@wrongstack/providers 0.265.1 → 0.268.0

package/dist/index.d.ts

@@ -1,3 +1,4 @@
+import * as _wrongstack_core from '@wrongstack/core';
 import { Provider, Capabilities, Request, Response, StreamEvent, ProviderError, TextBlock, Message, Tool, WireFamily, ProviderFactory, Usage, StopReason, ModelsRegistry, CustomModelDefinition, ContentBlock, Logger, ProviderConfig } from '@wrongstack/core';
 
 /**
@@ -92,7 +93,7 @@ declare abstract class WireAdapter implements Provider {
     /** Map Request fields to the wire request body. */
     protected abstract buildBody(req: Request): Record<string, unknown>;
     /** Translate wire SSE events into canonical StreamEvent[]. */
-    protected abstract parseStream(body: ReadableStream<Uint8Array> | NodeJS.ReadableStream | null, fallbackModel: string): AsyncIterable<StreamEvent>;
+    protected abstract parseStream(body: ReadableStream<Uint8Array> | NodeJS.ReadableStream | null, fallbackModel: string, req: Request): AsyncIterable<StreamEvent>;
     /** Build a ProviderError from an HTTP failure response. */
     protected translateError(status: number, body: string): ProviderError;
 }
@@ -107,14 +108,14 @@ interface AnthropicProviderOptions {
     streamOpts?: WireAdapterStreamOptions | undefined;
 }
 declare class AnthropicProvider extends WireAdapter {
-    readonly id = "anthropic";
+    readonly id: string;
     readonly capabilities: Capabilities;
     private readonly opts;
     constructor(opts: AnthropicProviderOptions);
     protected buildUrl(_req: Request): string;
     protected buildHeaders(req: Request): Record<string, string>;
     protected buildBody(req: Request): Record<string, unknown>;
-    protected parseStream(body: Parameters<typeof parseSSE>[0], fallbackModel: string): AsyncIterable<StreamEvent>;
+    protected parseStream(body: Parameters<typeof parseSSE>[0], fallbackModel: string, req: Request): AsyncIterable<StreamEvent>;
     protected translateError(status: number, text: string): ProviderError;
     private normalizeMessage;
 }
@@ -196,6 +197,7 @@ interface OpenAIProviderOptions {
     quirks?: ConvertOptions & {
         parallelToolsDisabled?: boolean | undefined;
         jsonArgumentsBuggy?: boolean | undefined;
+        thinkingParam?: 'zai-glm' | 'kimi-toggle' | 'always-on' | undefined;
     } | undefined;
     id?: string | undefined;
     capabilities?: Partial<Capabilities> | undefined;
@@ -230,6 +232,7 @@ interface CompatibilityQuirks {
     parallelToolsDisabled?: boolean | undefined;
     jsonArgumentsBuggy?: boolean | undefined;
     emptyToolCallContent?: 'null' | 'empty_string' | undefined;
+    thinkingParam?: 'zai-glm' | 'kimi-toggle' | 'always-on' | undefined;
 }
 interface OpenAICompatibleOptions {
     id: string;
@@ -259,6 +262,7 @@ declare class OpenAICompatibleProvider extends OpenAIProvider {
      * OpenAI's newer `max_completion_tokens`. Keep the legacy field here. See #10.
      */
     protected tokenLimitParam(): string;
+    protected buildBody(req: Request): Record<string, unknown>;
     protected buildHeaders(req: Request): Record<string, string>;
 }
 
@@ -295,6 +299,212 @@ declare class GoogleProvider extends WireAdapter {
     private buildGenConfig;
 }
 
+/**
+ * `openai-codex` wire family — the ChatGPT-backend Responses API.
+ *
+ * This is the transport used by "Sign in with ChatGPT" (OAuth) credentials.
+ * It speaks the OpenAI **Responses** wire format (NOT chat/completions) and
+ * targets `https://chatgpt.com/backend-api/codex/responses`, authenticating
+ * with the OAuth access token + `chatgpt-account-id` header. It deliberately
+ * leaves the API-key `openai` family (api.openai.com/chat/completions)
+ * untouched — the two coexist as separate providers.
+ *
+ * Token lifecycle: the access token is short-lived. This adapter refreshes it
+ * transparently — before a request when it is near expiry, and once more on a
+ * 401 — using the stored refresh token, then invokes `onRefresh` so the CLI
+ * can persist the rotated tokens back to the vault.
+ *
+ * The refresh endpoint + client id are duplicated here (rather than imported
+ * from the CLI) to respect the package layering: `providers` must not depend
+ * on `cli`. They are tiny constants that match the CLI login module.
+ */
+
+interface CodexOAuthTokens {
+    access: string;
+    refresh: string;
+    /** Absolute expiry in epoch milliseconds. */
+    expires: number;
+}
+/** Refresh an expired Codex access token using its refresh token. */
+declare function refreshCodexAccessToken(refreshToken: string, signal?: AbortSignal): Promise<CodexOAuthTokens>;
+/** Extract `chatgpt_account_id` from an access-token JWT, or null. */
+declare function extractAccountId(token: string): string | null;
+interface CodexCredentials {
+    /** The OAuth access token (a JWT). */
+    accessToken: string;
+    /** The refresh token, used to mint a new access token before/at expiry. */
+    refreshToken?: string | undefined;
+    /** Access-token expiry, epoch ms. When absent, refresh only fires on 401. */
+    expiresAt?: number | undefined;
+    /** Cached ChatGPT account id. Re-derived from the live token when missing. */
+    accountId?: string | undefined;
+}
+interface OpenAICodexProviderOptions {
+    credentials: CodexCredentials;
+    baseUrl?: string | undefined;
+    id?: string | undefined;
+    fetchImpl?: typeof fetch | undefined;
+    capabilities?: Partial<Capabilities> | undefined;
+    streamOpts?: WireAdapterStreamOptions | undefined;
+    /**
+     * Persist rotated tokens after a successful refresh. The CLI wires this to
+     * write back to the encrypted config so the new access/refresh pair survive
+     * the session.
+     */
+    onRefresh?: ((creds: {
+        accessToken: string;
+        refreshToken: string;
+        expiresAt: number;
+        accountId: string | undefined;
+    }) => void) | undefined;
+    /** Override the refresh call (tests). */
+    refreshFn?: ((refreshToken: string, signal?: AbortSignal) => Promise<CodexOAuthTokens>) | undefined;
+    /**
+     * Reasoning effort for the Codex (gpt-5.x) reasoning models. Sent as
+     * `reasoning.effort` with `summary: 'auto'` so chain-of-thought streams back
+     * as thinking deltas. Default 'medium'. Set 'none' to omit reasoning entirely.
+     */
+    reasoningEffort?: 'none' | 'minimal' | 'low' | 'medium' | 'high' | undefined;
+}
+declare class OpenAICodexProvider extends WireAdapter {
+    readonly id: string;
+    readonly capabilities: Capabilities;
+    private access;
+    private refresh;
+    private expiresAt;
+    private accountId;
+    private readonly onRefresh;
+    private readonly refreshFn;
+    private readonly reasoningEffort;
+    constructor(opts: OpenAICodexProviderOptions);
+    stream(req: Request, opts: {
+        signal: AbortSignal;
+    }): AsyncIterable<StreamEvent>;
+    private ensureFreshToken;
+    private doRefresh;
+    protected buildUrl(_req: Request): string;
+    protected buildHeaders(_req: Request): Record<string, string>;
+    protected buildBody(req: Request): Record<string, unknown>;
+    protected parseStream(body: ReadableStream<Uint8Array> | NodeJS.ReadableStream | null, fallbackModel: string): AsyncIterable<StreamEvent>;
+    protected translateError(status: number, text: string): ProviderError;
+}
+/** Normalize a base URL to the `/codex/responses` endpoint. */
+declare function resolveCodexUrl(baseUrl: string | undefined): string;
+
+/**
+ * `anthropic-oauth` wire family — Claude Pro/Max via "Sign in with Claude".
+ *
+ * Same wire as the API-key `anthropic` family (api.anthropic.com/v1/messages),
+ * but authenticated with an OAuth access token instead of an API key. Three
+ * things differ from the API-key path, all REQUIRED for the subscription
+ * backend to accept the request:
+ *   1. `Authorization: Bearer <access>` (no `x-api-key`).
+ *   2. `anthropic-beta: claude-code-20250219,oauth-2025-04-20`.
+ *   3. The first system block MUST be exactly the Claude Code identity line —
+ *      Anthropic rejects OAuth requests whose system prompt doesn't lead with it.
+ *
+ * The API-key `anthropic` family is untouched. Tokens self-refresh (near-expiry
+ * + once on 401) via the refresh token; rotated tokens persist through the same
+ * `setOAuthTokenPersister` hook the codex family uses.
+ */
+
+/** Required first system block for OAuth/subscription requests. */
+declare const CLAUDE_CODE_SYSTEM_PROMPT = "You are Claude Code, Anthropic's official CLI for Claude.";
+interface AnthropicOAuthTokens {
+    access: string;
+    refresh: string;
+    /** Absolute expiry in epoch milliseconds. */
+    expires: number;
+}
+/** Refresh an expired Claude OAuth access token. */
+declare function refreshAnthropicOAuthToken(refreshToken: string, signal?: AbortSignal): Promise<AnthropicOAuthTokens>;
+interface AnthropicOAuthCredentials {
+    accessToken: string;
+    refreshToken?: string | undefined;
+    expiresAt?: number | undefined;
+}
+interface AnthropicOAuthProviderOptions {
+    credentials: AnthropicOAuthCredentials;
+    baseUrl?: string | undefined;
+    id?: string | undefined;
+    fetchImpl?: typeof fetch | undefined;
+    streamOpts?: WireAdapterStreamOptions | undefined;
+    onRefresh?: ((creds: {
+        accessToken: string;
+        refreshToken: string;
+        expiresAt: number;
+    }) => void) | undefined;
+    refreshFn?: ((refreshToken: string, signal?: AbortSignal) => Promise<AnthropicOAuthTokens>) | undefined;
+}
+declare class AnthropicOAuthProvider extends AnthropicProvider {
+    readonly id: string;
+    readonly capabilities: Capabilities;
+    private access;
+    private refresh;
+    private expiresAt;
+    private readonly onRefresh;
+    private readonly refreshFn;
+    constructor(opts: AnthropicOAuthProviderOptions);
+    stream(req: Request, opts: {
+        signal: AbortSignal;
+    }): AsyncGenerator<StreamEvent, void, any>;
+    /** Map Claude-Code-cased tool_use names in the stream back to real names. */
+    private remapToolNames;
+    private ensureFreshToken;
+    private doRefresh;
+    protected buildHeaders(_req: Request): Record<string, string>;
+    protected buildBody(req: Request): Record<string, unknown>;
+}
+
+/** Derive the Copilot API base URL from a Copilot token's `proxy-ep` field. */
+declare function copilotBaseUrlFromToken(token: string | undefined): string;
+interface CopilotTokenResult {
+    /** The short-lived Copilot token (the access token used for chat). */
+    token: string;
+    /** Absolute expiry in epoch milliseconds. */
+    expires: number;
+}
+/** Mint a fresh Copilot token from the long-lived GitHub OAuth token. */
+declare function refreshCopilotToken(githubToken: string, signal?: AbortSignal): Promise<CopilotTokenResult>;
+interface CopilotCredentials {
+    /** Current Copilot token (access). May be empty → minted on first request. */
+    copilotToken: string;
+    /** Long-lived GitHub OAuth token (refresh; does not rotate). */
+    githubToken?: string | undefined;
+    /** Copilot-token expiry, epoch ms. */
+    expiresAt?: number | undefined;
+}
+interface GitHubCopilotProviderOptions {
+    credentials: CopilotCredentials;
+    id?: string | undefined;
+    fetchImpl?: typeof fetch | undefined;
+    capabilities?: Partial<Capabilities> | undefined;
+    streamOpts?: WireAdapterStreamOptions | undefined;
+    onRefresh?: ((creds: {
+        accessToken: string;
+        refreshToken: string;
+        expiresAt: number;
+    }) => void) | undefined;
+    refreshFn?: ((githubToken: string, signal?: AbortSignal) => Promise<CopilotTokenResult>) | undefined;
+}
+declare class GitHubCopilotProvider extends OpenAIProvider {
+    readonly capabilities: Capabilities;
+    private copilotToken;
+    private readonly githubToken;
+    private expiresAt;
+    private apiBase;
+    private readonly onRefresh;
+    private readonly refreshFn;
+    constructor(opts: GitHubCopilotProviderOptions);
+    stream(req: Request, opts: {
+        signal: AbortSignal;
+    }): AsyncGenerator<_wrongstack_core.StreamEvent, void, any>;
+    private ensureFreshToken;
+    private doRefresh;
+    protected buildUrl(_req: Request): string;
+    protected buildHeaders(_req: Request): Record<string, string>;
+}
+
 /**
  * Singleton gate for stream debug logging.
  *
@@ -608,6 +818,19 @@ interface BuildFactoriesOptions {
     /** Used to log unsupported families during boot. */
     log?: Logger | undefined;
 }
+/** Rotated-token payload handed to the OAuth persister after a refresh. */
+interface OAuthRefreshedTokens {
+    accessToken: string;
+    refreshToken: string;
+    expiresAt: number;
+    /** ChatGPT account id (codex only); undefined for other OAuth families. */
+    accountId?: string | undefined;
+}
+/** @deprecated use OAuthRefreshedTokens */
+type CodexRefreshedTokens = OAuthRefreshedTokens;
+declare function setOAuthTokenPersister(fn: ((providerId: string, creds: OAuthRefreshedTokens) => void) | undefined): void;
+/** @deprecated use setOAuthTokenPersister */
+declare const setCodexTokenPersister: typeof setOAuthTokenPersister;
 /**
  * Build one ProviderFactory per provider known to models.dev. The factory's
  * `create(cfg)` resolves the wire-family at construction time and returns the
@@ -621,4 +844,4 @@ declare function buildProviderFactoriesFromRegistry(opts: BuildFactoriesOptions)
  */
 declare function makeProviderFromConfig(id: string, cfg: ProviderConfig): Provider;
 
-export { AnthropicProvider, type AnthropicProviderOptions, type BuildFactoriesOptions, CAPABILITIES_BY_FAMILY, type CompatibilityQuirks, type ConvertOptions, type DebugStreamCallback, type DebugStreamStats, GoogleProvider, type GoogleProviderOptions, type OpenAIChoice, type OpenAICompatibleOptions, OpenAICompatibleProvider, type OpenAIMessage, OpenAIProvider, type OpenAIProviderOptions, type OpenAIToolCall, WireAdapter, type WireAdapterStreamOptions, type WireFactoryOptions, type WireFormatConfig, WireFormatProvider, anthropicWireFormat, buildProviderFactoriesFromRegistry, capabilitiesFor, capabilitiesForFamily, contentFromAnthropic, contentFromOpenAI, createWireFormatFactory, defaultDebugStreamCallback, defineWireFormat, googleWireFormat, isDebugStreamEnabled, makeProviderFromConfig, messagesToOpenAI, mistralWireFormat, normalizeAnthropic, normalizeOpenAI, openaiWireFormat, parseProviderHttpError, pushDebugChunkStats, setDebugStreamCallback, setDebugStreamEnabled, toolsToAnthropic, toolsToOpenAI };
+export { type AnthropicOAuthCredentials, AnthropicOAuthProvider, type AnthropicOAuthProviderOptions, type AnthropicOAuthTokens, AnthropicProvider, type AnthropicProviderOptions, type BuildFactoriesOptions, CAPABILITIES_BY_FAMILY, CLAUDE_CODE_SYSTEM_PROMPT, type CodexCredentials, type CodexOAuthTokens, type CodexRefreshedTokens, type CompatibilityQuirks, type ConvertOptions, type CopilotCredentials, type CopilotTokenResult, type DebugStreamCallback, type DebugStreamStats, GitHubCopilotProvider, type GitHubCopilotProviderOptions, GoogleProvider, type GoogleProviderOptions, type OAuthRefreshedTokens, type OpenAIChoice, OpenAICodexProvider, type OpenAICodexProviderOptions, type OpenAICompatibleOptions, OpenAICompatibleProvider, type OpenAIMessage, OpenAIProvider, type OpenAIProviderOptions, type OpenAIToolCall, WireAdapter, type WireAdapterStreamOptions, type WireFactoryOptions, type WireFormatConfig, WireFormatProvider, anthropicWireFormat, buildProviderFactoriesFromRegistry, capabilitiesFor, capabilitiesForFamily, contentFromAnthropic, contentFromOpenAI, copilotBaseUrlFromToken, createWireFormatFactory, defaultDebugStreamCallback, defineWireFormat, extractAccountId, googleWireFormat, isDebugStreamEnabled, makeProviderFromConfig, messagesToOpenAI, mistralWireFormat, normalizeAnthropic, normalizeOpenAI, openaiWireFormat, parseProviderHttpError, pushDebugChunkStats, refreshAnthropicOAuthToken, refreshCodexAccessToken, refreshCopilotToken, resolveCodexUrl, setCodexTokenPersister, setDebugStreamCallback, setDebugStreamEnabled, setOAuthTokenPersister, toolsToAnthropic, toolsToOpenAI };