@smithers-orchestrator/agents 0.16.9 → 0.18.0

package/src/KimiAgent.js

@@ -1,9 +1,190 @@
-import { mkdtempSync, cpSync, existsSync, rmSync } from "node:fs";
+import { mkdtempSync, cpSync, existsSync, readFileSync, writeFileSync, readdirSync, rmSync, renameSync } from "node:fs";
 import { randomUUID } from "node:crypto";
 import { join } from "node:path";
 import { tmpdir, homedir } from "node:os";
 import { BaseCliAgent, pushFlag, pushList, isRecord, asString, toolKindFromName, createSyntheticIdGenerator, } from "./BaseCliAgent/index.js";
 import { normalizeCapabilityStringList, } from "./capability-registry/index.js";
+import { SmithersError } from "@smithers-orchestrator/errors/SmithersError";
+
+/**
+ * The kimi CLI's OAuth refresh endpoint, mirroring the Python implementation
+ * in `kimi_cli.auth.oauth.refresh_token`. Honour the same env-var override
+ * the CLI uses (KIMI_OAUTH_HOST) so test/staging overrides keep working.
+ */
+function kimiOAuthHost() {
+    return process.env.KIMI_OAUTH_HOST?.replace(/\/+$/, "") || "https://auth.kimi.com";
+}
+
+/**
+ * Process-level dedup map: if multiple parallel KimiAgent invocations land in
+ * the refresh path concurrently, share one in-flight Promise so we issue a
+ * single POST instead of racing (kimi rotates refresh tokens — only one
+ * refresh wins, the other gets invalid_grant and would be wrongly classified
+ * as expired).
+ *
+ * @type {Map<string, Promise<void>>}
+ */
+const inflightRefreshes = new Map();
+
+async function refreshKimiTokenIfNeeded(credsDir, fileName) {
+    const path = join(credsDir, fileName);
+    /** @type {{access_token?: string, refresh_token?: string, expires_at?: number, token_type?: string, scope?: string} | null} */
+    let data = null;
+    try {
+        data = JSON.parse(readFileSync(path, "utf8"));
+    }
+    catch {
+        return { ok: false, reason: "unreadable", expiredAt: null };
+    }
+    if (!data || typeof data.expires_at !== "number") {
+        // Not an OAuth file — leave alone, kimi will handle.
+        return { ok: true, refreshed: false };
+    }
+    // Refresh proactively a bit before expiry to avoid races (matches the
+    // CLI's _refresh_threshold behaviour, simplified to a fixed 60s window).
+    const nowSec = Date.now() / 1000;
+    if (data.expires_at - 60 > nowSec) {
+        return { ok: true, refreshed: false };
+    }
+    if (typeof data.refresh_token !== "string" || data.refresh_token.length === 0) {
+        return { ok: false, reason: "no-refresh-token", expiredAt: new Date(data.expires_at * 1000).toISOString() };
+    }
+    // Dedupe concurrent refreshes per-credential-file within this process.
+    const flightKey = path;
+    const inflight = inflightRefreshes.get(flightKey);
+    if (inflight) {
+        try {
+            await inflight;
+            return { ok: true, refreshed: true, deduped: true };
+        }
+        catch (err) {
+            return { ok: false, reason: err?.message ?? "refresh-failed", expiredAt: new Date(data.expires_at * 1000).toISOString() };
+        }
+    }
+    const refresher = (async () => {
+        const tokenUrl = `${kimiOAuthHost()}/api/oauth/token`;
+        // client_id matches kimi_cli.auth.oauth.KIMI_CODE_CLIENT_ID. Without it the
+        // /api/oauth/token endpoint returns 400 invalid_request.
+        const body = new URLSearchParams({
+            client_id: "17e5f671-d194-4dfb-9706-5516cb48c098",
+            grant_type: "refresh_token",
+            refresh_token: data.refresh_token,
+        });
+        // Mirror kimi-cli's `_common_headers()` so the auth service treats this
+        // refresh as coming from a legitimate kimi-cli install. Some of these
+        // (notably X-Msh-Device-Id) appear to gate refresh acceptance.
+        const headers = {
+            "Content-Type": "application/x-www-form-urlencoded",
+            "X-Msh-Platform": "kimi_cli",
+            "X-Msh-Version": "1.37.0",
+            "X-Msh-Device-Name": "smithers-orchestrator",
+            "X-Msh-Device-Model": "smithers-orchestrator",
+            "X-Msh-Os-Version": process.platform,
+        };
+        try {
+            const deviceIdPath = join(credsDir, "..", "device_id");
+            if (existsSync(deviceIdPath)) {
+                const deviceId = readFileSync(deviceIdPath, "utf8").trim();
+                if (deviceId)
+                    headers["X-Msh-Device-Id"] = deviceId;
+            }
+        }
+        catch { /* device-id is optional */ }
+        const resp = await fetch(tokenUrl, {
+            method: "POST",
+            headers,
+            body,
+        });
+        if (!resp.ok) {
+            const text = await resp.text().catch(() => "");
+            const tag = resp.status === 401 ? "invalid_grant" : `http-${resp.status}`;
+            throw new Error(`kimi oauth refresh failed (${tag}): ${text.slice(0, 200)}`);
+        }
+        /** @type {any} */
+        const fresh = await resp.json();
+        if (typeof fresh?.access_token !== "string") {
+            throw new Error("kimi oauth refresh: missing access_token in response");
+        }
+        const expiresIn = typeof fresh.expires_in === "number"
+            ? fresh.expires_in
+            : 3600;
+        const merged = {
+            ...data,
+            access_token: fresh.access_token,
+            refresh_token: typeof fresh.refresh_token === "string" ? fresh.refresh_token : data.refresh_token,
+            token_type: typeof fresh.token_type === "string" ? fresh.token_type : data.token_type,
+            scope: typeof fresh.scope === "string" ? fresh.scope : data.scope,
+            expires_in: expiresIn,
+            expires_at: Math.floor(Date.now() / 1000) + expiresIn,
+        };
+        // Write atomically so kimi-cli reading concurrently never sees a torn file.
+        const tmp = `${path}.tmp-${process.pid}-${Date.now()}`;
+        writeFileSync(tmp, JSON.stringify(merged, null, 2), { mode: 0o600 });
+        renameSync(tmp, path);
+    })();
+    inflightRefreshes.set(flightKey, refresher);
+    try {
+        await refresher;
+        return { ok: true, refreshed: true };
+    }
+    catch (err) {
+        return { ok: false, reason: err?.message ?? "refresh-failed", expiredAt: new Date(data.expires_at * 1000).toISOString() };
+    }
+    finally {
+        inflightRefreshes.delete(flightKey);
+    }
+}
+
+/**
+ * Inspect the kimi CLI's on-disk OAuth credentials and, if any are expired,
+ * attempt a non-interactive refresh against `${KIMI_OAUTH_HOST or
+ * https://auth.kimi.com}/api/oauth/token` using the stored refresh_token.
+ * Only if refresh fails do we surface a clear, non-retryable
+ * AGENT_CONFIG_INVALID error.
+ *
+ * @param {string} shareDir
+ * @param {string} agentId
+ * @param {string} agentModel
+ */
+async function ensureKimiCredentialsUsable(shareDir, agentId, agentModel) {
+    const credsDir = join(shareDir, "credentials");
+    if (!existsSync(credsDir))
+        return; // No creds dir → kimi will print "LLM not set" which the BaseCliAgent classifier handles.
+    let entries;
+    try {
+        entries = readdirSync(credsDir);
+    }
+    catch {
+        return;
+    }
+    const tokenFiles = entries.filter((n) => n.endsWith(".json"));
+    if (tokenFiles.length === 0)
+        return;
+    let lastFailure = null;
+    let anyUsable = false;
+    for (const name of tokenFiles) {
+        const result = await refreshKimiTokenIfNeeded(credsDir, name);
+        if (result.ok) {
+            anyUsable = true;
+        }
+        else {
+            lastFailure = result;
+        }
+    }
+    if (!anyUsable && lastFailure) {
+        const reason = lastFailure.reason === "no-refresh-token"
+            ? `OAuth token expired at ${lastFailure.expiredAt} and no refresh_token is stored`
+            : `OAuth token expired at ${lastFailure.expiredAt}; auto-refresh failed: ${lastFailure.reason}`;
+        throw new SmithersError("AGENT_CONFIG_INVALID", `${reason}. Run \`kimi login\` to re-authenticate, then resume the run. (agent="${agentId}", model="${agentModel}", credentials="${credsDir}")`, {
+            failureRetryable: false,
+            agentId,
+            agentEngine: "kimi",
+            agentModel,
+            command: "kimi",
+            underlying: reason,
+        });
+    }
+}
 /** @typedef {import("./BaseCliAgent/BaseCliAgentOptions.ts").BaseCliAgentOptions} BaseCliAgentOptions */
 /** @typedef {import("./capability-registry/AgentCapabilityRegistry.ts").AgentCapabilityRegistry} AgentCapabilityRegistry */
 /** @typedef {import("./BaseCliAgent/CliOutputInterpreter.ts").CliOutputInterpreter} CliOutputInterpreter */
@@ -165,13 +346,18 @@ export class KimiAgent extends BaseCliAgent {
         let cleanup;
         // Isolate kimi metadata per invocation to avoid concurrent writes to
         // ~/.kimi/kimi.json across parallel tasks. If caller explicitly provides
-        // KIMI_SHARE_DIR in opts.env, preserve that override.
-        if (!this.opts.env?.KIMI_SHARE_DIR) {
-            const defaultShareDir = process.env.KIMI_SHARE_DIR ?? join(homedir(), ".kimi");
+        // configDir or KIMI_SHARE_DIR in opts.env, preserve that override.
+        const explicitShareDir = this.opts.configDir ?? this.opts.env?.KIMI_SHARE_DIR;
+        const sourceShareDir = explicitShareDir ?? process.env.KIMI_SHARE_DIR ?? join(homedir(), ".kimi");
+        // Refresh expired OAuth credentials in place using the stored refresh_token,
+        // and only fail fast (non-retryable) if the refresh itself fails. This avoids
+        // forcing the user to run `kimi login` every time their access_token rotates.
+        await ensureKimiCredentialsUsable(sourceShareDir, this.id ?? "<anonymous>", this.opts.model ?? this.model ?? "<unset>");
+        if (!explicitShareDir) {
             const isolatedShareDir = mkdtempSync(join(tmpdir(), "kimi-share-"));
-            if (existsSync(defaultShareDir)) {
+            if (existsSync(sourceShareDir)) {
                 for (const name of ["config.toml", "credentials", "device_id", "latest_version.txt"]) {
-                    const src = join(defaultShareDir, name);
+                    const src = join(sourceShareDir, name);
                     if (existsSync(src)) {
                         try {
                             cpSync(src, join(isolatedShareDir, name), { recursive: true });
@@ -187,6 +373,11 @@ export class KimiAgent extends BaseCliAgent {
                 rmSync(isolatedShareDir, { recursive: true, force: true });
             };
         }
+        else if (this.opts.configDir) {
+            // configDir takes precedence over any env-var inheritance: spawn the
+            // CLI with KIMI_SHARE_DIR pointing at the user-specified path.
+            commandEnv = { KIMI_SHARE_DIR: this.opts.configDir };
+        }
         // Print mode is required for non-interactive execution
         // Note: --print implicitly adds --yolo
         args.push("--print");
@@ -253,6 +444,20 @@ export class KimiAgent extends BaseCliAgent {
                 /^Interrupted by user$/i,
                 /^Unknown error:/i,
                 /^Error:/i,
+                // Auth failures kimi prints when OAuth/api-key is invalid or expired.
+                // BaseCliAgent's classifyNonRetryableAgentError treats these as
+                // non-retryable so the run does not waste turns on a 401 loop.
+                /Error code:\s*401\b[^\n]*/i,
+                /\binvalid_authentication_error\b/i,
+                /API\s*Key\s+appears to be invalid or may have expired/i,
+            ],
+            // The kimi CLI emits "To resume this session: kimi -r <id>" to stderr
+            // on every non-zero exit (it's a hint for interactive users, not the
+            // actual error). Strip it so the real underlying error surfaces — and
+            // when it's the only stderr content, our runner will fall back to a
+            // useful "exited with code N" message that the engine can retry.
+            benignStderrPatterns: [
+                /^\s*To resume this session: kimi -r [0-9a-f-]+\s*$/gim,
             ],
             errorOnBannerOnly: true,
         };

package/src/KimiAgentOptions.ts

@@ -18,4 +18,12 @@ export type KimiAgentOptions = BaseCliAgentOptions & {
   maxRalphIterations?: number;
   verbose?: boolean;
   debug?: boolean;
+  /**
+   * Path to an isolated Kimi share directory. Sets `KIMI_SHARE_DIR` on the
+   * spawned process so this invocation reads/writes credentials at
+   * `<configDir>/credentials` (instead of the user's default `~/.kimi/`).
+   * Equivalent to passing `env: { KIMI_SHARE_DIR: <path> }` but uniform with
+   * the other agents' `configDir` option.
+   */
+  configDir?: string;
 };

package/src/OpenAIAgent.js

@@ -1,8 +1,9 @@
 import { openai } from "@ai-sdk/openai";
-import { ToolLoopAgent, } from "ai";
+import { Output, ToolLoopAgent, } from "ai";
 import { resolveSdkModel } from "./resolveSdkModel.js";
 import { streamResultToGenerateResult } from "./streamResultToGenerateResult.js";
 /** @typedef {import("ai").AgentCallParameters} AgentCallParameters */
+/** @typedef {import("./BaseCliAgent/AgentGenerateOptions.ts").AgentGenerateOptions} AgentGenerateOptions */
 
 /**
  * @template CALL_OPTIONS, TOOLS
@@ -16,6 +17,7 @@ import { streamResultToGenerateResult } from "./streamResultToGenerateResult.js"
 
 export class OpenAIAgent extends ToolLoopAgent {
     hijackEngine = "openai-sdk";
+    supportsNativeStructuredOutput = true;
     /**
    * @param {OpenAIAgentOptions<CALL_OPTIONS, TOOLS>} opts
    */
@@ -27,18 +29,22 @@ export class OpenAIAgent extends ToolLoopAgent {
         });
     }
     /**
-   * @param {ExtendedGenerateArgs<CALL_OPTIONS, TOOLS>} args
+   * @param {AgentGenerateOptions} [args]
    * @returns {Promise<GenerateTextResult<TOOLS, never>>}
    */
-    generate(args) {
+    generate(args = {}) {
         const promptArgs = "messages" in args
             ? { messages: args.messages }
             : { prompt: args.prompt };
+        const outputArgs = args.outputSchema
+            ? { output: Output.object({ schema: args.outputSchema }) }
+            : {};
         if (!args.onStdout) {
             return super.generate({
                 options: args.options,
                 abortSignal: args.abortSignal,
                 ...promptArgs,
+                ...outputArgs,
                 timeout: args.timeout,
                 onStepFinish: args.onStepFinish,
             });
@@ -47,6 +53,7 @@ export class OpenAIAgent extends ToolLoopAgent {
             options: args.options,
             abortSignal: args.abortSignal,
             ...promptArgs,
+            ...outputArgs,
             timeout: args.timeout,
             onStepFinish: args.onStepFinish,
         }).then((stream) => streamResultToGenerateResult(stream, args.onStdout));