funolio-agent 1.0.4 → 1.0.6

package/dist/auth/anthropic-subscription.d.ts

@@ -1,12 +1,32 @@
-/**
- * REMOVED: Anthropic Subscription OAuth auth has been removed.
- *
- * Connection to Anthropic is now exclusively via:
- *   1. claude-cli — spawns the Claude CLI binary (uses your subscription)
- *   2. API key (BYOK) — standard x-api-key authentication
- */
+import { OAuthCredential } from './credential-reader';
 export declare const ANTHROPIC_OAUTH_BETA_HEADER = "oauth-2025-04-20";
+export declare const ANTHROPIC_CLAUDE_CODE_API_KEY_URL = "https://api.anthropic.com/api/oauth/claude_cli/create_api_key";
+export declare const ANTHROPIC_CLAUDE_CODE_MESSAGES_BASE_URL = "https://api.anthropic.com/v1";
+export declare const ANTHROPIC_CLAUDE_CODE_MESSAGES_QUERY = "beta=true";
+export interface AnthropicSubscriptionTokenInput {
+    accessToken: string;
+    refreshToken?: string | null;
+    expiresAt?: number | null;
+    onRefresh?: ((credential: OAuthCredential) => void) | null;
+}
 export type AnthropicAuthMode = 'api-key' | 'oauth-bearer';
-/** @deprecated Subscription API removed. Always throws. */
-export declare function resolveAnthropicSubscriptionAuth(_input: any): Promise<never>;
+export interface AnthropicSubscriptionAuthResult {
+    token: string;
+    authMode: AnthropicAuthMode;
+    credential: OAuthCredential;
+    refreshed: boolean;
+    source: 'api-key-exchange' | 'oauth-bearer';
+}
+export interface ClaudeSubscriptionRequestConfig {
+    baseUrl: string;
+    apiQuery: string;
+    extraHeaders: Record<string, string>;
+}
+export declare function ensureFreshAnthropicCredential(input: AnthropicSubscriptionTokenInput): Promise<{
+    credential: OAuthCredential;
+    refreshed: boolean;
+}>;
+export declare function createAnthropicApiKeyFromOauth(accessToken: string): Promise<string>;
+export declare function resolveAnthropicSubscriptionAuth(input: AnthropicSubscriptionTokenInput): Promise<AnthropicSubscriptionAuthResult>;
+export declare function getClaudeSubscriptionRequestConfig(source?: string | null): ClaudeSubscriptionRequestConfig;
 //# sourceMappingURL=anthropic-subscription.d.ts.map

package/dist/auth/anthropic-subscription.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"anthropic-subscription.d.ts","sourceRoot":"","sources":["../../src/auth/anthropic-subscription.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,eAAO,MAAM,2BAA2B,qBAAqB,CAAC;AAE9D,MAAM,MAAM,iBAAiB,GAAG,SAAS,GAAG,cAAc,CAAC;AAE3D,2DAA2D;AAC3D,wBAAsB,gCAAgC,CAAC,MAAM,EAAE,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAElF"}
+{"version":3,"file":"anthropic-subscription.d.ts","sourceRoot":"","sources":["../../src/auth/anthropic-subscription.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAa,MAAM,qBAAqB,CAAC;AAIjE,eAAO,MAAM,2BAA2B,qBAAqB,CAAC;AAC9D,eAAO,MAAM,iCAAiC,kEAAkE,CAAC;AACjH,eAAO,MAAM,uCAAuC,iCAAiC,CAAC;AACtF,eAAO,MAAM,oCAAoC,cAAc,CAAC;AAUhE,MAAM,WAAW,+BAA+B;IAC9C,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,SAAS,CAAC,EAAE,CAAC,CAAC,UAAU,EAAE,eAAe,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC;CAC5D;AAED,MAAM,MAAM,iBAAiB,GAAG,SAAS,GAAG,cAAc,CAAC;AAE3D,MAAM,WAAW,+BAA+B;IAC9C,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,iBAAiB,CAAC;IAC5B,UAAU,EAAE,eAAe,CAAC;IAC5B,SAAS,EAAE,OAAO,CAAC;IACnB,MAAM,EAAE,kBAAkB,GAAG,cAAc,CAAC;CAC7C;AAED,MAAM,WAAW,+BAA+B;IAC9C,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACtC;AAuDD,wBAAsB,8BAA8B,CAClD,KAAK,EAAE,+BAA+B,GACrC,OAAO,CAAC;IAAE,UAAU,EAAE,eAAe,CAAC;IAAC,SAAS,EAAE,OAAO,CAAA;CAAE,CAAC,CAS9D;AAED,wBAAsB,8BAA8B,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CA4BzF;AAED,wBAAsB,gCAAgC,CACpD,KAAK,EAAE,+BAA+B,GACrC,OAAO,CAAC,+BAA+B,CAAC,CA0B1C;AAED,wBAAgB,kCAAkC,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,+BAA+B,CAU1G"}

package/dist/auth/anthropic-subscription.js

@@ -1,18 +1,139 @@
 "use strict";
-/**
- * REMOVED: Anthropic Subscription OAuth auth has been removed.
- *
- * Connection to Anthropic is now exclusively via:
- *   1. claude-cli — spawns the Claude CLI binary (uses your subscription)
- *   2. API key (BYOK) — standard x-api-key authentication
- */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ANTHROPIC_OAUTH_BETA_HEADER = void 0;
+exports.ANTHROPIC_CLAUDE_CODE_MESSAGES_QUERY = exports.ANTHROPIC_CLAUDE_CODE_MESSAGES_BASE_URL = exports.ANTHROPIC_CLAUDE_CODE_API_KEY_URL = exports.ANTHROPIC_OAUTH_BETA_HEADER = void 0;
+exports.ensureFreshAnthropicCredential = ensureFreshAnthropicCredential;
+exports.createAnthropicApiKeyFromOauth = createAnthropicApiKeyFromOauth;
 exports.resolveAnthropicSubscriptionAuth = resolveAnthropicSubscriptionAuth;
-// Stub types retained for backwards compatibility.
+exports.getClaudeSubscriptionRequestConfig = getClaudeSubscriptionRequestConfig;
+const credential_reader_1 = require("./credential-reader");
+const token_refresh_1 = require("./token-refresh");
+const child_process_1 = require("child_process");
 exports.ANTHROPIC_OAUTH_BETA_HEADER = 'oauth-2025-04-20';
-/** @deprecated Subscription API removed. Always throws. */
-async function resolveAnthropicSubscriptionAuth(_input) {
-    throw new Error('Subscription API has been removed. Use claude-cli or API key instead.');
+exports.ANTHROPIC_CLAUDE_CODE_API_KEY_URL = 'https://api.anthropic.com/api/oauth/claude_cli/create_api_key';
+exports.ANTHROPIC_CLAUDE_CODE_MESSAGES_BASE_URL = 'https://api.anthropic.com/v1';
+exports.ANTHROPIC_CLAUDE_CODE_MESSAGES_QUERY = 'beta=true';
+const API_KEY_CACHE_TTL_MS = 30 * 60_000;
+let cachedClaudeCliUserAgent = null;
+function getClaudeCliUserAgent() {
+    if (cachedClaudeCliUserAgent)
+        return cachedClaudeCliUserAgent;
+    try {
+        const raw = (0, child_process_1.execSync)('claude --version', {
+            encoding: 'utf8',
+            timeout: 5000,
+            stdio: ['pipe', 'pipe', 'pipe'],
+            windowsHide: true,
+        }).trim();
+        const version = raw.match(/\d+\.\d+\.\d+/)?.[0] || '2.1.63';
+        cachedClaudeCliUserAgent = `claude-cli/${version}`;
+        return cachedClaudeCliUserAgent;
+    }
+    catch {
+        cachedClaudeCliUserAgent = 'claude-cli/2.1.63';
+        return cachedClaudeCliUserAgent;
+    }
+}
+const apiKeyCache = new Map();
+function readCachedApiKey(accessToken) {
+    const cached = apiKeyCache.get(accessToken);
+    if (!cached)
+        return null;
+    if (cached.expiresAt <= Date.now()) {
+        apiKeyCache.delete(accessToken);
+        return null;
+    }
+    return cached.rawKey;
+}
+function storeCachedApiKey(accessToken, rawKey) {
+    apiKeyCache.set(accessToken, {
+        rawKey,
+        expiresAt: Date.now() + API_KEY_CACHE_TTL_MS,
+    });
+}
+function toCredential(input) {
+    return {
+        provider: 'anthropic',
+        accessToken: input.accessToken,
+        refreshToken: input.refreshToken || '',
+        expiresAt: input.expiresAt || 0,
+    };
+}
+function isScopeLimitedOauthError(message) {
+    const normalized = message.toLowerCase();
+    return normalized.includes('org:create_api_key')
+        || normalized.includes('permission_error')
+        || normalized.includes('scope requirement');
+}
+async function ensureFreshAnthropicCredential(input) {
+    const credential = toCredential(input);
+    if (!credential.refreshToken || !(0, credential_reader_1.isExpired)(credential)) {
+        return { credential, refreshed: false };
+    }
+    const refreshed = await (0, token_refresh_1.refreshToken)(credential);
+    input.onRefresh?.(refreshed.credential);
+    return { credential: refreshed.credential, refreshed: true };
+}
+async function createAnthropicApiKeyFromOauth(accessToken) {
+    const cached = readCachedApiKey(accessToken);
+    if (cached)
+        return cached;
+    const response = await fetch(exports.ANTHROPIC_CLAUDE_CODE_API_KEY_URL, {
+        method: 'POST',
+        headers: {
+            Authorization: `Bearer ${accessToken}`,
+            'anthropic-beta': exports.ANTHROPIC_OAUTH_BETA_HEADER,
+            'Content-Type': 'application/json',
+            'User-Agent': 'funolio-agent',
+            'x-app': 'funolio-desktop',
+        },
+        body: '{}',
+    });
+    if (!response.ok) {
+        const body = await response.text().catch(() => '');
+        throw new Error(`Anthropic Claude subscription API key exchange failed (${response.status}): ${body}`);
+    }
+    const data = await response.json();
+    if (!data.raw_key) {
+        throw new Error('Anthropic Claude subscription API key exchange returned no raw_key');
+    }
+    storeCachedApiKey(accessToken, data.raw_key);
+    return data.raw_key;
+}
+async function resolveAnthropicSubscriptionAuth(input) {
+    const { credential, refreshed } = await ensureFreshAnthropicCredential(input);
+    try {
+        const apiKey = await createAnthropicApiKeyFromOauth(credential.accessToken);
+        return {
+            token: apiKey,
+            authMode: 'api-key',
+            credential,
+            refreshed,
+            source: 'api-key-exchange',
+        };
+    }
+    catch (err) {
+        const message = err?.message || String(err);
+        if (!isScopeLimitedOauthError(message)) {
+            throw err;
+        }
+        return {
+            token: credential.accessToken,
+            authMode: 'oauth-bearer',
+            credential,
+            refreshed,
+            source: 'oauth-bearer',
+        };
+    }
+}
+function getClaudeSubscriptionRequestConfig(source) {
+    const isOpenClaw = String(source || '').toLowerCase().includes('openclaw');
+    return {
+        baseUrl: exports.ANTHROPIC_CLAUDE_CODE_MESSAGES_BASE_URL,
+        apiQuery: exports.ANTHROPIC_CLAUDE_CODE_MESSAGES_QUERY,
+        extraHeaders: {
+            'User-Agent': isOpenClaw ? getClaudeCliUserAgent() : 'funolio-agent',
+            'x-app': 'funolio-desktop',
+        },
+    };
 }
 //# sourceMappingURL=anthropic-subscription.js.map

package/dist/auth/anthropic-subscription.js.map

@@ -1 +1 @@
-{"version":3,"file":"anthropic-subscription.js","sourceRoot":"","sources":["../../src/auth/anthropic-subscription.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;AASH,4EAEC;AATD,mDAAmD;AAEtC,QAAA,2BAA2B,GAAG,kBAAkB,CAAC;AAI9D,2DAA2D;AACpD,KAAK,UAAU,gCAAgC,CAAC,MAAW;IAChE,MAAM,IAAI,KAAK,CAAC,uEAAuE,CAAC,CAAC;AAC3F,CAAC"}
+{"version":3,"file":"anthropic-subscription.js","sourceRoot":"","sources":["../../src/auth/anthropic-subscription.ts"],"names":[],"mappings":";;;AA6FA,wEAWC;AAED,wEA4BC;AAED,4EA4BC;AAED,gFAUC;AAhLD,2DAAiE;AACjE,mDAA+C;AAC/C,iDAAyC;AAE5B,QAAA,2BAA2B,GAAG,kBAAkB,CAAC;AACjD,QAAA,iCAAiC,GAAG,+DAA+D,CAAC;AACpG,QAAA,uCAAuC,GAAG,8BAA8B,CAAC;AACzE,QAAA,oCAAoC,GAAG,WAAW,CAAC;AAEhE,MAAM,oBAAoB,GAAG,EAAE,GAAG,MAAM,CAAC;AACzC,IAAI,wBAAwB,GAAkB,IAAI,CAAC;AA8BnD,SAAS,qBAAqB;IAC5B,IAAI,wBAAwB;QAAE,OAAO,wBAAwB,CAAC;IAC9D,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,wBAAQ,EAAC,kBAAkB,EAAE;YACvC,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,IAAI;YACb,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;YAC/B,WAAW,EAAE,IAAI;SAClB,CAAC,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,QAAQ,CAAC;QAC5D,wBAAwB,GAAG,cAAc,OAAO,EAAE,CAAC;QACnD,OAAO,wBAAwB,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,wBAAwB,GAAG,mBAAmB,CAAC;QAC/C,OAAO,wBAAwB,CAAC;IAClC,CAAC;AACH,CAAC;AAED,MAAM,WAAW,GAAG,IAAI,GAAG,EAAwB,CAAC;AAEpD,SAAS,gBAAgB,CAAC,WAAmB;IAC3C,MAAM,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAC5C,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,IAAI,MAAM,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QACnC,WAAW,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAChC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,MAAM,CAAC,MAAM,CAAC;AACvB,CAAC;AAED,SAAS,iBAAiB,CAAC,WAAmB,EAAE,MAAc;IAC5D,WAAW,CAAC,GAAG,CAAC,WAAW,EAAE;QAC3B,MAAM;QACN,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,oBAAoB;KAC7C,CAAC,CAAC;AACL,CAAC;AAED,SAAS,YAAY,CAAC,KAAsC;IAC1D,OAAO;QACL,QAAQ,EAAE,WAAW;QACrB,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,YAAY,EAAE,KAAK,CAAC,YAAY,IAAI,EAAE;QACtC,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,CAAC;KAChC,CAAC;AACJ,CAAC;AAED,SAAS,wBAAwB,CAAC,OAAe;IAC/C,MAAM,UAAU,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IACzC,OAAO,UAAU,CAAC,QAAQ,CAAC,oBAAoB,CAAC;WAC3C,UAAU,CAAC,QAAQ,CAAC,kBAAkB,CAAC;WACvC,UAAU,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC;AAChD,CAAC;AAEM,KAAK,UAAU,8BAA8B,CAClD,KAAsC;IAEtC,MAAM,UAAU,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IACvC,IAAI,CAAC,UAAU,CAAC,YAAY,IAAI,CAAC,IAAA,6BAAS,EAAC,UAAU,CAAC,EAAE,CAAC;QACvD,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IAC1C,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,IAAA,4BAAY,EAAC,UAAU,CAAC,CAAC;IACjD,KAAK,CAAC,SAAS,EAAE,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IACxC,OAAO,EAAE,UAAU,EAAE,SAAS,CAAC,UAAU,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;AAC/D,CAAC;AAEM,KAAK,UAAU,8BAA8B,CAAC,WAAmB;IACtE,MAAM,MAAM,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;IAC7C,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,yCAAiC,EAAE;QAC9D,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,WAAW,EAAE;YACtC,gBAAgB,EAAE,mCAA2B;YAC7C,cAAc,EAAE,kBAAkB;YAClC,YAAY,EAAE,eAAe;YAC7B,OAAO,EAAE,iBAAiB;SAC3B;QACD,IAAI,EAAE,IAAI;KACX,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QACnD,MAAM,IAAI,KAAK,CAAC,0DAA0D,QAAQ,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IACzG,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA0B,CAAC;IAC3D,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;IACxF,CAAC;IAED,iBAAiB,CAAC,WAAW,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;IAC7C,OAAO,IAAI,CAAC,OAAO,CAAC;AACtB,CAAC;AAEM,KAAK,UAAU,gCAAgC,CACpD,KAAsC;IAEtC,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,MAAM,8BAA8B,CAAC,KAAK,CAAC,CAAC;IAE9E,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,8BAA8B,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;QAC5E,OAAO;YACL,KAAK,EAAE,MAAM;YACb,QAAQ,EAAE,SAAS;YACnB,UAAU;YACV,SAAS;YACT,MAAM,EAAE,kBAAkB;SAC3B,CAAC;IACJ,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,MAAM,OAAO,GAAG,GAAG,EAAE,OAAO,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC;QAC5C,IAAI,CAAC,wBAAwB,CAAC,OAAO,CAAC,EAAE,CAAC;YACvC,MAAM,GAAG,CAAC;QACZ,CAAC;QAED,OAAO;YACL,KAAK,EAAE,UAAU,CAAC,WAAW;YAC7B,QAAQ,EAAE,cAAc;YACxB,UAAU;YACV,SAAS;YACT,MAAM,EAAE,cAAc;SACvB,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAgB,kCAAkC,CAAC,MAAsB;IACvE,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IAC3E,OAAO;QACL,OAAO,EAAE,+CAAuC;QAChD,QAAQ,EAAE,4CAAoC;QAC9C,YAAY,EAAE;YACZ,YAAY,EAAE,UAAU,CAAC,CAAC,CAAC,qBAAqB,EAAE,CAAC,CAAC,CAAC,eAAe;YACpE,OAAO,EAAE,iBAAiB;SAC3B;KACF,CAAC;AACJ,CAAC"}

package/dist/auth/auto-detect.d.ts

@@ -1,38 +1,16 @@
-/**
- * Auth Auto-Detect — Funolio Agent
- *
- * Resolves the best available authentication method for LLM providers.
- * Supported auth methods:
- *   1. Explicit API key (BYOK) — passed via config or CLI flag
- *   2. Environment variable API keys — ANTHROPIC_API_KEY, OPENAI_API_KEY, etc.
- *
- * CLI providers (claude-cli, codex-cli) do not need auth resolution here —
- * they spawn the CLI binary which handles its own authentication.
- *
- * NOTE: Subscription API / OAuth credential resolution has been removed.
- * OAuth tokens passed in config are ignored. Use CLI providers for
- * subscription-based access, or provide an explicit API key.
- */
+import { OAuthCredential } from './credential-reader';
 export interface ResolvedAuth {
     provider: string;
     model: string;
     apiKey: string;
-    source: 'api-key' | 'env';
+    source: 'oauth' | 'api-key' | 'env';
+    credential?: OAuthCredential;
     expired?: boolean;
     error?: string;
 }
 /**
  * Resolve the best available authentication method.
- *
- * Priority:
- *   1. Explicit API key (from config.apiKey)
- *   2. Environment variable API key
- *
- * OAuth/subscription tokens are ignored. For subscription-based access,
- * use a CLI provider (claude-cli, codex-cli) instead.
- *
- * @param config - Auth configuration. oauthToken fields are accepted for
- *   backwards compatibility but are ignored.
+ * Priority: explicit API key > OAuth credentials > env vars
  */
 export declare function resolveAuth(config: {
     provider?: string;
@@ -43,8 +21,8 @@ export declare function resolveAuth(config: {
     oauthExpiresAt?: number;
 }): Promise<ResolvedAuth | null>;
 /**
- * Ensure the auth is still valid. For API keys, this is a no-op passthrough.
- * OAuth token refresh has been removed.
+ * Ensure the token in a ResolvedAuth is still valid. Refreshes if needed.
+ * Returns the same object if still valid, or a new one with updated token.
  */
 export declare function ensureFreshToken(auth: ResolvedAuth): Promise<ResolvedAuth>;
 //# sourceMappingURL=auto-detect.d.ts.map

package/dist/auth/auto-detect.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auto-detect.d.ts","sourceRoot":"","sources":["../../src/auth/auto-detect.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAIH,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,SAAS,GAAG,KAAK,CAAC;IAC1B,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAwBD;;;;;;;;;;;;GAYG;AACH,wBAAsB,WAAW,CAAC,MAAM,EAAE;IACxC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CA2C/B;AAID;;;GAGG;AACH,wBAAsB,gBAAgB,CAAC,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC,CAGhF"}
+{"version":3,"file":"auto-detect.d.ts","sourceRoot":"","sources":["../../src/auth/auto-detect.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAa,MAAM,qBAAqB,CAAC;AAQjE,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,OAAO,GAAG,SAAS,GAAG,KAAK,CAAC;IACpC,UAAU,CAAC,EAAE,eAAe,CAAC;IAC7B,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAYD;;;GAGG;AACH,wBAAsB,WAAW,CAAC,MAAM,EAAE;IACxC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAiI/B;AAoCD;;;GAGG;AACH,wBAAsB,gBAAgB,CAAC,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC,CAgChF"}

package/dist/auth/auto-detect.js

@@ -1,99 +1,242 @@
 "use strict";
-/**
- * Auth Auto-Detect — Funolio Agent
- *
- * Resolves the best available authentication method for LLM providers.
- * Supported auth methods:
- *   1. Explicit API key (BYOK) — passed via config or CLI flag
- *   2. Environment variable API keys — ANTHROPIC_API_KEY, OPENAI_API_KEY, etc.
- *
- * CLI providers (claude-cli, codex-cli) do not need auth resolution here —
- * they spawn the CLI binary which handles its own authentication.
- *
- * NOTE: Subscription API / OAuth credential resolution has been removed.
- * OAuth tokens passed in config are ignored. Use CLI providers for
- * subscription-based access, or provide an explicit API key.
- */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.resolveAuth = resolveAuth;
 exports.ensureFreshToken = ensureFreshToken;
+const credential_reader_1 = require("./credential-reader");
+const token_refresh_1 = require("./token-refresh");
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
 // ── Default Models ──────────────────────────────────────────────────────────
 const DEFAULT_MODELS = {
     anthropic: 'claude-sonnet-4-5',
     openai: 'gpt-4o',
     'google-gemini': 'gemini-2.5-flash',
 };
-// ── Environment API Key Detection ───────────────────────────────────────────
-function getEnvApiKey(provider) {
-    switch (provider) {
-        case 'anthropic': return process.env.ANTHROPIC_API_KEY;
-        case 'openai': return process.env.OPENAI_API_KEY;
-        case 'google':
-        case 'google-gemini': return process.env.GOOGLE_API_KEY;
-        default: return undefined;
-    }
-}
 // ── resolveAuth ─────────────────────────────────────────────────────────────
 /**
  * Resolve the best available authentication method.
- *
- * Priority:
- *   1. Explicit API key (from config.apiKey)
- *   2. Environment variable API key
- *
- * OAuth/subscription tokens are ignored. For subscription-based access,
- * use a CLI provider (claude-cli, codex-cli) instead.
- *
- * @param config - Auth configuration. oauthToken fields are accepted for
- *   backwards compatibility but are ignored.
+ * Priority: explicit API key > OAuth credentials > env vars
  */
 async function resolveAuth(config) {
-    const provider = config.provider || 'anthropic';
-    const model = config.model || DEFAULT_MODELS[provider] || 'claude-sonnet-4-5';
     // 1. Explicit API key takes priority (BYOK)
     if (config.apiKey) {
+        const provider = config.provider || 'anthropic';
         console.log(`[auto-detect] Using explicit API key (source: api-key, provider: ${provider})`);
         return {
             provider,
-            model,
+            model: config.model || DEFAULT_MODELS[provider] || 'claude-sonnet-4-5',
             apiKey: config.apiKey,
             source: 'api-key',
         };
     }
-    // 2. Anthropic bearer config token (sk-ant-oat01-*)
-    if (config.oauthToken && config.oauthToken.startsWith('sk-ant-oat')) {
-        console.log(`[auto-detect] Using Anthropic bearer config token (source: oauth, provider: ${provider})`);
+    // 2. Use OAuth token from agent config (written during setup/configure)
+    if (config.oauthToken) {
+        const provider = config.provider || 'anthropic';
+        const model = config.model || DEFAULT_MODELS[provider] || 'claude-sonnet-4-5';
+        const credential = {
+            provider: provider,
+            accessToken: config.oauthToken,
+            refreshToken: config.oauthRefreshToken || '',
+            expiresAt: config.oauthExpiresAt || 0,
+        };
+        // If token is expired OR has no expiry info, and no refresh token in config,
+        // try to find one from CLI credentials (which track expiry properly)
+        if (!credential.refreshToken && ((0, credential_reader_1.isExpired)(credential) || !credential.expiresAt)) {
+            console.log(`[auto-detect] Config OAuth token expired with no refresh token — checking CLI credentials...`);
+            const cliCreds = detectClaudeCodeCredentials();
+            if (cliCreds?.refreshToken) {
+                console.log(`[auto-detect] Found refresh token in Claude Code credentials`);
+                credential.refreshToken = cliCreds.refreshToken;
+                credential.expiresAt = cliCreds.expiresAt || credential.expiresAt;
+                // Use CLI access token if it's newer
+                if (cliCreds.accessToken && (!(0, credential_reader_1.isExpired)(cliCreds) || cliCreds.expiresAt > credential.expiresAt)) {
+                    credential.accessToken = cliCreds.accessToken;
+                }
+            }
+        }
+        // Refresh if expired (or if we just imported CLI expiry that shows it's expired)
+        if (credential.refreshToken && ((0, credential_reader_1.isExpired)(credential) || (credential.expiresAt > 0 && Date.now() >= credential.expiresAt))) {
+            try {
+                const result = await (0, token_refresh_1.refreshToken)(credential);
+                credential.accessToken = result.credential.accessToken;
+                credential.refreshToken = result.credential.refreshToken;
+                credential.expiresAt = result.credential.expiresAt;
+                // Persist the refresh token back to config so we don't lose it
+                try {
+                    const configPath = path.join(os.homedir(), '.funolio', 'config.json');
+                    if (fs.existsSync(configPath)) {
+                        const cfg = JSON.parse(fs.readFileSync(configPath, 'utf-8'));
+                        const idx = cfg.providers?.findIndex((p) => p.id === provider);
+                        if (idx >= 0 && cfg.providers[idx]) {
+                            cfg.providers[idx].oauthToken = credential.accessToken;
+                            cfg.providers[idx].oauthRefreshToken = credential.refreshToken;
+                            cfg.providers[idx].oauthExpiresAt = credential.expiresAt;
+                            fs.writeFileSync(configPath, JSON.stringify(cfg, null, 2), 'utf-8');
+                            console.log(`[auto-detect] Persisted refreshed tokens to config`);
+                        }
+                    }
+                }
+                catch (writeErr) {
+                    console.warn(`[auto-detect] Failed to persist refreshed tokens:`, writeErr);
+                }
+            }
+            catch {
+                console.log(`[auto-detect] OAuth token expired and refresh failed for ${provider}`);
+                return {
+                    provider,
+                    model,
+                    apiKey: credential.accessToken,
+                    source: 'oauth',
+                    credential,
+                    expired: true,
+                    error: `OAuth token expired for ${provider}. Run \`funolio-agent configure\` to re-authenticate.`,
+                };
+            }
+        }
+        console.log(`[auto-detect] Resolved auth: provider=${provider}, model=${model}, source=oauth (from config)`);
         return {
             provider,
             model,
-            apiKey: config.oauthToken,
-            source: 'api-key', // Use api-key source type for downstream compat; authMode handles bearer
+            apiKey: credential.accessToken,
+            source: 'oauth',
+            credential,
         };
     }
-    // 3. Check environment variable API keys
-    const envKey = getEnvApiKey(provider);
-    if (envKey) {
-        console.log(`[auto-detect] Using environment variable API key (source: env, provider: ${provider})`);
+    // 3. Try to auto-detect OAuth token from Claude Code credentials
+    const claudeCodeAuth = detectClaudeCodeCredentials();
+    if (claudeCodeAuth) {
+        const provider = config.provider || 'anthropic';
+        const model = config.model || DEFAULT_MODELS[provider] || 'claude-sonnet-4-5';
+        // Refresh if expired
+        if ((0, credential_reader_1.isExpired)(claudeCodeAuth) && claudeCodeAuth.refreshToken) {
+            try {
+                const result = await (0, token_refresh_1.refreshToken)(claudeCodeAuth);
+                claudeCodeAuth.accessToken = result.credential.accessToken;
+                claudeCodeAuth.refreshToken = result.credential.refreshToken;
+                claudeCodeAuth.expiresAt = result.credential.expiresAt;
+            }
+            catch {
+                console.log(`[auto-detect] Claude Code OAuth token expired and refresh failed`);
+                return {
+                    provider,
+                    model,
+                    apiKey: claudeCodeAuth.accessToken,
+                    source: 'oauth',
+                    credential: claudeCodeAuth,
+                    expired: true,
+                    error: `Claude Code OAuth token expired and refresh failed. Run \`claude login\` to re-authenticate.`,
+                };
+            }
+        }
+        console.log(`[auto-detect] Resolved auth: provider=${provider}, model=${model}, source=oauth (from Claude Code credentials)`);
         return {
             provider,
             model,
-            apiKey: envKey,
-            source: 'env',
+            apiKey: claudeCodeAuth.accessToken,
+            source: 'oauth',
+            credential: claudeCodeAuth,
         };
     }
-    // No API key found — CLI providers handle their own auth, so returning null
-    // is expected for claude-cli / codex-cli. For API-based providers, this
-    // means the user needs to configure an API key.
-    console.log(`[auto-detect] No API key found for provider: ${provider}`);
+    console.log('[auto-detect] No API key or OAuth token found in config');
     return null;
 }
+// ── Claude Code Credential Detection ────────────────────────────────────────
+/**
+ * Detect OAuth credentials from Claude Code's local credential files.
+ * Checks ~/.claude/.credentials.json for claudeAiOauth tokens.
+ */
+function detectClaudeCodeCredentials() {
+    try {
+        const credPath = path.join(os.homedir(), '.claude', '.credentials.json');
+        if (!fs.existsSync(credPath))
+            return null;
+        const raw = JSON.parse(fs.readFileSync(credPath, 'utf-8'));
+        const oauth = raw?.claudeAiOauth;
+        if (!oauth?.accessToken?.startsWith('sk-ant-oat01-'))
+            return null;
+        const credential = {
+            provider: 'anthropic',
+            accessToken: oauth.accessToken,
+            refreshToken: oauth.refreshToken || '',
+            expiresAt: oauth.expiresAt || 0,
+        };
+        if ((0, credential_reader_1.isExpired)(credential)) {
+            console.log('[auto-detect] Claude Code OAuth token is expired, will attempt refresh');
+        }
+        return credential;
+    }
+    catch {
+        return null;
+    }
+}
 // ── ensureFreshToken ────────────────────────────────────────────────────────
 /**
- * Ensure the auth is still valid. For API keys, this is a no-op passthrough.
- * OAuth token refresh has been removed.
+ * Ensure the token in a ResolvedAuth is still valid. Refreshes if needed.
+ * Returns the same object if still valid, or a new one with updated token.
  */
 async function ensureFreshToken(auth) {
-    // API keys don't expire — return as-is
-    return auth;
+    if (auth.source !== 'oauth' || !auth.credential) {
+        return auth;
+    }
+    if (!(0, credential_reader_1.isExpired)(auth.credential)) {
+        return auth;
+    }
+    try {
+        const result = await (0, token_refresh_1.refreshToken)(auth.credential);
+        const refreshed = result.credential;
+        if (refreshed.accessToken === auth.credential.accessToken) {
+            return auth; // refresh failed or not needed, return as-is
+        }
+        return {
+            ...auth,
+            apiKey: refreshed.accessToken,
+            credential: refreshed,
+        };
+    }
+    catch (err) {
+        if (err instanceof token_refresh_1.TokenRefreshError) {
+            console.error(`[auto-detect] Token refresh failed for ${err.provider}: ${err.message}`);
+            return {
+                ...auth,
+                expired: true,
+                error: `Token refresh failed for ${err.provider}${err.httpStatus ? ` (HTTP ${err.httpStatus})` : ''}: ${err.message}`,
+            };
+        }
+        throw err;
+    }
 }
 //# sourceMappingURL=auto-detect.js.map

package/dist/auth/auto-detect.js.map

@@ -1 +1 @@
-{"version":3,"file":"auto-detect.js","sourceRoot":"","sources":["../../src/auth/auto-detect.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;AAgDH,kCAkDC;AAQD,4CAGC;AAhGD,+EAA+E;AAE/E,MAAM,cAAc,GAA2B;IAC7C,SAAS,EAAE,mBAAmB;IAC9B,MAAM,EAAE,QAAQ;IAChB,eAAe,EAAE,kBAAkB;CACpC,CAAC;AAEF,+EAA+E;AAE/E,SAAS,YAAY,CAAC,QAAgB;IACpC,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,WAAW,CAAC,CAAC,OAAO,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;QACvD,KAAK,QAAQ,CAAC,CAAC,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;QACjD,KAAK,QAAQ,CAAC;QACd,KAAK,eAAe,CAAC,CAAC,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;QACxD,OAAO,CAAC,CAAC,OAAO,SAAS,CAAC;IAC5B,CAAC;AACH,CAAC;AAED,+EAA+E;AAE/E;;;;;;;;;;;;GAYG;AACI,KAAK,UAAU,WAAW,CAAC,MAOjC;IACC,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,WAAW,CAAC;IAChD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,cAAc,CAAC,QAAQ,CAAC,IAAI,mBAAmB,CAAC;IAE9E,4CAA4C;IAC5C,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClB,OAAO,CAAC,GAAG,CAAC,oEAAoE,QAAQ,GAAG,CAAC,CAAC;QAC7F,OAAO;YACL,QAAQ;YACR,KAAK;YACL,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,MAAM,EAAE,SAAS;SAClB,CAAC;IACJ,CAAC;IAED,oDAAoD;IACpD,IAAI,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QACpE,OAAO,CAAC,GAAG,CAAC,+EAA+E,QAAQ,GAAG,CAAC,CAAC;QACxG,OAAO;YACL,QAAQ;YACR,KAAK;YACL,MAAM,EAAE,MAAM,CAAC,UAAU;YACzB,MAAM,EAAE,SAAS,EAAG,yEAAyE;SAC9F,CAAC;IACJ,CAAC;IAED,yCAAyC;IACzC,MAAM,MAAM,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;IACtC,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,CAAC,GAAG,CAAC,4EAA4E,QAAQ,GAAG,CAAC,CAAC;QACrG,OAAO;YACL,QAAQ;YACR,KAAK;YACL,MAAM,EAAE,MAAM;YACd,MAAM,EAAE,KAAK;SACd,CAAC;IACJ,CAAC;IAED,4EAA4E;IAC5E,wEAAwE;IACxE,gDAAgD;IAChD,OAAO,CAAC,GAAG,CAAC,gDAAgD,QAAQ,EAAE,CAAC,CAAC;IACxE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,+EAA+E;AAE/E;;;GAGG;AACI,KAAK,UAAU,gBAAgB,CAAC,IAAkB;IACvD,uCAAuC;IACvC,OAAO,IAAI,CAAC;AACd,CAAC"}
+{"version":3,"file":"auto-detect.js","sourceRoot":"","sources":["../../src/auth/auto-detect.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgCA,kCAwIC;AAwCD,4CAgCC;AAhPD,2DAAiE;AACjE,mDAAiF;AACjF,uCAAyB;AACzB,2CAA6B;AAC7B,uCAAyB;AAczB,+EAA+E;AAE/E,MAAM,cAAc,GAA2B;IAC7C,SAAS,EAAE,mBAAmB;IAC9B,MAAM,EAAE,QAAQ;IAChB,eAAe,EAAE,kBAAkB;CACpC,CAAC;AAEF,+EAA+E;AAE/E;;;GAGG;AACI,KAAK,UAAU,WAAW,CAAC,MAOjC;IACC,4CAA4C;IAC5C,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClB,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,WAAW,CAAC;QAChD,OAAO,CAAC,GAAG,CAAC,oEAAoE,QAAQ,GAAG,CAAC,CAAC;QAC7F,OAAO;YACL,QAAQ;YACR,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,cAAc,CAAC,QAAQ,CAAC,IAAI,mBAAmB;YACtE,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,MAAM,EAAE,SAAS;SAClB,CAAC;IACJ,CAAC;IAED,wEAAwE;IACxE,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACtB,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,WAAW,CAAC;QAChD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,cAAc,CAAC,QAAQ,CAAC,IAAI,mBAAmB,CAAC;QAE9E,MAAM,UAAU,GAAoB;YAClC,QAAQ,EAAE,QAAuC;YACjD,WAAW,EAAE,MAAM,CAAC,UAAU;YAC9B,YAAY,EAAE,MAAM,CAAC,iBAAiB,IAAI,EAAE;YAC5C,SAAS,EAAE,MAAM,CAAC,cAAc,IAAI,CAAC;SACtC,CAAC;QAEF,6EAA6E;QAC7E,qEAAqE;QACrE,IAAI,CAAC,UAAU,CAAC,YAAY,IAAI,CAAC,IAAA,6BAAS,EAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACjF,OAAO,CAAC,GAAG,CAAC,8FAA8F,CAAC,CAAC;YAC5G,MAAM,QAAQ,GAAG,2BAA2B,EAAE,CAAC;YAC/C,IAAI,QAAQ,EAAE,YAAY,EAAE,CAAC;gBAC3B,OAAO,CAAC,GAAG,CAAC,8DAA8D,CAAC,CAAC;gBAC5E,UAAU,CAAC,YAAY,GAAG,QAAQ,CAAC,YAAY,CAAC;gBAChD,UAAU,CAAC,SAAS,GAAG,QAAQ,CAAC,SAAS,IAAI,UAAU,CAAC,SAAS,CAAC;gBAClE,qCAAqC;gBACrC,IAAI,QAAQ,CAAC,WAAW,IAAI,CAAC,CAAC,IAAA,6BAAS,EAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,SAAS,GAAG,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;oBAChG,UAAU,CAAC,WAAW,GAAG,QAAQ,CAAC,WAAW,CAAC;gBAChD,CAAC;YACH,CAAC;QACH,CAAC;QAED,iFAAiF;QACjF,IAAI,UAAU,CAAC,YAAY,IAAI,CAAC,IAAA,6BAAS,EAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,GAAG,CAAC,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;YAC3H,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,IAAA,4BAAY,EAAC,UAAU,CAAC,CAAC;gBAC9C,UAAU,CAAC,WAAW,GAAG,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC;gBACvD,UAAU,CAAC,YAAY,GAAG,MAAM,CAAC,UAAU,CAAC,YAAY,CAAC;gBACzD,UAAU,CAAC,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC;gBAEnD,+DAA+D;gBAC/D,IAAI,CAAC;oBACH,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;oBACtE,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;wBAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;wBAC7D,MAAM,GAAG,GAAG,GAAG,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,QAAQ,CAAC,CAAC;wBACpE,IAAI,GAAG,IAAI,CAAC,IAAI,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC;4BACnC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,UAAU,GAAG,UAAU,CAAC,WAAW,CAAC;4BACvD,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,iBAAiB,GAAG,UAAU,CAAC,YAAY,CAAC;4BAC/D,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,cAAc,GAAG,UAAU,CAAC,SAAS,CAAC;4BACzD,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;4BACpE,OAAO,CAAC,GAAG,CAAC,oDAAoD,CAAC,CAAC;wBACpE,CAAC;oBACH,CAAC;gBACH,CAAC;gBAAC,OAAO,QAAQ,EAAE,CAAC;oBAClB,OAAO,CAAC,IAAI,CAAC,mDAAmD,EAAE,QAAQ,CAAC,CAAC;gBAC9E,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,CAAC,GAAG,CAAC,4DAA4D,QAAQ,EAAE,CAAC,CAAC;gBACpF,OAAO;oBACL,QAAQ;oBACR,KAAK;oBACL,MAAM,EAAE,UAAU,CAAC,WAAW;oBAC9B,MAAM,EAAE,OAAO;oBACf,UAAU;oBACV,OAAO,EAAE,IAAI;oBACb,KAAK,EAAE,2BAA2B,QAAQ,uDAAuD;iBAClG,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,yCAAyC,QAAQ,WAAW,KAAK,8BAA8B,CAAC,CAAC;QAC7G,OAAO;YACL,QAAQ;YACR,KAAK;YACL,MAAM,EAAE,UAAU,CAAC,WAAW;YAC9B,MAAM,EAAE,OAAO;YACf,UAAU;SACX,CAAC;IACJ,CAAC;IAED,iEAAiE;IACjE,MAAM,cAAc,GAAG,2BAA2B,EAAE,CAAC;IACrD,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,WAAW,CAAC;QAChD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,cAAc,CAAC,QAAQ,CAAC,IAAI,mBAAmB,CAAC;QAE9E,qBAAqB;QACrB,IAAI,IAAA,6BAAS,EAAC,cAAc,CAAC,IAAI,cAAc,CAAC,YAAY,EAAE,CAAC;YAC7D,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,IAAA,4BAAY,EAAC,cAAc,CAAC,CAAC;gBAClD,cAAc,CAAC,WAAW,GAAG,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC;gBAC3D,cAAc,CAAC,YAAY,GAAG,MAAM,CAAC,UAAU,CAAC,YAAY,CAAC;gBAC7D,cAAc,CAAC,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC;YACzD,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,CAAC,GAAG,CAAC,kEAAkE,CAAC,CAAC;gBAChF,OAAO;oBACL,QAAQ;oBACR,KAAK;oBACL,MAAM,EAAE,cAAc,CAAC,WAAW;oBAClC,MAAM,EAAE,OAAO;oBACf,UAAU,EAAE,cAAc;oBAC1B,OAAO,EAAE,IAAI;oBACb,KAAK,EAAE,8FAA8F;iBACtG,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,yCAAyC,QAAQ,WAAW,KAAK,+CAA+C,CAAC,CAAC;QAC9H,OAAO;YACL,QAAQ;YACR,KAAK;YACL,MAAM,EAAE,cAAc,CAAC,WAAW;YAClC,MAAM,EAAE,OAAO;YACf,UAAU,EAAE,cAAc;SAC3B,CAAC;IACJ,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,yDAAyD,CAAC,CAAC;IACvE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,+EAA+E;AAE/E;;;GAGG;AACH,SAAS,2BAA2B;IAClC,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,mBAAmB,CAAC,CAAC;QACzE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;YAAE,OAAO,IAAI,CAAC;QAE1C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;QAC3D,MAAM,KAAK,GAAG,GAAG,EAAE,aAAa,CAAC;QACjC,IAAI,CAAC,KAAK,EAAE,WAAW,EAAE,UAAU,CAAC,eAAe,CAAC;YAAE,OAAO,IAAI,CAAC;QAElE,MAAM,UAAU,GAAoB;YAClC,QAAQ,EAAE,WAAW;YACrB,WAAW,EAAE,KAAK,CAAC,WAAW;YAC9B,YAAY,EAAE,KAAK,CAAC,YAAY,IAAI,EAAE;YACtC,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,CAAC;SAChC,CAAC;QAEF,IAAI,IAAA,6BAAS,EAAC,UAAU,CAAC,EAAE,CAAC;YAC1B,OAAO,CAAC,GAAG,CAAC,wEAAwE,CAAC,CAAC;QACxF,CAAC;QAED,OAAO,UAAU,CAAC;IACpB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,+EAA+E;AAE/E;;;GAGG;AACI,KAAK,UAAU,gBAAgB,CAAC,IAAkB;IACvD,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;QAChD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,IAAA,6BAAS,EAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;QAChC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,IAAA,4BAAY,EAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACnD,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC;QACpC,IAAI,SAAS,CAAC,WAAW,KAAK,IAAI,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC;YAC1D,OAAO,IAAI,CAAC,CAAC,6CAA6C;QAC5D,CAAC;QAED,OAAO;YACL,GAAG,IAAI;YACP,MAAM,EAAE,SAAS,CAAC,WAAW;YAC7B,UAAU,EAAE,SAAS;SACtB,CAAC;IACJ,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,IAAI,GAAG,YAAY,iCAAiB,EAAE,CAAC;YACrC,OAAO,CAAC,KAAK,CAAC,0CAA0C,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YACxF,OAAO;gBACL,GAAG,IAAI;gBACP,OAAO,EAAE,IAAI;gBACb,KAAK,EAAE,4BAA4B,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,UAAU,GAAG,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,OAAO,EAAE;aACtH,CAAC;QACJ,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC"}

package/dist/auth/credential-reader.d.ts

@@ -1,18 +1,3 @@
-/**
- * REMOVED: OAuth credential reading from disk has been removed.
- *
- * Connection to LLM providers is now exclusively via:
- *   1. CLI providers (claude-cli, codex-cli) — spawns the CLI binary
- *   2. API key (BYOK) — standard x-api-key authentication
- *
- * The credential-reader previously read OAuth tokens from:
- *   - ~/.claude/.credentials.json (Anthropic)
- *   - ~/.codex/auth.json (OpenAI)
- *   - ~/.config/gcloud/application_default_credentials.json (Google)
- *
- * These files are now only used by the CLI providers themselves (claude, codex)
- * and are not read by the Funolio agent.
- */
 export interface OAuthCredential {
     provider: 'anthropic' | 'openai' | 'google-gemini';
     accessToken: string;
@@ -29,16 +14,11 @@ export interface CredentialDetectionResult {
         error: string;
     }[];
 }
-/** @deprecated Always returns empty results. */
-export declare function detectCredentials(): CredentialDetectionResult;
-/** @deprecated Always returns null. */
+/** Clear the credential cache (useful for testing or forced refresh). */
+export declare function clearCache(): void;
 export declare function readClaudeCredentials(): OAuthCredential | null;
-/** @deprecated Always returns null. */
 export declare function readCodexCredentials(): OAuthCredential | null;
-/** @deprecated Always returns null. */
 export declare function readGeminiCredentials(): OAuthCredential | null;
-/** Clear the credential cache (no-op). */
-export declare function clearCache(): void;
-/** @deprecated Always returns true (expired). */
-export declare function isExpired(_cred: OAuthCredential): boolean;
+export declare function detectCredentials(): CredentialDetectionResult;
+export declare function isExpired(cred: OAuthCredential): boolean;
 //# sourceMappingURL=credential-reader.d.ts.map