@vybestack/llxprt-code-core 0.1.19-alpha → 0.1.19-gamma

package/dist/src/auth/qwen-device-flow.d.ts

@@ -0,0 +1,45 @@
+/**
+ * @license
+ * Copyright 2025 Vybestack LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { DeviceCodeResponse, OAuthToken } from './types.js';
+/**
+ * Configuration for Qwen device flow authentication
+ */
+export interface DeviceFlowConfig {
+    clientId: string;
+    authorizationEndpoint: string;
+    tokenEndpoint: string;
+    scopes: string[];
+}
+/**
+ * Qwen OAuth device flow implementation
+ */
+export declare class QwenDeviceFlow {
+    private config;
+    private pkceVerifier;
+    constructor(config: DeviceFlowConfig);
+    /**
+     * Initiates the device authorization flow
+     * @returns Promise resolving to device code response
+     */
+    initiateDeviceFlow(): Promise<DeviceCodeResponse>;
+    /**
+     * Polls the authorization server for an access token
+     * @param deviceCode Device code from initiation response
+     * @returns Promise resolving to OAuth token
+     */
+    pollForToken(deviceCode: string): Promise<OAuthToken>;
+    /**
+     * Refreshes an expired access token
+     * @param refreshToken Valid refresh token
+     * @returns Promise resolving to new OAuth token
+     */
+    refreshToken(refreshToken: string): Promise<OAuthToken>;
+    /**
+     * Generates PKCE code verifier and challenge
+     * @returns Object containing verifier and challenge strings
+     */
+    private generatePKCE;
+}

package/dist/src/auth/qwen-device-flow.js

@@ -0,0 +1,179 @@
+/**
+ * @license
+ * Copyright 2025 Vybestack LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { randomBytes, createHash } from 'crypto';
+import { DeviceCodeResponseSchema, TokenResponseSchema, } from './types.js';
+/**
+ * Qwen OAuth device flow implementation
+ */
+export class QwenDeviceFlow {
+    config;
+    pkceVerifier = '';
+    constructor(config) {
+        this.config = config;
+    }
+    /**
+     * Initiates the device authorization flow
+     * @returns Promise resolving to device code response
+     */
+    async initiateDeviceFlow() {
+        // Generate PKCE parameters
+        const pkce = this.generatePKCE();
+        this.pkceVerifier = pkce.verifier;
+        // Prepare request parameters
+        const params = new URLSearchParams({
+            client_id: this.config.clientId,
+            code_challenge: pkce.challenge,
+            code_challenge_method: 'S256',
+        });
+        // Only add scope if it's not empty
+        if (this.config.scopes && this.config.scopes.length > 0) {
+            params.append('scope', this.config.scopes.join(' '));
+        }
+        // Make HTTP request
+        const response = await fetch(this.config.authorizationEndpoint, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+                Accept: 'application/json',
+            },
+            body: params.toString(),
+        });
+        if (!response.ok) {
+            throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+        }
+        const data = await response.json();
+        // Validate response with Zod schema
+        const validatedResponse = DeviceCodeResponseSchema.parse(data);
+        return validatedResponse;
+    }
+    /**
+     * Polls the authorization server for an access token
+     * @param deviceCode Device code from initiation response
+     * @returns Promise resolving to OAuth token
+     */
+    async pollForToken(deviceCode) {
+        const maxDuration = 15 * 60 * 1000; // 15 minutes in milliseconds
+        const startTime = Date.now();
+        let interval = 5000; // Start with 5 seconds
+        while (Date.now() - startTime < maxDuration) {
+            const params = new URLSearchParams({
+                grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+                device_code: deviceCode,
+                client_id: this.config.clientId,
+                code_verifier: this.pkceVerifier,
+            });
+            try {
+                const response = await fetch(this.config.tokenEndpoint, {
+                    method: 'POST',
+                    headers: {
+                        'Content-Type': 'application/x-www-form-urlencoded',
+                        Accept: 'application/json',
+                    },
+                    body: params.toString(),
+                });
+                if (response.ok) {
+                    const data = await response.json();
+                    // Validate response with Zod schema
+                    const validatedResponse = TokenResponseSchema.parse(data);
+                    // Calculate expiry timestamp
+                    const now = Math.floor(Date.now() / 1000);
+                    const expiresIn = validatedResponse.expires_in || 3600; // Default to 1 hour if not provided
+                    const expiry = now + expiresIn;
+                    return {
+                        access_token: validatedResponse.access_token,
+                        token_type: 'Bearer',
+                        expiry,
+                        refresh_token: validatedResponse.refresh_token,
+                        scope: validatedResponse.scope || undefined, // Convert null to undefined
+                        resource_url: validatedResponse.resource_url, // Include the API endpoint from Qwen
+                    };
+                }
+                // Handle error responses
+                const errorData = await response.json();
+                if (errorData.error === 'authorization_pending') {
+                    // Continue polling - wait for the interval before next attempt
+                    await new Promise((resolve) => setTimeout(resolve, interval));
+                    continue;
+                }
+                else if (errorData.error === 'slow_down') {
+                    // Increase polling interval by 5 seconds and continue
+                    interval += 5000;
+                    await new Promise((resolve) => setTimeout(resolve, interval));
+                    continue;
+                }
+                else if (errorData.error === 'access_denied') {
+                    throw new Error('access_denied');
+                }
+                else if (errorData.error === 'expired_token') {
+                    throw new Error('expired_token');
+                }
+                throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+            }
+            catch (error) {
+                // For network errors, apply exponential backoff
+                if (error instanceof Error && error.message.includes('fetch failed')) {
+                    interval = Math.min(interval * 1.5, 60000); // Max 60 seconds
+                    await new Promise((resolve) => setTimeout(resolve, interval));
+                    continue;
+                }
+                // Re-throw other errors (like access_denied, expired_token)
+                throw error;
+            }
+        }
+        // If we reach here, we've exceeded the maximum polling duration
+        throw new Error('Polling timeout exceeded');
+    }
+    /**
+     * Refreshes an expired access token
+     * @param refreshToken Valid refresh token
+     * @returns Promise resolving to new OAuth token
+     */
+    async refreshToken(refreshToken) {
+        const params = new URLSearchParams({
+            grant_type: 'refresh_token',
+            refresh_token: refreshToken,
+            client_id: this.config.clientId,
+        });
+        const response = await fetch(this.config.tokenEndpoint, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+                Accept: 'application/json',
+            },
+            body: params.toString(),
+        });
+        if (!response.ok) {
+            throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+        }
+        const data = await response.json();
+        // Validate response with Zod schema
+        const validatedResponse = TokenResponseSchema.parse(data);
+        // Calculate expiry timestamp with 30-second buffer
+        const now = Math.floor(Date.now() / 1000);
+        const expiresIn = validatedResponse.expires_in || 3600; // Default to 1 hour if not provided
+        const expiry = now + expiresIn - 30; // 30-second buffer
+        return {
+            access_token: validatedResponse.access_token,
+            token_type: 'Bearer',
+            expiry,
+            refresh_token: validatedResponse.refresh_token || refreshToken, // Use new refresh token if provided, otherwise keep the old one
+            scope: validatedResponse.scope || undefined, // Convert null to undefined
+            resource_url: validatedResponse.resource_url, // Include the API endpoint from Qwen
+        };
+    }
+    /**
+     * Generates PKCE code verifier and challenge
+     * @returns Object containing verifier and challenge strings
+     */
+    generatePKCE() {
+        // Generate 32 random bytes for verifier
+        const verifier = randomBytes(32).toString('base64url');
+        // Create SHA-256 hash of verifier for challenge
+        const challenge = createHash('sha256').update(verifier).digest('base64url');
+        return { verifier, challenge };
+    }
+}
+//# sourceMappingURL=qwen-device-flow.js.map

package/dist/src/auth/qwen-device-flow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"qwen-device-flow.js","sourceRoot":"","sources":["../../../src/auth/qwen-device-flow.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACjD,OAAO,EAGL,wBAAwB,EACxB,mBAAmB,GACpB,MAAM,YAAY,CAAC;AAYpB;;GAEG;AACH,MAAM,OAAO,cAAc;IACjB,MAAM,CAAmB;IACzB,YAAY,GAAW,EAAE,CAAC;IAElC,YAAY,MAAwB;QAClC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,kBAAkB;QACtB,2BAA2B;QAC3B,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QACjC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC;QAElC,6BAA6B;QAC7B,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC/B,cAAc,EAAE,IAAI,CAAC,SAAS;YAC9B,qBAAqB,EAAE,MAAM;SAC9B,CAAC,CAAC;QAEH,mCAAmC;QACnC,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxD,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QACvD,CAAC;QAED,oBAAoB;QACpB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,qBAAqB,EAAE;YAC9D,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;gBACnD,MAAM,EAAE,kBAAkB;aAC3B;YACD,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;SACxB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,QAAQ,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QACrE,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEnC,oCAAoC;QACpC,MAAM,iBAAiB,GAAG,wBAAwB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC/D,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,YAAY,CAAC,UAAkB;QACnC,MAAM,WAAW,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,6BAA6B;QACjE,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,IAAI,QAAQ,GAAG,IAAI,CAAC,CAAC,uBAAuB;QAE5C,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,WAAW,EAAE,CAAC;YAC5C,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;gBACjC,UAAU,EAAE,8CAA8C;gBAC1D,WAAW,EAAE,UAAU;gBACvB,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAC/B,aAAa,EAAE,IAAI,CAAC,YAAY;aACjC,CAAC,CAAC;YAEH,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE;oBACtD,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE;wBACP,cAAc,EAAE,mCAAmC;wBACnD,MAAM,EAAE,kBAAkB;qBAC3B;oBACD,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;iBACxB,CAAC,CAAC;gBAEH,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;oBAChB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;oBAEnC,oCAAoC;oBACpC,MAAM,iBAAiB,GAAG,mBAAmB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBAE1D,6BAA6B;oBAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;oBAC1C,MAAM,SAAS,GAAG,iBAAiB,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,oCAAoC;oBAC5F,MAAM,MAAM,GAAG,GAAG,GAAG,SAAS,CAAC;oBAE/B,OAAO;wBACL,YAAY,EAAE,iBAAiB,CAAC,YAAY;wBAC5C,UAAU,EAAE,QAAQ;wBACpB,MAAM;wBACN,aAAa,EAAE,iBAAiB,CAAC,aAAa;wBAC9C,KAAK,EAAE,iBAAiB,CAAC,KAAK,IAAI,SAAS,EAAE,4BAA4B;wBACzE,YAAY,EAAE,iBAAiB,CAAC,YAAY,EAAE,qCAAqC;qBACpF,CAAC;gBACJ,CAAC;gBAED,yBAAyB;gBACzB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;gBAExC,IAAI,SAAS,CAAC,KAAK,KAAK,uBAAuB,EAAE,CAAC;oBAChD,+DAA+D;oBAC/D,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;oBAC9D,SAAS;gBACX,CAAC;qBAAM,IAAI,SAAS,CAAC,KAAK,KAAK,WAAW,EAAE,CAAC;oBAC3C,sDAAsD;oBACtD,QAAQ,IAAI,IAAI,CAAC;oBACjB,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;oBAC9D,SAAS;gBACX,CAAC;qBAAM,IAAI,SAAS,CAAC,KAAK,KAAK,eAAe,EAAE,CAAC;oBAC/C,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;gBACnC,CAAC;qBAAM,IAAI,SAAS,CAAC,KAAK,KAAK,eAAe,EAAE,CAAC;oBAC/C,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;gBACnC,CAAC;gBAED,MAAM,IAAI,KAAK,CAAC,QAAQ,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;YACrE,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,gDAAgD;gBAChD,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;oBACrE,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,GAAG,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC,iBAAiB;oBAC7D,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;oBAC9D,SAAS;gBACX,CAAC;gBAED,4DAA4D;gBAC5D,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC;QAED,gEAAgE;QAChE,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;IAC9C,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,YAAY,CAAC,YAAoB;QACrC,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,UAAU,EAAE,eAAe;YAC3B,aAAa,EAAE,YAAY;YAC3B,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;SAChC,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE;YACtD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;gBACnD,MAAM,EAAE,kBAAkB;aAC3B;YACD,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;SACxB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,QAAQ,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QACrE,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEnC,oCAAoC;QACpC,MAAM,iBAAiB,GAAG,mBAAmB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAE1D,mDAAmD;QACnD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,SAAS,GAAG,iBAAiB,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,oCAAoC;QAC5F,MAAM,MAAM,GAAG,GAAG,GAAG,SAAS,GAAG,EAAE,CAAC,CAAC,mBAAmB;QAExD,OAAO;YACL,YAAY,EAAE,iBAAiB,CAAC,YAAY;YAC5C,UAAU,EAAE,QAAQ;YACpB,MAAM;YACN,aAAa,EAAE,iBAAiB,CAAC,aAAa,IAAI,YAAY,EAAE,gEAAgE;YAChI,KAAK,EAAE,iBAAiB,CAAC,KAAK,IAAI,SAAS,EAAE,4BAA4B;YACzE,YAAY,EAAE,iBAAiB,CAAC,YAAY,EAAE,qCAAqC;SACpF,CAAC;IACJ,CAAC;IAED;;;OAGG;IACK,YAAY;QAClB,wCAAwC;QACxC,MAAM,QAAQ,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAEvD,gDAAgD;QAChD,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAE5E,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;IACjC,CAAC;CACF"}

package/dist/src/auth/token-store.d.ts

@@ -0,0 +1,66 @@
+/**
+ * @license
+ * Copyright 2025 Vybestack LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { OAuthToken } from './types.js';
+/**
+ * Interface for multi-provider OAuth token storage
+ */
+export interface TokenStore {
+    /**
+     * Save an OAuth token for a specific provider
+     * @param provider - The provider name (e.g., 'gemini', 'qwen')
+     * @param token - The OAuth token to save
+     */
+    saveToken(provider: string, token: OAuthToken): Promise<void>;
+    /**
+     * Retrieve an OAuth token for a specific provider
+     * @param provider - The provider name
+     * @returns The token if found, null otherwise
+     */
+    getToken(provider: string): Promise<OAuthToken | null>;
+    /**
+     * Remove an OAuth token for a specific provider
+     * @param provider - The provider name
+     */
+    removeToken(provider: string): Promise<void>;
+    /**
+     * List all providers that have stored tokens
+     * @returns Array of provider names with stored tokens
+     */
+    listProviders(): Promise<string[]>;
+}
+/**
+ * Implementation of multi-provider token storage
+ * Stores tokens securely in ~/.llxprt/oauth/ directory
+ */
+export declare class MultiProviderTokenStore implements TokenStore {
+    private readonly basePath;
+    constructor();
+    /**
+     * Save an OAuth token for a specific provider
+     */
+    saveToken(provider: string, token: OAuthToken): Promise<void>;
+    /**
+     * Retrieve an OAuth token for a specific provider
+     */
+    getToken(provider: string): Promise<OAuthToken | null>;
+    /**
+     * Remove an OAuth token for a specific provider
+     */
+    removeToken(provider: string): Promise<void>;
+    /**
+     * List all providers that have stored tokens
+     */
+    listProviders(): Promise<string[]>;
+    /**
+     * Ensure the OAuth directory exists with secure permissions
+     */
+    private ensureDirectory;
+    /**
+     * Generate secure file path for a provider token
+     * Uses path.join to prevent path traversal attacks
+     */
+    private getTokenPath;
+}

package/dist/src/auth/token-store.js

@@ -0,0 +1,151 @@
+/**
+ * @license
+ * Copyright 2025 Vybestack LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { promises as fs } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+import { OAuthTokenSchema } from './types.js';
+/**
+ * Implementation of multi-provider token storage
+ * Stores tokens securely in ~/.llxprt/oauth/ directory
+ */
+export class MultiProviderTokenStore {
+    basePath;
+    constructor() {
+        this.basePath = join(homedir(), '.llxprt', 'oauth');
+    }
+    /**
+     * Save an OAuth token for a specific provider
+     */
+    async saveToken(provider, token) {
+        // Validate provider name
+        if (!provider || provider.trim() === '') {
+            throw new Error('Provider name cannot be empty');
+        }
+        // Validate token structure
+        const validatedToken = OAuthTokenSchema.parse(token);
+        // Ensure directory exists with secure permissions
+        await this.ensureDirectory();
+        // Generate file paths
+        const tokenPath = this.getTokenPath(provider);
+        const tempPath = `${tokenPath}.tmp-${Date.now()}-${Math.random().toString(36).substring(2, 8)}`;
+        try {
+            // Write to temporary file first (atomic operation)
+            await fs.writeFile(tempPath, JSON.stringify(validatedToken, null, 2), {
+                mode: 0o600,
+            });
+            // Set secure permissions explicitly (skip on Windows)
+            if (process.platform !== 'win32') {
+                await fs.chmod(tempPath, 0o600);
+            }
+            // Atomic rename to final location
+            await fs.rename(tempPath, tokenPath);
+        }
+        catch (error) {
+            // Cleanup temp file if it exists
+            try {
+                await fs.unlink(tempPath);
+            }
+            catch {
+                // Ignore cleanup errors
+            }
+            throw error;
+        }
+    }
+    /**
+     * Retrieve an OAuth token for a specific provider
+     */
+    async getToken(provider) {
+        try {
+            const tokenPath = this.getTokenPath(provider);
+            const content = await fs.readFile(tokenPath, 'utf8');
+            const parsed = JSON.parse(content);
+            // Validate token structure
+            const validatedToken = OAuthTokenSchema.parse(parsed);
+            return validatedToken;
+        }
+        catch {
+            // Return null for any error (file not found, invalid JSON, validation failure, etc.)
+            return null;
+        }
+    }
+    /**
+     * Remove an OAuth token for a specific provider
+     */
+    async removeToken(provider) {
+        try {
+            const tokenPath = this.getTokenPath(provider);
+            await fs.unlink(tokenPath);
+        }
+        catch (error) {
+            // Check if error is because file doesn't exist
+            if (error &&
+                typeof error === 'object' &&
+                'code' in error &&
+                error.code === 'ENOENT') {
+                // File doesn't exist - operation succeeds silently
+                return;
+            }
+            // Re-throw other errors
+            throw error;
+        }
+    }
+    /**
+     * List all providers that have stored tokens
+     */
+    async listProviders() {
+        try {
+            const files = await fs.readdir(this.basePath);
+            const providers = files
+                .filter((file) => file.endsWith('.json'))
+                .map((file) => file.replace('.json', ''))
+                .sort();
+            return providers;
+        }
+        catch (error) {
+            // If directory doesn't exist, return empty array
+            if (error &&
+                typeof error === 'object' &&
+                'code' in error &&
+                error.code === 'ENOENT') {
+                return [];
+            }
+            throw error;
+        }
+    }
+    /**
+     * Ensure the OAuth directory exists with secure permissions
+     */
+    async ensureDirectory() {
+        try {
+            await fs.mkdir(this.basePath, { recursive: true, mode: 0o700 });
+            // Ensure permissions are correct even if directory already existed (skip on Windows)
+            if (process.platform !== 'win32') {
+                await fs.chmod(this.basePath, 0o700);
+                // Also ensure parent .llxprt directory has secure permissions
+                const parentDir = join(homedir(), '.llxprt');
+                await fs.chmod(parentDir, 0o700);
+            }
+        }
+        catch (error) {
+            // If chmod fails because directory doesn't exist, that's fine
+            if (error &&
+                typeof error === 'object' &&
+                'code' in error &&
+                error.code === 'ENOENT') {
+                return;
+            }
+            throw error;
+        }
+    }
+    /**
+     * Generate secure file path for a provider token
+     * Uses path.join to prevent path traversal attacks
+     */
+    getTokenPath(provider) {
+        return join(this.basePath, `${provider}.json`);
+    }
+}
+//# sourceMappingURL=token-store.js.map

package/dist/src/auth/token-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-store.js","sourceRoot":"","sources":["../../../src/auth/token-store.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,IAAI,CAAC;AACpC,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAC7B,OAAO,EAAc,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAiC1D;;;GAGG;AACH,MAAM,OAAO,uBAAuB;IACjB,QAAQ,CAAS;IAElC;QACE,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IACtD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,SAAS,CAAC,QAAgB,EAAE,KAAiB;QACjD,yBAAyB;QACzB,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YACxC,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;QACnD,CAAC;QAED,2BAA2B;QAC3B,MAAM,cAAc,GAAG,gBAAgB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAErD,kDAAkD;QAClD,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAE7B,sBAAsB;QACtB,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;QAC9C,MAAM,QAAQ,GAAG,GAAG,SAAS,QAAQ,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;QAEhG,IAAI,CAAC;YACH,mDAAmD;YACnD,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;gBACpE,IAAI,EAAE,KAAK;aACZ,CAAC,CAAC;YAEH,sDAAsD;YACtD,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;gBACjC,MAAM,EAAE,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;YAClC,CAAC;YAED,kCAAkC;YAClC,MAAM,EAAE,CAAC,MAAM,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QACvC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,iCAAiC;YACjC,IAAI,CAAC;gBACH,MAAM,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAC5B,CAAC;YAAC,MAAM,CAAC;gBACP,wBAAwB;YAC1B,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,QAAQ,CAAC,QAAgB;QAC7B,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;YAC9C,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;YACrD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAEnC,2BAA2B;YAC3B,MAAM,cAAc,GAAG,gBAAgB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YACtD,OAAO,cAAc,CAAC;QACxB,CAAC;QAAC,MAAM,CAAC;YACP,qFAAqF;YACrF,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW,CAAC,QAAgB;QAChC,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;YAC9C,MAAM,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC7B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,+CAA+C;YAC/C,IACE,KAAK;gBACL,OAAO,KAAK,KAAK,QAAQ;gBACzB,MAAM,IAAI,KAAK;gBACf,KAAK,CAAC,IAAI,KAAK,QAAQ,EACvB,CAAC;gBACD,mDAAmD;gBACnD,OAAO;YACT,CAAC;YACD,wBAAwB;YACxB,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa;QACjB,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC9C,MAAM,SAAS,GAAG,KAAK;iBACpB,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;iBACxC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;iBACxC,IAAI,EAAE,CAAC;YACV,OAAO,SAAS,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,iDAAiD;YACjD,IACE,KAAK;gBACL,OAAO,KAAK,KAAK,QAAQ;gBACzB,MAAM,IAAI,KAAK;gBACf,KAAK,CAAC,IAAI,KAAK,QAAQ,EACvB,CAAC;gBACD,OAAO,EAAE,CAAC;YACZ,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,eAAe;QAC3B,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;YAEhE,qFAAqF;YACrF,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;gBACjC,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;gBAErC,8DAA8D;gBAC9D,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,CAAC;gBAC7C,MAAM,EAAE,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,8DAA8D;YAC9D,IACE,KAAK;gBACL,OAAO,KAAK,KAAK,QAAQ;gBACzB,MAAM,IAAI,KAAK;gBACf,KAAK,CAAC,IAAI,KAAK,QAAQ,EACvB,CAAC;gBACD,OAAO;YACT,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;OAGG;IACK,YAAY,CAAC,QAAgB;QACnC,OAAO,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,QAAQ,OAAO,CAAC,CAAC;IACjD,CAAC;CACF"}

package/dist/src/auth/types.d.ts

@@ -0,0 +1,130 @@
+/**
+ * @license
+ * Copyright 2025 Vybestack LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { z } from 'zod';
+/**
+ * OAuth token storage schema
+ */
+export declare const OAuthTokenSchema: z.ZodObject<{
+    access_token: z.ZodString;
+    refresh_token: z.ZodOptional<z.ZodString>;
+    expiry: z.ZodNumber;
+    scope: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    token_type: z.ZodLiteral<"Bearer">;
+    resource_url: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    token_type: "Bearer";
+    access_token: string;
+    expiry: number;
+    scope?: string | null | undefined;
+    refresh_token?: string | undefined;
+    resource_url?: string | undefined;
+}, {
+    token_type: "Bearer";
+    access_token: string;
+    expiry: number;
+    scope?: string | null | undefined;
+    refresh_token?: string | undefined;
+    resource_url?: string | undefined;
+}>;
+/**
+ * Provider OAuth configuration schema
+ */
+export declare const ProviderOAuthConfigSchema: z.ZodObject<{
+    provider: z.ZodEnum<["gemini", "qwen"]>;
+    clientId: z.ZodString;
+    authorizationEndpoint: z.ZodString;
+    tokenEndpoint: z.ZodString;
+    scopes: z.ZodArray<z.ZodString, "many">;
+}, "strip", z.ZodTypeAny, {
+    clientId: string;
+    provider: "gemini" | "qwen";
+    scopes: string[];
+    authorizationEndpoint: string;
+    tokenEndpoint: string;
+}, {
+    clientId: string;
+    provider: "gemini" | "qwen";
+    scopes: string[];
+    authorizationEndpoint: string;
+    tokenEndpoint: string;
+}>;
+/**
+ * Device code response schema
+ */
+export declare const DeviceCodeResponseSchema: z.ZodObject<{
+    device_code: z.ZodString;
+    user_code: z.ZodString;
+    verification_uri: z.ZodString;
+    verification_uri_complete: z.ZodOptional<z.ZodString>;
+    expires_in: z.ZodNumber;
+    interval: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    device_code: string;
+    user_code: string;
+    verification_uri: string;
+    expires_in: number;
+    verification_uri_complete?: string | undefined;
+    interval?: number | undefined;
+}, {
+    device_code: string;
+    user_code: string;
+    verification_uri: string;
+    expires_in: number;
+    verification_uri_complete?: string | undefined;
+    interval?: number | undefined;
+}>;
+/**
+ * Token response schema
+ */
+export declare const TokenResponseSchema: z.ZodObject<{
+    access_token: z.ZodString;
+    token_type: z.ZodString;
+    expires_in: z.ZodOptional<z.ZodNumber>;
+    refresh_token: z.ZodOptional<z.ZodString>;
+    scope: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    resource_url: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    token_type: string;
+    access_token: string;
+    scope?: string | null | undefined;
+    refresh_token?: string | undefined;
+    resource_url?: string | undefined;
+    expires_in?: number | undefined;
+}, {
+    token_type: string;
+    access_token: string;
+    scope?: string | null | undefined;
+    refresh_token?: string | undefined;
+    resource_url?: string | undefined;
+    expires_in?: number | undefined;
+}>;
+/**
+ * Auth status schema
+ */
+export declare const AuthStatusSchema: z.ZodObject<{
+    provider: z.ZodString;
+    authenticated: z.ZodBoolean;
+    authType: z.ZodEnum<["oauth", "api-key", "none"]>;
+    expiresIn: z.ZodOptional<z.ZodNumber>;
+    oauthEnabled: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    authType: "none" | "oauth" | "api-key";
+    provider: string;
+    authenticated: boolean;
+    expiresIn?: number | undefined;
+    oauthEnabled?: boolean | undefined;
+}, {
+    authType: "none" | "oauth" | "api-key";
+    provider: string;
+    authenticated: boolean;
+    expiresIn?: number | undefined;
+    oauthEnabled?: boolean | undefined;
+}>;
+export type OAuthToken = z.infer<typeof OAuthTokenSchema>;
+export type ProviderOAuthConfig = z.infer<typeof ProviderOAuthConfigSchema>;
+export type DeviceCodeResponse = z.infer<typeof DeviceCodeResponseSchema>;
+export type TokenResponse = z.infer<typeof TokenResponseSchema>;
+export type AuthStatus = z.infer<typeof AuthStatusSchema>;

package/dist/src/auth/types.js

@@ -0,0 +1,60 @@
+/**
+ * @license
+ * Copyright 2025 Vybestack LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { z } from 'zod';
+/**
+ * OAuth token storage schema
+ */
+export const OAuthTokenSchema = z.object({
+    access_token: z.string(),
+    refresh_token: z.string().optional(),
+    expiry: z.number(), // Unix timestamp
+    scope: z.string().nullable().optional(),
+    token_type: z.literal('Bearer'),
+    resource_url: z.string().optional(), // For Qwen OAuth - indicates the API endpoint to use
+});
+/**
+ * Provider OAuth configuration schema
+ */
+export const ProviderOAuthConfigSchema = z.object({
+    provider: z.enum(['gemini', 'qwen']),
+    clientId: z.string(),
+    authorizationEndpoint: z.string().url(),
+    tokenEndpoint: z.string().url(),
+    scopes: z.array(z.string()),
+});
+/**
+ * Device code response schema
+ */
+export const DeviceCodeResponseSchema = z.object({
+    device_code: z.string(),
+    user_code: z.string(),
+    verification_uri: z.string().url(),
+    verification_uri_complete: z.string().url().optional(),
+    expires_in: z.number(),
+    interval: z.number().optional(), // Qwen doesn't include this field
+});
+/**
+ * Token response schema
+ */
+export const TokenResponseSchema = z.object({
+    access_token: z.string(),
+    token_type: z.string(),
+    expires_in: z.number().optional(),
+    refresh_token: z.string().optional(),
+    scope: z.string().nullable().optional(), // Qwen may return null for scope
+    resource_url: z.string().optional(), // Qwen OAuth returns the API endpoint to use
+});
+/**
+ * Auth status schema
+ */
+export const AuthStatusSchema = z.object({
+    provider: z.string(),
+    authenticated: z.boolean(),
+    authType: z.enum(['oauth', 'api-key', 'none']),
+    expiresIn: z.number().optional(), // seconds until expiry
+    oauthEnabled: z.boolean().optional(), // whether OAuth is enabled for this provider
+});
+//# sourceMappingURL=types.js.map

package/dist/src/auth/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/auth/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IACvC,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE;IACxB,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACpC,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,iBAAiB;IACrC,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IACvC,UAAU,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;IAC/B,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,qDAAqD;CAC3F,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,CAAC,MAAM,CAAC;IAChD,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IACpC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;IACpB,qBAAqB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IACvC,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IAC/B,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;CAC5B,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/C,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;IACvB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;IACrB,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IAClC,yBAAyB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACtD,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;IACtB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,kCAAkC;CACpE,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC1C,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE;IACxB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;IACtB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACpC,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,EAAE,iCAAiC;IAC1E,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,6CAA6C;CACnF,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IACvC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;IACpB,aAAa,EAAE,CAAC,CAAC,OAAO,EAAE;IAC1B,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;IAC9C,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,uBAAuB;IACzD,YAAY,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,EAAE,6CAA6C;CACpF,CAAC,CAAC"}

package/dist/src/code_assist/converter.d.ts

@@ -3,7 +3,7 @@
  * Copyright 2025 Google LLC
  * SPDX-License-Identifier: Apache-2.0
  */
-import { Content, GenerateContentParameters, CountTokensParameters, CountTokensResponse, GenerateContentResponse, GenerationConfigRoutingConfig, MediaResolution, Candidate, ModelSelectionConfig, GenerateContentResponsePromptFeedback, GenerateContentResponseUsageMetadata, SafetySetting, SchemaUnion, SpeechConfigUnion, ThinkingConfig, ToolListUnion, ToolConfig } from '@google/genai';
+import { Content, ContentListUnion, GenerateContentParameters, CountTokensParameters, CountTokensResponse, GenerateContentResponse, GenerationConfigRoutingConfig, MediaResolution, Candidate, ModelSelectionConfig, GenerateContentResponsePromptFeedback, GenerateContentResponseUsageMetadata, SafetySetting, SchemaUnion, SpeechConfigUnion, ThinkingConfig, ToolListUnion, ToolConfig } from '@google/genai';
 export interface CAGenerateContentRequest {
     model: string;
     project?: string;
@@ -66,4 +66,5 @@ export declare function toCountTokenRequest(req: CountTokensParameters): CaCount
 export declare function fromCountTokenResponse(res: CaCountTokenResponse): CountTokensResponse;
 export declare function toGenerateContentRequest(req: GenerateContentParameters, userPromptId: string, project?: string, sessionId?: string): CAGenerateContentRequest;
 export declare function fromGenerateContentResponse(res: CaGenerateContentResponse): GenerateContentResponse;
+export declare function toContents(contents: ContentListUnion): Content[];
 export {};