npm - orch-code - Versions diffs - 0.1.1 - Mend

orch-code 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (116) hide show

package/CHANGELOG.md +12 -0
package/LICENSE +21 -0
package/README.md +624 -0
package/cmd/apply.go +111 -0
package/cmd/auth.go +393 -0
package/cmd/auth_test.go +100 -0
package/cmd/diff.go +57 -0
package/cmd/doctor.go +149 -0
package/cmd/explain.go +192 -0
package/cmd/explain_test.go +62 -0
package/cmd/init.go +100 -0
package/cmd/interactive.go +1372 -0
package/cmd/interactive_input.go +45 -0
package/cmd/interactive_input_test.go +55 -0
package/cmd/logs.go +72 -0
package/cmd/model.go +84 -0
package/cmd/plan.go +149 -0
package/cmd/provider.go +189 -0
package/cmd/provider_model_doctor_test.go +91 -0
package/cmd/root.go +67 -0
package/cmd/run.go +123 -0
package/cmd/run_engine.go +208 -0
package/cmd/run_engine_test.go +30 -0
package/cmd/session.go +589 -0
package/cmd/session_helpers.go +54 -0
package/cmd/session_integration_test.go +30 -0
package/cmd/session_list_current_test.go +87 -0
package/cmd/session_messages_test.go +163 -0
package/cmd/session_runs_test.go +68 -0
package/cmd/sprint1_integration_test.go +119 -0
package/cmd/stats.go +173 -0
package/cmd/stats_test.go +71 -0
package/cmd/version.go +4 -0
package/go.mod +45 -0
package/go.sum +108 -0
package/internal/agents/agent.go +31 -0
package/internal/agents/coder.go +167 -0
package/internal/agents/planner.go +155 -0
package/internal/agents/reviewer.go +118 -0
package/internal/agents/runtime.go +25 -0
package/internal/agents/runtime_test.go +77 -0
package/internal/auth/account.go +78 -0
package/internal/auth/oauth.go +523 -0
package/internal/auth/store.go +287 -0
package/internal/confidence/policy.go +174 -0
package/internal/confidence/policy_test.go +71 -0
package/internal/confidence/scorer.go +253 -0
package/internal/confidence/scorer_test.go +83 -0
package/internal/config/config.go +331 -0
package/internal/config/config_defaults_test.go +138 -0
package/internal/execution/contract_builder.go +160 -0
package/internal/execution/contract_builder_test.go +68 -0
package/internal/execution/plan_compliance.go +161 -0
package/internal/execution/plan_compliance_test.go +71 -0
package/internal/execution/retry_directive.go +132 -0
package/internal/execution/scope_guard.go +69 -0
package/internal/logger/logger.go +120 -0
package/internal/models/contracts_test.go +100 -0
package/internal/models/models.go +269 -0
package/internal/orchestrator/orchestrator.go +701 -0
package/internal/orchestrator/orchestrator_retry_test.go +135 -0
package/internal/orchestrator/review_engine_test.go +50 -0
package/internal/orchestrator/state.go +42 -0
package/internal/orchestrator/test_classifier_test.go +68 -0
package/internal/patch/applier.go +131 -0
package/internal/patch/applier_test.go +25 -0
package/internal/patch/parser.go +89 -0
package/internal/patch/patch.go +60 -0
package/internal/patch/summary.go +30 -0
package/internal/patch/validator.go +104 -0
package/internal/planning/normalizer.go +416 -0
package/internal/planning/normalizer_test.go +64 -0
package/internal/providers/errors.go +35 -0
package/internal/providers/openai/client.go +498 -0
package/internal/providers/openai/client_test.go +187 -0
package/internal/providers/provider.go +47 -0
package/internal/providers/registry.go +32 -0
package/internal/providers/registry_test.go +57 -0
package/internal/providers/router.go +52 -0
package/internal/providers/state.go +114 -0
package/internal/providers/state_test.go +64 -0
package/internal/repo/analyzer.go +188 -0
package/internal/repo/context.go +83 -0
package/internal/review/engine.go +267 -0
package/internal/review/engine_test.go +103 -0
package/internal/runstore/store.go +137 -0
package/internal/runstore/store_test.go +59 -0
package/internal/runtime/lock.go +150 -0
package/internal/runtime/lock_test.go +57 -0
package/internal/session/compaction.go +260 -0
package/internal/session/compaction_test.go +36 -0
package/internal/session/service.go +117 -0
package/internal/session/service_test.go +113 -0
package/internal/storage/storage.go +1498 -0
package/internal/storage/storage_test.go +413 -0
package/internal/testing/classifier.go +80 -0
package/internal/testing/classifier_test.go +36 -0
package/internal/tools/command.go +160 -0
package/internal/tools/command_test.go +56 -0
package/internal/tools/file.go +111 -0
package/internal/tools/git.go +77 -0
package/internal/tools/invalid_params_test.go +36 -0
package/internal/tools/policy.go +98 -0
package/internal/tools/policy_test.go +36 -0
package/internal/tools/registry_test.go +52 -0
package/internal/tools/result.go +30 -0
package/internal/tools/search.go +86 -0
package/internal/tools/tool.go +94 -0
package/main.go +9 -0
package/npm/orch.js +25 -0
package/package.json +41 -0
package/scripts/changelog.js +20 -0
package/scripts/check-release-version.js +21 -0
package/scripts/lib/release-utils.js +223 -0
package/scripts/postinstall.js +157 -0
package/scripts/release.js +52 -0

package/internal/providers/openai/client.go ADDED Viewed

@@ -0,0 +1,498 @@
+package openai
+import (
+	"bytes"
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"math/rand"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+	"github.com/furkanbeydemir/orch/internal/config"
+	"github.com/furkanbeydemir/orch/internal/providers"
+)
+type Client struct {
+	cfg          config.OpenAIProviderConfig
+	httpClient   *http.Client
+	rand         *rand.Rand
+	resolveToken func(context.Context) (string, error)
+}
+type requester interface {
+	Do(req *http.Request) (*http.Response, error)
+}
+const (
+	defaultAPIBaseURL   = "https://api.openai.com/v1"
+	defaultCodexBaseURL = "https://chatgpt.com/backend-api"
+)
+func New(cfg config.OpenAIProviderConfig) *Client {
+	timeout := time.Duration(cfg.TimeoutSeconds) * time.Second
+	if timeout <= 0 {
+		timeout = 90 * time.Second
+	}
+	return &Client{
+		cfg: cfg,
+		httpClient: &http.Client{
+			Timeout: timeout,
+		},
+		rand: rand.New(rand.NewSource(time.Now().UnixNano())),
+		resolveToken: func(ctx context.Context) (string, error) {
+			_ = ctx
+			return "", nil
+		},
+	}
+}
+func (c *Client) SetTokenResolver(resolver func(context.Context) (string, error)) {
+	if resolver == nil {
+		return
+	}
+	c.resolveToken = resolver
+}
+func (c *Client) Name() string {
+	return "openai"
+}
+func (c *Client) Validate(ctx context.Context) error {
+	key, err := c.resolveAuthToken(ctx)
+	if err != nil {
+		return err
+	}
+	mode := c.authMode()
+	if mode == "account" {
+		if _, accountErr := extractAccountID(key); accountErr != nil {
+			return &providers.Error{Code: providers.ErrAuthError, Message: "invalid account token", Cause: accountErr}
+		}
+		return nil
+	}
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, c.modelsURL(mode), nil)
+	if err != nil {
+		return err
+	}
+	if err := c.applyAuthHeaders(req, mode, key); err != nil {
+		return err
+	}
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return mapHTTPError(err, 0, "validate")
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode >= 300 {
+		body, _ := io.ReadAll(resp.Body)
+		return mapStatusError(resp.StatusCode, string(body), "validate")
+	}
+	return nil
+}
+func (c *Client) Chat(ctx context.Context, req providers.ChatRequest) (providers.ChatResponse, error) {
+	return c.chatWithDoer(ctx, req, c.httpClient)
+}
+func (c *Client) Stream(ctx context.Context, req providers.ChatRequest) (<-chan providers.StreamEvent, <-chan error) {
+	stream := make(chan providers.StreamEvent, 1)
+	errCh := make(chan error, 1)
+	go func() {
+		defer close(stream)
+		defer close(errCh)
+		resp, err := c.Chat(ctx, req)
+		if err != nil {
+			errCh <- err
+			return
+		}
+		stream <- providers.StreamEvent{Type: "token", Text: resp.Text}
+		stream <- providers.StreamEvent{Type: "done", Metadata: map[string]string{"finish_reason": resp.FinishReason}}
+	}()
+	return stream, errCh
+}
+func (c *Client) chatWithDoer(ctx context.Context, req providers.ChatRequest, doer requester) (providers.ChatResponse, error) {
+	key, err := c.resolveAuthToken(ctx)
+	if err != nil {
+		return providers.ChatResponse{}, err
+	}
+	mode := c.authMode()
+	model := strings.TrimSpace(req.Model)
+	if model == "" {
+		model = c.defaultModel(req.Role)
+	}
+	if model == "" {
+		return providers.ChatResponse{}, &providers.Error{Code: providers.ErrModelUnavailable, Message: fmt.Sprintf("model not configured for role %s", req.Role)}
+	}
+	payload := map[string]any{
+		"model": model,
+		"input": buildInput(req.SystemPrompt, req.UserPrompt),
+	}
+	if effort := strings.TrimSpace(req.ReasoningEffort); effort != "" {
+		payload["reasoning"] = map[string]any{"effort": effort}
+	} else if effort := strings.TrimSpace(c.cfg.ReasoningEffort); effort != "" {
+		payload["reasoning"] = map[string]any{"effort": effort}
+	}
+	bodyBytes, err := json.Marshal(payload)
+	if err != nil {
+		return providers.ChatResponse{}, err
+	}
+	attempts := c.cfg.MaxRetries
+	if attempts <= 0 {
+		attempts = 3
+	}
+	var lastErr error
+	for attempt := 1; attempt <= attempts; attempt++ {
+		httpReq, reqErr := http.NewRequestWithContext(ctx, http.MethodPost, c.responsesURL(mode), bytes.NewReader(bodyBytes))
+		if reqErr != nil {
+			return providers.ChatResponse{}, reqErr
+		}
+		if err := c.applyAuthHeaders(httpReq, mode, key); err != nil {
+			return providers.ChatResponse{}, err
+		}
+		httpReq.Header.Set("Content-Type", "application/json")
+		httpResp, doErr := doer.Do(httpReq)
+		if doErr != nil {
+			mapped := mapHTTPError(doErr, 0, "chat")
+			lastErr = mapped
+			if isRetryable(mapped) && attempt < attempts {
+				c.sleepBackoff(attempt)
+				continue
+			}
+			return providers.ChatResponse{}, mapped
+		}
+		data, readErr := io.ReadAll(httpResp.Body)
+		_ = httpResp.Body.Close()
+		if readErr != nil {
+			lastErr = &providers.Error{Code: providers.ErrInvalidResponse, Message: "failed to read provider response", Cause: readErr}
+			if attempt < attempts {
+				c.sleepBackoff(attempt)
+				continue
+			}
+			return providers.ChatResponse{}, lastErr
+		}
+		if httpResp.StatusCode >= 300 {
+			mapped := mapStatusError(httpResp.StatusCode, string(data), "chat")
+			lastErr = mapped
+			if isRetryable(mapped) && attempt < attempts {
+				c.sleepBackoff(attempt)
+				continue
+			}
+			return providers.ChatResponse{}, mapped
+		}
+		parsed, parseErr := parseResponse(data)
+		if parseErr != nil {
+			lastErr = &providers.Error{Code: providers.ErrInvalidResponse, Message: "failed to parse provider response", Cause: parseErr}
+			if attempt < attempts {
+				c.sleepBackoff(attempt)
+				continue
+			}
+			return providers.ChatResponse{}, lastErr
+		}
+		parsed.ProviderMetadata = map[string]string{
+			"provider": "openai",
+			"model":    model,
+		}
+		return parsed, nil
+	}
+	if lastErr == nil {
+		lastErr = &providers.Error{Code: providers.ErrTransient, Message: "provider call failed"}
+	}
+	return providers.ChatResponse{}, lastErr
+}
+func (c *Client) defaultModel(role providers.Role) string {
+	switch role {
+	case providers.RolePlanner:
+		return c.cfg.Models.Planner
+	case providers.RoleCoder:
+		return c.cfg.Models.Coder
+	case providers.RoleReviewer:
+		return c.cfg.Models.Reviewer
+	default:
+		return ""
+	}
+}
+func buildInput(system, user string) []map[string]any {
+	parts := make([]map[string]any, 0, 2)
+	if strings.TrimSpace(system) != "" {
+		parts = append(parts, map[string]any{
+			"role": "system",
+			"content": []map[string]string{
+				{"type": "input_text", "text": system},
+			},
+		})
+	}
+	parts = append(parts, map[string]any{
+		"role": "user",
+		"content": []map[string]string{
+			{"type": "input_text", "text": user},
+		},
+	})
+	return parts
+}
+type responsesAPI struct {
+	Output []struct {
+		Content []struct {
+			Text string `json:"text"`
+		} `json:"content"`
+	} `json:"output"`
+	OutputText string `json:"output_text"`
+	Usage      struct {
+		InputTokens  int `json:"input_tokens"`
+		OutputTokens int `json:"output_tokens"`
+		TotalTokens  int `json:"total_tokens"`
+	} `json:"usage"`
+	Status string `json:"status"`
+}
+func parseResponse(data []byte) (providers.ChatResponse, error) {
+	var raw responsesAPI
+	if err := json.Unmarshal(data, &raw); err != nil {
+		return providers.ChatResponse{}, err
+	}
+	text := strings.TrimSpace(raw.OutputText)
+	if text == "" {
+		var b strings.Builder
+		for _, out := range raw.Output {
+			for _, c := range out.Content {
+				if strings.TrimSpace(c.Text) != "" {
+					if b.Len() > 0 {
+						b.WriteString("\n")
+					}
+					b.WriteString(c.Text)
+				}
+			}
+		}
+		text = strings.TrimSpace(b.String())
+	}
+	if text == "" {
+		return providers.ChatResponse{}, fmt.Errorf("empty output text")
+	}
+	return providers.ChatResponse{
+		Text:         text,
+		FinishReason: raw.Status,
+		Usage: providers.Usage{
+			InputTokens:  raw.Usage.InputTokens,
+			OutputTokens: raw.Usage.OutputTokens,
+			TotalTokens:  raw.Usage.TotalTokens,
+		},
+	}, nil
+}
+func (c *Client) sleepBackoff(attempt int) {
+	base := time.Duration(250*(1<<(attempt-1))) * time.Millisecond
+	jitter := time.Duration(c.rand.Intn(200)) * time.Millisecond
+	time.Sleep(base + jitter)
+}
+func mapHTTPError(err error, status int, op string) error {
+	if strings.Contains(strings.ToLower(err.Error()), "timeout") {
+		return &providers.Error{Code: providers.ErrTimeout, Message: fmt.Sprintf("%s timeout", op), Cause: err}
+	}
+	if status >= 500 {
+		return &providers.Error{Code: providers.ErrTransient, Message: fmt.Sprintf("%s transient failure", op), Cause: err}
+	}
+	return &providers.Error{Code: providers.ErrTransient, Message: fmt.Sprintf("%s request failed", op), Cause: err}
+}
+func mapStatusError(status int, body, op string) error {
+	trimmed := strings.TrimSpace(body)
+	switch {
+	case status == http.StatusUnauthorized || status == http.StatusForbidden:
+		return &providers.Error{Code: providers.ErrAuthError, Message: fmt.Sprintf("%s unauthorized", op), Cause: fmt.Errorf("status=%d body=%s", status, trimmed)}
+	case status == http.StatusTooManyRequests:
+		return &providers.Error{Code: providers.ErrRateLimited, Message: fmt.Sprintf("%s rate limited", op), Cause: fmt.Errorf("status=%d body=%s", status, trimmed)}
+	case status == http.StatusNotFound:
+		return &providers.Error{Code: providers.ErrModelUnavailable, Message: fmt.Sprintf("%s model unavailable", op), Cause: fmt.Errorf("status=%d body=%s", status, trimmed)}
+	case status >= 500:
+		return &providers.Error{Code: providers.ErrTransient, Message: fmt.Sprintf("%s transient error", op), Cause: fmt.Errorf("status=%d body=%s", status, trimmed)}
+	default:
+		return &providers.Error{Code: providers.ErrInvalidResponse, Message: fmt.Sprintf("%s invalid response", op), Cause: fmt.Errorf("status=%d body=%s", status, trimmed)}
+	}
+}
+func isRetryable(err error) bool {
+	pe, ok := err.(*providers.Error)
+	if !ok {
+		return false
+	}
+	switch pe.Code {
+	case providers.ErrRateLimited, providers.ErrTimeout, providers.ErrTransient:
+		return true
+	default:
+		return false
+	}
+}
+func (c *Client) resolveAuthToken(ctx context.Context) (string, error) {
+	mode := c.authMode()
+	if mode == "" {
+		mode = "api_key"
+	}
+	switch mode {
+	case "api_key":
+		key := strings.TrimSpace(os.Getenv(c.cfg.APIKeyEnv))
+		if key == "" && c.resolveToken != nil {
+			resolved, err := c.resolveToken(ctx)
+			if err != nil {
+				return "", &providers.Error{Code: providers.ErrAuthError, Message: "failed to resolve api key from local auth state", Cause: err}
+			}
+			key = strings.TrimSpace(resolved)
+		}
+		if key == "" {
+			return "", &providers.Error{Code: providers.ErrAuthError, Message: fmt.Sprintf("missing API key in env var %s and local auth state", c.cfg.APIKeyEnv)}
+		}
+		return key, nil
+	case "account":
+		if env := strings.TrimSpace(os.Getenv(c.cfg.AccountTokenEnv)); env != "" {
+			return env, nil
+		}
+		if c.resolveToken != nil {
+			token, err := c.resolveToken(ctx)
+			if err != nil {
+				return "", &providers.Error{Code: providers.ErrAuthError, Message: "failed to resolve account token", Cause: err}
+			}
+			if strings.TrimSpace(token) != "" {
+				return strings.TrimSpace(token), nil
+			}
+		}
+		return "", &providers.Error{Code: providers.ErrAuthError, Message: fmt.Sprintf("missing account token in env var %s and local auth state", c.cfg.AccountTokenEnv)}
+	default:
+		return "", &providers.Error{Code: providers.ErrAuthError, Message: fmt.Sprintf("unsupported auth mode: %s", mode)}
+	}
+}
+func (c *Client) authMode() string {
+	mode := strings.ToLower(strings.TrimSpace(c.cfg.AuthMode))
+	if mode == "" {
+		return "api_key"
+	}
+	return mode
+}
+func (c *Client) baseURLForMode(mode string) string {
+	base := strings.TrimSpace(c.cfg.BaseURL)
+	base = strings.TrimRight(base, "/")
+	if mode == "account" {
+		if base == "" || strings.EqualFold(base, strings.TrimRight(defaultAPIBaseURL, "/")) {
+			return defaultCodexBaseURL
+		}
+		return base
+	}
+	if base == "" {
+		return defaultAPIBaseURL
+	}
+	return base
+}
+func (c *Client) modelsURL(mode string) string {
+	base := c.baseURLForMode(mode)
+	if strings.HasSuffix(base, "/models") {
+		return base
+	}
+	return base + "/models"
+}
+func (c *Client) responsesURL(mode string) string {
+	base := c.baseURLForMode(mode)
+	if mode == "account" {
+		switch {
+		case strings.HasSuffix(base, "/codex/responses"):
+			return base
+		case strings.HasSuffix(base, "/codex"):
+			return base + "/responses"
+		default:
+			return base + "/codex/responses"
+		}
+	}
+	if strings.HasSuffix(base, "/responses") {
+		return base
+	}
+	return base + "/responses"
+}
+func (c *Client) applyAuthHeaders(req *http.Request, mode, token string) error {
+	req.Header.Set("Authorization", "Bearer "+token)
+	if mode != "account" {
+		return nil
+	}
+	accountID, err := extractAccountID(token)
+	if err != nil {
+		return &providers.Error{Code: providers.ErrAuthError, Message: "failed to extract account id from oauth token", Cause: err}
+	}
+	req.Header.Set("ChatGPT-Account-Id", accountID)
+	req.Header.Set("OpenAI-Beta", "responses=experimental")
+	req.Header.Set("originator", "orch")
+	return nil
+}
+func extractAccountID(token string) (string, error) {
+	token = strings.TrimSpace(token)
+	parts := strings.Split(token, ".")
+	if len(parts) != 3 {
+		return "", fmt.Errorf("token is not a jwt")
+	}
+	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
+	if err != nil {
+		payload, err = base64.URLEncoding.DecodeString(parts[1])
+		if err != nil {
+			return "", fmt.Errorf("failed to decode jwt payload: %w", err)
+		}
+	}
+	claims := map[string]any{}
+	if err := json.Unmarshal(payload, &claims); err != nil {
+		return "", fmt.Errorf("failed to parse jwt payload: %w", err)
+	}
+	if id, ok := claims["chatgpt_account_id"].(string); ok && strings.TrimSpace(id) != "" {
+		return strings.TrimSpace(id), nil
+	}
+	if nested, ok := claims["https://api.openai.com/auth"].(map[string]any); ok {
+		if id, ok := nested["chatgpt_account_id"].(string); ok && strings.TrimSpace(id) != "" {
+			return strings.TrimSpace(id), nil
+		}
+	}
+	if organizations, ok := claims["organizations"].([]any); ok && len(organizations) > 0 {
+		if org, ok := organizations[0].(map[string]any); ok {
+			if id, ok := org["id"].(string); ok && strings.TrimSpace(id) != "" {
+				return strings.TrimSpace(id), nil
+			}
+		}
+	}
+	return "", fmt.Errorf("chatgpt_account_id claim not found")
+}

package/internal/providers/openai/client_test.go ADDED Viewed

@@ -0,0 +1,187 @@
+package openai
+import (
+	"context"
+	"encoding/base64"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"strings"
+	"testing"
+	"github.com/furkanbeydemir/orch/internal/config"
+	"github.com/furkanbeydemir/orch/internal/providers"
+)
+type sequenceDoer struct {
+	responses []*http.Response
+	index     int
+}
+type inspectDoer struct {
+	fn func(req *http.Request) (*http.Response, error)
+}
+func (d *inspectDoer) Do(req *http.Request) (*http.Response, error) {
+	if d.fn == nil {
+		return nil, fmt.Errorf("no inspect fn configured")
+	}
+	return d.fn(req)
+}
+func (d *sequenceDoer) Do(req *http.Request) (*http.Response, error) {
+	if d.index >= len(d.responses) {
+		return nil, fmt.Errorf("no response configured")
+	}
+	resp := d.responses[d.index]
+	d.index++
+	return resp, nil
+}
+func TestChatRetriesOnRateLimit(t *testing.T) {
+	t.Setenv("OPENAI_API_KEY", "test-key")
+	client := New(config.OpenAIProviderConfig{
+		APIKeyEnv:      "OPENAI_API_KEY",
+		BaseURL:        "https://example.test/v1",
+		TimeoutSeconds: 5,
+		MaxRetries:     2,
+		Models: config.ProviderRoleModels{
+			Coder: "gpt-5.3-codex",
+		},
+	})
+	doer := &sequenceDoer{responses: []*http.Response{
+		response(http.StatusTooManyRequests, `{"error":"rate"}`),
+		response(http.StatusOK, `{"output_text":"done","status":"completed","usage":{"input_tokens":1,"output_tokens":2,"total_tokens":3}}`),
+	}}
+	out, err := client.chatWithDoer(context.Background(), providers.ChatRequest{Role: providers.RoleCoder}, doer)
+	if err != nil {
+		t.Fatalf("chat should succeed after retry: %v", err)
+	}
+	if strings.TrimSpace(out.Text) != "done" {
+		t.Fatalf("unexpected text: %q", out.Text)
+	}
+	if doer.index != 2 {
+		t.Fatalf("expected 2 attempts, got %d", doer.index)
+	}
+}
+func TestValidateMissingKey(t *testing.T) {
+	_ = os.Unsetenv("OPENAI_API_KEY")
+	client := New(config.OpenAIProviderConfig{APIKeyEnv: "OPENAI_API_KEY", BaseURL: "https://example.test/v1"})
+	err := client.Validate(context.Background())
+	if err == nil {
+		t.Fatalf("expected validate error")
+	}
+	perr, ok := err.(*providers.Error)
+	if !ok {
+		t.Fatalf("expected provider error type")
+	}
+	if perr.Code != providers.ErrAuthError {
+		t.Fatalf("unexpected error code: %s", perr.Code)
+	}
+}
+func TestMapStatusError(t *testing.T) {
+	err := mapStatusError(http.StatusUnauthorized, "bad", "chat")
+	perr, ok := err.(*providers.Error)
+	if !ok {
+		t.Fatalf("expected provider error")
+	}
+	if perr.Code != providers.ErrAuthError {
+		t.Fatalf("unexpected code: %s", perr.Code)
+	}
+}
+func TestResolveAuthTokenAccountModeWithResolver(t *testing.T) {
+	client := New(config.OpenAIProviderConfig{
+		AuthMode:        "account",
+		AccountTokenEnv: "OPENAI_ACCOUNT_TOKEN",
+	})
+	client.SetTokenResolver(func(ctx context.Context) (string, error) {
+		return "account-token", nil
+	})
+	token, err := client.resolveAuthToken(context.Background())
+	if err != nil {
+		t.Fatalf("resolve token: %v", err)
+	}
+	if token != "account-token" {
+		t.Fatalf("unexpected token: %s", token)
+	}
+}
+func TestChatAccountModeUsesCodexEndpointAndAccountHeader(t *testing.T) {
+	client := New(config.OpenAIProviderConfig{
+		AuthMode:        "account",
+		BaseURL:         "https://api.openai.com/v1",
+		AccountTokenEnv: "OPENAI_ACCOUNT_TOKEN",
+		Models: config.ProviderRoleModels{
+			Coder: "gpt-5.3-codex",
+		},
+	})
+	client.SetTokenResolver(func(ctx context.Context) (string, error) {
+		return testAccountToken("acc-123"), nil
+	})
+	doer := &inspectDoer{fn: func(req *http.Request) (*http.Response, error) {
+		if got := req.URL.String(); got != "https://chatgpt.com/backend-api/codex/responses" {
+			return nil, fmt.Errorf("unexpected request url: %s", got)
+		}
+		if got := req.Header.Get("ChatGPT-Account-Id"); got != "acc-123" {
+			return nil, fmt.Errorf("unexpected account header: %s", got)
+		}
+		if got := req.Header.Get("Authorization"); !strings.HasPrefix(got, "Bearer ") {
+			return nil, fmt.Errorf("missing auth header")
+		}
+		return response(http.StatusOK, `{"output_text":"done","status":"completed","usage":{"input_tokens":1,"output_tokens":1,"total_tokens":2}}`), nil
+	}}
+	out, err := client.chatWithDoer(context.Background(), providers.ChatRequest{Role: providers.RoleCoder}, doer)
+	if err != nil {
+		t.Fatalf("chat error: %v", err)
+	}
+	if strings.TrimSpace(out.Text) != "done" {
+		t.Fatalf("unexpected text: %q", out.Text)
+	}
+}
+func TestValidateAccountModeRejectsNonJWTToken(t *testing.T) {
+	client := New(config.OpenAIProviderConfig{
+		AuthMode:        "account",
+		AccountTokenEnv: "OPENAI_ACCOUNT_TOKEN",
+	})
+	client.SetTokenResolver(func(ctx context.Context) (string, error) {
+		return "not-a-jwt", nil
+	})
+	err := client.Validate(context.Background())
+	if err == nil {
+		t.Fatalf("expected validate error")
+	}
+	perr, ok := err.(*providers.Error)
+	if !ok {
+		t.Fatalf("expected provider error type")
+	}
+	if perr.Code != providers.ErrAuthError {
+		t.Fatalf("unexpected error code: %s", perr.Code)
+	}
+}
+func testAccountToken(accountID string) string {
+	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none"}`))
+	payload := fmt.Sprintf(`{"https://api.openai.com/auth":{"chatgpt_account_id":"%s"}}`, accountID)
+	body := base64.RawURLEncoding.EncodeToString([]byte(payload))
+	return header + "." + body + ".sig"
+}
+func response(status int, body string) *http.Response {
+	return &http.Response{
+		StatusCode: status,
+		Body:       io.NopCloser(strings.NewReader(body)),
+		Header:     make(http.Header),
+	}
+}