inovabiz-opencode-companion 0.1.0

package/LICENSE

@@ -0,0 +1,42 @@
+# INOVABIZ Proprietary Software License
+
+**Copyright © 2026 INOVABIZ. All Rights Reserved.**
+
+This software and all associated source code, documentation, trademarks, and related materials are the exclusive property of **INOVABIZ** and are protected by applicable copyright and intellectual property laws.
+
+No rights are granted except as expressly provided in this license.
+
+## Limited License
+
+INOVABIZ grants a **limited, non-exclusive, non-transferable, non-sublicensable, and revocable** license to install and use this package **only** to:
+
+* Active employees of INOVABIZ;
+* Active collaborators, contractors, or consultants officially engaged by INOVABIZ; and
+* Any other individual or organization that has received prior written authorization from INOVABIZ.
+
+This license remains valid only while such authorization is in effect. Upon termination of employment, collaboration, contract, or authorization, all rights granted under this license immediately cease, and the software must no longer be used.
+
+## Restrictions
+
+Except as expressly authorized in writing by INOVABIZ, you may not:
+
+* Copy, reproduce, distribute, publish, sublicense, rent, lease, lend, or otherwise make the software available to third parties;
+* Modify, adapt, translate, create derivative works, or incorporate the software into other projects;
+* Reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code, except where expressly permitted by applicable law;
+* Remove or alter any copyright, trademark, or proprietary notices;
+* Use the software for any commercial purpose outside the scope of your authorized relationship with INOVABIZ;
+* Redistribute this package through npm, GitHub, or any other repository or distribution channel.
+
+## Ownership
+
+This license does not transfer ownership of the software. All intellectual property rights, including copyrights, trade secrets, trademarks, and all other proprietary rights, remain the exclusive property of INOVABIZ.
+
+## Termination
+
+INOVABIZ may revoke this license at any time, with or without notice. Upon termination, you must immediately cease using the software and destroy all copies in your possession or control.
+
+## Disclaimer
+
+This software is provided "AS IS", without warranties of any kind, express or implied, except where such disclaimers are prohibited by applicable law.
+
+For licensing inquiries or requests for authorization, please contact [INOVABIZ](https://inovabiz.com/).

package/README.md

@@ -0,0 +1,88 @@
+# OpenCode Companion
+
+OpenCode companion plugin for corporate provider authentication and gateway integration.
+
+This package is distributed publicly for installation convenience, but it is not an open source project. Use requires an Entra application, API consent, and backend authorization rules controlled by the owning organization.
+
+## Requirements
+
+- Windows 10/11.
+- Node.js 20 or newer.
+- OpenCode with npm plugin support.
+- A Microsoft Entra public client application.
+- A redirect URI of type **Mobile and desktop applications** using `http://localhost`.
+
+Do not configure or publish a client secret. This plugin uses the Authorization Code flow with PKCE.
+
+## Installation
+
+```powershell
+npm install inovabiz-opencode-companion
+```
+
+Add the package to `opencode.json`:
+
+```json
+{
+  "$schema": "https://opencode.ai/config.json",
+  "plugin": ["inovabiz-opencode-companion"]
+}
+```
+
+## Configuration
+
+Configure the Entra and gateway values either with environment variables or provider options.
+
+Environment variables:
+
+```powershell
+$env:OPENCODE_ENTRA_SSO_TENANT_ID = "<tenant-id>"
+$env:OPENCODE_ENTRA_SSO_CLIENT_ID = "<public-client-id>"
+$env:OPENCODE_ENTRA_SSO_ACCESS_TOKEN_SCOPE = "api://<api-app-id>/<delegated-scope>"
+$env:OPENCODE_ENTRA_SSO_APIM_AUDIENCE = "<expected-token-audience>"
+$env:OPENCODE_ENTRA_SSO_APIM_DELEGATED_SCOPE = "<delegated-scope-name>"
+$env:OPENCODE_ENTRA_SSO_TARGET_BASE_URL = "https://<gateway-host>/<path>/v1"
+```
+
+Provider options:
+
+```json
+{
+  "provider": {
+    "CorporateGateway": {
+      "options": {
+        "baseURL": "https://<gateway-host>/<path>/v1",
+        "inovabizEntraSso": true,
+        "inovabizTenantId": "<tenant-id>",
+        "inovabizClientId": "<public-client-id>",
+        "inovabizAccessTokenScope": "api://<api-app-id>/<delegated-scope>",
+        "inovabizApimAudience": "<expected-token-audience>",
+        "inovabizApimDelegatedScope": "<delegated-scope-name>"
+      }
+    }
+  }
+}
+```
+
+The plugin only modifies requests for providers explicitly marked with `inovabizEntraSso: true`, or providers whose `baseURL` matches `OPENCODE_ENTRA_SSO_TARGET_BASE_URL`.
+
+## Runtime Behavior
+
+For matching providers, the plugin:
+
+- Starts an Entra sign-in flow when a renewable local session is unavailable.
+- Stores MSAL cache data encrypted with Windows DPAPI for the current user.
+- Validates the access token audience and delegated scope before use.
+- Replaces the provider API key in memory with a non-secret marker.
+- Removes the APIM subscription-key header if present.
+- Sends the Entra bearer token plus the encrypted provider API key to the configured gateway.
+
+The backend gateway must still validate JWT issuer, audience, scope, expiration, allowed users or groups, rate limits, and the final API key before forwarding any request.
+
+## Logout
+
+Close OpenCode first, then remove the local token cache:
+
+```powershell
+.\scripts\logout.ps1
+```

package/dist/api-key.d.ts

@@ -0,0 +1,14 @@
+import { type IPersistence } from "@azure/msal-node-extensions";
+export interface LiteLLMApiKeyProvider {
+    getApiKey(options?: LiteLLMApiKeyLookupOptions): Promise<string>;
+}
+export interface LiteLLMApiKeyLookupOptions {
+    accountName?: string;
+    fileName?: string;
+}
+export declare class SecureLiteLLMApiKeyStore implements LiteLLMApiKeyProvider {
+    private persistenceByKey;
+    getApiKey(options?: LiteLLMApiKeyLookupOptions): Promise<string>;
+    private getPersistence;
+}
+export declare function createLiteLLMKeyPersistence(options?: Required<LiteLLMApiKeyLookupOptions>): Promise<IPersistence>;

package/dist/api-key.js

@@ -0,0 +1,46 @@
+import { mkdir } from "node:fs/promises";
+import { join } from "node:path";
+import { DataProtectionScope, PersistenceCreator, } from "@azure/msal-node-extensions";
+import { LITELLM_KEY_ACCOUNT_NAME, LITELLM_KEY_FILE_NAME, LITELLM_KEY_SERVICE_NAME, } from "./config.js";
+export class SecureLiteLLMApiKeyStore {
+    persistenceByKey = new Map();
+    async getApiKey(options = {}) {
+        const value = (await (await this.getPersistence(options)).load())?.trim();
+        if (!value) {
+            throw new Error("LiteLLM API key is not configured in the encrypted Windows store. Run inovabiz-kit setup-opencode again.");
+        }
+        return value;
+    }
+    getPersistence(options) {
+        const accountName = options.accountName || LITELLM_KEY_ACCOUNT_NAME;
+        const fileName = options.fileName || LITELLM_KEY_FILE_NAME;
+        const cacheKey = `${accountName}:${fileName}`;
+        let persistence = this.persistenceByKey.get(cacheKey);
+        if (!persistence) {
+            persistence = createLiteLLMKeyPersistence({ accountName, fileName });
+            this.persistenceByKey.set(cacheKey, persistence);
+        }
+        return persistence;
+    }
+}
+export async function createLiteLLMKeyPersistence(options = {
+    accountName: LITELLM_KEY_ACCOUNT_NAME,
+    fileName: LITELLM_KEY_FILE_NAME,
+}) {
+    if (process.platform !== "win32") {
+        throw new Error("Encrypted LiteLLM API key storage currently supports Windows only.");
+    }
+    const localAppData = process.env.LOCALAPPDATA;
+    if (!localAppData) {
+        throw new Error("LOCALAPPDATA is unavailable; the encrypted LiteLLM key cannot be read.");
+    }
+    const directory = join(localAppData, "Inovabiz", "OpenCodeEntraSso");
+    await mkdir(directory, { recursive: true });
+    return PersistenceCreator.createPersistence({
+        cachePath: join(directory, options.fileName),
+        dataProtectionScope: DataProtectionScope.CurrentUser,
+        serviceName: LITELLM_KEY_SERVICE_NAME,
+        accountName: options.accountName,
+        usePlaintextFileOnLinux: false,
+    });
+}

package/dist/auth.d.ts

@@ -0,0 +1,14 @@
+export interface AccessTokenProvider {
+    getAccessToken(): Promise<string>;
+}
+export declare class EntraTokenService implements AccessTokenProvider {
+    private initialized;
+    private tokenRequest;
+    getAccessToken(): Promise<string>;
+    private initialize;
+    private getClient;
+    private acquireAccessToken;
+    private acquireResourceToken;
+    private acquireApimTokenInteractively;
+}
+export declare function validateApimAccessTokenClaims(token: string): void;

package/dist/auth.js

@@ -0,0 +1,178 @@
+import { mkdir } from "node:fs/promises";
+import { join } from "node:path";
+import { spawn } from "node:child_process";
+import { InteractionRequiredAuthError, PublicClientApplication, } from "@azure/msal-node";
+import { DataProtectionScope, PersistenceCachePlugin, PersistenceCreator, } from "@azure/msal-node-extensions";
+import { CACHE_ACCOUNT_NAME, CACHE_DIRECTORY_NAME, CACHE_FILE_NAME, CACHE_SERVICE_NAME, INTERACTIVE_LOGIN_TIMEOUT_MS, LOGIN_SCOPES, TOKEN_EXPIRY_MARGIN_MS, getConfiguration, } from "./config.js";
+import { TimedLoopbackClient } from "./loopback.js";
+export class EntraTokenService {
+    initialized;
+    tokenRequest;
+    async getAccessToken() {
+        if (!this.tokenRequest) {
+            this.tokenRequest = this.acquireAccessToken().finally(() => {
+                this.tokenRequest = undefined;
+            });
+        }
+        return this.tokenRequest;
+    }
+    async initialize() {
+        if (process.platform !== "win32") {
+            throw new Error("OpenCode Entra SSO v1 supports Windows only.");
+        }
+        const configuration = getConfiguration();
+        const localAppData = process.env.LOCALAPPDATA;
+        if (!localAppData) {
+            throw new Error("OpenCode Entra SSO could not locate LOCALAPPDATA for its DPAPI cache.");
+        }
+        const cacheDirectory = join(localAppData, CACHE_DIRECTORY_NAME);
+        await mkdir(cacheDirectory, { recursive: true });
+        const persistence = await PersistenceCreator.createPersistence({
+            cachePath: join(cacheDirectory, CACHE_FILE_NAME),
+            dataProtectionScope: DataProtectionScope.CurrentUser,
+            serviceName: CACHE_SERVICE_NAME,
+            accountName: CACHE_ACCOUNT_NAME,
+            usePlaintextFileOnLinux: false,
+        });
+        if (!(await persistence.verifyPersistence())) {
+            throw new Error("Windows DPAPI persistence validation failed.");
+        }
+        const client = new PublicClientApplication({
+            auth: {
+                clientId: configuration.clientId,
+                authority: `https://login.microsoftonline.com/${configuration.tenantId}`,
+            },
+            cache: { cachePlugin: new PersistenceCachePlugin(persistence) },
+            system: {
+                loggerOptions: {
+                    piiLoggingEnabled: false,
+                    loggerCallback: () => undefined,
+                },
+            },
+        });
+        return { client, persistence, configurationKey: buildConfigurationKey(configuration) };
+    }
+    getClient() {
+        const configurationKey = buildConfigurationKey(getConfiguration());
+        this.initialized = this.initialized?.then((initialized) => initialized.configurationKey === configurationKey ? initialized : this.initialize()) ?? this.initialize();
+        return this.initialized;
+    }
+    async acquireAccessToken() {
+        try {
+            const { client } = await this.getClient();
+            const accounts = await client.getTokenCache().getAllAccounts();
+            const account = accounts[0];
+            if (account) {
+                const accessToken = await this.acquireResourceToken(client, account);
+                if (accessToken)
+                    return requireApimAccessToken(accessToken);
+            }
+            const result = await this.acquireApimTokenInteractively(client);
+            return requireApimAccessToken(result);
+        }
+        catch (error) {
+            if (error instanceof Error && error.message.startsWith("OpenCode Entra SSO")) {
+                throw error;
+            }
+            const diagnostic = getSafeAuthDiagnostic(error);
+            throw new Error(`OpenCode Entra SSO could not obtain an access token${diagnostic ? ` (${diagnostic})` : ""}. Retry the request or sign in again.`);
+        }
+    }
+    async acquireResourceToken(client, account) {
+        try {
+            let result = await client.acquireTokenSilent({
+                account,
+                scopes: [...getConfiguration().accessTokenScopes],
+            });
+            const expiresAt = result.expiresOn?.getTime() ?? 0;
+            if (expiresAt - Date.now() <= TOKEN_EXPIRY_MARGIN_MS) {
+                result = await client.acquireTokenSilent({
+                    account,
+                    scopes: [...getConfiguration().accessTokenScopes],
+                    forceRefresh: true,
+                });
+            }
+            return result;
+        }
+        catch (error) {
+            if (error instanceof InteractionRequiredAuthError)
+                return undefined;
+            throw error;
+        }
+    }
+    async acquireApimTokenInteractively(client) {
+        const loopbackClient = new TimedLoopbackClient(INTERACTIVE_LOGIN_TIMEOUT_MS);
+        try {
+            return await client.acquireTokenInteractive({
+                scopes: [...LOGIN_SCOPES, ...getConfiguration().accessTokenScopes],
+                loopbackClient,
+                openBrowser: openSystemBrowser,
+                successTemplate: "<!doctype html><meta charset=\"utf-8\"><title>OpenCode SSO</title><p>Autenticación completada. Ya puedes cerrar esta pestaña.</p>",
+                errorTemplate: "<!doctype html><meta charset=\"utf-8\"><title>OpenCode SSO</title><p>No se pudo completar la autenticación. Regresa a OpenCode e inténtalo nuevamente.</p>",
+            });
+        }
+        finally {
+            loopbackClient.closeServer();
+        }
+    }
+}
+function getSafeAuthDiagnostic(error) {
+    if (!error || typeof error !== "object")
+        return undefined;
+    const value = error;
+    const candidates = [value.errorCode, value.subError, value.code];
+    const safe = candidates.filter((candidate) => typeof candidate === "string" && /^[a-zA-Z0-9_.-]{1,100}$/.test(candidate));
+    return safe.length > 0 ? [...new Set(safe)].join("/") : undefined;
+}
+function requireApimAccessToken(result) {
+    if (!result?.accessToken) {
+        throw new Error("Microsoft Entra ID did not issue the APIM access token. Verify delegated API consent.");
+    }
+    validateApimAccessTokenClaims(result.accessToken);
+    return result.accessToken;
+}
+export function validateApimAccessTokenClaims(token) {
+    const claims = decodeJwtPayload(token);
+    const configuration = getConfiguration();
+    if (claims.aud !== configuration.apimAudience) {
+        throw new Error("OpenCode Entra SSO rejected an access token with an unexpected audience.");
+    }
+    const scopes = typeof claims.scp === "string" ? claims.scp.split(/\s+/) : [];
+    if (!scopes.includes(configuration.apimDelegatedScope)) {
+        throw new Error("OpenCode Entra SSO rejected an access token without the required delegated scope.");
+    }
+}
+function buildConfigurationKey(configuration) {
+    return JSON.stringify([
+        configuration.tenantId,
+        configuration.clientId,
+        configuration.accessTokenScopes,
+        configuration.apimAudience,
+        configuration.apimDelegatedScope,
+    ]);
+}
+function decodeJwtPayload(token) {
+    const payload = token.split(".")[1];
+    if (!payload)
+        throw new Error("OpenCode Entra SSO received a malformed access token.");
+    try {
+        return JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
+    }
+    catch {
+        throw new Error("OpenCode Entra SSO received a malformed access token.");
+    }
+}
+async function openSystemBrowser(url) {
+    await new Promise((resolve, reject) => {
+        const child = spawn("rundll32.exe", ["url.dll,FileProtocolHandler", url], {
+            detached: true,
+            stdio: "ignore",
+            windowsHide: true,
+        });
+        child.once("error", () => reject(new Error("The system browser could not be opened.")));
+        child.once("spawn", () => {
+            child.unref();
+            resolve();
+        });
+    });
+}

package/dist/config.d.ts

@@ -0,0 +1,32 @@
+export declare const LOGIN_SCOPES: readonly ["openid", "profile", "email"];
+export declare const TENANT_ID = "146dfa7a-73f6-4095-95d6-113df6b678bc";
+export declare const CLIENT_ID = "10ee19c8-8a43-45f9-b30c-75aedef8b3f7";
+export declare const ACCESS_TOKEN_SCOPES: readonly ["api://4e1b0e54-27ef-487f-9a43-ac969653a9a4/LiteLLM.Access"];
+export declare const APIM_AUDIENCE = "4e1b0e54-27ef-487f-9a43-ac969653a9a4";
+export declare const APIM_DELEGATED_SCOPE = "LiteLLM.Access";
+export declare const TARGET_BASE_URL = "https://apim-inovabiz-transversal.inovabiz.com/litellm/v1";
+export declare const PROVIDER_API_KEY_PLACEHOLDER = "managed-by-inovabiz-entra-sso";
+export declare const FORBIDDEN_API_KEY_HEADER = "ocp-apim-subscription-key";
+export declare const LITELLM_API_KEY_HEADER = "X-LiteLLM-Api-Key";
+export declare const LITELLM_KEY_SERVICE_NAME = "Inovabiz.OpenCode.LiteLLM";
+export declare const LITELLM_KEY_ACCOUNT_NAME = "litellm-api-key";
+export declare const LITELLM_KEY_FILE_NAME = "litellm-api-key.bin";
+export declare const TOKEN_EXPIRY_MARGIN_MS: number;
+export declare const INTERACTIVE_LOGIN_TIMEOUT_MS: number;
+export declare const STARTUP_AUTH_DELAY_MS = 2000;
+export declare const CACHE_SERVICE_NAME = "Inovabiz.OpenCode.APIM";
+export declare const CACHE_ACCOUNT_NAME = "apim-token-cache";
+export declare const CACHE_DIRECTORY_NAME = "Inovabiz/OpenCodeEntraSso";
+export declare const CACHE_FILE_NAME = "apim-token-cache.bin";
+export interface EntraSsoConfiguration {
+    tenantId: string;
+    clientId: string;
+    accessTokenScopes: readonly string[];
+    apimAudience: string;
+    apimDelegatedScope: string;
+    targetBaseUrl?: string;
+}
+export declare function configureFromProviderOptions(options: Record<string, unknown> | undefined): void;
+export declare function getConfiguration(): EntraSsoConfiguration;
+export declare function isConfigurationMissingError(error: unknown): boolean;
+export declare function getTargetBaseUrlFromEnvironment(): string | undefined;

package/dist/config.js

@@ -0,0 +1,118 @@
+export const LOGIN_SCOPES = ["openid", "profile", "email"];
+export const TENANT_ID = "146dfa7a-73f6-4095-95d6-113df6b678bc";
+export const CLIENT_ID = "10ee19c8-8a43-45f9-b30c-75aedef8b3f7";
+export const ACCESS_TOKEN_SCOPES = [
+    "api://4e1b0e54-27ef-487f-9a43-ac969653a9a4/LiteLLM.Access",
+];
+export const APIM_AUDIENCE = "4e1b0e54-27ef-487f-9a43-ac969653a9a4";
+export const APIM_DELEGATED_SCOPE = "LiteLLM.Access";
+export const TARGET_BASE_URL = "https://apim-inovabiz-transversal.inovabiz.com/litellm/v1";
+export const PROVIDER_API_KEY_PLACEHOLDER = "managed-by-inovabiz-entra-sso";
+export const FORBIDDEN_API_KEY_HEADER = "ocp-apim-subscription-key";
+export const LITELLM_API_KEY_HEADER = "X-LiteLLM-Api-Key";
+export const LITELLM_KEY_SERVICE_NAME = "Inovabiz.OpenCode.LiteLLM";
+export const LITELLM_KEY_ACCOUNT_NAME = "litellm-api-key";
+export const LITELLM_KEY_FILE_NAME = "litellm-api-key.bin";
+export const TOKEN_EXPIRY_MARGIN_MS = 5 * 60 * 1000;
+export const INTERACTIVE_LOGIN_TIMEOUT_MS = 2 * 60 * 1000;
+export const STARTUP_AUTH_DELAY_MS = 2_000;
+export const CACHE_SERVICE_NAME = "Inovabiz.OpenCode.APIM";
+export const CACHE_ACCOUNT_NAME = "apim-token-cache";
+export const CACHE_DIRECTORY_NAME = "Inovabiz/OpenCodeEntraSso";
+export const CACHE_FILE_NAME = "apim-token-cache.bin";
+const CONFIG_OPTION_MAP = {
+    tenantId: "inovabizTenantId",
+    clientId: "inovabizClientId",
+    accessTokenScope: "inovabizAccessTokenScope",
+    apimAudience: "inovabizApimAudience",
+    apimDelegatedScope: "inovabizApimDelegatedScope",
+    targetBaseUrl: "inovabizTargetBaseUrl",
+};
+let configuredOptions = {};
+export function configureFromProviderOptions(options) {
+    if (!options)
+        return;
+    const next = {};
+    const tenantId = getStringOption(options, CONFIG_OPTION_MAP.tenantId);
+    const clientId = getStringOption(options, CONFIG_OPTION_MAP.clientId);
+    const accessTokenScope = getStringOption(options, CONFIG_OPTION_MAP.accessTokenScope);
+    const apimAudience = getStringOption(options, CONFIG_OPTION_MAP.apimAudience);
+    const apimDelegatedScope = getStringOption(options, CONFIG_OPTION_MAP.apimDelegatedScope);
+    const targetBaseUrl = getStringOption(options, CONFIG_OPTION_MAP.targetBaseUrl);
+    if (tenantId)
+        next.tenantId = tenantId;
+    if (clientId)
+        next.clientId = clientId;
+    if (accessTokenScope)
+        next.accessTokenScopes = splitScopes(accessTokenScope);
+    if (apimAudience)
+        next.apimAudience = apimAudience;
+    if (apimDelegatedScope)
+        next.apimDelegatedScope = apimDelegatedScope;
+    if (targetBaseUrl)
+        next.targetBaseUrl = targetBaseUrl;
+    configuredOptions = { ...configuredOptions, ...next };
+}
+export function getConfiguration() {
+    const accessTokenScope = readConfigValue("OPENCODE_ENTRA_SSO_ACCESS_TOKEN_SCOPE");
+    const defaultConfiguration = {
+        tenantId: TENANT_ID,
+        clientId: CLIENT_ID,
+        accessTokenScopes: [...ACCESS_TOKEN_SCOPES],
+        apimAudience: APIM_AUDIENCE,
+        apimDelegatedScope: APIM_DELEGATED_SCOPE,
+        targetBaseUrl: TARGET_BASE_URL,
+    };
+    const environmentConfiguration = {};
+    setIfPresent(environmentConfiguration, "tenantId", readConfigValue("OPENCODE_ENTRA_SSO_TENANT_ID"));
+    setIfPresent(environmentConfiguration, "clientId", readConfigValue("OPENCODE_ENTRA_SSO_CLIENT_ID"));
+    if (accessTokenScope)
+        environmentConfiguration.accessTokenScopes = splitScopes(accessTokenScope);
+    setIfPresent(environmentConfiguration, "apimAudience", readConfigValue("OPENCODE_ENTRA_SSO_APIM_AUDIENCE"));
+    setIfPresent(environmentConfiguration, "apimDelegatedScope", readConfigValue("OPENCODE_ENTRA_SSO_APIM_DELEGATED_SCOPE"));
+    setIfPresent(environmentConfiguration, "targetBaseUrl", readConfigValue("OPENCODE_ENTRA_SSO_TARGET_BASE_URL"));
+    const configuration = {
+        ...defaultConfiguration,
+        ...environmentConfiguration,
+        ...configuredOptions,
+    };
+    const missing = [
+        ["tenant ID", configuration.tenantId],
+        ["client ID", configuration.clientId],
+        ["access token scope", configuration.accessTokenScopes?.[0]],
+        ["APIM audience", configuration.apimAudience],
+        ["APIM delegated scope", configuration.apimDelegatedScope],
+    ]
+        .filter(([, value]) => !value)
+        .map(([name]) => name);
+    if (missing.length > 0) {
+        throw new Error(`OpenCode Entra SSO is not configured. Missing ${missing.join(", ")}.`);
+    }
+    const requiredLoginScopes = ["openid", "profile", "email"];
+    if (!requiredLoginScopes.every((scope) => LOGIN_SCOPES.includes(scope))) {
+        throw new Error("OpenCode Entra SSO requires the same OpenID Connect scopes as inovabiz-kit.");
+    }
+    return configuration;
+}
+export function isConfigurationMissingError(error) {
+    return error instanceof Error &&
+        error.message.startsWith("OpenCode Entra SSO is not configured. Missing ");
+}
+export function getTargetBaseUrlFromEnvironment() {
+    return readConfigValue("OPENCODE_ENTRA_SSO_TARGET_BASE_URL") ?? TARGET_BASE_URL;
+}
+function splitScopes(value) {
+    return value.split(/[,\s]+/).map((scope) => scope.trim()).filter(Boolean);
+}
+function getStringOption(options, key) {
+    const value = options[key];
+    return typeof value === "string" && value.trim() ? value.trim() : undefined;
+}
+function readConfigValue(name) {
+    const value = process.env[name];
+    return value?.trim() || undefined;
+}
+function setIfPresent(target, key, value) {
+    if (value !== undefined)
+        target[key] = value;
+}

package/dist/index.d.ts

@@ -0,0 +1,4 @@
+export declare const InovabizOpenCodeCompanionPlugin: import("@opencode-ai/plugin").Plugin;
+export declare const InovabizEntraSsoPlugin: import("@opencode-ai/plugin").Plugin;
+export declare const Plugin: import("@opencode-ai/plugin").Plugin;
+export default InovabizOpenCodeCompanionPlugin;

package/dist/index.js

@@ -0,0 +1,19 @@
+import { createEntraSsoPlugin } from "./plugin.js";
+let tokenService;
+const lazyTokenProvider = {
+    async getAccessToken() {
+        tokenService ??= import("./auth.js").then(({ EntraTokenService }) => new EntraTokenService());
+        return (await tokenService).getAccessToken();
+    },
+};
+let apiKeyStore;
+const lazyApiKeyProvider = {
+    async getApiKey(options) {
+        apiKeyStore ??= import("./api-key.js").then(({ SecureLiteLLMApiKeyStore }) => new SecureLiteLLMApiKeyStore());
+        return (await apiKeyStore).getApiKey(options);
+    },
+};
+export const InovabizOpenCodeCompanionPlugin = createEntraSsoPlugin(lazyTokenProvider, lazyApiKeyProvider);
+export const InovabizEntraSsoPlugin = InovabizOpenCodeCompanionPlugin;
+export const Plugin = InovabizOpenCodeCompanionPlugin;
+export default InovabizOpenCodeCompanionPlugin;

package/dist/loopback.d.ts

@@ -0,0 +1,12 @@
+type AuthorizationResponse = Record<string, string>;
+export declare class TimedLoopbackClient {
+    private readonly timeoutMs;
+    private server;
+    private redirectUri;
+    private timeout;
+    constructor(timeoutMs: number);
+    listenForAuthCode(successTemplate?: string, errorTemplate?: string): Promise<AuthorizationResponse>;
+    getRedirectUri(): string;
+    closeServer(): void;
+}
+export {};

package/dist/loopback.js

@@ -0,0 +1,87 @@
+import { createServer } from "node:http";
+export class TimedLoopbackClient {
+    timeoutMs;
+    server;
+    redirectUri;
+    timeout;
+    constructor(timeoutMs) {
+        this.timeoutMs = timeoutMs;
+    }
+    listenForAuthCode(successTemplate = "Authentication completed. You can close this tab.", errorTemplate = "Authentication failed. Return to OpenCode and try again.") {
+        if (this.server) {
+            return Promise.reject(new Error("The authentication callback server is already running."));
+        }
+        return new Promise((resolve, reject) => {
+            let settled = false;
+            const finish = (action) => {
+                if (settled)
+                    return;
+                settled = true;
+                if (this.timeout)
+                    clearTimeout(this.timeout);
+                action();
+            };
+            this.server = createServer((request, response) => {
+                if (!request.url || !this.redirectUri) {
+                    response.writeHead(400, { "Content-Type": "text/plain; charset=utf-8" });
+                    response.end(errorTemplate);
+                    finish(() => reject(new Error("The authentication callback was invalid.")));
+                    return;
+                }
+                if (request.url === "/") {
+                    response.writeHead(200, {
+                        "Cache-Control": "no-store",
+                        "Content-Type": "text/html; charset=utf-8",
+                    });
+                    response.end(successTemplate);
+                    return;
+                }
+                const callback = new URL(request.url, this.redirectUri);
+                const result = Object.fromEntries(callback.searchParams.entries());
+                const errorCode = result.error?.match(/^[a-zA-Z0-9_.-]+$/)?.[0];
+                response.writeHead(result.code ? 302 : 400, {
+                    "Cache-Control": "no-store",
+                    ...(result.code ? { Location: this.redirectUri } : {}),
+                });
+                response.end(result.code
+                    ? undefined
+                    : `${errorTemplate}${errorCode ? `<p>Código de Entra: ${errorCode}</p>` : ""}`);
+                finish(() => resolve(result));
+            });
+            this.server.once("error", () => {
+                finish(() => reject(new Error("The local authentication callback server could not start.")));
+            });
+            this.server.listen(0, "127.0.0.1", () => {
+                const address = this.server?.address();
+                if (!address || typeof address === "string") {
+                    finish(() => reject(new Error("The local authentication callback port is unavailable.")));
+                    return;
+                }
+                this.redirectUri = `http://localhost:${address.port}`;
+            });
+            this.timeout = setTimeout(() => {
+                this.closeServer();
+                finish(() => reject(new Error("Microsoft Entra sign-in timed out.")));
+            }, this.timeoutMs);
+            this.timeout.unref();
+        });
+    }
+    getRedirectUri() {
+        if (!this.redirectUri) {
+            throw new Error("The local authentication callback server is not ready.");
+        }
+        return this.redirectUri;
+    }
+    closeServer() {
+        if (this.timeout)
+            clearTimeout(this.timeout);
+        this.timeout = undefined;
+        this.redirectUri = undefined;
+        if (!this.server)
+            return;
+        this.server.close();
+        this.server.closeAllConnections?.();
+        this.server.unref();
+        this.server = undefined;
+    }
+}

package/dist/plugin.d.ts

@@ -0,0 +1,5 @@
+import type { Hooks, Plugin } from "@opencode-ai/plugin";
+import type { AccessTokenProvider } from "./auth.js";
+import type { LiteLLMApiKeyProvider } from "./api-key.js";
+export declare function createEntraSsoHooks(tokenProvider: AccessTokenProvider, apiKeyProvider: LiteLLMApiKeyProvider): Hooks;
+export declare function createEntraSsoPlugin(tokenProvider: AccessTokenProvider, apiKeyProvider: LiteLLMApiKeyProvider, validate?: () => void, startupDelayMs?: number): Plugin;

package/dist/plugin.js

@@ -0,0 +1,164 @@
+import { FORBIDDEN_API_KEY_HEADER, LITELLM_API_KEY_HEADER, PROVIDER_API_KEY_PLACEHOLDER, STARTUP_AUTH_DELAY_MS, configureFromProviderOptions, getConfiguration, getTargetBaseUrlFromEnvironment, isConfigurationMissingError, } from "./config.js";
+const PROVIDER_NAME_OPTION = "inovabizProviderName";
+const ENABLED_OPTION = "inovabizEntraSso";
+export function createEntraSsoHooks(tokenProvider, apiKeyProvider) {
+    return {
+        config: async (config) => {
+            for (const [providerName, provider] of Object.entries(config.provider ?? {})) {
+                if (!isTargetProvider(provider.options, providerName))
+                    continue;
+                provider.options ??= {};
+                configureFromProviderOptions(provider.options);
+                provider.options[PROVIDER_NAME_OPTION] = providerName;
+                provider.options.apiKey = buildProviderApiKeyPlaceholder(providerName);
+                removeForbiddenApiKeyHeader(provider.options.headers);
+            }
+        },
+        "chat.headers": async (input, output) => {
+            if (!isTargetProvider(input.provider.options, undefined))
+                return;
+            configureFromProviderOptions(input.provider.options);
+            removeForbiddenApiKeyHeader(output.headers);
+            const apiKeyLookupOptions = buildApiKeyLookupOptions(input.provider.options, getProviderName(input.provider));
+            const [accessToken, apiKey] = await Promise.all([
+                tokenProvider.getAccessToken(),
+                apiKeyProvider.getApiKey(apiKeyLookupOptions),
+            ]);
+            requireUsableApiKey(apiKey);
+            output.headers.Authorization = `Bearer ${accessToken}`;
+            output.headers[LITELLM_API_KEY_HEADER] = apiKey;
+        },
+    };
+}
+function requireUsableApiKey(value) {
+    if (!value.trim() || value === PROVIDER_API_KEY_PLACEHOLDER) {
+        throw new Error("LiteLLM API key is missing from the encrypted store.");
+    }
+}
+function normalizeBaseUrl(value) {
+    if (typeof value !== "string")
+        return undefined;
+    return value.replace(/\/+$/, "").toLowerCase();
+}
+function isTargetBaseUrl(value) {
+    const configuredTarget = normalizeBaseUrl(getTargetBaseUrlFromEnvironment());
+    return !!configuredTarget && normalizeBaseUrl(value) === configuredTarget;
+}
+function isTargetProvider(options, providerName) {
+    const optionTargetBaseUrl = getStringOption(options, "inovabizTargetBaseUrl");
+    const normalizedBaseUrl = normalizeBaseUrl(options?.baseURL);
+    return (options?.[ENABLED_OPTION] === true ||
+        isProviderApiKeyPlaceholder(getStringOption(options, "apiKey")) ||
+        (!!optionTargetBaseUrl && normalizedBaseUrl === normalizeBaseUrl(optionTargetBaseUrl)) ||
+        isTargetBaseUrl(options?.baseURL) ||
+        isInovabizProviderName(providerName));
+}
+function removeForbiddenApiKeyHeader(value) {
+    if (!value || typeof value !== "object")
+        return;
+    const headers = value;
+    for (const name of Object.keys(headers)) {
+        if (name.toLowerCase() === FORBIDDEN_API_KEY_HEADER)
+            delete headers[name];
+    }
+}
+function buildApiKeyLookupOptions(options, providerName) {
+    const accountName = getStringOption(options, "inovabizApiKeyAccount");
+    const fileName = getStringOption(options, "inovabizApiKeyFileName");
+    const placeholderProviderName = getProviderNameFromPlaceholder(getStringOption(options, "apiKey"));
+    const resolvedProviderName = placeholderProviderName || providerName;
+    if (!accountName && !fileName && resolvedProviderName) {
+        const slug = slugifyProviderName(resolvedProviderName);
+        return {
+            accountName: `litellm-api-key-${slug}`,
+            fileName: `litellm-api-key-${slug}.bin`,
+        };
+    }
+    if (!accountName && !fileName) {
+        throw new Error("Inovabiz provider name is unavailable; cannot select the encrypted LiteLLM key for this provider.");
+    }
+    return {
+        ...(accountName ? { accountName } : {}),
+        ...(fileName ? { fileName } : {}),
+    };
+}
+function getProviderName(provider) {
+    const stampedProviderName = getStringOption(provider.options, PROVIDER_NAME_OPTION);
+    if (stampedProviderName)
+        return stampedProviderName;
+    if (typeof provider.info?.id === "string" && provider.info.id.trim()) {
+        return provider.info.id.trim();
+    }
+    const configuredName = getStringOption(provider.options, "name");
+    return configuredName;
+}
+function getStringOption(options, key) {
+    const value = options?.[key];
+    return typeof value === "string" && value.trim() ? value.trim() : undefined;
+}
+function slugifyProviderName(providerName) {
+    return providerName
+        .normalize("NFD")
+        .replace(/[\u0300-\u036f]/g, "")
+        .toLowerCase()
+        .replace(/[^a-z0-9]+/g, "-")
+        .replace(/^-+|-+$/g, "") || "default";
+}
+function buildProviderApiKeyPlaceholder(providerName) {
+    return `${PROVIDER_API_KEY_PLACEHOLDER}:${encodeURIComponent(providerName)}`;
+}
+function getProviderNameFromPlaceholder(value) {
+    if (!value?.startsWith(`${PROVIDER_API_KEY_PLACEHOLDER}:`))
+        return undefined;
+    const encodedProviderName = value.slice(PROVIDER_API_KEY_PLACEHOLDER.length + 1);
+    try {
+        return decodeURIComponent(encodedProviderName);
+    }
+    catch {
+        return undefined;
+    }
+}
+function isProviderApiKeyPlaceholder(value) {
+    return !!value?.startsWith(`${PROVIDER_API_KEY_PLACEHOLDER}:`);
+}
+function isInovabizProviderName(value) {
+    return !!value && value.trim().toLowerCase().includes("inovabiz");
+}
+export function createEntraSsoPlugin(tokenProvider, apiKeyProvider, validate = getConfiguration, startupDelayMs = STARTUP_AUTH_DELAY_MS) {
+    let startupValidation;
+    let startupScheduled = false;
+    const validatedProvider = {
+        getAccessToken: async () => {
+            validate();
+            return tokenProvider.getAccessToken();
+        },
+    };
+    return async () => {
+        if (!startupScheduled) {
+            startupScheduled = true;
+            const timer = setTimeout(() => {
+                try {
+                    validate();
+                }
+                catch (error) {
+                    if (isConfigurationMissingError(error))
+                        return;
+                    const message = error instanceof Error
+                        ? error.message
+                        : "OpenCode Entra SSO session validation failed.";
+                    console.error(`[inovabiz-entra-sso] ${message}`);
+                    return;
+                }
+                startupValidation ??= tokenProvider.getAccessToken();
+                void startupValidation.catch((error) => {
+                    const message = error instanceof Error
+                        ? error.message
+                        : "OpenCode Entra SSO session validation failed.";
+                    console.error(`[inovabiz-entra-sso] ${message}`);
+                });
+            }, startupDelayMs);
+            timer.unref();
+        }
+        return createEntraSsoHooks(validatedProvider, apiKeyProvider);
+    };
+}

package/package.json

@@ -0,0 +1,46 @@
+{
+  "name": "inovabiz-opencode-companion",
+  "version": "0.1.0",
+  "description": "OpenCode companion plugin for corporate provider authentication and gateway integration.",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    },
+    "./auth": {
+      "types": "./dist/auth.d.ts",
+      "import": "./dist/auth.js"
+    }
+  },
+  "files": [
+    "dist/**/*.js",
+    "dist/**/*.d.ts",
+    "LICENSE",
+    "README.md",
+    "scripts/logout.ps1"
+  ],
+  "author": "Inovabiz",
+  "scripts": {
+    "build": "tsc -p tsconfig.build.json",
+    "typecheck": "tsc -p tsconfig.json --noEmit",
+    "test": "node --test --import tsx test/*.test.ts",
+    "test:apim-auth": "tsx scripts/test-apim-auth.ts"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "dependencies": {
+    "@azure/msal-node": "^5.1.2",
+    "@azure/msal-node-extensions": "^5.1.2",
+    "@opencode-ai/plugin": "^1.1.25"
+  },
+  "devDependencies": {
+    "@types/node": "^22.15.3",
+    "tsx": "^4.20.6",
+    "typescript": "^5.8.3"
+  },
+  "license": "UNLICENSED"
+}

package/scripts/logout.ps1

@@ -0,0 +1,10 @@
+$ErrorActionPreference = "Stop"
+
+$cacheDirectory = Join-Path $env:LOCALAPPDATA "Inovabiz\OpenCodeEntraSso"
+$cachePath = Join-Path $cacheDirectory "apim-token-cache.bin"
+$lockPath = "$cachePath.lockfile"
+
+Remove-Item -LiteralPath $cachePath -Force -ErrorAction SilentlyContinue
+Remove-Item -LiteralPath $lockPath -Force -ErrorAction SilentlyContinue
+
+Write-Host "La sesión local de OpenCode Entra SSO fue eliminada."