npm - @vybestack/llxprt-code-core - Versions diffs - 0.1.19-beta → 0.1.19-gamma - Mend

@vybestack/llxprt-code-core 0.1.19-beta → 0.1.19-gamma

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (475) hide show

package/dist/src/auth/qwen-device-flow.d.ts ADDED Viewed

@@ -0,0 +1,45 @@
+/**
+ * @license
+ * Copyright 2025 Vybestack LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { DeviceCodeResponse, OAuthToken } from './types.js';
+/**
+ * Configuration for Qwen device flow authentication
+ */
+export interface DeviceFlowConfig {
+    clientId: string;
+    authorizationEndpoint: string;
+    tokenEndpoint: string;
+    scopes: string[];
+}
+/**
+ * Qwen OAuth device flow implementation
+ */
+export declare class QwenDeviceFlow {
+    private config;
+    private pkceVerifier;
+    constructor(config: DeviceFlowConfig);
+    /**
+     * Initiates the device authorization flow
+     * @returns Promise resolving to device code response
+     */
+    initiateDeviceFlow(): Promise<DeviceCodeResponse>;
+    /**
+     * Polls the authorization server for an access token
+     * @param deviceCode Device code from initiation response
+     * @returns Promise resolving to OAuth token
+     */
+    pollForToken(deviceCode: string): Promise<OAuthToken>;
+    /**
+     * Refreshes an expired access token
+     * @param refreshToken Valid refresh token
+     * @returns Promise resolving to new OAuth token
+     */
+    refreshToken(refreshToken: string): Promise<OAuthToken>;
+    /**
+     * Generates PKCE code verifier and challenge
+     * @returns Object containing verifier and challenge strings
+     */
+    private generatePKCE;
+}

package/dist/src/auth/qwen-device-flow.js ADDED Viewed

@@ -0,0 +1,179 @@
+/**
+ * @license
+ * Copyright 2025 Vybestack LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { randomBytes, createHash } from 'crypto';
+import { DeviceCodeResponseSchema, TokenResponseSchema, } from './types.js';
+/**
+ * Qwen OAuth device flow implementation
+ */
+export class QwenDeviceFlow {
+    config;
+    pkceVerifier = '';
+    constructor(config) {
+        this.config = config;
+    }
+    /**
+     * Initiates the device authorization flow
+     * @returns Promise resolving to device code response
+     */
+    async initiateDeviceFlow() {
+        // Generate PKCE parameters
+        const pkce = this.generatePKCE();
+        this.pkceVerifier = pkce.verifier;
+        // Prepare request parameters
+        const params = new URLSearchParams({
+            client_id: this.config.clientId,
+            code_challenge: pkce.challenge,
+            code_challenge_method: 'S256',
+        });
+        // Only add scope if it's not empty
+        if (this.config.scopes && this.config.scopes.length > 0) {
+            params.append('scope', this.config.scopes.join(' '));
+        }
+        // Make HTTP request
+        const response = await fetch(this.config.authorizationEndpoint, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+                Accept: 'application/json',
+            },
+            body: params.toString(),
+        });
+        if (!response.ok) {
+            throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+        }
+        const data = await response.json();
+        // Validate response with Zod schema
+        const validatedResponse = DeviceCodeResponseSchema.parse(data);
+        return validatedResponse;
+    }
+    /**
+     * Polls the authorization server for an access token
+     * @param deviceCode Device code from initiation response
+     * @returns Promise resolving to OAuth token
+     */
+    async pollForToken(deviceCode) {
+        const maxDuration = 15 * 60 * 1000; // 15 minutes in milliseconds
+        const startTime = Date.now();
+        let interval = 5000; // Start with 5 seconds
+        while (Date.now() - startTime < maxDuration) {
+            const params = new URLSearchParams({
+                grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+                device_code: deviceCode,
+                client_id: this.config.clientId,
+                code_verifier: this.pkceVerifier,
+            });
+            try {
+                const response = await fetch(this.config.tokenEndpoint, {
+                    method: 'POST',
+                    headers: {
+                        'Content-Type': 'application/x-www-form-urlencoded',
+                        Accept: 'application/json',
+                    },
+                    body: params.toString(),
+                });
+                if (response.ok) {
+                    const data = await response.json();
+                    // Validate response with Zod schema
+                    const validatedResponse = TokenResponseSchema.parse(data);
+                    // Calculate expiry timestamp
+                    const now = Math.floor(Date.now() / 1000);
+                    const expiresIn = validatedResponse.expires_in || 3600; // Default to 1 hour if not provided
+                    const expiry = now + expiresIn;
+                    return {
+                        access_token: validatedResponse.access_token,
+                        token_type: 'Bearer',
+                        expiry,
+                        refresh_token: validatedResponse.refresh_token,
+                        scope: validatedResponse.scope || undefined, // Convert null to undefined
+                        resource_url: validatedResponse.resource_url, // Include the API endpoint from Qwen
+                    };
+                }
+                // Handle error responses
+                const errorData = await response.json();
+                if (errorData.error === 'authorization_pending') {
+                    // Continue polling - wait for the interval before next attempt
+                    await new Promise((resolve) => setTimeout(resolve, interval));
+                    continue;
+                }
+                else if (errorData.error === 'slow_down') {
+                    // Increase polling interval by 5 seconds and continue
+                    interval += 5000;
+                    await new Promise((resolve) => setTimeout(resolve, interval));
+                    continue;
+                }
+                else if (errorData.error === 'access_denied') {
+                    throw new Error('access_denied');
+                }
+                else if (errorData.error === 'expired_token') {
+                    throw new Error('expired_token');
+                }
+                throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+            }
+            catch (error) {
+                // For network errors, apply exponential backoff
+                if (error instanceof Error && error.message.includes('fetch failed')) {
+                    interval = Math.min(interval * 1.5, 60000); // Max 60 seconds
+                    await new Promise((resolve) => setTimeout(resolve, interval));
+                    continue;
+                }
+                // Re-throw other errors (like access_denied, expired_token)
+                throw error;
+            }
+        }
+        // If we reach here, we've exceeded the maximum polling duration
+        throw new Error('Polling timeout exceeded');
+    }
+    /**
+     * Refreshes an expired access token
+     * @param refreshToken Valid refresh token
+     * @returns Promise resolving to new OAuth token
+     */
+    async refreshToken(refreshToken) {
+        const params = new URLSearchParams({
+            grant_type: 'refresh_token',
+            refresh_token: refreshToken,
+            client_id: this.config.clientId,
+        });
+        const response = await fetch(this.config.tokenEndpoint, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+                Accept: 'application/json',
+            },
+            body: params.toString(),
+        });
+        if (!response.ok) {
+            throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+        }
+        const data = await response.json();
+        // Validate response with Zod schema
+        const validatedResponse = TokenResponseSchema.parse(data);
+        // Calculate expiry timestamp with 30-second buffer
+        const now = Math.floor(Date.now() / 1000);
+        const expiresIn = validatedResponse.expires_in || 3600; // Default to 1 hour if not provided
+        const expiry = now + expiresIn - 30; // 30-second buffer
+        return {
+            access_token: validatedResponse.access_token,
+            token_type: 'Bearer',
+            expiry,
+            refresh_token: validatedResponse.refresh_token || refreshToken, // Use new refresh token if provided, otherwise keep the old one
+            scope: validatedResponse.scope || undefined, // Convert null to undefined
+            resource_url: validatedResponse.resource_url, // Include the API endpoint from Qwen
+        };
+    }
+    /**
+     * Generates PKCE code verifier and challenge
+     * @returns Object containing verifier and challenge strings
+     */
+    generatePKCE() {
+        // Generate 32 random bytes for verifier
+        const verifier = randomBytes(32).toString('base64url');
+        // Create SHA-256 hash of verifier for challenge
+        const challenge = createHash('sha256').update(verifier).digest('base64url');
+        return { verifier, challenge };
+    }
+}
+//# sourceMappingURL=qwen-device-flow.js.map

package/dist/src/auth/qwen-device-flow.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"qwen-device-flow.js","sourceRoot":"","sources":["../../../src/auth/qwen-device-flow.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACjD,OAAO,EAGL,wBAAwB,EACxB,mBAAmB,GACpB,MAAM,YAAY,CAAC;AAYpB;;GAEG;AACH,MAAM,OAAO,cAAc;IACjB,MAAM,CAAmB;IACzB,YAAY,GAAW,EAAE,CAAC;IAElC,YAAY,MAAwB;QAClC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,kBAAkB;QACtB,2BAA2B;QAC3B,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QACjC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC;QAElC,6BAA6B;QAC7B,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC/B,cAAc,EAAE,IAAI,CAAC,SAAS;YAC9B,qBAAqB,EAAE,MAAM;SAC9B,CAAC,CAAC;QAEH,mCAAmC;QACnC,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxD,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QACvD,CAAC;QAED,oBAAoB;QACpB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,qBAAqB,EAAE;YAC9D,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;gBACnD,MAAM,EAAE,kBAAkB;aAC3B;YACD,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;SACxB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,QAAQ,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QACrE,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEnC,oCAAoC;QACpC,MAAM,iBAAiB,GAAG,wBAAwB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC/D,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,YAAY,CAAC,UAAkB;QACnC,MAAM,WAAW,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,6BAA6B;QACjE,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,IAAI,QAAQ,GAAG,IAAI,CAAC,CAAC,uBAAuB;QAE5C,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,WAAW,EAAE,CAAC;YAC5C,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;gBACjC,UAAU,EAAE,8CAA8C;gBAC1D,WAAW,EAAE,UAAU;gBACvB,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAC/B,aAAa,EAAE,IAAI,CAAC,YAAY;aACjC,CAAC,CAAC;YAEH,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE;oBACtD,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE;wBACP,cAAc,EAAE,mCAAmC;wBACnD,MAAM,EAAE,kBAAkB;qBAC3B;oBACD,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;iBACxB,CAAC,CAAC;gBAEH,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;oBAChB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;oBAEnC,oCAAoC;oBACpC,MAAM,iBAAiB,GAAG,mBAAmB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBAE1D,6BAA6B;oBAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;oBAC1C,MAAM,SAAS,GAAG,iBAAiB,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,oCAAoC;oBAC5F,MAAM,MAAM,GAAG,GAAG,GAAG,SAAS,CAAC;oBAE/B,OAAO;wBACL,YAAY,EAAE,iBAAiB,CAAC,YAAY;wBAC5C,UAAU,EAAE,QAAQ;wBACpB,MAAM;wBACN,aAAa,EAAE,iBAAiB,CAAC,aAAa;wBAC9C,KAAK,EAAE,iBAAiB,CAAC,KAAK,IAAI,SAAS,EAAE,4BAA4B;wBACzE,YAAY,EAAE,iBAAiB,CAAC,YAAY,EAAE,qCAAqC;qBACpF,CAAC;gBACJ,CAAC;gBAED,yBAAyB;gBACzB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;gBAExC,IAAI,SAAS,CAAC,KAAK,KAAK,uBAAuB,EAAE,CAAC;oBAChD,+DAA+D;oBAC/D,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;oBAC9D,SAAS;gBACX,CAAC;qBAAM,IAAI,SAAS,CAAC,KAAK,KAAK,WAAW,EAAE,CAAC;oBAC3C,sDAAsD;oBACtD,QAAQ,IAAI,IAAI,CAAC;oBACjB,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;oBAC9D,SAAS;gBACX,CAAC;qBAAM,IAAI,SAAS,CAAC,KAAK,KAAK,eAAe,EAAE,CAAC;oBAC/C,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;gBACnC,CAAC;qBAAM,IAAI,SAAS,CAAC,KAAK,KAAK,eAAe,EAAE,CAAC;oBAC/C,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;gBACnC,CAAC;gBAED,MAAM,IAAI,KAAK,CAAC,QAAQ,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;YACrE,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,gDAAgD;gBAChD,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;oBACrE,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,GAAG,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC,iBAAiB;oBAC7D,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;oBAC9D,SAAS;gBACX,CAAC;gBAED,4DAA4D;gBAC5D,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC;QAED,gEAAgE;QAChE,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;IAC9C,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,YAAY,CAAC,YAAoB;QACrC,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,UAAU,EAAE,eAAe;YAC3B,aAAa,EAAE,YAAY;YAC3B,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;SAChC,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE;YACtD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;gBACnD,MAAM,EAAE,kBAAkB;aAC3B;YACD,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;SACxB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,QAAQ,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QACrE,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEnC,oCAAoC;QACpC,MAAM,iBAAiB,GAAG,mBAAmB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAE1D,mDAAmD;QACnD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,SAAS,GAAG,iBAAiB,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,oCAAoC;QAC5F,MAAM,MAAM,GAAG,GAAG,GAAG,SAAS,GAAG,EAAE,CAAC,CAAC,mBAAmB;QAExD,OAAO;YACL,YAAY,EAAE,iBAAiB,CAAC,YAAY;YAC5C,UAAU,EAAE,QAAQ;YACpB,MAAM;YACN,aAAa,EAAE,iBAAiB,CAAC,aAAa,IAAI,YAAY,EAAE,gEAAgE;YAChI,KAAK,EAAE,iBAAiB,CAAC,KAAK,IAAI,SAAS,EAAE,4BAA4B;YACzE,YAAY,EAAE,iBAAiB,CAAC,YAAY,EAAE,qCAAqC;SACpF,CAAC;IACJ,CAAC;IAED;;;OAGG;IACK,YAAY;QAClB,wCAAwC;QACxC,MAAM,QAAQ,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAEvD,gDAAgD;QAChD,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAE5E,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;IACjC,CAAC;CACF"}

package/dist/src/auth/token-store.d.ts ADDED Viewed

@@ -0,0 +1,66 @@
+/**
+ * @license
+ * Copyright 2025 Vybestack LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { OAuthToken } from './types.js';
+/**
+ * Interface for multi-provider OAuth token storage
+ */
+export interface TokenStore {
+    /**
+     * Save an OAuth token for a specific provider
+     * @param provider - The provider name (e.g., 'gemini', 'qwen')
+     * @param token - The OAuth token to save
+     */
+    saveToken(provider: string, token: OAuthToken): Promise<void>;
+    /**
+     * Retrieve an OAuth token for a specific provider
+     * @param provider - The provider name
+     * @returns The token if found, null otherwise
+     */
+    getToken(provider: string): Promise<OAuthToken | null>;
+    /**
+     * Remove an OAuth token for a specific provider
+     * @param provider - The provider name
+     */
+    removeToken(provider: string): Promise<void>;
+    /**
+     * List all providers that have stored tokens
+     * @returns Array of provider names with stored tokens
+     */
+    listProviders(): Promise<string[]>;
+}
+/**
+ * Implementation of multi-provider token storage
+ * Stores tokens securely in ~/.llxprt/oauth/ directory
+ */
+export declare class MultiProviderTokenStore implements TokenStore {
+    private readonly basePath;
+    constructor();
+    /**
+     * Save an OAuth token for a specific provider
+     */
+    saveToken(provider: string, token: OAuthToken): Promise<void>;
+    /**
+     * Retrieve an OAuth token for a specific provider
+     */
+    getToken(provider: string): Promise<OAuthToken | null>;
+    /**
+     * Remove an OAuth token for a specific provider
+     */
+    removeToken(provider: string): Promise<void>;
+    /**
+     * List all providers that have stored tokens
+     */
+    listProviders(): Promise<string[]>;
+    /**
+     * Ensure the OAuth directory exists with secure permissions
+     */
+    private ensureDirectory;
+    /**
+     * Generate secure file path for a provider token
+     * Uses path.join to prevent path traversal attacks
+     */
+    private getTokenPath;
+}

package/dist/src/auth/token-store.js ADDED Viewed

@@ -0,0 +1,151 @@
+/**
+ * @license
+ * Copyright 2025 Vybestack LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { promises as fs } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+import { OAuthTokenSchema } from './types.js';
+/**
+ * Implementation of multi-provider token storage
+ * Stores tokens securely in ~/.llxprt/oauth/ directory
+ */
+export class MultiProviderTokenStore {
+    basePath;
+    constructor() {
+        this.basePath = join(homedir(), '.llxprt', 'oauth');
+    }
+    /**
+     * Save an OAuth token for a specific provider
+     */
+    async saveToken(provider, token) {
+        // Validate provider name
+        if (!provider || provider.trim() === '') {
+            throw new Error('Provider name cannot be empty');
+        }
+        // Validate token structure
+        const validatedToken = OAuthTokenSchema.parse(token);
+        // Ensure directory exists with secure permissions
+        await this.ensureDirectory();
+        // Generate file paths
+        const tokenPath = this.getTokenPath(provider);
+        const tempPath = `${tokenPath}.tmp-${Date.now()}-${Math.random().toString(36).substring(2, 8)}`;
+        try {
+            // Write to temporary file first (atomic operation)
+            await fs.writeFile(tempPath, JSON.stringify(validatedToken, null, 2), {
+                mode: 0o600,
+            });
+            // Set secure permissions explicitly (skip on Windows)
+            if (process.platform !== 'win32') {
+                await fs.chmod(tempPath, 0o600);
+            }
+            // Atomic rename to final location
+            await fs.rename(tempPath, tokenPath);
+        }
+        catch (error) {
+            // Cleanup temp file if it exists
+            try {
+                await fs.unlink(tempPath);
+            }
+            catch {
+                // Ignore cleanup errors
+            }
+            throw error;
+        }
+    }
+    /**
+     * Retrieve an OAuth token for a specific provider
+     */
+    async getToken(provider) {
+        try {
+            const tokenPath = this.getTokenPath(provider);
+            const content = await fs.readFile(tokenPath, 'utf8');
+            const parsed = JSON.parse(content);
+            // Validate token structure
+            const validatedToken = OAuthTokenSchema.parse(parsed);
+            return validatedToken;
+        }
+        catch {
+            // Return null for any error (file not found, invalid JSON, validation failure, etc.)
+            return null;
+        }
+    }
+    /**
+     * Remove an OAuth token for a specific provider
+     */
+    async removeToken(provider) {
+        try {
+            const tokenPath = this.getTokenPath(provider);
+            await fs.unlink(tokenPath);
+        }
+        catch (error) {
+            // Check if error is because file doesn't exist
+            if (error &&
+                typeof error === 'object' &&
+                'code' in error &&
+                error.code === 'ENOENT') {
+                // File doesn't exist - operation succeeds silently
+                return;
+            }
+            // Re-throw other errors
+            throw error;
+        }
+    }
+    /**
+     * List all providers that have stored tokens
+     */
+    async listProviders() {
+        try {
+            const files = await fs.readdir(this.basePath);
+            const providers = files
+                .filter((file) => file.endsWith('.json'))
+                .map((file) => file.replace('.json', ''))
+                .sort();
+            return providers;
+        }
+        catch (error) {
+            // If directory doesn't exist, return empty array
+            if (error &&
+                typeof error === 'object' &&
+                'code' in error &&
+                error.code === 'ENOENT') {
+                return [];
+            }
+            throw error;
+        }
+    }
+    /**
+     * Ensure the OAuth directory exists with secure permissions
+     */
+    async ensureDirectory() {
+        try {
+            await fs.mkdir(this.basePath, { recursive: true, mode: 0o700 });
+            // Ensure permissions are correct even if directory already existed (skip on Windows)
+            if (process.platform !== 'win32') {
+                await fs.chmod(this.basePath, 0o700);
+                // Also ensure parent .llxprt directory has secure permissions
+                const parentDir = join(homedir(), '.llxprt');
+                await fs.chmod(parentDir, 0o700);
+            }
+        }
+        catch (error) {
+            // If chmod fails because directory doesn't exist, that's fine
+            if (error &&
+                typeof error === 'object' &&
+                'code' in error &&
+                error.code === 'ENOENT') {
+                return;
+            }
+            throw error;
+        }
+    }
+    /**
+     * Generate secure file path for a provider token
+     * Uses path.join to prevent path traversal attacks
+     */
+    getTokenPath(provider) {
+        return join(this.basePath, `${provider}.json`);
+    }
+}
+//# sourceMappingURL=token-store.js.map

package/dist/src/auth/token-store.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"token-store.js","sourceRoot":"","sources":["../../../src/auth/token-store.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,IAAI,CAAC;AACpC,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAC7B,OAAO,EAAc,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAiC1D;;;GAGG;AACH,MAAM,OAAO,uBAAuB;IACjB,QAAQ,CAAS;IAElC;QACE,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IACtD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,SAAS,CAAC,QAAgB,EAAE,KAAiB;QACjD,yBAAyB;QACzB,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YACxC,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;QACnD,CAAC;QAED,2BAA2B;QAC3B,MAAM,cAAc,GAAG,gBAAgB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAErD,kDAAkD;QAClD,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAE7B,sBAAsB;QACtB,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;QAC9C,MAAM,QAAQ,GAAG,GAAG,SAAS,QAAQ,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;QAEhG,IAAI,CAAC;YACH,mDAAmD;YACnD,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;gBACpE,IAAI,EAAE,KAAK;aACZ,CAAC,CAAC;YAEH,sDAAsD;YACtD,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;gBACjC,MAAM,EAAE,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;YAClC,CAAC;YAED,kCAAkC;YAClC,MAAM,EAAE,CAAC,MAAM,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QACvC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,iCAAiC;YACjC,IAAI,CAAC;gBACH,MAAM,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAC5B,CAAC;YAAC,MAAM,CAAC;gBACP,wBAAwB;YAC1B,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,QAAQ,CAAC,QAAgB;QAC7B,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;YAC9C,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;YACrD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAEnC,2BAA2B;YAC3B,MAAM,cAAc,GAAG,gBAAgB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YACtD,OAAO,cAAc,CAAC;QACxB,CAAC;QAAC,MAAM,CAAC;YACP,qFAAqF;YACrF,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW,CAAC,QAAgB;QAChC,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;YAC9C,MAAM,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC7B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,+CAA+C;YAC/C,IACE,KAAK;gBACL,OAAO,KAAK,KAAK,QAAQ;gBACzB,MAAM,IAAI,KAAK;gBACf,KAAK,CAAC,IAAI,KAAK,QAAQ,EACvB,CAAC;gBACD,mDAAmD;gBACnD,OAAO;YACT,CAAC;YACD,wBAAwB;YACxB,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa;QACjB,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC9C,MAAM,SAAS,GAAG,KAAK;iBACpB,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;iBACxC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;iBACxC,IAAI,EAAE,CAAC;YACV,OAAO,SAAS,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,iDAAiD;YACjD,IACE,KAAK;gBACL,OAAO,KAAK,KAAK,QAAQ;gBACzB,MAAM,IAAI,KAAK;gBACf,KAAK,CAAC,IAAI,KAAK,QAAQ,EACvB,CAAC;gBACD,OAAO,EAAE,CAAC;YACZ,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,eAAe;QAC3B,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;YAEhE,qFAAqF;YACrF,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;gBACjC,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;gBAErC,8DAA8D;gBAC9D,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,CAAC;gBAC7C,MAAM,EAAE,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,8DAA8D;YAC9D,IACE,KAAK;gBACL,OAAO,KAAK,KAAK,QAAQ;gBACzB,MAAM,IAAI,KAAK;gBACf,KAAK,CAAC,IAAI,KAAK,QAAQ,EACvB,CAAC;gBACD,OAAO;YACT,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;OAGG;IACK,YAAY,CAAC,QAAgB;QACnC,OAAO,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,QAAQ,OAAO,CAAC,CAAC;IACjD,CAAC;CACF"}

package/dist/src/auth/types.d.ts ADDED Viewed

@@ -0,0 +1,130 @@
+/**
+ * @license
+ * Copyright 2025 Vybestack LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { z } from 'zod';
+/**
+ * OAuth token storage schema
+ */
+export declare const OAuthTokenSchema: z.ZodObject<{
+    access_token: z.ZodString;
+    refresh_token: z.ZodOptional<z.ZodString>;
+    expiry: z.ZodNumber;
+    scope: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    token_type: z.ZodLiteral<"Bearer">;
+    resource_url: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    token_type: "Bearer";
+    access_token: string;
+    expiry: number;
+    scope?: string | null | undefined;
+    refresh_token?: string | undefined;
+    resource_url?: string | undefined;
+}, {
+    token_type: "Bearer";
+    access_token: string;
+    expiry: number;
+    scope?: string | null | undefined;
+    refresh_token?: string | undefined;
+    resource_url?: string | undefined;
+}>;
+/**
+ * Provider OAuth configuration schema
+ */
+export declare const ProviderOAuthConfigSchema: z.ZodObject<{
+    provider: z.ZodEnum<["gemini", "qwen"]>;
+    clientId: z.ZodString;
+    authorizationEndpoint: z.ZodString;
+    tokenEndpoint: z.ZodString;
+    scopes: z.ZodArray<z.ZodString, "many">;
+}, "strip", z.ZodTypeAny, {
+    clientId: string;
+    provider: "gemini" | "qwen";
+    scopes: string[];
+    authorizationEndpoint: string;
+    tokenEndpoint: string;
+}, {
+    clientId: string;
+    provider: "gemini" | "qwen";
+    scopes: string[];
+    authorizationEndpoint: string;
+    tokenEndpoint: string;
+}>;
+/**
+ * Device code response schema
+ */
+export declare const DeviceCodeResponseSchema: z.ZodObject<{
+    device_code: z.ZodString;
+    user_code: z.ZodString;
+    verification_uri: z.ZodString;
+    verification_uri_complete: z.ZodOptional<z.ZodString>;
+    expires_in: z.ZodNumber;
+    interval: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    device_code: string;
+    user_code: string;
+    verification_uri: string;
+    expires_in: number;
+    verification_uri_complete?: string | undefined;
+    interval?: number | undefined;
+}, {
+    device_code: string;
+    user_code: string;
+    verification_uri: string;
+    expires_in: number;
+    verification_uri_complete?: string | undefined;
+    interval?: number | undefined;
+}>;
+/**
+ * Token response schema
+ */
+export declare const TokenResponseSchema: z.ZodObject<{
+    access_token: z.ZodString;
+    token_type: z.ZodString;
+    expires_in: z.ZodOptional<z.ZodNumber>;
+    refresh_token: z.ZodOptional<z.ZodString>;
+    scope: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    resource_url: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    token_type: string;
+    access_token: string;
+    scope?: string | null | undefined;
+    refresh_token?: string | undefined;
+    resource_url?: string | undefined;
+    expires_in?: number | undefined;
+}, {
+    token_type: string;
+    access_token: string;
+    scope?: string | null | undefined;
+    refresh_token?: string | undefined;
+    resource_url?: string | undefined;
+    expires_in?: number | undefined;
+}>;
+/**
+ * Auth status schema
+ */
+export declare const AuthStatusSchema: z.ZodObject<{
+    provider: z.ZodString;
+    authenticated: z.ZodBoolean;
+    authType: z.ZodEnum<["oauth", "api-key", "none"]>;
+    expiresIn: z.ZodOptional<z.ZodNumber>;
+    oauthEnabled: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    authType: "none" | "oauth" | "api-key";
+    provider: string;
+    authenticated: boolean;
+    expiresIn?: number | undefined;
+    oauthEnabled?: boolean | undefined;
+}, {
+    authType: "none" | "oauth" | "api-key";
+    provider: string;
+    authenticated: boolean;
+    expiresIn?: number | undefined;
+    oauthEnabled?: boolean | undefined;
+}>;
+export type OAuthToken = z.infer<typeof OAuthTokenSchema>;
+export type ProviderOAuthConfig = z.infer<typeof ProviderOAuthConfigSchema>;
+export type DeviceCodeResponse = z.infer<typeof DeviceCodeResponseSchema>;
+export type TokenResponse = z.infer<typeof TokenResponseSchema>;
+export type AuthStatus = z.infer<typeof AuthStatusSchema>;

package/dist/src/auth/types.js ADDED Viewed

@@ -0,0 +1,60 @@
+/**
+ * @license
+ * Copyright 2025 Vybestack LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { z } from 'zod';
+/**
+ * OAuth token storage schema
+ */
+export const OAuthTokenSchema = z.object({
+    access_token: z.string(),
+    refresh_token: z.string().optional(),
+    expiry: z.number(), // Unix timestamp
+    scope: z.string().nullable().optional(),
+    token_type: z.literal('Bearer'),
+    resource_url: z.string().optional(), // For Qwen OAuth - indicates the API endpoint to use
+});
+/**
+ * Provider OAuth configuration schema
+ */
+export const ProviderOAuthConfigSchema = z.object({
+    provider: z.enum(['gemini', 'qwen']),
+    clientId: z.string(),
+    authorizationEndpoint: z.string().url(),
+    tokenEndpoint: z.string().url(),
+    scopes: z.array(z.string()),
+});
+/**
+ * Device code response schema
+ */
+export const DeviceCodeResponseSchema = z.object({
+    device_code: z.string(),
+    user_code: z.string(),
+    verification_uri: z.string().url(),
+    verification_uri_complete: z.string().url().optional(),
+    expires_in: z.number(),
+    interval: z.number().optional(), // Qwen doesn't include this field
+});
+/**
+ * Token response schema
+ */
+export const TokenResponseSchema = z.object({
+    access_token: z.string(),
+    token_type: z.string(),
+    expires_in: z.number().optional(),
+    refresh_token: z.string().optional(),
+    scope: z.string().nullable().optional(), // Qwen may return null for scope
+    resource_url: z.string().optional(), // Qwen OAuth returns the API endpoint to use
+});
+/**
+ * Auth status schema
+ */
+export const AuthStatusSchema = z.object({
+    provider: z.string(),
+    authenticated: z.boolean(),
+    authType: z.enum(['oauth', 'api-key', 'none']),
+    expiresIn: z.number().optional(), // seconds until expiry
+    oauthEnabled: z.boolean().optional(), // whether OAuth is enabled for this provider
+});
+//# sourceMappingURL=types.js.map

package/dist/src/auth/types.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/auth/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IACvC,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE;IACxB,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACpC,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,iBAAiB;IACrC,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IACvC,UAAU,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;IAC/B,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,qDAAqD;CAC3F,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,CAAC,MAAM,CAAC;IAChD,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IACpC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;IACpB,qBAAqB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IACvC,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IAC/B,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;CAC5B,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/C,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;IACvB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;IACrB,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IAClC,yBAAyB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACtD,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;IACtB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,kCAAkC;CACpE,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC1C,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE;IACxB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;IACtB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACpC,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,EAAE,iCAAiC;IAC1E,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,6CAA6C;CACnF,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IACvC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;IACpB,aAAa,EAAE,CAAC,CAAC,OAAO,EAAE;IAC1B,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;IAC9C,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,uBAAuB;IACzD,YAAY,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,EAAE,6CAA6C;CACpF,CAAC,CAAC"}