@zhafron/opencode-kiro-auth 1.0.0

package/dist/plugin/types.d.ts

@@ -0,0 +1,148 @@
+export type KiroAuthMethod = 'idc';
+export type KiroRegion = 'us-east-1' | 'us-west-2';
+export interface KiroAuthDetails {
+    refresh: string;
+    access: string;
+    expires: number;
+    authMethod: KiroAuthMethod;
+    region: KiroRegion;
+    clientId?: string;
+    clientSecret?: string;
+    email?: string;
+    profileArn?: string;
+}
+export interface RefreshParts {
+    refreshToken: string;
+    clientId?: string;
+    clientSecret?: string;
+    profileArn?: string;
+    authMethod?: KiroAuthMethod;
+}
+export interface ManagedAccount {
+    id: string;
+    email: string;
+    realEmail?: string;
+    authMethod: KiroAuthMethod;
+    region: KiroRegion;
+    clientId?: string;
+    clientSecret?: string;
+    profileArn?: string;
+    refreshToken: string;
+    accessToken: string;
+    expiresAt: number;
+    rateLimitResetTime: number;
+    isHealthy: boolean;
+    unhealthyReason?: string;
+    recoveryTime?: number;
+    usedCount?: number;
+    limitCount?: number;
+    lastUsed?: number;
+}
+export interface AccountMetadata {
+    id: string;
+    email: string;
+    realEmail?: string;
+    authMethod: KiroAuthMethod;
+    region: KiroRegion;
+    clientId?: string;
+    clientSecret?: string;
+    profileArn?: string;
+    refreshToken: string;
+    accessToken: string;
+    expiresAt: number;
+    rateLimitResetTime: number;
+    isHealthy: boolean;
+    unhealthyReason?: string;
+    recoveryTime?: number;
+}
+export interface AccountStorage {
+    version: 1;
+    accounts: AccountMetadata[];
+    activeIndex: number;
+}
+export interface UsageMetadata {
+    usedCount: number;
+    limitCount: number;
+    realEmail?: string;
+    lastSync: number;
+}
+export interface UsageStorage {
+    version: 1;
+    usage: Record<string, UsageMetadata>;
+}
+export interface CodeWhispererMessage {
+    userInputMessage?: {
+        content: string;
+        modelId: string;
+        origin: string;
+        images?: Array<{
+            format: string;
+            source: {
+                bytes: string;
+            };
+        }>;
+        userInputMessageContext?: {
+            toolResults?: Array<{
+                toolUseId: string;
+                content: Array<{
+                    text?: string;
+                }>;
+                status?: string;
+            }>;
+            tools?: Array<{
+                toolSpecification: {
+                    name: string;
+                    description: string;
+                    inputSchema: {
+                        json: Record<string, unknown>;
+                    };
+                };
+            }>;
+        };
+    };
+    assistantResponseMessage?: {
+        content: string;
+        toolUses?: Array<{
+            input: any;
+            name: string;
+            toolUseId: string;
+        }>;
+    };
+}
+export interface CodeWhispererRequest {
+    conversationState: {
+        chatTriggerType: string;
+        conversationId: string;
+        history: CodeWhispererMessage[];
+        currentMessage: CodeWhispererMessage;
+    };
+    profileArn?: string;
+}
+export interface ToolCall {
+    toolUseId: string;
+    name: string;
+    input: string | Record<string, unknown>;
+}
+export interface ParsedResponse {
+    content: string;
+    toolCalls: ToolCall[];
+    stopReason?: string;
+    inputTokens?: number;
+    outputTokens?: number;
+}
+export interface PreparedRequest {
+    url: string;
+    init: RequestInit;
+    streaming: boolean;
+    effectiveModel: string;
+    conversationId: string;
+}
+export type AccountSelectionStrategy = 'sticky' | 'round-robin' | 'lowest-usage';
+export interface StreamEvent {
+    type: string;
+    message?: any;
+    content_block?: any;
+    delta?: any;
+    index?: number;
+    usage?: any;
+}

package/dist/plugin/usage.d.ts

@@ -0,0 +1,3 @@
+import { ManagedAccount, KiroAuthDetails } from './types';
+export declare function fetchUsageLimits(auth: KiroAuthDetails): Promise<any>;
+export declare function updateAccountQuota(account: ManagedAccount, usage: any, accountManager?: any): void;

package/dist/plugin/usage.js

@@ -0,0 +1,36 @@
+export async function fetchUsageLimits(auth) {
+    const url = `https://q.${auth.region}.amazonaws.com/getUsageLimits?isEmailRequired=true&origin=AI_EDITOR&resourceType=AGENTIC_REQUEST`;
+    try {
+        const res = await fetch(url, {
+            method: 'GET',
+            headers: { Authorization: `Bearer ${auth.access}`, 'Content-Type': 'application/json', 'x-amzn-kiro-agent-mode': 'vibe', 'amz-sdk-request': 'attempt=1; max=1' }
+        });
+        if (!res.ok)
+            throw new Error(`Status: ${res.status}`);
+        const data = await res.json();
+        let usedCount = 0, limitCount = 0;
+        if (Array.isArray(data.usageBreakdownList)) {
+            for (const s of data.usageBreakdownList) {
+                if (s.freeTrialInfo) {
+                    usedCount += s.freeTrialInfo.currentUsage || 0;
+                    limitCount += s.freeTrialInfo.usageLimit || 0;
+                }
+                usedCount += s.currentUsage || 0;
+                limitCount += s.usageLimit || 0;
+            }
+        }
+        return { usedCount, limitCount, email: data.userInfo?.email };
+    }
+    catch (e) {
+        throw e;
+    }
+}
+export function updateAccountQuota(account, usage, accountManager) {
+    const meta = { usedCount: usage.usedCount || 0, limitCount: usage.limitCount || 0, realEmail: usage.email };
+    account.usedCount = meta.usedCount;
+    account.limitCount = meta.limitCount;
+    if (meta.realEmail)
+        account.realEmail = meta.realEmail;
+    if (accountManager)
+        accountManager.updateUsage(account.id, meta);
+}

package/dist/plugin.d.ts

@@ -0,0 +1,32 @@
+export declare const createKiroPlugin: (id: string) => ({ client, directory }: any) => Promise<{
+    auth: {
+        provider: string;
+        loader: (getAuth: any) => Promise<{
+            apiKey: string;
+            baseURL: string;
+            fetch(input: any, init?: any): Promise<Response>;
+        }>;
+        methods: {
+            id: string;
+            label: string;
+            type: string;
+            authorize: () => Promise<unknown>;
+        }[];
+    };
+}>;
+export declare const KiroOAuthPlugin: ({ client, directory }: any) => Promise<{
+    auth: {
+        provider: string;
+        loader: (getAuth: any) => Promise<{
+            apiKey: string;
+            baseURL: string;
+            fetch(input: any, init?: any): Promise<Response>;
+        }>;
+        methods: {
+            id: string;
+            label: string;
+            type: string;
+            authorize: () => Promise<unknown>;
+        }[];
+    };
+}>;

package/dist/plugin.js

@@ -0,0 +1,222 @@
+import { loadConfig } from './plugin/config';
+import { AccountManager, generateAccountId } from './plugin/accounts';
+import { accessTokenExpired, encodeRefreshToken } from './kiro/auth';
+import { refreshAccessToken } from './plugin/token';
+import { transformToCodeWhisperer } from './plugin/request';
+import { parseEventStream } from './plugin/response';
+import { transformKiroStream } from './plugin/streaming';
+import { fetchUsageLimits, updateAccountQuota } from './plugin/usage';
+import { authorizeKiroIDC } from './kiro/oauth-idc';
+import { startIDCAuthServer } from './plugin/server';
+import { KiroTokenRefreshError } from './plugin/errors';
+import { KIRO_CONSTANTS } from './constants';
+import * as logger from './plugin/logger';
+const KIRO_PROVIDER_ID = 'kiro';
+const KIRO_API_PATTERN = /^(https?:\/\/)?q\.[a-z0-9-]+\.amazonaws\.com/;
+const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
+const isNetworkError = (e) => e instanceof Error && /econnreset|etimedout|enotfound|network|fetch failed/i.test(e.message);
+const extractModel = (url) => url.match(/models\/([^/:]+)/)?.[1] || null;
+export const createKiroPlugin = (id) => async ({ client, directory }) => {
+    const config = loadConfig(directory);
+    const showToast = (message, variant) => {
+        client.tui.showToast({ body: { message, variant } }).catch(() => { });
+    };
+    return {
+        auth: {
+            provider: id,
+            loader: async (getAuth) => {
+                await getAuth();
+                const am = await AccountManager.loadFromDisk(config.account_selection_strategy);
+                return {
+                    apiKey: '',
+                    baseURL: KIRO_CONSTANTS.BASE_URL.replace('/generateAssistantResponse', '').replace('{{region}}', config.default_region || 'us-east-1'),
+                    async fetch(input, init) {
+                        const url = typeof input === 'string' ? input : input.url;
+                        if (!KIRO_API_PATTERN.test(url))
+                            return fetch(input, init);
+                        const body = init?.body ? JSON.parse(init.body) : {};
+                        const model = extractModel(url) || body.model || 'claude-opus-4-5';
+                        const think = model.endsWith('-thinking') || !!body.providerOptions?.thinkingConfig;
+                        const budget = body.providerOptions?.thinkingConfig?.thinkingBudget || 20000;
+                        let retry = 0;
+                        while (true) {
+                            const count = am.getAccountCount();
+                            if (count === 0)
+                                throw new Error('No accounts. Login first.');
+                            const acc = am.getCurrentOrNext();
+                            if (!acc) {
+                                const w = am.getMinWaitTime() || 60000;
+                                showToast(`All accounts rate-limited. Waiting ${Math.ceil(w / 1000)}s...`, 'warning');
+                                await sleep(w);
+                                continue;
+                            }
+                            if (count > 1 && am.shouldShowToast())
+                                showToast(`Using ${acc.email} (${am.getAccounts().indexOf(acc) + 1}/${count})`, 'info');
+                            let auth = am.toAuthDetails(acc);
+                            if (accessTokenExpired(auth)) {
+                                try {
+                                    logger.log(`Refreshing token for ${acc.email}`);
+                                    auth = await refreshAccessToken(auth);
+                                    am.updateFromAuth(acc, auth);
+                                    await am.saveToDisk();
+                                }
+                                catch (e) {
+                                    const msg = e instanceof KiroTokenRefreshError ? e.message : String(e);
+                                    showToast(`Refresh failed for ${acc.email}: ${msg}`, 'error');
+                                    if (e instanceof KiroTokenRefreshError && e.code === 'invalid_grant') {
+                                        am.removeAccount(acc);
+                                        await am.saveToDisk();
+                                        continue;
+                                    }
+                                    throw e;
+                                }
+                            }
+                            const prep = transformToCodeWhisperer(url, init?.body, model, auth, think, budget);
+                            try {
+                                const res = await fetch(prep.url, prep.init);
+                                if (res.ok) {
+                                    if (config.usage_tracking_enabled)
+                                        fetchUsageLimits(auth)
+                                            .then((u) => {
+                                            updateAccountQuota(acc, u, am);
+                                            am.saveToDisk();
+                                        })
+                                            .catch((e) => logger.warn(`Usage sync failed for ${acc.email}: ${e.message}`));
+                                    if (prep.streaming) {
+                                        const s = transformKiroStream(res, model, prep.conversationId);
+                                        return new Response(new ReadableStream({
+                                            async start(c) {
+                                                try {
+                                                    for await (const e of s)
+                                                        c.enqueue(new TextEncoder().encode(`data: ${JSON.stringify(e)}\n\n`));
+                                                    c.close();
+                                                }
+                                                catch (err) {
+                                                    c.error(err);
+                                                }
+                                            }
+                                        }), { headers: { 'Content-Type': 'text/event-stream' } });
+                                    }
+                                    const text = await res.text();
+                                    const p = parseEventStream(text);
+                                    const oai = {
+                                        id: prep.conversationId,
+                                        object: 'chat.completion',
+                                        created: Math.floor(Date.now() / 1000),
+                                        model,
+                                        choices: [{ index: 0, message: { role: 'assistant', content: p.content }, finish_reason: p.stopReason === 'tool_use' ? 'tool_calls' : 'stop' }],
+                                        usage: { prompt_tokens: p.inputTokens || 0, completion_tokens: p.outputTokens || 0, total_tokens: (p.inputTokens || 0) + (p.outputTokens || 0) }
+                                    };
+                                    if (p.toolCalls.length > 0)
+                                        oai.choices[0].message.tool_calls = p.toolCalls.map((tc) => ({
+                                            id: tc.toolUseId,
+                                            type: 'function',
+                                            function: { name: tc.name, arguments: typeof tc.input === 'string' ? tc.input : JSON.stringify(tc.input) }
+                                        }));
+                                    return new Response(JSON.stringify(oai), { headers: { 'Content-Type': 'application/json' } });
+                                }
+                                if (res.status === 401 && retry < config.rate_limit_max_retries) {
+                                    logger.warn(`Unauthorized (401) on ${acc.email}, retrying...`);
+                                    retry++;
+                                    continue;
+                                }
+                                if (res.status === 429) {
+                                    const wait = parseInt(res.headers.get('retry-after') || '60') * 1000;
+                                    am.markRateLimited(acc, wait);
+                                    await am.saveToDisk();
+                                    if (count > 1) {
+                                        showToast(`Rate limited on ${acc.email}. Switching account...`, 'warning');
+                                        continue;
+                                    }
+                                    else {
+                                        showToast(`Rate limited. Retrying in ${Math.ceil(wait / 1000)}s...`, 'warning');
+                                        await sleep(wait);
+                                        continue;
+                                    }
+                                }
+                                if ((res.status === 402 || res.status === 403) && count > 1) {
+                                    showToast(`${res.status === 402 ? 'Quota exhausted' : 'Forbidden'} on ${acc.email}. Switching...`, 'warning');
+                                    am.markUnhealthy(acc, res.status === 402 ? 'Quota' : 'Forbidden');
+                                    await am.saveToDisk();
+                                    continue;
+                                }
+                                throw new Error(`Kiro Error: ${res.status}`);
+                            }
+                            catch (e) {
+                                if (isNetworkError(e) && retry < config.rate_limit_max_retries) {
+                                    const delay = 5000 * Math.pow(2, retry);
+                                    showToast(`Network error. Retrying in ${Math.ceil(delay / 1000)}s...`, 'warning');
+                                    await sleep(delay);
+                                    retry++;
+                                    continue;
+                                }
+                                throw e;
+                            }
+                        }
+                    }
+                };
+            },
+            methods: [
+                {
+                    id: 'idc',
+                    label: 'AWS Builder ID (IDC)',
+                    type: 'oauth',
+                    authorize: async () => new Promise(async (resolve) => {
+                        const region = config.default_region;
+                        const authData = await authorizeKiroIDC(region);
+                        const { url, waitForAuth } = await startIDCAuthServer(authData);
+                        resolve({
+                            url,
+                            instructions: 'Opening browser...',
+                            method: 'auto',
+                            callback: async () => {
+                                try {
+                                    const res = await waitForAuth();
+                                    const am = await AccountManager.loadFromDisk(config.account_selection_strategy);
+                                    const acc = {
+                                        id: generateAccountId(),
+                                        email: res.email,
+                                        authMethod: 'idc',
+                                        region,
+                                        clientId: res.clientId,
+                                        clientSecret: res.clientSecret,
+                                        refreshToken: res.refreshToken,
+                                        accessToken: res.accessToken,
+                                        expiresAt: res.expiresAt,
+                                        rateLimitResetTime: 0,
+                                        isHealthy: true
+                                    };
+                                    try {
+                                        const u = await fetchUsageLimits({
+                                            refresh: encodeRefreshToken({ refreshToken: res.refreshToken, clientId: res.clientId, clientSecret: res.clientSecret, authMethod: 'idc' }),
+                                            access: res.accessToken,
+                                            expires: res.expiresAt,
+                                            authMethod: 'idc',
+                                            region,
+                                            clientId: res.clientId,
+                                            clientSecret: res.clientSecret,
+                                            email: res.email
+                                        });
+                                        am.updateUsage(acc.id, { usedCount: u.usedCount, limitCount: u.limitCount, realEmail: u.email });
+                                    }
+                                    catch (e) {
+                                        logger.warn(`Initial usage fetch failed: ${e.message}`);
+                                    }
+                                    am.addAccount(acc);
+                                    await am.saveToDisk();
+                                    showToast(`Successfully logged in as ${res.email}`, 'success');
+                                    return { type: 'success', key: res.accessToken };
+                                }
+                                catch (e) {
+                                    logger.error(`Login failed: ${e.message}`);
+                                    return { type: 'failed' };
+                                }
+                            }
+                        });
+                    })
+                }
+            ]
+        }
+    };
+};
+export const KiroOAuthPlugin = createKiroPlugin(KIRO_PROVIDER_ID);

package/dist/src/constants.d.ts

@@ -0,0 +1,22 @@
+import type { KiroRegion } from './plugin/types';
+export declare const KIRO_CONSTANTS: {
+    REFRESH_URL: string;
+    REFRESH_IDC_URL: string;
+    BASE_URL: string;
+    USAGE_LIMITS_URL: string;
+    DEFAULT_REGION: KiroRegion;
+    ACCESS_TOKEN_EXPIRY_BUFFER_MS: number;
+    AXIOS_TIMEOUT: number;
+    USER_AGENT: string;
+    KIRO_VERSION: string;
+    CHAT_TRIGGER_TYPE_MANUAL: string;
+    ORIGIN_AI_EDITOR: string;
+};
+export declare const MODEL_MAPPING: Record<string, string>;
+export declare const SUPPORTED_MODELS: string[];
+export declare const KIRO_AUTH_SERVICE: {
+    ENDPOINT: string;
+    SSO_OIDC_ENDPOINT: string;
+    BUILDER_ID_START_URL: string;
+    SCOPES: string[];
+};

package/dist/src/constants.js

@@ -0,0 +1,35 @@
+export const KIRO_CONSTANTS = {
+    REFRESH_URL: 'https://prod.{{region}}.auth.desktop.kiro.dev/refreshToken',
+    REFRESH_IDC_URL: 'https://oidc.{{region}}.amazonaws.com/token',
+    BASE_URL: 'https://q.{{region}}.amazonaws.com/generateAssistantResponse',
+    USAGE_LIMITS_URL: 'https://q.{{region}}.amazonaws.com/getUsageLimits',
+    DEFAULT_REGION: 'us-east-1',
+    ACCESS_TOKEN_EXPIRY_BUFFER_MS: 60000,
+    AXIOS_TIMEOUT: 120000,
+    USER_AGENT: 'KiroIDE',
+    KIRO_VERSION: '0.7.5',
+    CHAT_TRIGGER_TYPE_MANUAL: 'MANUAL',
+    ORIGIN_AI_EDITOR: 'AI_EDITOR',
+};
+export const MODEL_MAPPING = {
+    'claude-opus-4-5': 'claude-opus-4.5',
+    'claude-opus-4-5-20251101': 'claude-opus-4.5',
+    'claude-haiku-4-5': 'claude-haiku-4.5',
+    'claude-sonnet-4-5': 'CLAUDE_SONNET_4_5_20250929_V1_0',
+    'claude-sonnet-4-5-20250929': 'CLAUDE_SONNET_4_5_20250929_V1_0',
+    'claude-sonnet-4-20250514': 'CLAUDE_SONNET_4_20250514_V1_0',
+    'claude-3-7-sonnet-20250219': 'CLAUDE_3_7_SONNET_20250219_V1_0',
+};
+export const SUPPORTED_MODELS = Object.keys(MODEL_MAPPING);
+export const KIRO_AUTH_SERVICE = {
+    ENDPOINT: 'https://prod.{{region}}.auth.desktop.kiro.dev',
+    SSO_OIDC_ENDPOINT: 'https://oidc.{{region}}.amazonaws.com',
+    BUILDER_ID_START_URL: 'https://view.awsapps.com/start',
+    SCOPES: [
+        'codewhisperer:completions',
+        'codewhisperer:analysis',
+        'codewhisperer:conversations',
+        'codewhisperer:transformations',
+        'codewhisperer:taskassist'
+    ],
+};

package/dist/src/kiro/auth.d.ts

@@ -0,0 +1,5 @@
+import type { KiroAuthDetails, RefreshParts } from '../plugin/types';
+export declare function parseRefreshParts(refresh: string): RefreshParts;
+export declare function accessTokenExpired(auth: KiroAuthDetails): boolean;
+export declare function validateAuthDetails(auth: KiroAuthDetails): boolean;
+export declare function encodeRefreshToken(refreshToken: string, profileArn?: string, clientId?: string, clientSecret?: string, authMethod?: string): string;

package/dist/src/kiro/auth.js

@@ -0,0 +1,69 @@
+import { KIRO_CONSTANTS } from '../constants';
+export function parseRefreshParts(refresh) {
+    const parts = refresh.split('|');
+    if (parts.length < 2) {
+        throw new Error('Invalid refresh token format');
+    }
+    const refreshToken = parts[0];
+    const authMethod = parts[parts.length - 1];
+    if (authMethod === 'social') {
+        if (parts.length !== 3) {
+            throw new Error('Invalid social auth refresh token format');
+        }
+        const profileArn = parts[1];
+        return {
+            refreshToken,
+            profileArn,
+            authMethod: 'social',
+        };
+    }
+    else if (authMethod === 'idc') {
+        if (parts.length !== 4) {
+            throw new Error('Invalid IDC auth refresh token format');
+        }
+        const clientId = parts[1];
+        const clientSecret = parts[2];
+        return {
+            refreshToken,
+            clientId,
+            clientSecret,
+            authMethod: 'idc',
+        };
+    }
+    throw new Error(`Unknown auth method: ${authMethod}`);
+}
+export function accessTokenExpired(auth) {
+    if (!auth.access || !auth.expires) {
+        return true;
+    }
+    const now = Date.now();
+    const expiryWithBuffer = auth.expires - KIRO_CONSTANTS.ACCESS_TOKEN_EXPIRY_BUFFER_MS;
+    return now >= expiryWithBuffer;
+}
+export function validateAuthDetails(auth) {
+    if (!auth.refresh || !auth.authMethod || !auth.region) {
+        return false;
+    }
+    if (auth.authMethod === 'social') {
+        return !!auth.profileArn && !!auth.refresh;
+    }
+    else if (auth.authMethod === 'idc') {
+        return !!auth.clientId && !!auth.clientSecret && !!auth.refresh;
+    }
+    return false;
+}
+export function encodeRefreshToken(refreshToken, profileArn, clientId, clientSecret, authMethod) {
+    if (authMethod === 'social') {
+        if (!profileArn) {
+            throw new Error('Missing profileArn for social auth');
+        }
+        return `${refreshToken}|${profileArn}|social`;
+    }
+    else if (authMethod === 'idc') {
+        if (!clientId || !clientSecret) {
+            throw new Error('Missing clientId or clientSecret for IDC auth');
+        }
+        return `${refreshToken}|${clientId}|${clientSecret}|idc`;
+    }
+    throw new Error(`Unknown auth method: ${authMethod}`);
+}

package/dist/src/kiro/oauth-idc.d.ts

@@ -0,0 +1,22 @@
+import type { KiroRegion } from '../plugin/types';
+export interface KiroIDCAuthorization {
+    url: string;
+    verifier: string;
+    region: KiroRegion;
+    deviceCode: string;
+    userCode: string;
+    clientId: string;
+    clientSecret: string;
+}
+export interface KiroIDCTokenResult {
+    refreshToken: string;
+    accessToken: string;
+    expiresAt: number;
+    email: string;
+    clientId: string;
+    clientSecret: string;
+    region: KiroRegion;
+    authMethod: 'idc';
+}
+export declare function authorizeKiroIDC(region?: KiroRegion): Promise<KiroIDCAuthorization>;
+export declare function exchangeKiroIDC(state: string): Promise<KiroIDCTokenResult>;