zidane 5.6.12 → 5.6.13

package/dist/{turn-operations-Dz_vp9En.js → turn-operations-6Yls2HuG.js}

@@ -1,12 +1,12 @@
-import { H as previewLine, R as fmtTokens, U as shortId, a as multiEdit, c as grep, d as resolveOldString, f as styleReplacementForVia, i as readFile$1, l as glob$1, n as createSpawnTool, o as listFiles, t as writeFile$1, u as edit, y as shell } from "./tools-CQuDw7Sw.js";
+import { H as previewLine, R as fmtTokens, U as shortId, a as multiEdit, c as grep, d as resolveOldString, f as styleReplacementForVia, i as readFile$1, l as glob$1, n as createSpawnTool, o as listFiles, t as writeFile$1, u as edit, y as shell } from "./tools-DE9pR_NG.js";
 import { c as errorMessage } from "./errors-DdZXnyXE.js";
 import { r as toolResultToText } from "./types-oKPBdCmL.js";
-import { D as joinSystemPrompt } from "./messages-BRrEqWzH.js";
+import { O as joinSystemPrompt } from "./messages-Dym8S_YH.js";
 import { r as normalizeMcpServers, t as connectMcpServers } from "./mcp-DGeB7-3D.js";
 import { a as discoverSkills } from "./interpolate-DM1UcKeQ.js";
 import { n as formatTokenUsage } from "./stats-Lc3zL3RM.js";
-import { n as definePreset, t as composePresets } from "./presets-B0JQGmDK.js";
-import { i as anthropic, n as openai, o as writeFileAtomic, r as cerebras, t as openrouter } from "./providers-f-2jAcUL.js";
+import { n as definePreset, t as composePresets } from "./presets-CZXS_87d.js";
+import { i as anthropic, n as openai, o as writeFileAtomic, r as cerebras, t as openrouter } from "./providers-beXyD9W9.js";
 import { createRequire } from "node:module";
 import { dirname, isAbsolute, join, posix, relative, resolve, sep } from "node:path";
 import { homedir, tmpdir } from "node:os";
@@ -14,9 +14,10 @@ import { spawn } from "node:child_process";
 import { chmodSync, createReadStream, createWriteStream, existsSync, mkdirSync, mkdtempSync, readFileSync, realpathSync, renameSync, rmSync, statSync, writeFileSync } from "node:fs";
 import { readdir, stat, writeFile } from "node:fs/promises";
 import { Buffer as Buffer$1 } from "node:buffer";
-import { getModel, getModels } from "@mariozechner/pi-ai";
-import { anthropicOAuthProvider, openaiCodexOAuthProvider } from "@mariozechner/pi-ai/oauth";
-import { createHash } from "node:crypto";
+import { getModel, getModels } from "@earendil-works/pi-ai";
+import { createServer } from "node:http";
+import { refreshAnthropicToken, refreshOpenAICodexToken } from "@earendil-works/pi-ai/oauth";
+import { createHash, randomBytes } from "node:crypto";
 import { createGunzip } from "node:zlib";
 import { createContext, useCallback, useContext, useEffect, useMemo, useRef, useState } from "react";
 import { jsx } from "react/jsx-runtime";
@@ -1300,7 +1301,631 @@ function readIfPresent(path, source) {
 	};
 }
 //#endregion
+//#region src/chat/oauth-page/pkce.ts
+/**
+* PKCE helper. Inlined here (rather than imported from pi-ai) because
+* `@earendil-works/pi-ai/oauth` does not re-export it, and we don't want
+* to reach into `node_modules/.../utils/oauth/pkce.js` — that's an
+* implementation-detail path that breaks on minor upstream rearrangements.
+*
+* Web Crypto API only. Works under Bun + Node 22+ without any node:crypto
+* import (matches pi-ai's own behavior). Output is base64url per RFC 7636.
+*/
+function base64UrlEncode(bytes) {
+	let binary = "";
+	for (const byte of bytes) binary += String.fromCharCode(byte);
+	return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+async function generatePkce() {
+	const verifierBytes = new Uint8Array(32);
+	crypto.getRandomValues(verifierBytes);
+	const verifier = base64UrlEncode(verifierBytes);
+	const data = new TextEncoder().encode(verifier);
+	const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+	return {
+		verifier,
+		challenge: base64UrlEncode(new Uint8Array(hashBuffer))
+	};
+}
+//#endregion
+//#region src/chat/oauth-page/server.ts
+const CALLBACK_HOST = process.env.PI_OAUTH_CALLBACK_HOST || "127.0.0.1";
+function buildRequestHandler(opts, pending) {
+	return (req, res) => {
+		try {
+			const url = new URL(req.url || "", "http://localhost");
+			if (url.pathname !== opts.path) {
+				respondError(res, 404, opts, "Callback route not found.");
+				return;
+			}
+			const error = url.searchParams.get("error");
+			if (error) {
+				respondError(res, 400, opts, `${opts.providerName} authentication did not complete.`, `Error: ${error}`);
+				return;
+			}
+			const code = url.searchParams.get("code");
+			const state = url.searchParams.get("state");
+			if (!code || !state) {
+				respondError(res, 400, opts, "Missing code or state parameter.");
+				return;
+			}
+			if (state !== opts.expectedState) {
+				respondError(res, 400, opts, "State mismatch.");
+				return;
+			}
+			res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+			res.end(opts.renderPage({
+				kind: "success",
+				provider: opts.providerName,
+				message: opts.successMessage
+			}));
+			pending.settle({
+				code,
+				state
+			});
+		} catch {
+			respondError(res, 500, opts, "Internal error while processing the callback.");
+		}
+	};
+}
+function respondError(res, status, opts, message, details) {
+	res.writeHead(status, { "Content-Type": "text/html; charset=utf-8" });
+	res.end(opts.renderPage({
+		kind: "error",
+		provider: opts.providerName,
+		message,
+		details
+	}));
+}
+function buildStubHandle(redirectUri, server) {
+	return {
+		redirectUri,
+		waitForCode: async () => null,
+		cancelWait: () => {},
+		close: () => {
+			try {
+				server?.close();
+			} catch {}
+		}
+	};
+}
+/**
+* Start the loopback HTTP callback server. The returned handle is the
+* caller's contract — they `await waitForCode()`, race it against manual
+* paste, then `close()` in a `finally`.
+*/
+async function startCallbackServer(opts) {
+	const onListenError = opts.onListenError ?? "reject";
+	const redirectUri = `http://localhost:${opts.port}${opts.path}`;
+	return new Promise((resolve, reject) => {
+		let settled = false;
+		const pending = { settle: () => {} };
+		const waitPromise = new Promise((resolveWait) => {
+			pending.settle = (value) => {
+				if (settled) return;
+				settled = true;
+				resolveWait(value);
+			};
+		});
+		const server = createServer(buildRequestHandler(opts, pending));
+		server.on("error", (err) => {
+			if (onListenError === "resolveWithStub") {
+				pending.settle(null);
+				resolve(buildStubHandle(redirectUri, server));
+				return;
+			}
+			reject(err);
+		});
+		server.listen(opts.port, CALLBACK_HOST, () => {
+			resolve({
+				redirectUri,
+				waitForCode: () => waitPromise,
+				cancelWait: () => pending.settle(null),
+				close: () => {
+					try {
+						server.close();
+					} catch {}
+				}
+			});
+		});
+	});
+}
+//#endregion
+//#region src/chat/oauth-page/anthropic.ts
+const CLIENT_ID$1 = atob("OWQxYzI1MGEtZTYxYi00NGQ5LTg4ZWQtNTk0NGQxOTYyZjVl");
+const AUTHORIZE_URL$1 = "https://claude.ai/oauth/authorize";
+const TOKEN_URL$1 = "https://platform.claude.com/v1/oauth/token";
+const CALLBACK_PORT$1 = 53692;
+const CALLBACK_PATH$1 = "/callback";
+const SCOPES = "org:create_api_key user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload";
+const PROVIDER_NAME$1 = "Anthropic";
+/**
+* Parse what the user pasted into the manual-code prompt. Accepts:
+*   - the bare authorization code
+*   - the full `redirect_uri?code=...&state=...` URL
+*   - the `code#state` shorthand Anthropic surfaces on the page
+*   - a raw query string with `code=...&state=...`
+*
+* Matches pi-ai's parse table so an existing user's muscle memory still works.
+*/
+function parseAuthorizationInput$1(input) {
+	const value = input.trim();
+	if (!value) return {};
+	try {
+		const url = new URL(value);
+		return {
+			code: url.searchParams.get("code") ?? void 0,
+			state: url.searchParams.get("state") ?? void 0
+		};
+	} catch {}
+	if (value.includes("#")) {
+		const [code, state] = value.split("#", 2);
+		return {
+			code,
+			state
+		};
+	}
+	if (value.includes("code=")) {
+		const params = new URLSearchParams(value);
+		return {
+			code: params.get("code") ?? void 0,
+			state: params.get("state") ?? void 0
+		};
+	}
+	return { code: value };
+}
+async function postJson(url, body) {
+	const response = await fetch(url, {
+		method: "POST",
+		headers: {
+			"Content-Type": "application/json",
+			"Accept": "application/json"
+		},
+		body: JSON.stringify(body),
+		signal: AbortSignal.timeout(3e4)
+	});
+	const responseBody = await response.text();
+	if (!response.ok) throw new Error(`HTTP request failed. status=${response.status}; url=${url}; body=${responseBody}`);
+	return responseBody;
+}
+async function exchangeAuthorizationCode$1(code, state, verifier, redirectUri) {
+	const responseBody = await postJson(TOKEN_URL$1, {
+		grant_type: "authorization_code",
+		client_id: CLIENT_ID$1,
+		code,
+		state,
+		redirect_uri: redirectUri,
+		code_verifier: verifier
+	});
+	const tokenData = JSON.parse(responseBody);
+	return {
+		refresh: tokenData.refresh_token,
+		access: tokenData.access_token,
+		expires: Date.now() + tokenData.expires_in * 1e3 - 300 * 1e3
+	};
+}
+async function loginAnthropicWithCustomPage(options) {
+	const { verifier, challenge } = await generatePkce();
+	const server = await startCallbackServer({
+		port: CALLBACK_PORT$1,
+		path: CALLBACK_PATH$1,
+		expectedState: verifier,
+		providerName: PROVIDER_NAME$1,
+		renderPage: options.renderPage,
+		successMessage: "Anthropic authentication completed. You can close this window.",
+		onListenError: "reject"
+	});
+	let code;
+	let state;
+	try {
+		const authParams = new URLSearchParams({
+			code: "true",
+			client_id: CLIENT_ID$1,
+			response_type: "code",
+			redirect_uri: server.redirectUri,
+			scope: SCOPES,
+			code_challenge: challenge,
+			code_challenge_method: "S256",
+			state: verifier
+		});
+		options.onAuth({
+			url: `${AUTHORIZE_URL$1}?${authParams.toString()}`,
+			instructions: "Complete login in your browser. If the browser is on another machine, paste the final redirect URL here."
+		});
+		if (options.onManualCodeInput) {
+			let manualInput;
+			let manualError;
+			const manualPromise = options.onManualCodeInput().then((input) => {
+				manualInput = input;
+				server.cancelWait();
+			}).catch((err) => {
+				manualError = err instanceof Error ? err : new Error(String(err));
+				server.cancelWait();
+			});
+			const result = await server.waitForCode();
+			if (manualError) throw manualError;
+			if (result?.code) {
+				code = result.code;
+				state = result.state;
+			} else if (manualInput) {
+				const parsed = parseAuthorizationInput$1(manualInput);
+				if (parsed.state && parsed.state !== verifier) throw new Error("OAuth state mismatch");
+				code = parsed.code;
+				state = parsed.state ?? verifier;
+			}
+			if (!code) {
+				await manualPromise;
+				if (manualError) throw manualError;
+				if (manualInput) {
+					const parsed = parseAuthorizationInput$1(manualInput);
+					if (parsed.state && parsed.state !== verifier) throw new Error("OAuth state mismatch");
+					code = parsed.code;
+					state = parsed.state ?? verifier;
+				}
+			}
+		} else {
+			const result = await server.waitForCode();
+			if (result?.code) {
+				code = result.code;
+				state = result.state;
+			}
+		}
+		if (!code) {
+			const parsed = parseAuthorizationInput$1(await options.onPrompt({
+				message: "Paste the authorization code or full redirect URL:",
+				placeholder: server.redirectUri
+			}));
+			if (parsed.state && parsed.state !== verifier) throw new Error("OAuth state mismatch");
+			code = parsed.code;
+			state = parsed.state ?? verifier;
+		}
+		if (!code) throw new Error("Missing authorization code");
+		if (!state) throw new Error("Missing OAuth state");
+		options.onProgress?.("Exchanging authorization code for tokens...");
+		return await exchangeAuthorizationCode$1(code, state, verifier, server.redirectUri);
+	} finally {
+		server.close();
+	}
+}
+/**
+* Build an `OAuthProviderInterface` that behaves identically to pi-ai's
+* `anthropicOAuthProvider` except for the callback page HTML. Drop this
+* onto `ProviderDescriptor.oauthProvider` to override.
+*/
+function createAnthropicOAuthProviderWithCustomPage(renderPage) {
+	return {
+		id: "anthropic",
+		name: "Anthropic (Claude Pro/Max)",
+		usesCallbackServer: true,
+		async login(callbacks) {
+			return loginAnthropicWithCustomPage({
+				renderPage,
+				onAuth: callbacks.onAuth,
+				onPrompt: callbacks.onPrompt,
+				onProgress: callbacks.onProgress,
+				onManualCodeInput: callbacks.onManualCodeInput
+			});
+		},
+		async refreshToken(credentials) {
+			return refreshAnthropicToken(credentials.refresh);
+		},
+		getApiKey(credentials) {
+			return credentials.access;
+		}
+	};
+}
+//#endregion
+//#region src/chat/oauth-page/openai-codex.ts
+const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+const AUTHORIZE_URL = "https://auth.openai.com/oauth/authorize";
+const TOKEN_URL = "https://auth.openai.com/oauth/token";
+const CALLBACK_PORT = 1455;
+const CALLBACK_PATH = "/auth/callback";
+const SCOPE = "openid profile email offline_access";
+const JWT_CLAIM_PATH = "https://api.openai.com/auth";
+const PROVIDER_NAME = "OpenAI Codex";
+function createState() {
+	return randomBytes(16).toString("hex");
+}
+function parseAuthorizationInput(input) {
+	const value = input.trim();
+	if (!value) return {};
+	try {
+		const url = new URL(value);
+		return {
+			code: url.searchParams.get("code") ?? void 0,
+			state: url.searchParams.get("state") ?? void 0
+		};
+	} catch {}
+	if (value.includes("#")) {
+		const [code, state] = value.split("#", 2);
+		return {
+			code,
+			state
+		};
+	}
+	if (value.includes("code=")) {
+		const params = new URLSearchParams(value);
+		return {
+			code: params.get("code") ?? void 0,
+			state: params.get("state") ?? void 0
+		};
+	}
+	return { code: value };
+}
+function decodeJwt(token) {
+	try {
+		const parts = token.split(".");
+		if (parts.length !== 3) return null;
+		const payload = parts[1] ?? "";
+		const decoded = atob(payload);
+		return JSON.parse(decoded);
+	} catch {
+		return null;
+	}
+}
+function getAccountId(accessToken) {
+	const accountId = (decodeJwt(accessToken)?.[JWT_CLAIM_PATH])?.chatgpt_account_id;
+	return typeof accountId === "string" && accountId.length > 0 ? accountId : null;
+}
+async function exchangeAuthorizationCode(code, verifier, redirectUri) {
+	const response = await fetch(TOKEN_URL, {
+		method: "POST",
+		headers: { "Content-Type": "application/x-www-form-urlencoded" },
+		body: new URLSearchParams({
+			grant_type: "authorization_code",
+			client_id: CLIENT_ID,
+			code,
+			code_verifier: verifier,
+			redirect_uri: redirectUri
+		})
+	});
+	if (!response.ok) {
+		const text = await response.text().catch(() => "");
+		return {
+			type: "failed",
+			message: `OpenAI Codex token exchange failed (${response.status}): ${text || response.statusText}`
+		};
+	}
+	const json = await response.json();
+	if (!json.access_token || !json.refresh_token || typeof json.expires_in !== "number") return {
+		type: "failed",
+		message: `OpenAI Codex token exchange response missing fields: ${JSON.stringify(json)}`
+	};
+	return {
+		type: "success",
+		access: json.access_token,
+		refresh: json.refresh_token,
+		expires: Date.now() + json.expires_in * 1e3
+	};
+}
+async function loginOpenAICodexWithCustomPage(options) {
+	const { verifier, challenge } = await generatePkce();
+	const state = createState();
+	const originator = options.originator ?? "pi";
+	const server = await startCallbackServer({
+		port: CALLBACK_PORT,
+		path: CALLBACK_PATH,
+		expectedState: state,
+		providerName: PROVIDER_NAME,
+		renderPage: options.renderPage,
+		successMessage: "OpenAI authentication completed. You can close this window.",
+		onListenError: "resolveWithStub"
+	});
+	const authUrl = new URL(AUTHORIZE_URL);
+	authUrl.searchParams.set("response_type", "code");
+	authUrl.searchParams.set("client_id", CLIENT_ID);
+	authUrl.searchParams.set("redirect_uri", server.redirectUri);
+	authUrl.searchParams.set("scope", SCOPE);
+	authUrl.searchParams.set("code_challenge", challenge);
+	authUrl.searchParams.set("code_challenge_method", "S256");
+	authUrl.searchParams.set("state", state);
+	authUrl.searchParams.set("id_token_add_organizations", "true");
+	authUrl.searchParams.set("codex_cli_simplified_flow", "true");
+	authUrl.searchParams.set("originator", originator);
+	options.onAuth({
+		url: authUrl.toString(),
+		instructions: "A browser window should open. Complete login to finish."
+	});
+	let code;
+	try {
+		if (options.onManualCodeInput) {
+			let manualCode;
+			let manualError;
+			const manualPromise = options.onManualCodeInput().then((input) => {
+				manualCode = input;
+				server.cancelWait();
+			}).catch((err) => {
+				manualError = err instanceof Error ? err : new Error(String(err));
+				server.cancelWait();
+			});
+			const result = await server.waitForCode();
+			if (manualError) throw manualError;
+			if (result?.code) code = result.code;
+			else if (manualCode) {
+				const parsed = parseAuthorizationInput(manualCode);
+				if (parsed.state && parsed.state !== state) throw new Error("State mismatch");
+				code = parsed.code;
+			}
+			if (!code) {
+				await manualPromise;
+				if (manualError) throw manualError;
+				if (manualCode) {
+					const parsed = parseAuthorizationInput(manualCode);
+					if (parsed.state && parsed.state !== state) throw new Error("State mismatch");
+					code = parsed.code;
+				}
+			}
+		} else {
+			const result = await server.waitForCode();
+			if (result?.code) code = result.code;
+		}
+		if (!code) {
+			const parsed = parseAuthorizationInput(await options.onPrompt({ message: "Paste the authorization code (or full redirect URL):" }));
+			if (parsed.state && parsed.state !== state) throw new Error("State mismatch");
+			code = parsed.code;
+		}
+		if (!code) throw new Error("Missing authorization code");
+		const tokenResult = await exchangeAuthorizationCode(code, verifier, server.redirectUri);
+		if (tokenResult.type !== "success") throw new Error(tokenResult.message);
+		const accountId = getAccountId(tokenResult.access);
+		if (!accountId) throw new Error("Failed to extract accountId from token");
+		return {
+			access: tokenResult.access,
+			refresh: tokenResult.refresh,
+			expires: tokenResult.expires,
+			accountId
+		};
+	} finally {
+		server.close();
+	}
+}
+/**
+* Build an `OAuthProviderInterface` that behaves identically to pi-ai's
+* `openaiCodexOAuthProvider` except for the callback page HTML.
+*/
+function createOpenAICodexOAuthProviderWithCustomPage(renderPage) {
+	return {
+		id: "openai-codex",
+		name: "ChatGPT Plus/Pro (Codex Subscription)",
+		usesCallbackServer: true,
+		async login(callbacks) {
+			return loginOpenAICodexWithCustomPage({
+				renderPage,
+				onAuth: callbacks.onAuth,
+				onPrompt: callbacks.onPrompt,
+				onProgress: callbacks.onProgress,
+				onManualCodeInput: callbacks.onManualCodeInput
+			});
+		},
+		async refreshToken(credentials) {
+			return refreshOpenAICodexToken(credentials.refresh);
+		},
+		getApiKey(credentials) {
+			return credentials.access;
+		}
+	};
+}
+//#endregion
+//#region src/chat/oauth-page/render.ts
+function escapeHtml(value) {
+	return value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll("\"", "&quot;").replaceAll("'", "&#39;");
+}
+/**
+* Default zidane-themed page. Visually neutral but distinguishable from
+* pi-ai's stock page — dark background, mono headings, no logo (host can
+* pass a custom renderer to add one).
+*/
+const renderDefaultCallbackPage = (page) => {
+	const heading = escapeHtml(page.kind === "success" ? `Signed in to ${page.provider}` : `Could not sign in to ${page.provider}`);
+	const message = escapeHtml(page.message);
+	const details = page.details ? escapeHtml(page.details) : void 0;
+	return `<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>${heading}</title>
+  <style>
+    :root {
+      --text: #f4f4f5;
+      --text-dim: #a1a1aa;
+      --accent: ${page.kind === "success" ? "#22d3ee" : "#f87171"};
+      --page-bg: #0a0a0a;
+      --panel-bg: #131316;
+      --border: #27272a;
+      --font-sans: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+      --font-mono: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, monospace;
+    }
+    * { box-sizing: border-box; }
+    html { color-scheme: dark; }
+    body {
+      margin: 0;
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      padding: 24px;
+      background: var(--page-bg);
+      color: var(--text);
+      font-family: var(--font-sans);
+    }
+    main {
+      width: 100%;
+      max-width: 520px;
+      padding: 32px;
+      background: var(--panel-bg);
+      border: 1px solid var(--border);
+      border-radius: 12px;
+    }
+    .label {
+      font-family: var(--font-mono);
+      font-size: 12px;
+      letter-spacing: 0.08em;
+      text-transform: uppercase;
+      color: var(--accent);
+      margin-bottom: 12px;
+    }
+    h1 {
+      margin: 0 0 12px;
+      font-size: 22px;
+      font-weight: 600;
+      letter-spacing: -0.01em;
+      color: var(--text);
+    }
+    p {
+      margin: 0;
+      line-height: 1.6;
+      color: var(--text-dim);
+      font-size: 14px;
+    }
+    .details {
+      margin-top: 18px;
+      padding: 12px 14px;
+      background: var(--page-bg);
+      border: 1px solid var(--border);
+      border-radius: 8px;
+      font-family: var(--font-mono);
+      font-size: 12px;
+      color: var(--text-dim);
+      white-space: pre-wrap;
+      word-break: break-word;
+    }
+  </style>
+</head>
+<body>
+  <main>
+    <div class="label">zidane · OAuth · ${escapeHtml(page.provider)}</div>
+    <h1>${heading}</h1>
+    <p>${message}</p>
+    ${details ? `<div class="details">${details}</div>` : ""}
+  </main>
+</body>
+</html>`;
+};
+//#endregion
+//#region src/chat/oauth-page/index.ts
+/**
+* Bundle helper — returns both Anthropic + OpenAI Codex providers wired
+* with the same renderer. Hosts that want different renderers per provider
+* should call the individual `create…WithCustomPage` factories instead.
+*/
+function createCustomCallbackOAuthProviders(renderPage) {
+	return {
+		anthropic: createAnthropicOAuthProviderWithCustomPage(renderPage),
+		openaiCodex: createOpenAICodexOAuthProviderWithCustomPage(renderPage)
+	};
+}
+//#endregion
 //#region src/chat/providers.ts
+/**
+* pi-ai's stock Anthropic + Codex OAuth providers bake their own callback
+* HTML; we route both through `renderDefaultCallbackPage` so the post-redirect
+* page matches zidane's theme. The override lives in `src/chat/oauth-page/`
+* — see that folder's `index.ts` for the deletion path once pi-ai exposes
+* a `renderCallbackPage` hook upstream.
+*/
+const { anthropic: anthropicOAuthProvider, openaiCodex: openaiCodexOAuthProvider } = createCustomCallbackOAuthProviders(renderDefaultCallbackPage);
 /** Convenience accessor — returns `credentialFileKey ?? key`. */
 function credKeyOf(desc) {
 	return desc.credentialFileKey ?? desc.key;
@@ -9045,10 +9670,22 @@ async function runOAuthLogin(descriptor, options) {
 			options.onUrl(info.url, info.instructions);
 			tryOpenBrowser(info.url);
 		},
+		onDeviceCode: (info) => {
+			if (options.onDeviceCode) {
+				options.onDeviceCode(info);
+				return;
+			}
+			options.onProgress?.(`Device code: ${info.userCode} — open ${info.verificationUri}`);
+			tryOpenBrowser(info.verificationUri);
+		},
 		onPrompt: async (prompt) => {
 			if (!options.onPrompt) throw new Error(`OAuth provider "${descriptor.label}" requested user input ("${prompt.message}") but no onPrompt handler is wired.`);
 			return options.onPrompt(prompt);
 		},
+		onSelect: async (prompt) => {
+			if (options.onSelect) return options.onSelect(prompt);
+			return prompt.options[0]?.id;
+		},
 		onProgress: options.onProgress,
 		signal: options.signal
 	};
@@ -10965,4 +11602,4 @@ function countNeighbors(turnIds, turnId) {
 //#endregion
 export { mcpToolsCachePath as $, KEYBINDING_DEF_BY_ACTION as $n, getModelInfo as $r, CATPPUCCIN_FRAPPE as $t, getSafelist as A, useActiveTodos as Ai, turnSelectionOwnership as An, detectLibc as Ar, clipHintsToWidth as At, oauthUsesManualCodePaste as B, TOKEN_DISCIPLINE_DOCTRINE as Bi, splitLines as Bn, credentialsPath as Br, SETTINGS_CATEGORIES as Bt, resolveSessionExportTarget as C, getArchivedTodosForRun as Ci, saveState as Cn, tryOpenBrowser as Cr, isInteractionTool as Ct, useSafeModeQueue as D, pruneTodosByRun as Di, titleFromTurns as Dn, useUpdateCheck as Dr, useInteractionsActions as Dt, useSafeModeActions as E, pickActiveRunId as Ei, sumRunCosts as En, buildUpdateHint as Er, serializeInteractionResponse as Et, suggestSafelistEntry as F, INTERACTION_GUIDANCE as Fi, computeInlineDiff as Fn, resolvePlatformPackage as Fr, buildHints as Ft, indexOfEntry as G, mergeApprovalAndBodyOutcomes as Gn, writeCredentials as Gr, useSettings as Gt, supportsOAuth as H, buildPlanSystem as Hi, tokenize as Hn, readProviderCredential as Hr, SETTINGS_TOGGLES as Ht, writeProjects as I, INTERACTION_GUIDANCE_NO_PROMPTS as Ii, computeLineDiff as In, AUTO_COMPACT_MIN_GROWTH_FRACTION as Ir, shortChord as It, discoverProjectMcps as J, rewriteMultiEditHeader as Jn, anthropicDescriptor as Jr, resolveChipColor as Jt, buildMcpServers as K, parseEditOutcomesFromResult as Kn, BUILTIN_PROVIDERS as Kr, BUILTIN_THEMES as Kt, splitPromptSegments as L, PLAN_MODE_DOCTRINE as Li, extractEditPayload as Ln, shouldAutoCompact as Lr, listProjectFiles as Lt, matchesSafelistEntry as M, COMMUNICATION_DOCTRINE as Mi, applyEditPayload as Mn, parseSemver as Mr, truncateTrailing as Mt, projectsFilePath as N, DOING_TASKS_DOCTRINE as Ni, buildContextualDiff as Nn, performInPlaceSelfUpdate as Nr, cleanTitle as Nt, IMPLICITLY_SAFE_TOOLS as O, selectActiveTodos as Oi, toolCallPreview as On, checkForUpdate as Or, useInteractionsQueue as Ot, readProjects as P, IDENTITY_PREFIX as Pi, buildUnifiedDiff as Pn, performSelfUpdate as Pr, generateSessionTitle as Pt, loadMcpToolsCache as Q, KEYBINDING_DEFS as Qn, getContextWindow as Qr, GRUVBOX_LIGHT as Qt, formatPathForCwd as R, PLAN_MODE_DOCTRINE_NO_PROMPTS as Ri, filetypeFromPath as Rn, detectAuth as Rr, useEnabledToggleSet as Rt, renderSession as S, createTodoTools as Si, marginTopFor as Sn, buildLinearRamp as Sr, createInteractionTools as St, SafeModeProvider as T, isTodoTool as Ti, stripSpawnTokensLine as Tn, bootTick as Tr, pendingInteractionsFromTurns as Tt, buildModelCatalog as U, envSection as Ui, buildEditOutcomesAnnotation as Un, removeProviderCredential as Ur, SettingsProvider as Ut, runOAuthLogin as V, buildBuildSystem as Vi, summarizeEditPayload as Vn, readCredentials as Vr, SETTINGS_CHOICES as Vt, filterModelCatalog as W, maskToOutcomeKinds as Wn, setProviderCredential as Wr, clampFps as Wt, projectUserPaths as X, summarizeOutcomes as Xn, credKeyOf as Xr, VAPORWAVE_THEME as Xt, parseMcpsFile as Y, stripEditOutcomesAnnotation as Yn, cerebrasDescriptor as Yr, resolveTheme as Yt, clearMcpToolsCache as Z, DEFAULT_KEYBINDINGS as Zn, effectiveContextWindow as Zr, GRUVBOX_DARK as Zt, turnContextSize as _, TODOREAD_TOOL as _i, isTurnHighlighted as _n, collectReferences as _r, splitMarkdownCodeBlocks as _t, computeTurnAnchors as a, discoverAgentsMd as ai, useDiscovery as an, matchesBinding as ar, useMcpToolToggleSet as at, defaultSkillScanPaths as b, TODO_STATUS_GLYPHS as bi, listSessionMeta as bn, useCompletion as br, PRESENT_PLAN_TOOL as bt, formatToolCall as c, BUILD_AGENT as ci, useConfig as cn, readKeybindings as cr, parentServerName as ct, useSelectStyle as d, DEFAULT_BUDGET_EXCLUDE_TOOLS as di, resolveStorageDirs as dn, createSkillsCompletionProvider as dr, patchMcpCredential as dt, modelSupportsReasoning as ei, CATPPUCCIN_LATTE as en, KEYBINDING_KEY_COL_WIDTH as er, refreshMcpToolsCatalog as et, useSurfaces as f, DEFAULT_PERSIST_EXCLUDE_TOOLS as fi, EDIT_TOOL_NAMES as fn, uniqueSkillNamesFromReferences as fr, McpAuthProvider as ft, finalizeStreamingMarkdownForOwner as g, singleAgentRegistry as gi, isEditErrorResult as gn, applyInsert as gr, reduceMcpAuth as gt, finalizeStreamingMarkdown as h, resolveAgentId as hi, eventsFromTurns as hn, uniqueFilesFromReferences as hr, getMcpAuthStatus as ht, turnAsText as i, piIdOf as ii, DiscoveryProvider as in, keybindingsPath as ir, useMcpToolToggleMap as it, isOnSafelist as j, ACTIONS_WITH_CARE_DOCTRINE as ji, updateToolEventOutcomes as jn, detectPackageManager as jr, hintsLength as jt, addToSafelist as k, setTodosForRun as ki, toolResultText as kn, compareSemver as kr, EMPTY_HINTS as kt, ThemeProvider as l, BUILTIN_AGENTS as li, resolveConfig as ln, stripJsonComments as lr, createFileMcpCredentialStore as lt, useTheme as m, accentColor as mi, deriveSessionTitle as mn, createFilesCompletionProvider as mr, useMcpAuthState as mt, deleteTurnSafely as n, openaiDescriptor as ni, CATPPUCCIN_MOCHA as nn, formatBindingForDisplay as nr, subscribeMcpToolsCache as nt, TOOL_DISPLAY as o, renderAgentsMdBlock as oi, useDiscoveryOptional as on, mergeKeybindings as or, buildVisibleMcpRows as ot, useSyntaxStyles as p, PLAN_AGENT as pi, createStateStore as pn, FILES_TRIGGER as pr, useMcpAuthDispatch as pt, defaultMcpsConfigPaths as q, resolveApprovalForPayload as qn, OUTPUT_RESERVE_TOKENS as qr, DEFAULT_THEME as qt, truncateTurnsAt as r, openrouterDescriptor as ri, createDiscoverySlot as rn, groupBindings as rr, buildToolToggle as rt, displayNameFor as s, findGitRoot$1 as si, ConfigProvider as sn, parseBindingSpec as sr, indexOfServerRow as st, countNeighbors as t, modelsForDescriptor as ti, CATPPUCCIN_MACCHIATO as tn, ensureKeybindingsFile as tr, saveMcpToolsCache as tt, useColors as u, DEFAULT_AGENT_ID as ui, resolveStoragePaths as un, SKILLS_TRIGGER as ur, mcpCredentialsPath as ut, useStreamBuffer as v, TODOS_METADATA_KEY as vi, isVisible as vn, findActiveTrigger as vr, ASK_USER_TOOL as vt, writeSessionExport as w, getTodosForRun as wi, selectableTurnIds as wn, bootProfileEnabled as wr, makeRequestInteraction as wt, discoverProjectSkills as x, TODO_WRITE_COUNTS_METADATA_KEY as xi, loadState as xn, blendHsl as xr, buildResumedToolResultsTurn as xt, buildSkillsConfig as y, TODOWRITE_TOOL as yi, lastContextSizeFromTurns as yn, mergeReferences as yr, InteractionsProvider as yt, fetchOAuthRedirect as z, SUBAGENT_GUIDANCE as zi, previewEditPayload as zn, applyApiKeyEnv as zr, DEFAULT_SETTINGS as zt };
 
-//# sourceMappingURL=turn-operations-Dz_vp9En.js.map
+//# sourceMappingURL=turn-operations-6Yls2HuG.js.map