responses-proxy 0.1.0

package/dist/billing.test.js

@@ -0,0 +1,228 @@
+import assert from "node:assert/strict";
+import { mkdtempSync, rmSync } from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import test from "node:test";
+import { BillingRepository } from "./billing.js";
+function withRepository(fn) {
+    const dir = mkdtempSync(path.join(os.tmpdir(), "billing-repo-"));
+    try {
+        fn(BillingRepository.create(path.join(dir, "billing.sqlite")));
+    }
+    finally {
+        rmSync(dir, { recursive: true, force: true });
+    }
+}
+test("BillingRepository seeds default plans", () => {
+    withRepository((repo) => {
+        const plans = repo.listPlans();
+        assert.equal(plans.some((plan) => plan.id === "basic"), true);
+        assert.equal(plans.length, 1);
+        assert.equal(plans[0]?.priceCents, 5_000);
+        assert.equal(plans[0]?.currency, "VND");
+        assert.equal(plans[0]?.monthlyTokenLimit, 10_000_000);
+    });
+});
+test("BillingRepository grants subscription and active entitlement", () => {
+    withRepository((repo) => {
+        const granted = repo.grantSubscription({
+            workspaceId: "workspace-1",
+            planId: "basic",
+            days: 30,
+            now: new Date("2026-04-27T00:00:00.000Z"),
+        });
+        assert.equal(granted.subscription.workspaceId, "workspace-1");
+        assert.equal(granted.subscription.planId, "basic");
+        assert.equal(granted.entitlement.workspaceId, "workspace-1");
+        assert.equal(granted.entitlement.status, "active");
+        assert.equal(repo.getActiveEntitlementForWorkspace("workspace-1", new Date("2026-04-28T00:00:00.000Z"))?.id, granted.entitlement.id);
+    });
+});
+test("BillingRepository keeps renewed entitlement pending until the current period ends", () => {
+    withRepository((repo) => {
+        const first = repo.grantSubscription({
+            workspaceId: "workspace-renew",
+            planId: "basic",
+            days: 30,
+            now: new Date("2026-04-01T00:00:00.000Z"),
+        });
+        const renewed = repo.grantSubscription({
+            workspaceId: "workspace-renew",
+            planId: "basic",
+            days: 30,
+            now: new Date("2026-04-15T00:00:00.000Z"),
+        });
+        assert.equal(renewed.subscription.currentPeriodStart, "2026-05-01T00:00:00.000Z");
+        assert.equal(renewed.entitlement.validFrom, "2026-05-01T00:00:00.000Z");
+        assert.equal(repo.getActiveEntitlementForWorkspace("workspace-renew", new Date("2026-04-20T00:00:00.000Z"))?.id, first.entitlement.id);
+        assert.equal(repo.getActiveEntitlementForWorkspace("workspace-renew", new Date("2026-05-02T00:00:00.000Z"))?.id, renewed.entitlement.id);
+    });
+});
+test("BillingRepository expires outdated entitlements and subscriptions", () => {
+    withRepository((repo) => {
+        repo.grantSubscription({
+            workspaceId: "workspace-1",
+            planId: "basic",
+            days: 1,
+            now: new Date("2026-04-27T00:00:00.000Z"),
+        });
+        const changes = repo.expireEntitlements(new Date("2026-04-29T00:00:00.000Z"));
+        assert.equal(changes, 1);
+        assert.equal(repo.getActiveEntitlementForWorkspace("workspace-1", new Date("2026-04-29T00:00:00.000Z")), undefined);
+        assert.equal(repo.getLatestSubscriptionForWorkspace("workspace-1")?.status, "expired");
+    });
+});
+test("BillingRepository tracks entitlement usage totals", () => {
+    withRepository((repo) => {
+        const granted = repo.grantSubscription({
+            workspaceId: "workspace-usage",
+            planId: "basic",
+            days: 30,
+            now: new Date("2026-04-27T00:00:00.000Z"),
+        });
+        repo.incrementEntitlementUsage({
+            entitlementId: granted.entitlement.id,
+            workspaceId: "workspace-usage",
+            customerApiKeyId: "key-1",
+            inputTokens: 10,
+            outputTokens: 5,
+            totalTokens: 15,
+            now: new Date("2026-04-27T01:00:00.000Z"),
+        });
+        const usage = repo.incrementEntitlementUsage({
+            entitlementId: granted.entitlement.id,
+            workspaceId: "workspace-usage",
+            inputTokens: 4,
+            outputTokens: 6,
+            totalTokens: 10,
+            now: new Date("2026-04-27T02:00:00.000Z"),
+        });
+        assert.equal(usage.inputTokens, 14);
+        assert.equal(usage.outputTokens, 11);
+        assert.equal(usage.totalTokens, 25);
+        assert.equal(repo.getEntitlementUsage(granted.entitlement.id)?.totalTokens, 25);
+    });
+});
+test("BillingRepository returns the latest entitlement for expired workspaces", () => {
+    withRepository((repo) => {
+        repo.grantSubscription({
+            workspaceId: "workspace-expired",
+            planId: "basic",
+            days: 1,
+            now: new Date("2026-04-27T00:00:00.000Z"),
+        });
+        repo.expireEntitlements(new Date("2026-04-29T00:00:00.000Z"));
+        const latest = repo.getLatestEntitlementForWorkspace("workspace-expired");
+        assert.ok(latest);
+        assert.equal(latest.status, "expired");
+    });
+});
+test("BillingRepository dedupes duplicate open renewal requests", () => {
+    withRepository((repo) => {
+        const first = repo.createRenewalRequest({
+            workspaceId: "workspace-1",
+            telegramUserId: "42",
+            requestedPlanId: "basic",
+            requestedDays: 30,
+            now: new Date("2026-04-27T00:00:00.000Z"),
+        });
+        const second = repo.createRenewalRequest({
+            workspaceId: "workspace-1",
+            telegramUserId: "42",
+            requestedPlanId: "basic",
+            requestedDays: 30,
+            now: new Date("2026-04-27T01:00:00.000Z"),
+        });
+        assert.equal(first.created, true);
+        assert.equal(second.created, false);
+        assert.equal(first.request.id, second.request.id);
+        assert.equal(repo.listRenewalRequests("open").length, 1);
+    });
+});
+test("BillingRepository keeps token top-up requests separate from renewals", () => {
+    withRepository((repo) => {
+        const renewal = repo.createRenewalRequest({
+            workspaceId: "workspace-kind",
+            telegramUserId: "42",
+            requestedPlanId: "basic",
+            requestedDays: 1,
+        });
+        const topup = repo.createRenewalRequest({
+            workspaceId: "workspace-kind",
+            telegramUserId: "42",
+            kind: "token_topup",
+            requestedTokenDelta: 1_000,
+            requestedTokenLotDays: 7,
+            priceVnd: 5_000,
+        });
+        const duplicateTopup = repo.createRenewalRequest({
+            workspaceId: "workspace-kind",
+            telegramUserId: "42",
+            kind: "token_topup",
+            requestedTokenDelta: 1_000,
+            requestedTokenLotDays: 7,
+            priceVnd: 5_000,
+        });
+        assert.equal(renewal.created, true);
+        assert.equal(topup.created, true);
+        assert.equal(duplicateTopup.created, false);
+        assert.equal(topup.request.kind, "token_topup");
+        assert.equal(topup.request.requestedTokenDelta, 1_000);
+        assert.equal(topup.request.requestedTokenLotDays, 7);
+    });
+});
+test("BillingRepository consumes active token lots by earliest expiry first", () => {
+    withRepository((repo) => {
+        const workspaceId = "workspace-lots";
+        const first = repo.createTokenTopUpLot({
+            workspaceId,
+            tokenDelta: 100,
+            days: 1,
+            now: new Date("2026-04-27T00:00:00.000Z"),
+        });
+        const second = repo.createTokenTopUpLot({
+            workspaceId,
+            tokenDelta: 200,
+            days: 2,
+            now: new Date("2026-04-27T00:00:00.000Z"),
+        });
+        repo.consumeWorkspaceUsage({
+            workspaceId,
+            customerApiKeyId: "key-1",
+            inputTokens: 60,
+            outputTokens: 90,
+            totalTokens: 150,
+            now: new Date("2026-04-27T01:00:00.000Z"),
+        });
+        assert.equal(repo.getEntitlementUsage(first.id)?.totalTokens, 100);
+        assert.equal(repo.getEntitlementUsage(second.id)?.totalTokens, 50);
+        assert.equal((repo.getEntitlementUsage(first.id)?.inputTokens ?? 0) + (repo.getEntitlementUsage(second.id)?.inputTokens ?? 0), 60);
+        assert.equal((repo.getEntitlementUsage(first.id)?.outputTokens ?? 0) + (repo.getEntitlementUsage(second.id)?.outputTokens ?? 0), 90);
+        assert.equal(repo.getUsableActiveEntitlementForWorkspace(workspaceId, new Date("2026-04-27T01:00:00.000Z"))?.id, second.id);
+    });
+});
+test("closing a renewal request does not alter entitlement", () => {
+    withRepository((repo) => {
+        const granted = repo.grantSubscription({
+            workspaceId: "workspace-close",
+            planId: "basic",
+            days: 30,
+            now: new Date("2026-04-27T00:00:00.000Z"),
+        });
+        const request = repo.createRenewalRequest({
+            workspaceId: "workspace-close",
+            telegramUserId: "99",
+            requestedPlanId: "basic",
+            requestedDays: 15,
+            now: new Date("2026-04-27T01:00:00.000Z"),
+        });
+        const closed = repo.closeRenewalRequest({
+            id: request.request.id,
+            resolution: "manual-close",
+            now: new Date("2026-04-27T02:00:00.000Z"),
+        });
+        assert.equal(closed?.status, "closed");
+        assert.equal(closed?.resolution, "manual-close");
+        assert.equal(repo.getActiveEntitlementForWorkspace("workspace-close", new Date("2026-04-27T02:00:00.000Z"))?.id, granted.entitlement.id);
+    });
+});

package/dist/chatgpt-oauth-store.js

@@ -0,0 +1,240 @@
+import { mkdirSync } from "node:fs";
+import path from "node:path";
+import BetterSqlite3 from "better-sqlite3";
+export class ChatGptOAuthStore {
+    db;
+    constructor(db) {
+        this.db = db;
+    }
+    static create(dbFile) {
+        mkdirSync(path.dirname(dbFile), { recursive: true });
+        const db = new BetterSqlite3(dbFile);
+        ensureChatGptOAuthSchema(db);
+        return new ChatGptOAuthStore(db);
+    }
+    createSession(input) {
+        this.ensureSchema();
+        const now = input.now ?? new Date();
+        const expiresAt = new Date(now.getTime() + (input.ttlMs ?? 10 * 60 * 1000)).toISOString();
+        this.db
+            .prepare(`INSERT INTO chatgpt_oauth_sessions
+          (state, code_verifier, redirect_uri, status, error_message, created_at, expires_at)
+         VALUES (?, ?, ?, 'pending', NULL, ?, ?)`)
+            .run(input.state, input.codeVerifier, input.redirectUri, now.toISOString(), expiresAt);
+        return {
+            state: input.state,
+            codeVerifier: input.codeVerifier,
+            redirectUri: input.redirectUri,
+            status: "pending",
+            errorMessage: null,
+            createdAt: now.toISOString(),
+            expiresAt,
+        };
+    }
+    consumeSession(state, now = new Date()) {
+        this.ensureSchema();
+        const row = this.db
+            .prepare("SELECT * FROM chatgpt_oauth_sessions WHERE state = ?")
+            .get(state);
+        if (!row) {
+            throw new Error("Unknown or expired ChatGPT OAuth state");
+        }
+        const session = mapSessionRow(row);
+        if (session.status !== "pending") {
+            throw new Error("ChatGPT OAuth session is not pending");
+        }
+        if (Date.parse(session.expiresAt) <= now.getTime()) {
+            this.markSessionError(state, "OAuth session expired");
+            throw new Error("ChatGPT OAuth session expired");
+        }
+        this.db
+            .prepare("UPDATE chatgpt_oauth_sessions SET status = 'consumed' WHERE state = ?")
+            .run(state);
+        return session;
+    }
+    markSessionError(state, message) {
+        this.ensureSchema();
+        this.db
+            .prepare(`UPDATE chatgpt_oauth_sessions
+         SET status = 'error', error_message = ?
+         WHERE state = ? AND status = 'pending'`)
+            .run(message, state);
+    }
+    upsertAccount(bundle, now = new Date()) {
+        this.ensureSchema();
+        const id = buildAccountId(bundle);
+        const existing = this.getAccount(id);
+        const createdAt = existing?.createdAt ?? now.toISOString();
+        const updatedAt = now.toISOString();
+        this.db
+            .prepare(`INSERT INTO chatgpt_oauth_accounts
+          (id, email, account_id, id_token, access_token, refresh_token, expires_at,
+           last_refresh_at, disabled, created_at, updated_at)
+         VALUES (?, ?, ?, ?, ?, ?, ?, ?, 0, ?, ?)
+         ON CONFLICT(id) DO UPDATE SET
+           email = excluded.email,
+           account_id = excluded.account_id,
+           id_token = excluded.id_token,
+           access_token = excluded.access_token,
+           refresh_token = excluded.refresh_token,
+           expires_at = excluded.expires_at,
+           last_refresh_at = excluded.last_refresh_at,
+           disabled = 0,
+           updated_at = excluded.updated_at`)
+            .run(id, bundle.email, bundle.accountId, bundle.idToken, bundle.accessToken, bundle.refreshToken, bundle.expiresAt, bundle.lastRefreshAt, createdAt, updatedAt);
+        return this.getAccountOrThrow(id);
+    }
+    updateTokens(id, bundle, now = new Date()) {
+        this.ensureSchema();
+        this.db
+            .prepare(`UPDATE chatgpt_oauth_accounts
+         SET email = ?, account_id = ?, id_token = ?, access_token = ?, refresh_token = ?,
+             expires_at = ?, last_refresh_at = ?, updated_at = ?
+         WHERE id = ?`)
+            .run(bundle.email, bundle.accountId, bundle.idToken, bundle.accessToken, bundle.refreshToken, bundle.expiresAt, bundle.lastRefreshAt, now.toISOString(), id);
+        return this.getAccountOrThrow(id);
+    }
+    listAccountsForUi() {
+        this.ensureSchema();
+        return this.listAccounts().map(redactAccount);
+    }
+    getRotationMode() {
+        this.ensureSchema();
+        const row = this.db
+            .prepare("SELECT value FROM chatgpt_oauth_settings WHERE key = 'rotation_mode'")
+            .get();
+        return parseRotationMode(row?.value);
+    }
+    setRotationMode(value) {
+        this.ensureSchema();
+        const mode = parseRotationMode(value);
+        this.db
+            .prepare(`INSERT INTO chatgpt_oauth_settings (key, value)
+         VALUES ('rotation_mode', ?)
+         ON CONFLICT(key) DO UPDATE SET value = excluded.value`)
+            .run(mode);
+        return mode;
+    }
+    listAvailableAccounts() {
+        return this.listAccounts().filter((account) => !account.disabled);
+    }
+    getAccount(id) {
+        this.ensureSchema();
+        const row = this.db
+            .prepare("SELECT * FROM chatgpt_oauth_accounts WHERE id = ?")
+            .get(id);
+        return row ? mapAccountRow(row) : undefined;
+    }
+    disableAccount(id) {
+        this.ensureSchema();
+        const result = this.db
+            .prepare("UPDATE chatgpt_oauth_accounts SET disabled = 1, updated_at = ? WHERE id = ?")
+            .run(new Date().toISOString(), id);
+        return result.changes > 0;
+    }
+    enableAccount(id) {
+        this.ensureSchema();
+        const result = this.db
+            .prepare("UPDATE chatgpt_oauth_accounts SET disabled = 0, updated_at = ? WHERE id = ?")
+            .run(new Date().toISOString(), id);
+        return result.changes > 0;
+    }
+    deleteAccount(id) {
+        this.ensureSchema();
+        const result = this.db.prepare("DELETE FROM chatgpt_oauth_accounts WHERE id = ?").run(id);
+        return result.changes > 0;
+    }
+    getAccountOrThrow(id) {
+        const account = this.getAccount(id);
+        if (!account) {
+            throw new Error(`ChatGPT OAuth account ${id} not found`);
+        }
+        return account;
+    }
+    listAccounts() {
+        this.ensureSchema();
+        const rows = this.db
+            .prepare("SELECT * FROM chatgpt_oauth_accounts ORDER BY email, account_id, id")
+            .all();
+        return rows.map(mapAccountRow);
+    }
+    ensureSchema() {
+        ensureChatGptOAuthSchema(this.db);
+    }
+}
+export function redactAccount(account) {
+    const { idToken: _idToken, accessToken: _accessToken, refreshToken: _refreshToken, ...view } = account;
+    return view;
+}
+function ensureChatGptOAuthSchema(db) {
+    db.exec(`
+    CREATE TABLE IF NOT EXISTS chatgpt_oauth_accounts (
+      id TEXT PRIMARY KEY,
+      email TEXT,
+      account_id TEXT,
+      id_token TEXT NOT NULL,
+      access_token TEXT NOT NULL,
+      refresh_token TEXT NOT NULL,
+      expires_at TEXT NOT NULL,
+      last_refresh_at TEXT,
+      disabled INTEGER NOT NULL DEFAULT 0,
+      created_at TEXT NOT NULL,
+      updated_at TEXT NOT NULL
+    );
+
+    CREATE UNIQUE INDEX IF NOT EXISTS idx_chatgpt_oauth_accounts_account_id
+      ON chatgpt_oauth_accounts(account_id)
+      WHERE account_id IS NOT NULL AND account_id != '';
+
+    CREATE TABLE IF NOT EXISTS chatgpt_oauth_sessions (
+      state TEXT PRIMARY KEY,
+      code_verifier TEXT NOT NULL,
+      redirect_uri TEXT NOT NULL,
+      status TEXT NOT NULL,
+      error_message TEXT,
+      created_at TEXT NOT NULL,
+      expires_at TEXT NOT NULL
+    );
+
+    CREATE TABLE IF NOT EXISTS chatgpt_oauth_settings (
+      key TEXT PRIMARY KEY,
+      value TEXT NOT NULL
+    );
+  `);
+}
+function parseRotationMode(value) {
+    return value === "random" || value === "first_available" ? value : "round_robin";
+}
+function buildAccountId(bundle) {
+    const stableId = bundle.accountId || bundle.email;
+    if (stableId) {
+        return `chatgpt-oauth:${stableId}`;
+    }
+    return `chatgpt-oauth:${bundle.accessToken.slice(0, 16)}`;
+}
+function mapAccountRow(row) {
+    return {
+        id: row.id,
+        email: row.email ?? "",
+        accountId: row.account_id ?? "",
+        idToken: row.id_token,
+        accessToken: row.access_token,
+        refreshToken: row.refresh_token,
+        expiresAt: row.expires_at,
+        lastRefreshAt: row.last_refresh_at,
+        disabled: row.disabled === 1,
+        createdAt: row.created_at,
+        updatedAt: row.updated_at,
+    };
+}
+function mapSessionRow(row) {
+    return {
+        state: row.state,
+        codeVerifier: row.code_verifier,
+        redirectUri: row.redirect_uri,
+        status: row.status,
+        errorMessage: row.error_message,
+        createdAt: row.created_at,
+        expiresAt: row.expires_at,
+    };
+}

package/dist/chatgpt-oauth-store.test.js

@@ -0,0 +1,88 @@
+import assert from "node:assert/strict";
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import path from "node:path";
+import test from "node:test";
+import { ChatGptOAuthStore } from "./chatgpt-oauth-store.js";
+test("stores ChatGPT OAuth accounts without exposing token fields in UI views", () => {
+    const dir = mkdtempSync(path.join(tmpdir(), "responses-proxy-oauth-"));
+    try {
+        const store = ChatGptOAuthStore.create(path.join(dir, "app.db"));
+        const account = store.upsertAccount({
+            idToken: "id-token",
+            accessToken: "access-token",
+            refreshToken: "refresh-token",
+            accountId: "acct_123",
+            email: "user@example.com",
+            expiresAt: "2026-04-27T01:00:00.000Z",
+            lastRefreshAt: "2026-04-27T00:00:00.000Z",
+        }, new Date("2026-04-27T00:00:00.000Z"));
+        assert.equal(account.id, "chatgpt-oauth:acct_123");
+        assert.equal(account.accessToken, "access-token");
+        const [view] = store.listAccountsForUi();
+        assert.equal(view.id, "chatgpt-oauth:acct_123");
+        assert.equal(view.email, "user@example.com");
+        assert.equal("accessToken" in view, false);
+        assert.equal("refreshToken" in view, false);
+        assert.equal("idToken" in view, false);
+    }
+    finally {
+        rmSync(dir, { recursive: true, force: true });
+    }
+});
+test("rejects expired OAuth sessions", () => {
+    const dir = mkdtempSync(path.join(tmpdir(), "responses-proxy-oauth-"));
+    try {
+        const store = ChatGptOAuthStore.create(path.join(dir, "app.db"));
+        store.createSession({
+            state: "state",
+            codeVerifier: "verifier",
+            redirectUri: "http://localhost/callback",
+            ttlMs: 1,
+            now: new Date("2026-04-27T00:00:00.000Z"),
+        });
+        assert.throws(() => store.consumeSession("state", new Date("2026-04-27T00:00:01.000Z")), /expired/);
+    }
+    finally {
+        rmSync(dir, { recursive: true, force: true });
+    }
+});
+test("persists ChatGPT OAuth rotation mode", () => {
+    const dir = mkdtempSync(path.join(tmpdir(), "responses-proxy-oauth-"));
+    try {
+        const dbFile = path.join(dir, "app.db");
+        const store = ChatGptOAuthStore.create(dbFile);
+        assert.equal(store.getRotationMode(), "round_robin");
+        assert.equal(store.setRotationMode("random"), "random");
+        assert.equal(ChatGptOAuthStore.create(dbFile).getRotationMode(), "random");
+        assert.equal(store.setRotationMode("first_available"), "first_available");
+        assert.equal(store.setRotationMode("invalid"), "round_robin");
+    }
+    finally {
+        rmSync(dir, { recursive: true, force: true });
+    }
+});
+test("can disable and re-enable ChatGPT OAuth accounts", () => {
+    const dir = mkdtempSync(path.join(tmpdir(), "responses-proxy-oauth-"));
+    try {
+        const store = ChatGptOAuthStore.create(path.join(dir, "app.db"));
+        const account = store.upsertAccount({
+            idToken: "id-token",
+            accessToken: "access-token",
+            refreshToken: "refresh-token",
+            accountId: "acct_123",
+            email: "user@example.com",
+            expiresAt: "2026-04-27T01:00:00.000Z",
+            lastRefreshAt: "2026-04-27T00:00:00.000Z",
+        }, new Date("2026-04-27T00:00:00.000Z"));
+        assert.equal(store.disableAccount(account.id), true);
+        assert.equal(store.getAccount(account.id)?.disabled, true);
+        assert.equal(store.listAvailableAccounts().length, 0);
+        assert.equal(store.enableAccount(account.id), true);
+        assert.equal(store.getAccount(account.id)?.disabled, false);
+        assert.equal(store.listAvailableAccounts().length, 1);
+    }
+    finally {
+        rmSync(dir, { recursive: true, force: true });
+    }
+});

package/dist/chatgpt-oauth.js

@@ -0,0 +1,118 @@
+import { createHash, randomBytes } from "node:crypto";
+export function generateChatGptPkceCodes() {
+    const codeVerifier = base64UrlEncode(randomBytes(96));
+    const codeChallenge = base64UrlEncode(createHash("sha256").update(codeVerifier).digest());
+    return { codeVerifier, codeChallenge };
+}
+export function generateChatGptOAuthState() {
+    return base64UrlEncode(randomBytes(32));
+}
+export function buildChatGptAuthUrl(config, state, pkce) {
+    const url = new URL(config.CHATGPT_OAUTH_AUTH_URL);
+    url.searchParams.set("client_id", config.CHATGPT_OAUTH_CLIENT_ID);
+    url.searchParams.set("response_type", "code");
+    url.searchParams.set("redirect_uri", config.CHATGPT_OAUTH_REDIRECT_URI);
+    url.searchParams.set("scope", "openid email profile offline_access");
+    url.searchParams.set("state", state);
+    url.searchParams.set("code_challenge", pkce.codeChallenge);
+    url.searchParams.set("code_challenge_method", "S256");
+    url.searchParams.set("prompt", "login");
+    url.searchParams.set("id_token_add_organizations", "true");
+    url.searchParams.set("codex_cli_simplified_flow", "true");
+    return url.toString();
+}
+export async function exchangeChatGptCodeForTokens(config, code, redirectUri, codeVerifier, fetchFn = fetch, now = new Date()) {
+    const body = new URLSearchParams({
+        grant_type: "authorization_code",
+        client_id: config.CHATGPT_OAUTH_CLIENT_ID,
+        code,
+        redirect_uri: redirectUri,
+        code_verifier: codeVerifier,
+    });
+    return requestTokenBundle(config.CHATGPT_OAUTH_TOKEN_URL, body, fetchFn, now);
+}
+export async function refreshChatGptTokens(config, refreshToken, fetchFn = fetch, now = new Date()) {
+    const body = new URLSearchParams({
+        grant_type: "refresh_token",
+        client_id: config.CHATGPT_OAUTH_CLIENT_ID,
+        refresh_token: refreshToken,
+        scope: "openid profile email",
+    });
+    return requestTokenBundle(config.CHATGPT_OAUTH_TOKEN_URL, body, fetchFn, now);
+}
+export function parseChatGptJwtClaims(idToken) {
+    const [, payload] = idToken.split(".");
+    if (!payload) {
+        return {};
+    }
+    try {
+        const decoded = JSON.parse(Buffer.from(base64UrlToBase64(payload), "base64").toString("utf8"));
+        if (!decoded || typeof decoded !== "object") {
+            return {};
+        }
+        const openAiAuth = readObject(decoded["https://api.openai.com/auth"]);
+        return {
+            email: readString(decoded.email),
+            accountId: readString(openAiAuth?.account_id) ??
+                readString(openAiAuth?.accountId) ??
+                readString(decoded.account_id) ??
+                readString(decoded.accountId) ??
+                readString(decoded.sub),
+        };
+    }
+    catch {
+        return {};
+    }
+}
+async function requestTokenBundle(tokenUrl, body, fetchFn, now) {
+    const response = await fetchFn(tokenUrl, {
+        method: "POST",
+        headers: {
+            Accept: "application/json",
+            "Content-Type": "application/x-www-form-urlencoded",
+        },
+        body,
+    });
+    const text = await response.text();
+    if (!response.ok) {
+        throw new Error(`ChatGPT OAuth token request failed with ${response.status}: ${text}`);
+    }
+    const payload = JSON.parse(text);
+    return normalizeChatGptTokenBundle(payload, now);
+}
+export function normalizeChatGptTokenBundle(payload, now = new Date()) {
+    const idToken = requireString(payload.id_token, "id_token");
+    const accessToken = requireString(payload.access_token, "access_token");
+    const refreshToken = requireString(payload.refresh_token, "refresh_token");
+    const expiresIn = typeof payload.expires_in === "number" ? payload.expires_in : 3600;
+    const claims = parseChatGptJwtClaims(idToken);
+    return {
+        idToken,
+        accessToken,
+        refreshToken,
+        accountId: claims.accountId ?? "",
+        email: claims.email ?? "",
+        expiresAt: new Date(now.getTime() + expiresIn * 1000).toISOString(),
+        lastRefreshAt: now.toISOString(),
+    };
+}
+function requireString(value, field) {
+    if (typeof value !== "string" || !value.trim()) {
+        throw new Error(`ChatGPT OAuth token response missing ${field}`);
+    }
+    return value;
+}
+function readString(value) {
+    return typeof value === "string" && value.trim() ? value.trim() : undefined;
+}
+function readObject(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value)
+        ? value
+        : undefined;
+}
+function base64UrlEncode(bytes) {
+    return bytes.toString("base64url");
+}
+function base64UrlToBase64(value) {
+    return value.replace(/-/g, "+").replace(/_/g, "/");
+}