agentgui 1.0.751 → 1.0.753

package/lib/agent-discovery.js

@@ -0,0 +1,161 @@
+import fs from 'fs';
+import path from 'path';
+import os from 'os';
+import { fileURLToPath } from 'url';
+import { execSync } from 'child_process';
+
+const BINARIES = [
+  { cmd: 'claude', id: 'claude-code', name: 'Claude Code', icon: 'C', protocol: 'cli' },
+  { cmd: 'opencode', id: 'opencode', name: 'OpenCode', icon: 'O', protocol: 'acp', npxPackage: 'opencode-ai' },
+  { cmd: 'gemini', id: 'gemini', name: 'Gemini CLI', icon: 'G', protocol: 'acp', npxPackage: '@google/gemini-cli' },
+  { cmd: 'kilo', id: 'kilo', name: 'Kilo Code', icon: 'K', protocol: 'acp', npxPackage: '@kilocode/cli' },
+  { cmd: 'goose', id: 'goose', name: 'Goose', icon: 'g', protocol: 'acp' },
+  { cmd: 'openhands', id: 'openhands', name: 'OpenHands', icon: 'H', protocol: 'acp' },
+  { cmd: 'augment', id: 'augment', name: 'Augment Code', icon: 'A', protocol: 'acp' },
+  { cmd: 'cline', id: 'cline', name: 'Cline', icon: 'c', protocol: 'acp' },
+  { cmd: 'kimi', id: 'kimi', name: 'Kimi CLI', icon: 'K', protocol: 'acp' },
+  { cmd: 'qwen-code', id: 'qwen', name: 'Qwen Code', icon: 'Q', protocol: 'acp' },
+  { cmd: 'codex', id: 'codex', name: 'Codex CLI', icon: 'X', protocol: 'acp', npxPackage: '@openai/codex' },
+  { cmd: 'mistral-vibe', id: 'mistral', name: 'Mistral Vibe', icon: 'M', protocol: 'acp' },
+  { cmd: 'kiro', id: 'kiro', name: 'Kiro CLI', icon: 'k', protocol: 'acp' },
+  { cmd: 'fast-agent', id: 'fast-agent', name: 'fast-agent', icon: 'F', protocol: 'acp' },
+];
+
+const CLI_WRAPPERS = [
+  { id: 'cli-opencode', name: 'OpenCode', icon: 'O', protocol: 'cli-wrapper', acpId: 'opencode' },
+  { id: 'cli-gemini', name: 'Gemini', icon: 'G', protocol: 'cli-wrapper', acpId: 'gemini' },
+  { id: 'cli-kilo', name: 'Kilo', icon: 'K', protocol: 'cli-wrapper', acpId: 'kilo' },
+  { id: 'cli-codex', name: 'Codex', icon: 'X', protocol: 'cli-wrapper', acpId: 'codex' },
+];
+
+export function findCommand(cmd, rootDir) {
+  const isWindows = os.platform() === 'win32';
+  const localBin = path.join(rootDir, 'node_modules', '.bin', isWindows ? cmd + '.cmd' : cmd);
+  if (fs.existsSync(localBin)) {
+    console.log(`[agent-discovery] Found ${cmd} in local node_modules`);
+    return localBin;
+  }
+  try {
+    const timeoutMs = 10000;
+    if (isWindows) {
+      const result = execSync(`where ${cmd}`, { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'ignore'], timeout: timeoutMs }).trim();
+      if (result) {
+        console.log(`[agent-discovery] Found ${cmd} in PATH`);
+        return result.split('\n')[0].trim();
+      }
+    } else {
+      const result = execSync(`which ${cmd}`, { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'ignore'], timeout: timeoutMs }).trim();
+      if (result) {
+        console.log(`[agent-discovery] Found ${cmd} in PATH`);
+        return result;
+      }
+    }
+  } catch (err) {
+    console.log(`[agent-discovery] ${cmd} not found or timed out`);
+    return null;
+  }
+  return null;
+}
+
+export async function queryACPServerAgents(baseUrl) {
+  const endpoint = baseUrl.endsWith('/') ? baseUrl + 'agents/search' : baseUrl + '/agents/search';
+  try {
+    const response = await fetch(endpoint, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', 'Accept': 'application/json' },
+      body: JSON.stringify({}),
+      signal: AbortSignal.timeout(5000)
+    });
+    if (!response.ok) {
+      console.error(`Failed to query ACP agents from ${baseUrl}: ${response.status}`);
+      return [];
+    }
+    const data = await response.json();
+    if (!data?.agents || !Array.isArray(data.agents)) {
+      console.error(`Invalid agents response from ${baseUrl}`);
+      return [];
+    }
+    return data.agents.map(agent => ({
+      id: agent.agent_id || agent.id,
+      name: agent.metadata?.ref?.name || agent.name || 'Unknown Agent',
+      metadata: {
+        ref: {
+          name: agent.metadata?.ref?.name,
+          version: agent.metadata?.ref?.version,
+          url: agent.metadata?.ref?.url,
+          tags: agent.metadata?.ref?.tags
+        },
+        description: agent.metadata?.description,
+        author: agent.metadata?.author,
+        license: agent.metadata?.license
+      },
+      specs: agent.specs ? {
+        capabilities: agent.specs.capabilities,
+        input_schema: agent.specs.input_schema || agent.specs.input,
+        output_schema: agent.specs.output_schema || agent.specs.output,
+        thread_state_schema: agent.specs.thread_state_schema || agent.specs.thread_state,
+        config_schema: agent.specs.config_schema || agent.specs.config,
+        custom_streaming_update_schema: agent.specs.custom_streaming_update_schema || agent.specs.custom_streaming_update
+      } : null,
+      custom_data: agent.custom_data,
+      icon: agent.metadata?.ref?.name?.charAt(0) || 'A',
+      protocol: 'acp',
+      path: baseUrl
+    }));
+  } catch (error) {
+    console.error(`ACP agents query failed for ${baseUrl}: ${error.message}`);
+    return [];
+  }
+}
+
+export function discoverAgents(rootDir) {
+  const agents = [];
+  for (const bin of BINARIES) {
+    const result = findCommand(bin.cmd, rootDir);
+    if (result) {
+      agents.push({ id: bin.id, name: bin.name, icon: bin.icon, path: result, protocol: bin.protocol });
+    } else if (bin.npxPackage) {
+      agents.push({ id: bin.id, name: bin.name, icon: bin.icon, path: null, protocol: bin.protocol, npxPackage: bin.npxPackage, npxLaunchable: true });
+    } else if (bin.id === 'claude-code') {
+      agents.push({ id: bin.id, name: bin.name, icon: bin.icon, path: null, protocol: bin.protocol, npxPackage: '@anthropic-ai/claude-code', npxLaunchable: true });
+    }
+  }
+
+  console.log('[discoverAgents] Found agents:', agents.map(a => a.id).join(', '));
+  for (const wrapper of CLI_WRAPPERS) {
+    if (agents.some(a => a.id === wrapper.acpId)) {
+      console.log(`[discoverAgents] Adding CLI wrapper for ${wrapper.id}`);
+      agents.push(wrapper);
+    } else {
+      console.log(`[discoverAgents] Skipping CLI wrapper ${wrapper.id} (ACP agent ${wrapper.acpId} not found)`);
+    }
+  }
+  const wrappedAcpIds = new Set(CLI_WRAPPERS.filter(w => agents.some(a => a.id === w.acpId)).map(w => w.acpId));
+  const filtered = agents.filter(a => !wrappedAcpIds.has(a.id));
+  console.log('[discoverAgents] Final agent count:', filtered.length, 'Agent IDs:', filtered.map(a => a.id).join(', '));
+  return filtered;
+}
+
+export async function discoverExternalACPServers(discoveredAgents) {
+  const externalAgents = [];
+  for (const agent of discoveredAgents.filter(a => a.protocol === 'acp' && a.acpPort)) {
+    try {
+      const agents = await queryACPServerAgents(`http://localhost:${agent.acpPort}`);
+      externalAgents.push(...agents);
+    } catch (_) {}
+  }
+  return externalAgents;
+}
+
+export async function initializeAgentDiscovery(discoveredAgents, rootDir, logError) {
+  try {
+    const agents = discoverAgents(rootDir);
+    discoveredAgents.length = 0;
+    discoveredAgents.push(...agents);
+    console.log('[AGENTS] Discovered:', discoveredAgents.map(a => ({ id: a.id, found: !!a.path, protocol: a.protocol })));
+    console.log('[AGENTS] Total count:', discoveredAgents.length);
+  } catch (err) {
+    console.error('[AGENTS] Discovery error:', err.message);
+    if (logError) logError('initializeAgentDiscovery', err);
+  }
+}

package/lib/oauth-codex.js

@@ -0,0 +1,162 @@
+import fs from 'fs';
+import path from 'path';
+import os from 'os';
+import crypto from 'crypto';
+import { buildBaseUrl, isRemoteRequest, encodeOAuthState, decodeOAuthState, oauthResultPage, oauthRelayPage } from './oauth-common.js';
+
+const CODEX_HOME = process.env.CODEX_HOME || path.join(os.homedir(), '.codex');
+const CODEX_AUTH_FILE = path.join(CODEX_HOME, 'auth.json');
+const CODEX_OAUTH_ISSUER = 'https://auth.openai.com';
+const CODEX_CLIENT_ID = 'app_EMoamEEZ73f0CkXaXp7hrann';
+const CODEX_SCOPES = 'openid profile email offline_access api.connectors.read api.connectors.invoke';
+const CODEX_OAUTH_PORT = 1455;
+
+let codexOAuthState = { status: 'idle', error: null, email: null };
+let codexOAuthPending = null;
+
+function generatePkce() {
+  const verifierBytes = crypto.randomBytes(64);
+  const codeVerifier = verifierBytes.toString('base64url');
+  const challengeBytes = crypto.createHash('sha256').update(codeVerifier).digest();
+  const codeChallenge = challengeBytes.toString('base64url');
+  return { codeVerifier, codeChallenge };
+}
+
+function parseJwtEmail(jwt) {
+  try {
+    const parts = jwt.split('.');
+    if (parts.length < 2) return '';
+    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+    return payload.email || payload['https://api.openai.com/profile']?.email || '';
+  } catch (_) { return ''; }
+}
+
+function saveCodexCredentials(tokens) {
+  if (!fs.existsSync(CODEX_HOME)) fs.mkdirSync(CODEX_HOME, { recursive: true });
+  const auth = { auth_mode: 'chatgpt', tokens, last_refresh: new Date().toISOString() };
+  fs.writeFileSync(CODEX_AUTH_FILE, JSON.stringify(auth, null, 2), { mode: 0o600 });
+  try { fs.chmodSync(CODEX_AUTH_FILE, 0o600); } catch (_) {}
+}
+
+export function getCodexOAuthStatus() {
+  try {
+    if (fs.existsSync(CODEX_AUTH_FILE)) {
+      const auth = JSON.parse(fs.readFileSync(CODEX_AUTH_FILE, 'utf8'));
+      if (auth.tokens?.access_token || auth.tokens?.refresh_token) {
+        const email = parseJwtEmail(auth.tokens?.id_token || '') || '';
+        return { hasKey: true, apiKey: email || '****oauth', defaultModel: '', path: CODEX_AUTH_FILE, authMethod: 'oauth' };
+      }
+    }
+  } catch (_) {}
+  return null;
+}
+
+export async function startCodexOAuth(req, { PORT, BASE_URL }) {
+  const remote = isRemoteRequest(req);
+  const redirectUri = remote
+    ? `${buildBaseUrl(req, PORT)}${BASE_URL}/codex-oauth2callback`
+    : `http://localhost:${CODEX_OAUTH_PORT}/auth/callback`;
+  const pkce = generatePkce();
+  const csrfToken = crypto.randomBytes(32).toString('hex');
+  const relayUrl = remote ? `${buildBaseUrl(req, PORT)}${BASE_URL}/api/codex-oauth/relay` : null;
+  const state = encodeOAuthState(csrfToken, relayUrl);
+  const params = new URLSearchParams({
+    response_type: 'code',
+    client_id: CODEX_CLIENT_ID,
+    redirect_uri: redirectUri,
+    scope: CODEX_SCOPES,
+    code_challenge: pkce.codeChallenge,
+    code_challenge_method: 'S256',
+    id_token_add_organizations: 'true',
+    codex_cli_simplified_flow: 'true',
+    state,
+  });
+  const authUrl = `${CODEX_OAUTH_ISSUER}/oauth/authorize?${params.toString()}`;
+  const mode = remote ? 'remote' : 'local';
+  codexOAuthPending = { pkce, redirectUri, state: csrfToken };
+  codexOAuthState = { status: 'pending', error: null, email: null };
+  setTimeout(() => {
+    if (codexOAuthState.status === 'pending') {
+      codexOAuthState = { status: 'error', error: 'Authentication timed out', email: null };
+      codexOAuthPending = null;
+    }
+  }, 5 * 60 * 1000);
+  return { authUrl, mode };
+}
+
+export async function exchangeCodexOAuthCode(code, stateParam) {
+  if (!codexOAuthPending) throw new Error('No pending OAuth flow. Please start authentication again.');
+  const { pkce, redirectUri, state: expectedCsrf } = codexOAuthPending;
+  const { csrfToken } = decodeOAuthState(stateParam);
+  if (csrfToken !== expectedCsrf) {
+    codexOAuthState = { status: 'error', error: 'State mismatch', email: null };
+    codexOAuthPending = null;
+    throw new Error('State mismatch - possible CSRF attack.');
+  }
+  if (!code) {
+    codexOAuthState = { status: 'error', error: 'No authorization code received', email: null };
+    codexOAuthPending = null;
+    throw new Error('No authorization code received.');
+  }
+  const body = new URLSearchParams({
+    grant_type: 'authorization_code',
+    code,
+    redirect_uri: redirectUri,
+    client_id: CODEX_CLIENT_ID,
+    code_verifier: pkce.codeVerifier,
+  });
+  const resp = await fetch(`${CODEX_OAUTH_ISSUER}/oauth/token`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: body.toString(),
+  });
+  if (!resp.ok) {
+    const text = await resp.text();
+    codexOAuthState = { status: 'error', error: `Token exchange failed: ${resp.status}`, email: null };
+    codexOAuthPending = null;
+    throw new Error(`Token exchange failed (${resp.status}): ${text}`);
+  }
+  const tokens = await resp.json();
+  const email = parseJwtEmail(tokens.id_token || '');
+  saveCodexCredentials(tokens);
+  codexOAuthState = { status: 'success', error: null, email };
+  codexOAuthPending = null;
+  return email;
+}
+
+export async function handleCodexOAuthCallback(req, res, PORT) {
+  const reqUrl = new URL(req.url, `http://localhost:${PORT}`);
+  const code = reqUrl.searchParams.get('code');
+  const state = reqUrl.searchParams.get('state');
+  const error = reqUrl.searchParams.get('error');
+  const errorDesc = reqUrl.searchParams.get('error_description');
+  if (error) {
+    const desc = errorDesc || error;
+    codexOAuthState = { status: 'error', error: desc, email: null };
+    codexOAuthPending = null;
+  }
+  const stateData = decodeOAuthState(state || '');
+  if (stateData.relayUrl) {
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end(oauthRelayPage(code, state, errorDesc || error));
+    return;
+  }
+  if (!codexOAuthPending) {
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end(oauthResultPage('Authentication Failed', 'No pending OAuth flow.', false));
+    return;
+  }
+  try {
+    if (error) throw new Error(errorDesc || error);
+    const email = await exchangeCodexOAuthCode(code, state);
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end(oauthResultPage('Authentication Successful', email ? `Signed in as ${email}` : 'Codex CLI credentials saved.', true));
+  } catch (e) {
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end(oauthResultPage('Authentication Failed', e.message, false));
+  }
+}
+
+export function getCodexOAuthState() { return codexOAuthState; }
+export function getCodexOAuthPending() { return codexOAuthPending; }
+export { CODEX_HOME, CODEX_AUTH_FILE };

package/lib/oauth-common.js

@@ -0,0 +1,92 @@
+import crypto from 'crypto';
+
+export function buildBaseUrl(req, PORT) {
+  const override = process.env.AGENTGUI_BASE_URL;
+  if (override) return override.replace(/\/+$/, '');
+  const fwdProto = req.headers['x-forwarded-proto'];
+  const fwdHost = req.headers['x-forwarded-host'] || req.headers['host'];
+  if (fwdHost) {
+    const proto = fwdProto || (req.socket.encrypted ? 'https' : 'http');
+    const cleanHost = fwdHost.replace(/:443$/, '').replace(/:80$/, '');
+    return `${proto}://${cleanHost}`;
+  }
+  return `http://127.0.0.1:${PORT}`;
+}
+
+export function isRemoteRequest(req) {
+  return !!(req && (req.headers['x-forwarded-for'] || req.headers['x-forwarded-host'] || req.headers['x-forwarded-proto']));
+}
+
+export function encodeOAuthState(csrfToken, relayUrl) {
+  const payload = JSON.stringify({ t: csrfToken, r: relayUrl });
+  return Buffer.from(payload).toString('base64url');
+}
+
+export function decodeOAuthState(stateStr) {
+  try {
+    const payload = JSON.parse(Buffer.from(stateStr, 'base64url').toString());
+    return { csrfToken: payload.t, relayUrl: payload.r };
+  } catch (_) {
+    return { csrfToken: stateStr, relayUrl: null };
+  }
+}
+
+export function oauthResultPage(title, message, success) {
+  const color = success ? '#10b981' : '#ef4444';
+  const icon = success ? '✓' : '✗';
+  return `<!DOCTYPE html><html><head><title>${title}</title></head>
+<body style="margin:0;display:flex;align-items:center;justify-content:center;min-height:100vh;background:#111827;font-family:system-ui,sans-serif;color:white;">
+<div style="text-align:center;max-width:400px;padding:2rem;">
+<div style="font-size:4rem;color:${color};margin-bottom:1rem;">${icon}</div>
+<h1 style="font-size:1.5rem;margin-bottom:0.5rem;">${title}</h1>
+<p style="color:#9ca3af;">${message}</p>
+<p style="color:#6b7280;margin-top:1rem;font-size:0.875rem;">You can close this tab.</p>
+</div></body></html>`;
+}
+
+export function oauthRelayPage(code, state, error) {
+  const stateData = decodeOAuthState(state || '');
+  const relayUrl = stateData.relayUrl || '';
+  const escapedCode = (code || '').replace(/['"\\]/g, '');
+  const escapedState = (state || '').replace(/['"\\]/g, '');
+  const escapedError = (error || '').replace(/['"\\]/g, '');
+  const escapedRelay = relayUrl.replace(/['"\\]/g, '');
+  return `<!DOCTYPE html><html><head><title>Completing sign-in...</title></head>
+<body style="margin:0;display:flex;align-items:center;justify-content:center;min-height:100vh;background:#111827;font-family:system-ui,sans-serif;color:white;">
+<div id="status" style="text-align:center;max-width:400px;padding:2rem;">
+<div id="spinner" style="font-size:2rem;margin-bottom:1rem;">&#8987;</div>
+<h1 id="title" style="font-size:1.5rem;margin-bottom:0.5rem;">Completing sign-in...</h1>
+<p id="msg" style="color:#9ca3af;">Relaying authentication to server...</p>
+</div>
+<script>
+(function() {
+  var code = '${escapedCode}';
+  var state = '${escapedState}';
+  var error = '${escapedError}';
+  var relayUrl = '${escapedRelay}';
+  function show(icon, title, msg, color) {
+    document.getElementById('spinner').textContent = icon;
+    document.getElementById('spinner').style.color = color;
+    document.getElementById('title').textContent = title;
+    document.getElementById('msg').textContent = msg;
+  }
+  if (error) { show('\\u2717', 'Authentication Failed', error, '#ef4444'); return; }
+  if (!code) { show('\\u2717', 'Authentication Failed', 'No authorization code received.', '#ef4444'); return; }
+  if (!relayUrl) { show('\\u2713', 'Authentication Successful', 'Credentials saved. You can close this tab.', '#10b981'); return; }
+  fetch(relayUrl, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ code: code, state: state })
+  }).then(function(r) { return r.json(); }).then(function(data) {
+    if (data.success) {
+      show('\\u2713', 'Authentication Successful', data.email ? 'Signed in as ' + data.email + '. You can close this tab.' : 'Credentials saved. You can close this tab.', '#10b981');
+    } else {
+      show('\\u2717', 'Authentication Failed', data.error || 'Unknown error', '#ef4444');
+    }
+  }).catch(function(e) {
+    show('\\u2717', 'Relay Failed', 'Could not reach server: ' + e.message + '. You may need to paste the URL manually.', '#ef4444');
+  });
+})();
+</script>
+</body></html>`;
+}

package/lib/oauth-gemini.js

@@ -0,0 +1,200 @@
+import fs from 'fs';
+import path from 'path';
+import os from 'os';
+import crypto from 'crypto';
+import { execSync } from 'child_process';
+import { OAuth2Client } from 'google-auth-library';
+import { findCommand } from './agent-discovery.js';
+import { buildBaseUrl, isRemoteRequest, encodeOAuthState, decodeOAuthState, oauthResultPage, oauthRelayPage } from './oauth-common.js';
+
+const GEMINI_SCOPES = [
+  'https://www.googleapis.com/auth/cloud-platform',
+  'https://www.googleapis.com/auth/userinfo.email',
+  'https://www.googleapis.com/auth/userinfo.profile',
+];
+const GEMINI_DIR = path.join(os.homedir(), '.gemini');
+const GEMINI_OAUTH_FILE = path.join(GEMINI_DIR, 'oauth_creds.json');
+const GEMINI_ACCOUNTS_FILE = path.join(GEMINI_DIR, 'google_accounts.json');
+
+let geminiOAuthState = { status: 'idle', error: null, email: null };
+let geminiOAuthPending = null;
+
+function extractOAuthFromFile(oauth2Path) {
+  try {
+    const src = fs.readFileSync(oauth2Path, 'utf8');
+    const idMatch = src.match(/OAUTH_CLIENT_ID\s*=\s*['"]([^'"]+)['"]/);
+    const secretMatch = src.match(/OAUTH_CLIENT_SECRET\s*=\s*['"]([^'"]+)['"]/);
+    if (idMatch && secretMatch) return { clientId: idMatch[1], clientSecret: secretMatch[1] };
+  } catch {}
+  return null;
+}
+
+export function getGeminiOAuthCreds(rootDir) {
+  if (process.env.GOOGLE_OAUTH_CLIENT_ID && process.env.GOOGLE_OAUTH_CLIENT_SECRET) {
+    return { clientId: process.env.GOOGLE_OAUTH_CLIENT_ID, clientSecret: process.env.GOOGLE_OAUTH_CLIENT_SECRET, custom: true };
+  }
+  const oauthRelPath = path.join('node_modules', '@google', 'gemini-cli-core', 'dist', 'src', 'code_assist', 'oauth2.js');
+  try {
+    const geminiPath = findCommand('gemini', rootDir);
+    if (geminiPath) {
+      const realPath = fs.realpathSync(geminiPath);
+      const pkgRoot = path.resolve(path.dirname(realPath), '..');
+      const result = extractOAuthFromFile(path.join(pkgRoot, oauthRelPath));
+      if (result) return result;
+    }
+  } catch (e) {
+    console.error('[gemini-oauth] gemini lookup failed:', e.message);
+  }
+  try {
+    const npmCacheDirs = new Set();
+    const addDir = (d) => { if (d) npmCacheDirs.add(path.join(d, '_npx')); };
+    addDir(path.join(os.homedir(), '.npm'));
+    addDir(path.join(os.homedir(), '.cache', '.npm'));
+    if (process.env.NPM_CACHE) addDir(process.env.NPM_CACHE);
+    if (process.env.npm_config_cache) addDir(process.env.npm_config_cache);
+    try { addDir(execSync('npm config get cache', { encoding: 'utf8', timeout: 5000 }).trim()); } catch {}
+    for (const cacheDir of npmCacheDirs) {
+      if (!fs.existsSync(cacheDir)) continue;
+      for (const d of fs.readdirSync(cacheDir).filter(d => !d.startsWith('.'))) {
+        const result = extractOAuthFromFile(path.join(cacheDir, d, oauthRelPath));
+        if (result) return result;
+      }
+    }
+  } catch (e) {
+    console.error('[gemini-oauth] npm cache scan failed:', e.message);
+  }
+  console.error('[gemini-oauth] Could not find Gemini CLI OAuth credentials in any known location');
+  return null;
+}
+
+function saveGeminiCredentials(tokens, email) {
+  if (!fs.existsSync(GEMINI_DIR)) fs.mkdirSync(GEMINI_DIR, { recursive: true });
+  fs.writeFileSync(GEMINI_OAUTH_FILE, JSON.stringify(tokens, null, 2), { mode: 0o600 });
+  try { fs.chmodSync(GEMINI_OAUTH_FILE, 0o600); } catch (_) {}
+  let accounts = { active: null, old: [] };
+  try {
+    if (fs.existsSync(GEMINI_ACCOUNTS_FILE)) {
+      accounts = JSON.parse(fs.readFileSync(GEMINI_ACCOUNTS_FILE, 'utf8'));
+    }
+  } catch (_) {}
+  if (email) {
+    if (accounts.active && accounts.active !== email && !accounts.old.includes(accounts.active)) {
+      accounts.old.push(accounts.active);
+    }
+    accounts.active = email;
+  }
+  fs.writeFileSync(GEMINI_ACCOUNTS_FILE, JSON.stringify(accounts, null, 2), { mode: 0o600 });
+}
+
+export async function startGeminiOAuth(req, { PORT, BASE_URL, rootDir }) {
+  const creds = getGeminiOAuthCreds(rootDir);
+  if (!creds) throw new Error('Could not find Gemini CLI OAuth credentials. Install gemini CLI first.');
+  const useCustomClient = !!creds.custom;
+  const remote = isRemoteRequest(req);
+  let redirectUri;
+  if (useCustomClient && req) {
+    redirectUri = `${buildBaseUrl(req, PORT)}${BASE_URL}/oauth2callback`;
+  } else {
+    redirectUri = `http://localhost:${PORT}${BASE_URL}/oauth2callback`;
+  }
+  const csrfToken = crypto.randomBytes(32).toString('hex');
+  const relayUrl = req ? `${buildBaseUrl(req, PORT)}${BASE_URL}/api/gemini-oauth/relay` : null;
+  const state = encodeOAuthState(csrfToken, relayUrl);
+  const client = new OAuth2Client({ clientId: creds.clientId, clientSecret: creds.clientSecret });
+  const authUrl = client.generateAuthUrl({ redirect_uri: redirectUri, access_type: 'offline', scope: GEMINI_SCOPES, state });
+  const mode = useCustomClient ? 'custom' : (remote ? 'cli-remote' : 'cli-local');
+  geminiOAuthPending = { client, redirectUri, state: csrfToken };
+  geminiOAuthState = { status: 'pending', error: null, email: null };
+  setTimeout(() => {
+    if (geminiOAuthState.status === 'pending') {
+      geminiOAuthState = { status: 'error', error: 'Authentication timed out', email: null };
+      geminiOAuthPending = null;
+    }
+  }, 5 * 60 * 1000);
+  return { authUrl, mode };
+}
+
+export async function exchangeGeminiOAuthCode(code, stateParam) {
+  if (!geminiOAuthPending) throw new Error('No pending OAuth flow. Please start authentication again.');
+  const { client, redirectUri, state: expectedCsrf } = geminiOAuthPending;
+  const { csrfToken } = decodeOAuthState(stateParam);
+  if (csrfToken !== expectedCsrf) {
+    geminiOAuthState = { status: 'error', error: 'State mismatch', email: null };
+    geminiOAuthPending = null;
+    throw new Error('State mismatch - possible CSRF attack.');
+  }
+  if (!code) {
+    geminiOAuthState = { status: 'error', error: 'No authorization code received', email: null };
+    geminiOAuthPending = null;
+    throw new Error('No authorization code received.');
+  }
+  const { tokens } = await client.getToken({ code, redirect_uri: redirectUri });
+  client.setCredentials(tokens);
+  let email = '';
+  try {
+    const { token } = await client.getAccessToken();
+    if (token) {
+      const resp = await fetch('https://www.googleapis.com/oauth2/v2/userinfo', { headers: { Authorization: `Bearer ${token}` } });
+      if (resp.ok) { const info = await resp.json(); email = info.email || ''; }
+    }
+  } catch (_) {}
+  saveGeminiCredentials(tokens, email);
+  geminiOAuthState = { status: 'success', error: null, email };
+  geminiOAuthPending = null;
+  return email;
+}
+
+export async function handleGeminiOAuthCallback(req, res, PORT) {
+  const reqUrl = new URL(req.url, `http://localhost:${PORT}`);
+  const code = reqUrl.searchParams.get('code');
+  const state = reqUrl.searchParams.get('state');
+  const error = reqUrl.searchParams.get('error');
+  const errorDesc = reqUrl.searchParams.get('error_description');
+  if (error) {
+    const desc = errorDesc || error;
+    geminiOAuthState = { status: 'error', error: desc, email: null };
+    geminiOAuthPending = null;
+  }
+  const stateData = decodeOAuthState(state || '');
+  if (stateData.relayUrl) {
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end(oauthRelayPage(code, state, errorDesc || error));
+    return;
+  }
+  if (!geminiOAuthPending) {
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end(oauthResultPage('Authentication Failed', 'No pending OAuth flow.', false));
+    return;
+  }
+  try {
+    if (error) throw new Error(errorDesc || error);
+    const email = await exchangeGeminiOAuthCode(code, state);
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end(oauthResultPage('Authentication Successful', email ? `Signed in as ${email}` : 'Gemini CLI credentials saved.', true));
+  } catch (e) {
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end(oauthResultPage('Authentication Failed', e.message, false));
+  }
+}
+
+export function getGeminiOAuthStatus() {
+  try {
+    if (fs.existsSync(GEMINI_OAUTH_FILE)) {
+      const creds = JSON.parse(fs.readFileSync(GEMINI_OAUTH_FILE, 'utf8'));
+      if (creds.refresh_token || creds.access_token) {
+        let email = '';
+        try {
+          if (fs.existsSync(GEMINI_ACCOUNTS_FILE)) {
+            const accts = JSON.parse(fs.readFileSync(GEMINI_ACCOUNTS_FILE, 'utf8'));
+            email = accts.active || '';
+          }
+        } catch (_) {}
+        return { hasKey: true, apiKey: email || '****oauth', defaultModel: '', path: GEMINI_OAUTH_FILE, authMethod: 'oauth' };
+      }
+    }
+  } catch (_) {}
+  return null;
+}
+
+export function getGeminiOAuthState() { return geminiOAuthState; }
+export function getGeminiOAuthPending() { return geminiOAuthPending; }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentgui",
-  "version": "1.0.751",
+  "version": "1.0.753",
   "description": "Multi-agent ACP client with real-time communication",
   "type": "module",
   "main": "electron/main.js",