@google/gemini-cli 0.36.0-preview.0 → 0.36.0-preview.2

package/bundle/{memoryDiscovery-WPGC7DAZ.js → memoryDiscovery-JXHCZBWK.js}

@@ -10,7 +10,7 @@ import {
   loadServerHierarchicalMemory,
   readGeminiMdFiles,
   refreshServerHierarchicalMemory
-} from "./chunk-PVQN7ZVP.js";
+} from "./chunk-PXG3YTLU.js";
 import "./chunk-664ZODQF.js";
 import "./chunk-34MYV7JD.js";
 export {

package/bundle/{memoryDiscovery-FNLUOGLO.js → memoryDiscovery-VQKOP6YW.js}

@@ -10,7 +10,7 @@ import {
   loadServerHierarchicalMemory,
   readGeminiMdFiles,
   refreshServerHierarchicalMemory
-} from "./chunk-BE2CAP4N.js";
+} from "./chunk-HLML5SVJ.js";
 import "./chunk-664ZODQF.js";
 import "./chunk-34MYV7JD.js";
 export {

package/bundle/node_modules/@google/gemini-cli-devtools/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@google/gemini-cli-devtools",
-  "version": "0.36.0-preview.0",
+  "version": "0.36.0-preview.2",
   "license": "Apache-2.0",
   "type": "module",
   "main": "dist/src/index.js",

package/bundle/{oauth2-provider-X3F7PSVB.js → oauth2-provider-D6HJJAVX.js}

@@ -11,14 +11,14 @@ import {
   openBrowserSecurely,
   refreshAccessToken,
   startCallbackServer
-} from "./chunk-6UAL5KXG.js";
+} from "./chunk-EUXACAGL.js";
 import {
   FatalCancellationError,
   Storage,
   coreEvents,
   debugLogger,
   getErrorMessage
-} from "./chunk-BE2CAP4N.js";
+} from "./chunk-HLML5SVJ.js";
 import "./chunk-664ZODQF.js";
 import "./chunk-RJTRUG2J.js";
 import "./chunk-IUUIT4SU.js";

package/bundle/{oauth2-provider-I6AYNUSI.js → oauth2-provider-KEZJCOYM.js}

@@ -11,42 +11,42 @@ import {
   openBrowserSecurely,
   refreshAccessToken,
   startCallbackServer
-} from "./chunk-CDXJ3P4V.js";
+} from "./chunk-SV2TJWFU.js";
 import {
   FatalCancellationError,
   Storage,
   coreEvents,
   debugLogger,
   getErrorMessage
-} from "./chunk-PVQN7ZVP.js";
+} from "./chunk-HLML5SVJ.js";
 import "./chunk-664ZODQF.js";
 import "./chunk-RJTRUG2J.js";
 import "./chunk-IUUIT4SU.js";
 import "./chunk-34MYV7JD.js";
 
-// packages/core/src/agents/auth-provider/oauth2-provider.ts
+// packages/core/dist/src/agents/auth-provider/oauth2-provider.js
 var OAuth2AuthProvider = class extends BaseA2AAuthProvider {
+  config;
+  agentName;
+  agentCardUrl;
+  type = "oauth2";
+  tokenStorage;
+  cachedToken = null;
+  /** Resolved OAuth URLs — may come from config or agent card. */
+  authorizationUrl;
+  tokenUrl;
+  scopes;
   constructor(config, agentName, agentCard, agentCardUrl) {
     super();
     this.config = config;
     this.agentName = agentName;
     this.agentCardUrl = agentCardUrl;
-    this.tokenStorage = new MCPOAuthTokenStorage(
-      Storage.getA2AOAuthTokensPath(),
-      "gemini-cli-a2a"
-    );
+    this.tokenStorage = new MCPOAuthTokenStorage(Storage.getA2AOAuthTokensPath(), "gemini-cli-a2a");
     this.authorizationUrl = config.authorization_url;
     this.tokenUrl = config.token_url;
     this.scopes = config.scopes;
     this.mergeAgentCardDefaults(agentCard);
   }
-  type = "oauth2";
-  tokenStorage;
-  cachedToken = null;
-  /** Resolved OAuth URLs — may come from config or agent card. */
-  authorizationUrl;
-  tokenUrl;
-  scopes;
   /**
    * Initialize the provider by loading any persisted token from storage.
    * Also discovers OAuth URLs from the agent card if not yet resolved.
@@ -58,9 +58,7 @@ var OAuth2AuthProvider = class extends BaseA2AAuthProvider {
     const credentials = await this.tokenStorage.getCredentials(this.agentName);
     if (credentials && !this.tokenStorage.isTokenExpired(credentials.token)) {
       this.cachedToken = credentials.token;
-      debugLogger.debug(
-        `[OAuth2AuthProvider] Loaded valid cached token for "${this.agentName}"`
-      );
+      debugLogger.debug(`[OAuth2AuthProvider] Loaded valid cached token for "${this.agentName}"`);
     }
   }
   /**
@@ -73,25 +71,16 @@ var OAuth2AuthProvider = class extends BaseA2AAuthProvider {
     }
     if (this.cachedToken?.refreshToken && this.tokenUrl && this.config.client_id) {
       try {
-        const refreshed = await refreshAccessToken(
-          {
-            clientId: this.config.client_id,
-            clientSecret: this.config.client_secret,
-            scopes: this.scopes
-          },
-          this.cachedToken.refreshToken,
-          this.tokenUrl
-        );
-        this.cachedToken = this.toOAuthToken(
-          refreshed,
-          this.cachedToken.refreshToken
-        );
+        const refreshed = await refreshAccessToken({
+          clientId: this.config.client_id,
+          clientSecret: this.config.client_secret,
+          scopes: this.scopes
+        }, this.cachedToken.refreshToken, this.tokenUrl);
+        this.cachedToken = this.toOAuthToken(refreshed, this.cachedToken.refreshToken);
         await this.persistToken();
         return { Authorization: `Bearer ${this.cachedToken.accessToken}` };
       } catch (error) {
-        debugLogger.debug(
-          `[OAuth2AuthProvider] Refresh failed, falling back to interactive flow: ${getErrorMessage(error)}`
-        );
+        debugLogger.debug(`[OAuth2AuthProvider] Refresh failed, falling back to interactive flow: ${getErrorMessage(error)}`);
         await this.tokenStorage.deleteCredentials(this.agentName);
       }
     }
@@ -110,9 +99,7 @@ var OAuth2AuthProvider = class extends BaseA2AAuthProvider {
       return void 0;
     }
     this.authRetryCount++;
-    debugLogger.debug(
-      "[OAuth2AuthProvider] Auth failure, clearing token and re-authenticating"
-    );
+    debugLogger.debug("[OAuth2AuthProvider] Auth failure, clearing token and re-authenticating");
     this.cachedToken = null;
     await this.tokenStorage.deleteCredentials(this.agentName);
     return this.headers();
@@ -125,7 +112,8 @@ var OAuth2AuthProvider = class extends BaseA2AAuthProvider {
    * `securitySchemes` when not already provided via user config.
    */
   mergeAgentCardDefaults(agentCard) {
-    if (!agentCard?.securitySchemes) return;
+    if (!agentCard?.securitySchemes)
+      return;
     for (const scheme of Object.values(agentCard.securitySchemes)) {
       if (scheme.type === "oauth2" && scheme.flows.authorizationCode) {
         const flow = scheme.flows.authorizationCode;
@@ -141,18 +129,15 @@ var OAuth2AuthProvider = class extends BaseA2AAuthProvider {
    * (which normalizes proto-format cards) and extract OAuth2 URLs.
    */
   async fetchAgentCardDefaults() {
-    if (!this.agentCardUrl) return;
+    if (!this.agentCardUrl)
+      return;
     try {
-      debugLogger.debug(
-        `[OAuth2AuthProvider] Fetching agent card from ${this.agentCardUrl}`
-      );
+      debugLogger.debug(`[OAuth2AuthProvider] Fetching agent card from ${this.agentCardUrl}`);
       const resolver = new DefaultAgentCardResolver();
       const card = await resolver.resolve(this.agentCardUrl, "");
       this.mergeAgentCardDefaults(card);
     } catch (error) {
-      debugLogger.warn(
-        `[OAuth2AuthProvider] Could not fetch agent card for OAuth URL discovery: ${getErrorMessage(error)}`
-      );
+      debugLogger.warn(`[OAuth2AuthProvider] Could not fetch agent card for OAuth URL discovery: ${getErrorMessage(error)}`);
     }
   }
   /**
@@ -160,14 +145,10 @@ var OAuth2AuthProvider = class extends BaseA2AAuthProvider {
    */
   async authenticateInteractively() {
     if (!this.config.client_id) {
-      throw new Error(
-        `OAuth2 authentication for agent "${this.agentName}" requires a client_id. Add client_id to the auth config in your agent definition.`
-      );
+      throw new Error(`OAuth2 authentication for agent "${this.agentName}" requires a client_id. Add client_id to the auth config in your agent definition.`);
     }
     if (!this.authorizationUrl || !this.tokenUrl) {
-      throw new Error(
-        `OAuth2 authentication for agent "${this.agentName}" requires authorization_url and token_url. Provide them in the auth config or ensure the agent card exposes an oauth2 security scheme.`
-      );
+      throw new Error(`OAuth2 authentication for agent "${this.agentName}" requires authorization_url and token_url. Provide them in the auth config or ensure the agent card exposes an oauth2 security scheme.`);
     }
     const flowConfig = {
       clientId: this.config.client_id,
@@ -186,36 +167,25 @@ var OAuth2AuthProvider = class extends BaseA2AAuthProvider {
       redirectPort,
       /* resource= */
       void 0
-      // No MCP resource parameter for A2A.
-    );
-    const consent = await getConsentForOauth(
-      `Authentication required for A2A agent: '${this.agentName}'.`
     );
+    const consent = await getConsentForOauth(`Authentication required for A2A agent: '${this.agentName}'.`);
     if (!consent) {
       throw new FatalCancellationError("Authentication cancelled by user.");
     }
-    coreEvents.emitFeedback(
-      "info",
-      `\u2192 Opening your browser for OAuth sign-in...
+    coreEvents.emitFeedback("info", `\u2192 Opening your browser for OAuth sign-in...
 
 If the browser does not open, copy and paste this URL into your browser:
 ${authUrl}
 
 \u{1F4A1} TIP: Triple-click to select the entire URL, then copy and paste it into your browser.
-\u26A0\uFE0F  Make sure to copy the COMPLETE URL - it may wrap across multiple lines.`
-    );
+\u26A0\uFE0F  Make sure to copy the COMPLETE URL - it may wrap across multiple lines.`);
     try {
       await openBrowserSecurely(authUrl);
     } catch (error) {
-      debugLogger.warn(
-        "Failed to open browser automatically:",
-        getErrorMessage(error)
-      );
+      debugLogger.warn("Failed to open browser automatically:", getErrorMessage(error));
     }
     const { code } = await callbackServer.response;
-    debugLogger.debug(
-      "\u2713 Authorization code received, exchanging for tokens..."
-    );
+    debugLogger.debug("\u2713 Authorization code received, exchanging for tokens...");
     const tokenResponse = await exchangeCodeForToken(
       flowConfig,
       code,
@@ -252,13 +222,9 @@ ${authUrl}
    * Persist the current cached token to disk.
    */
   async persistToken() {
-    if (!this.cachedToken) return;
-    await this.tokenStorage.saveToken(
-      this.agentName,
-      this.cachedToken,
-      this.config.client_id,
-      this.tokenUrl
-    );
+    if (!this.cachedToken)
+      return;
+    await this.tokenStorage.saveToken(this.agentName, this.cachedToken, this.config.client_id, this.tokenUrl);
   }
 };
 export {

package/bundle/oauth2-provider-TSEQG63I.js

@@ -0,0 +1,237 @@
+const require = (await import('node:module')).createRequire(import.meta.url); const __chunk_filename = (await import('node:url')).fileURLToPath(import.meta.url); const __chunk_dirname = (await import('node:path')).dirname(__chunk_filename);
+import {
+  BaseA2AAuthProvider,
+  DefaultAgentCardResolver,
+  MCPOAuthTokenStorage,
+  buildAuthorizationUrl,
+  exchangeCodeForToken,
+  generatePKCEParams,
+  getConsentForOauth,
+  getPortFromUrl,
+  openBrowserSecurely,
+  refreshAccessToken,
+  startCallbackServer
+} from "./chunk-WHT3ZS7S.js";
+import {
+  FatalCancellationError,
+  Storage,
+  coreEvents,
+  debugLogger,
+  getErrorMessage
+} from "./chunk-HLML5SVJ.js";
+import "./chunk-664ZODQF.js";
+import "./chunk-RJTRUG2J.js";
+import "./chunk-IUUIT4SU.js";
+import "./chunk-34MYV7JD.js";
+
+// packages/core/dist/src/agents/auth-provider/oauth2-provider.js
+var OAuth2AuthProvider = class extends BaseA2AAuthProvider {
+  config;
+  agentName;
+  agentCardUrl;
+  type = "oauth2";
+  tokenStorage;
+  cachedToken = null;
+  /** Resolved OAuth URLs — may come from config or agent card. */
+  authorizationUrl;
+  tokenUrl;
+  scopes;
+  constructor(config, agentName, agentCard, agentCardUrl) {
+    super();
+    this.config = config;
+    this.agentName = agentName;
+    this.agentCardUrl = agentCardUrl;
+    this.tokenStorage = new MCPOAuthTokenStorage(Storage.getA2AOAuthTokensPath(), "gemini-cli-a2a");
+    this.authorizationUrl = config.authorization_url;
+    this.tokenUrl = config.token_url;
+    this.scopes = config.scopes;
+    this.mergeAgentCardDefaults(agentCard);
+  }
+  /**
+   * Initialize the provider by loading any persisted token from storage.
+   * Also discovers OAuth URLs from the agent card if not yet resolved.
+   */
+  async initialize() {
+    if ((!this.authorizationUrl || !this.tokenUrl) && this.agentCardUrl) {
+      await this.fetchAgentCardDefaults();
+    }
+    const credentials = await this.tokenStorage.getCredentials(this.agentName);
+    if (credentials && !this.tokenStorage.isTokenExpired(credentials.token)) {
+      this.cachedToken = credentials.token;
+      debugLogger.debug(`[OAuth2AuthProvider] Loaded valid cached token for "${this.agentName}"`);
+    }
+  }
+  /**
+   * Return an Authorization header with a valid Bearer token.
+   * Refreshes or triggers interactive auth as needed.
+   */
+  async headers() {
+    if (this.cachedToken && !this.tokenStorage.isTokenExpired(this.cachedToken)) {
+      return { Authorization: `Bearer ${this.cachedToken.accessToken}` };
+    }
+    if (this.cachedToken?.refreshToken && this.tokenUrl && this.config.client_id) {
+      try {
+        const refreshed = await refreshAccessToken({
+          clientId: this.config.client_id,
+          clientSecret: this.config.client_secret,
+          scopes: this.scopes
+        }, this.cachedToken.refreshToken, this.tokenUrl);
+        this.cachedToken = this.toOAuthToken(refreshed, this.cachedToken.refreshToken);
+        await this.persistToken();
+        return { Authorization: `Bearer ${this.cachedToken.accessToken}` };
+      } catch (error) {
+        debugLogger.debug(`[OAuth2AuthProvider] Refresh failed, falling back to interactive flow: ${getErrorMessage(error)}`);
+        await this.tokenStorage.deleteCredentials(this.agentName);
+      }
+    }
+    this.cachedToken = await this.authenticateInteractively();
+    return { Authorization: `Bearer ${this.cachedToken.accessToken}` };
+  }
+  /**
+   * On 401/403, clear the cached token and re-authenticate (up to MAX_AUTH_RETRIES).
+   */
+  async shouldRetryWithHeaders(_req, res) {
+    if (res.status !== 401 && res.status !== 403) {
+      this.authRetryCount = 0;
+      return void 0;
+    }
+    if (this.authRetryCount >= BaseA2AAuthProvider.MAX_AUTH_RETRIES) {
+      return void 0;
+    }
+    this.authRetryCount++;
+    debugLogger.debug("[OAuth2AuthProvider] Auth failure, clearing token and re-authenticating");
+    this.cachedToken = null;
+    await this.tokenStorage.deleteCredentials(this.agentName);
+    return this.headers();
+  }
+  // ---------------------------------------------------------------------------
+  // Private helpers
+  // ---------------------------------------------------------------------------
+  /**
+   * Merge authorization_url, token_url, and scopes from the agent card's
+   * `securitySchemes` when not already provided via user config.
+   */
+  mergeAgentCardDefaults(agentCard) {
+    if (!agentCard?.securitySchemes)
+      return;
+    for (const scheme of Object.values(agentCard.securitySchemes)) {
+      if (scheme.type === "oauth2" && scheme.flows.authorizationCode) {
+        const flow = scheme.flows.authorizationCode;
+        this.authorizationUrl ??= flow.authorizationUrl;
+        this.tokenUrl ??= flow.tokenUrl;
+        this.scopes ??= Object.keys(flow.scopes);
+        break;
+      }
+    }
+  }
+  /**
+   * Fetch the agent card from `agentCardUrl` using `DefaultAgentCardResolver`
+   * (which normalizes proto-format cards) and extract OAuth2 URLs.
+   */
+  async fetchAgentCardDefaults() {
+    if (!this.agentCardUrl)
+      return;
+    try {
+      debugLogger.debug(`[OAuth2AuthProvider] Fetching agent card from ${this.agentCardUrl}`);
+      const resolver = new DefaultAgentCardResolver();
+      const card = await resolver.resolve(this.agentCardUrl, "");
+      this.mergeAgentCardDefaults(card);
+    } catch (error) {
+      debugLogger.warn(`[OAuth2AuthProvider] Could not fetch agent card for OAuth URL discovery: ${getErrorMessage(error)}`);
+    }
+  }
+  /**
+   * Run a full OAuth 2.0 Authorization Code + PKCE flow through the browser.
+   */
+  async authenticateInteractively() {
+    if (!this.config.client_id) {
+      throw new Error(`OAuth2 authentication for agent "${this.agentName}" requires a client_id. Add client_id to the auth config in your agent definition.`);
+    }
+    if (!this.authorizationUrl || !this.tokenUrl) {
+      throw new Error(`OAuth2 authentication for agent "${this.agentName}" requires authorization_url and token_url. Provide them in the auth config or ensure the agent card exposes an oauth2 security scheme.`);
+    }
+    const flowConfig = {
+      clientId: this.config.client_id,
+      clientSecret: this.config.client_secret,
+      authorizationUrl: this.authorizationUrl,
+      tokenUrl: this.tokenUrl,
+      scopes: this.scopes
+    };
+    const pkceParams = generatePKCEParams();
+    const preferredPort = getPortFromUrl(flowConfig.redirectUri);
+    const callbackServer = startCallbackServer(pkceParams.state, preferredPort);
+    const redirectPort = await callbackServer.port;
+    const authUrl = buildAuthorizationUrl(
+      flowConfig,
+      pkceParams,
+      redirectPort,
+      /* resource= */
+      void 0
+    );
+    const consent = await getConsentForOauth(`Authentication required for A2A agent: '${this.agentName}'.`);
+    if (!consent) {
+      throw new FatalCancellationError("Authentication cancelled by user.");
+    }
+    coreEvents.emitFeedback("info", `\u2192 Opening your browser for OAuth sign-in...
+
+If the browser does not open, copy and paste this URL into your browser:
+${authUrl}
+
+\u{1F4A1} TIP: Triple-click to select the entire URL, then copy and paste it into your browser.
+\u26A0\uFE0F  Make sure to copy the COMPLETE URL - it may wrap across multiple lines.`);
+    try {
+      await openBrowserSecurely(authUrl);
+    } catch (error) {
+      debugLogger.warn("Failed to open browser automatically:", getErrorMessage(error));
+    }
+    const { code } = await callbackServer.response;
+    debugLogger.debug("\u2713 Authorization code received, exchanging for tokens...");
+    const tokenResponse = await exchangeCodeForToken(
+      flowConfig,
+      code,
+      pkceParams.codeVerifier,
+      redirectPort,
+      /* resource= */
+      void 0
+    );
+    if (!tokenResponse.access_token) {
+      throw new Error("No access token received from token endpoint");
+    }
+    const token = this.toOAuthToken(tokenResponse);
+    this.cachedToken = token;
+    await this.persistToken();
+    debugLogger.debug("\u2713 OAuth2 authentication successful! Token saved.");
+    return token;
+  }
+  /**
+   * Convert an `OAuthTokenResponse` into the internal `OAuthToken` format.
+   */
+  toOAuthToken(response, fallbackRefreshToken) {
+    const token = {
+      accessToken: response.access_token,
+      tokenType: response.token_type || "Bearer",
+      refreshToken: response.refresh_token || fallbackRefreshToken,
+      scope: response.scope
+    };
+    if (response.expires_in) {
+      token.expiresAt = Date.now() + response.expires_in * 1e3;
+    }
+    return token;
+  }
+  /**
+   * Persist the current cached token to disk.
+   */
+  async persistToken() {
+    if (!this.cachedToken)
+      return;
+    await this.tokenStorage.saveToken(this.agentName, this.cachedToken, this.config.client_id, this.tokenUrl);
+  }
+};
+export {
+  OAuth2AuthProvider
+};
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */

package/bundle/{oauth2-provider-G7GIGUQF.js → oauth2-provider-ZT3CIEZO.js}

@@ -11,14 +11,14 @@ import {
   openBrowserSecurely,
   refreshAccessToken,
   startCallbackServer
-} from "./chunk-K2M7OTIP.js";
+} from "./chunk-25V3TYNR.js";
 import {
   FatalCancellationError,
   Storage,
   coreEvents,
   debugLogger,
   getErrorMessage
-} from "./chunk-PVQN7ZVP.js";
+} from "./chunk-PXG3YTLU.js";
 import "./chunk-664ZODQF.js";
 import "./chunk-RJTRUG2J.js";
 import "./chunk-IUUIT4SU.js";

package/bundle/policies/plan.toml

@@ -110,6 +110,8 @@ priority = 70
 modes = ["plan"]
 
 # Allow write_file and replace for .md files in the plans directory (cross-platform)
+# We split this into two rules to avoid ReDoS checker issues with nested optional segments.
+# This rule handles the case where there is a session ID in the plan file path
 [[rule]]
 toolName = ["write_file", "replace"]
 decision = "allow"
@@ -117,6 +119,14 @@ priority = 70
 modes = ["plan"]
 argsPattern = "\\x00\"file_path\":\"[^\"]+[\\\\/]+\\.gemini[\\\\/]+tmp[\\\\/]+[\\w-]+[\\\\/]+[\\w-]+[\\\\/]+plans[\\\\/]+[\\w-]+\\.md\"\\x00"
 
+# This rule handles the case where there isn't a session ID in the plan file path
+[[rule]]
+toolName = ["write_file", "replace"]
+decision = "allow"
+priority = 70
+modes = ["plan"]
+argsPattern = "\\x00\"file_path\":\"[^\"]+[\\\\/]+\\.gemini[\\\\/]+tmp[\\\\/]+[\\w-]+[\\\\/]+plans[\\\\/]+[\\w-]+\\.md\"\\x00"
+
 # Explicitly Deny other write operations in Plan mode with a clear message.
 [[rule]]
 toolName = ["write_file", "replace"]

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@google/gemini-cli",
-  "version": "0.36.0-preview.0",
+  "version": "0.36.0-preview.2",
   "description": "Gemini CLI",
   "license": "Apache-2.0",
   "repository": {