@vybestack/llxprt-code-auth 0.10.0-nightly.260613.1adad3b34

package/dist/src/flows/anthropic-device-flow.js

@@ -0,0 +1,231 @@
+/**
+ * Anthropic OAuth 2.0 Device Flow Implementation
+ *
+ * Implements OAuth 2.0 device authorization grant flow for Anthropic Claude API.
+ * Based on the OAuth 2.0 Device Authorization Grant specification (RFC 8628).
+ */
+import { createHash, randomBytes } from 'crypto';
+import { URL } from 'node:url';
+/**
+ * Anthropic-specific OAuth 2.0 device flow implementation.
+ * Handles authentication for Claude API access.
+ */
+export class AnthropicDeviceFlow {
+    config;
+    codeVerifier;
+    _codeChallenge;
+    state;
+    redirectUri;
+    revokeToken;
+    constructor(config) {
+        const defaultConfig = {
+            clientId: '9d1c250a-e61b-44d9-88ed-5944d1962f5e', // Anthropic's public OAuth client ID
+            authorizationEndpoint: 'https://claude.ai/oauth/authorize', // Use claude.ai like OpenCode's "max" mode
+            tokenEndpoint: 'https://console.anthropic.com/v1/oauth/token',
+            scopes: ['org:create_api_key', 'user:profile', 'user:inference'],
+        };
+        this.config = { ...defaultConfig, ...config };
+        this.redirectUri = 'https://console.anthropic.com/oauth/code/callback';
+    }
+    /**
+     * Generates PKCE code verifier and challenge using S256 method
+     */
+    generatePKCE() {
+        // Generate a random code verifier (43-128 characters)
+        const _verifier = randomBytes(32).toString('base64url');
+        this.codeVerifier = _verifier;
+        // Generate code challenge using S256 (SHA256 hash)
+        const challenge = createHash('sha256')
+            .update(_verifier)
+            .digest('base64url');
+        this._codeChallenge = challenge;
+        // Store challenge for potential future use
+        void this._codeChallenge;
+        return { verifier: _verifier, challenge };
+    }
+    /**
+     * Initiates the OAuth flow by constructing the authorization URL.
+     * Since Anthropic doesn't have a device flow, we simulate it with authorization code flow.
+     */
+    async initiateDeviceFlow(redirectUri) {
+        // Generate PKCE parameters
+        const { verifier, challenge } = this.generatePKCE();
+        // Use verifier as state like OpenCode does
+        this.state = verifier; // Store for later use in token exchange
+        this.redirectUri =
+            redirectUri ?? 'https://console.anthropic.com/oauth/code/callback';
+        // Build authorization URL with PKCE parameters
+        const params = new URLSearchParams({
+            code: 'true',
+            client_id: this.config.clientId,
+            response_type: 'code',
+            redirect_uri: this.redirectUri,
+            scope: this.config.scopes.join(' '),
+            code_challenge: challenge,
+            code_challenge_method: 'S256',
+            state: verifier, // Use verifier as state like OpenCode
+        });
+        const authUrl = `${this.config.authorizationEndpoint}?${params.toString()}`;
+        // Return a simulated device code response with the authorization URL
+        // The user will need to manually visit this URL and authorize
+        return {
+            device_code: verifier, // Use verifier as a tracking ID
+            user_code: 'ANTHROPIC', // Display code for user
+            verification_uri: 'https://console.anthropic.com/oauth/authorize',
+            verification_uri_complete: authUrl,
+            expires_in: 1800, // 30 minutes
+            interval: 5, // 5 seconds polling interval
+        };
+    }
+    /**
+     * Exchange authorization code for access token (PKCE flow)
+     */
+    async exchangeCodeForToken(authCodeWithState) {
+        if (!this.codeVerifier) {
+            throw new Error('No PKCE code verifier found - OAuth flow not initialized');
+        }
+        // OpenCode splits the code and state - format: code#state
+        const splits = authCodeWithState.split('#');
+        const authCode = splits[0];
+        const stateFromResponse = splits[1] || this.state; // Use state from response if available
+        // OpenCode sends JSON, not form-encoded!
+        const requestBody = {
+            grant_type: 'authorization_code',
+            code: authCode,
+            state: stateFromResponse, // Include state in the request
+            client_id: this.config.clientId,
+            redirect_uri: this.redirectUri,
+            code_verifier: this.codeVerifier,
+        };
+        const response = await fetch(this.config.tokenEndpoint, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json', // JSON, not form-encoded!
+            },
+            body: JSON.stringify(requestBody), // Send as JSON
+        });
+        if (!response.ok) {
+            const error = await response.text();
+            throw new Error(`Failed to exchange authorization code: ${error}`);
+        }
+        const data = (await response.json());
+        return this.mapTokenResponse(data);
+    }
+    getState() {
+        if (!this.state) {
+            throw new Error('OAuth flow not initialized');
+        }
+        return this.state;
+    }
+    buildAuthorizationUrl(redirectUri) {
+        if (!this._codeChallenge || !this.state) {
+            throw new Error('OAuth flow not initialized');
+        }
+        const redirect = new URL(redirectUri);
+        if (redirect.hostname !== '127.0.0.1' &&
+            redirect.hostname !== 'localhost') {
+            throw new Error('Only localhost redirect URIs are supported for Anthropic OAuth');
+        }
+        this.redirectUri = redirectUri;
+        const params = new URLSearchParams({
+            code: 'true',
+            client_id: this.config.clientId,
+            response_type: 'code',
+            redirect_uri: redirectUri,
+            scope: this.config.scopes.join(' '),
+            code_challenge: this._codeChallenge,
+            code_challenge_method: 'S256',
+            state: this.state,
+        });
+        return `${this.config.authorizationEndpoint}?${params.toString()}`;
+    }
+    /**
+     * Polls for the access token after user authorization.
+     */
+    async pollForToken(deviceCode) {
+        const startTime = Date.now();
+        const expiresIn = 1800 * 1000; // 30 minutes in milliseconds
+        const interval = 5000; // 5 seconds default polling interval
+        while (Date.now() - startTime < expiresIn) {
+            try {
+                const response = await fetch(this.config.tokenEndpoint, {
+                    method: 'POST',
+                    headers: {
+                        'Content-Type': 'application/x-www-form-urlencoded',
+                    },
+                    body: new URLSearchParams({
+                        grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+                        device_code: deviceCode,
+                        client_id: this.config.clientId,
+                    }),
+                });
+                if (response.ok) {
+                    const data = (await response.json());
+                    return this.mapTokenResponse(data);
+                }
+                const error = (await response.json());
+                // Handle polling errors
+                let sleepMs = interval;
+                if (error.error === 'authorization_pending') {
+                    // Continue polling
+                }
+                else if (error.error === 'slow_down') {
+                    sleepMs = interval * 2;
+                }
+                else {
+                    // Handle other errors
+                    throw new Error(`Token polling failed: ${error.error_description ?? error.error}`);
+                }
+                await new Promise((resolve) => setTimeout(resolve, sleepMs));
+            }
+            catch (error) {
+                if (error instanceof Error &&
+                    error.message.includes('Token polling failed')) {
+                    throw error;
+                }
+                // Network errors - continue polling
+                await new Promise((resolve) => setTimeout(resolve, interval));
+            }
+        }
+        throw new Error('Authorization timeout - user did not complete authentication');
+    }
+    /**
+     * Refreshes an expired access token using a refresh token.
+     */
+    async refreshToken(refreshToken) {
+        const response = await fetch(this.config.tokenEndpoint, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+            },
+            body: new URLSearchParams({
+                grant_type: 'refresh_token',
+                refresh_token: refreshToken,
+                client_id: this.config.clientId,
+            }),
+        });
+        if (!response.ok) {
+            const error = await response.text();
+            throw new Error(`Failed to refresh Anthropic token: ${error}`);
+        }
+        const data = (await response.json());
+        return this.mapTokenResponse(data);
+    }
+    /**
+     * Maps Anthropic's token response to our standard OAuthToken format.
+     */
+    mapTokenResponse(data) {
+        const expiresIn = data.expires_in;
+        const expiresInSeconds = typeof expiresIn === 'number' && !isNaN(expiresIn) && expiresIn > 0
+            ? expiresIn
+            : 3600;
+        return {
+            access_token: data.access_token,
+            expiry: Math.floor(Date.now() / 1000) + expiresInSeconds,
+            refresh_token: data.refresh_token,
+            scope: data.scope,
+            token_type: 'Bearer',
+        };
+    }
+}
+//# sourceMappingURL=anthropic-device-flow.js.map

package/dist/src/flows/anthropic-device-flow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"anthropic-device-flow.js","sourceRoot":"","sources":["../../../src/flows/anthropic-device-flow.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACjD,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAC;AAY/B;;;GAGG;AACH,MAAM,OAAO,mBAAmB;IACtB,MAAM,CAAsB;IAC5B,YAAY,CAAU;IACtB,cAAc,CAAU;IACxB,KAAK,CAAU;IACf,WAAW,CAAS;IAC5B,WAAW,CAAoC;IAE/C,YAAY,MAAqC;QAC/C,MAAM,aAAa,GAAwB;YACzC,QAAQ,EAAE,sCAAsC,EAAE,qCAAqC;YACvF,qBAAqB,EAAE,mCAAmC,EAAE,2CAA2C;YACvG,aAAa,EAAE,8CAA8C;YAC7D,MAAM,EAAE,CAAC,oBAAoB,EAAE,cAAc,EAAE,gBAAgB,CAAC;SACjE,CAAC;QAEF,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,aAAa,EAAE,GAAG,MAAM,EAAE,CAAC;QAC9C,IAAI,CAAC,WAAW,GAAG,mDAAmD,CAAC;IACzE,CAAC;IAED;;OAEG;IACK,YAAY;QAClB,sDAAsD;QACtD,MAAM,SAAS,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACxD,IAAI,CAAC,YAAY,GAAG,SAAS,CAAC;QAE9B,mDAAmD;QACnD,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC;aACnC,MAAM,CAAC,SAAS,CAAC;aACjB,MAAM,CAAC,WAAW,CAAC,CAAC;QACvB,IAAI,CAAC,cAAc,GAAG,SAAS,CAAC;QAEhC,2CAA2C;QAC3C,KAAK,IAAI,CAAC,cAAc,CAAC;QAEzB,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;IAC5C,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,kBAAkB,CAAC,WAAoB;QAC3C,2BAA2B;QAC3B,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QAEpD,2CAA2C;QAC3C,IAAI,CAAC,KAAK,GAAG,QAAQ,CAAC,CAAC,wCAAwC;QAC/D,IAAI,CAAC,WAAW;YACd,WAAW,IAAI,mDAAmD,CAAC;QAErE,+CAA+C;QAC/C,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,IAAI,EAAE,MAAM;YACZ,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC/B,aAAa,EAAE,MAAM;YACrB,YAAY,EAAE,IAAI,CAAC,WAAW;YAC9B,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;YACnC,cAAc,EAAE,SAAS;YACzB,qBAAqB,EAAE,MAAM;YAC7B,KAAK,EAAE,QAAQ,EAAE,sCAAsC;SACxD,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,qBAAqB,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;QAE5E,qEAAqE;QACrE,8DAA8D;QAC9D,OAAO;YACL,WAAW,EAAE,QAAQ,EAAE,gCAAgC;YACvD,SAAS,EAAE,WAAW,EAAE,wBAAwB;YAChD,gBAAgB,EAAE,+CAA+C;YACjE,yBAAyB,EAAE,OAAO;YAClC,UAAU,EAAE,IAAI,EAAE,aAAa;YAC/B,QAAQ,EAAE,CAAC,EAAE,6BAA6B;SAC3C,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,oBAAoB,CAAC,iBAAyB;QAClD,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CACb,0DAA0D,CAC3D,CAAC;QACJ,CAAC;QAED,0DAA0D;QAC1D,MAAM,MAAM,GAAG,iBAAiB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC5C,MAAM,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QAC3B,MAAM,iBAAiB,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,uCAAuC;QAE1F,yCAAyC;QACzC,MAAM,WAAW,GAAG;YAClB,UAAU,EAAE,oBAAoB;YAChC,IAAI,EAAE,QAAQ;YACd,KAAK,EAAE,iBAAiB,EAAE,+BAA+B;YACzD,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC/B,YAAY,EAAE,IAAI,CAAC,WAAW;YAC9B,aAAa,EAAE,IAAI,CAAC,YAAY;SACjC,CAAC;QAEF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE;YACtD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB,EAAE,0BAA0B;aAC/D;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,EAAE,eAAe;SACnD,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,0CAA0C,KAAK,EAAE,CAAC,CAAC;QACrE,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAC;QAChE,OAAO,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;IACrC,CAAC;IAED,QAAQ;QACN,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAChD,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAED,qBAAqB,CAAC,WAAmB;QACvC,IAAI,CAAC,IAAI,CAAC,cAAc,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YACxC,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAChD,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;QACtC,IACE,QAAQ,CAAC,QAAQ,KAAK,WAAW;YACjC,QAAQ,CAAC,QAAQ,KAAK,WAAW,EACjC,CAAC;YACD,MAAM,IAAI,KAAK,CACb,gEAAgE,CACjE,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,IAAI,EAAE,MAAM;YACZ,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC/B,aAAa,EAAE,MAAM;YACrB,YAAY,EAAE,WAAW;YACzB,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;YACnC,cAAc,EAAE,IAAI,CAAC,cAAc;YACnC,qBAAqB,EAAE,MAAM;YAC7B,KAAK,EAAE,IAAI,CAAC,KAAK;SAClB,CAAC,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,qBAAqB,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;IACrE,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CAAC,UAAkB;QACnC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,MAAM,SAAS,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,6BAA6B;QAC5D,MAAM,QAAQ,GAAG,IAAI,CAAC,CAAC,qCAAqC;QAE5D,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,SAAS,EAAE,CAAC;YAC1C,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE;oBACtD,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE;wBACP,cAAc,EAAE,mCAAmC;qBACpD;oBACD,IAAI,EAAE,IAAI,eAAe,CAAC;wBACxB,UAAU,EAAE,8CAA8C;wBAC1D,WAAW,EAAE,UAAU;wBACvB,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;qBAChC,CAAC;iBACH,CAAC,CAAC;gBAEH,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;oBAChB,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAC;oBAChE,OAAO,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;gBACrC,CAAC;gBAED,MAAM,KAAK,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAC;gBAEjE,wBAAwB;gBACxB,IAAI,OAAO,GAAG,QAAQ,CAAC;gBACvB,IAAI,KAAK,CAAC,KAAK,KAAK,uBAAuB,EAAE,CAAC;oBAC5C,mBAAmB;gBACrB,CAAC;qBAAM,IAAI,KAAK,CAAC,KAAK,KAAK,WAAW,EAAE,CAAC;oBACvC,OAAO,GAAG,QAAQ,GAAG,CAAC,CAAC;gBACzB,CAAC;qBAAM,CAAC;oBACN,sBAAsB;oBACtB,MAAM,IAAI,KAAK,CACb,yBAAyB,KAAK,CAAC,iBAAiB,IAAI,KAAK,CAAC,KAAK,EAAE,CAClE,CAAC;gBACJ,CAAC;gBACD,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;YAC/D,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IACE,KAAK,YAAY,KAAK;oBACtB,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAC,EAC9C,CAAC;oBACD,MAAM,KAAK,CAAC;gBACd,CAAC;gBACD,oCAAoC;gBACpC,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;YAChE,CAAC;QACH,CAAC;QAED,MAAM,IAAI,KAAK,CACb,8DAA8D,CAC/D,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CAAC,YAAoB;QACrC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE;YACtD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;aACpD;YACD,IAAI,EAAE,IAAI,eAAe,CAAC;gBACxB,UAAU,EAAE,eAAe;gBAC3B,aAAa,EAAE,YAAY;gBAC3B,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;aAChC,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,sCAAsC,KAAK,EAAE,CAAC,CAAC;QACjE,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAC;QAChE,OAAO,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;IACrC,CAAC;IAED;;OAEG;IACK,gBAAgB,CAAC,IAA6B;QACpD,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;QAClC,MAAM,gBAAgB,GACpB,OAAO,SAAS,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,IAAI,SAAS,GAAG,CAAC;YACjE,CAAC,CAAC,SAAS;YACX,CAAC,CAAC,IAAI,CAAC;QACX,OAAO;YACL,YAAY,EAAE,IAAI,CAAC,YAAsB;YACzC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,gBAAgB;YACxD,aAAa,EAAE,IAAI,CAAC,aAAmC;YACvD,KAAK,EAAE,IAAI,CAAC,KAA2B;YACvC,UAAU,EAAE,QAAQ;SACrB,CAAC;IACJ,CAAC;CACF"}

package/dist/src/flows/codex-device-flow.d.ts

@@ -0,0 +1,114 @@
+/**
+ * @license
+ * Copyright 2025 Vybestack LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import type { IDebugLogger } from '../interfaces/debug-logger.js';
+import { type CodexOAuthToken } from '../types.js';
+/**
+ * Codex-specific OAuth configuration
+ * Exported for reuse by CLI and other consumers to ensure single source of truth
+ */
+export declare const CODEX_CONFIG: {
+    readonly clientId: "app_EMoamEEZ73f0CkXaXp7hrann";
+    readonly issuer: "https://auth.openai.com";
+    readonly tokenEndpoint: "https://auth.openai.com/oauth/token";
+    readonly authorizationEndpoint: "https://auth.openai.com/oauth/authorize";
+    readonly deviceAuthUserCodeEndpoint: "https://auth.openai.com/api/accounts/deviceauth/usercode";
+    readonly deviceAuthTokenEndpoint: "https://auth.openai.com/api/accounts/deviceauth/token";
+    readonly deviceAuthCallbackUri: "https://auth.openai.com/deviceauth/callback";
+    readonly scopes: readonly ["openid", "profile", "email", "offline_access"];
+    readonly originator: "codex_cli_rs";
+};
+/**
+ * Codex OAuth PKCE flow implementation
+ * Implements OAuth 2.0 Authorization Code flow with PKCE for Codex authentication
+ */
+export declare class CodexDeviceFlow {
+    private logger;
+    private codeVerifiers;
+    private static readonly NO_OP_LOGGER;
+    constructor(options?: {
+        logger?: IDebugLogger;
+    });
+    /**
+     * Build authorization URL for browser-based OAuth flow
+     * @param redirectUri Callback URL for OAuth redirect
+     * @param state Random state parameter for CSRF protection
+     * @returns Authorization URL to open in browser
+     */
+    buildAuthorizationUrl(redirectUri: string, state: string): string;
+    /**
+     * Exchange authorization code for OAuth tokens
+     * @param authCode Authorization code from OAuth callback
+     * @param redirectUri Callback URL (must match the one used in authorization request)
+     * @param state State parameter from OAuth callback
+     * @returns Validated CodexOAuthToken with account_id
+     * @throws Error if code verifier not found for state or token exchange fails
+     */
+    exchangeCodeForToken(authCode: string, redirectUri: string, state: string): Promise<CodexOAuthToken>;
+    /**
+     * POST to the token endpoint and return a validated CodexTokenResponse.
+     * @throws Error if the HTTP request fails or the response is not OK
+     */
+    private performTokenExchange;
+    /**
+     * Validate token response, extract account_id, and build a CodexOAuthToken.
+     * @throws Error if id_token is missing or account_id cannot be extracted
+     */
+    private buildCodexToken;
+    /**
+     * Refresh an expired access token using refresh token
+     * @param refreshToken Valid refresh token
+     * @returns New CodexOAuthToken with updated expiry
+     * @throws Error if refresh fails or id_token missing
+     */
+    refreshToken(refreshToken: string): Promise<CodexOAuthToken>;
+    /**
+     * Extract account_id from id_token JWT without external libraries
+     * JWT format: header.payload.signature (base64url encoded)
+     * @param idToken JWT id_token from OAuth response
+     * @returns account_id extracted from JWT claims
+     * @throws Error if JWT format invalid or account_id not found
+     */
+    private extractAccountIdFromIdToken;
+    /**
+     * Helper to throw error when id_token is missing
+     * @throws Error indicating id_token required
+     */
+    private throwMissingAccountId;
+    /**
+     * Request a user code for device authorization flow (browserless authentication)
+     * @returns Device code response with user_code and device_auth_id
+     */
+    requestDeviceCode(): Promise<{
+        device_auth_id: string;
+        user_code: string;
+        interval: number;
+    }>;
+    /**
+     * Poll for token using device authorization
+     * @param deviceAuthId Device authorization ID
+     * @param userCode User code from device flow
+     * @param intervalSeconds Polling interval in seconds
+     * @returns Authorization code and PKCE codes for token exchange
+     */
+    pollForDeviceToken(deviceAuthId: string, userCode: string, intervalSeconds?: number): Promise<{
+        authorization_code: string;
+        code_verifier: string;
+        code_challenge: string;
+    }>;
+    /**
+     * Complete device authorization flow by exchanging authorization code for tokens
+     * @param authorizationCode Authorization code from polling response
+     * @param codeVerifier PKCE code verifier from polling response
+     * @param redirectUri OAuth redirect URI
+     * @returns Complete OAuth token with access_token, refresh_token, etc.
+     */
+    completeDeviceAuth(authorizationCode: string, codeVerifier: string, redirectUri: string): Promise<CodexOAuthToken>;
+    /**
+     * Generate PKCE code verifier and challenge
+     * @returns Object containing verifier and challenge strings
+     */
+    private generatePKCE;
+}