-var isWsl = /* @__PURE__ */ __name(() => {
-  if (process2.platform !== "linux") {
+  if (process.env["CI"] || process.env["DEBIAN_FRONTEND"] === "noninteractive") {
     return false;
   }
-  if (os.release().toLowerCase().includes("microsoft")) {
-    if (isInsideContainer()) {
+  const isSSH = !!process.env["SSH_CONNECTION"];
+  if (process.platform === "linux") {
+    const displayVariables = ["DISPLAY", "WAYLAND_DISPLAY", "MIR_SOCKET"];
+    const hasDisplay = displayVariables.some((v) => !!process.env[v]);
+    if (!hasDisplay) {
       return false;
     }
-    return true;
   }
-  try {
-    return fs3.readFileSync("/proc/version", "utf8").toLowerCase().includes("microsoft") ? !isInsideContainer() : false;
-  } catch {
+  if (isSSH && process.platform !== "linux") {
     return false;
   }
-}, "isWsl");
-var is_wsl_default = process2.env.__IS_WSL_TEST__ ? isWsl : isWsl();
-// node_modules/wsl-utils/index.js
-var wslDrivesMountPoint = /* @__PURE__ */ (() => {
-  const defaultMountPoint = "/mnt/";
-  let mountPoint;
-  return async function() {
-    if (mountPoint) {
-      return mountPoint;
-    }
-    const configFilePath = "/etc/wsl.conf";
-    let isConfigFileExists = false;
-    try {
-      await fs4.access(configFilePath, fsConstants.F_OK);
-      isConfigFileExists = true;
-    } catch {
-    }
-    if (!isConfigFileExists) {
-      return defaultMountPoint;
-    }
-    const configContent = await fs4.readFile(configFilePath, { encoding: "utf8" });
-    const configMountPoint = /(?<!#.*)root\s*=\s*(?<mountPoint>.*)/g.exec(configContent);
-    if (!configMountPoint) {
-      return defaultMountPoint;
-    }
-    mountPoint = configMountPoint.groups.mountPoint.trim();
-    mountPoint = mountPoint.endsWith("/") ? mountPoint : `${mountPoint}/`;
-    return mountPoint;
-  };
-})();
-var powerShellPathFromWsl = /* @__PURE__ */ __name(async () => {
-  const mountPoint = await wslDrivesMountPoint();
-  return `${mountPoint}c/Windows/System32/WindowsPowerShell/v1.0/powershell.exe`;
-}, "powerShellPathFromWsl");
-var powerShellPath = /* @__PURE__ */ __name(async () => {
-  if (is_wsl_default) {
-    return powerShellPathFromWsl();
-  }
-  return `${process3.env.SYSTEMROOT || process3.env.windir || String.raw`C:\Windows`}\\System32\\WindowsPowerShell\\v1.0\\powershell.exe`;
-}, "powerShellPath");
-// node_modules/define-lazy-prop/index.js
-init_esbuild_shims();
-function defineLazyProperty(object, propertyName, valueGetter) {
-  const define = /* @__PURE__ */ __name((value) => Object.defineProperty(object, propertyName, { value, enumerable: true, writable: true }), "define");
-  Object.defineProperty(object, propertyName, {
-    configurable: true,
-    enumerable: true,
-    get() {
-      const result = valueGetter();
-      define(result);
-      return result;
-    },
-    set(value) {
-      define(value);
-    }
-  });
-  return object;
+  return true;
 }
-__name(defineLazyProperty, "defineLazyProperty");
-// node_modules/default-browser/index.js
-init_esbuild_shims();
-import { promisify as promisify4 } from "node:util";
-import process6 from "node:process";
-import { execFile as execFile4 } from "node:child_process";
+__name(shouldAttemptBrowserLaunch, "shouldAttemptBrowserLaunch");
-// node_modules/default-browser-id/index.js
-init_esbuild_shims();
-import { promisify } from "node:util";
-import process4 from "node:process";
-import { execFile } from "node:child_process";
+// packages/core/src/utils/secure-browser-launcher.ts
 var execFileAsync = promisify(execFile);
-async function defaultBrowserId() {
-  if (process4.platform !== "darwin") {
-    throw new Error("macOS only");
+function validateUrl(url, { allowFile = false, allowedFilePaths } = {}) {
+  let parsedUrl;
+  try {
+    parsedUrl = new URL(url);
+  } catch (_error) {
+    throw new Error(`Invalid URL: ${url}`);
   }
-  const { stdout } = await execFileAsync("defaults", ["read", "com.apple.LaunchServices/com.apple.launchservices.secure", "LSHandlers"]);
-  const match = /LSHandlerRoleAll = "(?!-)(?<id>[^"]+?)";\s+?LSHandlerURLScheme = (?:http|https);/.exec(stdout);
-  return match?.groups.id ?? "com.apple.Safari";
-}
-__name(defaultBrowserId, "defaultBrowserId");
-// node_modules/bundle-name/index.js
-init_esbuild_shims();
-// node_modules/run-applescript/index.js
-init_esbuild_shims();
-import process5 from "node:process";
-import { promisify as promisify2 } from "node:util";
-import { execFile as execFile2, execFileSync } from "node:child_process";
-var execFileAsync2 = promisify2(execFile2);
-async function runAppleScript(script, { humanReadableOutput = true } = {}) {
-  if (process5.platform !== "darwin") {
-    throw new Error("macOS only");
-  }
-  const outputArguments = humanReadableOutput ? [] : ["-ss"];
-  const { stdout } = await execFileAsync2("osascript", ["-e", script, outputArguments]);
-  return stdout.trim();
-}
-__name(runAppleScript, "runAppleScript");
-// node_modules/bundle-name/index.js
-async function bundleName(bundleId) {
-  return runAppleScript(`tell application "Finder" to set app_path to application file id "${bundleId}" as string
-tell application "System Events" to get value of property list item "CFBundleName" of property list file (app_path & ":Contents:Info.plist")`);
-}
-__name(bundleName, "bundleName");
-// node_modules/default-browser/windows.js
-init_esbuild_shims();
-import { promisify as promisify3 } from "node:util";
-import { execFile as execFile3 } from "node:child_process";
-var execFileAsync3 = promisify3(execFile3);
-var windowsBrowserProgIds = {
-  AppXq0fevzme2pys62n3e0fbqa7peapykr8v: { name: "Edge", id: "com.microsoft.edge.old" },
-  MSEdgeDHTML: { name: "Edge", id: "com.microsoft.edge" },
-  // On macOS, it's "com.microsoft.edgemac"
-  MSEdgeHTM: { name: "Edge", id: "com.microsoft.edge" },
-  // Newer Edge/Win10 releases
-  "IE.HTTP": { name: "Internet Explorer", id: "com.microsoft.ie" },
-  FirefoxURL: { name: "Firefox", id: "org.mozilla.firefox" },
-  ChromeHTML: { name: "Chrome", id: "com.google.chrome" },
-  BraveHTML: { name: "Brave", id: "com.brave.Browser" },
-  BraveBHTML: { name: "Brave Beta", id: "com.brave.Browser.beta" },
-  BraveSSHTM: { name: "Brave Nightly", id: "com.brave.Browser.nightly" }
-};
-var UnknownBrowserError = class extends Error {
-  static {
-    __name(this, "UnknownBrowserError");
+  const allowedProtocols = allowFile ? ["http:", "https:", "file:"] : ["http:", "https:"];
+  if (!allowedProtocols.includes(parsedUrl.protocol)) {
+    throw new Error(
+      `Unsafe protocol: ${parsedUrl.protocol}. Only ${allowedProtocols.join(
+        ", "
+      )} are allowed.`
+    );
+  }
+  if (parsedUrl.protocol === "file:" && allowFile) {
+    if (!allowedFilePaths?.length) {
+      throw new Error("allowedFilePaths is required when allowFile is true");
+    }
+    const requestedPath = resolve(fileURLToPath(parsedUrl));
+    const allowed = allowedFilePaths.map((filePath) => resolve(filePath));
+    if (!allowed.includes(requestedPath)) {
+      throw new Error("File URL is not in the allowed file set");
+    }
+  }
+  if (/[\r\n\x00-\x1f]/.test(url)) {
+    throw new Error("URL contains invalid characters");
   }
-};
-async function defaultBrowser(_execFileAsync = execFileAsync3) {
-  const { stdout } = await _execFileAsync("reg", [
-    "QUERY",
-    " HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice",
-    "/v",
-    "ProgId"
-  ]);
-  const match = /ProgId\s*REG_SZ\s*(?<id>\S+)/.exec(stdout);
-  if (!match) {
-    throw new UnknownBrowserError(`Cannot find Windows browser in stdout: ${JSON.stringify(stdout)}`);
-  }
-  const { id } = match.groups;
-  const browser = windowsBrowserProgIds[id];
-  if (!browser) {
-    throw new UnknownBrowserError(`Unknown browser ID: ${id}`);
-  }
-  return browser;
-}
-__name(defaultBrowser, "defaultBrowser");
-// node_modules/default-browser/index.js
-var execFileAsync4 = promisify4(execFile4);
-var titleize = /* @__PURE__ */ __name((string) => string.toLowerCase().replaceAll(/(?:^|\s|-)\S/g, (x) => x.toUpperCase()), "titleize");
-async function defaultBrowser2() {
-  if (process6.platform === "darwin") {
-    const id = await defaultBrowserId();
-    const name = await bundleName(id);
-    return { name, id };
-  }
-  if (process6.platform === "linux") {
-    const { stdout } = await execFileAsync4("xdg-mime", ["query", "default", "x-scheme-handler/http"]);
-    const id = stdout.trim();
-    const name = titleize(id.replace(/.desktop$/, "").replace("-", " "));
-    return { name, id };
-  }
-  if (process6.platform === "win32") {
-    return defaultBrowser();
-  }
-  throw new Error("Only macOS, Linux, and Windows are supported");
-}
-__name(defaultBrowser2, "defaultBrowser");
-// node_modules/open/index.js
-var execFile5 = promisify5(childProcess.execFile);
-var __dirname = path.dirname(fileURLToPath(import.meta.url));
-var localXdgOpenPath = path.join(__dirname, "xdg-open");
-var { platform, arch } = process7;
-async function getWindowsDefaultBrowserFromWsl() {
-  const powershellPath = await powerShellPath();
-  const rawCommand = String.raw`(Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice").ProgId`;
-  const encodedCommand = Buffer.from(rawCommand, "utf16le").toString("base64");
-  const { stdout } = await execFile5(
-    powershellPath,
-    [
-      "-NoProfile",
-      "-NonInteractive",
-      "-ExecutionPolicy",
-      "Bypass",
-      "-EncodedCommand",
-      encodedCommand
-    ],
-    { encoding: "utf8" }
-  );
-  const progId = stdout.trim();
-  const browserMap = {
-    ChromeHTML: "com.google.chrome",
-    BraveHTML: "com.brave.Browser",
-    MSEdgeHTM: "com.microsoft.edge",
-    FirefoxURL: "org.mozilla.firefox"
-  };
-  return browserMap[progId] ? { id: browserMap[progId] } : {};
 }
-__name(getWindowsDefaultBrowserFromWsl, "getWindowsDefaultBrowserFromWsl");
-var pTryEach = /* @__PURE__ */ __name(async (array, mapper) => {
-  let latestError;
-  for (const item of array) {
+__name(validateUrl, "validateUrl");
+async function openBrowserSecurely(url, browserOptions = {}) {
+  validateUrl(url, browserOptions);
+  const platformName = platform();
+  let command;
+  let args;
+  const browserEnv = process.env["BROWSER"]?.trim();
+  const browserCommand = platformName === "win32" ? void 0 : buildBrowserCommand(browserEnv, url);
+  if (browserCommand) {
     try {
-      return await mapper(item);
-    } catch (error) {
-      latestError = error;
+      await launchDetached(browserCommand.command, browserCommand.args);
+      return;
+    } catch (_error) {
+      console.warn(
+        `Failed to open BROWSER command ${browserCommand.command}: ${formatLaunchError(
+          _error
+        )}. Falling back to the platform browser opener.`
+      );
     }
   }
-  throw latestError;
-}, "pTryEach");
-var baseOpen = /* @__PURE__ */ __name(async (options) => {
-  options = {
-    wait: false,
-    background: false,
-    newInstance: false,
-    allowNonzeroExitCode: false,
-    ...options
+  if (!shouldAttemptBrowserLaunch({ ignoreBrowserBlocklist: true })) {
+    console.warn(
+      `Browser launch is not available in this environment. Please open this URL manually: ${url}`
+    );
+    return;
+  }
+  {
+    switch (platformName) {
+      case "darwin":
+        command = "open";
+        args = [url];
+        break;
+      case "win32":
+        command = "powershell.exe";
+        args = [
+          "-NoProfile",
+          "-NonInteractive",
+          "-WindowStyle",
+          "Hidden",
+          "-Command",
+          `Start-Process '${url.replace(/'/g, "''")}'`
+        ];
+        break;
+      case "linux":
+      case "freebsd":
+      case "openbsd":
+        command = "xdg-open";
+        args = [url];
+        break;
+      default:
+        throw new Error(`Unsupported platform: ${platformName}`);
+    }
+  }
+  const execOptions = {
+    // Don't inherit parent's environment to avoid potential issues
+    env: {
+      ...process.env,
+      // Ensure we're not in a shell that might interpret special characters
+      SHELL: void 0
+    },
+    // Detach the browser process so it doesn't block
+    detached: true,
+    stdio: "ignore"
   };
-  if (Array.isArray(options.app)) {
-    return pTryEach(options.app, (singleApp) => baseOpen({
-      ...options,
-      app: singleApp
-    }));
-  }
-  let { name: app, arguments: appArguments = [] } = options.app ?? {};
-  appArguments = [...appArguments];
-  if (Array.isArray(app)) {
-    return pTryEach(app, (appName) => baseOpen({
-      ...options,
-      app: {
-        name: appName,
-        arguments: appArguments
-      }
-    }));
-  }
-  if (app === "browser" || app === "browserPrivate") {
-    const ids = {
-      "com.google.chrome": "chrome",
-      "google-chrome.desktop": "chrome",
-      "com.brave.Browser": "brave",
-      "org.mozilla.firefox": "firefox",
-      "firefox.desktop": "firefox",
-      "com.microsoft.msedge": "edge",
-      "com.microsoft.edge": "edge",
-      "com.microsoft.edgemac": "edge",
-      "microsoft-edge.desktop": "edge"
-    };
-    const flags = {
-      chrome: "--incognito",
-      brave: "--incognito",
-      firefox: "--private-window",
-      edge: "--inPrivate"
-    };
-    const browser = is_wsl_default ? await getWindowsDefaultBrowserFromWsl() : await defaultBrowser2();
-    if (browser.id in ids) {
-      const browserName = ids[browser.id];
-      if (app === "browserPrivate") {
-        appArguments.push(flags[browserName]);
-      }
-      return baseOpen({
-        ...options,
-        app: {
-          name: apps[browserName],
-          arguments: appArguments
+  try {
+    await execFileAsync(command, args, execOptions);
+  } catch (_error) {
+    if ((platformName === "linux" || platformName === "freebsd" || platformName === "openbsd") && command === "xdg-open") {
+      const fallbackCommands = [
+        { command: "gnome-open", detached: false },
+        { command: "kde-open", detached: false },
+        { command: "firefox", detached: true },
+        { command: "chromium", detached: true },
+        { command: "google-chrome", detached: true },
+        { command: "microsoft-edge", detached: true }
+      ];
+      for (const { command: fallbackCommand, detached } of fallbackCommands) {
+        try {
+          if (detached) {
+            await launchDetached(fallbackCommand, [url]);
+          } else {
+            await execFileAsync(fallbackCommand, [url], execOptions);
+          }
+          return;
+        } catch {
+          continue;
         }
-      });
+      }
     }
-    throw new Error(`${browser.name} is not supported as a default browser`);
+    console.warn(
+      `Failed to open browser automatically. Please open this URL manually: ${url}`
+    );
+    return;
   }
-  let command;
-  const cliArguments = [];
-  const childProcessOptions = {};
-  if (platform === "darwin") {
-    command = "open";
-    if (options.wait) {
-      cliArguments.push("--wait-apps");
-    }
-    if (options.background) {
-      cliArguments.push("--background");
-    }
-    if (options.newInstance) {
-      cliArguments.push("--new");
-    }
-    if (app) {
-      cliArguments.push("-a", app);
-    }
-  } else if (platform === "win32" || is_wsl_default && !isInsideContainer() && !app) {
-    command = await powerShellPath();
-    cliArguments.push(
-      "-NoProfile",
-      "-NonInteractive",
-      "-ExecutionPolicy",
-      "Bypass",
-      "-EncodedCommand"
+}
+__name(openBrowserSecurely, "openBrowserSecurely");
+async function launchDetached(command, args) {
+  const spawnOptions = {
+    env: {
+      ...process.env,
+      SHELL: void 0
+    },
+    detached: true,
+    stdio: "ignore"
+  };
+  await new Promise((resolve2, reject) => {
+    const child = spawn(command, args, spawnOptions);
+    let settled = false;
+    child.once("error", (error) => {
+      if (settled) {
+        return;
+      }
+      settled = true;
+      reject(error);
+    });
+    child.once("spawn", () => {
+      if (settled) {
+        return;
+      }
+      settled = true;
+      child.unref();
+      resolve2();
+    });
+  });
+}
+__name(launchDetached, "launchDetached");
+function formatLaunchError(error) {
+  return error instanceof Error ? error.message : String(error);
+}
+__name(formatLaunchError, "formatLaunchError");
+function buildBrowserCommand(browserEnv, url) {
+  if (!browserEnv) {
+    return void 0;
+  }
+  const browserCommand = parseBrowserCommand(browserEnv);
+  if (!browserCommand) {
+    console.warn(
+      "Invalid BROWSER environment variable, falling back to platform default."
     );
-    if (!is_wsl_default) {
-      childProcessOptions.windowsVerbatimArguments = true;
-    }
-    const encodedArguments = ["Start"];
-    if (options.wait) {
-      encodedArguments.push("-Wait");
+    return void 0;
+  }
+  if (isBrowserCommandBlocked(browserCommand.command)) {
+    return void 0;
+  }
+  let usedPlaceholder = false;
+  const args = browserCommand.args.map((arg) => {
+    if (!arg.includes("%s")) {
+      return arg;
     }
-    if (app) {
-      encodedArguments.push(`"\`"${app}\`""`);
-      if (options.target) {
-        appArguments.push(options.target);
+    usedPlaceholder = true;
+    return arg.replace(/%s/g, () => url);
+  });
+  if (!usedPlaceholder) {
+    args.push(url);
+  }
+  return { command: browserCommand.command, args };
+}
+__name(buildBrowserCommand, "buildBrowserCommand");
+function parseBrowserCommand(browserEnv) {
+  const parts = [];
+  let current = "";
+  let quote;
+  for (const char of browserEnv) {
+    if (quote) {
+      if (char === quote) {
+        quote = void 0;
+      } else {
+        current += char;
       }
-    } else if (options.target) {
-      encodedArguments.push(`"${options.target}"`);
+      continue;
     }
-    if (appArguments.length > 0) {
-      appArguments = appArguments.map((argument) => `"\`"${argument}\`""`);
-      encodedArguments.push("-ArgumentList", appArguments.join(","));
+    if (char === '"' || char === "'") {
+      quote = char;
+      continue;
     }
-    options.target = Buffer.from(encodedArguments.join(" "), "utf16le").toString("base64");
-  } else {
-    if (app) {
-      command = app;
-    } else {
-      const isBundled = !__dirname || __dirname === "/";
-      let exeLocalXdgOpen = false;
-      try {
-        await fs5.access(localXdgOpenPath, fsConstants2.X_OK);
-        exeLocalXdgOpen = true;
-      } catch {
+    if (/\s/.test(char)) {
+      if (current) {
+        parts.push(current);
+        current = "";
       }
-      const useSystemXdgOpen = process7.versions.electron ?? (platform === "android" || isBundled || !exeLocalXdgOpen);
-      command = useSystemXdgOpen ? "xdg-open" : localXdgOpenPath;
-    }
-    if (appArguments.length > 0) {
-      cliArguments.push(...appArguments);
-    }
-    if (!options.wait) {
-      childProcessOptions.stdio = "ignore";
-      childProcessOptions.detached = true;
+      continue;
     }
+    current += char;
   }
-  if (platform === "darwin" && appArguments.length > 0) {
-    cliArguments.push("--args", ...appArguments);
+  if (quote) {
+    return void 0;
   }
-  if (options.target) {
-    cliArguments.push(options.target);
+  if (current) {
+    parts.push(current);
   }
-  const subprocess = childProcess.spawn(command, cliArguments, childProcessOptions);
-  if (options.wait) {
-    return new Promise((resolve, reject) => {
-      subprocess.once("error", reject);
-      subprocess.once("close", (exitCode) => {
-        if (!options.allowNonzeroExitCode && exitCode > 0) {
-          reject(new Error(`Exited with code ${exitCode}`));
-          return;
-        }
-        resolve(subprocess);
-      });
-    });
-  }
-  subprocess.unref();
-  return subprocess;
-}, "baseOpen");
-var open = /* @__PURE__ */ __name((target, options) => {
-  if (typeof target !== "string") {
-    throw new TypeError("Expected a `target`");
-  }
-  return baseOpen({
-    ...options,
-    target
-  });
-}, "open");
-function detectArchBinary(binary) {
-  if (typeof binary === "string" || Array.isArray(binary)) {
-    return binary;
-  }
-  const { [arch]: archBinary } = binary;
-  if (!archBinary) {
-    throw new Error(`${arch} is not supported`);
+  const [command, ...args] = parts;
+  if (!command) {
+    return void 0;
   }
-  return archBinary;
+  return { command, args };
 }
-__name(detectArchBinary, "detectArchBinary");
-function detectPlatformBinary({ [platform]: platformBinary }, { wsl }) {
-  if (wsl && is_wsl_default) {
-    return detectArchBinary(wsl);
-  }
-  if (!platformBinary) {
-    throw new Error(`${platform} is not supported`);
-  }
-  return detectArchBinary(platformBinary);
+__name(parseBrowserCommand, "parseBrowserCommand");
+function shouldLaunchBrowser() {
+  return shouldAttemptBrowserLaunch();
 }
-__name(detectPlatformBinary, "detectPlatformBinary");
-var apps = {};
-defineLazyProperty(apps, "chrome", () => detectPlatformBinary({
-  darwin: "google chrome",
-  win32: "chrome",
-  linux: ["google-chrome", "google-chrome-stable", "chromium"]
-}, {
-  wsl: {
-    ia32: "/mnt/c/Program Files (x86)/Google/Chrome/Application/chrome.exe",
-    x64: ["/mnt/c/Program Files/Google/Chrome/Application/chrome.exe", "/mnt/c/Program Files (x86)/Google/Chrome/Application/chrome.exe"]
-  }
-}));
-defineLazyProperty(apps, "brave", () => detectPlatformBinary({
-  darwin: "brave browser",
-  win32: "brave",
-  linux: ["brave-browser", "brave"]
-}, {
-  wsl: {
-    ia32: "/mnt/c/Program Files (x86)/BraveSoftware/Brave-Browser/Application/brave.exe",
-    x64: ["/mnt/c/Program Files/BraveSoftware/Brave-Browser/Application/brave.exe", "/mnt/c/Program Files (x86)/BraveSoftware/Brave-Browser/Application/brave.exe"]
-  }
-}));
-defineLazyProperty(apps, "firefox", () => detectPlatformBinary({
-  darwin: "firefox",
-  win32: String.raw`C:\Program Files\Mozilla Firefox\firefox.exe`,
-  linux: "firefox"
-}, {
-  wsl: "/mnt/c/Program Files/Mozilla Firefox/firefox.exe"
-}));
-defineLazyProperty(apps, "edge", () => detectPlatformBinary({
-  darwin: "microsoft edge",
-  win32: "msedge",
-  linux: ["microsoft-edge", "microsoft-edge-dev"]
-}, {
-  wsl: "/mnt/c/Program Files (x86)/Microsoft/Edge/Application/msedge.exe"
-}));
-defineLazyProperty(apps, "browser", () => "browser");
-defineLazyProperty(apps, "browserPrivate", () => "browserPrivate");
-var open_default = open;
-// packages/core/src/qwen/qwenOAuth2.ts
-import { EventEmitter } from "events";
-import { randomUUID as randomUUID2 } from "node:crypto";
+__name(shouldLaunchBrowser, "shouldLaunchBrowser");
 // packages/core/src/qwen/sharedTokenManager.ts
 init_esbuild_shims();
-import path2 from "node:path";
-import { promises as fs6, unlinkSync } from "node:fs";
+import path from "node:path";
+import { promises as fs, unlinkSync } from "node:fs";
 import { randomUUID } from "node:crypto";
 var debugLogger = createDebugLogger("QWEN_OAUTH");
 var QWEN_CREDENTIAL_FILENAME = "oauth_creds.json";
 var QWEN_LOCK_FILENAME = "oauth_creds.lock";
 var TOKEN_REFRESH_BUFFER_MS = 30 * 1e3;
-var LOCK_TIMEOUT_MS = 1e4;
+var LOCK_TIMEOUT_MS = 35e3;
 var CACHE_CHECK_INTERVAL_MS = 5e3;
 var DEFAULT_LOCK_CONFIG = {
   maxAttempts: 20,
@@ -766,7 +517,7 @@ var SharedTokenManager = class _SharedTokenManager {
     try {
       const filePath = this.getCredentialFilePath();
       const stats = await this.withTimeout(
-        fs6.stat(filePath),
+        fs.stat(filePath),
         3e3,
         "File operation"
       );
@@ -793,7 +544,7 @@ var SharedTokenManager = class _SharedTokenManager {
   async forceFileCheck(qwenClient) {
     try {
       const filePath = this.getCredentialFilePath();
-      const stats = await fs6.stat(filePath);
+      const stats = await fs.stat(filePath);
       const fileModTime = stats.mtimeMs;
       if (fileModTime > this.memoryCache.fileModTime) {
         await this.reloadCredentialsFromFile(qwenClient);
@@ -818,7 +569,7 @@ var SharedTokenManager = class _SharedTokenManager {
   async reloadCredentialsFromFile(qwenClient) {
     try {
       const filePath = this.getCredentialFilePath();
-      const content = await fs6.readFile(filePath, "utf-8");
+      const content = await fs.readFile(filePath, "utf-8");
       const parsedData = JSON.parse(content);
       const credentials = validateCredentials(parsedData);
       const previousCredentials = this.memoryCache.credentials;
@@ -946,10 +697,10 @@ var SharedTokenManager = class _SharedTokenManager {
    */
   async saveCredentialsToFile(credentials) {
     const filePath = this.getCredentialFilePath();
-    const dirPath = path2.dirname(filePath);
+    const dirPath = path.dirname(filePath);
     try {
       await this.withTimeout(
-        fs6.mkdir(dirPath, { recursive: true, mode: 448 }),
+        fs.mkdir(dirPath, { recursive: true, mode: 448 }),
         5e3,
         "File operation"
       );
@@ -968,7 +719,7 @@ var SharedTokenManager = class _SharedTokenManager {
         noFollow: true
       });
       const stats = await this.withTimeout(
-        fs6.stat(filePath),
+        fs.stat(filePath),
         5e3,
         "File operation"
       );
@@ -999,7 +750,7 @@ var SharedTokenManager = class _SharedTokenManager {
    * @returns The absolute path to the credentials file
    */
   getCredentialFilePath() {
-    return path2.join(Storage.getGlobalQwenDir(), QWEN_CREDENTIAL_FILENAME);
+    return path.join(Storage.getGlobalQwenDir(), QWEN_CREDENTIAL_FILENAME);
   }
   /**
    * Get the full path to the lock file
@@ -1007,7 +758,7 @@ var SharedTokenManager = class _SharedTokenManager {
    * @returns The absolute path to the lock file
    */
   getLockFilePath() {
-    return path2.join(Storage.getGlobalQwenDir(), QWEN_LOCK_FILENAME);
+    return path.join(Storage.getGlobalQwenDir(), QWEN_LOCK_FILENAME);
   }
   /**
    * Acquire a file lock to prevent other processes from refreshing tokens simultaneously
@@ -1021,18 +772,18 @@ var SharedTokenManager = class _SharedTokenManager {
     let currentInterval = attemptInterval;
     for (let attempt = 0; attempt < maxAttempts; attempt++) {
       try {
-        await fs6.writeFile(lockPath, lockId, { flag: "wx" });
+        await fs.writeFile(lockPath, lockId, { flag: "wx" });
         return;
       } catch (error) {
         if (error.code === "EEXIST") {
           try {
-            const stats = await fs6.stat(lockPath);
+            const stats = await fs.stat(lockPath);
             const lockAge = Date.now() - stats.mtimeMs;
             if (lockAge > LOCK_TIMEOUT_MS) {
               const tempPath = `${lockPath}.stale.${randomUUID()}`;
               try {
-                await fs6.rename(lockPath, tempPath);
-                await fs6.unlink(tempPath);
+                await fs.rename(lockPath, tempPath);
+                await fs.unlink(tempPath);
                 debugLogger.warn(
                   `Removed stale lock file: ${lockPath} (age: ${lockAge}ms)`
                 );
@@ -1048,7 +799,7 @@ var SharedTokenManager = class _SharedTokenManager {
               `Failed to stat lock file ${lockPath}: ${statError instanceof Error ? statError.message : String(statError)}`
             );
           }
-          await new Promise((resolve) => setTimeout(resolve, currentInterval));
+          await new Promise((resolve2) => setTimeout(resolve2, currentInterval));
           currentInterval = Math.min(currentInterval * 1.5, maxInterval);
         } else {
           throw new TokenManagerError(
@@ -1071,7 +822,7 @@ var SharedTokenManager = class _SharedTokenManager {
    */
   async releaseLock(lockPath) {
     try {
-      await fs6.unlink(lockPath);
+      await fs.unlink(lockPath);
     } catch (error) {
       if (error.code !== "ENOENT") {
         debugLogger.warn(
@@ -1164,6 +915,7 @@ var QWEN_OAUTH_TOKEN_ENDPOINT = `${QWEN_OAUTH_BASE_URL}/api/v1/oauth2/token`;
 var QWEN_OAUTH_CLIENT_ID = "f0304373b74a44d2b584a3fb70ca9e56";
 var QWEN_OAUTH_SCOPE = "openid profile email model.completion";
 var QWEN_OAUTH_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code";
+var QWEN_OAUTH_REFRESH_TIMEOUT_MS = 3e4;
 var QWEN_CREDENTIAL_FILENAME2 = "oauth_creds.json";
 function generateCodeVerifier() {
   return crypto.randomBytes(32).toString("base64url");
@@ -1185,6 +937,16 @@ function objectToUrlEncoded(data) {
   return Object.keys(data).map((key) => `${encodeURIComponent(key)}=${encodeURIComponent(data[key])}`).join("&");
 }
 __name(objectToUrlEncoded, "objectToUrlEncoded");
+function createTokenRefreshNetworkError(error, timedOut) {
+  const prefix = timedOut ? "Token refresh timeout" : "Token refresh failed";
+  return new Error(
+    `${prefix}: ${formatFetchErrorForUser(error, {
+      url: QWEN_OAUTH_TOKEN_ENDPOINT
+    })}`,
+    { cause: error }
+  );
+}
+__name(createTokenRefreshNetworkError, "createTokenRefreshNetworkError");
 var CredentialsClearRequiredError = class extends Error {
   constructor(message, originalError) {
     super(message);
@@ -1362,59 +1124,78 @@ var QwenOAuth2Client = class {
       refresh_token: this.credentials.refresh_token,
       client_id: QWEN_OAUTH_CLIENT_ID
     };
-    const response = await fetch(QWEN_OAUTH_TOKEN_ENDPOINT, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/x-www-form-urlencoded",
-        Accept: "application/json"
-      },
-      body: objectToUrlEncoded(bodyData)
+    const { signal, cleanup } = combineAbortSignals([], {
+      timeoutMs: QWEN_OAUTH_REFRESH_TIMEOUT_MS
     });
-    if (!response.ok) {
-      const errorData = await response.text();
-      if (response.status === 400 || response.status === 401) {
-        await clearQwenCredentials();
-        throw new CredentialsClearRequiredError(
-          "Refresh token expired or invalid. Please use '/auth' to re-authenticate.",
-          { status: response.status, response: errorData }
+    debugLogger2.debug("Refreshing access token...");
+    try {
+      let response;
+      try {
+        response = await fetch(QWEN_OAUTH_TOKEN_ENDPOINT, {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/x-www-form-urlencoded",
+            Accept: "application/json"
+          },
+          body: objectToUrlEncoded(bodyData),
+          signal
+        });
+      } catch (error) {
+        throw createTokenRefreshNetworkError(error, signal.aborted);
+      }
+      if (!response.ok) {
+        let errorData;
+        try {
+          errorData = await response.text();
+        } catch (error) {
+          throw createTokenRefreshNetworkError(error, signal.aborted);
+        }
+        if (response.status === 400 || response.status === 401) {
+          await clearQwenCredentials();
+          throw new CredentialsClearRequiredError(
+            "Refresh token expired or invalid. Please use '/auth' to re-authenticate.",
+            { status: response.status, response: errorData }
+          );
+        }
+        throw new Error(
+          `Token refresh failed: ${response.status} ${response.statusText}. Response: ${errorData}`
         );
       }
-      throw new Error(
-        `Token refresh failed: ${response.status} ${response.statusText}. Response: ${errorData}`
-      );
-    }
-    let responseText;
-    try {
-      responseText = await response.text();
-    } catch {
-      responseText = "";
-    }
-    let responseData;
-    try {
-      responseData = JSON.parse(responseText);
-    } catch {
-      throw new Error(
-        `Qwen OAuth refresh returned invalid JSON: ${responseText || "(empty response body)"}`
-      );
-    }
-    if (isErrorResponse(responseData)) {
-      const errorData = responseData;
-      throw new Error(
-        `Token refresh failed: ${errorData?.error || "Unknown error"} - ${errorData?.error_description || "No details provided"}`
-      );
+      let responseText;
+      try {
+        responseText = await response.text();
+      } catch (error) {
+        throw createTokenRefreshNetworkError(error, signal.aborted);
+      }
+      let responseData;
+      try {
+        responseData = JSON.parse(responseText);
+      } catch {
+        throw new Error(
+          `Qwen OAuth refresh returned invalid JSON: ${responseText || "(empty response body)"}`
+        );
+      }
+      if (isErrorResponse(responseData)) {
+        const errorData = responseData;
+        throw new Error(
+          `Token refresh failed: ${errorData?.error || "Unknown error"} - ${errorData?.error_description || "No details provided"}`
+        );
+      }
+      const tokenData = responseData;
+      const tokens = {
+        access_token: tokenData.access_token,
+        token_type: tokenData.token_type,
+        // Use new refresh token if provided, otherwise preserve existing one
+        refresh_token: tokenData.refresh_token || this.credentials.refresh_token,
+        resource_url: tokenData.resource_url,
+        // Include resource_url if provided
+        expiry_date: Date.now() + tokenData.expires_in * 1e3
+      };
+      this.setCredentials(tokens);
+      return responseData;
+    } finally {
+      cleanup();
     }
-    const tokenData = responseData;
-    const tokens = {
-      access_token: tokenData.access_token,
-      token_type: tokenData.token_type,
-      // Use new refresh token if provided, otherwise preserve existing one
-      refresh_token: tokenData.refresh_token || this.credentials.refresh_token,
-      resource_url: tokenData.resource_url,
-      // Include resource_url if provided
-      expiry_date: Date.now() + tokenData.expires_in * 1e3
-    };
-    this.setCredentials(tokens);
-    return responseData;
   }
 };
 var QwenOAuth2Event = /* @__PURE__ */ ((QwenOAuth2Event2) => {
@@ -1572,19 +1353,8 @@ async function authWithQwenDeviceFlow(client, config) {
     qwenOAuth2Events.emit("auth-progress" /* AuthProgress */, status, message);
   }, "emitAuthProgress");
   const launchBrowser = /* @__PURE__ */ __name(async (url) => {
-    let childProcess2;
     try {
-      childProcess2 = await open_default(url);
-      if (childProcess2 && typeof childProcess2.on === "function") {
-        childProcess2.on("error", (err) => {
-          debugLogger2.warn(`Browser launch process error: ${err.message}`);
-          debugLogger2.info(`Please open this URL manually: ${url}`);
-        });
-      } else {
-        debugLogger2.debug(
-          "open() did not return a valid child process object."
-        );
-      }
+      await openBrowserSecurely(url);
     } catch (err) {
       const errorMessage = err instanceof Error ? err.message : String(err);
       debugLogger2.warn(`Failed to open browser automatically: ${errorMessage}`);
@@ -1664,19 +1434,19 @@ Server requested to slow down, increasing poll interval to ${pollInterval}ms'`
             "polling",
             `Polling... (attempt ${attempt + 1}/${maxAttempts})`
           );
-          await new Promise((resolve) => {
+          await new Promise((resolve2) => {
             const checkInterval = 100;
             let elapsedTime = 0;
             const intervalId = setInterval(() => {
               elapsedTime += checkInterval;
               if (isCancelled) {
                 clearInterval(intervalId);
-                resolve();
+                resolve2();
                 return;
               }
               if (elapsedTime >= pollInterval) {
                 clearInterval(intervalId);
-                resolve();
+                resolve2();
                 return;
               }
             }, checkInterval);
@@ -1722,7 +1492,7 @@ Server requested to slow down, increasing poll interval to ${pollInterval}ms'`
         }
         const message = `Error polling for token: ${errorMessage}`;
         emitAuthProgress("error", message);
-        await new Promise((resolve) => setTimeout(resolve, pollInterval));
+        await new Promise((resolve2) => setTimeout(resolve2, pollInterval));
       }
     }
     const timeoutMessage = "Authorization timeout, please restart the process.";
@@ -1744,16 +1514,16 @@ var QWEN_CREDENTIAL_FILE_MODE = 384;
 async function cacheQwenCredentials(credentials, opts) {
   const filePath = getQwenCachedCredentialPath();
   try {
-    await fs7.mkdir(path3.dirname(filePath), { recursive: true });
+    await fs2.mkdir(path2.dirname(filePath), { recursive: true });
     const credString = JSON.stringify(credentials, null, 2);
     const tempPath = `${filePath}.tmp.${process.pid}.${randomUUID2()}`;
     try {
-      await fs7.writeFile(tempPath, credString, {
+      await fs2.writeFile(tempPath, credString, {
         mode: QWEN_CREDENTIAL_FILE_MODE,
         ...opts?.signal ? { signal: opts.signal } : {}
       });
       try {
-        await fs7.chmod(tempPath, QWEN_CREDENTIAL_FILE_MODE);
+        await fs2.chmod(tempPath, QWEN_CREDENTIAL_FILE_MODE);
       } catch (chmodErr) {
         if (process.platform !== "win32") {
           throw new Error(
@@ -1764,10 +1534,10 @@ async function cacheQwenCredentials(credentials, opts) {
           `cacheQwenCredentials: chmod 0o${QWEN_CREDENTIAL_FILE_MODE.toString(8)} on Windows temp file ${tempPath} failed; relying on NTFS ACL: ${chmodErr instanceof Error ? chmodErr.message : String(chmodErr)}`
         );
       }
-      await fs7.rename(tempPath, filePath);
+      await fs2.rename(tempPath, filePath);
     } catch (writeErr) {
       try {
-        await fs7.unlink(tempPath);
+        await fs2.unlink(tempPath);
       } catch {
       }
       throw writeErr;
@@ -1788,7 +1558,7 @@ async function cacheQwenCredentials(credentials, opts) {
       );
     }
     throw new Error(
-      `Failed to cache credentials: error when creating folder \`${path3.dirname(filePath)}\` and writing to \`${filePath}\`. ${errorMessage}. Please check permissions.`
+      `Failed to cache credentials: error when creating folder \`${path2.dirname(filePath)}\` and writing to \`${filePath}\`. ${errorMessage}. Please check permissions.`
     );
   }
 }
@@ -1796,7 +1566,7 @@ __name(cacheQwenCredentials, "cacheQwenCredentials");
 async function clearQwenCredentials() {
   try {
     const filePath = getQwenCachedCredentialPath();
-    await fs7.unlink(filePath);
+    await fs2.unlink(filePath);
     debugLogger2.debug("Cached Qwen credentials cleared successfully.");
   } catch (error) {
     if (error instanceof Error && "code" in error && error.code === "ENOENT") {
@@ -1815,13 +1585,16 @@ async function clearQwenCredentials() {
 }
 __name(clearQwenCredentials, "clearQwenCredentials");
 function getQwenCachedCredentialPath() {
-  return path3.join(Storage.getGlobalQwenDir(), QWEN_CREDENTIAL_FILENAME2);
+  return path2.join(Storage.getGlobalQwenDir(), QWEN_CREDENTIAL_FILENAME2);
 }
 __name(getQwenCachedCredentialPath, "getQwenCachedCredentialPath");
 var clearCachedCredentialFile = clearQwenCredentials;
 export {
-  open_default,
+  isBrowserCommandBlocked,
+  shouldAttemptBrowserLaunch,
+  openBrowserSecurely,
+  shouldLaunchBrowser,
   SharedTokenManager,
   generateCodeVerifier,
   generateCodeChallenge,
@@ -1841,6 +1614,11 @@ export {
   clearQwenCredentials,
   clearCachedCredentialFile
 };
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
 /**
  * @license
  * Copyright 2025 Qwen