responses-proxy 0.1.0

package/dist/kiro-forward.js

@@ -0,0 +1,401 @@
+import { randomUUID } from "node:crypto";
+import { KiroAuthError, resolveKiroCredentials } from "./kiro-auth.js";
+import { CODEWHISPERER_GENERATE_PATH, KiroResponseAccumulator, buildCodeWhispererRequest, buildCodeWhispererRequestFromTurns, buildResponsesJson, buildSseDeltaFrame, buildSseFinaleFrames, buildSsePreludeFrames, collectInputText, estimateTokens, extractAssistantDelta, extractCodeWhispererError, mapModelToCodeWhisperer, newSseStreamIds, } from "./kiro-codewhisperer.js";
+import { AnthropicSseEmitter, buildAnthropicMessage, } from "./anthropic-messages.js";
+import { EventStreamParser } from "./kiro-eventstream.js";
+function buildUsage(inputText, outputText) {
+    const inputTokens = estimateTokens(inputText);
+    const outputTokens = estimateTokens(outputText);
+    return {
+        usage: {
+            input_tokens: inputTokens,
+            output_tokens: outputTokens,
+            total_tokens: inputTokens + outputTokens,
+        },
+    };
+}
+/**
+ * Error thrown when the CodeWhisperer upstream rejects a request. Carries the
+ * upstream status + body so `server.ts` can fold it into the standard proxy error
+ * envelope (it mirrors the `statusCode`/`body` shape `buildUpstreamError` produces).
+ */
+export class KiroUpstreamError extends Error {
+    statusCode;
+    body;
+    constructor(requestId, status, body) {
+        super(`[${requestId}] Kiro upstream rejected request (${status})`);
+        this.statusCode = status;
+        this.body = body;
+    }
+}
+/**
+ * Resolve a Kiro credential and open the `generateAssistantResponse` connection
+ * with an overall timeout. The CodeWhisperer request is produced by `buildRequest`
+ * once credentials are known (so the resolved `profileArn` and mapped `modelId` can
+ * be injected), letting the Responses and Anthropic paths share all auth/rotation/
+ * timeout/connection logic. The caller consumes `response.body` and invokes
+ * `cleanup()` (clears the abort timer) when finished.
+ */
+async function openKiroStream(args) {
+    const fetchImpl = args.fetchImpl ?? fetch;
+    const credentials = await resolveKiroCredentials({
+        store: args.store,
+        rotationMode: "round_robin",
+        defaultRegion: args.config.KIRO_DEFAULT_REGION,
+        refreshLeadSeconds: args.config.KIRO_REFRESH_LEAD_SECONDS,
+        poolKey: args.provider.id,
+        fetchImpl,
+    });
+    const modelId = mapModelToCodeWhisperer(args.model, args.provider.capabilities.modelAliases);
+    const cwRequest = args.buildRequest({ profileArn: credentials.profileArn, modelId });
+    const inputText = args.inputText;
+    const url = `https://codewhisperer.${credentials.region}.amazonaws.com${CODEWHISPERER_GENERATE_PATH}`;
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), args.config.REQUEST_TIMEOUT_MS);
+    const cleanup = () => clearTimeout(timeout);
+    const startedAt = Date.now();
+    let response;
+    try {
+        response = await fetchImpl(url, {
+            method: "POST",
+            headers: {
+                Authorization: `Bearer ${credentials.accessToken}`,
+                "Content-Type": "application/json",
+                Accept: "application/vnd.amazon.eventstream",
+                // CodeWhisperer is an AWS JSON-RPC service; X-Amz-Target selects the
+                // operation and the user-agent pair identifies the Kiro IDE client.
+                // These mirror the headers 9router sends and are required for routing.
+                "X-Amz-Target": "AmazonCodeWhispererStreamingService.GenerateAssistantResponse",
+                "User-Agent": "AWS-SDK-JS/3.0.0 kiro-ide/1.0.0",
+                "X-Amz-User-Agent": "aws-sdk-js/3.0.0 kiro-ide/1.0.0",
+                "Amz-Sdk-Request": "attempt=1; max=3",
+                "Amz-Sdk-Invocation-Id": randomUUID(),
+            },
+            body: JSON.stringify(cwRequest),
+            signal: controller.signal,
+        });
+    }
+    catch (error) {
+        cleanup();
+        const reason = error instanceof Error ? error.message : String(error);
+        throw new KiroUpstreamError(args.requestId, 502, `Kiro upstream request failed: ${reason}`);
+    }
+    args.logger.info({
+        requestId: args.requestId,
+        provider: args.provider.id,
+        accountId: credentials.accountId,
+        upstreamStatus: response.status,
+        connectMs: Date.now() - startedAt,
+        modelId,
+    }, "kiro codewhisperer response received");
+    if (!response.ok) {
+        const errorBody = await response.text().catch(() => "");
+        cleanup();
+        throw new KiroUpstreamError(args.requestId, response.status, errorBody);
+    }
+    return { response, model: args.model || modelId, inputText, cleanup };
+}
+/** Non-streaming Kiro path: buffers the stream, returns a Responses JSON payload + usage. */
+export async function forwardKiroJson(args) {
+    const opened = await openKiroStream({
+        ...args,
+        model: typeof args.body.model === "string" ? args.body.model : "",
+        inputText: collectInputText(args.body),
+        buildRequest: ({ profileArn, modelId }) => buildCodeWhispererRequest({ body: args.body, modelId, profileArn }),
+    });
+    try {
+        const buffer = Buffer.from(await opened.response.arrayBuffer());
+        const parser = new EventStreamParser();
+        const messages = parser.push(buffer);
+        let text = "";
+        for (const message of messages) {
+            const errText = extractCodeWhispererError(message);
+            if (errText) {
+                throw new KiroUpstreamError(args.requestId, 502, errText);
+            }
+            text += extractAssistantDelta(message);
+        }
+        const usage = buildUsage(opened.inputText, text);
+        const payload = buildResponsesJson({
+            text,
+            model: opened.model,
+            inputText: opened.inputText,
+        });
+        return { payload, usage };
+    }
+    finally {
+        opened.cleanup();
+    }
+}
+/**
+ * Streaming Kiro path: reads the CodeWhisperer event-stream incrementally and
+ * writes Responses SSE frames as text arrives, so clients see real token-by-token
+ * output. Returns usage totals once the stream completes.
+ */
+export async function forwardKiroSse(args) {
+    const opened = await openKiroStream({
+        ...args,
+        model: typeof args.body.model === "string" ? args.body.model : "",
+        inputText: collectInputText(args.body),
+        buildRequest: ({ profileArn, modelId }) => buildCodeWhispererRequest({ body: args.body, modelId, profileArn }),
+    });
+    const { response } = opened;
+    if (!response.body) {
+        opened.cleanup();
+        throw new KiroUpstreamError(args.requestId, 502, "Kiro upstream returned an empty body");
+    }
+    const ids = newSseStreamIds(opened.model);
+    const parser = new EventStreamParser();
+    const reader = response.body.getReader();
+    let headersSent = false;
+    let fullText = "";
+    let streamError;
+    const ensureHeaders = () => {
+        if (headersSent) {
+            return;
+        }
+        args.responseRaw.setHeader("Content-Type", "text/event-stream");
+        args.responseRaw.setHeader("Cache-Control", "no-cache, no-transform");
+        args.responseRaw.setHeader("Connection", "keep-alive");
+        args.responseRaw.setHeader("X-Accel-Buffering", "no");
+        args.responseRaw.flushHeaders?.();
+        for (const frame of buildSsePreludeFrames(ids)) {
+            args.responseRaw.write(frame);
+        }
+        headersSent = true;
+    };
+    let idleTimer;
+    const resetIdleTimer = () => {
+        if (idleTimer) {
+            clearTimeout(idleTimer);
+        }
+        idleTimer = setTimeout(() => {
+            args.logger.warn({ requestId: args.requestId }, "kiro upstream stream idle timeout reached");
+            void reader.cancel().catch(() => undefined);
+        }, args.config.STREAM_IDLE_TIMEOUT_MS);
+    };
+    try {
+        resetIdleTimer();
+        while (true) {
+            const { done, value } = await reader.read();
+            if (done) {
+                break;
+            }
+            resetIdleTimer();
+            if (!value) {
+                continue;
+            }
+            const messages = parser.push(value);
+            for (const message of messages) {
+                const errText = extractCodeWhispererError(message);
+                if (errText) {
+                    streamError = errText;
+                    // If we have not emitted anything yet, surface a clean error envelope.
+                    if (!headersSent) {
+                        throw new KiroUpstreamError(args.requestId, 502, errText);
+                    }
+                    continue;
+                }
+                const delta = extractAssistantDelta(message);
+                if (delta) {
+                    ensureHeaders();
+                    fullText += delta;
+                    args.responseRaw.write(buildSseDeltaFrame(ids, delta));
+                }
+            }
+        }
+    }
+    catch (error) {
+        if (idleTimer) {
+            clearTimeout(idleTimer);
+        }
+        opened.cleanup();
+        // Headers already sent: we cannot change status, so propagate for the caller
+        // to destroy the socket. Otherwise rethrow so a JSON error envelope is sent.
+        if (error instanceof KiroUpstreamError) {
+            throw error;
+        }
+        const reason = error instanceof Error ? error.message : String(error);
+        throw new KiroUpstreamError(args.requestId, 502, `Kiro stream read failed: ${reason}`);
+    }
+    if (idleTimer) {
+        clearTimeout(idleTimer);
+    }
+    opened.cleanup();
+    // Ensure the client always receives a well-formed completion, even for an empty
+    // response or one whose only signal was a (post-output) error frame.
+    ensureHeaders();
+    const usage = buildUsage(opened.inputText, fullText);
+    for (const frame of buildSseFinaleFrames(ids, {
+        text: fullText,
+        inputTokens: usage.usage.input_tokens,
+        outputTokens: usage.usage.output_tokens,
+    })) {
+        args.responseRaw.write(frame);
+    }
+    args.responseRaw.end();
+    if (streamError) {
+        args.logger.warn({ requestId: args.requestId, streamError }, "kiro stream completed with a post-output error frame");
+    }
+    return usage;
+}
+export { KiroAuthError };
+function anthropicUsage(parsed, outputText) {
+    return buildUsage(parsed.inputText, outputText);
+}
+function openAnthropicStream(args) {
+    return openKiroStream({
+        store: args.store,
+        provider: args.provider,
+        config: args.config,
+        requestId: args.requestId,
+        body: {},
+        logger: args.logger,
+        fetchImpl: args.fetchImpl,
+        model: args.parsed.model,
+        inputText: args.parsed.inputText,
+        buildRequest: ({ profileArn, modelId }) => buildCodeWhispererRequestFromTurns({
+            turns: args.parsed.turns,
+            modelId,
+            tools: args.parsed.tools,
+            profileArn,
+            maxTokens: args.parsed.maxTokens,
+            temperature: args.parsed.temperature,
+            topP: args.parsed.topP,
+        }),
+    });
+}
+/** Non-streaming Anthropic path: buffers the stream, returns an Anthropic message + usage. */
+export async function forwardKiroAnthropicJson(args) {
+    const opened = await openAnthropicStream(args);
+    try {
+        const buffer = Buffer.from(await opened.response.arrayBuffer());
+        const parser = new EventStreamParser();
+        const accumulator = new KiroResponseAccumulator();
+        for (const message of parser.push(buffer)) {
+            accumulator.push(message);
+        }
+        if (accumulator.error) {
+            throw new KiroUpstreamError(args.requestId, 502, accumulator.error);
+        }
+        const toolUses = accumulator.toolUses();
+        const outputText = accumulator.text + toolUses.map((t) => JSON.stringify(t.input)).join("");
+        const usage = anthropicUsage(args.parsed, outputText);
+        const payload = buildAnthropicMessage({
+            text: accumulator.text,
+            toolUses,
+            model: opened.model,
+            inputTokens: usage.usage.input_tokens,
+            outputTokens: usage.usage.output_tokens,
+        });
+        return { payload, usage };
+    }
+    finally {
+        opened.cleanup();
+    }
+}
+/**
+ * Streaming Anthropic path: reads the CodeWhisperer event-stream incrementally and
+ * writes the Anthropic Messages SSE sequence (message_start → content_block_* →
+ * message_delta → message_stop) as text and tool-use deltas arrive.
+ */
+export async function forwardKiroAnthropicSse(args) {
+    const opened = await openAnthropicStream(args);
+    const { response } = opened;
+    if (!response.body) {
+        opened.cleanup();
+        throw new KiroUpstreamError(args.requestId, 502, "Kiro upstream returned an empty body");
+    }
+    const inputTokens = estimateTokens(args.parsed.inputText);
+    const emitter = new AnthropicSseEmitter({ model: opened.model, inputTokens });
+    const parser = new EventStreamParser();
+    const accumulator = new KiroResponseAccumulator();
+    const reader = response.body.getReader();
+    let headersSent = false;
+    const ensureHeaders = () => {
+        if (headersSent) {
+            return;
+        }
+        args.responseRaw.setHeader("Content-Type", "text/event-stream");
+        args.responseRaw.setHeader("Cache-Control", "no-cache, no-transform");
+        args.responseRaw.setHeader("Connection", "keep-alive");
+        args.responseRaw.setHeader("X-Accel-Buffering", "no");
+        args.responseRaw.flushHeaders?.();
+        for (const frame of emitter.start()) {
+            args.responseRaw.write(frame);
+        }
+        headersSent = true;
+    };
+    let idleTimer;
+    const resetIdleTimer = () => {
+        if (idleTimer) {
+            clearTimeout(idleTimer);
+        }
+        idleTimer = setTimeout(() => {
+            args.logger.warn({ requestId: args.requestId }, "kiro upstream stream idle timeout reached");
+            void reader.cancel().catch(() => undefined);
+        }, args.config.STREAM_IDLE_TIMEOUT_MS);
+    };
+    try {
+        resetIdleTimer();
+        while (true) {
+            const { done, value } = await reader.read();
+            if (done) {
+                break;
+            }
+            resetIdleTimer();
+            if (!value) {
+                continue;
+            }
+            for (const message of parser.push(value)) {
+                const errText = extractCodeWhispererError(message);
+                if (errText) {
+                    if (!headersSent) {
+                        throw new KiroUpstreamError(args.requestId, 502, errText);
+                    }
+                    continue;
+                }
+                const result = accumulator.push(message);
+                if (result.textDelta) {
+                    ensureHeaders();
+                    for (const frame of emitter.textDelta(result.textDelta)) {
+                        args.responseRaw.write(frame);
+                    }
+                }
+                if (result.toolUse) {
+                    ensureHeaders();
+                    for (const frame of emitter.toolUseDelta(result.toolUse)) {
+                        args.responseRaw.write(frame);
+                    }
+                }
+            }
+        }
+    }
+    catch (error) {
+        if (idleTimer) {
+            clearTimeout(idleTimer);
+        }
+        opened.cleanup();
+        if (error instanceof KiroUpstreamError) {
+            throw error;
+        }
+        const reason = error instanceof Error ? error.message : String(error);
+        throw new KiroUpstreamError(args.requestId, 502, `Kiro stream read failed: ${reason}`);
+    }
+    if (idleTimer) {
+        clearTimeout(idleTimer);
+    }
+    opened.cleanup();
+    ensureHeaders();
+    const toolUses = accumulator.toolUses();
+    const outputText = accumulator.text + toolUses.map((t) => JSON.stringify(t.input)).join("");
+    const usage = anthropicUsage(args.parsed, outputText);
+    for (const frame of emitter.finish(usage.usage.output_tokens)) {
+        args.responseRaw.write(frame);
+    }
+    args.responseRaw.end();
+    if (accumulator.error) {
+        args.logger.warn({ requestId: args.requestId, streamError: accumulator.error }, "kiro anthropic stream completed with a post-output error frame");
+    }
+    return usage;
+}

package/dist/kiro-import-cli.js

@@ -0,0 +1,69 @@
+/**
+ * CLI: copy Kiro OAuth accounts from a 9router SQLite DB into a resproxy-owned DB
+ * so the proxy can own token refresh (write-back) without sharing 9router's live
+ * database.
+ *
+ * Usage:
+ *   npm run kiro:import -- [--from <9router.sqlite>] [--to <dest.sqlite>] [--provider kiro]
+ *
+ * Defaults:
+ *   --from  $KIRO_SOURCE_DB_PATH or ~/.9router/db/data.sqlite
+ *   --to    $KIRO_DB_PATH or ./logs/kiro.sqlite
+ */
+import os from "node:os";
+import path from "node:path";
+import { importKiroAccounts, KiroImportError } from "./kiro-import.js";
+function parseArgs(argv) {
+    const out = {};
+    for (let i = 0; i < argv.length; i += 1) {
+        const arg = argv[i];
+        if (arg.startsWith("--")) {
+            const key = arg.slice(2);
+            const next = argv[i + 1];
+            if (next && !next.startsWith("--")) {
+                out[key] = next;
+                i += 1;
+            }
+            else {
+                out[key] = "true";
+            }
+        }
+    }
+    return out;
+}
+function defaultSource() {
+    return (process.env.KIRO_SOURCE_DB_PATH?.trim() ||
+        path.join(os.homedir(), ".9router", "db", "data.sqlite"));
+}
+function defaultDest() {
+    return process.env.KIRO_DB_PATH?.trim() || path.resolve("logs", "kiro.sqlite");
+}
+function main() {
+    const args = parseArgs(process.argv.slice(2));
+    const sourceDbPath = args.from ?? defaultSource();
+    const destDbPath = args.to ?? defaultDest();
+    const provider = args.provider ?? "kiro";
+    try {
+        const result = importKiroAccounts({ sourceDbPath, destDbPath, provider });
+        console.log(`[kiro:import] source : ${result.source}`);
+        console.log(`[kiro:import] dest   : ${result.dest}`);
+        console.log(`[kiro:import] copied : ${result.imported} ${provider} account(s)`);
+        for (const id of result.ids) {
+            console.log(`[kiro:import]   - ${id}`);
+        }
+        if (result.imported === 0) {
+            console.log(`[kiro:import] WARNING: no '${provider}' accounts found in the source DB. Nothing to import.`);
+        }
+        else {
+            console.log(`[kiro:import] Done. Point KIRO_DB_PATH at ${result.dest} and set KIRO_WRITE_BACK_ENABLED=true.`);
+        }
+    }
+    catch (error) {
+        if (error instanceof KiroImportError) {
+            console.error(`[kiro:import] ${error.message}`);
+            process.exit(1);
+        }
+        throw error;
+    }
+}
+main();

package/dist/kiro-import.js

@@ -0,0 +1,94 @@
+import { existsSync, mkdirSync } from "node:fs";
+import path from "node:path";
+import BetterSqlite3 from "better-sqlite3";
+/**
+ * Schema for the `providerConnections` table, mirroring the one 9router creates.
+ * Used to materialize a resproxy-owned copy of the Kiro accounts so the proxy can
+ * own token refresh (write-back) without sharing 9router's live database.
+ */
+export const PROVIDER_CONNECTIONS_DDL = `
+CREATE TABLE IF NOT EXISTS providerConnections (
+  id TEXT PRIMARY KEY,
+  provider TEXT NOT NULL,
+  authType TEXT NOT NULL,
+  name TEXT,
+  email TEXT,
+  priority INTEGER,
+  isActive INTEGER DEFAULT 1,
+  data TEXT NOT NULL,
+  createdAt TEXT NOT NULL,
+  updatedAt TEXT NOT NULL
+);
+CREATE INDEX IF NOT EXISTS idx_pc_provider ON providerConnections(provider);
+CREATE INDEX IF NOT EXISTS idx_pc_provider_active ON providerConnections(provider, isActive);
+CREATE INDEX IF NOT EXISTS idx_pc_priority ON providerConnections(provider, priority);
+`;
+export class KiroImportError extends Error {
+}
+/**
+ * Copies the OAuth accounts for a provider (default `kiro`) from a source 9router
+ * SQLite database into a resproxy-owned destination database, preserving every
+ * field verbatim. Existing rows in the destination are upserted by id, so a
+ * re-import re-syncs from 9router (overwriting any tokens the proxy refreshed).
+ *
+ * The source is opened read-only; the destination is created if missing.
+ */
+export function importKiroAccounts(args) {
+    const provider = args.provider ?? "kiro";
+    const sourceDbPath = path.resolve(args.sourceDbPath);
+    const destDbPath = path.resolve(args.destDbPath);
+    if (!existsSync(sourceDbPath)) {
+        throw new KiroImportError(`Source 9router DB not found at ${sourceDbPath}`);
+    }
+    if (sourceDbPath === destDbPath) {
+        throw new KiroImportError("Source and destination databases must be different files");
+    }
+    const source = new BetterSqlite3(sourceDbPath, { fileMustExist: true, readonly: true });
+    let rows;
+    try {
+        rows = source
+            .prepare(`SELECT id, provider, authType, name, email, priority, isActive, data, createdAt, updatedAt
+         FROM providerConnections
+         WHERE provider = ?
+         ORDER BY priority IS NULL, priority, createdAt`)
+            .all(provider);
+    }
+    finally {
+        source.close();
+    }
+    mkdirSync(path.dirname(destDbPath), { recursive: true });
+    const dest = new BetterSqlite3(destDbPath);
+    try {
+        dest.pragma("journal_mode = WAL");
+        dest.exec(PROVIDER_CONNECTIONS_DDL);
+        const upsert = dest.prepare(`INSERT INTO providerConnections
+         (id, provider, authType, name, email, priority, isActive, data, createdAt, updatedAt)
+       VALUES
+         (@id, @provider, @authType, @name, @email, @priority, @isActive, @data, @createdAt, @updatedAt)
+       ON CONFLICT(id) DO UPDATE SET
+         provider = excluded.provider,
+         authType = excluded.authType,
+         name = excluded.name,
+         email = excluded.email,
+         priority = excluded.priority,
+         isActive = excluded.isActive,
+         data = excluded.data,
+         createdAt = excluded.createdAt,
+         updatedAt = excluded.updatedAt`);
+        const runAll = dest.transaction((items) => {
+            for (const row of items) {
+                upsert.run(row);
+            }
+        });
+        runAll(rows);
+    }
+    finally {
+        dest.close();
+    }
+    return {
+        source: sourceDbPath,
+        dest: destDbPath,
+        imported: rows.length,
+        ids: rows.map((row) => row.id),
+    };
+}

package/dist/kiro-import.test.js

@@ -0,0 +1,125 @@
+import assert from "node:assert/strict";
+import { mkdtempSync, rmSync } from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import test from "node:test";
+import BetterSqlite3 from "better-sqlite3";
+import { importKiroAccounts, KiroImportError, PROVIDER_CONNECTIONS_DDL } from "./kiro-import.js";
+function makeSourceDb(dir) {
+    const dbPath = path.join(dir, "source.sqlite");
+    const db = new BetterSqlite3(dbPath);
+    db.exec(PROVIDER_CONNECTIONS_DDL);
+    const insert = db.prepare(`INSERT INTO providerConnections
+       (id, provider, authType, name, email, priority, isActive, data, createdAt, updatedAt)
+     VALUES (@id, @provider, @authType, @name, @email, @priority, @isActive, @data, @createdAt, @updatedAt)`);
+    insert.run({
+        id: "acct-1",
+        provider: "kiro",
+        authType: "oauth",
+        name: "Account 1",
+        email: null,
+        priority: 1,
+        isActive: 1,
+        data: JSON.stringify({ accessToken: "a1", refreshToken: "r1", providerSpecificData: { region: "us-east-1" } }),
+        createdAt: "2026-01-01T00:00:00.000Z",
+        updatedAt: "2026-01-01T00:00:00.000Z",
+    });
+    insert.run({
+        id: "acct-2",
+        provider: "kiro",
+        authType: "oauth",
+        name: "Account 2",
+        email: null,
+        priority: 2,
+        isActive: 1,
+        data: JSON.stringify({ accessToken: "a2", refreshToken: "r2", providerSpecificData: {} }),
+        createdAt: "2026-01-02T00:00:00.000Z",
+        updatedAt: "2026-01-02T00:00:00.000Z",
+    });
+    // A non-kiro row that must NOT be copied.
+    insert.run({
+        id: "other-1",
+        provider: "cursor",
+        authType: "oauth",
+        name: "Cursor",
+        email: null,
+        priority: 1,
+        isActive: 1,
+        data: JSON.stringify({ accessToken: "x" }),
+        createdAt: "2026-01-03T00:00:00.000Z",
+        updatedAt: "2026-01-03T00:00:00.000Z",
+    });
+    db.close();
+    return dbPath;
+}
+function readDest(destPath) {
+    const db = new BetterSqlite3(destPath, { readonly: true });
+    const rows = db.prepare("SELECT * FROM providerConnections ORDER BY id").all();
+    db.close();
+    return rows;
+}
+test("importKiroAccounts copies only kiro rows verbatim", () => {
+    const dir = mkdtempSync(path.join(os.tmpdir(), "kiro-import-"));
+    try {
+        const source = makeSourceDb(dir);
+        const dest = path.join(dir, "nested", "kiro.sqlite");
+        const result = importKiroAccounts({ sourceDbPath: source, destDbPath: dest });
+        assert.equal(result.imported, 2);
+        assert.deepEqual(result.ids.sort(), ["acct-1", "acct-2"]);
+        const rows = readDest(dest);
+        assert.equal(rows.length, 2);
+        assert.equal(rows[0].id, "acct-1");
+        assert.equal(rows[0].provider, "kiro");
+        assert.equal(rows[0].data, JSON.stringify({ accessToken: "a1", refreshToken: "r1", providerSpecificData: { region: "us-east-1" } }));
+        assert.ok(!rows.some((r) => r.provider === "cursor"));
+    }
+    finally {
+        rmSync(dir, { recursive: true, force: true });
+    }
+});
+test("importKiroAccounts upserts on re-import (re-syncs from source)", () => {
+    const dir = mkdtempSync(path.join(os.tmpdir(), "kiro-import-"));
+    try {
+        const source = makeSourceDb(dir);
+        const dest = path.join(dir, "kiro.sqlite");
+        importKiroAccounts({ sourceDbPath: source, destDbPath: dest });
+        // Simulate the proxy refreshing a token in the dest DB.
+        const destDb = new BetterSqlite3(dest);
+        destDb
+            .prepare("UPDATE providerConnections SET data = ? WHERE id = ?")
+            .run(JSON.stringify({ accessToken: "PROXY_REFRESHED" }), "acct-1");
+        destDb.close();
+        // Re-import should overwrite with the source value and not duplicate rows.
+        const result = importKiroAccounts({ sourceDbPath: source, destDbPath: dest });
+        assert.equal(result.imported, 2);
+        const rows = readDest(dest);
+        assert.equal(rows.length, 2);
+        const acct1 = rows.find((r) => r.id === "acct-1");
+        assert.match(String(acct1?.data), /"accessToken":"a1"/);
+    }
+    finally {
+        rmSync(dir, { recursive: true, force: true });
+    }
+});
+test("importKiroAccounts rejects identical source and dest", () => {
+    const dir = mkdtempSync(path.join(os.tmpdir(), "kiro-import-"));
+    try {
+        const source = makeSourceDb(dir);
+        assert.throws(() => importKiroAccounts({ sourceDbPath: source, destDbPath: source }), (error) => error instanceof KiroImportError);
+    }
+    finally {
+        rmSync(dir, { recursive: true, force: true });
+    }
+});
+test("importKiroAccounts throws when the source DB is missing", () => {
+    const dir = mkdtempSync(path.join(os.tmpdir(), "kiro-import-"));
+    try {
+        assert.throws(() => importKiroAccounts({
+            sourceDbPath: path.join(dir, "nope.sqlite"),
+            destDbPath: path.join(dir, "kiro.sqlite"),
+        }), (error) => error instanceof KiroImportError);
+    }
+    finally {
+        rmSync(dir, { recursive: true, force: true });
+    }
+});