pi-provider-qoder 0.1.2 → 0.2.0

package/README.md

@@ -30,11 +30,25 @@ Then log in from pi:
 /login qoder
 ```
 
-The login flow will prompt you to complete authorization in your browser.
+The login menu offers two methods:
 
-### Personal Access Token (PAT) Fallback
+- **Browser Login** — OAuth device-code flow; complete authorization in your browser.
+- **Use API Key (PAT)** — paste a Qoder Personal Access Token (`pt-...`).
 
-For non-interactive environments, you can set the `QODER_PERSONAL_ACCESS_TOKEN` (or `QODER_PAT`) environment variable before starting pi. The provider will automatically pick up the PAT and authenticate.
+### Personal Access Token (PAT)
+
+A Qoder PAT (`pt-...`) cannot authenticate API calls directly — the provider
+exchanges it for a short-lived job token (mirroring the official `qodercli`
+flow) and resolves your account identity automatically. You can supply a PAT in
+two ways:
+
+- Run `/login qoder` and choose **Use API Key (PAT)**, then paste the token.
+- Set the `QODER_PERSONAL_ACCESS_TOKEN` (or `QODER_PAT`) environment variable,
+  then run `/login qoder` — the PAT is picked up automatically and exchanged
+  without further prompts. This is the recommended path for headless/CI setups.
+
+> The exchanged job token is short-lived; the provider transparently re-exchanges
+> the stored PAT when it expires.
 
 ## Models
 
@@ -70,8 +84,8 @@ Or let Qoder select automatically:
 src/
 ├── index.ts            # Extension registration
 ├── cosy.ts             # COSY Signature and Machine ID resolver
-├── login.ts            # OAuth Device Flow login sequence
-├── login-ui.ts         # Custom TUI components for login
+├── login.ts            # OAuth Device Flow + PAT login sequence
+├── pat.ts              # PAT → job-token exchange + identity resolution
 ├── models.ts           # Model definitions and Dynamic Config Cache
 ├── oauth.ts            # PAT / OAuth callback orchestrator
 ├── stream.ts           # Main streaming response handler

package/dist/index.js

@@ -1,128 +1,3 @@
-// src/login-ui.ts
-import { DynamicBorder } from "@earendil-works/pi-coding-agent";
-import { Container, SelectList, Text } from "@earendil-works/pi-tui";
-var _ctx;
-function setExtensionContext(ctx) {
-  _ctx = ctx;
-}
-function hasExtensionContext() {
-  return _ctx !== void 0;
-}
-async function showLoginUI() {
-  if (!_ctx) return null;
-  const ctx = _ctx;
-  return ctx.ui.custom((tui, theme, _kb, done) => {
-    const mainItems = [
-      { value: "web", label: "Browser Login", description: "Sign in via browser (OAuth device flow)" }
-    ];
-    const container = new Container();
-    const border = new DynamicBorder((s) => theme.fg("accent", s));
-    const title = new Text(theme.fg("accent", theme.bold("Qoder Login")), 1, 0);
-    const hint = new Text(theme.fg("dim", "\u2191\u2193 navigate \u2022 enter select \u2022 esc cancel"), 1, 0);
-    const borderBottom = new DynamicBorder((s) => theme.fg("accent", s));
-    const selectList = new SelectList(mainItems, mainItems.length, {
-      selectedPrefix: (t) => theme.fg("accent", t),
-      selectedText: (t) => theme.fg("accent", t),
-      description: (t) => theme.fg("muted", t),
-      scrollInfo: (t) => theme.fg("dim", t),
-      noMatch: (t) => theme.fg("warning", t)
-    });
-    selectList.onSelect = (item) => {
-      done({ method: item.value });
-    };
-    selectList.onCancel = () => done(null);
-    container.addChild(border);
-    container.addChild(title);
-    container.addChild(selectList);
-    container.addChild(hint);
-    container.addChild(borderBottom);
-    tui.requestRender();
-    return {
-      render(width) {
-        return container.render(width);
-      },
-      invalidate() {
-        container.invalidate();
-      },
-      handleInput(data) {
-        selectList.handleInput(data);
-        tui.requestRender();
-      }
-    };
-  });
-}
-async function showWaitingUI(outerCallbacks, runAuth) {
-  if (!_ctx) {
-    return runAuth(outerCallbacks);
-  }
-  const ctx = _ctx;
-  return ctx.ui.custom((tui, theme, _kb, done) => {
-    const container = new Container();
-    const border = new DynamicBorder((s) => theme.fg("accent", s));
-    const title = new Text(theme.fg("accent", theme.bold("Qoder Login - Authorization")), 1, 0);
-    const borderBottom = new DynamicBorder((s) => theme.fg("accent", s));
-    const statusText = new Text("Initiating login flow...", 1, 0);
-    const urlText = new Text("", 1, 0);
-    const instructionsText = new Text("", 1, 0);
-    const hint = new Text(theme.fg("dim", "esc cancel / back"), 1, 0);
-    container.addChild(border);
-    container.addChild(title);
-    container.addChild(statusText);
-    container.addChild(urlText);
-    container.addChild(instructionsText);
-    container.addChild(hint);
-    container.addChild(borderBottom);
-    const abortCtrl = new AbortController();
-    let onAuthCalled = false;
-    const mergedCallbacks = {
-      ...outerCallbacks,
-      onProgress: (msg) => {
-        outerCallbacks.onProgress?.(msg);
-        statusText.setText(msg);
-        tui.requestRender();
-      },
-      onAuth: (info) => {
-        if (!onAuthCalled) {
-          onAuthCalled = true;
-          outerCallbacks.onAuth?.(info);
-        }
-        urlText.setText(`URL: ${info.url}`);
-        instructionsText.setText(info.instructions || "");
-        tui.requestRender();
-      },
-      signal: abortCtrl.signal
-    };
-    runAuth(mergedCallbacks).then(
-      (creds) => {
-        done(creds);
-      },
-      (err) => {
-        if (abortCtrl.signal.aborted) {
-          done(null);
-        } else {
-          statusText.setText(theme.fg("warning", `Error: ${err.message || err}`));
-          tui.requestRender();
-          setTimeout(() => done(null), 3e3);
-        }
-      }
-    );
-    return {
-      render(width) {
-        return container.render(width);
-      },
-      invalidate() {
-        container.invalidate();
-      },
-      handleInput(data) {
-        if (data.length === 1 && data.charCodeAt(0) === 27 || data === "q") {
-          abortCtrl.abort();
-          done(null);
-        }
-      }
-    };
-  });
-}
-
 // src/models.ts
 import { existsSync as existsSync2, mkdirSync as mkdirSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "node:fs";
 import { homedir as homedir2 } from "node:os";
@@ -425,7 +300,7 @@ function getCachedModelConfig(modelKey) {
   if (existsSync2(CACHE_PATH)) {
     try {
       const data = JSON.parse(readFileSync2(CACHE_PATH, "utf8"));
-      if (data && data.configs && data.configs[modelKey]) {
+      if (data?.configs?.[modelKey]) {
         return data.configs[modelKey];
       }
     } catch {
@@ -534,6 +409,101 @@ import { join as join3 } from "node:path";
 
 // src/login.ts
 import crypto2 from "node:crypto";
+
+// src/pat.ts
+var UA = "pi-provider-qoder";
+var EXCHANGE_URL = "https://openapi.qoder.sh/api/v1/jobToken/exchange";
+var USERINFO_URL = "https://openapi.qoder.sh/api/v1/userinfo";
+var PAT_REFRESH_PREFIX = "pat";
+function isPatRefresh(refresh) {
+  return refresh.startsWith(`${PAT_REFRESH_PREFIX}|`);
+}
+function encodePatRefresh(pat, jobRefreshToken, userID, machineID) {
+  return [PAT_REFRESH_PREFIX, pat, jobRefreshToken, userID, machineID].join("|");
+}
+function decodePatRefresh(refresh) {
+  const parts = refresh.split("|");
+  return {
+    pat: parts[1] || "",
+    jobRefreshToken: parts[2] || "",
+    userID: parts[3] || "",
+    machineID: parts[4] || ""
+  };
+}
+async function exchangeJobToken(pat) {
+  const res = await fetch(EXCHANGE_URL, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Accept: "application/json",
+      "User-Agent": UA,
+      "Cosy-Version": "1.0.1",
+      "Cosy-ClientType": "5"
+    },
+    body: JSON.stringify({ personal_token: pat })
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`Qoder PAT exchange failed: ${res.status} ${res.statusText}. ${text.slice(0, 200)}`);
+  }
+  const data = await res.json();
+  if (!data.token) {
+    throw new Error("Qoder PAT exchange returned no job token");
+  }
+  let expiresAt = Date.now() + 24 * 60 * 60 * 1e3;
+  if (data.expires_at) {
+    const parsed = Date.parse(data.expires_at);
+    if (!Number.isNaN(parsed)) expiresAt = parsed;
+  } else if (data.expires_in) {
+    expiresAt = Date.now() + data.expires_in;
+  }
+  return {
+    jobToken: data.token,
+    jobRefreshToken: data.refresh_token || "",
+    expiresAt
+  };
+}
+async function fetchUserInfo(jobToken) {
+  let userID = "";
+  let email = "";
+  let name = "";
+  try {
+    const res = await fetch(USERINFO_URL, {
+      headers: {
+        Authorization: `Bearer ${jobToken}`,
+        Accept: "application/json",
+        "User-Agent": UA,
+        "Cosy-Version": "1.0.1",
+        "Cosy-ClientType": "5"
+      }
+    });
+    if (res.ok) {
+      const info = await res.json();
+      userID = info.id || "";
+      email = info.email || "";
+      name = info.name || info.username || "";
+    }
+  } catch {
+  }
+  return { userID, email, name };
+}
+async function credentialsFromPat(pat) {
+  const { jobToken, jobRefreshToken, expiresAt } = await exchangeJobToken(pat);
+  const { userID, email, name } = await fetchUserInfo(jobToken);
+  const machineID = getMachineId();
+  return {
+    refresh: encodePatRefresh(pat, jobRefreshToken, userID, machineID),
+    access: jobToken,
+    expires: expiresAt - 5 * 60 * 1e3,
+    // 5 min buffer
+    userID,
+    email,
+    name,
+    machineID
+  };
+}
+
+// src/login.ts
 function getPrompt(callbacks) {
   return callbacks.onPrompt;
 }
@@ -561,29 +531,39 @@ function parseExpiresAt(s, expiresInSeconds) {
   return Date.now() + 30 * 24 * 60 * 60 * 1e3;
 }
 async function interactiveLogin(callbacks) {
-  if (hasExtensionContext()) {
-    const choice = await showLoginUI();
-    if (!choice) {
-      throw new Error("Login cancelled");
-    }
-    const runAuth = async (mergedCallbacks) => {
-      return runDeviceFlow(mergedCallbacks);
-    };
-    const creds = await showWaitingUI(callbacks, runAuth);
-    if (!creds) {
-      throw new Error("Login cancelled");
-    }
-    return creds;
-  }
   const prompt = getPrompt(callbacks);
-  const proceed = await prompt({
-    message: "Press Enter to start browser login for Qoder",
-    placeholder: "press enter",
+  const pat = await prompt({
+    message: "Paste a Qoder Personal Access Token (pt-...), or leave empty for browser login",
+    placeholder: "pt-...",
     allowEmpty: true
   });
   if (getSignal(callbacks)?.aborted) throw new Error("Login cancelled");
+  if (pat?.trim()) {
+    return patLogin(callbacks, pat.trim());
+  }
+  if (getSignal(callbacks)?.aborted) throw new Error("Login cancelled");
   return runDeviceFlow(callbacks);
 }
+async function patLogin(callbacks, providedPat) {
+  let pat = providedPat;
+  if (!pat) {
+    const prompt = getPrompt(callbacks);
+    const entered = await prompt({
+      message: "Paste your Qoder Personal Access Token (pt-...)",
+      placeholder: "pt-...",
+      allowEmpty: false
+    });
+    if (getSignal(callbacks)?.aborted) throw new Error("Login cancelled");
+    pat = entered?.trim();
+  }
+  if (!pat) {
+    throw new Error("No Personal Access Token provided");
+  }
+  getProgress(callbacks)?.("Exchanging access token...");
+  const creds = await credentialsFromPat(pat);
+  getProgress(callbacks)?.("Login successful!");
+  return creds;
+}
 function abortableDelay(ms, signal) {
   if (signal?.aborted) return Promise.reject(signal.reason || new Error("Login cancelled"));
   return new Promise((resolve, reject) => {
@@ -666,7 +646,8 @@ async function runDeviceFlow(callbacks) {
         machineID
       };
     } catch (e) {
-      if (e.name === "AbortError" || getSignal(callbacks)?.aborted) {
+      const err = e;
+      if (err.name === "AbortError" || getSignal(callbacks)?.aborted) {
         throw new Error("Login cancelled");
       }
       throw e;
@@ -682,7 +663,7 @@ function getCachedCredentials(_accessToken) {
     try {
       const auth = JSON.parse(readFileSync3(AUTH_FILE, "utf-8"));
       const creds = auth?.qoder;
-      if (creds && creds.userID) {
+      if (creds?.userID) {
         return creds;
       }
     } catch {
@@ -694,33 +675,11 @@ async function loginQoder(callbacks) {
   const pat = process.env.QODER_PERSONAL_ACCESS_TOKEN || process.env.QODER_PAT;
   if (pat) {
     try {
-      const userinfoRes = await fetch("https://openapi.qoder.sh/api/v1/userinfo", {
-        headers: {
-          Authorization: `Bearer ${pat}`,
-          Accept: "application/json",
-          "User-Agent": "pi-provider-qoder"
-        }
+      const creds2 = await credentialsFromPat(pat);
+      const qCreds = creds2;
+      updateQoderModelsCache(qCreds.access, qCreds.userID, qCreds.name, qCreds.email).catch(() => {
       });
-      if (userinfoRes.ok) {
-        const userinfo = await userinfoRes.json();
-        const email = userinfo.email || "";
-        const name = userinfo.name || userinfo.username || "";
-        const userID = userinfo.id || "pat";
-        const machineID = getMachineId();
-        const creds2 = {
-          refresh: `pat|${userID}|${machineID}`,
-          access: pat,
-          expires: Date.now() + 30 * 24 * 60 * 60 * 1e3,
-          // 30 days
-          userID,
-          email,
-          name,
-          machineID
-        };
-        updateQoderModelsCache(pat, userID, name, email).catch(() => {
-        });
-        return creds2;
-      }
+      return creds2;
     } catch {
     }
   }
@@ -734,16 +693,31 @@ async function loginQoder(callbacks) {
   return creds;
 }
 async function refreshQoderToken(credentials) {
-  const parts = credentials.refresh.split("|");
-  const refreshToken = parts[0] || "";
-  const userID = parts[1] || "";
-  const machineID = parts[2] || getMachineId();
-  if (refreshToken === "pat") {
+  if (isPatRefresh(credentials.refresh)) {
+    const { pat } = decodePatRefresh(credentials.refresh);
+    if (pat) {
+      try {
+        const refreshed = await credentialsFromPat(pat);
+        const qCreds = refreshed;
+        updateQoderModelsCache(qCreds.access, qCreds.userID, qCreds.name, qCreds.email).catch(() => {
+        });
+        return refreshed;
+      } catch {
+      }
+    }
     return {
       ...credentials,
-      expires: Date.now() + 30 * 24 * 60 * 60 * 1e3
+      expires: Date.now() + 60 * 60 * 1e3
+      // extend 1 hour to retry later
     };
   }
+  const parts = credentials.refresh.split("|");
+  const refreshToken = parts[0] || "";
+  const userID = parts[1] || "";
+  const machineID = parts[2] || getMachineId();
+  const prev = credentials;
+  const prevName = prev.name || "";
+  const prevEmail = prev.email || "";
   const refreshURL = "https://center.qoder.sh/algo/api/v3/user/refresh_token";
   try {
     const response = await fetch(refreshURL, {
@@ -773,16 +747,11 @@ async function refreshQoderToken(credentials) {
         access: newAccess,
         expires: expireMs - 5 * 60 * 1e3,
         userID,
-        email: credentials.email || "",
-        name: credentials.name || "",
+        email: prevEmail,
+        name: prevName,
         machineID
       };
-      updateQoderModelsCache(
-        newAccess,
-        userID,
-        credentials.name || "",
-        credentials.email || ""
-      ).catch(() => {
+      updateQoderModelsCache(newAccess, userID, prevName, prevEmail).catch(() => {
       });
       return refreshed;
     }
@@ -1046,7 +1015,7 @@ function transformMessagesForQoder(messages) {
               };
             }
             return null;
-          }).filter(Boolean);
+          }).filter((p) => p !== null);
         } else {
           content = getContentText(msg);
         }
@@ -1118,11 +1087,11 @@ function stableChatRecordID(model, messages, tools, maxTokens) {
   hash.update("\0");
   hash.update(model);
   for (const msg of messages) {
-    if (msg && msg.role) {
+    if (msg?.role) {
       hash.update("\0");
       hash.update(msg.role);
     }
-    if (msg && msg.content) {
+    if (msg?.content) {
       hash.update("\0");
       hash.update(typeof msg.content === "string" ? msg.content : JSON.stringify(msg.content));
     }
@@ -1186,7 +1155,7 @@ function streamQoder(model, context, options) {
       for (let i = normalizedMessages.length - 1; i >= 0; i--) {
         if (normalizedMessages[i].role === "user") {
           const content = normalizedMessages[i].content;
-          lastUserText = typeof content === "string" ? content : Array.isArray(content) ? content.map((c) => c.text || "").join("") : "";
+          lastUserText = typeof content === "string" ? content : Array.isArray(content) ? content.map((c) => "text" in c ? c.text : "").join("") : "";
           break;
         }
       }
@@ -1361,7 +1330,7 @@ function streamQoder(model, context, options) {
                   for (const tc of delta.tool_calls) {
                     const idx = tc.index ?? 0;
                     if (!toolCallsState[idx]) {
-                      toolCallsState[idx] = { arguments: "" };
+                      toolCallsState[idx] = { arguments: "", id: "", name: "", contentIndex: 0 };
                     }
                     const state = toolCallsState[idx];
                     if (tc.id) state.id = tc.id;
@@ -1407,7 +1376,7 @@ function streamQoder(model, context, options) {
         });
       }
       for (const state of toolCallsState) {
-        if (state && state.emittedStart && !state.emittedEnd) {
+        if (state?.emittedStart && !state.emittedEnd) {
           state.emittedEnd = true;
           let args = {};
           try {
@@ -1498,30 +1467,28 @@ async function fetchQoderUsage(credentials) {
 
 // src/index.ts
 function index_default(pi) {
-  pi.on("session_start", async (_event, ctx) => {
-    setExtensionContext(ctx);
-  });
+  const oauth = {
+    name: "Qoder (Browser OAuth / PAT)",
+    login: loginQoder,
+    refreshToken: refreshQoderToken,
+    getApiKey: (cred) => cred.access,
+    modifyModels: (models, _cred) => {
+      const cached = getCachedModels();
+      const nonQoder = models.filter((m) => m.provider !== "qoder");
+      const modelsToUse = cached.length > 0 ? cached : staticModels;
+      const modifiedQoder = modelsToUse.map((m) => ({
+        ...m,
+        baseUrl: "https://api3.qoder.sh/"
+      }));
+      return [...nonQoder, ...modifiedQoder];
+    },
+    fetchUsage: fetchQoderUsage
+  };
   pi.registerProvider("qoder", {
     baseUrl: "https://api3.qoder.sh/",
     api: "qoder-api",
     models: getCachedModels(),
-    oauth: {
-      name: "Qoder (Browser OAuth / PAT)",
-      login: loginQoder,
-      refreshToken: refreshQoderToken,
-      getApiKey: (cred) => cred.access,
-      modifyModels: (models, cred) => {
-        const cached = getCachedModels();
-        const nonQoder = models.filter((m) => m.provider !== "qoder");
-        const modelsToUse = cached.length > 0 ? cached : staticModels;
-        const modifiedQoder = modelsToUse.map((m) => ({
-          ...m,
-          baseUrl: "https://api3.qoder.sh/"
-        }));
-        return [...nonQoder, ...modifiedQoder];
-      },
-      fetchUsage: fetchQoderUsage
-    },
+    oauth,
     streamSimple: streamQoder
   });
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-provider-qoder",
-  "version": "0.1.2",
+  "version": "0.2.0",
   "description": "Pi extension for Qoder AI — with OAuth authentication, COSY signatures and WAF bypass",
   "type": "module",
   "license": "MIT",
@@ -19,7 +19,7 @@
     "README.md"
   ],
   "scripts": {
-    "build": "./node_modules/esbuild/bin/esbuild src/index.ts --bundle --platform=node --format=esm --outfile=dist/index.js --external:@earendil-works/pi-ai --external:@earendil-works/pi-coding-agent --external:@earendil-works/pi-tui",
+    "build": "./node_modules/esbuild/bin/esbuild src/index.ts --bundle --platform=node --format=esm --outfile=dist/index.js --external:@earendil-works/pi-ai --external:@earendil-works/pi-coding-agent",
     "check": "node node_modules/typescript/bin/tsc --noEmit",
     "lint": "node node_modules/@biomejs/biome/bin/biome check .",
     "lint:fix": "node node_modules/@biomejs/biome/bin/biome check --write .",
@@ -36,7 +36,6 @@
     "@biomejs/biome": "2.4.2",
     "@earendil-works/pi-ai": "^0.75.5",
     "@earendil-works/pi-coding-agent": "^0.75.5",
-    "@earendil-works/pi-tui": "^0.75.5",
     "esbuild": "^0.25.0",
     "typescript": "^5.7.0"
   },