openai-codex-oauth 0.0.0

package/dist/chunk-DXYYRLYI.js

@@ -0,0 +1,526 @@
+import {
+  deriveAccountId,
+  deriveExpiresAt
+} from "./chunk-SCKIRN2D.js";
+
+// src/types.ts
+var OpenAIOAuthError = class extends Error {
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.name = "OpenAIOAuthError";
+    this.code = code;
+  }
+};
+
+// src/device-flow.ts
+var DEFAULT_CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+var DEFAULT_ISSUER = "https://auth.openai.com";
+var POLL_BUFFER_MS = 3e3;
+function pickFetch(customFetch) {
+  if (typeof customFetch === "function") {
+    return customFetch;
+  }
+  if (typeof globalThis.fetch === "function") {
+    return globalThis.fetch.bind(globalThis);
+  }
+  throw new OpenAIOAuthError("fetch_required", "A fetch implementation is required for OpenAI OAuth.");
+}
+async function startOpenAIDeviceFlow(options = {}) {
+  const fetch = pickFetch(options.fetch);
+  const issuer = (options.issuer ?? DEFAULT_ISSUER).replace(/\/$/, "");
+  const clientId = options.clientId ?? DEFAULT_CLIENT_ID;
+  const now = options.now ?? (() => Date.now());
+  const sleep = options.sleep ?? ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
+  const codeResponse = await fetch(`${issuer}/api/accounts/deviceauth/usercode`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({ client_id: clientId })
+  });
+  if (!codeResponse.ok) {
+    throw new OpenAIOAuthError("auth_failed", "Failed to initiate OpenAI authorization.");
+  }
+  const device = await codeResponse.json();
+  if (!device.device_auth_id || !device.user_code) {
+    throw new OpenAIOAuthError("auth_failed", "OpenAI authorization response did not include a device code.");
+  }
+  const intervalSeconds = typeof device.interval === "number" ? device.interval : parseInt(device.interval ?? "5", 10);
+  const intervalMs = Math.max(Number.isFinite(intervalSeconds) ? intervalSeconds : 5, 1) * 1e3;
+  return {
+    providerId: "openai",
+    url: `${issuer}/codex/device`,
+    code: device.user_code,
+    instructions: `Enter code: ${device.user_code}`,
+    async complete() {
+      while (true) {
+        const poll = await fetch(`${issuer}/api/accounts/deviceauth/token`, {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json"
+          },
+          body: JSON.stringify({
+            device_auth_id: device.device_auth_id,
+            user_code: device.user_code
+          })
+        });
+        if (poll.ok) {
+          const grant = await poll.json();
+          if (!grant.authorization_code || !grant.code_verifier) {
+            throw new OpenAIOAuthError("auth_failed", "OpenAI authorization grant was incomplete.");
+          }
+          const tokens = await exchangeAuthorizationCode({
+            fetch,
+            issuer,
+            clientId,
+            authorizationCode: grant.authorization_code,
+            codeVerifier: grant.code_verifier,
+            now
+          });
+          await options.tokenStore?.save(tokens);
+          return tokens;
+        }
+        if (poll.status !== 403 && poll.status !== 404) {
+          throw new OpenAIOAuthError("auth_failed", "OpenAI OAuth authorization failed.");
+        }
+        await sleep(intervalMs + POLL_BUFFER_MS);
+      }
+    }
+  };
+}
+async function exchangeAuthorizationCode({
+  fetch,
+  issuer,
+  clientId,
+  authorizationCode,
+  codeVerifier,
+  now
+}) {
+  const response = await fetch(`${issuer}/oauth/token`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded"
+    },
+    body: new URLSearchParams({
+      grant_type: "authorization_code",
+      code: authorizationCode,
+      redirect_uri: `${issuer}/deviceauth/callback`,
+      client_id: clientId,
+      code_verifier: codeVerifier
+    }).toString()
+  });
+  if (!response.ok) {
+    throw new OpenAIOAuthError("auth_failed", "OpenAI token exchange failed.");
+  }
+  const token = await response.json();
+  if (!token.access_token) {
+    throw new OpenAIOAuthError("auth_failed", "OpenAI token exchange did not return an access token.");
+  }
+  return {
+    refreshToken: token.refresh_token,
+    accessToken: token.access_token,
+    idToken: token.id_token,
+    expiresAt: now() + (token.expires_in ?? 3600) * 1e3,
+    accountId: deriveAccountId(token.id_token, token.access_token)
+  };
+}
+async function refreshOpenAITokens({
+  tokens,
+  fetch,
+  clientId = DEFAULT_CLIENT_ID,
+  issuer = DEFAULT_ISSUER,
+  tokenUrl,
+  now = () => Date.now()
+}) {
+  if (!tokens.refreshToken) {
+    return void 0;
+  }
+  const resolvedIssuer = issuer.replace(/\/$/, "");
+  const response = await fetch(tokenUrl ?? `${resolvedIssuer}/oauth/token`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded"
+    },
+    body: new URLSearchParams({
+      grant_type: "refresh_token",
+      refresh_token: tokens.refreshToken,
+      client_id: clientId,
+      scope: "openid profile email offline_access"
+    }).toString()
+  });
+  if (!response.ok) {
+    return void 0;
+  }
+  const payload = await response.json();
+  if (!payload.access_token) {
+    return void 0;
+  }
+  const next = {
+    accessToken: payload.access_token,
+    refreshToken: payload.refresh_token ?? tokens.refreshToken,
+    idToken: payload.id_token ?? tokens.idToken,
+    expiresAt: now() + (payload.expires_in ?? 3600) * 1e3
+  };
+  next.accountId = deriveAccountId(next.idToken, next.accessToken) ?? tokens.accountId;
+  return next;
+}
+
+// src/memory-token-store.ts
+function createMemoryTokenStore(initial) {
+  let current = initial;
+  return {
+    async load() {
+      return current;
+    },
+    async save(tokens) {
+      current = tokens;
+    }
+  };
+}
+
+// src/codex-fetch.ts
+var DEFAULT_CODEX_BASE_URL = "https://chatgpt.com/backend-api/codex";
+var DEFAULT_BROWSER_PROXY_BASE_URL = "/api/proxy/openai/codex";
+var DEFAULT_REFRESH_MARGIN_MS = 5 * 60 * 1e3;
+var DEFAULT_INSTRUCTIONS = "";
+var DEFAULT_ORIGINATOR = "openai-codex-oauth";
+function pickFetch2(customFetch) {
+  if (typeof customFetch === "function") {
+    return customFetch;
+  }
+  if (typeof globalThis.fetch === "function") {
+    return globalThis.fetch.bind(globalThis);
+  }
+  throw new OpenAIOAuthError("fetch_required", "A fetch implementation is required for OpenAI OAuth.");
+}
+function withoutTrailingSlash(value) {
+  return value.replace(/\/$/, "");
+}
+function resolveBaseURL(baseURL) {
+  return withoutTrailingSlash(baseURL ?? DEFAULT_CODEX_BASE_URL);
+}
+function createStore(settings) {
+  if (settings.tokenStore) {
+    return settings.tokenStore;
+  }
+  if (settings.tokens) {
+    return createMemoryTokenStore(settings.tokens);
+  }
+  throw new OpenAIOAuthError(
+    "tokens_required",
+    "OpenAI OAuth tokens are required. Pass `tokens`, `tokenStore`, or use `createCodexAuthFileStore` from `@tolksyn/openai-oauth/node`."
+  );
+}
+function needsRefresh(tokens, now, marginMs) {
+  const expiresAt = tokens.expiresAt ?? deriveExpiresAt(tokens.accessToken);
+  if (!tokens.accessToken) {
+    return true;
+  }
+  if (expiresAt == null || expiresAt <= 0) {
+    return false;
+  }
+  return expiresAt <= now + marginMs;
+}
+function hasExpired(tokens, now) {
+  const expiresAt = tokens.expiresAt ?? deriveExpiresAt(tokens.accessToken);
+  return expiresAt != null && expiresAt > 0 && expiresAt <= now;
+}
+var TokenManager = class {
+  constructor(settings, store, fetch) {
+    this.settings = settings;
+    this.store = store;
+    this.fetch = fetch;
+  }
+  settings;
+  store;
+  fetch;
+  /** Promise for an in-flight token refresh to coalesce concurrent requests. */
+  inflight;
+  /** Cached current tokens to avoid redundant store loads. */
+  current;
+  /**
+   * Gets valid OAuth tokens, triggering refresh if needed.
+   * Coalesces concurrent requests to avoid duplicate refresh calls.
+   */
+  async get() {
+    if (this.inflight) {
+      return this.inflight;
+    }
+    this.inflight = this.loadFresh().then((tokens) => {
+      this.current = tokens;
+      this.inflight = void 0;
+      return tokens;
+    }).catch((error) => {
+      this.inflight = void 0;
+      throw error;
+    });
+    return this.inflight;
+  }
+  /**
+   * Loads fresh tokens, optionally refreshing if expired or near expiry.
+   * Derives account ID from JWT claims if not explicitly provided.
+   */
+  async loadFresh() {
+    let tokens = this.current ?? await this.store.load();
+    if (!tokens?.accessToken) {
+      throw new OpenAIOAuthError("auth_failed", "OpenAI OAuth access token is missing.");
+    }
+    const now = this.settings.now?.() ?? Date.now();
+    const refreshMarginMs = this.settings.refreshMarginMs ?? DEFAULT_REFRESH_MARGIN_MS;
+    if (needsRefresh(tokens, now, refreshMarginMs)) {
+      const refreshed = await refreshOpenAITokens({
+        tokens,
+        fetch: this.fetch,
+        clientId: this.settings.clientId,
+        issuer: this.settings.issuer,
+        tokenUrl: this.settings.tokenUrl,
+        now: this.settings.now
+      });
+      if (refreshed) {
+        tokens = refreshed;
+        await this.store.save(tokens);
+        await this.settings.onTokens?.(tokens);
+      } else if (hasExpired(tokens, now)) {
+        throw new OpenAIOAuthError("auth_failed", "OpenAI OAuth access token expired and refresh failed.");
+      }
+    }
+    const accountId = tokens.accountId ?? deriveAccountId(tokens.idToken, tokens.accessToken);
+    if (!accountId) {
+      throw new OpenAIOAuthError(
+        "account_id_missing",
+        "OpenAI OAuth account id is missing. Store `accountId` with the tokens or include an id_token with the ChatGPT account claim."
+      );
+    }
+    return {
+      ...tokens,
+      accountId
+    };
+  }
+};
+function resolveTargetUrl(input, baseURL) {
+  const base = new URL(baseURL);
+  const parsed = /^https?:\/\//.test(input) ? new URL(input) : new URL(input, "https://codex.invalid");
+  let pathname = parsed.pathname;
+  const basePath = withoutTrailingSlash(base.pathname);
+  if (pathname === basePath) {
+    pathname = "/";
+  } else if (basePath && pathname.startsWith(`${basePath}/`)) {
+    pathname = pathname.slice(basePath.length);
+  }
+  if (pathname === "/v1") {
+    pathname = "/";
+  } else if (pathname.startsWith("/v1/")) {
+    pathname = pathname.slice(3);
+  }
+  if (!pathname.startsWith("/")) {
+    pathname = `/${pathname}`;
+  }
+  return `${base.origin}${basePath}${pathname}${parsed.search}`;
+}
+function browserOrigin() {
+  const maybeWindow = globalThis.window;
+  return typeof maybeWindow?.location?.origin === "string" ? maybeWindow.location.origin.replace(/\/$/, "") : void 0;
+}
+function resolveBrowserProxyUrl(target, baseURL, settings) {
+  const origin = browserOrigin();
+  if (!origin || settings.browserProxyBaseUrl === false) {
+    return void 0;
+  }
+  const proxyBase = settings.browserProxyBaseUrl ?? DEFAULT_BROWSER_PROXY_BASE_URL;
+  const absoluteProxyBase = /^https?:\/\//.test(proxyBase) ? proxyBase.replace(/\/$/, "") : `${origin}${proxyBase.startsWith("/") ? "" : "/"}${proxyBase}`.replace(/\/$/, "");
+  const upstreamBasePath = withoutTrailingSlash(new URL(baseURL).pathname);
+  let pathname = target.pathname;
+  if (upstreamBasePath && pathname.startsWith(`${upstreamBasePath}/`)) {
+    pathname = pathname.slice(upstreamBasePath.length);
+  }
+  return `${absoluteProxyBase}${pathname}${target.search}`;
+}
+async function readRequestParts(input, init) {
+  if (input instanceof Request) {
+    const headers = new Headers(input.headers);
+    if (init?.headers) {
+      new Headers(init.headers).forEach((value, key) => headers.set(key, value));
+    }
+    return {
+      url: input.url,
+      method: init?.method ?? input.method,
+      headers,
+      body: init?.body ?? (input.body == null ? void 0 : await input.clone().text()),
+      signal: init?.signal ?? input.signal
+    };
+  }
+  return {
+    url: String(input),
+    method: init?.method,
+    headers: new Headers(init?.headers),
+    body: init?.body,
+    signal: init?.signal
+  };
+}
+async function decodeBody(body) {
+  if (body == null) {
+    return void 0;
+  }
+  if (typeof body === "string") {
+    return body;
+  }
+  if (body instanceof URLSearchParams || body instanceof FormData || body instanceof ReadableStream) {
+    return void 0;
+  }
+  if (body instanceof Blob) {
+    return body.text();
+  }
+  if (body instanceof ArrayBuffer) {
+    return new TextDecoder().decode(body);
+  }
+  if (ArrayBuffer.isView(body)) {
+    return new TextDecoder().decode(body);
+  }
+  return void 0;
+}
+function normalizeCodexResponsesBody(body, options = {}) {
+  const normalized = { ...body };
+  if (typeof normalized.instructions !== "string") {
+    normalized.instructions = options.instructions ?? DEFAULT_INSTRUCTIONS;
+  }
+  if (normalized.store === void 0) {
+    normalized.store = options.store ?? false;
+  }
+  delete normalized.max_output_tokens;
+  return normalized;
+}
+async function prepareBody(pathname, headers, body, settings) {
+  if (!pathname.endsWith("/responses")) {
+    return body;
+  }
+  const contentType = headers.get("content-type");
+  if (contentType && !contentType.includes("application/json")) {
+    return body;
+  }
+  const bodyText = await decodeBody(body);
+  if (typeof bodyText !== "string") {
+    return body;
+  }
+  try {
+    const parsed = JSON.parse(bodyText);
+    if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+      return body;
+    }
+    return JSON.stringify(normalizeCodexResponsesBody(parsed, settings));
+  } catch {
+    return body;
+  }
+}
+function createCodexOAuthFetch(settings = {}) {
+  const fetch = pickFetch2(settings.fetch);
+  const store = createStore(settings);
+  const manager = new TokenManager(settings, store, fetch);
+  const baseURL = resolveBaseURL(settings.baseURL);
+  return async (input, init) => {
+    const request = await readRequestParts(input, init);
+    const targetUrl = resolveTargetUrl(request.url, baseURL);
+    const target = new URL(targetUrl);
+    const tokens = await manager.get();
+    const headers = new Headers(settings.headers);
+    request.headers.forEach((value, key) => headers.set(key, value));
+    headers.delete("authorization");
+    headers.delete("chatgpt-account-id");
+    headers.delete("openai-beta");
+    headers.set("Authorization", `Bearer ${tokens.accessToken}`);
+    headers.set("ChatGPT-Account-Id", tokens.accountId);
+    headers.set("OpenAI-Beta", "responses=experimental");
+    if (settings.originator !== false && !headers.has("originator")) {
+      headers.set("originator", settings.originator ?? DEFAULT_ORIGINATOR);
+    }
+    const body = await prepareBody(target.pathname, headers, request.body, settings);
+    return fetch(resolveBrowserProxyUrl(target, baseURL, settings) ?? target.toString(), {
+      method: request.method ?? init?.method,
+      headers,
+      body,
+      signal: request.signal ?? void 0
+    });
+  };
+}
+function createCodexOAuthClient(settings = {}) {
+  const baseURL = resolveBaseURL(settings.baseURL);
+  const fetch = createCodexOAuthFetch(settings);
+  return {
+    baseURL,
+    fetch,
+    request: (path, init) => fetch(resolveTargetUrl(path, baseURL), init)
+  };
+}
+
+// src/proxy.ts
+function pickFetch3(customFetch) {
+  if (typeof customFetch === "function") return customFetch;
+  if (typeof globalThis.fetch === "function") return globalThis.fetch.bind(globalThis);
+  throw new Error("A fetch implementation is required for OpenAI Codex proxy handlers.");
+}
+function noStoreText(text, status) {
+  return new Response(text, {
+    status,
+    headers: {
+      "Content-Type": "text/plain; charset=utf-8",
+      "Cache-Control": "no-store"
+    }
+  });
+}
+async function requestBody(request, options) {
+  const text = await request.text();
+  if (!text.trim()) return text;
+  try {
+    const parsed = JSON.parse(text);
+    if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) return text;
+    return JSON.stringify(normalizeCodexResponsesBody(parsed, options));
+  } catch {
+    return text;
+  }
+}
+function createOpenAIOAuthProxy(options = {}) {
+  const fetch = pickFetch3(options.fetch);
+  const baseURL = (options.baseURL ?? DEFAULT_CODEX_BASE_URL).replace(/\/$/, "");
+  return {
+    async responses(request) {
+      const authorization = request.headers.get("authorization") ?? "";
+      const accountId = request.headers.get("chatgpt-account-id") ?? "";
+      if (!authorization.trim() || !accountId.trim()) {
+        return noStoreText("Missing OpenAI OAuth credentials.", 401);
+      }
+      const upstream = await fetch(`${baseURL}/responses${new URL(request.url).search}`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: authorization,
+          "ChatGPT-Account-Id": accountId,
+          "OpenAI-Beta": "responses=experimental",
+          ...options.originator === false ? {} : { originator: options.originator ?? "openai-codex-oauth" }
+        },
+        body: await requestBody(request, options)
+      });
+      return new Response(await upstream.text(), {
+        status: upstream.status,
+        headers: {
+          "Content-Type": upstream.headers.get("Content-Type") ?? "application/json",
+          "Cache-Control": "no-store"
+        }
+      });
+    }
+  };
+}
+
+export {
+  OpenAIOAuthError,
+  DEFAULT_CLIENT_ID,
+  DEFAULT_ISSUER,
+  startOpenAIDeviceFlow,
+  refreshOpenAITokens,
+  createMemoryTokenStore,
+  DEFAULT_CODEX_BASE_URL,
+  normalizeCodexResponsesBody,
+  createCodexOAuthFetch,
+  createCodexOAuthClient,
+  createOpenAIOAuthProxy
+};
+//# sourceMappingURL=chunk-DXYYRLYI.js.map

package/dist/chunk-DXYYRLYI.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/types.ts","../src/device-flow.ts","../src/memory-token-store.ts","../src/codex-fetch.ts","../src/proxy.ts"],"sourcesContent":["/**\n * @file types.ts\n *\n * Core type definitions for the OpenAI Codex OAuth library.\n * These types define the contract for authentication, token management,\n * and configuration across all modules.\n */\n\n/**\n * Type alias for the global fetch function signature.\n * Used to allow custom fetch implementations in various environments.\n */\nexport type FetchLike = typeof globalThis.fetch;\n\n/**\n * OAuth credentials used to call the OpenAI Codex backend.\n * Treat these as password-equivalent secrets.\n */\nexport type OpenAIOAuthTokens = {\n  /** Bearer token sent to the Codex backend. */\n  accessToken: string;\n  /** Refresh token used to obtain a new access token before expiry. */\n  refreshToken?: string;\n  /** Access-token expiry as epoch milliseconds. */\n  expiresAt?: number;\n  /** Optional OpenID token. Used to derive `accountId` when available. */\n  idToken?: string;\n  /** ChatGPT account id required by the Codex backend. */\n  accountId?: string;\n};\n\n/** Async storage interface for loading and persisting OAuth credentials. */\nexport type TokenStore = {\n  /** Load the latest known credentials. Return `undefined` when the user is not signed in. */\n  load(): Promise<OpenAIOAuthTokens | undefined>;\n  /** Persist new credentials after sign-in or refresh. */\n  save(tokens: OpenAIOAuthTokens): Promise<void>;\n};\n\n/** In-progress OpenAI Codex device authorization flow. */\nexport type OpenAIDeviceFlow = {\n  providerId: 'openai';\n  /** URL the user should open to authorize the device flow. */\n  url: string;\n  /** User code to enter on the authorization page. */\n  code: string;\n  /** Human-readable instruction string for command-line or app UI. */\n  instructions: string;\n  /** Poll until authorization completes, exchange the grant, and return OAuth tokens. */\n  complete(): Promise<OpenAIOAuthTokens>;\n};\n\n/** Options for starting OpenAI's Codex device OAuth flow. */\nexport type OpenAIDeviceFlowOptions = {\n  /** Custom fetch implementation, useful for tests and non-standard runtimes. */\n  fetch?: FetchLike;\n  /** Clock override returning epoch milliseconds. */\n  now?: () => number;\n  /** Sleep override used between polling attempts. */\n  sleep?: (ms: number) => Promise<void>;\n  /** OAuth client id. Defaults to the Codex client id. */\n  clientId?: string;\n  /** OAuth issuer. Defaults to `https://auth.openai.com`. */\n  issuer?: string;\n  /** Optional store that receives tokens after successful authorization. */\n  tokenStore?: TokenStore;\n};\n\n/** Shared settings for Codex OAuth fetch, client, and AI SDK provider creation. */\nexport type OpenAIOAuthSettings = {\n  /** Custom fetch implementation for both token refresh and Codex requests. */\n  fetch?: FetchLike;\n  /** Secure token storage used to load and save refreshed credentials. */\n  tokenStore?: TokenStore;\n  /** Inline tokens for scripts/tests. Prefer `tokenStore` for production apps. */\n  tokens?: OpenAIOAuthTokens;\n  /** OAuth client id. Defaults to the Codex client id. */\n  clientId?: string;\n  /** OAuth issuer. Defaults to `https://auth.openai.com`. */\n  issuer?: string;\n  /** Override token endpoint for refresh. */\n  tokenUrl?: string;\n  /** Codex backend base URL. Defaults to `https://chatgpt.com/backend-api/codex`. */\n  baseURL?: string;\n  /** Browser proxy base URL for Codex requests. Defaults to `/api/proxy/openai/codex` in browsers. Pass `false` to disable. */\n  browserProxyBaseUrl?: string | false;\n  /** Additional headers sent to the Codex backend before OAuth headers are applied. */\n  headers?: Record<string, string>;\n  /** Default `instructions` value for Responses requests that omit it. */\n  instructions?: string;\n  /** Default OpenAI Responses `store` value. Defaults to `false`. */\n  store?: boolean;\n  /** Upstream `originator` header. Pass `false` to omit it. */\n  originator?: string | false;\n  /** Refresh access tokens this many milliseconds before expiry. */\n  refreshMarginMs?: number;\n  /** Clock override returning epoch milliseconds. */\n  now?: () => number;\n  /** Called after a successful token refresh. */\n  onTokens?: (tokens: OpenAIOAuthTokens) => void | Promise<void>;\n};\n\n/** Settings for the AI SDK provider factory. */\nexport type OpenAIOAuthProviderSettings = OpenAIOAuthSettings & {\n  /** Provider name exposed to AI SDK telemetry and metadata. */\n  name?: string;\n};\n\n/** Error class used for OAuth, token, and credential setup failures. */\nexport class OpenAIOAuthError extends Error {\n  readonly code: string;\n\n  constructor(code: string, message: string, options?: ErrorOptions) {\n    super(message, options);\n    this.name = 'OpenAIOAuthError';\n    this.code = code;\n  }\n}\n","/**\n * @file device-flow.ts\n *\n * Implements the OAuth 2.0 Device Authorization Grant flow for OpenAI Codex.\n * This flow is designed for CLI tools and headless applications where\n * the user authorizes on a separate device with a browser.\n *\n * The flow:\n * 1. Client requests a device code from the authorization server\n * 2. User visits the authorization URL and enters the displayed code\n * 3. Client polls for authorization completion\n * 4. On success, client exchanges the authorization grant for tokens\n */\n\nimport { deriveAccountId, deriveExpiresAt } from './jwt';\nimport type { FetchLike, OpenAIDeviceFlow, OpenAIDeviceFlowOptions, OpenAIOAuthTokens } from './types';\nimport { OpenAIOAuthError } from './types';\n\n/** Default OAuth client ID for Codex/ChatGPT. */\nconst DEFAULT_CLIENT_ID = 'app_EMoamEEZ73f0CkXaXp7hrann';\n/** Default OAuth issuer/authorization server URL. */\nconst DEFAULT_ISSUER = 'https://auth.openai.com';\n/** Additional wait time added to the poll interval to avoid race conditions. */\nconst POLL_BUFFER_MS = 3000;\n\n/**\n * Resolves the fetch function to use for OAuth requests.\n */\nfunction pickFetch(customFetch?: FetchLike): FetchLike {\n  if (typeof customFetch === 'function') {\n    return customFetch;\n  }\n\n  if (typeof globalThis.fetch === 'function') {\n    return globalThis.fetch.bind(globalThis);\n  }\n\n  throw new OpenAIOAuthError('fetch_required', 'A fetch implementation is required for OpenAI OAuth.');\n}\n\n/**\n * Start OpenAI's Codex device OAuth flow.\n *\n * The returned flow contains a URL and user code for authorization. Call\n * `flow.complete()` after showing those values to poll for authorization and\n * exchange the grant for OAuth tokens.\n */\nexport async function startOpenAIDeviceFlow(options: OpenAIDeviceFlowOptions = {}): Promise<OpenAIDeviceFlow> {\n  const fetch = pickFetch(options.fetch);\n  const issuer = (options.issuer ?? DEFAULT_ISSUER).replace(/\\/$/, '');\n  const clientId = options.clientId ?? DEFAULT_CLIENT_ID;\n  const now = options.now ?? (() => Date.now());\n  const sleep = options.sleep ?? ((ms: number) => new Promise<void>((resolve) => setTimeout(resolve, ms)));\n\n  const codeResponse = await fetch(`${issuer}/api/accounts/deviceauth/usercode`, {\n    method: 'POST',\n    headers: {\n      'Content-Type': 'application/json',\n    },\n    body: JSON.stringify({ client_id: clientId }),\n  });\n\n  if (!codeResponse.ok) {\n    throw new OpenAIOAuthError('auth_failed', 'Failed to initiate OpenAI authorization.');\n  }\n\n  const device = (await codeResponse.json()) as {\n    device_auth_id?: string;\n    user_code?: string;\n    interval?: string | number;\n  };\n\n  if (!device.device_auth_id || !device.user_code) {\n    throw new OpenAIOAuthError('auth_failed', 'OpenAI authorization response did not include a device code.');\n  }\n\n  const intervalSeconds = typeof device.interval === 'number' ? device.interval : parseInt(device.interval ?? '5', 10);\n  const intervalMs = Math.max(Number.isFinite(intervalSeconds) ? intervalSeconds : 5, 1) * 1000;\n\n  return {\n    providerId: 'openai',\n    url: `${issuer}/codex/device`,\n    code: device.user_code,\n    instructions: `Enter code: ${device.user_code}`,\n    async complete() {\n      while (true) {\n        const poll = await fetch(`${issuer}/api/accounts/deviceauth/token`, {\n          method: 'POST',\n          headers: {\n            'Content-Type': 'application/json',\n          },\n          body: JSON.stringify({\n            device_auth_id: device.device_auth_id,\n            user_code: device.user_code,\n          }),\n        });\n\n        if (poll.ok) {\n          const grant = (await poll.json()) as {\n            authorization_code?: string;\n            code_verifier?: string;\n          };\n\n          if (!grant.authorization_code || !grant.code_verifier) {\n            throw new OpenAIOAuthError('auth_failed', 'OpenAI authorization grant was incomplete.');\n          }\n\n          const tokens = await exchangeAuthorizationCode({\n            fetch,\n            issuer,\n            clientId,\n            authorizationCode: grant.authorization_code,\n            codeVerifier: grant.code_verifier,\n            now,\n          });\n\n          await options.tokenStore?.save(tokens);\n          return tokens;\n        }\n\n        if (poll.status !== 403 && poll.status !== 404) {\n          throw new OpenAIOAuthError('auth_failed', 'OpenAI OAuth authorization failed.');\n        }\n\n        await sleep(intervalMs + POLL_BUFFER_MS);\n      }\n    },\n  };\n}\n\nasync function exchangeAuthorizationCode({\n  fetch,\n  issuer,\n  clientId,\n  authorizationCode,\n  codeVerifier,\n  now,\n}: {\n  fetch: FetchLike;\n  issuer: string;\n  clientId: string;\n  authorizationCode: string;\n  codeVerifier: string;\n  now: () => number;\n}): Promise<OpenAIOAuthTokens> {\n  const response = await fetch(`${issuer}/oauth/token`, {\n    method: 'POST',\n    headers: {\n      'Content-Type': 'application/x-www-form-urlencoded',\n    },\n    body: new URLSearchParams({\n      grant_type: 'authorization_code',\n      code: authorizationCode,\n      redirect_uri: `${issuer}/deviceauth/callback`,\n      client_id: clientId,\n      code_verifier: codeVerifier,\n    }).toString(),\n  });\n\n  if (!response.ok) {\n    throw new OpenAIOAuthError('auth_failed', 'OpenAI token exchange failed.');\n  }\n\n  const token = (await response.json()) as {\n    refresh_token?: string;\n    access_token?: string;\n    id_token?: string;\n    expires_in?: number;\n  };\n\n  if (!token.access_token) {\n    throw new OpenAIOAuthError('auth_failed', 'OpenAI token exchange did not return an access token.');\n  }\n\n  return {\n    refreshToken: token.refresh_token,\n    accessToken: token.access_token,\n    idToken: token.id_token,\n    expiresAt: now() + (token.expires_in ?? 3600) * 1000,\n    accountId: deriveAccountId(token.id_token, token.access_token),\n  };\n}\n\n/**\n * Refresh OpenAI OAuth credentials with a refresh token.\n *\n * Returns `undefined` when refresh is not possible or the server rejects the\n * refresh request. Callers should treat expired credentials as unusable when\n * this returns `undefined`.\n */\nexport async function refreshOpenAITokens({\n  tokens,\n  fetch,\n  clientId = DEFAULT_CLIENT_ID,\n  issuer = DEFAULT_ISSUER,\n  tokenUrl,\n  now = () => Date.now(),\n}: {\n  tokens: OpenAIOAuthTokens;\n  fetch: FetchLike;\n  clientId?: string;\n  issuer?: string;\n  tokenUrl?: string;\n  now?: () => number;\n}): Promise<OpenAIOAuthTokens | undefined> {\n  if (!tokens.refreshToken) {\n    return undefined;\n  }\n\n  const resolvedIssuer = issuer.replace(/\\/$/, '');\n  const response = await fetch(tokenUrl ?? `${resolvedIssuer}/oauth/token`, {\n    method: 'POST',\n    headers: {\n      'Content-Type': 'application/x-www-form-urlencoded',\n    },\n    body: new URLSearchParams({\n      grant_type: 'refresh_token',\n      refresh_token: tokens.refreshToken,\n      client_id: clientId,\n      scope: 'openid profile email offline_access',\n    }).toString(),\n  });\n\n  if (!response.ok) {\n    return undefined;\n  }\n\n  const payload = (await response.json()) as {\n    access_token?: string;\n    refresh_token?: string;\n    id_token?: string;\n    expires_in?: number;\n  };\n\n  if (!payload.access_token) {\n    return undefined;\n  }\n\n  const next: OpenAIOAuthTokens = {\n    accessToken: payload.access_token,\n    refreshToken: payload.refresh_token ?? tokens.refreshToken,\n    idToken: payload.id_token ?? tokens.idToken,\n    expiresAt: now() + (payload.expires_in ?? 3600) * 1000,\n  };\n  next.accountId = deriveAccountId(next.idToken, next.accessToken) ?? tokens.accountId;\n\n  return next;\n}\n\nexport { DEFAULT_CLIENT_ID, DEFAULT_ISSUER };\n","/**\n * @file memory-token-store.ts\n *\n * In-memory token storage implementation.\n * Useful for testing and short-lived processes that don't need\n * persistent token storage.\n */\n\nimport type { OpenAIOAuthTokens, TokenStore } from './types';\n\n/**\n * Create an in-memory token store.\n *\n * This is useful for tests and short-lived scripts. It does not persist tokens\n * across process restarts.\n */\nexport function createMemoryTokenStore(initial?: OpenAIOAuthTokens): TokenStore {\n  let current = initial;\n\n  return {\n    async load() {\n      return current;\n    },\n    async save(tokens) {\n      current = tokens;\n    },\n  };\n}\n","/**\n * @file codex-fetch.ts\n *\n * Core module that provides the fetch wrapper for authenticated Codex requests.\n * This is the main entry point for making OAuth-authenticated requests to\n * the OpenAI Codex backend.\n *\n * Key features:\n * - Automatic token management and refresh before expiry\n * - Request/response normalization for Codex API compatibility\n * - Browser proxy URL resolution for cross-origin requests\n * - Account ID derivation from JWT claims\n */\n\nimport { refreshOpenAITokens } from './device-flow';\nimport { deriveAccountId, deriveExpiresAt } from './jwt';\nimport { createMemoryTokenStore } from './memory-token-store';\nimport type { FetchLike, OpenAIOAuthSettings, OpenAIOAuthTokens, TokenStore } from './types';\nimport { OpenAIOAuthError } from './types';\n\n/** Default OpenAI Codex backend base URL. */\nexport const DEFAULT_CODEX_BASE_URL = 'https://chatgpt.com/backend-api/codex';\n/** Default proxy base path when running in a browser environment. */\nconst DEFAULT_BROWSER_PROXY_BASE_URL = '/api/proxy/openai/codex';\n/** Default time (5 minutes) before expiry to trigger token refresh. */\nconst DEFAULT_REFRESH_MARGIN_MS = 5 * 60 * 1000;\n/** Default empty instructions value for Responses API requests. */\nconst DEFAULT_INSTRUCTIONS = '';\n/** Default originator header value identifying this library. */\nconst DEFAULT_ORIGINATOR = 'openai-codex-oauth';\n\n/**\n * Parsed request components used internally for request transformation.\n */\ntype RequestParts = {\n  url: string;\n  method?: string;\n  headers: Headers;\n  body?: BodyInit | null;\n  signal?: AbortSignal | null;\n};\n\n/**\n * Resolves the fetch function to use for OAuth and Codex requests.\n * Prefers a custom fetch if provided, falls back to globalThis.fetch.\n */\nfunction pickFetch(customFetch?: FetchLike): FetchLike {\n  if (typeof customFetch === 'function') {\n    return customFetch;\n  }\n\n  if (typeof globalThis.fetch === 'function') {\n    return globalThis.fetch.bind(globalThis);\n  }\n\n  throw new OpenAIOAuthError('fetch_required', 'A fetch implementation is required for OpenAI OAuth.');\n}\n\n/** Removes trailing slash from a URL string for consistent handling. */\nfunction withoutTrailingSlash(value: string): string {\n  return value.replace(/\\/$/, '');\n}\n\n/** Resolves the base URL for Codex requests, defaulting to the official endpoint. */\nfunction resolveBaseURL(baseURL?: string): string {\n  return withoutTrailingSlash(baseURL ?? DEFAULT_CODEX_BASE_URL);\n}\n\n/**\n * Creates a token store based on provided settings.\n * Prefers explicit tokenStore, then inline tokens, then throws an error.\n */\nfunction createStore(settings: OpenAIOAuthSettings): TokenStore {\n  if (settings.tokenStore) {\n    return settings.tokenStore;\n  }\n\n  if (settings.tokens) {\n    return createMemoryTokenStore(settings.tokens);\n  }\n\n  throw new OpenAIOAuthError(\n    'tokens_required',\n    'OpenAI OAuth tokens are required. Pass `tokens`, `tokenStore`, or use `createCodexAuthFileStore` from `@tolksyn/openai-oauth/node`.',\n  );\n}\n\n/**\n * Determines whether a token needs refresh based on expiry time.\n * Considers the marginMs parameter to refresh proactively before actual expiry.\n */\nfunction needsRefresh(tokens: OpenAIOAuthTokens, now: number, marginMs: number): boolean {\n  const expiresAt = tokens.expiresAt ?? deriveExpiresAt(tokens.accessToken);\n  if (!tokens.accessToken) {\n    return true;\n  }\n\n  if (expiresAt == null || expiresAt <= 0) {\n    return false;\n  }\n\n  return expiresAt <= now + marginMs;\n}\n\n/**\n * Checks if a token has already expired based on current time.\n */\nfunction hasExpired(tokens: OpenAIOAuthTokens, now: number): boolean {\n  const expiresAt = tokens.expiresAt ?? deriveExpiresAt(tokens.accessToken);\n  return expiresAt != null && expiresAt > 0 && expiresAt <= now;\n}\n\n/**\n * Manages OAuth token lifecycle including loading, caching, refresh, and validation.\n * Uses a promise coalescing pattern to handle concurrent token requests efficiently.\n */\nclass TokenManager {\n  /** Promise for an in-flight token refresh to coalesce concurrent requests. */\n  private inflight?: Promise<OpenAIOAuthTokens>;\n  /** Cached current tokens to avoid redundant store loads. */\n  private current?: OpenAIOAuthTokens;\n\n  constructor(\n    private readonly settings: OpenAIOAuthSettings,\n    private readonly store: TokenStore,\n    private readonly fetch: FetchLike,\n  ) {}\n\n  /**\n   * Gets valid OAuth tokens, triggering refresh if needed.\n   * Coalesces concurrent requests to avoid duplicate refresh calls.\n   */\n  async get(): Promise<OpenAIOAuthTokens> {\n    if (this.inflight) {\n      return this.inflight;\n    }\n\n    this.inflight = this.loadFresh()\n      .then((tokens) => {\n        this.current = tokens;\n        this.inflight = undefined;\n        return tokens;\n      })\n      .catch((error) => {\n        this.inflight = undefined;\n        throw error;\n      });\n\n    return this.inflight;\n  }\n\n  /**\n   * Loads fresh tokens, optionally refreshing if expired or near expiry.\n   * Derives account ID from JWT claims if not explicitly provided.\n   */\n  private async loadFresh(): Promise<OpenAIOAuthTokens> {\n    let tokens = this.current ?? (await this.store.load());\n    if (!tokens?.accessToken) {\n      throw new OpenAIOAuthError('auth_failed', 'OpenAI OAuth access token is missing.');\n    }\n\n    const now = this.settings.now?.() ?? Date.now();\n    const refreshMarginMs = this.settings.refreshMarginMs ?? DEFAULT_REFRESH_MARGIN_MS;\n\n    if (needsRefresh(tokens, now, refreshMarginMs)) {\n      const refreshed = await refreshOpenAITokens({\n        tokens,\n        fetch: this.fetch,\n        clientId: this.settings.clientId,\n        issuer: this.settings.issuer,\n        tokenUrl: this.settings.tokenUrl,\n        now: this.settings.now,\n      });\n\n      if (refreshed) {\n        tokens = refreshed;\n        await this.store.save(tokens);\n        await this.settings.onTokens?.(tokens);\n      } else if (hasExpired(tokens, now)) {\n        throw new OpenAIOAuthError('auth_failed', 'OpenAI OAuth access token expired and refresh failed.');\n      }\n    }\n\n    const accountId = tokens.accountId ?? deriveAccountId(tokens.idToken, tokens.accessToken);\n    if (!accountId) {\n      throw new OpenAIOAuthError(\n        'account_id_missing',\n        'OpenAI OAuth account id is missing. Store `accountId` with the tokens or include an id_token with the ChatGPT account claim.',\n      );\n    }\n\n    return {\n      ...tokens,\n      accountId,\n    };\n  }\n}\n\n/**\n * Resolves a target URL relative to the Codex base URL.\n * Handles path rewriting from `/v1/responses` to Codex backend paths.\n */\nfunction resolveTargetUrl(input: string, baseURL: string): string {\n  const base = new URL(baseURL);\n  const parsed = /^https?:\\/\\//.test(input) ? new URL(input) : new URL(input, 'https://codex.invalid');\n  let pathname = parsed.pathname;\n  const basePath = withoutTrailingSlash(base.pathname);\n\n  if (pathname === basePath) {\n    pathname = '/';\n  } else if (basePath && pathname.startsWith(`${basePath}/`)) {\n    pathname = pathname.slice(basePath.length);\n  }\n\n  if (pathname === '/v1') {\n    pathname = '/';\n  } else if (pathname.startsWith('/v1/')) {\n    pathname = pathname.slice(3);\n  }\n\n  if (!pathname.startsWith('/')) {\n    pathname = `/${pathname}`;\n  }\n\n  return `${base.origin}${basePath}${pathname}${parsed.search}`;\n}\n\n/**\n * Detects the browser's origin from window.location if available.\n * Returns undefined in non-browser environments.\n */\nfunction browserOrigin(): string | undefined {\n  const maybeWindow = (globalThis as { window?: { location?: { origin?: string } } }).window;\n  return typeof maybeWindow?.location?.origin === 'string' ? maybeWindow.location.origin.replace(/\\/$/, '') : undefined;\n}\n\n/**\n * Resolves a proxy URL for browser environments to handle cross-origin requests.\n * When running in a browser, direct Codex requests may fail CORS, so we proxy\n * through a local path that forwards to the Codex backend.\n */\nfunction resolveBrowserProxyUrl(target: URL, baseURL: string, settings: OpenAIOAuthSettings): string | undefined {\n  const origin = browserOrigin();\n  if (!origin || settings.browserProxyBaseUrl === false) {\n    return undefined;\n  }\n\n  const proxyBase = settings.browserProxyBaseUrl ?? DEFAULT_BROWSER_PROXY_BASE_URL;\n  const absoluteProxyBase = /^https?:\\/\\//.test(proxyBase) ? proxyBase.replace(/\\/$/, '') : `${origin}${proxyBase.startsWith('/') ? '' : '/'}${proxyBase}`.replace(/\\/$/, '');\n  const upstreamBasePath = withoutTrailingSlash(new URL(baseURL).pathname);\n  let pathname = target.pathname;\n\n  if (upstreamBasePath && pathname.startsWith(`${upstreamBasePath}/`)) {\n    pathname = pathname.slice(upstreamBasePath.length);\n  }\n\n  return `${absoluteProxyBase}${pathname}${target.search}`;\n}\n\n/**\n * Parses a fetch input (Request or URL string) into structured request parts.\n * Handles merging of Request defaults with optional init overrides.\n */\nasync function readRequestParts(input: Parameters<FetchLike>[0], init?: Parameters<FetchLike>[1]): Promise<RequestParts> {\n  if (input instanceof Request) {\n    const headers = new Headers(input.headers);\n    if (init?.headers) {\n      new Headers(init.headers).forEach((value, key) => headers.set(key, value));\n    }\n\n    return {\n      url: input.url,\n      method: init?.method ?? input.method,\n      headers,\n      body: init?.body ?? (input.body == null ? undefined : await input.clone().text()),\n      signal: init?.signal ?? input.signal,\n    };\n  }\n\n  return {\n    url: String(input),\n    method: init?.method,\n    headers: new Headers(init?.headers),\n    body: init?.body,\n    signal: init?.signal,\n  };\n}\n\n/**\n * Attempts to decode a request body to a string for JSON parsing.\n * Supports string, Blob, and ArrayBuffer types; returns undefined for\n * types that cannot be meaningfully decoded (FormData, ReadableStream, etc.)\n */\nasync function decodeBody(body: BodyInit | null | undefined): Promise<string | undefined> {\n  if (body == null) {\n    return undefined;\n  }\n\n  if (typeof body === 'string') {\n    return body;\n  }\n\n  if (body instanceof URLSearchParams || body instanceof FormData || body instanceof ReadableStream) {\n    return undefined;\n  }\n\n  if (body instanceof Blob) {\n    return body.text();\n  }\n\n  if (body instanceof ArrayBuffer) {\n    return new TextDecoder().decode(body);\n  }\n\n  if (ArrayBuffer.isView(body)) {\n    return new TextDecoder().decode(body);\n  }\n\n  return undefined;\n}\n\n/**\n * Normalize an OpenAI Responses request body for the Codex backend.\n *\n * Codex expects requests to be stateless by default, so `store` defaults to\n * `false`. Unsupported `max_output_tokens` is removed.\n */\nexport function normalizeCodexResponsesBody(\n  body: Record<string, unknown>,\n  options: Pick<OpenAIOAuthSettings, 'instructions' | 'store'> = {},\n): Record<string, unknown> {\n  const normalized = { ...body };\n\n  if (typeof normalized.instructions !== 'string') {\n    normalized.instructions = options.instructions ?? DEFAULT_INSTRUCTIONS;\n  }\n\n  if (normalized.store === undefined) {\n    normalized.store = options.store ?? false;\n  }\n\n  delete normalized.max_output_tokens;\n\n  return normalized;\n}\n\n/**\n * Prepares the request body for Codex /responses endpoints.\n * Normalizes JSON bodies to ensure Codex-compatible request format.\n */\nasync function prepareBody(pathname: string, headers: Headers, body: BodyInit | null | undefined, settings: OpenAIOAuthSettings) {\n  if (!pathname.endsWith('/responses')) {\n    return body;\n  }\n\n  const contentType = headers.get('content-type');\n  if (contentType && !contentType.includes('application/json')) {\n    return body;\n  }\n\n  const bodyText = await decodeBody(body);\n  if (typeof bodyText !== 'string') {\n    return body;\n  }\n\n  try {\n    const parsed = JSON.parse(bodyText) as unknown;\n    if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {\n      return body;\n    }\n\n    return JSON.stringify(normalizeCodexResponsesBody(parsed as Record<string, unknown>, settings));\n  } catch {\n    return body;\n  }\n}\n\n/**\n * Create a fetch implementation that authenticates OpenAI Responses requests\n * with Codex OAuth credentials.\n *\n * The returned function rewrites `/v1/responses` requests to the Codex backend,\n * injects `Authorization` and `ChatGPT-Account-Id`, and refreshes credentials\n * before expiry when a refresh token is available.\n */\nexport function createCodexOAuthFetch(settings: OpenAIOAuthSettings = {}): FetchLike {\n  const fetch = pickFetch(settings.fetch);\n  const store = createStore(settings);\n  const manager = new TokenManager(settings, store, fetch);\n  const baseURL = resolveBaseURL(settings.baseURL);\n\n  return async (input, init) => {\n    const request = await readRequestParts(input, init);\n    const targetUrl = resolveTargetUrl(request.url, baseURL);\n    const target = new URL(targetUrl);\n    const tokens = await manager.get();\n    const headers = new Headers(settings.headers);\n\n    request.headers.forEach((value, key) => headers.set(key, value));\n    headers.delete('authorization');\n    headers.delete('chatgpt-account-id');\n    headers.delete('openai-beta');\n\n    headers.set('Authorization', `Bearer ${tokens.accessToken}`);\n    headers.set('ChatGPT-Account-Id', tokens.accountId!);\n    headers.set('OpenAI-Beta', 'responses=experimental');\n\n    if (settings.originator !== false && !headers.has('originator')) {\n      headers.set('originator', settings.originator ?? DEFAULT_ORIGINATOR);\n    }\n\n    const body = await prepareBody(target.pathname, headers, request.body, settings);\n\n    return fetch(resolveBrowserProxyUrl(target, baseURL, settings) ?? target.toString(), {\n      method: request.method ?? init?.method,\n      headers,\n      body,\n      signal: request.signal ?? undefined,\n    });\n  };\n}\n\n/** Create a small Codex client around `createCodexOAuthFetch`. */\nexport function createCodexOAuthClient(settings: OpenAIOAuthSettings = {}) {\n  const baseURL = resolveBaseURL(settings.baseURL);\n  const fetch = createCodexOAuthFetch(settings);\n\n  return {\n    baseURL,\n    fetch,\n    request: (path: string, init?: RequestInit) => fetch(resolveTargetUrl(path, baseURL), init),\n  };\n}\n","/**\n * @file proxy.ts\n *\n * Server-side request handlers for proxying OpenAI Codex OAuth requests.\n * This module provides framework-agnostic handlers that can be used in\n * various server environments (Node.js, Deno, Cloudflare Workers, etc.)\n * to enable browser clients to make authenticated Codex requests.\n *\n * The proxy validates OAuth credentials (Authorization header and account ID),\n * rewrites requests to the Codex backend, and passes through responses.\n */\n\nimport { DEFAULT_CODEX_BASE_URL, normalizeCodexResponsesBody } from './codex-fetch';\nimport type { FetchLike, OpenAIOAuthSettings } from './types';\n\nexport type OpenAIOAuthProxyOptions = Pick<OpenAIOAuthSettings, 'instructions' | 'originator' | 'store'> & {\n  fetch?: FetchLike;\n  baseURL?: string;\n};\n\n/**\n * Resolves the fetch function to use for upstream requests.\n * Prefers a custom fetch if provided, falls back to globalThis.fetch,\n * and throws if neither is available.\n */\nfunction pickFetch(customFetch?: FetchLike): FetchLike {\n  if (typeof customFetch === 'function') return customFetch;\n  if (typeof globalThis.fetch === 'function') return globalThis.fetch.bind(globalThis);\n  throw new Error('A fetch implementation is required for OpenAI Codex proxy handlers.');\n}\n\n/**\n * Creates a Response with no-store cache control header.\n * Used for error responses to prevent caching.\n */\nfunction noStoreText(text: string, status: number): Response {\n  return new Response(text, {\n    status,\n    headers: {\n      'Content-Type': 'text/plain; charset=utf-8',\n      'Cache-Control': 'no-store',\n    },\n  });\n}\n\n/**\n * Extracts and optionally normalizes the request body.\n * For JSON bodies, normalizes Codex-specific fields like instructions and store.\n */\nasync function requestBody(request: Request, options: OpenAIOAuthProxyOptions): Promise<string> {\n  const text = await request.text();\n  if (!text.trim()) return text;\n\n  try {\n    const parsed = JSON.parse(text) as unknown;\n    if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) return text;\n    return JSON.stringify(normalizeCodexResponsesBody(parsed as Record<string, unknown>, options));\n  } catch {\n    return text;\n  }\n}\n\n/** Create framework-agnostic server handlers for browser-safe Codex OAuth proxying. */\nexport function createOpenAIOAuthProxy(options: OpenAIOAuthProxyOptions = {}) {\n  const fetch = pickFetch(options.fetch);\n  const baseURL = (options.baseURL ?? DEFAULT_CODEX_BASE_URL).replace(/\\/$/, '');\n\n  return {\n    async responses(request: Request): Promise<Response> {\n      const authorization = request.headers.get('authorization') ?? '';\n      const accountId = request.headers.get('chatgpt-account-id') ?? '';\n      if (!authorization.trim() || !accountId.trim()) {\n        return noStoreText('Missing OpenAI OAuth credentials.', 401);\n      }\n\n      const upstream = await fetch(`${baseURL}/responses${new URL(request.url).search}`, {\n        method: 'POST',\n        headers: {\n          'Content-Type': 'application/json',\n          Authorization: authorization,\n          'ChatGPT-Account-Id': accountId,\n          'OpenAI-Beta': 'responses=experimental',\n          ...(options.originator === false ? {} : { originator: options.originator ?? 'openai-codex-oauth' }),\n        },\n        body: await requestBody(request, options),\n      });\n\n      return new Response(await upstream.text(), {\n        status: upstream.status,\n        headers: {\n          'Content-Type': upstream.headers.get('Content-Type') ?? 'application/json',\n          'Cache-Control': 'no-store',\n        },\n      });\n    },\n  };\n}\n"],"mappings":";;;;;;AA6GO,IAAM,mBAAN,cAA+B,MAAM;AAAA,EACjC;AAAA,EAET,YAAY,MAAc,SAAiB,SAAwB;AACjE,UAAM,SAAS,OAAO;AACtB,SAAK,OAAO;AACZ,SAAK,OAAO;AAAA,EACd;AACF;;;AClGA,IAAM,oBAAoB;AAE1B,IAAM,iBAAiB;AAEvB,IAAM,iBAAiB;AAKvB,SAAS,UAAU,aAAoC;AACrD,MAAI,OAAO,gBAAgB,YAAY;AACrC,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,WAAW,UAAU,YAAY;AAC1C,WAAO,WAAW,MAAM,KAAK,UAAU;AAAA,EACzC;AAEA,QAAM,IAAI,iBAAiB,kBAAkB,sDAAsD;AACrG;AASA,eAAsB,sBAAsB,UAAmC,CAAC,GAA8B;AAC5G,QAAM,QAAQ,UAAU,QAAQ,KAAK;AACrC,QAAM,UAAU,QAAQ,UAAU,gBAAgB,QAAQ,OAAO,EAAE;AACnE,QAAM,WAAW,QAAQ,YAAY;AACrC,QAAM,MAAM,QAAQ,QAAQ,MAAM,KAAK,IAAI;AAC3C,QAAM,QAAQ,QAAQ,UAAU,CAAC,OAAe,IAAI,QAAc,CAAC,YAAY,WAAW,SAAS,EAAE,CAAC;AAEtG,QAAM,eAAe,MAAM,MAAM,GAAG,MAAM,qCAAqC;AAAA,IAC7E,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,gBAAgB;AAAA,IAClB;AAAA,IACA,MAAM,KAAK,UAAU,EAAE,WAAW,SAAS,CAAC;AAAA,EAC9C,CAAC;AAED,MAAI,CAAC,aAAa,IAAI;AACpB,UAAM,IAAI,iBAAiB,eAAe,0CAA0C;AAAA,EACtF;AAEA,QAAM,SAAU,MAAM,aAAa,KAAK;AAMxC,MAAI,CAAC,OAAO,kBAAkB,CAAC,OAAO,WAAW;AAC/C,UAAM,IAAI,iBAAiB,eAAe,8DAA8D;AAAA,EAC1G;AAEA,QAAM,kBAAkB,OAAO,OAAO,aAAa,WAAW,OAAO,WAAW,SAAS,OAAO,YAAY,KAAK,EAAE;AACnH,QAAM,aAAa,KAAK,IAAI,OAAO,SAAS,eAAe,IAAI,kBAAkB,GAAG,CAAC,IAAI;AAEzF,SAAO;AAAA,IACL,YAAY;AAAA,IACZ,KAAK,GAAG,MAAM;AAAA,IACd,MAAM,OAAO;AAAA,IACb,cAAc,eAAe,OAAO,SAAS;AAAA,IAC7C,MAAM,WAAW;AACf,aAAO,MAAM;AACX,cAAM,OAAO,MAAM,MAAM,GAAG,MAAM,kCAAkC;AAAA,UAClE,QAAQ;AAAA,UACR,SAAS;AAAA,YACP,gBAAgB;AAAA,UAClB;AAAA,UACA,MAAM,KAAK,UAAU;AAAA,YACnB,gBAAgB,OAAO;AAAA,YACvB,WAAW,OAAO;AAAA,UACpB,CAAC;AAAA,QACH,CAAC;AAED,YAAI,KAAK,IAAI;AACX,gBAAM,QAAS,MAAM,KAAK,KAAK;AAK/B,cAAI,CAAC,MAAM,sBAAsB,CAAC,MAAM,eAAe;AACrD,kBAAM,IAAI,iBAAiB,eAAe,4CAA4C;AAAA,UACxF;AAEA,gBAAM,SAAS,MAAM,0BAA0B;AAAA,YAC7C;AAAA,YACA;AAAA,YACA;AAAA,YACA,mBAAmB,MAAM;AAAA,YACzB,cAAc,MAAM;AAAA,YACpB;AAAA,UACF,CAAC;AAED,gBAAM,QAAQ,YAAY,KAAK,MAAM;AACrC,iBAAO;AAAA,QACT;AAEA,YAAI,KAAK,WAAW,OAAO,KAAK,WAAW,KAAK;AAC9C,gBAAM,IAAI,iBAAiB,eAAe,oCAAoC;AAAA,QAChF;AAEA,cAAM,MAAM,aAAa,cAAc;AAAA,MACzC;AAAA,IACF;AAAA,EACF;AACF;AAEA,eAAe,0BAA0B;AAAA,EACvC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,GAO+B;AAC7B,QAAM,WAAW,MAAM,MAAM,GAAG,MAAM,gBAAgB;AAAA,IACpD,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,gBAAgB;AAAA,IAClB;AAAA,IACA,MAAM,IAAI,gBAAgB;AAAA,MACxB,YAAY;AAAA,MACZ,MAAM;AAAA,MACN,cAAc,GAAG,MAAM;AAAA,MACvB,WAAW;AAAA,MACX,eAAe;AAAA,IACjB,CAAC,EAAE,SAAS;AAAA,EACd,CAAC;AAED,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,IAAI,iBAAiB,eAAe,+BAA+B;AAAA,EAC3E;AAEA,QAAM,QAAS,MAAM,SAAS,KAAK;AAOnC,MAAI,CAAC,MAAM,cAAc;AACvB,UAAM,IAAI,iBAAiB,eAAe,uDAAuD;AAAA,EACnG;AAEA,SAAO;AAAA,IACL,cAAc,MAAM;AAAA,IACpB,aAAa,MAAM;AAAA,IACnB,SAAS,MAAM;AAAA,IACf,WAAW,IAAI,KAAK,MAAM,cAAc,QAAQ;AAAA,IAChD,WAAW,gBAAgB,MAAM,UAAU,MAAM,YAAY;AAAA,EAC/D;AACF;AASA,eAAsB,oBAAoB;AAAA,EACxC;AAAA,EACA;AAAA,EACA,WAAW;AAAA,EACX,SAAS;AAAA,EACT;AAAA,EACA,MAAM,MAAM,KAAK,IAAI;AACvB,GAO2C;AACzC,MAAI,CAAC,OAAO,cAAc;AACxB,WAAO;AAAA,EACT;AAEA,QAAM,iBAAiB,OAAO,QAAQ,OAAO,EAAE;AAC/C,QAAM,WAAW,MAAM,MAAM,YAAY,GAAG,cAAc,gBAAgB;AAAA,IACxE,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,gBAAgB;AAAA,IAClB;AAAA,IACA,MAAM,IAAI,gBAAgB;AAAA,MACxB,YAAY;AAAA,MACZ,eAAe,OAAO;AAAA,MACtB,WAAW;AAAA,MACX,OAAO;AAAA,IACT,CAAC,EAAE,SAAS;AAAA,EACd,CAAC;AAED,MAAI,CAAC,SAAS,IAAI;AAChB,WAAO;AAAA,EACT;AAEA,QAAM,UAAW,MAAM,SAAS,KAAK;AAOrC,MAAI,CAAC,QAAQ,cAAc;AACzB,WAAO;AAAA,EACT;AAEA,QAAM,OAA0B;AAAA,IAC9B,aAAa,QAAQ;AAAA,IACrB,cAAc,QAAQ,iBAAiB,OAAO;AAAA,IAC9C,SAAS,QAAQ,YAAY,OAAO;AAAA,IACpC,WAAW,IAAI,KAAK,QAAQ,cAAc,QAAQ;AAAA,EACpD;AACA,OAAK,YAAY,gBAAgB,KAAK,SAAS,KAAK,WAAW,KAAK,OAAO;AAE3E,SAAO;AACT;;;ACvOO,SAAS,uBAAuB,SAAyC;AAC9E,MAAI,UAAU;AAEd,SAAO;AAAA,IACL,MAAM,OAAO;AACX,aAAO;AAAA,IACT;AAAA,IACA,MAAM,KAAK,QAAQ;AACjB,gBAAU;AAAA,IACZ;AAAA,EACF;AACF;;;ACNO,IAAM,yBAAyB;AAEtC,IAAM,iCAAiC;AAEvC,IAAM,4BAA4B,IAAI,KAAK;AAE3C,IAAM,uBAAuB;AAE7B,IAAM,qBAAqB;AAiB3B,SAASA,WAAU,aAAoC;AACrD,MAAI,OAAO,gBAAgB,YAAY;AACrC,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,WAAW,UAAU,YAAY;AAC1C,WAAO,WAAW,MAAM,KAAK,UAAU;AAAA,EACzC;AAEA,QAAM,IAAI,iBAAiB,kBAAkB,sDAAsD;AACrG;AAGA,SAAS,qBAAqB,OAAuB;AACnD,SAAO,MAAM,QAAQ,OAAO,EAAE;AAChC;AAGA,SAAS,eAAe,SAA0B;AAChD,SAAO,qBAAqB,WAAW,sBAAsB;AAC/D;AAMA,SAAS,YAAY,UAA2C;AAC9D,MAAI,SAAS,YAAY;AACvB,WAAO,SAAS;AAAA,EAClB;AAEA,MAAI,SAAS,QAAQ;AACnB,WAAO,uBAAuB,SAAS,MAAM;AAAA,EAC/C;AAEA,QAAM,IAAI;AAAA,IACR;AAAA,IACA;AAAA,EACF;AACF;AAMA,SAAS,aAAa,QAA2B,KAAa,UAA2B;AACvF,QAAM,YAAY,OAAO,aAAa,gBAAgB,OAAO,WAAW;AACxE,MAAI,CAAC,OAAO,aAAa;AACvB,WAAO;AAAA,EACT;AAEA,MAAI,aAAa,QAAQ,aAAa,GAAG;AACvC,WAAO;AAAA,EACT;AAEA,SAAO,aAAa,MAAM;AAC5B;AAKA,SAAS,WAAW,QAA2B,KAAsB;AACnE,QAAM,YAAY,OAAO,aAAa,gBAAgB,OAAO,WAAW;AACxE,SAAO,aAAa,QAAQ,YAAY,KAAK,aAAa;AAC5D;AAMA,IAAM,eAAN,MAAmB;AAAA,EAMjB,YACmB,UACA,OACA,OACjB;AAHiB;AACA;AACA;AAAA,EAChB;AAAA,EAHgB;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAPX;AAAA;AAAA,EAEA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYR,MAAM,MAAkC;AACtC,QAAI,KAAK,UAAU;AACjB,aAAO,KAAK;AAAA,IACd;AAEA,SAAK,WAAW,KAAK,UAAU,EAC5B,KAAK,CAAC,WAAW;AAChB,WAAK,UAAU;AACf,WAAK,WAAW;AAChB,aAAO;AAAA,IACT,CAAC,EACA,MAAM,CAAC,UAAU;AAChB,WAAK,WAAW;AAChB,YAAM;AAAA,IACR,CAAC;AAEH,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,YAAwC;AACpD,QAAI,SAAS,KAAK,WAAY,MAAM,KAAK,MAAM,KAAK;AACpD,QAAI,CAAC,QAAQ,aAAa;AACxB,YAAM,IAAI,iBAAiB,eAAe,uCAAuC;AAAA,IACnF;AAEA,UAAM,MAAM,KAAK,SAAS,MAAM,KAAK,KAAK,IAAI;AAC9C,UAAM,kBAAkB,KAAK,SAAS,mBAAmB;AAEzD,QAAI,aAAa,QAAQ,KAAK,eAAe,GAAG;AAC9C,YAAM,YAAY,MAAM,oBAAoB;AAAA,QAC1C;AAAA,QACA,OAAO,KAAK;AAAA,QACZ,UAAU,KAAK,SAAS;AAAA,QACxB,QAAQ,KAAK,SAAS;AAAA,QACtB,UAAU,KAAK,SAAS;AAAA,QACxB,KAAK,KAAK,SAAS;AAAA,MACrB,CAAC;AAED,UAAI,WAAW;AACb,iBAAS;AACT,cAAM,KAAK,MAAM,KAAK,MAAM;AAC5B,cAAM,KAAK,SAAS,WAAW,MAAM;AAAA,MACvC,WAAW,WAAW,QAAQ,GAAG,GAAG;AAClC,cAAM,IAAI,iBAAiB,eAAe,uDAAuD;AAAA,MACnG;AAAA,IACF;AAEA,UAAM,YAAY,OAAO,aAAa,gBAAgB,OAAO,SAAS,OAAO,WAAW;AACxF,QAAI,CAAC,WAAW;AACd,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,MACL,GAAG;AAAA,MACH;AAAA,IACF;AAAA,EACF;AACF;AAMA,SAAS,iBAAiB,OAAe,SAAyB;AAChE,QAAM,OAAO,IAAI,IAAI,OAAO;AAC5B,QAAM,SAAS,eAAe,KAAK,KAAK,IAAI,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,OAAO,uBAAuB;AACnG,MAAI,WAAW,OAAO;AACtB,QAAM,WAAW,qBAAqB,KAAK,QAAQ;AAEnD,MAAI,aAAa,UAAU;AACzB,eAAW;AAAA,EACb,WAAW,YAAY,SAAS,WAAW,GAAG,QAAQ,GAAG,GAAG;AAC1D,eAAW,SAAS,MAAM,SAAS,MAAM;AAAA,EAC3C;AAEA,MAAI,aAAa,OAAO;AACtB,eAAW;AAAA,EACb,WAAW,SAAS,WAAW,MAAM,GAAG;AACtC,eAAW,SAAS,MAAM,CAAC;AAAA,EAC7B;AAEA,MAAI,CAAC,SAAS,WAAW,GAAG,GAAG;AAC7B,eAAW,IAAI,QAAQ;AAAA,EACzB;AAEA,SAAO,GAAG,KAAK,MAAM,GAAG,QAAQ,GAAG,QAAQ,GAAG,OAAO,MAAM;AAC7D;AAMA,SAAS,gBAAoC;AAC3C,QAAM,cAAe,WAA+D;AACpF,SAAO,OAAO,aAAa,UAAU,WAAW,WAAW,YAAY,SAAS,OAAO,QAAQ,OAAO,EAAE,IAAI;AAC9G;AAOA,SAAS,uBAAuB,QAAa,SAAiB,UAAmD;AAC/G,QAAM,SAAS,cAAc;AAC7B,MAAI,CAAC,UAAU,SAAS,wBAAwB,OAAO;AACrD,WAAO;AAAA,EACT;AAEA,QAAM,YAAY,SAAS,uBAAuB;AAClD,QAAM,oBAAoB,eAAe,KAAK,SAAS,IAAI,UAAU,QAAQ,OAAO,EAAE,IAAI,GAAG,MAAM,GAAG,UAAU,WAAW,GAAG,IAAI,KAAK,GAAG,GAAG,SAAS,GAAG,QAAQ,OAAO,EAAE;AAC1K,QAAM,mBAAmB,qBAAqB,IAAI,IAAI,OAAO,EAAE,QAAQ;AACvE,MAAI,WAAW,OAAO;AAEtB,MAAI,oBAAoB,SAAS,WAAW,GAAG,gBAAgB,GAAG,GAAG;AACnE,eAAW,SAAS,MAAM,iBAAiB,MAAM;AAAA,EACnD;AAEA,SAAO,GAAG,iBAAiB,GAAG,QAAQ,GAAG,OAAO,MAAM;AACxD;AAMA,eAAe,iBAAiB,OAAiC,MAAwD;AACvH,MAAI,iBAAiB,SAAS;AAC5B,UAAM,UAAU,IAAI,QAAQ,MAAM,OAAO;AACzC,QAAI,MAAM,SAAS;AACjB,UAAI,QAAQ,KAAK,OAAO,EAAE,QAAQ,CAAC,OAAO,QAAQ,QAAQ,IAAI,KAAK,KAAK,CAAC;AAAA,IAC3E;AAEA,WAAO;AAAA,MACL,KAAK,MAAM;AAAA,MACX,QAAQ,MAAM,UAAU,MAAM;AAAA,MAC9B;AAAA,MACA,MAAM,MAAM,SAAS,MAAM,QAAQ,OAAO,SAAY,MAAM,MAAM,MAAM,EAAE,KAAK;AAAA,MAC/E,QAAQ,MAAM,UAAU,MAAM;AAAA,IAChC;AAAA,EACF;AAEA,SAAO;AAAA,IACL,KAAK,OAAO,KAAK;AAAA,IACjB,QAAQ,MAAM;AAAA,IACd,SAAS,IAAI,QAAQ,MAAM,OAAO;AAAA,IAClC,MAAM,MAAM;AAAA,IACZ,QAAQ,MAAM;AAAA,EAChB;AACF;AAOA,eAAe,WAAW,MAAgE;AACxF,MAAI,QAAQ,MAAM;AAChB,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,SAAS,UAAU;AAC5B,WAAO;AAAA,EACT;AAEA,MAAI,gBAAgB,mBAAmB,gBAAgB,YAAY,gBAAgB,gBAAgB;AACjG,WAAO;AAAA,EACT;AAEA,MAAI,gBAAgB,MAAM;AACxB,WAAO,KAAK,KAAK;AAAA,EACnB;AAEA,MAAI,gBAAgB,aAAa;AAC/B,WAAO,IAAI,YAAY,EAAE,OAAO,IAAI;AAAA,EACtC;AAEA,MAAI,YAAY,OAAO,IAAI,GAAG;AAC5B,WAAO,IAAI,YAAY,EAAE,OAAO,IAAI;AAAA,EACtC;AAEA,SAAO;AACT;AAQO,SAAS,4BACd,MACA,UAA+D,CAAC,GACvC;AACzB,QAAM,aAAa,EAAE,GAAG,KAAK;AAE7B,MAAI,OAAO,WAAW,iBAAiB,UAAU;AAC/C,eAAW,eAAe,QAAQ,gBAAgB;AAAA,EACpD;AAEA,MAAI,WAAW,UAAU,QAAW;AAClC,eAAW,QAAQ,QAAQ,SAAS;AAAA,EACtC;AAEA,SAAO,WAAW;AAElB,SAAO;AACT;AAMA,eAAe,YAAY,UAAkB,SAAkB,MAAmC,UAA+B;AAC/H,MAAI,CAAC,SAAS,SAAS,YAAY,GAAG;AACpC,WAAO;AAAA,EACT;AAEA,QAAM,cAAc,QAAQ,IAAI,cAAc;AAC9C,MAAI,eAAe,CAAC,YAAY,SAAS,kBAAkB,GAAG;AAC5D,WAAO;AAAA,EACT;AAEA,QAAM,WAAW,MAAM,WAAW,IAAI;AACtC,MAAI,OAAO,aAAa,UAAU;AAChC,WAAO;AAAA,EACT;AAEA,MAAI;AACF,UAAM,SAAS,KAAK,MAAM,QAAQ;AAClC,QAAI,OAAO,WAAW,YAAY,WAAW,QAAQ,MAAM,QAAQ,MAAM,GAAG;AAC1E,aAAO;AAAA,IACT;AAEA,WAAO,KAAK,UAAU,4BAA4B,QAAmC,QAAQ,CAAC;AAAA,EAChG,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAUO,SAAS,sBAAsB,WAAgC,CAAC,GAAc;AACnF,QAAM,QAAQA,WAAU,SAAS,KAAK;AACtC,QAAM,QAAQ,YAAY,QAAQ;AAClC,QAAM,UAAU,IAAI,aAAa,UAAU,OAAO,KAAK;AACvD,QAAM,UAAU,eAAe,SAAS,OAAO;AAE/C,SAAO,OAAO,OAAO,SAAS;AAC5B,UAAM,UAAU,MAAM,iBAAiB,OAAO,IAAI;AAClD,UAAM,YAAY,iBAAiB,QAAQ,KAAK,OAAO;AACvD,UAAM,SAAS,IAAI,IAAI,SAAS;AAChC,UAAM,SAAS,MAAM,QAAQ,IAAI;AACjC,UAAM,UAAU,IAAI,QAAQ,SAAS,OAAO;AAE5C,YAAQ,QAAQ,QAAQ,CAAC,OAAO,QAAQ,QAAQ,IAAI,KAAK,KAAK,CAAC;AAC/D,YAAQ,OAAO,eAAe;AAC9B,YAAQ,OAAO,oBAAoB;AACnC,YAAQ,OAAO,aAAa;AAE5B,YAAQ,IAAI,iBAAiB,UAAU,OAAO,WAAW,EAAE;AAC3D,YAAQ,IAAI,sBAAsB,OAAO,SAAU;AACnD,YAAQ,IAAI,eAAe,wBAAwB;AAEnD,QAAI,SAAS,eAAe,SAAS,CAAC,QAAQ,IAAI,YAAY,GAAG;AAC/D,cAAQ,IAAI,cAAc,SAAS,cAAc,kBAAkB;AAAA,IACrE;AAEA,UAAM,OAAO,MAAM,YAAY,OAAO,UAAU,SAAS,QAAQ,MAAM,QAAQ;AAE/E,WAAO,MAAM,uBAAuB,QAAQ,SAAS,QAAQ,KAAK,OAAO,SAAS,GAAG;AAAA,MACnF,QAAQ,QAAQ,UAAU,MAAM;AAAA,MAChC;AAAA,MACA;AAAA,MACA,QAAQ,QAAQ,UAAU;AAAA,IAC5B,CAAC;AAAA,EACH;AACF;AAGO,SAAS,uBAAuB,WAAgC,CAAC,GAAG;AACzE,QAAM,UAAU,eAAe,SAAS,OAAO;AAC/C,QAAM,QAAQ,sBAAsB,QAAQ;AAE5C,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,SAAS,CAAC,MAAc,SAAuB,MAAM,iBAAiB,MAAM,OAAO,GAAG,IAAI;AAAA,EAC5F;AACF;;;ACvZA,SAASC,WAAU,aAAoC;AACrD,MAAI,OAAO,gBAAgB,WAAY,QAAO;AAC9C,MAAI,OAAO,WAAW,UAAU,WAAY,QAAO,WAAW,MAAM,KAAK,UAAU;AACnF,QAAM,IAAI,MAAM,qEAAqE;AACvF;AAMA,SAAS,YAAY,MAAc,QAA0B;AAC3D,SAAO,IAAI,SAAS,MAAM;AAAA,IACxB;AAAA,IACA,SAAS;AAAA,MACP,gBAAgB;AAAA,MAChB,iBAAiB;AAAA,IACnB;AAAA,EACF,CAAC;AACH;AAMA,eAAe,YAAY,SAAkB,SAAmD;AAC9F,QAAM,OAAO,MAAM,QAAQ,KAAK;AAChC,MAAI,CAAC,KAAK,KAAK,EAAG,QAAO;AAEzB,MAAI;AACF,UAAM,SAAS,KAAK,MAAM,IAAI;AAC9B,QAAI,OAAO,WAAW,YAAY,WAAW,QAAQ,MAAM,QAAQ,MAAM,EAAG,QAAO;AACnF,WAAO,KAAK,UAAU,4BAA4B,QAAmC,OAAO,CAAC;AAAA,EAC/F,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAGO,SAAS,uBAAuB,UAAmC,CAAC,GAAG;AAC5E,QAAM,QAAQA,WAAU,QAAQ,KAAK;AACrC,QAAM,WAAW,QAAQ,WAAW,wBAAwB,QAAQ,OAAO,EAAE;AAE7E,SAAO;AAAA,IACL,MAAM,UAAU,SAAqC;AACnD,YAAM,gBAAgB,QAAQ,QAAQ,IAAI,eAAe,KAAK;AAC9D,YAAM,YAAY,QAAQ,QAAQ,IAAI,oBAAoB,KAAK;AAC/D,UAAI,CAAC,cAAc,KAAK,KAAK,CAAC,UAAU,KAAK,GAAG;AAC9C,eAAO,YAAY,qCAAqC,GAAG;AAAA,MAC7D;AAEA,YAAM,WAAW,MAAM,MAAM,GAAG,OAAO,aAAa,IAAI,IAAI,QAAQ,GAAG,EAAE,MAAM,IAAI;AAAA,QACjF,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,eAAe;AAAA,UACf,sBAAsB;AAAA,UACtB,eAAe;AAAA,UACf,GAAI,QAAQ,eAAe,QAAQ,CAAC,IAAI,EAAE,YAAY,QAAQ,cAAc,qBAAqB;AAAA,QACnG;AAAA,QACA,MAAM,MAAM,YAAY,SAAS,OAAO;AAAA,MAC1C,CAAC;AAED,aAAO,IAAI,SAAS,MAAM,SAAS,KAAK,GAAG;AAAA,QACzC,QAAQ,SAAS;AAAA,QACjB,SAAS;AAAA,UACP,gBAAgB,SAAS,QAAQ,IAAI,cAAc,KAAK;AAAA,UACxD,iBAAiB;AAAA,QACnB;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF;AACF;","names":["pickFetch","pickFetch"]}

package/dist/chunk-SCKIRN2D.js

@@ -0,0 +1,58 @@
+// src/jwt.ts
+function decodeBase64Url(value) {
+  try {
+    const base64 = value.replace(/-/g, "+").replace(/_/g, "/");
+    const padded = base64 + "=".repeat((4 - base64.length % 4) % 4);
+    if (typeof globalThis.atob === "function") {
+      const binary = globalThis.atob(padded);
+      const bytes = Uint8Array.from(binary, (char) => char.charCodeAt(0));
+      return new TextDecoder().decode(bytes);
+    }
+    return Buffer.from(padded, "base64").toString("utf8");
+  } catch {
+    return void 0;
+  }
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function parseJwtClaims(token) {
+  if (!token?.includes(".")) {
+    return void 0;
+  }
+  const parts = token.split(".");
+  if (parts.length !== 3 || !parts[1]) {
+    return void 0;
+  }
+  const payload = decodeBase64Url(parts[1]);
+  if (!payload) {
+    return void 0;
+  }
+  try {
+    const parsed = JSON.parse(payload);
+    return isRecord(parsed) ? parsed : void 0;
+  } catch {
+    return void 0;
+  }
+}
+function deriveAccountId(...tokens) {
+  for (const token of tokens) {
+    const claims = parseJwtClaims(token);
+    const auth = claims?.["https://api.openai.com/auth"];
+    if (isRecord(auth) && typeof auth.chatgpt_account_id === "string" && auth.chatgpt_account_id.length > 0) {
+      return auth.chatgpt_account_id;
+    }
+  }
+  return void 0;
+}
+function deriveExpiresAt(token) {
+  const claims = parseJwtClaims(token);
+  return typeof claims?.exp === "number" ? claims.exp * 1e3 : void 0;
+}
+
+export {
+  parseJwtClaims,
+  deriveAccountId,
+  deriveExpiresAt
+};
+//# sourceMappingURL=chunk-SCKIRN2D.js.map