jeo-code 0.1.0

package/src/auth/callback-server.ts

@@ -0,0 +1,195 @@
+/**
+ * Local OAuth callback server + flow base class.
+ *
+ * Pure-TS / Bun.serve reimplementation of gjc's
+ * `packages/ai/src/utils/oauth/callback-server.ts`. Handles:
+ *  - preferred-port binding with random fallback (unless a fixed redirectUri is required)
+ *  - CSRF state validation
+ *  - browser callback OR manual paste of the redirect URL / code (whichever lands first)
+ */
+import type { OAuthController, OAuthCredentials } from "./types";
+import { generateState } from "./pkce";
+
+const DEFAULT_TIMEOUT_MS = 300_000;
+const DEFAULT_HOSTNAME = "localhost";
+const DEFAULT_CALLBACK_PATH = "/callback";
+
+export interface OAuthCallbackFlowOptions {
+  preferredPort: number;
+  callbackPath?: string;
+  callbackHostname?: string;
+  /** Exact redirect URI advertised to the provider; disables port fallback when set. */
+  redirectUri?: string;
+}
+
+export type CallbackResult = { code: string; state: string };
+
+const SUCCESS_HTML = `<!doctype html><html><head><meta charset="utf-8"><title>joc — login complete</title>
+<style>body{font-family:system-ui,sans-serif;background:#0d1117;color:#e6edf3;display:flex;align-items:center;justify-content:center;height:100vh;margin:0}
+.card{text-align:center;padding:2rem 3rem;border:1px solid #30363d;border-radius:12px;background:#161b22}
+h1{margin:0 0 .5rem;font-size:1.4rem}p{margin:0;color:#8b949e}</style></head>
+<body><div class="card"><h1>__TITLE__</h1><p>__MSG__</p></div></body></html>`;
+
+function renderHtml(ok: boolean, msg: string): string {
+  return SUCCESS_HTML
+    .replace("__TITLE__", ok ? "Login complete \u2713" : "Login failed")
+    .replace("__MSG__", msg);
+}
+
+export abstract class OAuthCallbackFlow {
+  protected ctrl: OAuthController;
+  protected preferredPort: number;
+  protected callbackPath: string;
+  protected callbackHostname: string;
+  protected fixedRedirectUri?: string;
+  #resolve?: (r: CallbackResult) => void;
+  #reject?: (e: Error) => void;
+
+  constructor(ctrl: OAuthController, opts: number | OAuthCallbackFlowOptions, callbackPath = DEFAULT_CALLBACK_PATH) {
+    this.ctrl = ctrl;
+    if (typeof opts === "number") {
+      this.preferredPort = opts;
+      this.callbackPath = callbackPath;
+      this.callbackHostname = DEFAULT_HOSTNAME;
+      return;
+    }
+    this.preferredPort = opts.preferredPort;
+    this.callbackPath = opts.callbackPath ?? DEFAULT_CALLBACK_PATH;
+    this.callbackHostname = opts.callbackHostname ?? DEFAULT_HOSTNAME;
+    this.fixedRedirectUri = opts.redirectUri;
+  }
+
+  abstract generateAuthUrl(state: string, redirectUri: string): Promise<{ url: string; instructions?: string }>;
+  abstract exchangeToken(code: string, state: string, redirectUri: string): Promise<OAuthCredentials>;
+
+  async login(): Promise<OAuthCredentials> {
+    const state = generateState();
+    const { server, redirectUri } = this.#startServer(state);
+    try {
+      const { url, instructions } = await this.generateAuthUrl(state, redirectUri);
+      this.ctrl.onAuth?.({ url, instructions });
+      this.ctrl.onProgress?.("Waiting for browser authentication...");
+      const { code, state: returnedState } = await this.#waitForCallback(state);
+      this.ctrl.onProgress?.("Exchanging authorization code for tokens...");
+      return await this.exchangeToken(code, returnedState || state, redirectUri);
+    } finally {
+      server.stop();
+    }
+  }
+
+  #startServer(expectedState: string): { server: Bun.Server<unknown>; redirectUri: string } {
+    const serve = (port: number) =>
+      Bun.serve({
+        hostname: this.callbackHostname,
+        port,
+        fetch: req => this.#handle(req, expectedState),
+      });
+    try {
+      const server = serve(this.preferredPort);
+      const redirectUri =
+        this.fixedRedirectUri ?? `http://${this.callbackHostname}:${server.port}${this.callbackPath}`;
+      return { server, redirectUri };
+    } catch {
+      if (this.fixedRedirectUri) {
+        throw new Error(
+          `OAuth callback port ${this.preferredPort} unavailable and this provider requires a fixed redirect URI.`
+        );
+      }
+      const server = serve(0);
+      const redirectUri = `http://${this.callbackHostname}:${server.port}${this.callbackPath}`;
+      this.ctrl.onProgress?.(`Port ${this.preferredPort} busy; using ${server.port}.`);
+      return { server, redirectUri };
+    }
+  }
+
+  #handle(req: Request, expectedState: string): Response {
+    const url = new URL(req.url);
+    if (url.pathname !== this.callbackPath) return new Response("Not Found", { status: 404 });
+
+    const code = url.searchParams.get("code");
+    const state = url.searchParams.get("state") || "";
+    const error = url.searchParams.get("error");
+    const errorDesc = url.searchParams.get("error_description") || error;
+
+    let ok = false;
+    let message: string;
+    if (error) message = `Authorization failed: ${errorDesc}`;
+    else if (!code) message = "Missing authorization code";
+    else if (expectedState && state !== expectedState) message = "State mismatch — possible CSRF attack";
+    else {
+      ok = true;
+      message = "You can close this tab and return to the terminal.";
+    }
+
+    const resolve = this.#resolve;
+    const reject = this.#reject;
+    queueMicrotask(() => {
+      if (ok && code) resolve?.({ code, state });
+      else reject?.(new Error(message));
+    });
+
+    return new Response(renderHtml(ok, message), {
+      status: ok ? 200 : 400,
+      headers: { "content-type": "text/html" },
+    });
+  }
+
+  #waitForCallback(expectedState: string): Promise<CallbackResult> {
+    const timeout = AbortSignal.timeout(DEFAULT_TIMEOUT_MS);
+    const signal = this.ctrl.signal ? AbortSignal.any([this.ctrl.signal, timeout]) : timeout;
+
+    const callbackPromise = new Promise<CallbackResult>((resolve, reject) => {
+      this.#resolve = resolve;
+      this.#reject = reject;
+      signal.addEventListener("abort", () => {
+        this.#resolve = undefined;
+        this.#reject = undefined;
+        reject(new Error(`OAuth callback cancelled: ${signal.reason}`));
+      });
+    });
+
+    if (this.ctrl.onManualCodeInput) {
+      const ask = this.ctrl.onManualCodeInput;
+      const manualPromise = (async (): Promise<CallbackResult> => {
+        while (true) {
+          const result = await Promise.race<CallbackResult | null>([
+            callbackPromise,
+            ask()
+              .then(input => {
+                const parsed = parseCallbackInput(input);
+                if (!parsed.code) return null;
+                if (expectedState && parsed.state !== expectedState) return null; // reject missing OR mismatched state
+                return { code: parsed.code, state: parsed.state ?? "" } as CallbackResult;
+              })
+              .catch(() => null),
+          ]);
+          if (result) return result;
+        }
+      })();
+      return Promise.race([callbackPromise, manualPromise]);
+    }
+
+    return callbackPromise;
+  }
+}
+
+/** Parse a pasted redirect URL or bare `code#state` into its parts. */
+export function parseCallbackInput(input: string): { code?: string; state?: string } {
+  const value = input.trim();
+  if (!value) return {};
+  try {
+    const url = new URL(value);
+    return {
+      code: url.searchParams.get("code") ?? undefined,
+      state: url.searchParams.get("state") ?? undefined,
+    };
+  } catch {
+    /* not a URL */
+  }
+  if (value.includes("code=")) {
+    const params = new URLSearchParams(value.replace(/^[?#]/, ""));
+    return { code: params.get("code") ?? undefined, state: params.get("state") ?? undefined };
+  }
+  const [code, state] = value.split("#", 2);
+  return { code, state };
+}

package/src/auth/flows/anthropic.ts

@@ -0,0 +1,114 @@
+/**
+ * Anthropic (Claude Pro/Max) OAuth — real PKCE flow.
+ * Faithful port of gjc's packages/ai/src/utils/oauth/anthropic.ts.
+ *
+ * The resulting access token is used as `Authorization: Bearer` with the
+ * `anthropic-beta: oauth-2025-04-20` header against api.anthropic.com/v1/messages.
+ */
+import { OAuthCallbackFlow } from "../callback-server";
+import { generatePKCE } from "../pkce";
+import type { OAuthController, OAuthCredentials } from "../types";
+
+const decode = (s: string) => atob(s);
+const CLIENT_ID = decode("OWQxYzI1MGEtZTYxYi00NGQ5LTg4ZWQtNTk0NGQxOTYyZjVl");
+const AUTHORIZE_URL = "https://claude.ai/oauth/authorize";
+const TOKEN_URL = "https://api.anthropic.com/v1/oauth/token";
+const CALLBACK_PORT = 54545;
+const CALLBACK_PATH = "/callback";
+const SCOPES = "org:create_api_key user:profile user:inference";
+
+interface AnthropicTokenResponse {
+  access_token: string;
+  refresh_token: string;
+  expires_in: number;
+  account?: { uuid?: string; email_address?: string };
+}
+
+async function postJson(url: string, body: Record<string, string>): Promise<AnthropicTokenResponse> {
+  const res = await fetch(url, {
+    method: "POST",
+    headers: { "content-type": "application/json", accept: "application/json" },
+    body: JSON.stringify(body),
+    signal: AbortSignal.timeout(30_000),
+  });
+  const text = await res.text();
+  if (!res.ok) throw new Error(`Anthropic OAuth request failed (HTTP ${res.status}): ${text}`);
+  try {
+    return JSON.parse(text) as AnthropicTokenResponse;
+  } catch {
+    throw new Error(`Anthropic OAuth returned invalid JSON: ${text}`);
+  }
+}
+
+function lift(data: AnthropicTokenResponse): OAuthCredentials {
+  const uuid = data.account?.uuid;
+  const email = data.account?.email_address;
+  return {
+    access: data.access_token,
+    refresh: data.refresh_token,
+    expires: Date.now() + data.expires_in * 1000 - 5 * 60 * 1000,
+    accountId: typeof uuid === "string" && uuid ? uuid : undefined,
+    email: typeof email === "string" && email ? email : undefined,
+  };
+}
+
+class AnthropicOAuthFlow extends OAuthCallbackFlow {
+  #verifier = "";
+
+  constructor(ctrl: OAuthController) {
+    super(ctrl, { preferredPort: CALLBACK_PORT, callbackPath: CALLBACK_PATH });
+  }
+
+  async generateAuthUrl(state: string, redirectUri: string) {
+    const pkce = await generatePKCE();
+    this.#verifier = pkce.verifier;
+    const params = new URLSearchParams({
+      code: "true",
+      client_id: CLIENT_ID,
+      response_type: "code",
+      redirect_uri: redirectUri,
+      scope: SCOPES,
+      code_challenge: pkce.challenge,
+      code_challenge_method: "S256",
+      state,
+    });
+    return {
+      url: `${AUTHORIZE_URL}?${params.toString()}`,
+      instructions:
+        "Approve in your browser. If it cannot reach this machine, paste the final redirect URL or code when prompted.",
+    };
+  }
+
+  async exchangeToken(code: string, state: string, redirectUri: string): Promise<OAuthCredentials> {
+    let exchangeCode = code;
+    let exchangeState = state;
+    const hashIdx = code.indexOf("#");
+    if (hashIdx >= 0) {
+      exchangeCode = code.slice(0, hashIdx);
+      const frag = code.slice(hashIdx + 1);
+      if (frag) exchangeState = frag;
+    }
+    const data = await postJson(TOKEN_URL, {
+      grant_type: "authorization_code",
+      client_id: CLIENT_ID,
+      code: exchangeCode,
+      state: exchangeState,
+      redirect_uri: redirectUri,
+      code_verifier: this.#verifier,
+    });
+    return lift(data);
+  }
+}
+
+export async function loginAnthropic(ctrl: OAuthController): Promise<OAuthCredentials> {
+  return new AnthropicOAuthFlow(ctrl).login();
+}
+
+export async function refreshAnthropicToken(refreshToken: string): Promise<OAuthCredentials> {
+  const data = await postJson(TOKEN_URL, {
+    grant_type: "refresh_token",
+    client_id: CLIENT_ID,
+    refresh_token: refreshToken,
+  });
+  return { ...lift(data), refresh: data.refresh_token || refreshToken };
+}

package/src/auth/flows/google.ts

@@ -0,0 +1,120 @@
+/**
+ * Google (Gemini CLI / Cloud Code Assist) OAuth — standard authorization-code flow.
+ * Port of gjc's google-oauth-shared.ts + google-gemini-cli.ts constants.
+ *
+ * NOTE: these tokens authenticate against Google's Cloud Code Assist backend.
+ * joc's default `gemini` adapter targets the public generativelanguage API,
+ * which prefers an API key (`GEMINI_API_KEY`). The login/refresh machinery is
+ * real; project provisioning is best-effort (env-driven) to keep joc lean.
+ */
+import { OAuthCallbackFlow } from "../callback-server";
+import type { OAuthController, OAuthCredentials } from "../types";
+
+const decode = (s: string) => atob(s);
+const CLIENT_ID = decode(
+  "NjgxMjU1ODA5Mzk1LW9vOGZ0Mm9wcmRybnA5ZTNhcWY2YXYzaG1kaWIxMzVqLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29t"
+);
+// Google's installed-app ("desktop") OAuth client secret is not a true secret —
+// gemini-cli ships it publicly — but committing the literal trips secret
+// scanners. Source it from env so the repo stays clean; the gemini-cli value is
+// the documented default for `GEMINI_OAUTH_CLIENT_SECRET`.
+const CLIENT_SECRET = process.env.GEMINI_OAUTH_CLIENT_SECRET ?? "";
+
+function requireClientSecret(): string {
+  if (!CLIENT_SECRET) {
+    throw new Error(
+      "Google OAuth requires GEMINI_OAUTH_CLIENT_SECRET (the public gemini-cli desktop client secret). " +
+        "Set it in your environment, or use a GEMINI_API_KEY with the bundled adapter instead."
+    );
+  }
+  return CLIENT_SECRET;
+}
+const AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth";
+const TOKEN_URL = "https://oauth2.googleapis.com/token";
+const CALLBACK_PORT = 8085;
+const CALLBACK_PATH = "/oauth2callback";
+const SCOPES = [
+  "https://www.googleapis.com/auth/cloud-platform",
+  "https://www.googleapis.com/auth/userinfo.email",
+  "https://www.googleapis.com/auth/userinfo.profile",
+];
+
+async function getUserEmail(access: string): Promise<string | undefined> {
+  try {
+    const res = await fetch("https://www.googleapis.com/oauth2/v1/userinfo?alt=json", {
+      headers: { authorization: `Bearer ${access}` },
+    });
+    if (res.ok) return ((await res.json()) as { email?: string }).email;
+  } catch {
+    /* email is optional */
+  }
+  return undefined;
+}
+
+class GoogleOAuthFlow extends OAuthCallbackFlow {
+  constructor(ctrl: OAuthController) {
+    super(ctrl, { preferredPort: CALLBACK_PORT, callbackPath: CALLBACK_PATH });
+  }
+
+  async generateAuthUrl(state: string, redirectUri: string) {
+    const params = new URLSearchParams({
+      client_id: CLIENT_ID,
+      response_type: "code",
+      redirect_uri: redirectUri,
+      scope: SCOPES.join(" "),
+      state,
+      access_type: "offline",
+      prompt: "consent",
+    });
+    return { url: `${AUTH_URL}?${params.toString()}`, instructions: "Complete the sign-in in your browser." };
+  }
+
+  async exchangeToken(code: string, _state: string, redirectUri: string): Promise<OAuthCredentials> {
+    const res = await fetch(TOKEN_URL, {
+      method: "POST",
+      headers: { "content-type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({
+        client_id: CLIENT_ID,
+        client_secret: requireClientSecret(),
+        code,
+        grant_type: "authorization_code",
+        redirect_uri: redirectUri,
+      }),
+    });
+    if (!res.ok) throw new Error(`Google token exchange failed (HTTP ${res.status}): ${await res.text()}`);
+    const data = (await res.json()) as { access_token: string; refresh_token?: string; expires_in: number };
+    if (!data.refresh_token) throw new Error("No refresh token received from Google. Try again with prompt=consent.");
+    const email = await getUserEmail(data.access_token);
+    return {
+      access: data.access_token,
+      refresh: data.refresh_token,
+      expires: Date.now() + data.expires_in * 1000 - 5 * 60 * 1000,
+      email,
+      projectId: process.env.GOOGLE_CLOUD_PROJECT || process.env.GOOGLE_CLOUD_PROJECT_ID || undefined,
+    };
+  }
+}
+
+export async function loginGoogle(ctrl: OAuthController): Promise<OAuthCredentials> {
+  return new GoogleOAuthFlow(ctrl).login();
+}
+
+export async function refreshGoogleToken(refreshToken: string): Promise<OAuthCredentials> {
+  const res = await fetch(TOKEN_URL, {
+    method: "POST",
+    headers: { "content-type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      client_id: CLIENT_ID,
+      client_secret: requireClientSecret(),
+      refresh_token: refreshToken,
+      grant_type: "refresh_token",
+    }),
+  });
+  if (!res.ok) throw new Error(`Google token refresh failed (HTTP ${res.status}): ${await res.text()}`);
+  const data = (await res.json()) as { access_token: string; expires_in: number; refresh_token?: string };
+  return {
+    access: data.access_token,
+    refresh: data.refresh_token || refreshToken,
+    expires: Date.now() + data.expires_in * 1000 - 5 * 60 * 1000,
+  };
+}

package/src/auth/flows/index.ts

@@ -0,0 +1,50 @@
+/** Per-provider OAuth login + refresh dispatch. */
+import type { AuthProvider } from "../storage";
+import type { OAuthController, OAuthCredentials } from "../types";
+import { loginAnthropic, refreshAnthropicToken } from "./anthropic";
+import { loginOpenAI, refreshOpenAIToken } from "./openai";
+import { loginGoogle, refreshGoogleToken } from "./google";
+
+export interface OAuthFlow {
+  readonly provider: AuthProvider;
+  readonly label: string;
+  /** Run the interactive browser/PKCE login. */
+  login(ctrl: OAuthController): Promise<OAuthCredentials>;
+  /** Exchange a refresh token for a fresh access token. */
+  refresh(refreshToken: string): Promise<OAuthCredentials>;
+  /** Whether the minted token works with joc's bundled adapter end-to-end. */
+  readonly verifiedEndToEnd: boolean;
+  /** Human note about adapter compatibility. */
+  readonly note?: string;
+}
+
+export const OAUTH_FLOW_REGISTRY: Record<AuthProvider, OAuthFlow> = {
+  anthropic: {
+    provider: "anthropic",
+    label: "Anthropic (Claude Pro/Max)",
+    login: loginAnthropic,
+    refresh: refreshAnthropicToken,
+    verifiedEndToEnd: true,
+    note: "Works directly with the bundled Anthropic Messages adapter.",
+  },
+  openai: {
+    provider: "openai",
+    label: "OpenAI (ChatGPT/Codex)",
+    login: loginOpenAI,
+    refresh: refreshOpenAIToken,
+    verifiedEndToEnd: false,
+    note: "Token targets the ChatGPT/Codex backend; the bundled chat adapter expects an OPENAI_API_KEY.",
+  },
+  gemini: {
+    provider: "gemini",
+    label: "Google (Gemini CLI / Cloud Code Assist)",
+    login: loginGoogle,
+    refresh: refreshGoogleToken,
+    verifiedEndToEnd: false,
+    note: "Token targets Cloud Code Assist; the bundled generativelanguage adapter prefers GEMINI_API_KEY.",
+  },
+};
+
+export { loginAnthropic, refreshAnthropicToken } from "./anthropic";
+export { loginOpenAI, refreshOpenAIToken } from "./openai";
+export { loginGoogle, refreshGoogleToken } from "./google";

package/src/auth/flows/openai.ts

@@ -0,0 +1,130 @@
+/**
+ * OpenAI (ChatGPT / Codex) OAuth — real PKCE flow with device-code fallback.
+ * Faithful port of gjc's packages/ai/src/utils/oauth/openai-codex.ts.
+ *
+ * NOTE: tokens minted here authenticate against OpenAI's ChatGPT/Codex
+ * backend. joc's default `openai` adapter targets the Chat Completions API,
+ * which expects a platform API key. Use this flow with a Codex-compatible
+ * endpoint, or prefer an `OPENAI_API_KEY` for the bundled chat adapter.
+ */
+import { OAuthCallbackFlow } from "../callback-server";
+import { generatePKCE } from "../pkce";
+import type { OAuthController, OAuthCredentials } from "../types";
+
+const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+const AUTHORIZE_URL = "https://auth.openai.com/oauth/authorize";
+const TOKEN_URL = "https://auth.openai.com/oauth/token";
+const CALLBACK_PORT = 1455;
+const CALLBACK_PATH = "/auth/callback";
+const SCOPE = "openid profile email offline_access";
+const TIMEOUT_MS = 15_000;
+const JWT_AUTH_CLAIM = "https://api.openai.com/auth";
+const JWT_PROFILE_CLAIM = "https://api.openai.com/profile";
+
+function decodeJwt<T = Record<string, unknown>>(token: string): T | null {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    return JSON.parse(Buffer.from(parts[1] ?? "", "base64").toString("utf-8")) as T;
+  } catch {
+    return null;
+  }
+}
+
+function profileFromToken(access: string): { accountId?: string; email?: string } {
+  const payload = decodeJwt<Record<string, any>>(access);
+  const accountId = payload?.[JWT_AUTH_CLAIM]?.chatgpt_account_id;
+  const email = payload?.[JWT_PROFILE_CLAIM]?.email?.trim?.().toLowerCase?.();
+  return {
+    accountId: typeof accountId === "string" && accountId ? accountId : undefined,
+    email: typeof email === "string" && email ? email : undefined,
+  };
+}
+
+async function exchangeCodeForToken(code: string, verifier: string, redirectUri: string): Promise<OAuthCredentials> {
+  const res = await fetch(TOKEN_URL, {
+    method: "POST",
+    headers: { "content-type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "authorization_code",
+      client_id: CLIENT_ID,
+      code,
+      code_verifier: verifier,
+      redirect_uri: redirectUri,
+    }),
+    signal: AbortSignal.timeout(TIMEOUT_MS),
+  });
+  if (!res.ok) throw new Error(`OpenAI token exchange failed (HTTP ${res.status}): ${await res.text()}`);
+  const data = (await res.json()) as { access_token?: string; refresh_token?: string; expires_in?: number };
+  if (!data.access_token || !data.refresh_token || typeof data.expires_in !== "number") {
+    throw new Error("OpenAI token response missing required fields");
+  }
+  const { accountId, email } = profileFromToken(data.access_token);
+  return {
+    access: data.access_token,
+    refresh: data.refresh_token,
+    expires: Date.now() + data.expires_in * 1000 - 5 * 60 * 1000,
+    accountId,
+    email,
+  };
+}
+
+class OpenAIOAuthFlow extends OAuthCallbackFlow {
+  #verifier = "";
+
+  constructor(ctrl: OAuthController) {
+    super(ctrl, {
+      preferredPort: CALLBACK_PORT,
+      callbackPath: CALLBACK_PATH,
+      redirectUri: `http://localhost:${CALLBACK_PORT}${CALLBACK_PATH}`,
+    });
+  }
+
+  async generateAuthUrl(state: string, redirectUri: string) {
+    const pkce = await generatePKCE();
+    this.#verifier = pkce.verifier;
+    const params = new URLSearchParams({
+      response_type: "code",
+      client_id: CLIENT_ID,
+      redirect_uri: redirectUri,
+      scope: SCOPE,
+      code_challenge: pkce.challenge,
+      code_challenge_method: "S256",
+      state,
+      id_token_add_organizations: "true",
+      codex_cli_simplified_flow: "true",
+      originator: "joc",
+    });
+    return { url: `${AUTHORIZE_URL}?${params.toString()}`, instructions: "Complete login in your browser." };
+  }
+
+  async exchangeToken(code: string, _state: string, redirectUri: string): Promise<OAuthCredentials> {
+    return exchangeCodeForToken(code, this.#verifier, redirectUri);
+  }
+}
+
+export async function loginOpenAI(ctrl: OAuthController): Promise<OAuthCredentials> {
+  return new OpenAIOAuthFlow(ctrl).login();
+}
+
+export async function refreshOpenAIToken(refreshToken: string): Promise<OAuthCredentials> {
+  const res = await fetch(TOKEN_URL, {
+    method: "POST",
+    headers: { "content-type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({ grant_type: "refresh_token", refresh_token: refreshToken, client_id: CLIENT_ID }),
+    signal: AbortSignal.timeout(TIMEOUT_MS),
+  });
+  if (!res.ok) throw new Error(`OpenAI token refresh failed (HTTP ${res.status}): ${await res.text()}`);
+  const data = (await res.json()) as { access_token?: string; refresh_token?: string; expires_in?: number };
+  if (!data.access_token || typeof data.expires_in !== "number") {
+    throw new Error("OpenAI refresh response missing required fields");
+  }
+  const { accountId, email } = profileFromToken(data.access_token);
+  return {
+    access: data.access_token,
+    refresh: data.refresh_token || refreshToken,
+    expires: Date.now() + data.expires_in * 1000 - 5 * 60 * 1000,
+    accountId,
+    email,
+  };
+}

package/src/auth/index.ts

@@ -0,0 +1,23 @@
+export {
+  resolveCredential,
+  snapshotProvider,
+  getStoredOAuth,
+  setOauthToken,
+  setOauthCredential,
+  clearOauthToken,
+  setApiKey,
+} from "./storage";
+export type { AuthProvider, Credential, AuthSnapshot } from "./storage";
+export {
+  OAUTH_FLOWS,
+  openInBrowser,
+  interactiveLogin,
+  loginOAuth,
+  logoutOAuth,
+} from "./oauth";
+export type { OauthFlowDef } from "./oauth";
+export { refreshOAuthToken, rotateOAuthToken } from "./refresh";
+export type { RefreshResult } from "./refresh";
+export { OAUTH_FLOW_REGISTRY } from "./flows";
+export type { OAuthFlow } from "./flows";
+export type { OAuthController, OAuthCredentials, OAuthAuthInfo } from "./types";