klaude-code 1.2.6__py3-none-any.whl → 1.8.0__py3-none-any.whl

klaude_code/auth/__init__.py

@@ -0,0 +1,24 @@
+"""Authentication module.
+
+Currently includes Codex OAuth helpers in ``klaude_code.auth.codex``.
+"""
+
+from klaude_code.auth.codex import (
+    CodexAuthError,
+    CodexAuthState,
+    CodexNotLoggedInError,
+    CodexOAuth,
+    CodexOAuthError,
+    CodexTokenExpiredError,
+    CodexTokenManager,
+)
+
+__all__ = [
+    "CodexAuthError",
+    "CodexAuthState",
+    "CodexNotLoggedInError",
+    "CodexOAuth",
+    "CodexOAuthError",
+    "CodexTokenExpiredError",
+    "CodexTokenManager",
+]

klaude_code/auth/codex/__init__.py

@@ -0,0 +1,20 @@
+"""Codex authentication helpers."""
+
+from klaude_code.auth.codex.exceptions import (
+    CodexAuthError,
+    CodexNotLoggedInError,
+    CodexOAuthError,
+    CodexTokenExpiredError,
+)
+from klaude_code.auth.codex.oauth import CodexOAuth
+from klaude_code.auth.codex.token_manager import CodexAuthState, CodexTokenManager
+
+__all__ = [
+    "CodexAuthError",
+    "CodexAuthState",
+    "CodexNotLoggedInError",
+    "CodexOAuth",
+    "CodexOAuthError",
+    "CodexTokenExpiredError",
+    "CodexTokenManager",
+]

klaude_code/auth/codex/exceptions.py

@@ -0,0 +1,17 @@
+"""Exceptions for Codex authentication."""
+
+
+class CodexAuthError(Exception):
+    """Base exception for Codex authentication errors."""
+
+
+class CodexNotLoggedInError(CodexAuthError):
+    """User has not logged in to Codex."""
+
+
+class CodexTokenExpiredError(CodexAuthError):
+    """Token expired and refresh failed."""
+
+
+class CodexOAuthError(CodexAuthError):
+    """OAuth flow failed."""

klaude_code/auth/codex/jwt_utils.py

@@ -0,0 +1,45 @@
+"""JWT parsing utilities for Codex authentication."""
+
+import base64
+import json
+from typing import Any
+
+
+def decode_jwt_payload(token: str) -> dict[str, Any]:
+    """Decode JWT payload without verification.
+
+    Args:
+        token: JWT token string
+
+    Returns:
+        Decoded payload as a dictionary
+    """
+    parts = token.split(".")
+    if len(parts) != 3:
+        raise ValueError("Invalid JWT format")
+
+    payload = parts[1]
+    # Add padding if needed
+    padding = 4 - len(payload) % 4
+    if padding != 4:
+        payload += "=" * padding
+
+    decoded = base64.urlsafe_b64decode(payload)
+    return json.loads(decoded)
+
+
+def extract_account_id(token: str) -> str:
+    """Extract ChatGPT account ID from JWT token.
+
+    Args:
+        token: JWT access token from OpenAI OAuth
+
+    Returns:
+        The chatgpt_account_id from the token claims
+    """
+    payload = decode_jwt_payload(token)
+    auth_claim = payload.get("https://api.openai.com/auth", {})
+    account_id = auth_claim.get("chatgpt_account_id")
+    if not account_id:
+        raise ValueError("chatgpt_account_id not found in token")
+    return account_id

klaude_code/auth/codex/oauth.py

@@ -0,0 +1,229 @@
+"""OAuth PKCE flow for Codex authentication."""
+
+import base64
+import hashlib
+import secrets
+import time
+import webbrowser
+from http.server import BaseHTTPRequestHandler, HTTPServer
+from threading import Thread
+from typing import Any
+from urllib.parse import parse_qs, urlencode, urlparse
+
+import httpx
+
+from klaude_code.auth.codex.exceptions import CodexOAuthError
+from klaude_code.auth.codex.jwt_utils import extract_account_id
+from klaude_code.auth.codex.token_manager import CodexAuthState, CodexTokenManager
+
+# OAuth configuration
+CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann"
+AUTHORIZE_URL = "https://auth.openai.com/oauth/authorize"
+TOKEN_URL = "https://auth.openai.com/oauth/token"
+REDIRECT_URI = "http://localhost:1455/auth/callback"
+REDIRECT_PORT = 1455
+SCOPE = "openid profile email offline_access"
+
+
+def generate_code_verifier() -> str:
+    """Generate a random code verifier for PKCE."""
+    return secrets.token_urlsafe(64)[:128]
+
+
+def generate_code_challenge(verifier: str) -> str:
+    """Generate code challenge from verifier using S256 method."""
+    digest = hashlib.sha256(verifier.encode()).digest()
+    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
+
+
+def build_authorize_url(code_challenge: str, state: str) -> str:
+    """Build the authorization URL with all required parameters."""
+    params = {
+        "response_type": "code",
+        "client_id": CLIENT_ID,
+        "redirect_uri": REDIRECT_URI,
+        "scope": SCOPE,
+        "code_challenge": code_challenge,
+        "code_challenge_method": "S256",
+        "state": state,
+        "id_token_add_organizations": "true",
+        "codex_cli_simplified_flow": "true",
+        "originator": "codex_cli_rs",
+    }
+    return f"{AUTHORIZE_URL}?{urlencode(params)}"
+
+
+class OAuthCallbackHandler(BaseHTTPRequestHandler):
+    """HTTP request handler for OAuth callback."""
+
+    code: str | None = None
+    state: str | None = None
+    error: str | None = None
+
+    def log_message(self, format: str, *args: Any) -> None:
+        """Suppress HTTP server logs."""
+        pass
+
+    def do_GET(self) -> None:
+        """Handle GET request from OAuth callback."""
+        parsed = urlparse(self.path)
+        params = parse_qs(parsed.query)
+
+        OAuthCallbackHandler.code = params.get("code", [None])[0]
+        OAuthCallbackHandler.state = params.get("state", [None])[0]
+        OAuthCallbackHandler.error = params.get("error", [None])[0]
+
+        self.send_response(200)
+        self.send_header("Content-Type", "text/html")
+        self.end_headers()
+
+        if OAuthCallbackHandler.error:
+            html = f"""
+            <html><body style="font-family: sans-serif; text-align: center; padding: 50px;">
+            <h1>Authentication Failed</h1>
+            <p>Error: {OAuthCallbackHandler.error}</p>
+            <p>Please close this window and try again.</p>
+            </body></html>
+            """
+        else:
+            html = """
+            <html><body style="font-family: sans-serif; text-align: center; padding: 50px;">
+            <h1>Authentication Successful!</h1>
+            <p>You can close this window now.</p>
+            <script>setTimeout(function() { window.close(); }, 2000);</script>
+            </body></html>
+            """
+        self.wfile.write(html.encode())
+
+
+class CodexOAuth:
+    """Handle OAuth PKCE flow for Codex authentication."""
+
+    def __init__(self, token_manager: CodexTokenManager | None = None):
+        self.token_manager = token_manager or CodexTokenManager()
+
+    def login(self) -> CodexAuthState:
+        """Run the complete OAuth login flow."""
+        # Generate PKCE parameters
+        verifier = generate_code_verifier()
+        challenge = generate_code_challenge(verifier)
+        state = secrets.token_urlsafe(32)
+
+        # Build authorization URL
+        auth_url = build_authorize_url(challenge, state)
+
+        # Start callback server
+        OAuthCallbackHandler.code = None
+        OAuthCallbackHandler.state = None
+        OAuthCallbackHandler.error = None
+
+        server = HTTPServer(("localhost", REDIRECT_PORT), OAuthCallbackHandler)
+        server_thread = Thread(target=server.handle_request)
+        server_thread.start()
+
+        # Open browser for user to authenticate
+        webbrowser.open(auth_url)
+
+        # Wait for callback
+        server_thread.join(timeout=300)  # 5 minute timeout
+        server.server_close()
+
+        # Check for errors
+        if OAuthCallbackHandler.error:
+            raise CodexOAuthError(f"OAuth error: {OAuthCallbackHandler.error}")
+
+        if not OAuthCallbackHandler.code:
+            raise CodexOAuthError("No authorization code received")
+
+        if OAuthCallbackHandler.state is None or OAuthCallbackHandler.state != state:
+            raise CodexOAuthError("OAuth state mismatch")
+
+        # Exchange code for tokens
+        auth_state = self._exchange_code(OAuthCallbackHandler.code, verifier)
+
+        # Save tokens
+        self.token_manager.save(auth_state)
+
+        return auth_state
+
+    def _exchange_code(self, code: str, verifier: str) -> CodexAuthState:
+        """Exchange authorization code for tokens."""
+        data = {
+            "grant_type": "authorization_code",
+            "client_id": CLIENT_ID,
+            "code": code,
+            "redirect_uri": REDIRECT_URI,
+            "code_verifier": verifier,
+        }
+
+        with httpx.Client() as client:
+            response = client.post(TOKEN_URL, data=data)
+
+        if response.status_code != 200:
+            raise CodexOAuthError(f"Token exchange failed: {response.text}")
+
+        tokens = response.json()
+        access_token = tokens["access_token"]
+        refresh_token = tokens["refresh_token"]
+        expires_in = tokens.get("expires_in", 3600)
+
+        account_id = extract_account_id(access_token)
+
+        return CodexAuthState(
+            access_token=access_token,
+            refresh_token=refresh_token,
+            expires_at=int(time.time()) + expires_in,
+            account_id=account_id,
+        )
+
+    def refresh(self) -> CodexAuthState:
+        """Refresh the access token using refresh token."""
+        state = self.token_manager.get_state()
+        if state is None:
+            from klaude_code.auth.codex.exceptions import CodexNotLoggedInError
+
+            raise CodexNotLoggedInError("Not logged in to Codex. Run 'klaude login codex' first.")
+
+        data = {
+            "grant_type": "refresh_token",
+            "client_id": CLIENT_ID,
+            "refresh_token": state.refresh_token,
+        }
+
+        with httpx.Client() as client:
+            response = client.post(TOKEN_URL, data=data)
+
+        if response.status_code != 200:
+            from klaude_code.auth.codex.exceptions import CodexTokenExpiredError
+
+            raise CodexTokenExpiredError(f"Token refresh failed: {response.text}")
+
+        tokens = response.json()
+        access_token = tokens["access_token"]
+        refresh_token = tokens.get("refresh_token", state.refresh_token)
+        expires_in = tokens.get("expires_in", 3600)
+
+        account_id = extract_account_id(access_token)
+
+        new_state = CodexAuthState(
+            access_token=access_token,
+            refresh_token=refresh_token,
+            expires_at=int(time.time()) + expires_in,
+            account_id=account_id,
+        )
+
+        self.token_manager.save(new_state)
+        return new_state
+
+    def ensure_valid_token(self) -> str:
+        """Ensure we have a valid access token, refreshing if needed."""
+        state = self.token_manager.get_state()
+        if state is None:
+            from klaude_code.auth.codex.exceptions import CodexNotLoggedInError
+
+            raise CodexNotLoggedInError("Not logged in to Codex. Run 'klaude login codex' first.")
+
+        if state.is_expired():
+            state = self.refresh()
+
+        return state.access_token

klaude_code/auth/codex/token_manager.py

@@ -0,0 +1,84 @@
+"""Token storage and management for Codex authentication."""
+
+import json
+import time
+from pathlib import Path
+
+from pydantic import BaseModel
+
+
+class CodexAuthState(BaseModel):
+    """Stored authentication state for Codex."""
+
+    access_token: str
+    refresh_token: str
+    expires_at: int  # Unix timestamp
+    account_id: str
+
+    def is_expired(self, buffer_seconds: int = 300) -> bool:
+        """Check if token is expired or will expire soon."""
+        return time.time() + buffer_seconds >= self.expires_at
+
+
+CODEX_AUTH_FILE = Path.home() / ".klaude" / "codex-auth.json"
+
+
+class CodexTokenManager:
+    """Manage Codex OAuth tokens."""
+
+    def __init__(self, auth_file: Path | None = None):
+        self.auth_file = auth_file or CODEX_AUTH_FILE
+        self._state: CodexAuthState | None = None
+
+    def load(self) -> CodexAuthState | None:
+        """Load authentication state from file."""
+        if not self.auth_file.exists():
+            return None
+
+        try:
+            data = json.loads(self.auth_file.read_text())
+            self._state = CodexAuthState.model_validate(data)
+            return self._state
+        except (json.JSONDecodeError, ValueError):
+            return None
+
+    def save(self, state: CodexAuthState) -> None:
+        """Save authentication state to file."""
+        self.auth_file.parent.mkdir(parents=True, exist_ok=True)
+        self.auth_file.write_text(state.model_dump_json(indent=2))
+        self._state = state
+
+    def delete(self) -> None:
+        """Delete stored tokens."""
+        if self.auth_file.exists():
+            self.auth_file.unlink()
+        self._state = None
+
+    def is_logged_in(self) -> bool:
+        """Check if user is logged in."""
+        state = self._state or self.load()
+        return state is not None
+
+    def get_state(self) -> CodexAuthState | None:
+        """Get current authentication state."""
+        if self._state is None:
+            self._state = self.load()
+        return self._state
+
+    def get_access_token(self) -> str:
+        """Get access token, raising if not logged in."""
+        state = self.get_state()
+        if state is None:
+            from klaude_code.auth.codex.exceptions import CodexNotLoggedInError
+
+            raise CodexNotLoggedInError("Not logged in to Codex. Run 'klaude login codex' first.")
+        return state.access_token
+
+    def get_account_id(self) -> str:
+        """Get account ID, raising if not logged in."""
+        state = self.get_state()
+        if state is None:
+            from klaude_code.auth.codex.exceptions import CodexNotLoggedInError
+
+            raise CodexNotLoggedInError("Not logged in to Codex. Run 'klaude login codex' first.")
+        return state.account_id

klaude_code/cli/auth_cmd.py

@@ -0,0 +1,73 @@
+"""Authentication commands for CLI."""
+
+import datetime
+
+import typer
+
+from klaude_code.trace import log
+
+
+def login_command(
+    provider: str = typer.Argument("codex", help="Provider to login (codex)"),
+) -> None:
+    """Login to a provider using OAuth."""
+    if provider.lower() != "codex":
+        log((f"Error: Unknown provider '{provider}'. Currently only 'codex' is supported.", "red"))
+        raise typer.Exit(1)
+
+    from klaude_code.auth.codex.oauth import CodexOAuth
+    from klaude_code.auth.codex.token_manager import CodexTokenManager
+
+    token_manager = CodexTokenManager()
+
+    # Check if already logged in
+    if token_manager.is_logged_in():
+        state = token_manager.get_state()
+        if state and not state.is_expired():
+            log(("You are already logged in to Codex.", "green"))
+            log(f"  Account ID: {state.account_id[:8]}...")
+            expires_dt = datetime.datetime.fromtimestamp(state.expires_at, tz=datetime.UTC)
+            log(f"  Expires: {expires_dt.strftime('%Y-%m-%d %H:%M:%S UTC')}")
+            if not typer.confirm("Do you want to re-login?"):
+                return
+
+    log("Starting Codex OAuth login flow...")
+    log("A browser window will open for authentication.")
+
+    try:
+        oauth = CodexOAuth(token_manager)
+        state = oauth.login()
+        log(("Login successful!", "green"))
+        log(f"  Account ID: {state.account_id[:8]}...")
+        expires_dt = datetime.datetime.fromtimestamp(state.expires_at, tz=datetime.UTC)
+        log(f"  Expires: {expires_dt.strftime('%Y-%m-%d %H:%M:%S UTC')}")
+    except Exception as e:
+        log((f"Login failed: {e}", "red"))
+        raise typer.Exit(1) from None
+
+
+def logout_command(
+    provider: str = typer.Argument("codex", help="Provider to logout (codex)"),
+) -> None:
+    """Logout from a provider."""
+    if provider.lower() != "codex":
+        log((f"Error: Unknown provider '{provider}'. Currently only 'codex' is supported.", "red"))
+        raise typer.Exit(1)
+
+    from klaude_code.auth.codex.token_manager import CodexTokenManager
+
+    token_manager = CodexTokenManager()
+
+    if not token_manager.is_logged_in():
+        log("You are not logged in to Codex.")
+        return
+
+    if typer.confirm("Are you sure you want to logout from Codex?"):
+        token_manager.delete()
+        log(("Logged out from Codex.", "green"))
+
+
+def register_auth_commands(app: typer.Typer) -> None:
+    """Register auth commands to the given Typer app."""
+    app.command("login")(login_command)
+    app.command("logout")(logout_command)

klaude_code/cli/config_cmd.py

@@ -0,0 +1,91 @@
+"""Configuration commands for CLI."""
+
+import os
+import subprocess
+import sys
+
+import typer
+
+from klaude_code.config import config_path, create_example_config, example_config_path, load_config
+from klaude_code.trace import log
+
+
+def list_models() -> None:
+    """List all models and providers configuration"""
+    from klaude_code.cli.list_model import display_models_and_providers
+    from klaude_code.ui.terminal.color import is_light_terminal_background
+
+    config = load_config()
+
+    # Auto-detect theme when not explicitly set in config, to match other CLI entrypoints.
+    if config.theme is None:
+        detected = is_light_terminal_background()
+        if detected is True:
+            config.theme = "light"
+        elif detected is False:
+            config.theme = "dark"
+
+    display_models_and_providers(config)
+
+
+def edit_config() -> None:
+    """Open the configuration file in $EDITOR or default system editor"""
+    editor = os.environ.get("EDITOR")
+
+    # If no EDITOR is set, prioritize TextEdit on macOS
+    if not editor:
+        # Try common editors in order of preference on other platforms
+        for cmd in [
+            "code",
+            "nvim",
+            "vim",
+            "nano",
+        ]:
+            try:
+                subprocess.run(["which", cmd], check=True, capture_output=True)
+                editor = cmd
+                break
+            except (subprocess.CalledProcessError, FileNotFoundError):
+                continue
+
+    # If no editor found, try platform-specific defaults
+    if not editor:
+        if sys.platform == "darwin":  # macOS
+            editor = "open"
+        elif sys.platform == "win32":  # Windows
+            editor = "notepad"
+        else:  # Linux and other Unix systems
+            editor = "xdg-open"
+
+    # Ensure config directory exists and create example config if needed
+    config_path.parent.mkdir(parents=True, exist_ok=True)
+    if create_example_config():
+        log(f"Created example config: {example_config_path}", style="dim")
+
+    # Decide which file to open
+    target_path = config_path if config_path.exists() else example_config_path
+    if target_path == example_config_path:
+        log(f"Opening example config (copy to {config_path.name} to use)", style="yellow")
+
+    try:
+        if editor == "open -a TextEdit":
+            subprocess.run(["open", "-a", "TextEdit", str(target_path)], check=True)
+        elif editor in ["open", "xdg-open"]:
+            # For open/xdg-open, we need to pass the file directly
+            subprocess.run([editor, str(target_path)], check=True)
+        else:
+            subprocess.run([editor, str(target_path)], check=True)
+    except subprocess.CalledProcessError as e:
+        log((f"Error: Failed to open editor: {e}", "red"))
+        raise typer.Exit(1) from None
+    except FileNotFoundError:
+        log((f"Error: Editor '{editor}' not found", "red"))
+        log("Please install a text editor or set your $EDITOR environment variable")
+        raise typer.Exit(1) from None
+
+
+def register_config_commands(app: typer.Typer) -> None:
+    """Register config commands to the given Typer app."""
+    app.command("list")(list_models)
+    app.command("config")(edit_config)
+    app.command("conf", hidden=True)(edit_config)