@juspay/neurolink 9.60.0 → 9.61.0

package/dist/cli/commands/proxy.js

@@ -300,14 +300,42 @@ exit 127
     writeFileSync(TRAMPOLINE_PATH, script, { mode: 0o755 });
     chmodSync(TRAMPOLINE_PATH, 0o755);
 }
+/**
+ * Check whether a pnpm binary can install into the global store.
+ *
+ * Multiple pnpm major versions can coexist (e.g., standalone v8 + nvm v10).
+ * They use different store layouts (`store/v10` vs `store/v10/v3`), so a
+ * pnpm that passes `--version` may still fail `pnpm add -g` with
+ * ERR_PNPM_UNEXPECTED_STORE. We detect this by running `pnpm root -g` and
+ * checking whether the resolved global root directory actually exists on disk.
+ */
+function canInstallGlobally(pnpmPath) {
+    try {
+        const { execFileSync } = _require("node:child_process");
+        const { existsSync } = _require("fs");
+        const globalRoot = execFileSync(pnpmPath, ["root", "-g"], {
+            encoding: "utf8",
+            timeout: 10_000,
+            stdio: ["ignore", "pipe", "ignore"],
+        }).trim();
+        // If the global root exists, this pnpm version is compatible with
+        // the current store layout and can install packages there.
+        return !!globalRoot && existsSync(globalRoot);
+    }
+    catch {
+        return false;
+    }
+}
 /**
  * Resolve the `pnpm` binary defensively.
  *
- * Tries multiple candidates in order of preference and validates each by
- * running `--version`. Returns the first one that actually works, along
- * with a list of all candidates tried (for diagnostics). This defends
- * against environments where `which pnpm` returns a broken shim or an
- * incompatible version.
+ * Tries multiple candidates in order of preference. Each candidate must:
+ * 1. Respond to `pnpm --version` (binary works)
+ * 2. Have a compatible global store (`pnpm root -g` points to an existing dir)
+ *
+ * This defends against environments with multiple pnpm major versions
+ * (e.g., standalone v8 + nvm v10) where the wrong one would fail with
+ * ERR_PNPM_UNEXPECTED_STORE on `pnpm add -g`.
  *
  * Honors `NEUROLINK_PNPM_PATH` as an escape hatch.
  */
@@ -348,17 +376,32 @@ function resolveFullPnpmPath() {
         seen.add(p);
         return true;
     });
-    // Probe each candidate
+    // Probe each candidate: must pass --version AND have a compatible global store
     const tried = unique.map((path) => {
         const version = probeBinVersion(path);
-        return { path, version, working: version !== undefined };
+        const working = version !== undefined;
+        const globalStoreOk = working ? canInstallGlobally(path) : false;
+        return { path, version, working, globalStoreOk };
     });
-    const working = tried.find((r) => r.working);
-    if (working) {
+    // Prefer a candidate that can actually install globally
+    const fullyWorking = tried.find((r) => r.working && r.globalStoreOk);
+    if (fullyWorking) {
+        return {
+            bin: fullyWorking.path,
+            resolved: true,
+            version: fullyWorking.version,
+            tried,
+        };
+    }
+    // Fall back to any candidate that at least responds to --version
+    // (better than nothing — the install may still fail, but will be
+    // caught and suppressed by the caller)
+    const anyWorking = tried.find((r) => r.working);
+    if (anyWorking) {
         return {
-            bin: working.path,
+            bin: anyWorking.path,
             resolved: true,
-            version: working.version,
+            version: anyWorking.version,
             tried,
         };
     }

package/dist/core/constants.js

@@ -17,10 +17,21 @@ export const PDF_IMAGE_GENERATION_MODELS = [
 ];
 // Global Location Models
 // Models that require global location configuration (uses aiplatform.googleapis.com instead of region-specific endpoints)
+// Includes Gemini 3.x text and image models, which are only available via the global endpoint on Vertex AI.
+// IMAGE_GENERATION_MODELS is spread in to keep the two lists from drifting:
+// any new image-gen model added there is automatically routed to global here.
 export const GLOBAL_LOCATION_MODELS = [
-    "gemini-3-pro-image-preview",
-    "gemini-2.5-flash-image",
-    "gemini-3.1-flash-image-preview",
+    // Image generation (sourced from IMAGE_GENERATION_MODELS)
+    ...IMAGE_GENERATION_MODELS,
+    // Gemini 3.1 text models (global-only)
+    "gemini-3.1-pro-preview",
+    "gemini-3.1-flash-lite-preview",
+    "gemini-3.1-pro-preview-customtools",
+    // Gemini 3 text models (global-only)
+    "gemini-3-pro-preview",
+    "gemini-3-pro-preview-11-2025",
+    "gemini-3-pro-latest",
+    "gemini-3-flash-preview",
 ];
 // Core AI Generation Defaults
 export const DEFAULT_MAX_TOKENS = undefined; // Unlimited by default - let providers decide their own limits

package/dist/lib/core/constants.js

@@ -17,10 +17,21 @@ export const PDF_IMAGE_GENERATION_MODELS = [
 ];
 // Global Location Models
 // Models that require global location configuration (uses aiplatform.googleapis.com instead of region-specific endpoints)
+// Includes Gemini 3.x text and image models, which are only available via the global endpoint on Vertex AI.
+// IMAGE_GENERATION_MODELS is spread in to keep the two lists from drifting:
+// any new image-gen model added there is automatically routed to global here.
 export const GLOBAL_LOCATION_MODELS = [
-    "gemini-3-pro-image-preview",
-    "gemini-2.5-flash-image",
-    "gemini-3.1-flash-image-preview",
+    // Image generation (sourced from IMAGE_GENERATION_MODELS)
+    ...IMAGE_GENERATION_MODELS,
+    // Gemini 3.1 text models (global-only)
+    "gemini-3.1-pro-preview",
+    "gemini-3.1-flash-lite-preview",
+    "gemini-3.1-pro-preview-customtools",
+    // Gemini 3 text models (global-only)
+    "gemini-3-pro-preview",
+    "gemini-3-pro-preview-11-2025",
+    "gemini-3-pro-latest",
+    "gemini-3-flash-preview",
 ];
 // Core AI Generation Defaults
 export const DEFAULT_MAX_TOKENS = undefined; // Unlimited by default - let providers decide their own limits

package/dist/lib/mcp/auth/oauthClientProvider.js

@@ -5,6 +5,9 @@
 import { randomBytes, createHash } from "crypto";
 import { InMemoryTokenStorage, isTokenExpired, calculateExpiresAt, } from "./tokenStorage.js";
 import { logger } from "../../utils/logger.js";
+import { withTimeout } from "../../utils/errorHandling.js";
+/** Default timeout for OAuth token operations (30 seconds) */
+const OAUTH_TOKEN_TIMEOUT_MS = 30000;
 /**
  * NeuroLink OAuth Provider for MCP HTTP Transport
  * Handles OAuth 2.1 authentication flow with optional PKCE support
@@ -147,15 +150,15 @@ export class NeuroLinkOAuthProvider {
         if (codeVerifier) {
             body.set("code_verifier", codeVerifier);
         }
-        // Request tokens
-        const response = await fetch(this.config.tokenUrl, {
+        // Request tokens with timeout protection
+        const response = await withTimeout(fetch(this.config.tokenUrl, {
             method: "POST",
             headers: {
                 "Content-Type": "application/x-www-form-urlencoded",
                 Accept: "application/json",
             },
             body: body.toString(),
-        });
+        }), OAUTH_TOKEN_TIMEOUT_MS, new Error(`OAuth token exchange timed out after ${OAUTH_TOKEN_TIMEOUT_MS}ms`));
         if (!response.ok) {
             const errorText = await response.text();
             throw new Error(`Token exchange failed: ${response.status} ${response.statusText} - ${errorText}`);
@@ -186,14 +189,15 @@ export class NeuroLinkOAuthProvider {
         if (this.config.clientSecret) {
             body.set("client_secret", this.config.clientSecret);
         }
-        const response = await fetch(this.config.tokenUrl, {
+        // Refresh tokens with timeout protection
+        const response = await withTimeout(fetch(this.config.tokenUrl, {
             method: "POST",
             headers: {
                 "Content-Type": "application/x-www-form-urlencoded",
                 Accept: "application/json",
             },
             body: body.toString(),
-        });
+        }), OAUTH_TOKEN_TIMEOUT_MS, new Error(`OAuth token refresh timed out after ${OAUTH_TOKEN_TIMEOUT_MS}ms`));
         if (!response.ok) {
             const errorText = await response.text();
             throw new Error(`Token refresh failed: ${response.status} ${response.statusText} - ${errorText}`);
@@ -227,13 +231,14 @@ export class NeuroLinkOAuthProvider {
             body.set("client_secret", this.config.clientSecret);
         }
         try {
-            await fetch(revocationUrl, {
+            // Revoke tokens with timeout protection
+            await withTimeout(fetch(revocationUrl, {
                 method: "POST",
                 headers: {
                     "Content-Type": "application/x-www-form-urlencoded",
                 },
                 body: body.toString(),
-            });
+            }), OAUTH_TOKEN_TIMEOUT_MS, new Error(`OAuth token revocation timed out after ${OAUTH_TOKEN_TIMEOUT_MS}ms`));
         }
         catch (error) {
             logger.warn(`[NeuroLinkOAuthProvider] Token revocation failed: ${error instanceof Error ? error.message : String(error)}`);

package/dist/lib/utils/tokenLimits.js

@@ -2,12 +2,54 @@
  * Provider-specific token limit utilities
  * Provides safe maxTokens values based on provider and model capabilities
  */
-import { PROVIDER_MAX_TOKENS } from "../core/constants.js";
+import { PROVIDER_MAX_TOKENS, IMAGE_GENERATION_MODELS, } from "../core/constants.js";
 import { logger } from "./logger.js";
+// Gemini 3 models and Gemini 2.5 image models have a hard limit of 32768 output tokens
+const GEMINI_RESTRICTED_MAX_OUTPUT_TOKENS = 32768;
+/**
+ * Check if a model has the restricted 32768 output token limit
+ * This applies to:
+ * - All Gemini 3 models (gemini-3-flash, gemini-3-pro, etc.)
+ * - All Gemini 2.5 image generation models (gemini-2.5-flash-image)
+ */
+function hasRestrictedOutputLimit(model) {
+    if (!model) {
+        return false;
+    }
+    // Check for Gemini 3 models
+    if (model.includes("gemini-3")) {
+        return true;
+    }
+    // Check for image generation models (includes gemini-2.5-flash-image)
+    if (IMAGE_GENERATION_MODELS.some((m) => model.includes(m))) {
+        return true;
+    }
+    return false;
+}
 /**
  * Get the safe maximum tokens for a provider and model
  */
 export function getSafeMaxTokens(provider, model, requestedMaxTokens) {
+    // CRITICAL: Gemini 3 models AND image generation models have a hard limit of 32768 output tokens
+    // This check must happen FIRST, before any other logic, because these models
+    // will reject requests with maxOutputTokens > 32768
+    const isRestrictedModel = hasRestrictedOutputLimit(model);
+    if (isRestrictedModel) {
+        // Explicit undefined/null check so a caller-supplied 0 is preserved
+        // (truthy checks would treat 0 as "unset" and silently fall back to the cap).
+        if (requestedMaxTokens !== undefined &&
+            requestedMaxTokens !== null &&
+            requestedMaxTokens > GEMINI_RESTRICTED_MAX_OUTPUT_TOKENS) {
+            logger.warn(`Requested maxTokens ${requestedMaxTokens} exceeds ${model} limit of ${GEMINI_RESTRICTED_MAX_OUTPUT_TOKENS}. Using ${GEMINI_RESTRICTED_MAX_OUTPUT_TOKENS} instead.`);
+            return GEMINI_RESTRICTED_MAX_OUTPUT_TOKENS;
+        }
+        // If no maxTokens specified, use the restricted limit as default
+        if (requestedMaxTokens === undefined || requestedMaxTokens === null) {
+            return GEMINI_RESTRICTED_MAX_OUTPUT_TOKENS;
+        }
+        // Otherwise, use the requested value (it's within limits, including 0)
+        return requestedMaxTokens;
+    }
     // Get provider-specific limits
     const providerLimits = PROVIDER_MAX_TOKENS[provider];
     if (!providerLimits) {

package/dist/mcp/auth/oauthClientProvider.js

@@ -5,6 +5,9 @@
 import { randomBytes, createHash } from "crypto";
 import { InMemoryTokenStorage, isTokenExpired, calculateExpiresAt, } from "./tokenStorage.js";
 import { logger } from "../../utils/logger.js";
+import { withTimeout } from "../../utils/errorHandling.js";
+/** Default timeout for OAuth token operations (30 seconds) */
+const OAUTH_TOKEN_TIMEOUT_MS = 30000;
 /**
  * NeuroLink OAuth Provider for MCP HTTP Transport
  * Handles OAuth 2.1 authentication flow with optional PKCE support
@@ -147,15 +150,15 @@ export class NeuroLinkOAuthProvider {
         if (codeVerifier) {
             body.set("code_verifier", codeVerifier);
         }
-        // Request tokens
-        const response = await fetch(this.config.tokenUrl, {
+        // Request tokens with timeout protection
+        const response = await withTimeout(fetch(this.config.tokenUrl, {
             method: "POST",
             headers: {
                 "Content-Type": "application/x-www-form-urlencoded",
                 Accept: "application/json",
             },
             body: body.toString(),
-        });
+        }), OAUTH_TOKEN_TIMEOUT_MS, new Error(`OAuth token exchange timed out after ${OAUTH_TOKEN_TIMEOUT_MS}ms`));
         if (!response.ok) {
             const errorText = await response.text();
             throw new Error(`Token exchange failed: ${response.status} ${response.statusText} - ${errorText}`);
@@ -186,14 +189,15 @@ export class NeuroLinkOAuthProvider {
         if (this.config.clientSecret) {
             body.set("client_secret", this.config.clientSecret);
         }
-        const response = await fetch(this.config.tokenUrl, {
+        // Refresh tokens with timeout protection
+        const response = await withTimeout(fetch(this.config.tokenUrl, {
             method: "POST",
             headers: {
                 "Content-Type": "application/x-www-form-urlencoded",
                 Accept: "application/json",
             },
             body: body.toString(),
-        });
+        }), OAUTH_TOKEN_TIMEOUT_MS, new Error(`OAuth token refresh timed out after ${OAUTH_TOKEN_TIMEOUT_MS}ms`));
         if (!response.ok) {
             const errorText = await response.text();
             throw new Error(`Token refresh failed: ${response.status} ${response.statusText} - ${errorText}`);
@@ -227,13 +231,14 @@ export class NeuroLinkOAuthProvider {
             body.set("client_secret", this.config.clientSecret);
         }
         try {
-            await fetch(revocationUrl, {
+            // Revoke tokens with timeout protection
+            await withTimeout(fetch(revocationUrl, {
                 method: "POST",
                 headers: {
                     "Content-Type": "application/x-www-form-urlencoded",
                 },
                 body: body.toString(),
-            });
+            }), OAUTH_TOKEN_TIMEOUT_MS, new Error(`OAuth token revocation timed out after ${OAUTH_TOKEN_TIMEOUT_MS}ms`));
         }
         catch (error) {
             logger.warn(`[NeuroLinkOAuthProvider] Token revocation failed: ${error instanceof Error ? error.message : String(error)}`);

package/dist/utils/tokenLimits.js

@@ -2,12 +2,54 @@
  * Provider-specific token limit utilities
  * Provides safe maxTokens values based on provider and model capabilities
  */
-import { PROVIDER_MAX_TOKENS } from "../core/constants.js";
+import { PROVIDER_MAX_TOKENS, IMAGE_GENERATION_MODELS, } from "../core/constants.js";
 import { logger } from "./logger.js";
+// Gemini 3 models and Gemini 2.5 image models have a hard limit of 32768 output tokens
+const GEMINI_RESTRICTED_MAX_OUTPUT_TOKENS = 32768;
+/**
+ * Check if a model has the restricted 32768 output token limit
+ * This applies to:
+ * - All Gemini 3 models (gemini-3-flash, gemini-3-pro, etc.)
+ * - All Gemini 2.5 image generation models (gemini-2.5-flash-image)
+ */
+function hasRestrictedOutputLimit(model) {
+    if (!model) {
+        return false;
+    }
+    // Check for Gemini 3 models
+    if (model.includes("gemini-3")) {
+        return true;
+    }
+    // Check for image generation models (includes gemini-2.5-flash-image)
+    if (IMAGE_GENERATION_MODELS.some((m) => model.includes(m))) {
+        return true;
+    }
+    return false;
+}
 /**
  * Get the safe maximum tokens for a provider and model
  */
 export function getSafeMaxTokens(provider, model, requestedMaxTokens) {
+    // CRITICAL: Gemini 3 models AND image generation models have a hard limit of 32768 output tokens
+    // This check must happen FIRST, before any other logic, because these models
+    // will reject requests with maxOutputTokens > 32768
+    const isRestrictedModel = hasRestrictedOutputLimit(model);
+    if (isRestrictedModel) {
+        // Explicit undefined/null check so a caller-supplied 0 is preserved
+        // (truthy checks would treat 0 as "unset" and silently fall back to the cap).
+        if (requestedMaxTokens !== undefined &&
+            requestedMaxTokens !== null &&
+            requestedMaxTokens > GEMINI_RESTRICTED_MAX_OUTPUT_TOKENS) {
+            logger.warn(`Requested maxTokens ${requestedMaxTokens} exceeds ${model} limit of ${GEMINI_RESTRICTED_MAX_OUTPUT_TOKENS}. Using ${GEMINI_RESTRICTED_MAX_OUTPUT_TOKENS} instead.`);
+            return GEMINI_RESTRICTED_MAX_OUTPUT_TOKENS;
+        }
+        // If no maxTokens specified, use the restricted limit as default
+        if (requestedMaxTokens === undefined || requestedMaxTokens === null) {
+            return GEMINI_RESTRICTED_MAX_OUTPUT_TOKENS;
+        }
+        // Otherwise, use the requested value (it's within limits, including 0)
+        return requestedMaxTokens;
+    }
     // Get provider-specific limits
     const providerLimits = PROVIDER_MAX_TOKENS[provider];
     if (!providerLimits) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@juspay/neurolink",
-  "version": "9.60.0",
+  "version": "9.61.0",
   "packageManager": "pnpm@10.15.1",
   "description": "Universal AI Development Platform with working MCP integration, multi-provider support, and professional CLI. Built-in tools operational, 58+ external MCP servers discoverable. Connect to filesystem, GitHub, database operations, and more. Build, test, and deploy AI applications with 13 providers: OpenAI, Anthropic, Google AI, AWS Bedrock, Azure, Hugging Face, Ollama, and Mistral AI.",
   "author": {