ya-oauth 0.74.0__tar.gz

ya_oauth-0.74.0/.gitignore

@@ -0,0 +1,169 @@
+docs/source
+
+# From https://raw.githubusercontent.com/github/gitignore/main/Python.gitignore
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+!apps/
+!apps/ya-claw-web/
+!apps/ya-claw-web/src/
+!apps/ya-claw-web/src/lib/
+!apps/ya-claw-web/src/lib/**
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.yaai/
+**/.yaai/
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.pyright/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# Vscode config files
+# .vscode/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/
+
+TO-DO.json
+dev/
+ya_agent_sdk/sandbox/shell/templates/public
+
+# Sync automaticlly
+yaacli/yaacli/skills/building-agents
+
+# Frontend
+node_modules/
+apps/*/dist/
+!apps/ya-desktop/
+!apps/ya-desktop/src/
+!apps/ya-desktop/src/**
+!apps/ya-desktop/src-tauri/
+!apps/ya-desktop/src-tauri/resources/
+!apps/ya-desktop/src-tauri/resources/uv/
+!apps/ya-desktop/src-tauri/resources/uv/.gitkeep
+apps/ya-desktop/src-tauri/resources/uv/uv
+apps/ya-desktop/src-tauri/resources/uv/uv.exe
+*.tsbuildinfo

ya_oauth-0.74.0/PKG-INFO

@@ -0,0 +1,32 @@
+Metadata-Version: 2.4
+Name: ya-oauth
+Version: 0.74.0
+Summary: OAuth login, refresh, storage, and CLI for YA model providers
+Project-URL: Repository, https://github.com/wh1isper/ya-mono
+Author-email: wh1isper <jizhongsheng957@gmail.com>
+Keywords: agents,ai,oauth
+Classifier: Intended Audience :: Developers
+Classifier: Programming Language :: Python
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Requires-Python: <3.14,>=3.11
+Requires-Dist: click>=8.0
+Requires-Dist: httpx>=0.28.1
+Requires-Dist: pydantic>=2.12.0
+Description-Content-Type: text/markdown
+
+# ya-oauth
+
+OAuth login, refresh, logout, token storage, and CLI for YA model providers.
+
+## Codex login
+
+```bash
+ya-oauth login codex
+ya-oauth status codex
+ya-oauth refresh codex
+```
+
+Credentials are stored in `~/.yaai/auth.json` with directory mode `0700` and file mode `0600`.

ya_oauth-0.74.0/README.md

@@ -0,0 +1,13 @@
+# ya-oauth
+
+OAuth login, refresh, logout, token storage, and CLI for YA model providers.
+
+## Codex login
+
+```bash
+ya-oauth login codex
+ya-oauth status codex
+ya-oauth refresh codex
+```
+
+Credentials are stored in `~/.yaai/auth.json` with directory mode `0700` and file mode `0600`.

ya_oauth-0.74.0/pyproject.toml

@@ -0,0 +1,58 @@
+[project]
+name = "ya-oauth"
+dynamic = ["version", "dependencies"]
+description = "OAuth login, refresh, storage, and CLI for YA model providers"
+authors = [{ name = "wh1isper", email = "jizhongsheng957@gmail.com" }]
+readme = "README.md"
+keywords = ["oauth", "ai", "agents"]
+requires-python = ">=3.11,<3.14"
+classifiers = [
+    "Intended Audience :: Developers",
+    "Programming Language :: Python",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+]
+
+[project.urls]
+Repository = "https://github.com/wh1isper/ya-mono"
+
+[project.scripts]
+ya-oauth = "ya_oauth.cli:cli"
+
+[dependency-groups]
+dev = [
+    "pytest>=7.2.0",
+    "pytest-asyncio>=0.25.3",
+    "pytest-httpx>=0.35.0",
+    "ruff>=0.9.2",
+    "pyright>=1.1.0",
+]
+
+[build-system]
+requires = ["hatchling", "uv-dynamic-versioning>=0.7.0"]
+build-backend = "hatchling.build"
+
+[tool.hatch.version]
+source = "uv-dynamic-versioning"
+
+[tool.uv-dynamic-versioning]
+vcs = "git"
+style = "pep440"
+bump = true
+
+[tool.hatch.metadata.hooks.uv-dynamic-versioning]
+dependencies = [
+    "click>=8.0",
+    "httpx>=0.28.1",
+    "pydantic>=2.12.0",
+]
+
+[tool.hatch.build.targets.wheel]
+packages = ["ya_oauth"]
+
+[tool.deptry]
+ignore = ["DEP001", "DEP002"]
+package_module_name_map = { "click" = "click", "httpx" = "httpx", "pydantic" = "pydantic", "pytest" = "pytest", "pytest-asyncio" = "pytest_asyncio", "pytest-httpx" = "pytest_httpx", "ruff" = "ruff", "pyright" = "pyright" }
+per_rule_ignores = { DEP003 = ["click", "httpx", "pydantic", "pytest"], DEP004 = ["pytest"] }

ya_oauth-0.74.0/tests/test_codex.py

@@ -0,0 +1,155 @@
+from __future__ import annotations
+
+import base64
+import json
+from datetime import UTC, datetime
+
+import httpx
+from ya_oauth.codex import CODEX_CLIENT_ID, CODEX_TOKEN_ENDPOINT, CodexOAuthClient
+from ya_oauth.jwt import account_from_id_token
+from ya_oauth.store import OAuthStore
+from ya_oauth.types import OAuthAccount, OAuthProviderRecord, OAuthTokens
+
+ACCESS_TOKEN = "fixture-access-token"  # noqa: S105
+REFRESH_TOKEN = "fixture-refresh-token"  # noqa: S105
+OLD_ACCESS_TOKEN = "fixture-old-access-token"  # noqa: S105
+OLD_REFRESH_TOKEN = "fixture-old-refresh-token"  # noqa: S105
+NEW_ACCESS_TOKEN = "fixture-new-access-token"  # noqa: S105
+OLD_ID_TOKEN = "fixture-old-id-token"  # noqa: S105
+
+
+def _jwt(payload: dict[str, object]) -> str:
+    def enc(data: dict[str, object]) -> str:
+        raw = json.dumps(data, separators=(",", ":")).encode()
+        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
+
+    return f"{enc({'alg': 'none'})}.{enc(payload)}.sig"
+
+
+def test_account_from_id_token_parses_codex_claims() -> None:
+    token = _jwt({
+        "email": "top@example.com",
+        "https://api.openai.com/auth": {
+            "chatgpt_plan_type": "plus",
+            "chatgpt_user_id": "user_123",
+            "chatgpt_account_id": "acct_123",
+            "chatgpt_account_is_fedramp": True,
+        },
+    })
+
+    account = account_from_id_token(token)
+
+    assert account.email == "top@example.com"
+    assert account.chatgpt_plan_type == "plus"
+    assert account.chatgpt_user_id == "user_123"
+    assert account.chatgpt_account_id == "acct_123"
+    assert account.chatgpt_account_is_fedramp is True
+
+
+def test_codex_device_code_login_requests_match_reference() -> None:
+    id_token = _jwt({
+        "https://api.openai.com/profile": {"email": "dev@example.com"},
+        "https://api.openai.com/auth": {"chatgpt_account_id": "acct_123", "chatgpt_plan_type": "pro"},
+    })
+    seen: list[httpx.Request] = []
+
+    def handler(request: httpx.Request) -> httpx.Response:
+        seen.append(request)
+        if request.url.path == "/api/accounts/deviceauth/usercode":
+            assert json.loads(request.content) == {"client_id": CODEX_CLIENT_ID}
+            return httpx.Response(200, json={"device_auth_id": "dev_1", "user_code": "ABCD", "interval": "1"})
+        if request.url.path == "/api/accounts/deviceauth/token":
+            assert json.loads(request.content) == {"device_auth_id": "dev_1", "user_code": "ABCD"}
+            return httpx.Response(
+                200,
+                json={"authorization_code": "auth_code", "code_challenge": "challenge", "code_verifier": "verifier"},
+            )
+        if request.url.path == "/oauth/token":
+            body = dict(pair.split("=") for pair in request.content.decode().split("&"))
+            assert body["grant_type"] == "authorization_code"
+            assert body["code"] == "auth_code"
+            assert body["client_id"] == CODEX_CLIENT_ID
+            assert body["code_verifier"] == "verifier"
+            return httpx.Response(
+                200, json={"id_token": id_token, "access_token": ACCESS_TOKEN, "refresh_token": REFRESH_TOKEN}
+            )
+        return httpx.Response(404)
+
+    client = CodexOAuthClient(http_client=httpx.Client(transport=httpx.MockTransport(handler)))
+
+    device_code, record = client.login_device_code(timeout_seconds=1)
+
+    assert device_code.user_code == "ABCD"
+    assert record.tokens.access_token == ACCESS_TOKEN
+    assert record.tokens.refresh_token == REFRESH_TOKEN
+    assert record.account.email == "dev@example.com"
+    assert record.account.chatgpt_account_id == "acct_123"
+    assert [request.url.path for request in seen] == [
+        "/api/accounts/deviceauth/usercode",
+        "/api/accounts/deviceauth/token",
+        "/oauth/token",
+    ]
+
+
+def test_codex_refresh_preserves_omitted_token_fields(tmp_path) -> None:
+    id_token = _jwt({"https://api.openai.com/auth": {"chatgpt_account_id": "acct_new"}})
+
+    def handler(request: httpx.Request) -> httpx.Response:
+        assert str(request.url) == CODEX_TOKEN_ENDPOINT
+        assert json.loads(request.content) == {
+            "client_id": CODEX_CLIENT_ID,
+            "grant_type": "refresh_token",
+            "refresh_token": OLD_REFRESH_TOKEN,
+        }
+        return httpx.Response(200, json={"id_token": id_token, "access_token": NEW_ACCESS_TOKEN})
+
+    store = OAuthStore(tmp_path / "auth.json")
+    client = CodexOAuthClient(store=store, http_client=httpx.Client(transport=httpx.MockTransport(handler)))
+    record = OAuthProviderRecord(
+        issuer="https://auth.openai.com",
+        client_id=CODEX_CLIENT_ID,
+        token_endpoint=CODEX_TOKEN_ENDPOINT,
+        tokens=OAuthTokens(
+            id_token=OLD_ID_TOKEN,
+            access_token=OLD_ACCESS_TOKEN,
+            refresh_token=OLD_REFRESH_TOKEN,
+        ),
+        last_refresh_at=datetime.now(UTC),
+    )
+
+    refreshed = client.refresh_record(record)
+
+    assert refreshed.tokens.id_token == id_token
+    assert refreshed.tokens.access_token == NEW_ACCESS_TOKEN
+    assert refreshed.tokens.refresh_token == OLD_REFRESH_TOKEN
+    assert refreshed.account.chatgpt_account_id == "acct_new"
+
+
+def test_codex_refresh_rejects_account_mismatch(tmp_path) -> None:
+    id_token = _jwt({"https://api.openai.com/auth": {"chatgpt_account_id": "acct_new"}})
+
+    def handler(request: httpx.Request) -> httpx.Response:
+        return httpx.Response(200, json={"id_token": id_token, "access_token": NEW_ACCESS_TOKEN})
+
+    store = OAuthStore(tmp_path / "auth.json")
+    client = CodexOAuthClient(store=store, http_client=httpx.Client(transport=httpx.MockTransport(handler)))
+    record = OAuthProviderRecord(
+        issuer="https://auth.openai.com",
+        client_id=CODEX_CLIENT_ID,
+        token_endpoint=CODEX_TOKEN_ENDPOINT,
+        tokens=OAuthTokens(access_token=OLD_ACCESS_TOKEN, refresh_token=OLD_REFRESH_TOKEN),
+        account=OAuthAccount(chatgpt_account_id="acct_old"),
+    )
+
+    import pytest
+
+    with pytest.raises(RuntimeError, match="different ChatGPT account"):
+        client.refresh_record(record)
+
+
+def test_store_permissions(tmp_path) -> None:
+    store = OAuthStore(tmp_path / ".yaai" / "auth.json")
+    store.save(store.load())
+
+    assert oct(store.path.parent.stat().st_mode & 0o777) == "0o700"
+    assert oct(store.path.stat().st_mode & 0o777) == "0o600"

ya_oauth-0.74.0/tests/test_store.py

@@ -0,0 +1,18 @@
+from __future__ import annotations
+
+import json
+
+from ya_oauth.store import OAuthStore
+from ya_oauth.types import AuthFile
+
+
+def test_load_repairs_existing_auth_file_mode(tmp_path) -> None:
+    auth_path = tmp_path / ".yaai" / "auth.json"
+    auth_path.parent.mkdir(mode=0o700)
+    auth_path.write_text(json.dumps(AuthFile().model_dump(mode="json")), encoding="utf-8")
+    auth_path.chmod(0o644)
+
+    store = OAuthStore(auth_path)
+
+    assert store.load().version == 1
+    assert auth_path.stat().st_mode & 0o777 == 0o600

ya_oauth-0.74.0/ya_oauth/__init__.py

@@ -0,0 +1,15 @@
+"""OAuth login, refresh, storage, and CLI for YA model providers."""
+
+from ya_oauth.codex import CODEX_PROFILE, CodexOAuthClient
+from ya_oauth.store import OAuthStore, StoreBackedTokenSource
+from ya_oauth.types import OAuthAccount, OAuthProviderRecord, OAuthTokens
+
+__all__ = [
+    "CODEX_PROFILE",
+    "CodexOAuthClient",
+    "OAuthAccount",
+    "OAuthProviderRecord",
+    "OAuthStore",
+    "OAuthTokens",
+    "StoreBackedTokenSource",
+]

ya_oauth-0.74.0/ya_oauth/cli.py

@@ -0,0 +1,146 @@
+from __future__ import annotations
+
+import os
+import stat
+from pathlib import Path
+
+import click
+
+from ya_oauth.codex import CodexOAuthClient, redact_record
+from ya_oauth.store import DEFAULT_AUTH_PATH, OAuthStore
+
+
+@click.group()
+def cli() -> None:
+    """Manage OAuth credentials for YA model providers."""
+
+
+@cli.command()
+@click.argument("provider", type=click.Choice(["codex"]))
+@click.option(
+    "--auth-file", type=click.Path(path_type=Path), default=None, help="Auth file path. Defaults to ~/.yaai/auth.json."
+)
+def login(provider: str, auth_file: Path | None) -> None:
+    """Log in to an OAuth provider."""
+    store = OAuthStore(auth_file)
+    if provider == "codex":
+        client = CodexOAuthClient(store=store)
+        try:
+            device_code = client.request_device_code()
+            click.echo("Open this URL in your browser and sign in to ChatGPT:")
+            click.echo(device_code.verification_url)
+            click.echo("")
+            click.echo("Enter this one-time code:")
+            click.echo(device_code.user_code)
+            click.echo("")
+            click.echo("Waiting for browser authorization...")
+            token_code = client.poll_device_token(device_code)
+            record = client.exchange_device_code(token_code)
+            store.set_provider("codex", record)
+            email = record.account.email or "unknown account"
+            click.echo(f"Logged in to codex as {email}.")
+        finally:
+            client.close()
+
+
+@cli.command()
+@click.argument("provider", type=click.Choice(["codex"]), required=False)
+@click.option(
+    "--auth-file", type=click.Path(path_type=Path), default=None, help="Auth file path. Defaults to ~/.yaai/auth.json."
+)
+def status(provider: str | None, auth_file: Path | None) -> None:
+    """Show OAuth provider login status."""
+    store = OAuthStore(auth_file)
+    auth = store.load()
+    provider_names = [provider] if provider else sorted(auth.providers)
+    if not provider_names:
+        click.echo("No OAuth providers are logged in.")
+        return
+    for provider_name in provider_names:
+        record = auth.providers.get(provider_name)
+        if record is None:
+            click.echo(f"{provider_name}: not logged in")
+            continue
+        account = record.account
+        identity = account.email or account.chatgpt_user_id or "unknown account"
+        plan = f", plan={account.chatgpt_plan_type}" if account.chatgpt_plan_type else ""
+        refreshed = record.last_refresh_at.isoformat() if record.last_refresh_at else "never"
+        click.echo(f"{provider_name}: logged in as {identity}{plan}, last_refresh_at={refreshed}")
+
+
+@cli.command(name="refresh")
+@click.argument("provider", type=click.Choice(["codex"]))
+@click.option(
+    "--auth-file", type=click.Path(path_type=Path), default=None, help="Auth file path. Defaults to ~/.yaai/auth.json."
+)
+def refresh_cmd(provider: str, auth_file: Path | None) -> None:
+    """Refresh OAuth credentials."""
+    store = OAuthStore(auth_file)
+    if provider == "codex":
+        client = CodexOAuthClient(store=store)
+        try:
+            source = client.make_token_source()
+            snapshot = _run_sync(source.refresh_token())
+            identity = snapshot.account.email or snapshot.account.chatgpt_user_id or "unknown account"
+            click.echo(f"Refreshed codex credentials for {identity}.")
+        finally:
+            client.close()
+
+
+@cli.command()
+@click.argument("provider", type=click.Choice(["codex"]))
+@click.option(
+    "--auth-file", type=click.Path(path_type=Path), default=None, help="Auth file path. Defaults to ~/.yaai/auth.json."
+)
+@click.option("--revoke/--no-revoke", default=True, help="Revoke provider tokens before deleting local credentials.")
+def logout(provider: str, auth_file: Path | None, revoke: bool) -> None:
+    """Log out from an OAuth provider."""
+    store = OAuthStore(auth_file)
+    record = store.get_provider(provider)
+    if record is None:
+        click.echo(f"{provider}: not logged in")
+        return
+    if provider == "codex" and revoke:
+        client = CodexOAuthClient(store=store)
+        try:
+            client.revoke_record(record)
+        finally:
+            client.close()
+    store.delete_provider(provider)
+    click.echo(f"Logged out from {provider}.")
+
+
+@cli.command()
+@click.option(
+    "--auth-file", type=click.Path(path_type=Path), default=None, help="Auth file path. Defaults to ~/.yaai/auth.json."
+)
+def doctor(auth_file: Path | None) -> None:
+    """Inspect OAuth store health without printing tokens."""
+    path = (auth_file or DEFAULT_AUTH_PATH).expanduser()
+    store = OAuthStore(path)
+    auth = store.load()
+    click.echo(f"Auth file: {path}")
+    click.echo(f"Providers: {', '.join(sorted(auth.providers)) if auth.providers else 'none'}")
+    _print_mode("Directory", path.parent, expected=0o700)
+    if path.exists():
+        _print_mode("File", path, expected=0o600)
+    for provider_name, record in sorted(auth.providers.items()):
+        safe_record = redact_record(record)
+        account = safe_record.get("account", {})
+        click.echo(f"{provider_name}: account={account}")
+
+
+def _print_mode(label: str, path: Path, *, expected: int) -> None:
+    mode = stat.S_IMODE(os.stat(path).st_mode)
+    status_text = "ok" if mode == expected else f"expected {expected:o}"
+    click.echo(f"{label} mode: {mode:o} ({status_text})")
+
+
+def _run_sync(awaitable):  # type: ignore[no-untyped-def]
+    import asyncio
+
+    try:
+        loop = asyncio.get_running_loop()
+    except RuntimeError:
+        return asyncio.run(awaitable)
+    raise RuntimeError(f"Cannot run ya-oauth CLI command inside active event loop: {loop}")

ya_oauth-0.74.0/ya_oauth/codex.py

@@ -0,0 +1,239 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+from datetime import UTC, datetime
+from typing import Any
+
+import httpx
+from pydantic import AliasChoices, BaseModel, Field
+
+from ya_oauth.jwt import account_from_id_token
+from ya_oauth.store import OAuthStore, StoreBackedTokenSource
+from ya_oauth.types import OAuthAccount, OAuthProviderRecord, OAuthTokens
+
+CODEX_ISSUER = "https://auth.openai.com"
+CODEX_CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann"
+CODEX_TOKEN_ENDPOINT = "https://auth.openai.com/oauth/token"  # noqa: S105
+CODEX_REVOKE_ENDPOINT = "https://auth.openai.com/oauth/revoke"
+CODEX_BASE_URL = "https://chatgpt.com/backend-api/codex"
+CODEX_DEVICE_REDIRECT_URI = "https://auth.openai.com/deviceauth/callback"
+CODEX_SCOPES = [
+    "openid",
+    "profile",
+    "email",
+    "offline_access",
+    "api.connectors.read",
+    "api.connectors.invoke",
+]
+
+
+@dataclass(frozen=True)
+class CodexOAuthProfile:
+    issuer: str = CODEX_ISSUER
+    client_id: str = CODEX_CLIENT_ID
+    token_endpoint: str = CODEX_TOKEN_ENDPOINT
+    revoke_endpoint: str = CODEX_REVOKE_ENDPOINT
+    base_url: str = CODEX_BASE_URL
+    scopes: tuple[str, ...] = tuple(CODEX_SCOPES)
+
+    @property
+    def device_user_code_endpoint(self) -> str:
+        return f"{self.issuer.rstrip('/')}/api/accounts/deviceauth/usercode"
+
+    @property
+    def device_token_endpoint(self) -> str:
+        return f"{self.issuer.rstrip('/')}/api/accounts/deviceauth/token"
+
+    @property
+    def verification_url(self) -> str:
+        return f"{self.issuer.rstrip('/')}/codex/device"
+
+    @property
+    def device_redirect_uri(self) -> str:
+        return f"{self.issuer.rstrip('/')}/deviceauth/callback"
+
+
+CODEX_PROFILE = CodexOAuthProfile()
+
+
+class DeviceCode(BaseModel):
+    verification_url: str
+    user_code: str
+    device_auth_id: str
+    interval: int = 5
+
+
+class _UserCodeResponse(BaseModel):
+    device_auth_id: str
+    user_code: str = Field(validation_alias=AliasChoices("user_code", "usercode"))
+    interval: int | str = 5
+
+    def to_device_code(self, profile: CodexOAuthProfile) -> DeviceCode:
+        return DeviceCode(
+            verification_url=profile.verification_url,
+            user_code=self.user_code,
+            device_auth_id=self.device_auth_id,
+            interval=int(self.interval),
+        )
+
+
+class _DeviceTokenResponse(BaseModel):
+    authorization_code: str
+    code_challenge: str
+    code_verifier: str
+
+
+class _TokenResponse(BaseModel):
+    id_token: str | None = None
+    access_token: str | None = None
+    refresh_token: str | None = None
+
+
+class CodexOAuthClient:
+    """Codex OAuth device-code login and refresh client aligned with OpenAI Codex."""
+
+    def __init__(
+        self,
+        *,
+        profile: CodexOAuthProfile = CODEX_PROFILE,
+        store: OAuthStore | None = None,
+        http_client: httpx.Client | None = None,
+    ) -> None:
+        self.profile = profile
+        self.store = store or OAuthStore()
+        self.http_client = http_client or httpx.Client(timeout=30)
+        self._owns_http_client = http_client is None
+
+    def close(self) -> None:
+        if self._owns_http_client:
+            self.http_client.close()
+
+    def request_device_code(self) -> DeviceCode:
+        response = self.http_client.post(
+            self.profile.device_user_code_endpoint,
+            json={"client_id": self.profile.client_id},
+            headers={"Content-Type": "application/json"},
+        )
+        response.raise_for_status()
+        return _UserCodeResponse.model_validate(response.json()).to_device_code(self.profile)
+
+    def poll_device_token(self, device_code: DeviceCode, *, timeout_seconds: int = 15 * 60) -> _DeviceTokenResponse:
+        monotonic = __import__("time").monotonic
+        end_at = monotonic() + timeout_seconds
+        while True:
+            response = self.http_client.post(
+                self.profile.device_token_endpoint,
+                json={"device_auth_id": device_code.device_auth_id, "user_code": device_code.user_code},
+                headers={"Content-Type": "application/json"},
+            )
+            if response.is_success:
+                return _DeviceTokenResponse.model_validate(response.json())
+            if response.status_code in (403, 404) and monotonic() < end_at:
+                sleep_for = min(device_code.interval, max(0.0, end_at - monotonic()))
+                __import__("time").sleep(sleep_for)
+                continue
+            response.raise_for_status()
+            raise RuntimeError("Codex device authorization failed")
+
+    def exchange_device_code(self, code_response: _DeviceTokenResponse) -> OAuthProviderRecord:
+        response = self.http_client.post(
+            self.profile.token_endpoint,
+            data={
+                "grant_type": "authorization_code",
+                "code": code_response.authorization_code,
+                "redirect_uri": self.profile.device_redirect_uri,
+                "client_id": self.profile.client_id,
+                "code_verifier": code_response.code_verifier,
+            },
+            headers={"Content-Type": "application/x-www-form-urlencoded"},
+        )
+        response.raise_for_status()
+        token_response = _TokenResponse.model_validate(response.json())
+        return self._record_from_token_response(token_response)
+
+    def login_device_code(self, *, timeout_seconds: int = 15 * 60) -> tuple[DeviceCode, OAuthProviderRecord]:
+        device_code = self.request_device_code()
+        token_code = self.poll_device_token(device_code, timeout_seconds=timeout_seconds)
+        return device_code, self.exchange_device_code(token_code)
+
+    def refresh_record(self, record: OAuthProviderRecord) -> OAuthProviderRecord:
+        refresh_token = record.tokens.refresh_token
+        if not refresh_token:
+            raise RuntimeError("Codex refresh token is missing; run `ya-oauth login codex` again.")
+        response = self.http_client.post(
+            self.profile.token_endpoint,
+            json={
+                "client_id": self.profile.client_id,
+                "grant_type": "refresh_token",
+                "refresh_token": refresh_token,
+            },
+            headers={"Content-Type": "application/json"},
+        )
+        response.raise_for_status()
+        token_response = _TokenResponse.model_validate(response.json())
+        account = account_from_id_token(token_response.id_token) if token_response.id_token else record.account
+        _validate_same_account(record.account, account)
+        return record.with_refreshed_tokens(
+            id_token=token_response.id_token,
+            access_token=token_response.access_token,
+            refresh_token=token_response.refresh_token,
+            account=account,
+        )
+
+    def revoke_record(self, record: OAuthProviderRecord) -> None:
+        token = record.tokens.refresh_token or record.tokens.access_token
+        if not token or not self.profile.revoke_endpoint:
+            return
+        response = self.http_client.post(
+            self.profile.revoke_endpoint,
+            data={"client_id": self.profile.client_id, "token": token},
+        )
+        if response.status_code < 400:
+            return
+        response.raise_for_status()
+
+    def make_token_source(self) -> StoreBackedTokenSource:
+        return StoreBackedTokenSource("codex", store=self.store, refresh_provider=self.refresh_record)
+
+    def _record_from_token_response(self, token_response: _TokenResponse) -> OAuthProviderRecord:
+        if not token_response.access_token:
+            raise RuntimeError("Codex token response did not include access_token")
+        account = OAuthAccount()
+        if token_response.id_token:
+            account = account_from_id_token(token_response.id_token)
+        return OAuthProviderRecord(
+            issuer=self.profile.issuer,
+            client_id=self.profile.client_id,
+            token_endpoint=self.profile.token_endpoint,
+            revoke_endpoint=self.profile.revoke_endpoint,
+            base_url=self.profile.base_url,
+            scopes=list(self.profile.scopes),
+            tokens=OAuthTokens(
+                id_token=token_response.id_token,
+                access_token=token_response.access_token,
+                refresh_token=token_response.refresh_token,
+            ),
+            account=account,
+            last_refresh_at=datetime.now(UTC),
+        )
+
+
+def _validate_same_account(old: OAuthAccount, new: OAuthAccount) -> None:
+    if old.chatgpt_account_id and new.chatgpt_account_id and old.chatgpt_account_id != new.chatgpt_account_id:
+        raise RuntimeError("Codex refresh returned a different ChatGPT account; run `ya-oauth login codex` again.")
+    if old.chatgpt_user_id and new.chatgpt_user_id and old.chatgpt_user_id != new.chatgpt_user_id:
+        raise RuntimeError("Codex refresh returned a different ChatGPT user; run `ya-oauth login codex` again.")
+
+
+def create_codex_token_source(*, store: OAuthStore | None = None) -> StoreBackedTokenSource:
+    return CodexOAuthClient(store=store).make_token_source()
+
+
+def redact_record(record: OAuthProviderRecord) -> dict[str, Any]:
+    data = record.model_dump(mode="json")
+    tokens = data.get("tokens")
+    if isinstance(tokens, dict):
+        for key in list(tokens):
+            if tokens[key]:
+                tokens[key] = "<redacted>"
+    return data

ya_oauth-0.74.0/ya_oauth/jwt.py

@@ -0,0 +1,50 @@
+from __future__ import annotations
+
+import base64
+import json
+from typing import Any
+
+from ya_oauth.types import OAuthAccount
+
+
+def decode_jwt_payload(jwt: str) -> dict[str, Any]:
+    """Decode a JWT payload without signature validation for local metadata extraction."""
+    parts = jwt.split(".")
+    if len(parts) != 3 or not parts[1]:
+        raise ValueError("invalid JWT format")
+    payload = parts[1]
+    payload += "=" * (-len(payload) % 4)
+    decoded = base64.urlsafe_b64decode(payload.encode("ascii"))
+    data = json.loads(decoded.decode("utf-8"))
+    if not isinstance(data, dict):
+        raise TypeError("invalid JWT payload")
+    return data
+
+
+def account_from_id_token(id_token: str) -> OAuthAccount:
+    """Extract Codex-compatible ChatGPT account metadata from an ID token."""
+    claims = decode_jwt_payload(id_token)
+    profile = claims.get("https://api.openai.com/profile")
+    auth = claims.get("https://api.openai.com/auth")
+    profile_data = profile if isinstance(profile, dict) else {}
+    auth_data = auth if isinstance(auth, dict) else {}
+    return OAuthAccount(
+        email=_string_or_none(claims.get("email")) or _string_or_none(profile_data.get("email")),
+        chatgpt_user_id=_string_or_none(auth_data.get("chatgpt_user_id")) or _string_or_none(auth_data.get("user_id")),
+        chatgpt_account_id=_string_or_none(auth_data.get("chatgpt_account_id")),
+        chatgpt_plan_type=_plan_type(auth_data.get("chatgpt_plan_type")),
+        chatgpt_account_is_fedramp=bool(auth_data.get("chatgpt_account_is_fedramp", False)),
+    )
+
+
+def _string_or_none(value: Any) -> str | None:
+    return value if isinstance(value, str) and value else None
+
+
+def _plan_type(value: Any) -> str | None:
+    if isinstance(value, str):
+        return value
+    if isinstance(value, dict):
+        raw = value.get("raw_value") or value.get("value") or value.get("name")
+        return _string_or_none(raw)
+    return None

ya_oauth-0.74.0/ya_oauth/store.py

@@ -0,0 +1,161 @@
+from __future__ import annotations
+
+import asyncio
+import contextlib
+import fcntl
+import json
+import os
+import stat
+import tempfile
+from collections.abc import Callable
+from pathlib import Path
+from typing import TypeVar
+
+from ya_oauth.types import AuthFile, OAuthProviderRecord, TokenSnapshot
+
+T = TypeVar("T")
+
+DEFAULT_AUTH_DIR = Path.home() / ".yaai"
+DEFAULT_AUTH_PATH = DEFAULT_AUTH_DIR / "auth.json"
+
+
+class OAuthStore:
+    """File-backed OAuth credential store with process-level locking."""
+
+    def __init__(self, path: Path | str | None = None) -> None:
+        self.path = Path(path).expanduser() if path is not None else DEFAULT_AUTH_PATH
+        self.lock_path = self.path.with_suffix(self.path.suffix + ".lock")
+
+    def load(self) -> AuthFile:
+        self._ensure_parent()
+        with self._locked():
+            return self._load_unlocked()
+
+    def save(self, auth_file: AuthFile) -> None:
+        self._ensure_parent()
+        with self._locked():
+            self._save_unlocked(auth_file)
+
+    def get_provider(self, provider_name: str) -> OAuthProviderRecord | None:
+        return self.load().providers.get(provider_name)
+
+    def set_provider(self, provider_name: str, record: OAuthProviderRecord) -> None:
+        def update(auth_file: AuthFile) -> None:
+            auth_file.providers[provider_name] = record
+
+        self.update(update)
+
+    def delete_provider(self, provider_name: str) -> OAuthProviderRecord | None:
+        deleted: OAuthProviderRecord | None = None
+
+        def update(auth_file: AuthFile) -> None:
+            nonlocal deleted
+            deleted = auth_file.providers.pop(provider_name, None)
+
+        self.update(update)
+        return deleted
+
+    def update(self, updater: Callable[[AuthFile], T]) -> T:
+        self._ensure_parent()
+        with self._locked():
+            auth_file = self._load_unlocked()
+            result = updater(auth_file)
+            self._save_unlocked(auth_file)
+            return result
+
+    def _ensure_parent(self) -> None:
+        self.path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
+        with contextlib.suppress(PermissionError):
+            os.chmod(self.path.parent, 0o700)
+
+    @contextlib.contextmanager
+    def _locked(self):  # type: ignore[no-untyped-def]
+        self.lock_path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
+        with self.lock_path.open("a+") as lock_file:
+            fcntl.flock(lock_file.fileno(), fcntl.LOCK_EX)
+            try:
+                yield
+            finally:
+                fcntl.flock(lock_file.fileno(), fcntl.LOCK_UN)
+
+    def _load_unlocked(self) -> AuthFile:
+        if not self.path.exists():
+            return AuthFile()
+        self._repair_file_mode_unlocked()
+        with self.path.open("r", encoding="utf-8") as file:
+            data = json.load(file)
+        return AuthFile.model_validate(data)
+
+    def _save_unlocked(self, auth_file: AuthFile) -> None:
+        payload = auth_file.model_dump(mode="json", exclude_none=True)
+        fd, tmp_name = tempfile.mkstemp(prefix=f".{self.path.name}.", suffix=".tmp", dir=self.path.parent, text=True)
+        tmp_path = Path(tmp_name)
+        try:
+            os.chmod(tmp_path, 0o600)
+            with os.fdopen(fd, "w", encoding="utf-8") as file:
+                json.dump(payload, file, indent=2, sort_keys=True)
+                file.write("\n")
+                file.flush()
+                os.fsync(file.fileno())
+            os.replace(tmp_path, self.path)
+        except BaseException:
+            with contextlib.suppress(FileNotFoundError):
+                tmp_path.unlink()
+            raise
+        with contextlib.suppress(PermissionError):
+            os.chmod(self.path, 0o600)
+
+    def _repair_file_mode_unlocked(self) -> None:
+        mode = stat.S_IMODE(self.path.stat().st_mode)
+        if mode != 0o600:
+            os.chmod(self.path, 0o600)
+
+
+class StoreBackedTokenSource:
+    """OAuthTokenSource backed by OAuthStore and a provider-specific refresher."""
+
+    def __init__(
+        self,
+        provider_name: str,
+        *,
+        store: OAuthStore | None = None,
+        refresh_provider: Callable[[OAuthProviderRecord], OAuthProviderRecord],
+    ) -> None:
+        self.provider_name = provider_name
+        self.store = store or OAuthStore()
+        self._refresh_provider = refresh_provider
+
+    async def get_token(self) -> TokenSnapshot:
+        record = self.store.get_provider(self.provider_name)
+        if record is None:
+            raise RuntimeError(f"OAuth provider is not logged in: {self.provider_name}")
+        return _snapshot(self.provider_name, record)
+
+    async def refresh_token(self) -> TokenSnapshot:
+        refreshed = await asyncio.to_thread(self._refresh_and_store)
+        return _snapshot(self.provider_name, refreshed)
+
+    def _refresh_and_store(self) -> OAuthProviderRecord:
+        refreshed: OAuthProviderRecord | None = None
+
+        def update(auth_file: AuthFile) -> None:
+            nonlocal refreshed
+            record = auth_file.providers.get(self.provider_name)
+            if record is None:
+                raise RuntimeError(f"OAuth provider is not logged in: {self.provider_name}")
+            refreshed = self._refresh_provider(record)
+            auth_file.providers[self.provider_name] = refreshed
+
+        self.store.update(update)
+        if refreshed is None:
+            raise RuntimeError(f"OAuth provider refresh failed: {self.provider_name}")
+        return refreshed
+
+
+def _snapshot(provider_name: str, record: OAuthProviderRecord) -> TokenSnapshot:
+    return TokenSnapshot(
+        provider_name=provider_name,
+        access_token=record.tokens.access_token,
+        account=record.account,
+        base_url=record.base_url,
+    )

ya_oauth-0.74.0/ya_oauth/types.py

@@ -0,0 +1,87 @@
+from __future__ import annotations
+
+from datetime import UTC, datetime
+from typing import Any, Protocol
+
+from pydantic import BaseModel, Field
+
+
+class OAuthTokens(BaseModel):
+    """OAuth token material stored for a provider."""
+
+    id_token: str | None = None
+    access_token: str
+    refresh_token: str | None = None
+
+
+class OAuthAccount(BaseModel):
+    """Account metadata derived from provider tokens."""
+
+    email: str | None = None
+    chatgpt_user_id: str | None = None
+    chatgpt_account_id: str | None = None
+    chatgpt_plan_type: str | None = None
+    chatgpt_account_is_fedramp: bool = False
+
+
+class OAuthProviderRecord(BaseModel):
+    """Stored OAuth configuration and credential record for one provider."""
+
+    type: str = "oauth2"
+    issuer: str
+    client_id: str
+    token_endpoint: str
+    revoke_endpoint: str | None = None
+    base_url: str | None = None
+    scopes: list[str] = Field(default_factory=list)
+    tokens: OAuthTokens
+    account: OAuthAccount = Field(default_factory=OAuthAccount)
+    last_refresh_at: datetime | None = None
+
+    def with_refreshed_tokens(
+        self,
+        *,
+        id_token: str | None = None,
+        access_token: str | None = None,
+        refresh_token: str | None = None,
+        account: OAuthAccount | None = None,
+    ) -> OAuthProviderRecord:
+        """Return an updated copy, preserving refresh response fields Codex omits."""
+        return self.model_copy(
+            update={
+                "tokens": self.tokens.model_copy(
+                    update={
+                        "id_token": id_token if id_token is not None else self.tokens.id_token,
+                        "access_token": access_token if access_token is not None else self.tokens.access_token,
+                        "refresh_token": refresh_token if refresh_token is not None else self.tokens.refresh_token,
+                    }
+                ),
+                "account": account if account is not None else self.account,
+                "last_refresh_at": datetime.now(UTC),
+            }
+        )
+
+
+class AuthFile(BaseModel):
+    """On-disk auth file schema for ~/.yaai/auth.json."""
+
+    version: int = 1
+    providers: dict[str, OAuthProviderRecord] = Field(default_factory=dict)
+
+
+class TokenSnapshot(BaseModel):
+    """Provider token state safe for request construction."""
+
+    provider_name: str
+    access_token: str
+    account: OAuthAccount = Field(default_factory=OAuthAccount)
+    base_url: str | None = None
+    metadata: dict[str, Any] = Field(default_factory=dict)
+
+
+class OAuthTokenSource(Protocol):
+    """Async token source consumed by OAuth-backed model providers."""
+
+    async def get_token(self) -> TokenSnapshot: ...
+
+    async def refresh_token(self) -> TokenSnapshot: ...