@oh-my-pi/pi-ai 11.8.1 → 11.8.3

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@oh-my-pi/pi-ai",
-	"version": "11.8.1",
+	"version": "11.8.3",
 	"description": "Unified LLM API with automatic model discovery and provider configuration",
 	"type": "module",
 	"main": "./src/index.ts",
@@ -63,7 +63,7 @@
 		"@connectrpc/connect-node": "^2.1.1",
 		"@google/genai": "^1.39.0",
 		"@mistralai/mistralai": "^1.13.0",
-		"@oh-my-pi/pi-utils": "11.8.1",
+		"@oh-my-pi/pi-utils": "11.8.3",
 		"@sinclair/typebox": "^0.34.48",
 		"@smithy/node-http-handler": "^4.4.9",
 		"ajv": "^8.17.1",

package/src/cli.ts

@@ -1,5 +1,5 @@
 #!/usr/bin/env bun
-import { createInterface } from "readline";
+import * as readline from "node:readline";
 import { CliAuthStorage } from "./storage";
 import { getOAuthProviders } from "./utils/oauth";
 import { loginAnthropic } from "./utils/oauth/anthropic";
@@ -13,14 +13,14 @@ import type { OAuthCredentials, OAuthProvider } from "./utils/oauth/types";
 
 const PROVIDERS = getOAuthProviders();
 
-function prompt(rl: ReturnType<typeof createInterface>, question: string): Promise<string> {
+function prompt(rl: readline.Interface, question: string): Promise<string> {
 	const { promise, resolve } = Promise.withResolvers<string>();
 	rl.question(question, resolve);
 	return promise;
 }
 
 async function login(provider: OAuthProvider): Promise<void> {
-	const rl = createInterface({ input: process.stdin, output: process.stdout });
+	const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
 
 	const promptFn = (msg: string) => prompt(rl, `${msg} `);
 	const storage = await CliAuthStorage.create();
@@ -201,7 +201,7 @@ Examples:
 					return;
 				}
 
-				const rl = createInterface({ input: process.stdin, output: process.stdout });
+				const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
 				console.log("Select a provider to logout:\n");
 				for (let i = 0; i < providers.length; i++) {
 					console.log(`  ${i + 1}. ${providers[i]}`);
@@ -237,7 +237,7 @@ Examples:
 		let provider = args[1] as OAuthProvider | undefined;
 
 		if (!provider) {
-			const rl = createInterface({ input: process.stdin, output: process.stdout });
+			const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
 			console.log("Select a provider:\n");
 			for (let i = 0; i < PROVIDERS.length; i++) {
 				console.log(`  ${i + 1}. ${PROVIDERS[i].name}`);

package/src/providers/cursor.ts

@@ -317,7 +317,7 @@ export const streamCursor: StreamFunction<"cursor-agent"> = (
 
 		let h2Client: http2.ClientHttp2Session | null = null;
 		let h2Request: http2.ClientHttp2Stream | null = null;
-		let heartbeatTimer: ReturnType<typeof setInterval> | null = null;
+		let heartbeatTimer: NodeJS.Timeout | null = null;
 
 		try {
 			const apiKey = options?.apiKey;

package/src/providers/google-gemini-cli.ts

@@ -4,7 +4,7 @@
  * Uses the Cloud Code Assist API endpoint to access Gemini and Claude models.
  */
 import { createHash } from "node:crypto";
-import type { Content, ThinkingConfig } from "@google/genai";
+import type { Content, FunctionCallingConfigMode, ThinkingConfig } from "@google/genai";
 import { abortableSleep, readSseJson } from "@oh-my-pi/pi-utils";
 import { calculateCost } from "../models";
 import type {
@@ -244,10 +244,10 @@ interface CloudCodeAssistRequest {
 			temperature?: number;
 			thinkingConfig?: ThinkingConfig;
 		};
-		tools?: ReturnType<typeof convertTools>;
+		tools?: { functionDeclarations: Record<string, unknown>[] }[] | undefined;
 		toolConfig?: {
 			functionCallingConfig: {
-				mode: ReturnType<typeof mapToolChoice>;
+				mode: FunctionCallingConfigMode;
 			};
 		};
 	};

package/src/storage.ts

@@ -3,7 +3,7 @@
  * Compatible with coding-agent's agent.db format.
  */
 
-import { Database } from "bun:sqlite";
+import { Database, type Statement } from "bun:sqlite";
 import * as fs from "node:fs/promises";
 import * as os from "node:os";
 import * as path from "node:path";
@@ -84,22 +84,22 @@ function deserializeCredential(row: AuthRow): AuthCredential | null {
  * Use `CliAuthStorage.create()` to instantiate (async initialization).
  */
 export class CliAuthStorage {
-	private db: Database;
-	private insertStmt: ReturnType<Database["prepare"]>;
-	private listByProviderStmt: ReturnType<Database["prepare"]>;
-	private listAllStmt: ReturnType<Database["prepare"]>;
-	private deleteByProviderStmt: ReturnType<Database["prepare"]>;
+	#db: Database;
+	#insertStmt: Statement;
+	#listByProviderStmt: Statement;
+	#listAllStmt: Statement;
+	#deleteByProviderStmt: Statement;
 
 	private constructor(db: Database) {
-		this.db = db;
-		this.initializeSchema();
+		this.#db = db;
+		this.#initializeSchema();
 
-		this.insertStmt = this.db.prepare(
+		this.#insertStmt = this.#db.prepare(
 			"INSERT INTO auth_credentials (provider, credential_type, data) VALUES (?, ?, ?) RETURNING id",
 		);
-		this.listByProviderStmt = this.db.prepare("SELECT * FROM auth_credentials WHERE provider = ?");
-		this.listAllStmt = this.db.prepare("SELECT * FROM auth_credentials");
-		this.deleteByProviderStmt = this.db.prepare("DELETE FROM auth_credentials WHERE provider = ?");
+		this.#listByProviderStmt = this.#db.prepare("SELECT * FROM auth_credentials WHERE provider = ?");
+		this.#listAllStmt = this.#db.prepare("SELECT * FROM auth_credentials");
+		this.#deleteByProviderStmt = this.#db.prepare("DELETE FROM auth_credentials WHERE provider = ?");
 	}
 
 	static async create(dbPath: string = getAgentDbPath()): Promise<CliAuthStorage> {
@@ -122,8 +122,8 @@ export class CliAuthStorage {
 		return new CliAuthStorage(db);
 	}
 
-	private initializeSchema(): void {
-		this.db.exec(`
+	#initializeSchema(): void {
+		this.#db.exec(`
 PRAGMA journal_mode=WAL;
 PRAGMA synchronous=NORMAL;
 PRAGMA busy_timeout=5000;
@@ -145,14 +145,14 @@ CREATE INDEX IF NOT EXISTS idx_auth_provider ON auth_credentials(provider);
 	 */
 	saveOAuth(provider: string, credentials: OAuthCredentials): void {
 		const credential: AuthCredential = { type: "oauth", ...credentials };
-		this.replaceForProvider(provider, credential);
+		this.#replaceForProvider(provider, credential);
 	}
 
 	/**
 	 * Get OAuth credentials for a provider.
 	 */
 	getOAuth(provider: string): OAuthCredentials | null {
-		const rows = this.listByProviderStmt.all(provider) as AuthRow[];
+		const rows = this.#listByProviderStmt.all(provider) as AuthRow[];
 		for (const row of rows) {
 			const credential = deserializeCredential(row);
 			if (credential && credential.type === "oauth") {
@@ -167,7 +167,7 @@ CREATE INDEX IF NOT EXISTS idx_auth_provider ON auth_credentials(provider);
 	 * List all providers with credentials.
 	 */
 	listProviders(): string[] {
-		const rows = this.listAllStmt.all() as AuthRow[];
+		const rows = this.#listAllStmt.all() as AuthRow[];
 		const providers = new Set<string>();
 		for (const row of rows) {
 			providers.add(row.provider);
@@ -179,24 +179,24 @@ CREATE INDEX IF NOT EXISTS idx_auth_provider ON auth_credentials(provider);
 	 * Delete all credentials for a provider.
 	 */
 	deleteProvider(provider: string): void {
-		this.deleteByProviderStmt.run(provider);
+		this.#deleteByProviderStmt.run(provider);
 	}
 
 	/**
 	 * Replace all credentials for a provider with a single credential.
 	 */
-	private replaceForProvider(provider: string, credential: AuthCredential): void {
+	#replaceForProvider(provider: string, credential: AuthCredential): void {
 		const serialized = serializeCredential(credential);
 		if (!serialized) return;
 
-		const replace = this.db.transaction(() => {
-			this.deleteByProviderStmt.run(provider);
-			this.insertStmt.run(provider, serialized.credentialType, serialized.data);
+		const replace = this.#db.transaction(() => {
+			this.#deleteByProviderStmt.run(provider);
+			this.#insertStmt.run(provider, serialized.credentialType, serialized.data);
 		});
 		replace();
 	}
 
 	close(): void {
-		this.db.close();
+		this.#db.close();
 	}
 }

package/src/utils/event-stream.ts

@@ -2,19 +2,20 @@ import type { AssistantMessage, AssistantMessageEvent } from "../types";
 
 // Generic event stream class for async iteration
 export class EventStream<T, R = T> implements AsyncIterable<T> {
-	protected queue: T[] = [];
-	protected waiting: ((value: IteratorResult<T>) => void)[] = [];
-	protected done = false;
-	protected finalResultPromise: Promise<R>;
-	protected resolveFinalResult!: (result: R) => void;
-
-	constructor(
-		protected isComplete: (event: T) => boolean,
-		protected extractResult: (event: T) => R,
-	) {
+	queue: T[] = [];
+	waiting: ((value: IteratorResult<T>) => void)[] = [];
+	done = false;
+	finalResultPromise: Promise<R>;
+	resolveFinalResult!: (result: R) => void;
+	isComplete: (event: T) => boolean;
+	extractResult: (event: T) => R;
+
+	constructor(isComplete: (event: T) => boolean, extractResult: (event: T) => R) {
 		const { promise, resolve } = Promise.withResolvers<R>();
 		this.finalResultPromise = promise;
 		this.resolveFinalResult = resolve;
+		this.isComplete = isComplete;
+		this.extractResult = extractResult;
 	}
 
 	push(event: T): void {
@@ -34,7 +35,7 @@ export class EventStream<T, R = T> implements AsyncIterable<T> {
 		}
 	}
 
-	protected deliver(event: T): void {
+	deliver(event: T): void {
 		const waiter = this.waiting.shift();
 		if (waiter) {
 			waiter({ value: event, done: false });
@@ -55,7 +56,7 @@ export class EventStream<T, R = T> implements AsyncIterable<T> {
 		}
 	}
 
-	protected endWaiting(): void {
+	endWaiting(): void {
 		while (this.waiting.length > 0) {
 			const waiter = this.waiting.shift()!;
 			waiter({ value: undefined as any, done: true });
@@ -93,10 +94,10 @@ function isDeltaEvent(event: AssistantMessageEvent): event is DeltaEvent {
 
 export class AssistantMessageEventStream extends EventStream<AssistantMessageEvent, AssistantMessage> {
 	// Throttling state
-	private deltaBuffer: DeltaEvent[] = [];
-	private flushTimer: ReturnType<typeof setTimeout> | null = null;
-	private lastFlushTime = 0;
-	private readonly throttleMs = 50; // 20 updates/sec
+	#deltaBuffer: DeltaEvent[] = [];
+	#flushTimer?: NodeJS.Timeout;
+	#lastFlushTime = 0;
+	readonly #throttleMs = 50; // 20 updates/sec
 
 	constructor() {
 		super(
@@ -117,25 +118,25 @@ export class AssistantMessageEventStream extends EventStream<AssistantMessageEve
 
 		// Check for completion first
 		if (this.isComplete(event)) {
-			this.flushDeltas(); // Flush any pending deltas before completing
+			this.#flushDeltas(); // Flush any pending deltas before completing
 			this.done = true;
 			this.resolveFinalResult(this.extractResult(event));
 		}
 
 		// Delta events get batched and throttled
 		if (isDeltaEvent(event)) {
-			this.deltaBuffer.push(event);
-			this.scheduleFlush();
+			this.#deltaBuffer.push(event);
+			this.#scheduleFlush();
 			return;
 		}
 
 		// Non-delta events flush pending deltas immediately, then emit
-		this.flushDeltas();
+		this.#flushDeltas();
 		this.deliver(event);
 	}
 
 	override end(result?: AssistantMessage): void {
-		this.flushDeltas();
+		this.#flushDeltas();
 		this.done = true;
 		if (result !== undefined) {
 			this.resolveFinalResult(result);
@@ -143,44 +144,44 @@ export class AssistantMessageEventStream extends EventStream<AssistantMessageEve
 		this.endWaiting();
 	}
 
-	private scheduleFlush(): void {
-		if (this.flushTimer) return; // Already scheduled
+	#scheduleFlush(): void {
+		if (this.#flushTimer) return; // Already scheduled
 
 		const now = Bun.nanoseconds();
-		const timeSinceLastFlush = (now - this.lastFlushTime) / 1e6;
+		const timeSinceLastFlush = (now - this.#lastFlushTime) / 1e6;
 
-		if (timeSinceLastFlush >= this.throttleMs) {
+		if (timeSinceLastFlush >= this.#throttleMs) {
 			// Flush immediately if throttle window has passed
-			this.flushDeltas();
+			this.#flushDeltas();
 		} else {
 			// Schedule flush for when throttle window expires
-			const delay = this.throttleMs - timeSinceLastFlush;
-			this.flushTimer = setTimeout(() => {
-				this.flushTimer = null;
-				this.flushDeltas();
+			const delay = this.#throttleMs - timeSinceLastFlush;
+			this.#flushTimer = setTimeout(() => {
+				this.#flushTimer = undefined;
+				this.#flushDeltas();
 			}, delay);
 		}
 	}
 
-	private flushDeltas(): void {
-		if (this.flushTimer) {
-			clearTimeout(this.flushTimer);
-			this.flushTimer = null;
+	#flushDeltas(): void {
+		if (this.#flushTimer) {
+			clearTimeout(this.#flushTimer);
+			this.#flushTimer = undefined;
 		}
 
-		if (this.deltaBuffer.length === 0) return;
+		if (this.#deltaBuffer.length === 0) return;
 
 		// Merge consecutive deltas for the same content block and type
-		const merged = this.mergeDeltas(this.deltaBuffer);
-		this.deltaBuffer = [];
-		this.lastFlushTime = Bun.nanoseconds();
+		const merged = this.#mergeDeltas(this.#deltaBuffer);
+		this.#deltaBuffer = [];
+		this.#lastFlushTime = Bun.nanoseconds();
 
 		for (const event of merged) {
 			this.deliver(event);
 		}
 	}
 
-	private mergeDeltas(deltas: DeltaEvent[]): AssistantMessageEvent[] {
+	#mergeDeltas(deltas: DeltaEvent[]): AssistantMessageEvent[] {
 		if (deltas.length === 0) return [];
 		if (deltas.length === 1) return [deltas[0]];
 

package/src/utils/oauth/anthropic.ts

@@ -14,20 +14,17 @@ const CALLBACK_PATH = "/callback";
 const SCOPES = "org:create_api_key user:profile user:inference";
 
 class AnthropicOAuthFlow extends OAuthCallbackFlow {
-	private verifier: string = "";
-	private challenge: string = "";
+	#verifier: string = "";
+	#challenge: string = "";
 
 	constructor(ctrl: OAuthController) {
 		super(ctrl, CALLBACK_PORT, CALLBACK_PATH);
 	}
 
-	protected async generateAuthUrl(
-		state: string,
-		redirectUri: string,
-	): Promise<{ url: string; instructions?: string }> {
+	async generateAuthUrl(state: string, redirectUri: string): Promise<{ url: string; instructions?: string }> {
 		const pkce = await generatePKCE();
-		this.verifier = pkce.verifier;
-		this.challenge = pkce.challenge;
+		this.#verifier = pkce.verifier;
+		this.#challenge = pkce.challenge;
 
 		const authParams = new URLSearchParams({
 			code: "true",
@@ -35,7 +32,7 @@ class AnthropicOAuthFlow extends OAuthCallbackFlow {
 			response_type: "code",
 			redirect_uri: redirectUri,
 			scope: SCOPES,
-			code_challenge: this.challenge,
+			code_challenge: this.#challenge,
 			code_challenge_method: "S256",
 			state,
 		});
@@ -44,7 +41,7 @@ class AnthropicOAuthFlow extends OAuthCallbackFlow {
 		return { url };
 	}
 
-	protected async exchangeToken(code: string, state: string, redirectUri: string): Promise<OAuthCredentials> {
+	async exchangeToken(code: string, state: string, redirectUri: string): Promise<OAuthCredentials> {
 		const tokenResponse = await fetch(TOKEN_URL, {
 			method: "POST",
 			headers: {
@@ -57,7 +54,7 @@ class AnthropicOAuthFlow extends OAuthCallbackFlow {
 				code,
 				state,
 				redirect_uri: redirectUri,
-				code_verifier: this.verifier,
+				code_verifier: this.#verifier,
 			}),
 		});
 

package/src/utils/oauth/callback-server.ts

@@ -23,11 +23,11 @@ export type CallbackResult = { code: string; state: string };
  * Abstract base class for OAuth flows with local callback servers.
  */
 export abstract class OAuthCallbackFlow {
-	protected ctrl: OAuthController;
-	protected preferredPort: number;
-	protected callbackPath: string;
-	private callbackResolve?: (result: CallbackResult) => void;
-	private callbackReject?: (error: string) => void;
+	ctrl: OAuthController;
+	preferredPort: number;
+	callbackPath: string;
+	#callbackResolve?: (result: CallbackResult) => void;
+	#callbackReject?: (error: string) => void;
 
 	constructor(ctrl: OAuthController, preferredPort: number, callbackPath: string = CALLBACK_PATH) {
 		this.ctrl = ctrl;
@@ -41,10 +41,7 @@ export abstract class OAuthCallbackFlow {
 	 * @param redirectUri - The actual redirect URI to use (may differ from expected if port fallback occurred)
 	 * @returns Authorization URL and optional instructions
 	 */
-	protected abstract generateAuthUrl(
-		state: string,
-		redirectUri: string,
-	): Promise<{ url: string; instructions?: string }>;
+	abstract generateAuthUrl(state: string, redirectUri: string): Promise<{ url: string; instructions?: string }>;
 
 	/**
 	 * Exchange authorization code for OAuth tokens.
@@ -53,12 +50,12 @@ export abstract class OAuthCallbackFlow {
 	 * @param redirectUri - The actual redirect URI used (must match authorization request)
 	 * @returns OAuth credentials
 	 */
-	protected abstract exchangeToken(code: string, state: string, redirectUri: string): Promise<OAuthCredentials>;
+	abstract exchangeToken(code: string, state: string, redirectUri: string): Promise<OAuthCredentials>;
 
 	/**
 	 * Generate CSRF state token. Override if provider needs custom state generation.
 	 */
-	protected generateState(): string {
+	generateState(): string {
 		const bytes = new Uint8Array(16);
 		crypto.getRandomValues(bytes);
 		return Array.from(bytes)
@@ -73,7 +70,7 @@ export abstract class OAuthCallbackFlow {
 		const state = this.generateState();
 
 		// Start callback server first to get actual redirect URI
-		const { server, redirectUri } = await this.startCallbackServer(state);
+		const { server, redirectUri } = await this.#startCallbackServer(state);
 
 		try {
 			// Generate auth URL with the ACTUAL redirect URI (may differ from expected if port was busy)
@@ -84,7 +81,7 @@ export abstract class OAuthCallbackFlow {
 			this.ctrl.onProgress?.("Waiting for browser authentication...");
 
 			// Wait for callback or manual input
-			const { code } = await this.waitForCallback(state);
+			const { code } = await this.#waitForCallback(state);
 
 			this.ctrl.onProgress?.("Exchanging authorization code for tokens...");
 
@@ -97,18 +94,16 @@ export abstract class OAuthCallbackFlow {
 	/**
 	 * Start callback server, trying preferred port first, falling back to random.
 	 */
-	private async startCallbackServer(
-		expectedState: string,
-	): Promise<{ server: Bun.Server<unknown>; redirectUri: string }> {
+	async #startCallbackServer(expectedState: string): Promise<{ server: Bun.Server<unknown>; redirectUri: string }> {
 		// Try preferred port first
 		try {
 			const redirectUri = `http://${DEFAULT_HOSTNAME}:${this.preferredPort}${this.callbackPath}`;
-			const server = this.createServer(this.preferredPort, expectedState);
+			const server = this.#createServer(this.preferredPort, expectedState);
 			return { server, redirectUri };
 		} catch {
 			// Port busy or unavailable, try random port
 			const randomPort = 0; // Let OS assign
-			const server = this.createServer(randomPort, expectedState);
+			const server = this.#createServer(randomPort, expectedState);
 			const actualPort = server.port;
 			const redirectUri = `http://${DEFAULT_HOSTNAME}:${actualPort}${this.callbackPath}`;
 			this.ctrl.onProgress?.(`Preferred port ${this.preferredPort} unavailable, using port ${actualPort}`);
@@ -119,19 +114,19 @@ export abstract class OAuthCallbackFlow {
 	/**
 	 * Create HTTP server for OAuth callback.
 	 */
-	private createServer(port: number, expectedState: string): Bun.Server<unknown> {
+	#createServer(port: number, expectedState: string): Bun.Server<unknown> {
 		return Bun.serve({
 			hostname: DEFAULT_HOSTNAME,
 			port,
 			reusePort: false,
-			fetch: req => this.handleCallback(req, expectedState),
+			fetch: req => this.#handleCallback(req, expectedState),
 		});
 	}
 
 	/**
 	 * Handle OAuth callback HTTP request.
 	 */
-	private handleCallback(req: Request, expectedState: string): Response {
+	#handleCallback(req: Request, expectedState: string): Response {
 		const url = new URL(req.url);
 
 		if (url.pathname !== this.callbackPath) {
@@ -158,8 +153,8 @@ export abstract class OAuthCallbackFlow {
 		}
 
 		// Signal to waitForCallback - capture refs before they could be cleared
-		const resolve = this.callbackResolve;
-		const reject = this.callbackReject;
+		const resolve = this.#callbackResolve;
+		const reject = this.#callbackReject;
 		queueMicrotask(() => {
 			if (resultState.ok) {
 				resolve?.({ code: resultState.code, state: resultState.state });
@@ -180,17 +175,17 @@ export abstract class OAuthCallbackFlow {
 	/**
 	 * Wait for OAuth callback or manual input (whichever comes first).
 	 */
-	private waitForCallback(expectedState: string): Promise<CallbackResult> {
+	#waitForCallback(expectedState: string): Promise<CallbackResult> {
 		const timeoutSignal = AbortSignal.timeout(DEFAULT_TIMEOUT);
 		const signal = this.ctrl.signal ? AbortSignal.any([this.ctrl.signal, timeoutSignal]) : timeoutSignal;
 
 		const callbackPromise = new Promise<CallbackResult>((resolve, reject) => {
-			this.callbackResolve = resolve;
-			this.callbackReject = reject;
+			this.#callbackResolve = resolve;
+			this.#callbackReject = reject;
 
 			signal.addEventListener("abort", () => {
-				this.callbackResolve = undefined;
-				this.callbackReject = undefined;
+				this.#callbackResolve = undefined;
+				this.#callbackReject = undefined;
 				reject(new Error(`OAuth callback cancelled: ${signal.reason}`));
 			});
 		});

package/src/utils/oauth/google-antigravity.ts

@@ -103,27 +103,24 @@ async function getUserEmail(accessToken: string): Promise<string | undefined> {
 }
 
 class AntigravityOAuthFlow extends OAuthCallbackFlow {
-	private verifier: string = "";
-	private challenge: string = "";
+	#verifier: string = "";
+	#challenge: string = "";
 
 	constructor(ctrl: OAuthController) {
 		super(ctrl, CALLBACK_PORT, CALLBACK_PATH);
 	}
 
-	protected async generateAuthUrl(
-		state: string,
-		redirectUri: string,
-	): Promise<{ url: string; instructions?: string }> {
+	async generateAuthUrl(state: string, redirectUri: string): Promise<{ url: string; instructions?: string }> {
 		const pkce = await generatePKCE();
-		this.verifier = pkce.verifier;
-		this.challenge = pkce.challenge;
+		this.#verifier = pkce.verifier;
+		this.#challenge = pkce.challenge;
 
 		const authParams = new URLSearchParams({
 			client_id: CLIENT_ID,
 			response_type: "code",
 			redirect_uri: redirectUri,
 			scope: SCOPES.join(" "),
-			code_challenge: this.challenge,
+			code_challenge: this.#challenge,
 			code_challenge_method: "S256",
 			state,
 			access_type: "offline",
@@ -134,7 +131,7 @@ class AntigravityOAuthFlow extends OAuthCallbackFlow {
 		return { url, instructions: "Complete the sign-in in your browser." };
 	}
 
-	protected async exchangeToken(code: string, _state: string, redirectUri: string): Promise<OAuthCredentials> {
+	async exchangeToken(code: string, _state: string, redirectUri: string): Promise<OAuthCredentials> {
 		this.ctrl.onProgress?.("Exchanging authorization code for tokens...");
 
 		const tokenResponse = await fetch(TOKEN_URL, {
@@ -146,7 +143,7 @@ class AntigravityOAuthFlow extends OAuthCallbackFlow {
 				code,
 				grant_type: "authorization_code",
 				redirect_uri: redirectUri,
-				code_verifier: this.verifier,
+				code_verifier: this.#verifier,
 			}),
 		});
 

package/src/utils/oauth/google-gemini-cli.ts

@@ -228,27 +228,24 @@ async function getUserEmail(accessToken: string): Promise<string | undefined> {
 }
 
 class GeminiCliOAuthFlow extends OAuthCallbackFlow {
-	private verifier: string = "";
-	private challenge: string = "";
+	#verifier: string = "";
+	#challenge: string = "";
 
 	constructor(ctrl: OAuthController) {
 		super(ctrl, CALLBACK_PORT, CALLBACK_PATH);
 	}
 
-	protected async generateAuthUrl(
-		state: string,
-		redirectUri: string,
-	): Promise<{ url: string; instructions?: string }> {
+	async generateAuthUrl(state: string, redirectUri: string): Promise<{ url: string; instructions?: string }> {
 		const pkce = await generatePKCE();
-		this.verifier = pkce.verifier;
-		this.challenge = pkce.challenge;
+		this.#verifier = pkce.verifier;
+		this.#challenge = pkce.challenge;
 
 		const authParams = new URLSearchParams({
 			client_id: CLIENT_ID,
 			response_type: "code",
 			redirect_uri: redirectUri,
 			scope: SCOPES.join(" "),
-			code_challenge: this.challenge,
+			code_challenge: this.#challenge,
 			code_challenge_method: "S256",
 			state,
 			access_type: "offline",
@@ -259,7 +256,7 @@ class GeminiCliOAuthFlow extends OAuthCallbackFlow {
 		return { url, instructions: "Complete the sign-in in your browser." };
 	}
 
-	protected async exchangeToken(code: string, _state: string, redirectUri: string): Promise<OAuthCredentials> {
+	async exchangeToken(code: string, _state: string, redirectUri: string): Promise<OAuthCredentials> {
 		this.ctrl.onProgress?.("Exchanging authorization code for tokens...");
 
 		const tokenResponse = await fetch(TOKEN_URL, {
@@ -271,7 +268,7 @@ class GeminiCliOAuthFlow extends OAuthCallbackFlow {
 				code,
 				grant_type: "authorization_code",
 				redirect_uri: redirectUri,
-				code_verifier: this.verifier,
+				code_verifier: this.#verifier,
 			}),
 		});
 

package/src/utils/oauth/openai-codex.ts

@@ -53,10 +53,7 @@ class OpenAICodexOAuthFlow extends OAuthCallbackFlow {
 		super(ctrl, CALLBACK_PORT, CALLBACK_PATH);
 	}
 
-	protected async generateAuthUrl(
-		state: string,
-		redirectUri: string,
-	): Promise<{ url: string; instructions?: string }> {
+	async generateAuthUrl(state: string, redirectUri: string): Promise<{ url: string; instructions?: string }> {
 		const searchParams = new URLSearchParams({
 			response_type: "code",
 			client_id: CLIENT_ID,
@@ -74,7 +71,7 @@ class OpenAICodexOAuthFlow extends OAuthCallbackFlow {
 		return { url, instructions: "A browser window should open. Complete login to finish." };
 	}
 
-	protected async exchangeToken(code: string, _state: string, redirectUri: string): Promise<OAuthCredentials> {
+	async exchangeToken(code: string, _state: string, redirectUri: string): Promise<OAuthCredentials> {
 		return exchangeCodeForToken(code, this.pkce.verifier, redirectUri);
 	}
 }

package/src/utils/validation.ts

@@ -1,11 +1,7 @@
-import AjvModule from "ajv";
-import addFormatsModule from "ajv-formats";
+import Ajv from "ajv";
+import addFormats from "ajv-formats";
 import type { Tool, ToolCall } from "../types";
 
-// Handle both default and named exports (ESM/CJS interop)
-const Ajv = (AjvModule as any).default || AjvModule;
-const addFormats = (addFormatsModule as any).default || addFormatsModule;
-
 // ============================================================================
 // Type Coercion Utilities
 // ============================================================================
@@ -281,25 +277,13 @@ function coerceArgsFromErrors(
 	return { value: changed ? nextArgs : args, changed };
 }
 
-// Detect if we're in a browser extension environment with strict CSP
-// Chrome extensions with Manifest V3 don't allow eval/Function constructor
-const isBrowserExtension = typeof globalThis !== "undefined" && (globalThis as any).chrome?.runtime?.id !== undefined;
-
 // Create a singleton AJV instance with formats (only if not in browser extension)
 // AJV requires 'unsafe-eval' CSP which is not allowed in Manifest V3
-let ajv: any = null;
-if (!isBrowserExtension) {
-	try {
-		ajv = new Ajv({
-			allErrors: true,
-			strict: false,
-		});
-		addFormats(ajv);
-	} catch {
-		// AJV initialization failed (likely CSP restriction)
-		console.warn("AJV validation disabled due to CSP restrictions");
-	}
-}
+const ajv = new Ajv({
+	allErrors: true,
+	strict: false,
+});
+addFormats(ajv);
 
 /**
  * Finds a tool by name and validates the tool call arguments against its TypeBox schema
@@ -326,13 +310,6 @@ export function validateToolCall(tools: Tool[], toolCall: ToolCall): any {
 export function validateToolArguments(tool: Tool, toolCall: ToolCall): any {
 	const originalArgs = toolCall.arguments;
 
-	// Skip validation in browser extension environment (CSP restrictions prevent AJV from working)
-	if (!ajv || isBrowserExtension) {
-		// Trust the LLM's output without validation
-		// Browser extensions can't use AJV due to Manifest V3 CSP restrictions
-		return originalArgs;
-	}
-
 	// Compile the schema
 	const validate = ajv.compile(tool.parameters);