@oh-my-pi/pi-ai 3.37.0 → 4.0.0

package/README.md

@@ -909,12 +909,48 @@ Several providers require OAuth authentication instead of static API keys:
 - **Anthropic** (Claude Pro/Max subscription)
 - **OpenAI Codex** (ChatGPT Plus/Pro subscription, access to GPT-5.x Codex models)
 - **GitHub Copilot** (Copilot subscription)
-- **Google Gemini CLI** (Free Gemini 2.0/2.5 via Google Cloud Code Assist)
+- **Google Gemini CLI** (Gemini 2.0/2.5 via Google Cloud Code Assist; free tier or paid subscription)
 - **Antigravity** (Free Gemini 3, Claude, GPT-OSS via Google Cloud)
 
+For paid Cloud Code Assist subscriptions, set `GOOGLE_CLOUD_PROJECT` or `GOOGLE_CLOUD_PROJECT_ID` to your project ID.
+
 ### Vertex AI (ADC)
 
-Vertex AI models use Application Default Credentials. Run `gcloud auth application-default login`, set `GOOGLE_CLOUD_PROJECT` (or `GCLOUD_PROJECT`), and `GOOGLE_CLOUD_LOCATION`. You can also pass `project`/`location` in the call options.
+Vertex AI models use Application Default Credentials (ADC):
+
+- **Local development**: Run `gcloud auth application-default login`
+- **CI/Production**: Set `GOOGLE_APPLICATION_CREDENTIALS` to point to a service account JSON key file
+
+Also set `GOOGLE_CLOUD_PROJECT` (or `GCLOUD_PROJECT`) and `GOOGLE_CLOUD_LOCATION`. You can also pass `project`/`location` in the call options.
+
+Example:
+
+```bash
+# Local (uses your user credentials)
+gcloud auth application-default login
+export GOOGLE_CLOUD_PROJECT="my-project"
+export GOOGLE_CLOUD_LOCATION="us-central1"
+
+# CI/Production (service account key file)
+export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account.json"
+```
+
+```typescript
+import { getModel, complete } from "@oh-my-pi/pi-ai";
+
+(async () => {
+	const model = getModel("google-vertex", "gemini-2.5-flash");
+	const response = await complete(model, {
+		messages: [{ role: "user", content: "Hello from Vertex AI" }],
+	});
+
+	for (const block of response.content) {
+		if (block.type === "text") console.log(block.text);
+	}
+})().catch(console.error);
+```
+
+Official docs: [Application Default Credentials](https://cloud.google.com/docs/authentication/application-default-credentials)
 
 ### CLI Login
 

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@oh-my-pi/pi-ai",
-	"version": "3.37.0",
+	"version": "4.0.0",
 	"description": "Unified LLM API with automatic model discovery and provider configuration",
 	"type": "module",
 	"main": "./src/index.ts",

package/src/cli.ts

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 
-import { existsSync, readFileSync, writeFileSync } from "fs";
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
 import { createInterface } from "readline";
 import { loginAnthropic } from "./utils/oauth/anthropic";
 import { loginGitHubCopilot } from "./utils/oauth/github-copilot";

package/src/models.generated.ts

@@ -1156,10 +1156,10 @@ export const MODELS = {
 			reasoning: true,
 			input: ["text", "image"],
 			cost: {
-				input: 0,
-				output: 0,
-				cacheRead: 0,
-				cacheWrite: 0,
+				input: 5,
+				output: 25,
+				cacheRead: 0.5,
+				cacheWrite: 6.25,
 			},
 			contextWindow: 200000,
 			maxTokens: 64000,
@@ -1173,10 +1173,10 @@ export const MODELS = {
 			reasoning: false,
 			input: ["text", "image"],
 			cost: {
-				input: 0,
-				output: 0,
-				cacheRead: 0,
-				cacheWrite: 0,
+				input: 3,
+				output: 15,
+				cacheRead: 0.3,
+				cacheWrite: 3.75,
 			},
 			contextWindow: 200000,
 			maxTokens: 64000,
@@ -1190,10 +1190,10 @@ export const MODELS = {
 			reasoning: true,
 			input: ["text", "image"],
 			cost: {
-				input: 0,
-				output: 0,
-				cacheRead: 0,
-				cacheWrite: 0,
+				input: 3,
+				output: 15,
+				cacheRead: 0.3,
+				cacheWrite: 3.75,
 			},
 			contextWindow: 200000,
 			maxTokens: 64000,
@@ -1207,9 +1207,9 @@ export const MODELS = {
 			reasoning: true,
 			input: ["text", "image"],
 			cost: {
-				input: 0,
-				output: 0,
-				cacheRead: 0,
+				input: 0.5,
+				output: 3,
+				cacheRead: 0.5,
 				cacheWrite: 0,
 			},
 			contextWindow: 1048576,
@@ -1224,10 +1224,10 @@ export const MODELS = {
 			reasoning: true,
 			input: ["text", "image"],
 			cost: {
-				input: 0,
-				output: 0,
-				cacheRead: 0,
-				cacheWrite: 0,
+				input: 2,
+				output: 12,
+				cacheRead: 0.2,
+				cacheWrite: 2.375,
 			},
 			contextWindow: 1048576,
 			maxTokens: 65535,
@@ -1241,10 +1241,10 @@ export const MODELS = {
 			reasoning: true,
 			input: ["text", "image"],
 			cost: {
-				input: 0,
-				output: 0,
-				cacheRead: 0,
-				cacheWrite: 0,
+				input: 2,
+				output: 12,
+				cacheRead: 0.2,
+				cacheWrite: 2.375,
 			},
 			contextWindow: 1048576,
 			maxTokens: 65535,
@@ -1258,8 +1258,8 @@ export const MODELS = {
 			reasoning: false,
 			input: ["text"],
 			cost: {
-				input: 0,
-				output: 0,
+				input: 0.09,
+				output: 0.36,
 				cacheRead: 0,
 				cacheWrite: 0,
 			},
@@ -5192,17 +5192,17 @@ export const MODELS = {
 			contextWindow: 262144,
 			maxTokens: 65535,
 		} satisfies Model<"openai-completions">,
-		"nex-agi/deepseek-v3.1-nex-n1:free": {
-			id: "nex-agi/deepseek-v3.1-nex-n1:free",
-			name: "Nex AGI: DeepSeek V3.1 Nex N1 (free)",
+		"nex-agi/deepseek-v3.1-nex-n1": {
+			id: "nex-agi/deepseek-v3.1-nex-n1",
+			name: "Nex AGI: DeepSeek V3.1 Nex N1",
 			api: "openai-completions",
 			provider: "openrouter",
 			baseUrl: "https://openrouter.ai/api/v1",
 			reasoning: false,
 			input: ["text"],
 			cost: {
-				input: 0,
-				output: 0,
+				input: 0.27,
+				output: 1,
 				cacheRead: 0,
 				cacheWrite: 0,
 			},

package/src/providers/anthropic.ts

@@ -29,15 +29,32 @@ import { sanitizeSurrogates } from "../utils/sanitize-unicode";
 
 import { transformMessages } from "./transorm-messages";
 
-// Stealth mode: Mimic Claude Code's tool naming exactly
-const claudeCodeVersion = "2.1.2";
-
-// Prefix all tool names to avoid collisions with Claude Code's built-in tools
-const toolNamePrefix = "cli_";
+// Stealth mode: Mimic Claude Code headers while avoiding tool name collisions.
+export const claudeCodeVersion = "1.0.83";
+export const claudeToolPrefix = "proxy_";
+export const claudeCodeSystemInstruction = "You are Claude Code, Anthropic's official CLI for Claude.";
+export const claudeCodeHeaders = {
+	"anthropic-version": "2023-06-01",
+	"x-stainless-helper-method": "stream",
+	"x-stainless-retry-count": "0",
+	"x-stainless-runtime-version": "v24.3.0",
+	"x-stainless-package-version": "0.55.1",
+	"x-stainless-runtime": "node",
+	"x-stainless-lang": "js",
+	"x-stainless-arch": "arm64",
+	"x-stainless-os": "MacOS",
+	"x-stainless-timeout": "60",
+} as const;
+
+export const applyClaudeToolPrefix = (name: string) => {
+	if (!claudeToolPrefix || name.startsWith(claudeToolPrefix)) return name;
+	return `${claudeToolPrefix}${name}`;
+};
 
-const toClaudeCodeName = (name: string) => toolNamePrefix + name;
-const fromClaudeCodeName = (name: string) =>
-	name.startsWith(toolNamePrefix) ? name.slice(toolNamePrefix.length) : name;
+export const stripClaudeToolPrefix = (name: string) => {
+	if (!claudeToolPrefix || !name.startsWith(claudeToolPrefix)) return name;
+	return name.slice(claudeToolPrefix.length);
+};
 
 /**
  * Convert content blocks to Anthropic API format
@@ -96,6 +113,7 @@ export interface AnthropicOptions extends StreamOptions {
 	thinkingBudgetTokens?: number;
 	interleavedThinking?: boolean;
 	toolChoice?: "auto" | "any" | "none" | { type: "tool"; name: string };
+	betas?: string[] | string;
 }
 
 export const streamAnthropic: StreamFunction<"anthropic-messages"> = (
@@ -126,7 +144,8 @@ export const streamAnthropic: StreamFunction<"anthropic-messages"> = (
 
 		try {
 			const apiKey = options?.apiKey ?? getEnvApiKey(model.provider) ?? "";
-			const { client, isOAuthToken } = createClient(model, apiKey, options?.interleavedThinking ?? true);
+			const extraBetas = normalizeExtraBetas(options?.betas);
+			const { client, isOAuthToken } = createClient(model, apiKey, options?.interleavedThinking ?? true, extraBetas);
 			const params = buildParams(model, context, isOAuthToken, options);
 			const anthropicStream = client.messages.stream({ ...params, stream: true }, { signal: options?.signal });
 			stream.push({ type: "start", partial: output });
@@ -168,7 +187,7 @@ export const streamAnthropic: StreamFunction<"anthropic-messages"> = (
 						const block: Block = {
 							type: "toolCall",
 							id: event.content_block.id,
-							name: isOAuthToken ? fromClaudeCodeName(event.content_block.name) : event.content_block.name,
+							name: isOAuthToken ? stripClaudeToolPrefix(event.content_block.name) : event.content_block.name,
 							arguments: event.content_block.input as Record<string, any>,
 							partialJson: "",
 							index: event.index,
@@ -293,8 +312,14 @@ function isOAuthToken(apiKey: string): boolean {
 	return apiKey.includes("sk-ant-oat");
 }
 
+export function normalizeExtraBetas(betas?: string[] | string): string[] {
+	if (!betas) return [];
+	const raw = Array.isArray(betas) ? betas : betas.split(",");
+	return raw.map((beta) => beta.trim()).filter((beta) => beta.length > 0);
+}
+
 // Build deduplicated beta header string
-function buildBetaHeader(baseBetas: string[], extraBetas: string[]): string {
+export function buildBetaHeader(baseBetas: string[], extraBetas: string[]): string {
 	const seen = new Set<string>();
 	const result: string[] = [];
 	for (const beta of [...baseBetas, ...extraBetas]) {
@@ -311,32 +336,33 @@ function createClient(
 	model: Model<"anthropic-messages">,
 	apiKey: string,
 	interleavedThinking: boolean,
+	extraBetas: string[],
 ): { client: Anthropic; isOAuthToken: boolean } {
 	const oauthToken = isOAuthToken(apiKey);
 
 	// Base betas required for Claude Code compatibility
 	const baseBetas = oauthToken
-		? [
-				"claude-code-20250219",
-				"oauth-2025-04-20",
-				"interleaved-thinking-2025-05-14",
-				"fine-grained-tool-streaming-2025-05-14",
-			]
+		? ["claude-code-20250219", "oauth-2025-04-20", "fine-grained-tool-streaming-2025-05-14"]
 		: ["fine-grained-tool-streaming-2025-05-14"];
 
-	// Add interleaved thinking if requested (and not already in base)
-	const extraBetas: string[] = [];
-	if (interleavedThinking && !oauthToken) {
-		extraBetas.push("interleaved-thinking-2025-05-14");
+	// Add interleaved thinking if requested
+	const mergedBetas: string[] = [];
+	if (interleavedThinking) {
+		mergedBetas.push("interleaved-thinking-2025-05-14");
 	}
 
 	// Include any betas from model headers
 	const modelBeta = model.headers?.["anthropic-beta"];
 	if (modelBeta) {
-		extraBetas.push(...modelBeta.split(","));
+		mergedBetas.push(...normalizeExtraBetas(modelBeta));
 	}
 
-	const betaHeader = buildBetaHeader(baseBetas, extraBetas);
+	// Include any betas passed via options
+	if (extraBetas.length > 0) {
+		mergedBetas.push(...extraBetas);
+	}
+
+	const betaHeader = buildBetaHeader(baseBetas, mergedBetas);
 
 	if (oauthToken) {
 		// Stealth mode: Mimic Claude Code's headers exactly
@@ -346,6 +372,7 @@ function createClient(
 			"anthropic-beta": betaHeader,
 			"user-agent": `claude-cli/${claudeCodeVersion} (external, cli)`,
 			"x-app": "cli",
+			...claudeCodeHeaders,
 			...(model.headers || {}),
 		};
 		// Don't duplicate anthropic-beta from model.headers
@@ -367,6 +394,9 @@ function createClient(
 		accept: "application/json",
 		"anthropic-dangerous-direct-browser-access": "true",
 		"anthropic-beta": betaHeader,
+		"user-agent": `claude-cli/${claudeCodeVersion} (external, cli)`,
+		"x-app": "cli",
+		...claudeCodeHeaders,
 		...(model.headers || {}),
 	};
 	// Ensure our beta header takes precedence
@@ -382,6 +412,80 @@ function createClient(
 	return { client, isOAuthToken: false };
 }
 
+export type AnthropicSystemBlock = {
+	type: "text";
+	text: string;
+	cache_control?: { type: "ephemeral" };
+};
+
+type SystemBlockOptions = {
+	includeClaudeCodeInstruction?: boolean;
+	includeCacheControl?: boolean;
+	extraInstructions?: string[];
+};
+
+export function buildAnthropicSystemBlocks(
+	systemPrompt: string | undefined,
+	options: SystemBlockOptions = {},
+): AnthropicSystemBlock[] | undefined {
+	const { includeClaudeCodeInstruction = false, includeCacheControl = true, extraInstructions = [] } = options;
+	const blocks: AnthropicSystemBlock[] = [];
+	const sanitizedPrompt = systemPrompt ? sanitizeSurrogates(systemPrompt) : "";
+	const hasClaudeCodeInstruction = sanitizedPrompt.includes(claudeCodeSystemInstruction);
+	const cacheControl = includeCacheControl ? { type: "ephemeral" as const } : undefined;
+
+	if (includeClaudeCodeInstruction && !hasClaudeCodeInstruction) {
+		blocks.push({
+			type: "text",
+			text: claudeCodeSystemInstruction,
+			...(cacheControl ? { cache_control: cacheControl } : {}),
+		});
+	}
+
+	for (const instruction of extraInstructions) {
+		const trimmed = instruction.trim();
+		if (!trimmed) continue;
+		blocks.push({
+			type: "text",
+			text: trimmed,
+			...(cacheControl ? { cache_control: cacheControl } : {}),
+		});
+	}
+
+	if (systemPrompt) {
+		blocks.push({
+			type: "text",
+			text: sanitizedPrompt,
+			...(cacheControl ? { cache_control: cacheControl } : {}),
+		});
+	}
+
+	return blocks.length > 0 ? blocks : undefined;
+}
+
+function disableThinkingIfToolChoiceForced(params: MessageCreateParamsStreaming): void {
+	const toolChoice = params.tool_choice;
+	if (!toolChoice) return;
+	if (toolChoice.type === "any" || toolChoice.type === "tool") {
+		delete params.thinking;
+	}
+}
+
+function ensureMaxTokensForThinking(params: MessageCreateParamsStreaming, model: Model<"anthropic-messages">): void {
+	const thinking = params.thinking;
+	if (!thinking || thinking.type !== "enabled") return;
+
+	const budgetTokens = thinking.budget_tokens ?? 0;
+	if (budgetTokens <= 0) return;
+
+	const maxTokens = params.max_tokens ?? 0;
+	const fallbackBuffer = 4000;
+	const requiredMaxTokens = model.maxTokens > 0 ? model.maxTokens : budgetTokens + fallbackBuffer;
+	if (maxTokens < requiredMaxTokens) {
+		params.max_tokens = requiredMaxTokens;
+	}
+}
+
 function buildParams(
 	model: Model<"anthropic-messages">,
 	context: Context,
@@ -395,37 +499,13 @@ function buildParams(
 		stream: true,
 	};
 
-	// For OAuth tokens, we MUST include Claude Code identity
-	if (isOAuthToken) {
-		params.system = [
-			{
-				type: "text",
-				text: "You are Claude Code, Anthropic's official CLI for Claude.",
-				cache_control: {
-					type: "ephemeral",
-				},
-			},
-		];
-		if (context.systemPrompt) {
-			params.system.push({
-				type: "text",
-				text: sanitizeSurrogates(context.systemPrompt),
-				cache_control: {
-					type: "ephemeral",
-				},
-			});
-		}
-	} else if (context.systemPrompt) {
-		// Add cache control to system prompt for non-OAuth tokens
-		params.system = [
-			{
-				type: "text",
-				text: sanitizeSurrogates(context.systemPrompt),
-				cache_control: {
-					type: "ephemeral",
-				},
-			},
-		];
+	const includeClaudeCodeSystem = !model.id.startsWith("claude-3-5-haiku");
+	const systemBlocks = buildAnthropicSystemBlocks(context.systemPrompt, {
+		includeClaudeCodeInstruction: includeClaudeCodeSystem,
+		includeCacheControl: true,
+	});
+	if (systemBlocks) {
+		params.system = systemBlocks;
 	}
 
 	if (options?.temperature !== undefined) {
@@ -448,12 +528,15 @@ function buildParams(
 			params.tool_choice = { type: options.toolChoice };
 		} else if (isOAuthToken && options.toolChoice.name) {
 			// Prefix tool name in tool_choice for OAuth mode
-			params.tool_choice = { ...options.toolChoice, name: toClaudeCodeName(options.toolChoice.name) };
+			params.tool_choice = { ...options.toolChoice, name: applyClaudeToolPrefix(options.toolChoice.name) };
 		} else {
 			params.tool_choice = options.toolChoice;
 		}
 	}
 
+	disableThinkingIfToolChoiceForced(params);
+	ensureMaxTokensForThinking(params, model);
+
 	return params;
 }
 
@@ -546,7 +629,7 @@ function convertMessages(
 					blocks.push({
 						type: "tool_use",
 						id: sanitizeToolCallId(block.id),
-						name: isOAuthToken ? toClaudeCodeName(block.name) : block.name,
+						name: isOAuthToken ? applyClaudeToolPrefix(block.name) : block.name,
 						input: block.arguments,
 					});
 				}
@@ -619,7 +702,7 @@ function convertTools(tools: Tool[], isOAuthToken: boolean): Anthropic.Messages.
 		const jsonSchema = tool.parameters as any; // TypeBox already generates JSON Schema
 
 		return {
-			name: isOAuthToken ? toClaudeCodeName(tool.name) : tool.name,
+			name: isOAuthToken ? applyClaudeToolPrefix(tool.name) : tool.name,
 			description: tool.description,
 			input_schema: {
 				type: "object" as const,

package/src/providers/openai-completions.ts

@@ -308,6 +308,9 @@ export const streamOpenAICompletions: StreamFunction<"openai-completions"> = (
 			for (const block of output.content) delete (block as any).index;
 			output.stopReason = options?.signal?.aborted ? "aborted" : "error";
 			output.errorMessage = formatErrorMessageWithRetryAfter(error);
+			// Some providers via OpenRouter include extra details here.
+			const rawMetadata = (error as { error?: { metadata?: { raw?: string } } })?.error?.metadata?.raw;
+			if (rawMetadata) output.errorMessage += `\n${rawMetadata}`;
 			stream.push({ type: "error", reason: output.stopReason, error: output });
 			stream.end();
 		}
@@ -368,9 +371,12 @@ function buildParams(model: Model<"openai-completions">, context: Context, optio
 		model: model.id,
 		messages,
 		stream: true,
-		stream_options: { include_usage: true },
 	};
 
+	if (compat.supportsUsageInStreaming !== false) {
+		(params as { stream_options?: { include_usage: boolean } }).stream_options = { include_usage: true };
+	}
+
 	if (compat.supportsStore) {
 		params.store = false;
 	}
@@ -610,6 +616,7 @@ function convertTools(tools: Tool[]): OpenAI.Chat.Completions.ChatCompletionTool
 			name: tool.name,
 			description: tool.description,
 			parameters: tool.parameters as any, // TypeBox already generates JSON Schema
+			strict: false, // Disable strict mode to allow optional parameters without null unions
 		},
 	}));
 }
@@ -654,6 +661,7 @@ function detectCompatFromUrl(baseUrl: string): Required<OpenAICompat> {
 		supportsStore: !isNonStandard,
 		supportsDeveloperRole: !isNonStandard,
 		supportsReasoningEffort: !isGrok,
+		supportsUsageInStreaming: true,
 		maxTokensField: useMaxTokens ? "max_tokens" : "max_completion_tokens",
 		requiresToolResultName: isMistral,
 		requiresAssistantAfterToolResult: false, // Mistral no longer requires this as of Dec 2024
@@ -674,6 +682,7 @@ function getCompat(model: Model<"openai-completions">): Required<OpenAICompat> {
 		supportsStore: model.compat.supportsStore ?? detected.supportsStore,
 		supportsDeveloperRole: model.compat.supportsDeveloperRole ?? detected.supportsDeveloperRole,
 		supportsReasoningEffort: model.compat.supportsReasoningEffort ?? detected.supportsReasoningEffort,
+		supportsUsageInStreaming: model.compat.supportsUsageInStreaming ?? detected.supportsUsageInStreaming,
 		maxTokensField: model.compat.maxTokensField ?? detected.maxTokensField,
 		requiresToolResultName: model.compat.requiresToolResultName ?? detected.requiresToolResultName,
 		requiresAssistantAfterToolResult:

package/src/providers/openai-responses.ts

@@ -544,7 +544,7 @@ function convertTools(tools: Tool[]): OpenAITool[] {
 		name: tool.name,
 		description: tool.description,
 		parameters: tool.parameters as any, // TypeBox already generates JSON Schema
-		strict: null,
+		strict: false,
 	}));
 }
 

package/src/stream.ts

@@ -26,13 +26,18 @@ import type {
 	ThinkingLevel,
 } from "./types";
 
-const VERTEX_ADC_CREDENTIALS_PATH = join(homedir(), ".config", "gcloud", "application_default_credentials.json");
-
 let cachedVertexAdcCredentialsExists: boolean | null = null;
 
 function hasVertexAdcCredentials(): boolean {
 	if (cachedVertexAdcCredentialsExists === null) {
-		cachedVertexAdcCredentialsExists = existsSync(VERTEX_ADC_CREDENTIALS_PATH);
+		const gacPath = process.env.GOOGLE_APPLICATION_CREDENTIALS;
+		if (gacPath) {
+			cachedVertexAdcCredentialsExists = existsSync(gacPath);
+		} else {
+			cachedVertexAdcCredentialsExists = existsSync(
+				join(homedir(), ".config", "gcloud", "application_default_credentials.json"),
+			);
+		}
 	}
 	return cachedVertexAdcCredentialsExists;
 }

package/src/types.ts

@@ -208,6 +208,8 @@ export interface OpenAICompat {
 	supportsDeveloperRole?: boolean;
 	/** Whether the provider supports `reasoning_effort`. Default: auto-detected from URL. */
 	supportsReasoningEffort?: boolean;
+	/** Whether the provider supports `stream_options: { include_usage: true }` for token usage in streaming responses. Default: true. */
+	supportsUsageInStreaming?: boolean;
 	/** Which field to use for max tokens. Default: auto-detected from URL. */
 	maxTokensField?: "max_completion_tokens" | "max_tokens";
 	/** Whether tool results require the `name` field. Default: auto-detected from URL. */

package/src/utils/oauth/anthropic.ts

@@ -12,6 +12,30 @@ const TOKEN_URL = "https://console.anthropic.com/v1/oauth/token";
 const REDIRECT_URI = "https://console.anthropic.com/oauth/code/callback";
 const SCOPES = "org:create_api_key user:profile user:inference";
 
+function parseAuthCode(input: string): { code: string; state?: string } {
+	const trimmed = input.trim();
+	if (!trimmed) return { code: "" };
+
+	try {
+		const url = new URL(trimmed);
+		const code = url.searchParams.get("code") ?? "";
+		const state = url.searchParams.get("state") ?? undefined;
+		if (code) return { code, state };
+	} catch {
+		// Ignore invalid URL parsing and fall back to manual parsing.
+	}
+
+	if (trimmed.includes("code=")) {
+		const params = new URLSearchParams(trimmed.replace(/^[?#]/, ""));
+		const code = params.get("code") ?? "";
+		const state = params.get("state") ?? undefined;
+		if (code) return { code, state };
+	}
+
+	const [code, state] = trimmed.split("#");
+	return { code, state };
+}
+
 /**
  * Login with Anthropic OAuth (device code flow)
  *
@@ -43,9 +67,7 @@ export async function loginAnthropic(
 
 	// Wait for user to paste authorization code (format: code#state)
 	const authCode = await onPromptCode();
-	const splits = authCode.split("#");
-	const code = splits[0];
-	const state = splits[1];
+	const { code, state } = parseAuthCode(authCode);
 
 	// Exchange code for tokens
 	const tokenResponse = await fetch(TOKEN_URL, {
@@ -56,8 +78,8 @@ export async function loginAnthropic(
 		body: JSON.stringify({
 			grant_type: "authorization_code",
 			client_id: CLIENT_ID,
-			code: code,
-			state: state,
+			code,
+			...(state ? { state } : {}),
 			redirect_uri: REDIRECT_URI,
 			code_verifier: verifier,
 		}),
@@ -111,7 +133,7 @@ export async function refreshAnthropicToken(refreshToken: string): Promise<OAuth
 	};
 
 	return {
-		refresh: data.refresh_token,
+		refresh: data.refresh_token || refreshToken,
 		access: data.access_token,
 		expires: Date.now() + data.expires_in * 1000 - 5 * 60 * 1000,
 	};

package/src/utils/oauth/google-gemini-cli.ts

@@ -122,13 +122,28 @@ interface LoadCodeAssistPayload {
 	allowedTiers?: Array<{ id?: string; isDefault?: boolean }>;
 }
 
-interface OnboardUserPayload {
+/**
+ * Long-running operation response from onboardUser
+ */
+interface LongRunningOperationResponse {
+	name?: string;
 	done?: boolean;
 	response?: {
 		cloudaicompanionProject?: { id?: string };
 	};
 }
 
+// Tier IDs as used by the Cloud Code API
+const TIER_FREE = "free-tier";
+const TIER_LEGACY = "legacy-tier";
+const TIER_STANDARD = "standard-tier";
+
+interface GoogleRpcErrorResponse {
+	error?: {
+		details?: Array<{ reason?: string }>;
+	};
+}
+
 /**
  * Wait helper for onboarding retries
  */
@@ -137,18 +152,62 @@ function wait(ms: number): Promise<void> {
 }
 
 /**
- * Get default tier ID from allowed tiers
+ * Get default tier from allowed tiers
  */
-function getDefaultTierId(allowedTiers?: Array<{ id?: string; isDefault?: boolean }>): string | undefined {
-	if (!allowedTiers || allowedTiers.length === 0) return undefined;
+function getDefaultTier(allowedTiers?: Array<{ id?: string; isDefault?: boolean }>): { id?: string } {
+	if (!allowedTiers || allowedTiers.length === 0) return { id: TIER_LEGACY };
 	const defaultTier = allowedTiers.find((t) => t.isDefault);
-	return defaultTier?.id ?? allowedTiers[0]?.id;
+	return defaultTier ?? { id: TIER_LEGACY };
+}
+
+function isVpcScAffectedUser(payload: unknown): boolean {
+	if (!payload || typeof payload !== "object") return false;
+	if (!("error" in payload)) return false;
+	const error = (payload as GoogleRpcErrorResponse).error;
+	if (!error?.details || !Array.isArray(error.details)) return false;
+	return error.details.some((detail) => detail.reason === "SECURITY_POLICY_VIOLATED");
+}
+
+/**
+ * Poll a long-running operation until completion
+ */
+async function pollOperation(
+	operationName: string,
+	headers: Record<string, string>,
+	onProgress?: (message: string) => void,
+): Promise<LongRunningOperationResponse> {
+	let attempt = 0;
+	while (true) {
+		if (attempt > 0) {
+			onProgress?.(`Waiting for project provisioning (attempt ${attempt + 1})...`);
+			await wait(5000);
+		}
+
+		const response = await fetch(`${CODE_ASSIST_ENDPOINT}/v1internal/${operationName}`, {
+			method: "GET",
+			headers,
+		});
+
+		if (!response.ok) {
+			throw new Error(`Failed to poll operation: ${response.status} ${response.statusText}`);
+		}
+
+		const data = (await response.json()) as LongRunningOperationResponse;
+		if (data.done) {
+			return data;
+		}
+
+		attempt += 1;
+	}
 }
 
 /**
  * Discover or provision a Google Cloud project for the user
  */
 async function discoverProject(accessToken: string, onProgress?: (message: string) => void): Promise<string> {
+	// Check for user-provided project ID via environment variable
+	const envProjectId = process.env.GOOGLE_CLOUD_PROJECT || process.env.GOOGLE_CLOUD_PROJECT_ID;
+
 	const headers = {
 		Authorization: `Bearer ${accessToken}`,
 		"Content-Type": "application/json",
@@ -162,62 +221,114 @@ async function discoverProject(accessToken: string, onProgress?: (message: strin
 		method: "POST",
 		headers,
 		body: JSON.stringify({
+			cloudaicompanionProject: envProjectId,
 			metadata: {
 				ideType: "IDE_UNSPECIFIED",
 				platform: "PLATFORM_UNSPECIFIED",
 				pluginType: "GEMINI",
+				duetProject: envProjectId,
 			},
 		}),
 	});
 
-	if (loadResponse.ok) {
-		const data = (await loadResponse.json()) as LoadCodeAssistPayload;
+	let data: LoadCodeAssistPayload;
 
-		// If we have an existing project, use it
+	if (!loadResponse.ok) {
+		let errorPayload: unknown;
+		try {
+			errorPayload = await loadResponse.clone().json();
+		} catch {
+			errorPayload = undefined;
+		}
+
+		if (isVpcScAffectedUser(errorPayload)) {
+			data = { currentTier: { id: TIER_STANDARD } };
+		} else {
+			const errorText = await loadResponse.text();
+			throw new Error(`loadCodeAssist failed: ${loadResponse.status} ${loadResponse.statusText}: ${errorText}`);
+		}
+	} else {
+		data = (await loadResponse.json()) as LoadCodeAssistPayload;
+	}
+
+	// If user already has a current tier and project, use it
+	if (data.currentTier) {
 		if (data.cloudaicompanionProject) {
 			return data.cloudaicompanionProject;
 		}
+		// User has a tier but no managed project - they need to provide one via env var
+		if (envProjectId) {
+			return envProjectId;
+		}
+		throw new Error(
+			"This account requires setting the GOOGLE_CLOUD_PROJECT or GOOGLE_CLOUD_PROJECT_ID environment variable. " +
+				"See https://goo.gle/gemini-cli-auth-docs#workspace-gca",
+		);
+	}
 
-		// Otherwise, try to onboard with the FREE tier
-		const tierId = getDefaultTierId(data.allowedTiers) ?? "FREE";
-
-		onProgress?.("Provisioning Cloud Code Assist project (this may take a moment)...");
-
-		// Onboard with retries (the API may take time to provision)
-		for (let attempt = 0; attempt < 10; attempt++) {
-			const onboardResponse = await fetch(`${CODE_ASSIST_ENDPOINT}/v1internal:onboardUser`, {
-				method: "POST",
-				headers,
-				body: JSON.stringify({
-					tierId,
-					metadata: {
-						ideType: "IDE_UNSPECIFIED",
-						platform: "PLATFORM_UNSPECIFIED",
-						pluginType: "GEMINI",
-					},
-				}),
-			});
+	// User needs to be onboarded - get the default tier
+	const tier = getDefaultTier(data.allowedTiers);
+	const tierId = tier?.id ?? TIER_FREE;
 
-			if (onboardResponse.ok) {
-				const onboardData = (await onboardResponse.json()) as OnboardUserPayload;
-				const projectId = onboardData.response?.cloudaicompanionProject?.id;
+	if (tierId !== TIER_FREE && !envProjectId) {
+		throw new Error(
+			"This account requires setting the GOOGLE_CLOUD_PROJECT or GOOGLE_CLOUD_PROJECT_ID environment variable. " +
+				"See https://goo.gle/gemini-cli-auth-docs#workspace-gca",
+		);
+	}
 
-				if (onboardData.done && projectId) {
-					return projectId;
-				}
-			}
+	onProgress?.("Provisioning Cloud Code Assist project (this may take a moment)...");
+
+	// Build onboard request - for free tier, don't include project ID (Google provisions one)
+	// For other tiers, include the user's project ID if available
+	const onboardBody: Record<string, unknown> = {
+		tierId,
+		metadata: {
+			ideType: "IDE_UNSPECIFIED",
+			platform: "PLATFORM_UNSPECIFIED",
+			pluginType: "GEMINI",
+		},
+	};
 
-			// Wait before retrying
-			if (attempt < 9) {
-				onProgress?.(`Waiting for project provisioning (attempt ${attempt + 2}/10)...`);
-				await wait(3000);
-			}
-		}
+	if (tierId !== TIER_FREE && envProjectId) {
+		onboardBody.cloudaicompanionProject = envProjectId;
+		(onboardBody.metadata as Record<string, unknown>).duetProject = envProjectId;
+	}
+
+	// Start onboarding - this returns a long-running operation
+	const onboardResponse = await fetch(`${CODE_ASSIST_ENDPOINT}/v1internal:onboardUser`, {
+		method: "POST",
+		headers,
+		body: JSON.stringify(onboardBody),
+	});
+
+	if (!onboardResponse.ok) {
+		const errorText = await onboardResponse.text();
+		throw new Error(`onboardUser failed: ${onboardResponse.status} ${onboardResponse.statusText}: ${errorText}`);
+	}
+
+	let lroData = (await onboardResponse.json()) as LongRunningOperationResponse;
+
+	// If the operation isn't done yet, poll until completion
+	if (!lroData.done && lroData.name) {
+		lroData = await pollOperation(lroData.name, headers, onProgress);
+	}
+
+	// Try to get project ID from the response
+	const projectId = lroData.response?.cloudaicompanionProject?.id;
+	if (projectId) {
+		return projectId;
+	}
+
+	// If no project ID from onboarding, fall back to env var
+	if (envProjectId) {
+		return envProjectId;
 	}
 
 	throw new Error(
 		"Could not discover or provision a Google Cloud project. " +
-			"Please ensure you have access to Google Cloud Code Assist (Gemini CLI).",
+			"Try setting the GOOGLE_CLOUD_PROJECT or GOOGLE_CLOUD_PROJECT_ID environment variable. " +
+			"See https://goo.gle/gemini-cli-auth-docs#workspace-gca",
 	);
 }
 

package/src/utils/validation.ts

@@ -1,12 +1,257 @@
 import AjvModule from "ajv";
 import addFormatsModule from "ajv-formats";
 
-// Handle both default and named exports
+// Handle both default and named exports (ESM/CJS interop)
 const Ajv = (AjvModule as any).default || AjvModule;
 const addFormats = (addFormatsModule as any).default || addFormatsModule;
 
 import type { Tool, ToolCall } from "../types";
 
+// ============================================================================
+// Type Coercion Utilities
+// ============================================================================
+//
+// LLMs sometimes produce tool arguments where a value that should be a number,
+// boolean, array, or object is instead passed as a JSON-encoded string. For
+// example, an array parameter might arrive as `"[1, 2, 3]"` instead of `[1, 2, 3]`.
+//
+// Rather than rejecting these outright, we attempt automatic coercion:
+//   1. AJV validates the arguments and reports type errors
+//   2. For each type error where the actual value is a string, we check if
+//      parsing it as JSON yields a value matching the expected type
+//   3. If so, we replace the string with the parsed value and re-validate
+//
+// This is intentionally conservative: we only parse strings that look like
+// valid JSON literals (objects, arrays, booleans, null, numbers) and only
+// accept the result if it matches the schema's expected type.
+// ============================================================================
+
+/** Regex matching valid JSON number literals (integers, decimals, scientific notation) */
+const JSON_NUMBER_PATTERN = /^[+-]?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?$/;
+
+/**
+ * Normalizes AJV's `params.type` into a consistent string array.
+ * AJV may report the expected type as a single string or an array of strings
+ * (for union types like `["string", "null"]`).
+ */
+function normalizeExpectedTypes(typeParam: unknown): string[] {
+	if (typeof typeParam === "string") return [typeParam];
+	if (Array.isArray(typeParam)) {
+		return typeParam.filter((entry): entry is string => typeof entry === "string");
+	}
+	return [];
+}
+
+/**
+ * Checks if a value matches any of the expected JSON Schema types.
+ * Used to verify that a parsed JSON value is actually what the schema wants.
+ */
+function matchesExpectedType(value: unknown, expectedTypes: string[]): boolean {
+	return expectedTypes.some((type) => {
+		switch (type) {
+			case "string":
+				return typeof value === "string";
+			case "number":
+				return typeof value === "number" && Number.isFinite(value);
+			case "integer":
+				return typeof value === "number" && Number.isInteger(value);
+			case "boolean":
+				return typeof value === "boolean";
+			case "null":
+				return value === null;
+			case "array":
+				return Array.isArray(value);
+			case "object":
+				return value !== null && typeof value === "object" && !Array.isArray(value);
+			default:
+				return false;
+		}
+	});
+}
+
+/**
+ * Attempts to parse a string as JSON if it looks like a JSON literal and
+ * the parsed result matches one of the expected types.
+ *
+ * Only attempts parsing for strings that syntactically look like JSON:
+ *   - Objects: `{...}`
+ *   - Arrays: `[...]`
+ *   - Literals: `true`, `false`, `null`, or numeric strings
+ *
+ * Returns `{ changed: true }` only if parsing succeeded AND the result
+ * matches an expected type. This prevents false positives like parsing
+ * the string `"123"` when the schema actually wants a string.
+ */
+function tryParseJsonForTypes(value: string, expectedTypes: string[]): { value: unknown; changed: boolean } {
+	const trimmed = value.trim();
+	if (!trimmed) return { value, changed: false };
+
+	// Quick syntactic checks to avoid unnecessary parse attempts
+	const looksJsonObject = trimmed.startsWith("{") && trimmed.endsWith("}");
+	const looksJsonArray = trimmed.startsWith("[") && trimmed.endsWith("]");
+	const looksJsonLiteral =
+		trimmed === "true" || trimmed === "false" || trimmed === "null" || JSON_NUMBER_PATTERN.test(trimmed);
+
+	if (!looksJsonObject && !looksJsonArray && !looksJsonLiteral) {
+		return { value, changed: false };
+	}
+
+	try {
+		const parsed = JSON.parse(trimmed) as unknown;
+		// Only accept if the parsed type matches what the schema expects
+		if (matchesExpectedType(parsed, expectedTypes)) {
+			return { value: parsed, changed: true };
+		}
+	} catch {
+		// Invalid JSON - leave as-is
+		return { value, changed: false };
+	}
+
+	return { value, changed: false };
+}
+
+// ============================================================================
+// JSON Pointer Utilities (RFC 6901)
+// ============================================================================
+//
+// AJV reports error locations using JSON Pointer syntax (e.g., `/foo/0/bar`).
+// These utilities allow reading and writing values at those paths.
+// ============================================================================
+
+/**
+ * Decodes a JSON Pointer string into path segments.
+ * Handles RFC 6901 escape sequences: ~1 -> /, ~0 -> ~
+ */
+function decodeJsonPointer(pointer: string): string[] {
+	if (!pointer) return [];
+	return pointer
+		.split("/")
+		.slice(1) // Remove leading empty segment from initial "/"
+		.map((segment) => segment.replace(/~1/g, "/").replace(/~0/g, "~"));
+}
+
+/**
+ * Retrieves a value from a nested object/array structure using a JSON Pointer.
+ * Returns undefined if the path doesn't exist or traversal fails.
+ */
+function getValueAtPointer(root: unknown, pointer: string): unknown {
+	if (!pointer) return root;
+	const segments = decodeJsonPointer(pointer);
+	let current: unknown = root;
+
+	for (const segment of segments) {
+		if (current === null || current === undefined) return undefined;
+		if (Array.isArray(current)) {
+			const index = Number(segment);
+			if (!Number.isInteger(index)) return undefined;
+			current = current[index];
+			continue;
+		}
+		if (typeof current !== "object") return undefined;
+		current = (current as Record<string, unknown>)[segment];
+	}
+
+	return current;
+}
+
+/**
+ * Sets a value in a nested object/array structure using a JSON Pointer.
+ * Mutates the structure in-place. Returns the root (possibly unchanged if
+ * the path was invalid).
+ */
+function setValueAtPointer(root: unknown, pointer: string, value: unknown): unknown {
+	if (!pointer) return value;
+	const segments = decodeJsonPointer(pointer);
+	let current: unknown = root;
+
+	// Navigate to the parent of the target location
+	for (let index = 0; index < segments.length - 1; index += 1) {
+		const segment = segments[index];
+		if (current === null || current === undefined) return root;
+		if (Array.isArray(current)) {
+			const arrayIndex = Number(segment);
+			if (!Number.isInteger(arrayIndex)) return root;
+			current = current[arrayIndex];
+			continue;
+		}
+		if (typeof current !== "object") return root;
+		current = (current as Record<string, unknown>)[segment];
+	}
+
+	// Set the value at the final segment
+	const lastSegment = segments[segments.length - 1];
+	if (Array.isArray(current)) {
+		const arrayIndex = Number(lastSegment);
+		if (!Number.isInteger(arrayIndex)) return root;
+		current[arrayIndex] = value;
+		return root;
+	}
+
+	if (typeof current !== "object" || current === null) return root;
+	(current as Record<string, unknown>)[lastSegment] = value;
+	return root;
+}
+
+/**
+ * Deep clones a JSON-serializable value.
+ * Uses structuredClone when available (faster), falls back to JSON round-trip.
+ */
+function cloneJsonValue<T>(value: T): T {
+	if (typeof structuredClone === "function") {
+		return structuredClone(value);
+	}
+	return JSON.parse(JSON.stringify(value)) as T;
+}
+
+/**
+ * Attempts to fix type errors by parsing JSON-encoded strings.
+ *
+ * When AJV reports type errors, this function checks if the offending values
+ * are strings that contain valid JSON matching the expected type. If so, it
+ * returns a new args object with those strings replaced by their parsed values.
+ *
+ * The function is designed to be safe and conservative:
+ *   - Only processes "type" errors (not format, pattern, etc.)
+ *   - Only attempts coercion on string values
+ *   - Only accepts parsed results that match the expected type
+ *   - Clones the args object before mutation (copy-on-write)
+ */
+function coerceArgsFromErrors(
+	args: unknown,
+	errors: Array<{ keyword?: string; instancePath?: string; params?: { type?: unknown } }> | null | undefined,
+): { value: unknown; changed: boolean } {
+	if (!errors || errors.length === 0) return { value: args, changed: false };
+
+	let changed = false;
+	let nextArgs: unknown = args;
+
+	for (const error of errors) {
+		// Only handle type mismatch errors
+		if (error.keyword !== "type") continue;
+
+		const instancePath = error.instancePath ?? "";
+		const expectedTypes = normalizeExpectedTypes(error.params?.type);
+		if (expectedTypes.length === 0) continue;
+
+		// Get the current value at the error location
+		const currentValue = getValueAtPointer(nextArgs, instancePath);
+		if (typeof currentValue !== "string") continue;
+
+		// Try to parse the string as JSON
+		const result = tryParseJsonForTypes(currentValue, expectedTypes);
+		if (!result.changed) continue;
+
+		// Clone on first modification (copy-on-write)
+		if (!changed) {
+			nextArgs = cloneJsonValue(nextArgs);
+			changed = true;
+		}
+		nextArgs = setValueAtPointer(nextArgs, instancePath, result.value);
+	}
+
+	return { value: changed ? nextArgs : args, changed };
+}
+
 // Detect if we're in a browser extension environment with strict CSP
 // Chrome extensions with Manifest V3 don't allow eval/Function constructor
 const isBrowserExtension = typeof globalThis !== "undefined" && (globalThis as any).chrome?.runtime?.id !== undefined;
@@ -19,7 +264,6 @@ if (!isBrowserExtension) {
 		ajv = new Ajv({
 			allErrors: true,
 			strict: false,
-			coerceTypes: true,
 		});
 		addFormats(ajv);
 	} catch (_e) {
@@ -51,19 +295,26 @@ export function validateToolCall(tools: Tool[], toolCall: ToolCall): any {
  * @throws Error with formatted message if validation fails
  */
 export function validateToolArguments(tool: Tool, toolCall: ToolCall): any {
+	const originalArgs = toolCall.arguments;
+
 	// Skip validation in browser extension environment (CSP restrictions prevent AJV from working)
 	if (!ajv || isBrowserExtension) {
 		// Trust the LLM's output without validation
 		// Browser extensions can't use AJV due to Manifest V3 CSP restrictions
-		return toolCall.arguments;
+		return originalArgs;
 	}
 
 	// Compile the schema
 	const validate = ajv.compile(tool.parameters);
 
 	// Validate the arguments
-	if (validate(toolCall.arguments)) {
-		return toolCall.arguments;
+	if (validate(originalArgs)) {
+		return originalArgs;
+	}
+
+	const { value: coercedArgs, changed } = coerceArgsFromErrors(originalArgs, validate.errors);
+	if (changed && validate(coercedArgs)) {
+		return coercedArgs;
 	}
 
 	// Format validation errors nicely
@@ -75,7 +326,14 @@ export function validateToolArguments(tool: Tool, toolCall: ToolCall): any {
 			})
 			.join("\n") || "Unknown validation error";
 
-	const errorMessage = `Validation failed for tool "${toolCall.name}":\n${errors}\n\nReceived arguments:\n${JSON.stringify(toolCall.arguments, null, 2)}`;
+	const receivedArgs = changed
+		? {
+				original: originalArgs,
+				normalized: coercedArgs,
+			}
+		: originalArgs;
+
+	const errorMessage = `Validation failed for tool "${toolCall.name}":\n${errors}\n\nReceived arguments:\n${JSON.stringify(receivedArgs, null, 2)}`;
 
 	throw new Error(errorMessage);
 }