@zhafron/opencode-kiro-auth 1.1.3 → 1.2.1

package/README.md

@@ -9,6 +9,9 @@ OpenCode plugin for AWS Kiro (CodeWhisperer) providing access to the latest Clau
 - Automated token refresh and rate limit handling with exponential backoff.
 - Native thinking mode support via virtual model mappings.
 - Decoupled storage for credentials and real-time usage metadata.
+- Configurable request timeout and iteration limits to prevent hangs.
+- Automatic port selection for auth server to avoid conflicts.
+- Usage tracking with automatic retry on sync failures.
 
 ## Installation
 
@@ -68,12 +71,71 @@ Add the plugin to your `opencode.json` or `opencode.jsonc`:
 3. Follow the terminal instructions to complete the AWS Builder ID authentication.
 4. Configuration template will be automatically created at `~/.config/opencode/kiro.json` on first load.
 
+## Configuration
+
+The plugin supports extensive configuration options. Edit `~/.config/opencode/kiro.json`:
+
+```json
+{
+  "account_selection_strategy": "lowest-usage",
+  "default_region": "us-east-1",
+  "rate_limit_retry_delay_ms": 5000,
+  "rate_limit_max_retries": 3,
+  "max_request_iterations": 100,
+  "request_timeout_ms": 300000,
+  "token_expiry_buffer_ms": 120000,
+  "usage_sync_max_retries": 3,
+  "auth_server_port_start": 19847,
+  "auth_server_port_range": 10,
+  "usage_tracking_enabled": true,
+  "enable_log_api_request": false
+}
+```
+
+### Configuration Options
+
+- `account_selection_strategy`: Account rotation strategy (`sticky`, `round-robin`, `lowest-usage`)
+- `default_region`: AWS region (`us-east-1`, `us-west-2`)
+- `rate_limit_retry_delay_ms`: Delay between rate limit retries (1000-60000ms)
+- `rate_limit_max_retries`: Maximum retry attempts for rate limits (0-10)
+- `max_request_iterations`: Maximum loop iterations to prevent hangs (10-1000)
+- `request_timeout_ms`: Request timeout in milliseconds (60000-600000ms)
+- `token_expiry_buffer_ms`: Token refresh buffer time (30000-300000ms)
+- `usage_sync_max_retries`: Retry attempts for usage sync (0-5)
+- `auth_server_port_start`: Starting port for auth server (1024-65535)
+- `auth_server_port_range`: Number of ports to try (1-100)
+- `usage_tracking_enabled`: Enable usage tracking and toast notifications
+- `enable_log_api_request`: Enable detailed API request logging
+
+### Environment Variables
+
+All configuration options can be overridden via environment variables:
+
+- `KIRO_ACCOUNT_SELECTION_STRATEGY`
+- `KIRO_DEFAULT_REGION`
+- `KIRO_RATE_LIMIT_RETRY_DELAY_MS`
+- `KIRO_RATE_LIMIT_MAX_RETRIES`
+- `KIRO_MAX_REQUEST_ITERATIONS`
+- `KIRO_REQUEST_TIMEOUT_MS`
+- `KIRO_TOKEN_EXPIRY_BUFFER_MS`
+- `KIRO_USAGE_SYNC_MAX_RETRIES`
+- `KIRO_AUTH_SERVER_PORT_START`
+- `KIRO_AUTH_SERVER_PORT_RANGE`
+- `KIRO_USAGE_TRACKING_ENABLED`
+- `KIRO_ENABLE_LOG_API_REQUEST`
+
 ## Storage
 
+**Linux/macOS:**
 - Credentials: `~/.config/opencode/kiro-accounts.json`
 - Usage Tracking: `~/.config/opencode/kiro-usage.json`
 - Plugin Config: `~/.config/opencode/kiro.json`
 
+**Windows:**
+- Credentials: `%APPDATA%\opencode\kiro-accounts.json`
+- Usage Tracking: `%APPDATA%\opencode\kiro-usage.json`
+- Plugin Config: `%APPDATA%\opencode\kiro.json`
+
 ## Acknowledgements
 
 Special thanks to [AIClient-2-API](https://github.com/justlovemaki/AIClient-2-API) for providing the foundational Kiro authentication logic and request patterns.

package/dist/constants.d.ts

@@ -9,7 +9,6 @@ export declare const KIRO_CONSTANTS: {
     BASE_URL: string;
     USAGE_LIMITS_URL: string;
     DEFAULT_REGION: KiroRegion;
-    ACCESS_TOKEN_EXPIRY_BUFFER_MS: number;
     AXIOS_TIMEOUT: number;
     USER_AGENT: string;
     KIRO_VERSION: string;

package/dist/constants.js

@@ -33,7 +33,6 @@ export const KIRO_CONSTANTS = {
     BASE_URL: 'https://q.{{region}}.amazonaws.com/generateAssistantResponse',
     USAGE_LIMITS_URL: 'https://q.{{region}}.amazonaws.com/getUsageLimits',
     DEFAULT_REGION: 'us-east-1',
-    ACCESS_TOKEN_EXPIRY_BUFFER_MS: 60000,
     AXIOS_TIMEOUT: 120000,
     USER_AGENT: 'KiroIDE',
     KIRO_VERSION: '0.7.5',

package/dist/kiro/auth.d.ts

@@ -1,5 +1,5 @@
 import type { KiroAuthDetails, RefreshParts } from '../plugin/types';
 export declare function decodeRefreshToken(refresh: string): RefreshParts;
-export declare function accessTokenExpired(auth: KiroAuthDetails): boolean;
+export declare function accessTokenExpired(auth: KiroAuthDetails, bufferMs?: number): boolean;
 export declare function validateAuthDetails(auth: KiroAuthDetails): boolean;
 export declare function encodeRefreshToken(parts: RefreshParts): string;

package/dist/kiro/auth.js

@@ -1,4 +1,3 @@
-import { KIRO_CONSTANTS } from '../constants';
 export function decodeRefreshToken(refresh) {
     const parts = refresh.split('|');
     if (parts.length < 2)
@@ -9,10 +8,10 @@ export function decodeRefreshToken(refresh) {
         return { refreshToken, clientId: parts[1], clientSecret: parts[2], authMethod: 'idc' };
     return { refreshToken, authMethod: 'idc' };
 }
-export function accessTokenExpired(auth) {
+export function accessTokenExpired(auth, bufferMs = 120000) {
     if (!auth.access || !auth.expires)
         return true;
-    return Date.now() >= auth.expires - KIRO_CONSTANTS.ACCESS_TOKEN_EXPIRY_BUFFER_MS;
+    return Date.now() >= auth.expires - bufferMs;
 }
 export function validateAuthDetails(auth) {
     return !!auth.refresh && auth.authMethod === 'idc' && !!auth.clientId && !!auth.clientSecret;

package/dist/plugin/accounts.js

@@ -111,9 +111,20 @@ export class AccountManager {
             this.accounts[i] = a;
     }
     removeAccount(a) {
+        const removedIndex = this.accounts.findIndex((x) => x.id === a.id);
+        if (removedIndex === -1)
+            return;
         this.accounts = this.accounts.filter((x) => x.id !== a.id);
         delete this.usage[a.id];
-        this.cursor = Math.max(0, Math.min(this.cursor, this.accounts.length - 1));
+        if (this.accounts.length === 0) {
+            this.cursor = 0;
+        }
+        else if (this.cursor >= this.accounts.length) {
+            this.cursor = this.accounts.length - 1;
+        }
+        else if (removedIndex <= this.cursor && this.cursor > 0) {
+            this.cursor--;
+        }
     }
     updateFromAuth(a, auth) {
         const acc = this.accounts.find((x) => x.id === a.id);

package/dist/plugin/config/loader.js

@@ -87,11 +87,6 @@ function applyEnvOverrides(config) {
     const env = process.env;
     return {
         ...config,
-        session_recovery: parseBooleanEnv(env.KIRO_SESSION_RECOVERY, config.session_recovery),
-        auto_resume: parseBooleanEnv(env.KIRO_AUTO_RESUME, config.auto_resume),
-        proactive_token_refresh: parseBooleanEnv(env.KIRO_PROACTIVE_TOKEN_REFRESH, config.proactive_token_refresh),
-        token_refresh_interval_seconds: parseNumberEnv(env.KIRO_TOKEN_REFRESH_INTERVAL_SECONDS, config.token_refresh_interval_seconds),
-        token_refresh_buffer_seconds: parseNumberEnv(env.KIRO_TOKEN_REFRESH_BUFFER_SECONDS, config.token_refresh_buffer_seconds),
         account_selection_strategy: env.KIRO_ACCOUNT_SELECTION_STRATEGY
             ? AccountSelectionStrategySchema.catch('lowest-usage').parse(env.KIRO_ACCOUNT_SELECTION_STRATEGY)
             : config.account_selection_strategy,
@@ -100,7 +95,14 @@ function applyEnvOverrides(config) {
             : config.default_region,
         rate_limit_retry_delay_ms: parseNumberEnv(env.KIRO_RATE_LIMIT_RETRY_DELAY_MS, config.rate_limit_retry_delay_ms),
         rate_limit_max_retries: parseNumberEnv(env.KIRO_RATE_LIMIT_MAX_RETRIES, config.rate_limit_max_retries),
-        usage_tracking_enabled: parseBooleanEnv(env.KIRO_USAGE_TRACKING_ENABLED, config.usage_tracking_enabled)
+        max_request_iterations: parseNumberEnv(env.KIRO_MAX_REQUEST_ITERATIONS, config.max_request_iterations),
+        request_timeout_ms: parseNumberEnv(env.KIRO_REQUEST_TIMEOUT_MS, config.request_timeout_ms),
+        token_expiry_buffer_ms: parseNumberEnv(env.KIRO_TOKEN_EXPIRY_BUFFER_MS, config.token_expiry_buffer_ms),
+        usage_sync_max_retries: parseNumberEnv(env.KIRO_USAGE_SYNC_MAX_RETRIES, config.usage_sync_max_retries),
+        auth_server_port_start: parseNumberEnv(env.KIRO_AUTH_SERVER_PORT_START, config.auth_server_port_start),
+        auth_server_port_range: parseNumberEnv(env.KIRO_AUTH_SERVER_PORT_RANGE, config.auth_server_port_range),
+        usage_tracking_enabled: parseBooleanEnv(env.KIRO_USAGE_TRACKING_ENABLED, config.usage_tracking_enabled),
+        enable_log_api_request: parseBooleanEnv(env.KIRO_ENABLE_LOG_API_REQUEST, config.enable_log_api_request)
     };
 }
 export function loadConfig(directory) {

package/dist/plugin/config/schema.d.ts

@@ -5,41 +5,44 @@ export declare const RegionSchema: z.ZodEnum<["us-east-1", "us-west-2"]>;
 export type Region = z.infer<typeof RegionSchema>;
 export declare const KiroConfigSchema: z.ZodObject<{
     $schema: z.ZodOptional<z.ZodString>;
-    session_recovery: z.ZodDefault<z.ZodBoolean>;
-    auto_resume: z.ZodDefault<z.ZodBoolean>;
-    proactive_token_refresh: z.ZodDefault<z.ZodBoolean>;
-    token_refresh_interval_seconds: z.ZodDefault<z.ZodNumber>;
-    token_refresh_buffer_seconds: z.ZodDefault<z.ZodNumber>;
     account_selection_strategy: z.ZodDefault<z.ZodEnum<["sticky", "round-robin", "lowest-usage"]>>;
     default_region: z.ZodDefault<z.ZodEnum<["us-east-1", "us-west-2"]>>;
     rate_limit_retry_delay_ms: z.ZodDefault<z.ZodNumber>;
     rate_limit_max_retries: z.ZodDefault<z.ZodNumber>;
+    max_request_iterations: z.ZodDefault<z.ZodNumber>;
+    request_timeout_ms: z.ZodDefault<z.ZodNumber>;
+    token_expiry_buffer_ms: z.ZodDefault<z.ZodNumber>;
+    usage_sync_max_retries: z.ZodDefault<z.ZodNumber>;
+    auth_server_port_start: z.ZodDefault<z.ZodNumber>;
+    auth_server_port_range: z.ZodDefault<z.ZodNumber>;
     usage_tracking_enabled: z.ZodDefault<z.ZodBoolean>;
     enable_log_api_request: z.ZodDefault<z.ZodBoolean>;
 }, "strip", z.ZodTypeAny, {
-    session_recovery: boolean;
-    auto_resume: boolean;
-    proactive_token_refresh: boolean;
-    token_refresh_interval_seconds: number;
-    token_refresh_buffer_seconds: number;
     account_selection_strategy: "sticky" | "round-robin" | "lowest-usage";
     default_region: "us-east-1" | "us-west-2";
     rate_limit_retry_delay_ms: number;
     rate_limit_max_retries: number;
+    max_request_iterations: number;
+    request_timeout_ms: number;
+    token_expiry_buffer_ms: number;
+    usage_sync_max_retries: number;
+    auth_server_port_start: number;
+    auth_server_port_range: number;
     usage_tracking_enabled: boolean;
     enable_log_api_request: boolean;
     $schema?: string | undefined;
 }, {
     $schema?: string | undefined;
-    session_recovery?: boolean | undefined;
-    auto_resume?: boolean | undefined;
-    proactive_token_refresh?: boolean | undefined;
-    token_refresh_interval_seconds?: number | undefined;
-    token_refresh_buffer_seconds?: number | undefined;
     account_selection_strategy?: "sticky" | "round-robin" | "lowest-usage" | undefined;
     default_region?: "us-east-1" | "us-west-2" | undefined;
     rate_limit_retry_delay_ms?: number | undefined;
     rate_limit_max_retries?: number | undefined;
+    max_request_iterations?: number | undefined;
+    request_timeout_ms?: number | undefined;
+    token_expiry_buffer_ms?: number | undefined;
+    usage_sync_max_retries?: number | undefined;
+    auth_server_port_start?: number | undefined;
+    auth_server_port_range?: number | undefined;
     usage_tracking_enabled?: boolean | undefined;
     enable_log_api_request?: boolean | undefined;
 }>;

package/dist/plugin/config/schema.js

@@ -3,28 +3,30 @@ export const AccountSelectionStrategySchema = z.enum(['sticky', 'round-robin', '
 export const RegionSchema = z.enum(['us-east-1', 'us-west-2']);
 export const KiroConfigSchema = z.object({
     $schema: z.string().optional(),
-    session_recovery: z.boolean().default(true),
-    auto_resume: z.boolean().default(true),
-    proactive_token_refresh: z.boolean().default(true),
-    token_refresh_interval_seconds: z.number().min(60).max(3600).default(300),
-    token_refresh_buffer_seconds: z.number().min(60).max(1800).default(600),
     account_selection_strategy: AccountSelectionStrategySchema.default('lowest-usage'),
     default_region: RegionSchema.default('us-east-1'),
     rate_limit_retry_delay_ms: z.number().min(1000).max(60000).default(5000),
     rate_limit_max_retries: z.number().min(0).max(10).default(3),
+    max_request_iterations: z.number().min(10).max(1000).default(100),
+    request_timeout_ms: z.number().min(60000).max(600000).default(300000),
+    token_expiry_buffer_ms: z.number().min(30000).max(300000).default(120000),
+    usage_sync_max_retries: z.number().min(0).max(5).default(3),
+    auth_server_port_start: z.number().min(1024).max(65535).default(19847),
+    auth_server_port_range: z.number().min(1).max(100).default(10),
     usage_tracking_enabled: z.boolean().default(true),
     enable_log_api_request: z.boolean().default(false)
 });
 export const DEFAULT_CONFIG = {
-    session_recovery: true,
-    auto_resume: true,
-    proactive_token_refresh: true,
-    token_refresh_interval_seconds: 300,
-    token_refresh_buffer_seconds: 600,
     account_selection_strategy: 'lowest-usage',
     default_region: 'us-east-1',
     rate_limit_retry_delay_ms: 5000,
     rate_limit_max_retries: 3,
+    max_request_iterations: 100,
+    request_timeout_ms: 300000,
+    token_expiry_buffer_ms: 120000,
+    usage_sync_max_retries: 3,
+    auth_server_port_start: 19847,
+    auth_server_port_range: 10,
     usage_tracking_enabled: true,
     enable_log_api_request: false
 };

package/dist/plugin/server.d.ts

@@ -18,7 +18,7 @@ export interface IDCAuthData {
     expiresIn: number;
     region: KiroRegion;
 }
-export declare function startIDCAuthServer(authData: IDCAuthData, port?: number): Promise<{
+export declare function startIDCAuthServer(authData: IDCAuthData, startPort?: number, portRange?: number): Promise<{
     url: string;
     waitForAuth: () => Promise<KiroIDCTokenResult>;
 }>;

package/dist/plugin/server.js

@@ -1,8 +1,38 @@
 import { createServer } from 'node:http';
 import { getIDCAuthHtml, getSuccessHtml, getErrorHtml } from './auth-page';
 import * as logger from './logger';
-export function startIDCAuthServer(authData, port = 19847) {
-    return new Promise((resolve, reject) => {
+async function tryPort(port) {
+    return new Promise((resolve) => {
+        const testServer = createServer();
+        testServer.once('error', () => resolve(false));
+        testServer.once('listening', () => {
+            testServer.close();
+            resolve(true);
+        });
+        testServer.listen(port, '127.0.0.1');
+    });
+}
+async function findAvailablePort(startPort, range) {
+    for (let i = 0; i < range; i++) {
+        const port = startPort + i;
+        const available = await tryPort(port);
+        if (available)
+            return port;
+    }
+    throw new Error(`No available ports in range ${startPort}-${startPort + range - 1}. Please close other applications using these ports.`);
+}
+export async function startIDCAuthServer(authData, startPort = 19847, portRange = 10) {
+    return new Promise(async (resolve, reject) => {
+        let port;
+        try {
+            port = await findAvailablePort(startPort, portRange);
+            logger.log(`Auth server will use port ${port}`);
+        }
+        catch (error) {
+            logger.error('Failed to find available port', error);
+            reject(error);
+            return;
+        }
         let server = null;
         let timeoutId = null;
         let resolver = null;
@@ -20,25 +50,46 @@ export function startIDCAuthServer(authData, port = 19847) {
         };
         const poll = async () => {
             try {
-                const body = new URLSearchParams({
-                    grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
-                    device_code: authData.deviceCode,
-                    client_id: authData.clientId,
-                    client_secret: authData.clientSecret
-                });
+                const body = {
+                    grantType: 'urn:ietf:params:oauth:grant-type:device_code',
+                    deviceCode: authData.deviceCode,
+                    clientId: authData.clientId,
+                    clientSecret: authData.clientSecret
+                };
                 const res = await fetch(`https://oidc.${authData.region}.amazonaws.com/token`, {
                     method: 'POST',
-                    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-                    body: body.toString()
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify(body)
                 });
-                const d = await res.json();
+                const responseText = await res.text();
+                let d = {};
+                if (responseText) {
+                    try {
+                        d = JSON.parse(responseText);
+                    }
+                    catch (parseError) {
+                        logger.error(`Auth polling error: Failed to parse JSON (status ${res.status})`, parseError);
+                        throw parseError;
+                    }
+                }
                 if (res.ok) {
-                    const acc = d.access_token, ref = d.refresh_token, exp = Date.now() + d.expires_in * 1000;
-                    const infoRes = await fetch('https://view.awsapps.com/api/user/info', {
-                        headers: { Authorization: `Bearer ${acc}` }
-                    });
-                    const info = await infoRes.json();
-                    const email = info.email || info.userName || 'builder-id@aws.amazon.com';
+                    const acc = d.access_token || d.accessToken, ref = d.refresh_token || d.refreshToken, exp = Date.now() + (d.expires_in || d.expiresIn || 0) * 1000;
+                    let email = 'builder-id@aws.amazon.com';
+                    try {
+                        const infoRes = await fetch('https://view.awsapps.com/api/user/info', {
+                            headers: { Authorization: `Bearer ${acc}` }
+                        });
+                        if (infoRes.ok) {
+                            const info = await infoRes.json();
+                            email = info.email || info.userName || email;
+                        }
+                        else {
+                            logger.warn(`User info request failed with status ${infoRes.status}; using fallback email`);
+                        }
+                    }
+                    catch (infoError) {
+                        logger.warn(`Failed to fetch user info; using fallback email: ${infoError?.message || infoError}`);
+                    }
                     status.status = 'success';
                     if (resolver)
                         resolver({
@@ -57,7 +108,7 @@ export function startIDCAuthServer(authData, port = 19847) {
                 else {
                     status.status = 'failed';
                     status.error = d.error_description || d.error;
-                    logger.error(`Auth polling failed: ${status.error}`);
+                    logger.error(`Auth polling failed a: ${status.error}`);
                     if (rejector)
                         rejector(new Error(status.error));
                     setTimeout(cleanup, 2000);
@@ -66,7 +117,7 @@ export function startIDCAuthServer(authData, port = 19847) {
             catch (e) {
                 status.status = 'failed';
                 status.error = e.message;
-                logger.error(`Auth polling error: ${e.message}`, e);
+                logger.error(`Auth polling error b: ${e.message}`, e);
                 if (rejector)
                     rejector(e);
                 setTimeout(cleanup, 2000);

package/dist/plugin/storage.js

@@ -63,13 +63,20 @@ async function withLock(path, fn) {
     }
 }
 export async function loadAccounts() {
-    try {
-        const content = await fs.readFile(getStoragePath(), 'utf-8');
-        return JSON.parse(content);
-    }
-    catch {
-        return { version: 1, accounts: [], activeIndex: -1 };
-    }
+    const path = getStoragePath();
+    return withLock(path, async () => {
+        try {
+            const content = await fs.readFile(path, 'utf-8');
+            const parsed = JSON.parse(content);
+            if (!parsed || !Array.isArray(parsed.accounts)) {
+                return { version: 1, accounts: [], activeIndex: -1 };
+            }
+            return parsed;
+        }
+        catch {
+            return { version: 1, accounts: [], activeIndex: -1 };
+        }
+    });
 }
 export async function saveAccounts(storage) {
     const path = getStoragePath();
@@ -86,13 +93,20 @@ export async function saveAccounts(storage) {
     }
 }
 export async function loadUsage() {
-    try {
-        const content = await fs.readFile(getUsagePath(), 'utf-8');
-        return JSON.parse(content);
-    }
-    catch {
-        return { version: 1, usage: {} };
-    }
+    const path = getUsagePath();
+    return withLock(path, async () => {
+        try {
+            const content = await fs.readFile(path, 'utf-8');
+            const parsed = JSON.parse(content);
+            if (!parsed || typeof parsed.usage !== 'object' || parsed.usage === null) {
+                return { version: 1, usage: {} };
+            }
+            return parsed;
+        }
+        catch {
+            return { version: 1, usage: {} };
+        }
+    });
 }
 export async function saveUsage(storage) {
     const path = getUsagePath();

package/dist/plugin.js

@@ -1,4 +1,5 @@
 import { loadConfig } from './plugin/config';
+import { exec } from 'node:child_process';
 import { AccountManager, generateAccountId } from './plugin/accounts';
 import { accessTokenExpired, encodeRefreshToken } from './kiro/auth';
 import { refreshAccessToken } from './plugin/token';
@@ -23,6 +24,19 @@ const formatUsageMessage = (usedCount, limitCount, email) => {
     }
     return `Usage (${email}): ${usedCount}`;
 };
+const openBrowser = (url) => {
+    const escapedUrl = url.replace(/"/g, '\\"');
+    const platform = process.platform;
+    const command = platform === 'win32'
+        ? `cmd /c start "" "${escapedUrl}"`
+        : platform === 'darwin'
+            ? `open "${escapedUrl}"`
+            : `xdg-open "${escapedUrl}"`;
+    exec(command, (error) => {
+        if (error)
+            logger.warn(`Failed to open browser automatically: ${error.message}`, error);
+    });
+};
 export const createKiroPlugin = (id) => async ({ client, directory }) => {
     const config = loadConfig(directory);
     const showToast = (message, variant) => {
@@ -46,7 +60,19 @@ export const createKiroPlugin = (id) => async ({ client, directory }) => {
                         const think = model.endsWith('-thinking') || !!body.providerOptions?.thinkingConfig;
                         const budget = body.providerOptions?.thinkingConfig?.thinkingBudget || 20000;
                         let retry = 0;
+                        let iterations = 0;
+                        const startTime = Date.now();
+                        const maxIterations = config.max_request_iterations;
+                        const timeoutMs = config.request_timeout_ms;
                         while (true) {
+                            iterations++;
+                            const elapsed = Date.now() - startTime;
+                            if (iterations > maxIterations) {
+                                throw new Error(`Request exceeded max iterations (${maxIterations}). All accounts may be unhealthy or rate-limited.`);
+                            }
+                            if (elapsed > timeoutMs) {
+                                throw new Error(`Request timeout after ${Math.ceil(elapsed / 1000)}s. Max timeout: ${Math.ceil(timeoutMs / 1000)}s.`);
+                            }
                             const count = am.getAccountCount();
                             if (count === 0)
                                 throw new Error('No accounts. Login first.');
@@ -67,7 +93,7 @@ export const createKiroPlugin = (id) => async ({ client, directory }) => {
                                 showToast(formatUsageMessage(acc.usedCount, acc.limitCount, acc.realEmail || acc.email), variant);
                             }
                             let auth = am.toAuthDetails(acc);
-                            if (accessTokenExpired(auth)) {
+                            if (accessTokenExpired(auth, config.token_expiry_buffer_ms)) {
                                 try {
                                     logger.log(`Refreshing token for ${acc.realEmail || acc.email}`);
                                     auth = await refreshAccessToken(auth);
@@ -122,13 +148,24 @@ export const createKiroPlugin = (id) => async ({ client, directory }) => {
                                     }, apiTimestamp);
                                 }
                                 if (res.ok) {
-                                    if (config.usage_tracking_enabled)
-                                        fetchUsageLimits(auth)
-                                            .then((u) => {
-                                            updateAccountQuota(acc, u, am);
-                                            am.saveToDisk();
-                                        })
-                                            .catch((e) => logger.warn(`Usage sync failed for ${acc.realEmail || acc.email}: ${e.message}`));
+                                    if (config.usage_tracking_enabled) {
+                                        const syncUsage = async (attempt = 0) => {
+                                            try {
+                                                const u = await fetchUsageLimits(auth);
+                                                updateAccountQuota(acc, u, am);
+                                                await am.saveToDisk();
+                                            }
+                                            catch (e) {
+                                                if (attempt < config.usage_sync_max_retries) {
+                                                    const delay = 1000 * Math.pow(2, attempt);
+                                                    await sleep(delay);
+                                                    return syncUsage(attempt + 1);
+                                                }
+                                                logger.warn(`Usage sync failed for ${acc.realEmail || acc.email} after ${attempt + 1} attempts: ${e.message}`);
+                                            }
+                                        };
+                                        syncUsage().catch(() => { });
+                                    }
                                     if (prep.streaming) {
                                         const s = transformKiroStream(res, model, prep.conversationId);
                                         return new Response(new ReadableStream({
@@ -248,10 +285,11 @@ export const createKiroPlugin = (id) => async ({ client, directory }) => {
                         const region = config.default_region;
                         try {
                             const authData = await authorizeKiroIDC(region);
-                            const { url, waitForAuth } = await startIDCAuthServer(authData);
+                            const { url, waitForAuth } = await startIDCAuthServer(authData, config.auth_server_port_start, config.auth_server_port_range);
+                            openBrowser(url);
                             resolve({
                                 url,
-                                instructions: 'Opening browser...',
+                                instructions: `Open this URL to continue: ${url}`,
                                 method: 'auto',
                                 callback: async () => {
                                     try {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zhafron/opencode-kiro-auth",
-  "version": "1.1.3",
+  "version": "1.2.1",
   "description": "OpenCode plugin for AWS Kiro (CodeWhisperer) providing access to Claude models",
   "type": "module",
   "main": "dist/index.js",