npm - @witqq/agent-sdk - Versions diffs - 0.3.1 → 0.4.0 - Mend

@witqq/agent-sdk 0.3.1 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (34) hide show

package/README.md +103 -1
package/dist/auth/index.cjs +359 -0
package/dist/auth/index.cjs.map +1 -0
package/dist/auth/index.d.cts +271 -0
package/dist/auth/index.d.ts +271 -0
package/dist/auth/index.js +352 -0
package/dist/auth/index.js.map +1 -0
package/dist/backends/claude.cjs +81 -13
package/dist/backends/claude.cjs.map +1 -1
package/dist/backends/claude.d.cts +6 -1
package/dist/backends/claude.d.ts +6 -1
package/dist/backends/claude.js +81 -13
package/dist/backends/claude.js.map +1 -1
package/dist/backends/copilot.cjs +75 -12
package/dist/backends/copilot.cjs.map +1 -1
package/dist/backends/copilot.d.cts +1 -1
package/dist/backends/copilot.d.ts +1 -1
package/dist/backends/copilot.js +75 -12
package/dist/backends/copilot.js.map +1 -1
package/dist/backends/vercel-ai.cjs +20 -1
package/dist/backends/vercel-ai.cjs.map +1 -1
package/dist/backends/vercel-ai.d.cts +1 -1
package/dist/backends/vercel-ai.d.ts +1 -1
package/dist/backends/vercel-ai.js +20 -1
package/dist/backends/vercel-ai.js.map +1 -1
package/dist/index.cjs +4 -0
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +12 -0
package/dist/index.d.ts +12 -0
package/dist/index.js +4 -0
package/dist/index.js.map +1 -1
package/dist/{types-ChCH6zvp.d.cts → types-CYtx9gvQ.d.cts} +10 -0
package/dist/{types-ChCH6zvp.d.ts → types-CYtx9gvQ.d.ts} +10 -0
package/package.json +11 -1

package/README.md CHANGED Viewed

@@ -263,6 +263,30 @@ for await (const event of agent.stream("Run a long analysis")) {
 When `heartbeatInterval` is set, heartbeat events are emitted during streaming gaps (e.g., while a tool executes). No heartbeats are emitted when backend events flow continuously. The timer is cleaned up when the stream completes, errors, or is aborted.
+## Persistent Sessions (CLI Backends)
+CLI backends (Copilot, Claude) create a fresh subprocess session per `run()`/`stream()` call by default. Set `sessionMode: "persistent"` to reuse the same CLI session across calls — the CLI backend maintains conversation history natively:
+```typescript
+const agent = service.createAgent({
+  systemPrompt: "You are a helpful assistant.",
+  sessionMode: "persistent", // reuse CLI session across calls
+});
+await agent.run("My name is Alice");
+const result = await agent.run("What is my name?");
+// result.output contains "Alice" — history maintained by CLI
+console.log(agent.sessionId); // CLI session ID for external tracking
+agent.dispose(); // destroys the persistent session
+```
+In persistent mode, if a session encounters an error, it is automatically cleared and recreated on the next call. The `sessionId` property exposes the CLI session ID for logging or external storage.
+Default (`"per-call"`): each call creates and destroys a fresh session. Multi-message context is passed via prompt augmentation through `runWithContext()`/`streamWithContext()`.
+API-based backends (Vercel AI) ignore `sessionMode` — they are stateless by design.
 ## Backend-Specific Options
 ### Copilot
@@ -378,7 +402,7 @@ import { createVercelAIService } from "@witqq/agent-sdk/vercel-ai";
 | Claude | `claude-sonnet-4-5-20250514` | `sonnet` |
 | Vercel AI | `anthropic/claude-sonnet-4-5` | (provider-specific) |
-Use `service.listModels()` to get available model IDs for each backend.
+Use `service.listModels()` to get available model IDs for each backend. Copilot lists models from GitHub API. Claude queries the Anthropic `/v1/models` endpoint when `oauthToken` is provided (returns empty list without token). Vercel AI queries the provider's `/models` endpoint (returns empty list on failure).
 ## Build
@@ -388,6 +412,84 @@ npm run test      # vitest
 npm run typecheck  # tsc --noEmit
 ```
+## Authentication
+Programmatic OAuth flows for obtaining tokens without manual terminal interaction.
+```typescript
+import { CopilotAuth, ClaudeAuth } from "@witqq/agent-sdk/auth";
+```
+### Copilot (GitHub Device Flow)
+```typescript
+const auth = new CopilotAuth();
+const { verificationUrl, userCode, waitForToken } = await auth.startDeviceFlow();
+// Show the user: open verificationUrl and enter userCode
+console.log(`Open ${verificationUrl} and enter code: ${userCode}`);
+const token = await waitForToken(); // polls until authorized
+// token.accessToken = "gho_..." (long-lived, no expiration)
+// Use with Copilot backend:
+const service = createCopilotService({ githubToken: token.accessToken });
+```
+### Claude (OAuth + PKCE)
+```typescript
+const auth = new ClaudeAuth();
+const { authorizeUrl, completeAuth } = auth.startOAuthFlow();
+// Open authorizeUrl in browser — user authorizes, gets redirected
+// completeAuth accepts raw code, full redirect URL, or code#state format
+console.log(`Open: ${authorizeUrl}`);
+const token = await completeAuth(codeOrUrl);
+// token.accessToken = "sk-ant-oat01-..." (expires in 8h, has refreshToken)
+// Refresh before expiry:
+const refreshed = await auth.refreshToken(token.refreshToken);
+// Use with Claude backend:
+const service = createClaudeService({ oauthToken: token.accessToken });
+```
+### Token Types
+```typescript
+interface AuthToken {
+  accessToken: string;
+  tokenType: string;
+  expiresIn?: number;   // seconds until expiry (undefined = long-lived)
+  obtainedAt: number;   // Date.now() when token was obtained
+}
+interface ClaudeAuthToken extends AuthToken {
+  refreshToken: string; // for refreshing expired tokens
+  scopes: string[];
+}
+interface CopilotAuthToken extends AuthToken {
+  login?: string;       // GitHub username
+}
+```
+## Interactive Demo
+A web-based interactive demo showcasing all backends with authentication is in `examples/auth-demo/`.
+```bash
+# Run in Docker (web UI at http://localhost:3456)
+docker compose -f examples/auth-demo/docker-compose.yml up
+# Run locally (CLI mode)
+npx tsx examples/auth-demo/index.ts
+```
+Features: provider selection, auth flows (Device Flow, OAuth+PKCE, API key), model selection, streaming chat with conversation history, token persistence across container restarts, and provider switching.
 ## License
 MIT

package/dist/auth/index.cjs ADDED Viewed

@@ -0,0 +1,359 @@
+'use strict';
+var crypto = require('crypto');
+// src/auth/types.ts
+var AuthError = class extends Error {
+  constructor(message, options) {
+    super(message, options);
+    this.name = "AuthError";
+  }
+};
+var DeviceCodeExpiredError = class extends AuthError {
+  constructor() {
+    super("Device code expired. Please restart the auth flow.");
+    this.name = "DeviceCodeExpiredError";
+  }
+};
+var AccessDeniedError = class extends AuthError {
+  constructor() {
+    super("Access was denied by the user.");
+    this.name = "AccessDeniedError";
+  }
+};
+var TokenExchangeError = class extends AuthError {
+  constructor(message, options) {
+    super(message, options);
+    this.name = "TokenExchangeError";
+  }
+};
+// src/auth/copilot-auth.ts
+var CLIENT_ID = "Ov23ctDVkRmgkPke0Mmm";
+var DEVICE_CODE_URL = "https://github.com/login/device/code";
+var ACCESS_TOKEN_URL = "https://github.com/login/oauth/access_token";
+var USER_API_URL = "https://api.github.com/user";
+var DEFAULT_SCOPES = "read:user,read:org,repo,gist";
+var GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code";
+var CopilotAuth = class {
+  fetchFn;
+  /** @param options - Optional configuration with custom fetch for testing */
+  constructor(options) {
+    this.fetchFn = options?.fetch ?? globalThis.fetch;
+  }
+  /**
+   * Start the GitHub Device Flow.
+   * Returns a device code result with user code, verification URL,
+   * and a `waitForToken()` function that polls until the user authorizes.
+   *
+   * @param options - Optional scopes and abort signal
+   * @returns Device flow result with user code, verification URL, and waitForToken poller
+   * @throws {AuthError} If the device code request fails
+   * @throws {DeviceCodeExpiredError} If the device code expires before user authorizes
+   * @throws {AccessDeniedError} If the user denies access
+   *
+   * @example
+   * ```ts
+   * const auth = new CopilotAuth();
+   * const { userCode, verificationUrl, waitForToken } = await auth.startDeviceFlow();
+   * console.log(`Open ${verificationUrl} and enter code: ${userCode}`);
+   * const token = await waitForToken();
+   * ```
+   */
+  async startDeviceFlow(options) {
+    const scopes = options?.scopes ?? DEFAULT_SCOPES;
+    const response = await this.fetchFn(DEVICE_CODE_URL, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Accept: "application/json"
+      },
+      body: new URLSearchParams({
+        client_id: CLIENT_ID,
+        scope: scopes
+      }),
+      signal: options?.signal
+    });
+    if (!response.ok) {
+      throw new AuthError(
+        `Failed to request device code: ${response.status} ${response.statusText}`
+      );
+    }
+    const data = await response.json();
+    return {
+      userCode: data.user_code,
+      verificationUrl: data.verification_uri,
+      waitForToken: (signal) => this.pollForToken(data.device_code, data.interval, signal)
+    };
+  }
+  async pollForToken(deviceCode, interval, signal) {
+    let pollIntervalMs = interval * 1e3;
+    while (true) {
+      if (signal?.aborted) {
+        throw new AuthError("Authentication was aborted.");
+      }
+      await this.delay(pollIntervalMs, signal);
+      const response = await this.fetchFn(ACCESS_TOKEN_URL, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded",
+          Accept: "application/json"
+        },
+        body: new URLSearchParams({
+          client_id: CLIENT_ID,
+          device_code: deviceCode,
+          grant_type: GRANT_TYPE
+        }),
+        signal
+      });
+      if (!response.ok) {
+        throw new AuthError(
+          `Token poll failed: ${response.status} ${response.statusText}`
+        );
+      }
+      const data = await response.json();
+      if (data.access_token) {
+        const token = {
+          accessToken: data.access_token,
+          tokenType: data.token_type ?? "bearer",
+          obtainedAt: Date.now()
+        };
+        try {
+          const login = await this.fetchUserLogin(data.access_token, signal);
+          if (login) token.login = login;
+        } catch {
+        }
+        return token;
+      }
+      if (data.error === "authorization_pending") {
+        continue;
+      }
+      if (data.error === "slow_down") {
+        pollIntervalMs = (data.interval ?? interval + 5) * 1e3;
+        continue;
+      }
+      if (data.error === "expired_token") {
+        throw new DeviceCodeExpiredError();
+      }
+      if (data.error === "access_denied") {
+        throw new AccessDeniedError();
+      }
+      throw new AuthError(
+        data.error_description ?? `Unexpected error: ${data.error}`
+      );
+    }
+  }
+  async fetchUserLogin(token, signal) {
+    const response = await this.fetchFn(USER_API_URL, {
+      headers: {
+        Authorization: `Bearer ${token}`,
+        Accept: "application/json"
+      },
+      signal
+    });
+    if (!response.ok) return void 0;
+    const user = await response.json();
+    return user.login;
+  }
+  delay(ms, signal) {
+    return new Promise((resolve, reject) => {
+      const timer = setTimeout(resolve, ms);
+      signal?.addEventListener(
+        "abort",
+        () => {
+          clearTimeout(timer);
+          reject(new AuthError("Authentication was aborted."));
+        },
+        { once: true }
+      );
+    });
+  }
+};
+var CLIENT_ID2 = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
+var AUTHORIZE_URL = "https://claude.ai/oauth/authorize";
+var TOKEN_URL = "https://platform.claude.com/v1/oauth/token";
+var DEFAULT_REDIRECT_URI = "https://platform.claude.com/oauth/code/callback";
+var DEFAULT_SCOPES2 = "user:profile user:inference user:sessions:claude_code user:mcp_servers";
+var ClaudeAuth = class _ClaudeAuth {
+  fetchFn;
+  randomBytes;
+  /**
+   * @param options - Optional configuration with custom fetch and random bytes for testing
+   */
+  constructor(options) {
+    this.fetchFn = options?.fetch ?? globalThis.fetch;
+    this.randomBytes = options?.randomBytes ?? defaultRandomBytes;
+  }
+  /**
+   * Start the Claude OAuth+PKCE flow.
+   * Generates PKCE code verifier/challenge and returns an authorize URL
+   * plus a `completeAuth(code)` function for token exchange.
+   *
+   * @param options - Redirect URI and optional scopes
+   * @returns OAuth flow result with authorize URL and completeAuth function
+   * @throws {AuthError} If PKCE generation fails
+   *
+   * @example
+   * ```ts
+   * const auth = new ClaudeAuth();
+   * const { authorizeUrl, completeAuth } = auth.startOAuthFlow({
+   *   redirectUri: "https://platform.claude.com/oauth/code/callback",
+   * });
+   * console.log(`Open: ${authorizeUrl}`);
+   * const token = await completeAuth(authorizationCode);
+   * ```
+   */
+  startOAuthFlow(options) {
+    const redirectUri = options?.redirectUri ?? DEFAULT_REDIRECT_URI;
+    const scopes = options?.scopes ?? DEFAULT_SCOPES2;
+    const codeVerifier = this.generateCodeVerifier();
+    const state = this.generateState();
+    const authorizeUrl = this.buildAuthorizeUrl(
+      redirectUri,
+      scopes,
+      codeVerifier,
+      state
+    );
+    return {
+      authorizeUrl,
+      completeAuth: (codeOrUrl) => {
+        const code = _ClaudeAuth.extractCode(codeOrUrl);
+        return this.exchangeCode(code, codeVerifier, state, redirectUri);
+      }
+    };
+  }
+  /**
+   * Extract an authorization code from user input.
+   * Accepts a raw code string or a full redirect URL containing a `code` query parameter.
+   *
+   * @param input - Raw authorization code or redirect URL
+   * @returns The extracted authorization code
+   *
+   * @example
+   * ```ts
+   * ClaudeAuth.extractCode("abc123"); // "abc123"
+   * ClaudeAuth.extractCode("https://platform.claude.com/oauth/code/callback?code=abc123&state=xyz"); // "abc123"
+   * ```
+   */
+  static extractCode(input) {
+    const trimmed = input.trim();
+    try {
+      const url = new URL(trimmed);
+      const code = url.searchParams.get("code");
+      if (code) return code;
+    } catch {
+    }
+    const hashIdx = trimmed.indexOf("#");
+    if (hashIdx > 0) {
+      return trimmed.substring(0, hashIdx);
+    }
+    return trimmed;
+  }
+  /**
+   * Refresh an expired Claude token.
+   *
+   * @param refreshToken - The refresh token from a previous authentication
+   * @returns New auth token with refreshed access token
+   * @throws {TokenExchangeError} If the refresh request fails
+   *
+   * @example
+   * ```ts
+   * const auth = new ClaudeAuth();
+   * const newToken = await auth.refreshToken(oldToken.refreshToken);
+   * ```
+   */
+  async refreshToken(refreshToken) {
+    const response = await this.fetchFn(TOKEN_URL, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        grant_type: "refresh_token",
+        refresh_token: refreshToken,
+        client_id: CLIENT_ID2
+      })
+    });
+    if (!response.ok) {
+      const text = await response.text();
+      throw new TokenExchangeError(
+        `Token refresh failed: ${response.status} ${text}`
+      );
+    }
+    const data = await response.json();
+    return this.mapTokenResponse(data);
+  }
+  generateCodeVerifier() {
+    const bytes = this.randomBytes(96);
+    return base64Encode(bytes).replace(/\+/g, "~").replace(/=/g, "_").replace(/\//g, "-");
+  }
+  generateState() {
+    const bytes = this.randomBytes(16);
+    return hexEncode(bytes);
+  }
+  buildAuthorizeUrl(redirectUri, scopes, codeVerifier, state) {
+    const codeChallenge = this.generateCodeChallengeSync(codeVerifier);
+    const url = new URL(AUTHORIZE_URL);
+    url.searchParams.set("code", "true");
+    url.searchParams.set("client_id", CLIENT_ID2);
+    url.searchParams.set("response_type", "code");
+    url.searchParams.set("redirect_uri", redirectUri);
+    url.searchParams.set("scope", scopes);
+    url.searchParams.set("code_challenge", codeChallenge);
+    url.searchParams.set("code_challenge_method", "S256");
+    url.searchParams.set("state", state);
+    return url.toString();
+  }
+  generateCodeChallengeSync(verifier) {
+    const hash = crypto.createHash("sha256").update(verifier).digest("base64");
+    return hash.split("=")[0].replace(/\+/g, "-").replace(/\//g, "_");
+  }
+  async exchangeCode(code, codeVerifier, state, redirectUri) {
+    const response = await this.fetchFn(TOKEN_URL, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: redirectUri,
+        client_id: CLIENT_ID2,
+        code_verifier: codeVerifier,
+        state
+      })
+    });
+    if (!response.ok) {
+      const text = await response.text();
+      throw new TokenExchangeError(
+        `Token exchange failed: ${response.status} ${text}`
+      );
+    }
+    const data = await response.json();
+    return this.mapTokenResponse(data);
+  }
+  mapTokenResponse(data) {
+    return {
+      accessToken: data.access_token,
+      tokenType: data.token_type ?? "bearer",
+      expiresIn: data.expires_in,
+      obtainedAt: Date.now(),
+      refreshToken: data.refresh_token,
+      scopes: data.scope?.split(" ") ?? []
+    };
+  }
+};
+function defaultRandomBytes(size) {
+  return new Uint8Array(crypto.randomBytes(size));
+}
+function base64Encode(bytes) {
+  return Buffer.from(bytes).toString("base64");
+}
+function hexEncode(bytes) {
+  return Buffer.from(bytes).toString("hex");
+}
+exports.AccessDeniedError = AccessDeniedError;
+exports.AuthError = AuthError;
+exports.ClaudeAuth = ClaudeAuth;
+exports.CopilotAuth = CopilotAuth;
+exports.DeviceCodeExpiredError = DeviceCodeExpiredError;
+exports.TokenExchangeError = TokenExchangeError;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map

package/dist/auth/index.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/auth/types.ts","../../src/auth/copilot-auth.ts","../../src/auth/claude-auth.ts"],"names":["CLIENT_ID","DEFAULT_SCOPES","createHash","nodeRandomBytes"],"mappings":";;;;;AAqIO,IAAM,SAAA,GAAN,cAAwB,KAAA,CAAM;AAAA,EACnC,WAAA,CAAY,SAAiB,OAAA,EAAwB;AACnD,IAAA,KAAA,CAAM,SAAS,OAAO,CAAA;AACtB,IAAA,IAAA,CAAK,IAAA,GAAO,WAAA;AAAA,EACd;AACF;AAGO,IAAM,sBAAA,GAAN,cAAqC,SAAA,CAAU;AAAA,EACpD,WAAA,GAAc;AACZ,IAAA,KAAA,CAAM,oDAAoD,CAAA;AAC1D,IAAA,IAAA,CAAK,IAAA,GAAO,wBAAA;AAAA,EACd;AACF;AAGO,IAAM,iBAAA,GAAN,cAAgC,SAAA,CAAU;AAAA,EAC/C,WAAA,GAAc;AACZ,IAAA,KAAA,CAAM,gCAAgC,CAAA;AACtC,IAAA,IAAA,CAAK,IAAA,GAAO,mBAAA;AAAA,EACd;AACF;AAMO,IAAM,kBAAA,GAAN,cAAiC,SAAA,CAAU;AAAA,EAChD,WAAA,CAAY,SAAiB,OAAA,EAAwB;AACnD,IAAA,KAAA,CAAM,SAAS,OAAO,CAAA;AACtB,IAAA,IAAA,CAAK,IAAA,GAAO,oBAAA;AAAA,EACd;AACF;;;AC9JA,IAAM,SAAA,GAAY,sBAAA;AAClB,IAAM,eAAA,GAAkB,sCAAA;AACxB,IAAM,gBAAA,GAAmB,6CAAA;AACzB,IAAM,YAAA,GAAe,6BAAA;AACrB,IAAM,cAAA,GAAiB,8BAAA;AACvB,IAAM,UAAA,GAAa,8CAAA;AAsCZ,IAAM,cAAN,MAAkB;AAAA,EACN,OAAA;AAAA;AAAA,EAGjB,YAAY,OAAA,EAA+B;AACzC,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA,EAAS,KAAA,IAAS,UAAA,CAAW,KAAA;AAAA,EAC9C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAqBA,MAAM,gBAAgB,OAAA,EAGQ;AAC5B,IAAA,MAAM,MAAA,GAAS,SAAS,MAAA,IAAU,cAAA;AAClC,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,OAAA,CAAQ,eAAA,EAAiB;AAAA,MACnD,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACP,cAAA,EAAgB,mCAAA;AAAA,QAChB,MAAA,EAAQ;AAAA,OACV;AAAA,MACA,IAAA,EAAM,IAAI,eAAA,CAAgB;AAAA,QACxB,SAAA,EAAW,SAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACR,CAAA;AAAA,MACD,QAAQ,OAAA,EAAS;AAAA,KAClB,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,IAAI,SAAA;AAAA,QACR,CAAA,+BAAA,EAAkC,QAAA,CAAS,MAAM,CAAA,CAAA,EAAI,SAAS,UAAU,CAAA;AAAA,OAC1E;AAAA,IACF;AAEA,IAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAElC,IAAA,OAAO;AAAA,MACL,UAAU,IAAA,CAAK,SAAA;AAAA,MACf,iBAAiB,IAAA,CAAK,gBAAA;AAAA,MACtB,YAAA,EAAc,CAAC,MAAA,KACb,IAAA,CAAK,aAAa,IAAA,CAAK,WAAA,EAAa,IAAA,CAAK,QAAA,EAAU,MAAM;AAAA,KAC7D;AAAA,EACF;AAAA,EAEA,MAAc,YAAA,CACZ,UAAA,EACA,QAAA,EACA,MAAA,EAC2B;AAC3B,IAAA,IAAI,iBAAiB,QAAA,GAAW,GAAA;AAEhC,IAAA,OAAO,IAAA,EAAM;AACX,MAAA,IAAI,QAAQ,OAAA,EAAS;AACnB,QAAA,MAAM,IAAI,UAAU,6BAA6B,CAAA;AAAA,MACnD;AAEA,MAAA,MAAM,IAAA,CAAK,KAAA,CAAM,cAAA,EAAgB,MAAM,CAAA;AAEvC,MAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,OAAA,CAAQ,gBAAA,EAAkB;AAAA,QACpD,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,cAAA,EAAgB,mCAAA;AAAA,UAChB,MAAA,EAAQ;AAAA,SACV;AAAA,QACA,IAAA,EAAM,IAAI,eAAA,CAAgB;AAAA,UACxB,SAAA,EAAW,SAAA;AAAA,UACX,WAAA,EAAa,UAAA;AAAA,UACb,UAAA,EAAY;AAAA,SACb,CAAA;AAAA,QACD;AAAA,OACD,CAAA;AAED,MAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,QAAA,MAAM,IAAI,SAAA;AAAA,UACR,CAAA,mBAAA,EAAsB,QAAA,CAAS,MAAM,CAAA,CAAA,EAAI,SAAS,UAAU,CAAA;AAAA,SAC9D;AAAA,MACF;AAEA,MAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAElC,MAAA,IAAI,KAAK,YAAA,EAAc;AACrB,QAAA,MAAM,KAAA,GAA0B;AAAA,UAC9B,aAAa,IAAA,CAAK,YAAA;AAAA,UAClB,SAAA,EAAW,KAAK,UAAA,IAAc,QAAA;AAAA,UAC9B,UAAA,EAAY,KAAK,GAAA;AAAI,SACvB;AAGA,QAAA,IAAI;AACF,UAAA,MAAM,QAAQ,MAAM,IAAA,CAAK,cAAA,CAAe,IAAA,CAAK,cAAc,MAAM,CAAA;AACjE,UAAA,IAAI,KAAA,QAAa,KAAA,GAAQ,KAAA;AAAA,QAC3B,CAAA,CAAA,MAAQ;AAAA,QAER;AAEA,QAAA,OAAO,KAAA;AAAA,MACT;AAEA,MAAA,IAAI,IAAA,CAAK,UAAU,uBAAA,EAAyB;AAC1C,QAAA;AAAA,MACF;AAEA,MAAA,IAAI,IAAA,CAAK,UAAU,WAAA,EAAa;AAC9B,QAAA,cAAA,GAAA,CAAkB,IAAA,CAAK,QAAA,IAAY,QAAA,GAAW,CAAA,IAAK,GAAA;AACnD,QAAA;AAAA,MACF;AAEA,MAAA,IAAI,IAAA,CAAK,UAAU,eAAA,EAAiB;AAClC,QAAA,MAAM,IAAI,sBAAA,EAAuB;AAAA,MACnC;AAEA,MAAA,IAAI,IAAA,CAAK,UAAU,eAAA,EAAiB;AAClC,QAAA,MAAM,IAAI,iBAAA,EAAkB;AAAA,MAC9B;AAEA,MAAA,MAAM,IAAI,SAAA;AAAA,QACR,IAAA,CAAK,iBAAA,IAAqB,CAAA,kBAAA,EAAqB,IAAA,CAAK,KAAK,CAAA;AAAA,OAC3D;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAc,cAAA,CACZ,KAAA,EACA,MAAA,EAC6B;AAC7B,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,OAAA,CAAQ,YAAA,EAAc;AAAA,MAChD,OAAA,EAAS;AAAA,QACP,aAAA,EAAe,UAAU,KAAK,CAAA,CAAA;AAAA,QAC9B,MAAA,EAAQ;AAAA,OACV;AAAA,MACA;AAAA,KACD,CAAA;AAED,IAAA,IAAI,CAAC,QAAA,CAAS,EAAA,EAAI,OAAO,MAAA;AAEzB,IAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAClC,IAAA,OAAO,IAAA,CAAK,KAAA;AAAA,EACd;AAAA,EAEQ,KAAA,CAAM,IAAY,MAAA,EAAqC;AAC7D,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAA,KAAW;AACtC,MAAA,MAAM,KAAA,GAAQ,UAAA,CAAW,OAAA,EAAS,EAAE,CAAA;AACpC,MAAA,MAAA,EAAQ,gBAAA;AAAA,QACN,OAAA;AAAA,QACA,MAAM;AACJ,UAAA,YAAA,CAAa,KAAK,CAAA;AAClB,UAAA,MAAA,CAAO,IAAI,SAAA,CAAU,6BAA6B,CAAC,CAAA;AAAA,QACrD,CAAA;AAAA,QACA,EAAE,MAAM,IAAA;AAAK,OACf;AAAA,IACF,CAAC,CAAA;AAAA,EACH;AACF;ACvNA,IAAMA,UAAAA,GAAY,sCAAA;AAClB,IAAM,aAAA,GAAgB,mCAAA;AACtB,IAAM,SAAA,GAAY,4CAAA;AAClB,IAAM,oBAAA,GACJ,iDAAA;AACF,IAAMC,eAAAA,GACJ,wEAAA;AAsBK,IAAM,UAAA,GAAN,MAAM,WAAA,CAAW;AAAA,EACL,OAAA;AAAA,EACA,WAAA;AAAA;AAAA;AAAA;AAAA,EAKjB,YAAY,OAAA,EAGT;AACD,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA,EAAS,KAAA,IAAS,UAAA,CAAW,KAAA;AAC5C,IAAA,IAAA,CAAK,WAAA,GAAc,SAAS,WAAA,IAAe,kBAAA;AAAA,EAC7C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAqBA,eAAe,OAAA,EAA6C;AAC1D,IAAA,MAAM,WAAA,GAAc,SAAS,WAAA,IAAe,oBAAA;AAC5C,IAAA,MAAM,MAAA,GAAS,SAAS,MAAA,IAAUA,eAAAA;AAElC,IAAA,MAAM,YAAA,GAAe,KAAK,oBAAA,EAAqB;AAC/C,IAAA,MAAM,KAAA,GAAQ,KAAK,aAAA,EAAc;AAEjC,IAAA,MAAM,eAAe,IAAA,CAAK,iBAAA;AAAA,MACxB,WAAA;AAAA,MACA,MAAA;AAAA,MACA,YAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,OAAO;AAAA,MACL,YAAA;AAAA,MACA,YAAA,EAAc,CAAC,SAAA,KAAsB;AACnC,QAAA,MAAM,IAAA,GAAO,WAAA,CAAW,WAAA,CAAY,SAAS,CAAA;AAC7C,QAAA,OAAO,IAAA,CAAK,YAAA,CAAa,IAAA,EAAM,YAAA,EAAc,OAAO,WAAW,CAAA;AAAA,MACjE;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeA,OAAO,YAAY,KAAA,EAAuB;AACxC,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,EAAK;AAC3B,IAAA,IAAI;AACF,MAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,OAAO,CAAA;AAC3B,MAAA,MAAM,IAAA,GAAO,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,MAAM,CAAA;AACxC,MAAA,IAAI,MAAM,OAAO,IAAA;AAAA,IACnB,CAAA,CAAA,MAAQ;AAAA,IAER;AAEA,IAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,OAAA,CAAQ,GAAG,CAAA;AACnC,IAAA,IAAI,UAAU,CAAA,EAAG;AACf,MAAA,OAAO,OAAA,CAAQ,SAAA,CAAU,CAAA,EAAG,OAAO,CAAA;AAAA,IACrC;AACA,IAAA,OAAO,OAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeA,MAAM,aAAa,YAAA,EAAgD;AACjE,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,OAAA,CAAQ,SAAA,EAAW;AAAA,MAC7C,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,kBAAA,EAAmB;AAAA,MAC9C,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,QACnB,UAAA,EAAY,eAAA;AAAA,QACZ,aAAA,EAAe,YAAA;AAAA,QACf,SAAA,EAAWD;AAAA,OACZ;AAAA,KACF,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AACjC,MAAA,MAAM,IAAI,kBAAA;AAAA,QACR,CAAA,sBAAA,EAAyB,QAAA,CAAS,MAAM,CAAA,CAAA,EAAI,IAAI,CAAA;AAAA,OAClD;AAAA,IACF;AAEA,IAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAClC,IAAA,OAAO,IAAA,CAAK,iBAAiB,IAAI,CAAA;AAAA,EACnC;AAAA,EAEQ,oBAAA,GAA+B;AACrC,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,WAAA,CAAY,EAAE,CAAA;AACjC,IAAA,OAAO,YAAA,CAAa,KAAK,CAAA,CACtB,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAClB,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CACjB,OAAA,CAAQ,OAAO,GAAG,CAAA;AAAA,EACvB;AAAA,EAEQ,aAAA,GAAwB;AAC9B,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,WAAA,CAAY,EAAE,CAAA;AACjC,IAAA,OAAO,UAAU,KAAK,CAAA;AAAA,EACxB;AAAA,EAEQ,iBAAA,CACN,WAAA,EACA,MAAA,EACA,YAAA,EACA,KAAA,EACQ;AACR,IAAA,MAAM,aAAA,GAAgB,IAAA,CAAK,yBAAA,CAA0B,YAAY,CAAA;AAEjE,IAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,aAAa,CAAA;AACjC,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,MAAA,EAAQ,MAAM,CAAA;AACnC,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,WAAA,EAAaA,UAAS,CAAA;AAC3C,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,eAAA,EAAiB,MAAM,CAAA;AAC5C,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,cAAA,EAAgB,WAAW,CAAA;AAChD,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,OAAA,EAAS,MAAM,CAAA;AACpC,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,gBAAA,EAAkB,aAAa,CAAA;AACpD,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,uBAAA,EAAyB,MAAM,CAAA;AACpD,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,OAAA,EAAS,KAAK,CAAA;AAEnC,IAAA,OAAO,IAAI,QAAA,EAAS;AAAA,EACtB;AAAA,EAEQ,0BAA0B,QAAA,EAA0B;AAC1D,IAAA,MAAM,IAAA,GAAOE,kBAAW,QAAQ,CAAA,CAAE,OAAO,QAAQ,CAAA,CAAE,OAAO,QAAQ,CAAA;AAClE,IAAA,OAAO,IAAA,CAAK,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA;AAAA,EAClE;AAAA,EAEA,MAAc,YAAA,CACZ,IAAA,EACA,YAAA,EACA,OACA,WAAA,EAC0B;AAC1B,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,OAAA,CAAQ,SAAA,EAAW;AAAA,MAC7C,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,kBAAA,EAAmB;AAAA,MAC9C,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,QACnB,UAAA,EAAY,oBAAA;AAAA,QACZ,IAAA;AAAA,QACA,YAAA,EAAc,WAAA;AAAA,QACd,SAAA,EAAWF,UAAAA;AAAA,QACX,aAAA,EAAe,YAAA;AAAA,QACf;AAAA,OACD;AAAA,KACF,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AACjC,MAAA,MAAM,IAAI,kBAAA;AAAA,QACR,CAAA,uBAAA,EAA0B,QAAA,CAAS,MAAM,CAAA,CAAA,EAAI,IAAI,CAAA;AAAA,OACnD;AAAA,IACF;AAEA,IAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAClC,IAAA,OAAO,IAAA,CAAK,iBAAiB,IAAI,CAAA;AAAA,EACnC;AAAA,EAEQ,iBAAiB,IAAA,EAAsC;AAC7D,IAAA,OAAO;AAAA,MACL,aAAa,IAAA,CAAK,YAAA;AAAA,MAClB,SAAA,EAAW,KAAK,UAAA,IAAc,QAAA;AAAA,MAC9B,WAAW,IAAA,CAAK,UAAA;AAAA,MAChB,UAAA,EAAY,KAAK,GAAA,EAAI;AAAA,MACrB,cAAc,IAAA,CAAK,aAAA;AAAA,MACnB,QAAQ,IAAA,CAAK,KAAA,EAAO,KAAA,CAAM,GAAG,KAAK;AAAC,KACrC;AAAA,EACF;AACF;AAcA,SAAS,mBAAmB,IAAA,EAA0B;AACpD,EAAA,OAAO,IAAI,UAAA,CAAWG,kBAAA,CAAgB,IAAI,CAAC,CAAA;AAC7C;AAEA,SAAS,aAAa,KAAA,EAA2B;AAC/C,EAAA,OAAO,MAAA,CAAO,IAAA,CAAK,KAAK,CAAA,CAAE,SAAS,QAAQ,CAAA;AAC7C;AAEA,SAAS,UAAU,KAAA,EAA2B;AAC5C,EAAA,OAAO,MAAA,CAAO,IAAA,CAAK,KAAK,CAAA,CAAE,SAAS,KAAK,CAAA;AAC1C","file":"index.cjs","sourcesContent":["// ─── Auth Token Types ──────────────────────────────────────────\n\n/**\n * Base auth token returned by all auth providers.\n *\n * @example\n * ```ts\n * import type { AuthToken } from \"@witqq/agent-sdk/auth\";\n *\n * const token: AuthToken = {\n * accessToken: \"gho_abc123...\",\n * tokenType: \"bearer\",\n * obtainedAt: Date.now(),\n * };\n * ```\n */\nexport interface AuthToken {\n /** The access token string */\n accessToken: string;\n /** Token type (e.g. \"bearer\") */\n tokenType: string;\n /** Seconds until token expires (undefined = long-lived) */\n expiresIn?: number;\n /** Timestamp when the token was obtained */\n obtainedAt: number;\n}\n\n/**\n * Copilot-specific token (GitHub OAuth, long-lived).\n *\n * @example\n * ```ts\n * import type { CopilotAuthToken } from \"@witqq/agent-sdk/auth\";\n *\n * const token: CopilotAuthToken = {\n * accessToken: \"gho_abc123...\",\n * tokenType: \"bearer\",\n * obtainedAt: Date.now(),\n * login: \"octocat\",\n * };\n * ```\n */\nexport interface CopilotAuthToken extends AuthToken {\n /** GitHub user login associated with the token */\n login?: string;\n}\n\n/**\n * Claude-specific token (OAuth+PKCE, expires in 8h).\n *\n * @example\n * ```ts\n * import type { ClaudeAuthToken } from \"@witqq/agent-sdk/auth\";\n *\n * const token: ClaudeAuthToken = {\n * accessToken: \"sk-ant-oat01-...\",\n * tokenType: \"bearer\",\n * expiresIn: 28800,\n * obtainedAt: Date.now(),\n * refreshToken: \"sk-ant-rt01-...\",\n * scopes: [\"user:inference\", \"user:profile\"],\n * };\n * ```\n */\nexport interface ClaudeAuthToken extends AuthToken {\n /** Refresh token for obtaining new access tokens */\n refreshToken: string;\n /** OAuth scopes granted */\n scopes: string[];\n}\n\n// ─── Device Flow Types (Copilot) ──────────────────────────────\n\n/**\n * Result of initiating a GitHub Device Flow.\n *\n * @example\n * ```ts\n * import { CopilotAuth } from \"@witqq/agent-sdk/auth\";\n *\n * const auth = new CopilotAuth();\n * const { userCode, verificationUrl, waitForToken } = await auth.startDeviceFlow();\n * console.log(`Open ${verificationUrl} and enter code: ${userCode}`);\n * const token = await waitForToken();\n * ```\n */\nexport interface DeviceFlowResult {\n /** The code the user must enter at the verification URL */\n userCode: string;\n /** URL where the user enters the code */\n verificationUrl: string;\n /** Polls GitHub until user authorizes; resolves with token */\n waitForToken: (signal?: AbortSignal) => Promise<CopilotAuthToken>;\n}\n\n// ─── OAuth Flow Types (Claude) ────────────────────────────────\n\n/** Options for starting a Claude OAuth flow */\nexport interface OAuthFlowOptions {\n /** The redirect URI registered with the OAuth app */\n redirectUri?: string;\n /** OAuth scopes to request (defaults to user:profile user:inference) */\n scopes?: string;\n}\n\n/**\n * Result of initiating a Claude OAuth flow.\n *\n * @example\n * ```ts\n * import type { OAuthFlowResult } from \"@witqq/agent-sdk/auth\";\n *\n * const result: OAuthFlowResult = {\n * authorizeUrl: \"https://claude.ai/oauth/authorize?...\",\n * completeAuth: async (code) => ({ ... }),\n * };\n * // Open result.authorizeUrl in browser, get code from redirect\n * const token = await result.completeAuth(code);\n * ```\n */\nexport interface OAuthFlowResult {\n /** URL to open in browser for user authorization */\n authorizeUrl: string;\n /** Exchange the authorization code (or full redirect URL) for tokens */\n completeAuth: (codeOrUrl: string) => Promise<ClaudeAuthToken>;\n}\n\n// ─── Auth Errors ──────────────────────────────────────────────\n\n/** Base error for auth operations.\n * @param message - Error description\n * @param options - Standard ErrorOptions (e.g. cause)\n */\nexport class AuthError extends Error {\n constructor(message: string, options?: ErrorOptions) {\n super(message, options);\n this.name = \"AuthError\";\n }\n}\n\n/** Device code expired before user authorized */\nexport class DeviceCodeExpiredError extends AuthError {\n constructor() {\n super(\"Device code expired. Please restart the auth flow.\");\n this.name = \"DeviceCodeExpiredError\";\n }\n}\n\n/** User denied access during OAuth flow */\nexport class AccessDeniedError extends AuthError {\n constructor() {\n super(\"Access was denied by the user.\");\n this.name = \"AccessDeniedError\";\n }\n}\n\n/** Token exchange or refresh failed.\n * @param message - Error description\n * @param options - Standard ErrorOptions (e.g. cause)\n */\nexport class TokenExchangeError extends AuthError {\n constructor(message: string, options?: ErrorOptions) {\n super(message, options);\n this.name = \"TokenExchangeError\";\n }\n}\n","import type { CopilotAuthToken, DeviceFlowResult } from \"./types.js\";\nimport {\n AuthError,\n DeviceCodeExpiredError,\n AccessDeniedError,\n} from \"./types.js\";\n\nconst CLIENT_ID = \"Ov23ctDVkRmgkPke0Mmm\";\nconst DEVICE_CODE_URL = \"https://github.com/login/device/code\";\nconst ACCESS_TOKEN_URL = \"https://github.com/login/oauth/access_token\";\nconst USER_API_URL = \"https://api.github.com/user\";\nconst DEFAULT_SCOPES = \"read:user,read:org,repo,gist\";\nconst GRANT_TYPE = \"urn:ietf:params:oauth:grant-type:device_code\";\n\ninterface DeviceCodeResponse {\n device_code: string;\n user_code: string;\n verification_uri: string;\n expires_in: number;\n interval: number;\n}\n\ninterface TokenPollResponse {\n access_token?: string;\n token_type?: string;\n scope?: string;\n error?: string;\n error_description?: string;\n interval?: number;\n}\n\ninterface GitHubUser {\n login: string;\n}\n\n/** Fetch function type for dependency injection in tests */\ntype FetchFn = typeof globalThis.fetch;\n\n/**\n * Programmatic GitHub Device Flow authentication for Copilot SDK.\n *\n * @example\n * ```ts\n * const auth = new CopilotAuth();\n * const flow = await auth.startDeviceFlow();\n * console.log(`Open ${flow.verificationUrl} and enter ${flow.userCode}`);\n * const token = await flow.waitForToken();\n * // Use token.accessToken with CopilotBackendOptions.githubToken\n * ```\n */\nexport class CopilotAuth {\n private readonly fetchFn: FetchFn;\n\n /** @param options - Optional configuration with custom fetch for testing */\n constructor(options?: { fetch?: FetchFn }) {\n this.fetchFn = options?.fetch ?? globalThis.fetch;\n }\n\n /**\n * Start the GitHub Device Flow.\n * Returns a device code result with user code, verification URL,\n * and a `waitForToken()` function that polls until the user authorizes.\n *\n * @param options - Optional scopes and abort signal\n * @returns Device flow result with user code, verification URL, and waitForToken poller\n * @throws {AuthError} If the device code request fails\n * @throws {DeviceCodeExpiredError} If the device code expires before user authorizes\n * @throws {AccessDeniedError} If the user denies access\n *\n * @example\n * ```ts\n * const auth = new CopilotAuth();\n * const { userCode, verificationUrl, waitForToken } = await auth.startDeviceFlow();\n * console.log(`Open ${verificationUrl} and enter code: ${userCode}`);\n * const token = await waitForToken();\n * ```\n */\n async startDeviceFlow(options?: {\n scopes?: string;\n signal?: AbortSignal;\n }): Promise<DeviceFlowResult> {\n const scopes = options?.scopes ?? DEFAULT_SCOPES;\n const response = await this.fetchFn(DEVICE_CODE_URL, {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n Accept: \"application/json\",\n },\n body: new URLSearchParams({\n client_id: CLIENT_ID,\n scope: scopes,\n }),\n signal: options?.signal,\n });\n\n if (!response.ok) {\n throw new AuthError(\n `Failed to request device code: ${response.status} ${response.statusText}`,\n );\n }\n\n const data = (await response.json()) as DeviceCodeResponse;\n\n return {\n userCode: data.user_code,\n verificationUrl: data.verification_uri,\n waitForToken: (signal?: AbortSignal) =>\n this.pollForToken(data.device_code, data.interval, signal),\n };\n }\n\n private async pollForToken(\n deviceCode: string,\n interval: number,\n signal?: AbortSignal,\n ): Promise<CopilotAuthToken> {\n let pollIntervalMs = interval * 1000;\n\n while (true) {\n if (signal?.aborted) {\n throw new AuthError(\"Authentication was aborted.\");\n }\n\n await this.delay(pollIntervalMs, signal);\n\n const response = await this.fetchFn(ACCESS_TOKEN_URL, {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n Accept: \"application/json\",\n },\n body: new URLSearchParams({\n client_id: CLIENT_ID,\n device_code: deviceCode,\n grant_type: GRANT_TYPE,\n }),\n signal,\n });\n\n if (!response.ok) {\n throw new AuthError(\n `Token poll failed: ${response.status} ${response.statusText}`,\n );\n }\n\n const data = (await response.json()) as TokenPollResponse;\n\n if (data.access_token) {\n const token: CopilotAuthToken = {\n accessToken: data.access_token,\n tokenType: data.token_type ?? \"bearer\",\n obtainedAt: Date.now(),\n };\n\n // Try to fetch user login\n try {\n const login = await this.fetchUserLogin(data.access_token, signal);\n if (login) token.login = login;\n } catch {\n // Non-critical: login is optional\n }\n\n return token;\n }\n\n if (data.error === \"authorization_pending\") {\n continue;\n }\n\n if (data.error === \"slow_down\") {\n pollIntervalMs = (data.interval ?? interval + 5) * 1000;\n continue;\n }\n\n if (data.error === \"expired_token\") {\n throw new DeviceCodeExpiredError();\n }\n\n if (data.error === \"access_denied\") {\n throw new AccessDeniedError();\n }\n\n throw new AuthError(\n data.error_description ?? `Unexpected error: ${data.error}`,\n );\n }\n }\n\n private async fetchUserLogin(\n token: string,\n signal?: AbortSignal,\n ): Promise<string | undefined> {\n const response = await this.fetchFn(USER_API_URL, {\n headers: {\n Authorization: `Bearer ${token}`,\n Accept: \"application/json\",\n },\n signal,\n });\n\n if (!response.ok) return undefined;\n\n const user = (await response.json()) as GitHubUser;\n return user.login;\n }\n\n private delay(ms: number, signal?: AbortSignal): Promise<void> {\n return new Promise((resolve, reject) => {\n const timer = setTimeout(resolve, ms);\n signal?.addEventListener(\n \"abort\",\n () => {\n clearTimeout(timer);\n reject(new AuthError(\"Authentication was aborted.\"));\n },\n { once: true },\n );\n });\n }\n}\n","import type { ClaudeAuthToken, OAuthFlowResult, OAuthFlowOptions } from \"./types.js\";\nimport { TokenExchangeError } from \"./types.js\";\nimport { createHash, randomBytes as nodeRandomBytes } from \"node:crypto\";\n\nconst CLIENT_ID = \"9d1c250a-e61b-44d9-88ed-5944d1962f5e\";\nconst AUTHORIZE_URL = \"https://claude.ai/oauth/authorize\";\nconst TOKEN_URL = \"https://platform.claude.com/v1/oauth/token\";\nconst DEFAULT_REDIRECT_URI =\n \"https://platform.claude.com/oauth/code/callback\";\nconst DEFAULT_SCOPES =\n \"user:profile user:inference user:sessions:claude_code user:mcp_servers\";\n\n/** Fetch function type for dependency injection in tests */\ntype FetchFn = typeof globalThis.fetch;\n\n/** Random bytes generator for dependency injection in tests */\ntype RandomBytesFn = (size: number) => Uint8Array;\n\n/**\n * Programmatic OAuth+PKCE authentication for Claude SDK.\n *\n * @example\n * ```ts\n * const auth = new ClaudeAuth();\n * const { authorizeUrl, completeAuth } = auth.startOAuthFlow({\n * redirectUri: \"https://platform.claude.com/oauth/code/callback\",\n * });\n * // Open authorizeUrl in browser, get code from redirect\n * const token = await completeAuth(code);\n * // Use token with ClaudeBackendOptions: env.CLAUDE_CODE_OAUTH_TOKEN\n * ```\n */\nexport class ClaudeAuth {\n private readonly fetchFn: FetchFn;\n private readonly randomBytes: RandomBytesFn;\n\n /**\n * @param options - Optional configuration with custom fetch and random bytes for testing\n */\n constructor(options?: {\n fetch?: FetchFn;\n randomBytes?: RandomBytesFn;\n }) {\n this.fetchFn = options?.fetch ?? globalThis.fetch;\n this.randomBytes = options?.randomBytes ?? defaultRandomBytes;\n }\n\n /**\n * Start the Claude OAuth+PKCE flow.\n * Generates PKCE code verifier/challenge and returns an authorize URL\n * plus a `completeAuth(code)` function for token exchange.\n *\n * @param options - Redirect URI and optional scopes\n * @returns OAuth flow result with authorize URL and completeAuth function\n * @throws {AuthError} If PKCE generation fails\n *\n * @example\n * ```ts\n * const auth = new ClaudeAuth();\n * const { authorizeUrl, completeAuth } = auth.startOAuthFlow({\n * redirectUri: \"https://platform.claude.com/oauth/code/callback\",\n * });\n * console.log(`Open: ${authorizeUrl}`);\n * const token = await completeAuth(authorizationCode);\n * ```\n */\n startOAuthFlow(options?: OAuthFlowOptions): OAuthFlowResult {\n const redirectUri = options?.redirectUri ?? DEFAULT_REDIRECT_URI;\n const scopes = options?.scopes ?? DEFAULT_SCOPES;\n\n const codeVerifier = this.generateCodeVerifier();\n const state = this.generateState();\n\n const authorizeUrl = this.buildAuthorizeUrl(\n redirectUri,\n scopes,\n codeVerifier,\n state,\n );\n\n return {\n authorizeUrl,\n completeAuth: (codeOrUrl: string) => {\n const code = ClaudeAuth.extractCode(codeOrUrl);\n return this.exchangeCode(code, codeVerifier, state, redirectUri);\n },\n };\n }\n\n /**\n * Extract an authorization code from user input.\n * Accepts a raw code string or a full redirect URL containing a `code` query parameter.\n *\n * @param input - Raw authorization code or redirect URL\n * @returns The extracted authorization code\n *\n * @example\n * ```ts\n * ClaudeAuth.extractCode(\"abc123\"); // \"abc123\"\n * ClaudeAuth.extractCode(\"https://platform.claude.com/oauth/code/callback?code=abc123&state=xyz\"); // \"abc123\"\n * ```\n */\n static extractCode(input: string): string {\n const trimmed = input.trim();\n try {\n const url = new URL(trimmed);\n const code = url.searchParams.get(\"code\");\n if (code) return code;\n } catch {\n // Not a URL — treat as raw code\n }\n // Handle code#state format from redirect page\n const hashIdx = trimmed.indexOf(\"#\");\n if (hashIdx > 0) {\n return trimmed.substring(0, hashIdx);\n }\n return trimmed;\n }\n\n /**\n * Refresh an expired Claude token.\n *\n * @param refreshToken - The refresh token from a previous authentication\n * @returns New auth token with refreshed access token\n * @throws {TokenExchangeError} If the refresh request fails\n *\n * @example\n * ```ts\n * const auth = new ClaudeAuth();\n * const newToken = await auth.refreshToken(oldToken.refreshToken);\n * ```\n */\n async refreshToken(refreshToken: string): Promise<ClaudeAuthToken> {\n const response = await this.fetchFn(TOKEN_URL, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({\n grant_type: \"refresh_token\",\n refresh_token: refreshToken,\n client_id: CLIENT_ID,\n }),\n });\n\n if (!response.ok) {\n const text = await response.text();\n throw new TokenExchangeError(\n `Token refresh failed: ${response.status} ${text}`,\n );\n }\n\n const data = (await response.json()) as TokenResponse;\n return this.mapTokenResponse(data);\n }\n\n private generateCodeVerifier(): string {\n const bytes = this.randomBytes(96);\n return base64Encode(bytes)\n .replace(/\\+/g, \"~\")\n .replace(/=/g, \"_\")\n .replace(/\\//g, \"-\");\n }\n\n private generateState(): string {\n const bytes = this.randomBytes(16);\n return hexEncode(bytes);\n }\n\n private buildAuthorizeUrl(\n redirectUri: string,\n scopes: string,\n codeVerifier: string,\n state: string,\n ): string {\n const codeChallenge = this.generateCodeChallengeSync(codeVerifier);\n\n const url = new URL(AUTHORIZE_URL);\n url.searchParams.set(\"code\", \"true\");\n url.searchParams.set(\"client_id\", CLIENT_ID);\n url.searchParams.set(\"response_type\", \"code\");\n url.searchParams.set(\"redirect_uri\", redirectUri);\n url.searchParams.set(\"scope\", scopes);\n url.searchParams.set(\"code_challenge\", codeChallenge);\n url.searchParams.set(\"code_challenge_method\", \"S256\");\n url.searchParams.set(\"state\", state);\n\n return url.toString();\n }\n\n private generateCodeChallengeSync(verifier: string): string {\n const hash = createHash(\"sha256\").update(verifier).digest(\"base64\");\n return hash.split(\"=\")[0].replace(/\\+/g, \"-\").replace(/\\//g, \"_\");\n }\n\n private async exchangeCode(\n code: string,\n codeVerifier: string,\n state: string,\n redirectUri: string,\n ): Promise<ClaudeAuthToken> {\n const response = await this.fetchFn(TOKEN_URL, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({\n grant_type: \"authorization_code\",\n code,\n redirect_uri: redirectUri,\n client_id: CLIENT_ID,\n code_verifier: codeVerifier,\n state,\n }),\n });\n\n if (!response.ok) {\n const text = await response.text();\n throw new TokenExchangeError(\n `Token exchange failed: ${response.status} ${text}`,\n );\n }\n\n const data = (await response.json()) as TokenResponse;\n return this.mapTokenResponse(data);\n }\n\n private mapTokenResponse(data: TokenResponse): ClaudeAuthToken {\n return {\n accessToken: data.access_token,\n tokenType: data.token_type ?? \"bearer\",\n expiresIn: data.expires_in,\n obtainedAt: Date.now(),\n refreshToken: data.refresh_token,\n scopes: data.scope?.split(\" \") ?? [],\n };\n }\n}\n\n// ─── Internal Types ───────────────────────────────────────────\n\ninterface TokenResponse {\n access_token: string;\n token_type?: string;\n expires_in?: number;\n scope?: string;\n refresh_token: string;\n}\n\n// ─── Utility Functions ────────────────────────────────────────\n\nfunction defaultRandomBytes(size: number): Uint8Array {\n return new Uint8Array(nodeRandomBytes(size));\n}\n\nfunction base64Encode(bytes: Uint8Array): string {\n return Buffer.from(bytes).toString(\"base64\");\n}\n\nfunction hexEncode(bytes: Uint8Array): string {\n return Buffer.from(bytes).toString(\"hex\");\n}\n"]}