npm - byterover-cli - Versions diffs - 2.2.0 → 2.3.0 - Mend

byterover-cli 2.2.0 → 2.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (90) hide show

package/dist/agent/infra/llm/providers/openai.d.ts CHANGED Viewed

@@ -2,6 +2,18 @@
  * OpenAI Provider Module
  *
  * Direct access to GPT models via @ai-sdk/openai.
+ * Supports both standard OpenAI API and ChatGPT OAuth (Codex) endpoint.
  */
 import type { ProviderModule } from './types.js';
+/**
+ * Custom fetch wrapper for the ChatGPT OAuth endpoint.
+ *
+ * The ChatGPT OAuth Responses API has stricter requirements than the standard
+ * OpenAI API — certain fields are required and others are rejected:
+ * - `instructions` is required (system prompt — defaults to empty)
+ * - `store` must be false
+ * - `max_output_tokens` is not supported (must be omitted)
+ * - `id` fields on input items are rejected
+ */
+export declare function createChatGptOAuthFetch(): typeof globalThis.fetch;
 export declare const openaiProvider: ProviderModule;

package/dist/agent/infra/llm/providers/openai.js CHANGED Viewed

@@ -2,16 +2,67 @@
  * OpenAI Provider Module
  *
  * Direct access to GPT models via @ai-sdk/openai.
+ * Supports both standard OpenAI API and ChatGPT OAuth (Codex) endpoint.
  */
 import { createOpenAI } from '@ai-sdk/openai';
+import { CHATGPT_OAUTH_BASE_URL } from '../../../../shared/constants/oauth.js';
 import { AiSdkContentGenerator } from '../generators/ai-sdk-content-generator.js';
+/**
+ * Custom fetch wrapper for the ChatGPT OAuth endpoint.
+ *
+ * The ChatGPT OAuth Responses API has stricter requirements than the standard
+ * OpenAI API — certain fields are required and others are rejected:
+ * - `instructions` is required (system prompt — defaults to empty)
+ * - `store` must be false
+ * - `max_output_tokens` is not supported (must be omitted)
+ * - `id` fields on input items are rejected
+ */
+/* eslint-disable n/no-unsupported-features/node-builtins */
+export function createChatGptOAuthFetch() {
+    return async (input, init) => {
+        if (init?.method === 'POST' && init.body) {
+            if (typeof init.body !== 'string') {
+                return globalThis.fetch(input, init);
+            }
+            let body;
+            try {
+                body = JSON.parse(init.body);
+            }
+            catch {
+                return globalThis.fetch(input, init);
+            }
+            if (!body.instructions) {
+                body.instructions = '';
+            }
+            body.store = false;
+            delete body.max_output_tokens;
+            if (Array.isArray(body.input)) {
+                for (const item of body.input) {
+                    if (typeof item === 'object' && item !== null && 'id' in item) {
+                        const record = item;
+                        delete record.id;
+                    }
+                }
+            }
+            init = { ...init, body: JSON.stringify(body) };
+        }
+        return globalThis.fetch(input, init);
+    };
+}
+/* eslint-enable n/no-unsupported-features/node-builtins */
 export const openaiProvider = {
     apiKeyUrl: 'https://platform.openai.com/api-keys',
     authType: 'api-key',
     baseUrl: 'https://api.openai.com/v1',
     category: 'popular',
     createGenerator(config) {
-        const provider = createOpenAI({ apiKey: config.apiKey });
+        const useChatGptOAuth = config.baseUrl === CHATGPT_OAUTH_BASE_URL;
+        const provider = createOpenAI({
+            apiKey: config.apiKey ?? '',
+            baseURL: config.baseUrl,
+            fetch: useChatGptOAuth ? createChatGptOAuthFetch() : undefined,
+            headers: config.headers,
+        });
         return new AiSdkContentGenerator({
             model: provider.responses(config.model),
         });

package/dist/oclif/commands/curate/index.js CHANGED Viewed

@@ -3,7 +3,7 @@ import { randomUUID } from 'node:crypto';
 import { TransportStateEventNames } from '../../../server/core/domain/transport/index.js';
 import { extractCurateOperations } from '../../../server/utils/curate-result-parser.js';
 import { TaskEvents } from '../../../shared/transport/events/index.js';
-import { formatConnectionError, hasLeakedHandles, withDaemonRetry, } from '../../lib/daemon-client.js';
+import { formatConnectionError, hasLeakedHandles, providerMissingMessage, withDaemonRetry, } from '../../lib/daemon-client.js';
 import { writeJsonResponse } from '../../lib/json-response.js';
 import { waitForTaskCompletion } from '../../lib/task-client.js';
 export default class Curate extends Command {
@@ -91,7 +91,7 @@ Bad examples:
                     throw new Error('No provider connected. Run "brv providers connect byterover" to use the free built-in provider, or connect another provider.');
                 }
                 if (active.providerKeyMissing) {
-                    throw new Error(`${active.activeProvider} API key is missing from storage.\nPlease reconnect: brv providers connect ${active.activeProvider} --api-key <your-key>`);
+                    throw new Error(providerMissingMessage(active.activeProvider, active.authMethod));
                 }
                 await this.submitTask({ client, content: resolvedContent, flags, format, projectRoot, taskType });
             }, {

package/dist/oclif/commands/model/switch.js CHANGED Viewed

@@ -1,5 +1,5 @@
 import { Args, Command, Flags } from '@oclif/core';
-import { ModelEvents, } from '../../../shared/transport/events/model-events.js';
+import { ModelEvents } from '../../../shared/transport/events/model-events.js';
 import { ProviderEvents, } from '../../../shared/transport/events/provider-events.js';
 import { withDaemonRetry } from '../../lib/daemon-client.js';
 import { writeJsonResponse } from '../../lib/json-response.js';
@@ -42,7 +42,9 @@ export default class ModelSwitch extends Command {
             }
         }
         catch (error) {
-            const errorMessage = error instanceof Error ? error.message : 'An unexpected error occurred while switching the model. Please try again.';
+            const errorMessage = error instanceof Error
+                ? error.message
+                : 'An unexpected error occurred while switching the model. Please try again.';
             if (format === 'json') {
                 writeJsonResponse({ command: 'model switch', data: { error: errorMessage }, success: false });
             }
@@ -68,13 +70,22 @@ export default class ModelSwitch extends Command {
             }
             else {
                 const active = await client.requestWithAck(ProviderEvents.GET_ACTIVE);
+                if (!active.activeProviderId) {
+                    throw new Error('No active provider configured. Run "brv providers connect <provider>" first.');
+                }
                 providerId = active.activeProviderId;
             }
             if (providerId === 'byterover') {
                 throw new Error('ByteRover provider uses its own internal LLM and does not support model switching. Run "brv providers switch <provider>" to switch to a different provider first.');
             }
             // 2. Switch active model
-            await client.requestWithAck(ModelEvents.SET_ACTIVE, { modelId, providerId });
+            const response = await client.requestWithAck(ModelEvents.SET_ACTIVE, {
+                modelId,
+                providerId,
+            });
+            if (!response.success) {
+                throw new Error(response.error ?? 'Failed to switch model');
+            }
             return { modelId, providerId };
         }, options);
     }

package/dist/oclif/commands/providers/connect.d.ts CHANGED Viewed

@@ -9,8 +9,10 @@ export default class ProviderConnect extends Command {
     static flags: {
         'api-key': import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
         'base-url': import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        code: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
         format: import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
         model: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        oauth: import("@oclif/core/interfaces").BooleanFlag<boolean>;
     };
     protected connectProvider({ apiKey, baseUrl, model, providerId }: {
         apiKey?: string;
@@ -22,5 +24,12 @@ export default class ProviderConnect extends Command {
         providerId: string;
         providerName: string;
     }>;
+    protected connectProviderOAuth({ code, providerId }: {
+        code?: string;
+        providerId: string;
+    }, options?: DaemonClientOptions, onProgress?: (msg: string) => void): Promise<{
+        providerName: string;
+        showInstructions: boolean;
+    }>;
     run(): Promise<void>;
 }

package/dist/oclif/commands/providers/connect.js CHANGED Viewed

@@ -1,5 +1,6 @@
 import { Args, Command, Flags } from '@oclif/core';
-import { ModelEvents, } from '../../../shared/transport/events/model-events.js';
+import { OAUTH_CALLBACK_TIMEOUT_MS } from '../../../shared/constants/oauth.js';
+import { ModelEvents } from '../../../shared/transport/events/model-events.js';
 import { ProviderEvents, } from '../../../shared/transport/events/provider-events.js';
 import { withDaemonRetry } from '../../lib/daemon-client.js';
 import { writeJsonResponse } from '../../lib/json-response.js';
@@ -14,6 +15,7 @@ export default class ProviderConnect extends Command {
     static examples = [
         '<%= config.bin %> providers connect anthropic --api-key sk-xxx',
         '<%= config.bin %> providers connect openai --api-key sk-xxx --model gpt-4.1',
+        '<%= config.bin %> providers connect openai --oauth',
         '<%= config.bin %> providers connect byterover',
         '<%= config.bin %> providers connect openai-compatible --base-url http://localhost:11434/v1',
         '<%= config.bin %> providers connect openai-compatible --base-url http://localhost:11434/v1 --api-key sk-xxx --model llama3',
@@ -27,6 +29,12 @@ export default class ProviderConnect extends Command {
             char: 'b',
             description: 'Base URL for OpenAI-compatible providers (e.g., http://localhost:11434/v1)',
         }),
+        code: Flags.string({
+            char: 'c',
+            description: 'Authorization code for code-paste OAuth providers (e.g., Anthropic). ' +
+                'Not applicable to browser-callback providers like OpenAI — use --oauth without --code instead.',
+            hidden: true,
+        }),
         format: Flags.string({
             default: 'text',
             description: 'Output format (text or json)',
@@ -36,6 +44,10 @@ export default class ProviderConnect extends Command {
             char: 'm',
             description: 'Model to set as active after connecting',
         }),
+        oauth: Flags.boolean({
+            default: false,
+            description: 'Connect via OAuth (browser-based)',
+        }),
     };
     async connectProvider({ apiKey, baseUrl, model, providerId }, options) {
         return withDaemonRetry(async (client) => {
@@ -48,8 +60,8 @@ export default class ProviderConnect extends Command {
             // 2. Validate base URL for openai-compatible
             if (providerId === 'openai-compatible') {
                 if (!baseUrl && !provider.isConnected) {
-                    throw new Error('Provider "openai-compatible" requires a base URL. Use the --base-url flag to provide one.'
-                        + '\nExample: brv providers connect openai-compatible --base-url http://localhost:11434/v1');
+                    throw new Error('Provider "openai-compatible" requires a base URL. Use the --base-url flag to provide one.' +
+                        '\nExample: brv providers connect openai-compatible --base-url http://localhost:11434/v1');
                 }
                 if (baseUrl) {
                     let parsed;
@@ -72,8 +84,8 @@ export default class ProviderConnect extends Command {
                 }
             }
             else if (!apiKey && provider.requiresApiKey && !provider.isConnected) {
-                throw new Error(`Provider "${providerId}" requires an API key. Use the --api-key flag to provide one.`
-                    + (provider.apiKeyUrl ? `\nDon't have one? Get your API key at: ${provider.apiKeyUrl}` : ''));
+                throw new Error(`Provider "${providerId}" requires an API key. Use the --api-key flag to provide one.` +
+                    (provider.apiKeyUrl ? `\nDon't have one? Get your API key at: ${provider.apiKeyUrl}` : ''));
             }
             // 4. Connect or switch active provider
             const hasNewConfig = apiKey || baseUrl;
@@ -87,27 +99,111 @@ export default class ProviderConnect extends Command {
             return { model, providerId, providerName: provider.name };
         }, options);
     }
+    async connectProviderOAuth({ code, providerId }, options, onProgress) {
+        return withDaemonRetry(async (client) => {
+            // 1. Verify provider exists and supports OAuth
+            const { providers } = await client.requestWithAck(ProviderEvents.LIST);
+            const provider = providers.find((p) => p.id === providerId);
+            if (!provider) {
+                throw new Error(`Unknown provider "${providerId}". Run "brv providers list" to see available providers.`);
+            }
+            if (!provider.supportsOAuth) {
+                throw new Error(`Provider "${providerId}" does not support OAuth. Use --api-key instead.`);
+            }
+            // --code is only valid for code-paste providers (e.g., Anthropic).
+            // Browser-callback providers like OpenAI handle the code exchange automatically.
+            if (code && provider.oauthCallbackMode !== 'code-paste') {
+                throw new Error(`Provider "${providerId}" uses browser-based OAuth and does not accept --code.\n` +
+                    `Run: brv providers connect ${providerId} --oauth`);
+            }
+            // If --code is provided, submit it directly (code-paste providers)
+            if (code) {
+                const response = await client.requestWithAck(ProviderEvents.SUBMIT_OAUTH_CODE, { code, providerId });
+                if (!response.success) {
+                    throw new Error(response.error ?? 'OAuth code submission failed');
+                }
+                return { providerName: provider.name, showInstructions: false };
+            }
+            // 2. Start OAuth flow — returns immediately with auth URL
+            const startResponse = await client.requestWithAck(ProviderEvents.START_OAUTH, {
+                providerId,
+            });
+            if (!startResponse.success) {
+                throw new Error(startResponse.error ?? 'Failed to start OAuth flow');
+            }
+            // Always print auth URL (user's machine may not support browser launch)
+            onProgress?.(`\nOpen this URL to authenticate:\n  ${startResponse.authUrl}\n`);
+            // 3. Handle based on callback mode
+            if (startResponse.callbackMode === 'auto') {
+                onProgress?.('Waiting for authentication in browser...');
+                const awaitResponse = await client.requestWithAck(ProviderEvents.AWAIT_OAUTH_CALLBACK, { providerId }, { timeout: OAUTH_CALLBACK_TIMEOUT_MS });
+                if (!awaitResponse.success) {
+                    throw new Error(awaitResponse.error ?? 'OAuth authentication failed');
+                }
+                return { providerName: provider.name, showInstructions: false };
+            }
+            // code-paste mode: print instructions and exit
+            onProgress?.('Copy the authorization code from the browser and run:');
+            onProgress?.(`  brv providers connect ${providerId} --oauth --code <code>`);
+            return { providerName: provider.name, showInstructions: true };
+        }, options);
+    }
     async run() {
         const { args, flags } = await this.parse(ProviderConnect);
         const providerId = args.provider;
         const apiKey = flags['api-key'];
         const baseUrl = flags['base-url'];
-        const { model } = flags;
-        const format = flags.format;
-        try {
-            const result = await this.connectProvider({ apiKey, baseUrl, model, providerId });
+        const { code, model, oauth } = flags;
+        const format = flags.format === 'json' ? 'json' : 'text';
+        // Validate flag combinations
+        if (oauth && apiKey) {
+            const msg = 'Cannot use --oauth and --api-key together';
+            if (format === 'json') {
+                writeJsonResponse({ command: 'providers connect', data: { error: msg }, success: false });
+            }
+            else {
+                this.log(msg);
+            }
+            return;
+        }
+        if (code && !oauth) {
+            const msg = '--code requires the --oauth flag';
             if (format === 'json') {
-                writeJsonResponse({ command: 'providers connect', data: result, success: true });
+                writeJsonResponse({ command: 'providers connect', data: { error: msg }, success: false });
+            }
+            else {
+                this.log(msg);
+            }
+            return;
+        }
+        try {
+            if (oauth) {
+                const onProgress = format === 'text' ? (msg) => this.log(msg) : undefined;
+                const result = await this.connectProviderOAuth({ code, providerId }, undefined, onProgress);
+                if (format === 'json') {
+                    writeJsonResponse({ command: 'providers connect', data: { providerId }, success: true });
+                }
+                else if (!result.showInstructions) {
+                    this.log(`Connected to ${result.providerName} via OAuth`);
+                }
             }
             else {
-                this.log(`Connected to ${result.providerName} (${result.providerId})`);
-                if (result.model) {
-                    this.log(`Model set to: ${result.model}`);
+                const result = await this.connectProvider({ apiKey, baseUrl, model, providerId });
+                if (format === 'json') {
+                    writeJsonResponse({ command: 'providers connect', data: result, success: true });
+                }
+                else {
+                    this.log(`Connected to ${result.providerName} (${result.providerId})`);
+                    if (result.model) {
+                        this.log(`Model set to: ${result.model}`);
+                    }
                 }
             }
         }
         catch (error) {
-            const errorMessage = error instanceof Error ? error.message : 'An unexpected error occurred while connecting the provider. Please try again.';
+            const errorMessage = error instanceof Error
+                ? error.message
+                : 'An unexpected error occurred while connecting the provider. Please try again.';
             if (format === 'json') {
                 writeJsonResponse({ command: 'providers connect', data: { error: errorMessage }, success: false });
             }

package/dist/oclif/commands/providers/list.js CHANGED Viewed

@@ -5,10 +5,7 @@ import { formatConnectionError, withDaemonRetry } from '../../lib/daemon-client.
 import { writeJsonResponse } from '../../lib/json-response.js';
 export default class ProviderList extends Command {
     static description = 'List all available providers and their connection status';
-    static examples = [
-        '<%= config.bin %> providers list',
-        '<%= config.bin %> providers list --format json',
-    ];
+    static examples = ['<%= config.bin %> providers list', '<%= config.bin %> providers list --format json'];
     static flags = {
         format: Flags.string({
             default: 'text',
@@ -30,7 +27,8 @@ export default class ProviderList extends Command {
             }
             for (const p of providers) {
                 const status = p.isCurrent ? chalk.green('(current)') : p.isConnected ? chalk.yellow('(connected)') : '';
-                this.log(`  ${p.name} [${p.id}] ${status}`.trimEnd());
+                const authBadge = p.authMethod === 'oauth' ? chalk.cyan('[OAuth]') : p.authMethod === 'api-key' ? chalk.dim('[API Key]') : '';
+                this.log(`  ${p.name} [${p.id}] ${status} ${authBadge}`.trimEnd());
             }
         }
         catch (error) {

package/dist/oclif/commands/query.js CHANGED Viewed

@@ -2,7 +2,7 @@ import { Args, Command, Flags } from '@oclif/core';
 import { randomUUID } from 'node:crypto';
 import { TransportStateEventNames } from '../../server/core/domain/transport/schemas.js';
 import { TaskEvents } from '../../shared/transport/events/index.js';
-import { formatConnectionError, hasLeakedHandles, withDaemonRetry, } from '../lib/daemon-client.js';
+import { formatConnectionError, hasLeakedHandles, providerMissingMessage, withDaemonRetry, } from '../lib/daemon-client.js';
 import { writeJsonResponse } from '../lib/json-response.js';
 import { waitForTaskCompletion } from '../lib/task-client.js';
 export default class Query extends Command {
@@ -54,7 +54,7 @@ Bad:
                     throw new Error('No provider connected. Run "brv providers connect byterover" to use the free built-in provider, or connect another provider.');
                 }
                 if (active.providerKeyMissing) {
-                    throw new Error(`${active.activeProvider} API key is missing from storage.\nPlease reconnect: brv providers connect ${active.activeProvider} --api-key <your-key>`);
+                    throw new Error(providerMissingMessage(active.activeProvider, active.authMethod));
                 }
                 await this.submitTask({ client, format, projectRoot, query: args.query });
             }, {

package/dist/oclif/lib/daemon-client.d.ts CHANGED Viewed

@@ -30,6 +30,10 @@ export declare function isRetryableError(error: unknown): boolean;
  * Checks if an error left leaked Socket.IO handles that prevent Node.js from exiting.
  */
 export declare function hasLeakedHandles(error: unknown): boolean;
+/**
+ * Builds a user-friendly message when provider credentials are missing from storage.
+ */
+export declare function providerMissingMessage(activeProvider: string, authMethod?: 'api-key' | 'oauth'): string;
 export interface ProviderErrorContext {
     activeModel?: string;
     activeProvider?: string;

package/dist/oclif/lib/daemon-client.js CHANGED Viewed

@@ -12,6 +12,8 @@ const USER_FRIENDLY_MESSAGES = {
     [TaskErrorCode.CONTEXT_TREE_NOT_INITIALIZED]: 'Context tree not initialized.',
     [TaskErrorCode.LOCAL_CHANGES_EXIST]: 'You have local changes. Run "brv push" to save your changes before pulling.',
     [TaskErrorCode.NOT_AUTHENTICATED]: 'Not authenticated. Cloud sync features (push/pull/space) require login — local query and curate work without authentication.',
+    [TaskErrorCode.OAUTH_REFRESH_FAILED]: 'OAuth token refresh failed. Run "brv providers connect <provider> --oauth" to reconnect.',
+    [TaskErrorCode.OAUTH_TOKEN_EXPIRED]: 'OAuth token has expired. Run "brv providers connect <provider> --oauth" to reconnect.',
     [TaskErrorCode.PROJECT_NOT_INIT]: 'Project not initialized. Run "brv restart" to reinitialize.',
     [TaskErrorCode.PROVIDER_NOT_CONFIGURED]: 'No provider connected. Run "brv providers connect byterover" to use the free built-in provider, or connect another provider.',
     [TaskErrorCode.SPACE_NOT_CONFIGURED]: 'No space configured. Run "brv space list" to see available spaces, then "brv space switch --team <team> --name <space>" to select one.',
@@ -83,6 +85,14 @@ export function hasLeakedHandles(error) {
         return false;
     return error.code === TaskErrorCode.AGENT_DISCONNECTED || error.code === TaskErrorCode.AGENT_NOT_AVAILABLE;
 }
+/**
+ * Builds a user-friendly message when provider credentials are missing from storage.
+ */
+export function providerMissingMessage(activeProvider, authMethod) {
+    return authMethod === 'oauth'
+        ? `${activeProvider} authentication has expired.\nPlease reconnect: brv providers connect ${activeProvider} --oauth`
+        : `${activeProvider} API key is missing from storage.\nPlease reconnect: brv providers connect ${activeProvider} --api-key <your-key>`;
+}
 /**
  * Formats a connection error into a user-friendly message.
  */
@@ -131,9 +141,9 @@ export function formatConnectionError(error, providerContext) {
         const provider = providerContext?.activeProvider ?? '<provider>';
         const model = providerContext?.activeModel;
         const currentInfo = model ? `Provider: ${provider}  Model: ${model}\n\n` : `Provider: ${provider}\n\n`;
-        return (`LLM provider API key is missing or invalid.\n${currentInfo}` +
-            '  Reconnect with your API key:\n' +
-            `    brv providers connect ${provider} --api-key <key>\n\n` +
+        return (`LLM provider credentials are missing or invalid.\n${currentInfo}` +
+            '  Reconnect your provider:\n' +
+            `    brv providers connect ${provider}\n\n` +
             '  Switch to a different provider:\n' +
             '    brv providers switch <provider>\n\n' +
             '  See all options:  brv providers --help');

package/dist/server/core/domain/entities/provider-config.d.ts CHANGED Viewed

@@ -12,12 +12,16 @@ export interface ConnectedProviderConfig {
     readonly activeModel?: string;
     /** Context window size of the active model (from provider API, e.g. OpenRouter) */
     readonly activeModelContextLength?: number;
+    /** How this provider was authenticated */
+    readonly authMethod?: 'api-key' | 'oauth';
     /** Custom API base URL (for openai-compatible provider) */
     readonly baseUrl?: string;
     /** When the provider was connected */
     readonly connectedAt: string;
     /** User's favorite models (for quick access) */
     readonly favoriteModels: readonly string[];
+    /** OAuth account ID (e.g. ChatGPT-Account-Id for OpenAI) */
+    readonly oauthAccountId?: string;
     /** Recently used models (last 10) */
     readonly recentModels: readonly string[];
 }
@@ -96,7 +100,9 @@ export declare class ProviderConfig {
      */
     withProviderConnected(providerId: string, options?: {
         activeModel?: string;
+        authMethod?: 'api-key' | 'oauth';
         baseUrl?: string;
+        oauthAccountId?: string;
     }): ProviderConfig;
     /**
      * Create a new config with a provider disconnected.

package/dist/server/core/domain/entities/provider-config.js CHANGED Viewed

@@ -10,10 +10,9 @@
 const isProviderConfigJson = (json) => {
     if (typeof json !== 'object' || json === null)
         return false;
-    const obj = json;
-    if (typeof obj.activeProvider !== 'string')
+    if (!('activeProvider' in json) || typeof json.activeProvider !== 'string')
         return false;
-    if (typeof obj.providers !== 'object' || obj.providers === null)
+    if (!('providers' in json) || typeof json.providers !== 'object' || json.providers === null)
         return false;
     return true;
 };
@@ -164,9 +163,11 @@ export class ProviderConfig {
         const existingConfig = this.providers[providerId];
         const newProviderConfig = {
             activeModel: options?.activeModel ?? existingConfig?.activeModel,
+            authMethod: options?.authMethod ?? existingConfig?.authMethod,
             baseUrl: options?.baseUrl ?? existingConfig?.baseUrl,
             connectedAt: existingConfig?.connectedAt ?? new Date().toISOString(),
             favoriteModels: existingConfig?.favoriteModels ?? [],
+            oauthAccountId: options?.oauthAccountId ?? existingConfig?.oauthAccountId,
             recentModels: existingConfig?.recentModels ?? [],
         };
         return new ProviderConfig({

package/dist/server/core/domain/entities/provider-registry.d.ts CHANGED Viewed

@@ -4,6 +4,44 @@
  * Defines available LLM providers that can be connected to byterover-cli.
  * Inspired by OpenCode's provider system.
  */
+/**
+ * Configuration for a single OAuth authentication mode.
+ */
+export interface OAuthModeConfig {
+    /** Auth URL for this mode */
+    readonly authUrl: string;
+    /** Mode identifier (e.g. 'default', 'pro-max') */
+    readonly id: string;
+    /** Display label (e.g. "Sign in with OpenAI") */
+    readonly label: string;
+}
+/**
+ * OAuth configuration for a provider.
+ */
+export interface ProviderOAuthConfig {
+    /** How the callback is received: local server ('auto') or user pastes code ('code-paste') */
+    readonly callbackMode: 'auto' | 'code-paste';
+    /** Port for local callback server (auto mode only) */
+    readonly callbackPort?: number;
+    /** OAuth client ID */
+    readonly clientId: string;
+    /** Whether to add `code=true` query param to auth URL (code-paste mode only — tells server to display paste-able code) */
+    readonly codeDisplay?: boolean;
+    /** Default model when connected via OAuth (overrides ProviderDefinition.defaultModel) */
+    readonly defaultModel?: string;
+    /** Extra query params appended to the authorization URL (provider-specific) */
+    readonly extraParams?: Readonly<Record<string, string>>;
+    /** Supported OAuth modes (some providers have multiple) */
+    readonly modes: readonly OAuthModeConfig[];
+    /** OAuth redirect URI */
+    readonly redirectUri: string;
+    /** OAuth scopes */
+    readonly scopes: string;
+    /** Token endpoint content type: OpenAI = 'form', Anthropic = 'json' */
+    readonly tokenContentType: 'form' | 'json';
+    /** Token exchange endpoint */
+    readonly tokenUrl: string;
+}
 /**
  * Definition for an LLM provider.
  */
@@ -28,6 +66,8 @@ export interface ProviderDefinition {
     readonly modelsEndpoint: string;
     /** Display name */
     readonly name: string;
+    /** OAuth configuration (only for OAuth-capable providers) */
+    readonly oauth?: ProviderOAuthConfig;
     /** Priority for display order (lower = higher priority) */
     readonly priority: number;
 }
@@ -54,4 +94,4 @@ export declare function getProviderById(id: string): ProviderDefinition | undefi
 /**
  * Check if a provider requires an API key.
  */
-export declare function providerRequiresApiKey(id: string): boolean;
+export declare function providerRequiresApiKey(id: string, authMethod?: 'api-key' | 'oauth'): boolean;

package/dist/server/core/domain/entities/provider-registry.js CHANGED Viewed

@@ -4,6 +4,7 @@
  * Defines available LLM providers that can be connected to byterover-cli.
  * Inspired by OpenCode's provider system.
  */
+import { CHATGPT_OAUTH_ORIGINATOR } from '../../../../shared/constants/oauth.js';
 /**
  * Registry of all available providers.
  * Order by priority for consistent display.
@@ -160,6 +161,26 @@ export const PROVIDER_REGISTRY = {
         id: 'openai',
         modelsEndpoint: '/models',
         name: 'OpenAI',
+        oauth: {
+            callbackMode: 'auto',
+            callbackPort: 1455,
+            // Public OAuth client ID (safe to commit — native app public client, no client secret)
+            clientId: 'app_EMoamEEZ73f0CkXaXp7hrann',
+            // OpenAI Codex model used for the ChatGPT OAuth (Codex CLI) flow
+            defaultModel: 'gpt-5.1-codex-mini',
+            /* eslint-disable camelcase -- OAuth query params follow RFC 6749 naming */
+            extraParams: {
+                codex_cli_simplified_flow: 'true',
+                id_token_add_organizations: 'true',
+                originator: CHATGPT_OAUTH_ORIGINATOR,
+            },
+            /* eslint-enable camelcase */
+            modes: [{ authUrl: 'https://auth.openai.com/oauth/authorize', id: 'default', label: 'Sign in with OpenAI' }],
+            redirectUri: 'http://localhost:1455/auth/callback',
+            scopes: 'openid profile email offline_access',
+            tokenContentType: 'form',
+            tokenUrl: 'https://auth.openai.com/oauth/token',
+        },
         priority: 3,
     },
     'openai-compatible': {
@@ -268,7 +289,9 @@ export function getProviderById(id) {
 /**
  * Check if a provider requires an API key.
  */
-export function providerRequiresApiKey(id) {
+export function providerRequiresApiKey(id, authMethod) {
+    if (authMethod === 'oauth')
+        return false;
     const provider = getProviderById(id);
     if (!provider)
         return false;

package/dist/server/core/domain/errors/task-error.d.ts CHANGED Viewed

@@ -11,6 +11,8 @@ export declare const TaskErrorCode: {
     readonly LLM_RATE_LIMIT: "ERR_LLM_RATE_LIMIT";
     readonly LOCAL_CHANGES_EXIST: "ERR_LOCAL_CHANGES_EXIST";
     readonly NOT_AUTHENTICATED: "ERR_NOT_AUTHENTICATED";
+    readonly OAUTH_REFRESH_FAILED: "ERR_OAUTH_REFRESH_FAILED";
+    readonly OAUTH_TOKEN_EXPIRED: "ERR_OAUTH_TOKEN_EXPIRED";
     readonly PROJECT_NOT_INIT: "ERR_PROJECT_NOT_INIT";
     readonly PROVIDER_NOT_CONFIGURED: "ERR_PROVIDER_NOT_CONFIGURED";
     readonly SPACE_NOT_CONFIGURED: "ERR_SPACE_NOT_CONFIGURED";

package/dist/server/core/domain/errors/task-error.js CHANGED Viewed

@@ -15,6 +15,9 @@ export const TaskErrorCode = {
     LOCAL_CHANGES_EXIST: 'ERR_LOCAL_CHANGES_EXIST',
     // Auth/Init errors
     NOT_AUTHENTICATED: 'ERR_NOT_AUTHENTICATED',
+    // OAuth errors
+    OAUTH_REFRESH_FAILED: 'ERR_OAUTH_REFRESH_FAILED',
+    OAUTH_TOKEN_EXPIRED: 'ERR_OAUTH_TOKEN_EXPIRED',
     // Execution errors
     PROJECT_NOT_INIT: 'ERR_PROJECT_NOT_INIT',
     PROVIDER_NOT_CONFIGURED: 'ERR_PROVIDER_NOT_CONFIGURED',
@@ -100,7 +103,9 @@ export class AgentDisconnectedError extends TaskError {
 }
 export class AgentNotInitializedError extends TaskError {
     constructor(reason) {
-        super(reason ? `Agent failed to initialize: ${reason}` : "Agent failed to initialize. Run 'brv restart' to force a clean restart.", TaskErrorCode.AGENT_NOT_INITIALIZED);
+        super(reason
+            ? `Agent failed to initialize: ${reason}`
+            : "Agent failed to initialize. Run 'brv restart' to force a clean restart.", TaskErrorCode.AGENT_NOT_INITIALIZED);
         this.name = 'AgentNotInitializedError';
     }
 }

package/dist/server/core/domain/transport/schemas.d.ts CHANGED Viewed

@@ -463,6 +463,8 @@ export declare const TransportDaemonEventNames: {
 export interface ProviderConfigResponse {
     activeModel?: string;
     activeProvider: string;
+    /** How the provider was authenticated ('api-key' | 'oauth'). Undefined for internal providers. */
+    authMethod?: 'api-key' | 'oauth';
     maxInputTokens?: number;
     openRouterApiKey?: string;
     provider?: string;