byterover-cli 2.2.0 → 2.3.0

package/dist/agent/infra/llm/providers/openai.d.ts

@@ -2,6 +2,18 @@
  * OpenAI Provider Module
  *
  * Direct access to GPT models via @ai-sdk/openai.
+ * Supports both standard OpenAI API and ChatGPT OAuth (Codex) endpoint.
  */
 import type { ProviderModule } from './types.js';
+/**
+ * Custom fetch wrapper for the ChatGPT OAuth endpoint.
+ *
+ * The ChatGPT OAuth Responses API has stricter requirements than the standard
+ * OpenAI API — certain fields are required and others are rejected:
+ * - `instructions` is required (system prompt — defaults to empty)
+ * - `store` must be false
+ * - `max_output_tokens` is not supported (must be omitted)
+ * - `id` fields on input items are rejected
+ */
+export declare function createChatGptOAuthFetch(): typeof globalThis.fetch;
 export declare const openaiProvider: ProviderModule;

package/dist/agent/infra/llm/providers/openai.js

@@ -2,16 +2,67 @@
  * OpenAI Provider Module
  *
  * Direct access to GPT models via @ai-sdk/openai.
+ * Supports both standard OpenAI API and ChatGPT OAuth (Codex) endpoint.
  */
 import { createOpenAI } from '@ai-sdk/openai';
+import { CHATGPT_OAUTH_BASE_URL } from '../../../../shared/constants/oauth.js';
 import { AiSdkContentGenerator } from '../generators/ai-sdk-content-generator.js';
+/**
+ * Custom fetch wrapper for the ChatGPT OAuth endpoint.
+ *
+ * The ChatGPT OAuth Responses API has stricter requirements than the standard
+ * OpenAI API — certain fields are required and others are rejected:
+ * - `instructions` is required (system prompt — defaults to empty)
+ * - `store` must be false
+ * - `max_output_tokens` is not supported (must be omitted)
+ * - `id` fields on input items are rejected
+ */
+/* eslint-disable n/no-unsupported-features/node-builtins */
+export function createChatGptOAuthFetch() {
+    return async (input, init) => {
+        if (init?.method === 'POST' && init.body) {
+            if (typeof init.body !== 'string') {
+                return globalThis.fetch(input, init);
+            }
+            let body;
+            try {
+                body = JSON.parse(init.body);
+            }
+            catch {
+                return globalThis.fetch(input, init);
+            }
+            if (!body.instructions) {
+                body.instructions = '';
+            }
+            body.store = false;
+            delete body.max_output_tokens;
+            if (Array.isArray(body.input)) {
+                for (const item of body.input) {
+                    if (typeof item === 'object' && item !== null && 'id' in item) {
+                        const record = item;
+                        delete record.id;
+                    }
+                }
+            }
+            init = { ...init, body: JSON.stringify(body) };
+        }
+        return globalThis.fetch(input, init);
+    };
+}
+/* eslint-enable n/no-unsupported-features/node-builtins */
 export const openaiProvider = {
     apiKeyUrl: 'https://platform.openai.com/api-keys',
     authType: 'api-key',
     baseUrl: 'https://api.openai.com/v1',
     category: 'popular',
     createGenerator(config) {
-        const provider = createOpenAI({ apiKey: config.apiKey });
+        const useChatGptOAuth = config.baseUrl === CHATGPT_OAUTH_BASE_URL;
+        const provider = createOpenAI({
+            apiKey: config.apiKey ?? '',
+            baseURL: config.baseUrl,
+            fetch: useChatGptOAuth ? createChatGptOAuthFetch() : undefined,
+            headers: config.headers,
+        });
         return new AiSdkContentGenerator({
             model: provider.responses(config.model),
         });

package/dist/oclif/commands/curate/index.js

@@ -3,7 +3,7 @@ import { randomUUID } from 'node:crypto';
 import { TransportStateEventNames } from '../../../server/core/domain/transport/index.js';
 import { extractCurateOperations } from '../../../server/utils/curate-result-parser.js';
 import { TaskEvents } from '../../../shared/transport/events/index.js';
-import { formatConnectionError, hasLeakedHandles, withDaemonRetry, } from '../../lib/daemon-client.js';
+import { formatConnectionError, hasLeakedHandles, providerMissingMessage, withDaemonRetry, } from '../../lib/daemon-client.js';
 import { writeJsonResponse } from '../../lib/json-response.js';
 import { waitForTaskCompletion } from '../../lib/task-client.js';
 export default class Curate extends Command {
@@ -91,7 +91,7 @@ Bad examples:
                     throw new Error('No provider connected. Run "brv providers connect byterover" to use the free built-in provider, or connect another provider.');
                 }
                 if (active.providerKeyMissing) {
-                    throw new Error(`${active.activeProvider} API key is missing from storage.\nPlease reconnect: brv providers connect ${active.activeProvider} --api-key <your-key>`);
+                    throw new Error(providerMissingMessage(active.activeProvider, active.authMethod));
                 }
                 await this.submitTask({ client, content: resolvedContent, flags, format, projectRoot, taskType });
             }, {

package/dist/oclif/commands/model/switch.js

@@ -1,5 +1,5 @@
 import { Args, Command, Flags } from '@oclif/core';
-import { ModelEvents, } from '../../../shared/transport/events/model-events.js';
+import { ModelEvents } from '../../../shared/transport/events/model-events.js';
 import { ProviderEvents, } from '../../../shared/transport/events/provider-events.js';
 import { withDaemonRetry } from '../../lib/daemon-client.js';
 import { writeJsonResponse } from '../../lib/json-response.js';
@@ -42,7 +42,9 @@ export default class ModelSwitch extends Command {
             }
         }
         catch (error) {
-            const errorMessage = error instanceof Error ? error.message : 'An unexpected error occurred while switching the model. Please try again.';
+            const errorMessage = error instanceof Error
+                ? error.message
+                : 'An unexpected error occurred while switching the model. Please try again.';
             if (format === 'json') {
                 writeJsonResponse({ command: 'model switch', data: { error: errorMessage }, success: false });
             }
@@ -68,13 +70,22 @@ export default class ModelSwitch extends Command {
             }
             else {
                 const active = await client.requestWithAck(ProviderEvents.GET_ACTIVE);
+                if (!active.activeProviderId) {
+                    throw new Error('No active provider configured. Run "brv providers connect <provider>" first.');
+                }
                 providerId = active.activeProviderId;
             }
             if (providerId === 'byterover') {
                 throw new Error('ByteRover provider uses its own internal LLM and does not support model switching. Run "brv providers switch <provider>" to switch to a different provider first.');
             }
             // 2. Switch active model
-            await client.requestWithAck(ModelEvents.SET_ACTIVE, { modelId, providerId });
+            const response = await client.requestWithAck(ModelEvents.SET_ACTIVE, {
+                modelId,
+                providerId,
+            });
+            if (!response.success) {
+                throw new Error(response.error ?? 'Failed to switch model');
+            }
             return { modelId, providerId };
         }, options);
     }

package/dist/oclif/commands/providers/connect.d.ts

@@ -9,8 +9,10 @@ export default class ProviderConnect extends Command {
     static flags: {
         'api-key': import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
         'base-url': import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        code: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
         format: import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
         model: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        oauth: import("@oclif/core/interfaces").BooleanFlag<boolean>;
     };
     protected connectProvider({ apiKey, baseUrl, model, providerId }: {
         apiKey?: string;
@@ -22,5 +24,12 @@ export default class ProviderConnect extends Command {
         providerId: string;
         providerName: string;
     }>;
+    protected connectProviderOAuth({ code, providerId }: {
+        code?: string;
+        providerId: string;
+    }, options?: DaemonClientOptions, onProgress?: (msg: string) => void): Promise<{
+        providerName: string;
+        showInstructions: boolean;
+    }>;
     run(): Promise<void>;
 }

package/dist/oclif/commands/providers/connect.js

@@ -1,5 +1,6 @@
 import { Args, Command, Flags } from '@oclif/core';
-import { ModelEvents, } from '../../../shared/transport/events/model-events.js';
+import { OAUTH_CALLBACK_TIMEOUT_MS } from '../../../shared/constants/oauth.js';
+import { ModelEvents } from '../../../shared/transport/events/model-events.js';
 import { ProviderEvents, } from '../../../shared/transport/events/provider-events.js';
 import { withDaemonRetry } from '../../lib/daemon-client.js';
 import { writeJsonResponse } from '../../lib/json-response.js';
@@ -14,6 +15,7 @@ export default class ProviderConnect extends Command {
     static examples = [
         '<%= config.bin %> providers connect anthropic --api-key sk-xxx',
         '<%= config.bin %> providers connect openai --api-key sk-xxx --model gpt-4.1',
+        '<%= config.bin %> providers connect openai --oauth',
         '<%= config.bin %> providers connect byterover',
         '<%= config.bin %> providers connect openai-compatible --base-url http://localhost:11434/v1',
         '<%= config.bin %> providers connect openai-compatible --base-url http://localhost:11434/v1 --api-key sk-xxx --model llama3',
@@ -27,6 +29,12 @@ export default class ProviderConnect extends Command {
             char: 'b',
             description: 'Base URL for OpenAI-compatible providers (e.g., http://localhost:11434/v1)',
         }),
+        code: Flags.string({
+            char: 'c',
+            description: 'Authorization code for code-paste OAuth providers (e.g., Anthropic). ' +
+                'Not applicable to browser-callback providers like OpenAI — use --oauth without --code instead.',
+            hidden: true,
+        }),
         format: Flags.string({
             default: 'text',
             description: 'Output format (text or json)',
@@ -36,6 +44,10 @@ export default class ProviderConnect extends Command {
             char: 'm',
             description: 'Model to set as active after connecting',
         }),
+        oauth: Flags.boolean({
+            default: false,
+            description: 'Connect via OAuth (browser-based)',
+        }),
     };
     async connectProvider({ apiKey, baseUrl, model, providerId }, options) {
         return withDaemonRetry(async (client) => {
@@ -48,8 +60,8 @@ export default class ProviderConnect extends Command {
             // 2. Validate base URL for openai-compatible
             if (providerId === 'openai-compatible') {
                 if (!baseUrl && !provider.isConnected) {
-                    throw new Error('Provider "openai-compatible" requires a base URL. Use the --base-url flag to provide one.'
-                        + '\nExample: brv providers connect openai-compatible --base-url http://localhost:11434/v1');
+                    throw new Error('Provider "openai-compatible" requires a base URL. Use the --base-url flag to provide one.' +
+                        '\nExample: brv providers connect openai-compatible --base-url http://localhost:11434/v1');
                 }
                 if (baseUrl) {
                     let parsed;
@@ -72,8 +84,8 @@ export default class ProviderConnect extends Command {
                 }
             }
             else if (!apiKey && provider.requiresApiKey && !provider.isConnected) {
-                throw new Error(`Provider "${providerId}" requires an API key. Use the --api-key flag to provide one.`
-                    + (provider.apiKeyUrl ? `\nDon't have one? Get your API key at: ${provider.apiKeyUrl}` : ''));
+                throw new Error(`Provider "${providerId}" requires an API key. Use the --api-key flag to provide one.` +
+                    (provider.apiKeyUrl ? `\nDon't have one? Get your API key at: ${provider.apiKeyUrl}` : ''));
             }
             // 4. Connect or switch active provider
             const hasNewConfig = apiKey || baseUrl;
@@ -87,27 +99,111 @@ export default class ProviderConnect extends Command {
             return { model, providerId, providerName: provider.name };
         }, options);
     }
+    async connectProviderOAuth({ code, providerId }, options, onProgress) {
+        return withDaemonRetry(async (client) => {
+            // 1. Verify provider exists and supports OAuth
+            const { providers } = await client.requestWithAck(ProviderEvents.LIST);
+            const provider = providers.find((p) => p.id === providerId);
+            if (!provider) {
+                throw new Error(`Unknown provider "${providerId}". Run "brv providers list" to see available providers.`);
+            }
+            if (!provider.supportsOAuth) {
+                throw new Error(`Provider "${providerId}" does not support OAuth. Use --api-key instead.`);
+            }
+            // --code is only valid for code-paste providers (e.g., Anthropic).
+            // Browser-callback providers like OpenAI handle the code exchange automatically.
+            if (code && provider.oauthCallbackMode !== 'code-paste') {
+                throw new Error(`Provider "${providerId}" uses browser-based OAuth and does not accept --code.\n` +
+                    `Run: brv providers connect ${providerId} --oauth`);
+            }
+            // If --code is provided, submit it directly (code-paste providers)
+            if (code) {
+                const response = await client.requestWithAck(ProviderEvents.SUBMIT_OAUTH_CODE, { code, providerId });
+                if (!response.success) {
+                    throw new Error(response.error ?? 'OAuth code submission failed');
+                }
+                return { providerName: provider.name, showInstructions: false };
+            }
+            // 2. Start OAuth flow — returns immediately with auth URL
+            const startResponse = await client.requestWithAck(ProviderEvents.START_OAUTH, {
+                providerId,
+            });
+            if (!startResponse.success) {
+                throw new Error(startResponse.error ?? 'Failed to start OAuth flow');
+            }
+            // Always print auth URL (user's machine may not support browser launch)
+            onProgress?.(`\nOpen this URL to authenticate:\n  ${startResponse.authUrl}\n`);
+            // 3. Handle based on callback mode
+            if (startResponse.callbackMode === 'auto') {
+                onProgress?.('Waiting for authentication in browser...');
+                const awaitResponse = await client.requestWithAck(ProviderEvents.AWAIT_OAUTH_CALLBACK, { providerId }, { timeout: OAUTH_CALLBACK_TIMEOUT_MS });
+                if (!awaitResponse.success) {
+                    throw new Error(awaitResponse.error ?? 'OAuth authentication failed');
+                }
+                return { providerName: provider.name, showInstructions: false };
+            }
+            // code-paste mode: print instructions and exit
+            onProgress?.('Copy the authorization code from the browser and run:');
+            onProgress?.(`  brv providers connect ${providerId} --oauth --code <code>`);
+            return { providerName: provider.name, showInstructions: true };
+        }, options);
+    }
     async run() {
         const { args, flags } = await this.parse(ProviderConnect);
         const providerId = args.provider;
         const apiKey = flags['api-key'];
         const baseUrl = flags['base-url'];
-        const { model } = flags;
-        const format = flags.format;
-        try {
-            const result = await this.connectProvider({ apiKey, baseUrl, model, providerId });
+        const { code, model, oauth } = flags;
+        const format = flags.format === 'json' ? 'json' : 'text';
+        // Validate flag combinations
+        if (oauth && apiKey) {
+            const msg = 'Cannot use --oauth and --api-key together';
+            if (format === 'json') {
+                writeJsonResponse({ command: 'providers connect', data: { error: msg }, success: false });
+            }
+            else {
+                this.log(msg);
+            }
+            return;
+        }
+        if (code && !oauth) {
+            const msg = '--code requires the --oauth flag';
             if (format === 'json') {
-                writeJsonResponse({ command: 'providers connect', data: result, success: true });
+                writeJsonResponse({ command: 'providers connect', data: { error: msg }, success: false });
+            }
+            else {
+                this.log(msg);
+            }
+            return;
+        }
+        try {
+            if (oauth) {
+                const onProgress = format === 'text' ? (msg) => this.log(msg) : undefined;
+                const result = await this.connectProviderOAuth({ code, providerId }, undefined, onProgress);
+                if (format === 'json') {
+                    writeJsonResponse({ command: 'providers connect', data: { providerId }, success: true });
+                }
+                else if (!result.showInstructions) {
+                    this.log(`Connected to ${result.providerName} via OAuth`);
+                }
             }
             else {
-                this.log(`Connected to ${result.providerName} (${result.providerId})`);
-                if (result.model) {
-                    this.log(`Model set to: ${result.model}`);
+                const result = await this.connectProvider({ apiKey, baseUrl, model, providerId });
+                if (format === 'json') {
+                    writeJsonResponse({ command: 'providers connect', data: result, success: true });
+                }
+                else {
+                    this.log(`Connected to ${result.providerName} (${result.providerId})`);
+                    if (result.model) {
+                        this.log(`Model set to: ${result.model}`);
+                    }
                 }
             }
         }
         catch (error) {
-            const errorMessage = error instanceof Error ? error.message : 'An unexpected error occurred while connecting the provider. Please try again.';
+            const errorMessage = error instanceof Error
+                ? error.message
+                : 'An unexpected error occurred while connecting the provider. Please try again.';
             if (format === 'json') {
                 writeJsonResponse({ command: 'providers connect', data: { error: errorMessage }, success: false });
             }

package/dist/oclif/commands/providers/list.js

@@ -5,10 +5,7 @@ import { formatConnectionError, withDaemonRetry } from '../../lib/daemon-client.
 import { writeJsonResponse } from '../../lib/json-response.js';
 export default class ProviderList extends Command {
     static description = 'List all available providers and their connection status';
-    static examples = [
-        '<%= config.bin %> providers list',
-        '<%= config.bin %> providers list --format json',
-    ];
+    static examples = ['<%= config.bin %> providers list', '<%= config.bin %> providers list --format json'];
     static flags = {
         format: Flags.string({
             default: 'text',
@@ -30,7 +27,8 @@ export default class ProviderList extends Command {
             }
             for (const p of providers) {
                 const status = p.isCurrent ? chalk.green('(current)') : p.isConnected ? chalk.yellow('(connected)') : '';
-                this.log(`  ${p.name} [${p.id}] ${status}`.trimEnd());
+                const authBadge = p.authMethod === 'oauth' ? chalk.cyan('[OAuth]') : p.authMethod === 'api-key' ? chalk.dim('[API Key]') : '';
+                this.log(`  ${p.name} [${p.id}] ${status} ${authBadge}`.trimEnd());
             }
         }
         catch (error) {

package/dist/oclif/commands/query.js

@@ -2,7 +2,7 @@ import { Args, Command, Flags } from '@oclif/core';
 import { randomUUID } from 'node:crypto';
 import { TransportStateEventNames } from '../../server/core/domain/transport/schemas.js';
 import { TaskEvents } from '../../shared/transport/events/index.js';
-import { formatConnectionError, hasLeakedHandles, withDaemonRetry, } from '../lib/daemon-client.js';
+import { formatConnectionError, hasLeakedHandles, providerMissingMessage, withDaemonRetry, } from '../lib/daemon-client.js';
 import { writeJsonResponse } from '../lib/json-response.js';
 import { waitForTaskCompletion } from '../lib/task-client.js';
 export default class Query extends Command {
@@ -54,7 +54,7 @@ Bad:
                     throw new Error('No provider connected. Run "brv providers connect byterover" to use the free built-in provider, or connect another provider.');
                 }
                 if (active.providerKeyMissing) {
-                    throw new Error(`${active.activeProvider} API key is missing from storage.\nPlease reconnect: brv providers connect ${active.activeProvider} --api-key <your-key>`);
+                    throw new Error(providerMissingMessage(active.activeProvider, active.authMethod));
                 }
                 await this.submitTask({ client, format, projectRoot, query: args.query });
             }, {

package/dist/oclif/lib/daemon-client.d.ts

@@ -30,6 +30,10 @@ export declare function isRetryableError(error: unknown): boolean;
  * Checks if an error left leaked Socket.IO handles that prevent Node.js from exiting.
  */
 export declare function hasLeakedHandles(error: unknown): boolean;
+/**
+ * Builds a user-friendly message when provider credentials are missing from storage.
+ */
+export declare function providerMissingMessage(activeProvider: string, authMethod?: 'api-key' | 'oauth'): string;
 export interface ProviderErrorContext {
     activeModel?: string;
     activeProvider?: string;

package/dist/oclif/lib/daemon-client.js

@@ -12,6 +12,8 @@ const USER_FRIENDLY_MESSAGES = {
     [TaskErrorCode.CONTEXT_TREE_NOT_INITIALIZED]: 'Context tree not initialized.',
     [TaskErrorCode.LOCAL_CHANGES_EXIST]: 'You have local changes. Run "brv push" to save your changes before pulling.',
     [TaskErrorCode.NOT_AUTHENTICATED]: 'Not authenticated. Cloud sync features (push/pull/space) require login — local query and curate work without authentication.',
+    [TaskErrorCode.OAUTH_REFRESH_FAILED]: 'OAuth token refresh failed. Run "brv providers connect <provider> --oauth" to reconnect.',
+    [TaskErrorCode.OAUTH_TOKEN_EXPIRED]: 'OAuth token has expired. Run "brv providers connect <provider> --oauth" to reconnect.',
     [TaskErrorCode.PROJECT_NOT_INIT]: 'Project not initialized. Run "brv restart" to reinitialize.',
     [TaskErrorCode.PROVIDER_NOT_CONFIGURED]: 'No provider connected. Run "brv providers connect byterover" to use the free built-in provider, or connect another provider.',
     [TaskErrorCode.SPACE_NOT_CONFIGURED]: 'No space configured. Run "brv space list" to see available spaces, then "brv space switch --team <team> --name <space>" to select one.',
@@ -83,6 +85,14 @@ export function hasLeakedHandles(error) {
         return false;
     return error.code === TaskErrorCode.AGENT_DISCONNECTED || error.code === TaskErrorCode.AGENT_NOT_AVAILABLE;
 }
+/**
+ * Builds a user-friendly message when provider credentials are missing from storage.
+ */
+export function providerMissingMessage(activeProvider, authMethod) {
+    return authMethod === 'oauth'
+        ? `${activeProvider} authentication has expired.\nPlease reconnect: brv providers connect ${activeProvider} --oauth`
+        : `${activeProvider} API key is missing from storage.\nPlease reconnect: brv providers connect ${activeProvider} --api-key <your-key>`;
+}
 /**
  * Formats a connection error into a user-friendly message.
  */
@@ -131,9 +141,9 @@ export function formatConnectionError(error, providerContext) {
         const provider = providerContext?.activeProvider ?? '<provider>';
         const model = providerContext?.activeModel;
         const currentInfo = model ? `Provider: ${provider}  Model: ${model}\n\n` : `Provider: ${provider}\n\n`;
-        return (`LLM provider API key is missing or invalid.\n${currentInfo}` +
-            '  Reconnect with your API key:\n' +
-            `    brv providers connect ${provider} --api-key <key>\n\n` +
+        return (`LLM provider credentials are missing or invalid.\n${currentInfo}` +
+            '  Reconnect your provider:\n' +
+            `    brv providers connect ${provider}\n\n` +
             '  Switch to a different provider:\n' +
             '    brv providers switch <provider>\n\n' +
             '  See all options:  brv providers --help');

package/dist/server/core/domain/entities/provider-config.d.ts

@@ -12,12 +12,16 @@ export interface ConnectedProviderConfig {
     readonly activeModel?: string;
     /** Context window size of the active model (from provider API, e.g. OpenRouter) */
     readonly activeModelContextLength?: number;
+    /** How this provider was authenticated */
+    readonly authMethod?: 'api-key' | 'oauth';
     /** Custom API base URL (for openai-compatible provider) */
     readonly baseUrl?: string;
     /** When the provider was connected */
     readonly connectedAt: string;
     /** User's favorite models (for quick access) */
     readonly favoriteModels: readonly string[];
+    /** OAuth account ID (e.g. ChatGPT-Account-Id for OpenAI) */
+    readonly oauthAccountId?: string;
     /** Recently used models (last 10) */
     readonly recentModels: readonly string[];
 }
@@ -96,7 +100,9 @@ export declare class ProviderConfig {
      */
     withProviderConnected(providerId: string, options?: {
         activeModel?: string;
+        authMethod?: 'api-key' | 'oauth';
         baseUrl?: string;
+        oauthAccountId?: string;
     }): ProviderConfig;
     /**
      * Create a new config with a provider disconnected.

package/dist/server/core/domain/entities/provider-config.js

@@ -10,10 +10,9 @@
 const isProviderConfigJson = (json) => {
     if (typeof json !== 'object' || json === null)
         return false;
-    const obj = json;
-    if (typeof obj.activeProvider !== 'string')
+    if (!('activeProvider' in json) || typeof json.activeProvider !== 'string')
         return false;
-    if (typeof obj.providers !== 'object' || obj.providers === null)
+    if (!('providers' in json) || typeof json.providers !== 'object' || json.providers === null)
         return false;
     return true;
 };
@@ -164,9 +163,11 @@ export class ProviderConfig {
         const existingConfig = this.providers[providerId];
         const newProviderConfig = {
             activeModel: options?.activeModel ?? existingConfig?.activeModel,
+            authMethod: options?.authMethod ?? existingConfig?.authMethod,
             baseUrl: options?.baseUrl ?? existingConfig?.baseUrl,
             connectedAt: existingConfig?.connectedAt ?? new Date().toISOString(),
             favoriteModels: existingConfig?.favoriteModels ?? [],
+            oauthAccountId: options?.oauthAccountId ?? existingConfig?.oauthAccountId,
             recentModels: existingConfig?.recentModels ?? [],
         };
         return new ProviderConfig({

package/dist/server/core/domain/entities/provider-registry.d.ts

@@ -4,6 +4,44 @@
  * Defines available LLM providers that can be connected to byterover-cli.
  * Inspired by OpenCode's provider system.
  */
+/**
+ * Configuration for a single OAuth authentication mode.
+ */
+export interface OAuthModeConfig {
+    /** Auth URL for this mode */
+    readonly authUrl: string;
+    /** Mode identifier (e.g. 'default', 'pro-max') */
+    readonly id: string;
+    /** Display label (e.g. "Sign in with OpenAI") */
+    readonly label: string;
+}
+/**
+ * OAuth configuration for a provider.
+ */
+export interface ProviderOAuthConfig {
+    /** How the callback is received: local server ('auto') or user pastes code ('code-paste') */
+    readonly callbackMode: 'auto' | 'code-paste';
+    /** Port for local callback server (auto mode only) */
+    readonly callbackPort?: number;
+    /** OAuth client ID */
+    readonly clientId: string;
+    /** Whether to add `code=true` query param to auth URL (code-paste mode only — tells server to display paste-able code) */
+    readonly codeDisplay?: boolean;
+    /** Default model when connected via OAuth (overrides ProviderDefinition.defaultModel) */
+    readonly defaultModel?: string;
+    /** Extra query params appended to the authorization URL (provider-specific) */
+    readonly extraParams?: Readonly<Record<string, string>>;
+    /** Supported OAuth modes (some providers have multiple) */
+    readonly modes: readonly OAuthModeConfig[];
+    /** OAuth redirect URI */
+    readonly redirectUri: string;
+    /** OAuth scopes */
+    readonly scopes: string;
+    /** Token endpoint content type: OpenAI = 'form', Anthropic = 'json' */
+    readonly tokenContentType: 'form' | 'json';
+    /** Token exchange endpoint */
+    readonly tokenUrl: string;
+}
 /**
  * Definition for an LLM provider.
  */
@@ -28,6 +66,8 @@ export interface ProviderDefinition {
     readonly modelsEndpoint: string;
     /** Display name */
     readonly name: string;
+    /** OAuth configuration (only for OAuth-capable providers) */
+    readonly oauth?: ProviderOAuthConfig;
     /** Priority for display order (lower = higher priority) */
     readonly priority: number;
 }
@@ -54,4 +94,4 @@ export declare function getProviderById(id: string): ProviderDefinition | undefi
 /**
  * Check if a provider requires an API key.
  */
-export declare function providerRequiresApiKey(id: string): boolean;
+export declare function providerRequiresApiKey(id: string, authMethod?: 'api-key' | 'oauth'): boolean;

package/dist/server/core/domain/entities/provider-registry.js

@@ -4,6 +4,7 @@
  * Defines available LLM providers that can be connected to byterover-cli.
  * Inspired by OpenCode's provider system.
  */
+import { CHATGPT_OAUTH_ORIGINATOR } from '../../../../shared/constants/oauth.js';
 /**
  * Registry of all available providers.
  * Order by priority for consistent display.
@@ -160,6 +161,26 @@ export const PROVIDER_REGISTRY = {
         id: 'openai',
         modelsEndpoint: '/models',
         name: 'OpenAI',
+        oauth: {
+            callbackMode: 'auto',
+            callbackPort: 1455,
+            // Public OAuth client ID (safe to commit — native app public client, no client secret)
+            clientId: 'app_EMoamEEZ73f0CkXaXp7hrann',
+            // OpenAI Codex model used for the ChatGPT OAuth (Codex CLI) flow
+            defaultModel: 'gpt-5.1-codex-mini',
+            /* eslint-disable camelcase -- OAuth query params follow RFC 6749 naming */
+            extraParams: {
+                codex_cli_simplified_flow: 'true',
+                id_token_add_organizations: 'true',
+                originator: CHATGPT_OAUTH_ORIGINATOR,
+            },
+            /* eslint-enable camelcase */
+            modes: [{ authUrl: 'https://auth.openai.com/oauth/authorize', id: 'default', label: 'Sign in with OpenAI' }],
+            redirectUri: 'http://localhost:1455/auth/callback',
+            scopes: 'openid profile email offline_access',
+            tokenContentType: 'form',
+            tokenUrl: 'https://auth.openai.com/oauth/token',
+        },
         priority: 3,
     },
     'openai-compatible': {
@@ -268,7 +289,9 @@ export function getProviderById(id) {
 /**
  * Check if a provider requires an API key.
  */
-export function providerRequiresApiKey(id) {
+export function providerRequiresApiKey(id, authMethod) {
+    if (authMethod === 'oauth')
+        return false;
     const provider = getProviderById(id);
     if (!provider)
         return false;

package/dist/server/core/domain/errors/task-error.d.ts

@@ -11,6 +11,8 @@ export declare const TaskErrorCode: {
     readonly LLM_RATE_LIMIT: "ERR_LLM_RATE_LIMIT";
     readonly LOCAL_CHANGES_EXIST: "ERR_LOCAL_CHANGES_EXIST";
     readonly NOT_AUTHENTICATED: "ERR_NOT_AUTHENTICATED";
+    readonly OAUTH_REFRESH_FAILED: "ERR_OAUTH_REFRESH_FAILED";
+    readonly OAUTH_TOKEN_EXPIRED: "ERR_OAUTH_TOKEN_EXPIRED";
     readonly PROJECT_NOT_INIT: "ERR_PROJECT_NOT_INIT";
     readonly PROVIDER_NOT_CONFIGURED: "ERR_PROVIDER_NOT_CONFIGURED";
     readonly SPACE_NOT_CONFIGURED: "ERR_SPACE_NOT_CONFIGURED";

package/dist/server/core/domain/errors/task-error.js

@@ -15,6 +15,9 @@ export const TaskErrorCode = {
     LOCAL_CHANGES_EXIST: 'ERR_LOCAL_CHANGES_EXIST',
     // Auth/Init errors
     NOT_AUTHENTICATED: 'ERR_NOT_AUTHENTICATED',
+    // OAuth errors
+    OAUTH_REFRESH_FAILED: 'ERR_OAUTH_REFRESH_FAILED',
+    OAUTH_TOKEN_EXPIRED: 'ERR_OAUTH_TOKEN_EXPIRED',
     // Execution errors
     PROJECT_NOT_INIT: 'ERR_PROJECT_NOT_INIT',
     PROVIDER_NOT_CONFIGURED: 'ERR_PROVIDER_NOT_CONFIGURED',
@@ -100,7 +103,9 @@ export class AgentDisconnectedError extends TaskError {
 }
 export class AgentNotInitializedError extends TaskError {
     constructor(reason) {
-        super(reason ? `Agent failed to initialize: ${reason}` : "Agent failed to initialize. Run 'brv restart' to force a clean restart.", TaskErrorCode.AGENT_NOT_INITIALIZED);
+        super(reason
+            ? `Agent failed to initialize: ${reason}`
+            : "Agent failed to initialize. Run 'brv restart' to force a clean restart.", TaskErrorCode.AGENT_NOT_INITIALIZED);
         this.name = 'AgentNotInitializedError';
     }
 }

package/dist/server/core/domain/transport/schemas.d.ts

@@ -463,6 +463,8 @@ export declare const TransportDaemonEventNames: {
 export interface ProviderConfigResponse {
     activeModel?: string;
     activeProvider: string;
+    /** How the provider was authenticated ('api-key' | 'oauth'). Undefined for internal providers. */
+    authMethod?: 'api-key' | 'oauth';
     maxInputTokens?: number;
     openRouterApiKey?: string;
     provider?: string;