CLIProxyAPIPlus uses device code flow for Kiro authentication, returning
{method: "device_code", state, status} without an immediate URL. The URL
is provided via polling the /get-auth-status endpoint.
Previously, Kiro was configured as authorization_code flow, causing
dashboard auth to fail with "No authorization URL received from CLIProxyAPI"
because the web-server routes expected synchronous URL response.
Changes:
- provider-capabilities.ts: kiro.oauthFlow = 'device_code', callbackPort = null
- provider-config.ts: Add 'kiro' to DEVICE_CODE_PROVIDERS array
- provider-capabilities.test.ts: Update test expectations
This routes Kiro through /start endpoint which properly handles device code
flow via WebSocket events (deviceCodeReceived, deviceCodeCompleted, etc).
Closes#552
- require model when changing single-variant provider to avoid mixed config
- rewrite provider-specific core env when provider changes while preserving custom fields
- preserve custom composite settings path and return persisted composite PUT state
When abort fires after streaming begins, onAbort closed HTTP/2 handles
but never closed the ReadableStream controller. Consumers waiting on
reader.read() could hang indefinitely since end/error handlers were
gated by streamClosed flag.
Hoist controller reference to outer scope so abort handler can close it.
- Check response.status before calling transformProtobufToSSE in fetch fallback
- Move abort signal registration before response headers to handle early cancellation
- P1: Thinking "off" now fully disables all tier thinking
When thinkingValue === 'off' AND no per-tier config, return early
Preserves behavior for "off" with per-tier config (skips main, processes tiers)
Fixes regression where tier defaults were applied despite explicit off setting
- P2: Handle composite-create thrown errors in POST route
Wrap createCompositeVariant() in try/catch
Returns 400 instead of generic 500 when function throws (e.g., legacy mode)
- P2: Edit dialog no longer seeds empty model string
Changed `variant.model || ''` to `variant.model ?? undefined`
Added payload filtering to exclude undefined/empty values before API call
Prevents unintended model overwrites when user only changes other fields
- P3: Composite --config guidance now uses variant name
Added profileName to ExecutorConfig interface
Error message now shows correct variant name instead of default tier provider
e.g., "ccs cliproxy edit my-mix" instead of "ccs cliproxy edit gemini"
- P1: Remove premature variant deletion in --force mode
Fix destructive overwrite path - old variant preserved if user
cancels auth or creation fails (createVariant handles overwrite)
- P2: Validate all composite tier providers at runtime
Backend gating now checks all providers in composite, not just
default tier. Prevents kiro/ghcp on non-default tiers bypassing
Plus backend requirement.
- P2: Preserve tier thinking when default tier is off
Early return skipped tier processing when default thinking was
"off". Now uses flag-based approach - only main model skipped,
tier loop continues with per-tier thinking config.
- Add requireAllTiers parameter to validateCompositeTiers (default false)
- POST/create passes true to enforce all 3 tiers required
- PUT/update passes false (default) to allow partial updates
- Guard against null tier values that would throw at runtime
- Add cursor section serialization after copilot, before global_env
- Fixes P1 data loss: cursor settings now persist to config.yaml
- Previously cursor was merged in memory but never written to disk
P1 (Critical): Remote composite execution now correctly uses remote endpoint
- Reorder condition to check useRemoteProxy before isComposite
- Composite variants now work with remote CLIProxy instances
P2a (Medium): Tier deep-merge preserves optional fields during updates
- Use spread merge instead of ?? to preserve fallback/thinking/account
P2b (Medium): API accepts partial tier updates in PUT endpoint
- Skip validation for tiers not present in request
- Aligns with updateCompositeVariant's merge behavior
- Validate fallback doesn't point to same provider+model (circular)
- Reject empty/whitespace model strings in composite tiers
- Add TODO comment for concurrent modification race condition
- Block variant deletion when CLIProxy has active sessions
- Use temp file + rename pattern for atomic settings writes
- Prevents partial writes on crash/interruption
- Continue to remaining providers on auth failure instead of throwing
- Aggregate failures and show summary of succeeded/failed providers
- Improves UX when one provider fails in composite variant
- Add optional chaining for tier access in env-resolver
- Throw error if default tier model missing in env-builder
- Add null checks for composite.tiers in profile-detector
- Allow partial composite updates in PUT endpoint (|| -> &&)
- Map service validation errors to 400 status, not 404
- Widen 4xx regex to cover full 400-499 range
- Route all `ccs cursor *` to handleCursorCommand (no profile-switching)
- Add --ccs-daemon marker to spawned process for stable PID validation
- Use random port in lifecycle integration test to prevent CI conflicts
- Remove unnecessary .toFixed(1) on integer tokenAge
- Validate PID belongs to cursor daemon via /proc before signaling
- Tighten detectProvider regex to avoid over-matching o-prefixed models
- Add integration test for daemon start→health→stop lifecycle
- Add void cast on discarded handleHelp() return value
- Update model catalog date comment
- Export detectProvider and formatModelName from barrel index
- Export CURSOR_SUBCOMMANDS from cursor-command.ts, import in ccs.ts
- Use getCcsDir() in tests instead of manual path construction
- Add handleCursorCommand routing test for unknown subcommand
- Add removePidFile() in safeResolve on failure to prevent stale PIDs
- Only send SIGKILL in stopDaemon if SIGTERM wait loop exhausted
- Check isDaemonRunning before model fetch to avoid 5s timeout
- Add port validation unit tests for startDaemon
- Change spawn stdio from piped to 'ignore' preventing buffer deadlock
- Replace setInterval with sequential setTimeout polling
- Fix TOCTOU in SIGKILL escalation (send directly without probing)
- Move CursorConfig interface to types.ts
- Change detectProvider default from 'openai' to 'unknown'
- Remove redundant removePidFile() when PID is null
- Change /start and /stop to /daemon/start and /daemon/stop matching copilot convention
- Add enabled field to CursorConfig for dashboard toggle parity
- Simplify getCursorConfig() to trust mergeWithDefaults()
- Handle bare 'ccs cursor' to show help instead of reserved-name error