@zhangferry-dev/tokendash 1.6.2 → 1.7.0

package/dist/electron-server.cjs

@@ -2259,6 +2259,32 @@ var QuotaService = class {
     }
     return this.fetchAll();
   }
+  /**
+   * Validate a credential without caching it or writing it to disk. This keeps
+   * the settings form transactional: only credentials accepted upstream are
+   * persisted by the native app.
+   */
+  async validateCredential(provider, credential) {
+    const adapter = this.registry.get(provider);
+    if (!adapter) {
+      return {
+        provider,
+        valid: false,
+        status: { state: "not_configured", message: "Unsupported provider" }
+      };
+    }
+    try {
+      const snapshot = await withTimeout(
+        adapter.fetch({ credential }),
+        this.fetchTimeoutMs,
+        provider
+      );
+      const validated = validateQuotaSnapshot(snapshot);
+      return { provider, valid: validated.status.state === "ok", status: validated.status };
+    } catch (err) {
+      return { provider, valid: false, status: statusForError(err, this.fetchTimeoutMs) };
+    }
+  }
   async fetchWithTimeout(adapter) {
     try {
       const snapshot = await withTimeout(adapter.fetch(), this.fetchTimeoutMs, adapter.provider);
@@ -2270,14 +2296,7 @@ var QuotaService = class {
     }
   }
   handleFailure(adapter, err) {
-    let status;
-    if (err instanceof QuotaError) {
-      status = err.status;
-    } else if (err instanceof TimeoutError) {
-      status = { state: "timed_out", message: `upstream did not respond within ${this.fetchTimeoutMs}ms` };
-    } else {
-      status = { state: "error", message: redact(err), category: "unexpected" };
-    }
+    const status = statusForError(err, this.fetchTimeoutMs);
     const stale = this.cache.getStale(adapter.provider);
     if (stale) {
       return { ...stale, freshness: "stale", status };
@@ -2292,6 +2311,13 @@ var QuotaService = class {
     };
   }
 };
+function statusForError(err, timeoutMs) {
+  if (err instanceof QuotaError) return err.status;
+  if (err instanceof TimeoutError) {
+    return { state: "timed_out", message: `upstream did not respond within ${timeoutMs}ms` };
+  }
+  return { state: "error", message: redact(err), category: "unexpected" };
+}
 var TimeoutError = class extends Error {
   constructor(provider) {
     super(`quota fetch timed out: ${provider}`);
@@ -2416,8 +2442,7 @@ var codexAdapter = {
   provider: "codex",
   displayName: "OpenAI Codex",
   async isConfigured() {
-    if ((0, import_node_fs8.existsSync)((0, import_node_path8.join)(codexHome(), "auth.json"))) return true;
-    return await codexBinaryAvailable();
+    return (0, import_node_fs8.existsSync)((0, import_node_path8.join)(codexHome(), "auth.json")) && resolveCodexBinary() !== null;
   },
   async fetch() {
     const result = await queryRateLimits();
@@ -2460,10 +2485,16 @@ function capitalize(s) {
   return s.charAt(0).toUpperCase() + s.slice(1);
 }
 async function queryRateLimits() {
-  if (!await codexBinaryAvailable()) {
-    throw new QuotaError({ state: "not_configured", message: "codex CLI not found on PATH" });
-  }
-  const proc = (0, import_node_child_process2.spawn)("codex", ["app-server"], { stdio: ["pipe", "pipe", "pipe"] });
+  const codexBinary = resolveCodexBinary();
+  if (!codexBinary) {
+    throw new QuotaError({ state: "not_configured", message: "official Codex CLI not found" });
+  }
+  const binaryDir = (0, import_node_path8.dirname)(codexBinary);
+  const childPath = [binaryDir, process.env.PATH].filter(Boolean).join(":");
+  const proc = (0, import_node_child_process2.spawn)(codexBinary, ["app-server"], {
+    stdio: ["pipe", "pipe", "pipe"],
+    env: { ...process.env, PATH: childPath }
+  });
   const client = new JsonRpcClient(proc);
   try {
     await client.request("initialize", {
@@ -2552,24 +2583,44 @@ var JsonRpcClient = class {
     this.pending.clear();
   }
 };
-var cachedCodexPath;
-async function codexBinaryAvailable() {
-  if (cachedCodexPath !== void 0) return cachedCodexPath !== null;
-  return new Promise((resolve2) => {
-    const proc = (0, import_node_child_process2.spawn)("which", ["codex"], { stdio: ["ignore", "pipe", "ignore"] });
-    let out = "";
-    proc.stdout.on("data", (c) => {
-      out += c;
-    });
-    proc.on("close", () => {
-      cachedCodexPath = out.trim() || null;
-      resolve2(cachedCodexPath !== null);
-    });
-    proc.on("error", () => {
-      cachedCodexPath = null;
-      resolve2(false);
-    });
-  });
+function resolveCodexBinary(options = {}) {
+  const home = options.home ?? (0, import_node_os8.homedir)();
+  const path = options.path ?? process.env.PATH ?? "";
+  const explicitBinary = options.explicitBinary ?? process.env.CODEX_BIN;
+  const isExecutable = options.isExecutable ?? defaultIsExecutable;
+  const nvmRoot = (0, import_node_path8.join)(home, ".nvm", "versions", "node");
+  const nvmVersions = options.nvmVersions ?? readDirectoryNames(nvmRoot);
+  const candidates = [
+    explicitBinary,
+    "/Applications/Codex.app/Contents/Resources/codex",
+    (0, import_node_path8.join)(home, "Applications", "Codex.app", "Contents", "Resources", "codex"),
+    "/opt/homebrew/bin/codex",
+    "/usr/local/bin/codex",
+    (0, import_node_path8.join)(home, ".local", "bin", "codex"),
+    (0, import_node_path8.join)(home, ".volta", "bin", "codex"),
+    (0, import_node_path8.join)(home, ".bun", "bin", "codex"),
+    ...nvmVersions.sort((a, b) => b.localeCompare(a, void 0, { numeric: true })).map((version) => (0, import_node_path8.join)(nvmRoot, version, "bin", "codex")),
+    ...path.split(":").filter(Boolean).map((directory) => (0, import_node_path8.join)(directory, "codex"))
+  ];
+  for (const candidate of candidates) {
+    if (candidate && isExecutable(candidate)) return candidate;
+  }
+  return null;
+}
+function defaultIsExecutable(candidate) {
+  try {
+    (0, import_node_fs8.accessSync)(candidate, import_node_fs8.constants.X_OK);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function readDirectoryNames(directory) {
+  try {
+    return (0, import_node_fs8.readdirSync)(directory, { withFileTypes: true }).filter((entry) => entry.isDirectory()).map((entry) => entry.name);
+  } catch {
+    return [];
+  }
 }
 
 // src/server/quota/adapters/claude.ts
@@ -2577,6 +2628,7 @@ var import_node_fs9 = require("node:fs");
 var import_node_path9 = require("node:path");
 var import_node_os9 = require("node:os");
 var import_node_child_process3 = require("node:child_process");
+var import_node_crypto = require("node:crypto");
 var claudeAdapter = {
   provider: "claude",
   displayName: "Claude Code",
@@ -2645,7 +2697,7 @@ function readClaudeToken() {
   if ((0, import_node_fs9.existsSync)(credPath)) {
     try {
       const parsed = JSON.parse((0, import_node_fs9.readFileSync)(credPath, "utf8"));
-      return parsed?.claudeAiOauth?.accessToken ?? null;
+      return extractClaudeAccessToken(parsed);
     } catch {
       return null;
     }
@@ -2653,33 +2705,55 @@ function readClaudeToken() {
   return null;
 }
 function readFromKeychain() {
-  const candidates = ["Claude Code-credentials"];
+  const candidates = claudeKeychainServiceNames(process.env.CLAUDE_CONFIG_DIR);
   try {
     const list = (0, import_node_child_process3.execFileSync)("security", ["dump-keychain"], { stdio: ["ignore", "pipe", "ignore"], encoding: "utf8" });
-    for (const m of list.matchAll(/"srvname"<blob>="([^"]*Claude Code-credentials[^"]*)"/g)) {
+    for (const m of list.matchAll(/"svce"<blob>="([^"]*Claude Code-credentials[^"]*)"/g)) {
       if (m[1] && !candidates.includes(m[1])) candidates.push(m[1]);
     }
   } catch {
   }
+  const accounts = [safeUsername(), void 0];
   for (const name of candidates) {
-    try {
-      const raw = (0, import_node_child_process3.execFileSync)("security", ["find-generic-password", "-s", name, "-w"], {
-        stdio: ["ignore", "pipe", "ignore"],
-        encoding: "utf8"
-      }).trim();
-      if (!raw) continue;
+    for (const account of accounts) {
       try {
-        const parsed = JSON.parse(raw);
-        return parsed?.claudeAiOauth?.accessToken ?? null;
+        const args = ["find-generic-password", "-s", name];
+        if (account) args.push("-a", account);
+        args.push("-w");
+        const raw = (0, import_node_child_process3.execFileSync)("/usr/bin/security", args, {
+          stdio: ["ignore", "pipe", "ignore"],
+          encoding: "utf8",
+          timeout: 2e3
+        }).trim();
+        if (!raw) continue;
+        const token = extractClaudeAccessToken(JSON.parse(raw));
+        if (token) return token;
       } catch {
-        return raw;
+        continue;
       }
-    } catch {
-      continue;
     }
   }
   return null;
 }
+function claudeKeychainServiceNames(configDir) {
+  if (!configDir) return ["Claude Code-credentials"];
+  const hash = (0, import_node_crypto.createHash)("sha256").update(configDir).digest("hex").slice(0, 8);
+  return [`Claude Code-credentials-${hash}`, "Claude Code-credentials"];
+}
+function extractClaudeAccessToken(value) {
+  if (!value || typeof value !== "object") return null;
+  const root = value;
+  const nested = root.claudeAiOauth;
+  const credentials = nested && typeof nested === "object" ? nested : root;
+  return typeof credentials.accessToken === "string" && credentials.accessToken ? credentials.accessToken : null;
+}
+function safeUsername() {
+  try {
+    return (0, import_node_os9.userInfo)().username?.trim() || void 0;
+  } catch {
+    return void 0;
+  }
+}
 
 // src/server/quota/adapters/glm.ts
 var import_node_fs11 = require("node:fs");
@@ -2715,8 +2789,8 @@ var glmAdapter = {
   async isConfigured() {
     return !!resolveCredential();
   },
-  async fetch() {
-    const cred = resolveCredential();
+  async fetch(options) {
+    const cred = resolveCredential(options?.credential);
     if (!cred) {
       throw new QuotaError({ state: "not_configured", message: "set ZAI_API_KEY or ZHIPU_API_KEY" });
     }
@@ -2772,7 +2846,13 @@ function classifyFetchError2(err) {
   const msg = err instanceof Error ? err.message : String(err);
   return new QuotaError({ state: "upstream_unavailable", message: msg.slice(0, 200) });
 }
-function resolveCredential() {
+function resolveCredential(proposed) {
+  if (proposed?.apiKey) {
+    return {
+      key: proposed.apiKey,
+      base: proposed.baseUrl || "https://open.bigmodel.cn"
+    };
+  }
   const stored = readStoredCredential("glm");
   if (stored) return { key: stored.apiKey, base: stored.baseUrl || "https://open.bigmodel.cn" };
   const zai = envOrConfig("ZAI_API_KEY");
@@ -2827,8 +2907,8 @@ var minimaxAdapter = {
   async isConfigured() {
     return !!resolveCredential2();
   },
-  async fetch() {
-    const cred = resolveCredential2();
+  async fetch(options) {
+    const cred = resolveCredential2(options?.credential);
     if (!cred) {
       throw new QuotaError({ state: "not_configured", message: "set MINIMAX_API_KEY (Subscription Key)" });
     }
@@ -2887,7 +2967,12 @@ function classifyFetchError3(err) {
   const msg = err instanceof Error ? err.message : String(err);
   return new QuotaError({ state: "upstream_unavailable", message: msg.slice(0, 200) });
 }
-function resolveCredential2() {
+function resolveCredential2(proposed) {
+  if (proposed?.apiKey) {
+    const region2 = (process.env.MINIMAX_REGION || "").toLowerCase();
+    const base2 = proposed.baseUrl || (region2 === "cn" ? "https://www.minimaxi.com" : "https://www.minimax.io");
+    return { key: proposed.apiKey, base: base2 };
+  }
   const stored = readStoredCredential("minimax");
   if (stored) {
     const region2 = (process.env.MINIMAX_REGION || "").toLowerCase();
@@ -2915,9 +3000,9 @@ var kimiAdapter = {
     const cred = readCredentials();
     return !!cred && !!cred.access_token;
   },
-  async fetch() {
+  async fetch(options) {
     const credPath = credentialsPath();
-    let cred = readCredentials();
+    let cred = options?.credential?.apiKey ? { access_token: options.credential.apiKey, token_type: "Bearer" } : readCredentials();
     if (!cred || !cred.access_token) {
       throw new QuotaError({ state: "not_configured", message: "run `kimi` to log in first" });
     }
@@ -3069,6 +3154,24 @@ async function getQuota(_req, res) {
     res.status(500).json({ error: "Failed to fetch quota", hint: message });
   }
 }
+var editableQuotaProviders = /* @__PURE__ */ new Set(["glm", "kimi", "minimax"]);
+async function validateQuotaCredential(req, res) {
+  const provider = req.body?.provider;
+  const apiKey = typeof req.body?.apiKey === "string" ? req.body.apiKey.trim() : "";
+  const baseUrl = typeof req.body?.baseUrl === "string" ? req.body.baseUrl.trim() : void 0;
+  if (!editableQuotaProviders.has(provider) || !apiKey) {
+    res.status(400).json({
+      error: "Invalid credential request",
+      hint: "A supported provider and non-empty token are required."
+    });
+    return;
+  }
+  const result = await quotaService.validateCredential(provider, {
+    apiKey,
+    baseUrl: baseUrl || void 0
+  });
+  res.status(result.valid ? 200 : 422).json(result);
+}
 function getAgents(_req, res) {
   try {
     const agents = detectAvailableAgents();
@@ -3102,6 +3205,7 @@ function registerApiRoutes(router, appInfo) {
   router.get("/blocks", getBlocks);
   router.get("/analytics", getAnalytics);
   router.get("/quota", getQuota);
+  router.post("/quota/validate", validateQuotaCredential);
 }
 
 // src/server/index.ts
@@ -3235,6 +3339,7 @@ function resolveStaticAssetBaseDir(moduleUrl = __esbuild_import_meta_url, baseDi
 function createApp(_port, baseDir) {
   const app = (0, import_express.default)();
   const router = import_express.default.Router();
+  app.use(import_express.default.json({ limit: "16kb" }));
   registerApiRoutes(router, {
     packageName: PACKAGE_NAME,
     version: getPackageVersion(),