ethagent 2.1.0 → 2.2.0

package/README.md

@@ -49,7 +49,7 @@ Once running:
 The Identity Hub manages everything portable about the agent:
 
 - **Public Profile** edits name, description, icon, and the Agent Card.
-- **ENS Name** links the agent to a subdomain and authorizes operator wallets to write the subdomain's records.
+- **ENS Name** links the agent to a subdomain under a parent name the owner wallet controls.
 - **Custody Mode** switches between Simple and Advanced by depositing the token into its Vault or unwrapping it back out.
 - **Prepare Transfer** stages a dual-wallet snapshot before sending the token externally.
 - **Refetch Latest** pulls the most recent published snapshot back to local files.
@@ -89,7 +89,7 @@ The vault is an immutable Foundry contract at `contracts/src/Vault.sol`. New vau
 
 Subdomains live under a parent name you control, never on root `.eth` names directly. You keep `you.eth`; the agent gets `agent.you.eth`. The split makes the boundary explicit: one address speaks for the human, the other speaks for the agent.
 
-For agents in Advanced custody, the owner wallet approves operator wallets on the resolver once. After that, an approved operator wallet can update the agent's ENS profile pointer (the IPFS CID for the latest agent card) on every snapshot save without another owner signature.
+ENS records stay owner-controlled in both custody modes. Operator wallets in Advanced custody rotate the ERC-8004 token URI through the Vault (see Custody Modes), not ENS. Any ENS text-record update requires an owner signature.
 
 Save the token ID + network somewhere safe. ENS records can be cleared and rebuilt; the token ID is the durable handle.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ethagent",
-  "version": "2.1.0",
+  "version": "2.2.0",
   "description": "A privacy-first AI agent with a portable Ethereum identity",
   "type": "module",
   "main": "bin/ethagent.js",

package/src/auth/openaiOAuth/credentials.ts

@@ -0,0 +1,47 @@
+import { getSecret, rmSecret, setSecret } from '../../storage/secrets.js'
+
+const ACCOUNT = 'openai-oauth'
+
+export type OpenAIOAuthCredentials = {
+  accessToken: string
+  refreshToken: string
+  idToken?: string
+  accountId?: string
+  expiresAt: number
+  lastRefreshAt: number
+}
+
+export async function getOpenAIOAuthCredentials(): Promise<OpenAIOAuthCredentials | null> {
+  const raw = await getSecret(ACCOUNT)
+  if (!raw) return null
+  try {
+    const parsed = JSON.parse(raw) as Partial<OpenAIOAuthCredentials>
+    if (typeof parsed.accessToken !== 'string' || !parsed.accessToken) return null
+    if (typeof parsed.refreshToken !== 'string' || !parsed.refreshToken) return null
+    if (typeof parsed.expiresAt !== 'number' || !Number.isFinite(parsed.expiresAt)) return null
+    if (typeof parsed.lastRefreshAt !== 'number' || !Number.isFinite(parsed.lastRefreshAt)) return null
+    return {
+      accessToken: parsed.accessToken,
+      refreshToken: parsed.refreshToken,
+      idToken: typeof parsed.idToken === 'string' ? parsed.idToken : undefined,
+      accountId: typeof parsed.accountId === 'string' ? parsed.accountId : undefined,
+      expiresAt: parsed.expiresAt,
+      lastRefreshAt: parsed.lastRefreshAt,
+    }
+  } catch {
+    return null
+  }
+}
+
+export async function setOpenAIOAuthCredentials(creds: OpenAIOAuthCredentials): Promise<void> {
+  await setSecret(ACCOUNT, JSON.stringify(creds))
+}
+
+export async function rmOpenAIOAuthCredentials(): Promise<void> {
+  await rmSecret(ACCOUNT)
+}
+
+export async function hasOpenAIOAuthCredentials(): Promise<boolean> {
+  const creds = await getOpenAIOAuthCredentials()
+  return creds !== null
+}

package/src/auth/openaiOAuth/crypto.ts

@@ -0,0 +1,23 @@
+import { randomBytes, webcrypto } from 'node:crypto'
+
+function base64UrlEncode(buffer: Buffer): string {
+  return buffer
+    .toString('base64')
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=/g, '')
+}
+
+export function generateCodeVerifier(): string {
+  return base64UrlEncode(randomBytes(32))
+}
+
+export async function generateCodeChallenge(verifier: string): Promise<string> {
+  const encoded = new TextEncoder().encode(verifier)
+  const digest = await webcrypto.subtle.digest('SHA-256', encoded)
+  return base64UrlEncode(Buffer.from(digest))
+}
+
+export function generateState(): string {
+  return base64UrlEncode(randomBytes(32))
+}

package/src/auth/openaiOAuth/index.ts

@@ -0,0 +1,238 @@
+import { AuthCodeListener } from './listener.js'
+import { generateCodeChallenge, generateCodeVerifier, generateState } from './crypto.js'
+import {
+  OPENAI_OAUTH_CALLBACK_PORT,
+  OPENAI_OAUTH_CLIENT_ID,
+  OPENAI_OAUTH_ISSUER,
+  OPENAI_OAUTH_ORIGINATOR,
+  OPENAI_OAUTH_SCOPE,
+  OPENAI_OAUTH_TOKEN_URL,
+  asTrimmedString,
+  exchangeIdTokenForApiKey,
+  parseChatgptAccountId,
+} from './shared.js'
+import { setOpenAIOAuthCredentials } from './credentials.js'
+import { renderOAuthLandingPage } from './landingPage.js'
+
+type OpenAIOAuthTokenResponse = {
+  id_token?: string
+  access_token?: string
+  refresh_token?: string
+  expires_in?: number
+}
+
+export type OpenAIOAuthResult =
+  | { kind: 'apikey'; apiKey: string; accountId?: string }
+  | { kind: 'oauth-only'; accountId?: string; reason?: string }
+
+export type OpenAIOAuthOnReady = (authUrl: string) => void | Promise<void>
+
+function buildAuthorizeUrl(args: { port: number; codeChallenge: string; state: string }): string {
+  const redirectUri = `http://localhost:${args.port}/auth/callback`
+  const params: Array<[string, string]> = [
+    ['response_type', 'code'],
+    ['client_id', OPENAI_OAUTH_CLIENT_ID],
+    ['redirect_uri', redirectUri],
+    ['scope', OPENAI_OAUTH_SCOPE],
+    ['code_challenge', args.codeChallenge],
+    ['code_challenge_method', 'S256'],
+    ['id_token_add_organizations', 'true'],
+    ['codex_cli_simplified_flow', 'true'],
+    ['state', args.state],
+    ['originator', OPENAI_OAUTH_ORIGINATOR],
+  ]
+  const qs = params
+    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
+    .join('&')
+  return `${OPENAI_OAUTH_ISSUER}/oauth/authorize?${qs}`
+}
+
+function renderSuccessPage(): string {
+  return renderOAuthLandingPage({
+    tone: 'success',
+    pageTitle: 'OpenAI Sign-in Complete',
+    headline: 'OpenAI sign-in complete',
+    message: 'You can return to your terminal.',
+  })
+}
+
+function renderErrorPage(reason: string): string {
+  return renderOAuthLandingPage({
+    tone: 'error',
+    pageTitle: 'OpenAI Sign-in Failed',
+    headline: 'OpenAI sign-in failed',
+    message: reason,
+  })
+}
+
+function renderCancelledPage(): string {
+  return renderOAuthLandingPage({
+    tone: 'cancelled',
+    pageTitle: 'OpenAI Sign-in Cancelled',
+    headline: 'OpenAI sign-in cancelled',
+    message: 'You can return to your terminal.',
+  })
+}
+
+async function exchangeAuthorizationCode(args: {
+  authorizationCode: string
+  codeVerifier: string
+  port: number
+  signal: AbortSignal
+}): Promise<OpenAIOAuthResult> {
+  const redirectUri = `http://localhost:${args.port}/auth/callback`
+  const body = new URLSearchParams({
+    grant_type: 'authorization_code',
+    code: args.authorizationCode,
+    redirect_uri: redirectUri,
+    client_id: OPENAI_OAUTH_CLIENT_ID,
+    code_verifier: args.codeVerifier,
+  })
+
+  const response = await fetch(OPENAI_OAUTH_TOKEN_URL, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body,
+    signal: AbortSignal.any([args.signal, AbortSignal.timeout(15_000)]),
+  })
+
+  if (!response.ok) {
+    const errorText = await response.text().catch(() => '')
+    throw new Error(
+      errorText.trim()
+        ? `OpenAI OAuth token exchange failed (${response.status}): ${errorText.trim()}`
+        : `OpenAI OAuth token exchange failed with status ${response.status}.`,
+    )
+  }
+
+  const payload = (await response.json()) as OpenAIOAuthTokenResponse
+  const accessToken = asTrimmedString(payload.access_token)
+  const refreshToken = asTrimmedString(payload.refresh_token)
+  const idToken = asTrimmedString(payload.id_token)
+  if (!accessToken || !refreshToken) {
+    throw new Error('OpenAI OAuth completed, but the response was missing access_token or refresh_token.')
+  }
+
+  const accountId = parseChatgptAccountId(idToken) ?? parseChatgptAccountId(accessToken)
+  const expiresIn = typeof payload.expires_in === 'number' && payload.expires_in > 0
+    ? payload.expires_in
+    : 3600
+  const now = Date.now()
+  await setOpenAIOAuthCredentials({
+    accessToken,
+    refreshToken,
+    idToken,
+    accountId,
+    expiresAt: now + expiresIn * 1000,
+    lastRefreshAt: now,
+  })
+
+  if (!idToken) {
+    return { kind: 'oauth-only', accountId, reason: 'no id_token returned' }
+  }
+
+  try {
+    const apiKey = await exchangeIdTokenForApiKey(idToken)
+    if (typeof apiKey !== 'string' || apiKey.length === 0) {
+      return { kind: 'oauth-only', accountId, reason: 'API key exchange returned an empty token' }
+    }
+    return { kind: 'apikey', apiKey, accountId }
+  } catch (err) {
+    const reason = err instanceof Error ? err.message : String(err)
+    return { kind: 'oauth-only', accountId, reason }
+  }
+}
+
+export class OpenAIOAuthService {
+  private listener: AuthCodeListener | null = null
+  private exchangeAbort: AbortController | null = null
+
+  async start(onReady: OpenAIOAuthOnReady): Promise<OpenAIOAuthResult> {
+    const codeVerifier = generateCodeVerifier()
+    const listener = new AuthCodeListener('/auth/callback')
+    this.listener = listener
+
+    let port: number
+    try {
+      port = await listener.start(OPENAI_OAUTH_CALLBACK_PORT)
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err)
+      if (message.includes('EADDRINUSE') || message.includes(String(OPENAI_OAUTH_CALLBACK_PORT))) {
+        listener.close()
+        this.listener = null
+        throw new Error(
+          `OpenAI sign-in needs localhost:${OPENAI_OAUTH_CALLBACK_PORT} for its callback. Close any app already using that port and try again.`,
+        )
+      }
+      listener.close()
+      this.listener = null
+      throw err
+    }
+
+    const state = generateState()
+    const codeChallenge = await generateCodeChallenge(codeVerifier)
+    const authUrl = buildAuthorizeUrl({ port, codeChallenge, state })
+
+    try {
+      const authorizationCode = await listener.waitForAuthorization(state, async () => {
+        await onReady(authUrl)
+      })
+
+      const abort = new AbortController()
+      this.exchangeAbort = abort
+      let result: OpenAIOAuthResult
+      try {
+        result = await exchangeAuthorizationCode({
+          authorizationCode,
+          codeVerifier,
+          port,
+          signal: abort.signal,
+        })
+      } finally {
+        if (this.exchangeAbort === abort) this.exchangeAbort = null
+      }
+
+      if (this.listener !== listener) {
+        throw new Error('OpenAI sign-in was cancelled.')
+      }
+
+      listener.handleSuccessRedirect([], res => {
+        res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' })
+        res.end(renderSuccessPage())
+      })
+
+      return result
+    } catch (error) {
+      const resolved = this.listener === listener
+        ? error
+        : new Error('OpenAI sign-in was cancelled.')
+
+      if (listener.hasPendingResponse()) {
+        const isCancellation = resolved instanceof Error && resolved.message === 'OpenAI sign-in was cancelled.'
+        listener.handleErrorRedirect(res => {
+          res.writeHead(isCancellation ? 200 : 400, { 'Content-Type': 'text/html; charset=utf-8' })
+          res.end(isCancellation ? renderCancelledPage() : renderErrorPage(
+            resolved instanceof Error ? resolved.message : String(resolved),
+          ))
+        })
+      }
+      throw resolved
+    } finally {
+      this.cleanup()
+    }
+  }
+
+  cleanup(): void {
+    const cancellationError = new Error('OpenAI sign-in was cancelled.')
+    this.exchangeAbort?.abort(cancellationError)
+    this.exchangeAbort = null
+    if (this.listener?.hasPendingResponse()) {
+      this.listener.handleErrorRedirect(res => {
+        res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' })
+        res.end(renderCancelledPage())
+      })
+    }
+    this.listener?.cancelPendingAuthorization(cancellationError)
+    this.listener = null
+  }
+}

package/src/auth/openaiOAuth/landingPage.ts

@@ -0,0 +1,125 @@
+import { readFileSync } from 'node:fs'
+import { dirname, join } from 'node:path'
+import { fileURLToPath } from 'node:url'
+import { transformSync } from 'esbuild'
+import { WALLET_CSS } from '../../identity/wallet/page/styles/index.js'
+import { glyphs } from '../../identity/wallet/page/html.js'
+import { escapeHtml } from './shared.js'
+
+export type LandingTone = 'success' | 'error' | 'cancelled'
+
+const GRAINIENT_SOURCE_FILE = join(
+  dirname(fileURLToPath(import.meta.url)),
+  '..',
+  '..',
+  'identity',
+  'wallet',
+  'page',
+  'grainient.ts',
+)
+
+const COMPILED_GRAINIENT = compileGrainientModule()
+
+const GRAINIENT_OPTIONS = {
+  color1: '#000422',
+  color2: '#d8dcfa',
+  color3: '#000422',
+  timeSpeed: 0.25,
+  colorBalance: 0,
+  warpStrength: 1,
+  warpFrequency: 5,
+  warpSpeed: 2,
+  warpAmplitude: 10,
+  blendAngle: 0,
+  blendSoftness: 0.05,
+  rotationAmount: 500,
+  noiseScale: 2,
+  grainAmount: 0.1,
+  grainScale: 2,
+  grainAnimated: false,
+  contrast: 1.5,
+  gamma: 1,
+  saturation: 1,
+  centerX: 0,
+  centerY: 0,
+  zoom: 0.9,
+}
+
+const CHECK_SVG = '<svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><polyline points="20 6 9 17 4 12"></polyline></svg>'
+
+const LANDING_EXTRA_CSS = `
+main[data-flow="signin"] .body > .status { margin-top: 9px; }
+main[data-tone="error"] .status .marker {
+  color: var(--c-danger);
+  border-color: color-mix(in srgb, var(--c-danger) 45%, transparent);
+}
+`
+
+function markerHtml(tone: LandingTone): string {
+  if (tone === 'success') return CHECK_SVG
+  if (tone === 'error') return '<span aria-hidden="true">!</span>'
+  return '<span aria-hidden="true">–</span>'
+}
+
+export function renderOAuthLandingPage(args: {
+  tone: LandingTone
+  pageTitle: string
+  headline: string
+  message: string
+}): string {
+  const title = escapeHtml(args.pageTitle)
+  const headline = escapeHtml(args.headline)
+  const message = escapeHtml(args.message)
+  const splash = escapeHtml(glyphs.eyes)
+  const optionsJson = JSON.stringify(GRAINIENT_OPTIONS).replaceAll('<', '\\u003c')
+  const safeScript = COMPILED_GRAINIENT.replaceAll('</', '<\\/')
+  const marker = markerHtml(args.tone)
+
+  return `<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>${title}</title>
+  <style>${WALLET_CSS}
+${LANDING_EXTRA_CSS}</style>
+</head>
+<body>
+  <canvas id="grainient" class="grainient-canvas" aria-hidden="true"></canvas>
+  <main id="card" data-flow="signin" data-tone="${args.tone}">
+    <div class="chrome">
+      <span class="chrome-spacer"></span>
+      <span class="chrome-title">ethagent</span>
+      <span class="chrome-actions"></span>
+    </div>
+    <div class="body">
+      <div class="splash-wrap"><pre class="splash">${splash}</pre></div>
+      <h2 class="flow-title">${headline}</h2>
+      <div class="status">
+        <p class="status-line">
+          <span class="marker">${marker}</span>
+          <span>${message}</span>
+        </p>
+        <p class="status-hint">You may close this tab now.</p>
+      </div>
+    </div>
+  </main>
+  <script>
+${safeScript}
+;(function () {
+  var canvas = document.getElementById('grainient');
+  if (canvas) startGrainient(canvas, ${optionsJson});
+})();
+  </script>
+</body>
+</html>`
+}
+
+function compileGrainientModule(): string {
+  const source = readFileSync(GRAINIENT_SOURCE_FILE, 'utf8')
+  const stripped = source
+    .split(/\r?\n/)
+    .map(line => line.replace(/^export\s+(?=(function|const|let|interface|type|class)\b)/, ''))
+    .join('\n')
+  return transformSync(stripped, { loader: 'ts', target: 'es2020' }).code
+}

package/src/auth/openaiOAuth/listener.ts

@@ -0,0 +1,151 @@
+import { createServer, type IncomingMessage, type Server, type ServerResponse } from 'node:http'
+import type { AddressInfo } from 'node:net'
+
+export class AuthCodeListener {
+  private localServer: Server
+  private port = 0
+  private promiseResolver: ((authorizationCode: string) => void) | null = null
+  private promiseRejecter: ((error: Error) => void) | null = null
+  private expectedState: string | null = null
+  private pendingResponse: ServerResponse | null = null
+  private readonly callbackPath: string
+
+  constructor(callbackPath = '/auth/callback') {
+    this.localServer = createServer()
+    this.callbackPath = callbackPath
+  }
+
+  async start(port?: number): Promise<number> {
+    return new Promise((resolve, reject) => {
+      const onError = (err: Error): void => {
+        reject(new Error(`Failed to start OAuth callback server: ${err.message}`))
+      }
+      this.localServer.once('error', onError)
+      this.localServer.listen(port ?? 0, 'localhost', () => {
+        this.localServer.removeListener('error', onError)
+        const address = this.localServer.address() as AddressInfo
+        this.port = address.port
+        resolve(this.port)
+      })
+    })
+  }
+
+  getPort(): number {
+    return this.port
+  }
+
+  hasPendingResponse(): boolean {
+    return this.pendingResponse !== null
+  }
+
+  async waitForAuthorization(
+    state: string,
+    onReady: () => Promise<void> | void,
+  ): Promise<string> {
+    return new Promise<string>((resolve, reject) => {
+      this.promiseResolver = resolve
+      this.promiseRejecter = reject
+      this.expectedState = state
+      this.localServer.on('request', this.handleRedirect.bind(this))
+      this.localServer.on('error', err => this.cancelPendingAuthorization(err))
+      void Promise.resolve(onReady()).catch(err => this.cancelPendingAuthorization(err as Error))
+    })
+  }
+
+  handleSuccessRedirect(
+    _scopes: string[],
+    customHandler?: (res: ServerResponse) => void,
+  ): void {
+    if (!this.pendingResponse) return
+    const response = this.pendingResponse
+    try {
+      if (customHandler) customHandler(response)
+      else {
+        response.writeHead(200, { 'Content-Type': 'text/plain; charset=utf-8' })
+        response.end('OpenAI sign-in complete. You can close this tab.')
+      }
+      if (!response.writableEnded && !response.destroyed) response.end()
+    } finally {
+      this.pendingResponse = null
+    }
+  }
+
+  handleErrorRedirect(customHandler?: (res: ServerResponse) => void): void {
+    if (!this.pendingResponse) return
+    const response = this.pendingResponse
+    try {
+      if (customHandler) customHandler(response)
+      else {
+        response.writeHead(400, { 'Content-Type': 'text/plain; charset=utf-8' })
+        response.end('OpenAI sign-in failed. You can close this tab.')
+      }
+      if (!response.writableEnded && !response.destroyed) response.end()
+    } finally {
+      this.pendingResponse = null
+    }
+  }
+
+  cancelPendingAuthorization(error: Error = new Error('OAuth authorization was cancelled.')): void {
+    this.reject(error)
+    this.close()
+  }
+
+  private handleRedirect(req: IncomingMessage, res: ServerResponse): void {
+    const parsedUrl = new URL(req.url || '', `http://${req.headers.host || 'localhost'}`)
+    if (parsedUrl.pathname !== this.callbackPath) {
+      res.writeHead(404)
+      res.end()
+      return
+    }
+    const authCode = parsedUrl.searchParams.get('code') ?? undefined
+    const state = parsedUrl.searchParams.get('state') ?? undefined
+    this.validateAndRespond(authCode, state, res)
+  }
+
+  private validateAndRespond(
+    authCode: string | undefined,
+    state: string | undefined,
+    res: ServerResponse,
+  ): void {
+    if (!authCode) {
+      res.writeHead(400)
+      res.end('Authorization code not found')
+      this.reject(new Error('No authorization code received'))
+      return
+    }
+    if (state !== this.expectedState) {
+      res.writeHead(400)
+      res.end('Invalid state parameter')
+      this.reject(new Error('Invalid state parameter'))
+      return
+    }
+    this.pendingResponse = res
+    this.resolve(authCode)
+  }
+
+  private resolve(authorizationCode: string): void {
+    if (this.promiseResolver) {
+      this.promiseResolver(authorizationCode)
+      this.promiseResolver = null
+      this.promiseRejecter = null
+      this.expectedState = null
+    }
+  }
+
+  private reject(error: Error): void {
+    if (this.promiseRejecter) {
+      this.promiseRejecter(error)
+      this.promiseResolver = null
+      this.promiseRejecter = null
+      this.expectedState = null
+    }
+  }
+
+  close(): void {
+    if (this.pendingResponse) this.handleErrorRedirect()
+    this.localServer.removeAllListeners()
+    this.localServer.close()
+    this.expectedState = null
+    this.port = 0
+  }
+}

package/src/auth/openaiOAuth/refresh.ts

@@ -0,0 +1,70 @@
+import {
+  OPENAI_OAUTH_CLIENT_ID,
+  OPENAI_OAUTH_TOKEN_URL,
+  asTrimmedString,
+  parseChatgptAccountId,
+} from './shared.js'
+import type { OpenAIOAuthCredentials } from './credentials.js'
+
+export type RefreshedTokens = {
+  accessToken: string
+  refreshToken: string
+  idToken?: string
+  accountId?: string
+  expiresIn: number
+}
+
+const REFRESH_LEEWAY_MS = 60_000
+
+export function shouldRefresh(creds: OpenAIOAuthCredentials, now: number = Date.now()): boolean {
+  return now >= creds.expiresAt - REFRESH_LEEWAY_MS
+}
+
+export async function refreshOpenAIAccessToken(refreshToken: string): Promise<RefreshedTokens> {
+  const body = new URLSearchParams({
+    client_id: OPENAI_OAUTH_CLIENT_ID,
+    grant_type: 'refresh_token',
+    refresh_token: refreshToken,
+  })
+
+  const response = await fetch(OPENAI_OAUTH_TOKEN_URL, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body,
+    signal: AbortSignal.timeout(15_000),
+  })
+
+  if (!response.ok) {
+    const errorText = await response.text().catch(() => '')
+    throw new Error(
+      errorText.trim()
+        ? `OpenAI token refresh failed (${response.status}): ${errorText.trim()}`
+        : `OpenAI token refresh failed with status ${response.status}.`,
+    )
+  }
+
+  const payload = (await response.json()) as {
+    access_token?: string
+    refresh_token?: string
+    id_token?: string
+    expires_in?: number
+  }
+  const accessToken = asTrimmedString(payload.access_token)
+  if (!accessToken) {
+    throw new Error('OpenAI token refresh succeeded without a new access token.')
+  }
+  const nextRefresh = asTrimmedString(payload.refresh_token) ?? refreshToken
+  const idToken = asTrimmedString(payload.id_token)
+  const expiresIn = typeof payload.expires_in === 'number' && payload.expires_in > 0
+    ? payload.expires_in
+    : 3600
+  const accountId = parseChatgptAccountId(idToken) ?? parseChatgptAccountId(accessToken)
+
+  return {
+    accessToken,
+    refreshToken: nextRefresh,
+    idToken,
+    accountId,
+    expiresIn,
+  }
+}