@vybestack/llxprt-code-auth 0.10.0-nightly.260613.1adad3b34

package/dist/src/flows/qwen-device-flow.js

@@ -0,0 +1,183 @@
+/**
+ * @license
+ * Copyright 2025 Vybestack LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { randomBytes, createHash } from 'crypto';
+import { DeviceCodeResponseSchema, TokenResponseSchema, } from '../types.js';
+/**
+ * Qwen OAuth device flow implementation
+ */
+export class QwenDeviceFlow {
+    config;
+    pkceVerifier = '';
+    constructor(config) {
+        this.config = config;
+    }
+    /**
+     * Initiates the device authorization flow
+     * @returns Promise resolving to device code response
+     */
+    async initiateDeviceFlow() {
+        // Generate PKCE parameters
+        const pkce = this.generatePKCE();
+        this.pkceVerifier = pkce.verifier;
+        // Prepare request parameters
+        const params = new URLSearchParams({
+            client_id: this.config.clientId,
+            code_challenge: pkce.challenge,
+            code_challenge_method: 'S256',
+        });
+        // Only add scope if it's not empty
+        if (this.config.scopes.length > 0) {
+            params.append('scope', this.config.scopes.join(' '));
+        }
+        // Make HTTP request
+        const response = await fetch(this.config.authorizationEndpoint, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+                Accept: 'application/json',
+            },
+            body: params.toString(),
+        });
+        if (!response.ok) {
+            throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+        }
+        const data = await response.json();
+        // Validate response with Zod schema
+        const validatedResponse = DeviceCodeResponseSchema.parse(data);
+        return validatedResponse;
+    }
+    /**
+     * Polls the authorization server for an access token
+     * @param deviceCode Device code from initiation response
+     * @returns Promise resolving to OAuth token
+     */
+    async pollForToken(deviceCode) {
+        const maxDuration = 15 * 60 * 1000; // 15 minutes in milliseconds
+        const startTime = Date.now();
+        let interval = 5000; // Start with 5 seconds
+        while (Date.now() - startTime < maxDuration) {
+            const params = new URLSearchParams({
+                grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+                device_code: deviceCode,
+                client_id: this.config.clientId,
+                code_verifier: this.pkceVerifier,
+            });
+            try {
+                const response = await fetch(this.config.tokenEndpoint, {
+                    method: 'POST',
+                    headers: {
+                        'Content-Type': 'application/x-www-form-urlencoded',
+                        Accept: 'application/json',
+                    },
+                    body: params.toString(),
+                });
+                if (response.ok) {
+                    const data = await response.json();
+                    // Validate response with Zod schema
+                    const validatedResponse = TokenResponseSchema.parse(data);
+                    // Calculate expiry timestamp
+                    const now = Math.floor(Date.now() / 1000);
+                    const expiresIn = validatedResponse.expires_in === undefined ||
+                        validatedResponse.expires_in === 0
+                        ? 3600
+                        : validatedResponse.expires_in; // Default to 1 hour if not provided
+                    const expiry = now + expiresIn;
+                    return {
+                        access_token: validatedResponse.access_token,
+                        token_type: 'Bearer',
+                        expiry,
+                        refresh_token: validatedResponse.refresh_token,
+                        scope: validatedResponse.scope ?? undefined, // Convert null to undefined
+                        resource_url: validatedResponse.resource_url, // Include the API endpoint from Qwen
+                    };
+                }
+                // Handle error responses
+                const errorData = (await response.json());
+                if (errorData.error === 'access_denied') {
+                    throw new Error('access_denied');
+                }
+                else if (errorData.error === 'expired_token') {
+                    throw new Error('expired_token');
+                }
+                else if (errorData.error === 'slow_down') {
+                    // Increase polling interval by 5 seconds and continue
+                    interval += 5000;
+                }
+                else if (errorData.error !== 'authorization_pending') {
+                    throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+                }
+                // Continue polling - wait for the interval before next attempt
+                await new Promise((resolve) => setTimeout(resolve, interval));
+            }
+            catch (error) {
+                // For network errors, apply exponential backoff
+                if (error instanceof Error && error.message.includes('fetch failed')) {
+                    interval = Math.min(interval * 1.5, 60000); // Max 60 seconds
+                    await new Promise((resolve) => setTimeout(resolve, interval));
+                    continue;
+                }
+                // Re-throw other errors (like access_denied, expired_token)
+                throw error;
+            }
+        }
+        // If we reach here, we've exceeded the maximum polling duration
+        throw new Error('Polling timeout exceeded');
+    }
+    /**
+     * Refreshes an expired access token
+     * @param refreshToken Valid refresh token
+     * @returns Promise resolving to new OAuth token
+     */
+    async refreshToken(refreshToken) {
+        const params = new URLSearchParams({
+            grant_type: 'refresh_token',
+            refresh_token: refreshToken,
+            client_id: this.config.clientId,
+        });
+        const response = await fetch(this.config.tokenEndpoint, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+                Accept: 'application/json',
+            },
+            body: params.toString(),
+        });
+        if (!response.ok) {
+            throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+        }
+        const data = await response.json();
+        // Validate response with Zod schema
+        const validatedResponse = TokenResponseSchema.parse(data);
+        // Calculate expiry timestamp with 30-second buffer
+        const now = Math.floor(Date.now() / 1000);
+        const expiresIn = validatedResponse.expires_in === undefined ||
+            validatedResponse.expires_in === 0
+            ? 3600
+            : validatedResponse.expires_in; // Default to 1 hour if not provided
+        const expiry = now + expiresIn - 30; // 30-second buffer
+        return {
+            access_token: validatedResponse.access_token,
+            token_type: 'Bearer',
+            expiry,
+            // eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing -- intentional falsy coalescing: empty string refresh_token means "not provided"
+            refresh_token: validatedResponse.refresh_token || refreshToken,
+            scope: validatedResponse.scope ?? undefined, // Convert null to undefined
+            resource_url: validatedResponse.resource_url, // Include the API endpoint from Qwen
+        };
+    }
+    /**
+     * Generates PKCE code verifier and challenge
+     * @returns Object containing verifier and challenge strings
+     */
+    generatePKCE() {
+        // Generate 32 random bytes for verifier
+        const verifier = randomBytes(32).toString('base64url');
+        // Create SHA-256 hash of verifier for challenge
+        const challenge = createHash('sha256').update(verifier).digest('base64url');
+        return { verifier, challenge };
+    }
+}
+//# sourceMappingURL=qwen-device-flow.js.map

package/dist/src/flows/qwen-device-flow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"qwen-device-flow.js","sourceRoot":"","sources":["../../../src/flows/qwen-device-flow.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACjD,OAAO,EAGL,wBAAwB,EACxB,mBAAmB,GACpB,MAAM,aAAa,CAAC;AAYrB;;GAEG;AACH,MAAM,OAAO,cAAc;IACjB,MAAM,CAAmB;IACzB,YAAY,GAAW,EAAE,CAAC;IAElC,YAAY,MAAwB;QAClC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,kBAAkB;QACtB,2BAA2B;QAC3B,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QACjC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC;QAElC,6BAA6B;QAC7B,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC/B,cAAc,EAAE,IAAI,CAAC,SAAS;YAC9B,qBAAqB,EAAE,MAAM;SAC9B,CAAC,CAAC;QAEH,mCAAmC;QACnC,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClC,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QACvD,CAAC;QAED,oBAAoB;QACpB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,qBAAqB,EAAE;YAC9D,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;gBACnD,MAAM,EAAE,kBAAkB;aAC3B;YACD,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;SACxB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,QAAQ,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QACrE,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEnC,oCAAoC;QACpC,MAAM,iBAAiB,GAAG,wBAAwB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC/D,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,YAAY,CAAC,UAAkB;QACnC,MAAM,WAAW,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,6BAA6B;QACjE,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,IAAI,QAAQ,GAAG,IAAI,CAAC,CAAC,uBAAuB;QAE5C,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,WAAW,EAAE,CAAC;YAC5C,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;gBACjC,UAAU,EAAE,8CAA8C;gBAC1D,WAAW,EAAE,UAAU;gBACvB,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAC/B,aAAa,EAAE,IAAI,CAAC,YAAY;aACjC,CAAC,CAAC;YAEH,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE;oBACtD,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE;wBACP,cAAc,EAAE,mCAAmC;wBACnD,MAAM,EAAE,kBAAkB;qBAC3B;oBACD,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;iBACxB,CAAC,CAAC;gBAEH,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;oBAChB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;oBAEnC,oCAAoC;oBACpC,MAAM,iBAAiB,GAAG,mBAAmB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBAE1D,6BAA6B;oBAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;oBAC1C,MAAM,SAAS,GACb,iBAAiB,CAAC,UAAU,KAAK,SAAS;wBAC1C,iBAAiB,CAAC,UAAU,KAAK,CAAC;wBAChC,CAAC,CAAC,IAAI;wBACN,CAAC,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC,oCAAoC;oBACxE,MAAM,MAAM,GAAG,GAAG,GAAG,SAAS,CAAC;oBAE/B,OAAO;wBACL,YAAY,EAAE,iBAAiB,CAAC,YAAY;wBAC5C,UAAU,EAAE,QAAQ;wBACpB,MAAM;wBACN,aAAa,EAAE,iBAAiB,CAAC,aAAa;wBAC9C,KAAK,EAAE,iBAAiB,CAAC,KAAK,IAAI,SAAS,EAAE,4BAA4B;wBACzE,YAAY,EAAE,iBAAiB,CAAC,YAAY,EAAE,qCAAqC;qBACpF,CAAC;gBACJ,CAAC;gBAED,yBAAyB;gBACzB,MAAM,SAAS,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAC;gBAErE,IAAI,SAAS,CAAC,KAAK,KAAK,eAAe,EAAE,CAAC;oBACxC,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;gBACnC,CAAC;qBAAM,IAAI,SAAS,CAAC,KAAK,KAAK,eAAe,EAAE,CAAC;oBAC/C,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;gBACnC,CAAC;qBAAM,IAAI,SAAS,CAAC,KAAK,KAAK,WAAW,EAAE,CAAC;oBAC3C,sDAAsD;oBACtD,QAAQ,IAAI,IAAI,CAAC;gBACnB,CAAC;qBAAM,IAAI,SAAS,CAAC,KAAK,KAAK,uBAAuB,EAAE,CAAC;oBACvD,MAAM,IAAI,KAAK,CAAC,QAAQ,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;gBACrE,CAAC;gBAED,+DAA+D;gBAC/D,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;YAChE,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,gDAAgD;gBAChD,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;oBACrE,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,GAAG,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC,iBAAiB;oBAC7D,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;oBAC9D,SAAS;gBACX,CAAC;gBAED,4DAA4D;gBAC5D,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC;QAED,gEAAgE;QAChE,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;IAC9C,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,YAAY,CAAC,YAAoB;QACrC,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,UAAU,EAAE,eAAe;YAC3B,aAAa,EAAE,YAAY;YAC3B,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;SAChC,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE;YACtD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;gBACnD,MAAM,EAAE,kBAAkB;aAC3B;YACD,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;SACxB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,QAAQ,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QACrE,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEnC,oCAAoC;QACpC,MAAM,iBAAiB,GAAG,mBAAmB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAE1D,mDAAmD;QACnD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,SAAS,GACb,iBAAiB,CAAC,UAAU,KAAK,SAAS;YAC1C,iBAAiB,CAAC,UAAU,KAAK,CAAC;YAChC,CAAC,CAAC,IAAI;YACN,CAAC,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC,oCAAoC;QACxE,MAAM,MAAM,GAAG,GAAG,GAAG,SAAS,GAAG,EAAE,CAAC,CAAC,mBAAmB;QAExD,OAAO;YACL,YAAY,EAAE,iBAAiB,CAAC,YAAY;YAC5C,UAAU,EAAE,QAAQ;YACpB,MAAM;YACN,yJAAyJ;YACzJ,aAAa,EAAE,iBAAiB,CAAC,aAAa,IAAI,YAAY;YAC9D,KAAK,EAAE,iBAAiB,CAAC,KAAK,IAAI,SAAS,EAAE,4BAA4B;YACzE,YAAY,EAAE,iBAAiB,CAAC,YAAY,EAAE,qCAAqC;SACpF,CAAC;IACJ,CAAC;IAED;;;OAGG;IACK,YAAY;QAClB,wCAAwC;QACxC,MAAM,QAAQ,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAEvD,gDAAgD;QAChD,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAE5E,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;IACjC,CAAC;CACF"}

package/dist/src/index.d.ts

@@ -0,0 +1,34 @@
+/**
+ * @plan:PLAN-20260608-ISSUE1586.P03
+ * @plan:PLAN-20260608-ISSUE1586.P09
+ * @requirement:REQ-AUTH-001.2, REQ-AUTH-001.3, REQ-API-001.4
+ */
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+export type * from './interfaces/index.js';
+export type { OAuthToken, CodexOAuthToken, AuthStatus, BucketStats, DeviceCodeResponse, } from './types.js';
+export { OAuthTokenSchema, CodexOAuthTokenSchema, AuthStatusSchema, BucketStatsSchema, DeviceCodeResponseSchema, } from './types.js';
+export type { TokenStore } from './token-store.js';
+export { KeyringTokenStore } from './keyring-token-store.js';
+export { OAuthError, OAuthErrorFactory, OAuthErrorCategory, OAuthErrorType, RetryHandler, GracefulErrorHandler, } from './oauth-errors.js';
+export type { RetryConfig } from './oauth-errors.js';
+export { mergeRefreshedToken } from './token-merge.js';
+export type { OAuthTokenWithExtras } from './token-merge.js';
+export { sanitizeTokenForProxy } from './token-sanitization.js';
+export type { SanitizedOAuthToken } from './token-sanitization.js';
+export { AuthPrecedenceResolver } from './auth-precedence-resolver.js';
+export { flushRuntimeAuthScope, resolveProfileId, buildCacheKey, ensureRuntimeState, recordCacheHit, recordCacheMiss, getValidCachedEntry, registerSettingsSubscriptions, invalidateMatchingEntries, storeRuntimeScopedToken, invalidateEntry, runtimeScopedStates, } from './precedence.js';
+export type { AuthPrecedenceConfig, OAuthManager, OAuthTokenRequestMetadata, RuntimeAuthScopeFlushResult, RuntimeAuthScopeCacheEntrySummary, RuntimeScopedAuthEntry, RuntimeScopedState, } from './precedence.js';
+export { AnthropicDeviceFlow } from './flows/anthropic-device-flow.js';
+export { CodexDeviceFlow, CODEX_CONFIG } from './flows/codex-device-flow.js';
+export { QwenDeviceFlow } from './flows/qwen-device-flow.js';
+export type { DeviceFlowConfig } from './flows/qwen-device-flow.js';
+export { encodeFrame, FrameDecoder, FrameError, MAX_FRAME_SIZE, PARTIAL_FRAME_TIMEOUT_MS, } from './proxy/framing.js';
+export type { FrameDecoderOptions } from './proxy/framing.js';
+export { ProxySocketClient, REQUEST_TIMEOUT_MS, IDLE_TIMEOUT_MS, PROTOCOL_VERSION, } from './proxy/proxy-socket-client.js';
+export type { ProxyResponse } from './proxy/proxy-socket-client.js';
+export { ProxyTokenStore } from './proxy/proxy-token-store.js';
+export { ProxyProviderKeyStorage } from './proxy/proxy-provider-key-storage.js';

package/dist/src/index.js

@@ -0,0 +1,26 @@
+/**
+ * @plan:PLAN-20260608-ISSUE1586.P03
+ * @plan:PLAN-20260608-ISSUE1586.P09
+ * @requirement:REQ-AUTH-001.2, REQ-AUTH-001.3, REQ-API-001.4
+ */
+export { OAuthTokenSchema, CodexOAuthTokenSchema, AuthStatusSchema, BucketStatsSchema, DeviceCodeResponseSchema, } from './types.js';
+// ─── Keyring Token Store ─────────────────────────────────────────────────────
+export { KeyringTokenStore } from './keyring-token-store.js';
+// ─── OAuth Errors ────────────────────────────────────────────────────────────
+export { OAuthError, OAuthErrorFactory, OAuthErrorCategory, OAuthErrorType, RetryHandler, GracefulErrorHandler, } from './oauth-errors.js';
+// ─── Token Utilities ─────────────────────────────────────────────────────────
+export { mergeRefreshedToken } from './token-merge.js';
+export { sanitizeTokenForProxy } from './token-sanitization.js';
+// ─── Precedence / Auth Resolution ────────────────────────────────────────────
+export { AuthPrecedenceResolver } from './auth-precedence-resolver.js';
+export { flushRuntimeAuthScope, resolveProfileId, buildCacheKey, ensureRuntimeState, recordCacheHit, recordCacheMiss, getValidCachedEntry, registerSettingsSubscriptions, invalidateMatchingEntries, storeRuntimeScopedToken, invalidateEntry, runtimeScopedStates, } from './precedence.js';
+// ─── Device Flows ────────────────────────────────────────────────────────────
+export { AnthropicDeviceFlow } from './flows/anthropic-device-flow.js';
+export { CodexDeviceFlow, CODEX_CONFIG } from './flows/codex-device-flow.js';
+export { QwenDeviceFlow } from './flows/qwen-device-flow.js';
+// ─── Proxy Infrastructure ────────────────────────────────────────────────────
+export { encodeFrame, FrameDecoder, FrameError, MAX_FRAME_SIZE, PARTIAL_FRAME_TIMEOUT_MS, } from './proxy/framing.js';
+export { ProxySocketClient, REQUEST_TIMEOUT_MS, IDLE_TIMEOUT_MS, PROTOCOL_VERSION, } from './proxy/proxy-socket-client.js';
+export { ProxyTokenStore } from './proxy/proxy-token-store.js';
+export { ProxyProviderKeyStorage } from './proxy/proxy-provider-key-storage.js';
+//# sourceMappingURL=index.js.map

package/dist/src/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAsBH,OAAO,EACL,gBAAgB,EAChB,qBAAqB,EACrB,gBAAgB,EAChB,iBAAiB,EACjB,wBAAwB,GACzB,MAAM,YAAY,CAAC;AAKpB,gFAAgF;AAChF,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAE7D,gFAAgF;AAChF,OAAO,EACL,UAAU,EACV,iBAAiB,EACjB,kBAAkB,EAClB,cAAc,EACd,YAAY,EACZ,oBAAoB,GACrB,MAAM,mBAAmB,CAAC;AAG3B,gFAAgF;AAChF,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAGvD,OAAO,EAAE,qBAAqB,EAAE,MAAM,yBAAyB,CAAC;AAGhE,gFAAgF;AAChF,OAAO,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAC;AAEvE,OAAO,EACL,qBAAqB,EACrB,gBAAgB,EAChB,aAAa,EACb,kBAAkB,EAClB,cAAc,EACd,eAAe,EACf,mBAAmB,EACnB,6BAA6B,EAC7B,yBAAyB,EACzB,uBAAuB,EACvB,eAAe,EACf,mBAAmB,GACpB,MAAM,iBAAiB,CAAC;AAYzB,gFAAgF;AAChF,OAAO,EAAE,mBAAmB,EAAE,MAAM,kCAAkC,CAAC;AACvE,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AAC7E,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAG7D,gFAAgF;AAChF,OAAO,EACL,WAAW,EACX,YAAY,EACZ,UAAU,EACV,cAAc,EACd,wBAAwB,GACzB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,eAAe,EACf,gBAAgB,GACjB,MAAM,gCAAgC,CAAC;AAGxC,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAC/D,OAAO,EAAE,uBAAuB,EAAE,MAAM,uCAAuC,CAAC"}

package/dist/src/interfaces/debug-logger.d.ts

@@ -0,0 +1,31 @@
+/**
+ * @plan:PLAN-20260608-ISSUE1586.P06
+ * @requirement:REQ-INTF-001.4
+ */
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+/**
+ * Interface for debug/error/warn logging, replacing direct DebugLogger imports.
+ *
+ * The method shape is derived from P00a preflight grep of actual logger usages
+ * in auth-relevant files (auth-precedence-resolver.ts, precedence.ts,
+ * keyring-token-store.ts, codex-device-flow.ts). Core's DebugLogger structurally
+ * satisfies this interface.
+ *
+ * The module-level debugLogger singleton (from ../utils/debugLogger.js) and
+ * DebugLogger class constructor (from ../debug/index.js) are core factory
+ * concerns — auth receives an IDebugLogger instance via DI injection, not
+ * the factory.
+ *
+ * @plan:PLAN-20260608-ISSUE1586.P06
+ * @requirement:REQ-INTF-001.4
+ */
+export interface IDebugLogger {
+    debug(...args: unknown[]): void;
+    error(...args: unknown[]): void;
+    warn(...args: unknown[]): void;
+    log(...args: unknown[]): void;
+}

package/dist/src/interfaces/debug-logger.js

@@ -0,0 +1,6 @@
+/**
+ * @plan:PLAN-20260608-ISSUE1586.P06
+ * @requirement:REQ-INTF-001.4
+ */
+export {};
+//# sourceMappingURL=debug-logger.js.map

package/dist/src/interfaces/debug-logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"debug-logger.js","sourceRoot":"","sources":["../../../src/interfaces/debug-logger.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/dist/src/interfaces/index.d.ts

@@ -0,0 +1,18 @@
+/**
+ * @plan:PLAN-20260608-ISSUE1586.P06
+ * @requirement:REQ-INTF-001.1
+ * @requirement:REQ-INTF-001.2
+ * @requirement:REQ-INTF-001.3
+ * @requirement:REQ-INTF-001.4
+ * @requirement:REQ-INTF-001.5
+ */
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+export type { ISecureStore, ISecureStoreError, SecureStoreErrorCode, } from './secure-store.js';
+export type { ISettingsService } from './settings-service.js';
+export type { IProviderKeyStorage } from './provider-key-storage.js';
+export type { IDebugLogger } from './debug-logger.js';
+export type { IProviderRuntimeContext, GetActiveRuntimeContext, } from './runtime-context.js';

package/dist/src/interfaces/index.js

@@ -0,0 +1,10 @@
+/**
+ * @plan:PLAN-20260608-ISSUE1586.P06
+ * @requirement:REQ-INTF-001.1
+ * @requirement:REQ-INTF-001.2
+ * @requirement:REQ-INTF-001.3
+ * @requirement:REQ-INTF-001.4
+ * @requirement:REQ-INTF-001.5
+ */
+export {};
+//# sourceMappingURL=index.js.map

package/dist/src/interfaces/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/interfaces/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG"}

package/dist/src/interfaces/provider-key-storage.d.ts

@@ -0,0 +1,26 @@
+/**
+ * @plan:PLAN-20260608-ISSUE1586.P06
+ * @requirement:REQ-INTF-001.3
+ */
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+/**
+ * Instance contract for provider key storage.
+ *
+ * This interface defines the shape of a provider key storage object.
+ * AuthPrecedenceResolver accepts an IProviderKeyStorage instance via
+ * DI injection. Core's getProviderKeyStorage() factory produces an
+ * object satisfying this interface — the factory is a core concern,
+ * not an auth interface.
+ *
+ * @plan:PLAN-20260608-ISSUE1586.P06
+ * @requirement:REQ-INTF-001.3
+ */
+export interface IProviderKeyStorage {
+    getKey(provider: string): Promise<string | null>;
+    listKeys(): Promise<string[]>;
+    hasKey(provider: string): Promise<boolean>;
+}

package/dist/src/interfaces/provider-key-storage.js

@@ -0,0 +1,6 @@
+/**
+ * @plan:PLAN-20260608-ISSUE1586.P06
+ * @requirement:REQ-INTF-001.3
+ */
+export {};
+//# sourceMappingURL=provider-key-storage.js.map

package/dist/src/interfaces/provider-key-storage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider-key-storage.js","sourceRoot":"","sources":["../../../src/interfaces/provider-key-storage.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/dist/src/interfaces/runtime-context.d.ts

@@ -0,0 +1,37 @@
+/**
+ * @plan:PLAN-20260608-ISSUE1586.P06
+ * @requirement:REQ-INTF-001.5
+ */
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import type { ISettingsService } from './settings-service.js';
+/**
+ * Interface for provider runtime context, replacing direct ProviderRuntimeContext imports.
+ *
+ * Used by precedence.ts (type-only) and auth-precedence-resolver.ts (type + function call).
+ * Includes metadata field per P02b remediation (C-CB-06 alignment).
+ *
+ * The injected function `getActiveRuntimeContext?: () => IProviderRuntimeContext | null`
+ * replaces the static `getActiveProviderRuntimeContext()` import from core.
+ *
+ * @plan:PLAN-20260608-ISSUE1586.P06
+ * @requirement:REQ-INTF-001.5
+ */
+export interface IProviderRuntimeContext {
+    settingsService: ISettingsService;
+    config?: unknown;
+    runtimeId?: string;
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Factory type for obtaining the active runtime context.
+ * Injected into AuthPrecedenceResolver via DI to decouple from
+ * core's getActiveProviderRuntimeContext static import.
+ *
+ * @plan:PLAN-20260608-ISSUE1586.P06
+ * @requirement:REQ-INTF-001.5
+ */
+export type GetActiveRuntimeContext = (() => IProviderRuntimeContext | null) | undefined;

package/dist/src/interfaces/runtime-context.js

@@ -0,0 +1,6 @@
+/**
+ * @plan:PLAN-20260608-ISSUE1586.P06
+ * @requirement:REQ-INTF-001.5
+ */
+export {};
+//# sourceMappingURL=runtime-context.js.map

package/dist/src/interfaces/runtime-context.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime-context.js","sourceRoot":"","sources":["../../../src/interfaces/runtime-context.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/dist/src/interfaces/secure-store.d.ts

@@ -0,0 +1,47 @@
+/**
+ * @plan:PLAN-20260608-ISSUE1586.P06
+ * @requirement:REQ-INTF-001.1
+ */
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+/**
+ * Error codes for secure store operations.
+ * Derived from core SecureStore error handling evidence (P01 dependency-audit).
+ */
+export type SecureStoreErrorCode = 'UNAVAILABLE' | 'LOCKED' | 'DENIED' | 'CORRUPT' | 'TIMEOUT' | 'NOT_FOUND';
+/**
+ * Error shape thrown/rejected by ISecureStore operations.
+ * Matches core's SecureStoreError structure used in keyring-token-store.ts
+ * catch blocks (error.code, error.remediation).
+ */
+export interface ISecureStoreError extends Error {
+    code: SecureStoreErrorCode;
+    remediation: string;
+}
+/**
+ * Interface for persistent secure token storage.
+ *
+ * KeyringTokenStore delegates storage operations to an ISecureStore instance
+ * injected via DI. Core provides the concrete SecureStore implementation
+ * backed by @napi-rs/keyring.
+ *
+ * Method signatures match core SecureStore's public API:
+ * - get (L347 usage in keyring-token-store.ts)
+ * - set (L330 usage)
+ * - delete (L395 usage)
+ * - list (L414, L437 usage)
+ * - has (L657 in core SecureStore)
+ *
+ * @plan:PLAN-20260608-ISSUE1586.P06
+ * @requirement:REQ-INTF-001.1
+ */
+export interface ISecureStore {
+    get(key: string): Promise<string | null>;
+    set(key: string, value: string): Promise<void>;
+    delete(key: string): Promise<boolean>;
+    list(): Promise<string[]>;
+    has(key: string): Promise<boolean>;
+}

package/dist/src/interfaces/secure-store.js

@@ -0,0 +1,6 @@
+/**
+ * @plan:PLAN-20260608-ISSUE1586.P06
+ * @requirement:REQ-INTF-001.1
+ */
+export {};
+//# sourceMappingURL=secure-store.js.map

package/dist/src/interfaces/secure-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secure-store.js","sourceRoot":"","sources":["../../../src/interfaces/secure-store.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/dist/src/interfaces/settings-service.d.ts

@@ -0,0 +1,25 @@
+/**
+ * @plan:PLAN-20260608-ISSUE1586.P06
+ * @requirement:REQ-INTF-001.2
+ */
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+/**
+ * Interface for settings access, replacing direct SettingsService imports.
+ *
+ * AuthPrecedenceResolver uses ISettingsService to look up provider settings
+ * and listen for settings change events. Core's SettingsService structurally
+ * satisfies this interface — no adapter needed.
+ *
+ * @plan:PLAN-20260608-ISSUE1586.P06
+ * @requirement:REQ-INTF-001.2
+ */
+export interface ISettingsService {
+    get(key: string): unknown;
+    getProviderSettings(providerName: string): Record<string, unknown>;
+    on(event: string, handler: (...args: unknown[]) => void): void;
+    off(event: string, handler: (...args: unknown[]) => void): void;
+}

package/dist/src/interfaces/settings-service.js

@@ -0,0 +1,6 @@
+/**
+ * @plan:PLAN-20260608-ISSUE1586.P06
+ * @requirement:REQ-INTF-001.2
+ */
+export {};
+//# sourceMappingURL=settings-service.js.map

package/dist/src/interfaces/settings-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"settings-service.js","sourceRoot":"","sources":["../../../src/interfaces/settings-service.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/dist/src/keyring-token-store.d.ts

@@ -0,0 +1,96 @@
+/**
+ * @license
+ * Copyright 2025 Vybestack LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { type OAuthToken, type BucketStats } from './types.js';
+import { type TokenStore } from './token-store.js';
+import { type ISecureStore } from './interfaces/secure-store.js';
+import { type IDebugLogger } from './interfaces/debug-logger.js';
+/**
+ * Keyring-backed token store with filesystem advisory locks.
+ *
+ * @internal **DO NOT instantiate directly in consumer code.**
+ * Use `createTokenStore()` from `credential-store-factory.ts` instead.
+ *
+ * @plan PLAN-20260213-KEYRINGTOKENSTORE.P06, PLAN-20260608-ISSUE1586.P11
+ * @plan PLAN-20250214-CREDPROXY.P36
+ */
+export declare class KeyringTokenStore implements TokenStore {
+    private static readonly NO_OP_LOGGER;
+    private readonly secureStore;
+    private readonly logger;
+    private readonly lockDir;
+    constructor(options?: {
+        secureStore?: ISecureStore;
+        logger?: IDebugLogger;
+        lockDir?: string;
+    });
+    private validateName;
+    private accountKey;
+    /**
+     * Non-cryptographic FNV-1a hash for debug log identifiers.
+     */
+    private hashIdentifier;
+    private lockFilePath;
+    private authLockFilePath;
+    /**
+     * Ensures the lock directory exists.
+     */
+    private ensureLockDir;
+    /**
+     * Shared lock acquisition logic used by both refresh and auth locks.
+     */
+    private acquireLock;
+    private tryCreateLock;
+    private checkExistingLock;
+    private releaseLock;
+    /**
+     * Validates and persists an OAuth token to ISecureStore.
+     */
+    saveToken(provider: string, token: OAuthToken, bucket?: string): Promise<void>;
+    /**
+     * Retrieves and validates an OAuth token from ISecureStore.
+     */
+    getToken(provider: string, bucket?: string): Promise<OAuthToken | null>;
+    /**
+     * Removes a token from ISecureStore. Best-effort — errors are swallowed.
+     */
+    removeToken(provider: string, bucket?: string): Promise<void>;
+    /**
+     * Lists all unique provider names from ISecureStore keys.
+     */
+    listProviders(): Promise<string[]>;
+    /**
+     * Lists all bucket names for a given provider.
+     */
+    listBuckets(provider: string): Promise<string[]>;
+    /**
+     * Returns placeholder bucket statistics if a token exists for the given bucket.
+     */
+    getBucketStats(provider: string, bucket: string): Promise<BucketStats | null>;
+    /**
+     * Acquires a filesystem-based advisory lock for token refresh.
+     */
+    acquireRefreshLock(provider: string, options?: {
+        waitMs?: number;
+        staleMs?: number;
+        bucket?: string;
+    }): Promise<boolean>;
+    /**
+     * Releases a filesystem-based advisory lock. Idempotent.
+     */
+    releaseRefreshLock(provider: string, bucket?: string): Promise<void>;
+    /**
+     * Acquires a filesystem-based advisory lock for interactive authentication.
+     */
+    acquireAuthLock(provider: string, options?: {
+        waitMs?: number;
+        staleMs?: number;
+        bucket?: string;
+    }): Promise<boolean>;
+    /**
+     * Releases the auth lock for a provider. Idempotent.
+     */
+    releaseAuthLock(provider: string, bucket?: string): Promise<void>;
+}