mastracode 0.18.1 → 0.19.0-alpha.2

package/CHANGELOG.md

@@ -1,5 +1,46 @@
 # mastracode
 
+## 0.19.0-alpha.2
+
+### Patch Changes
+
+- Updated dependencies [[`bdb4cbf`](https://github.com/mastra-ai/mastra/commit/bdb4cbf8ba4b685d7481f28bb9dc3de6c79c9ed2)]:
+  - @mastra/core@1.34.0-alpha.2
+
+## 0.19.0-alpha.1
+
+### Patch Changes
+
+- Updated dependencies [[`fceae1f`](https://github.com/mastra-ai/mastra/commit/fceae1f5f5db4722cb078a663c6eb4bd22944123), [`97fe629`](https://github.com/mastra-ai/mastra/commit/97fe629d07b0a9952e6657b1e6334ca4d9aa15ce), [`bf02acb`](https://github.com/mastra-ai/mastra/commit/bf02acbb8a6110f638ac844e89f1ebf04cb7fe74), [`0fd3fbe`](https://github.com/mastra-ai/mastra/commit/0fd3fbe40fb63657aedd72f6e7b38c8e8ee6940d), [`fed0475`](https://github.com/mastra-ai/mastra/commit/fed0475ccfea31e4fc251469ac05640d0742c1f0), [`522f44d`](https://github.com/mastra-ai/mastra/commit/522f44d947214bfc06cff50599bae1ef3494880d)]:
+  - @mastra/core@1.34.0-alpha.1
+  - @mastra/memory@1.18.1-alpha.0
+
+## 0.19.0-alpha.0
+
+### Minor Changes
+
+- Improved OpenAI Codex OAuth support in Mastra Code. When you select the Codex provider in `/login` or during onboarding, Mastra Code now asks how to sign in — **Browser (local callback)** or **Device code (headless)** — so the device-code flow is discoverable without setting an env var. `MASTRACODE_OPENAI_CODEX_AUTH_MODE=device` still works as a preselect for scripted environments. ([#16548](https://github.com/mastra-ai/mastra/pull/16548))
+
+  HTTP MCP server config can now pass OAuth client metadata to `@mastra/mcp` and store per-server OAuth state without sharing tokens across projects:
+
+  ```json
+  {
+    "mcpServers": {
+      "remote-api": {
+        "url": "https://mcp.example.com/mcp",
+        "oauth": {
+          "redirectUrl": "http://localhost:3000/oauth/callback"
+        }
+      }
+    }
+  }
+  ```
+
+### Patch Changes
+
+- Updated dependencies [[`20787de`](https://github.com/mastra-ai/mastra/commit/20787de5965234a1af28fe35f49437c537dbfa0d), [`784ad98`](https://github.com/mastra-ai/mastra/commit/784ad989549de91dc5d33ab8ef36caa6f7dcd34e), [`0d53730`](https://github.com/mastra-ai/mastra/commit/0d53730c1ed87ef80c87caa5701c4170ea8028e6)]:
+  - @mastra/core@1.34.0-alpha.0
+
 ## 0.18.1
 
 ### Patch Changes

package/dist/agents/model.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"model.d.ts","sourceRoot":"","sources":["../../src/agents/model.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAE9C,OAAO,EAAsC,wBAAwB,EAAE,MAAM,kBAAkB,CAAC;AAChG,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAInE,OAAO,EAGL,yBAAyB,EAE1B,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AACvE,OAAO,EAIL,mBAAmB,EAEpB,MAAM,8BAA8B,CAAC;AACtC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAgBlE,KAAK,aAAa,GACd,UAAU,CAAC,OAAO,mBAAmB,CAAC,GACtC,UAAU,CAAC,OAAO,yBAAyB,CAAC,GAC5C,UAAU,CAAC,OAAO,qBAAqB,CAAC,GACxC,wBAAwB,GACxB,UAAU,CAAC,UAAU,CAAC,OAAO,eAAe,CAAC,CAAC,GAC9C,UAAU,CAAC,UAAU,CAAC,OAAO,YAAY,CAAC,CAAC,CAAC;AAsBhD,wBAAgB,6BAA6B,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAoBrE;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,GAAG,SAAS,CAQvD;AAED;;;GAGG;AACH,wBAAgB,eAAe,IAAI,MAAM,GAAG,SAAS,CAQpD;AA0BD;;;;;;;;GAQG;AACH,wBAAgB,YAAY,CAC1B,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;IAAE,aAAa,CAAC,EAAE,aAAa,CAAC;IAAC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAAC,cAAc,CAAC,EAAE,cAAc,CAAA;CAAE,GACzG,aAAa,CA2Jf;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,EAAE,cAAc,EAAE,EAAE;IAAE,cAAc,EAAE,cAAc,CAAA;CAAE,GAAG,aAAa,CAWrG"}
+{"version":3,"file":"model.d.ts","sourceRoot":"","sources":["../../src/agents/model.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAE9C,OAAO,EAAsC,wBAAwB,EAAE,MAAM,kBAAkB,CAAC;AAChG,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAInE,OAAO,EAGL,yBAAyB,EAE1B,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AACvE,OAAO,EAIL,mBAAmB,EAEpB,MAAM,8BAA8B,CAAC;AACtC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAgBlE,KAAK,aAAa,GACd,UAAU,CAAC,OAAO,mBAAmB,CAAC,GACtC,UAAU,CAAC,OAAO,yBAAyB,CAAC,GAC5C,UAAU,CAAC,OAAO,qBAAqB,CAAC,GACxC,wBAAwB,GACxB,UAAU,CAAC,UAAU,CAAC,OAAO,eAAe,CAAC,CAAC,GAC9C,UAAU,CAAC,UAAU,CAAC,OAAO,YAAY,CAAC,CAAC,CAAC;AAsBhD,wBAAgB,6BAA6B,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAoBrE;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,GAAG,SAAS,CAQvD;AAED;;;GAGG;AACH,wBAAgB,eAAe,IAAI,MAAM,GAAG,SAAS,CAQpD;AA0BD;;;;;;;;GAQG;AACH,wBAAgB,YAAY,CAC1B,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;IAAE,aAAa,CAAC,EAAE,aAAa,CAAC;IAAC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAAC,cAAc,CAAC,EAAE,cAAc,CAAA;CAAE,GACzG,aAAa,CAuJf;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,EAAE,cAAc,EAAE,EAAE;IAAE,cAAc,EAAE,cAAc,CAAA;CAAE,GAAG,aAAa,CAWrG"}

package/dist/auth/index.d.ts

@@ -5,4 +5,5 @@ export * from './types.js';
 export * from './storage.js';
 export { anthropicOAuthProvider } from './providers/anthropic.js';
 export { githubCopilotOAuthProvider } from './providers/github-copilot.js';
+export { openaiCodexOAuthProvider } from './providers/openai-codex.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,cAAc,YAAY,CAAC;AAC3B,cAAc,cAAc,CAAC;AAC7B,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,0BAA0B,EAAE,MAAM,+BAA+B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,cAAc,YAAY,CAAC;AAC3B,cAAc,cAAc,CAAC;AAC7B,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,0BAA0B,EAAE,MAAM,+BAA+B,CAAC;AAC3E,OAAO,EAAE,wBAAwB,EAAE,MAAM,6BAA6B,CAAC"}

package/dist/auth/providers/openai-codex.d.ts

@@ -7,7 +7,26 @@
  * NOTE: This module uses Node.js crypto and http for the OAuth callback.
  * It is only intended for CLI use, not browser environments.
  */
-import type { OAuthCredentials, OAuthPrompt, OAuthProviderInterface } from '../types.js';
+import type { AuthMode, OAuthCredentials, OAuthPrompt, OAuthProviderInterface } from '../types.js';
+export declare const OPENAI_CODEX_AUTH_MODES: ReadonlyArray<AuthMode>;
+declare const JWT_CLAIM_PATH = "https://api.openai.com/auth";
+type JwtPayload = {
+    chatgpt_account_id?: string;
+    [JWT_CLAIM_PATH]?: {
+        chatgpt_account_id?: string;
+    };
+    [key: string]: unknown;
+};
+declare function decodeJwt(token: string): JwtPayload | null;
+declare function extractAccountIdFromClaims(payload: JwtPayload | null | undefined): string | null;
+declare function getAccountId(tokens: {
+    idToken?: string;
+    access: string;
+}, fallback?: string): string | undefined;
+declare function requireAccountId(tokens: {
+    idToken?: string;
+    access: string;
+}, fallback?: string): string;
 declare function createAuthorizationFlow(redirectUri: string, state: string, originator?: string): Promise<{
     verifier: string;
     url: string;
@@ -26,6 +45,15 @@ type CallbackPorts = {
     fallbackPort: number;
 };
 declare function startLocalOAuthServer(state: string, ports?: CallbackPorts): Promise<OAuthServerInfo>;
+declare function loginOpenAICodexDevice(options: {
+    onAuth: (info: {
+        url: string;
+        instructions?: string;
+    }) => void;
+    onProgress?: (message: string) => void;
+    signal?: AbortSignal;
+    sleep?: (ms: number) => Promise<void>;
+}): Promise<OAuthCredentials>;
 /**
  * Login with OpenAI Codex OAuth
  *
@@ -35,7 +63,7 @@ declare function startLocalOAuthServer(state: string, ports?: CallbackPorts): Pr
  * @param options.onManualCodeInput - Optional promise that resolves with user-pasted code.
  *                                    Races with browser callback - whichever completes first wins.
  *                                    Useful for showing paste input immediately alongside browser flow.
- * @param options.originator - OAuth originator parameter (defaults to "pi")
+ * @param options.originator - OAuth originator parameter (defaults to "mastracode")
  */
 export declare function loginOpenAICodex(options: {
     onAuth: (info: {
@@ -45,16 +73,23 @@ export declare function loginOpenAICodex(options: {
     onPrompt: (prompt: OAuthPrompt) => Promise<string>;
     onProgress?: (message: string) => void;
     onManualCodeInput?: () => Promise<string>;
+    signal?: AbortSignal;
     originator?: string;
+    mode?: 'browser' | 'device';
 }): Promise<OAuthCredentials>;
 export declare const __testing: {
     createAuthorizationFlow: typeof createAuthorizationFlow;
+    decodeJwt: typeof decodeJwt;
+    extractAccountIdFromClaims: typeof extractAccountIdFromClaims;
+    getAccountId: typeof getAccountId;
+    loginOpenAICodexDevice: typeof loginOpenAICodexDevice;
+    requireAccountId: typeof requireAccountId;
     startLocalOAuthServer: typeof startLocalOAuthServer;
 };
 /**
  * Refresh OpenAI Codex OAuth token
  */
-export declare function refreshOpenAICodexToken(refreshToken: string): Promise<OAuthCredentials>;
+export declare function refreshOpenAICodexToken(refreshToken: string, previousAccountId?: string): Promise<OAuthCredentials>;
 export declare const openaiCodexOAuthProvider: OAuthProviderInterface;
 export {};
 //# sourceMappingURL=openai-codex.d.ts.map

package/dist/auth/providers/openai-codex.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"openai-codex.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/openai-codex.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAyBH,OAAO,KAAK,EAAE,gBAAgB,EAAuB,WAAW,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAyK9G,iBAAe,uBAAuB,CACpC,WAAW,EAAE,MAAM,EACnB,KAAK,EAAE,MAAM,EACb,UAAU,GAAE,MAAa,GACxB,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,CAAC,CAgB5C;AAED,KAAK,eAAe,GAAG;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,IAAI,CAAC;IACvB,WAAW,EAAE,MAAM,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC,CAAC;CACrD,CAAC;AAEF,KAAK,aAAa,GAAG;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;CACtB,CAAC;AAkDF,iBAAe,qBAAqB,CAClC,KAAK,EAAE,MAAM,EACb,KAAK,GAAE,aAAoC,GAC1C,OAAO,CAAC,eAAe,CAAC,CA4E1B;AASD;;;;;;;;;;GAUG;AACH,wBAAsB,gBAAgB,CAAC,OAAO,EAAE;IAC9C,MAAM,EAAE,CAAC,IAAI,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,CAAC;IAC/D,QAAQ,EAAE,CAAC,MAAM,EAAE,WAAW,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IACnD,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IACvC,iBAAiB,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1C,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA4G5B;AAED,eAAO,MAAM,SAAS;;;CAGrB,CAAC;AAEF;;GAEG;AACH,wBAAsB,uBAAuB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAiB7F;AAED,eAAO,MAAM,wBAAwB,EAAE,sBAqBtC,CAAC"}
+{"version":3,"file":"openai-codex.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/openai-codex.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AA4BH,OAAO,KAAK,EAAE,QAAQ,EAAE,gBAAgB,EAAuB,WAAW,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAExH,eAAO,MAAM,uBAAuB,EAAE,aAAa,CAAC,QAAQ,CAW3D,CAAC;AAeF,QAAA,MAAM,cAAc,gCAAgC,CAAC;AAwBrD,KAAK,UAAU,GAAG;IAChB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,CAAC,cAAc,CAAC,CAAC,EAAE;QACjB,kBAAkB,CAAC,EAAE,MAAM,CAAC;KAC7B,CAAC;IACF,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB,CAAC;AAwCF,iBAAS,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAcnD;AAED,iBAAS,0BAA0B,CAAC,OAAO,EAAE,UAAU,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,GAAG,IAAI,CAIzF;AAED,iBAAS,YAAY,CAAC,MAAM,EAAE;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAQzG;AAED,iBAAS,gBAAgB,CAAC,MAAM,EAAE;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,CAMjG;AAiFD,iBAAe,uBAAuB,CACpC,WAAW,EAAE,MAAM,EACnB,KAAK,EAAE,MAAM,EACb,UAAU,GAAE,MAAqB,GAChC,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,CAAC,CAgB5C;AAED,KAAK,eAAe,GAAG;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,IAAI,CAAC;IACvB,WAAW,EAAE,MAAM,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC,CAAC;CACrD,CAAC;AAEF,KAAK,aAAa,GAAG;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;CACtB,CAAC;AAkDF,iBAAe,qBAAqB,CAClC,KAAK,EAAE,MAAM,EACb,KAAK,GAAE,aAAoC,GAC1C,OAAO,CAAC,eAAe,CAAC,CA4E1B;AAED,iBAAe,sBAAsB,CAAC,OAAO,EAAE;IAC7C,MAAM,EAAE,CAAC,IAAI,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,CAAC;IAC/D,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IACvC,MAAM,CAAC,EAAE,WAAW,CAAC;IACrB,KAAK,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACvC,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAgG5B;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,gBAAgB,CAAC,OAAO,EAAE;IAC9C,MAAM,EAAE,CAAC,IAAI,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,CAAC;IAC/D,QAAQ,EAAE,CAAC,MAAM,EAAE,WAAW,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IACnD,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IACvC,iBAAiB,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,CAAC,EAAE,WAAW,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,SAAS,GAAG,QAAQ,CAAC;CAC7B,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA0H5B;AAED,eAAO,MAAM,SAAS;;;;;;;;CAQrB,CAAC;AAEF;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,YAAY,EAAE,MAAM,EACpB,iBAAiB,CAAC,EAAE,MAAM,GACzB,OAAO,CAAC,gBAAgB,CAAC,CAc3B;AAED,eAAO,MAAM,wBAAwB,EAAE,sBAyBtC,CAAC"}

package/dist/auth/types.d.ts

@@ -17,18 +17,38 @@ export interface OAuthPrompt {
     placeholder?: string;
     allowEmpty?: boolean;
 }
+/**
+ * A selectable authentication mode for an OAuth provider.
+ * Providers that support multiple flows (e.g. browser callback vs. device code)
+ * advertise them via `OAuthProviderInterface.authModes`. The TUI shows a
+ * sub-selector when more than one mode is available so users don't need to
+ * discover the flow through environment variables.
+ */
+export interface AuthMode {
+    id: string;
+    name: string;
+    description?: string;
+}
 export interface OAuthLoginCallbacks {
     onAuth: (info: OAuthAuthInfo) => void;
     onPrompt: (prompt: OAuthPrompt) => Promise<string>;
     onProgress?: (message: string) => void;
     onManualCodeInput?: () => Promise<string>;
     signal?: AbortSignal;
+    /** Selected authentication mode id (matches one of `OAuthProviderInterface.authModes`). */
+    authMode?: string;
 }
 export interface OAuthProviderInterface {
     readonly id: OAuthProviderId;
     readonly name: string;
     /** Whether this provider uses a local callback server (vs manual code paste) */
     readonly usesCallbackServer?: boolean;
+    /**
+     * Optional list of selectable auth flows. When set with two or more entries,
+     * the TUI prompts the user to pick a mode before starting the login flow and
+     * forwards the choice via `OAuthLoginCallbacks.authMode`.
+     */
+    readonly authModes?: ReadonlyArray<AuthMode>;
     /** Run the login flow, return credentials to persist */
     login(callbacks: OAuthLoginCallbacks): Promise<OAuthCredentials>;
     /** Refresh expired credentials, return updated credentials to persist */

package/dist/auth/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,MAAM,eAAe,GAAG,MAAM,CAAC;AAErC,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,CAAC,IAAI,EAAE,aAAa,KAAK,IAAI,CAAC;IACtC,QAAQ,EAAE,CAAC,MAAM,EAAE,WAAW,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IACnD,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IACvC,iBAAiB,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,EAAE,EAAE,eAAe,CAAC;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB,gFAAgF;IAChF,QAAQ,CAAC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAEtC,wDAAwD;IACxD,KAAK,CAAC,SAAS,EAAE,mBAAmB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAEjE,yEAAyE;IACzE,YAAY,CAAC,WAAW,EAAE,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAEvE,6DAA6D;IAC7D,SAAS,CAAC,WAAW,EAAE,gBAAgB,GAAG,MAAM,CAAC;CAClD;AAED,MAAM,MAAM,gBAAgB,GAAG;IAC7B,IAAI,EAAE,SAAS,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,MAAM,eAAe,GAAG;IAC5B,IAAI,EAAE,OAAO,CAAC;CACf,GAAG,gBAAgB,CAAC;AAErB,MAAM,MAAM,cAAc,GAAG,gBAAgB,GAAG,eAAe,CAAC;AAEhE,MAAM,MAAM,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,MAAM,eAAe,GAAG,MAAM,CAAC;AAErC,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,CAAC,IAAI,EAAE,aAAa,KAAK,IAAI,CAAC;IACtC,QAAQ,EAAE,CAAC,MAAM,EAAE,WAAW,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IACnD,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IACvC,iBAAiB,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,CAAC,EAAE,WAAW,CAAC;IACrB,2FAA2F;IAC3F,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,EAAE,EAAE,eAAe,CAAC;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB,gFAAgF;IAChF,QAAQ,CAAC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAEtC;;;;OAIG;IACH,QAAQ,CAAC,SAAS,CAAC,EAAE,aAAa,CAAC,QAAQ,CAAC,CAAC;IAE7C,wDAAwD;IACxD,KAAK,CAAC,SAAS,EAAE,mBAAmB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAEjE,yEAAyE;IACzE,YAAY,CAAC,WAAW,EAAE,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAEvE,6DAA6D;IAC7D,SAAS,CAAC,WAAW,EAAE,gBAAgB,GAAG,MAAM,CAAC;CAClD;AAED,MAAM,MAAM,gBAAgB,GAAG;IAC7B,IAAI,EAAE,SAAS,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,MAAM,eAAe,GAAG;IAC5B,IAAI,EAAE,OAAO,CAAC;CACf,GAAG,gBAAgB,CAAC;AAErB,MAAM,MAAM,cAAc,GAAG,gBAAgB,GAAG,eAAe,CAAC;AAEhE,MAAM,MAAM,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC"}

package/dist/{chunk-EQBHZCMR.js → chunk-5YJR6NJL.js}

@@ -674,23 +674,44 @@ var githubCopilotOAuthProvider = {
 
 // src/auth/providers/openai-codex.ts
 var _randomBytes = null;
+var _cryptoPromise = null;
 var _httpPromise = null;
 var _http = null;
 if (typeof process !== "undefined" && (process.versions?.node || process.versions?.bun)) {
-  import('crypto').then((m) => {
+  _cryptoPromise = import('crypto').then((m) => {
     _randomBytes = m.randomBytes;
+    return m;
   });
   _httpPromise = import('http').then((m) => {
     _http = m;
     return m;
   });
 }
+var OPENAI_CODEX_AUTH_MODES = [
+  {
+    id: "browser",
+    name: "Browser (local callback)",
+    description: "Opens the browser and waits for the OAuth callback on localhost."
+  },
+  {
+    id: "device",
+    name: "Device code (headless)",
+    description: "Shows a code to enter at openai.com \u2014 for SSH, remote, or no-browser environments."
+  }
+];
 var CLIENT_ID3 = "app_EMoamEEZ73f0CkXaXp7hrann";
-var AUTHORIZE_URL2 = "https://auth.openai.com/oauth/authorize";
-var TOKEN_URL2 = "https://auth.openai.com/oauth/token";
+var ISSUER = "https://auth.openai.com";
+var AUTHORIZE_URL2 = `${ISSUER}/oauth/authorize`;
+var TOKEN_URL2 = `${ISSUER}/oauth/token`;
+var DEVICE_USER_CODE_URL = `${ISSUER}/api/accounts/deviceauth/usercode`;
+var DEVICE_TOKEN_URL = `${ISSUER}/api/accounts/deviceauth/token`;
+var DEVICE_AUTHORIZE_URL = `${ISSUER}/codex/device`;
+var DEVICE_REDIRECT_URI = `${ISSUER}/deviceauth/callback`;
 var DEFAULT_CALLBACK_PORT = 1455;
 var FALLBACK_CALLBACK_PORT = 1457;
-var SCOPE = "openid profile email offline_access";
+var DEFAULT_TOKEN_EXPIRES_IN_SECONDS = 3600;
+var DEVICE_AUTH_TIMEOUT_MS = 15 * 60 * 1e3;
+var SCOPE = "openid profile email offline_access api.connectors.read api.connectors.invoke";
 var JWT_CLAIM_PATH = "https://api.openai.com/auth";
 var SUCCESS_HTML = `<!doctype html>
 <html lang="en">
@@ -703,11 +724,9 @@ var SUCCESS_HTML = `<!doctype html>
   <p>Authentication successful. Return to your terminal to continue.</p>
 </body>
 </html>`;
-function createState() {
-  if (!_randomBytes) {
-    throw new Error("OpenAI Codex OAuth is only available in Node.js environments");
-  }
-  return _randomBytes(16).toString("hex");
+async function createState() {
+  const randomBytes = await getRandomBytes();
+  return randomBytes(16).toString("hex");
 }
 function parseAuthorizationInput(input) {
   const value = input.trim();
@@ -738,12 +757,45 @@ function decodeJwt(token) {
     const parts = token.split(".");
     if (parts.length !== 3) return null;
     const payload = parts[1] ?? "";
-    const decoded = atob(payload);
+    const padded = payload.replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(payload.length / 4) * 4, "=");
+    const decoded = atob(padded);
     return JSON.parse(decoded);
   } catch {
     return null;
   }
 }
+function extractAccountIdFromClaims(payload) {
+  if (!payload) return null;
+  const accountId = payload.chatgpt_account_id ?? payload[JWT_CLAIM_PATH]?.chatgpt_account_id;
+  return typeof accountId === "string" && accountId.length > 0 ? accountId : null;
+}
+function getAccountId(tokens, fallback) {
+  const fromIdToken = tokens.idToken ? extractAccountIdFromClaims(decodeJwt(tokens.idToken)) : null;
+  if (fromIdToken) return fromIdToken;
+  const fromAccessToken = extractAccountIdFromClaims(decodeJwt(tokens.access));
+  if (fromAccessToken) return fromAccessToken;
+  return fallback;
+}
+function requireAccountId(tokens, fallback) {
+  const accountId = getAccountId(tokens, fallback);
+  if (!accountId) {
+    throw new Error("Failed to extract ChatGPT account id from OpenAI Codex token");
+  }
+  return accountId;
+}
+function tokenResponseToResult(json, logPrefix) {
+  if (!json.access_token || !json.refresh_token) {
+    console.error(`[openai-codex] ${logPrefix} response missing fields:`, json);
+    return { type: "failed" };
+  }
+  return {
+    type: "success",
+    access: json.access_token,
+    refresh: json.refresh_token,
+    expires: Date.now() + (json.expires_in ?? DEFAULT_TOKEN_EXPIRES_IN_SECONDS) * 1e3,
+    idToken: json.id_token
+  };
+}
 async function exchangeAuthorizationCode(code, verifier, redirectUri) {
   const response = await fetch(TOKEN_URL2, {
     method: "POST",
@@ -761,17 +813,7 @@ async function exchangeAuthorizationCode(code, verifier, redirectUri) {
     console.error("[openai-codex] code->token failed:", response.status, text);
     return { type: "failed" };
   }
-  const json = await response.json();
-  if (!json.access_token || !json.refresh_token || typeof json.expires_in !== "number") {
-    console.error("[openai-codex] token response missing fields:", json);
-    return { type: "failed" };
-  }
-  return {
-    type: "success",
-    access: json.access_token,
-    refresh: json.refresh_token,
-    expires: Date.now() + json.expires_in * 1e3
-  };
+  return tokenResponseToResult(await response.json(), "token");
 }
 async function refreshAccessToken(refreshToken) {
   try {
@@ -789,23 +831,22 @@ async function refreshAccessToken(refreshToken) {
       console.error("[openai-codex] Token refresh failed:", response.status, text);
       return { type: "failed" };
     }
-    const json = await response.json();
-    if (!json.access_token || !json.refresh_token || typeof json.expires_in !== "number") {
-      console.error("[openai-codex] Token refresh response missing fields:", json);
-      return { type: "failed" };
-    }
-    return {
-      type: "success",
-      access: json.access_token,
-      refresh: json.refresh_token,
-      expires: Date.now() + json.expires_in * 1e3
-    };
+    return tokenResponseToResult(await response.json(), "Token refresh");
   } catch (error) {
     console.error("[openai-codex] Token refresh error:", error);
     return { type: "failed" };
   }
 }
-async function createAuthorizationFlow(redirectUri, state, originator = "pi") {
+async function getRandomBytes() {
+  if (!_randomBytes && _cryptoPromise) {
+    _randomBytes = (await _cryptoPromise).randomBytes;
+  }
+  if (!_randomBytes) {
+    throw new Error("OpenAI Codex OAuth is only available in Node.js environments");
+  }
+  return _randomBytes;
+}
+async function createAuthorizationFlow(redirectUri, state, originator = "mastracode") {
   const { verifier, challenge } = await generatePKCE();
   const url = new URL(AUTHORIZE_URL2);
   url.searchParams.set("response_type", "code");
@@ -935,19 +976,100 @@ async function startLocalOAuthServer(state, ports = CODEX_CALLBACK_PORTS) {
     });
   });
 }
-function getAccountId(accessToken) {
-  const payload = decodeJwt(accessToken);
-  const auth = payload?.[JWT_CLAIM_PATH];
-  const accountId = auth?.chatgpt_account_id;
-  return typeof accountId === "string" && accountId.length > 0 ? accountId : null;
+async function loginOpenAICodexDevice(options) {
+  const response = await fetch(DEVICE_USER_CODE_URL, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "User-Agent": "mastracode"
+    },
+    body: JSON.stringify({ client_id: CLIENT_ID3, originator: "mastracode" }),
+    signal: options.signal
+  });
+  if (!response.ok) {
+    throw new Error(`Failed to initiate OpenAI Codex device authorization: ${response.status}`);
+  }
+  const deviceData = await response.json();
+  const userCode = deviceData.user_code ?? deviceData.usercode;
+  if (!deviceData.device_auth_id || !userCode) {
+    throw new Error("OpenAI Codex device authorization response missing required fields");
+  }
+  const intervalSeconds = typeof deviceData.interval === "number" ? deviceData.interval : Number.parseInt(deviceData.interval ?? "", 10) || 5;
+  const pollDelayMs = Math.max(intervalSeconds, 1) * 1e3;
+  const sleep = options.sleep ?? ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
+  const startedAt = Date.now();
+  options.onAuth({
+    url: DEVICE_AUTHORIZE_URL,
+    instructions: `Enter code: ${userCode}`
+  });
+  while (true) {
+    if (options.signal?.aborted) {
+      throw new Error("Login cancelled");
+    }
+    if (Date.now() - startedAt >= DEVICE_AUTH_TIMEOUT_MS) {
+      throw new Error("OpenAI Codex device authorization timed out after 15 minutes");
+    }
+    const pollResponse = await fetch(DEVICE_TOKEN_URL, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "User-Agent": "mastracode"
+      },
+      body: JSON.stringify({
+        device_auth_id: deviceData.device_auth_id,
+        user_code: userCode
+      }),
+      signal: options.signal
+    });
+    if (pollResponse.ok) {
+      const data = await pollResponse.json();
+      if (!data.authorization_code || !data.code_verifier) {
+        throw new Error("OpenAI Codex device token response missing required fields");
+      }
+      const tokenResult = await exchangeAuthorizationCode(
+        data.authorization_code,
+        data.code_verifier,
+        DEVICE_REDIRECT_URI
+      );
+      if (tokenResult.type !== "success") {
+        throw new Error("Token exchange failed");
+      }
+      const accountId = requireAccountId(tokenResult);
+      return {
+        access: tokenResult.access,
+        refresh: tokenResult.refresh,
+        expires: tokenResult.expires,
+        accountId
+      };
+    }
+    if (pollResponse.status !== 403 && pollResponse.status !== 404) {
+      const text = await pollResponse.text().catch(() => "");
+      throw new Error(`OpenAI Codex device authorization failed: ${pollResponse.status}${text ? ` ${text}` : ""}`);
+    }
+    options.onProgress?.("Waiting for OpenAI Codex device authorization...");
+    await sleep(pollDelayMs);
+  }
 }
 async function loginOpenAICodex(options) {
-  const state = createState();
+  const envMode = typeof process !== "undefined" && process.env?.MASTRACODE_OPENAI_CODEX_AUTH_MODE === "device" ? "device" : void 0;
+  const mode = options.mode ?? envMode ?? "browser";
+  if (mode === "device") {
+    return loginOpenAICodexDevice({
+      onAuth: options.onAuth,
+      onProgress: options.onProgress,
+      signal: options.signal
+    });
+  }
+  const state = await createState();
   const server = await startLocalOAuthServer(state);
   if (server.warning) {
     options.onProgress?.(server.warning);
   }
-  const { verifier, url } = await createAuthorizationFlow(server.redirectUri, state, options.originator);
+  const { verifier, url } = await createAuthorizationFlow(
+    server.redirectUri,
+    state,
+    options.originator ?? "mastracode"
+  );
   options.onAuth({
     url,
     instructions: server.warning ? `${server.warning} You can still paste the authorization code or full redirect URL manually.` : "A browser window should open. Complete login to finish."
@@ -1013,10 +1135,7 @@ async function loginOpenAICodex(options) {
     if (tokenResult.type !== "success") {
       throw new Error("Token exchange failed");
     }
-    const accountId = getAccountId(tokenResult.access);
-    if (!accountId) {
-      throw new Error("Failed to extract accountId from token");
-    }
+    const accountId = requireAccountId(tokenResult);
     return {
       access: tokenResult.access,
       refresh: tokenResult.refresh,
@@ -1027,15 +1146,12 @@ async function loginOpenAICodex(options) {
     server.close();
   }
 }
-async function refreshOpenAICodexToken(refreshToken) {
+async function refreshOpenAICodexToken(refreshToken, previousAccountId) {
   const result = await refreshAccessToken(refreshToken);
   if (result.type !== "success") {
     throw new Error("Failed to refresh OpenAI Codex token");
   }
-  const accountId = getAccountId(result.access);
-  if (!accountId) {
-    throw new Error("Failed to extract accountId from token");
-  }
+  const accountId = requireAccountId(result, previousAccountId);
   return {
     access: result.access,
     refresh: result.refresh,
@@ -1047,16 +1163,20 @@ var openaiCodexOAuthProvider = {
   id: "openai-codex",
   name: "ChatGPT Plus/Pro (Codex Subscription)",
   usesCallbackServer: true,
+  authModes: OPENAI_CODEX_AUTH_MODES,
   async login(callbacks) {
+    const mode = callbacks.authMode === "device" || callbacks.authMode === "browser" ? callbacks.authMode : void 0;
     return loginOpenAICodex({
       onAuth: callbacks.onAuth,
       onPrompt: callbacks.onPrompt,
       onProgress: callbacks.onProgress,
-      onManualCodeInput: callbacks.onManualCodeInput
+      onManualCodeInput: callbacks.onManualCodeInput,
+      signal: callbacks.signal,
+      mode
     });
   },
   async refreshToken(credentials) {
-    return refreshOpenAICodexToken(credentials.refresh);
+    return refreshOpenAICodexToken(credentials.refresh, credentials.accountId);
   },
   getApiKey(credentials) {
     return credentials.access;
@@ -1088,6 +1208,7 @@ var AuthStorage = class {
     this.authPath = authPath;
     this.reload();
   }
+  authPath;
   data = {};
   /**
    * Reload credentials from disk.
@@ -1239,5 +1360,5 @@ var AuthStorage = class {
 };
 
 export { AuthStorage, COPILOT_HEADERS, PROVIDER_DEFAULT_MODELS, detectProject, fetchCopilotModels, getAppDataDir, getCurrentGitBranch, getDatabasePath, getGitHubCopilotBaseUrl, getOAuthProvider, getOAuthProviders, getObservabilityDatabasePath, getOmScope, getResourceIdOverride, getStorageConfig, getUserId, getUserName, getVectorDatabasePath };
-//# sourceMappingURL=chunk-EQBHZCMR.js.map
-//# sourceMappingURL=chunk-EQBHZCMR.js.map
+//# sourceMappingURL=chunk-5YJR6NJL.js.map
+//# sourceMappingURL=chunk-5YJR6NJL.js.map