backend/internal/repository/openai_oauth_service.go

package repository

import (
	"context"
	"errors"
	"net/http"
	"net/url"
	"strings"
	"time"

	infraerrors "github.com/Wei-Shaw/sub2api/internal/pkg/errors"
	"github.com/Wei-Shaw/sub2api/internal/pkg/openai"
	"github.com/Wei-Shaw/sub2api/internal/service"
	"github.com/imroc/req/v3"
)

// NewOpenAIOAuthClient creates a new OpenAI OAuth client
func NewOpenAIOAuthClient() service.OpenAIOAuthClient {
	return &openaiOAuthService{tokenURL: openai.TokenURL}
}

type openaiOAuthService struct {
	tokenURL string
}

func (s *openaiOAuthService) ExchangeCode(ctx context.Context, code, codeVerifier, redirectURI, proxyURL, clientID string) (*openai.TokenResponse, error) {
	client, err := createOpenAIReqClient(proxyURL)
	if err != nil {
		return nil, infraerrors.Newf(http.StatusBadGateway, "OPENAI_OAUTH_CLIENT_INIT_FAILED", "create HTTP client: %v", err)
	}

	if redirectURI == "" {
		redirectURI = openai.DefaultRedirectURI
	}
	clientID = strings.TrimSpace(clientID)
	if clientID == "" {
		clientID = openai.ClientID
	}

	formData := url.Values{}
	formData.Set("grant_type", "authorization_code")
	formData.Set("client_id", clientID)
	formData.Set("code", code)
	formData.Set("redirect_uri", redirectURI)
	formData.Set("code_verifier", codeVerifier)

	var tokenResp openai.TokenResponse

	resp, err := client.R().
		SetContext(ctx).
		SetHeader("User-Agent", "codex-cli/0.91.0").
		SetFormDataFromValues(formData).
		SetSuccessResult(&tokenResp).
		Post(s.tokenURL)

	if err != nil {
		if shouldReturnOpenAINoProxyHint(ctx, proxyURL, err) {
			return nil, newOpenAINoProxyHintError(err)
		}
		return nil, infraerrors.Newf(http.StatusBadGateway, "OPENAI_OAUTH_REQUEST_FAILED", "request failed: %v", err)
	}

	if !resp.IsSuccessState() {
		return nil, infraerrors.Newf(http.StatusBadGateway, "OPENAI_OAUTH_TOKEN_EXCHANGE_FAILED", "token exchange failed: status %d, body: %s", resp.StatusCode, resp.String())
	}

	return &tokenResp, nil
}

func (s *openaiOAuthService) RefreshToken(ctx context.Context, refreshToken, proxyURL string) (*openai.TokenResponse, error) {
	return s.RefreshTokenWithClientID(ctx, refreshToken, proxyURL, "")
}

func (s *openaiOAuthService) RefreshTokenWithClientID(ctx context.Context, refreshToken, proxyURL string, clientID string) (*openai.TokenResponse, error) {
	// 调用方应始终传入正确的 client_id；为兼容旧数据，未指定时默认使用 OpenAI ClientID
	clientID = strings.TrimSpace(clientID)
	if clientID == "" {
		clientID = openai.ClientID
	}
	return s.refreshTokenWithClientID(ctx, refreshToken, proxyURL, clientID)
}

func (s *openaiOAuthService) refreshTokenWithClientID(ctx context.Context, refreshToken, proxyURL, clientID string) (*openai.TokenResponse, error) {
	client, err := createOpenAIReqClient(proxyURL)
	if err != nil {
		return nil, infraerrors.Newf(http.StatusBadGateway, "OPENAI_OAUTH_CLIENT_INIT_FAILED", "create HTTP client: %v", err)
	}

	formData := url.Values{}
	formData.Set("grant_type", "refresh_token")
	formData.Set("refresh_token", refreshToken)
	formData.Set("client_id", clientID)
	formData.Set("scope", openai.RefreshScopes)

	var tokenResp openai.TokenResponse

	resp, err := client.R().
		SetContext(ctx).
		SetHeader("User-Agent", "codex-cli/0.91.0").
		SetFormDataFromValues(formData).
		SetSuccessResult(&tokenResp).
		Post(s.tokenURL)

	if err != nil {
		if shouldReturnOpenAINoProxyHint(ctx, proxyURL, err) {
			return nil, newOpenAINoProxyHintError(err)
		}
		return nil, infraerrors.Newf(http.StatusBadGateway, "OPENAI_OAUTH_REQUEST_FAILED", "request failed: %v", err)
	}

	if !resp.IsSuccessState() {
		return nil, infraerrors.Newf(http.StatusBadGateway, "OPENAI_OAUTH_TOKEN_REFRESH_FAILED", "token refresh failed: status %d, body: %s", resp.StatusCode, resp.String())
	}

	return &tokenResp, nil
}

func createOpenAIReqClient(proxyURL string) (*req.Client, error) {
	return getSharedReqClient(reqClientOptions{
		ProxyURL: proxyURL,
		Timeout:  120 * time.Second,
	})
}

func shouldReturnOpenAINoProxyHint(ctx context.Context, proxyURL string, err error) bool {
	if strings.TrimSpace(proxyURL) != "" || err == nil {
		return false
	}
	if ctx != nil && ctx.Err() != nil {
		return false
	}
	return !errors.Is(err, context.Canceled)
}

func newOpenAINoProxyHintError(cause error) error {
	return infraerrors.New(
		http.StatusBadGateway,
		"OPENAI_OAUTH_PROXY_REQUIRED",
		"OpenAI OAuth request failed: no proxy is configured and this server could not reach OpenAI directly. Select a proxy that can access OpenAI, then retry; if the authorization code has expired, regenerate the authorization URL.",
	).WithCause(cause)
}
-												feat: 新增支持codex转发

											
										
										
											2025-12-22 22:58:31 +08:00
+								package repository
 								import (
 									"context"
-												fix: clarify OpenAI OAuth proxy errors

											
										
										
											2026-04-23 12:23:04 +08:00
+									"errors"
-												fix(openai-oauth): 改进错误处理和代理支持

- 使用 ApplicationError 返回详细错误信息到前端
- 添加 User-Agent: codex-cli/0.91.0
- 移除 ForceHTTP2 以兼容 HTTP 代理
- 修复代理获取失败时静默忽略的问题
- 500 错误时记录完整错误日志

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

											
										
										
											2026-01-27 19:13:01 +08:00
+									"net/http"
-												feat: 新增支持codex转发

											
										
										
											2025-12-22 22:58:31 +08:00
+									"net/url"
-												feat(sora): 对齐 Sora OAuth 流程并隔离网关请求路径

- 新增并接通 Sora 专用 OAuth 接口与 ST/RT 换取能力
- 完成前端 Sora 授权、RT/ST 手动导入与账号创建流程
- 强化 Sora token 恢复、转发日志与网关路由隔离行为
- 补充后端服务层与路由层相关测试覆盖

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-02-19 08:02:56 +08:00
+									"strings"
-												feat: 新增支持codex转发

											
										
										
											2025-12-22 22:58:31 +08:00
+									"time"
-												fix(openai-oauth): 改进错误处理和代理支持

- 使用 ApplicationError 返回详细错误信息到前端
- 添加 User-Agent: codex-cli/0.91.0
- 移除 ForceHTTP2 以兼容 HTTP 代理
- 修复代理获取失败时静默忽略的问题
- 500 错误时记录完整错误日志

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

											
										
										
											2026-01-27 19:13:01 +08:00
+									infraerrors "github.com/Wei-Shaw/sub2api/internal/pkg/errors"
-												refactor: 重命名 go module

											
										
										
											2025-12-24 21:07:21 +08:00
+									"github.com/Wei-Shaw/sub2api/internal/pkg/openai"
-												refactor: 删除 ports 目录

											
										
										
											2025-12-25 17:15:01 +08:00
+									"github.com/Wei-Shaw/sub2api/internal/service"
-												feat: 新增支持codex转发

											
										
										
											2025-12-22 22:58:31 +08:00
+									"github.com/imroc/req/v3"
 								)
 								// NewOpenAIOAuthClient creates a new OpenAI OAuth client
-												refactor: 删除 ports 目录

											
										
										
											2025-12-25 17:15:01 +08:00
+								func NewOpenAIOAuthClient() service.OpenAIOAuthClient {
-												test: 增加 repository 测试

											
										
										
											2025-12-25 10:52:56 +08:00
+									return &openaiOAuthService{tokenURL: openai.TokenURL}
 								}
 								type openaiOAuthService struct {
 									tokenURL string
-												feat: 新增支持codex转发

											
										
										
											2025-12-22 22:58:31 +08:00
+								}
-												feat(sync): full code sync from release

											
										
										
											2026-02-28 15:01:20 +08:00
+								func (s *openaiOAuthService) ExchangeCode(ctx context.Context, code, codeVerifier, redirectURI, proxyURL, clientID string) (*openai.TokenResponse, error) {
-												feat(proxy): 集中代理 URL 验证并实现全局 fail-fast

提取 proxyurl.Parse() 公共包，将分散在 6 处的代理 URL 验证逻辑
统一收敛，确保无效代理配置在创建时立即失败，永不静默回退直连。

主要变更：
- 新增 proxyurl 包：统一 TrimSpace → url.Parse → Host 校验 → Scheme 白名单
- socks5:// 自动升级为 socks5h://，防止 DNS 泄漏（大小写不敏感）
- antigravity: http.ProxyURL → proxyutil.ConfigureTransportProxy 支持 SOCKS5
- openai_oauth: 删除 newOpenAIOAuthHTTPClient，收编至 httpclient.GetClient
- 移除未使用的 ProxyStrict 字段（fail-fast 已是全局默认行为）
- 补充 15 个 proxyurl 测试 + pricing/usage fail-fast 测试

											
										
										
											2026-03-02 15:53:26 +08:00
+									client, err := createOpenAIReqClient(proxyURL)
 									if err != nil {
 										return nil, infraerrors.Newf(http.StatusBadGateway, "OPENAI_OAUTH_CLIENT_INIT_FAILED", "create HTTP client: %v", err)
 									}
-												feat: 新增支持codex转发

											
										
										
											2025-12-22 22:58:31 +08:00
 									if redirectURI == "" {
 										redirectURI = openai.DefaultRedirectURI
 									}
-												feat(sync): full code sync from release

											
										
										
											2026-02-28 15:01:20 +08:00
+									clientID = strings.TrimSpace(clientID)
 									if clientID == "" {
 										clientID = openai.ClientID
 									}
-												feat: 新增支持codex转发

											
										
										
											2025-12-22 22:58:31 +08:00
 									formData := url.Values{}
 									formData.Set("grant_type", "authorization_code")
-												feat(sync): full code sync from release

											
										
										
											2026-02-28 15:01:20 +08:00
+									formData.Set("client_id", clientID)
-												feat: 新增支持codex转发

											
										
										
											2025-12-22 22:58:31 +08:00
+									formData.Set("code", code)
 									formData.Set("redirect_uri", redirectURI)
 									formData.Set("code_verifier", codeVerifier)
 									var tokenResp openai.TokenResponse
 									resp, err := client.R().
 										SetContext(ctx).
-												fix(openai-oauth): 改进错误处理和代理支持

- 使用 ApplicationError 返回详细错误信息到前端
- 添加 User-Agent: codex-cli/0.91.0
- 移除 ForceHTTP2 以兼容 HTTP 代理
- 修复代理获取失败时静默忽略的问题
- 500 错误时记录完整错误日志

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

											
										
										
											2026-01-27 19:13:01 +08:00
+										SetHeader("User-Agent", "codex-cli/0.91.0").
-												feat: 新增支持codex转发

											
										
										
											2025-12-22 22:58:31 +08:00
+										SetFormDataFromValues(formData).
 										SetSuccessResult(&tokenResp).
-												test: 增加 repository 测试

											
										
										
											2025-12-25 10:52:56 +08:00
+										Post(s.tokenURL)
-												feat: 新增支持codex转发

											
										
										
											2025-12-22 22:58:31 +08:00
 									if err != nil {
-												fix: clarify OpenAI OAuth proxy errors

											
										
										
											2026-04-23 12:23:04 +08:00
+										if shouldReturnOpenAINoProxyHint(ctx, proxyURL, err) {
 											return nil, newOpenAINoProxyHintError(err)
 										}
-												fix(openai-oauth): 改进错误处理和代理支持

- 使用 ApplicationError 返回详细错误信息到前端
- 添加 User-Agent: codex-cli/0.91.0
- 移除 ForceHTTP2 以兼容 HTTP 代理
- 修复代理获取失败时静默忽略的问题
- 500 错误时记录完整错误日志

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

											
										
										
											2026-01-27 19:13:01 +08:00
+										return nil, infraerrors.Newf(http.StatusBadGateway, "OPENAI_OAUTH_REQUEST_FAILED", "request failed: %v", err)
-												feat: 新增支持codex转发

											
										
										
											2025-12-22 22:58:31 +08:00
+									}
 									if !resp.IsSuccessState() {
-												fix(openai-oauth): 改进错误处理和代理支持

- 使用 ApplicationError 返回详细错误信息到前端
- 添加 User-Agent: codex-cli/0.91.0
- 移除 ForceHTTP2 以兼容 HTTP 代理
- 修复代理获取失败时静默忽略的问题
- 500 错误时记录完整错误日志

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

											
										
										
											2026-01-27 19:13:01 +08:00
+										return nil, infraerrors.Newf(http.StatusBadGateway, "OPENAI_OAUTH_TOKEN_EXCHANGE_FAILED", "token exchange failed: status %d, body: %s", resp.StatusCode, resp.String())
-												feat: 新增支持codex转发

											
										
										
											2025-12-22 22:58:31 +08:00
+									}
 									return &tokenResp, nil
 								}
 								func (s *openaiOAuthService) RefreshToken(ctx context.Context, refreshToken, proxyURL string) (*openai.TokenResponse, error) {
-												feat(sora): 对齐 Sora OAuth 流程并隔离网关请求路径

- 新增并接通 Sora 专用 OAuth 接口与 ST/RT 换取能力
- 完成前端 Sora 授权、RT/ST 手动导入与账号创建流程
- 强化 Sora token 恢复、转发日志与网关路由隔离行为
- 补充后端服务层与路由层相关测试覆盖

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-02-19 08:02:56 +08:00
+									return s.RefreshTokenWithClientID(ctx, refreshToken, proxyURL, "")
 								}
 								func (s *openaiOAuthService) RefreshTokenWithClientID(ctx context.Context, refreshToken, proxyURL string, clientID string) (*openai.TokenResponse, error) {
-												feat(sync): full code sync from release

											
										
										
											2026-02-28 15:01:20 +08:00
+									// 调用方应始终传入正确的 client_id；为兼容旧数据，未指定时默认使用 OpenAI ClientID
 									clientID = strings.TrimSpace(clientID)
 									if clientID == "" {
 										clientID = openai.ClientID
-												feat(sora): 对齐 Sora OAuth 流程并隔离网关请求路径

- 新增并接通 Sora 专用 OAuth 接口与 ST/RT 换取能力
- 完成前端 Sora 授权、RT/ST 手动导入与账号创建流程
- 强化 Sora token 恢复、转发日志与网关路由隔离行为
- 补充后端服务层与路由层相关测试覆盖

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-02-19 08:02:56 +08:00
+									}
-												feat(sync): full code sync from release

											
										
										
											2026-02-28 15:01:20 +08:00
+									return s.refreshTokenWithClientID(ctx, refreshToken, proxyURL, clientID)
-												feat(sora): 对齐 Sora OAuth 流程并隔离网关请求路径

- 新增并接通 Sora 专用 OAuth 接口与 ST/RT 换取能力
- 完成前端 Sora 授权、RT/ST 手动导入与账号创建流程
- 强化 Sora token 恢复、转发日志与网关路由隔离行为
- 补充后端服务层与路由层相关测试覆盖

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-02-19 08:02:56 +08:00
+								}
 								func (s *openaiOAuthService) refreshTokenWithClientID(ctx context.Context, refreshToken, proxyURL, clientID string) (*openai.TokenResponse, error) {
-												feat(proxy): 集中代理 URL 验证并实现全局 fail-fast

提取 proxyurl.Parse() 公共包，将分散在 6 处的代理 URL 验证逻辑
统一收敛，确保无效代理配置在创建时立即失败，永不静默回退直连。

主要变更：
- 新增 proxyurl 包：统一 TrimSpace → url.Parse → Host 校验 → Scheme 白名单
- socks5:// 自动升级为 socks5h://，防止 DNS 泄漏（大小写不敏感）
- antigravity: http.ProxyURL → proxyutil.ConfigureTransportProxy 支持 SOCKS5
- openai_oauth: 删除 newOpenAIOAuthHTTPClient，收编至 httpclient.GetClient
- 移除未使用的 ProxyStrict 字段（fail-fast 已是全局默认行为）
- 补充 15 个 proxyurl 测试 + pricing/usage fail-fast 测试

											
										
										
											2026-03-02 15:53:26 +08:00
+									client, err := createOpenAIReqClient(proxyURL)
 									if err != nil {
 										return nil, infraerrors.Newf(http.StatusBadGateway, "OPENAI_OAUTH_CLIENT_INIT_FAILED", "create HTTP client: %v", err)
 									}
-												feat: 新增支持codex转发

											
										
										
											2025-12-22 22:58:31 +08:00
 									formData := url.Values{}
 									formData.Set("grant_type", "refresh_token")
 									formData.Set("refresh_token", refreshToken)
-												feat(sora): 对齐 Sora OAuth 流程并隔离网关请求路径

- 新增并接通 Sora 专用 OAuth 接口与 ST/RT 换取能力
- 完成前端 Sora 授权、RT/ST 手动导入与账号创建流程
- 强化 Sora token 恢复、转发日志与网关路由隔离行为
- 补充后端服务层与路由层相关测试覆盖

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-02-19 08:02:56 +08:00
+									formData.Set("client_id", clientID)
-												feat: 新增支持codex转发

											
										
										
											2025-12-22 22:58:31 +08:00
+									formData.Set("scope", openai.RefreshScopes)
 									var tokenResp openai.TokenResponse
 									resp, err := client.R().
 										SetContext(ctx).
-												fix(openai-oauth): 改进错误处理和代理支持

- 使用 ApplicationError 返回详细错误信息到前端
- 添加 User-Agent: codex-cli/0.91.0
- 移除 ForceHTTP2 以兼容 HTTP 代理
- 修复代理获取失败时静默忽略的问题
- 500 错误时记录完整错误日志

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

											
										
										
											2026-01-27 19:13:01 +08:00
+										SetHeader("User-Agent", "codex-cli/0.91.0").
-												feat: 新增支持codex转发

											
										
										
											2025-12-22 22:58:31 +08:00
+										SetFormDataFromValues(formData).
 										SetSuccessResult(&tokenResp).
-												test: 增加 repository 测试

											
										
										
											2025-12-25 10:52:56 +08:00
+										Post(s.tokenURL)
-												feat: 新增支持codex转发

											
										
										
											2025-12-22 22:58:31 +08:00
 									if err != nil {
-												fix: clarify OpenAI OAuth proxy errors

											
										
										
											2026-04-23 12:23:04 +08:00
+										if shouldReturnOpenAINoProxyHint(ctx, proxyURL, err) {
 											return nil, newOpenAINoProxyHintError(err)
 										}
-												fix(openai-oauth): 改进错误处理和代理支持

- 使用 ApplicationError 返回详细错误信息到前端
- 添加 User-Agent: codex-cli/0.91.0
- 移除 ForceHTTP2 以兼容 HTTP 代理
- 修复代理获取失败时静默忽略的问题
- 500 错误时记录完整错误日志

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

											
										
										
											2026-01-27 19:13:01 +08:00
+										return nil, infraerrors.Newf(http.StatusBadGateway, "OPENAI_OAUTH_REQUEST_FAILED", "request failed: %v", err)
-												feat: 新增支持codex转发

											
										
										
											2025-12-22 22:58:31 +08:00
+									}
 									if !resp.IsSuccessState() {
-												fix(openai-oauth): 改进错误处理和代理支持

- 使用 ApplicationError 返回详细错误信息到前端
- 添加 User-Agent: codex-cli/0.91.0
- 移除 ForceHTTP2 以兼容 HTTP 代理
- 修复代理获取失败时静默忽略的问题
- 500 错误时记录完整错误日志

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

											
										
										
											2026-01-27 19:13:01 +08:00
+										return nil, infraerrors.Newf(http.StatusBadGateway, "OPENAI_OAUTH_TOKEN_REFRESH_FAILED", "token refresh failed: status %d, body: %s", resp.StatusCode, resp.String())
-												feat: 新增支持codex转发

											
										
										
											2025-12-22 22:58:31 +08:00
+									}
 									return &tokenResp, nil
 								}
-												feat(proxy): 集中代理 URL 验证并实现全局 fail-fast

提取 proxyurl.Parse() 公共包，将分散在 6 处的代理 URL 验证逻辑
统一收敛，确保无效代理配置在创建时立即失败，永不静默回退直连。

主要变更：
- 新增 proxyurl 包：统一 TrimSpace → url.Parse → Host 校验 → Scheme 白名单
- socks5:// 自动升级为 socks5h://，防止 DNS 泄漏（大小写不敏感）
- antigravity: http.ProxyURL → proxyutil.ConfigureTransportProxy 支持 SOCKS5
- openai_oauth: 删除 newOpenAIOAuthHTTPClient，收编至 httpclient.GetClient
- 移除未使用的 ProxyStrict 字段（fail-fast 已是全局默认行为）
- 补充 15 个 proxyurl 测试 + pricing/usage fail-fast 测试

											
										
										
											2026-03-02 15:53:26 +08:00
+								func createOpenAIReqClient(proxyURL string) (*req.Client, error) {
-												perf(后端): 完成性能优化与连接池配置

新增 DB/Redis 连接池配置与校验，并补充单测

网关请求体大小限制与 413 处理

HTTP/req 客户端池化并调整上游连接池默认值

并发槽位改为 ZSET+Lua 与指数退避

用量统计改 SQL 聚合并新增索引迁移

计费缓存写入改工作池并补测试/基准

测试: 在 backend/ 下运行 go test ./...

											
										
										
											2025-12-31 08:50:12 +08:00
+									return getSharedReqClient(reqClientOptions{
-												fix(openai-oauth): 改进错误处理和代理支持

- 使用 ApplicationError 返回详细错误信息到前端
- 添加 User-Agent: codex-cli/0.91.0
- 移除 ForceHTTP2 以兼容 HTTP 代理
- 修复代理获取失败时静默忽略的问题
- 500 错误时记录完整错误日志

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

											
										
										
											2026-01-27 19:13:01 +08:00
+										ProxyURL: proxyURL,
 										Timeout:  120 * time.Second,
-												perf(后端): 完成性能优化与连接池配置

新增 DB/Redis 连接池配置与校验，并补充单测

网关请求体大小限制与 413 处理

HTTP/req 客户端池化并调整上游连接池默认值

并发槽位改为 ZSET+Lua 与指数退避

用量统计改 SQL 聚合并新增索引迁移

计费缓存写入改工作池并补测试/基准

测试: 在 backend/ 下运行 go test ./...

											
										
										
											2025-12-31 08:50:12 +08:00
+									})
-												feat: 新增支持codex转发

											
										
										
											2025-12-22 22:58:31 +08:00
+								}
-												fix: clarify OpenAI OAuth proxy errors

											
										
										
											2026-04-23 12:23:04 +08:00
 								func shouldReturnOpenAINoProxyHint(ctx context.Context, proxyURL string, err error) bool {
 									if strings.TrimSpace(proxyURL) != "" || err == nil {
 										return false
 									}
 									if ctx != nil && ctx.Err() != nil {
 										return false
 									}
 									return !errors.Is(err, context.Canceled)
 								}
 								func newOpenAINoProxyHintError(cause error) error {
 									return infraerrors.New(
 										http.StatusBadGateway,
 										"OPENAI_OAUTH_PROXY_REQUIRED",
 										"OpenAI OAuth request failed: no proxy is configured and this server could not reach OpenAI directly. Select a proxy that can access OpenAI, then retry; if the authorization code has expired, regenerate the authorization URL.",
 									).WithCause(cause)
 								}