kimaki 0.4.78 → 0.4.80

package/src/commands/login.ts

@@ -1,5 +1,13 @@
-// /login command - Authenticate with AI providers (OAuth or API key).
-// Supports GitHub Copilot (device flow), OpenAI Codex (device flow), and API keys.
+// /login command — authenticate with AI providers (OAuth or API key).
+//
+// Uses a unified select handler (`login_select:<hash>`) for all sequential
+// select menus (provider → method → plugin prompts). The context tracks a
+// `step` field so one handler drives the whole flow.
+//
+// CustomId patterns:
+//   login_select:<hash>  — all select menus (provider, method, prompts)
+//   login_apikey:<hash>  — API key modal submission
+//   login_text:<hash>    — text prompt modal submission
 
 import {
   ChatInputCommandInteraction,
@@ -10,37 +18,108 @@ import {
   TextInputBuilder,
   TextInputStyle,
   ModalSubmitInteraction,
+  ButtonBuilder,
+  ButtonStyle,
+  type ButtonInteraction,
   ChannelType,
   type ThreadChannel,
   type TextChannel,
   MessageFlags,
 } from 'discord.js'
+import type { AuthHook } from '@opencode-ai/plugin'
 import crypto from 'node:crypto'
-import { initializeOpencodeForDirectory } from '../opencode.js'
+import {
+  initializeOpencodeForDirectory,
+  getOpencodeServerPort,
+} from '../opencode.js'
 import { resolveTextChannel, getKimakiMetadata } from '../discord-utils.js'
 import { createLogger, LogPrefix } from '../logger.js'
+import { buildPaginatedOptions, parsePaginationValue } from './paginated-select.js'
 
 const loginLogger = createLogger(LogPrefix.LOGIN)
 
-// Store context by hash to avoid customId length limits (Discord max: 100 chars).
-// TTL'd to prevent unbounded growth when users open /login and never interact.
+// ── Types ───────────────────────────────────────────────────────
+// Derive prompt types from the plugin package so they stay in sync.
+// Strip runtime-only callback fields (validate, condition) that
+// aren't present in the REST response from the opencode server.
+// Add `when` rule — the server's zod schema includes it but the
+// published plugin package hasn't been updated yet.
+
+type WhenRule = { key: string; op: 'eq' | 'neq'; value: string }
+
+// Extract prompt option type from the plugin's select prompt
+type PluginMethod = AuthHook['methods'][number]
+type PluginSelectPrompt = Extract<
+  NonNullable<PluginMethod['prompts']>[number],
+  { type: 'select' }
+>
+type PromptOption = PluginSelectPrompt['options'][number]
+
+type AuthPromptText = {
+  type: 'text'
+  key: string
+  message: string
+  placeholder?: string
+  when?: WhenRule
+}
+
+type AuthPromptSelect = {
+  type: 'select'
+  key: string
+  message: string
+  options: PromptOption[]
+  when?: WhenRule
+}
+
+type AuthPrompt = AuthPromptText | AuthPromptSelect
+
+type ProviderAuthMethod = {
+  type: 'oauth' | 'api'
+  label: string
+  prompts?: AuthPrompt[]
+}
+
+// ── Login step state machine ────────────────────────────────────
+// Each step describes what the next select menu should show.
+// Steps are built lazily: provider step is set by /login, method
+// and prompt steps are added after the provider is selected.
+
+type StepProvider = { type: 'provider' }
+type StepMethod = { type: 'method'; methods: ProviderAuthMethod[] }
+type StepPrompt = { type: 'prompt'; prompt: AuthPrompt }
+type LoginStep = StepProvider | StepMethod | StepPrompt
+
+type LoginContext = {
+  dir: string
+  channelId: string
+  providerId?: string
+  providerName?: string
+  methodIndex?: number
+  methodType?: 'oauth' | 'api'
+  steps: LoginStep[]
+  stepIndex: number
+  inputs: Record<string, string>
+  providerPage?: number
+}
+
+// ── Context store ───────────────────────────────────────────────
+// Keyed by random hash to stay under Discord's 100-char customId limit.
+// TTL prevents unbounded growth when users open /login and never interact.
+
 const LOGIN_CONTEXT_TTL_MS = 10 * 60 * 1000
-const pendingLoginContexts = new Map<
-  string,
-  {
-    dir: string
-    channelId: string
-    providerId?: string
-    providerName?: string
-    methodIndex?: number
-    methodType?: 'oauth' | 'api'
-    methodLabel?: string
-  }
->()
-
-// Popularity-ordered provider IDs for the select menu.
-// Discord select menus cap at 25 options, so we show these first,
-// then fill remaining slots with unlisted providers alphabetically.
+const pendingLoginContexts = new Map<string, LoginContext>()
+
+function createContextHash(context: LoginContext): string {
+  const hash = crypto.randomBytes(8).toString('hex')
+  pendingLoginContexts.set(hash, context)
+  setTimeout(() => {
+    pendingLoginContexts.delete(hash)
+  }, LOGIN_CONTEXT_TTL_MS).unref()
+  return hash
+}
+
+// ── Provider popularity order ───────────────────────────────────
+// Discord select menus cap at 25 options, so we show popular ones first.
 // IDs sourced from opencode's provider.list() API (scripts/list-providers.ts).
 const PROVIDER_POPULARITY_ORDER: string[] = [
   'anthropic',
@@ -70,15 +149,57 @@ const PROVIDER_POPULARITY_ORDER: string[] = [
   'llama',
 ]
 
-export type ProviderAuthMethod = {
-  type: 'oauth' | 'api'
-  label: string
+// ── Helpers ─────────────────────────────────────────────────────
+
+function extractErrorMessage({
+  error,
+  fallback,
+}: {
+  error: unknown
+  fallback: string
+}): string {
+  if (!error || typeof error !== 'object') {
+    return fallback
+  }
+  const parsed = error as { message?: string; data?: { message?: string } }
+  return parsed.data?.message || parsed.message || fallback
 }
 
-/**
- * Handle the /login slash command.
- * Shows a select menu with available providers.
- */
+function shouldShowPrompt(
+  prompt: AuthPrompt,
+  inputs: Record<string, string>,
+): boolean {
+  if (!prompt.when) {
+    return true
+  }
+  const value = inputs[prompt.when.key]
+  if (prompt.when.op === 'eq') {
+    return value === prompt.when.value
+  }
+  if (prompt.when.op === 'neq') {
+    return value !== prompt.when.value
+  }
+  return true
+}
+
+function buildSelectMenu({
+  customId,
+  placeholder,
+  options,
+}: {
+  customId: string
+  placeholder: string
+  options: Array<{ label: string; value: string; description?: string }>
+}): ActionRowBuilder<StringSelectMenuBuilder> {
+  const menu = new StringSelectMenuBuilder()
+    .setCustomId(customId)
+    .setPlaceholder(placeholder)
+    .addOptions(options)
+  return new ActionRowBuilder<StringSelectMenuBuilder>().addComponents(menu)
+}
+
+// ── /login command ──────────────────────────────────────────────
+
 export async function handleLoginCommand({
   interaction,
 }: {
@@ -87,12 +208,9 @@ export async function handleLoginCommand({
 }): Promise<void> {
   loginLogger.log('[LOGIN] handleLoginCommand called')
 
-  // Defer reply immediately to avoid 3-second timeout
   await interaction.deferReply({ flags: MessageFlags.Ephemeral })
-  loginLogger.log('[LOGIN] Deferred reply')
 
   const channel = interaction.channel
-
   if (!channel) {
     await interaction.editReply({
       content: 'This command can only be used in a channel',
@@ -100,7 +218,6 @@ export async function handleLoginCommand({
     return
   }
 
-  // Determine if we're in a thread or text channel
   const isThread = [
     ChannelType.PublicThread,
     ChannelType.PrivateThread,
@@ -147,24 +264,18 @@ export async function handleLoginCommand({
     })
 
     if (!providersResponse.data) {
-      await interaction.editReply({
-        content: 'Failed to fetch providers',
-      })
+      await interaction.editReply({ content: 'Failed to fetch providers' })
       return
     }
 
     const { all: allProviders, connected } = providersResponse.data
 
     if (allProviders.length === 0) {
-      await interaction.editReply({
-        content: 'No providers available.',
-      })
+      await interaction.editReply({ content: 'No providers available.' })
       return
     }
 
-    // Sort by hardcoded popularity order, then alphabetically for unlisted ones.
-    // Discord select menus cap at 25, so we show the most popular providers.
-    const options = [...allProviders]
+    const allProviderOptions = [...allProviders]
       .sort((a, b) => {
         const rankA = PROVIDER_POPULARITY_ORDER.indexOf(a.id)
         const rankB = PROVIDER_POPULARITY_ORDER.indexOf(b.id)
@@ -175,14 +286,10 @@ export async function handleLoginCommand({
         }
         return a.name.localeCompare(b.name)
       })
-      .slice(0, 25)
       .map((provider) => {
         const isConnected = connected.includes(provider.id)
         return {
-          label: `${provider.name}${isConnected ? ' ✓' : ''}`.slice(
-            0,
-            100,
-          ),
+          label: `${provider.name}${isConnected ? ' ✓' : ''}`.slice(0, 100),
           value: provider.id,
           description: isConnected
             ? 'Connected - select to re-authenticate'
@@ -190,28 +297,29 @@ export async function handleLoginCommand({
         }
       })
 
-    // Store context with a short hash key to avoid customId length limits
-    const context = {
+    const { options } = buildPaginatedOptions({
+      allOptions: allProviderOptions,
+      page: 0,
+    })
+
+    const context: LoginContext = {
       dir: projectDirectory,
       channelId: targetChannelId,
+      steps: [{ type: 'provider' }],
+      stepIndex: 0,
+      inputs: {},
     }
-    const contextHash = crypto.randomBytes(8).toString('hex')
-    pendingLoginContexts.set(contextHash, context)
-    setTimeout(() => {
-      pendingLoginContexts.delete(contextHash)
-    }, LOGIN_CONTEXT_TTL_MS).unref()
-
-    const selectMenu = new StringSelectMenuBuilder()
-      .setCustomId(`login_provider:${contextHash}`)
-      .setPlaceholder('Select a provider to authenticate')
-      .addOptions(options)
-
-    const actionRow =
-      new ActionRowBuilder<StringSelectMenuBuilder>().addComponents(selectMenu)
+    const hash = createContextHash(context)
 
     await interaction.editReply({
       content: '**Authenticate with Provider**\nSelect a provider:',
-      components: [actionRow],
+      components: [
+        buildSelectMenu({
+          customId: `login_select:${hash}`,
+          placeholder: 'Select a provider to authenticate',
+          options,
+        }),
+      ],
     })
   } catch (error) {
     loginLogger.error('Error loading providers:', error)
@@ -221,23 +329,22 @@ export async function handleLoginCommand({
   }
 }
 
-/**
- * Handle the provider select menu interaction.
- * Shows a second select menu with auth methods for the chosen provider.
- */
-export async function handleLoginProviderSelectMenu(
+// ── Unified select handler ──────────────────────────────────────
+// Handles all select menu interactions for the login flow.
+// Reads the current step from context, processes the answer,
+// then either shows the next step or proceeds to authorize/API key.
+
+export async function handleLoginSelect(
   interaction: StringSelectMenuInteraction,
 ): Promise<void> {
-  const customId = interaction.customId
-
-  if (!customId.startsWith('login_provider:')) {
+  if (!interaction.customId.startsWith('login_select:')) {
     return
   }
 
-  const contextHash = customId.replace('login_provider:', '')
-  const context = pendingLoginContexts.get(contextHash)
+  const hash = interaction.customId.replace('login_select:', '')
+  const ctx = pendingLoginContexts.get(hash)
 
-  if (!context) {
+  if (!ctx) {
     await interaction.deferUpdate()
     await interaction.editReply({
       content: 'Selection expired. Please run /login again.',
@@ -246,97 +353,280 @@ export async function handleLoginProviderSelectMenu(
     return
   }
 
-  const selectedProviderId = interaction.values[0]
-  if (!selectedProviderId) {
+  const value = interaction.values[0]
+  if (!value) {
+    await interaction.deferUpdate()
+    await interaction.editReply({
+      content: 'No option selected.',
+      components: [],
+    })
+    return
+  }
+
+  const step = ctx.steps[ctx.stepIndex]
+  if (!step) {
     await interaction.deferUpdate()
     await interaction.editReply({
-      content: 'No provider selected',
+      content: 'Invalid state. Please run /login again.',
       components: [],
     })
     return
   }
 
   try {
-    const getClient = await initializeOpencodeForDirectory(context.dir)
-    if (getClient instanceof Error) {
+    if (step.type === 'provider') {
+      await handleProviderStep(interaction, ctx, hash, value)
+    } else if (step.type === 'method') {
+      await handleMethodStep(interaction, ctx, hash, value, step)
+    } else if (step.type === 'prompt') {
+      await handlePromptStep(interaction, ctx, hash, value, step)
+    }
+  } catch (error) {
+    loginLogger.error('Error in login select:', error)
+    if (!interaction.deferred && !interaction.replied) {
       await interaction.deferUpdate()
-      await interaction.editReply({
-        content: getClient.message,
-        components: [],
-      })
+    }
+    await interaction.editReply({
+      content: `Login error: ${error instanceof Error ? error.message : 'Unknown error'}`,
+      components: [],
+    })
+  }
+}
+
+// ── Step handlers ───────────────────────────────────────────────
+
+async function handleProviderStep(
+  interaction: StringSelectMenuInteraction,
+  ctx: LoginContext,
+  hash: string,
+  providerId: string,
+): Promise<void> {
+  // Handle pagination nav — re-render the same provider select with new page
+  const navPage = parsePaginationValue(providerId)
+  if (navPage !== undefined) {
+    await interaction.deferUpdate()
+    ctx.providerPage = navPage
+
+    const getClient = await initializeOpencodeForDirectory(ctx.dir)
+    if (getClient instanceof Error) {
+      await interaction.editReply({ content: getClient.message, components: [] })
+      return
+    }
+    const providersResponse = await getClient().provider.list({ directory: ctx.dir })
+    if (!providersResponse.data) {
+      await interaction.editReply({ content: 'Failed to fetch providers', components: [] })
       return
     }
+    const { all: allProviders, connected } = providersResponse.data
+    const allProviderOptions = [...allProviders]
+      .sort((a, b) => {
+        const rankA = PROVIDER_POPULARITY_ORDER.indexOf(a.id)
+        const rankB = PROVIDER_POPULARITY_ORDER.indexOf(b.id)
+        const posA = rankA === -1 ? Infinity : rankA
+        const posB = rankB === -1 ? Infinity : rankB
+        if (posA !== posB) {
+          return posA - posB
+        }
+        return a.name.localeCompare(b.name)
+      })
+      .map((p) => {
+        const isConnected = connected.includes(p.id)
+        return {
+          label: `${p.name}${isConnected ? ' ✓' : ''}`.slice(0, 100),
+          value: p.id,
+          description: isConnected ? 'Connected - select to re-authenticate' : 'Not connected',
+        }
+      })
+    const { options } = buildPaginatedOptions({ allOptions: allProviderOptions, page: navPage })
+    await interaction.editReply({
+      content: '**Authenticate with Provider**\nSelect a provider:',
+      components: [
+        buildSelectMenu({
+          customId: `login_select:${hash}`,
+          placeholder: 'Select a provider to authenticate',
+          options,
+        }),
+      ],
+    })
+    return
+  }
 
-    // Get provider info for display
-    const providersResponse = await getClient().provider.list({
-      directory: context.dir,
+  const getClient = await initializeOpencodeForDirectory(ctx.dir)
+  if (getClient instanceof Error) {
+    await interaction.deferUpdate()
+    await interaction.editReply({ content: getClient.message, components: [] })
+    return
+  }
+
+  const providersResponse = await getClient().provider.list({
+    directory: ctx.dir,
+  })
+  const provider = providersResponse.data?.all.find(
+    (p) => p.id === providerId,
+  )
+  const providerName = provider?.name || providerId
+
+  const authResponse = await getClient().provider.auth({ directory: ctx.dir })
+  if (!authResponse.data) {
+    await interaction.deferUpdate()
+    await interaction.editReply({
+      content: 'Failed to fetch authentication methods',
+      components: [],
     })
+    return
+  }
 
-    const provider = providersResponse.data?.all.find(
-      (p) => p.id === selectedProviderId,
-    )
-    const providerName = provider?.name || selectedProviderId
+  // The server returns prompts in the auth response when the opencode
+  // version supports it (dev branch, not yet released as of v1.2.27).
+  // Once released, plugin-defined prompts will be collected and passed
+  // as inputs to the authorize call automatically.
+  const methods: ProviderAuthMethod[] = authResponse.data[providerId] || [
+    { type: 'api', label: 'API Key' },
+  ]
 
-    // Get auth methods for all providers
-    const authMethodsResponse = await getClient().provider.auth({
-      directory: context.dir,
+  if (methods.length === 0) {
+    await interaction.deferUpdate()
+    await interaction.editReply({
+      content: `No authentication methods available for ${providerName}`,
+      components: [],
     })
+    return
+  }
 
-    if (!authMethodsResponse.data) {
-      await interaction.deferUpdate()
-      await interaction.editReply({
-        content: 'Failed to fetch authentication methods',
-        components: [],
-      })
-      return
-    }
+  ctx.providerId = providerId
+  ctx.providerName = providerName
 
-    // Get methods for this specific provider, default to API key if none defined
-    const methods: ProviderAuthMethod[] = authMethodsResponse.data[
-      selectedProviderId
-    ] || [{ type: 'api', label: 'API Key' }]
+  if (methods.length === 1) {
+    // Single method — skip method select, go straight to prompts or action
+    const method = methods[0]!
+    ctx.methodIndex = 0
+    ctx.methodType = method.type
 
-    if (methods.length === 0) {
+    const promptSteps = buildPromptSteps(method)
+    if (promptSteps.length > 0) {
+      // Has prompts — defer and show first prompt
+      ctx.steps = promptSteps
+      ctx.stepIndex = 0
       await interaction.deferUpdate()
-      await interaction.editReply({
-        content: `No authentication methods available for ${providerName}`,
-        components: [],
-      })
-      return
+      await showNextStep(interaction, ctx, hash)
+    } else if (method.type === 'api') {
+      // API key with no prompts — show modal directly (don't defer)
+      await showApiKeyModal(interaction, hash, providerName)
+    } else {
+      // OAuth with no prompts — defer and authorize
+      await interaction.deferUpdate()
+      await startOAuthFlow(interaction, ctx, hash)
     }
+    return
+  }
 
-    // Update context with provider info
-    context.providerId = selectedProviderId
-    context.providerName = providerName
-    pendingLoginContexts.set(contextHash, context)
-
-    // If only one method and it's API, show modal directly (no defer)
-    if (methods.length === 1 && methods[0]!.type === 'api') {
-      const method = methods[0]!
-      context.methodIndex = 0
-      context.methodType = method.type
-      context.methodLabel = method.label
-      pendingLoginContexts.set(contextHash, context)
-      await showApiKeyModal(interaction, contextHash, providerName)
-      return
-    }
+  // Multiple methods — show method select
+  ctx.steps = [
+    { type: 'method', methods },
+  ]
+  ctx.stepIndex = 0
+  await interaction.deferUpdate()
+  await showNextStep(interaction, ctx, hash)
+}
 
-    // For OAuth or multiple methods, defer and continue
+async function handleMethodStep(
+  interaction: StringSelectMenuInteraction,
+  ctx: LoginContext,
+  hash: string,
+  value: string,
+  step: StepMethod,
+): Promise<void> {
+  const methodIndex = parseInt(value, 10)
+  const method = step.methods[methodIndex]
+  if (!method) {
     await interaction.deferUpdate()
+    await interaction.editReply({
+      content: 'Invalid method selected.',
+      components: [],
+    })
+    return
+  }
 
-    // If only one method and it's OAuth, start flow directly
-    if (methods.length === 1) {
-      const method = methods[0]!
-      context.methodIndex = 0
-      context.methodType = method.type
-      context.methodLabel = method.label
-      pendingLoginContexts.set(contextHash, context)
-      await startOAuthFlow(interaction, context, contextHash)
-      return
+  ctx.methodIndex = methodIndex
+  ctx.methodType = method.type
+
+  const promptSteps = buildPromptSteps(method)
+  if (promptSteps.length > 0) {
+    // Replace remaining steps with prompt steps
+    ctx.steps = promptSteps
+    ctx.stepIndex = 0
+    await interaction.deferUpdate()
+    await showNextStep(interaction, ctx, hash)
+  } else if (method.type === 'api') {
+    // API key with no prompts — show modal directly (don't defer)
+    await showApiKeyModal(interaction, hash, ctx.providerName || '')
+  } else {
+    // OAuth with no prompts
+    await interaction.deferUpdate()
+    await startOAuthFlow(interaction, ctx, hash)
+  }
+}
+
+async function handlePromptStep(
+  interaction: StringSelectMenuInteraction,
+  ctx: LoginContext,
+  hash: string,
+  value: string,
+  step: StepPrompt,
+): Promise<void> {
+  // Store the answer
+  ctx.inputs[step.prompt.key] = value
+  ctx.stepIndex++
+
+  // Find the next prompt step that passes its `when` condition
+  await interaction.deferUpdate()
+  await showNextStep(interaction, ctx, hash)
+}
+
+// ── Step rendering ──────────────────────────────────────────────
+// Advances through steps, skipping prompts whose `when` condition
+// fails, until it finds one to show or reaches the end.
+
+async function showNextStep(
+  interaction: StringSelectMenuInteraction | ModalSubmitInteraction,
+  ctx: LoginContext,
+  hash: string,
+): Promise<void> {
+  // Skip prompts whose `when` condition doesn't match
+  while (ctx.stepIndex < ctx.steps.length) {
+    const step = ctx.steps[ctx.stepIndex]!
+    if (step.type === 'prompt' && !shouldShowPrompt(step.prompt, ctx.inputs)) {
+      ctx.stepIndex++
+      continue
     }
+    break
+  }
 
-    // Multiple methods - show selection menu
-    const options = methods.slice(0, 25).map((method, index) => ({
+  if (ctx.stepIndex >= ctx.steps.length) {
+    // All steps done — proceed to action
+    if (ctx.methodType === 'api') {
+      // We're deferred, so show a button that opens the API key modal
+      const button = new ButtonBuilder()
+        .setCustomId(`login_apikey_btn:${hash}`)
+        .setLabel('Enter API Key')
+        .setStyle(ButtonStyle.Primary)
+      await interaction.editReply({
+        content: `**Authenticate with ${ctx.providerName}**\nClick to enter your API key.`,
+        components: [
+          new ActionRowBuilder<ButtonBuilder>().addComponents(button),
+        ],
+      })
+    } else {
+      await startOAuthFlow(interaction, ctx, hash)
+    }
+    return
+  }
+
+  const step = ctx.steps[ctx.stepIndex]!
+  pendingLoginContexts.set(hash, ctx)
+
+  if (step.type === 'method') {
+    const options = step.methods.slice(0, 25).map((method, index) => ({
       label: method.label.slice(0, 100),
       value: String(index),
       description:
@@ -345,48 +635,129 @@ export async function handleLoginProviderSelectMenu(
           : 'Enter API key manually',
     }))
 
-    const selectMenu = new StringSelectMenuBuilder()
-      .setCustomId(`login_method:${contextHash}`)
-      .setPlaceholder('Select authentication method')
-      .addOptions(options)
-
-    const actionRow =
-      new ActionRowBuilder<StringSelectMenuBuilder>().addComponents(selectMenu)
-
     await interaction.editReply({
-      content: `**Authenticate with ${providerName}**\nSelect authentication method:`,
-      components: [actionRow],
+      content: `**Authenticate with ${ctx.providerName}**\nSelect authentication method:`,
+      components: [
+        buildSelectMenu({
+          customId: `login_select:${hash}`,
+          placeholder: 'Select authentication method',
+          options,
+        }),
+      ],
     })
-  } catch (error) {
-    loginLogger.error('Error loading auth methods:', error)
-    if (!interaction.deferred && !interaction.replied) {
-      await interaction.deferUpdate()
+    return
+  }
+
+  if (step.type === 'prompt') {
+    const prompt = step.prompt
+    if (prompt.type === 'select') {
+      const options = prompt.options.slice(0, 25).map((opt) => ({
+        label: opt.label.slice(0, 100),
+        value: opt.value,
+        description: opt.hint?.slice(0, 100),
+      }))
+
+      await interaction.editReply({
+        content: `**Authenticate with ${ctx.providerName}**\n${prompt.message}`,
+        components: [
+          buildSelectMenu({
+            customId: `login_select:${hash}`,
+            placeholder: prompt.message.slice(0, 150),
+            options,
+          }),
+        ],
+      })
+      return
+    }
+
+    if (prompt.type === 'text') {
+      // Text prompts need a modal, but we're deferred. Show a button.
+      const button = new ButtonBuilder()
+        .setCustomId(`login_text_btn:${hash}`)
+        .setLabel(prompt.message.slice(0, 80))
+        .setStyle(ButtonStyle.Primary)
+
+      await interaction.editReply({
+        content: `**Authenticate with ${ctx.providerName}**\n${prompt.message}`,
+        components: [
+          new ActionRowBuilder<ButtonBuilder>().addComponents(button),
+        ],
+      })
+      return
     }
-    await interaction.editReply({
-      content: `Failed to load auth methods: ${error instanceof Error ? error.message : 'Unknown error'}`,
-      components: [],
-    })
   }
 }
 
-/**
- * Handle the auth method select menu interaction.
- * Starts OAuth flow or shows API key modal.
- */
-export async function handleLoginMethodSelectMenu(
-  interaction: StringSelectMenuInteraction,
+function buildPromptSteps(method: ProviderAuthMethod): StepPrompt[] {
+  return (method.prompts || []).map((prompt) => ({
+    type: 'prompt' as const,
+    prompt,
+  }))
+}
+
+// ── Text prompt button + modal ──────────────────────────────────
+// When a text prompt needs to be shown but we're in a deferred state,
+// we show a button. Clicking it opens a modal for text input.
+
+export async function handleLoginTextButton(
+  interaction: ButtonInteraction,
 ): Promise<void> {
-  const customId = interaction.customId
+  if (!interaction.customId.startsWith('login_text_btn:')) {
+    return
+  }
+
+  const hash = interaction.customId.replace('login_text_btn:', '')
+  const ctx = pendingLoginContexts.get(hash)
 
-  if (!customId.startsWith('login_method:')) {
+  if (!ctx) {
+    await interaction.reply({
+      content: 'Selection expired. Please run /login again.',
+      flags: MessageFlags.Ephemeral,
+    })
     return
   }
 
-  const contextHash = customId.replace('login_method:', '')
-  const context = pendingLoginContexts.get(contextHash)
+  const step = ctx.steps[ctx.stepIndex]
+  if (!step || step.type !== 'prompt' || step.prompt.type !== 'text') {
+    await interaction.reply({
+      content: 'Invalid state. Please run /login again.',
+      flags: MessageFlags.Ephemeral,
+    })
+    return
+  }
 
-  if (!context || !context.providerId || !context.providerName) {
-    await interaction.deferUpdate()
+  const modal = new ModalBuilder()
+    .setCustomId(`login_text:${hash}`)
+    .setTitle(`${ctx.providerName || 'Provider'} Login`.slice(0, 45))
+
+  const textInput = new TextInputBuilder()
+    .setCustomId('prompt_value')
+    .setLabel(step.prompt.message.slice(0, 45))
+    .setPlaceholder(
+      step.prompt.type === 'text' ? (step.prompt.placeholder || '') : '',
+    )
+    .setStyle(TextInputStyle.Short)
+    .setRequired(true)
+
+  modal.addComponents(
+    new ActionRowBuilder<TextInputBuilder>().addComponents(textInput),
+  )
+  await interaction.showModal(modal)
+}
+
+export async function handleLoginTextModalSubmit(
+  interaction: ModalSubmitInteraction,
+): Promise<void> {
+  if (!interaction.customId.startsWith('login_text:')) {
+    return
+  }
+
+  await interaction.deferUpdate()
+
+  const hash = interaction.customId.replace('login_text:', '')
+  const ctx = pendingLoginContexts.get(hash)
+
+  if (!ctx) {
     await interaction.editReply({
       content: 'Selection expired. Please run /login again.',
       components: [],
@@ -394,78 +765,60 @@ export async function handleLoginMethodSelectMenu(
     return
   }
 
-  const selectedMethodIndex = parseInt(interaction.values[0] || '0', 10)
-
-  try {
-    const getClient = await initializeOpencodeForDirectory(context.dir)
-    if (getClient instanceof Error) {
-      await interaction.deferUpdate()
-      await interaction.editReply({
-        content: getClient.message,
-        components: [],
-      })
-      return
-    }
+  const step = ctx.steps[ctx.stepIndex]
+  if (!step || step.type !== 'prompt' || step.prompt.type !== 'text') {
+    await interaction.editReply({
+      content: 'Invalid state. Please run /login again.',
+      components: [],
+    })
+    return
+  }
 
-    // Get auth methods again to get the selected one
-    const authMethodsResponse = await getClient().provider.auth({
-      directory: context.dir,
+  const value = interaction.fields.getTextInputValue('prompt_value')
+  if (!value?.trim()) {
+    await interaction.editReply({
+      content: 'A value is required.',
+      components: [],
     })
+    return
+  }
 
-    const methods: ProviderAuthMethod[] = authMethodsResponse.data?.[
-      context.providerId
-    ] || [{ type: 'api', label: 'API Key' }]
+  ctx.inputs[step.prompt.key] = value.trim()
+  ctx.stepIndex++
+  await showNextStep(interaction, ctx, hash)
+}
 
-    const selectedMethod = methods[selectedMethodIndex]
-    if (!selectedMethod) {
-      await interaction.deferUpdate()
-      await interaction.editReply({
-        content: 'Invalid method selected',
-        components: [],
-      })
-      return
-    }
+// ── API key button + modal ──────────────────────────────────────
+// When we're deferred and need an API key modal, show a button first.
 
-    // Update context
-    context.methodIndex = selectedMethodIndex
-    context.methodType = selectedMethod.type
-    context.methodLabel = selectedMethod.label
-    pendingLoginContexts.set(contextHash, context)
+export async function handleLoginApiKeyButton(
+  interaction: ButtonInteraction,
+): Promise<void> {
+  if (!interaction.customId.startsWith('login_apikey_btn:')) {
+    return
+  }
 
-    if (selectedMethod.type === 'api') {
-      // Show API key modal (don't defer for modals)
-      await showApiKeyModal(interaction, contextHash, context.providerName)
-    } else {
-      // Start OAuth flow
-      await interaction.deferUpdate()
-      await startOAuthFlow(interaction, context, contextHash)
-    }
-  } catch (error) {
-    loginLogger.error('Error processing auth method:', error)
-    try {
-      if (!interaction.deferred && !interaction.replied) {
-        await interaction.deferUpdate()
-      }
-      await interaction.editReply({
-        content: `Failed to process auth method: ${error instanceof Error ? error.message : 'Unknown error'}`,
-        components: [],
-      })
-    } catch {
-      // Ignore follow-up errors
-    }
+  const hash = interaction.customId.replace('login_apikey_btn:', '')
+  const ctx = pendingLoginContexts.get(hash)
+
+  if (!ctx || !ctx.providerName) {
+    await interaction.reply({
+      content: 'Selection expired. Please run /login again.',
+      flags: MessageFlags.Ephemeral,
+    })
+    return
   }
+
+  await showApiKeyModal(interaction, hash, ctx.providerName)
 }
 
-/**
- * Show API key input modal.
- */
 async function showApiKeyModal(
-  interaction: StringSelectMenuInteraction,
-  contextHash: string,
+  interaction: StringSelectMenuInteraction | ButtonInteraction,
+  hash: string,
   providerName: string,
 ): Promise<void> {
   const modal = new ModalBuilder()
-    .setCustomId(`login_apikey:${contextHash}`)
+    .setCustomId(`login_apikey:${hash}`)
     .setTitle(`${providerName} API Key`.slice(0, 45))
 
   const apiKeyInput = new TextInputBuilder()
@@ -475,38 +828,83 @@ async function showApiKeyModal(
     .setStyle(TextInputStyle.Short)
     .setRequired(true)
 
-  const actionRow = new ActionRowBuilder<TextInputBuilder>().addComponents(
-    apiKeyInput,
+  modal.addComponents(
+    new ActionRowBuilder<TextInputBuilder>().addComponents(apiKeyInput),
   )
-  modal.addComponents(actionRow)
+  await interaction.showModal(modal)
+}
+
+// ── OAuth code submission (code mode) ───────────────────────────
+// When the OAuth flow returns method="code", the user completes login
+// in a browser (possibly on a different machine) and pastes the final
+// callback URL or authorization code here.
 
+export async function handleOAuthCodeButton(
+  interaction: ButtonInteraction,
+): Promise<void> {
+  if (!interaction.customId.startsWith('login_oauth_code_btn:')) {
+    return
+  }
+
+  const hash = interaction.customId.replace('login_oauth_code_btn:', '')
+  const ctx = pendingLoginContexts.get(hash)
+
+  if (!ctx || !ctx.providerId || !ctx.providerName) {
+    await interaction.reply({
+      content: 'Selection expired. Please run /login again.',
+      flags: MessageFlags.Ephemeral,
+    })
+    return
+  }
+
+  const modal = new ModalBuilder()
+    .setCustomId(`login_oauth_code:${hash}`)
+    .setTitle(`${ctx.providerName} Authorization`.slice(0, 45))
+
+  const codeInput = new TextInputBuilder()
+    .setCustomId('oauth_code')
+    .setLabel('Authorization code or callback URL')
+    .setPlaceholder('Paste the code or full callback URL')
+    .setStyle(TextInputStyle.Paragraph)
+    .setRequired(true)
+
+  modal.addComponents(
+    new ActionRowBuilder<TextInputBuilder>().addComponents(codeInput),
+  )
   await interaction.showModal(modal)
 }
 
-/**
- * Start OAuth authorization flow.
- */
-async function startOAuthFlow(
-  interaction: StringSelectMenuInteraction,
-  context: {
-    dir: string
-    providerId?: string
-    providerName?: string
-    methodIndex?: number
-    methodLabel?: string
-  },
-  contextHash: string,
+export async function handleOAuthCodeModalSubmit(
+  interaction: ModalSubmitInteraction,
 ): Promise<void> {
-  if (!context.providerId || context.methodIndex === undefined) {
+  if (!interaction.customId.startsWith('login_oauth_code:')) {
+    return
+  }
+
+  await interaction.deferUpdate()
+
+  const hash = interaction.customId.replace('login_oauth_code:', '')
+  const ctx = pendingLoginContexts.get(hash)
+
+  if (!ctx || !ctx.providerId || !ctx.providerName || ctx.methodIndex === undefined) {
     await interaction.editReply({
-      content: 'Invalid context for OAuth flow',
+      content: 'Session expired. Please run /login again.',
+      components: [],
+    })
+    return
+  }
+
+  const code = interaction.fields.getTextInputValue('oauth_code')?.trim()
+  if (!code) {
+    await interaction.editReply({
+      content: 'Authorization code is required.',
       components: [],
     })
     return
   }
 
   try {
-    const getClient = await initializeOpencodeForDirectory(context.dir)
+    const getClient = await initializeOpencodeForDirectory(ctx.dir)
     if (getClient instanceof Error) {
       await interaction.editReply({
         content: getClient.message,
@@ -516,88 +914,36 @@ async function startOAuthFlow(
     }
 
     await interaction.editReply({
-      content: `**Authenticating with ${context.providerName}**\nStarting authorization...`,
+      content: `**Authenticating with ${ctx.providerName}**\nVerifying authorization...`,
       components: [],
     })
 
-    // Start OAuth authorization
-    const authorizeResponse = await getClient().provider.oauth.authorize({
-      providerID: context.providerId,
-      method: context.methodIndex,
-      directory: context.dir,
+    const callbackResponse = await getClient().provider.oauth.callback({
+      providerID: ctx.providerId,
+      method: ctx.methodIndex,
+      code,
+      directory: ctx.dir,
     })
 
-    if (!authorizeResponse.data) {
-      const errorData = authorizeResponse.error as
-        | { data?: { message?: string } }
-        | undefined
+    if (callbackResponse.error) {
+      pendingLoginContexts.delete(hash)
       await interaction.editReply({
-        content: `Failed to start authorization: ${errorData?.data?.message || 'Unknown error'}`,
+        content: `**Authentication Failed**\n${extractErrorMessage({ error: callbackResponse.error, fallback: 'Authorization code was invalid or expired' })}`,
         components: [],
       })
       return
     }
 
-    const { url, method, instructions } = authorizeResponse.data
-
-    // Show authorization URL and instructions
-    let message = `**Authenticating with ${context.providerName}**\n\n`
-    message += `Open this URL to authorize:\n${url}\n\n`
-
-    if (instructions) {
-      // Extract code from instructions like "Enter code: ABC-123"
-      const codeMatch = instructions.match(/code[:\s]+([A-Z0-9-]+)/i)
-      if (codeMatch) {
-        message += `**Code:** \`${codeMatch[1]}\`\n\n`
-      } else {
-        message += `${instructions}\n\n`
-      }
-    }
-
-    if (method === 'auto') {
-      message += '_Waiting for authorization to complete..._'
-    }
+    await getClient().instance.dispose({ directory: ctx.dir })
+    pendingLoginContexts.delete(hash)
 
     await interaction.editReply({
-      content: message,
+      content: `✅ **Successfully authenticated with ${ctx.providerName}!**\n\nYou can now use models from this provider.`,
       components: [],
     })
-
-    if (method === 'auto') {
-      // Poll for completion (device flow)
-      const callbackResponse = await getClient().provider.oauth.callback({
-        providerID: context.providerId,
-        method: context.methodIndex,
-        directory: context.dir,
-      })
-
-      if (callbackResponse.error) {
-        const errorData = callbackResponse.error as
-          | { data?: { message?: string } }
-          | undefined
-        await interaction.editReply({
-          content: `**Authentication Failed**\n${errorData?.data?.message || 'Authorization was not completed'}`,
-          components: [],
-        })
-        return
-      }
-
-      // Dispose to refresh provider state so new credentials are recognized
-      await getClient().instance.dispose({ directory: context.dir })
-
-      await interaction.editReply({
-        content: `✅ **Successfully authenticated with ${context.providerName}!**\n\nYou can now use models from this provider.`,
-        components: [],
-      })
-    }
-    // For 'code' method, we would need to prompt for code input
-    // But Discord modals can't be shown after deferUpdate, so we'd need a different flow
-    // For now, most providers use 'auto' (device flow) which works well for Discord
-
-    // Clean up context
-    pendingLoginContexts.delete(contextHash)
   } catch (error) {
-    loginLogger.error('OAuth flow error:', error)
+    loginLogger.error('OAuth code submission error:', error)
+    pendingLoginContexts.delete(hash)
     await interaction.editReply({
       content: `**Authentication Failed**\n${error instanceof Error ? error.message : 'Unknown error'}`,
       components: [],
@@ -605,24 +951,19 @@ async function startOAuthFlow(
   }
 }
 
-/**
- * Handle API key modal submission.
- */
 export async function handleApiKeyModalSubmit(
   interaction: ModalSubmitInteraction,
 ): Promise<void> {
-  const customId = interaction.customId
-
-  if (!customId.startsWith('login_apikey:')) {
+  if (!interaction.customId.startsWith('login_apikey:')) {
     return
   }
 
   await interaction.deferReply({ flags: MessageFlags.Ephemeral })
 
-  const contextHash = customId.replace('login_apikey:', '')
-  const context = pendingLoginContexts.get(contextHash)
+  const hash = interaction.customId.replace('login_apikey:', '')
+  const ctx = pendingLoginContexts.get(hash)
 
-  if (!context || !context.providerId || !context.providerName) {
+  if (!ctx || !ctx.providerId || !ctx.providerName) {
     await interaction.editReply({
       content: 'Session expired. Please run /login again.',
     })
@@ -632,39 +973,30 @@ export async function handleApiKeyModalSubmit(
   const apiKey = interaction.fields.getTextInputValue('apikey')
 
   if (!apiKey?.trim()) {
-    await interaction.editReply({
-      content: 'API key is required.',
-    })
+    await interaction.editReply({ content: 'API key is required.' })
     return
   }
 
   try {
-    const getClient = await initializeOpencodeForDirectory(context.dir)
+    const getClient = await initializeOpencodeForDirectory(ctx.dir)
     if (getClient instanceof Error) {
-      await interaction.editReply({
-        content: getClient.message,
-      })
+      await interaction.editReply({ content: getClient.message })
       return
     }
 
-    // Set the API key
     await getClient().auth.set({
-      providerID: context.providerId,
-      auth: {
-        type: 'api',
-        key: apiKey.trim(),
-      },
+      providerID: ctx.providerId,
+      auth: { type: 'api', key: apiKey.trim() },
     })
 
     // Dispose to refresh provider state so new credentials are recognized
-    await getClient().instance.dispose({ directory: context.dir })
+    await getClient().instance.dispose({ directory: ctx.dir })
 
     await interaction.editReply({
-      content: `✅ **Successfully authenticated with ${context.providerName}!**\n\nYou can now use models from this provider.`,
+      content: `✅ **Successfully authenticated with ${ctx.providerName}!**\n\nYou can now use models from this provider.`,
     })
 
-    // Clean up context
-    pendingLoginContexts.delete(contextHash)
+    pendingLoginContexts.delete(hash)
   } catch (error) {
     loginLogger.error('API key save error:', error)
     await interaction.editReply({
@@ -672,3 +1004,170 @@ export async function handleApiKeyModalSubmit(
     })
   }
 }
+
+// ── OAuth flow ──────────────────────────────────────────────────
+
+async function startOAuthFlow(
+  interaction: StringSelectMenuInteraction | ModalSubmitInteraction,
+  ctx: LoginContext,
+  hash: string,
+): Promise<void> {
+  if (!ctx.providerId || ctx.methodIndex === undefined) {
+    await interaction.editReply({
+      content: 'Invalid context for OAuth flow',
+      components: [],
+    })
+    return
+  }
+
+  try {
+    const getClient = await initializeOpencodeForDirectory(ctx.dir)
+    if (getClient instanceof Error) {
+      await interaction.editReply({
+        content: getClient.message,
+        components: [],
+      })
+      return
+    }
+
+    await interaction.editReply({
+      content: `**Authenticating with ${ctx.providerName}**\nStarting authorization...`,
+      components: [],
+    })
+
+    // Direct fetch to the server because the SDK's buildClientParams drops
+    // unknown keys — `inputs` would be silently stripped. The server accepts
+    // `inputs` in the body (see opencode server/routes/provider.ts).
+    const port = getOpencodeServerPort()
+    if (!port) {
+      await interaction.editReply({
+        content: 'OpenCode server is not running. Please try again.',
+        components: [],
+      })
+      return
+    }
+
+    const hasInputs = Object.keys(ctx.inputs).length > 0
+    const authorizeUrl = new URL(
+      `/provider/${encodeURIComponent(ctx.providerId)}/oauth/authorize`,
+      `http://127.0.0.1:${port}`,
+    )
+    authorizeUrl.searchParams.set('directory', ctx.dir)
+
+    // Include basic auth if OPENCODE_SERVER_PASSWORD is set,
+    // matching the opencode server's optional basicAuth middleware.
+    const fetchHeaders: Record<string, string> = {
+      'Content-Type': 'application/json',
+      'x-opencode-directory': ctx.dir,
+    }
+    const serverPassword = process.env.OPENCODE_SERVER_PASSWORD
+    if (serverPassword) {
+      const username = process.env.OPENCODE_SERVER_USERNAME || 'opencode'
+      fetchHeaders['Authorization'] =
+        `Basic ${Buffer.from(`${username}:${serverPassword}`).toString('base64')}`
+    }
+
+    const authorizeRes = await fetch(authorizeUrl, {
+      method: 'POST',
+      headers: fetchHeaders,
+      body: JSON.stringify({
+        method: ctx.methodIndex,
+        ...(hasInputs ? { inputs: ctx.inputs } : {}),
+      }),
+    })
+
+    if (!authorizeRes.ok) {
+      const errorText = await authorizeRes.text().catch(() => '')
+      let errorMessage = 'Unknown error'
+      try {
+        const parsed = JSON.parse(errorText) as {
+          message?: string
+          data?: { message?: string }
+        }
+        errorMessage = parsed?.data?.message || parsed?.message || errorMessage
+      } catch {
+        errorMessage = errorText || errorMessage
+      }
+      await interaction.editReply({
+        content: `Failed to start authorization: ${errorMessage}`,
+        components: [],
+      })
+      return
+    }
+
+    const { url, method, instructions } = (await authorizeRes.json()) as {
+      url: string
+      method: 'auto' | 'code'
+      instructions: string
+    }
+
+    let message = `**Authenticating with ${ctx.providerName}**\n\n`
+    message += `Open this URL to authorize:\n${url}\n\n`
+
+    if (instructions) {
+      // Match "code: ABC-123" or "code: WXYZ1234" but not natural language
+      // like "code will". Require a colon separator and uppercase alphanum code.
+      const codeMatch = instructions.match(/code:\s*([A-Z0-9][A-Z0-9-]+)/)
+      if (codeMatch) {
+        message += `**Code:** \`${codeMatch[1]}\`\n\n`
+      } else {
+        message += `${instructions}\n\n`
+      }
+    }
+
+    if (method === 'auto') {
+      message += '_Waiting for authorization to complete..._'
+    }
+
+    if (method === 'code') {
+      // Code mode: show a button to paste the auth code/URL after
+      // completing login in a browser (possibly on a different machine).
+      const button = new ButtonBuilder()
+        .setCustomId(`login_oauth_code_btn:${hash}`)
+        .setLabel('Paste authorization code')
+        .setStyle(ButtonStyle.Primary)
+
+      await interaction.editReply({
+        content: message,
+        components: [
+          new ActionRowBuilder<ButtonBuilder>().addComponents(button),
+        ],
+      })
+      // Don't delete context — we need it for the code submission
+      return
+    }
+
+    await interaction.editReply({ content: message, components: [] })
+
+    // Auto mode: poll for completion (device flow / localhost callback)
+    const callbackResponse = await getClient().provider.oauth.callback({
+      providerID: ctx.providerId,
+      method: ctx.methodIndex,
+      directory: ctx.dir,
+    })
+
+    if (callbackResponse.error) {
+      pendingLoginContexts.delete(hash)
+      await interaction.editReply({
+        content: `**Authentication Failed**\n${extractErrorMessage({ error: callbackResponse.error, fallback: 'Authorization was not completed' })}`,
+        components: [],
+      })
+      return
+    }
+
+    await getClient().instance.dispose({ directory: ctx.dir })
+    pendingLoginContexts.delete(hash)
+
+    await interaction.editReply({
+      content: `✅ **Successfully authenticated with ${ctx.providerName}!**\n\nYou can now use models from this provider.`,
+      components: [],
+    })
+  } catch (error) {
+    loginLogger.error('OAuth flow error:', error)
+    pendingLoginContexts.delete(hash)
+    await interaction.editReply({
+      content: `**Authentication Failed**\n${error instanceof Error ? error.message : 'Unknown error'}`,
+      components: [],
+    })
+  }
+}