@zhafron/opencode-kiro-auth 1.0.0

package/README.md

@@ -0,0 +1,85 @@
+# @zhafron/opencode-kiro-auth
+
+OpenCode plugin for AWS Kiro (CodeWhisperer) providing access to the latest Claude 3.5/4.5 models with substantial trial quotas.
+
+## Features
+
+- AWS Builder ID (IDC) authentication with seamless device code flow.
+- Intelligent multi-account rotation prioritized by lowest usage.
+- Automated token refresh and rate limit handling with exponential backoff.
+- Native thinking mode support via virtual model mappings.
+- Decoupled storage for credentials and real-time usage metadata.
+
+## Installation
+
+Add the plugin to your `opencode.json` or `opencode.jsonc`:
+
+```json
+{
+  "plugin": ["@zhafron/opencode-kiro-auth"],
+  "provider": {
+    "kiro": {
+      "models": {
+        "claude-opus-4-5": {
+          "name": "Claude Opus 4.5",
+          "limit": { "context": 200000, "output": 64000 },
+          "modalities": { "input": ["text", "image"], "output": ["text"] }
+        },
+        "claude-opus-4-5-thinking": {
+          "name": "Claude Opus 4.5 Thinking",
+          "limit": { "context": 200000, "output": 64000 },
+          "modalities": { "input": ["text", "image"], "output": ["text"] },
+          "variants": {
+            "low": { "thinkingConfig": { "thinkingBudget": 8192 } },
+            "medium": { "thinkingConfig": { "thinkingBudget": 16384 } },
+            "max": { "thinkingConfig": { "thinkingBudget": 32768 } }
+          }
+        },
+        "claude-sonnet-4-5": {
+          "name": "Claude Sonnet 4.5",
+          "limit": { "context": 200000, "output": 64000 },
+          "modalities": { "input": ["text", "image"], "output": ["text"] }
+        },
+        "claude-sonnet-4-5-thinking": {
+          "name": "Claude Sonnet 4.5 Thinking",
+          "limit": { "context": 200000, "output": 64000 },
+          "modalities": { "input": ["text", "image"], "output": ["text"] },
+          "variants": {
+            "low": { "thinkingConfig": { "thinkingBudget": 8192 } },
+            "medium": { "thinkingConfig": { "thinkingBudget": 16384 } },
+            "max": { "thinkingConfig": { "thinkingBudget": 32768 } }
+          }
+        },
+        "claude-haiku-4-5": {
+          "name": "Claude Haiku 4.5",
+          "limit": { "context": 200000, "output": 64000 },
+          "modalities": { "input": ["text", "image"], "output": ["text"] }
+        }
+      }
+    }
+  }
+}
+```
+
+## Setup
+
+1. Run `opencode auth login`.
+2. Select `Other`, type `kiro`, and press enter.
+3. Follow the terminal instructions to complete the AWS Builder ID authentication.
+4. Configuration template will be automatically created at `~/.config/opencode/kiro.json` on first load.
+
+## Storage
+
+- Credentials: `~/.config/opencode/kiro-accounts.json`
+- Usage Tracking: `~/.config/opencode/kiro-usage.json`
+- Plugin Config: `~/.config/opencode/kiro.json`
+
+## Acknowledgements
+
+Special thanks to [AIClient-2-API](https://github.com/justlovemaki/AIClient-2-API) for providing the foundational Kiro authentication logic and request patterns.
+
+## Disclaimer
+
+This plugin is provided strictly for learning and educational purposes. It is an independent implementation and is not affiliated with, endorsed by, or supported by Amazon Web Services (AWS) or Anthropic. Use of this plugin is at your own risk.
+
+Feel free to open a PR to optimize this plugin further.

package/dist/constants.d.ts

@@ -0,0 +1,26 @@
+import type { KiroRegion } from './plugin/types';
+export declare function isValidRegion(region: string): region is KiroRegion;
+export declare function normalizeRegion(region: string | undefined): KiroRegion;
+export declare function buildUrl(template: string, region: KiroRegion): string;
+export declare function validateUrl(url: string): boolean;
+export declare const KIRO_CONSTANTS: {
+    REFRESH_URL: string;
+    REFRESH_IDC_URL: string;
+    BASE_URL: string;
+    USAGE_LIMITS_URL: string;
+    DEFAULT_REGION: KiroRegion;
+    ACCESS_TOKEN_EXPIRY_BUFFER_MS: number;
+    AXIOS_TIMEOUT: number;
+    USER_AGENT: string;
+    KIRO_VERSION: string;
+    CHAT_TRIGGER_TYPE_MANUAL: string;
+    ORIGIN_AI_EDITOR: string;
+};
+export declare const MODEL_MAPPING: Record<string, string>;
+export declare const SUPPORTED_MODELS: string[];
+export declare const KIRO_AUTH_SERVICE: {
+    ENDPOINT: string;
+    SSO_OIDC_ENDPOINT: string;
+    BUILDER_ID_START_URL: string;
+    SCOPES: string[];
+};

package/dist/constants.js

@@ -0,0 +1,60 @@
+const VALID_REGIONS = ['us-east-1', 'us-west-2'];
+export function isValidRegion(region) {
+    return VALID_REGIONS.includes(region);
+}
+export function normalizeRegion(region) {
+    if (!region || !isValidRegion(region)) {
+        return 'us-east-1';
+    }
+    return region;
+}
+export function buildUrl(template, region) {
+    const url = template.replace('{{region}}', region);
+    try {
+        new URL(url);
+        return url;
+    }
+    catch {
+        throw new Error(`Invalid URL generated: ${url}`);
+    }
+}
+export function validateUrl(url) {
+    try {
+        new URL(url);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export const KIRO_CONSTANTS = {
+    REFRESH_URL: 'https://prod.{{region}}.auth.desktop.kiro.dev/refreshToken',
+    REFRESH_IDC_URL: 'https://oidc.{{region}}.amazonaws.com/token',
+    BASE_URL: 'https://q.{{region}}.amazonaws.com/generateAssistantResponse',
+    USAGE_LIMITS_URL: 'https://q.{{region}}.amazonaws.com/getUsageLimits',
+    DEFAULT_REGION: 'us-east-1',
+    ACCESS_TOKEN_EXPIRY_BUFFER_MS: 60000,
+    AXIOS_TIMEOUT: 120000,
+    USER_AGENT: 'KiroIDE',
+    KIRO_VERSION: '0.7.5',
+    CHAT_TRIGGER_TYPE_MANUAL: 'MANUAL',
+    ORIGIN_AI_EDITOR: 'AI_EDITOR'
+};
+export const MODEL_MAPPING = {
+    'claude-opus-4-5': 'claude-opus-4.5',
+    'claude-opus-4-5-thinking': 'claude-opus-4.5',
+    'claude-opus-4-5-20251101': 'claude-opus-4.5',
+    'claude-haiku-4-5': 'claude-haiku-4.5',
+    'claude-sonnet-4-5': 'CLAUDE_SONNET_4_5_20250929_V1_0',
+    'claude-sonnet-4-5-thinking': 'CLAUDE_SONNET_4_5_20250929_V1_0',
+    'claude-sonnet-4-5-20250929': 'CLAUDE_SONNET_4_5_20250929_V1_0',
+    'claude-sonnet-4-20250514': 'CLAUDE_SONNET_4_20250514_V1_0',
+    'claude-3-7-sonnet-20250219': 'CLAUDE_3_7_SONNET_20250219_V1_0'
+};
+export const SUPPORTED_MODELS = Object.keys(MODEL_MAPPING);
+export const KIRO_AUTH_SERVICE = {
+    ENDPOINT: 'https://prod.{{region}}.auth.desktop.kiro.dev',
+    SSO_OIDC_ENDPOINT: 'https://oidc.{{region}}.amazonaws.com',
+    BUILDER_ID_START_URL: 'https://view.awsapps.com/start',
+    SCOPES: ['codewhisperer:completions', 'codewhisperer:analysis', 'codewhisperer:conversations', 'codewhisperer:transformations', 'codewhisperer:taskassist']
+};

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+export { KiroOAuthPlugin } from './plugin.js';
+export type { KiroConfig } from './plugin/config/index.js';
+export type { KiroRegion, KiroAuthMethod, ManagedAccount } from './plugin/types.js';

package/dist/index.js

@@ -0,0 +1 @@
+export { KiroOAuthPlugin } from './plugin.js';

package/dist/kiro/auth.d.ts

@@ -0,0 +1,5 @@
+import type { KiroAuthDetails, RefreshParts } from '../plugin/types';
+export declare function decodeRefreshToken(refresh: string): RefreshParts;
+export declare function accessTokenExpired(auth: KiroAuthDetails): boolean;
+export declare function validateAuthDetails(auth: KiroAuthDetails): boolean;
+export declare function encodeRefreshToken(parts: RefreshParts): string;

package/dist/kiro/auth.js

@@ -0,0 +1,24 @@
+import { KIRO_CONSTANTS } from '../constants';
+export function decodeRefreshToken(refresh) {
+    const parts = refresh.split('|');
+    if (parts.length < 2)
+        return { refreshToken: parts[0], authMethod: 'idc' };
+    const refreshToken = parts[0];
+    const authMethod = parts[parts.length - 1];
+    if (authMethod === 'idc')
+        return { refreshToken, clientId: parts[1], clientSecret: parts[2], authMethod: 'idc' };
+    return { refreshToken, authMethod: 'idc' };
+}
+export function accessTokenExpired(auth) {
+    if (!auth.access || !auth.expires)
+        return true;
+    return Date.now() >= auth.expires - KIRO_CONSTANTS.ACCESS_TOKEN_EXPIRY_BUFFER_MS;
+}
+export function validateAuthDetails(auth) {
+    return !!auth.refresh && auth.authMethod === 'idc' && !!auth.clientId && !!auth.clientSecret;
+}
+export function encodeRefreshToken(parts) {
+    if (!parts.clientId || !parts.clientSecret)
+        throw new Error('Missing credentials');
+    return `${parts.refreshToken}|${parts.clientId}|${parts.clientSecret}|idc`;
+}

package/dist/kiro/oauth-idc.d.ts

@@ -0,0 +1,24 @@
+import type { KiroRegion } from '../plugin/types';
+export interface KiroIDCAuthorization {
+    verificationUrl: string;
+    verificationUriComplete: string;
+    userCode: string;
+    deviceCode: string;
+    clientId: string;
+    clientSecret: string;
+    interval: number;
+    expiresIn: number;
+    region: KiroRegion;
+}
+export interface KiroIDCTokenResult {
+    refreshToken: string;
+    accessToken: string;
+    expiresAt: number;
+    email: string;
+    clientId: string;
+    clientSecret: string;
+    region: KiroRegion;
+    authMethod: 'idc';
+}
+export declare function authorizeKiroIDC(region?: KiroRegion): Promise<KiroIDCAuthorization>;
+export declare function pollKiroIDCToken(clientId: string, clientSecret: string, deviceCode: string, interval: number, expiresIn: number, region: KiroRegion): Promise<KiroIDCTokenResult>;

package/dist/kiro/oauth-idc.js

@@ -0,0 +1,132 @@
+import { KIRO_AUTH_SERVICE, KIRO_CONSTANTS, buildUrl, normalizeRegion } from '../constants';
+export async function authorizeKiroIDC(region) {
+    const effectiveRegion = normalizeRegion(region);
+    const ssoOIDCEndpoint = buildUrl(KIRO_AUTH_SERVICE.SSO_OIDC_ENDPOINT, effectiveRegion);
+    const registerResponse = await fetch(`${ssoOIDCEndpoint}/client/register`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'User-Agent': KIRO_CONSTANTS.USER_AGENT
+        },
+        body: JSON.stringify({
+            clientName: 'Kiro IDE',
+            clientType: 'public',
+            scopes: KIRO_AUTH_SERVICE.SCOPES,
+            grantTypes: ['urn:ietf:params:oauth:grant-type:device_code', 'refresh_token']
+        })
+    });
+    if (!registerResponse.ok) {
+        const errorText = await registerResponse.text().catch(() => '');
+        throw new Error(`Client registration failed: ${registerResponse.status} ${errorText}`);
+    }
+    const registerData = await registerResponse.json();
+    const { clientId, clientSecret } = registerData;
+    if (!clientId || !clientSecret) {
+        throw new Error('Client registration response missing clientId or clientSecret');
+    }
+    const deviceAuthResponse = await fetch(`${ssoOIDCEndpoint}/device_authorization`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'User-Agent': KIRO_CONSTANTS.USER_AGENT
+        },
+        body: JSON.stringify({
+            clientId,
+            clientSecret,
+            startUrl: KIRO_AUTH_SERVICE.BUILDER_ID_START_URL
+        })
+    });
+    if (!deviceAuthResponse.ok) {
+        const errorText = await deviceAuthResponse.text().catch(() => '');
+        throw new Error(`Device authorization failed: ${deviceAuthResponse.status} ${errorText}`);
+    }
+    const deviceAuthData = await deviceAuthResponse.json();
+    const { verificationUri, verificationUriComplete, userCode, deviceCode, interval = 5, expiresIn = 600 } = deviceAuthData;
+    if (!deviceCode || !userCode || !verificationUri || !verificationUriComplete) {
+        throw new Error('Device authorization response missing required fields');
+    }
+    return {
+        verificationUrl: verificationUri,
+        verificationUriComplete,
+        userCode,
+        deviceCode,
+        clientId,
+        clientSecret,
+        interval,
+        expiresIn,
+        region: effectiveRegion
+    };
+}
+export async function pollKiroIDCToken(clientId, clientSecret, deviceCode, interval, expiresIn, region) {
+    if (!clientId || !clientSecret || !deviceCode) {
+        throw new Error('Missing required parameters for token polling');
+    }
+    const effectiveRegion = normalizeRegion(region);
+    const ssoOIDCEndpoint = buildUrl(KIRO_AUTH_SERVICE.SSO_OIDC_ENDPOINT, effectiveRegion);
+    const maxAttempts = Math.floor(expiresIn / interval);
+    let currentInterval = interval * 1000;
+    let attempts = 0;
+    while (attempts < maxAttempts) {
+        attempts++;
+        await new Promise((resolve) => setTimeout(resolve, currentInterval));
+        try {
+            const tokenResponse = await fetch(`${ssoOIDCEndpoint}/token`, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                    'User-Agent': KIRO_CONSTANTS.USER_AGENT
+                },
+                body: JSON.stringify({
+                    clientId,
+                    clientSecret,
+                    deviceCode,
+                    grantType: 'urn:ietf:params:oauth:grant-type:device_code'
+                })
+            });
+            const tokenData = await tokenResponse.json();
+            if (tokenData.error) {
+                const errorType = tokenData.error;
+                if (errorType === 'authorization_pending') {
+                    continue;
+                }
+                if (errorType === 'slow_down') {
+                    currentInterval += 5000;
+                    continue;
+                }
+                if (errorType === 'expired_token') {
+                    throw new Error('Device code has expired. Please restart the authorization process.');
+                }
+                if (errorType === 'access_denied') {
+                    throw new Error('Authorization was denied by the user.');
+                }
+                throw new Error(`Token polling failed: ${errorType} - ${tokenData.error_description || ''}`);
+            }
+            if (tokenData.accessToken && tokenData.refreshToken) {
+                const expiresInSeconds = tokenData.expiresIn || 3600;
+                const expiresAt = Date.now() + expiresInSeconds * 1000;
+                return {
+                    refreshToken: tokenData.refreshToken,
+                    accessToken: tokenData.accessToken,
+                    expiresAt,
+                    email: 'builder-id@aws.amazon.com',
+                    clientId,
+                    clientSecret,
+                    region: effectiveRegion,
+                    authMethod: 'idc'
+                };
+            }
+            if (!tokenResponse.ok) {
+                throw new Error(`Token request failed with status: ${tokenResponse.status}`);
+            }
+        }
+        catch (error) {
+            if (error instanceof Error && (error.message.includes('expired') || error.message.includes('denied') || error.message.includes('failed'))) {
+                throw error;
+            }
+            if (attempts >= maxAttempts) {
+                throw new Error(`Token polling failed after ${attempts} attempts: ${error instanceof Error ? error.message : 'Unknown error'}`);
+            }
+        }
+    }
+    throw new Error('Token polling timed out. Authorization may have expired.');
+}

package/dist/kiro/oauth-social.d.ts

@@ -0,0 +1,17 @@
+import type { KiroRegion } from '../plugin/types';
+export interface KiroSocialAuthorization {
+    url: string;
+    verifier: string;
+    region: KiroRegion;
+}
+export interface KiroSocialTokenResult {
+    refreshToken: string;
+    accessToken: string;
+    expiresAt: number;
+    email: string;
+    profileArn: string;
+    region: KiroRegion;
+    authMethod: 'social';
+}
+export declare function authorizeKiroSocial(port: number, state: string, challenge: string, region?: KiroRegion): Promise<string>;
+export declare function exchangeKiroSocial(code: string, verifier: string, region: KiroRegion, port: number): Promise<KiroSocialTokenResult>;

package/dist/kiro/oauth-social.js

@@ -0,0 +1,51 @@
+import { KIRO_AUTH_SERVICE, KIRO_CONSTANTS } from '../constants';
+export async function authorizeKiroSocial(port, state, challenge, region) {
+    const effectiveRegion = region || KIRO_CONSTANTS.DEFAULT_REGION;
+    const authServiceEndpoint = KIRO_AUTH_SERVICE.ENDPOINT.replace('{{region}}', effectiveRegion);
+    const redirectUri = `http://127.0.0.1:${port}/oauth/callback`;
+    const params = new URLSearchParams({
+        idp: 'Google',
+        redirect_uri: redirectUri,
+        code_challenge: challenge,
+        code_challenge_method: 'S256',
+        state: state,
+        prompt: 'select_account',
+    });
+    return `${authServiceEndpoint}/login?${params.toString()}`;
+}
+export async function exchangeKiroSocial(code, verifier, region, port) {
+    const authServiceEndpoint = KIRO_AUTH_SERVICE.ENDPOINT.replace('{{region}}', region);
+    const redirectUri = `http://127.0.0.1:${port}/oauth/callback`;
+    const tokenResponse = await fetch(`${authServiceEndpoint}/oauth/token`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'User-Agent': KIRO_CONSTANTS.USER_AGENT,
+        },
+        body: JSON.stringify({
+            code,
+            code_verifier: verifier,
+            redirect_uri: redirectUri,
+        }),
+    });
+    if (!tokenResponse.ok) {
+        const errorText = await tokenResponse.text();
+        throw new Error(`Token exchange failed: ${tokenResponse.status} ${errorText}`);
+    }
+    const tokenData = await tokenResponse.json();
+    if (!tokenData.accessToken || !tokenData.refreshToken || !tokenData.profileArn) {
+        throw new Error('Invalid token response: missing required fields');
+    }
+    const expiresIn = tokenData.expiresIn || 3600;
+    const expiresAt = Date.now() + expiresIn * 1000;
+    const email = tokenData.email || 'unknown@kiro.dev';
+    return {
+        refreshToken: tokenData.refreshToken,
+        accessToken: tokenData.accessToken,
+        expiresAt,
+        email,
+        profileArn: tokenData.profileArn,
+        region,
+        authMethod: 'social',
+    };
+}

package/dist/plugin/accounts.d.ts

@@ -0,0 +1,28 @@
+import type { ManagedAccount, AccountSelectionStrategy, KiroAuthDetails, UsageMetadata } from './types';
+export declare function generateAccountId(): string;
+export declare class AccountManager {
+    private accounts;
+    private usage;
+    private cursor;
+    private strategy;
+    private lastToastTime;
+    constructor(accounts: ManagedAccount[], usage: Record<string, UsageMetadata>, strategy?: AccountSelectionStrategy);
+    static loadFromDisk(strategy?: AccountSelectionStrategy): Promise<AccountManager>;
+    getAccountCount(): number;
+    getAccounts(): ManagedAccount[];
+    shouldShowToast(debounce?: number): boolean;
+    getMinWaitTime(): number;
+    getCurrentOrNext(): ManagedAccount | null;
+    updateUsage(id: string, meta: {
+        usedCount: number;
+        limitCount: number;
+        realEmail?: string;
+    }): void;
+    addAccount(a: ManagedAccount): void;
+    removeAccount(a: ManagedAccount): void;
+    updateFromAuth(a: ManagedAccount, auth: KiroAuthDetails): void;
+    markRateLimited(a: ManagedAccount, ms: number): void;
+    markUnhealthy(a: ManagedAccount, reason: string, recovery?: number): void;
+    saveToDisk(): Promise<void>;
+    toAuthDetails(a: ManagedAccount): KiroAuthDetails;
+}

package/dist/plugin/accounts.js

@@ -0,0 +1,156 @@
+import { randomBytes } from 'node:crypto';
+import { loadAccounts, saveAccounts, loadUsage, saveUsage } from './storage';
+import { KIRO_CONSTANTS } from '../constants';
+import { encodeRefreshToken, decodeRefreshToken } from '../kiro/auth';
+export function generateAccountId() {
+    return randomBytes(16).toString('hex');
+}
+export class AccountManager {
+    accounts;
+    usage;
+    cursor;
+    strategy;
+    lastToastTime = 0;
+    constructor(accounts, usage, strategy = 'sticky') {
+        this.accounts = accounts;
+        this.usage = usage;
+        this.cursor = 0;
+        this.strategy = strategy;
+        for (const a of this.accounts) {
+            const m = this.usage[a.id];
+            if (m) {
+                a.usedCount = m.usedCount;
+                a.limitCount = m.limitCount;
+                a.realEmail = m.realEmail;
+            }
+        }
+    }
+    static async loadFromDisk(strategy) {
+        const s = await loadAccounts();
+        const u = await loadUsage();
+        const accounts = s.accounts.map((m) => ({ ...m, region: m.region || KIRO_CONSTANTS.DEFAULT_REGION }));
+        return new AccountManager(accounts, u.usage, strategy || 'sticky');
+    }
+    getAccountCount() {
+        return this.accounts.length;
+    }
+    getAccounts() {
+        return [...this.accounts];
+    }
+    shouldShowToast(debounce = 30000) {
+        if (Date.now() - this.lastToastTime < debounce)
+            return false;
+        this.lastToastTime = Date.now();
+        return true;
+    }
+    getMinWaitTime() {
+        const now = Date.now();
+        const waits = this.accounts.map((a) => (a.rateLimitResetTime || 0) - now).filter((t) => t > 0);
+        return waits.length > 0 ? Math.min(...waits) : 0;
+    }
+    getCurrentOrNext() {
+        const now = Date.now();
+        const available = this.accounts.filter((a) => {
+            if (!a.isHealthy) {
+                if (a.recoveryTime && now >= a.recoveryTime) {
+                    a.isHealthy = true;
+                    delete a.unhealthyReason;
+                    delete a.recoveryTime;
+                    return true;
+                }
+                return false;
+            }
+            return !(a.rateLimitResetTime && now < a.rateLimitResetTime);
+        });
+        if (available.length === 0)
+            return null;
+        let selected;
+        if (this.strategy === 'sticky') {
+            selected = available.find((_, i) => i === this.cursor) || available[0];
+        }
+        else if (this.strategy === 'round-robin') {
+            selected = available[this.cursor % available.length];
+            this.cursor = (this.cursor + 1) % available.length;
+        }
+        else if (this.strategy === 'lowest-usage') {
+            selected = [...available].sort((a, b) => (a.usedCount || 0) - (b.usedCount || 0) || (a.lastUsed || 0) - (b.lastUsed || 0))[0];
+        }
+        if (selected) {
+            selected.lastUsed = now;
+            selected.usedCount = (selected.usedCount || 0) + 1;
+            this.cursor = this.accounts.indexOf(selected);
+            return selected;
+        }
+        return null;
+    }
+    updateUsage(id, meta) {
+        const a = this.accounts.find((x) => x.id === id);
+        if (a) {
+            a.usedCount = meta.usedCount;
+            a.limitCount = meta.limitCount;
+            if (meta.realEmail)
+                a.realEmail = meta.realEmail;
+        }
+        this.usage[id] = { ...meta, lastSync: Date.now() };
+    }
+    addAccount(a) {
+        const i = this.accounts.findIndex((x) => x.id === a.id);
+        if (i === -1)
+            this.accounts.push(a);
+        else
+            this.accounts[i] = a;
+    }
+    removeAccount(a) {
+        this.accounts = this.accounts.filter((x) => x.id !== a.id);
+        delete this.usage[a.id];
+        this.cursor = Math.max(0, Math.min(this.cursor, this.accounts.length - 1));
+    }
+    updateFromAuth(a, auth) {
+        const acc = this.accounts.find((x) => x.id === a.id);
+        if (acc) {
+            acc.accessToken = auth.access;
+            acc.expiresAt = auth.expires;
+            acc.lastUsed = Date.now();
+            if (auth.email && auth.email !== 'builder-id@aws.amazon.com')
+                acc.realEmail = auth.email;
+            const p = decodeRefreshToken(auth.refresh);
+            acc.refreshToken = p.refreshToken;
+            if (p.profileArn)
+                acc.profileArn = p.profileArn;
+            if (p.clientId)
+                acc.clientId = p.clientId;
+        }
+    }
+    markRateLimited(a, ms) {
+        const acc = this.accounts.find((x) => x.id === a.id);
+        if (acc)
+            acc.rateLimitResetTime = Date.now() + ms;
+    }
+    markUnhealthy(a, reason, recovery) {
+        const acc = this.accounts.find((x) => x.id === a.id);
+        if (acc) {
+            acc.isHealthy = false;
+            acc.unhealthyReason = reason;
+            acc.recoveryTime = recovery;
+        }
+    }
+    async saveToDisk() {
+        const metadata = this.accounts.map(({ usedCount, limitCount, lastUsed, ...rest }) => rest);
+        await saveAccounts({ version: 1, accounts: metadata, activeIndex: this.cursor });
+        await saveUsage({ version: 1, usage: this.usage });
+    }
+    toAuthDetails(a) {
+        const p = { refreshToken: a.refreshToken, profileArn: a.profileArn, clientId: a.clientId, clientSecret: a.clientSecret, authMethod: a.authMethod };
+        return {
+            refresh: encodeRefreshToken(p),
+            access: a.accessToken,
+            expires: a.expiresAt,
+            authMethod: a.authMethod,
+            region: a.region,
+            profileArn: a.profileArn,
+            clientId: a.clientId,
+            clientSecret: a.clientSecret,
+            email: a.email
+        };
+    }
+}

package/dist/plugin/auth-page.d.ts

@@ -0,0 +1,3 @@
+export declare function getIDCAuthHtml(verificationUrl: string, userCode: string, statusUrl: string): string;
+export declare function getSuccessHtml(): string;
+export declare function getErrorHtml(message: string): string;