aemeathcli 1.0.0

package/dist/gemini-login-ZZLYC3J6.js

@@ -0,0 +1,346 @@
+import { CredentialStore } from './chunk-4IJD72YB.js';
+import './chunk-CGEV3ARR.js';
+import './chunk-CYQNBB25.js';
+import './chunk-NBR3GHMT.js';
+import './chunk-CS5X3BWX.js';
+import './chunk-HCIHOHLX.js';
+import { AuthenticationError } from './chunk-ZGOHARPV.js';
+import { logger } from './chunk-JAXXTYID.js';
+import { createServer } from 'http';
+import { randomBytes, createHash } from 'crypto';
+import { URL } from 'url';
+import { existsSync, readFileSync, mkdirSync, writeFileSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+
+var CLIENT_ID = "681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com";
+var CLIENT_SECRET = "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";
+var AUTHORIZE_URL = "https://accounts.google.com/o/oauth2/v2/auth";
+var TOKEN_URL = "https://oauth2.googleapis.com/token";
+var SCOPE = [
+  "openid",
+  "https://www.googleapis.com/auth/userinfo.email",
+  "https://www.googleapis.com/auth/cloud-platform",
+  "https://www.googleapis.com/auth/generative-language"
+].join(" ");
+var CALLBACK_TIMEOUT_MS = 3e5;
+var LOCALHOST = "127.0.0.1";
+function getGeminiHome() {
+  return process.env["GEMINI_HOME"] ?? join(homedir(), ".gemini");
+}
+function getOAuthCredsPath() {
+  return join(getGeminiHome(), "oauth_creds.json");
+}
+function getGoogleAccountsPath() {
+  return join(getGeminiHome(), "google_accounts.json");
+}
+function readOAuthCreds() {
+  const credsPath = getOAuthCredsPath();
+  if (!existsSync(credsPath)) return void 0;
+  try {
+    return JSON.parse(readFileSync(credsPath, "utf-8"));
+  } catch {
+    return void 0;
+  }
+}
+function readGoogleAccounts() {
+  const accountsPath = getGoogleAccountsPath();
+  if (!existsSync(accountsPath)) return void 0;
+  try {
+    return JSON.parse(readFileSync(accountsPath, "utf-8"));
+  } catch {
+    return void 0;
+  }
+}
+function writeOAuthCreds(creds) {
+  const geminiHome = getGeminiHome();
+  try {
+    if (!existsSync(geminiHome)) {
+      mkdirSync(geminiHome, { recursive: true, mode: 448 });
+    }
+    writeFileSync(getOAuthCredsPath(), JSON.stringify(creds, null, 2), {
+      encoding: "utf-8",
+      mode: 384
+    });
+  } catch (error) {
+    logger.warn({ err: error }, "Failed to write Gemini oauth_creds.json");
+  }
+}
+function writeGoogleAccounts(email) {
+  const geminiHome = getGeminiHome();
+  try {
+    if (!existsSync(geminiHome)) {
+      mkdirSync(geminiHome, { recursive: true, mode: 448 });
+    }
+    const existing = readGoogleAccounts();
+    const data = { active: email, old: existing?.active && existing.active !== email ? [existing.active] : [] };
+    writeFileSync(getGoogleAccountsPath(), JSON.stringify(data, null, 2), { encoding: "utf-8" });
+  } catch {
+  }
+}
+function generateCodeVerifier() {
+  return randomBytes(32).toString("base64url");
+}
+function generateCodeChallenge(verifier) {
+  return createHash("sha256").update(verifier).digest("base64url");
+}
+function generateState() {
+  return randomBytes(16).toString("hex");
+}
+function escapeHtml(unsafe) {
+  return unsafe.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+}
+function successHtml() {
+  return `<!DOCTYPE html>
+<html><head><title>AemeathCLI \u2014 Google Login Successful</title></head>
+<body style="font-family:system-ui;text-align:center;padding:40px">
+<h1>Google Login Successful</h1>
+<p>You can close this window and return to your terminal.</p>
+</body></html>`;
+}
+function errorHtml(message) {
+  return `<!DOCTYPE html>
+<html><head><title>AemeathCLI \u2014 Google Login Failed</title></head>
+<body style="font-family:system-ui;text-align:center;padding:40px">
+<h1>Login Failed</h1>
+<p>${escapeHtml(message)}</p>
+</body></html>`;
+}
+function extractEmailFromIdToken(idToken) {
+  try {
+    const payload = idToken.split(".")[1];
+    if (!payload) return void 0;
+    const decoded = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
+    return decoded.email;
+  } catch {
+    return void 0;
+  }
+}
+var GeminiLogin = class {
+  credentialStore;
+  callbackServer;
+  constructor(store) {
+    this.credentialStore = store ?? new CredentialStore();
+  }
+  /**
+   * Run browser-based Google OAuth login using the same client ID
+   * as the official Gemini CLI. Browser opens automatically.
+   */
+  async login() {
+    const existing = this.readCachedCredential();
+    if (existing) {
+      const isExpired = existing.expiresAt ? /* @__PURE__ */ new Date() > existing.expiresAt : false;
+      if (!isExpired) {
+        logger.info("Imported existing Gemini CLI credentials");
+        await this.credentialStore.set("google", existing);
+        return existing;
+      }
+    }
+    const codeVerifier = generateCodeVerifier();
+    const codeChallenge = generateCodeChallenge(codeVerifier);
+    const state = generateState();
+    const { port, server } = await this.startCallbackServer();
+    this.callbackServer = server;
+    const redirectUri = `http://${LOCALHOST}:${port}/callback`;
+    const authUrl = new URL(AUTHORIZE_URL);
+    authUrl.searchParams.set("client_id", CLIENT_ID);
+    authUrl.searchParams.set("redirect_uri", redirectUri);
+    authUrl.searchParams.set("response_type", "code");
+    authUrl.searchParams.set("scope", SCOPE);
+    authUrl.searchParams.set("state", state);
+    authUrl.searchParams.set("code_challenge", codeChallenge);
+    authUrl.searchParams.set("code_challenge_method", "S256");
+    authUrl.searchParams.set("access_type", "offline");
+    authUrl.searchParams.set("prompt", "consent");
+    logger.info("Opening browser for Google OAuth login");
+    try {
+      const openModule = await import('open');
+      await openModule.default(authUrl.toString());
+    } catch {
+      this.stopServer();
+      throw new AuthenticationError("google", "Failed to open browser for login");
+    }
+    try {
+      const code = await this.waitForCallback(state);
+      const credential = await this.exchangeCodeForToken(code, codeVerifier, redirectUri);
+      await this.credentialStore.set("google", credential);
+      logger.info("Google OAuth login successful");
+      return credential;
+    } finally {
+      this.stopServer();
+    }
+  }
+  async logout() {
+    await this.credentialStore.delete("google");
+    logger.info("Google session revoked");
+  }
+  async isLoggedIn() {
+    const credential = this.readCachedCredential();
+    if (!credential) return false;
+    if (credential.expiresAt && /* @__PURE__ */ new Date() > credential.expiresAt && credential.refreshToken === void 0) {
+      return false;
+    }
+    await this.credentialStore.set("google", credential);
+    return true;
+  }
+  async getStatus() {
+    const loggedIn = await this.isLoggedIn();
+    if (!loggedIn) return { loggedIn: false };
+    const credential = await this.credentialStore.get("google");
+    if (!credential) return { loggedIn: false };
+    return {
+      loggedIn: true,
+      ...credential.email !== void 0 ? { email: credential.email } : {},
+      plan: "Google AI"
+    };
+  }
+  async getCachedCredential() {
+    const credential = this.readCachedCredential();
+    if (credential) {
+      await this.credentialStore.set("google", credential);
+    }
+    return credential;
+  }
+  // ── Read from Gemini CLI cache ────────────────────────────────────────
+  readCachedCredential() {
+    const oauthCreds = readOAuthCreds();
+    if (!oauthCreds?.access_token) return void 0;
+    let email;
+    const accounts = readGoogleAccounts();
+    if (accounts?.active) {
+      email = accounts.active;
+    } else if (oauthCreds.id_token) {
+      email = extractEmailFromIdToken(oauthCreds.id_token);
+    }
+    const expiresAt = oauthCreds.expiry_date ? new Date(oauthCreds.expiry_date) : void 0;
+    return {
+      provider: "google",
+      method: "native_login",
+      token: oauthCreds.access_token,
+      ...oauthCreds.refresh_token !== void 0 ? { refreshToken: oauthCreds.refresh_token } : {},
+      ...expiresAt !== void 0 ? { expiresAt } : {},
+      ...email !== void 0 ? { email } : {},
+      plan: "Google AI"
+    };
+  }
+  // ── Internal ──────────────────────────────────────────────────────────
+  startCallbackServer() {
+    return new Promise((resolve, reject) => {
+      const server = createServer();
+      server.listen(0, LOCALHOST, () => {
+        const address = server.address();
+        if (address === null || typeof address === "string") {
+          server.close();
+          reject(new Error("Failed to bind callback server"));
+          return;
+        }
+        resolve({ port: address.port, server });
+      });
+      server.on("error", reject);
+    });
+  }
+  waitForCallback(expectedState) {
+    return new Promise((resolve, reject) => {
+      const server = this.callbackServer;
+      if (server === void 0) {
+        reject(new AuthenticationError("google", "Callback server not started"));
+        return;
+      }
+      const timeout = setTimeout(() => {
+        reject(new AuthenticationError("google", "Login timed out"));
+      }, CALLBACK_TIMEOUT_MS);
+      server.on("request", (req, res) => {
+        const requestUrl = new URL(req.url ?? "/", `http://${LOCALHOST}`);
+        if (requestUrl.pathname !== "/callback") {
+          res.writeHead(404);
+          res.end("Not found");
+          return;
+        }
+        clearTimeout(timeout);
+        const code = requestUrl.searchParams.get("code");
+        const state = requestUrl.searchParams.get("state");
+        const error = requestUrl.searchParams.get("error");
+        if (error) {
+          res.writeHead(400, { "Content-Type": "text/html" });
+          res.end(errorHtml(`Google OAuth error: ${error}`));
+          reject(new AuthenticationError("google", `OAuth error: ${error}`));
+          return;
+        }
+        if (state !== expectedState) {
+          res.writeHead(400, { "Content-Type": "text/html" });
+          res.end(errorHtml("State mismatch"));
+          reject(new AuthenticationError("google", "OAuth state mismatch"));
+          return;
+        }
+        if (!code) {
+          res.writeHead(400, { "Content-Type": "text/html" });
+          res.end(errorHtml("Missing authorization code"));
+          reject(new AuthenticationError("google", "No authorization code received"));
+          return;
+        }
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(successHtml());
+        resolve(code);
+      });
+    });
+  }
+  async exchangeCodeForToken(code, codeVerifier, redirectUri) {
+    const body = new URLSearchParams({
+      grant_type: "authorization_code",
+      code,
+      redirect_uri: redirectUri,
+      client_id: CLIENT_ID,
+      client_secret: CLIENT_SECRET,
+      code_verifier: codeVerifier
+    });
+    const response = await fetch(TOKEN_URL, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: body.toString()
+    });
+    if (!response.ok) {
+      const text = await response.text();
+      throw new AuthenticationError("google", `Token exchange failed: ${response.status} ${text}`);
+    }
+    const data = await response.json();
+    if (!data.access_token) {
+      throw new AuthenticationError("google", "Token exchange returned no access_token");
+    }
+    const expiresAt = data.expires_in ? new Date(Date.now() + data.expires_in * 1e3) : void 0;
+    let email;
+    if (data.id_token) {
+      email = extractEmailFromIdToken(data.id_token);
+    }
+    const geminiCreds = {
+      access_token: data.access_token,
+      ...data.scope !== void 0 ? { scope: data.scope } : {},
+      ...data.token_type !== void 0 ? { token_type: data.token_type } : {},
+      ...data.id_token !== void 0 ? { id_token: data.id_token } : {},
+      ...expiresAt !== void 0 ? { expiry_date: expiresAt.getTime() } : {},
+      ...data.refresh_token !== void 0 ? { refresh_token: data.refresh_token } : {}
+    };
+    writeOAuthCreds(geminiCreds);
+    if (email) {
+      writeGoogleAccounts(email);
+    }
+    return {
+      provider: "google",
+      method: "native_login",
+      token: data.access_token,
+      ...data.refresh_token !== void 0 ? { refreshToken: data.refresh_token } : {},
+      ...expiresAt !== void 0 ? { expiresAt } : {},
+      ...email !== void 0 ? { email } : {},
+      plan: "Google AI"
+    };
+  }
+  stopServer() {
+    if (this.callbackServer !== void 0) {
+      this.callbackServer.close();
+      this.callbackServer = void 0;
+    }
+  }
+};
+
+export { GeminiLogin };
+//# sourceMappingURL=gemini-login-ZZLYC3J6.js.map
+//# sourceMappingURL=gemini-login-ZZLYC3J6.js.map

package/dist/gemini-login-ZZLYC3J6.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/auth/providers/gemini-login.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAoBA,IAAM,SAAA,GAAY,0EAAA;AAClB,IAAM,aAAA,GAAgB,qCAAA;AACtB,IAAM,aAAA,GAAgB,8CAAA;AACtB,IAAM,SAAA,GAAY,qCAAA;AAClB,IAAM,KAAA,GAAQ;AAAA,EACZ,QAAA;AAAA,EACA,gDAAA;AAAA,EACA,gDAAA;AAAA,EACA;AACF,CAAA,CAAE,KAAK,GAAG,CAAA;AACV,IAAM,mBAAA,GAAsB,GAAA;AAC5B,IAAM,SAAA,GAAY,WAAA;AAIlB,SAAS,aAAA,GAAwB;AAC/B,EAAA,OAAO,QAAQ,GAAA,CAAI,aAAa,KAAK,IAAA,CAAK,OAAA,IAAW,SAAS,CAAA;AAChE;AAEA,SAAS,iBAAA,GAA4B;AACnC,EAAA,OAAO,IAAA,CAAK,aAAA,EAAc,EAAG,kBAAkB,CAAA;AACjD;AAEA,SAAS,qBAAA,GAAgC;AACvC,EAAA,OAAO,IAAA,CAAK,aAAA,EAAc,EAAG,sBAAsB,CAAA;AACrD;AAiBA,SAAS,cAAA,GAAgD;AACvD,EAAA,MAAM,YAAY,iBAAA,EAAkB;AACpC,EAAA,IAAI,CAAC,UAAA,CAAW,SAAS,CAAA,EAAG,OAAO,MAAA;AACnC,EAAA,IAAI;AACF,IAAA,OAAO,IAAA,CAAK,KAAA,CAAM,YAAA,CAAa,SAAA,EAAW,OAAO,CAAC,CAAA;AAAA,EACpD,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,MAAA;AAAA,EACT;AACF;AAEA,SAAS,kBAAA,GAAkD;AACzD,EAAA,MAAM,eAAe,qBAAA,EAAsB;AAC3C,EAAA,IAAI,CAAC,UAAA,CAAW,YAAY,CAAA,EAAG,OAAO,MAAA;AACtC,EAAA,IAAI;AACF,IAAA,OAAO,IAAA,CAAK,KAAA,CAAM,YAAA,CAAa,YAAA,EAAc,OAAO,CAAC,CAAA;AAAA,EACvD,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,MAAA;AAAA,EACT;AACF;AAIA,SAAS,gBAAgB,KAAA,EAAgC;AACvD,EAAA,MAAM,aAAa,aAAA,EAAc;AACjC,EAAA,IAAI;AACF,IAAA,IAAI,CAAC,UAAA,CAAW,UAAU,CAAA,EAAG;AAC3B,MAAA,SAAA,CAAU,YAAY,EAAE,SAAA,EAAW,IAAA,EAAM,IAAA,EAAM,KAAO,CAAA;AAAA,IACxD;AACA,IAAA,aAAA,CAAc,mBAAkB,EAAG,IAAA,CAAK,UAAU,KAAA,EAAO,IAAA,EAAM,CAAC,CAAA,EAAG;AAAA,MACjE,QAAA,EAAU,OAAA;AAAA,MACV,IAAA,EAAM;AAAA,KACP,CAAA;AAAA,EACH,SAAS,KAAA,EAAgB;AACvB,IAAA,MAAA,CAAO,IAAA,CAAK,EAAE,GAAA,EAAK,KAAA,IAAS,yCAAyC,CAAA;AAAA,EACvE;AACF;AAEA,SAAS,oBAAoB,KAAA,EAAqB;AAChD,EAAA,MAAM,aAAa,aAAA,EAAc;AACjC,EAAA,IAAI;AACF,IAAA,IAAI,CAAC,UAAA,CAAW,UAAU,CAAA,EAAG;AAC3B,MAAA,SAAA,CAAU,YAAY,EAAE,SAAA,EAAW,IAAA,EAAM,IAAA,EAAM,KAAO,CAAA;AAAA,IACxD;AACA,IAAA,MAAM,WAAW,kBAAA,EAAmB;AACpC,IAAA,MAAM,IAAA,GAAO,EAAE,MAAA,EAAQ,KAAA,EAAO,KAAK,QAAA,EAAU,MAAA,IAAU,QAAA,CAAS,MAAA,KAAW,QAAQ,CAAC,QAAA,CAAS,MAAM,CAAA,GAAI,EAAC,EAAE;AAC1G,IAAA,aAAA,CAAc,qBAAA,EAAsB,EAAG,IAAA,CAAK,SAAA,CAAU,IAAA,EAAM,IAAA,EAAM,CAAC,CAAA,EAAG,EAAE,QAAA,EAAU,OAAA,EAAS,CAAA;AAAA,EAC7F,CAAA,CAAA,MAAQ;AAAA,EAER;AACF;AAIA,SAAS,oBAAA,GAA+B;AACtC,EAAA,OAAO,WAAA,CAAY,EAAE,CAAA,CAAE,QAAA,CAAS,WAAW,CAAA;AAC7C;AAEA,SAAS,sBAAsB,QAAA,EAA0B;AACvD,EAAA,OAAO,WAAW,QAAQ,CAAA,CAAE,OAAO,QAAQ,CAAA,CAAE,OAAO,WAAW,CAAA;AACjE;AAEA,SAAS,aAAA,GAAwB;AAC/B,EAAA,OAAO,WAAA,CAAY,EAAE,CAAA,CAAE,QAAA,CAAS,KAAK,CAAA;AACvC;AAIA,SAAS,WAAW,MAAA,EAAwB;AAC1C,EAAA,OAAO,OAAO,OAAA,CAAQ,IAAA,EAAM,OAAO,CAAA,CAAE,OAAA,CAAQ,MAAM,MAAM,CAAA,CAAE,QAAQ,IAAA,EAAM,MAAM,EAC5E,OAAA,CAAQ,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,CAAQ,MAAM,QAAQ,CAAA;AACnD;AAEA,SAAS,WAAA,GAAsB;AAC7B,EAAA,OAAO,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,cAAA,CAAA;AAMT;AAEA,SAAS,UAAU,OAAA,EAAyB;AAC1C,EAAA,OAAO,CAAA;AAAA;AAAA;AAAA;AAAA,GAAA,EAIJ,UAAA,CAAW,OAAO,CAAC,CAAA;AAAA,cAAA,CAAA;AAExB;AAEA,SAAS,wBAAwB,OAAA,EAAqC;AACpE,EAAA,IAAI;AACF,IAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,KAAA,CAAM,GAAG,EAAE,CAAC,CAAA;AACpC,IAAA,IAAI,CAAC,SAAS,OAAO,KAAA,CAAA;AACrB,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,KAAA,CAAM,MAAA,CAAO,IAAA,CAAK,SAAS,WAAW,CAAA,CAAE,QAAA,CAAS,MAAM,CAAC,CAAA;AAC7E,IAAA,OAAO,OAAA,CAAQ,KAAA;AAAA,EACjB,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,MAAA;AAAA,EACT;AACF;AAIO,IAAM,cAAN,MAAkB;AAAA,EACN,eAAA;AAAA,EACT,cAAA;AAAA,EAER,YAAY,KAAA,EAAyB;AACnC,IAAA,IAAA,CAAK,eAAA,GAAkB,KAAA,IAAS,IAAI,eAAA,EAAgB;AAAA,EACtD;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,KAAA,GAA8B;AAElC,IAAA,MAAM,QAAA,GAAW,KAAK,oBAAA,EAAqB;AAC3C,IAAA,IAAI,QAAA,EAAU;AACZ,MAAA,MAAM,YAAY,QAAA,CAAS,SAAA,uBAAgB,IAAA,EAAK,GAAI,SAAS,SAAA,GAAY,KAAA;AACzE,MAAA,IAAI,CAAC,SAAA,EAAW;AACd,QAAA,MAAA,CAAO,KAAK,0CAA0C,CAAA;AACtD,QAAA,MAAM,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,QAAA,EAAU,QAAQ,CAAA;AACjD,QAAA,OAAO,QAAA;AAAA,MACT;AAAA,IACF;AAGA,IAAA,MAAM,eAAe,oBAAA,EAAqB;AAC1C,IAAA,MAAM,aAAA,GAAgB,sBAAsB,YAAY,CAAA;AACxD,IAAA,MAAM,QAAQ,aAAA,EAAc;AAE5B,IAAA,MAAM,EAAE,IAAA,EAAM,MAAA,EAAO,GAAI,MAAM,KAAK,mBAAA,EAAoB;AACxD,IAAA,IAAA,CAAK,cAAA,GAAiB,MAAA;AAEtB,IAAA,MAAM,WAAA,GAAc,CAAA,OAAA,EAAU,SAAS,CAAA,CAAA,EAAI,IAAI,CAAA,SAAA,CAAA;AAE/C,IAAA,MAAM,OAAA,GAAU,IAAI,GAAA,CAAI,aAAa,CAAA;AACrC,IAAA,OAAA,CAAQ,YAAA,CAAa,GAAA,CAAI,WAAA,EAAa,SAAS,CAAA;AAC/C,IAAA,OAAA,CAAQ,YAAA,CAAa,GAAA,CAAI,cAAA,EAAgB,WAAW,CAAA;AACpD,IAAA,OAAA,CAAQ,YAAA,CAAa,GAAA,CAAI,eAAA,EAAiB,MAAM,CAAA;AAChD,IAAA,OAAA,CAAQ,YAAA,CAAa,GAAA,CAAI,OAAA,EAAS,KAAK,CAAA;AACvC,IAAA,OAAA,CAAQ,YAAA,CAAa,GAAA,CAAI,OAAA,EAAS,KAAK,CAAA;AACvC,IAAA,OAAA,CAAQ,YAAA,CAAa,GAAA,CAAI,gBAAA,EAAkB,aAAa,CAAA;AACxD,IAAA,OAAA,CAAQ,YAAA,CAAa,GAAA,CAAI,uBAAA,EAAyB,MAAM,CAAA;AACxD,IAAA,OAAA,CAAQ,YAAA,CAAa,GAAA,CAAI,aAAA,EAAe,SAAS,CAAA;AACjD,IAAA,OAAA,CAAQ,YAAA,CAAa,GAAA,CAAI,QAAA,EAAU,SAAS,CAAA;AAE5C,IAAA,MAAA,CAAO,KAAK,wCAAwC,CAAA;AAEpD,IAAA,IAAI;AACF,MAAA,MAAM,UAAA,GAAa,MAAM,OAAO,MAAM,CAAA;AACtC,MAAA,MAAM,UAAA,CAAW,OAAA,CAAQ,OAAA,CAAQ,QAAA,EAAU,CAAA;AAAA,IAC7C,CAAA,CAAA,MAAQ;AACN,MAAA,IAAA,CAAK,UAAA,EAAW;AAChB,MAAA,MAAM,IAAI,mBAAA,CAAoB,QAAA,EAAU,kCAAkC,CAAA;AAAA,IAC5E;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,eAAA,CAAgB,KAAK,CAAA;AAC7C,MAAA,MAAM,aAAa,MAAM,IAAA,CAAK,oBAAA,CAAqB,IAAA,EAAM,cAAc,WAAW,CAAA;AAElF,MAAA,MAAM,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,QAAA,EAAU,UAAU,CAAA;AACnD,MAAA,MAAA,CAAO,KAAK,+BAA+B,CAAA;AAE3C,MAAA,OAAO,UAAA;AAAA,IACT,CAAA,SAAE;AACA,MAAA,IAAA,CAAK,UAAA,EAAW;AAAA,IAClB;AAAA,EACF;AAAA,EAEA,MAAM,MAAA,GAAwB;AAC5B,IAAA,MAAM,IAAA,CAAK,eAAA,CAAgB,MAAA,CAAO,QAAQ,CAAA;AAC1C,IAAA,MAAA,CAAO,KAAK,wBAAwB,CAAA;AAAA,EACtC;AAAA,EAEA,MAAM,UAAA,GAA+B;AACnC,IAAA,MAAM,UAAA,GAAa,KAAK,oBAAA,EAAqB;AAC7C,IAAA,IAAI,CAAC,YAAY,OAAO,KAAA;AACxB,IAAA,IAAI,UAAA,CAAW,6BAAa,IAAI,IAAA,KAAS,UAAA,CAAW,SAAA,IAAa,UAAA,CAAW,YAAA,KAAiB,MAAA,EAAW;AACtG,MAAA,OAAO,KAAA;AAAA,IACT;AAEA,IAAA,MAAM,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,QAAA,EAAU,UAAU,CAAA;AACnD,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,MAAM,SAAA,GAAmG;AACvG,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,UAAA,EAAW;AACvC,IAAA,IAAI,CAAC,QAAA,EAAU,OAAO,EAAE,UAAU,KAAA,EAAM;AAExC,IAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,eAAA,CAAgB,IAAI,QAAQ,CAAA;AAC1D,IAAA,IAAI,CAAC,UAAA,EAAY,OAAO,EAAE,UAAU,KAAA,EAAM;AAE1C,IAAA,OAAO;AAAA,MACL,QAAA,EAAU,IAAA;AAAA,MACV,GAAI,WAAW,KAAA,KAAU,MAAA,GAAY,EAAE,KAAA,EAAO,UAAA,CAAW,KAAA,EAAM,GAAI,EAAC;AAAA,MACpE,IAAA,EAAM;AAAA,KACR;AAAA,EACF;AAAA,EAEA,MAAM,mBAAA,GAAwD;AAC5D,IAAA,MAAM,UAAA,GAAa,KAAK,oBAAA,EAAqB;AAC7C,IAAA,IAAI,UAAA,EAAY;AACd,MAAA,MAAM,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,QAAA,EAAU,UAAU,CAAA;AAAA,IACrD;AACA,IAAA,OAAO,UAAA;AAAA,EACT;AAAA;AAAA,EAIQ,oBAAA,GAAgD;AACtD,IAAA,MAAM,aAAa,cAAA,EAAe;AAClC,IAAA,IAAI,CAAC,UAAA,EAAY,YAAA,EAAc,OAAO,MAAA;AAEtC,IAAA,IAAI,KAAA;AACJ,IAAA,MAAM,WAAW,kBAAA,EAAmB;AACpC,IAAA,IAAI,UAAU,MAAA,EAAQ;AACpB,MAAA,KAAA,GAAQ,QAAA,CAAS,MAAA;AAAA,IACnB,CAAA,MAAA,IAAW,WAAW,QAAA,EAAU;AAC9B,MAAA,KAAA,GAAQ,uBAAA,CAAwB,WAAW,QAAQ,CAAA;AAAA,IACrD;AAEA,IAAA,MAAM,YAAY,UAAA,CAAW,WAAA,GAAc,IAAI,IAAA,CAAK,UAAA,CAAW,WAAW,CAAA,GAAI,MAAA;AAE9E,IAAA,OAAO;AAAA,MACL,QAAA,EAAU,QAAA;AAAA,MACV,MAAA,EAAQ,cAAA;AAAA,MACR,OAAO,UAAA,CAAW,YAAA;AAAA,MAClB,GAAI,WAAW,aAAA,KAAkB,MAAA,GAAY,EAAE,YAAA,EAAc,UAAA,CAAW,aAAA,EAAc,GAAI,EAAC;AAAA,MAC3F,GAAI,SAAA,KAAc,MAAA,GAAY,EAAE,SAAA,KAAc,EAAC;AAAA,MAC/C,GAAI,KAAA,KAAU,MAAA,GAAY,EAAE,KAAA,KAAU,EAAC;AAAA,MACvC,IAAA,EAAM;AAAA,KACR;AAAA,EACF;AAAA;AAAA,EAIQ,mBAAA,GAAiE;AACvE,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAA,KAAW;AACtC,MAAA,MAAM,SAAS,YAAA,EAAa;AAC5B,MAAA,MAAA,CAAO,MAAA,CAAO,CAAA,EAAG,SAAA,EAAW,MAAM;AAChC,QAAA,MAAM,OAAA,GAAU,OAAO,OAAA,EAAQ;AAC/B,QAAA,IAAI,OAAA,KAAY,IAAA,IAAQ,OAAO,OAAA,KAAY,QAAA,EAAU;AACnD,UAAA,MAAA,CAAO,KAAA,EAAM;AACb,UAAA,MAAA,CAAO,IAAI,KAAA,CAAM,gCAAgC,CAAC,CAAA;AAClD,UAAA;AAAA,QACF;AACA,QAAA,OAAA,CAAQ,EAAE,IAAA,EAAM,OAAA,CAAQ,IAAA,EAAM,QAAQ,CAAA;AAAA,MACxC,CAAC,CAAA;AACD,MAAA,MAAA,CAAO,EAAA,CAAG,SAAS,MAAM,CAAA;AAAA,IAC3B,CAAC,CAAA;AAAA,EACH;AAAA,EAEQ,gBAAgB,aAAA,EAAwC;AAC9D,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAA,KAAW;AACtC,MAAA,MAAM,SAAS,IAAA,CAAK,cAAA;AACpB,MAAA,IAAI,WAAW,MAAA,EAAW;AACxB,QAAA,MAAA,CAAO,IAAI,mBAAA,CAAoB,QAAA,EAAU,6BAA6B,CAAC,CAAA;AACvE,QAAA;AAAA,MACF;AAEA,MAAA,MAAM,OAAA,GAAU,WAAW,MAAM;AAC/B,QAAA,MAAA,CAAO,IAAI,mBAAA,CAAoB,QAAA,EAAU,iBAAiB,CAAC,CAAA;AAAA,MAC7D,GAAG,mBAAmB,CAAA;AAEtB,MAAA,MAAA,CAAO,EAAA,CAAG,SAAA,EAAW,CAAC,GAAA,EAAsB,GAAA,KAAwB;AAClE,QAAA,MAAM,UAAA,GAAa,IAAI,GAAA,CAAI,GAAA,CAAI,OAAO,GAAA,EAAK,CAAA,OAAA,EAAU,SAAS,CAAA,CAAE,CAAA;AAChE,QAAA,IAAI,UAAA,CAAW,aAAa,WAAA,EAAa;AACvC,UAAA,GAAA,CAAI,UAAU,GAAG,CAAA;AACjB,UAAA,GAAA,CAAI,IAAI,WAAW,CAAA;AACnB,UAAA;AAAA,QACF;AAEA,QAAA,YAAA,CAAa,OAAO,CAAA;AAEpB,QAAA,MAAM,IAAA,GAAO,UAAA,CAAW,YAAA,CAAa,GAAA,CAAI,MAAM,CAAA;AAC/C,QAAA,MAAM,KAAA,GAAQ,UAAA,CAAW,YAAA,CAAa,GAAA,CAAI,OAAO,CAAA;AACjD,QAAA,MAAM,KAAA,GAAQ,UAAA,CAAW,YAAA,CAAa,GAAA,CAAI,OAAO,CAAA;AAEjD,QAAA,IAAI,KAAA,EAAO;AACT,UAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,aAAa,CAAA;AAClD,UAAA,GAAA,CAAI,GAAA,CAAI,SAAA,CAAU,CAAA,oBAAA,EAAuB,KAAK,EAAE,CAAC,CAAA;AACjD,UAAA,MAAA,CAAO,IAAI,mBAAA,CAAoB,QAAA,EAAU,CAAA,aAAA,EAAgB,KAAK,EAAE,CAAC,CAAA;AACjE,UAAA;AAAA,QACF;AACA,QAAA,IAAI,UAAU,aAAA,EAAe;AAC3B,UAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,aAAa,CAAA;AAClD,UAAA,GAAA,CAAI,GAAA,CAAI,SAAA,CAAU,gBAAgB,CAAC,CAAA;AACnC,UAAA,MAAA,CAAO,IAAI,mBAAA,CAAoB,QAAA,EAAU,sBAAsB,CAAC,CAAA;AAChE,UAAA;AAAA,QACF;AACA,QAAA,IAAI,CAAC,IAAA,EAAM;AACT,UAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,aAAa,CAAA;AAClD,UAAA,GAAA,CAAI,GAAA,CAAI,SAAA,CAAU,4BAA4B,CAAC,CAAA;AAC/C,UAAA,MAAA,CAAO,IAAI,mBAAA,CAAoB,QAAA,EAAU,gCAAgC,CAAC,CAAA;AAC1E,UAAA;AAAA,QACF;AAEA,QAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,aAAa,CAAA;AAClD,QAAA,GAAA,CAAI,GAAA,CAAI,aAAa,CAAA;AACrB,QAAA,OAAA,CAAQ,IAAI,CAAA;AAAA,MACd,CAAC,CAAA;AAAA,IACH,CAAC,CAAA;AAAA,EACH;AAAA,EAEA,MAAc,oBAAA,CACZ,IAAA,EACA,YAAA,EACA,WAAA,EACsB;AACtB,IAAA,MAAM,IAAA,GAAO,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,IAAA;AAAA,MACA,YAAA,EAAc,WAAA;AAAA,MACd,SAAA,EAAW,SAAA;AAAA,MACX,aAAA,EAAe,aAAA;AAAA,MACf,aAAA,EAAe;AAAA,KAChB,CAAA;AAED,IAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,SAAA,EAAW;AAAA,MACtC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,KAAK,QAAA;AAAS,KACrB,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AACjC,MAAA,MAAM,IAAI,oBAAoB,QAAA,EAAU,CAAA,uBAAA,EAA0B,SAAS,MAAM,CAAA,CAAA,EAAI,IAAI,CAAA,CAAE,CAAA;AAAA,IAC7F;AAEA,IAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AASlC,IAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACtB,MAAA,MAAM,IAAI,mBAAA,CAAoB,QAAA,EAAU,yCAAyC,CAAA;AAAA,IACnF;AAEA,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,UAAA,GACnB,IAAI,IAAA,CAAK,IAAA,CAAK,GAAA,EAAI,GAAI,IAAA,CAAK,UAAA,GAAa,GAAI,CAAA,GAC5C,MAAA;AAEJ,IAAA,IAAI,KAAA;AACJ,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,KAAA,GAAQ,uBAAA,CAAwB,KAAK,QAAQ,CAAA;AAAA,IAC/C;AAGA,IAAA,MAAM,WAAA,GAAiC;AAAA,MACrC,cAAc,IAAA,CAAK,YAAA;AAAA,MACnB,GAAI,KAAK,KAAA,KAAU,MAAA,GAAY,EAAE,KAAA,EAAO,IAAA,CAAK,KAAA,EAAM,GAAI,EAAC;AAAA,MACxD,GAAI,KAAK,UAAA,KAAe,MAAA,GAAY,EAAE,UAAA,EAAY,IAAA,CAAK,UAAA,EAAW,GAAI,EAAC;AAAA,MACvE,GAAI,KAAK,QAAA,KAAa,MAAA,GAAY,EAAE,QAAA,EAAU,IAAA,CAAK,QAAA,EAAS,GAAI,EAAC;AAAA,MACjE,GAAI,cAAc,MAAA,GAAY,EAAE,aAAa,SAAA,CAAU,OAAA,EAAQ,EAAE,GAAI,EAAC;AAAA,MACtE,GAAI,KAAK,aAAA,KAAkB,MAAA,GAAY,EAAE,aAAA,EAAe,IAAA,CAAK,aAAA,EAAc,GAAI;AAAC,KAClF;AACA,IAAA,eAAA,CAAgB,WAAW,CAAA;AAE3B,IAAA,IAAI,KAAA,EAAO;AACT,MAAA,mBAAA,CAAoB,KAAK,CAAA;AAAA,IAC3B;AAEA,IAAA,OAAO;AAAA,MACL,QAAA,EAAU,QAAA;AAAA,MACV,MAAA,EAAQ,cAAA;AAAA,MACR,OAAO,IAAA,CAAK,YAAA;AAAA,MACZ,GAAI,KAAK,aAAA,KAAkB,MAAA,GAAY,EAAE,YAAA,EAAc,IAAA,CAAK,aAAA,EAAc,GAAI,EAAC;AAAA,MAC/E,GAAI,SAAA,KAAc,MAAA,GAAY,EAAE,SAAA,KAAc,EAAC;AAAA,MAC/C,GAAI,KAAA,KAAU,MAAA,GAAY,EAAE,KAAA,KAAU,EAAC;AAAA,MACvC,IAAA,EAAM;AAAA,KACR;AAAA,EACF;AAAA,EAEQ,UAAA,GAAmB;AACzB,IAAA,IAAI,IAAA,CAAK,mBAAmB,MAAA,EAAW;AACrC,MAAA,IAAA,CAAK,eAAe,KAAA,EAAM;AAC1B,MAAA,IAAA,CAAK,cAAA,GAAiB,MAAA;AAAA,IACxB;AAAA,EACF;AACF","file":"gemini-login-ZZLYC3J6.js","sourcesContent":["/**\n * Gemini (Google) OAuth login\n * Uses the same client ID as the official Gemini CLI.\n * After login, stores tokens at ~/.gemini/oauth_creds.json\n * so credentials are shared with the official Gemini CLI.\n */\n\nimport { createServer, type Server, type IncomingMessage, type ServerResponse } from \"node:http\";\nimport { randomBytes, createHash } from \"node:crypto\";\nimport { URL } from \"node:url\";\nimport { writeFileSync, readFileSync, existsSync, mkdirSync } from \"node:fs\";\nimport { join } from \"node:path\";\nimport { homedir } from \"node:os\";\nimport type { ICredential } from \"../../types/index.js\";\nimport { AuthenticationError } from \"../../types/index.js\";\nimport { CredentialStore } from \"../credential-store.js\";\nimport { logger } from \"../../utils/index.js\";\n\n// ── Gemini CLI OAuth Config (same as official Gemini CLI) ───────────────\n\nconst CLIENT_ID = \"681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com\";\nconst CLIENT_SECRET = \"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\";\nconst AUTHORIZE_URL = \"https://accounts.google.com/o/oauth2/v2/auth\";\nconst TOKEN_URL = \"https://oauth2.googleapis.com/token\";\nconst SCOPE = [\n  \"openid\",\n  \"https://www.googleapis.com/auth/userinfo.email\",\n  \"https://www.googleapis.com/auth/cloud-platform\",\n  \"https://www.googleapis.com/auth/generative-language\",\n].join(\" \");\nconst CALLBACK_TIMEOUT_MS = 300_000;\nconst LOCALHOST = \"127.0.0.1\";\n\n// ── Gemini CLI Token Paths ──────────────────────────────────────────────\n\nfunction getGeminiHome(): string {\n  return process.env[\"GEMINI_HOME\"] ?? join(homedir(), \".gemini\");\n}\n\nfunction getOAuthCredsPath(): string {\n  return join(getGeminiHome(), \"oauth_creds.json\");\n}\n\nfunction getGoogleAccountsPath(): string {\n  return join(getGeminiHome(), \"google_accounts.json\");\n}\n\n// ── Read existing tokens from Gemini CLI cache ──────────────────────────\n\ninterface IGeminiOAuthCreds {\n  readonly access_token?: string;\n  readonly scope?: string;\n  readonly token_type?: string;\n  readonly id_token?: string;\n  readonly expiry_date?: number;\n  readonly refresh_token?: string;\n}\n\ninterface IGoogleAccounts {\n  readonly active?: string;\n}\n\nfunction readOAuthCreds(): IGeminiOAuthCreds | undefined {\n  const credsPath = getOAuthCredsPath();\n  if (!existsSync(credsPath)) return undefined;\n  try {\n    return JSON.parse(readFileSync(credsPath, \"utf-8\")) as IGeminiOAuthCreds;\n  } catch {\n    return undefined;\n  }\n}\n\nfunction readGoogleAccounts(): IGoogleAccounts | undefined {\n  const accountsPath = getGoogleAccountsPath();\n  if (!existsSync(accountsPath)) return undefined;\n  try {\n    return JSON.parse(readFileSync(accountsPath, \"utf-8\")) as IGoogleAccounts;\n  } catch {\n    return undefined;\n  }\n}\n\n// ── Write tokens in Gemini CLI format ───────────────────────────────────\n\nfunction writeOAuthCreds(creds: IGeminiOAuthCreds): void {\n  const geminiHome = getGeminiHome();\n  try {\n    if (!existsSync(geminiHome)) {\n      mkdirSync(geminiHome, { recursive: true, mode: 0o700 });\n    }\n    writeFileSync(getOAuthCredsPath(), JSON.stringify(creds, null, 2), {\n      encoding: \"utf-8\",\n      mode: 0o600,\n    });\n  } catch (error: unknown) {\n    logger.warn({ err: error }, \"Failed to write Gemini oauth_creds.json\");\n  }\n}\n\nfunction writeGoogleAccounts(email: string): void {\n  const geminiHome = getGeminiHome();\n  try {\n    if (!existsSync(geminiHome)) {\n      mkdirSync(geminiHome, { recursive: true, mode: 0o700 });\n    }\n    const existing = readGoogleAccounts();\n    const data = { active: email, old: existing?.active && existing.active !== email ? [existing.active] : [] };\n    writeFileSync(getGoogleAccountsPath(), JSON.stringify(data, null, 2), { encoding: \"utf-8\" });\n  } catch {\n    // Non-critical\n  }\n}\n\n// ── PKCE Helpers ────────────────────────────────────────────────────────\n\nfunction generateCodeVerifier(): string {\n  return randomBytes(32).toString(\"base64url\");\n}\n\nfunction generateCodeChallenge(verifier: string): string {\n  return createHash(\"sha256\").update(verifier).digest(\"base64url\");\n}\n\nfunction generateState(): string {\n  return randomBytes(16).toString(\"hex\");\n}\n\n// ── HTML Responses ──────────────────────────────────────────────────────\n\nfunction escapeHtml(unsafe: string): string {\n  return unsafe.replace(/&/g, \"&amp;\").replace(/</g, \"&lt;\").replace(/>/g, \"&gt;\")\n    .replace(/\"/g, \"&quot;\").replace(/'/g, \"&#039;\");\n}\n\nfunction successHtml(): string {\n  return `<!DOCTYPE html>\n<html><head><title>AemeathCLI — Google Login Successful</title></head>\n<body style=\"font-family:system-ui;text-align:center;padding:40px\">\n<h1>Google Login Successful</h1>\n<p>You can close this window and return to your terminal.</p>\n</body></html>`;\n}\n\nfunction errorHtml(message: string): string {\n  return `<!DOCTYPE html>\n<html><head><title>AemeathCLI — Google Login Failed</title></head>\n<body style=\"font-family:system-ui;text-align:center;padding:40px\">\n<h1>Login Failed</h1>\n<p>${escapeHtml(message)}</p>\n</body></html>`;\n}\n\nfunction extractEmailFromIdToken(idToken: string): string | undefined {\n  try {\n    const payload = idToken.split(\".\")[1];\n    if (!payload) return undefined;\n    const decoded = JSON.parse(Buffer.from(payload, \"base64url\").toString(\"utf8\")) as { email?: string };\n    return decoded.email;\n  } catch {\n    return undefined;\n  }\n}\n\n// ── GeminiLogin Class ───────────────────────────────────────────────────\n\nexport class GeminiLogin {\n  private readonly credentialStore: CredentialStore;\n  private callbackServer: Server | undefined;\n\n  constructor(store?: CredentialStore) {\n    this.credentialStore = store ?? new CredentialStore();\n  }\n\n  /**\n   * Run browser-based Google OAuth login using the same client ID\n   * as the official Gemini CLI. Browser opens automatically.\n   */\n  async login(): Promise<ICredential> {\n    // First try importing existing credentials from Gemini CLI's cache\n    const existing = this.readCachedCredential();\n    if (existing) {\n      const isExpired = existing.expiresAt ? new Date() > existing.expiresAt : false;\n      if (!isExpired) {\n        logger.info(\"Imported existing Gemini CLI credentials\");\n        await this.credentialStore.set(\"google\", existing);\n        return existing;\n      }\n    }\n\n    // Run the OAuth flow — browser opens automatically\n    const codeVerifier = generateCodeVerifier();\n    const codeChallenge = generateCodeChallenge(codeVerifier);\n    const state = generateState();\n\n    const { port, server } = await this.startCallbackServer();\n    this.callbackServer = server;\n\n    const redirectUri = `http://${LOCALHOST}:${port}/callback`;\n\n    const authUrl = new URL(AUTHORIZE_URL);\n    authUrl.searchParams.set(\"client_id\", CLIENT_ID);\n    authUrl.searchParams.set(\"redirect_uri\", redirectUri);\n    authUrl.searchParams.set(\"response_type\", \"code\");\n    authUrl.searchParams.set(\"scope\", SCOPE);\n    authUrl.searchParams.set(\"state\", state);\n    authUrl.searchParams.set(\"code_challenge\", codeChallenge);\n    authUrl.searchParams.set(\"code_challenge_method\", \"S256\");\n    authUrl.searchParams.set(\"access_type\", \"offline\");\n    authUrl.searchParams.set(\"prompt\", \"consent\");\n\n    logger.info(\"Opening browser for Google OAuth login\");\n\n    try {\n      const openModule = await import(\"open\");\n      await openModule.default(authUrl.toString());\n    } catch {\n      this.stopServer();\n      throw new AuthenticationError(\"google\", \"Failed to open browser for login\");\n    }\n\n    try {\n      const code = await this.waitForCallback(state);\n      const credential = await this.exchangeCodeForToken(code, codeVerifier, redirectUri);\n\n      await this.credentialStore.set(\"google\", credential);\n      logger.info(\"Google OAuth login successful\");\n\n      return credential;\n    } finally {\n      this.stopServer();\n    }\n  }\n\n  async logout(): Promise<void> {\n    await this.credentialStore.delete(\"google\");\n    logger.info(\"Google session revoked\");\n  }\n\n  async isLoggedIn(): Promise<boolean> {\n    const credential = this.readCachedCredential();\n    if (!credential) return false;\n    if (credential.expiresAt && new Date() > credential.expiresAt && credential.refreshToken === undefined) {\n      return false;\n    }\n\n    await this.credentialStore.set(\"google\", credential);\n    return true;\n  }\n\n  async getStatus(): Promise<{ loggedIn: boolean; email?: string | undefined; plan?: string | undefined }> {\n    const loggedIn = await this.isLoggedIn();\n    if (!loggedIn) return { loggedIn: false };\n\n    const credential = await this.credentialStore.get(\"google\");\n    if (!credential) return { loggedIn: false };\n\n    return {\n      loggedIn: true,\n      ...(credential.email !== undefined ? { email: credential.email } : {}),\n      plan: \"Google AI\",\n    };\n  }\n\n  async getCachedCredential(): Promise<ICredential | undefined> {\n    const credential = this.readCachedCredential();\n    if (credential) {\n      await this.credentialStore.set(\"google\", credential);\n    }\n    return credential;\n  }\n\n  // ── Read from Gemini CLI cache ────────────────────────────────────────\n\n  private readCachedCredential(): ICredential | undefined {\n    const oauthCreds = readOAuthCreds();\n    if (!oauthCreds?.access_token) return undefined;\n\n    let email: string | undefined;\n    const accounts = readGoogleAccounts();\n    if (accounts?.active) {\n      email = accounts.active;\n    } else if (oauthCreds.id_token) {\n      email = extractEmailFromIdToken(oauthCreds.id_token);\n    }\n\n    const expiresAt = oauthCreds.expiry_date ? new Date(oauthCreds.expiry_date) : undefined;\n\n    return {\n      provider: \"google\",\n      method: \"native_login\",\n      token: oauthCreds.access_token,\n      ...(oauthCreds.refresh_token !== undefined ? { refreshToken: oauthCreds.refresh_token } : {}),\n      ...(expiresAt !== undefined ? { expiresAt } : {}),\n      ...(email !== undefined ? { email } : {}),\n      plan: \"Google AI\",\n    };\n  }\n\n  // ── Internal ──────────────────────────────────────────────────────────\n\n  private startCallbackServer(): Promise<{ port: number; server: Server }> {\n    return new Promise((resolve, reject) => {\n      const server = createServer();\n      server.listen(0, LOCALHOST, () => {\n        const address = server.address();\n        if (address === null || typeof address === \"string\") {\n          server.close();\n          reject(new Error(\"Failed to bind callback server\"));\n          return;\n        }\n        resolve({ port: address.port, server });\n      });\n      server.on(\"error\", reject);\n    });\n  }\n\n  private waitForCallback(expectedState: string): Promise<string> {\n    return new Promise((resolve, reject) => {\n      const server = this.callbackServer;\n      if (server === undefined) {\n        reject(new AuthenticationError(\"google\", \"Callback server not started\"));\n        return;\n      }\n\n      const timeout = setTimeout(() => {\n        reject(new AuthenticationError(\"google\", \"Login timed out\"));\n      }, CALLBACK_TIMEOUT_MS);\n\n      server.on(\"request\", (req: IncomingMessage, res: ServerResponse) => {\n        const requestUrl = new URL(req.url ?? \"/\", `http://${LOCALHOST}`);\n        if (requestUrl.pathname !== \"/callback\") {\n          res.writeHead(404);\n          res.end(\"Not found\");\n          return;\n        }\n\n        clearTimeout(timeout);\n\n        const code = requestUrl.searchParams.get(\"code\");\n        const state = requestUrl.searchParams.get(\"state\");\n        const error = requestUrl.searchParams.get(\"error\");\n\n        if (error) {\n          res.writeHead(400, { \"Content-Type\": \"text/html\" });\n          res.end(errorHtml(`Google OAuth error: ${error}`));\n          reject(new AuthenticationError(\"google\", `OAuth error: ${error}`));\n          return;\n        }\n        if (state !== expectedState) {\n          res.writeHead(400, { \"Content-Type\": \"text/html\" });\n          res.end(errorHtml(\"State mismatch\"));\n          reject(new AuthenticationError(\"google\", \"OAuth state mismatch\"));\n          return;\n        }\n        if (!code) {\n          res.writeHead(400, { \"Content-Type\": \"text/html\" });\n          res.end(errorHtml(\"Missing authorization code\"));\n          reject(new AuthenticationError(\"google\", \"No authorization code received\"));\n          return;\n        }\n\n        res.writeHead(200, { \"Content-Type\": \"text/html\" });\n        res.end(successHtml());\n        resolve(code);\n      });\n    });\n  }\n\n  private async exchangeCodeForToken(\n    code: string,\n    codeVerifier: string,\n    redirectUri: string,\n  ): Promise<ICredential> {\n    const body = new URLSearchParams({\n      grant_type: \"authorization_code\",\n      code,\n      redirect_uri: redirectUri,\n      client_id: CLIENT_ID,\n      client_secret: CLIENT_SECRET,\n      code_verifier: codeVerifier,\n    });\n\n    const response = await fetch(TOKEN_URL, {\n      method: \"POST\",\n      headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n      body: body.toString(),\n    });\n\n    if (!response.ok) {\n      const text = await response.text();\n      throw new AuthenticationError(\"google\", `Token exchange failed: ${response.status} ${text}`);\n    }\n\n    const data = (await response.json()) as {\n      access_token?: string;\n      refresh_token?: string;\n      expires_in?: number;\n      id_token?: string;\n      scope?: string;\n      token_type?: string;\n    };\n\n    if (!data.access_token) {\n      throw new AuthenticationError(\"google\", \"Token exchange returned no access_token\");\n    }\n\n    const expiresAt = data.expires_in\n      ? new Date(Date.now() + data.expires_in * 1000)\n      : undefined;\n\n    let email: string | undefined;\n    if (data.id_token) {\n      email = extractEmailFromIdToken(data.id_token);\n    }\n\n    // Write tokens in Gemini CLI format so the Gemini CLI can also use them\n    const geminiCreds: IGeminiOAuthCreds = {\n      access_token: data.access_token,\n      ...(data.scope !== undefined ? { scope: data.scope } : {}),\n      ...(data.token_type !== undefined ? { token_type: data.token_type } : {}),\n      ...(data.id_token !== undefined ? { id_token: data.id_token } : {}),\n      ...(expiresAt !== undefined ? { expiry_date: expiresAt.getTime() } : {}),\n      ...(data.refresh_token !== undefined ? { refresh_token: data.refresh_token } : {}),\n    };\n    writeOAuthCreds(geminiCreds);\n\n    if (email) {\n      writeGoogleAccounts(email);\n    }\n\n    return {\n      provider: \"google\",\n      method: \"native_login\",\n      token: data.access_token,\n      ...(data.refresh_token !== undefined ? { refreshToken: data.refresh_token } : {}),\n      ...(expiresAt !== undefined ? { expiresAt } : {}),\n      ...(email !== undefined ? { email } : {}),\n      plan: \"Google AI\",\n    };\n  }\n\n  private stopServer(): void {\n    if (this.callbackServer !== undefined) {\n      this.callbackServer.close();\n      this.callbackServer = undefined;\n    }\n  }\n}\n"]}