piclaw 0.0.20 → 0.0.21

package/.output/server/_libs/mariozechner__pi-ai.mjs

@@ -0,0 +1,1472 @@
+import { r as __exportAll } from "../_runtime.mjs";
+import { c as getModels } from "./@mariozechner/pi-agent-core+[...].mjs";
+/**
+* PKCE utilities using Web Crypto API.
+* Works in both Node.js 20+ and browsers.
+*/
+/**
+* Encode bytes as base64url string.
+*/
+function base64urlEncode(bytes) {
+	let binary = "";
+	for (const byte of bytes) binary += String.fromCharCode(byte);
+	return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+/**
+* Generate PKCE code verifier and challenge.
+* Uses Web Crypto API for cross-platform compatibility.
+*/
+async function generatePKCE() {
+	const verifierBytes = new Uint8Array(32);
+	crypto.getRandomValues(verifierBytes);
+	const verifier = base64urlEncode(verifierBytes);
+	const data = new TextEncoder().encode(verifier);
+	const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+	return {
+		verifier,
+		challenge: base64urlEncode(new Uint8Array(hashBuffer))
+	};
+}
+/**
+* Anthropic OAuth flow (Claude Pro/Max)
+*/
+var decode$3 = (s) => atob(s);
+var CLIENT_ID$4 = decode$3("OWQxYzI1MGEtZTYxYi00NGQ5LTg4ZWQtNTk0NGQxOTYyZjVl");
+var AUTHORIZE_URL$1 = "https://claude.ai/oauth/authorize";
+var TOKEN_URL$3 = "https://console.anthropic.com/v1/oauth/token";
+var REDIRECT_URI$3 = "https://console.anthropic.com/oauth/code/callback";
+var SCOPES$2 = "org:create_api_key user:profile user:inference";
+/**
+* Login with Anthropic OAuth (device code flow)
+*
+* @param onAuthUrl - Callback to handle the authorization URL (e.g., open browser)
+* @param onPromptCode - Callback to prompt user for the authorization code
+*/
+async function loginAnthropic(onAuthUrl, onPromptCode) {
+	const { verifier, challenge } = await generatePKCE();
+	onAuthUrl(`${AUTHORIZE_URL$1}?${new URLSearchParams({
+		code: "true",
+		client_id: CLIENT_ID$4,
+		response_type: "code",
+		redirect_uri: REDIRECT_URI$3,
+		scope: SCOPES$2,
+		code_challenge: challenge,
+		code_challenge_method: "S256",
+		state: verifier
+	}).toString()}`);
+	const splits = (await onPromptCode()).split("#");
+	const code = splits[0];
+	const state = splits[1];
+	const tokenResponse = await fetch(TOKEN_URL$3, {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify({
+			grant_type: "authorization_code",
+			client_id: CLIENT_ID$4,
+			code,
+			state,
+			redirect_uri: REDIRECT_URI$3,
+			code_verifier: verifier
+		})
+	});
+	if (!tokenResponse.ok) {
+		const error = await tokenResponse.text();
+		throw new Error(`Token exchange failed: ${error}`);
+	}
+	const tokenData = await tokenResponse.json();
+	const expiresAt = Date.now() + tokenData.expires_in * 1e3 - 300 * 1e3;
+	return {
+		refresh: tokenData.refresh_token,
+		access: tokenData.access_token,
+		expires: expiresAt
+	};
+}
+/**
+* Refresh Anthropic OAuth token
+*/
+async function refreshAnthropicToken(refreshToken) {
+	const response = await fetch(TOKEN_URL$3, {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify({
+			grant_type: "refresh_token",
+			client_id: CLIENT_ID$4,
+			refresh_token: refreshToken
+		})
+	});
+	if (!response.ok) {
+		const error = await response.text();
+		throw new Error(`Anthropic token refresh failed: ${error}`);
+	}
+	const data = await response.json();
+	return {
+		refresh: data.refresh_token,
+		access: data.access_token,
+		expires: Date.now() + data.expires_in * 1e3 - 300 * 1e3
+	};
+}
+const anthropicOAuthProvider = {
+	id: "anthropic",
+	name: "Anthropic (Claude Pro/Max)",
+	async login(callbacks) {
+		return loginAnthropic((url) => callbacks.onAuth({ url }), () => callbacks.onPrompt({ message: "Paste the authorization code:" }));
+	},
+	async refreshToken(credentials) {
+		return refreshAnthropicToken(credentials.refresh);
+	},
+	getApiKey(credentials) {
+		return credentials.access;
+	}
+};
+/**
+* GitHub Copilot OAuth flow
+*/
+var decode$2 = (s) => atob(s);
+var CLIENT_ID$3 = decode$2("SXYxLmI1MDdhMDhjODdlY2ZlOTg=");
+var COPILOT_HEADERS = {
+	"User-Agent": "GitHubCopilotChat/0.35.0",
+	"Editor-Version": "vscode/1.107.0",
+	"Editor-Plugin-Version": "copilot-chat/0.35.0",
+	"Copilot-Integration-Id": "vscode-chat"
+};
+function normalizeDomain(input) {
+	const trimmed = input.trim();
+	if (!trimmed) return null;
+	try {
+		return (trimmed.includes("://") ? new URL(trimmed) : new URL(`https://${trimmed}`)).hostname;
+	} catch {
+		return null;
+	}
+}
+function getUrls(domain) {
+	return {
+		deviceCodeUrl: `https://${domain}/login/device/code`,
+		accessTokenUrl: `https://${domain}/login/oauth/access_token`,
+		copilotTokenUrl: `https://api.${domain}/copilot_internal/v2/token`
+	};
+}
+/**
+* Parse the proxy-ep from a Copilot token and convert to API base URL.
+* Token format: tid=...;exp=...;proxy-ep=proxy.individual.githubcopilot.com;...
+* Returns API URL like https://api.individual.githubcopilot.com
+*/
+function getBaseUrlFromToken(token) {
+	const match = token.match(/proxy-ep=([^;]+)/);
+	if (!match) return null;
+	return `https://${match[1].replace(/^proxy\./, "api.")}`;
+}
+function getGitHubCopilotBaseUrl(token, enterpriseDomain) {
+	if (token) {
+		const urlFromToken = getBaseUrlFromToken(token);
+		if (urlFromToken) return urlFromToken;
+	}
+	if (enterpriseDomain) return `https://copilot-api.${enterpriseDomain}`;
+	return "https://api.individual.githubcopilot.com";
+}
+async function fetchJson(url, init) {
+	const response = await fetch(url, init);
+	if (!response.ok) {
+		const text = await response.text();
+		throw new Error(`${response.status} ${response.statusText}: ${text}`);
+	}
+	return response.json();
+}
+async function startDeviceFlow(domain) {
+	const data = await fetchJson(getUrls(domain).deviceCodeUrl, {
+		method: "POST",
+		headers: {
+			Accept: "application/json",
+			"Content-Type": "application/json",
+			"User-Agent": "GitHubCopilotChat/0.35.0"
+		},
+		body: JSON.stringify({
+			client_id: CLIENT_ID$3,
+			scope: "read:user"
+		})
+	});
+	if (!data || typeof data !== "object") throw new Error("Invalid device code response");
+	const deviceCode = data.device_code;
+	const userCode = data.user_code;
+	const verificationUri = data.verification_uri;
+	const interval = data.interval;
+	const expiresIn = data.expires_in;
+	if (typeof deviceCode !== "string" || typeof userCode !== "string" || typeof verificationUri !== "string" || typeof interval !== "number" || typeof expiresIn !== "number") throw new Error("Invalid device code response fields");
+	return {
+		device_code: deviceCode,
+		user_code: userCode,
+		verification_uri: verificationUri,
+		interval,
+		expires_in: expiresIn
+	};
+}
+/**
+* Sleep that can be interrupted by an AbortSignal
+*/
+function abortableSleep(ms, signal) {
+	return new Promise((resolve, reject) => {
+		if (signal?.aborted) {
+			reject(/* @__PURE__ */ new Error("Login cancelled"));
+			return;
+		}
+		const timeout = setTimeout(resolve, ms);
+		signal?.addEventListener("abort", () => {
+			clearTimeout(timeout);
+			reject(/* @__PURE__ */ new Error("Login cancelled"));
+		}, { once: true });
+	});
+}
+async function pollForGitHubAccessToken(domain, deviceCode, intervalSeconds, expiresIn, signal) {
+	const urls = getUrls(domain);
+	const deadline = Date.now() + expiresIn * 1e3;
+	let intervalMs = Math.max(1e3, Math.floor(intervalSeconds * 1e3));
+	while (Date.now() < deadline) {
+		if (signal?.aborted) throw new Error("Login cancelled");
+		const raw = await fetchJson(urls.accessTokenUrl, {
+			method: "POST",
+			headers: {
+				Accept: "application/json",
+				"Content-Type": "application/json",
+				"User-Agent": "GitHubCopilotChat/0.35.0"
+			},
+			body: JSON.stringify({
+				client_id: CLIENT_ID$3,
+				device_code: deviceCode,
+				grant_type: "urn:ietf:params:oauth:grant-type:device_code"
+			})
+		});
+		if (raw && typeof raw === "object" && typeof raw.access_token === "string") return raw.access_token;
+		if (raw && typeof raw === "object" && typeof raw.error === "string") {
+			const err = raw.error;
+			if (err === "authorization_pending") {
+				await abortableSleep(intervalMs, signal);
+				continue;
+			}
+			if (err === "slow_down") {
+				intervalMs += 5e3;
+				await abortableSleep(intervalMs, signal);
+				continue;
+			}
+			throw new Error(`Device flow failed: ${err}`);
+		}
+		await abortableSleep(intervalMs, signal);
+	}
+	throw new Error("Device flow timed out");
+}
+/**
+* Refresh GitHub Copilot token
+*/
+async function refreshGitHubCopilotToken(refreshToken, enterpriseDomain) {
+	const raw = await fetchJson(getUrls(enterpriseDomain || "github.com").copilotTokenUrl, { headers: {
+		Accept: "application/json",
+		Authorization: `Bearer ${refreshToken}`,
+		...COPILOT_HEADERS
+	} });
+	if (!raw || typeof raw !== "object") throw new Error("Invalid Copilot token response");
+	const token = raw.token;
+	const expiresAt = raw.expires_at;
+	if (typeof token !== "string" || typeof expiresAt !== "number") throw new Error("Invalid Copilot token response fields");
+	return {
+		refresh: refreshToken,
+		access: token,
+		expires: expiresAt * 1e3 - 300 * 1e3,
+		enterpriseUrl: enterpriseDomain
+	};
+}
+/**
+* Enable a model for the user's GitHub Copilot account.
+* This is required for some models (like Claude, Grok) before they can be used.
+*/
+async function enableGitHubCopilotModel(token, modelId, enterpriseDomain) {
+	const url = `${getGitHubCopilotBaseUrl(token, enterpriseDomain)}/models/${modelId}/policy`;
+	try {
+		return (await fetch(url, {
+			method: "POST",
+			headers: {
+				"Content-Type": "application/json",
+				Authorization: `Bearer ${token}`,
+				...COPILOT_HEADERS,
+				"openai-intent": "chat-policy",
+				"x-interaction-type": "chat-policy"
+			},
+			body: JSON.stringify({ state: "enabled" })
+		})).ok;
+	} catch {
+		return false;
+	}
+}
+/**
+* Enable all known GitHub Copilot models that may require policy acceptance.
+* Called after successful login to ensure all models are available.
+*/
+async function enableAllGitHubCopilotModels(token, enterpriseDomain, onProgress) {
+	const models = getModels("github-copilot");
+	await Promise.all(models.map(async (model) => {
+		const success = await enableGitHubCopilotModel(token, model.id, enterpriseDomain);
+		onProgress?.(model.id, success);
+	}));
+}
+/**
+* Login with GitHub Copilot OAuth (device code flow)
+*
+* @param options.onAuth - Callback with URL and optional instructions (user code)
+* @param options.onPrompt - Callback to prompt user for input
+* @param options.onProgress - Optional progress callback
+* @param options.signal - Optional AbortSignal for cancellation
+*/
+async function loginGitHubCopilot(options) {
+	const input = await options.onPrompt({
+		message: "GitHub Enterprise URL/domain (blank for github.com)",
+		placeholder: "company.ghe.com",
+		allowEmpty: true
+	});
+	if (options.signal?.aborted) throw new Error("Login cancelled");
+	const trimmed = input.trim();
+	const enterpriseDomain = normalizeDomain(input);
+	if (trimmed && !enterpriseDomain) throw new Error("Invalid GitHub Enterprise URL/domain");
+	const domain = enterpriseDomain || "github.com";
+	const device = await startDeviceFlow(domain);
+	options.onAuth(device.verification_uri, `Enter code: ${device.user_code}`);
+	const credentials = await refreshGitHubCopilotToken(await pollForGitHubAccessToken(domain, device.device_code, device.interval, device.expires_in, options.signal), enterpriseDomain ?? void 0);
+	options.onProgress?.("Enabling models...");
+	await enableAllGitHubCopilotModels(credentials.access, enterpriseDomain ?? void 0);
+	return credentials;
+}
+const githubCopilotOAuthProvider = {
+	id: "github-copilot",
+	name: "GitHub Copilot",
+	async login(callbacks) {
+		return loginGitHubCopilot({
+			onAuth: (url, instructions) => callbacks.onAuth({
+				url,
+				instructions
+			}),
+			onPrompt: callbacks.onPrompt,
+			onProgress: callbacks.onProgress,
+			signal: callbacks.signal
+		});
+	},
+	async refreshToken(credentials) {
+		const creds = credentials;
+		return refreshGitHubCopilotToken(creds.refresh, creds.enterpriseUrl);
+	},
+	getApiKey(credentials) {
+		return credentials.access;
+	},
+	modifyModels(models, credentials) {
+		const creds = credentials;
+		const domain = creds.enterpriseUrl ? normalizeDomain(creds.enterpriseUrl) ?? void 0 : void 0;
+		const baseUrl = getGitHubCopilotBaseUrl(creds.access, domain);
+		return models.map((m) => m.provider === "github-copilot" ? {
+			...m,
+			baseUrl
+		} : m);
+	}
+};
+/**
+* Antigravity OAuth flow (Gemini 3, Claude, GPT-OSS via Google Cloud)
+* Uses different OAuth credentials than google-gemini-cli for access to additional models.
+*
+* NOTE: This module uses Node.js http.createServer for the OAuth callback.
+* It is only intended for CLI use, not browser environments.
+*/
+var _createServer$1 = null;
+var _httpImportPromise$1 = null;
+if (typeof process !== "undefined" && (process.versions?.node || process.versions?.bun)) _httpImportPromise$1 = import("node:http").then((m) => {
+	_createServer$1 = m.createServer;
+});
+var decode$1 = (s) => atob(s);
+var CLIENT_ID$2 = decode$1("MTA3MTAwNjA2MDU5MS10bWhzc2luMmgyMWxjcmUyMzV2dG9sb2poNGc0MDNlcC5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbQ==");
+var CLIENT_SECRET$1 = decode$1("R09DU1BYLUs1OEZXUjQ4NkxkTEoxbUxCOHNYQzR6NnFEQWY=");
+var REDIRECT_URI$2 = "http://localhost:51121/oauth-callback";
+var SCOPES$1 = [
+	"https://www.googleapis.com/auth/cloud-platform",
+	"https://www.googleapis.com/auth/userinfo.email",
+	"https://www.googleapis.com/auth/userinfo.profile",
+	"https://www.googleapis.com/auth/cclog",
+	"https://www.googleapis.com/auth/experimentsandconfigs"
+];
+var AUTH_URL$1 = "https://accounts.google.com/o/oauth2/v2/auth";
+var TOKEN_URL$2 = "https://oauth2.googleapis.com/token";
+var DEFAULT_PROJECT_ID = "rising-fact-p41fc";
+/**
+* Start a local HTTP server to receive the OAuth callback
+*/
+async function getNodeCreateServer$1() {
+	if (_createServer$1) return _createServer$1;
+	if (_httpImportPromise$1) await _httpImportPromise$1;
+	if (_createServer$1) return _createServer$1;
+	throw new Error("Antigravity OAuth is only available in Node.js environments");
+}
+async function startCallbackServer$1() {
+	const createServer = await getNodeCreateServer$1();
+	return new Promise((resolve, reject) => {
+		let result = null;
+		let cancelled = false;
+		const server = createServer((req, res) => {
+			const url = new URL(req.url || "", `http://localhost:51121`);
+			if (url.pathname === "/oauth-callback") {
+				const code = url.searchParams.get("code");
+				const state = url.searchParams.get("state");
+				const error = url.searchParams.get("error");
+				if (error) {
+					res.writeHead(400, { "Content-Type": "text/html" });
+					res.end(`<html><body><h1>Authentication Failed</h1><p>Error: ${error}</p><p>You can close this window.</p></body></html>`);
+					return;
+				}
+				if (code && state) {
+					res.writeHead(200, { "Content-Type": "text/html" });
+					res.end(`<html><body><h1>Authentication Successful</h1><p>You can close this window and return to the terminal.</p></body></html>`);
+					result = {
+						code,
+						state
+					};
+				} else {
+					res.writeHead(400, { "Content-Type": "text/html" });
+					res.end(`<html><body><h1>Authentication Failed</h1><p>Missing code or state parameter.</p></body></html>`);
+				}
+			} else {
+				res.writeHead(404);
+				res.end();
+			}
+		});
+		server.on("error", (err) => {
+			reject(err);
+		});
+		server.listen(51121, "127.0.0.1", () => {
+			resolve({
+				server,
+				cancelWait: () => {
+					cancelled = true;
+				},
+				waitForCode: async () => {
+					const sleep = () => new Promise((r) => setTimeout(r, 100));
+					while (!result && !cancelled) await sleep();
+					return result;
+				}
+			});
+		});
+	});
+}
+/**
+* Parse redirect URL to extract code and state
+*/
+function parseRedirectUrl$1(input) {
+	const value = input.trim();
+	if (!value) return {};
+	try {
+		const url = new URL(value);
+		return {
+			code: url.searchParams.get("code") ?? void 0,
+			state: url.searchParams.get("state") ?? void 0
+		};
+	} catch {
+		return {};
+	}
+}
+/**
+* Discover or provision a project for the user
+*/
+async function discoverProject$1(accessToken, onProgress) {
+	const headers = {
+		Authorization: `Bearer ${accessToken}`,
+		"Content-Type": "application/json",
+		"User-Agent": "google-api-nodejs-client/9.15.1",
+		"X-Goog-Api-Client": "google-cloud-sdk vscode_cloudshelleditor/0.1",
+		"Client-Metadata": JSON.stringify({
+			ideType: "IDE_UNSPECIFIED",
+			platform: "PLATFORM_UNSPECIFIED",
+			pluginType: "GEMINI"
+		})
+	};
+	const endpoints = ["https://cloudcode-pa.googleapis.com", "https://daily-cloudcode-pa.sandbox.googleapis.com"];
+	onProgress?.("Checking for existing project...");
+	for (const endpoint of endpoints) try {
+		const loadResponse = await fetch(`${endpoint}/v1internal:loadCodeAssist`, {
+			method: "POST",
+			headers,
+			body: JSON.stringify({ metadata: {
+				ideType: "IDE_UNSPECIFIED",
+				platform: "PLATFORM_UNSPECIFIED",
+				pluginType: "GEMINI"
+			} })
+		});
+		if (loadResponse.ok) {
+			const data = await loadResponse.json();
+			if (typeof data.cloudaicompanionProject === "string" && data.cloudaicompanionProject) return data.cloudaicompanionProject;
+			if (data.cloudaicompanionProject && typeof data.cloudaicompanionProject === "object" && data.cloudaicompanionProject.id) return data.cloudaicompanionProject.id;
+		}
+	} catch {}
+	onProgress?.("Using default project...");
+	return DEFAULT_PROJECT_ID;
+}
+/**
+* Get user email from the access token
+*/
+async function getUserEmail$1(accessToken) {
+	try {
+		const response = await fetch("https://www.googleapis.com/oauth2/v1/userinfo?alt=json", { headers: { Authorization: `Bearer ${accessToken}` } });
+		if (response.ok) return (await response.json()).email;
+	} catch {}
+}
+/**
+* Refresh Antigravity token
+*/
+async function refreshAntigravityToken(refreshToken, projectId) {
+	const response = await fetch(TOKEN_URL$2, {
+		method: "POST",
+		headers: { "Content-Type": "application/x-www-form-urlencoded" },
+		body: new URLSearchParams({
+			client_id: CLIENT_ID$2,
+			client_secret: CLIENT_SECRET$1,
+			refresh_token: refreshToken,
+			grant_type: "refresh_token"
+		})
+	});
+	if (!response.ok) {
+		const error = await response.text();
+		throw new Error(`Antigravity token refresh failed: ${error}`);
+	}
+	const data = await response.json();
+	return {
+		refresh: data.refresh_token || refreshToken,
+		access: data.access_token,
+		expires: Date.now() + data.expires_in * 1e3 - 300 * 1e3,
+		projectId
+	};
+}
+/**
+* Login with Antigravity OAuth
+*
+* @param onAuth - Callback with URL and optional instructions
+* @param onProgress - Optional progress callback
+* @param onManualCodeInput - Optional promise that resolves with user-pasted redirect URL.
+*                            Races with browser callback - whichever completes first wins.
+*/
+async function loginAntigravity(onAuth, onProgress, onManualCodeInput) {
+	const { verifier, challenge } = await generatePKCE();
+	onProgress?.("Starting local server for OAuth callback...");
+	const server = await startCallbackServer$1();
+	let code;
+	try {
+		onAuth({
+			url: `${AUTH_URL$1}?${new URLSearchParams({
+				client_id: CLIENT_ID$2,
+				response_type: "code",
+				redirect_uri: REDIRECT_URI$2,
+				scope: SCOPES$1.join(" "),
+				code_challenge: challenge,
+				code_challenge_method: "S256",
+				state: verifier,
+				access_type: "offline",
+				prompt: "consent"
+			}).toString()}`,
+			instructions: "Complete the sign-in in your browser."
+		});
+		onProgress?.("Waiting for OAuth callback...");
+		if (onManualCodeInput) {
+			let manualInput;
+			let manualError;
+			const manualPromise = onManualCodeInput().then((input) => {
+				manualInput = input;
+				server.cancelWait();
+			}).catch((err) => {
+				manualError = err instanceof Error ? err : new Error(String(err));
+				server.cancelWait();
+			});
+			const result = await server.waitForCode();
+			if (manualError) throw manualError;
+			if (result?.code) {
+				if (result.state !== verifier) throw new Error("OAuth state mismatch - possible CSRF attack");
+				code = result.code;
+			} else if (manualInput) {
+				const parsed = parseRedirectUrl$1(manualInput);
+				if (parsed.state && parsed.state !== verifier) throw new Error("OAuth state mismatch - possible CSRF attack");
+				code = parsed.code;
+			}
+			if (!code) {
+				await manualPromise;
+				if (manualError) throw manualError;
+				if (manualInput) {
+					const parsed = parseRedirectUrl$1(manualInput);
+					if (parsed.state && parsed.state !== verifier) throw new Error("OAuth state mismatch - possible CSRF attack");
+					code = parsed.code;
+				}
+			}
+		} else {
+			const result = await server.waitForCode();
+			if (result?.code) {
+				if (result.state !== verifier) throw new Error("OAuth state mismatch - possible CSRF attack");
+				code = result.code;
+			}
+		}
+		if (!code) throw new Error("No authorization code received");
+		onProgress?.("Exchanging authorization code for tokens...");
+		const tokenResponse = await fetch(TOKEN_URL$2, {
+			method: "POST",
+			headers: { "Content-Type": "application/x-www-form-urlencoded" },
+			body: new URLSearchParams({
+				client_id: CLIENT_ID$2,
+				client_secret: CLIENT_SECRET$1,
+				code,
+				grant_type: "authorization_code",
+				redirect_uri: REDIRECT_URI$2,
+				code_verifier: verifier
+			})
+		});
+		if (!tokenResponse.ok) {
+			const error = await tokenResponse.text();
+			throw new Error(`Token exchange failed: ${error}`);
+		}
+		const tokenData = await tokenResponse.json();
+		if (!tokenData.refresh_token) throw new Error("No refresh token received. Please try again.");
+		onProgress?.("Getting user info...");
+		const email = await getUserEmail$1(tokenData.access_token);
+		const projectId = await discoverProject$1(tokenData.access_token, onProgress);
+		const expiresAt = Date.now() + tokenData.expires_in * 1e3 - 300 * 1e3;
+		return {
+			refresh: tokenData.refresh_token,
+			access: tokenData.access_token,
+			expires: expiresAt,
+			projectId,
+			email
+		};
+	} finally {
+		server.server.close();
+	}
+}
+const antigravityOAuthProvider = {
+	id: "google-antigravity",
+	name: "Antigravity (Gemini 3, Claude, GPT-OSS)",
+	usesCallbackServer: true,
+	async login(callbacks) {
+		return loginAntigravity(callbacks.onAuth, callbacks.onProgress, callbacks.onManualCodeInput);
+	},
+	async refreshToken(credentials) {
+		const creds = credentials;
+		if (!creds.projectId) throw new Error("Antigravity credentials missing projectId");
+		return refreshAntigravityToken(creds.refresh, creds.projectId);
+	},
+	getApiKey(credentials) {
+		const creds = credentials;
+		return JSON.stringify({
+			token: creds.access,
+			projectId: creds.projectId
+		});
+	}
+};
+/**
+* Gemini CLI OAuth flow (Google Cloud Code Assist)
+* Standard Gemini models only (gemini-2.0-flash, gemini-2.5-*)
+*
+* NOTE: This module uses Node.js http.createServer for the OAuth callback.
+* It is only intended for CLI use, not browser environments.
+*/
+var _createServer = null;
+var _httpImportPromise = null;
+if (typeof process !== "undefined" && (process.versions?.node || process.versions?.bun)) _httpImportPromise = import("node:http").then((m) => {
+	_createServer = m.createServer;
+});
+var decode = (s) => atob(s);
+var CLIENT_ID$1 = decode("NjgxMjU1ODA5Mzk1LW9vOGZ0Mm9wcmRybnA5ZTNhcWY2YXYzaG1kaWIxMzVqLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29t");
+var CLIENT_SECRET = decode("R09DU1BYLTR1SGdNUG0tMW83U2stZ2VWNkN1NWNsWEZzeGw=");
+var REDIRECT_URI$1 = "http://localhost:8085/oauth2callback";
+var SCOPES = [
+	"https://www.googleapis.com/auth/cloud-platform",
+	"https://www.googleapis.com/auth/userinfo.email",
+	"https://www.googleapis.com/auth/userinfo.profile"
+];
+var AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth";
+var TOKEN_URL$1 = "https://oauth2.googleapis.com/token";
+var CODE_ASSIST_ENDPOINT = "https://cloudcode-pa.googleapis.com";
+/**
+* Start a local HTTP server to receive the OAuth callback
+*/
+async function getNodeCreateServer() {
+	if (_createServer) return _createServer;
+	if (_httpImportPromise) await _httpImportPromise;
+	if (_createServer) return _createServer;
+	throw new Error("Gemini CLI OAuth is only available in Node.js environments");
+}
+async function startCallbackServer() {
+	const createServer = await getNodeCreateServer();
+	return new Promise((resolve, reject) => {
+		let result = null;
+		let cancelled = false;
+		const server = createServer((req, res) => {
+			const url = new URL(req.url || "", `http://localhost:8085`);
+			if (url.pathname === "/oauth2callback") {
+				const code = url.searchParams.get("code");
+				const state = url.searchParams.get("state");
+				const error = url.searchParams.get("error");
+				if (error) {
+					res.writeHead(400, { "Content-Type": "text/html" });
+					res.end(`<html><body><h1>Authentication Failed</h1><p>Error: ${error}</p><p>You can close this window.</p></body></html>`);
+					return;
+				}
+				if (code && state) {
+					res.writeHead(200, { "Content-Type": "text/html" });
+					res.end(`<html><body><h1>Authentication Successful</h1><p>You can close this window and return to the terminal.</p></body></html>`);
+					result = {
+						code,
+						state
+					};
+				} else {
+					res.writeHead(400, { "Content-Type": "text/html" });
+					res.end(`<html><body><h1>Authentication Failed</h1><p>Missing code or state parameter.</p></body></html>`);
+				}
+			} else {
+				res.writeHead(404);
+				res.end();
+			}
+		});
+		server.on("error", (err) => {
+			reject(err);
+		});
+		server.listen(8085, "127.0.0.1", () => {
+			resolve({
+				server,
+				cancelWait: () => {
+					cancelled = true;
+				},
+				waitForCode: async () => {
+					const sleep = () => new Promise((r) => setTimeout(r, 100));
+					while (!result && !cancelled) await sleep();
+					return result;
+				}
+			});
+		});
+	});
+}
+/**
+* Parse redirect URL to extract code and state
+*/
+function parseRedirectUrl(input) {
+	const value = input.trim();
+	if (!value) return {};
+	try {
+		const url = new URL(value);
+		return {
+			code: url.searchParams.get("code") ?? void 0,
+			state: url.searchParams.get("state") ?? void 0
+		};
+	} catch {
+		return {};
+	}
+}
+var TIER_FREE = "free-tier";
+var TIER_LEGACY = "legacy-tier";
+var TIER_STANDARD = "standard-tier";
+/**
+* Wait helper for onboarding retries
+*/
+function wait(ms) {
+	return new Promise((resolve) => setTimeout(resolve, ms));
+}
+/**
+* Get default tier from allowed tiers
+*/
+function getDefaultTier(allowedTiers) {
+	if (!allowedTiers || allowedTiers.length === 0) return { id: TIER_LEGACY };
+	return allowedTiers.find((t) => t.isDefault) ?? { id: TIER_LEGACY };
+}
+function isVpcScAffectedUser(payload) {
+	if (!payload || typeof payload !== "object") return false;
+	if (!("error" in payload)) return false;
+	const error = payload.error;
+	if (!error?.details || !Array.isArray(error.details)) return false;
+	return error.details.some((detail) => detail.reason === "SECURITY_POLICY_VIOLATED");
+}
+/**
+* Poll a long-running operation until completion
+*/
+async function pollOperation(operationName, headers, onProgress) {
+	let attempt = 0;
+	while (true) {
+		if (attempt > 0) {
+			onProgress?.(`Waiting for project provisioning (attempt ${attempt + 1})...`);
+			await wait(5e3);
+		}
+		const response = await fetch(`${CODE_ASSIST_ENDPOINT}/v1internal/${operationName}`, {
+			method: "GET",
+			headers
+		});
+		if (!response.ok) throw new Error(`Failed to poll operation: ${response.status} ${response.statusText}`);
+		const data = await response.json();
+		if (data.done) return data;
+		attempt += 1;
+	}
+}
+/**
+* Discover or provision a Google Cloud project for the user
+*/
+async function discoverProject(accessToken, onProgress) {
+	const envProjectId = process.env.GOOGLE_CLOUD_PROJECT || process.env.GOOGLE_CLOUD_PROJECT_ID;
+	const headers = {
+		Authorization: `Bearer ${accessToken}`,
+		"Content-Type": "application/json",
+		"User-Agent": "google-api-nodejs-client/9.15.1",
+		"X-Goog-Api-Client": "gl-node/22.17.0"
+	};
+	onProgress?.("Checking for existing Cloud Code Assist project...");
+	const loadResponse = await fetch(`${CODE_ASSIST_ENDPOINT}/v1internal:loadCodeAssist`, {
+		method: "POST",
+		headers,
+		body: JSON.stringify({
+			cloudaicompanionProject: envProjectId,
+			metadata: {
+				ideType: "IDE_UNSPECIFIED",
+				platform: "PLATFORM_UNSPECIFIED",
+				pluginType: "GEMINI",
+				duetProject: envProjectId
+			}
+		})
+	});
+	let data;
+	if (!loadResponse.ok) {
+		let errorPayload;
+		try {
+			errorPayload = await loadResponse.clone().json();
+		} catch {
+			errorPayload = void 0;
+		}
+		if (isVpcScAffectedUser(errorPayload)) data = { currentTier: { id: TIER_STANDARD } };
+		else {
+			const errorText = await loadResponse.text();
+			throw new Error(`loadCodeAssist failed: ${loadResponse.status} ${loadResponse.statusText}: ${errorText}`);
+		}
+	} else data = await loadResponse.json();
+	if (data.currentTier) {
+		if (data.cloudaicompanionProject) return data.cloudaicompanionProject;
+		if (envProjectId) return envProjectId;
+		throw new Error("This account requires setting the GOOGLE_CLOUD_PROJECT or GOOGLE_CLOUD_PROJECT_ID environment variable. See https://goo.gle/gemini-cli-auth-docs#workspace-gca");
+	}
+	const tierId = getDefaultTier(data.allowedTiers)?.id ?? TIER_FREE;
+	if (tierId !== TIER_FREE && !envProjectId) throw new Error("This account requires setting the GOOGLE_CLOUD_PROJECT or GOOGLE_CLOUD_PROJECT_ID environment variable. See https://goo.gle/gemini-cli-auth-docs#workspace-gca");
+	onProgress?.("Provisioning Cloud Code Assist project (this may take a moment)...");
+	const onboardBody = {
+		tierId,
+		metadata: {
+			ideType: "IDE_UNSPECIFIED",
+			platform: "PLATFORM_UNSPECIFIED",
+			pluginType: "GEMINI"
+		}
+	};
+	if (tierId !== TIER_FREE && envProjectId) {
+		onboardBody.cloudaicompanionProject = envProjectId;
+		onboardBody.metadata.duetProject = envProjectId;
+	}
+	const onboardResponse = await fetch(`${CODE_ASSIST_ENDPOINT}/v1internal:onboardUser`, {
+		method: "POST",
+		headers,
+		body: JSON.stringify(onboardBody)
+	});
+	if (!onboardResponse.ok) {
+		const errorText = await onboardResponse.text();
+		throw new Error(`onboardUser failed: ${onboardResponse.status} ${onboardResponse.statusText}: ${errorText}`);
+	}
+	let lroData = await onboardResponse.json();
+	if (!lroData.done && lroData.name) lroData = await pollOperation(lroData.name, headers, onProgress);
+	const projectId = lroData.response?.cloudaicompanionProject?.id;
+	if (projectId) return projectId;
+	if (envProjectId) return envProjectId;
+	throw new Error("Could not discover or provision a Google Cloud project. Try setting the GOOGLE_CLOUD_PROJECT or GOOGLE_CLOUD_PROJECT_ID environment variable. See https://goo.gle/gemini-cli-auth-docs#workspace-gca");
+}
+/**
+* Get user email from the access token
+*/
+async function getUserEmail(accessToken) {
+	try {
+		const response = await fetch("https://www.googleapis.com/oauth2/v1/userinfo?alt=json", { headers: { Authorization: `Bearer ${accessToken}` } });
+		if (response.ok) return (await response.json()).email;
+	} catch {}
+}
+/**
+* Refresh Google Cloud Code Assist token
+*/
+async function refreshGoogleCloudToken(refreshToken, projectId) {
+	const response = await fetch(TOKEN_URL$1, {
+		method: "POST",
+		headers: { "Content-Type": "application/x-www-form-urlencoded" },
+		body: new URLSearchParams({
+			client_id: CLIENT_ID$1,
+			client_secret: CLIENT_SECRET,
+			refresh_token: refreshToken,
+			grant_type: "refresh_token"
+		})
+	});
+	if (!response.ok) {
+		const error = await response.text();
+		throw new Error(`Google Cloud token refresh failed: ${error}`);
+	}
+	const data = await response.json();
+	return {
+		refresh: data.refresh_token || refreshToken,
+		access: data.access_token,
+		expires: Date.now() + data.expires_in * 1e3 - 300 * 1e3,
+		projectId
+	};
+}
+/**
+* Login with Gemini CLI (Google Cloud Code Assist) OAuth
+*
+* @param onAuth - Callback with URL and optional instructions
+* @param onProgress - Optional progress callback
+* @param onManualCodeInput - Optional promise that resolves with user-pasted redirect URL.
+*                            Races with browser callback - whichever completes first wins.
+*/
+async function loginGeminiCli(onAuth, onProgress, onManualCodeInput) {
+	const { verifier, challenge } = await generatePKCE();
+	onProgress?.("Starting local server for OAuth callback...");
+	const server = await startCallbackServer();
+	let code;
+	try {
+		onAuth({
+			url: `${AUTH_URL}?${new URLSearchParams({
+				client_id: CLIENT_ID$1,
+				response_type: "code",
+				redirect_uri: REDIRECT_URI$1,
+				scope: SCOPES.join(" "),
+				code_challenge: challenge,
+				code_challenge_method: "S256",
+				state: verifier,
+				access_type: "offline",
+				prompt: "consent"
+			}).toString()}`,
+			instructions: "Complete the sign-in in your browser."
+		});
+		onProgress?.("Waiting for OAuth callback...");
+		if (onManualCodeInput) {
+			let manualInput;
+			let manualError;
+			const manualPromise = onManualCodeInput().then((input) => {
+				manualInput = input;
+				server.cancelWait();
+			}).catch((err) => {
+				manualError = err instanceof Error ? err : new Error(String(err));
+				server.cancelWait();
+			});
+			const result = await server.waitForCode();
+			if (manualError) throw manualError;
+			if (result?.code) {
+				if (result.state !== verifier) throw new Error("OAuth state mismatch - possible CSRF attack");
+				code = result.code;
+			} else if (manualInput) {
+				const parsed = parseRedirectUrl(manualInput);
+				if (parsed.state && parsed.state !== verifier) throw new Error("OAuth state mismatch - possible CSRF attack");
+				code = parsed.code;
+			}
+			if (!code) {
+				await manualPromise;
+				if (manualError) throw manualError;
+				if (manualInput) {
+					const parsed = parseRedirectUrl(manualInput);
+					if (parsed.state && parsed.state !== verifier) throw new Error("OAuth state mismatch - possible CSRF attack");
+					code = parsed.code;
+				}
+			}
+		} else {
+			const result = await server.waitForCode();
+			if (result?.code) {
+				if (result.state !== verifier) throw new Error("OAuth state mismatch - possible CSRF attack");
+				code = result.code;
+			}
+		}
+		if (!code) throw new Error("No authorization code received");
+		onProgress?.("Exchanging authorization code for tokens...");
+		const tokenResponse = await fetch(TOKEN_URL$1, {
+			method: "POST",
+			headers: { "Content-Type": "application/x-www-form-urlencoded" },
+			body: new URLSearchParams({
+				client_id: CLIENT_ID$1,
+				client_secret: CLIENT_SECRET,
+				code,
+				grant_type: "authorization_code",
+				redirect_uri: REDIRECT_URI$1,
+				code_verifier: verifier
+			})
+		});
+		if (!tokenResponse.ok) {
+			const error = await tokenResponse.text();
+			throw new Error(`Token exchange failed: ${error}`);
+		}
+		const tokenData = await tokenResponse.json();
+		if (!tokenData.refresh_token) throw new Error("No refresh token received. Please try again.");
+		onProgress?.("Getting user info...");
+		const email = await getUserEmail(tokenData.access_token);
+		const projectId = await discoverProject(tokenData.access_token, onProgress);
+		const expiresAt = Date.now() + tokenData.expires_in * 1e3 - 300 * 1e3;
+		return {
+			refresh: tokenData.refresh_token,
+			access: tokenData.access_token,
+			expires: expiresAt,
+			projectId,
+			email
+		};
+	} finally {
+		server.server.close();
+	}
+}
+const geminiCliOAuthProvider = {
+	id: "google-gemini-cli",
+	name: "Google Cloud Code Assist (Gemini CLI)",
+	usesCallbackServer: true,
+	async login(callbacks) {
+		return loginGeminiCli(callbacks.onAuth, callbacks.onProgress, callbacks.onManualCodeInput);
+	},
+	async refreshToken(credentials) {
+		const creds = credentials;
+		if (!creds.projectId) throw new Error("Google Cloud credentials missing projectId");
+		return refreshGoogleCloudToken(creds.refresh, creds.projectId);
+	},
+	getApiKey(credentials) {
+		const creds = credentials;
+		return JSON.stringify({
+			token: creds.access,
+			projectId: creds.projectId
+		});
+	}
+};
+/**
+* OpenAI Codex (ChatGPT OAuth) flow
+*
+* NOTE: This module uses Node.js crypto and http for the OAuth callback.
+* It is only intended for CLI use, not browser environments.
+*/
+var _randomBytes = null;
+var _http = null;
+if (typeof process !== "undefined" && (process.versions?.node || process.versions?.bun)) {
+	import("node:crypto").then((m) => {
+		_randomBytes = m.randomBytes;
+	});
+	import("node:http").then((m) => {
+		_http = m;
+	});
+}
+var CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+var AUTHORIZE_URL = "https://auth.openai.com/oauth/authorize";
+var TOKEN_URL = "https://auth.openai.com/oauth/token";
+var REDIRECT_URI = "http://localhost:1455/auth/callback";
+var SCOPE = "openid profile email offline_access";
+var JWT_CLAIM_PATH = "https://api.openai.com/auth";
+var SUCCESS_HTML = `<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>Authentication successful</title>
+</head>
+<body>
+  <p>Authentication successful. Return to your terminal to continue.</p>
+</body>
+</html>`;
+function createState() {
+	if (!_randomBytes) throw new Error("OpenAI Codex OAuth is only available in Node.js environments");
+	return _randomBytes(16).toString("hex");
+}
+function parseAuthorizationInput(input) {
+	const value = input.trim();
+	if (!value) return {};
+	try {
+		const url = new URL(value);
+		return {
+			code: url.searchParams.get("code") ?? void 0,
+			state: url.searchParams.get("state") ?? void 0
+		};
+	} catch {}
+	if (value.includes("#")) {
+		const [code, state] = value.split("#", 2);
+		return {
+			code,
+			state
+		};
+	}
+	if (value.includes("code=")) {
+		const params = new URLSearchParams(value);
+		return {
+			code: params.get("code") ?? void 0,
+			state: params.get("state") ?? void 0
+		};
+	}
+	return { code: value };
+}
+function decodeJwt(token) {
+	try {
+		const parts = token.split(".");
+		if (parts.length !== 3) return null;
+		const payload = parts[1] ?? "";
+		const decoded = atob(payload);
+		return JSON.parse(decoded);
+	} catch {
+		return null;
+	}
+}
+async function exchangeAuthorizationCode(code, verifier, redirectUri = REDIRECT_URI) {
+	const response = await fetch(TOKEN_URL, {
+		method: "POST",
+		headers: { "Content-Type": "application/x-www-form-urlencoded" },
+		body: new URLSearchParams({
+			grant_type: "authorization_code",
+			client_id: CLIENT_ID,
+			code,
+			code_verifier: verifier,
+			redirect_uri: redirectUri
+		})
+	});
+	if (!response.ok) {
+		const text = await response.text().catch(() => "");
+		console.error("[openai-codex] code->token failed:", response.status, text);
+		return { type: "failed" };
+	}
+	const json = await response.json();
+	if (!json.access_token || !json.refresh_token || typeof json.expires_in !== "number") {
+		console.error("[openai-codex] token response missing fields:", json);
+		return { type: "failed" };
+	}
+	return {
+		type: "success",
+		access: json.access_token,
+		refresh: json.refresh_token,
+		expires: Date.now() + json.expires_in * 1e3
+	};
+}
+async function refreshAccessToken(refreshToken) {
+	try {
+		const response = await fetch(TOKEN_URL, {
+			method: "POST",
+			headers: { "Content-Type": "application/x-www-form-urlencoded" },
+			body: new URLSearchParams({
+				grant_type: "refresh_token",
+				refresh_token: refreshToken,
+				client_id: CLIENT_ID
+			})
+		});
+		if (!response.ok) {
+			const text = await response.text().catch(() => "");
+			console.error("[openai-codex] Token refresh failed:", response.status, text);
+			return { type: "failed" };
+		}
+		const json = await response.json();
+		if (!json.access_token || !json.refresh_token || typeof json.expires_in !== "number") {
+			console.error("[openai-codex] Token refresh response missing fields:", json);
+			return { type: "failed" };
+		}
+		return {
+			type: "success",
+			access: json.access_token,
+			refresh: json.refresh_token,
+			expires: Date.now() + json.expires_in * 1e3
+		};
+	} catch (error) {
+		console.error("[openai-codex] Token refresh error:", error);
+		return { type: "failed" };
+	}
+}
+async function createAuthorizationFlow(originator = "pi") {
+	const { verifier, challenge } = await generatePKCE();
+	const state = createState();
+	const url = new URL(AUTHORIZE_URL);
+	url.searchParams.set("response_type", "code");
+	url.searchParams.set("client_id", CLIENT_ID);
+	url.searchParams.set("redirect_uri", REDIRECT_URI);
+	url.searchParams.set("scope", SCOPE);
+	url.searchParams.set("code_challenge", challenge);
+	url.searchParams.set("code_challenge_method", "S256");
+	url.searchParams.set("state", state);
+	url.searchParams.set("id_token_add_organizations", "true");
+	url.searchParams.set("codex_cli_simplified_flow", "true");
+	url.searchParams.set("originator", originator);
+	return {
+		verifier,
+		state,
+		url: url.toString()
+	};
+}
+function startLocalOAuthServer(state) {
+	if (!_http) throw new Error("OpenAI Codex OAuth is only available in Node.js environments");
+	let lastCode = null;
+	let cancelled = false;
+	const server = _http.createServer((req, res) => {
+		try {
+			const url = new URL(req.url || "", "http://localhost");
+			if (url.pathname !== "/auth/callback") {
+				res.statusCode = 404;
+				res.end("Not found");
+				return;
+			}
+			if (url.searchParams.get("state") !== state) {
+				res.statusCode = 400;
+				res.end("State mismatch");
+				return;
+			}
+			const code = url.searchParams.get("code");
+			if (!code) {
+				res.statusCode = 400;
+				res.end("Missing authorization code");
+				return;
+			}
+			res.statusCode = 200;
+			res.setHeader("Content-Type", "text/html; charset=utf-8");
+			res.end(SUCCESS_HTML);
+			lastCode = code;
+		} catch {
+			res.statusCode = 500;
+			res.end("Internal error");
+		}
+	});
+	return new Promise((resolve) => {
+		server.listen(1455, "127.0.0.1", () => {
+			resolve({
+				close: () => server.close(),
+				cancelWait: () => {
+					cancelled = true;
+				},
+				waitForCode: async () => {
+					const sleep = () => new Promise((r) => setTimeout(r, 100));
+					for (let i = 0; i < 600; i += 1) {
+						if (lastCode) return { code: lastCode };
+						if (cancelled) return null;
+						await sleep();
+					}
+					return null;
+				}
+			});
+		}).on("error", (err) => {
+			console.error("[openai-codex] Failed to bind http://127.0.0.1:1455 (", err.code, ") Falling back to manual paste.");
+			resolve({
+				close: () => {
+					try {
+						server.close();
+					} catch {}
+				},
+				cancelWait: () => {},
+				waitForCode: async () => null
+			});
+		});
+	});
+}
+function getAccountId(accessToken) {
+	const accountId = (decodeJwt(accessToken)?.[JWT_CLAIM_PATH])?.chatgpt_account_id;
+	return typeof accountId === "string" && accountId.length > 0 ? accountId : null;
+}
+/**
+* Login with OpenAI Codex OAuth
+*
+* @param options.onAuth - Called with URL and instructions when auth starts
+* @param options.onPrompt - Called to prompt user for manual code paste (fallback if no onManualCodeInput)
+* @param options.onProgress - Optional progress messages
+* @param options.onManualCodeInput - Optional promise that resolves with user-pasted code.
+*                                    Races with browser callback - whichever completes first wins.
+*                                    Useful for showing paste input immediately alongside browser flow.
+* @param options.originator - OAuth originator parameter (defaults to "pi")
+*/
+async function loginOpenAICodex(options) {
+	const { verifier, state, url } = await createAuthorizationFlow(options.originator);
+	const server = await startLocalOAuthServer(state);
+	options.onAuth({
+		url,
+		instructions: "A browser window should open. Complete login to finish."
+	});
+	let code;
+	try {
+		if (options.onManualCodeInput) {
+			let manualCode;
+			let manualError;
+			const manualPromise = options.onManualCodeInput().then((input) => {
+				manualCode = input;
+				server.cancelWait();
+			}).catch((err) => {
+				manualError = err instanceof Error ? err : new Error(String(err));
+				server.cancelWait();
+			});
+			const result = await server.waitForCode();
+			if (manualError) throw manualError;
+			if (result?.code) code = result.code;
+			else if (manualCode) {
+				const parsed = parseAuthorizationInput(manualCode);
+				if (parsed.state && parsed.state !== state) throw new Error("State mismatch");
+				code = parsed.code;
+			}
+			if (!code) {
+				await manualPromise;
+				if (manualError) throw manualError;
+				if (manualCode) {
+					const parsed = parseAuthorizationInput(manualCode);
+					if (parsed.state && parsed.state !== state) throw new Error("State mismatch");
+					code = parsed.code;
+				}
+			}
+		} else {
+			const result = await server.waitForCode();
+			if (result?.code) code = result.code;
+		}
+		if (!code) {
+			const parsed = parseAuthorizationInput(await options.onPrompt({ message: "Paste the authorization code (or full redirect URL):" }));
+			if (parsed.state && parsed.state !== state) throw new Error("State mismatch");
+			code = parsed.code;
+		}
+		if (!code) throw new Error("Missing authorization code");
+		const tokenResult = await exchangeAuthorizationCode(code, verifier);
+		if (tokenResult.type !== "success") throw new Error("Token exchange failed");
+		const accountId = getAccountId(tokenResult.access);
+		if (!accountId) throw new Error("Failed to extract accountId from token");
+		return {
+			access: tokenResult.access,
+			refresh: tokenResult.refresh,
+			expires: tokenResult.expires,
+			accountId
+		};
+	} finally {
+		server.close();
+	}
+}
+/**
+* Refresh OpenAI Codex OAuth token
+*/
+async function refreshOpenAICodexToken(refreshToken) {
+	const result = await refreshAccessToken(refreshToken);
+	if (result.type !== "success") throw new Error("Failed to refresh OpenAI Codex token");
+	const accountId = getAccountId(result.access);
+	if (!accountId) throw new Error("Failed to extract accountId from token");
+	return {
+		access: result.access,
+		refresh: result.refresh,
+		expires: result.expires,
+		accountId
+	};
+}
+const openaiCodexOAuthProvider = {
+	id: "openai-codex",
+	name: "ChatGPT Plus/Pro (Codex Subscription)",
+	usesCallbackServer: true,
+	async login(callbacks) {
+		return loginOpenAICodex({
+			onAuth: callbacks.onAuth,
+			onPrompt: callbacks.onPrompt,
+			onProgress: callbacks.onProgress,
+			onManualCodeInput: callbacks.onManualCodeInput
+		});
+	},
+	async refreshToken(credentials) {
+		return refreshOpenAICodexToken(credentials.refresh);
+	},
+	getApiKey(credentials) {
+		return credentials.access;
+	}
+};
+var BUILT_IN_OAUTH_PROVIDERS = [
+	anthropicOAuthProvider,
+	githubCopilotOAuthProvider,
+	geminiCliOAuthProvider,
+	antigravityOAuthProvider,
+	openaiCodexOAuthProvider
+];
+var oauthProviderRegistry = new Map(BUILT_IN_OAUTH_PROVIDERS.map((provider) => [provider.id, provider]));
+/**
+* Get an OAuth provider by ID
+*/
+function getOAuthProvider(id) {
+	return oauthProviderRegistry.get(id);
+}
+/**
+* Register a custom OAuth provider
+*/
+function registerOAuthProvider(provider) {
+	oauthProviderRegistry.set(provider.id, provider);
+}
+/**
+* Unregister an OAuth provider.
+*
+* If the provider is built-in, restores the built-in implementation.
+* Custom providers are removed completely.
+*/
+function unregisterOAuthProvider(id) {
+	const builtInProvider = BUILT_IN_OAUTH_PROVIDERS.find((provider) => provider.id === id);
+	if (builtInProvider) {
+		oauthProviderRegistry.set(id, builtInProvider);
+		return;
+	}
+	oauthProviderRegistry.delete(id);
+}
+/**
+* Reset OAuth providers to built-ins.
+*/
+function resetOAuthProviders() {
+	oauthProviderRegistry.clear();
+	for (const provider of BUILT_IN_OAUTH_PROVIDERS) oauthProviderRegistry.set(provider.id, provider);
+}
+/**
+* Get all registered OAuth providers
+*/
+function getOAuthProviders() {
+	return Array.from(oauthProviderRegistry.values());
+}
+/**
+* @deprecated Use getOAuthProviders() which returns OAuthProviderInterface[]
+*/
+function getOAuthProviderInfoList() {
+	return getOAuthProviders().map((p) => ({
+		id: p.id,
+		name: p.name,
+		available: true
+	}));
+}
+/**
+* Refresh token for any OAuth provider.
+* @deprecated Use getOAuthProvider(id).refreshToken() instead
+*/
+async function refreshOAuthToken(providerId, credentials) {
+	const provider = getOAuthProvider(providerId);
+	if (!provider) throw new Error(`Unknown OAuth provider: ${providerId}`);
+	return provider.refreshToken(credentials);
+}
+/**
+* Get API key for a provider from OAuth credentials.
+* Automatically refreshes expired tokens.
+*
+* @returns API key string and updated credentials, or null if no credentials
+* @throws Error if refresh fails
+*/
+async function getOAuthApiKey(providerId, credentials) {
+	const provider = getOAuthProvider(providerId);
+	if (!provider) throw new Error(`Unknown OAuth provider: ${providerId}`);
+	let creds = credentials[providerId];
+	if (!creds) return null;
+	if (Date.now() >= creds.expires) try {
+		creds = await provider.refreshToken(creds);
+	} catch (_error) {
+		throw new Error(`Failed to refresh OAuth token for ${providerId}`);
+	}
+	const apiKey = provider.getApiKey(creds);
+	return {
+		newCredentials: creds,
+		apiKey
+	};
+}
+var oauth_exports = /* @__PURE__ */ __exportAll({
+	anthropicOAuthProvider: () => anthropicOAuthProvider,
+	antigravityOAuthProvider: () => antigravityOAuthProvider,
+	geminiCliOAuthProvider: () => geminiCliOAuthProvider,
+	getGitHubCopilotBaseUrl: () => getGitHubCopilotBaseUrl,
+	getOAuthApiKey: () => getOAuthApiKey,
+	getOAuthProvider: () => getOAuthProvider,
+	getOAuthProviderInfoList: () => getOAuthProviderInfoList,
+	getOAuthProviders: () => getOAuthProviders,
+	githubCopilotOAuthProvider: () => githubCopilotOAuthProvider,
+	loginAnthropic: () => loginAnthropic,
+	loginAntigravity: () => loginAntigravity,
+	loginGeminiCli: () => loginGeminiCli,
+	loginGitHubCopilot: () => loginGitHubCopilot,
+	loginOpenAICodex: () => loginOpenAICodex,
+	normalizeDomain: () => normalizeDomain,
+	openaiCodexOAuthProvider: () => openaiCodexOAuthProvider,
+	refreshAnthropicToken: () => refreshAnthropicToken,
+	refreshAntigravityToken: () => refreshAntigravityToken,
+	refreshGitHubCopilotToken: () => refreshGitHubCopilotToken,
+	refreshGoogleCloudToken: () => refreshGoogleCloudToken,
+	refreshOAuthToken: () => refreshOAuthToken,
+	refreshOpenAICodexToken: () => refreshOpenAICodexToken,
+	registerOAuthProvider: () => registerOAuthProvider,
+	resetOAuthProviders: () => resetOAuthProviders,
+	unregisterOAuthProvider: () => unregisterOAuthProvider
+});
+export { registerOAuthProvider as a, getOAuthProviders as i, getOAuthApiKey as n, resetOAuthProviders as o, getOAuthProvider as r, oauth_exports as t };