npm - coding-tool-x - Versions diffs - 3.3.7 → 3.3.9 - Mend

coding-tool-x 3.3.7 → 3.3.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (89) hide show

package/CHANGELOG.md +20 -0
package/README.md +253 -326
package/dist/web/assets/{Analytics-IW6eAy9u.js → Analytics-D6LzK9hk.js} +1 -1
package/dist/web/assets/{ConfigTemplates-BPtkTMSc.js → ConfigTemplates-BUDYuxRi.js} +1 -1
package/dist/web/assets/Home-BQxQ1LhR.css +1 -0
package/dist/web/assets/Home-D7KX7iF8.js +1 -0
package/dist/web/assets/{PluginManager-BGx9MSDV.js → PluginManager-DTgQ--vB.js} +1 -1
package/dist/web/assets/{ProjectList-BCn-mrCx.js → ProjectList-DMCiGmCT.js} +1 -1
package/dist/web/assets/{SessionList-CzLfebJQ.js → SessionList-CRBsdVRe.js} +1 -1
package/dist/web/assets/{SkillManager-CXz2vBQx.js → SkillManager-DMwx2Q4k.js} +1 -1
package/dist/web/assets/{WorkspaceManager-CHtgMfKc.js → WorkspaceManager-DapB4ljL.js} +1 -1
package/dist/web/assets/{icons-B29onFfZ.js → icons-B5Pl4lrD.js} +1 -1
package/dist/web/assets/index-CL-qpoJ_.js +2 -0
package/dist/web/assets/index-D_5dRFOL.css +1 -0
package/dist/web/assets/{markdown-C9MYpaSi.js → markdown-DyTJGI4N.js} +1 -1
package/dist/web/assets/{naive-ui-CxpuzdjU.js → naive-ui-Bdxp09n2.js} +1 -1
package/dist/web/assets/{vendors-DMjSfzlv.js → vendors-CKPV1OAU.js} +2 -2
package/dist/web/assets/{vue-vendor-DET08QYg.js → vue-vendor-3bf-fPGP.js} +1 -1
package/dist/web/index.html +7 -7
package/docs/home.png +0 -0
package/package.json +14 -5
package/src/commands/daemon.js +3 -2
package/src/commands/security.js +1 -2
package/src/commands/toggle-proxy.js +100 -5
package/src/config/paths.js +718 -90
package/src/server/api/agents.js +1 -1
package/src/server/api/channels.js +9 -0
package/src/server/api/claude-hooks.js +13 -8
package/src/server/api/codex-channels.js +9 -0
package/src/server/api/codex-proxy.js +27 -15
package/src/server/api/gemini-proxy.js +22 -11
package/src/server/api/hooks.js +45 -0
package/src/server/api/oauth-credentials.js +163 -0
package/src/server/api/opencode-proxy.js +22 -10
package/src/server/api/plugins.js +2 -1
package/src/server/api/proxy.js +39 -44
package/src/server/api/skills.js +91 -13
package/src/server/api/ui-config.js +5 -0
package/src/server/codex-proxy-server.js +90 -70
package/src/server/gemini-proxy-server.js +107 -88
package/src/server/index.js +2 -0
package/src/server/opencode-proxy-server.js +381 -225
package/src/server/proxy-server.js +86 -60
package/src/server/services/alias.js +3 -3
package/src/server/services/channels.js +21 -24
package/src/server/services/codex-channels.js +158 -255
package/src/server/services/codex-config.js +2 -5
package/src/server/services/codex-env-manager.js +423 -0
package/src/server/services/codex-settings-manager.js +21 -357
package/src/server/services/codex-statistics-service.js +3 -27
package/src/server/services/config-export-service.js +43 -9
package/src/server/services/config-registry-service.js +3 -2
package/src/server/services/config-sync-manager.js +1 -1
package/src/server/services/favorites.js +4 -3
package/src/server/services/gemini-channels.js +14 -12
package/src/server/services/gemini-statistics-service.js +3 -25
package/src/server/services/mcp-service.js +35 -19
package/src/server/services/model-detector.js +4 -3
package/src/server/services/native-keychain.js +243 -0
package/src/server/services/native-oauth-adapters.js +891 -0
package/src/server/services/network-access.js +39 -1
package/src/server/services/notification-hooks.js +951 -0
package/src/server/services/oauth-credentials-service.js +786 -0
package/src/server/services/oauth-utils.js +49 -0
package/src/server/services/opencode-channels.js +19 -15
package/src/server/services/opencode-sessions.js +2 -2
package/src/server/services/opencode-settings-manager.js +169 -16
package/src/server/services/opencode-statistics-service.js +3 -27
package/src/server/services/plugins-service.js +115 -15
package/src/server/services/prompts-service.js +2 -3
package/src/server/services/proxy-log-helper.js +242 -0
package/src/server/services/proxy-runtime.js +6 -4
package/src/server/services/repo-scanner-base.js +12 -4
package/src/server/services/request-logger.js +7 -7
package/src/server/services/security-config.js +4 -4
package/src/server/services/session-cache.js +2 -2
package/src/server/services/sessions.js +2 -2
package/src/server/services/settings-manager.js +13 -0
package/src/server/services/skill-service.js +867 -368
package/src/server/services/statistics-service.js +5 -5
package/src/server/services/ui-config.js +4 -3
package/src/server/services/workspace-service.js +1 -1
package/src/server/websocket-server.js +5 -4
package/dist/web/assets/Home-BsSioaaB.css +0 -1
package/dist/web/assets/Home-obifg_9E.js +0 -1
package/dist/web/assets/index-C7LPdVsN.js +0 -2
package/dist/web/assets/index-eEmjZKWP.css +0 -1
package/docs/bannel.png +0 -0
package/docs/model-redirection.md +0 -251

package/src/server/services/native-oauth-adapters.js ADDED Viewed

@@ -0,0 +1,891 @@
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const crypto = require('crypto');
+const toml = require('toml');
+const tomlStringify = require('@iarna/toml').stringify;
+const { NATIVE_PATHS, PATHS } = require('../../config/paths');
+const claudeSettingsManager = require('./settings-manager');
+const codexSettingsManager = require('./codex-settings-manager');
+const geminiSettingsManager = require('./gemini-settings-manager');
+const opencodeSettingsManager = require('./opencode-settings-manager');
+const { syncCodexUserEnvironment } = require('./codex-env-manager');
+const nativeKeychain = require('./native-keychain');
+const { maskToken, decodeJwtPayload, removeFileIfExists, sha256 } = require('./oauth-utils');
+const SUPPORTED_TOOLS = ['claude', 'codex', 'gemini', 'opencode'];
+const GEMINI_MAIN_ACCOUNT_KEY = 'main-account';
+const GEMINI_KEYCHAIN_SERVICE = 'gemini-cli-oauth';
+const CODEX_KEYCHAIN_SERVICE = 'Codex Auth';
+function ensureDir(dirPath) {
+  if (!dirPath) return;
+  fs.mkdirSync(dirPath, { recursive: true });
+}
+function ensureFileMode(filePath, mode = 0o600) {
+  if (process.platform === 'win32') {
+    return;
+  }
+  try {
+    fs.chmodSync(filePath, mode);
+  } catch {
+    // ignore chmod failures
+  }
+}
+function writeJsonFile(filePath, value) {
+  ensureDir(path.dirname(filePath));
+  fs.writeFileSync(filePath, JSON.stringify(value, null, 2), 'utf8');
+  ensureFileMode(filePath);
+}
+function readJsonFile(filePath, fallback = null) {
+  try {
+    if (!fs.existsSync(filePath)) {
+      return fallback;
+    }
+    return JSON.parse(fs.readFileSync(filePath, 'utf8'));
+  } catch {
+    return fallback;
+  }
+}
+function fingerprintFor(tool, value) {
+  return sha256(`${tool}:${value || ''}`);
+}
+function loadChannelsFile(tool) {
+  const filePath = PATHS.channels?.[tool];
+  const payload = readJsonFile(filePath, { channels: [] });
+  return Array.isArray(payload?.channels) ? payload.channels : [];
+}
+function buildNativeSummary(data = {}) {
+  return {
+    providerId: data.providerId || '',
+    accountId: data.accountId || '',
+    accountEmail: data.accountEmail || '',
+    expiresAt: data.expiresAt || null,
+    storage: data.storage || '',
+    tokenPreview: maskToken(data.primaryToken || data.accessToken || ''),
+    lastRefresh: data.lastRefresh || null
+  };
+}
+function parseClaudeOAuthPayload(raw) {
+  const parsed = raw?.claudeAiOauth && typeof raw.claudeAiOauth === 'object'
+    ? raw.claudeAiOauth
+    : raw;
+  if (!parsed || typeof parsed !== 'object') {
+    return null;
+  }
+  const accessToken = String(
+    parsed.accessToken
+      || parsed.access_token
+      || parsed.authToken
+      || parsed.token
+      || ''
+  ).trim();
+  if (!accessToken) {
+    return null;
+  }
+  return {
+    accessToken,
+    refreshToken: String(parsed.refreshToken || parsed.refresh_token || '').trim() || '',
+    expiresAt: Number(parsed.expiresAt || parsed.expiryDate || parsed.expiry_date || 0) || null,
+    primaryToken: accessToken
+  };
+}
+function getClaudeKeychainServiceName() {
+  const oauthSuffix = process.env.CLAUDE_CODE_CUSTOM_OAUTH_URL ? '-custom-oauth' : '';
+  const customConfigDir = process.env.CLAUDE_CONFIG_DIR ? NATIVE_PATHS.claude.dir : '';
+  const suffix = customConfigDir ? `-${sha256(customConfigDir).slice(0, 8)}` : '';
+  return `Claude Code${oauthSuffix}-credentials${suffix}`;
+}
+function getClaudeKeychainAccountName() {
+  return process.env.USER || os.userInfo().username;
+}
+function readClaudeNativeOAuth() {
+  const keychainRaw = nativeKeychain.isSupported()
+    ? nativeKeychain.getPassword(getClaudeKeychainServiceName(), getClaudeKeychainAccountName())
+    : null;
+  if (keychainRaw) {
+    const parsed = parseClaudeOAuthPayload(readJsonFileFromString(keychainRaw));
+    if (parsed) {
+      return { ...parsed, storage: 'keychain' };
+    }
+  }
+  const filePayload = readJsonFile(NATIVE_PATHS.claude.credentials, null);
+  const parsedFile = parseClaudeOAuthPayload(filePayload);
+  if (parsedFile) {
+    return { ...parsedFile, storage: 'file' };
+  }
+  return null;
+}
+function clearClaudeOAuth() {
+  if (nativeKeychain.isSupported()) {
+    nativeKeychain.deletePassword(getClaudeKeychainServiceName(), getClaudeKeychainAccountName());
+  }
+  removeFileIfExists(NATIVE_PATHS.claude.credentials);
+  let settings = {};
+  try {
+    settings = claudeSettingsManager.settingsExists()
+      ? claudeSettingsManager.readSettings()
+      : {};
+  } catch {
+    settings = {};
+  }
+  settings.env = settings.env || {};
+  delete settings.env.ANTHROPIC_AUTH_TOKEN;
+  delete settings.env.CLAUDE_CODE_OAUTH_TOKEN;
+  claudeSettingsManager.writeSettings(settings);
+}
+function applyClaudeOAuth(credential) {
+  clearClaudeOAuth();
+  let settings = {};
+  try {
+    settings = claudeSettingsManager.settingsExists()
+      ? claudeSettingsManager.readSettings()
+      : {};
+  } catch {
+    settings = {};
+  }
+  settings.env = settings.env || {};
+  delete settings.env.ANTHROPIC_API_KEY;
+  delete settings.env.ANTHROPIC_BASE_URL;
+  delete settings.env.ANTHROPIC_MODEL;
+  delete settings.env.ANTHROPIC_DEFAULT_HAIKU_MODEL;
+  delete settings.env.ANTHROPIC_DEFAULT_SONNET_MODEL;
+  delete settings.env.ANTHROPIC_DEFAULT_OPUS_MODEL;
+  // 不删除 HTTP_PROXY / HTTPS_PROXY / NO_PROXY，这些是与 OAuth 无关的通用网络配置
+  delete settings.apiKeyHelper;
+  const wrappedPayload = {
+    claudeAiOauth: {
+      accessToken: credential.accessToken,
+      refreshToken: credential.refreshToken || undefined,
+      expiresAt: credential.expiresAt || undefined
+    }
+  };
+  const rawPayload = JSON.stringify(wrappedPayload);
+  const wroteKeychain = nativeKeychain.isSupported()
+    ? nativeKeychain.setPassword(getClaudeKeychainServiceName(), getClaudeKeychainAccountName(), rawPayload)
+    : false;
+  if (!wroteKeychain) {
+    writeJsonFile(NATIVE_PATHS.claude.credentials, wrappedPayload);
+  }
+  claudeSettingsManager.writeSettings(settings);
+  return { storage: wroteKeychain ? 'keychain' : 'file' };
+}
+function inspectClaudeState() {
+  const { getProxyStatus } = require('../proxy-server');
+  const proxyStatus = getProxyStatus();
+  const nativeOAuth = readClaudeNativeOAuth();
+  let channelConfigured = false;
+  try {
+    const settings = claudeSettingsManager.settingsExists()
+      ? claudeSettingsManager.readSettings()
+      : {};
+    const env = settings?.env || {};
+    channelConfigured = Boolean(
+      String(env.ANTHROPIC_API_KEY || '').trim()
+      || String(env.ANTHROPIC_BASE_URL || '').trim()
+      || String(settings.apiKeyHelper || '').trim()
+    );
+  } catch {
+    channelConfigured = false;
+  }
+  return {
+    tool: 'claude',
+    mode: proxyStatus.running ? 'proxy' : (nativeOAuth ? 'oauth' : (channelConfigured ? 'channel' : 'idle')),
+    proxyRunning: proxyStatus.running,
+    oauthPresent: Boolean(nativeOAuth),
+    channelConfigured,
+    nativeCredential: nativeOAuth ? buildNativeSummary(nativeOAuth) : null
+  };
+}
+function readJsonFileFromString(raw) {
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function getCodexKeychainAccount() {
+  const codexHome = NATIVE_PATHS.codex.dir;
+  const resolvedPath = fs.existsSync(codexHome)
+    ? fs.realpathSync.native(codexHome)
+    : path.resolve(codexHome);
+  return `cli|${sha256(resolvedPath).slice(0, 16)}`;
+}
+function parseCodexAuthPayload(raw) {
+  if (!raw || typeof raw !== 'object') {
+    return null;
+  }
+  const auth = raw.tokens ? raw : {
+    auth_mode: 'chatgpt',
+    tokens: raw
+  };
+  const tokens = auth.tokens && typeof auth.tokens === 'object' ? auth.tokens : null;
+  if (!tokens || !tokens.access_token) {
+    return null;
+  }
+  const idTokenPayload = decodeJwtPayload(tokens.id_token);
+  const accessTokenPayload = decodeJwtPayload(tokens.access_token);
+  const exp = Number(idTokenPayload?.exp || accessTokenPayload?.exp || 0) || null;
+  return {
+    authMode: String(auth.auth_mode || 'chatgpt').trim() || 'chatgpt',
+    accessToken: String(tokens.access_token || '').trim(),
+    refreshToken: String(tokens.refresh_token || '').trim() || '',
+    idToken: String(tokens.id_token || '').trim() || '',
+    accountId: String(tokens.account_id || '').trim() || '',
+    accountEmail: String(idTokenPayload?.email || '').trim() || '',
+    expiresAt: exp ? exp * 1000 : null,
+    lastRefresh: auth.last_refresh || null,
+    primaryToken: String(tokens.access_token || '').trim()
+  };
+}
+function readCodexKeychainAuth() {
+  const raw = nativeKeychain.isSupported()
+    ? nativeKeychain.getPassword(CODEX_KEYCHAIN_SERVICE, getCodexKeychainAccount())
+    : null;
+  if (!raw) {
+    return null;
+  }
+  const parsed = parseCodexAuthPayload(readJsonFileFromString(raw));
+  return parsed ? { ...parsed, storage: 'keychain' } : null;
+}
+function readCodexFileAuth() {
+  const payload = readJsonFile(NATIVE_PATHS.codex.auth, null);
+  const parsed = parseCodexAuthPayload(payload);
+  return parsed ? { ...parsed, storage: 'auth-file' } : null;
+}
+function readCodexNativeOAuth() {
+  return readCodexKeychainAuth() || readCodexFileAuth();
+}
+function clearCodexOAuth() {
+  if (nativeKeychain.isSupported()) {
+    nativeKeychain.deletePassword(CODEX_KEYCHAIN_SERVICE, getCodexKeychainAccount());
+  }
+  let auth = {};
+  try {
+    auth = codexSettingsManager.readAuth();
+  } catch {
+    auth = {};
+  }
+  delete auth.tokens;
+  delete auth.auth_mode;
+  delete auth.last_refresh;
+  codexSettingsManager.writeAuth(auth);
+}
+function removeCodexChannelEnvVars() {
+  syncCodexUserEnvironment({}, { replace: true });
+}
+function clearCodexChannelConfig() {
+  removeCodexChannelEnvVars();
+  const configPath = NATIVE_PATHS.codex.config;
+  let config = {};
+  if (fs.existsSync(configPath)) {
+    try {
+      config = toml.parse(fs.readFileSync(configPath, 'utf8'));
+    } catch {
+      config = {};
+    }
+  }
+  const managedProviderKeys = new Set(['cc-proxy']);
+  loadChannelsFile('codex').forEach((channel) => {
+    if (channel?.providerKey) {
+      managedProviderKeys.add(channel.providerKey);
+    }
+  });
+  if (config.model_provider && managedProviderKeys.has(config.model_provider)) {
+    delete config.model_provider;
+  }
+  if (config.model_providers && typeof config.model_providers === 'object') {
+    Object.keys(config.model_providers).forEach((providerKey) => {
+      if (managedProviderKeys.has(providerKey)) {
+        delete config.model_providers[providerKey];
+      }
+    });
+    if (Object.keys(config.model_providers).length === 0) {
+      delete config.model_providers;
+    }
+  }
+  ensureDir(path.dirname(configPath));
+  fs.writeFileSync(configPath, tomlStringify(config), 'utf8');
+}
+function applyCodexOAuth(credential) {
+  clearCodexOAuth();
+  clearCodexChannelConfig();
+  const authPayload = {
+    auth_mode: credential.authMode || 'chatgpt',
+    tokens: {
+      access_token: credential.accessToken,
+      refresh_token: credential.refreshToken || '',
+      id_token: credential.idToken || '',
+      account_id: credential.accountId || ''
+    },
+    last_refresh: credential.lastRefresh || new Date().toISOString()
+  };
+  writeJsonFile(NATIVE_PATHS.codex.auth, authPayload);
+  const wroteKeychain = nativeKeychain.isSupported()
+    ? nativeKeychain.setPassword(CODEX_KEYCHAIN_SERVICE, getCodexKeychainAccount(), JSON.stringify(authPayload))
+    : false;
+  return { storage: wroteKeychain ? 'auth-file+keychain' : 'auth-file' };
+}
+function inspectCodexState() {
+  const { getCodexProxyStatus } = require('../codex-proxy-server');
+  const proxyStatus = getCodexProxyStatus();
+  const nativeOAuth = readCodexNativeOAuth();
+  let channelConfigured = false;
+  try {
+    const config = codexSettingsManager.readConfig();
+    channelConfigured = Boolean(
+      (config?.model_provider && config.model_provider !== 'cc-proxy')
+      || (config?.model_providers && Object.keys(config.model_providers).length > 0)
+    );
+  } catch {
+    channelConfigured = false;
+  }
+  return {
+    tool: 'codex',
+    mode: proxyStatus.running ? 'proxy' : (nativeOAuth ? 'oauth' : (channelConfigured ? 'channel' : 'idle')),
+    proxyRunning: proxyStatus.running,
+    oauthPresent: Boolean(nativeOAuth),
+    channelConfigured,
+    nativeCredential: nativeOAuth ? buildNativeSummary(nativeOAuth) : null
+  };
+}
+function deriveGeminiEncryptionKey() {
+  const salt = `${os.hostname()}-${os.userInfo().username}-gemini-cli`;
+  return crypto.scryptSync(GEMINI_KEYCHAIN_SERVICE, salt, 32);
+}
+function encryptGeminiPayload(value) {
+  const key = deriveGeminiEncryptionKey();
+  const iv = crypto.randomBytes(16);
+  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+  let encrypted = cipher.update(value, 'utf8', 'hex');
+  encrypted += cipher.final('hex');
+  const authTag = cipher.getAuthTag();
+  return `${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted}`;
+}
+function decryptGeminiPayload(value) {
+  const parts = String(value || '').split(':');
+  if (parts.length !== 3) {
+    throw new Error('Invalid encrypted data format');
+  }
+  const key = deriveGeminiEncryptionKey();
+  const iv = Buffer.from(parts[0], 'hex');
+  const authTag = Buffer.from(parts[1], 'hex');
+  const encrypted = parts[2];
+  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
+  decipher.setAuthTag(authTag);
+  let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+  decrypted += decipher.final('utf8');
+  return decrypted;
+}
+function parseGeminiCredential(raw, googleAccounts = null) {
+  if (!raw || typeof raw !== 'object') {
+    return null;
+  }
+  const credential = raw.token && typeof raw.token === 'object'
+    ? raw
+    : raw.access_token
+      ? {
+          serverName: GEMINI_MAIN_ACCOUNT_KEY,
+          token: {
+            accessToken: raw.access_token,
+            refreshToken: raw.refresh_token || '',
+            tokenType: raw.token_type || 'Bearer',
+            scope: raw.scope || '',
+            expiresAt: raw.expiry_date || null
+          },
+          updatedAt: Date.now()
+        }
+      : null;
+  if (!credential?.token?.accessToken) {
+    return null;
+  }
+  return {
+    accessToken: String(credential.token.accessToken || '').trim(),
+    refreshToken: String(credential.token.refreshToken || '').trim() || '',
+    tokenType: String(credential.token.tokenType || 'Bearer').trim() || 'Bearer',
+    scope: String(credential.token.scope || '').trim() || '',
+    expiresAt: Number(credential.token.expiresAt || 0) || null,
+    accountEmail: String(googleAccounts?.active || '').trim() || '',
+    primaryToken: String(credential.token.accessToken || '').trim()
+  };
+}
+function readGeminiEncryptedCredential() {
+  try {
+    if (!fs.existsSync(NATIVE_PATHS.gemini.oauthCredentialsEncrypted)) {
+      return null;
+    }
+    const encrypted = fs.readFileSync(NATIVE_PATHS.gemini.oauthCredentialsEncrypted, 'utf8');
+    const decrypted = decryptGeminiPayload(encrypted);
+    const payload = JSON.parse(decrypted);
+    const googleAccounts = readJsonFile(NATIVE_PATHS.gemini.googleAccounts, null);
+    return parseGeminiCredential(payload[GEMINI_MAIN_ACCOUNT_KEY], googleAccounts)
+      || parseGeminiCredential(payload, googleAccounts);
+  } catch {
+    return null;
+  }
+}
+function readGeminiKeychainCredential() {
+  const raw = nativeKeychain.isSupported()
+    ? nativeKeychain.getPassword(GEMINI_KEYCHAIN_SERVICE, GEMINI_MAIN_ACCOUNT_KEY)
+    : null;
+  if (!raw) {
+    return null;
+  }
+  const googleAccounts = readJsonFile(NATIVE_PATHS.gemini.googleAccounts, null);
+  const parsed = parseGeminiCredential(readJsonFileFromString(raw), googleAccounts);
+  return parsed ? { ...parsed, storage: 'keychain' } : null;
+}
+function readGeminiLegacyCredential() {
+  const payload = readJsonFile(NATIVE_PATHS.gemini.oauthCredentialsLegacy, null);
+  const googleAccounts = readJsonFile(NATIVE_PATHS.gemini.googleAccounts, null);
+  const parsed = parseGeminiCredential(payload, googleAccounts);
+  return parsed ? { ...parsed, storage: 'legacy-file' } : null;
+}
+function readGeminiNativeOAuth() {
+  const keychain = readGeminiKeychainCredential();
+  if (keychain) {
+    return keychain;
+  }
+  const encrypted = readGeminiEncryptedCredential();
+  if (encrypted) {
+    return { ...encrypted, storage: 'encrypted-file' };
+  }
+  return readGeminiLegacyCredential();
+}
+function clearGeminiOAuth() {
+  if (nativeKeychain.isSupported()) {
+    nativeKeychain.deletePassword(GEMINI_KEYCHAIN_SERVICE, GEMINI_MAIN_ACCOUNT_KEY);
+  }
+  removeFileIfExists(NATIVE_PATHS.gemini.oauthCredentialsEncrypted);
+  removeFileIfExists(NATIVE_PATHS.gemini.oauthCredentialsLegacy);
+  const googleAccounts = readJsonFile(NATIVE_PATHS.gemini.googleAccounts, null);
+  if (googleAccounts && typeof googleAccounts === 'object') {
+    googleAccounts.active = null;
+    writeJsonFile(NATIVE_PATHS.gemini.googleAccounts, googleAccounts);
+  }
+}
+function clearGeminiChannelConfig() {
+  const env = geminiSettingsManager.configExists()
+    ? geminiSettingsManager.readEnv()
+    : {};
+  delete env.GOOGLE_GEMINI_BASE_URL;
+  delete env.GEMINI_API_KEY;
+  delete env.GEMINI_MODEL;
+  geminiSettingsManager.writeEnv(env);
+}
+function applyGeminiOAuth(credential) {
+  clearGeminiOAuth();
+  clearGeminiChannelConfig();
+  const payload = {
+    [GEMINI_MAIN_ACCOUNT_KEY]: {
+      serverName: GEMINI_MAIN_ACCOUNT_KEY,
+      token: {
+        accessToken: credential.accessToken,
+        refreshToken: credential.refreshToken || undefined,
+        tokenType: credential.tokenType || 'Bearer',
+        scope: credential.scope || undefined,
+        expiresAt: credential.expiresAt || undefined
+      },
+      updatedAt: Date.now()
+    }
+  };
+  ensureDir(path.dirname(NATIVE_PATHS.gemini.oauthCredentialsEncrypted));
+  fs.writeFileSync(
+    NATIVE_PATHS.gemini.oauthCredentialsEncrypted,
+    encryptGeminiPayload(JSON.stringify(payload, null, 2)),
+    'utf8'
+  );
+  ensureFileMode(NATIVE_PATHS.gemini.oauthCredentialsEncrypted);
+  const wroteKeychain = nativeKeychain.isSupported()
+    ? nativeKeychain.setPassword(
+        GEMINI_KEYCHAIN_SERVICE,
+        GEMINI_MAIN_ACCOUNT_KEY,
+        JSON.stringify(payload[GEMINI_MAIN_ACCOUNT_KEY])
+      )
+    : false;
+  const settings = geminiSettingsManager.settingsExists()
+    ? geminiSettingsManager.readSettings()
+    : {};
+  settings.security = settings.security || {};
+  settings.security.auth = settings.security.auth || {};
+  settings.security.auth.selectedType = 'oauth-personal';
+  geminiSettingsManager.writeSettings(settings);
+  if (credential.accountEmail) {
+    writeJsonFile(NATIVE_PATHS.gemini.googleAccounts, {
+      active: credential.accountEmail,
+      old: []
+    });
+  }
+  return { storage: wroteKeychain ? 'encrypted-file+keychain' : 'encrypted-file' };
+}
+function inspectGeminiState() {
+  const { getGeminiProxyStatus } = require('../gemini-proxy-server');
+  const proxyStatus = getGeminiProxyStatus();
+  const nativeOAuth = readGeminiNativeOAuth();
+  let channelConfigured = false;
+  try {
+    const env = geminiSettingsManager.configExists()
+      ? geminiSettingsManager.readEnv()
+      : {};
+    const settings = geminiSettingsManager.settingsExists()
+      ? geminiSettingsManager.readSettings()
+      : {};
+    channelConfigured = Boolean(
+      String(env.GOOGLE_GEMINI_BASE_URL || '').trim()
+      || String(env.GEMINI_API_KEY || '').trim()
+      || settings?.security?.auth?.selectedType === 'gemini-api-key'
+    );
+  } catch {
+    channelConfigured = false;
+  }
+  return {
+    tool: 'gemini',
+    mode: proxyStatus.running ? 'proxy' : (nativeOAuth ? 'oauth' : (channelConfigured ? 'channel' : 'idle')),
+    proxyRunning: proxyStatus.running,
+    oauthPresent: Boolean(nativeOAuth),
+    channelConfigured,
+    nativeCredential: nativeOAuth ? buildNativeSummary(nativeOAuth) : null
+  };
+}
+function parseOpenCodeOAuthPayload(raw) {
+  if (!raw || typeof raw !== 'object') {
+    return null;
+  }
+  if (raw.type === 'oauth' || raw.access) {
+    return parseOpenCodeOAuthEntry(raw.providerId, raw);
+  }
+  if (raw.openai && typeof raw.openai === 'object') {
+    return parseOpenCodeOAuthEntry('openai', raw.openai);
+  }
+  for (const [providerId, value] of Object.entries(raw)) {
+    const parsed = parseOpenCodeOAuthEntry(providerId, value);
+    if (parsed) {
+      return parsed;
+    }
+  }
+  return null;
+}
+function parseOpenCodeOAuthEntry(providerId, target) {
+  const normalizedProviderId = String(providerId || 'openai').trim() || 'openai';
+  if (!target || target.type !== 'oauth' || !target.access) {
+    return null;
+  }
+  return {
+    providerId: normalizedProviderId,
+    accessToken: String(target.access || '').trim(),
+    refreshToken: String(target.refresh || '').trim() || '',
+    expiresAt: Number(target.expires || 0) || null,
+    accountId: String(target.accountId || '').trim() || '',
+    enterpriseUrl: String(target.enterpriseUrl || '').trim() || '',
+    primaryToken: String(target.access || '').trim()
+  };
+}
+function getActiveOpenCodeProviderId() {
+  try {
+    const configPath = opencodeSettingsManager.selectConfigPath();
+    if (!configPath || !fs.existsSync(configPath)) {
+      return '';
+    }
+    const config = opencodeSettingsManager.readConfig(configPath);
+    const modelRef = String(config?.model || '').trim();
+    if (modelRef.includes('/')) {
+      return modelRef.split('/')[0].trim();
+    }
+    const providerIds = config?.provider && typeof config.provider === 'object'
+      ? Object.keys(config.provider).filter(Boolean)
+      : [];
+    return providerIds.length === 1 ? providerIds[0] : '';
+  } catch {
+    return '';
+  }
+}
+function readAllOpenCodeNativeOAuth() {
+  const payload = readJsonFile(NATIVE_PATHS.opencode.auth, null);
+  if (!payload || typeof payload !== 'object') {
+    return [];
+  }
+  const activeProviderId = getActiveOpenCodeProviderId();
+  const credentials = Object.entries(payload)
+    .map(([providerId, value]) => parseOpenCodeOAuthEntry(providerId, value))
+    .filter(Boolean)
+    .map((entry) => ({ ...entry, storage: 'auth-file' }));
+  if (!activeProviderId || credentials.length <= 1) {
+    return credentials;
+  }
+  return credentials.sort((left, right) => {
+    if (left.providerId === activeProviderId) return -1;
+    if (right.providerId === activeProviderId) return 1;
+    return left.providerId.localeCompare(right.providerId);
+  });
+}
+function readOpenCodeNativeOAuth() {
+  return readAllOpenCodeNativeOAuth()[0] || null;
+}
+function clearOpenCodeOAuth() {
+  const payload = readJsonFile(NATIVE_PATHS.opencode.auth, {});
+  if (!payload || typeof payload !== 'object') {
+    return;
+  }
+  Object.keys(payload).forEach((providerId) => {
+    if (payload[providerId]?.type === 'oauth') {
+      delete payload[providerId];
+    }
+  });
+  if (Object.keys(payload).length === 0) {
+    removeFileIfExists(NATIVE_PATHS.opencode.auth);
+    return;
+  }
+  writeJsonFile(NATIVE_PATHS.opencode.auth, payload);
+}
+function applyOpenCodeOAuth(credential) {
+  clearOpenCodeOAuth();
+  opencodeSettingsManager.clearManagedChannelConfig();
+  const providerId = String(credential.providerId || 'openai').trim() || 'openai';
+  const payload = readJsonFile(NATIVE_PATHS.opencode.auth, {});
+  payload[providerId] = {
+    type: 'oauth',
+    access: credential.accessToken,
+    refresh: credential.refreshToken || '',
+    expires: credential.expiresAt || null,
+    accountId: credential.accountId || undefined,
+    enterpriseUrl: credential.enterpriseUrl || undefined
+  };
+  writeJsonFile(NATIVE_PATHS.opencode.auth, payload);
+  const configPath = opencodeSettingsManager.selectConfigPath();
+  const config = fs.existsSync(configPath)
+    ? opencodeSettingsManager.readConfig(configPath)
+    : {};
+  config.provider = config.provider && typeof config.provider === 'object' ? config.provider : {};
+  if (!config.provider[providerId]) {
+    config.provider[providerId] = {};
+  }
+  opencodeSettingsManager.writeConfig(configPath, config);
+  return { storage: 'auth-file' };
+}
+function inspectOpenCodeState() {
+  const { getOpenCodeProxyStatus } = require('../opencode-proxy-server');
+  const proxyStatus = getOpenCodeProxyStatus();
+  const nativeOAuth = readOpenCodeNativeOAuth();
+  let channelConfigured = false;
+  try {
+    const configPath = opencodeSettingsManager.selectConfigPath();
+    const config = fs.existsSync(configPath)
+      ? opencodeSettingsManager.readConfig(configPath)
+      : {};
+    const providers = config?.provider && typeof config.provider === 'object'
+      ? Object.values(config.provider)
+      : [];
+    channelConfigured = providers.some(provider => provider?.__ctx_managed__ === true);
+  } catch {
+    channelConfigured = false;
+  }
+  return {
+    tool: 'opencode',
+    mode: proxyStatus.running ? 'proxy' : (nativeOAuth ? 'oauth' : (channelConfigured ? 'channel' : 'idle')),
+    proxyRunning: proxyStatus.running,
+    oauthPresent: Boolean(nativeOAuth),
+    channelConfigured,
+    nativeCredential: nativeOAuth ? buildNativeSummary(nativeOAuth) : null
+  };
+}
+function inspectTool(tool) {
+  switch (tool) {
+    case 'claude':
+      return inspectClaudeState();
+    case 'codex':
+      return inspectCodexState();
+    case 'gemini':
+      return inspectGeminiState();
+    case 'opencode':
+      return inspectOpenCodeState();
+    default:
+      throw new Error(`Unsupported OAuth tool: ${tool}`);
+  }
+}
+function readNativeOAuth(tool) {
+  switch (tool) {
+    case 'claude':
+      return readClaudeNativeOAuth();
+    case 'codex':
+      return readCodexNativeOAuth();
+    case 'gemini':
+      return readGeminiNativeOAuth();
+    case 'opencode':
+      return readOpenCodeNativeOAuth();
+    default:
+      throw new Error(`Unsupported OAuth tool: ${tool}`);
+  }
+}
+function readAllNativeOAuth(tool) {
+  switch (tool) {
+    case 'claude': {
+      const credential = readClaudeNativeOAuth();
+      return credential ? [credential] : [];
+    }
+    case 'codex': {
+      const credential = readCodexNativeOAuth();
+      return credential ? [credential] : [];
+    }
+    case 'gemini': {
+      const credential = readGeminiNativeOAuth();
+      return credential ? [credential] : [];
+    }
+    case 'opencode':
+      return readAllOpenCodeNativeOAuth();
+    default:
+      throw new Error(`Unsupported OAuth tool: ${tool}`);
+  }
+}
+function clearNativeOAuth(tool) {
+  switch (tool) {
+    case 'claude':
+      clearClaudeOAuth();
+      return;
+    case 'codex':
+      clearCodexOAuth();
+      return;
+    case 'gemini':
+      clearGeminiOAuth();
+      return;
+    case 'opencode':
+      clearOpenCodeOAuth();
+      return;
+    default:
+      throw new Error(`Unsupported OAuth tool: ${tool}`);
+  }
+}
+function applyOAuthCredential(tool, credential) {
+  switch (tool) {
+    case 'claude':
+      return applyClaudeOAuth(credential);
+    case 'codex':
+      return applyCodexOAuth(credential);
+    case 'gemini':
+      return applyGeminiOAuth(credential);
+    case 'opencode':
+      return applyOpenCodeOAuth(credential);
+    default:
+      throw new Error(`Unsupported OAuth tool: ${tool}`);
+  }
+}
+module.exports = {
+  SUPPORTED_TOOLS,
+  fingerprintFor,
+  inspectTool,
+  readNativeOAuth,
+  readAllNativeOAuth,
+  clearNativeOAuth,
+  applyOAuthCredential
+};