@vybestack/llxprt-code 0.9.1 → 0.9.3

package/dist/src/auth/oauth-manager.js

@@ -29,6 +29,12 @@ function isLoggingWrapperCandidate(provider) {
         typeof provider === 'object' &&
         Object.prototype.hasOwnProperty.call(provider, 'wrappedProvider'));
 }
+function hasRequestMetadata(handler) {
+    return (!!handler &&
+        typeof handler === 'object' &&
+        typeof handler.getRequestMetadata ===
+            'function');
+}
 /**
  * @plan PLAN-20251020-STATELESSPROVIDER3.P12
  * @requirement REQ-SP3-003
@@ -455,8 +461,11 @@ export class OAuthManager {
         if (!provider) {
             throw new Error(`Unknown provider: ${providerName}`);
         }
-        // Resolve which bucket to act on (explicit bucket > session bucket > default)
-        const bucketToUse = bucket ?? this.sessionBuckets.get(providerName) ?? 'default';
+        const sessionMetadata = await this.getCurrentProfileSessionMetadata(providerName);
+        // Resolve which bucket to act on (explicit bucket > current-profile session bucket > default)
+        const bucketToUse = bucket ??
+            (await this.getCurrentProfileSessionBucket(providerName, sessionMetadata)) ??
+            'default';
         const tokenForLogout = await this.tokenStore.getToken(providerName, bucketToUse);
         // Call provider logout if exists (best-effort remote revoke), but ALWAYS clear local token
         if ('logout' in provider && typeof provider.logout === 'function') {
@@ -471,8 +480,13 @@ export class OAuthManager {
         }
         await this.tokenStore.removeToken(providerName, bucketToUse);
         // If we just logged out the active session bucket, clear the in-memory override.
-        if (this.sessionBuckets.get(providerName) === bucketToUse) {
-            this.clearSessionBucket(providerName);
+        if ((await this.getCurrentProfileSessionBucket(providerName, sessionMetadata)) === bucketToUse) {
+            if (this.getSessionBucket(providerName, sessionMetadata) === bucketToUse) {
+                this.clearSessionBucket(providerName, sessionMetadata);
+            }
+            if (this.getSessionBucket(providerName) === bucketToUse) {
+                this.clearSessionBucket(providerName);
+            }
         }
         // CRITICAL FIX: Clear all provider auth caches after logout
         // This ensures BaseProvider and specific provider caches are invalidated
@@ -522,8 +536,8 @@ export class OAuthManager {
         // Lines 42-49: FOR EACH provider IN providers DO
         for (const provider of providers) {
             try {
-                // Line 44: AWAIT this.logout(provider)
-                await this.logout(provider);
+                // Line 44: AWAIT this.logoutAllBuckets(provider)
+                await this.logoutAllBuckets(provider);
             }
             catch (error) {
                 // Lines 45-47: LOG "Failed to logout from " + provider + ": " + error
@@ -565,6 +579,10 @@ export class OAuthManager {
         // This fixes subagents created without LoadedSettings: they can reuse existing tokens
         // instead of forcing unnecessary reauth loops.
         logger.debug(() => `[FLOW] Attempting to get existing token for ${providerName}...`);
+        const explicitBucket = typeof bucket === 'string';
+        const requestMetadata = !explicitBucket && bucket && typeof bucket === 'object'
+            ? bucket
+            : undefined;
         const token = await this.getOAuthToken(providerName, bucket);
         // Special handling for different providers
         // @plan:PLAN-20250823-AUTHFIXES.P15
@@ -585,11 +603,11 @@ export class OAuthManager {
         // handle API-error-driven failover. This peek loop only reads the token store
         // directly without mutating any failover state.
         {
-            const profileBuckets = await this.getProfileBuckets(providerName);
+            const profileBuckets = await this.getProfileBuckets(providerName, requestMetadata);
             if (profileBuckets.length > 1) {
                 const nowInSeconds = Math.floor(Date.now() / 1000);
                 const thirtySecondsFromNow = nowInSeconds + 30;
-                const alreadyTriedBucket = this.getSessionBucket(providerName);
+                const alreadyTriedBucket = this.getSessionBucket(providerName, requestMetadata);
                 for (const peekBucket of profileBuckets) {
                     if (peekBucket === alreadyTriedBucket)
                         continue;
@@ -597,7 +615,7 @@ export class OAuthManager {
                         const peekToken = await this.tokenStore.getToken(providerName, peekBucket);
                         if (peekToken && peekToken.expiry > thirtySecondsFromNow) {
                             logger.debug(() => `[issue1616] Found valid token in bucket '${peekBucket}' for ${providerName}, switching session`);
-                            this.setSessionBucket(providerName, peekBucket);
+                            this.setSessionBucket(providerName, peekBucket, requestMetadata);
                             return peekToken.access_token;
                         }
                     }
@@ -620,10 +638,19 @@ export class OAuthManager {
             return null;
         }
         logger.debug(() => `[FLOW] No existing token for ${providerName}, triggering OAuth flow...`);
+        const resolvedProfileBuckets = await this.getProfileBuckets(providerName, requestMetadata);
+        const scopedSessionBucket = explicitBucket
+            ? undefined
+            : this.getSessionBucket(providerName, requestMetadata);
+        const bucketToCheck = explicitBucket
+            ? bucket
+            : (scopedSessionBucket ??
+                (resolvedProfileBuckets.length === 1
+                    ? resolvedProfileBuckets[0]
+                    : undefined));
         // @fix issue1262 & issue1195: Before triggering OAuth, check disk with lock
         // Another process or earlier run may have written a valid token that we missed
         // Use the same locking pattern as PR #1258 to prevent race conditions
-        const bucketToCheck = typeof bucket === 'string' ? bucket : undefined;
         const lockAcquired = await this.tokenStore.acquireRefreshLock(providerName, {
             waitMs: 5000, // Wait up to 5 seconds for lock
             staleMs: 30000,
@@ -680,7 +707,7 @@ export class OAuthManager {
         // Authentication is handled at the turn boundary via ensureBucketsAuthenticated().
         // For single-bucket or non-bucketed profiles, preserve existing auth behavior.
         try {
-            const buckets = await this.getProfileBuckets(providerName);
+            const buckets = resolvedProfileBuckets;
             if (buckets.length > 1) {
                 // Multi-bucket: pure lookup only — return null.
                 // ensureBucketsAuthenticated() at turn boundary handles auth,
@@ -700,14 +727,22 @@ export class OAuthManager {
                 logger.debug('Could not get ephemeral setting (runtime not initialized), using default', runtimeError);
             }
             if (showPrompt) {
-                const effectiveBuckets = buckets.length === 1 ? buckets : ['default'];
+                const effectiveBuckets = bucketToCheck ? [bucketToCheck] : ['default'];
                 logger.debug(`Single-bucket auth with prompt mode for ${providerName}, bucket: ${effectiveBuckets[0]}`);
-                await this.authenticateMultipleBuckets(providerName, effectiveBuckets);
+                await this.authenticateMultipleBuckets(providerName, effectiveBuckets, requestMetadata);
+                const authenticatedBucket = effectiveBuckets[0];
+                if (authenticatedBucket) {
+                    this.setSessionBucket(providerName, authenticatedBucket, requestMetadata);
+                }
             }
             else {
-                await this.authenticate(providerName);
+                const authenticatedBucket = bucketToCheck ?? 'default';
+                await this.authenticate(providerName, authenticatedBucket);
+                if (authenticatedBucket) {
+                    this.setSessionBucket(providerName, authenticatedBucket, requestMetadata);
+                }
             }
-            const newToken = await this.getOAuthToken(providerName);
+            const newToken = await this.getOAuthToken(providerName, explicitBucket ? bucketToCheck : requestMetadata);
             return newToken ? newToken.access_token : null;
         }
         catch (error) {
@@ -756,6 +791,9 @@ export class OAuthManager {
             throw new Error(`Unknown provider: ${providerName}`);
         }
         const explicitBucket = typeof bucket === 'string';
+        const requestMetadata = !explicitBucket && bucket && typeof bucket === 'object'
+            ? bucket
+            : undefined;
         // Determine the bucket to use: explicit bucket parameter or session bucket override
         let bucketToUse;
         if (explicitBucket) {
@@ -767,10 +805,11 @@ export class OAuthManager {
         let failoverHandler;
         if (!explicitBucket) {
             await this.withBucketResolutionLock(providerName, async () => {
-                if (this.sessionBuckets.has(providerName)) {
-                    bucketToUse = this.sessionBuckets.get(providerName);
+                const sessionBucket = this.getSessionBucket(providerName, requestMetadata);
+                if (sessionBucket) {
+                    bucketToUse = sessionBucket;
                 }
-                profileBuckets = await this.getProfileBuckets(providerName);
+                profileBuckets = await this.getProfileBuckets(providerName, requestMetadata);
                 const config = this.getConfig?.();
                 // @fix issue1029 - Enhanced debug logging for failover handler setup
                 logger.debug(() => `[issue1029] getOAuthToken: provider=${providerName}, buckets=${JSON.stringify(profileBuckets)}, hasConfig=${!!config}`);
@@ -779,9 +818,15 @@ export class OAuthManager {
                     const existingBuckets = failoverHandler?.getBuckets?.() ?? [];
                     const sameBuckets = existingBuckets.length === profileBuckets.length &&
                         existingBuckets.every((value, index) => value === profileBuckets[index]);
-                    logger.debug(() => `[issue1029] Failover handler check: hasExisting=${!!failoverHandler}, sameBuckets=${sameBuckets}, existingBuckets=${JSON.stringify(existingBuckets)}`);
-                    if (!failoverHandler || !sameBuckets) {
-                        const handler = new BucketFailoverHandlerImpl(profileBuckets, providerName, this);
+                    const requestedScopeKey = this.getSessionBucketScopeKey(providerName, requestMetadata);
+                    const existingRequestMetadata = hasRequestMetadata(failoverHandler)
+                        ? failoverHandler.getRequestMetadata()
+                        : undefined;
+                    const existingScopeKey = this.getSessionBucketScopeKey(providerName, existingRequestMetadata);
+                    const sameScope = existingScopeKey === requestedScopeKey;
+                    logger.debug(() => `[issue1029] Failover handler check: hasExisting=${!!failoverHandler}, sameBuckets=${sameBuckets}, sameScope=${sameScope}, existingBuckets=${JSON.stringify(existingBuckets)}`);
+                    if (!failoverHandler || !sameBuckets || !sameScope) {
+                        const handler = new BucketFailoverHandlerImpl(profileBuckets, providerName, this, requestMetadata);
                         config.setBucketFailoverHandler(handler);
                         failoverHandler = handler;
                         logger.debug(() => `[issue1029] Created and set new BucketFailoverHandlerImpl on config for ${providerName} with buckets: ${JSON.stringify(profileBuckets)}`);
@@ -802,8 +847,8 @@ export class OAuthManager {
                         bucketToUse = profileBuckets[0];
                     }
                     // Establish a default session bucket for the duration of this CLI session.
-                    if (bucketToUse && !this.sessionBuckets.has(providerName)) {
-                        this.sessionBuckets.set(providerName, bucketToUse);
+                    if (!sessionBucket && bucketToUse) {
+                        this.setSessionBucket(providerName, bucketToUse, requestMetadata);
                     }
                 }
             });
@@ -1326,27 +1371,45 @@ export class OAuthManager {
      * Set session bucket override for a provider
      * Session state is in-memory only and not persisted
      */
-    setSessionBucket(provider, bucket) {
-        this.sessionBuckets.set(provider, bucket);
+    setSessionBucket(provider, bucket, metadata) {
+        this.sessionBuckets.set(this.getSessionBucketScopeKey(provider, metadata), bucket);
     }
     /**
      * Get session bucket override for a provider
      * Returns undefined if no session override set
      */
-    getSessionBucket(provider) {
-        return this.sessionBuckets.get(provider);
+    getSessionBucket(provider, metadata) {
+        return this.sessionBuckets.get(this.getSessionBucketScopeKey(provider, metadata));
+    }
+    async getCurrentProfileSessionBucket(provider, metadata) {
+        const scopedSessionBucket = this.getSessionBucket(provider, metadata);
+        if (scopedSessionBucket) {
+            return scopedSessionBucket;
+        }
+        const profileBuckets = await this.getProfileBuckets(provider, metadata);
+        if (profileBuckets.length === 1) {
+            return profileBuckets[0];
+        }
+        const unscopedSessionBucket = this.getSessionBucket(provider);
+        if (unscopedSessionBucket &&
+            (profileBuckets.length === 0 ||
+                profileBuckets.includes(unscopedSessionBucket))) {
+            return unscopedSessionBucket;
+        }
+        return undefined;
     }
     /**
      * Clear session bucket override for a provider
      */
-    clearSessionBucket(provider) {
-        this.sessionBuckets.delete(provider);
+    clearSessionBucket(provider, metadata) {
+        this.sessionBuckets.delete(this.getSessionBucketScopeKey(provider, metadata));
     }
-    /**
-     * List all buckets for a provider
-     */
-    async listBuckets(provider) {
-        return this.tokenStore.listBuckets(provider);
+    clearAllSessionBuckets(provider) {
+        for (const key of Array.from(this.sessionBuckets.keys())) {
+            if (key === provider || key.startsWith(`${provider}::`)) {
+                this.sessionBuckets.delete(key);
+            }
+        }
     }
     /**
      * Logout from all buckets for a provider
@@ -1361,14 +1424,18 @@ export class OAuthManager {
                 logger.warn(`Failed to logout from bucket ${bucket}:`, error);
             }
         }
-        this.clearSessionBucket(provider);
+        this.clearAllSessionBuckets(provider);
+    }
+    async listBuckets(provider) {
+        return this.tokenStore.listBuckets(provider);
     }
     /**
      * Get authentication status with bucket information
      */
     async getAuthStatusWithBuckets(provider) {
         const buckets = await this.tokenStore.listBuckets(provider);
-        const sessionBucket = this.sessionBuckets.get(provider);
+        const sessionMetadata = await this.getCurrentProfileSessionMetadata(provider);
+        const sessionBucket = await this.getCurrentProfileSessionBucket(provider, sessionMetadata);
         const statuses = [];
         for (const bucket of buckets) {
             const token = await this.tokenStore.getToken(provider, bucket);
@@ -1407,8 +1474,11 @@ export class OAuthManager {
         if (!provider) {
             return null;
         }
+        const sessionMetadata = await this.getCurrentProfileSessionMetadata('anthropic');
         // Get the token for the specified bucket
-        const bucketToUse = bucket ?? this.sessionBuckets.get('anthropic') ?? 'default';
+        const bucketToUse = bucket ??
+            (await this.getCurrentProfileSessionBucket('anthropic', sessionMetadata)) ??
+            'default';
         const token = await this.tokenStore.getToken('anthropic', bucketToUse);
         if (!token) {
             return null;
@@ -1546,48 +1616,95 @@ export class OAuthManager {
         }
         return result;
     }
-    async getProfileBuckets(providerName) {
+    getSessionBucketScopeKey(provider, metadata) {
+        const profileId = typeof metadata?.profileId === 'string' &&
+            metadata.profileId.trim() !== ''
+            ? metadata.profileId.trim()
+            : undefined;
+        return profileId ? `${provider}::${profileId}` : provider;
+    }
+    async getCurrentProfileSessionMetadata(providerName) {
         try {
-            // Try to get profile from runtime settings
             const { getCliRuntimeServices } = await import('../runtime/runtimeSettings.js');
             const { settingsService } = getCliRuntimeServices();
-            // Get current profile name
             const currentProfileName = typeof settingsService.getCurrentProfileName === 'function'
                 ? settingsService.getCurrentProfileName()
-                : settingsService.get('currentProfile');
-            if (!currentProfileName) {
-                return [];
+                : (settingsService.get('currentProfile') ?? null);
+            if (!currentProfileName || currentProfileName.trim() === '') {
+                return undefined;
             }
-            // Load the profile to check for auth.buckets
-            const profileManager = await createProfileManager();
-            const profile = await profileManager.loadProfile(currentProfileName);
-            // Issue #1468: Verify the profile's provider matches the requested provider
-            // Without this check, buckets from one provider's profile could be returned
-            // when requesting buckets for a different provider, causing token storage
-            // corruption (e.g., Anthropic tokens saved under codex:bucket keys)
-            const profileProvider = 'provider' in profile && typeof profile.provider === 'string'
-                ? profile.provider
-                : null;
-            if (profileProvider !== providerName) {
-                logger.debug(`Profile provider '${profileProvider}' does not match requested provider '${providerName}', returning empty buckets`);
-                return [];
+            return {
+                providerId: providerName,
+                profileId: currentProfileName.trim(),
+            };
+        }
+        catch (error) {
+            logger.debug(`Could not resolve current profile session metadata for ${providerName}:`, error);
+            return undefined;
+        }
+    }
+    async getProfileBuckets(providerName, metadata) {
+        // Prefer the request-scoped profile identity supplied by the caller.
+        const requestedProfileName = typeof metadata?.profileId === 'string' &&
+            metadata.profileId.trim() !== ''
+            ? metadata.profileId.trim()
+            : null;
+        let currentProfileName = requestedProfileName;
+        if (!currentProfileName) {
+            try {
+                // Fall back to the CLI runtime's current profile only when the request
+                // did not provide an explicit profile identity.
+                const { getCliRuntimeServices } = await import('../runtime/runtimeSettings.js');
+                const { settingsService } = getCliRuntimeServices();
+                currentProfileName =
+                    typeof settingsService.getCurrentProfileName === 'function'
+                        ? settingsService.getCurrentProfileName()
+                        : (settingsService.get('currentProfile') ??
+                            null);
             }
-            // Check if profile has auth.buckets for this provider
-            if ('auth' in profile &&
-                profile.auth &&
-                typeof profile.auth === 'object' &&
-                'type' in profile.auth &&
-                profile.auth.type === 'oauth' &&
-                'buckets' in profile.auth &&
-                Array.isArray(profile.auth.buckets)) {
-                return profile.auth.buckets;
+            catch (error) {
+                logger.debug(`Could not resolve current profile for ${providerName}:`, error);
+                return [];
             }
+        }
+        if (!currentProfileName) {
             return [];
         }
+        let profile;
+        try {
+            // Load the profile to check for auth.buckets
+            const profileManager = await createProfileManager();
+            profile = await profileManager.loadProfile(currentProfileName);
+        }
         catch (error) {
             logger.debug(`Could not load profile buckets for ${providerName}:`, error);
+            if (requestedProfileName) {
+                throw error;
+            }
+            return [];
+        }
+        // Issue #1468: Verify the profile's provider matches the requested provider
+        // Without this check, buckets from one provider's profile could be returned
+        // when requesting buckets for a different provider, causing token storage
+        // corruption (e.g., Anthropic tokens saved under codex:bucket keys)
+        const profileProvider = 'provider' in profile && typeof profile.provider === 'string'
+            ? profile.provider
+            : null;
+        if (profileProvider !== providerName) {
+            logger.debug(`Profile provider '${profileProvider}' does not match requested provider '${providerName}', returning empty buckets`);
             return [];
         }
+        // Check if profile has auth.buckets for this provider
+        if ('auth' in profile &&
+            profile.auth &&
+            typeof profile.auth === 'object' &&
+            'type' in profile.auth &&
+            profile.auth.type === 'oauth' &&
+            'buckets' in profile.auth &&
+            Array.isArray(profile.auth.buckets)) {
+            return profile.auth.buckets;
+        }
+        return [];
     }
     /**
      * Authenticate multiple OAuth buckets sequentially using MultiBucketAuthenticator
@@ -1596,7 +1713,7 @@ export class OAuthManager {
      * Issue 913: This method now supports eager authentication of all buckets upfront,
      * filtering out already-authenticated buckets to avoid unnecessary prompts.
      */
-    async authenticateMultipleBuckets(providerName, buckets) {
+    async authenticateMultipleBuckets(providerName, buckets, requestMetadata) {
         const { MultiBucketAuthenticator } = await import('./MultiBucketAuthenticator.js');
         // Get ephemeral settings for timing controls
         const { getEphemeralSetting: getRuntimeEphemeralSetting } = await import('../runtime/runtimeSettings.js');
@@ -1851,7 +1968,7 @@ export class OAuthManager {
         if (buckets.length > 1) {
             const config = this.getConfig?.();
             if (config) {
-                const handler = new BucketFailoverHandlerImpl(buckets, providerName, this);
+                const handler = new BucketFailoverHandlerImpl(buckets, providerName, this, requestMetadata);
                 config.setBucketFailoverHandler(handler);
                 logger.debug('Bucket failover handler configured', {
                     provider: providerName,