hedgequantx 2.5.23 → 2.5.25

package/src/services/ai/index.js

@@ -374,58 +374,28 @@ const validateConnection = async (providerId, optionId, credentials) => {
 const validateAnthropic = async (credentials) => {
   try {
     const token = credentials.apiKey || credentials.sessionKey || credentials.accessToken;
+    if (!token) return { valid: false, error: 'No API key provided' };
     
-    // Check if it's an OAuth token (sk-ant-oat...) vs API key (sk-ant-api...)
-    const isOAuthToken = token && token.startsWith('sk-ant-oat');
-    
-    if (isOAuthToken) {
-      // OAuth tokens (from Claude Max/Pro subscription) cannot be validated via public API
-      // They use a different authentication flow through claude.ai
-      // Trust them if they have the correct format (sk-ant-oatXX-...)
-      if (token.length > 50 && /^sk-ant-oat\d{2}-[a-zA-Z0-9_-]+$/.test(token)) {
-        return { 
-          valid: true, 
-          tokenType: 'oauth', 
-          subscriptionType: credentials.subscriptionType || 'max',
-          trusted: credentials.fromKeychain || false
-        };
-      }
-      
-      return { valid: false, error: 'Invalid OAuth token format' };
-    }
-    
-    // Standard API key validation (sk-ant-api...)
-    const response = await fetch('https://api.anthropic.com/v1/messages', {
-      method: 'POST',
+    // Validate by fetching models from API - this proves the token works
+    const response = await fetch('https://api.anthropic.com/v1/models', {
+      method: 'GET',
       headers: {
-        'Content-Type': 'application/json',
         'x-api-key': token,
         'anthropic-version': '2023-06-01'
-      },
-      body: JSON.stringify({
-        model: 'claude-sonnet-4-5-20250929',
-        max_tokens: 10,
-        messages: [{ role: 'user', content: 'Hi' }]
-      })
+      }
     });
     
     if (response.ok) {
-      return { valid: true, tokenType: 'api_key' };
+      const data = await response.json();
+      if (data.data && Array.isArray(data.data) && data.data.length > 0) {
+        return { valid: true, tokenType: 'api_key' };
+      }
+      return { valid: false, error: 'API returned no models' };
     }
     
     const error = await response.json();
     return { valid: false, error: error.error?.message || 'Invalid API key' };
   } catch (e) {
-    // Network error - if it's an OAuth token, still accept it (can't validate anyway)
-    const token = credentials.apiKey || credentials.sessionKey || credentials.accessToken;
-    if (token && token.startsWith('sk-ant-oat') && token.length > 50) {
-      return { 
-        valid: true, 
-        tokenType: 'oauth', 
-        subscriptionType: credentials.subscriptionType || 'max',
-        warning: 'Could not validate online (network error), but token format is valid'
-      };
-    }
     return { valid: false, error: e.message };
   }
 };

package/src/services/ai/oauth-anthropic.js

@@ -0,0 +1,265 @@
+/**
+ * Anthropic OAuth Authentication
+ * 
+ * Implements OAuth 2.0 with PKCE for Anthropic Claude Pro/Max plans.
+ * Based on the public OAuth flow used by OpenCode.
+ * 
+ * Data source: Anthropic OAuth API (https://console.anthropic.com/v1/oauth/token)
+ */
+
+const crypto = require('crypto');
+const https = require('https');
+
+// Public OAuth Client ID (same as OpenCode - registered with Anthropic)
+const CLIENT_ID = '9d1c250a-e61b-44d9-88ed-5944d1962f5e';
+const REDIRECT_URI = 'https://console.anthropic.com/oauth/code/callback';
+
+/**
+ * Generate PKCE code verifier and challenge
+ * @returns {Object} { verifier: string, challenge: string }
+ */
+const generatePKCE = () => {
+  // Generate a random 32-byte code verifier (base64url encoded)
+  const verifier = crypto.randomBytes(32)
+    .toString('base64')
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=/g, '');
+  
+  // Generate SHA256 hash of verifier, then base64url encode it
+  const challenge = crypto.createHash('sha256')
+    .update(verifier)
+    .digest('base64')
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=/g, '');
+  
+  return { verifier, challenge };
+};
+
+/**
+ * Generate OAuth authorization URL
+ * @param {'max' | 'console'} mode - 'max' for Claude Pro/Max, 'console' for API key creation
+ * @returns {Object} { url: string, verifier: string }
+ */
+const authorize = (mode = 'max') => {
+  const pkce = generatePKCE();
+  
+  const baseUrl = mode === 'max' 
+    ? 'https://claude.ai/oauth/authorize'
+    : 'https://console.anthropic.com/oauth/authorize';
+  
+  const url = new URL(baseUrl);
+  url.searchParams.set('code', 'true');
+  url.searchParams.set('client_id', CLIENT_ID);
+  url.searchParams.set('response_type', 'code');
+  url.searchParams.set('redirect_uri', REDIRECT_URI);
+  url.searchParams.set('scope', 'org:create_api_key user:profile user:inference');
+  url.searchParams.set('code_challenge', pkce.challenge);
+  url.searchParams.set('code_challenge_method', 'S256');
+  url.searchParams.set('state', pkce.verifier);
+  
+  return {
+    url: url.toString(),
+    verifier: pkce.verifier
+  };
+};
+
+/**
+ * Make HTTPS request
+ * @param {string} url - Full URL
+ * @param {Object} options - Request options
+ * @returns {Promise<Object>} Response JSON
+ */
+const makeRequest = (url, options) => {
+  return new Promise((resolve, reject) => {
+    const req = https.request(url, {
+      method: options.method || 'POST',
+      headers: options.headers || {}
+    }, (res) => {
+      let data = '';
+      res.on('data', chunk => data += chunk);
+      res.on('end', () => {
+        try {
+          const json = JSON.parse(data);
+          if (res.statusCode >= 200 && res.statusCode < 300) {
+            resolve(json);
+          } else {
+            reject(new Error(json.error?.message || `HTTP ${res.statusCode}: ${data}`));
+          }
+        } catch (e) {
+          reject(new Error(`Invalid JSON response: ${data.substring(0, 200)}`));
+        }
+      });
+    });
+    
+    req.on('error', reject);
+    
+    if (options.body) {
+      req.write(JSON.stringify(options.body));
+    }
+    req.end();
+  });
+};
+
+/**
+ * Exchange authorization code for tokens
+ * @param {string} code - Authorization code from callback (format: code#state)
+ * @param {string} verifier - PKCE code verifier
+ * @returns {Promise<Object>} { type: 'success', access: string, refresh: string, expires: number } or { type: 'failed' }
+ * 
+ * Data source: https://console.anthropic.com/v1/oauth/token (POST)
+ */
+const exchange = async (code, verifier) => {
+  try {
+    // Code format from callback: "authorization_code#state"
+    const splits = code.split('#');
+    const authCode = splits[0];
+    const state = splits[1] || '';
+    
+    const response = await makeRequest('https://console.anthropic.com/v1/oauth/token', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json'
+      },
+      body: {
+        code: authCode,
+        state: state,
+        grant_type: 'authorization_code',
+        client_id: CLIENT_ID,
+        redirect_uri: REDIRECT_URI,
+        code_verifier: verifier
+      }
+    });
+    
+    return {
+      type: 'success',
+      access: response.access_token,
+      refresh: response.refresh_token,
+      expires: Date.now() + (response.expires_in * 1000)
+    };
+  } catch (error) {
+    return {
+      type: 'failed',
+      error: error.message
+    };
+  }
+};
+
+/**
+ * Refresh access token using refresh token
+ * @param {string} refreshToken - The refresh token
+ * @returns {Promise<Object>} { type: 'success', access: string, refresh: string, expires: number } or { type: 'failed' }
+ * 
+ * Data source: https://console.anthropic.com/v1/oauth/token (POST)
+ */
+const refreshToken = async (refreshToken) => {
+  try {
+    const response = await makeRequest('https://console.anthropic.com/v1/oauth/token', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json'
+      },
+      body: {
+        grant_type: 'refresh_token',
+        refresh_token: refreshToken,
+        client_id: CLIENT_ID
+      }
+    });
+    
+    return {
+      type: 'success',
+      access: response.access_token,
+      refresh: response.refresh_token,
+      expires: Date.now() + (response.expires_in * 1000)
+    };
+  } catch (error) {
+    return {
+      type: 'failed',
+      error: error.message
+    };
+  }
+};
+
+/**
+ * Create an API key using OAuth token (for console mode)
+ * @param {string} accessToken - The access token
+ * @returns {Promise<Object>} { type: 'success', key: string } or { type: 'failed' }
+ * 
+ * Data source: https://api.anthropic.com/api/oauth/claude_cli/create_api_key (POST)
+ */
+const createApiKey = async (accessToken) => {
+  try {
+    const response = await makeRequest('https://api.anthropic.com/api/oauth/claude_cli/create_api_key', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${accessToken}`
+      }
+    });
+    
+    return {
+      type: 'success',
+      key: response.raw_key
+    };
+  } catch (error) {
+    return {
+      type: 'failed',
+      error: error.message
+    };
+  }
+};
+
+/**
+ * Get valid access token (refresh if expired)
+ * @param {Object} oauthData - OAuth data { access, refresh, expires }
+ * @returns {Promise<Object>} { access: string, refresh: string, expires: number, refreshed: boolean }
+ */
+const getValidToken = async (oauthData) => {
+  if (!oauthData || !oauthData.refresh) {
+    return null;
+  }
+  
+  // Check if token is expired or will expire in the next 5 minutes
+  const expirationBuffer = 5 * 60 * 1000; // 5 minutes
+  if (oauthData.expires && oauthData.expires > Date.now() + expirationBuffer) {
+    return {
+      ...oauthData,
+      refreshed: false
+    };
+  }
+  
+  // Token expired or about to expire, refresh it
+  const result = await refreshToken(oauthData.refresh);
+  if (result.type === 'success') {
+    return {
+      access: result.access,
+      refresh: result.refresh,
+      expires: result.expires,
+      refreshed: true
+    };
+  }
+  
+  return null;
+};
+
+/**
+ * Check if credentials are OAuth tokens
+ * @param {Object} credentials - Agent credentials
+ * @returns {boolean}
+ */
+const isOAuthCredentials = (credentials) => {
+  return credentials && credentials.oauth && credentials.oauth.refresh;
+};
+
+module.exports = {
+  CLIENT_ID,
+  REDIRECT_URI,
+  generatePKCE,
+  authorize,
+  exchange,
+  refreshToken,
+  createApiKey,
+  getValidToken,
+  isOAuthCredentials
+};

package/src/services/ai/providers/index.js

@@ -10,17 +10,8 @@ const PROVIDERS = {
     name: 'OPENROUTER (RECOMMENDED)',
     description: '1 API key for 100+ models',
     category: 'unified',
-    models: [
-      'anthropic/claude-sonnet-4',
-      'anthropic/claude-3-opus',
-      'openai/gpt-4o',
-      'openai/gpt-4-turbo',
-      'google/gemini-pro-1.5',
-      'meta-llama/llama-3-70b',
-      'mistralai/mistral-large',
-      'deepseek/deepseek-chat'
-    ],
-    defaultModel: 'anthropic/claude-sonnet-4',
+    models: [], // Fetched from API at runtime
+    defaultModel: null, // Will use first model from API
     options: [
       {
         id: 'api_key',
@@ -46,6 +37,16 @@ const PROVIDERS = {
     models: [], // Fetched from API at runtime
     defaultModel: null, // Will use first model from API
     options: [
+      {
+        id: 'oauth_max',
+        label: 'CLAUDE PRO/MAX (OAUTH)',
+        description: [
+          'Login with your Claude subscription',
+          'Unlimited usage with your plan'
+        ],
+        fields: ['oauth'],
+        authType: 'oauth'
+      },
       {
         id: 'api_key',
         label: 'API KEY (PAY-PER-USE)',