opencode-deepseek-auth 1.0.0

package/.github/workflows/main.yml

@@ -0,0 +1,23 @@
+name: Node.js Package
+
+on:
+  workflow_dispatch: 
+
+jobs:
+  publish-npm:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          registry-url: https://registry.npmjs.org/
+      
+      # BƯỚC QUAN TRỌNG: Phải cài thư viện thì mới build được
+      - run: npm ci
+
+      # Lệnh này sẽ tự động chạy: prepare -> build -> publish
+      - run: npm publish
+        env:
+          NODE_AUTH_TOKEN: ${{secrets.npm_token}}

package/README.md

@@ -0,0 +1,126 @@
+# DeepSeek Authentication Plugin for OpenCode
+
+![License](https://img.shields.io/npm/l/opencode-deepseek-auth)
+![Version](https://img.shields.io/npm/v/opencode-deepseek-auth)
+
+**Authenticate the OpenCode CLI with your DeepSeek account credentials.** This plugin enables
+you to use your existing DeepSeek account directly within OpenCode, bypassing the need for separate API keys.
+
+## Prerequisites
+
+- [OpenCode CLI](https://opencode.ai) installed.
+- A DeepSeek account with access to their service.
+
+## Installation
+
+Add the plugin to your OpenCode configuration file
+(`~/.config/opencode/opencode.json` or similar):
+
+```json
+{
+  "$schema": "https://opencode.ai/config.json",
+  "plugin": ["opencode-deepseek-auth@latest"]
+}
+```
+
+## Usage
+
+1. **Login**: Run the authentication command in your terminal:
+
+   ```bash
+   opencode auth login
+   ```
+
+2. **Select Provider**: Choose **DeepSeek** from the list.
+3. **Authenticate**: Select **Login with DeepSeek Account**.
+   - Enter your email and password when prompted
+   - Your credentials will be stored securely for future use
+
+Once authenticated, OpenCode will use your DeepSeek account for requests.
+
+## Configuration
+
+### Model list
+
+Below are example model entries you can add under `provider.deepseek.models` in your
+OpenCode config. 
+
+**File:** `~/.config/opencode/opencode.json`
+```json
+{
+  "provider": {
+    "deepseek": {
+      "models": {
+        "deepseek-chat": {
+          "displayName": "DeepSeek Chat",
+          "maxTokens": 8192
+        },
+        "deepseek-reasoner": {
+          "displayName": "DeepSeek Reasoner",
+          "maxTokens": 8192
+        }
+      }
+    }
+  }
+}
+```
+
+## Features
+
+- Direct authentication using DeepSeek account credentials (email/password)
+- Secure storage of credentials
+- Automatic token refresh when expired
+- Compatibility with OpenCode's authentication system
+- Free usage through your existing DeepSeek account
+
+## How It Works
+
+The plugin works by:
+1. Authenticating directly with DeepSeek's API using your email and password
+2. Obtaining an access token from DeepSeek
+3. Using this token to make authenticated requests to DeepSeek's API
+4. Managing token lifecycle and refreshing when needed
+
+This approach bypasses the need for separate API keys, letting you use your existing DeepSeek account quota and features.
+
+## Troubleshooting
+
+### Credentials Not Working
+
+- Verify that your email and password are correct
+- Check that your account is active and not suspended
+- Make sure you're not hitting rate limits
+
+### Token Expiration
+
+The plugin handles token refresh automatically, but if you encounter authentication errors, you can re-authenticate with:
+```bash
+opencode auth login
+```
+
+## Development
+
+To develop on this plugin locally:
+
+1. **Clone**:
+
+   ```bash
+   git clone https://github.com/yourusername/opencode-deepseek-auth.git
+   cd opencode-deepseek-auth
+   npm install
+   npm run build
+   ```
+
+2. **Link**:
+   Update your OpenCode config to point to your local directory using a
+   `file://` URL:
+
+   ```json
+   {
+     "plugin": ["file:///absolute/path/to/opencode-deepseek-auth"]
+   }
+   ```
+
+## License
+
+MIT

package/dist/constants.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Constants used for DeepSeek authentication flows and API integration.
+ */
+/**
+ * OAuth redirect URI used by the local CLI callback server.
+ */
+export declare const DEEPSEEK_REDIRECT_URI = "http://localhost:8085/oauth2callback";
+/**
+ * Base endpoint for the DeepSeek API
+ */
+export declare const DEEPSEEK_API_BASE_URL = "https://chat.deepseek.com/api/v0";
+/**
+ * Login endpoint
+ */
+export declare const DEEPSEEK_LOGIN_URL = "https://chat.deepseek.com/api/v0/users/login";
+/**
+ * Headers used for DeepSeek API requests
+ */
+export declare const DEEPSEEK_BASE_HEADERS: {
+    readonly Host: "chat.deepseek.com";
+    readonly "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36";
+    readonly Accept: "application/json";
+    readonly "Accept-Encoding": "gzip";
+    readonly "Content-Type": "application/json";
+    readonly "x-client-platform": "web";
+    readonly "x-client-version": "1.5.0";
+    readonly "x-client-locale": "en_US";
+    readonly "accept-charset": "UTF-8";
+    readonly origin: "https://chat.deepseek.com";
+    readonly referer: "https://chat.deepseek.com/";
+};
+/**
+ * Provider identifier shared between the plugin loader and credential store.
+ */
+export declare const DEEPSEEK_PROVIDER_ID = "deepseek";
+export declare const DEEPSEEK_AUTH_SCOPES: string[];
+//# sourceMappingURL=constants.d.ts.map

package/dist/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH;;GAEG;AACH,eAAO,MAAM,qBAAqB,yCAAyC,CAAC;AAE5E;;GAEG;AACH,eAAO,MAAM,qBAAqB,qCAAqC,CAAC;AAExE;;GAEG;AACH,eAAO,MAAM,kBAAkB,iDAAyC,CAAC;AAEzE;;GAEG;AACH,eAAO,MAAM,qBAAqB;;;;;;;;;;;;CAYxB,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,oBAAoB,aAAa,CAAC;AAE/C,eAAO,MAAM,oBAAoB,UAIhC,CAAC"}

package/dist/constants.js

@@ -0,0 +1,44 @@
+"use strict";
+/**
+ * Constants used for DeepSeek authentication flows and API integration.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEEPSEEK_AUTH_SCOPES = exports.DEEPSEEK_PROVIDER_ID = exports.DEEPSEEK_BASE_HEADERS = exports.DEEPSEEK_LOGIN_URL = exports.DEEPSEEK_API_BASE_URL = exports.DEEPSEEK_REDIRECT_URI = void 0;
+/**
+ * OAuth redirect URI used by the local CLI callback server.
+ */
+exports.DEEPSEEK_REDIRECT_URI = "http://localhost:8085/oauth2callback";
+/**
+ * Base endpoint for the DeepSeek API
+ */
+exports.DEEPSEEK_API_BASE_URL = "https://chat.deepseek.com/api/v0";
+/**
+ * Login endpoint
+ */
+exports.DEEPSEEK_LOGIN_URL = `${exports.DEEPSEEK_API_BASE_URL}/users/login`;
+/**
+ * Headers used for DeepSeek API requests
+ */
+exports.DEEPSEEK_BASE_HEADERS = {
+    "Host": "chat.deepseek.com",
+    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
+    "Accept": "application/json",
+    "Accept-Encoding": "gzip",
+    "Content-Type": "application/json",
+    "x-client-platform": "web",
+    "x-client-version": "1.5.0",
+    "x-client-locale": "en_US",
+    "accept-charset": "UTF-8",
+    "origin": "https://chat.deepseek.com",
+    "referer": "https://chat.deepseek.com/"
+};
+/**
+ * Provider identifier shared between the plugin loader and credential store.
+ */
+exports.DEEPSEEK_PROVIDER_ID = "deepseek";
+exports.DEEPSEEK_AUTH_SCOPES = [
+    "user:profile",
+    "user:chat",
+    "user:tokens"
+];
+//# sourceMappingURL=constants.js.map

package/dist/constants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":";AAAA;;GAEG;;;AAEH;;GAEG;AACU,QAAA,qBAAqB,GAAG,sCAAsC,CAAC;AAE5E;;GAEG;AACU,QAAA,qBAAqB,GAAG,kCAAkC,CAAC;AAExE;;GAEG;AACU,QAAA,kBAAkB,GAAG,GAAG,6BAAqB,cAAc,CAAC;AAEzE;;GAEG;AACU,QAAA,qBAAqB,GAAG;IACnC,MAAM,EAAE,mBAAmB;IAC3B,YAAY,EAAE,uHAAuH;IACrI,QAAQ,EAAE,kBAAkB;IAC5B,iBAAiB,EAAE,MAAM;IACzB,cAAc,EAAE,kBAAkB;IAClC,mBAAmB,EAAE,KAAK;IAC1B,kBAAkB,EAAE,OAAO;IAC3B,iBAAiB,EAAE,OAAO;IAC1B,gBAAgB,EAAE,OAAO;IACzB,QAAQ,EAAE,2BAA2B;IACrC,SAAS,EAAE,4BAA4B;CAC/B,CAAC;AAEX;;GAEG;AACU,QAAA,oBAAoB,GAAG,UAAU,CAAC;AAElC,QAAA,oBAAoB,GAAG;IAClC,cAAc;IACd,WAAW;IACX,aAAa;CACd,CAAC"}

package/dist/deepseek/auth.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Result returned to the caller after constructing an auth URL or completing login.
+ */
+export interface DeepSeekAuthorization {
+    url?: string;
+    verifier: string;
+    success?: boolean;
+    token?: string;
+}
+interface DeepSeekTokenExchangeSuccess {
+    type: "success";
+    access: string;
+    expires: number;
+    email?: string;
+}
+interface DeepSeekTokenExchangeFailure {
+    type: "failed";
+    error: string;
+}
+export type DeepSeekTokenExchangeResult = DeepSeekTokenExchangeSuccess | DeepSeekTokenExchangeFailure;
+/**
+ * Direct login to DeepSeek using email/password
+ */
+export declare function loginDeepSeek(email: string, password: string): Promise<DeepSeekTokenExchangeResult>;
+/**
+ * Exchange credentials for tokens (for direct login approach)
+ */
+export declare function exchangeDeepSeek(credentials: {
+    email: string;
+    password: string;
+}): Promise<DeepSeekTokenExchangeResult>;
+/**
+ * Placeholder authorize function for compatibility
+ */
+export declare function authorizeDeepSeek(): Promise<DeepSeekAuthorization>;
+export {};
+//# sourceMappingURL=auth.d.ts.map

package/dist/deepseek/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/deepseek/auth.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,UAAU,4BAA4B;IACpC,IAAI,EAAE,SAAS,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,UAAU,4BAA4B;IACpC,IAAI,EAAE,QAAQ,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,MAAM,2BAA2B,GACnC,4BAA4B,GAC5B,4BAA4B,CAAC;AAEjC;;GAEG;AACH,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,2BAA2B,CAAC,CAyEzG;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,WAAW,EAAE;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,2BAA2B,CAAC,CAE7H;AAED;;GAEG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,qBAAqB,CAAC,CAQxE"}

package/dist/deepseek/auth.js

@@ -0,0 +1,94 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loginDeepSeek = loginDeepSeek;
+exports.exchangeDeepSeek = exchangeDeepSeek;
+exports.authorizeDeepSeek = authorizeDeepSeek;
+/**
+ * Direct login to DeepSeek using email/password
+ */
+async function loginDeepSeek(email, password) {
+    try {
+        // Prepare login payload
+        const payload = {
+            email,
+            password,
+            device_id: "opencode-plugin",
+            os: "web"
+        };
+        // Make login request to DeepSeek API
+        const response = await fetch("https://chat.deepseek.com/api/v0/users/login", {
+            method: "POST",
+            headers: {
+                "Host": "chat.deepseek.com",
+                "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
+                "Accept": "application/json",
+                "Accept-Encoding": "gzip",
+                "Content-Type": "application/json",
+                "x-client-platform": "web",
+                "x-client-version": "1.5.0",
+                "x-client-locale": "en_US",
+                "accept-charset": "UTF-8",
+                "origin": "https://chat.deepseek.com",
+                "referer": "https://chat.deepseek.com/"
+            },
+            body: JSON.stringify(payload)
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            return {
+                type: "failed",
+                error: `Login failed with status ${response.status}: ${errorText}`
+            };
+        }
+        const data = await response.json();
+        if (!data.data || !data.data.biz_data || !data.data.biz_data.user) {
+            return {
+                type: "failed",
+                error: "Invalid response format from DeepSeek login API"
+            };
+        }
+        const userData = data.data.biz_data.user;
+        const token = userData.token;
+        if (!token) {
+            return {
+                type: "failed",
+                error: "No token returned from DeepSeek login"
+            };
+        }
+        // Calculate expiration (default to 1 hour if not provided)
+        // In the actual DeepSeek API response, look for expires_in field
+        const expiresIn = data.data.biz_data.expires_in || 3600;
+        const expiresAt = Date.now() + (expiresIn * 1000);
+        return {
+            type: "success",
+            access: token,
+            expires: expiresAt,
+            email: userData.email || email
+        };
+    }
+    catch (error) {
+        return {
+            type: "failed",
+            error: error instanceof Error ? error.message : "Unknown error occurred during login"
+        };
+    }
+}
+/**
+ * Exchange credentials for tokens (for direct login approach)
+ */
+async function exchangeDeepSeek(credentials) {
+    return loginDeepSeek(credentials.email, credentials.password);
+}
+/**
+ * Placeholder authorize function for compatibility
+ */
+async function authorizeDeepSeek() {
+    // Since DeepSeek doesn't use standard OAuth, we'll return info indicating 
+    // that direct login should be used
+    return {
+        verifier: "", // Placeholder since we don't use PKCE
+        success: false,
+        url: "Direct login required - use email and password"
+    };
+}
+//# sourceMappingURL=auth.js.map

package/dist/deepseek/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/deepseek/auth.ts"],"names":[],"mappings":";;AA6BA,sCAyEC;AAKD,4CAEC;AAKD,8CAQC;AAhGD;;GAEG;AACI,KAAK,UAAU,aAAa,CAAC,KAAa,EAAE,QAAgB;IACjE,IAAI,CAAC;QACH,wBAAwB;QACxB,MAAM,OAAO,GAAG;YACd,KAAK;YACL,QAAQ;YACR,SAAS,EAAE,iBAAiB;YAC5B,EAAE,EAAE,KAAK;SACV,CAAC;QAEF,qCAAqC;QACrC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,8CAA8C,EAAE;YAC3E,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,MAAM,EAAE,mBAAmB;gBAC3B,YAAY,EAAE,uHAAuH;gBACrI,QAAQ,EAAE,kBAAkB;gBAC5B,iBAAiB,EAAE,MAAM;gBACzB,cAAc,EAAE,kBAAkB;gBAClC,mBAAmB,EAAE,KAAK;gBAC1B,kBAAkB,EAAE,OAAO;gBAC3B,iBAAiB,EAAE,OAAO;gBAC1B,gBAAgB,EAAE,OAAO;gBACzB,QAAQ,EAAE,2BAA2B;gBACrC,SAAS,EAAE,4BAA4B;aACxC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;SAC9B,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACxC,OAAO;gBACL,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,4BAA4B,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE;aACnE,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAQ,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAExC,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;YAClE,OAAO;gBACL,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,iDAAiD;aACzD,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;QACzC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC;QAE7B,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO;gBACL,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,uCAAuC;aAC/C,CAAC;QACJ,CAAC;QAED,2DAA2D;QAC3D,iEAAiE;QACjE,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,IAAI,IAAI,CAAC;QACxD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;QAElD,OAAO;YACL,IAAI,EAAE,SAAS;YACf,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,SAAS;YAClB,KAAK,EAAE,QAAQ,CAAC,KAAK,IAAI,KAAK;SAC/B,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,IAAI,EAAE,QAAQ;YACd,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,qCAAqC;SACtF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,gBAAgB,CAAC,WAAgD;IACrF,OAAO,aAAa,CAAC,WAAW,CAAC,KAAK,EAAE,WAAW,CAAC,QAAQ,CAAC,CAAC;AAChE,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,iBAAiB;IACrC,2EAA2E;IAC3E,mCAAmC;IACnC,OAAO;QACL,QAAQ,EAAE,EAAE,EAAE,sCAAsC;QACpD,OAAO,EAAE,KAAK;QACd,GAAG,EAAE,gDAAgD;KACtD,CAAC;AACJ,CAAC"}

package/dist/plugin.d.ts

@@ -0,0 +1,7 @@
+import type { PluginContext, PluginResult } from "./types";
+/**
+ * Registers the DeepSeek Auth provider for Opencode, handling auth, request rewriting,
+ * and response normalization for DeepSeek requests.
+ */
+export declare const DeepSeekAuthPlugin: ({ client }: PluginContext) => Promise<PluginResult>;
+//# sourceMappingURL=plugin.d.ts.map

package/dist/plugin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin.d.ts","sourceRoot":"","sources":["../src/plugin.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAGV,aAAa,EACb,YAAY,EAEb,MAAM,SAAS,CAAC;AAqGjB;;;GAGG;AACH,eAAO,MAAM,kBAAkB,GAC7B,YAAY,aAAa,KACxB,OAAO,CAAC,YAAY,CA8GrB,CAAC"}

package/dist/plugin.js

@@ -0,0 +1,182 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DeepSeekAuthPlugin = void 0;
+const constants_1 = require("./constants");
+const auth_1 = require("./deepseek/auth");
+// Keep track of active tokens
+const tokenCache = new Map();
+/**
+ * Checks if an access token has expired
+ */
+function accessTokenExpired(authRecord) {
+    const now = Date.now();
+    return !authRecord.expires || now >= authRecord.expires - 60000; // 1 minute before expiry
+}
+/**
+ * Determines if the auth method is OAuth-based
+ */
+function isOAuthAuth(auth) {
+    return auth && auth.type === "oauth";
+}
+/**
+ * Refresh access token if expired
+ */
+async function refreshAccessToken(authRecord, client) {
+    // DeepSeek doesn't have refresh tokens, so a full re-login is required
+    const email = authRecord.email;
+    const password = authRecord.password;
+    if (!email || !password) {
+        return null;
+    }
+    const result = await (0, auth_1.loginDeepSeek)(email, password);
+    if (result.type === "success") {
+        // Update the stored credentials
+        const newAuth = {
+            type: "oauth",
+            access: result.access,
+            expires: result.expires,
+            email: result.email || email,
+            password: password // Store password for refresh
+        };
+        // Update cache
+        tokenCache.set(email, {
+            token: result.access,
+            expires: result.expires,
+            email: result.email || email
+        });
+        return newAuth;
+    }
+    return null;
+}
+/**
+ * Prepares the request to DeepSeek API by setting appropriate headers and transforming the payload
+ */
+function prepareDeepSeekRequest(input, init, accessToken) {
+    // Clone the original init to avoid mutating it
+    const transformedInit = { ...init };
+    // Set authorization header
+    transformedInit.headers = {
+        ...transformedInit.headers,
+        ...constants_1.DEEPSEEK_BASE_HEADERS,
+        "authorization": `Bearer ${accessToken}`
+    };
+    // Construct the request
+    const request = new Request(input, transformedInit);
+    return { request, init: transformedInit };
+}
+/**
+ * Transforms the DeepSeek API response to match expected format
+ */
+async function transformDeepSeekResponse(response) {
+    // For now, just pass through the response
+    // If needed, we could transform to match OpenAI format
+    return response;
+}
+/**
+ * Validates if this is a DeepSeek API request
+ */
+function isDeepSeekRequest(input) {
+    const urlString = typeof input === 'string' ? input :
+        input instanceof URL ? input.toString() :
+            input.url || '';
+    return urlString.includes('deepseek.com') || urlString.includes('/v1/chat/completions');
+}
+/**
+ * Registers the DeepSeek Auth provider for Opencode, handling auth, request rewriting,
+ * and response normalization for DeepSeek requests.
+ */
+const DeepSeekAuthPlugin = async ({ client }) => ({
+    auth: {
+        provider: constants_1.DEEPSEEK_PROVIDER_ID,
+        loader: async (getAuth, provider) => {
+            const auth = await getAuth();
+            if (!isOAuthAuth(auth)) {
+                return null;
+            }
+            // If models are defined in the provider, set cost to 0 to indicate free usage
+            if (provider.models) {
+                for (const model of Object.values(provider.models)) {
+                    if (model) {
+                        model.cost = { input: 0, output: 0 };
+                    }
+                }
+            }
+            return {
+                apiKey: "",
+                async fetch(input, init) {
+                    // If this isn't a DeepSeek request, pass through normally
+                    if (!isDeepSeekRequest(input)) {
+                        return fetch(input, init);
+                    }
+                    // Get current auth state
+                    const latestAuth = await getAuth();
+                    if (!isOAuthAuth(latestAuth)) {
+                        return fetch(input, init);
+                    }
+                    let authRecord = latestAuth;
+                    // Check if token has expired and refresh if possible
+                    if (accessTokenExpired(authRecord)) {
+                        const refreshed = await refreshAccessToken(authRecord, client);
+                        if (!refreshed) {
+                            console.warn("Could not refresh DeepSeek access token");
+                            return fetch(input, init);
+                        }
+                        authRecord = refreshed;
+                    }
+                    const accessToken = authRecord.access;
+                    if (!accessToken) {
+                        return fetch(input, init);
+                    }
+                    // Prepare the request with proper headers
+                    const { request, init: transformedInit } = prepareDeepSeekRequest(input, init, accessToken);
+                    // Make the API call
+                    const response = await fetch(request, transformedInit);
+                    // Transform response if needed
+                    return transformDeepSeekResponse(response);
+                },
+            };
+        },
+        methods: [
+            {
+                label: "Login with DeepSeek Account",
+                type: "oauth",
+                authorize: async () => {
+                    // For DeepSeek, we'll implement direct credential-based auth
+                    // since they don't use standard OAuth
+                    return {
+                        url: "",
+                        instructions: "Please enter your DeepSeek account credentials (email and password). Your credentials will be stored securely and used for authentication.",
+                        method: "credentials",
+                        callback: async (credentials) => {
+                            // Validate inputs
+                            if (!credentials.email || !credentials.password) {
+                                return {
+                                    type: "failed",
+                                    error: "Email and password are required for DeepSeek authentication"
+                                };
+                            }
+                            // Attempt to log in using the provided credentials
+                            const result = await (0, auth_1.loginDeepSeek)(credentials.email, credentials.password);
+                            if (result.type === "success") {
+                                // Cache the token
+                                tokenCache.set(credentials.email, {
+                                    token: result.access,
+                                    expires: result.expires,
+                                    email: result.email || credentials.email
+                                });
+                            }
+                            return result;
+                        },
+                    };
+                },
+            },
+            {
+                provider: constants_1.DEEPSEEK_PROVIDER_ID,
+                label: "Manually enter API Key",
+                type: "api",
+            },
+        ],
+    },
+});
+exports.DeepSeekAuthPlugin = DeepSeekAuthPlugin;
+//# sourceMappingURL=plugin.js.map

package/dist/plugin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin.js","sourceRoot":"","sources":["../src/plugin.ts"],"names":[],"mappings":";;;AAEA,2CAAiG;AACjG,0CAIyB;AAWzB,8BAA8B;AAC9B,MAAM,UAAU,GAAG,IAAI,GAAG,EAA6D,CAAC;AAExF;;GAEG;AACH,SAAS,kBAAkB,CAAC,UAAe;IACzC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,OAAO,CAAC,UAAU,CAAC,OAAO,IAAI,GAAG,IAAI,UAAU,CAAC,OAAO,GAAG,KAAK,CAAC,CAAC,yBAAyB;AAC5F,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,IAAS;IAC5B,OAAO,IAAI,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,kBAAkB,CAAC,UAAe,EAAE,MAAW;IAC5D,uEAAuE;IACvE,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC;IAC/B,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,CAAC;IAErC,IAAI,CAAC,KAAK,IAAI,CAAC,QAAQ,EAAE,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,IAAA,oBAAa,EAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IACpD,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC9B,gCAAgC;QAChC,MAAM,OAAO,GAAG;YACd,IAAI,EAAE,OAAO;YACb,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,KAAK;YAC5B,QAAQ,EAAE,QAAQ,CAAE,6BAA6B;SAClD,CAAC;QAEF,eAAe;QACf,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE;YACpB,KAAK,EAAE,MAAM,CAAC,MAAM;YACpB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,KAAK;SAC7B,CAAC,CAAC;QAEH,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAC7B,KAAkC,EAClC,IAA6B,EAC7B,WAAmB;IAEnB,+CAA+C;IAC/C,MAAM,eAAe,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;IAEpC,2BAA2B;IAC3B,eAAe,CAAC,OAAO,GAAG;QACxB,GAAG,eAAe,CAAC,OAAO;QAC1B,GAAG,iCAAqB;QACxB,eAAe,EAAE,UAAU,WAAW,EAAE;KACzC,CAAC;IAEF,wBAAwB;IACxB,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,KAAoB,EAAE,eAAe,CAAC,CAAC;IAEnE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,eAAe,EAAE,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,yBAAyB,CACtC,QAAkB;IAElB,0CAA0C;IAC1C,uDAAuD;IACvD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,KAAkC;IAC3D,MAAM,SAAS,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QACpC,KAAK,YAAY,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;YACxC,KAAiB,CAAC,GAAG,IAAI,EAAE,CAAC;IAC9C,OAAO,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;AAC1F,CAAC;AAED;;;GAGG;AACI,MAAM,kBAAkB,GAAG,KAAK,EACrC,EAAE,MAAM,EAAiB,EACF,EAAE,CAAC,CAAC;IAC3B,IAAI,EAAE;QACJ,QAAQ,EAAE,gCAAoB;QAC9B,MAAM,EAAE,KAAK,EAAE,OAAgB,EAAE,QAAkB,EAAgC,EAAE;YACnF,MAAM,IAAI,GAAG,MAAM,OAAO,EAAE,CAAC;YAC7B,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,OAAO,IAAI,CAAC;YACd,CAAC;YAED,8EAA8E;YAC9E,IAAI,QAAQ,CAAC,MAAM,EAAE,CAAC;gBACpB,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;oBACnD,IAAI,KAAK,EAAE,CAAC;wBACV,KAAK,CAAC,IAAI,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;oBACvC,CAAC;gBACH,CAAC;YACH,CAAC;YAED,OAAO;gBACL,MAAM,EAAE,EAAE;gBACV,KAAK,CAAC,KAAK,CAAC,KAAkC,EAAE,IAAkB;oBAChE,0DAA0D;oBAC1D,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;wBAC9B,OAAO,KAAK,CAAC,KAAoB,EAAE,IAAI,CAAC,CAAC;oBAC3C,CAAC;oBAED,yBAAyB;oBACzB,MAAM,UAAU,GAAG,MAAM,OAAO,EAAE,CAAC;oBACnC,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,EAAE,CAAC;wBAC7B,OAAO,KAAK,CAAC,KAAoB,EAAE,IAAI,CAAC,CAAC;oBAC3C,CAAC;oBAED,IAAI,UAAU,GAAG,UAAU,CAAC;oBAE5B,qDAAqD;oBACrD,IAAI,kBAAkB,CAAC,UAAU,CAAC,EAAE,CAAC;wBACnC,MAAM,SAAS,GAAG,MAAM,kBAAkB,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;wBAC/D,IAAI,CAAC,SAAS,EAAE,CAAC;4BACf,OAAO,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;4BACxD,OAAO,KAAK,CAAC,KAAoB,EAAE,IAAI,CAAC,CAAC;wBAC3C,CAAC;wBACD,UAAU,GAAG,SAAS,CAAC;oBACzB,CAAC;oBAED,MAAM,WAAW,GAAG,UAAU,CAAC,MAAM,CAAC;oBACtC,IAAI,CAAC,WAAW,EAAE,CAAC;wBACjB,OAAO,KAAK,CAAC,KAAoB,EAAE,IAAI,CAAC,CAAC;oBAC3C,CAAC;oBAED,0CAA0C;oBAC1C,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,eAAe,EAAE,GAAG,sBAAsB,CAC/D,KAAK,EACL,IAAI,EACJ,WAAW,CACZ,CAAC;oBAEF,oBAAoB;oBACpB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;oBAEvD,+BAA+B;oBAC/B,OAAO,yBAAyB,CAAC,QAAQ,CAAC,CAAC;gBAC7C,CAAC;aACF,CAAC;QACJ,CAAC;QACD,OAAO,EAAE;YACP;gBACE,KAAK,EAAE,6BAA6B;gBACpC,IAAI,EAAE,OAAO;gBACb,SAAS,EAAE,KAAK,IAAI,EAAE;oBACpB,6DAA6D;oBAC7D,sCAAsC;oBAEtC,OAAO;wBACL,GAAG,EAAE,EAAE;wBACP,YAAY,EACV,4IAA4I;wBAC9I,MAAM,EAAE,aAAa;wBACrB,QAAQ,EAAE,KAAK,EAAE,WAAgD,EAAwC,EAAE;4BACzG,kBAAkB;4BAClB,IAAI,CAAC,WAAW,CAAC,KAAK,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC;gCAChD,OAAO;oCACL,IAAI,EAAE,QAAQ;oCACd,KAAK,EAAE,6DAA6D;iCACrE,CAAC;4BACJ,CAAC;4BAED,mDAAmD;4BACnD,MAAM,MAAM,GAAG,MAAM,IAAA,oBAAa,EAAC,WAAW,CAAC,KAAK,EAAE,WAAW,CAAC,QAAQ,CAAC,CAAC;4BAE5E,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gCAC9B,kBAAkB;gCAClB,UAAU,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,EAAE;oCAChC,KAAK,EAAE,MAAM,CAAC,MAAM;oCACpB,OAAO,EAAE,MAAM,CAAC,OAAO;oCACvB,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,WAAW,CAAC,KAAK;iCACzC,CAAC,CAAC;4BACL,CAAC;4BAED,OAAO,MAAM,CAAC;wBAChB,CAAC;qBACF,CAAC;gBACJ,CAAC;aACF;YACD;gBACE,QAAQ,EAAE,gCAAoB;gBAC9B,KAAK,EAAE,wBAAwB;gBAC/B,IAAI,EAAE,KAAK;aACZ;SACF;KACF;CACF,CAAC,CAAC;AAhHU,QAAA,kBAAkB,sBAgH5B"}

package/dist/types.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Types for the DeepSeek Auth plugin
+ */
+export interface PluginContext {
+    client: any;
+}
+export interface PluginResult {
+    auth: {
+        provider: string;
+        loader: (getAuth: GetAuth, provider: Provider) => Promise<LoaderResult | null>;
+        methods: AuthMethod[];
+    };
+}
+export interface GetAuth {
+    (): Promise<any>;
+}
+export interface LoaderResult {
+    apiKey: string;
+    fetch: (input: Parameters<typeof fetch>[0], init?: RequestInit) => Promise<Response>;
+}
+export interface Provider {
+    id?: string;
+    models?: Record<string, any>;
+    options?: Record<string, any>;
+}
+export interface AuthMethod {
+    label: string;
+    type: string;
+    provider?: string;
+    authorize?: () => Promise<{
+        url: string;
+        instructions: string;
+        method: string;
+        callback: (params?: any) => Promise<any>;
+    }>;
+}
+export interface ProjectContextResult {
+    effectiveProjectId: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,GAAG,CAAC;CACb;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE;QACJ,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,KAAK,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAAC;QAC/E,OAAO,EAAE,UAAU,EAAE,CAAC;KACvB,CAAC;CACH;AAED,MAAM,WAAW,OAAO;IACtB,IAAI,OAAO,CAAC,GAAG,CAAC,CAAC;CAClB;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,CAAC,KAAK,EAAE,UAAU,CAAC,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;CACtF;AAED,MAAM,WAAW,QAAQ;IACvB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC7B,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CAC/B;AAED,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,OAAO,CAAC;QACxB,GAAG,EAAE,MAAM,CAAC;QACZ,YAAY,EAAE,MAAM,CAAC;QACrB,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE,CAAC,MAAM,CAAC,EAAE,GAAG,KAAK,OAAO,CAAC,GAAG,CAAC,CAAC;KAC1C,CAAC,CAAC;CACJ;AAED,MAAM,WAAW,oBAAoB;IACnC,kBAAkB,EAAE,MAAM,CAAC;CAC5B"}

package/dist/types.js

@@ -0,0 +1,6 @@
+"use strict";
+/**
+ * Types for the DeepSeek Auth plugin
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":";AAAA;;GAEG"}

package/index.ts

@@ -0,0 +1,13 @@
+export {
+  DeepSeekAuthPlugin,
+} from "./src/plugin";
+
+export {
+  authorizeDeepSeek,
+  exchangeDeepSeek,
+} from "./src/deepseek/auth";
+
+export type {
+  DeepSeekAuthorization,
+  DeepSeekTokenExchangeResult,
+} from "./src/deepseek/auth";

package/package.json

@@ -0,0 +1,28 @@
+{
+  "name": "opencode-deepseek-auth",
+  "version": "1.0.0",
+  "description": "Authenticate the Opencode CLI with your DeepSeek account credentials",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "build": "tsc",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "opencode",
+    "deepseek",
+    "authentication",
+    "oauth",
+    "plugin"
+  ],
+  "author": "OpenCode",
+  "license": "MIT",
+  "dependencies": {
+    "node-fetch": "^2.6.7"
+  },
+  "devDependencies": {
+    "@types/node": "^20.0.0",
+    "@types/node-fetch": "^2.6.4",
+    "typescript": "^5.0.0"
+  }
+}

package/src/constants.ts

@@ -0,0 +1,46 @@
+/**
+ * Constants used for DeepSeek authentication flows and API integration.
+ */
+
+/**
+ * OAuth redirect URI used by the local CLI callback server.
+ */
+export const DEEPSEEK_REDIRECT_URI = "http://localhost:8085/oauth2callback";
+
+/**
+ * Base endpoint for the DeepSeek API
+ */
+export const DEEPSEEK_API_BASE_URL = "https://chat.deepseek.com/api/v0";
+
+/**
+ * Login endpoint
+ */
+export const DEEPSEEK_LOGIN_URL = `${DEEPSEEK_API_BASE_URL}/users/login`;
+
+/**
+ * Headers used for DeepSeek API requests
+ */
+export const DEEPSEEK_BASE_HEADERS = {
+  "Host": "chat.deepseek.com",
+  "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
+  "Accept": "application/json",
+  "Accept-Encoding": "gzip",
+  "Content-Type": "application/json",
+  "x-client-platform": "web",
+  "x-client-version": "1.5.0",
+  "x-client-locale": "en_US",
+  "accept-charset": "UTF-8",
+  "origin": "https://chat.deepseek.com",
+  "referer": "https://chat.deepseek.com/"
+} as const;
+
+/**
+ * Provider identifier shared between the plugin loader and credential store.
+ */
+export const DEEPSEEK_PROVIDER_ID = "deepseek";
+
+export const DEEPSEEK_AUTH_SCOPES = [
+  "user:profile",
+  "user:chat",
+  "user:tokens"
+];

package/src/deepseek/auth.ts

@@ -0,0 +1,123 @@
+/**
+ * Result returned to the caller after constructing an auth URL or completing login.
+ */
+export interface DeepSeekAuthorization {
+  url?: string;
+  verifier: string; // Required for interface compatibility even if not used
+  success?: boolean;
+  token?: string;
+}
+
+interface DeepSeekTokenExchangeSuccess {
+  type: "success";
+  access: string;
+  expires: number;
+  email?: string;
+}
+
+interface DeepSeekTokenExchangeFailure {
+  type: "failed";
+  error: string;
+}
+
+export type DeepSeekTokenExchangeResult =
+  | DeepSeekTokenExchangeSuccess
+  | DeepSeekTokenExchangeFailure;
+
+/**
+ * Direct login to DeepSeek using email/password
+ */
+export async function loginDeepSeek(email: string, password: string): Promise<DeepSeekTokenExchangeResult> {
+  try {
+    // Prepare login payload
+    const payload = {
+      email,
+      password,
+      device_id: "opencode-plugin",
+      os: "web"
+    };
+
+    // Make login request to DeepSeek API
+    const response = await fetch("https://chat.deepseek.com/api/v0/users/login", {
+      method: "POST",
+      headers: {
+        "Host": "chat.deepseek.com",
+        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
+        "Accept": "application/json",
+        "Accept-Encoding": "gzip",
+        "Content-Type": "application/json",
+        "x-client-platform": "web",
+        "x-client-version": "1.5.0",
+        "x-client-locale": "en_US",
+        "accept-charset": "UTF-8",
+        "origin": "https://chat.deepseek.com",
+        "referer": "https://chat.deepseek.com/"
+      },
+      body: JSON.stringify(payload)
+    });
+
+    if (!response.ok) {
+      const errorText = await response.text();
+      return { 
+        type: "failed", 
+        error: `Login failed with status ${response.status}: ${errorText}` 
+      };
+    }
+
+    const data: any = await response.json();
+    
+    if (!data.data || !data.data.biz_data || !data.data.biz_data.user) {
+      return { 
+        type: "failed", 
+        error: "Invalid response format from DeepSeek login API" 
+      };
+    }
+
+    const userData = data.data.biz_data.user;
+    const token = userData.token;
+
+    if (!token) {
+      return { 
+        type: "failed", 
+        error: "No token returned from DeepSeek login" 
+      };
+    }
+
+    // Calculate expiration (default to 1 hour if not provided)
+    // In the actual DeepSeek API response, look for expires_in field
+    const expiresIn = data.data.biz_data.expires_in || 3600;
+    const expiresAt = Date.now() + (expiresIn * 1000);
+
+    return {
+      type: "success",
+      access: token,
+      expires: expiresAt,
+      email: userData.email || email
+    };
+  } catch (error) {
+    return {
+      type: "failed",
+      error: error instanceof Error ? error.message : "Unknown error occurred during login"
+    };
+  }
+}
+
+/**
+ * Exchange credentials for tokens (for direct login approach)
+ */
+export async function exchangeDeepSeek(credentials: { email: string, password: string }): Promise<DeepSeekTokenExchangeResult> {
+  return loginDeepSeek(credentials.email, credentials.password);
+}
+
+/**
+ * Placeholder authorize function for compatibility
+ */
+export async function authorizeDeepSeek(): Promise<DeepSeekAuthorization> {
+  // Since DeepSeek doesn't use standard OAuth, we'll return info indicating 
+  // that direct login should be used
+  return {
+    verifier: "", // Placeholder since we don't use PKCE
+    success: false,
+    url: "Direct login required - use email and password"
+  };
+}

package/src/plugin.ts

@@ -0,0 +1,234 @@
+import { spawn } from "node:child_process";
+
+import { DEEPSEEK_PROVIDER_ID, DEEPSEEK_REDIRECT_URI, DEEPSEEK_BASE_HEADERS } from "./constants";
+import {
+  authorizeDeepSeek,
+  exchangeDeepSeek,
+  loginDeepSeek
+} from "./deepseek/auth";
+import type { DeepSeekTokenExchangeResult } from "./deepseek/auth";
+
+import type {
+  GetAuth,
+  LoaderResult,
+  PluginContext,
+  PluginResult,
+  Provider,
+} from "./types";
+
+// Keep track of active tokens
+const tokenCache = new Map<string, { token: string, expires: number, email: string }>();
+
+/**
+ * Checks if an access token has expired
+ */
+function accessTokenExpired(authRecord: any): boolean {
+  const now = Date.now();
+  return !authRecord.expires || now >= authRecord.expires - 60000; // 1 minute before expiry
+}
+
+/**
+ * Determines if the auth method is OAuth-based
+ */
+function isOAuthAuth(auth: any): boolean {
+  return auth && auth.type === "oauth";
+}
+
+/**
+ * Refresh access token if expired
+ */
+async function refreshAccessToken(authRecord: any, client: any): Promise<any | null> {
+  // DeepSeek doesn't have refresh tokens, so a full re-login is required
+  const email = authRecord.email;
+  const password = authRecord.password;
+  
+  if (!email || !password) {
+    return null;
+  }
+  
+  const result = await loginDeepSeek(email, password);
+  if (result.type === "success") {
+    // Update the stored credentials
+    const newAuth = {
+      type: "oauth",
+      access: result.access,
+      expires: result.expires,
+      email: result.email || email,
+      password: password  // Store password for refresh
+    };
+    
+    // Update cache
+    tokenCache.set(email, {
+      token: result.access,
+      expires: result.expires,
+      email: result.email || email
+    });
+    
+    return newAuth;
+  }
+  
+  return null;
+}
+
+/**
+ * Prepares the request to DeepSeek API by setting appropriate headers and transforming the payload
+ */
+function prepareDeepSeekRequest(
+  input: Parameters<typeof fetch>[0],
+  init: RequestInit | undefined,
+  accessToken: string
+): { request: Request, init: RequestInit } {
+  // Clone the original init to avoid mutating it
+  const transformedInit = { ...init };
+  
+  // Set authorization header
+  transformedInit.headers = {
+    ...transformedInit.headers,
+    ...DEEPSEEK_BASE_HEADERS,
+    "authorization": `Bearer ${accessToken}`
+  };
+  
+  // Construct the request
+  const request = new Request(input as RequestInfo, transformedInit);
+  
+  return { request, init: transformedInit };
+}
+
+/**
+ * Transforms the DeepSeek API response to match expected format
+ */
+async function transformDeepSeekResponse(
+  response: Response
+): Promise<Response> {
+  // For now, just pass through the response
+  // If needed, we could transform to match OpenAI format
+  return response;
+}
+
+/**
+ * Validates if this is a DeepSeek API request
+ */
+function isDeepSeekRequest(input: Parameters<typeof fetch>[0]): boolean {
+  const urlString = typeof input === 'string' ? input : 
+                   input instanceof URL ? input.toString() : 
+                   (input as Request).url || '';
+  return urlString.includes('deepseek.com') || urlString.includes('/v1/chat/completions');
+}
+
+/**
+ * Registers the DeepSeek Auth provider for Opencode, handling auth, request rewriting,
+ * and response normalization for DeepSeek requests.
+ */
+export const DeepSeekAuthPlugin = async (
+  { client }: PluginContext,
+): Promise<PluginResult> => ({
+  auth: {
+    provider: DEEPSEEK_PROVIDER_ID,
+    loader: async (getAuth: GetAuth, provider: Provider): Promise<LoaderResult | null> => {
+      const auth = await getAuth();
+      if (!isOAuthAuth(auth)) {
+        return null;
+      }
+
+      // If models are defined in the provider, set cost to 0 to indicate free usage
+      if (provider.models) {
+        for (const model of Object.values(provider.models)) {
+          if (model) {
+            model.cost = { input: 0, output: 0 };
+          }
+        }
+      }
+
+      return {
+        apiKey: "",
+        async fetch(input: Parameters<typeof fetch>[0], init?: RequestInit) {
+          // If this isn't a DeepSeek request, pass through normally
+          if (!isDeepSeekRequest(input)) {
+            return fetch(input as RequestInfo, init);
+          }
+
+          // Get current auth state
+          const latestAuth = await getAuth();
+          if (!isOAuthAuth(latestAuth)) {
+            return fetch(input as RequestInfo, init);
+          }
+
+          let authRecord = latestAuth;
+          
+          // Check if token has expired and refresh if possible
+          if (accessTokenExpired(authRecord)) {
+            const refreshed = await refreshAccessToken(authRecord, client);
+            if (!refreshed) {
+              console.warn("Could not refresh DeepSeek access token");
+              return fetch(input as RequestInfo, init);
+            }
+            authRecord = refreshed;
+          }
+
+          const accessToken = authRecord.access;
+          if (!accessToken) {
+            return fetch(input as RequestInfo, init);
+          }
+
+          // Prepare the request with proper headers
+          const { request, init: transformedInit } = prepareDeepSeekRequest(
+            input,
+            init,
+            accessToken
+          );
+
+          // Make the API call
+          const response = await fetch(request, transformedInit);
+          
+          // Transform response if needed
+          return transformDeepSeekResponse(response);
+        },
+      };
+    },
+    methods: [
+      {
+        label: "Login with DeepSeek Account",
+        type: "oauth",
+        authorize: async () => {
+          // For DeepSeek, we'll implement direct credential-based auth
+          // since they don't use standard OAuth
+        
+          return {
+            url: "",
+            instructions:
+              "Please enter your DeepSeek account credentials (email and password). Your credentials will be stored securely and used for authentication.",
+            method: "credentials",
+            callback: async (credentials: { email: string, password: string }): Promise<DeepSeekTokenExchangeResult> => {
+              // Validate inputs
+              if (!credentials.email || !credentials.password) {
+                return {
+                  type: "failed",
+                  error: "Email and password are required for DeepSeek authentication"
+                };
+              }
+
+              // Attempt to log in using the provided credentials
+              const result = await loginDeepSeek(credentials.email, credentials.password);
+              
+              if (result.type === "success") {
+                // Cache the token
+                tokenCache.set(credentials.email, {
+                  token: result.access,
+                  expires: result.expires,
+                  email: result.email || credentials.email
+                });
+              }
+              
+              return result;
+            },
+          };
+        },
+      },
+      {
+        provider: DEEPSEEK_PROVIDER_ID,
+        label: "Manually enter API Key",
+        type: "api",
+      },
+    ],
+  },
+});

package/src/types.ts

@@ -0,0 +1,46 @@
+/**
+ * Types for the DeepSeek Auth plugin
+ */
+
+export interface PluginContext {
+  client: any;
+}
+
+export interface PluginResult {
+  auth: {
+    provider: string;
+    loader: (getAuth: GetAuth, provider: Provider) => Promise<LoaderResult | null>;
+    methods: AuthMethod[];
+  };
+}
+
+export interface GetAuth {
+  (): Promise<any>;
+}
+
+export interface LoaderResult {
+  apiKey: string;
+  fetch: (input: Parameters<typeof fetch>[0], init?: RequestInit) => Promise<Response>;
+}
+
+export interface Provider {
+  id?: string;
+  models?: Record<string, any>;
+  options?: Record<string, any>;
+}
+
+export interface AuthMethod {
+  label: string;
+  type: string;
+  provider?: string;
+  authorize?: () => Promise<{
+    url: string;
+    instructions: string;
+    method: string;
+    callback: (params?: any) => Promise<any>;
+  }>;
+}
+
+export interface ProjectContextResult {
+  effectiveProjectId: string;
+}

package/test.js

@@ -0,0 +1,28 @@
+/**
+ * Test script to verify the DeepSeek Auth plugin functionality
+ */
+
+const { loginDeepSeek } = require('./dist/deepseek/auth');
+
+console.log('Testing DeepSeek authentication functionality...');
+
+// Example test - this would require actual credentials to work properly
+async function testDeepSeekLogin() {
+  console.log('Testing login function initialization...');
+  
+  // Just calling the function to make sure it's available
+  console.log('Function loginDeepSeek is available:', typeof loginDeepSeek);
+  
+  // Testing with mock credentials (would fail without real credentials)
+  try {
+    console.log('Attempting to call loginDeepSeek with mock credentials...');
+    const result = await loginDeepSeek('test@example.com', 'mock_password');
+    console.log('Expected failure result for mock credentials:', result);
+  } catch (error) {
+    console.log('Caught error (expected for mock credentials):', error.message);
+  }
+  
+  console.log('Test completed successfully!');
+}
+
+testDeepSeekLogin().catch(console.error);

package/test.ts

@@ -0,0 +1,23 @@
+/**
+ * Test file for DeepSeek Auth plugin
+ */
+
+import { loginDeepSeek } from './src/deepseek/auth';
+
+// Example test - in real usage, you would test with actual credentials
+async function testDeepSeekLogin() {
+  console.log('Testing DeepSeek authentication...');
+  
+  // Note: This would require actual credentials to work properly
+  // This is just a demonstration of how the function is structured
+  try {
+    // This would fail without real credentials, but demonstrates the API
+    const result = await loginDeepSeek('test@example.com', 'password');
+    console.log('Login result:', result);
+  } catch (error) {
+    console.error('Test failed as expected (no real credentials):', error);
+  }
+}
+
+// Run test
+testDeepSeekLogin().catch(console.error);

package/tsconfig.json

@@ -0,0 +1,32 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "CommonJS",
+    "lib": ["ES2020", "DOM"],
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "declaration": true,
+    "declarationMap": true,
+    "sourceMap": true,
+    "removeComments": false,
+    "noImplicitAny": true,
+    "strictNullChecks": true,
+    "strictFunctionTypes": true,
+    "noImplicitReturns": true,
+    "noFallthroughCasesInSwitch": true,
+    "moduleResolution": "node",
+    "allowSyntheticDefaultImports": true,
+    "resolveJsonModule": true
+  },
+  "include": [
+    "src/**/*"
+  ],
+  "exclude": [
+    "node_modules",
+    "dist"
+  ]
+}