@zhafron/opencode-kiro-auth 1.5.3 → 1.6.0

package/README.md

@@ -8,7 +8,7 @@ OpenCode plugin for AWS Kiro (CodeWhisperer) providing access to Claude Sonnet a
 
 ## Features
 
-- **Multiple Auth Methods**: Supports AWS Builder ID (IDC) and Kiro Desktop (CLI-based) authentication.
+- **Multiple Auth Methods**: Supports AWS Builder ID (IDC), IAM Identity Center (custom Start URL), and Kiro Desktop (CLI-based) authentication.
 - **Auto-Sync Kiro CLI**: Automatically imports and synchronizes active sessions from your local `kiro-cli` SQLite database.
 - **Gradual Context Truncation**: Intelligently prevents error 400 by reducing context size dynamically during retries.
 - **Intelligent Account Rotation**: Prioritizes multi-account usage based on lowest available quota.
@@ -116,7 +116,10 @@ Add the plugin to your `opencode.json` or `opencode.jsonc`:
 2. **Direct Authentication**:
    - Run `opencode auth login`.
    - Select `Other`, type `kiro`, and press enter.
-   - Follow the instructions for **AWS Builder ID (IDC)**.
+   - A browser page will open asking for your **IAM Identity Center Start URL**.
+     - Leave it blank to sign in with **AWS Builder ID**.
+     - Enter your company's Start URL (e.g. `https://your-company.awsapps.com/start`) to use **IAM Identity Center (SSO)**.
+   - You can also pre-configure the Start URL in `~/.config/opencode/kiro.json` via `idc_start_url` to skip the prompt.
 3. Configuration will be automatically managed at `~/.config/opencode/kiro.db`.
 
 ## Troubleshooting
@@ -155,6 +158,7 @@ The plugin supports extensive configuration options. Edit `~/.config/opencode/ki
   "auto_sync_kiro_cli": true,
   "account_selection_strategy": "lowest-usage",
   "default_region": "us-east-1",
+  "idc_start_url": "https://your-company.awsapps.com/start",
   "rate_limit_retry_delay_ms": 5000,
   "rate_limit_max_retries": 3,
   "max_request_iterations": 20,
@@ -173,6 +177,7 @@ The plugin supports extensive configuration options. Edit `~/.config/opencode/ki
 - `auto_sync_kiro_cli`: Automatically sync sessions from Kiro CLI (default: `true`).
 - `account_selection_strategy`: Account rotation strategy (`sticky`, `round-robin`, `lowest-usage`).
 - `default_region`: AWS region (`us-east-1`, `us-west-2`).
+- `idc_start_url`: Pre-configure your IAM Identity Center Start URL (e.g. `https://your-company.awsapps.com/start`). If set, the browser auth page will pre-fill this value. Leave unset to default to AWS Builder ID.
 - `rate_limit_retry_delay_ms`: Delay between rate limit retries (1000-60000ms).
 - `rate_limit_max_retries`: Maximum retry attempts for rate limits (0-10).
 - `max_request_iterations`: Maximum loop iterations to prevent hangs (10-1000).

package/dist/constants.d.ts

@@ -20,5 +20,6 @@ export declare const KIRO_AUTH_SERVICE: {
     ENDPOINT: string;
     SSO_OIDC_ENDPOINT: string;
     BUILDER_ID_START_URL: string;
+    USER_INFO_URL: string;
     SCOPES: string[];
 };

package/dist/constants.js

@@ -37,12 +37,16 @@ export const MODEL_MAPPING = {
     'claude-sonnet-4-5-thinking': 'CLAUDE_SONNET_4_5_20250929_V1_0',
     'claude-sonnet-4-5-1m': 'CLAUDE_SONNET_4_5_20250929_LONG_V1_0',
     'claude-sonnet-4-5-1m-thinking': 'CLAUDE_SONNET_4_5_20250929_LONG_V1_0',
+    'claude-sonnet-4-6': 'claude-sonnet-4.6',
+    'claude-sonnet-4-6-thinking': 'claude-sonnet-4.6',
+    'claude-sonnet-4-6-1m': 'claude-sonnet-4.6',
+    'claude-sonnet-4-6-1m-thinking': 'claude-sonnet-4.6',
     'claude-opus-4-5': 'CLAUDE_OPUS_4_5_20251101_V1_0',
     'claude-opus-4-5-thinking': 'CLAUDE_OPUS_4_5_20251101_V1_0',
-    'claude-opus-4-6': 'CLAUDE_OPUS_4_6_V1',
-    'claude-opus-4-6-thinking': 'CLAUDE_OPUS_4_6_V1',
-    'claude-opus-4-6-1m': 'CLAUDE_OPUS_4_6_LONG_V1',
-    'claude-opus-4-6-1m-thinking': 'CLAUDE_OPUS_4_6_LONG_V1',
+    'claude-opus-4-6': 'claude-opus-4.6',
+    'claude-opus-4-6-thinking': 'claude-opus-4.6',
+    'claude-opus-4-6-1m': 'claude-opus-4.6',
+    'claude-opus-4-6-1m-thinking': 'claude-opus-4.6',
     'claude-sonnet-4': 'CLAUDE_SONNET_4_20250514_V1_0',
     'claude-3-7-sonnet': 'CLAUDE_3_7_SONNET_20250219_V1_0',
     'nova-swe': 'AGI_NOVA_SWE_V1_5',
@@ -56,6 +60,7 @@ export const KIRO_AUTH_SERVICE = {
     ENDPOINT: 'https://prod.{{region}}.auth.desktop.kiro.dev',
     SSO_OIDC_ENDPOINT: 'https://oidc.{{region}}.amazonaws.com',
     BUILDER_ID_START_URL: 'https://view.awsapps.com/start',
+    USER_INFO_URL: 'https://view.awsapps.com/api/user/info',
     SCOPES: [
         'codewhisperer:completions',
         'codewhisperer:analysis',

package/dist/core/auth/auth-handler.d.ts

@@ -1,3 +1,4 @@
+import type { AuthHook } from '@opencode-ai/plugin';
 import type { AccountRepository } from '../../infrastructure/database/account-repository.js';
 export declare class AuthHandler {
     private config;
@@ -6,10 +7,5 @@ export declare class AuthHandler {
     constructor(config: any, repository: AccountRepository);
     initialize(): Promise<void>;
     setAccountManager(am: any): void;
-    getMethods(): Array<{
-        id: string;
-        label: string;
-        type: 'oauth';
-        authorize: (inputs?: any) => Promise<any>;
-    }>;
+    getMethods(): AuthHook['methods'];
 }

package/dist/core/auth/auth-handler.js

@@ -23,9 +23,27 @@ export class AuthHandler {
         const idcMethod = new IdcAuthMethod(this.config, this.repository);
         return [
             {
-                id: 'idc',
-                label: 'AWS Builder ID (IDC)',
+                label: 'AWS Builder ID / IAM Identity Center',
                 type: 'oauth',
+                prompts: [
+                    {
+                        type: 'text',
+                        key: 'start_url',
+                        message: 'IAM Identity Center Start URL (leave blank for AWS Builder ID)',
+                        placeholder: 'https://your-company.awsapps.com/start',
+                        validate: (value) => {
+                            if (!value)
+                                return undefined;
+                            try {
+                                new URL(value);
+                                return undefined;
+                            }
+                            catch {
+                                return 'Please enter a valid URL';
+                            }
+                        }
+                    }
+                ],
                 authorize: (inputs) => idcMethod.authorize(inputs)
             }
         ];

package/dist/core/auth/idc-auth-method.d.ts

@@ -1,17 +1,10 @@
+import type { AuthOuathResult } from '@opencode-ai/plugin';
 import type { AccountRepository } from '../../infrastructure/database/account-repository.js';
 export declare class IdcAuthMethod {
     private config;
     private repository;
     constructor(config: any, repository: AccountRepository);
-    authorize(inputs?: any): Promise<{
-        url: string;
-        instructions: string;
-        method: 'auto';
-        callback: () => Promise<{
-            type: 'success' | 'failed';
-            key?: string;
-        }>;
-    }>;
+    authorize(inputs?: Record<string, string>): Promise<AuthOuathResult>;
     private handleMultipleLogin;
     private handleSingleLogin;
 }

package/dist/core/auth/idc-auth-method.js

@@ -1,9 +1,8 @@
 import { exec } from 'node:child_process';
-import { authorizeKiroIDC } from '../../kiro/oauth-idc.js';
 import { createDeterministicAccountId } from '../../plugin/accounts.js';
 import { promptAddAnotherAccount, promptDeleteAccount, promptLoginMode } from '../../plugin/cli.js';
 import * as logger from '../../plugin/logger.js';
-import { startIDCAuthServer } from '../../plugin/server.js';
+import { startIDCAuthServerWithInput } from '../../plugin/server.js';
 import { fetchUsageLimits } from '../../plugin/usage.js';
 const openBrowser = (url) => {
     const escapedUrl = url.replace(/"/g, '\\"');
@@ -28,15 +27,17 @@ export class IdcAuthMethod {
     async authorize(inputs) {
         return new Promise(async (resolve) => {
             const region = this.config.default_region;
+            // inputs.start_url takes priority over config; browser input page will also allow override
+            const defaultStartUrl = inputs?.start_url || this.config.idc_start_url;
             if (inputs) {
-                await this.handleMultipleLogin(region, resolve);
+                await this.handleMultipleLogin(region, defaultStartUrl, resolve);
             }
             else {
-                await this.handleSingleLogin(region, resolve);
+                await this.handleSingleLogin(region, defaultStartUrl, resolve);
             }
         });
     }
-    async handleMultipleLogin(region, resolve) {
+    async handleMultipleLogin(region, defaultStartUrl, resolve) {
         const accounts = [];
         let startFresh = true;
         while (true) {
@@ -75,10 +76,10 @@ export class IdcAuthMethod {
         }
         while (true) {
             try {
-                const authData = await authorizeKiroIDC(region);
-                const { url, waitForAuth } = await startIDCAuthServer(authData, this.config.auth_server_port_start, this.config.auth_server_port_range);
+                const { url, waitForAuth } = await startIDCAuthServerWithInput(region, defaultStartUrl, this.config.auth_server_port_start, this.config.auth_server_port_range);
                 openBrowser(url);
                 const res = await waitForAuth();
+                const startUrl = defaultStartUrl;
                 const u = await fetchUsageLimits({
                     refresh: '',
                     access: res.accessToken,
@@ -108,6 +109,7 @@ export class IdcAuthMethod {
                     region,
                     clientId: res.clientId,
                     clientSecret: res.clientSecret,
+                    startUrl: startUrl || undefined,
                     refreshToken: res.refreshToken,
                     accessToken: res.accessToken,
                     expiresAt: res.expiresAt,
@@ -139,10 +141,9 @@ export class IdcAuthMethod {
             })
         });
     }
-    async handleSingleLogin(region, resolve) {
+    async handleSingleLogin(region, defaultStartUrl, resolve) {
         try {
-            const authData = await authorizeKiroIDC(region);
-            const { url, waitForAuth } = await startIDCAuthServer(authData, this.config.auth_server_port_start, this.config.auth_server_port_range);
+            const { url, waitForAuth } = await startIDCAuthServerWithInput(region, defaultStartUrl, this.config.auth_server_port_start, this.config.auth_server_port_range);
             openBrowser(url);
             resolve({
                 url,
@@ -151,6 +152,7 @@ export class IdcAuthMethod {
                 callback: async () => {
                     try {
                         const res = await waitForAuth();
+                        const startUrl = defaultStartUrl;
                         const u = await fetchUsageLimits({
                             refresh: '',
                             access: res.accessToken,
@@ -170,6 +172,7 @@ export class IdcAuthMethod {
                             region,
                             clientId: res.clientId,
                             clientSecret: res.clientSecret,
+                            startUrl: startUrl || undefined,
                             refreshToken: res.refreshToken,
                             accessToken: res.accessToken,
                             expiresAt: res.expiresAt,

package/dist/infrastructure/database/account-repository.js

@@ -18,6 +18,7 @@ export class AccountRepository {
             clientId: r.client_id,
             clientSecret: r.client_secret,
             profileArn: r.profile_arn,
+            startUrl: r.start_url || undefined,
             refreshToken: r.refresh_token,
             accessToken: r.access_token,
             expiresAt: r.expires_at,

package/dist/kiro/oauth-idc.d.ts

@@ -9,6 +9,7 @@ export interface KiroIDCAuthorization {
     interval: number;
     expiresIn: number;
     region: KiroRegion;
+    startUrl: string;
 }
 export interface KiroIDCTokenResult {
     refreshToken: string;
@@ -20,5 +21,5 @@ export interface KiroIDCTokenResult {
     region: KiroRegion;
     authMethod: 'idc';
 }
-export declare function authorizeKiroIDC(region?: KiroRegion): Promise<KiroIDCAuthorization>;
+export declare function authorizeKiroIDC(region?: KiroRegion, startUrl?: string): Promise<KiroIDCAuthorization>;
 export declare function pollKiroIDCToken(clientId: string, clientSecret: string, deviceCode: string, interval: number, expiresIn: number, region: KiroRegion): Promise<KiroIDCTokenResult>;

package/dist/kiro/oauth-idc.js

@@ -1,7 +1,8 @@
 import { KIRO_AUTH_SERVICE, KIRO_CONSTANTS, buildUrl, normalizeRegion } from '../constants';
-export async function authorizeKiroIDC(region) {
+export async function authorizeKiroIDC(region, startUrl) {
     const effectiveRegion = normalizeRegion(region);
     const ssoOIDCEndpoint = buildUrl(KIRO_AUTH_SERVICE.SSO_OIDC_ENDPOINT, effectiveRegion);
+    const effectiveStartUrl = startUrl || KIRO_AUTH_SERVICE.BUILDER_ID_START_URL;
     try {
         const registerResponse = await fetch(`${ssoOIDCEndpoint}/client/register`, {
             method: 'POST',
@@ -36,7 +37,7 @@ export async function authorizeKiroIDC(region) {
             body: JSON.stringify({
                 clientId,
                 clientSecret,
-                startUrl: KIRO_AUTH_SERVICE.BUILDER_ID_START_URL
+                startUrl: effectiveStartUrl
             })
         });
         if (!deviceAuthResponse.ok) {
@@ -59,7 +60,8 @@ export async function authorizeKiroIDC(region) {
             clientSecret,
             interval,
             expiresIn,
-            region: effectiveRegion
+            region: effectiveRegion,
+            startUrl: effectiveStartUrl
         };
     }
     catch (error) {

package/dist/plugin/accounts.js

@@ -30,6 +30,7 @@ export class AccountManager {
             clientId: r.client_id,
             clientSecret: r.client_secret,
             profileArn: r.profile_arn,
+            startUrl: r.start_url || undefined,
             refreshToken: r.refresh_token,
             accessToken: r.access_token,
             expiresAt: r.expires_at,

package/dist/plugin/auth-page.d.ts

@@ -1,3 +1,4 @@
 export declare function getIDCAuthHtml(verificationUrl: string, userCode: string, statusUrl: string): string;
 export declare function getSuccessHtml(): string;
 export declare function getErrorHtml(message: string): string;
+export declare function getStartUrlInputHtml(defaultStartUrl: string, submitUrl: string): string;

package/dist/plugin/auth-page.js

@@ -571,3 +571,151 @@ export function getErrorHtml(message) {
 </body>
 </html>`;
 }
+export function getStartUrlInputHtml(defaultStartUrl, submitUrl) {
+    const escapedDefault = escapeHtml(defaultStartUrl);
+    const escapedSubmit = escapeHtml(submitUrl);
+    return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>AWS Authentication Setup</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif;
+      background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      padding: 20px;
+    }
+    .container {
+      background: white;
+      border-radius: 16px;
+      box-shadow: 0 20px 60px rgba(0,0,0,0.3);
+      max-width: 500px;
+      width: 100%;
+      padding: 48px 40px;
+      animation: slideIn 0.4s ease-out;
+    }
+    @keyframes slideIn {
+      from { opacity: 0; transform: translateY(-20px); }
+      to { opacity: 1; transform: translateY(0); }
+    }
+    h1 { color: #1a202c; font-size: 26px; font-weight: 700; margin-bottom: 10px; }
+    .subtitle { color: #718096; font-size: 15px; margin-bottom: 32px; line-height: 1.5; }
+    label { display: block; color: #4a5568; font-size: 14px; font-weight: 600; margin-bottom: 8px; }
+    input[type="url"], input[type="text"] {
+      width: 100%;
+      padding: 12px 16px;
+      border: 2px solid #e2e8f0;
+      border-radius: 8px;
+      font-size: 15px;
+      color: #2d3748;
+      outline: none;
+      transition: border-color 0.2s;
+    }
+    input:focus { border-color: #667eea; }
+    .hint { color: #a0aec0; font-size: 13px; margin-top: 8px; margin-bottom: 24px; }
+    .hint a { color: #667eea; text-decoration: none; }
+    button {
+      width: 100%;
+      padding: 14px;
+      background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+      color: white;
+      border: none;
+      border-radius: 8px;
+      font-size: 16px;
+      font-weight: 600;
+      cursor: pointer;
+      transition: opacity 0.2s, transform 0.1s;
+    }
+    button:hover { opacity: 0.9; transform: translateY(-1px); }
+    button:active { transform: translateY(0); }
+    button:disabled { opacity: 0.6; cursor: not-allowed; transform: none; }
+    .error { color: #e53e3e; font-size: 13px; margin-top: 8px; display: none; }
+    .loading { display: none; text-align: center; color: #718096; margin-top: 16px; font-size: 14px; }
+    .spinner {
+      display: inline-block; width: 16px; height: 16px;
+      border: 2px solid #e2e8f0; border-top-color: #667eea;
+      border-radius: 50%; animation: spin 0.8s linear infinite;
+      vertical-align: middle; margin-right: 8px;
+    }
+    @keyframes spin { to { transform: rotate(360deg); } }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <h1>AWS Authentication</h1>
+    <p class="subtitle">Enter your IAM Identity Center Start URL, or leave blank to use AWS Builder ID.</p>
+
+    <form id="form" onsubmit="handleSubmit(event)">
+      <label for="startUrl">Start URL</label>
+      <input
+        type="text"
+        id="startUrl"
+        name="startUrl"
+        placeholder="https://your-company.awsapps.com/start"
+        value="${escapedDefault}"
+        autocomplete="url"
+        spellcheck="false"
+      />
+      <div class="hint">Leave blank to sign in with <strong>AWS Builder ID</strong></div>
+      <div class="error" id="error"></div>
+      <button type="submit" id="btn">Continue</button>
+    </form>
+
+    <div class="loading" id="loading">
+      <span class="spinner"></span>Initializing authentication...
+    </div>
+  </div>
+
+  <script>
+    async function handleSubmit(e) {
+      e.preventDefault();
+      const input = document.getElementById('startUrl');
+      const errorEl = document.getElementById('error');
+      const btn = document.getElementById('btn');
+      const loading = document.getElementById('loading');
+      const val = input.value.trim();
+
+      if (val) {
+        try { new URL(val); } catch {
+          errorEl.textContent = 'Please enter a valid URL';
+          errorEl.style.display = 'block';
+          return;
+        }
+      }
+
+      errorEl.style.display = 'none';
+      btn.disabled = true;
+      loading.style.display = 'block';
+
+      try {
+        const res = await fetch('${escapedSubmit}', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ startUrl: val || '' })
+        });
+        const data = await res.json();
+        if (data.error) {
+          errorEl.textContent = data.error;
+          errorEl.style.display = 'block';
+          btn.disabled = false;
+          loading.style.display = 'none';
+        } else {
+          window.location.href = '/auth?code=' + encodeURIComponent(data.userCode) + '&url=' + encodeURIComponent(data.verificationUriComplete);
+        }
+      } catch (err) {
+        errorEl.textContent = 'Failed to connect. Please try again.';
+        errorEl.style.display = 'block';
+        btn.disabled = false;
+        loading.style.display = 'none';
+      }
+    }
+  </script>
+</body>
+</html>`;
+}

package/dist/plugin/config/schema.d.ts

@@ -5,6 +5,7 @@ export declare const RegionSchema: z.ZodEnum<["us-east-1", "us-west-2"]>;
 export type Region = z.infer<typeof RegionSchema>;
 export declare const KiroConfigSchema: z.ZodObject<{
     $schema: z.ZodOptional<z.ZodString>;
+    idc_start_url: z.ZodOptional<z.ZodString>;
     account_selection_strategy: z.ZodDefault<z.ZodEnum<["sticky", "round-robin", "lowest-usage"]>>;
     default_region: z.ZodDefault<z.ZodEnum<["us-east-1", "us-west-2"]>>;
     rate_limit_retry_delay_ms: z.ZodDefault<z.ZodNumber>;
@@ -33,8 +34,10 @@ export declare const KiroConfigSchema: z.ZodObject<{
     auto_sync_kiro_cli: boolean;
     enable_log_api_request: boolean;
     $schema?: string | undefined;
+    idc_start_url?: string | undefined;
 }, {
     $schema?: string | undefined;
+    idc_start_url?: string | undefined;
     account_selection_strategy?: "sticky" | "round-robin" | "lowest-usage" | undefined;
     default_region?: "us-east-1" | "us-west-2" | undefined;
     rate_limit_retry_delay_ms?: number | undefined;

package/dist/plugin/config/schema.js

@@ -3,6 +3,7 @@ export const AccountSelectionStrategySchema = z.enum(['sticky', 'round-robin', '
 export const RegionSchema = z.enum(['us-east-1', 'us-west-2']);
 export const KiroConfigSchema = z.object({
     $schema: z.string().optional(),
+    idc_start_url: z.string().url().optional(),
     account_selection_strategy: AccountSelectionStrategySchema.default('lowest-usage'),
     default_region: RegionSchema.default('us-east-1'),
     rate_limit_retry_delay_ms: z.number().min(1000).max(60000).default(5000),

package/dist/plugin/server.d.ts

@@ -17,8 +17,18 @@ export interface IDCAuthData {
     interval: number;
     expiresIn: number;
     region: KiroRegion;
+    startUrl: string;
 }
 export declare function startIDCAuthServer(authData: IDCAuthData, startPort?: number, portRange?: number): Promise<{
     url: string;
     waitForAuth: () => Promise<KiroIDCTokenResult>;
 }>;
+/**
+ * Starts a local auth server that first shows a Start URL input page.
+ * After the user submits, it calls authorizeKiroIDC internally and transitions
+ * to the verification code page — no need to call authorizeKiroIDC beforehand.
+ */
+export declare function startIDCAuthServerWithInput(region: KiroRegion, defaultStartUrl: string | undefined, startPort?: number, portRange?: number): Promise<{
+    url: string;
+    waitForAuth: () => Promise<KiroIDCTokenResult>;
+}>;

package/dist/plugin/server.js

@@ -1,5 +1,6 @@
 import { createServer } from 'node:http';
-import { getErrorHtml, getIDCAuthHtml, getSuccessHtml } from './auth-page';
+import { authorizeKiroIDC } from '../kiro/oauth-idc';
+import { getErrorHtml, getIDCAuthHtml, getStartUrlInputHtml, getSuccessHtml } from './auth-page';
 import * as logger from './logger';
 async function tryPort(port) {
     return new Promise((resolve) => {
@@ -76,7 +77,9 @@ export async function startIDCAuthServer(authData, startPort = 19847, portRange
                     const acc = d.access_token || d.accessToken, ref = d.refresh_token || d.refreshToken, exp = Date.now() + (d.expires_in || d.expiresIn || 0) * 1000;
                     let email = 'builder-id@aws.amazon.com';
                     try {
-                        const infoRes = await fetch('https://view.awsapps.com/api/user/info', {
+                        // Derive user info URL from startUrl: replace /start with /api/user/info
+                        const userInfoUrl = authData.startUrl.replace(/\/start\/?$/, '/api/user/info');
+                        const infoRes = await fetch(userInfoUrl, {
                             headers: { Authorization: `Bearer ${acc}` }
                         });
                         if (infoRes.ok) {
@@ -164,3 +167,196 @@ export async function startIDCAuthServer(authData, startPort = 19847, portRange
         });
     });
 }
+/**
+ * Starts a local auth server that first shows a Start URL input page.
+ * After the user submits, it calls authorizeKiroIDC internally and transitions
+ * to the verification code page — no need to call authorizeKiroIDC beforehand.
+ */
+export async function startIDCAuthServerWithInput(region, defaultStartUrl, startPort = 19847, portRange = 10) {
+    return new Promise(async (resolve, reject) => {
+        let port;
+        try {
+            port = await findAvailablePort(startPort, portRange);
+            logger.log(`Auth server (with input) will use port ${port}`);
+        }
+        catch (error) {
+            logger.error('Failed to find available port', error);
+            reject(error);
+            return;
+        }
+        let server = null;
+        let timeoutId = null;
+        let resolver = null;
+        let rejector = null;
+        const status = { status: 'pending' };
+        // authData is populated after the user submits the start URL form
+        let authData = null;
+        const cleanup = () => {
+            if (timeoutId)
+                clearTimeout(timeoutId);
+            if (server)
+                server.close();
+        };
+        const sendHtml = (res, html) => {
+            res.writeHead(200, { 'Content-Type': 'text/html' });
+            res.end(html);
+        };
+        const sendJson = (res, code, data) => {
+            res.writeHead(code, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify(data));
+        };
+        const poll = async (data) => {
+            try {
+                const body = {
+                    grantType: 'urn:ietf:params:oauth:grant-type:device_code',
+                    deviceCode: data.deviceCode,
+                    clientId: data.clientId,
+                    clientSecret: data.clientSecret
+                };
+                const res = await fetch(`https://oidc.${data.region}.amazonaws.com/token`, {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify(body)
+                });
+                const responseText = await res.text();
+                let d = {};
+                if (responseText) {
+                    try {
+                        d = JSON.parse(responseText);
+                    }
+                    catch (parseError) {
+                        logger.error(`Auth polling error: Failed to parse JSON (status ${res.status})`, parseError);
+                        throw parseError;
+                    }
+                }
+                if (res.ok) {
+                    const acc = d.access_token || d.accessToken, ref = d.refresh_token || d.refreshToken, exp = Date.now() + (d.expires_in || d.expiresIn || 0) * 1000;
+                    let email = 'builder-id@aws.amazon.com';
+                    try {
+                        const userInfoUrl = data.startUrl.replace(/\/start\/?$/, '/api/user/info');
+                        const infoRes = await fetch(userInfoUrl, {
+                            headers: { Authorization: `Bearer ${acc}` }
+                        });
+                        if (infoRes.ok) {
+                            const info = await infoRes.json();
+                            email = info.email || info.userName || email;
+                        }
+                        else {
+                            logger.warn(`User info request failed with status ${infoRes.status}; using fallback email`);
+                        }
+                    }
+                    catch (infoError) {
+                        logger.warn(`Failed to fetch user info; using fallback email: ${infoError?.message || infoError}`);
+                    }
+                    status.status = 'success';
+                    if (resolver)
+                        resolver({
+                            email,
+                            accessToken: acc,
+                            refreshToken: ref,
+                            expiresAt: exp,
+                            clientId: data.clientId,
+                            clientSecret: data.clientSecret
+                        });
+                    setTimeout(cleanup, 2000);
+                }
+                else if (d.error === 'authorization_pending') {
+                    setTimeout(() => poll(data), data.interval * 1000);
+                }
+                else {
+                    status.status = 'failed';
+                    status.error = d.error_description || d.error;
+                    logger.error(`Auth polling failed: ${status.error}`);
+                    if (rejector)
+                        rejector(new Error(status.error));
+                    setTimeout(cleanup, 2000);
+                }
+            }
+            catch (e) {
+                status.status = 'failed';
+                status.error = e.message;
+                logger.error(`Auth polling error: ${e.message}`, e);
+                if (rejector)
+                    rejector(e);
+                setTimeout(cleanup, 2000);
+            }
+        };
+        server = createServer(async (req, res) => {
+            const u = req.url || '';
+            // Step 1: Show start URL input page
+            if (u === '/' || u === '') {
+                sendHtml(res, getStartUrlInputHtml(defaultStartUrl || '', `http://127.0.0.1:${port}/setup`));
+                return;
+            }
+            // Step 2: Receive start URL, call authorizeKiroIDC, return auth info to browser
+            if (u === '/setup' && req.method === 'POST') {
+                let body = '';
+                req.on('data', (chunk) => {
+                    body += chunk;
+                });
+                req.on('end', async () => {
+                    try {
+                        const { startUrl } = JSON.parse(body);
+                        const effectiveStartUrl = startUrl || undefined;
+                        const data = await authorizeKiroIDC(region, effectiveStartUrl);
+                        authData = data;
+                        // Start polling now that we have device code
+                        poll(authData);
+                        sendJson(res, 200, {
+                            userCode: data.userCode,
+                            verificationUriComplete: data.verificationUriComplete
+                        });
+                    }
+                    catch (e) {
+                        logger.error('authorizeKiroIDC failed', e);
+                        sendJson(res, 500, { error: e.message || 'Failed to initialize authentication' });
+                    }
+                });
+                return;
+            }
+            // Step 3: Show verification code page (browser redirects here after /setup)
+            if (u.startsWith('/auth')) {
+                const params = new URL(u, `http://127.0.0.1:${port}`).searchParams;
+                const code = params.get('code') || '';
+                const verUrl = params.get('url') || '';
+                sendHtml(res, getIDCAuthHtml(verUrl, code, `http://127.0.0.1:${port}/status`));
+                return;
+            }
+            if (u === '/status') {
+                sendJson(res, 200, status);
+                return;
+            }
+            if (u === '/success') {
+                sendHtml(res, getSuccessHtml());
+                return;
+            }
+            if (u.startsWith('/error')) {
+                sendHtml(res, getErrorHtml(status.error || 'Failed'));
+                return;
+            }
+            res.writeHead(404);
+            res.end();
+        });
+        server.on('error', (e) => {
+            logger.error(`Auth server error on port ${port}`, e);
+            cleanup();
+            reject(e);
+        });
+        server.listen(port, '127.0.0.1', () => {
+            timeoutId = setTimeout(() => {
+                status.status = 'timeout';
+                logger.warn('Auth timeout waiting for authorization');
+                if (rejector)
+                    rejector(new Error('Timeout'));
+                cleanup();
+            }, 900000);
+            resolve({
+                url: `http://127.0.0.1:${port}`,
+                waitForAuth: () => new Promise((rv, rj) => {
+                    resolver = rv;
+                    rejector = rj;
+                })
+            });
+        });
+    });
+}

package/dist/plugin/storage/migrations.js

@@ -2,6 +2,7 @@ export function runMigrations(db) {
     migrateToUniqueRefreshToken(db);
     migrateRealEmailColumn(db);
     migrateUsageTable(db);
+    migrateStartUrlColumn(db);
 }
 function migrateToUniqueRefreshToken(db) {
     const hasIndex = db
@@ -107,3 +108,10 @@ function migrateUsageTable(db) {
         db.run('DROP TABLE usage');
     }
 }
+function migrateStartUrlColumn(db) {
+    const columns = db.prepare('PRAGMA table_info(accounts)').all();
+    const names = new Set(columns.map((c) => c.name));
+    if (!names.has('start_url')) {
+        db.run('ALTER TABLE accounts ADD COLUMN start_url TEXT');
+    }
+}

package/dist/plugin/storage/sqlite.js

@@ -29,6 +29,7 @@ export class KiroDatabase {
       CREATE TABLE IF NOT EXISTS accounts (
         id TEXT PRIMARY KEY, email TEXT NOT NULL, auth_method TEXT NOT NULL,
         region TEXT NOT NULL, client_id TEXT, client_secret TEXT, profile_arn TEXT,
+        start_url TEXT,
         refresh_token TEXT NOT NULL, access_token TEXT NOT NULL, expires_at INTEGER NOT NULL,
         rate_limit_reset INTEGER DEFAULT 0, is_healthy INTEGER DEFAULT 1, unhealthy_reason TEXT,
         recovery_time INTEGER, fail_count INTEGER DEFAULT 0, last_used INTEGER DEFAULT 0,
@@ -45,20 +46,21 @@ export class KiroDatabase {
             .prepare(`
       INSERT INTO accounts (
         id, email, auth_method, region, client_id, client_secret,
-        profile_arn, refresh_token, access_token, expires_at, rate_limit_reset,
+        profile_arn, start_url, refresh_token, access_token, expires_at, rate_limit_reset,
         is_healthy, unhealthy_reason, recovery_time, fail_count, last_used,
         used_count, limit_count, last_sync
-      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
       ON CONFLICT(refresh_token) DO UPDATE SET
         id=excluded.id, email=excluded.email, auth_method=excluded.auth_method,
         region=excluded.region, client_id=excluded.client_id, client_secret=excluded.client_secret,
-        profile_arn=excluded.profile_arn, access_token=excluded.access_token, expires_at=excluded.expires_at,
+        profile_arn=excluded.profile_arn, start_url=excluded.start_url,
+        access_token=excluded.access_token, expires_at=excluded.expires_at,
         rate_limit_reset=excluded.rate_limit_reset, is_healthy=excluded.is_healthy,
         unhealthy_reason=excluded.unhealthy_reason, recovery_time=excluded.recovery_time,
         fail_count=excluded.fail_count, last_used=excluded.last_used,
         used_count=excluded.used_count, limit_count=excluded.limit_count, last_sync=excluded.last_sync
     `)
-            .run(acc.id, acc.email, acc.authMethod, acc.region, acc.clientId || null, acc.clientSecret || null, acc.profileArn || null, acc.refreshToken, acc.accessToken, acc.expiresAt, acc.rateLimitResetTime || 0, acc.isHealthy ? 1 : 0, acc.unhealthyReason || null, acc.recoveryTime || null, acc.failCount || 0, acc.lastUsed || 0, acc.usedCount || 0, acc.limitCount || 0, acc.lastSync || 0);
+            .run(acc.id, acc.email, acc.authMethod, acc.region, acc.clientId || null, acc.clientSecret || null, acc.profileArn || null, acc.startUrl || null, acc.refreshToken, acc.accessToken, acc.expiresAt, acc.rateLimitResetTime || 0, acc.isHealthy ? 1 : 0, acc.unhealthyReason || null, acc.recoveryTime || null, acc.failCount || 0, acc.lastUsed || 0, acc.usedCount || 0, acc.limitCount || 0, acc.lastSync || 0);
     }
     async upsertAccount(acc) {
         await withDatabaseLock(this.path, async () => {
@@ -110,6 +112,7 @@ export class KiroDatabase {
             clientId: row.client_id,
             clientSecret: row.client_secret,
             profileArn: row.profile_arn,
+            startUrl: row.start_url || undefined,
             refreshToken: row.refresh_token,
             accessToken: row.access_token,
             expiresAt: row.expires_at,

package/dist/plugin/types.d.ts

@@ -26,6 +26,7 @@ export interface ManagedAccount {
     clientId?: string;
     clientSecret?: string;
     profileArn?: string;
+    startUrl?: string;
     refreshToken: string;
     accessToken: string;
     expiresAt: number;

package/dist/plugin.d.ts

@@ -6,12 +6,57 @@ export declare const createKiroPlugin: (id: string) => ({ client, directory }: a
             baseURL: string;
             fetch: (input: any, init?: any) => Promise<Response>;
         }>;
-        methods: {
-            id: string;
-            label: string;
+        methods: ({
             type: "oauth";
-            authorize: (inputs?: any) => Promise<any>;
-        }[];
+            label: string;
+            prompts?: Array<{
+                type: "text";
+                key: string;
+                message: string;
+                placeholder?: string;
+                validate?: (value: string) => string | undefined;
+                condition?: (inputs: Record<string, string>) => boolean;
+            } | {
+                type: "select";
+                key: string;
+                message: string;
+                options: Array<{
+                    label: string;
+                    value: string;
+                    hint?: string;
+                }>;
+                condition?: (inputs: Record<string, string>) => boolean;
+            }>;
+            authorize(inputs?: Record<string, string>): Promise<import("@opencode-ai/plugin").AuthOuathResult>;
+        } | {
+            type: "api";
+            label: string;
+            prompts?: Array<{
+                type: "text";
+                key: string;
+                message: string;
+                placeholder?: string;
+                validate?: (value: string) => string | undefined;
+                condition?: (inputs: Record<string, string>) => boolean;
+            } | {
+                type: "select";
+                key: string;
+                message: string;
+                options: Array<{
+                    label: string;
+                    value: string;
+                    hint?: string;
+                }>;
+                condition?: (inputs: Record<string, string>) => boolean;
+            }>;
+            authorize?(inputs?: Record<string, string>): Promise<{
+                type: "success";
+                key: string;
+                provider?: string;
+            } | {
+                type: "failed";
+            }>;
+        })[];
     };
 }>;
 export declare const KiroOAuthPlugin: ({ client, directory }: any) => Promise<{
@@ -22,11 +67,56 @@ export declare const KiroOAuthPlugin: ({ client, directory }: any) => Promise<{
             baseURL: string;
             fetch: (input: any, init?: any) => Promise<Response>;
         }>;
-        methods: {
-            id: string;
-            label: string;
+        methods: ({
             type: "oauth";
-            authorize: (inputs?: any) => Promise<any>;
-        }[];
+            label: string;
+            prompts?: Array<{
+                type: "text";
+                key: string;
+                message: string;
+                placeholder?: string;
+                validate?: (value: string) => string | undefined;
+                condition?: (inputs: Record<string, string>) => boolean;
+            } | {
+                type: "select";
+                key: string;
+                message: string;
+                options: Array<{
+                    label: string;
+                    value: string;
+                    hint?: string;
+                }>;
+                condition?: (inputs: Record<string, string>) => boolean;
+            }>;
+            authorize(inputs?: Record<string, string>): Promise<import("@opencode-ai/plugin").AuthOuathResult>;
+        } | {
+            type: "api";
+            label: string;
+            prompts?: Array<{
+                type: "text";
+                key: string;
+                message: string;
+                placeholder?: string;
+                validate?: (value: string) => string | undefined;
+                condition?: (inputs: Record<string, string>) => boolean;
+            } | {
+                type: "select";
+                key: string;
+                message: string;
+                options: Array<{
+                    label: string;
+                    value: string;
+                    hint?: string;
+                }>;
+                condition?: (inputs: Record<string, string>) => boolean;
+            }>;
+            authorize?(inputs?: Record<string, string>): Promise<{
+                type: "success";
+                key: string;
+                provider?: string;
+            } | {
+                type: "failed";
+            }>;
+        })[];
     };
 }>;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zhafron/opencode-kiro-auth",
-  "version": "1.5.3",
+  "version": "1.6.0",
   "description": "OpenCode plugin for AWS Kiro (CodeWhisperer) providing access to Claude models",
   "type": "module",
   "main": "dist/index.js",
@@ -31,7 +31,7 @@
     "access": "public"
   },
   "dependencies": {
-    "@opencode-ai/plugin": "^0.15.30",
+    "@opencode-ai/plugin": "^1.2.6",
     "proper-lockfile": "^4.1.2",
     "zod": "^3.24.0"
   },