byterover-cli 2.2.0 → 2.3.0

package/dist/server/infra/process/feature-handlers.d.ts

@@ -6,6 +6,7 @@
  */
 import type { IProviderConfigStore } from '../../core/interfaces/i-provider-config-store.js';
 import type { IProviderKeychainStore } from '../../core/interfaces/i-provider-keychain-store.js';
+import type { IProviderOAuthTokenStore } from '../../core/interfaces/i-provider-oauth-token-store.js';
 import type { IProjectRegistry } from '../../core/interfaces/project/i-project-registry.js';
 import type { IAuthStateStore } from '../../core/interfaces/state/i-auth-state-store.js';
 import type { ITransportServer } from '../../core/interfaces/transport/i-transport-server.js';
@@ -18,6 +19,7 @@ export interface FeatureHandlersOptions {
     projectRegistry: IProjectRegistry;
     providerConfigStore: IProviderConfigStore;
     providerKeychainStore: IProviderKeychainStore;
+    providerOAuthTokenStore: IProviderOAuthTokenStore;
     resolveProjectPath: ProjectPathResolver;
     transport: ITransportServer;
 }
@@ -25,4 +27,4 @@ export interface FeatureHandlersOptions {
  * Setup all feature handlers on the transport server.
  * These handlers implement the TUI ↔ Server event contract (auth:*, config:*, status:*, etc.).
  */
-export declare function setupFeatureHandlers({ authStateStore, broadcastToProject, getActiveProjectPaths, log, projectRegistry, providerConfigStore, providerKeychainStore, resolveProjectPath, transport, }: FeatureHandlersOptions): Promise<void>;
+export declare function setupFeatureHandlers({ authStateStore, broadcastToProject, getActiveProjectPaths, log, projectRegistry, providerConfigStore, providerKeychainStore, providerOAuthTokenStore, resolveProjectPath, transport, }: FeatureHandlersOptions): Promise<void>;

package/dist/server/infra/process/feature-handlers.js

@@ -35,7 +35,7 @@ import { HttpUserService } from '../user/http-user-service.js';
  * Setup all feature handlers on the transport server.
  * These handlers implement the TUI ↔ Server event contract (auth:*, config:*, status:*, etc.).
  */
-export async function setupFeatureHandlers({ authStateStore, broadcastToProject, getActiveProjectPaths, log, projectRegistry, providerConfigStore, providerKeychainStore, resolveProjectPath, transport, }) {
+export async function setupFeatureHandlers({ authStateStore, broadcastToProject, getActiveProjectPaths, log, projectRegistry, providerConfigStore, providerKeychainStore, providerOAuthTokenStore, resolveProjectPath, transport, }) {
     const envConfig = getCurrentConfig();
     const tokenStore = createTokenStore();
     const projectConfigStore = new ProjectConfigStore();
@@ -59,8 +59,10 @@ export async function setupFeatureHandlers({ authStateStore, broadcastToProject,
         userService,
     }).setup();
     new ProviderHandler({
+        browserLauncher: new SystemBrowserLauncher(),
         providerConfigStore,
         providerKeychainStore,
+        providerOAuthTokenStore,
         transport,
     }).setup();
     new ModelHandler({

package/dist/server/infra/provider/provider-config-resolver.d.ts

@@ -7,6 +7,8 @@
  */
 import type { IProviderConfigStore } from '../../core/interfaces/i-provider-config-store.js';
 import type { IProviderKeychainStore } from '../../core/interfaces/i-provider-keychain-store.js';
+import type { IProviderOAuthTokenStore } from '../../core/interfaces/i-provider-oauth-token-store.js';
+import type { ITokenRefreshManager } from '../../core/interfaces/i-token-refresh-manager.js';
 import { type ProviderConfigResponse } from '../../core/domain/transport/schemas.js';
 /**
  * Validate provider config integrity at startup.
@@ -19,7 +21,7 @@ import { type ProviderConfigResponse } from '../../core/domain/transport/schemas
  * empty string so the TUI routes to the provider setup flow — bypassing the
  * 'byterover' fallback that withProviderDisconnected() would otherwise apply.
  */
-export declare function clearStaleProviderConfig(providerConfigStore: IProviderConfigStore, providerKeychainStore: IProviderKeychainStore): Promise<void>;
+export declare function clearStaleProviderConfig(providerConfigStore: IProviderConfigStore, providerKeychainStore: IProviderKeychainStore, providerOAuthTokenStore?: IProviderOAuthTokenStore): Promise<void>;
 /**
  * Resolve the active provider's full configuration.
  *
@@ -27,4 +29,4 @@ export declare function clearStaleProviderConfig(providerConfigStore: IProviderC
  * the API key (keychain → env fallback), and maps provider-specific
  * fields (base URL, headers, location, etc.).
  */
-export declare function resolveProviderConfig(providerConfigStore: IProviderConfigStore, providerKeychainStore: IProviderKeychainStore): Promise<ProviderConfigResponse>;
+export declare function resolveProviderConfig(providerConfigStore: IProviderConfigStore, providerKeychainStore: IProviderKeychainStore, tokenRefreshManager?: ITokenRefreshManager): Promise<ProviderConfigResponse>;

package/dist/server/infra/provider/provider-config-resolver.js

@@ -5,8 +5,18 @@
  * for the currently active provider. Used by the daemon state server to serve
  * agent child processes on startup and after provider hot-swap.
  */
+import { CHATGPT_OAUTH_BASE_URL, CHATGPT_OAUTH_ORIGINATOR } from '../../../shared/constants/oauth.js';
 import { getProviderById, providerRequiresApiKey } from '../../core/domain/entities/provider-registry.js';
 import { getProviderApiKeyFromEnv } from './env-provider-detector.js';
+/**
+ * Check if a provider's credential (API key or OAuth access token) is accessible.
+ *
+ * Note: authMethod is intentionally NOT passed to providerRequiresApiKey() here.
+ * OAuth access tokens are stored in the keychain (as the provider's "API key"),
+ * so the keychain check on the next line correctly handles both auth methods.
+ * If an OAuth token expires and the refresh manager (Issue 5) deletes it from
+ * keychain, this function returns false — correctly marking the provider as stale.
+ */
 async function isProviderCredentialAccessible(providerId, providerKeychainStore) {
     if (!providerRequiresApiKey(providerId))
         return true;
@@ -23,7 +33,7 @@ async function isProviderCredentialAccessible(providerId, providerKeychainStore)
  * empty string so the TUI routes to the provider setup flow — bypassing the
  * 'byterover' fallback that withProviderDisconnected() would otherwise apply.
  */
-export async function clearStaleProviderConfig(providerConfigStore, providerKeychainStore) {
+export async function clearStaleProviderConfig(providerConfigStore, providerKeychainStore, providerOAuthTokenStore) {
     try {
         const config = await providerConfigStore.read();
         const results = await Promise.all(Object.keys(config.providers).map(async (providerId) => ({
@@ -46,6 +56,11 @@ export async function clearStaleProviderConfig(providerConfigStore, providerKeyc
             newConfig = newConfig.withActiveProvider('');
         }
         await providerConfigStore.write(newConfig);
+        // Clean up orphaned OAuth tokens for stale providers (consistent with
+        // the 3-store cleanup in TokenRefreshManager and ProviderHandler.setupDisconnect)
+        if (providerOAuthTokenStore) {
+            await Promise.all(staleProviderIds.map((id) => providerOAuthTokenStore.delete(id).catch(() => { })));
+        }
     }
     catch {
         // Non-critical: if validation fails, daemon continues normally.
@@ -59,7 +74,7 @@ export async function clearStaleProviderConfig(providerConfigStore, providerKeyc
  * the API key (keychain → env fallback), and maps provider-specific
  * fields (base URL, headers, location, etc.).
  */
-export async function resolveProviderConfig(providerConfigStore, providerKeychainStore) {
+export async function resolveProviderConfig(providerConfigStore, providerKeychainStore, tokenRefreshManager) {
     const config = await providerConfigStore.read();
     const { activeProvider } = config;
     const activeModel = config.getActiveModel(activeProvider);
@@ -96,16 +111,56 @@ export async function resolveProviderConfig(providerConfigStore, providerKeychai
         }
         default: {
             const providerDef = getProviderById(activeProvider);
+            const providerConfig = config.providers[activeProvider];
+            if (!providerConfig) {
+                return { activeModel, activeProvider, maxInputTokens };
+            }
+            const { authMethod } = providerConfig;
+            // Attempt OAuth token refresh if provider is OAuth-connected
+            if (authMethod === 'oauth' && tokenRefreshManager) {
+                try {
+                    const refreshed = await tokenRefreshManager.refreshIfNeeded(activeProvider);
+                    if (!refreshed) {
+                        return { activeModel, activeProvider, authMethod, maxInputTokens, providerKeyMissing: true };
+                    }
+                    // Re-read API key after potential refresh
+                    apiKey = (await providerKeychainStore.getApiKey(activeProvider)) ?? apiKey;
+                }
+                catch {
+                    return { activeModel, activeProvider, authMethod, maxInputTokens, providerKeyMissing: true };
+                }
+            }
+            // OAuth-connected OpenAI: use Codex endpoint + required headers
+            if (activeProvider === 'openai' && authMethod === 'oauth') {
+                const codexHeaders = {
+                    originator: CHATGPT_OAUTH_ORIGINATOR,
+                };
+                if (providerConfig.oauthAccountId) {
+                    codexHeaders['ChatGPT-Account-Id'] = providerConfig.oauthAccountId;
+                }
+                return {
+                    activeModel,
+                    activeProvider,
+                    authMethod,
+                    maxInputTokens,
+                    provider: activeProvider,
+                    providerApiKey: apiKey || undefined,
+                    providerBaseUrl: CHATGPT_OAUTH_BASE_URL,
+                    providerHeaders: codexHeaders,
+                    providerKeyMissing: providerRequiresApiKey(activeProvider, authMethod) && !apiKey,
+                };
+            }
             const headers = providerDef?.headers;
             return {
                 activeModel,
                 activeProvider,
+                authMethod,
                 maxInputTokens,
                 provider: activeProvider,
                 providerApiKey: apiKey || undefined,
-                providerBaseUrl: providerDef?.baseUrl || undefined,
+                providerBaseUrl: config.getBaseUrl(activeProvider) || providerDef?.baseUrl || undefined,
                 providerHeaders: headers && Object.keys(headers).length > 0 ? { ...headers } : undefined,
-                providerKeyMissing: providerRequiresApiKey(activeProvider) && !apiKey,
+                providerKeyMissing: providerRequiresApiKey(activeProvider, authMethod) && !apiKey,
             };
         }
     }

package/dist/server/infra/provider-oauth/callback-server.d.ts

@@ -0,0 +1,24 @@
+import type { ProviderCallbackResult } from './types.js';
+type ProviderCallbackServerOptions = {
+    callbackPath?: string;
+    port: number;
+};
+export declare class ProviderCallbackServer {
+    private readonly callbackPath;
+    private readonly connections;
+    private isStopping;
+    private onCallback;
+    private onError;
+    private pendingTimeout;
+    private readonly port;
+    private server;
+    constructor(options: ProviderCallbackServerOptions);
+    getAddress(): undefined | {
+        port: number;
+    };
+    start(): Promise<number>;
+    stop(): Promise<void>;
+    waitForCallback(expectedState: string, timeoutMs?: number): Promise<ProviderCallbackResult>;
+    private handleRequest;
+}
+export {};

package/dist/server/infra/provider-oauth/callback-server.js

@@ -0,0 +1,203 @@
+import http from 'node:http';
+import { OAUTH_CALLBACK_TIMEOUT_MS } from '../../../shared/constants/oauth.js';
+import { ProviderCallbackOAuthError, ProviderCallbackStateError, ProviderCallbackTimeoutError, ProviderOAuthError, } from './errors.js';
+const DEFAULT_CALLBACK_PATH = '/auth/callback';
+const SUCCESS_HTML = `<!DOCTYPE html>
+<html>
+<head>
+  <title>ByteRover - Authorization Successful</title>
+  <style>
+    body { font-family: 'Plus Jakarta Sans', system-ui, -apple-system, sans-serif; display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0; background: #0f0f0f; color: #e5e5e5; }
+    .container { text-align: center; padding: 2rem; }
+    h1 { color: #17b26a; margin-bottom: 1rem; }
+    p { color: #a3a3a3; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <h1>Authorization Successful</h1>
+    <p>You can close this window and return to ByteRover.</p>
+  </div>
+  <script>setTimeout(() => window.close(), 2000);</script>
+</body>
+</html>`;
+function errorHtml(message) {
+    return `<!DOCTYPE html>
+<html>
+<head>
+  <title>ByteRover - Authorization Failed</title>
+  <style>
+    body { font-family: 'Plus Jakarta Sans', system-ui, -apple-system, sans-serif; display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0; background: #0f0f0f; color: #e5e5e5; }
+    .container { text-align: center; padding: 2rem; }
+    h1 { color: #f87171; margin-bottom: 1rem; }
+    p { color: #a3a3a3; }
+    .error { color: #fca5a5; font-family: monospace; margin-top: 1rem; padding: 1rem; background: rgba(248,113,113,0.1); border-radius: 0.5rem; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <h1>Authorization Failed</h1>
+    <p>An error occurred during authorization.</p>
+    <div class="error">${escapeHtml(message)}</div>
+  </div>
+</body>
+</html>`;
+}
+function escapeHtml(text) {
+    return text
+        .replaceAll('&', '&amp;')
+        .replaceAll('<', '&lt;')
+        .replaceAll('>', '&gt;')
+        .replaceAll('"', '&quot;')
+        .replaceAll("'", '&#39;');
+}
+export class ProviderCallbackServer {
+    callbackPath;
+    connections = new Set();
+    isStopping = false;
+    onCallback;
+    onError;
+    pendingTimeout;
+    port;
+    server = undefined;
+    constructor(options) {
+        this.port = options.port;
+        this.callbackPath = options.callbackPath ?? DEFAULT_CALLBACK_PATH;
+    }
+    getAddress() {
+        const address = this.server?.address();
+        if (address !== null && address !== undefined && typeof address !== 'string') {
+            return { port: address.port };
+        }
+        return undefined;
+    }
+    async start() {
+        const address = this.getAddress();
+        if (address !== undefined) {
+            return address.port;
+        }
+        return new Promise((resolve, reject) => {
+            this.server = http.createServer((req, res) => {
+                this.handleRequest(req, res);
+            });
+            this.server.on('connection', (conn) => {
+                this.connections.add(conn);
+                conn.on('close', () => {
+                    this.connections.delete(conn);
+                });
+            });
+            this.server.on('error', reject);
+            this.server.listen(this.port, '127.0.0.1', () => {
+                const address = this.server?.address();
+                if (address !== null && address !== undefined && typeof address !== 'string') {
+                    resolve(address.port);
+                }
+                else {
+                    reject(new Error('Failed to start provider callback server'));
+                }
+            });
+        });
+    }
+    async stop() {
+        if (this.isStopping)
+            return;
+        this.isStopping = true;
+        // Reject any pending waitForCallback promise so consumers don't hang
+        this.onError?.(new ProviderOAuthError('Callback server was stopped'));
+        this.onCallback = undefined;
+        this.onError = undefined;
+        if (this.pendingTimeout !== undefined) {
+            clearTimeout(this.pendingTimeout);
+            this.pendingTimeout = undefined;
+        }
+        return new Promise((resolve) => {
+            if (this.server === undefined) {
+                this.isStopping = false;
+                resolve();
+                return;
+            }
+            for (const conn of this.connections) {
+                conn.destroy();
+            }
+            this.connections.clear();
+            this.server.close(() => {
+                this.server = undefined;
+                this.isStopping = false;
+                resolve();
+            });
+        });
+    }
+    waitForCallback(expectedState, timeoutMs = OAUTH_CALLBACK_TIMEOUT_MS) {
+        if (this.onCallback !== undefined) {
+            return Promise.reject(new ProviderOAuthError('A callback is already pending'));
+        }
+        const promise = new Promise((resolve, reject) => {
+            let settled = false;
+            this.pendingTimeout = setTimeout(() => {
+                if (!settled) {
+                    settled = true;
+                    this.pendingTimeout = undefined;
+                    reject(new ProviderCallbackTimeoutError(timeoutMs));
+                }
+            }, timeoutMs);
+            this.onCallback = (code, state) => {
+                if (settled)
+                    return;
+                clearTimeout(this.pendingTimeout);
+                this.pendingTimeout = undefined;
+                if (state !== expectedState) {
+                    settled = true;
+                    reject(new ProviderCallbackStateError());
+                    return;
+                }
+                settled = true;
+                resolve({ code, state });
+            };
+            this.onError = (error) => {
+                if (settled)
+                    return;
+                clearTimeout(this.pendingTimeout);
+                this.pendingTimeout = undefined;
+                settled = true;
+                reject(error);
+            };
+        });
+        // Auto-close server after callback or timeout (ticket requirement)
+        const autoClose = () => this.stop();
+        promise.then(autoClose, autoClose);
+        return promise;
+    }
+    handleRequest(req, res) {
+        const url = new URL(req.url ?? '/', `http://localhost:${this.port}`);
+        if (url.pathname !== this.callbackPath) {
+            res.writeHead(404);
+            res.end('Not found');
+            return;
+        }
+        const error = url.searchParams.get('error');
+        const errorDescription = url.searchParams.get('error_description');
+        const code = url.searchParams.get('code');
+        const state = url.searchParams.get('state');
+        if (error !== null) {
+            res.writeHead(400, { 'Content-Type': 'text/html' });
+            res.end(errorHtml(errorDescription ?? error));
+            this.onError?.(new ProviderCallbackOAuthError(error, errorDescription ?? undefined));
+            this.onCallback = undefined;
+            this.onError = undefined;
+            return;
+        }
+        if (code === null || state === null) {
+            res.writeHead(400, { 'Content-Type': 'text/html' });
+            res.end(errorHtml('Missing code or state parameter'));
+            this.onError?.(new ProviderOAuthError('Missing code or state parameter'));
+            this.onCallback = undefined;
+            this.onError = undefined;
+            return;
+        }
+        res.writeHead(200, { 'Content-Type': 'text/html' });
+        res.end(SUCCESS_HTML);
+        this.onCallback?.(code, state);
+        this.onCallback = undefined;
+        this.onError = undefined;
+    }
+}

package/dist/server/infra/provider-oauth/errors.d.ts

@@ -0,0 +1,39 @@
+export declare class ProviderOAuthError extends Error {
+    constructor(message: string);
+}
+export declare class ProviderCallbackTimeoutError extends ProviderOAuthError {
+    readonly timeoutMs: number;
+    constructor(timeoutMs: number);
+}
+export declare class ProviderCallbackStateError extends ProviderOAuthError {
+    constructor();
+}
+export declare class ProviderCallbackOAuthError extends ProviderOAuthError {
+    readonly errorCode: string;
+    constructor(errorCode: string, errorDescription?: string);
+}
+export declare class ProviderTokenExchangeError extends ProviderOAuthError {
+    readonly errorCode?: string;
+    readonly statusCode?: number;
+    constructor(params: {
+        errorCode?: string;
+        message: string;
+        statusCode?: number;
+    });
+}
+/**
+ * Extracts OAuth error fields from an unknown error response body.
+ * Shared by token-exchange and refresh-token-exchange.
+ */
+export declare function extractOAuthErrorFields(data: unknown): {
+    error?: string;
+    error_description?: string;
+};
+/**
+ * Checks whether an OAuth token refresh error is permanent (token revoked, client invalid)
+ * vs. transient (network timeout, server error).
+ *
+ * Permanent errors require disconnecting the provider and re-authenticating.
+ * Transient errors should preserve credentials so the existing access token can still be used.
+ */
+export declare function isPermanentOAuthError(error: unknown): boolean;

package/dist/server/infra/provider-oauth/errors.js

@@ -0,0 +1,76 @@
+export class ProviderOAuthError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'ProviderOAuthError';
+    }
+}
+export class ProviderCallbackTimeoutError extends ProviderOAuthError {
+    timeoutMs;
+    constructor(timeoutMs) {
+        super(`OAuth callback timed out after ${timeoutMs}ms`);
+        this.name = 'ProviderCallbackTimeoutError';
+        this.timeoutMs = timeoutMs;
+    }
+}
+export class ProviderCallbackStateError extends ProviderOAuthError {
+    constructor() {
+        super('OAuth callback state mismatch — possible CSRF attack');
+        this.name = 'ProviderCallbackStateError';
+    }
+}
+export class ProviderCallbackOAuthError extends ProviderOAuthError {
+    errorCode;
+    constructor(errorCode, errorDescription) {
+        super(errorDescription ?? `OAuth provider returned error: ${errorCode}`);
+        this.name = 'ProviderCallbackOAuthError';
+        this.errorCode = errorCode;
+    }
+}
+export class ProviderTokenExchangeError extends ProviderOAuthError {
+    errorCode;
+    statusCode;
+    constructor(params) {
+        super(params.message);
+        this.name = 'ProviderTokenExchangeError';
+        this.errorCode = params.errorCode;
+        this.statusCode = params.statusCode;
+    }
+}
+/**
+ * Extracts OAuth error fields from an unknown error response body.
+ * Shared by token-exchange and refresh-token-exchange.
+ */
+export function extractOAuthErrorFields(data) {
+    if (typeof data !== 'object' || data === null) {
+        return {};
+    }
+    return {
+        error: 'error' in data && typeof data.error === 'string' ? data.error : undefined,
+        // eslint-disable-next-line camelcase
+        error_description: 'error_description' in data && typeof data.error_description === 'string' ? data.error_description : undefined,
+    };
+}
+/**
+ * Checks whether an OAuth token refresh error is permanent (token revoked, client invalid)
+ * vs. transient (network timeout, server error).
+ *
+ * Permanent errors require disconnecting the provider and re-authenticating.
+ * Transient errors should preserve credentials so the existing access token can still be used.
+ */
+export function isPermanentOAuthError(error) {
+    if (!(error instanceof ProviderTokenExchangeError)) {
+        return false;
+    }
+    // 401/403 are unconditionally permanent (credentials rejected)
+    if (error.statusCode && [401, 403].includes(error.statusCode)) {
+        return true;
+    }
+    // 400 is only permanent when the OAuth error code explicitly indicates it.
+    // A 400 with an unknown or transient error code (e.g. temporarily_unavailable)
+    // should preserve credentials so the existing access token can still be used.
+    const permanentErrorCodes = new Set(['invalid_client', 'invalid_grant', 'unauthorized_client']);
+    if (error.errorCode && permanentErrorCodes.has(error.errorCode)) {
+        return true;
+    }
+    return false;
+}

package/dist/server/infra/provider-oauth/index.d.ts

@@ -0,0 +1,9 @@
+export * from './callback-server.js';
+export * from './errors.js';
+export * from './jwt-utils.js';
+export * from './pkce-service.js';
+export * from './provider-oauth-token-store.js';
+export * from './refresh-token-exchange.js';
+export * from './token-exchange.js';
+export * from './token-refresh-manager.js';
+export * from './types.js';

package/dist/server/infra/provider-oauth/index.js

@@ -0,0 +1,9 @@
+export * from './callback-server.js';
+export * from './errors.js';
+export * from './jwt-utils.js';
+export * from './pkce-service.js';
+export * from './provider-oauth-token-store.js';
+export * from './refresh-token-exchange.js';
+export * from './token-exchange.js';
+export * from './token-refresh-manager.js';
+export * from './types.js';

package/dist/server/infra/provider-oauth/jwt-utils.d.ts

@@ -0,0 +1,17 @@
+/**
+ * JWT Utilities for Provider OAuth
+ *
+ * Parses provider-specific claims from OAuth id_tokens.
+ * Uses manual base64url decoding — no external JWT library needed.
+ */
+/**
+ * Extracts the ChatGPT Account ID from an OpenAI id_token.
+ *
+ * Checks claims in priority order:
+ * 1. `chatgpt_account_id` (top-level claim)
+ * 2. `["https://api.openai.com/auth"].chatgpt_account_id` (nested claim)
+ * 3. `organizations[0].id` (fallback)
+ *
+ * @returns The account ID string, or undefined if not found or token is malformed
+ */
+export declare function parseAccountIdFromIdToken(idToken: string): string | undefined;

package/dist/server/infra/provider-oauth/jwt-utils.js

@@ -0,0 +1,51 @@
+/**
+ * JWT Utilities for Provider OAuth
+ *
+ * Parses provider-specific claims from OAuth id_tokens.
+ * Uses manual base64url decoding — no external JWT library needed.
+ */
+function isRecord(value) {
+    return typeof value === 'object' && value !== null && !Array.isArray(value);
+}
+/**
+ * Extracts the ChatGPT Account ID from an OpenAI id_token.
+ *
+ * Checks claims in priority order:
+ * 1. `chatgpt_account_id` (top-level claim)
+ * 2. `["https://api.openai.com/auth"].chatgpt_account_id` (nested claim)
+ * 3. `organizations[0].id` (fallback)
+ *
+ * @returns The account ID string, or undefined if not found or token is malformed
+ */
+export function parseAccountIdFromIdToken(idToken) {
+    try {
+        const parts = idToken.split('.');
+        if (parts.length < 2 || !parts[1])
+            return undefined;
+        const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
+        if (!isRecord(payload))
+            return undefined;
+        // 1. Top-level claim
+        if (typeof payload.chatgpt_account_id === 'string' && payload.chatgpt_account_id) {
+            return payload.chatgpt_account_id;
+        }
+        // 2. Nested claim under OpenAI auth namespace
+        const authNamespace = payload['https://api.openai.com/auth'];
+        if (isRecord(authNamespace) &&
+            typeof authNamespace.chatgpt_account_id === 'string' &&
+            authNamespace.chatgpt_account_id) {
+            return authNamespace.chatgpt_account_id;
+        }
+        // 3. Organizations fallback
+        if (Array.isArray(payload.organizations) && payload.organizations.length > 0) {
+            const org = payload.organizations[0];
+            if (isRecord(org) && typeof org.id === 'string' && org.id) {
+                return org.id;
+            }
+        }
+        return undefined;
+    }
+    catch {
+        return undefined;
+    }
+}

package/dist/server/infra/provider-oauth/pkce-service.d.ts

@@ -0,0 +1,22 @@
+import type { PkceParameters } from './types.js';
+/**
+ * Generates a cryptographically secure PKCE code verifier.
+ * Output is 43 characters (base64url encoding of 32 random bytes).
+ * Meets the OAuth 2.0 PKCE spec requirement of 43-128 characters.
+ */
+export declare function generateCodeVerifier(): string;
+/**
+ * Generates S256 code challenge from a code verifier.
+ * SHA-256 hash of the verifier, base64url-encoded.
+ */
+export declare function generateCodeChallenge(codeVerifier: string): string;
+/**
+ * Generates a cryptographically secure state parameter for CSRF protection.
+ * Output is 22 characters (base64url encoding of 16 random bytes).
+ */
+export declare function generateState(): string;
+/**
+ * Generates a complete set of PKCE parameters for an authorization request.
+ * Convenience function combining verifier, challenge, and state generation.
+ */
+export declare function generatePkce(): PkceParameters;

package/dist/server/infra/provider-oauth/pkce-service.js

@@ -0,0 +1,33 @@
+import crypto from 'node:crypto';
+/**
+ * Generates a cryptographically secure PKCE code verifier.
+ * Output is 43 characters (base64url encoding of 32 random bytes).
+ * Meets the OAuth 2.0 PKCE spec requirement of 43-128 characters.
+ */
+export function generateCodeVerifier() {
+    return crypto.randomBytes(32).toString('base64url');
+}
+/**
+ * Generates S256 code challenge from a code verifier.
+ * SHA-256 hash of the verifier, base64url-encoded.
+ */
+export function generateCodeChallenge(codeVerifier) {
+    return crypto.createHash('sha256').update(codeVerifier).digest('base64url');
+}
+/**
+ * Generates a cryptographically secure state parameter for CSRF protection.
+ * Output is 22 characters (base64url encoding of 16 random bytes).
+ */
+export function generateState() {
+    return crypto.randomBytes(16).toString('base64url');
+}
+/**
+ * Generates a complete set of PKCE parameters for an authorization request.
+ * Convenience function combining verifier, challenge, and state generation.
+ */
+export function generatePkce() {
+    const codeVerifier = generateCodeVerifier();
+    const codeChallenge = generateCodeChallenge(codeVerifier);
+    const state = generateState();
+    return { codeChallenge, codeVerifier, state };
+}