@zhafron/opencode-kiro-auth 1.6.6 → 1.8.0

package/README.md

@@ -25,7 +25,6 @@ Add the plugin to your `opencode.json` or `opencode.jsonc`:
   "plugin": ["@zhafron/opencode-kiro-auth"],
   "provider": {
     "kiro": {
-      "npm": "@zhafron/opencode-kiro-auth",
       "models": {
         "claude-sonnet-4-5": {
           "name": "Claude Sonnet 4.5",
@@ -147,14 +146,56 @@ Add the plugin to your `opencode.json` or `opencode.jsonc`:
 2. **Direct Authentication**:
    - Run `opencode auth login`.
    - Select `Other`, type `kiro`, and press enter.
-   - A browser page will open asking for your **IAM Identity Center Start URL**.
+   - You'll be prompted for your **IAM Identity Center Start URL** and **IAM Identity Center region** (`sso_region`).
      - Leave it blank to sign in with **AWS Builder ID**.
      - Enter your company's Start URL (e.g. `https://your-company.awsapps.com/start`) to use **IAM Identity Center (SSO)**.
-   - You can also pre-configure the Start URL in `~/.config/opencode/kiro.json` via `idc_start_url` to skip the prompt.
+   - Note: the TUI `/connect` flow currently does **not** run plugin OAuth prompts (Start URL / region), so Identity Center logins may fall back to Builder ID unless you use `opencode auth login` (or preconfigure defaults in `~/.config/opencode/kiro.json`).
+   - For **IAM Identity Center**, you may also need a **profile ARN** (`profileArn`).
+     - If `kiro-cli` is installed and you've selected a profile once (`kiro-cli profile`), the plugin auto-detects it.
+     - Otherwise, set `idc_profile_arn` in `~/.config/opencode/kiro.json`.
+   - A browser window will open directly to AWS' verification URL (no local auth server). If it doesn't, copy/paste the URL and enter the code printed by OpenCode.
+   - You can also pre-configure defaults in `~/.config/opencode/kiro.json` via `idc_start_url` and `idc_region`.
 3. Configuration will be automatically managed at `~/.config/opencode/kiro.db`.
 
+## Local plugin development
+
+OpenCode installs plugins into a cache directory (typically `~/.cache/opencode/node_modules`).
+
+The simplest way to test local changes (without publishing to npm) is to build this repo and hot-swap the cached plugin `dist/` folder:
+
+1. Build this repo: `bun run build` (or `npm run build`)
+2. Hot-swap `dist/` (creates a timestamped backup):
+
+```bash
+PLUGIN_DIR="$HOME/.cache/opencode/node_modules/@zhafron/opencode-kiro-auth"
+TS=$(date +%Y%m%d-%H%M%S)
+cp -a "$PLUGIN_DIR/dist" "$PLUGIN_DIR/dist.bak.$TS"
+rm -rf "$PLUGIN_DIR/dist"
+cp -a "/absolute/path/to/opencode-kiro-auth/dist" "$PLUGIN_DIR/dist"
+echo "Backup at: $PLUGIN_DIR/dist.bak.$TS"
+```
+
+Revert:
+
+```bash
+PLUGIN_DIR="$HOME/.cache/opencode/node_modules/@zhafron/opencode-kiro-auth"
+rm -rf "$PLUGIN_DIR/dist"
+mv "$PLUGIN_DIR/dist.bak.YYYYMMDD-HHMMSS" "$PLUGIN_DIR/dist"
+```
+
 ## Troubleshooting
 
+### Error: Status: 403 (AccessDeniedException / User is not authorized)
+
+If you're using **IAM Identity Center** (a custom Start URL), the Q Developer / CodeWhisperer APIs typically require a **profile ARN**.
+
+This plugin reads the active profile ARN from your local `kiro-cli` database (`state.key = api.codewhisperer.profile`) and sends it as `profileArn`.
+
+Fix:
+
+1. Run `kiro-cli profile` and select a profile (e.g. `QDevProfile-us-east-1`).
+2. Retry `opencode auth login` (or restart OpenCode so it re-syncs).
+
 ### Error: No accounts
 
 This happens when the plugin has no records in `~/.config/opencode/kiro.db`.
@@ -163,6 +204,10 @@ This happens when the plugin has no records in `~/.config/opencode/kiro.db`.
 2. Ensure `auto_sync_kiro_cli` is `true` in `~/.config/opencode/kiro.json`.
 3. Retry the request; the plugin will attempt a Kiro CLI sync when it detects zero accounts.
 
+### Note: `/connect` vs `opencode auth login`
+
+If you need to enter provider-specific values for an OAuth login (like IAM Identity Center Start URL / region), use `opencode auth login`. The current TUI `/connect` flow may not display plugin OAuth prompts, so it can’t collect those inputs.
+
 Note for IDC/SSO (ODIC): the plugin may temporarily create an account with a placeholder email if it cannot fetch the real email during sync (e.g. offline). It will replace it with the real email once usage/email lookup succeeds.
 
 ### Error: ERR_INVALID_URL
@@ -190,14 +235,13 @@ The plugin supports extensive configuration options. Edit `~/.config/opencode/ki
   "account_selection_strategy": "lowest-usage",
   "default_region": "us-east-1",
   "idc_start_url": "https://your-company.awsapps.com/start",
+  "idc_region": "us-east-1",
   "rate_limit_retry_delay_ms": 5000,
   "rate_limit_max_retries": 3,
   "max_request_iterations": 20,
   "request_timeout_ms": 120000,
   "token_expiry_buffer_ms": 120000,
   "usage_sync_max_retries": 3,
-  "auth_server_port_start": 19847,
-  "auth_server_port_range": 10,
   "usage_tracking_enabled": true,
   "enable_log_api_request": false
 }
@@ -208,15 +252,16 @@ The plugin supports extensive configuration options. Edit `~/.config/opencode/ki
 - `auto_sync_kiro_cli`: Automatically sync sessions from Kiro CLI (default: `true`).
 - `account_selection_strategy`: Account rotation strategy (`sticky`, `round-robin`, `lowest-usage`).
 - `default_region`: AWS region (`us-east-1`, `us-west-2`).
-- `idc_start_url`: Pre-configure your IAM Identity Center Start URL (e.g. `https://your-company.awsapps.com/start`). If set, the browser auth page will pre-fill this value. Leave unset to default to AWS Builder ID.
+- `idc_start_url`: Default IAM Identity Center Start URL (e.g. `https://your-company.awsapps.com/start`). Leave unset/blank to default to AWS Builder ID.
+- `idc_region`: IAM Identity Center (SSO OIDC) region (`sso_region`). Defaults to `us-east-1`.
 - `rate_limit_retry_delay_ms`: Delay between rate limit retries (1000-60000ms).
 - `rate_limit_max_retries`: Maximum retry attempts for rate limits (0-10).
 - `max_request_iterations`: Maximum loop iterations to prevent hangs (10-1000).
 - `request_timeout_ms`: Request timeout in milliseconds (60000-600000ms).
 - `token_expiry_buffer_ms`: Token refresh buffer time (30000-300000ms).
 - `usage_sync_max_retries`: Retry attempts for usage sync (0-5).
-- `auth_server_port_start`: Starting port for auth server (1024-65535).
-- `auth_server_port_range`: Number of ports to try (1-100).
+- `auth_server_port_start`: Legacy/ignored (no local auth server).
+- `auth_server_port_range`: Legacy/ignored (no local auth server).
 - `usage_tracking_enabled`: Enable usage tracking and toast notifications.
 - `enable_log_api_request`: Enable detailed API request logging.
 

package/dist/constants.d.ts

@@ -2,6 +2,7 @@ import type { KiroRegion } from './plugin/types';
 export declare function isValidRegion(region: string): region is KiroRegion;
 export declare function normalizeRegion(region: string | undefined): KiroRegion;
 export declare function buildUrl(template: string, region: KiroRegion): string;
+export declare function extractRegionFromArn(arn: string | undefined): KiroRegion | undefined;
 export declare const KIRO_CONSTANTS: {
     REFRESH_URL: string;
     REFRESH_IDC_URL: string;

package/dist/constants.js

@@ -19,6 +19,19 @@ export function buildUrl(template, region) {
         throw new Error(`Invalid URL generated: ${url}`);
     }
 }
+export function extractRegionFromArn(arn) {
+    if (!arn)
+        return undefined;
+    const parts = arn.split(':');
+    if (parts.length < 6)
+        return undefined;
+    if (parts[0] !== 'arn')
+        return undefined;
+    const region = parts[3];
+    if (typeof region !== 'string' || !region)
+        return undefined;
+    return isValidRegion(region) ? region : undefined;
+}
 export const KIRO_CONSTANTS = {
     REFRESH_URL: 'https://prod.{{region}}.auth.desktop.kiro.dev/refreshToken',
     REFRESH_IDC_URL: 'https://oidc.{{region}}.amazonaws.com/token',

package/dist/core/account/account-selector.js

@@ -37,15 +37,6 @@ export class AccountSelector {
             throw new Error('All accounts are unhealthy or rate-limited');
         }
         this.resetCircuitBreaker();
-        if (this.accountManager.shouldShowToast()) {
-            showToast(`Using ${acc.email} (${this.accountManager.getAccounts().indexOf(acc) + 1}/${count})`, 'info');
-        }
-        if (this.accountManager.shouldShowUsageToast() &&
-            acc.usedCount !== undefined &&
-            acc.limitCount !== undefined) {
-            const p = acc.limitCount > 0 ? (acc.usedCount / acc.limitCount) * 100 : 0;
-            showToast(this.formatUsageMessage(acc.usedCount, acc.limitCount, acc.email), p >= 80 ? 'warning' : 'info');
-        }
         return acc;
     }
     async handleEmptyAccounts() {

package/dist/core/auth/auth-handler.js

@@ -1,3 +1,5 @@
+import { RegionSchema } from '../../plugin/config/schema.js';
+import * as logger from '../../plugin/logger.js';
 import { IdcAuthMethod } from './idc-auth-method.js';
 export class AuthHandler {
     config;
@@ -9,8 +11,17 @@ export class AuthHandler {
     }
     async initialize() {
         const { syncFromKiroCli } = await import('../../plugin/sync/kiro-cli.js');
+        logger.log('Auth init', { autoSyncKiroCli: !!this.config.auto_sync_kiro_cli });
         if (this.config.auto_sync_kiro_cli) {
+            logger.log('Kiro CLI sync: start');
             await syncFromKiroCli();
+            this.repository.invalidateCache();
+            const accounts = await this.repository.findAll();
+            if (this.accountManager) {
+                for (const a of accounts)
+                    this.accountManager.addAccount(a);
+            }
+            logger.log('Kiro CLI sync: done', { importedAccounts: accounts.length });
         }
     }
     setAccountManager(am) {
@@ -20,7 +31,7 @@ export class AuthHandler {
         if (!this.accountManager) {
             return [];
         }
-        const idcMethod = new IdcAuthMethod(this.config, this.repository);
+        const idcMethod = new IdcAuthMethod(this.config, this.repository, this.accountManager);
         return [
             {
                 label: 'AWS Builder ID / IAM Identity Center',
@@ -42,6 +53,19 @@ export class AuthHandler {
                                 return 'Please enter a valid URL';
                             }
                         }
+                    },
+                    {
+                        type: 'text',
+                        key: 'idc_region',
+                        message: 'IAM Identity Center region (sso_region) (leave blank for us-east-1)',
+                        placeholder: 'us-east-1',
+                        validate: (value) => {
+                            if (!value)
+                                return undefined;
+                            return RegionSchema.safeParse(value.trim()).success
+                                ? undefined
+                                : 'Please enter a valid AWS region';
+                        }
                     }
                 ],
                 authorize: (inputs) => idcMethod.authorize(inputs)

package/dist/core/auth/idc-auth-method.d.ts

@@ -3,8 +3,7 @@ import type { AccountRepository } from '../../infrastructure/database/account-re
 export declare class IdcAuthMethod {
     private config;
     private repository;
-    constructor(config: any, repository: AccountRepository);
+    private accountManager;
+    constructor(config: any, repository: AccountRepository, accountManager: any);
     authorize(inputs?: Record<string, string>): Promise<AuthOuathResult>;
-    private handleMultipleLogin;
-    private handleSingleLogin;
 }

package/dist/core/auth/idc-auth-method.js

@@ -1,8 +1,9 @@
 import { exec } from 'node:child_process';
+import { extractRegionFromArn, normalizeRegion } from '../../constants.js';
+import { authorizeKiroIDC, pollKiroIDCToken } from '../../kiro/oauth-idc.js';
 import { createDeterministicAccountId } from '../../plugin/accounts.js';
-import { promptAddAnotherAccount, promptDeleteAccount, promptLoginMode } from '../../plugin/cli.js';
 import * as logger from '../../plugin/logger.js';
-import { startIDCAuthServerWithInput } from '../../plugin/server.js';
+import { readActiveProfileArnFromKiroCli } from '../../plugin/sync/kiro-cli-profile.js';
 import { fetchUsageLimits } from '../../plugin/usage.js';
 const openBrowser = (url) => {
     const escapedUrl = url.replace(/"/g, '\\"');
@@ -17,187 +18,125 @@ const openBrowser = (url) => {
             logger.warn(`Browser error: ${error.message}`);
     });
 };
+function normalizeStartUrl(raw) {
+    if (!raw)
+        return undefined;
+    const trimmed = raw.trim();
+    if (!trimmed)
+        return undefined;
+    const url = new URL(trimmed);
+    url.hash = '';
+    url.search = '';
+    // Normalize common portal URL shapes to end in `/start` (AWS Builder ID and IAM Identity Center)
+    if (url.pathname.endsWith('/start/'))
+        url.pathname = url.pathname.replace(/\/start\/$/, '/start');
+    if (!url.pathname.endsWith('/start'))
+        url.pathname = url.pathname.replace(/\/+$/, '') + '/start';
+    return url.toString();
+}
+function buildDeviceUrl(startUrl, userCode) {
+    const url = new URL(startUrl);
+    url.search = '';
+    // Prefer `/start/` (with trailing slash) to match AWS portal URLs like `/start/#/device?...`.
+    if (url.pathname.endsWith('/start'))
+        url.pathname = `${url.pathname}/`;
+    url.pathname = url.pathname.replace(/\/start\/?$/, '/start/');
+    url.hash = `#/device?user_code=${encodeURIComponent(userCode)}`;
+    return url.toString();
+}
 export class IdcAuthMethod {
     config;
     repository;
-    constructor(config, repository) {
+    accountManager;
+    constructor(config, repository, accountManager) {
         this.config = config;
         this.repository = repository;
+        this.accountManager = accountManager;
     }
     async authorize(inputs) {
-        return new Promise(async (resolve) => {
-            const region = this.config.default_region;
-            // inputs.start_url takes priority over config; browser input page will also allow override
-            const defaultStartUrl = inputs?.start_url || this.config.idc_start_url;
-            if (inputs) {
-                await this.handleMultipleLogin(region, defaultStartUrl, resolve);
-            }
-            else {
-                await this.handleSingleLogin(region, defaultStartUrl, resolve);
-            }
+        const configuredServiceRegion = this.config.default_region;
+        const invokedWithoutPrompts = !inputs || Object.keys(inputs).length === 0;
+        const startUrl = normalizeStartUrl(inputs?.start_url || this.config.idc_start_url) || undefined;
+        const oidcRegion = normalizeRegion(inputs?.idc_region || this.config.idc_region);
+        const configuredProfileArn = this.config.idc_profile_arn;
+        logger.log('IDC authorize: resolved defaults', {
+            hasInputs: !!inputs && Object.keys(inputs).length > 0,
+            invokedWithoutPrompts,
+            startUrlSource: inputs?.start_url ? 'inputs' : this.config.idc_start_url ? 'config' : 'none',
+            oidcRegion,
+            startUrl: startUrl ? new URL(startUrl).origin : undefined
         });
-    }
-    async handleMultipleLogin(region, defaultStartUrl, resolve) {
-        const accounts = [];
-        let startFresh = true;
-        while (true) {
-            const existingAccounts = await this.repository.findAll();
-            const idcAccs = existingAccounts.filter((a) => a.authMethod === 'idc');
-            if (idcAccs.length === 0) {
-                break;
-            }
-            const existingAccountsList = idcAccs.map((acc, idx) => ({
-                email: acc.email,
-                index: idx
-            }));
-            const mode = await promptLoginMode(existingAccountsList);
-            if (mode === 'delete') {
-                const deleteIndices = await promptDeleteAccount(existingAccountsList);
-                if (deleteIndices !== null && deleteIndices.length > 0) {
-                    for (const idx of deleteIndices) {
-                        const accToDelete = idcAccs[idx];
-                        if (accToDelete) {
-                            await this.repository.delete(accToDelete.id);
-                            console.log(`[Success] Deleted: ${accToDelete.email}`);
-                        }
-                    }
-                    console.log(`\n[Success] Deleted ${deleteIndices.length} account(s)\n`);
-                }
-                continue;
-            }
-            if (mode === 'add') {
-                startFresh = false;
-                break;
-            }
-            if (mode === 'fresh') {
-                startFresh = true;
-                break;
-            }
-        }
-        while (true) {
-            try {
-                const { url, waitForAuth } = await startIDCAuthServerWithInput(region, defaultStartUrl, this.config.auth_server_port_start, this.config.auth_server_port_range);
-                openBrowser(url);
-                const res = await waitForAuth();
-                const startUrl = defaultStartUrl;
-                const u = await fetchUsageLimits({
-                    refresh: '',
-                    access: res.accessToken,
-                    expires: res.expiresAt,
-                    authMethod: 'idc',
-                    region,
-                    clientId: res.clientId,
-                    clientSecret: res.clientSecret
-                });
-                if (!u.email) {
-                    console.log('\n[Error] Failed to fetch account email. Skipping...\n');
-                    continue;
-                }
-                accounts.push(res);
-                if (accounts.length === 1 && startFresh) {
-                    const allAccounts = await this.repository.findAll();
-                    const idcAccountsToRemove = allAccounts.filter((a) => a.authMethod === 'idc');
-                    for (const acc of idcAccountsToRemove) {
-                        await this.repository.delete(acc.id);
-                    }
-                }
-                const id = createDeterministicAccountId(u.email, 'idc', res.clientId);
-                const acc = {
-                    id,
-                    email: u.email,
-                    authMethod: 'idc',
-                    region,
-                    clientId: res.clientId,
-                    clientSecret: res.clientSecret,
-                    startUrl: startUrl || undefined,
-                    refreshToken: res.refreshToken,
-                    accessToken: res.accessToken,
-                    expiresAt: res.expiresAt,
-                    rateLimitResetTime: 0,
-                    isHealthy: true,
-                    failCount: 0,
-                    usedCount: u.usedCount,
-                    limitCount: u.limitCount
-                };
-                await this.repository.save(acc);
-                const currentCount = (await this.repository.findAll()).length;
-                console.log(`\n[Success] Added: ${u.email} (Quota: ${u.usedCount}/${u.limitCount})\n`);
-                if (!(await promptAddAnotherAccount(currentCount)))
-                    break;
-            }
-            catch (e) {
-                console.log(`\n[Error] Login failed: ${e.message}\n`);
-                break;
-            }
-        }
-        const finalAccounts = await this.repository.findAll();
-        return resolve({
-            url: '',
-            instructions: `Complete (${finalAccounts.length} accounts).`,
+        // Step 1: get device code + verification URL (fast)
+        const auth = await authorizeKiroIDC(oidcRegion, startUrl);
+        // If a custom Identity Center start URL is provided, prefer the portal device page.
+        // This avoids the AWS Builder ID device page (which often prompts for an email)
+        // and routes the user into their org's IAM Identity Center sign-in.
+        const verificationUrl = startUrl
+            ? buildDeviceUrl(startUrl, auth.userCode)
+            : auth.verificationUriComplete || auth.verificationUrl;
+        // Open the *AWS* verification page directly (no local web server).
+        openBrowser(verificationUrl);
+        return {
+            url: verificationUrl,
+            instructions: `Open the verification URL and complete sign-in.\nCode: ${auth.userCode}`,
             method: 'auto',
-            callback: async () => ({
-                type: 'success',
-                key: finalAccounts[0]?.accessToken || ''
-            })
-        });
-    }
-    async handleSingleLogin(region, defaultStartUrl, resolve) {
-        try {
-            const { url, waitForAuth } = await startIDCAuthServerWithInput(region, defaultStartUrl, this.config.auth_server_port_start, this.config.auth_server_port_range);
-            openBrowser(url);
-            resolve({
-                url,
-                instructions: `Open: ${url}`,
-                method: 'auto',
-                callback: async () => {
+            callback: async () => {
+                try {
+                    // Step 2: poll until token is issued (standard device-code flow)
+                    const token = await pollKiroIDCToken(auth.clientId, auth.clientSecret, auth.deviceCode, auth.interval, auth.expiresIn, oidcRegion);
+                    const profileArn = configuredProfileArn || readActiveProfileArnFromKiroCli();
+                    const serviceRegion = extractRegionFromArn(profileArn) || configuredServiceRegion;
+                    let usage;
                     try {
-                        const res = await waitForAuth();
-                        const startUrl = defaultStartUrl;
-                        const u = await fetchUsageLimits({
+                        usage = await fetchUsageLimits({
                             refresh: '',
-                            access: res.accessToken,
-                            expires: res.expiresAt,
+                            access: token.accessToken,
+                            expires: token.expiresAt,
                             authMethod: 'idc',
-                            region,
-                            clientId: res.clientId,
-                            clientSecret: res.clientSecret
+                            region: serviceRegion,
+                            clientId: token.clientId,
+                            clientSecret: token.clientSecret,
+                            profileArn
                         });
-                        if (!u.email)
-                            throw new Error('No email');
-                        const id = createDeterministicAccountId(u.email, 'idc', res.clientId);
-                        const acc = {
-                            id,
-                            email: u.email,
-                            authMethod: 'idc',
-                            region,
-                            clientId: res.clientId,
-                            clientSecret: res.clientSecret,
-                            startUrl: startUrl || undefined,
-                            refreshToken: res.refreshToken,
-                            accessToken: res.accessToken,
-                            expiresAt: res.expiresAt,
-                            rateLimitResetTime: 0,
-                            isHealthy: true,
-                            failCount: 0,
-                            usedCount: u.usedCount,
-                            limitCount: u.limitCount
-                        };
-                        await this.repository.save(acc);
-                        return { type: 'success', key: res.accessToken };
                     }
                     catch (e) {
-                        return { type: 'failed' };
+                        if (startUrl && !profileArn) {
+                            throw new Error(`Missing profile ARN for IAM Identity Center. Set "idc_profile_arn" in ~/.config/opencode/kiro.json, or run "kiro-cli profile" once so it can be auto-detected. Original error: ${e instanceof Error ? e.message : String(e)}`);
+                        }
+                        throw e;
                     }
+                    if (!usage.email)
+                        return { type: 'failed' };
+                    const id = createDeterministicAccountId(usage.email, 'idc', token.clientId, profileArn);
+                    const acc = {
+                        id,
+                        email: usage.email,
+                        authMethod: 'idc',
+                        region: serviceRegion,
+                        oidcRegion,
+                        clientId: token.clientId,
+                        clientSecret: token.clientSecret,
+                        profileArn,
+                        startUrl: startUrl || undefined,
+                        refreshToken: token.refreshToken,
+                        accessToken: token.accessToken,
+                        expiresAt: token.expiresAt,
+                        rateLimitResetTime: 0,
+                        isHealthy: true,
+                        failCount: 0,
+                        usedCount: usage.usedCount,
+                        limitCount: usage.limitCount
+                    };
+                    await this.repository.save(acc);
+                    this.accountManager?.addAccount?.(acc);
+                    return { type: 'success', key: token.accessToken };
+                }
+                catch (e) {
+                    const err = e instanceof Error ? e : new Error(String(e));
+                    logger.error('IDC auth callback failed', err);
+                    throw new Error(`IDC authorization failed: ${err.message}. Check ~/.config/opencode/kiro-logs/plugin.log for details. If this is an Identity Center account, ensure you have selected an AWS Q Developer/CodeWhisperer profile (try: kiro-cli profile).`);
                 }
-            });
-        }
-        catch (e) {
-            resolve({
-                url: '',
-                instructions: 'Failed',
-                method: 'auto',
-                callback: async () => ({ type: 'failed' })
-            });
-        }
+            }
+        };
     }
 }

package/dist/core/auth/token-refresher.js

@@ -1,5 +1,6 @@
 import { accessTokenExpired } from '../../kiro/auth';
 import { KiroTokenRefreshError } from '../../plugin/errors';
+import * as logger from '../../plugin/logger';
 import { refreshAccessToken } from '../../plugin/token';
 export class TokenRefresher {
     config;
@@ -27,6 +28,11 @@ export class TokenRefresher {
         }
     }
     async handleRefreshError(error, account, showToast) {
+        logger.error('Token refresh failed', {
+            email: account.email,
+            code: error instanceof KiroTokenRefreshError ? error.code : undefined,
+            message: error instanceof Error ? error.message : String(error)
+        });
         if (this.config.auto_sync_kiro_cli) {
             await this.syncFromKiroCli();
         }
@@ -48,6 +54,11 @@ export class TokenRefresher {
             await this.repository.batchSave(this.accountManager.getAccounts());
             return { account, shouldContinue: true };
         }
+        logger.error('Token refresh unrecoverable', {
+            email: account.email,
+            code: error instanceof KiroTokenRefreshError ? error.code : undefined,
+            message: error instanceof Error ? error.message : String(error)
+        });
         throw error;
     }
 }

package/dist/core/request/error-handler.js

@@ -1,3 +1,4 @@
+import * as logger from '../../plugin/logger';
 export class ErrorHandler {
     config;
     accountManager;
@@ -8,13 +9,32 @@ export class ErrorHandler {
         this.repository = repository;
     }
     async handle(error, response, account, context, showToast) {
-        if (response.status === 400 && context.reductionFactor > 0.4) {
-            const newFactor = context.reductionFactor - 0.2;
-            showToast(`Context too long. Retrying with ${Math.round(newFactor * 100)}%...`, 'warning');
-            return {
-                shouldRetry: true,
-                newContext: { ...context, reductionFactor: newFactor }
-            };
+        if (response.status === 400) {
+            const body = await response.text();
+            const errorData = (() => {
+                try {
+                    return JSON.parse(body);
+                }
+                catch {
+                    return null;
+                }
+            })();
+            if (errorData?.reason === 'INVALID_MODEL_ID') {
+                throw new Error(`Invalid model: ${errorData.message}`);
+            }
+            logger.warn('HTTP 400 response body', {
+                body,
+                reductionFactor: context.reductionFactor,
+                email: account.email
+            });
+            if (context.reductionFactor > 0.4) {
+                const newFactor = context.reductionFactor - 0.2;
+                showToast(`Context too long. Retrying with ${Math.round(newFactor * 100)}%...`, 'warning');
+                return {
+                    shouldRetry: true,
+                    newContext: { ...context, reductionFactor: newFactor }
+                };
+            }
         }
         if (response.status === 401 && context.retry < this.config.rate_limit_max_retries) {
             return {
@@ -55,7 +75,6 @@ export class ErrorHandler {
             await this.repository.batchSave(this.accountManager.getAccounts());
             const count = this.accountManager.getAccountCount();
             if (count > 1) {
-                showToast(`Rate limited (${account.email}). Switching account...`, 'warning');
                 return { shouldRetry: true, switchAccount: true };
             }
             showToast(`Rate limited. Waiting ${Math.ceil(w / 1000)}s...`, 'warning');
@@ -66,28 +85,27 @@ export class ErrorHandler {
             this.accountManager.getAccountCount() > 1) {
             let errorReason = response.status === 402 ? 'Quota' : 'Forbidden';
             let isPermanent = false;
-            try {
-                const errorBody = await response.text();
-                const errorData = JSON.parse(errorBody);
-                if (errorData.reason === 'INVALID_MODEL_ID') {
-                    throw new Error(`Invalid model: ${errorData.message}`);
+            const errorBody = await response.text();
+            const errorData = (() => {
+                try {
+                    return JSON.parse(errorBody);
                 }
-                if (errorData.reason === 'TEMPORARILY_SUSPENDED') {
-                    errorReason = 'Account Suspended';
-                    isPermanent = true;
+                catch {
+                    return null;
                 }
+            })();
+            if (errorData?.reason === 'INVALID_MODEL_ID') {
+                throw new Error(`Invalid model: ${errorData.message}`);
             }
-            catch (e) {
-                if (e instanceof Error && e.message.includes('Invalid model')) {
-                    throw e;
-                }
+            if (errorData?.reason === 'TEMPORARILY_SUSPENDED') {
+                errorReason = 'Account Suspended';
+                isPermanent = true;
             }
             if (isPermanent) {
                 account.failCount = 10;
             }
             this.accountManager.markUnhealthy(account, errorReason);
             await this.repository.batchSave(this.accountManager.getAccounts());
-            showToast(`${errorReason} (${account.email}). Switching account...`, 'warning');
             return { shouldRetry: true, switchAccount: true };
         }
         return { shouldRetry: false };