@vybestack/llxprt-code 0.1.23 → 0.2.2-nightly.250908.7b895396

package/dist/src/auth/gemini-oauth-provider.js

@@ -1,33 +1,327 @@
 /**
  * Gemini OAuth Provider Implementation
  *
- * Note: This is a placeholder that signals to use the existing Gemini OAuth flow.
- * The actual OAuth is handled by the GeminiProvider itself using LOGIN_WITH_GOOGLE.
+ * Bridges to the existing Google OAuth infrastructure in oauth2.ts
+ * while maintaining compatibility with the LOGIN_WITH_GOOGLE flow.
  */
+import { clearOauthClientCache, OAuthError, OAuthErrorFactory, GracefulErrorHandler, RetryHandler, shouldLaunchBrowser, DebugLogger, } from '@vybestack/llxprt-code-core';
+import { promises as fs } from 'node:fs';
+import path from 'node:path';
+import os from 'node:os';
+var InitializationState;
+(function (InitializationState) {
+    InitializationState["NotStarted"] = "not-started";
+    InitializationState["InProgress"] = "in-progress";
+    InitializationState["Completed"] = "completed";
+    InitializationState["Failed"] = "failed";
+})(InitializationState || (InitializationState = {}));
 export class GeminiOAuthProvider {
     name = 'gemini';
     currentToken = null;
+    tokenStore;
+    initializationState = InitializationState.NotStarted;
+    initializationPromise;
+    initializationError;
+    errorHandler;
+    retryHandler;
+    logger;
+    constructor(tokenStore) {
+        this.tokenStore = tokenStore;
+        this.retryHandler = new RetryHandler();
+        this.errorHandler = new GracefulErrorHandler(this.retryHandler);
+        this.logger = new DebugLogger('llxprt:auth:gemini');
+        if (!tokenStore) {
+            console.warn(`DEPRECATION: ${this.name} OAuth provider created without TokenStore. ` +
+                `Token persistence will not work. Please update your code.`);
+        }
+        // DO NOT call initializeToken() - lazy initialization pattern
+    }
+    /**
+     * Lazy initialization with proper state management
+     * Ensures initialization only happens once and handles concurrent calls
+     */
+    async ensureInitialized() {
+        // If already completed, return immediately
+        if (this.initializationState === InitializationState.Completed) {
+            return;
+        }
+        // If failed, allow retry by resetting to NotStarted
+        if (this.initializationState === InitializationState.Failed) {
+            this.initializationState = InitializationState.NotStarted;
+            this.initializationPromise = undefined;
+            this.initializationError = undefined;
+        }
+        // If not started, start initialization
+        if (this.initializationState === InitializationState.NotStarted) {
+            this.initializationState = InitializationState.InProgress;
+            this.initializationPromise = this.initializeToken();
+        }
+        // Wait for initialization to complete (handles concurrent calls)
+        if (this.initializationPromise) {
+            try {
+                await this.initializationPromise;
+                this.initializationState = InitializationState.Completed;
+            }
+            catch (error) {
+                this.initializationState = InitializationState.Failed;
+                this.initializationError =
+                    error instanceof OAuthError
+                        ? error
+                        : OAuthErrorFactory.fromUnknown(this.name, error, 'ensureInitialized');
+                throw this.initializationError;
+            }
+        }
+    }
+    async initializeToken() {
+        if (!this.tokenStore) {
+            return;
+        }
+        return this.errorHandler.handleGracefully(async () => {
+            // Try to load from new location first
+            let savedToken = await this.tokenStore.getToken('gemini');
+            if (!savedToken) {
+                // Try to migrate from legacy locations
+                savedToken = await this.migrateFromLegacyTokens();
+            }
+            if (savedToken) {
+                this.currentToken = savedToken;
+            }
+        }, undefined, // No fallback needed - graceful failure is acceptable
+        this.name, 'initializeToken');
+    }
     async initiateAuth() {
-        // Signal that the existing LOGIN_WITH_GOOGLE flow should be used
-        // The GeminiProvider will handle this through its own OAuth mechanism
-        throw new Error('USE_EXISTING_GEMINI_OAUTH');
+        await this.ensureInitialized();
+        return this.errorHandler.wrapMethod(async () => {
+            // Import the existing Google OAuth infrastructure
+            const coreModule = await import('@vybestack/llxprt-code-core');
+            const { getOauthClient, AuthType } = coreModule;
+            // Create a minimal config for OAuth - use type assertion for test environment
+            // Type assertion is needed since we're creating a partial Config for test mode
+            const config = {
+                getProxy: () => undefined,
+                isBrowserLaunchSuppressed: () => !shouldLaunchBrowser(),
+            };
+            // Use the existing Google OAuth infrastructure to get a client
+            let client;
+            try {
+                client = await getOauthClient(AuthType.LOGIN_WITH_GOOGLE, config);
+            }
+            catch (error) {
+                // Handle browser auth cancellation or other auth failures
+                if (error instanceof Error) {
+                    // Check for specific cancellation messages
+                    if (error.message.includes('cancelled') ||
+                        error.message.includes('denied') ||
+                        error.message.includes('access_denied') ||
+                        error.message.includes('user_cancelled')) {
+                        // CRITICAL FIX: Trigger fallback flow instead of failing
+                        this.logger.debug(() => `Browser auth cancelled, triggering fallback: ${error.message}`);
+                        // Show fallback instructions to user
+                        console.log('\n' + '─'.repeat(60));
+                        console.log('Browser authentication was cancelled.');
+                        console.log('Fallback options:');
+                        console.log('1. Use API key: /keyfile <path-to-your-gemini-key>');
+                        console.log('2. Set environment: export GEMINI_API_KEY=<your-key>');
+                        console.log('3. Try OAuth again: /auth gemini enable');
+                        console.log('─'.repeat(60));
+                        // Throw a user-friendly error that doesn't hang the system
+                        throw OAuthErrorFactory.authenticationRequired(this.name, {
+                            reason: 'Browser authentication was cancelled. Please use one of the fallback options shown above.',
+                        });
+                    }
+                }
+                // Re-throw other authentication errors
+                throw error;
+            }
+            // The client should now have valid credentials
+            // Extract and cache the token
+            const credentials = client.credentials;
+            if (credentials && credentials.access_token) {
+                const token = this.credentialsToOAuthToken(credentials);
+                if (token && this.tokenStore) {
+                    try {
+                        await this.tokenStore.saveToken('gemini', token);
+                        this.currentToken = token;
+                    }
+                    catch (saveError) {
+                        throw OAuthErrorFactory.storageError(this.name, saveError instanceof Error ? saveError : undefined, {
+                            operation: 'saveToken',
+                        });
+                    }
+                }
+            }
+            else {
+                throw OAuthErrorFactory.authenticationRequired(this.name, {
+                    reason: 'No valid credentials received from Google OAuth',
+                });
+            }
+        }, this.name, 'initiateAuth')();
     }
     async getToken() {
-        return this.currentToken;
+        await this.ensureInitialized();
+        return this.errorHandler.handleGracefully(async () => {
+            // Try to get from memory first
+            let token = await this.refreshIfNeeded();
+            if (!token) {
+                // Try to get from existing Google OAuth infrastructure
+                token = await this.getTokenFromGoogleOAuth();
+                // Cache it if found
+                if (token && this.tokenStore) {
+                    try {
+                        await this.tokenStore.saveToken('gemini', token);
+                        this.currentToken = token;
+                    }
+                    catch (error) {
+                        // Non-critical - we can still return the token
+                        this.logger.debug(() => `Failed to cache token from Google OAuth: ${error}`);
+                    }
+                }
+            }
+            return token;
+        }, null, // Return null on error
+        this.name, 'getToken');
     }
     async refreshIfNeeded() {
+        await this.ensureInitialized();
         if (!this.currentToken) {
             return null;
         }
-        // Check if token needs refresh (30 second buffer)
-        const now = Date.now() / 1000;
-        const expiresAt = this.currentToken.expiry;
-        if (expiresAt && expiresAt - now < 30) {
-            // Token expires soon, refresh it
-            // TODO: Implement Gemini token refresh
-            console.log('Gemini token refresh needed');
+        return this.errorHandler.handleGracefully(async () => {
+            // Check if token needs refresh (30 second buffer)
+            const now = Date.now() / 1000;
+            const expiresAt = this.currentToken.expiry;
+            if (expiresAt && expiresAt <= now + 30) {
+                // Token is expired or expires soon
+                // Since actual Gemini OAuth refresh is handled by the GeminiProvider itself,
+                // we clear the expired token and return null to signal re-authentication is needed
+                this.currentToken = null;
+                if (this.tokenStore) {
+                    try {
+                        await this.tokenStore.removeToken('gemini');
+                    }
+                    catch (error) {
+                        throw OAuthErrorFactory.storageError(this.name, error instanceof Error ? error : undefined, {
+                            operation: 'removeExpiredToken',
+                        });
+                    }
+                }
+                return null;
+            }
+            return this.currentToken;
+        }, null, // Return null on error
+        this.name, 'refreshIfNeeded');
+    }
+    async logout() {
+        await this.ensureInitialized();
+        // NO ERROR SUPPRESSION - let it fail loudly
+        // Clear current token
+        this.currentToken = null;
+        // Remove from new token storage location - THIS MUST SUCCEED
+        if (this.tokenStore) {
+            await this.tokenStore.removeToken('gemini');
+        }
+        // Remove from legacy token locations
+        await this.clearLegacyTokens();
+        // CRITICAL SECURITY FIX: Clear OAuth client cache to prevent session leakage
+        // This ensures that subsequent authentication attempts require re-authentication
+        try {
+            clearOauthClientCache();
+        }
+        catch (error) {
+            // Log warning but don't fail logout if cache clearing fails
+            this.logger.debug(() => `Failed to clear OAuth client cache during Gemini logout: ${error}`);
+        }
+    }
+    /**
+     * Converts Google OAuth Credentials to our OAuthToken format
+     */
+    credentialsToOAuthToken(creds) {
+        if (!creds.access_token) {
+            return null;
+        }
+        const token = {
+            access_token: creds.access_token,
+            refresh_token: creds.refresh_token || undefined,
+            // Google OAuth uses expiry_date (milliseconds), we need expiry (seconds)
+            expiry: creds.expiry_date
+                ? Math.floor(creds.expiry_date / 1000)
+                : Math.floor(Date.now() / 1000) + 3600,
+            token_type: 'Bearer',
+            scope: creds.scope || undefined,
+        };
+        // Add id_token if available (some tests expect this)
+        if (creds.id_token && typeof creds === 'object' && creds.id_token) {
+            token.id_token = creds.id_token;
         }
-        return this.currentToken;
+        return token;
+    }
+    /**
+     * Gets token from the existing Google OAuth infrastructure
+     */
+    async getTokenFromGoogleOAuth() {
+        return this.errorHandler.handleGracefully(async () => {
+            // Try to read from the existing OAuth credentials file
+            const credPath = path.join(os.homedir(), '.llxprt', 'oauth_creds.json');
+            const credsJson = await fs.readFile(credPath, 'utf8');
+            const creds = JSON.parse(credsJson);
+            if (creds.refresh_token || creds.access_token) {
+                return this.credentialsToOAuthToken(creds);
+            }
+            return null;
+        }, null, // Return null if we can't read the file
+        this.name, 'getTokenFromGoogleOAuth');
+    }
+    /**
+     * Migrates tokens from legacy locations to new format
+     */
+    async migrateFromLegacyTokens() {
+        return this.errorHandler.handleGracefully(async () => {
+            // Try to get token from existing Google OAuth
+            const token = await this.getTokenFromGoogleOAuth();
+            if (token && this.tokenStore) {
+                try {
+                    // Save to new location
+                    await this.tokenStore.saveToken('gemini', token);
+                    this.logger.debug(() => 'Successfully migrated Gemini token from legacy location');
+                    return token;
+                }
+                catch (error) {
+                    throw OAuthErrorFactory.storageError(this.name, error instanceof Error ? error : undefined, {
+                        operation: 'migrateToken',
+                    });
+                }
+            }
+            return token;
+        }, null, // Return null if migration fails
+        this.name, 'migrateFromLegacyTokens');
+    }
+    /**
+     * Clears tokens from all legacy locations
+     */
+    async clearLegacyTokens() {
+        const legacyPaths = [
+            // Legacy OAuth credentials file
+            path.join(os.homedir(), '.llxprt', 'oauth_creds.json'),
+            // Legacy Google accounts file
+            path.join(os.homedir(), '.llxprt', 'google_accounts.json'),
+        ];
+        // Use Promise.allSettled to continue even if some paths fail
+        const results = await Promise.allSettled(legacyPaths.map(async (legacyPath) => {
+            try {
+                await fs.unlink(legacyPath);
+                this.logger.debug(() => `Cleared legacy token file: ${legacyPath}`);
+            }
+            catch (error) {
+                // File doesn't exist or can't be removed - that's fine for legacy cleanup
+                this.logger.debug(() => `Could not remove legacy token file ${legacyPath}: ${error}`);
+            }
+        }));
+        // Log any unexpected failures for debugging
+        results.forEach((result, index) => {
+            if (result.status === 'rejected') {
+                this.logger.debug(() => `Legacy cleanup failed for ${legacyPaths[index]}: ${result.reason}`);
+            }
+        });
     }
 }
 //# sourceMappingURL=gemini-oauth-provider.js.map

package/dist/src/auth/gemini-oauth-provider.js.map

@@ -1 +1 @@
-{"version":3,"file":"gemini-oauth-provider.js","sourceRoot":"","sources":["../../../src/auth/gemini-oauth-provider.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,MAAM,OAAO,mBAAmB;IAC9B,IAAI,GAAG,QAAQ,CAAC;IACR,YAAY,GAAsB,IAAI,CAAC;IAE/C,KAAK,CAAC,YAAY;QAChB,iEAAiE;QACjE,sEAAsE;QACtE,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;IAC/C,CAAC;IAED,KAAK,CAAC,QAAQ;QACZ,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,eAAe;QACnB,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,kDAAkD;QAClD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;QAC9B,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC;QAE3C,IAAI,SAAS,IAAI,SAAS,GAAG,GAAG,GAAG,EAAE,EAAE,CAAC;YACtC,iCAAiC;YACjC,uCAAuC;YACvC,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;QAC7C,CAAC;QAED,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;CACF"}
+{"version":3,"file":"gemini-oauth-provider.js","sourceRoot":"","sources":["../../../src/auth/gemini-oauth-provider.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EACL,qBAAqB,EACrB,UAAU,EACV,iBAAiB,EACjB,oBAAoB,EACpB,YAAY,EACZ,mBAAmB,EACnB,WAAW,GACZ,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AAGzB,IAAK,mBAKJ;AALD,WAAK,mBAAmB;IACtB,iDAA0B,CAAA;IAC1B,iDAA0B,CAAA;IAC1B,8CAAuB,CAAA;IACvB,wCAAiB,CAAA;AACnB,CAAC,EALI,mBAAmB,KAAnB,mBAAmB,QAKvB;AAED,MAAM,OAAO,mBAAmB;IAC9B,IAAI,GAAG,QAAQ,CAAC;IACR,YAAY,GAAsB,IAAI,CAAC;IACvC,UAAU,CAAc;IACxB,mBAAmB,GAAG,mBAAmB,CAAC,UAAU,CAAC;IACrD,qBAAqB,CAAiB;IACtC,mBAAmB,CAAS;IAC5B,YAAY,CAAuB;IACnC,YAAY,CAAe;IAC3B,MAAM,CAAc;IAE5B,YAAY,UAAuB;QACjC,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,YAAY,GAAG,IAAI,YAAY,EAAE,CAAC;QACvC,IAAI,CAAC,YAAY,GAAG,IAAI,oBAAoB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAChE,IAAI,CAAC,MAAM,GAAG,IAAI,WAAW,CAAC,oBAAoB,CAAC,CAAC;QAEpD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,CAAC,IAAI,CACV,gBAAgB,IAAI,CAAC,IAAI,8CAA8C;gBACrE,2DAA2D,CAC9D,CAAC;QACJ,CAAC;QAED,8DAA8D;IAChE,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,iBAAiB;QAC7B,2CAA2C;QAC3C,IAAI,IAAI,CAAC,mBAAmB,KAAK,mBAAmB,CAAC,SAAS,EAAE,CAAC;YAC/D,OAAO;QACT,CAAC;QAED,oDAAoD;QACpD,IAAI,IAAI,CAAC,mBAAmB,KAAK,mBAAmB,CAAC,MAAM,EAAE,CAAC;YAC5D,IAAI,CAAC,mBAAmB,GAAG,mBAAmB,CAAC,UAAU,CAAC;YAC1D,IAAI,CAAC,qBAAqB,GAAG,SAAS,CAAC;YACvC,IAAI,CAAC,mBAAmB,GAAG,SAAS,CAAC;QACvC,CAAC;QAED,uCAAuC;QACvC,IAAI,IAAI,CAAC,mBAAmB,KAAK,mBAAmB,CAAC,UAAU,EAAE,CAAC;YAChE,IAAI,CAAC,mBAAmB,GAAG,mBAAmB,CAAC,UAAU,CAAC;YAC1D,IAAI,CAAC,qBAAqB,GAAG,IAAI,CAAC,eAAe,EAAE,CAAC;QACtD,CAAC;QAED,iEAAiE;QACjE,IAAI,IAAI,CAAC,qBAAqB,EAAE,CAAC;YAC/B,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,qBAAqB,CAAC;gBACjC,IAAI,CAAC,mBAAmB,GAAG,mBAAmB,CAAC,SAAS,CAAC;YAC3D,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,CAAC,mBAAmB,GAAG,mBAAmB,CAAC,MAAM,CAAC;gBACtD,IAAI,CAAC,mBAAmB;oBACtB,KAAK,YAAY,UAAU;wBACzB,CAAC,CAAC,KAAK;wBACP,CAAC,CAAC,iBAAiB,CAAC,WAAW,CAC3B,IAAI,CAAC,IAAI,EACT,KAAK,EACL,mBAAmB,CACpB,CAAC;gBACR,MAAM,IAAI,CAAC,mBAAmB,CAAC;YACjC,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,CAAC,eAAe;QACnB,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrB,OAAO;QACT,CAAC;QAED,OAAO,IAAI,CAAC,YAAY,CAAC,gBAAgB,CACvC,KAAK,IAAI,EAAE;YACT,sCAAsC;YACtC,IAAI,UAAU,GAAG,MAAM,IAAI,CAAC,UAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAE3D,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,uCAAuC;gBACvC,UAAU,GAAG,MAAM,IAAI,CAAC,uBAAuB,EAAE,CAAC;YACpD,CAAC;YAED,IAAI,UAAU,EAAE,CAAC;gBACf,IAAI,CAAC,YAAY,GAAG,UAAU,CAAC;YACjC,CAAC;QACH,CAAC,EACD,SAAS,EAAE,sDAAsD;QACjE,IAAI,CAAC,IAAI,EACT,iBAAiB,CAClB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,YAAY;QAChB,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAE/B,OAAO,IAAI,CAAC,YAAY,CAAC,UAAU,CACjC,KAAK,IAAI,EAAE;YACT,kDAAkD;YAClD,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,6BAA6B,CAAC,CAAC;YAC/D,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE,GAAG,UAAU,CAAC;YAEhD,8EAA8E;YAC9E,+EAA+E;YAC/E,MAAM,MAAM,GAAG;gBACb,QAAQ,EAAE,GAAG,EAAE,CAAC,SAAS;gBACzB,yBAAyB,EAAE,GAAG,EAAE,CAAC,CAAC,mBAAmB,EAAE;aACL,CAAC;YAErD,+DAA+D;YAC/D,IAAI,MAAM,CAAC;YACX,IAAI,CAAC;gBACH,MAAM,GAAG,MAAM,cAAc,CAAC,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC;YACpE,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,0DAA0D;gBAC1D,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;oBAC3B,2CAA2C;oBAC3C,IACE,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;wBACnC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;wBAChC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC;wBACvC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EACxC,CAAC;wBACD,yDAAyD;wBACzD,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,GAAG,EAAE,CACH,gDAAgD,KAAK,CAAC,OAAO,EAAE,CAClE,CAAC;wBAEF,qCAAqC;wBACrC,OAAO,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;wBACnC,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;wBACrD,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;wBACjC,OAAO,CAAC,GAAG,CAAC,oDAAoD,CAAC,CAAC;wBAClE,OAAO,CAAC,GAAG,CACT,sDAAsD,CACvD,CAAC;wBACF,OAAO,CAAC,GAAG,CAAC,yCAAyC,CAAC,CAAC;wBACvD,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;wBAE5B,2DAA2D;wBAC3D,MAAM,iBAAiB,CAAC,sBAAsB,CAAC,IAAI,CAAC,IAAI,EAAE;4BACxD,MAAM,EACJ,2FAA2F;yBAC9F,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;gBACD,uCAAuC;gBACvC,MAAM,KAAK,CAAC;YACd,CAAC;YAED,+CAA+C;YAC/C,8BAA8B;YAC9B,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC;YACvC,IAAI,WAAW,IAAI,WAAW,CAAC,YAAY,EAAE,CAAC;gBAC5C,MAAM,KAAK,GAAG,IAAI,CAAC,uBAAuB,CAAC,WAAW,CAAC,CAAC;gBACxD,IAAI,KAAK,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;oBAC7B,IAAI,CAAC;wBACH,MAAM,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;wBACjD,IAAI,CAAC,YAAY,GAAG,KAAK,CAAC;oBAC5B,CAAC;oBAAC,OAAO,SAAS,EAAE,CAAC;wBACnB,MAAM,iBAAiB,CAAC,YAAY,CAClC,IAAI,CAAC,IAAI,EACT,SAAS,YAAY,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,EAClD;4BACE,SAAS,EAAE,WAAW;yBACvB,CACF,CAAC;oBACJ,CAAC;gBACH,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,MAAM,iBAAiB,CAAC,sBAAsB,CAAC,IAAI,CAAC,IAAI,EAAE;oBACxD,MAAM,EAAE,iDAAiD;iBAC1D,CAAC,CAAC;YACL,CAAC;QACH,CAAC,EACD,IAAI,CAAC,IAAI,EACT,cAAc,CACf,EAAE,CAAC;IACN,CAAC;IAED,KAAK,CAAC,QAAQ;QACZ,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAE/B,OAAO,IAAI,CAAC,YAAY,CAAC,gBAAgB,CACvC,KAAK,IAAI,EAAE;YACT,+BAA+B;YAC/B,IAAI,KAAK,GAAG,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;YAEzC,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,uDAAuD;gBACvD,KAAK,GAAG,MAAM,IAAI,CAAC,uBAAuB,EAAE,CAAC;gBAE7C,oBAAoB;gBACpB,IAAI,KAAK,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;oBAC7B,IAAI,CAAC;wBACH,MAAM,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;wBACjD,IAAI,CAAC,YAAY,GAAG,KAAK,CAAC;oBAC5B,CAAC;oBAAC,OAAO,KAAK,EAAE,CAAC;wBACf,+CAA+C;wBAC/C,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,GAAG,EAAE,CAAC,4CAA4C,KAAK,EAAE,CAC1D,CAAC;oBACJ,CAAC;gBACH,CAAC;YACH,CAAC;YAED,OAAO,KAAK,CAAC;QACf,CAAC,EACD,IAAI,EAAE,uBAAuB;QAC7B,IAAI,CAAC,IAAI,EACT,UAAU,CACX,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,eAAe;QACnB,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC/B,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,IAAI,CAAC,YAAY,CAAC,gBAAgB,CACvC,KAAK,IAAI,EAAE;YACT,kDAAkD;YAClD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;YAC9B,MAAM,SAAS,GAAG,IAAI,CAAC,YAAa,CAAC,MAAM,CAAC;YAE5C,IAAI,SAAS,IAAI,SAAS,IAAI,GAAG,GAAG,EAAE,EAAE,CAAC;gBACvC,mCAAmC;gBACnC,6EAA6E;gBAC7E,mFAAmF;gBACnF,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;gBACzB,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;oBACpB,IAAI,CAAC;wBACH,MAAM,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;oBAC9C,CAAC;oBAAC,OAAO,KAAK,EAAE,CAAC;wBACf,MAAM,iBAAiB,CAAC,YAAY,CAClC,IAAI,CAAC,IAAI,EACT,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,EAC1C;4BACE,SAAS,EAAE,oBAAoB;yBAChC,CACF,CAAC;oBACJ,CAAC;gBACH,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO,IAAI,CAAC,YAAY,CAAC;QAC3B,CAAC,EACD,IAAI,EAAE,uBAAuB;QAC7B,IAAI,CAAC,IAAI,EACT,iBAAiB,CAClB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,MAAM;QACV,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAE/B,4CAA4C;QAC5C,sBAAsB;QACtB,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;QAEzB,6DAA6D;QAC7D,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,MAAM,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QAC9C,CAAC;QAED,qCAAqC;QACrC,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAE/B,6EAA6E;QAC7E,iFAAiF;QACjF,IAAI,CAAC;YACH,qBAAqB,EAAE,CAAC;QAC1B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,4DAA4D;YAC5D,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,GAAG,EAAE,CACH,4DAA4D,KAAK,EAAE,CACtE,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACK,uBAAuB,CAAC,KAAkB;QAChD,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,KAAK,GAAe;YACxB,YAAY,EAAE,KAAK,CAAC,YAAY;YAChC,aAAa,EAAE,KAAK,CAAC,aAAa,IAAI,SAAS;YAC/C,yEAAyE;YACzE,MAAM,EAAE,KAAK,CAAC,WAAW;gBACvB,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,WAAW,GAAG,IAAI,CAAC;gBACtC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI;YACxC,UAAU,EAAE,QAAiB;YAC7B,KAAK,EAAE,KAAK,CAAC,KAAK,IAAI,SAAS;SAChC,CAAC;QAEF,qDAAqD;QACrD,IAAI,KAAK,CAAC,QAAQ,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YACjE,KAA4C,CAAC,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAC;QAC1E,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,uBAAuB;QACnC,OAAO,IAAI,CAAC,YAAY,CAAC,gBAAgB,CACvC,KAAK,IAAI,EAAE;YACT,uDAAuD;YACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,kBAAkB,CAAC,CAAC;YACxE,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YACtD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAgB,CAAC;YAEnD,IAAI,KAAK,CAAC,aAAa,IAAI,KAAK,CAAC,YAAY,EAAE,CAAC;gBAC9C,OAAO,IAAI,CAAC,uBAAuB,CAAC,KAAK,CAAC,CAAC;YAC7C,CAAC;YAED,OAAO,IAAI,CAAC;QACd,CAAC,EACD,IAAI,EAAE,wCAAwC;QAC9C,IAAI,CAAC,IAAI,EACT,yBAAyB,CAC1B,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,uBAAuB;QACnC,OAAO,IAAI,CAAC,YAAY,CAAC,gBAAgB,CACvC,KAAK,IAAI,EAAE;YACT,8CAA8C;YAC9C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,uBAAuB,EAAE,CAAC;YAEnD,IAAI,KAAK,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;gBAC7B,IAAI,CAAC;oBACH,uBAAuB;oBACvB,MAAM,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;oBACjD,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,GAAG,EAAE,CAAC,yDAAyD,CAChE,CAAC;oBACF,OAAO,KAAK,CAAC;gBACf,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,MAAM,iBAAiB,CAAC,YAAY,CAClC,IAAI,CAAC,IAAI,EACT,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,EAC1C;wBACE,SAAS,EAAE,cAAc;qBAC1B,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;YAED,OAAO,KAAK,CAAC;QACf,CAAC,EACD,IAAI,EAAE,iCAAiC;QACvC,IAAI,CAAC,IAAI,EACT,yBAAyB,CAC1B,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,iBAAiB;QAC7B,MAAM,WAAW,GAAG;YAClB,gCAAgC;YAChC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,kBAAkB,CAAC;YACtD,8BAA8B;YAC9B,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,sBAAsB,CAAC;SAC3D,CAAC;QAEF,6DAA6D;QAC7D,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CACtC,WAAW,CAAC,GAAG,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE;YACnC,IAAI,CAAC;gBACH,MAAM,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;gBAC5B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,8BAA8B,UAAU,EAAE,CAAC,CAAC;YACtE,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,0EAA0E;gBAC1E,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,GAAG,EAAE,CAAC,sCAAsC,UAAU,KAAK,KAAK,EAAE,CACnE,CAAC;YACJ,CAAC;QACH,CAAC,CAAC,CACH,CAAC;QAEF,4CAA4C;QAC5C,OAAO,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,KAAK,EAAE,EAAE;YAChC,IAAI,MAAM,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;gBACjC,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,GAAG,EAAE,CACH,6BAA6B,WAAW,CAAC,KAAK,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,CACtE,CAAC;YACJ,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;CACF"}

package/dist/src/auth/migration.d.ts

@@ -0,0 +1,26 @@
+/**
+ * @license
+ * Copyright 2025 Vybestack LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+/**
+ * @plan PLAN-20250823-AUTHFIXES.P16
+ * @requirement REQ-004.2
+ * Migration utilities for OAuth token storage modernization
+ *
+ * This module handles migration of tokens from legacy storage formats
+ * to the new standardized TokenStore persistence system.
+ */
+import { OAuthProvider } from './oauth-manager.js';
+import { TokenStore } from '@vybestack/llxprt-code-core';
+/**
+ * Migrate any in-memory tokens to persistent storage
+ *
+ * @param providers - Map of OAuth provider instances
+ * @param tokenStore - Token persistence store
+ */
+export declare function migrateInMemoryTokens(providers: Map<string, OAuthProvider>, tokenStore: TokenStore): Promise<void>;
+/**
+ * Display migration notice to users about OAuth token storage changes
+ */
+export declare function showMigrationNotice(): void;

package/dist/src/auth/migration.js

@@ -0,0 +1,54 @@
+/**
+ * @license
+ * Copyright 2025 Vybestack LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+/**
+ * Migrate any in-memory tokens to persistent storage
+ *
+ * @param providers - Map of OAuth provider instances
+ * @param tokenStore - Token persistence store
+ */
+export async function migrateInMemoryTokens(providers, tokenStore) {
+    for (const [name, provider] of providers) {
+        try {
+            // Check for in-memory token
+            const token = await provider.getToken();
+            if (token) {
+                const stored = await tokenStore.getToken(name);
+                if (!stored) {
+                    // Migrate to storage
+                    await tokenStore.saveToken(name, token);
+                    console.log(`Migrated ${name} token to persistent storage`);
+                }
+            }
+        }
+        catch (_error) {
+            // Skip providers that don't have valid tokens
+            // This is expected during normal operation
+            continue;
+        }
+    }
+}
+/**
+ * Display migration notice to users about OAuth token storage changes
+ */
+export function showMigrationNotice() {
+    console.log(`
+LLXPRT OAuth Token Storage Migration
+====================================
+
+Your OAuth tokens are now stored in standardized locations:
+- Anthropic: ~/.llxprt/oauth/anthropic.json
+- Gemini: ~/.llxprt/oauth/gemini.json  
+- Qwen: ~/.llxprt/oauth/qwen.json
+
+If you experience authentication issues, please re-login:
+- llxprt auth login anthropic
+- llxprt auth login gemini
+- llxprt auth login qwen
+
+Legacy Gemini tokens in ~/.llxprt/oauth_creds.json are no longer used.
+`);
+}
+//# sourceMappingURL=migration.js.map

package/dist/src/auth/migration.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"migration.js","sourceRoot":"","sources":["../../../src/auth/migration.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAcH;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,SAAqC,EACrC,UAAsB;IAEtB,KAAK,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,SAAS,EAAE,CAAC;QACzC,IAAI,CAAC;YACH,4BAA4B;YAC5B,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,CAAC;YACxC,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;gBAC/C,IAAI,CAAC,MAAM,EAAE,CAAC;oBACZ,qBAAqB;oBACrB,MAAM,UAAU,CAAC,SAAS,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;oBACxC,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,8BAA8B,CAAC,CAAC;gBAC9D,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,MAAM,EAAE,CAAC;YAChB,8CAA8C;YAC9C,2CAA2C;YAC3C,SAAS;QACX,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB;IACjC,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;CAeb,CAAC,CAAC;AACH,CAAC"}

package/dist/src/auth/oauth-manager.d.ts

@@ -60,11 +60,29 @@ export declare class OAuthManager {
      */
     getAuthStatus(): Promise<AuthStatus[]>;
     /**
+     * @plan PLAN-20250823-AUTHFIXES.P14
+     * @requirement REQ-002
+     * @pseudocode lines 51-68
      * Check if authenticated with a specific provider (required by precedence resolver)
      * @param providerName - Name of the provider
      * @returns True if authenticated, false otherwise
      */
     isAuthenticated(providerName: string): Promise<boolean>;
+    /**
+     * @plan PLAN-20250823-AUTHFIXES.P14
+     * @requirement REQ-002.1
+     * @pseudocode lines 4-37
+     * Logout from a specific provider by clearing stored tokens
+     * @param providerName - Name of the provider to logout from
+     */
+    logout(providerName: string): Promise<void>;
+    /**
+     * @plan PLAN-20250823-AUTHFIXES.P14
+     * @requirement REQ-002
+     * @pseudocode lines 39-49
+     * Logout from all providers by clearing all stored tokens
+     */
+    logoutAll(): Promise<void>;
     /**
      * Get OAuth token for a specific provider
      * Compatible with precedence resolver - returns access token string
@@ -107,4 +125,10 @@ export declare class OAuthManager {
      * @returns True if compatible, false otherwise
      */
     private isQwenCompatibleUrl;
+    /**
+     * CRITICAL FIX: Clear all auth caches for a provider after logout
+     * This method finds and clears auth caches from both BaseProvider and provider-specific implementations
+     * @param providerName - Name of the provider to clear caches for
+     */
+    private clearProviderAuthCaches;
 }