@google/gemini-cli 0.45.0-preview.0 → 0.45.0-preview.1

package/bundle/{interactiveCli-BVZLMTVC.js → interactiveCli-UUI7OUZK.js}

@@ -155,13 +155,13 @@ import {
   widestLineFromStyledChars,
   wordBreakStyledChars,
   wrapStyledChars
-} from "./chunk-TH3OOWK4.js";
+} from "./chunk-BO72FGK2.js";
 import {
   appEvents
 } from "./chunk-5PS3AYFU.js";
 import {
   require_source
-} from "./chunk-IPQLMJS5.js";
+} from "./chunk-4KX3ETW3.js";
 import {
   ACTIVE_SHELL_MAX_LINES,
   COMPACT_TOOL_SUBVIEW_MAX_LINES,
@@ -211,24 +211,24 @@ import {
   stringWidth,
   stripUnsafeCharacters,
   toCodePoints
-} from "./chunk-VS2OY6HJ.js";
+} from "./chunk-6WWGBNKT.js";
 import {
   handleAutoUpdate,
   isDevelopment,
   relaunchApp,
   setUpdateHandler
-} from "./chunk-N4X4WHSW.js";
+} from "./chunk-NB2NOE4L.js";
 import {
   isTodoList,
   mapCoreStatusToDisplayStatus,
   require_react
-} from "./chunk-APSDEHHA.js";
+} from "./chunk-E3KBY4EQ.js";
 import {
   registerCleanup,
   removeCleanup,
   runExitCleanup,
   setupTtyCheck
-} from "./chunk-Y5REX36P.js";
+} from "./chunk-HVWNKZSB.js";
 import {
   ACTIVATE_SKILL_TOOL_NAME,
   AGENT_TOOL_NAME,
@@ -410,7 +410,7 @@ import {
   validatePlanContent,
   validatePlanPath,
   writeToStdout
-} from "./chunk-J7SEBVDD.js";
+} from "./chunk-R52453KY.js";
 import "./chunk-6HI7VNOG.js";
 import "./chunk-TUDYL3X4.js";
 import "./chunk-IUUIT4SU.js";
@@ -33702,7 +33702,7 @@ ${queuedText}` : queuedText;
       if (keyMatchers["app.showErrorDetails" /* SHOW_ERROR_DETAILS */](key)) {
         if (settings.merged.general.devtools) {
           void (async () => {
-            const { toggleDevToolsPanel } = await import("./devtoolsService-F5XFL4BF.js");
+            const { toggleDevToolsPanel } = await import("./devtoolsService-XYSZCMQM.js");
             await toggleDevToolsPanel(
               config,
               showErrorDetails,

package/bundle/{liteRtServerManager-6N5DYDEQ.js → liteRtServerManager-2VKZTPMY.js}

@@ -3,11 +3,11 @@ import {
   DEFAULT_PORT,
   getBinaryPath,
   isServerRunning
-} from "./chunk-GIXFMPPJ.js";
-import "./chunk-WPCNMQ6J.js";
+} from "./chunk-TCAVPMJX.js";
+import "./chunk-CJHCK2YW.js";
 import {
   debugLogger
-} from "./chunk-CWAXEILN.js";
+} from "./chunk-5YTIYFJO.js";
 import "./chunk-6HI7VNOG.js";
 import "./chunk-TUDYL3X4.js";
 import "./chunk-IUUIT4SU.js";
@@ -41,7 +41,7 @@ var LiteRtServerManager = class {
       `[LiteRtServerManager] Auto-starting LiteRT server on port ${port}...`
     );
     try {
-      const { startServer } = await import("./start-XLIGOOW3.js");
+      const { startServer } = await import("./start-3LEQZELI.js");
       const started = await startServer(binaryPath, port);
       if (started) {
         debugLogger.log(`[LiteRtServerManager] Server started on port ${port}`);

package/bundle/{liteRtServerManager-JVMDH3TN.js → liteRtServerManager-4PZ3X7SS.js}

@@ -3,11 +3,11 @@ import {
   DEFAULT_PORT,
   getBinaryPath,
   isServerRunning
-} from "./chunk-DMCSPKNM.js";
-import "./chunk-NOJPXYUJ.js";
+} from "./chunk-IGJG7DNZ.js";
+import "./chunk-OQLEYMM2.js";
 import {
   debugLogger
-} from "./chunk-4FNXKOEB.js";
+} from "./chunk-565MWDPP.js";
 import "./chunk-6HI7VNOG.js";
 import "./chunk-TUDYL3X4.js";
 import "./chunk-IUUIT4SU.js";
@@ -41,7 +41,7 @@ var LiteRtServerManager = class {
       `[LiteRtServerManager] Auto-starting LiteRT server on port ${port}...`
     );
     try {
-      const { startServer } = await import("./start-KOAGXRA2.js");
+      const { startServer } = await import("./start-J7G6YXDJ.js");
       const started = await startServer(binaryPath, port);
       if (started) {
         debugLogger.log(`[LiteRtServerManager] Server started on port ${port}`);

package/bundle/{liteRtServerManager-3HS3VUPU.js → liteRtServerManager-GH6VHWTU.js}

@@ -3,11 +3,11 @@ import {
   DEFAULT_PORT,
   getBinaryPath,
   isServerRunning
-} from "./chunk-VS2OY6HJ.js";
-import "./chunk-APSDEHHA.js";
+} from "./chunk-6WWGBNKT.js";
+import "./chunk-E3KBY4EQ.js";
 import {
   debugLogger
-} from "./chunk-J7SEBVDD.js";
+} from "./chunk-R52453KY.js";
 import "./chunk-6HI7VNOG.js";
 import "./chunk-TUDYL3X4.js";
 import "./chunk-IUUIT4SU.js";
@@ -41,7 +41,7 @@ var LiteRtServerManager = class {
       `[LiteRtServerManager] Auto-starting LiteRT server on port ${port}...`
     );
     try {
-      const { startServer } = await import("./start-DJ6EBFEA.js");
+      const { startServer } = await import("./start-FPEO7KCZ.js");
       const started = await startServer(binaryPath, port);
       if (started) {
         debugLogger.log(`[LiteRtServerManager] Server started on port ${port}`);

package/bundle/liteRtServerManager-OMSM6SJU.js

@@ -0,0 +1,65 @@
+const require = (await import('node:module')).createRequire(import.meta.url); const __chunk_filename = (await import('node:url')).fileURLToPath(import.meta.url); const __chunk_dirname = (await import('node:path')).dirname(__chunk_filename);
+import {
+  DEFAULT_PORT,
+  getBinaryPath,
+  isServerRunning
+} from "./chunk-K43EAKOP.js";
+import "./chunk-FEY3T6LA.js";
+import {
+  debugLogger
+} from "./chunk-DDJWQSDN.js";
+import "./chunk-6HI7VNOG.js";
+import "./chunk-TUDYL3X4.js";
+import "./chunk-IUUIT4SU.js";
+import "./chunk-34MYV7JD.js";
+
+// packages/cli/src/services/liteRtServerManager.ts
+import fs from "node:fs";
+var LiteRtServerManager = class {
+  static async ensureRunning(gemmaSettings) {
+    if (!gemmaSettings?.enabled) return;
+    if (gemmaSettings.autoStartServer === false) return;
+    const binaryPath = getBinaryPath();
+    if (!binaryPath || !fs.existsSync(binaryPath)) {
+      debugLogger.log(
+        '[LiteRtServerManager] Binary not installed, skipping auto-start. Run "gemini gemma setup".'
+      );
+      return;
+    }
+    const port = parseInt(
+      gemmaSettings.classifier?.host?.match(/:(\d+)/)?.[1] ?? "",
+      10
+    ) || DEFAULT_PORT;
+    const running = await isServerRunning(port);
+    if (running) {
+      debugLogger.log(
+        `[LiteRtServerManager] Server already running on port ${port}`
+      );
+      return;
+    }
+    debugLogger.log(
+      `[LiteRtServerManager] Auto-starting LiteRT server on port ${port}...`
+    );
+    try {
+      const { startServer } = await import("./start-FH2E2VQ2.js");
+      const started = await startServer(binaryPath, port);
+      if (started) {
+        debugLogger.log(`[LiteRtServerManager] Server started on port ${port}`);
+      } else {
+        debugLogger.warn(
+          `[LiteRtServerManager] Server may not have started correctly on port ${port}`
+        );
+      }
+    } catch (error) {
+      debugLogger.warn("[LiteRtServerManager] Auto-start failed:", error);
+    }
+  }
+};
+export {
+  LiteRtServerManager
+};
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */

package/bundle/{oauth2-provider-U72EWZHQ.js → oauth2-provider-4UIWNIX3.js}

@@ -16,7 +16,7 @@ import {
   openBrowserSecurely,
   refreshAccessToken,
   startCallbackServer
-} from "./chunk-J7SEBVDD.js";
+} from "./chunk-R52453KY.js";
 import "./chunk-6HI7VNOG.js";
 import "./chunk-TUDYL3X4.js";
 import "./chunk-IUUIT4SU.js";

package/bundle/{oauth2-provider-RUFABDNL.js → oauth2-provider-BDX6V2YX.js}

@@ -16,7 +16,7 @@ import {
   openBrowserSecurely,
   refreshAccessToken,
   startCallbackServer
-} from "./chunk-4FNXKOEB.js";
+} from "./chunk-DDJWQSDN.js";
 import "./chunk-6HI7VNOG.js";
 import "./chunk-TUDYL3X4.js";
 import "./chunk-IUUIT4SU.js";

package/bundle/{oauth2-provider-WS7LUQ5V.js → oauth2-provider-N2ZY2DXQ.js}

@@ -16,35 +16,35 @@ import {
   openBrowserSecurely,
   refreshAccessToken,
   startCallbackServer
-} from "./chunk-CWAXEILN.js";
+} from "./chunk-565MWDPP.js";
 import "./chunk-6HI7VNOG.js";
 import "./chunk-TUDYL3X4.js";
 import "./chunk-IUUIT4SU.js";
 import "./chunk-34MYV7JD.js";
 
-// packages/core/src/agents/auth-provider/oauth2-provider.ts
+// packages/core/dist/src/agents/auth-provider/oauth2-provider.js
 var OAuth2AuthProvider = class extends BaseA2AAuthProvider {
+  config;
+  agentName;
+  agentCardUrl;
+  type = "oauth2";
+  tokenStorage;
+  cachedToken = null;
+  /** Resolved OAuth URLs — may come from config or agent card. */
+  authorizationUrl;
+  tokenUrl;
+  scopes;
   constructor(config, agentName, agentCard, agentCardUrl) {
     super();
     this.config = config;
     this.agentName = agentName;
     this.agentCardUrl = agentCardUrl;
-    this.tokenStorage = new MCPOAuthTokenStorage(
-      Storage.getA2AOAuthTokensPath(),
-      "gemini-cli-a2a"
-    );
+    this.tokenStorage = new MCPOAuthTokenStorage(Storage.getA2AOAuthTokensPath(), "gemini-cli-a2a");
     this.authorizationUrl = config.authorization_url;
     this.tokenUrl = config.token_url;
     this.scopes = config.scopes;
     this.mergeAgentCardDefaults(agentCard);
   }
-  type = "oauth2";
-  tokenStorage;
-  cachedToken = null;
-  /** Resolved OAuth URLs — may come from config or agent card. */
-  authorizationUrl;
-  tokenUrl;
-  scopes;
   /**
    * Initialize the provider by loading any persisted token from storage.
    * Also discovers OAuth URLs from the agent card if not yet resolved.
@@ -56,9 +56,7 @@ var OAuth2AuthProvider = class extends BaseA2AAuthProvider {
     const credentials = await this.tokenStorage.getCredentials(this.agentName);
     if (credentials && !this.tokenStorage.isTokenExpired(credentials.token)) {
       this.cachedToken = credentials.token;
-      debugLogger.debug(
-        `[OAuth2AuthProvider] Loaded valid cached token for "${this.agentName}"`
-      );
+      debugLogger.debug(`[OAuth2AuthProvider] Loaded valid cached token for "${this.agentName}"`);
     }
   }
   /**
@@ -71,25 +69,16 @@ var OAuth2AuthProvider = class extends BaseA2AAuthProvider {
     }
     if (this.cachedToken?.refreshToken && this.tokenUrl && this.config.client_id) {
       try {
-        const refreshed = await refreshAccessToken(
-          {
-            clientId: this.config.client_id,
-            clientSecret: this.config.client_secret,
-            scopes: this.scopes
-          },
-          this.cachedToken.refreshToken,
-          this.tokenUrl
-        );
-        this.cachedToken = this.toOAuthToken(
-          refreshed,
-          this.cachedToken.refreshToken
-        );
+        const refreshed = await refreshAccessToken({
+          clientId: this.config.client_id,
+          clientSecret: this.config.client_secret,
+          scopes: this.scopes
+        }, this.cachedToken.refreshToken, this.tokenUrl);
+        this.cachedToken = this.toOAuthToken(refreshed, this.cachedToken.refreshToken);
         await this.persistToken();
         return { Authorization: `Bearer ${this.cachedToken.accessToken}` };
       } catch (error) {
-        debugLogger.debug(
-          `[OAuth2AuthProvider] Refresh failed, falling back to interactive flow: ${getErrorMessage(error)}`
-        );
+        debugLogger.debug(`[OAuth2AuthProvider] Refresh failed, falling back to interactive flow: ${getErrorMessage(error)}`);
         await this.tokenStorage.deleteCredentials(this.agentName);
       }
     }
@@ -108,9 +97,7 @@ var OAuth2AuthProvider = class extends BaseA2AAuthProvider {
       return void 0;
     }
     this.authRetryCount++;
-    debugLogger.debug(
-      "[OAuth2AuthProvider] Auth failure, clearing token and re-authenticating"
-    );
+    debugLogger.debug("[OAuth2AuthProvider] Auth failure, clearing token and re-authenticating");
     this.cachedToken = null;
     await this.tokenStorage.deleteCredentials(this.agentName);
     return this.headers();
@@ -123,7 +110,8 @@ var OAuth2AuthProvider = class extends BaseA2AAuthProvider {
    * `securitySchemes` when not already provided via user config.
    */
   mergeAgentCardDefaults(agentCard) {
-    if (!agentCard?.securitySchemes) return;
+    if (!agentCard?.securitySchemes)
+      return;
     for (const scheme of Object.values(agentCard.securitySchemes)) {
       if (scheme.type === "oauth2" && scheme.flows.authorizationCode) {
         const flow = scheme.flows.authorizationCode;
@@ -139,18 +127,15 @@ var OAuth2AuthProvider = class extends BaseA2AAuthProvider {
    * (which normalizes proto-format cards) and extract OAuth2 URLs.
    */
   async fetchAgentCardDefaults() {
-    if (!this.agentCardUrl) return;
+    if (!this.agentCardUrl)
+      return;
     try {
-      debugLogger.debug(
-        `[OAuth2AuthProvider] Fetching agent card from ${this.agentCardUrl}`
-      );
+      debugLogger.debug(`[OAuth2AuthProvider] Fetching agent card from ${this.agentCardUrl}`);
       const resolver = new DefaultAgentCardResolver();
       const card = await resolver.resolve(this.agentCardUrl, "");
       this.mergeAgentCardDefaults(card);
     } catch (error) {
-      debugLogger.warn(
-        `[OAuth2AuthProvider] Could not fetch agent card for OAuth URL discovery: ${getErrorMessage(error)}`
-      );
+      debugLogger.warn(`[OAuth2AuthProvider] Could not fetch agent card for OAuth URL discovery: ${getErrorMessage(error)}`);
     }
   }
   /**
@@ -158,14 +143,10 @@ var OAuth2AuthProvider = class extends BaseA2AAuthProvider {
    */
   async authenticateInteractively() {
     if (!this.config.client_id) {
-      throw new Error(
-        `OAuth2 authentication for agent "${this.agentName}" requires a client_id. Add client_id to the auth config in your agent definition.`
-      );
+      throw new Error(`OAuth2 authentication for agent "${this.agentName}" requires a client_id. Add client_id to the auth config in your agent definition.`);
     }
     if (!this.authorizationUrl || !this.tokenUrl) {
-      throw new Error(
-        `OAuth2 authentication for agent "${this.agentName}" requires authorization_url and token_url. Provide them in the auth config or ensure the agent card exposes an oauth2 security scheme.`
-      );
+      throw new Error(`OAuth2 authentication for agent "${this.agentName}" requires authorization_url and token_url. Provide them in the auth config or ensure the agent card exposes an oauth2 security scheme.`);
     }
     const flowConfig = {
       clientId: this.config.client_id,
@@ -184,36 +165,25 @@ var OAuth2AuthProvider = class extends BaseA2AAuthProvider {
       redirectPort,
       /* resource= */
       void 0
-      // No MCP resource parameter for A2A.
-    );
-    const consent = await getConsentForOauth(
-      `Authentication required for A2A agent: '${this.agentName}'.`
     );
+    const consent = await getConsentForOauth(`Authentication required for A2A agent: '${this.agentName}'.`);
     if (!consent) {
       throw new FatalCancellationError("Authentication cancelled by user.");
     }
-    coreEvents.emitFeedback(
-      "info",
-      `\u2192 Opening your browser for OAuth sign-in...
+    coreEvents.emitFeedback("info", `\u2192 Opening your browser for OAuth sign-in...
 
 If the browser does not open, copy and paste this URL into your browser:
 ${authUrl}
 
 \u{1F4A1} TIP: Triple-click to select the entire URL, then copy and paste it into your browser.
-\u26A0\uFE0F  Make sure to copy the COMPLETE URL - it may wrap across multiple lines.`
-    );
+\u26A0\uFE0F  Make sure to copy the COMPLETE URL - it may wrap across multiple lines.`);
     try {
       await openBrowserSecurely(authUrl);
     } catch (error) {
-      debugLogger.warn(
-        "Failed to open browser automatically:",
-        getErrorMessage(error)
-      );
+      debugLogger.warn("Failed to open browser automatically:", getErrorMessage(error));
     }
     const { code } = await callbackServer.response;
-    debugLogger.debug(
-      "\u2713 Authorization code received, exchanging for tokens..."
-    );
+    debugLogger.debug("\u2713 Authorization code received, exchanging for tokens...");
     const tokenResponse = await exchangeCodeForToken(
       flowConfig,
       code,
@@ -250,13 +220,9 @@ ${authUrl}
    * Persist the current cached token to disk.
    */
   async persistToken() {
-    if (!this.cachedToken) return;
-    await this.tokenStorage.saveToken(
-      this.agentName,
-      this.cachedToken,
-      this.config.client_id,
-      this.tokenUrl
-    );
+    if (!this.cachedToken)
+      return;
+    await this.tokenStorage.saveToken(this.agentName, this.cachedToken, this.config.client_id, this.tokenUrl);
   }
 };
 export {

package/bundle/oauth2-provider-TRRJCE2P.js

@@ -0,0 +1,235 @@
+const require = (await import('node:module')).createRequire(import.meta.url); const __chunk_filename = (await import('node:url')).fileURLToPath(import.meta.url); const __chunk_dirname = (await import('node:path')).dirname(__chunk_filename);
+import {
+  BaseA2AAuthProvider,
+  DefaultAgentCardResolver,
+  FatalCancellationError,
+  MCPOAuthTokenStorage,
+  Storage,
+  buildAuthorizationUrl,
+  coreEvents,
+  debugLogger,
+  exchangeCodeForToken,
+  generatePKCEParams,
+  getConsentForOauth,
+  getErrorMessage,
+  getPortFromUrl,
+  openBrowserSecurely,
+  refreshAccessToken,
+  startCallbackServer
+} from "./chunk-5YTIYFJO.js";
+import "./chunk-6HI7VNOG.js";
+import "./chunk-TUDYL3X4.js";
+import "./chunk-IUUIT4SU.js";
+import "./chunk-34MYV7JD.js";
+
+// packages/core/dist/src/agents/auth-provider/oauth2-provider.js
+var OAuth2AuthProvider = class extends BaseA2AAuthProvider {
+  config;
+  agentName;
+  agentCardUrl;
+  type = "oauth2";
+  tokenStorage;
+  cachedToken = null;
+  /** Resolved OAuth URLs — may come from config or agent card. */
+  authorizationUrl;
+  tokenUrl;
+  scopes;
+  constructor(config, agentName, agentCard, agentCardUrl) {
+    super();
+    this.config = config;
+    this.agentName = agentName;
+    this.agentCardUrl = agentCardUrl;
+    this.tokenStorage = new MCPOAuthTokenStorage(Storage.getA2AOAuthTokensPath(), "gemini-cli-a2a");
+    this.authorizationUrl = config.authorization_url;
+    this.tokenUrl = config.token_url;
+    this.scopes = config.scopes;
+    this.mergeAgentCardDefaults(agentCard);
+  }
+  /**
+   * Initialize the provider by loading any persisted token from storage.
+   * Also discovers OAuth URLs from the agent card if not yet resolved.
+   */
+  async initialize() {
+    if ((!this.authorizationUrl || !this.tokenUrl) && this.agentCardUrl) {
+      await this.fetchAgentCardDefaults();
+    }
+    const credentials = await this.tokenStorage.getCredentials(this.agentName);
+    if (credentials && !this.tokenStorage.isTokenExpired(credentials.token)) {
+      this.cachedToken = credentials.token;
+      debugLogger.debug(`[OAuth2AuthProvider] Loaded valid cached token for "${this.agentName}"`);
+    }
+  }
+  /**
+   * Return an Authorization header with a valid Bearer token.
+   * Refreshes or triggers interactive auth as needed.
+   */
+  async headers() {
+    if (this.cachedToken && !this.tokenStorage.isTokenExpired(this.cachedToken)) {
+      return { Authorization: `Bearer ${this.cachedToken.accessToken}` };
+    }
+    if (this.cachedToken?.refreshToken && this.tokenUrl && this.config.client_id) {
+      try {
+        const refreshed = await refreshAccessToken({
+          clientId: this.config.client_id,
+          clientSecret: this.config.client_secret,
+          scopes: this.scopes
+        }, this.cachedToken.refreshToken, this.tokenUrl);
+        this.cachedToken = this.toOAuthToken(refreshed, this.cachedToken.refreshToken);
+        await this.persistToken();
+        return { Authorization: `Bearer ${this.cachedToken.accessToken}` };
+      } catch (error) {
+        debugLogger.debug(`[OAuth2AuthProvider] Refresh failed, falling back to interactive flow: ${getErrorMessage(error)}`);
+        await this.tokenStorage.deleteCredentials(this.agentName);
+      }
+    }
+    this.cachedToken = await this.authenticateInteractively();
+    return { Authorization: `Bearer ${this.cachedToken.accessToken}` };
+  }
+  /**
+   * On 401/403, clear the cached token and re-authenticate (up to MAX_AUTH_RETRIES).
+   */
+  async shouldRetryWithHeaders(_req, res) {
+    if (res.status !== 401 && res.status !== 403) {
+      this.authRetryCount = 0;
+      return void 0;
+    }
+    if (this.authRetryCount >= BaseA2AAuthProvider.MAX_AUTH_RETRIES) {
+      return void 0;
+    }
+    this.authRetryCount++;
+    debugLogger.debug("[OAuth2AuthProvider] Auth failure, clearing token and re-authenticating");
+    this.cachedToken = null;
+    await this.tokenStorage.deleteCredentials(this.agentName);
+    return this.headers();
+  }
+  // ---------------------------------------------------------------------------
+  // Private helpers
+  // ---------------------------------------------------------------------------
+  /**
+   * Merge authorization_url, token_url, and scopes from the agent card's
+   * `securitySchemes` when not already provided via user config.
+   */
+  mergeAgentCardDefaults(agentCard) {
+    if (!agentCard?.securitySchemes)
+      return;
+    for (const scheme of Object.values(agentCard.securitySchemes)) {
+      if (scheme.type === "oauth2" && scheme.flows.authorizationCode) {
+        const flow = scheme.flows.authorizationCode;
+        this.authorizationUrl ??= flow.authorizationUrl;
+        this.tokenUrl ??= flow.tokenUrl;
+        this.scopes ??= Object.keys(flow.scopes);
+        break;
+      }
+    }
+  }
+  /**
+   * Fetch the agent card from `agentCardUrl` using `DefaultAgentCardResolver`
+   * (which normalizes proto-format cards) and extract OAuth2 URLs.
+   */
+  async fetchAgentCardDefaults() {
+    if (!this.agentCardUrl)
+      return;
+    try {
+      debugLogger.debug(`[OAuth2AuthProvider] Fetching agent card from ${this.agentCardUrl}`);
+      const resolver = new DefaultAgentCardResolver();
+      const card = await resolver.resolve(this.agentCardUrl, "");
+      this.mergeAgentCardDefaults(card);
+    } catch (error) {
+      debugLogger.warn(`[OAuth2AuthProvider] Could not fetch agent card for OAuth URL discovery: ${getErrorMessage(error)}`);
+    }
+  }
+  /**
+   * Run a full OAuth 2.0 Authorization Code + PKCE flow through the browser.
+   */
+  async authenticateInteractively() {
+    if (!this.config.client_id) {
+      throw new Error(`OAuth2 authentication for agent "${this.agentName}" requires a client_id. Add client_id to the auth config in your agent definition.`);
+    }
+    if (!this.authorizationUrl || !this.tokenUrl) {
+      throw new Error(`OAuth2 authentication for agent "${this.agentName}" requires authorization_url and token_url. Provide them in the auth config or ensure the agent card exposes an oauth2 security scheme.`);
+    }
+    const flowConfig = {
+      clientId: this.config.client_id,
+      clientSecret: this.config.client_secret,
+      authorizationUrl: this.authorizationUrl,
+      tokenUrl: this.tokenUrl,
+      scopes: this.scopes
+    };
+    const pkceParams = generatePKCEParams();
+    const preferredPort = getPortFromUrl(flowConfig.redirectUri);
+    const callbackServer = startCallbackServer(pkceParams.state, preferredPort);
+    const redirectPort = await callbackServer.port;
+    const authUrl = buildAuthorizationUrl(
+      flowConfig,
+      pkceParams,
+      redirectPort,
+      /* resource= */
+      void 0
+    );
+    const consent = await getConsentForOauth(`Authentication required for A2A agent: '${this.agentName}'.`);
+    if (!consent) {
+      throw new FatalCancellationError("Authentication cancelled by user.");
+    }
+    coreEvents.emitFeedback("info", `\u2192 Opening your browser for OAuth sign-in...
+
+If the browser does not open, copy and paste this URL into your browser:
+${authUrl}
+
+\u{1F4A1} TIP: Triple-click to select the entire URL, then copy and paste it into your browser.
+\u26A0\uFE0F  Make sure to copy the COMPLETE URL - it may wrap across multiple lines.`);
+    try {
+      await openBrowserSecurely(authUrl);
+    } catch (error) {
+      debugLogger.warn("Failed to open browser automatically:", getErrorMessage(error));
+    }
+    const { code } = await callbackServer.response;
+    debugLogger.debug("\u2713 Authorization code received, exchanging for tokens...");
+    const tokenResponse = await exchangeCodeForToken(
+      flowConfig,
+      code,
+      pkceParams.codeVerifier,
+      redirectPort,
+      /* resource= */
+      void 0
+    );
+    if (!tokenResponse.access_token) {
+      throw new Error("No access token received from token endpoint");
+    }
+    const token = this.toOAuthToken(tokenResponse);
+    this.cachedToken = token;
+    await this.persistToken();
+    debugLogger.debug("\u2713 OAuth2 authentication successful! Token saved.");
+    return token;
+  }
+  /**
+   * Convert an `OAuthTokenResponse` into the internal `OAuthToken` format.
+   */
+  toOAuthToken(response, fallbackRefreshToken) {
+    const token = {
+      accessToken: response.access_token,
+      tokenType: response.token_type || "Bearer",
+      refreshToken: response.refresh_token || fallbackRefreshToken,
+      scope: response.scope
+    };
+    if (response.expires_in) {
+      token.expiresAt = Date.now() + response.expires_in * 1e3;
+    }
+    return token;
+  }
+  /**
+   * Persist the current cached token to disk.
+   */
+  async persistToken() {
+    if (!this.cachedToken)
+      return;
+    await this.tokenStorage.saveToken(this.agentName, this.cachedToken, this.config.client_id, this.tokenUrl);
+  }
+};
+export {
+  OAuth2AuthProvider
+};
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */