npm - @gajae-code/ai - Versions diffs - 0.1.1 - Mend

@gajae-code/ai 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (349) hide show

package/CHANGELOG.md +2644 -0
package/README.md +1181 -0
package/dist/types/api-registry.d.ts +30 -0
package/dist/types/auth-broker/client.d.ts +66 -0
package/dist/types/auth-broker/index.d.ts +5 -0
package/dist/types/auth-broker/refresher.d.ts +25 -0
package/dist/types/auth-broker/remote-store.d.ts +96 -0
package/dist/types/auth-broker/server.d.ts +32 -0
package/dist/types/auth-broker/types.d.ts +105 -0
package/dist/types/auth-broker/wire-schemas.d.ts +412 -0
package/dist/types/auth-gateway/http.d.ts +39 -0
package/dist/types/auth-gateway/index.d.ts +3 -0
package/dist/types/auth-gateway/server.d.ts +17 -0
package/dist/types/auth-gateway/types.d.ts +115 -0
package/dist/types/auth-storage.d.ts +641 -0
package/dist/types/cli.d.ts +2 -0
package/dist/types/index.d.ts +49 -0
package/dist/types/model-cache.d.ts +17 -0
package/dist/types/model-manager.d.ts +62 -0
package/dist/types/model-thinking.d.ts +71 -0
package/dist/types/models.d.ts +12 -0
package/dist/types/provider-details.d.ts +24 -0
package/dist/types/provider-models/bundled-references.d.ts +4 -0
package/dist/types/provider-models/descriptors.d.ts +48 -0
package/dist/types/provider-models/google.d.ts +20 -0
package/dist/types/provider-models/index.d.ts +5 -0
package/dist/types/provider-models/ollama.d.ts +7 -0
package/dist/types/provider-models/openai-compat.d.ts +237 -0
package/dist/types/provider-models/special.d.ts +16 -0
package/dist/types/providers/amazon-bedrock.d.ts +36 -0
package/dist/types/providers/anthropic-messages-server-schema.d.ts +450 -0
package/dist/types/providers/anthropic-messages-server.d.ts +17 -0
package/dist/types/providers/anthropic.d.ts +188 -0
package/dist/types/providers/aws-credentials.d.ts +43 -0
package/dist/types/providers/aws-eventstream.d.ts +38 -0
package/dist/types/providers/aws-sigv4.d.ts +55 -0
package/dist/types/providers/azure-openai-responses.d.ts +15 -0
package/dist/types/providers/cursor/gen/agent_pb.d.ts +13022 -0
package/dist/types/providers/cursor.d.ts +42 -0
package/dist/types/providers/error-message.d.ts +27 -0
package/dist/types/providers/github-copilot-headers.d.ts +40 -0
package/dist/types/providers/gitlab-duo.d.ts +27 -0
package/dist/types/providers/google-auth.d.ts +24 -0
package/dist/types/providers/google-gemini-cli.d.ts +72 -0
package/dist/types/providers/google-gemini-headers.d.ts +18 -0
package/dist/types/providers/google-shared.d.ts +163 -0
package/dist/types/providers/google-types.d.ts +138 -0
package/dist/types/providers/google-vertex.d.ts +7 -0
package/dist/types/providers/google.d.ts +4 -0
package/dist/types/providers/grammar.d.ts +1 -0
package/dist/types/providers/kimi.d.ts +27 -0
package/dist/types/providers/mock.d.ts +175 -0
package/dist/types/providers/ollama.d.ts +6 -0
package/dist/types/providers/openai-anthropic-shim.d.ts +31 -0
package/dist/types/providers/openai-chat-server-schema.d.ts +814 -0
package/dist/types/providers/openai-chat-server.d.ts +16 -0
package/dist/types/providers/openai-codex/constants.d.ts +26 -0
package/dist/types/providers/openai-codex/request-transformer.d.ts +49 -0
package/dist/types/providers/openai-codex/response-handler.d.ts +17 -0
package/dist/types/providers/openai-codex-responses.d.ts +67 -0
package/dist/types/providers/openai-completions-compat.d.ts +25 -0
package/dist/types/providers/openai-completions.d.ts +33 -0
package/dist/types/providers/openai-responses-server-schema.d.ts +392 -0
package/dist/types/providers/openai-responses-server.d.ts +17 -0
package/dist/types/providers/openai-responses-shared.d.ts +89 -0
package/dist/types/providers/openai-responses.d.ts +32 -0
package/dist/types/providers/pi-native-client.d.ts +13 -0
package/dist/types/providers/pi-native-server.d.ts +68 -0
package/dist/types/providers/register-builtins.d.ts +31 -0
package/dist/types/providers/synthetic.d.ts +26 -0
package/dist/types/providers/transform-messages.d.ts +12 -0
package/dist/types/providers/vision-guard.d.ts +8 -0
package/dist/types/rate-limit-utils.d.ts +19 -0
package/dist/types/stream.d.ts +24 -0
package/dist/types/types.d.ts +746 -0
package/dist/types/usage/claude.d.ts +3 -0
package/dist/types/usage/gemini.d.ts +2 -0
package/dist/types/usage/github-copilot.d.ts +7 -0
package/dist/types/usage/google-antigravity.d.ts +2 -0
package/dist/types/usage/kimi.d.ts +2 -0
package/dist/types/usage/minimax-code.d.ts +2 -0
package/dist/types/usage/openai-codex.d.ts +3 -0
package/dist/types/usage/shared.d.ts +1 -0
package/dist/types/usage/zai.d.ts +2 -0
package/dist/types/usage.d.ts +258 -0
package/dist/types/utils/abort.d.ts +19 -0
package/dist/types/utils/anthropic-auth.d.ts +31 -0
package/dist/types/utils/discovery/antigravity.d.ts +61 -0
package/dist/types/utils/discovery/codex.d.ts +38 -0
package/dist/types/utils/discovery/cursor.d.ts +23 -0
package/dist/types/utils/discovery/gemini.d.ts +25 -0
package/dist/types/utils/discovery/index.d.ts +4 -0
package/dist/types/utils/discovery/openai-compatible.d.ts +72 -0
package/dist/types/utils/event-stream.d.ts +28 -0
package/dist/types/utils/fireworks-model-id.d.ts +10 -0
package/dist/types/utils/foundry.d.ts +1 -0
package/dist/types/utils/h2-fetch.d.ts +22 -0
package/dist/types/utils/http-inspector.d.ts +31 -0
package/dist/types/utils/idle-iterator.d.ts +67 -0
package/dist/types/utils/json-parse.d.ts +10 -0
package/dist/types/utils/oauth/alibaba-coding-plan.d.ts +18 -0
package/dist/types/utils/oauth/anthropic.d.ts +22 -0
package/dist/types/utils/oauth/api-key-login.d.ts +35 -0
package/dist/types/utils/oauth/api-key-validation.d.ts +27 -0
package/dist/types/utils/oauth/callback-server.d.ts +57 -0
package/dist/types/utils/oauth/cerebras.d.ts +1 -0
package/dist/types/utils/oauth/cloudflare-ai-gateway.d.ts +18 -0
package/dist/types/utils/oauth/cursor.d.ts +15 -0
package/dist/types/utils/oauth/deepseek.d.ts +10 -0
package/dist/types/utils/oauth/firepass.d.ts +1 -0
package/dist/types/utils/oauth/fireworks.d.ts +1 -0
package/dist/types/utils/oauth/github-copilot.d.ts +38 -0
package/dist/types/utils/oauth/gitlab-duo.d.ts +3 -0
package/dist/types/utils/oauth/google-antigravity.d.ts +11 -0
package/dist/types/utils/oauth/google-gemini-cli.d.ts +10 -0
package/dist/types/utils/oauth/google-oauth-shared.d.ts +28 -0
package/dist/types/utils/oauth/huggingface.d.ts +19 -0
package/dist/types/utils/oauth/index.d.ts +38 -0
package/dist/types/utils/oauth/kagi.d.ts +17 -0
package/dist/types/utils/oauth/kilo.d.ts +5 -0
package/dist/types/utils/oauth/kimi.d.ts +21 -0
package/dist/types/utils/oauth/litellm.d.ts +18 -0
package/dist/types/utils/oauth/lm-studio.d.ts +17 -0
package/dist/types/utils/oauth/minimax-code.d.ts +28 -0
package/dist/types/utils/oauth/moonshot.d.ts +1 -0
package/dist/types/utils/oauth/nanogpt.d.ts +1 -0
package/dist/types/utils/oauth/nvidia.d.ts +18 -0
package/dist/types/utils/oauth/ollama-cloud.d.ts +2 -0
package/dist/types/utils/oauth/ollama.d.ts +18 -0
package/dist/types/utils/oauth/openai-codex.d.ts +21 -0
package/dist/types/utils/oauth/opencode.d.ts +18 -0
package/dist/types/utils/oauth/parallel.d.ts +17 -0
package/dist/types/utils/oauth/perplexity.d.ts +9 -0
package/dist/types/utils/oauth/pkce.d.ts +8 -0
package/dist/types/utils/oauth/qianfan.d.ts +17 -0
package/dist/types/utils/oauth/qwen-portal.d.ts +19 -0
package/dist/types/utils/oauth/synthetic.d.ts +1 -0
package/dist/types/utils/oauth/tavily.d.ts +17 -0
package/dist/types/utils/oauth/together.d.ts +1 -0
package/dist/types/utils/oauth/types.d.ts +44 -0
package/dist/types/utils/oauth/venice.d.ts +18 -0
package/dist/types/utils/oauth/vercel-ai-gateway.d.ts +18 -0
package/dist/types/utils/oauth/vllm.d.ts +16 -0
package/dist/types/utils/oauth/xiaomi.d.ts +19 -0
package/dist/types/utils/oauth/zai.d.ts +18 -0
package/dist/types/utils/oauth/zenmux.d.ts +1 -0
package/dist/types/utils/overflow.d.ts +54 -0
package/dist/types/utils/parse-bind.d.ts +23 -0
package/dist/types/utils/provider-response.d.ts +3 -0
package/dist/types/utils/retry-after.d.ts +3 -0
package/dist/types/utils/retry.d.ts +26 -0
package/dist/types/utils/schema/adapt.d.ts +24 -0
package/dist/types/utils/schema/compatibility.d.ts +30 -0
package/dist/types/utils/schema/dereference.d.ts +11 -0
package/dist/types/utils/schema/draft.d.ts +10 -0
package/dist/types/utils/schema/equality.d.ts +4 -0
package/dist/types/utils/schema/fields.d.ts +49 -0
package/dist/types/utils/schema/index.d.ts +13 -0
package/dist/types/utils/schema/json-schema-validator.d.ts +12 -0
package/dist/types/utils/schema/meta-validator.d.ts +2 -0
package/dist/types/utils/schema/normalize.d.ts +93 -0
package/dist/types/utils/schema/spill.d.ts +8 -0
package/dist/types/utils/schema/stamps.d.ts +25 -0
package/dist/types/utils/schema/types.d.ts +4 -0
package/dist/types/utils/schema/wire.d.ts +54 -0
package/dist/types/utils/schema/zod-decontaminate.d.ts +31 -0
package/dist/types/utils/sse-debug.d.ts +10 -0
package/dist/types/utils/tool-call-healing.d.ts +71 -0
package/dist/types/utils/tool-choice.d.ts +50 -0
package/dist/types/utils/validation.d.ts +17 -0
package/dist/types/utils.d.ts +28 -0
package/package.json +146 -0
package/src/api-registry.ts +96 -0
package/src/auth-broker/client.ts +358 -0
package/src/auth-broker/index.ts +5 -0
package/src/auth-broker/refresher.ts +127 -0
package/src/auth-broker/remote-store.ts +623 -0
package/src/auth-broker/server.ts +644 -0
package/src/auth-broker/types.ts +127 -0
package/src/auth-broker/wire-schemas.ts +200 -0
package/src/auth-gateway/http.ts +194 -0
package/src/auth-gateway/index.ts +3 -0
package/src/auth-gateway/server.ts +717 -0
package/src/auth-gateway/types.ts +134 -0
package/src/auth-storage.ts +4104 -0
package/src/cli.ts +262 -0
package/src/index.ts +54 -0
package/src/model-cache.ts +129 -0
package/src/model-manager.ts +450 -0
package/src/model-thinking.ts +691 -0
package/src/models.json +73853 -0
package/src/models.json.d.ts +9 -0
package/src/models.ts +56 -0
package/src/prompts/turn-aborted-guidance.md +4 -0
package/src/provider-details.ts +90 -0
package/src/provider-models/bundled-references.ts +38 -0
package/src/provider-models/descriptors.ts +308 -0
package/src/provider-models/google.ts +91 -0
package/src/provider-models/index.ts +5 -0
package/src/provider-models/ollama.ts +153 -0
package/src/provider-models/openai-compat.ts +2275 -0
package/src/provider-models/special.ts +67 -0
package/src/providers/amazon-bedrock.ts +849 -0
package/src/providers/anthropic-messages-server-schema.ts +229 -0
package/src/providers/anthropic-messages-server.ts +677 -0
package/src/providers/anthropic.ts +2696 -0
package/src/providers/aws-credentials.ts +501 -0
package/src/providers/aws-eventstream.ts +185 -0
package/src/providers/aws-sigv4.ts +218 -0
package/src/providers/azure-openai-responses.ts +337 -0
package/src/providers/cursor/gen/agent_pb.ts +15274 -0
package/src/providers/cursor/proto/agent.proto +3526 -0
package/src/providers/cursor/proto/buf.gen.yaml +6 -0
package/src/providers/cursor/proto/buf.yaml +17 -0
package/src/providers/cursor.ts +2561 -0
package/src/providers/error-message.ts +21 -0
package/src/providers/github-copilot-headers.ts +140 -0
package/src/providers/gitlab-duo.ts +372 -0
package/src/providers/google-auth.ts +252 -0
package/src/providers/google-gemini-cli.ts +795 -0
package/src/providers/google-gemini-headers.ts +41 -0
package/src/providers/google-shared.ts +902 -0
package/src/providers/google-types.ts +167 -0
package/src/providers/google-vertex.ts +88 -0
package/src/providers/google.ts +41 -0
package/src/providers/grammar.ts +70 -0
package/src/providers/kimi.ts +52 -0
package/src/providers/mock.ts +500 -0
package/src/providers/ollama.ts +544 -0
package/src/providers/openai-anthropic-shim.ts +138 -0
package/src/providers/openai-chat-server-schema.ts +243 -0
package/src/providers/openai-chat-server.ts +628 -0
package/src/providers/openai-codex/constants.ts +43 -0
package/src/providers/openai-codex/request-transformer.ts +161 -0
package/src/providers/openai-codex/response-handler.ts +81 -0
package/src/providers/openai-codex-responses.ts +2598 -0
package/src/providers/openai-completions-compat.ts +279 -0
package/src/providers/openai-completions.ts +1853 -0
package/src/providers/openai-responses-server-schema.ts +290 -0
package/src/providers/openai-responses-server.ts +1183 -0
package/src/providers/openai-responses-shared.ts +800 -0
package/src/providers/openai-responses.ts +621 -0
package/src/providers/pi-native-client.ts +228 -0
package/src/providers/pi-native-server.ts +210 -0
package/src/providers/register-builtins.ts +412 -0
package/src/providers/synthetic.ts +50 -0
package/src/providers/transform-messages.ts +309 -0
package/src/providers/vision-guard.ts +31 -0
package/src/rate-limit-utils.ts +84 -0
package/src/stream.ts +895 -0
package/src/types.ts +884 -0
package/src/usage/claude.ts +431 -0
package/src/usage/gemini.ts +250 -0
package/src/usage/github-copilot.ts +421 -0
package/src/usage/google-antigravity.ts +201 -0
package/src/usage/kimi.ts +271 -0
package/src/usage/minimax-code.ts +31 -0
package/src/usage/openai-codex.ts +503 -0
package/src/usage/shared.ts +10 -0
package/src/usage/zai.ts +247 -0
package/src/usage.ts +183 -0
package/src/utils/abort.ts +51 -0
package/src/utils/anthropic-auth.ts +87 -0
package/src/utils/discovery/antigravity.ts +261 -0
package/src/utils/discovery/codex.ts +371 -0
package/src/utils/discovery/cursor.ts +306 -0
package/src/utils/discovery/gemini.ts +248 -0
package/src/utils/discovery/index.ts +4 -0
package/src/utils/discovery/openai-compatible.ts +224 -0
package/src/utils/event-stream.ts +142 -0
package/src/utils/fireworks-model-id.ts +30 -0
package/src/utils/foundry.ts +8 -0
package/src/utils/h2-fetch.ts +60 -0
package/src/utils/http-inspector.ts +176 -0
package/src/utils/idle-iterator.ts +250 -0
package/src/utils/json-parse.ts +148 -0
package/src/utils/oauth/alibaba-coding-plan.ts +59 -0
package/src/utils/oauth/anthropic.ts +200 -0
package/src/utils/oauth/api-key-login.ts +87 -0
package/src/utils/oauth/api-key-validation.ts +92 -0
package/src/utils/oauth/callback-server.ts +276 -0
package/src/utils/oauth/cerebras.ts +16 -0
package/src/utils/oauth/cloudflare-ai-gateway.ts +48 -0
package/src/utils/oauth/cursor.ts +157 -0
package/src/utils/oauth/deepseek.ts +53 -0
package/src/utils/oauth/firepass.ts +24 -0
package/src/utils/oauth/fireworks.ts +15 -0
package/src/utils/oauth/github-copilot.ts +362 -0
package/src/utils/oauth/gitlab-duo.ts +123 -0
package/src/utils/oauth/google-antigravity.ts +200 -0
package/src/utils/oauth/google-gemini-cli.ts +256 -0
package/src/utils/oauth/google-oauth-shared.ts +110 -0
package/src/utils/oauth/huggingface.ts +62 -0
package/src/utils/oauth/index.ts +444 -0
package/src/utils/oauth/kagi.ts +47 -0
package/src/utils/oauth/kilo.ts +87 -0
package/src/utils/oauth/kimi.ts +254 -0
package/src/utils/oauth/litellm.ts +47 -0
package/src/utils/oauth/lm-studio.ts +38 -0
package/src/utils/oauth/minimax-code.ts +78 -0
package/src/utils/oauth/moonshot.ts +16 -0
package/src/utils/oauth/nanogpt.ts +15 -0
package/src/utils/oauth/nvidia.ts +70 -0
package/src/utils/oauth/oauth.html +199 -0
package/src/utils/oauth/ollama-cloud.ts +28 -0
package/src/utils/oauth/ollama.ts +47 -0
package/src/utils/oauth/openai-codex.ts +299 -0
package/src/utils/oauth/opencode.ts +49 -0
package/src/utils/oauth/parallel.ts +46 -0
package/src/utils/oauth/perplexity.ts +206 -0
package/src/utils/oauth/pkce.ts +18 -0
package/src/utils/oauth/qianfan.ts +58 -0
package/src/utils/oauth/qwen-portal.ts +60 -0
package/src/utils/oauth/synthetic.ts +16 -0
package/src/utils/oauth/tavily.ts +46 -0
package/src/utils/oauth/together.ts +16 -0
package/src/utils/oauth/types.ts +94 -0
package/src/utils/oauth/venice.ts +59 -0
package/src/utils/oauth/vercel-ai-gateway.ts +47 -0
package/src/utils/oauth/vllm.ts +40 -0
package/src/utils/oauth/xiaomi.ts +137 -0
package/src/utils/oauth/zai.ts +60 -0
package/src/utils/oauth/zenmux.ts +15 -0
package/src/utils/overflow.ts +137 -0
package/src/utils/parse-bind.ts +54 -0
package/src/utils/provider-response.ts +30 -0
package/src/utils/retry-after.ts +110 -0
package/src/utils/retry.ts +54 -0
package/src/utils/schema/CONSTRAINTS.md +164 -0
package/src/utils/schema/adapt.ts +36 -0
package/src/utils/schema/compatibility.ts +435 -0
package/src/utils/schema/dereference.ts +98 -0
package/src/utils/schema/draft.ts +341 -0
package/src/utils/schema/equality.ts +97 -0
package/src/utils/schema/fields.ts +190 -0
package/src/utils/schema/index.ts +13 -0
package/src/utils/schema/json-schema-validator.ts +577 -0
package/src/utils/schema/meta-validator.ts +167 -0
package/src/utils/schema/normalize.ts +1588 -0
package/src/utils/schema/spill.ts +43 -0
package/src/utils/schema/stamps.ts +97 -0
package/src/utils/schema/types.ts +11 -0
package/src/utils/schema/wire.ts +213 -0
package/src/utils/schema/zod-decontaminate.ts +331 -0
package/src/utils/sse-debug.ts +289 -0
package/src/utils/tool-call-healing.ts +271 -0
package/src/utils/tool-choice.ts +99 -0
package/src/utils/validation.ts +1019 -0
package/src/utils.ts +166 -0

package/src/providers/google-auth.ts ADDED Viewed

@@ -0,0 +1,252 @@
+/**
+ * Application Default Credentials (ADC) resolution for Vertex AI.
+ *
+ * Replaces `google-auth-library` with a direct WebCrypto + REST implementation.
+ * Sources, in priority order:
+ *   1. `GOOGLE_APPLICATION_CREDENTIALS` env → file with `type: "service_account"` (RS256 JWT exchange)
+ *     or `type: "authorized_user"` (refresh-token exchange).
+ *   2. `~/.config/gcloud/application_default_credentials.json` (user ADC, same authorized_user flow).
+ *   3. GCE / Cloud Run metadata server (`metadata.google.internal`).
+ *
+ * Tokens are cached per source key and refreshed `GOOGLE_VERTEX_REFRESH_SKEW_MS` before expiry
+ * (default 60s). Concurrent callers waiting on a refresh share the same in-flight promise.
+ */
+import { Buffer } from "node:buffer";
+import * as os from "node:os";
+import * as path from "node:path";
+import { $envpos, isEnoent, logger } from "@gajae-code/utils";
+import type { FetchImpl } from "../types";
+const OAUTH_TOKEN_URL = "https://oauth2.googleapis.com/token";
+const METADATA_TOKEN_URL = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token";
+const CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform";
+const JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer";
+interface CachedToken {
+	token: string;
+	expiresAtMs: number;
+}
+interface ServiceAccountCredentials {
+	type: "service_account";
+	client_email: string;
+	private_key: string;
+	private_key_id?: string;
+}
+interface AuthorizedUserCredentials {
+	type: "authorized_user";
+	client_id: string;
+	client_secret: string;
+	refresh_token: string;
+}
+type AdcFileCredentials = ServiceAccountCredentials | AuthorizedUserCredentials;
+interface TokenResponse {
+	access_token: string;
+	expires_in: number;
+	token_type?: string;
+}
+const tokenCache = new Map<string, CachedToken>();
+const inflight = new Map<string, Promise<string>>();
+function getRefreshSkewMs(): number {
+	return $envpos("GOOGLE_VERTEX_REFRESH_SKEW_MS", 60_000);
+}
+function userAdcPath(): string {
+	return path.join(os.homedir(), ".config", "gcloud", "application_default_credentials.json");
+}
+async function readJsonFile<T>(filePath: string): Promise<T | undefined> {
+	try {
+		return (await Bun.file(filePath).json()) as T;
+	} catch (err) {
+		if (isEnoent(err)) return undefined;
+		throw err;
+	}
+}
+async function loadAdcCredentials(): Promise<{ source: string; creds: AdcFileCredentials } | undefined> {
+	const gacPath = Bun.env.GOOGLE_APPLICATION_CREDENTIALS;
+	if (gacPath) {
+		const creds = await readJsonFile<AdcFileCredentials>(gacPath);
+		if (!creds) {
+			throw new Error(`GOOGLE_APPLICATION_CREDENTIALS points to a missing file: ${gacPath}`);
+		}
+		return { source: `gac:${gacPath}`, creds };
+	}
+	const userPath = userAdcPath();
+	const creds = await readJsonFile<AdcFileCredentials>(userPath);
+	if (creds) return { source: `user:${userPath}`, creds };
+	return undefined;
+}
+function base64UrlEncode(bytes: Uint8Array | string): string {
+	const buf = typeof bytes === "string" ? Buffer.from(bytes, "utf8") : bytes;
+	return Buffer.from(buf.buffer, buf.byteOffset, buf.byteLength).toString("base64url");
+}
+function pemToPkcs8(pem: string): Uint8Array<ArrayBuffer> {
+	const body = pem
+		.replace(/-----BEGIN [^-]+-----/g, "")
+		.replace(/-----END [^-]+-----/g, "")
+		.replace(/\s+/g, "");
+	if (!body) throw new Error("Invalid PEM: empty body");
+	return Uint8Array.fromBase64(body);
+}
+async function signJwtRs256(claims: Record<string, unknown>, privateKeyPem: string, keyId?: string): Promise<string> {
+	const header: Record<string, unknown> = { alg: "RS256", typ: "JWT" };
+	if (keyId) header.kid = keyId;
+	const payload = `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(claims))}`;
+	const key = await globalThis.crypto.subtle.importKey(
+		"pkcs8",
+		pemToPkcs8(privateKeyPem),
+		{ name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+		false,
+		["sign"],
+	);
+	const signature = new Uint8Array(
+		await globalThis.crypto.subtle.sign("RSASSA-PKCS1-v1_5", key, new TextEncoder().encode(payload)),
+	);
+	return `${payload}.${base64UrlEncode(signature)}`;
+}
+async function exchangeJwtForToken(
+	creds: ServiceAccountCredentials,
+	signal: AbortSignal | undefined,
+	fetchImpl: FetchImpl,
+): Promise<TokenResponse> {
+	const now = Math.floor(Date.now() / 1000);
+	const assertion = await signJwtRs256(
+		{
+			iss: creds.client_email,
+			scope: CLOUD_PLATFORM_SCOPE,
+			aud: OAUTH_TOKEN_URL,
+			exp: now + 3600,
+			iat: now,
+		},
+		creds.private_key,
+		creds.private_key_id,
+	);
+	const body = new URLSearchParams({ grant_type: JWT_BEARER_GRANT, assertion });
+	return postForToken(OAUTH_TOKEN_URL, body, signal, fetchImpl);
+}
+async function exchangeRefreshToken(
+	creds: AuthorizedUserCredentials,
+	signal: AbortSignal | undefined,
+	fetchImpl: FetchImpl,
+): Promise<TokenResponse> {
+	const body = new URLSearchParams({
+		client_id: creds.client_id,
+		client_secret: creds.client_secret,
+		refresh_token: creds.refresh_token,
+		grant_type: "refresh_token",
+	});
+	return postForToken(OAUTH_TOKEN_URL, body, signal, fetchImpl);
+}
+async function fetchMetadataToken(
+	signal: AbortSignal | undefined,
+	fetchImpl: FetchImpl,
+): Promise<TokenResponse | undefined> {
+	const timeout = AbortSignal.timeout(2000);
+	const combined = signal ? AbortSignal.any([signal, timeout]) : timeout;
+	try {
+		const response = await fetchImpl(METADATA_TOKEN_URL, {
+			method: "GET",
+			headers: { "Metadata-Flavor": "Google" },
+			signal: combined,
+		});
+		if (!response.ok) return undefined;
+		return (await response.json()) as TokenResponse;
+	} catch {
+		return undefined;
+	}
+}
+async function postForToken(
+	url: string,
+	body: URLSearchParams,
+	signal: AbortSignal | undefined,
+	fetchImpl: FetchImpl,
+): Promise<TokenResponse> {
+	const response = await fetchImpl(url, {
+		method: "POST",
+		headers: { "Content-Type": "application/x-www-form-urlencoded" },
+		body: body.toString(),
+		signal,
+	});
+	if (!response.ok) {
+		const detail = await response.text().catch(() => "");
+		throw new Error(`Google OAuth token exchange failed (${response.status}): ${detail}`);
+	}
+	return (await response.json()) as TokenResponse;
+}
+async function resolveAccessTokenUncached(
+	signal: AbortSignal | undefined,
+	fetchImpl: FetchImpl,
+): Promise<{ source: string; token: TokenResponse }> {
+	const adc = await loadAdcCredentials();
+	if (adc) {
+		const token =
+			adc.creds.type === "service_account"
+				? await exchangeJwtForToken(adc.creds, signal, fetchImpl)
+				: await exchangeRefreshToken(adc.creds, signal, fetchImpl);
+		return { source: adc.source, token };
+	}
+	const metadata = await fetchMetadataToken(signal, fetchImpl);
+	if (metadata) return { source: "metadata", token: metadata };
+	throw new Error(
+		"Vertex AI requires Application Default Credentials. Set GOOGLE_APPLICATION_CREDENTIALS, run `gcloud auth application-default login`, or run on a GCE/Cloud Run instance with a service account.",
+	);
+}
+/**
+ * Returns a Bearer access token suitable for the `Authorization` header on Vertex AI calls.
+ * The token is cached in module scope and refreshed `GOOGLE_VERTEX_REFRESH_SKEW_MS` ms before it expires.
+ */
+export async function getVertexAccessToken(options?: { signal?: AbortSignal; fetch?: FetchImpl }): Promise<string> {
+	const fetchImpl = options?.fetch ?? globalThis.fetch.bind(globalThis);
+	const skew = getRefreshSkewMs();
+	const now = Date.now();
+	// Best-effort cache key probe: we don't know the source until we resolve, but cached entries
+	// are keyed by their resolved source. Try every cached source first.
+	for (const [source, cached] of tokenCache) {
+		if (cached.expiresAtMs - skew > now) return cached.token;
+		// expired entry — drop and re-resolve
+		tokenCache.delete(source);
+	}
+	const cacheKey = "vertex-adc";
+	const existing = inflight.get(cacheKey);
+	if (existing) return existing;
+	const promise = (async () => {
+		try {
+			const { source, token } = await resolveAccessTokenUncached(options?.signal, fetchImpl);
+			const expiresAtMs = Date.now() + Math.max(0, token.expires_in * 1000);
+			tokenCache.set(source, { token: token.access_token, expiresAtMs });
+			logger.debug("vertex.adc acquired access token", { source, expiresInSec: token.expires_in });
+			return token.access_token;
+		} finally {
+			inflight.delete(cacheKey);
+		}
+	})();
+	inflight.set(cacheKey, promise);
+	return promise;
+}
+/** Test seam: clears every cached token. */
+export function __resetVertexTokenCache(): void {
+	tokenCache.clear();
+	inflight.clear();
+}