claude-glm 1.3.3 → 1.4.0

package/adapters/anthropic-gateway.ts

@@ -5,8 +5,16 @@ import type { AnthropicRequest, ProviderModel } from "./types.js";
 import { chatOpenAI } from "./providers/openai.js";
 import { chatOpenRouter } from "./providers/openrouter.js";
 import { chatGemini } from "./providers/gemini.js";
+import { chatGeminiOAuth } from "./providers/gemini-oauth.js";
 import { passThrough } from "./providers/anthropic-pass.js";
 import { preprocessImages } from "./vision-preprocess.js";
+import {
+  buildLoginUrl,
+  handleOAuthCallback,
+  getLoginStatus,
+  googleLogout,
+  loginPage,
+} from "./google-auth.js";
 import { config } from "dotenv";
 import { join } from "path";
 import { homedir } from "os";
@@ -32,6 +40,76 @@ fastify.get("/_status", async () => {
   return active ?? { provider: "glm", model: "glm-5" };
 });
 
+// ── Google OAuth endpoints ─────────────────────────────────────────────
+
+// Landing page with sign-in button
+fastify.get("/google/login", async (_req, reply) => {
+  reply.type("text/html").send(loginPage(PORT));
+});
+
+// Start OAuth flow (redirects to Google)
+fastify.get("/google/login/start", async (_req, reply) => {
+  const authUrl = buildLoginUrl(PORT);
+  reply.redirect(authUrl);
+});
+
+// OAuth callback (receives auth code from Google)
+fastify.get("/google/callback", async (req, reply) => {
+  const query = req.query as Record<string, string>;
+  const { code, state, error } = query;
+
+  if (error) {
+    return reply.type("text/html").code(400).send(
+      `<html><body style="font-family:system-ui;text-align:center;padding:60px;background:#0f172a;color:#e2e8f0;">
+        <h1 style="color:#f87171;">Login Failed</h1><p>${error}</p>
+        <a href="/google/login" style="color:#60a5fa;">Try again</a>
+      </body></html>`
+    );
+  }
+
+  if (!code || !state) {
+    return reply.type("text/html").code(400).send(
+      `<html><body style="font-family:system-ui;text-align:center;padding:60px;background:#0f172a;color:#e2e8f0;">
+        <h1 style="color:#f87171;">Missing Parameters</h1><p>No authorization code received.</p>
+        <a href="/google/login" style="color:#60a5fa;">Try again</a>
+      </body></html>`
+    );
+  }
+
+  try {
+    const tokens = await handleOAuthCallback(code, state);
+    reply.type("text/html").send(
+      `<html><body style="font-family:system-ui;display:flex;justify-content:center;align-items:center;height:100vh;margin:0;background:#0f172a;">
+        <div style="text-align:center;color:#e2e8f0;max-width:500px;">
+          <div style="font-size:48px;">&#10003;</div>
+          <h1 style="color:#4ade80;">Authenticated Successfully</h1>
+          <p>Logged in as: <strong>${tokens.email || "unknown"}</strong></p>
+          ${tokens.project_id ? `<p>Code Assist Project: <code style="background:#1e293b;padding:2px 8px;border-radius:4px;">${tokens.project_id}</code></p>` : `<p style="color:#94a3b8;">Using standard Generative Language API</p>`}
+          <p style="color:#64748b;margin-top:24px;">You can close this window.<br>Use <code style="background:#1e293b;padding:2px 8px;border-radius:4px;">go:gemini-3.1-pro-preview</code> as your model in Claude Code.</p>
+        </div>
+      </body></html>`
+    );
+  } catch (e: any) {
+    reply.type("text/html").code(500).send(
+      `<html><body style="font-family:system-ui;text-align:center;padding:60px;background:#0f172a;color:#e2e8f0;">
+        <h1 style="color:#f87171;">Login Failed</h1><p>${e.message}</p>
+        <a href="/google/login" style="color:#60a5fa;">Try again</a>
+      </body></html>`
+    );
+  }
+});
+
+// Login status
+fastify.get("/google/status", async () => {
+  return getLoginStatus();
+});
+
+// Logout
+fastify.post("/google/logout", async () => {
+  await googleLogout();
+  return { ok: true, message: "Logged out of Google" };
+});
+
 // Main messages endpoint - routes by model prefix
 fastify.post("/v1/messages", async (req, res) => {
   try {
@@ -81,6 +159,15 @@ fastify.post("/v1/messages", async (req, res) => {
       return chatOpenRouter(res, body, model, key);
     }
 
+    if (provider === "gemini-oauth") {
+      res.raw.setHeader("Content-Type", "text/event-stream");
+      res.raw.setHeader("Cache-Control", "no-cache, no-transform");
+      res.raw.setHeader("Connection", "keep-alive");
+      // @ts-ignore
+      res.raw.flushHeaders?.();
+      return chatGeminiOAuth(res, body, model);
+    }
+
     if (provider === "gemini") {
       const key = process.env.GEMINI_API_KEY;
       if (!key) {
@@ -142,7 +229,18 @@ fastify.post("/v1/messages", async (req, res) => {
     });
   } catch (e: any) {
     const status = e?.statusCode ?? 500;
-    return res.code(status).send({ error: e?.message || "proxy error" });
+    const msg = e?.message || "proxy error";
+    console.error(`[ccx] ERROR: ${msg}`);
+
+    // If SSE headers already sent, we can't send a JSON error - write error as SSE event
+    if (res.raw.headersSent) {
+      try {
+        res.raw.write(`event: error\ndata: ${JSON.stringify({ type: "error", error: { type: "api_error", message: msg } })}\n\n`);
+        res.raw.end();
+      } catch { /* stream already closed */ }
+      return;
+    }
+    return res.code(status).send({ error: msg });
   }
 });
 
@@ -155,9 +253,17 @@ function apiError(status: number, message: string) {
 
 fastify
   .listen({ port: PORT, host: "127.0.0.1" })
-  .then(() => {
+  .then(async () => {
     console.log(`[ccx] Proxy listening on http://127.0.0.1:${PORT}`);
     console.log(`[ccx] Configure API keys in: ${envPath}`);
+
+    // Show Google login status
+    const gStatus = await getLoginStatus();
+    if (gStatus.loggedIn) {
+      console.log(`[ccx] Google: logged in as ${gStatus.email || "unknown"} (${gStatus.mode})`);
+    } else {
+      console.log(`[ccx] Google: not logged in. Visit http://127.0.0.1:${PORT}/google/login to authenticate`);
+    }
   })
   .catch((err) => {
     console.error("[ccx] Failed to start proxy:", err.message);

package/adapters/google-auth.ts

@@ -0,0 +1,602 @@
+// Google OAuth 2.0 authentication for Gemini via Code Assist API
+// Uses the same client credentials as the official Gemini CLI
+// (safe to include - this is an "installed application" per Google's OAuth2 docs)
+
+import * as http from "http";
+import * as crypto from "crypto";
+import { readFile, writeFile, mkdir } from "fs/promises";
+import { join } from "path";
+import { homedir } from "os";
+import { execSync } from "child_process";
+
+// ── OAuth constants (from official Gemini CLI) ─────────────────────────
+
+const OAUTH_CLIENT_ID =
+  "681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com";
+const OAUTH_CLIENT_SECRET = "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";
+
+const OAUTH_SCOPES = [
+  "https://www.googleapis.com/auth/cloud-platform",
+  "https://www.googleapis.com/auth/userinfo.email",
+  "https://www.googleapis.com/auth/userinfo.profile",
+];
+
+const AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth";
+const TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token";
+const USERINFO_ENDPOINT = "https://www.googleapis.com/oauth2/v2/userinfo";
+
+// Code Assist API for Pro subscribers
+const CA_ENDPOINT = "https://cloudcode-pa.googleapis.com";
+const CA_VERSION = "v1internal";
+
+// ── Storage ────────────────────────────────────────────────────────────
+
+const PROXY_DIR = join(homedir(), ".claude-proxy");
+const AUTH_FILE = join(PROXY_DIR, "google-oauth.json");
+
+export interface GoogleTokens {
+  access_token: string;
+  refresh_token: string;
+  expires_at: number; // timestamp in ms
+  email?: string;
+  project_id?: string;
+}
+
+export async function loadTokens(): Promise<GoogleTokens | null> {
+  try {
+    const data = await readFile(AUTH_FILE, "utf-8");
+    const parsed = JSON.parse(data);
+    if (!parsed.access_token || !parsed.refresh_token) return null;
+    return parsed as GoogleTokens;
+  } catch {
+    return null;
+  }
+}
+
+async function saveTokens(tokens: GoogleTokens): Promise<void> {
+  await mkdir(PROXY_DIR, { recursive: true });
+  await writeFile(AUTH_FILE, JSON.stringify(tokens, null, 2), { mode: 0o600 });
+}
+
+// ── PKCE helpers ───────────────────────────────────────────────────────
+
+function generatePKCE() {
+  const verifier = crypto.randomBytes(32).toString("base64url");
+  const challenge = crypto
+    .createHash("sha256")
+    .update(verifier)
+    .digest("base64url");
+  return { verifier, challenge };
+}
+
+// ── Token refresh ──────────────────────────────────────────────────────
+
+async function refreshAccessToken(
+  refreshToken: string
+): Promise<{ access_token: string; expires_in: number }> {
+  const resp = await fetch(TOKEN_ENDPOINT, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      client_id: OAUTH_CLIENT_ID,
+      client_secret: OAUTH_CLIENT_SECRET,
+      refresh_token: refreshToken,
+      grant_type: "refresh_token",
+    }),
+  });
+
+  if (!resp.ok) {
+    const text = await resp.text();
+    throw new Error(`Token refresh failed (${resp.status}): ${text}`);
+  }
+
+  return (await resp.json()) as { access_token: string; expires_in: number };
+}
+
+/** Get a valid access token, auto-refreshing if needed */
+export async function getAccessToken(): Promise<string> {
+  const tokens = await loadTokens();
+  if (!tokens) {
+    throw new Error(
+      "Not logged in to Google. Visit http://127.0.0.1:" +
+        (process.env.CLAUDE_PROXY_PORT || "17870") +
+        "/google/login to authenticate."
+    );
+  }
+
+  // Refresh if expired or within 5-minute buffer
+  if (Date.now() > tokens.expires_at - 5 * 60 * 1000) {
+    console.log("[gemini-oauth] Access token expired, refreshing...");
+    try {
+      const refreshed = await refreshAccessToken(tokens.refresh_token);
+      tokens.access_token = refreshed.access_token;
+      tokens.expires_at = Date.now() + refreshed.expires_in * 1000;
+      await saveTokens(tokens);
+      console.log("[gemini-oauth] Token refreshed successfully");
+    } catch (e: any) {
+      throw new Error(
+        `Token refresh failed: ${e.message}. Please re-login at /google/login`
+      );
+    }
+  }
+
+  return tokens.access_token;
+}
+
+// ── User info ──────────────────────────────────────────────────────────
+
+async function fetchUserEmail(
+  accessToken: string
+): Promise<string | undefined> {
+  try {
+    const resp = await fetch(USERINFO_ENDPOINT, {
+      headers: { Authorization: `Bearer ${accessToken}` },
+    });
+    if (resp.ok) {
+      const data = (await resp.json()) as any;
+      return data.email;
+    }
+  } catch {}
+  return undefined;
+}
+
+// ── Code Assist project setup ──────────────────────────────────────────
+
+async function setupCodeAssist(
+  accessToken: string
+): Promise<string | undefined> {
+  try {
+    console.log("[gemini-oauth] Setting up Code Assist project...");
+
+    const resp = await fetch(`${CA_ENDPOINT}/${CA_VERSION}:loadCodeAssist`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${accessToken}`,
+      },
+      body: JSON.stringify({
+        metadata: {
+          ideType: "IDE_UNSPECIFIED",
+          platform: "PLATFORM_UNSPECIFIED",
+          pluginType: "GEMINI",
+        },
+      }),
+    });
+
+    if (!resp.ok) {
+      console.warn(
+        `[gemini-oauth] Code Assist setup returned ${resp.status} - will use standard API`
+      );
+      return undefined;
+    }
+
+    const data = (await resp.json()) as any;
+
+    // Already set up
+    if (data.cloudaicompanionProject) {
+      console.log(
+        `[gemini-oauth] Code Assist project: ${data.cloudaicompanionProject}`
+      );
+      if (data.currentTier) {
+        console.log(
+          `[gemini-oauth] Tier: ${data.currentTier.name || data.currentTier.id}`
+        );
+      }
+      return data.cloudaicompanionProject;
+    }
+
+    // Need to onboard
+    const tier =
+      data.paidTier ||
+      data.currentTier ||
+      data.availableTiers?.find(
+        (t: any) => t.id === "STANDARD" || t.id === "FREE"
+      ) ||
+      data.availableTiers?.[0];
+
+    if (!tier) {
+      console.warn("[gemini-oauth] No tier available for onboarding");
+      return undefined;
+    }
+
+    console.log(
+      `[gemini-oauth] Onboarding to tier: ${tier.name || tier.id}...`
+    );
+    const onboardResp = await fetch(
+      `${CA_ENDPOINT}/${CA_VERSION}:onboardUser`,
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${accessToken}`,
+        },
+        body: JSON.stringify({
+          tierId: tier.id,
+          metadata: {
+            ideType: "IDE_UNSPECIFIED",
+            platform: "PLATFORM_UNSPECIFIED",
+            pluginType: "GEMINI",
+          },
+        }),
+      }
+    );
+
+    if (!onboardResp.ok) {
+      console.warn(
+        `[gemini-oauth] Onboard failed (${onboardResp.status}) - will use standard API`
+      );
+      return undefined;
+    }
+
+    const onboardData = (await onboardResp.json()) as any;
+
+    // Handle long-running operation
+    if (!onboardData.done && onboardData.name) {
+      console.log("[gemini-oauth] Waiting for onboarding to complete...");
+      const opName = onboardData.name;
+      let attempts = 0;
+      while (attempts < 12) {
+        await new Promise((r) => setTimeout(r, 5000));
+        const opResp = await fetch(
+          `${CA_ENDPOINT}/${CA_VERSION}/operations/${opName}`,
+          {
+            headers: { Authorization: `Bearer ${accessToken}` },
+          }
+        );
+        if (!opResp.ok) break;
+        const opData = (await opResp.json()) as any;
+        if (opData.done) {
+          const projectId = opData.response?.cloudaicompanionProject?.id;
+          if (projectId) {
+            console.log(
+              `[gemini-oauth] Onboarded to project: ${projectId}`
+            );
+            return projectId;
+          }
+          break;
+        }
+        attempts++;
+      }
+    }
+
+    const projectId = onboardData.response?.cloudaicompanionProject?.id;
+    if (projectId) {
+      console.log(`[gemini-oauth] Onboarded to project: ${projectId}`);
+      return projectId;
+    }
+
+    return undefined;
+  } catch (e: any) {
+    console.warn("[gemini-oauth] Code Assist setup error:", e.message);
+    return undefined;
+  }
+}
+
+// ── Browser opener ─────────────────────────────────────────────────────
+
+function openBrowser(url: string) {
+  try {
+    if (process.platform === "darwin") {
+      execSync(`open "${url}"`);
+    } else if (process.platform === "win32") {
+      execSync(`start "" "${url}"`);
+    } else {
+      execSync(`xdg-open "${url}"`);
+    }
+  } catch {
+    // Browser open failed - URL is shown in console anyway
+  }
+}
+
+// ── Standalone login (browser-based OAuth from terminal) ───────────────
+
+export async function googleLoginStandalone(): Promise<GoogleTokens> {
+  // Find an available port for callback
+  const port = await new Promise<number>((resolve, reject) => {
+    const srv = http.createServer();
+    srv.listen(0, "127.0.0.1", () => {
+      const addr = srv.address();
+      if (addr && typeof addr === "object") {
+        const p = addr.port;
+        srv.close(() => resolve(p));
+      } else {
+        reject(new Error("Could not find available port"));
+      }
+    });
+  });
+
+  const redirectUri = `http://127.0.0.1:${port}/oauth2callback`;
+  const state = crypto.randomBytes(32).toString("hex");
+  const { verifier, challenge } = generatePKCE();
+
+  const params = new URLSearchParams({
+    client_id: OAUTH_CLIENT_ID,
+    redirect_uri: redirectUri,
+    response_type: "code",
+    scope: OAUTH_SCOPES.join(" "),
+    access_type: "offline",
+    prompt: "consent",
+    state,
+    code_challenge_method: "S256",
+    code_challenge: challenge,
+  });
+
+  const authUrl = `${AUTH_ENDPOINT}?${params}`;
+
+  return new Promise((resolve, reject) => {
+    const timeout = setTimeout(() => {
+      server.close();
+      reject(new Error("Login timed out after 5 minutes"));
+    }, 5 * 60 * 1000);
+
+    const server = http.createServer(async (req, res) => {
+      if (!req.url?.startsWith("/oauth2callback")) {
+        res.writeHead(404);
+        res.end("Not found");
+        return;
+      }
+
+      try {
+        const url = new URL(req.url, `http://127.0.0.1:${port}`);
+        const error = url.searchParams.get("error");
+        const code = url.searchParams.get("code");
+        const returnedState = url.searchParams.get("state");
+
+        if (error) {
+          res.writeHead(400, { "Content-Type": "text/html" });
+          res.end(errorPage(`OAuth error: ${error}`));
+          clearTimeout(timeout);
+          server.close();
+          reject(new Error(`OAuth error: ${error}`));
+          return;
+        }
+
+        if (returnedState !== state) {
+          res.writeHead(400, { "Content-Type": "text/html" });
+          res.end(errorPage("State mismatch - possible CSRF attack"));
+          clearTimeout(timeout);
+          server.close();
+          reject(new Error("OAuth state mismatch"));
+          return;
+        }
+
+        if (!code) {
+          res.writeHead(400, { "Content-Type": "text/html" });
+          res.end(errorPage("No authorization code received"));
+          clearTimeout(timeout);
+          server.close();
+          reject(new Error("No authorization code"));
+          return;
+        }
+
+        // Exchange code for tokens
+        const tokenResp = await fetch(TOKEN_ENDPOINT, {
+          method: "POST",
+          headers: { "Content-Type": "application/x-www-form-urlencoded" },
+          body: new URLSearchParams({
+            client_id: OAUTH_CLIENT_ID,
+            client_secret: OAUTH_CLIENT_SECRET,
+            code,
+            code_verifier: verifier,
+            grant_type: "authorization_code",
+            redirect_uri: redirectUri,
+          }),
+        });
+
+        if (!tokenResp.ok) {
+          const text = await tokenResp.text();
+          res.writeHead(500, { "Content-Type": "text/html" });
+          res.end(errorPage(`Token exchange failed: ${text}`));
+          clearTimeout(timeout);
+          server.close();
+          reject(new Error(`Token exchange failed: ${text}`));
+          return;
+        }
+
+        const tokenData = (await tokenResp.json()) as any;
+
+        const tokens: GoogleTokens = {
+          access_token: tokenData.access_token,
+          refresh_token: tokenData.refresh_token,
+          expires_at: Date.now() + tokenData.expires_in * 1000,
+        };
+
+        // Fetch user info
+        tokens.email = await fetchUserEmail(tokens.access_token);
+
+        // Setup Code Assist
+        tokens.project_id = await setupCodeAssist(tokens.access_token);
+
+        // Save
+        await saveTokens(tokens);
+
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(successPage(tokens.email, tokens.project_id));
+
+        clearTimeout(timeout);
+        server.close();
+        resolve(tokens);
+      } catch (e: any) {
+        res.writeHead(500, { "Content-Type": "text/html" });
+        res.end(errorPage(e.message));
+        clearTimeout(timeout);
+        server.close();
+        reject(e);
+      }
+    });
+
+    server.listen(port, "127.0.0.1", () => {
+      console.log(`\n[gemini-oauth] Opening browser for Google login...`);
+      console.log(`[gemini-oauth] If browser doesn't open, visit:`);
+      console.log(`  ${authUrl}\n`);
+      openBrowser(authUrl);
+    });
+  });
+}
+
+// ── Proxy-integrated login (via Fastify routes) ────────────────────────
+
+// In-memory pending OAuth state for proxy-integrated login
+let pendingOAuth: {
+  state: string;
+  verifier: string;
+  redirectUri: string;
+} | null = null;
+
+/** Build the Google OAuth authorization URL (for proxy-integrated login) */
+export function buildLoginUrl(proxyPort: number): string {
+  const redirectUri = `http://127.0.0.1:${proxyPort}/google/callback`;
+  const state = crypto.randomBytes(32).toString("hex");
+  const { verifier, challenge } = generatePKCE();
+
+  pendingOAuth = { state, verifier, redirectUri };
+
+  const params = new URLSearchParams({
+    client_id: OAUTH_CLIENT_ID,
+    redirect_uri: redirectUri,
+    response_type: "code",
+    scope: OAUTH_SCOPES.join(" "),
+    access_type: "offline",
+    prompt: "consent",
+    state,
+    code_challenge_method: "S256",
+    code_challenge: challenge,
+  });
+
+  return `${AUTH_ENDPOINT}?${params}`;
+}
+
+/** Handle OAuth callback (for proxy-integrated login) */
+export async function handleOAuthCallback(
+  code: string,
+  state: string
+): Promise<GoogleTokens> {
+  if (!pendingOAuth) {
+    throw new Error("No pending OAuth flow. Visit /google/login first.");
+  }
+
+  if (state !== pendingOAuth.state) {
+    pendingOAuth = null;
+    throw new Error("OAuth state mismatch - possible CSRF attack.");
+  }
+
+  const { verifier, redirectUri } = pendingOAuth;
+  pendingOAuth = null;
+
+  // Exchange code for tokens
+  const tokenResp = await fetch(TOKEN_ENDPOINT, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      client_id: OAUTH_CLIENT_ID,
+      client_secret: OAUTH_CLIENT_SECRET,
+      code,
+      code_verifier: verifier,
+      grant_type: "authorization_code",
+      redirect_uri: redirectUri,
+    }),
+  });
+
+  if (!tokenResp.ok) {
+    const text = await tokenResp.text();
+    throw new Error(`Token exchange failed (${tokenResp.status}): ${text}`);
+  }
+
+  const tokenData = (await tokenResp.json()) as any;
+
+  const tokens: GoogleTokens = {
+    access_token: tokenData.access_token,
+    refresh_token: tokenData.refresh_token,
+    expires_at: Date.now() + tokenData.expires_in * 1000,
+  };
+
+  // Fetch user info
+  tokens.email = await fetchUserEmail(tokens.access_token);
+
+  // Setup Code Assist
+  tokens.project_id = await setupCodeAssist(tokens.access_token);
+
+  // Save
+  await saveTokens(tokens);
+
+  console.log(
+    `[gemini-oauth] Login successful! Email: ${tokens.email || "unknown"}, Project: ${tokens.project_id || "none (using standard API)"}`
+  );
+
+  return tokens;
+}
+
+/** Get login status */
+export async function getLoginStatus(): Promise<{
+  loggedIn: boolean;
+  email?: string;
+  projectId?: string;
+  expiresAt?: number;
+  mode?: string;
+}> {
+  const tokens = await loadTokens();
+  if (!tokens) return { loggedIn: false };
+  return {
+    loggedIn: true,
+    email: tokens.email,
+    projectId: tokens.project_id,
+    expiresAt: tokens.expires_at,
+    mode: tokens.project_id ? "code-assist" : "standard-api",
+  };
+}
+
+/** Logout */
+export async function googleLogout(): Promise<void> {
+  try {
+    const { unlink } = await import("fs/promises");
+    await unlink(AUTH_FILE);
+    console.log("[gemini-oauth] Logged out, credentials removed.");
+  } catch {
+    console.log("[gemini-oauth] Already logged out.");
+  }
+}
+
+// ── HTML pages ─────────────────────────────────────────────────────────
+
+function successPage(email?: string, projectId?: string): string {
+  return `<!DOCTYPE html>
+<html><head><title>Login Successful</title></head>
+<body style="font-family:system-ui;display:flex;justify-content:center;align-items:center;height:100vh;margin:0;background:#0f172a;">
+<div style="text-align:center;color:#e2e8f0;max-width:500px;">
+  <div style="font-size:48px;margin-bottom:16px;">&#10003;</div>
+  <h1 style="color:#4ade80;margin:0 0 12px;">Authenticated Successfully</h1>
+  <p>Logged in as: <strong>${email || "unknown"}</strong></p>
+  ${projectId ? `<p>Code Assist Project: <code style="background:#1e293b;padding:2px 8px;border-radius:4px;">${projectId}</code></p>` : `<p style="color:#94a3b8;">No Code Assist project (using standard API)</p>`}
+  <p style="color:#64748b;margin-top:24px;">You can close this window and return to your terminal.<br>Use <code style="background:#1e293b;padding:2px 8px;border-radius:4px;">go:gemini-3.1-pro-preview</code> as your model.</p>
+</div>
+</body></html>`;
+}
+
+function errorPage(message: string): string {
+  return `<!DOCTYPE html>
+<html><head><title>Login Failed</title></head>
+<body style="font-family:system-ui;display:flex;justify-content:center;align-items:center;height:100vh;margin:0;background:#0f172a;">
+<div style="text-align:center;color:#e2e8f0;max-width:500px;">
+  <div style="font-size:48px;margin-bottom:16px;">&#10007;</div>
+  <h1 style="color:#f87171;margin:0 0 12px;">Authentication Failed</h1>
+  <p>${message}</p>
+  <p style="color:#64748b;margin-top:24px;">Please try again at <a href="/google/login" style="color:#60a5fa;">/google/login</a></p>
+</div>
+</body></html>`;
+}
+
+export function loginPage(_proxyPort: number): string {
+  return `<!DOCTYPE html>
+<html><head><title>Google Login</title></head>
+<body style="font-family:system-ui;display:flex;justify-content:center;align-items:center;height:100vh;margin:0;background:#0f172a;">
+<div style="text-align:center;color:#e2e8f0;max-width:500px;">
+  <h1 style="margin:0 0 12px;">Google Login for Gemini</h1>
+  <p style="color:#94a3b8;">Click the button below to authenticate with your Google account.</p>
+  <p style="color:#94a3b8;">This uses the same OAuth flow as the official Gemini CLI.</p>
+  <a href="/google/login/start" style="display:inline-block;margin-top:24px;padding:12px 32px;background:#4285f4;color:white;text-decoration:none;border-radius:8px;font-size:16px;font-weight:600;">
+    Sign in with Google
+  </a>
+  <p style="color:#475569;margin-top:32px;font-size:14px;">Scopes: cloud-platform, userinfo.email, userinfo.profile</p>
+</div>
+</body></html>`;
+}

package/adapters/map.ts

@@ -10,6 +10,7 @@ const PROVIDER_PREFIXES: ProviderKey[] = [
   "openai",
   "openrouter",
   "gemini",
+  "gemini-oauth",
   "glm",
   "anthropic",
 ];
@@ -32,6 +33,15 @@ const MODEL_SHORTCUTS: Record<string, string> = {
   opus: "anthropic:claude-opus-4-5-20251101",
   sonnet: "anthropic:claude-sonnet-4-5-20250929",
   haiku: "anthropic:claude-haiku-4-5-20251001",
+  // Gemini OAuth shortcuts (Google account login)
+  go: "gemini-oauth:gemini-3-pro-preview",
+  gp: "gemini-oauth:gemini-3-pro-preview",
+  g3: "gemini-oauth:gemini-3-pro-preview",
+  "gemini-pro": "gemini-oauth:gemini-3-pro-preview",
+  gf: "gemini-oauth:gemini-3-flash-preview",
+  "gemini-flash": "gemini-oauth:gemini-3-flash-preview",
+  "g25p": "gemini-oauth:gemini-2.5-pro",
+  "g25f": "gemini-oauth:gemini-2.5-flash",
   // Add more shortcuts as needed
 };
 
@@ -91,8 +101,8 @@ export function warnIfTools(
   provider: ProviderKey,
 ): void {
   if (req.tools && req.tools.length > 0) {
-    // Only GLM and Anthropic support tools natively
-    if (provider !== "glm" && provider !== "anthropic") {
+    // GLM, Anthropic, and Gemini OAuth support tools natively
+    if (provider !== "glm" && provider !== "anthropic" && provider !== "gemini-oauth") {
       console.warn(
         `[proxy] Warning: ${provider} may not fully support Anthropic-style tools. Passing through anyway.`,
       );

package/adapters/providers/gemini-oauth.ts

@@ -0,0 +1,470 @@
+// Gemini OAuth adapter - uses Google OAuth tokens with Code Assist API or standard Generative Language API
+// Supports full tool/function calling and streaming
+
+import { FastifyReply } from "fastify";
+import { createParser } from "eventsource-parser";
+import { sendEvent } from "../sse.js";
+import { getAccessToken, loadTokens } from "../google-auth.js";
+import type {
+  AnthropicRequest,
+  AnthropicMessage,
+  AnthropicTool,
+  AnthropicContentBlock,
+} from "../types.js";
+import * as crypto from "crypto";
+
+// ── Endpoints ──────────────────────────────────────────────────────────
+
+const CA_ENDPOINT = "https://cloudcode-pa.googleapis.com";
+const CA_VERSION = "v1internal";
+const GL_ENDPOINT =
+  process.env.GEMINI_BASE_URL ||
+  "https://generativelanguage.googleapis.com/v1beta";
+
+// ── Format converters: Anthropic → Gemini ──────────────────────────────
+
+/** Find tool name by tool_use_id in message history */
+function findToolName(messages: AnthropicMessage[], toolUseId: string): string {
+  for (const m of messages) {
+    if (typeof m.content === "string") continue;
+    for (const block of m.content as AnthropicContentBlock[]) {
+      if (block.type === "tool_use" && block.id === toolUseId) {
+        return block.name;
+      }
+    }
+  }
+  return "unknown_tool";
+}
+
+/** Convert Anthropic content blocks to Gemini parts */
+function toGeminiParts(
+  content: AnthropicMessage["content"],
+  allMessages: AnthropicMessage[]
+): any[] {
+  if (typeof content === "string") {
+    return content ? [{ text: content }] : [{ text: " " }];
+  }
+
+  const parts: any[] = [];
+  for (const block of content as AnthropicContentBlock[]) {
+    if (block.type === "text") {
+      if (block.text) parts.push({ text: block.text });
+    } else if (block.type === "image") {
+      parts.push({
+        inlineData: {
+          mimeType: block.source.media_type,
+          data: block.source.data,
+        },
+      });
+    } else if (block.type === "tool_use") {
+      parts.push({
+        functionCall: {
+          name: block.name,
+          args:
+            typeof block.input === "string"
+              ? JSON.parse(block.input)
+              : block.input,
+        },
+        thoughtSignature: "skip_thought_signature_validator",
+      });
+    } else if (block.type === "tool_result") {
+      const functionName = findToolName(allMessages, block.tool_use_id);
+      const resultContent =
+        typeof block.content === "string"
+          ? block.content
+          : JSON.stringify(block.content);
+      parts.push({
+        functionResponse: {
+          name: functionName,
+          response: { content: resultContent },
+        },
+      });
+    }
+  }
+
+  return parts.length > 0 ? parts : [{ text: " " }];
+}
+
+/** Convert Anthropic messages to Gemini contents array */
+function toGeminiContents(messages: AnthropicMessage[]) {
+  // Gemini requires alternating user/model roles
+  // Merge consecutive same-role messages
+  const merged: { role: string; parts: any[] }[] = [];
+
+  for (const m of messages) {
+    const role = m.role === "assistant" ? "model" : "user";
+    const parts = toGeminiParts(m.content, messages);
+
+    if (merged.length > 0 && merged[merged.length - 1].role === role) {
+      // Merge into previous message of same role
+      merged[merged.length - 1].parts.push(...parts);
+    } else {
+      merged.push({ role, parts });
+    }
+  }
+
+  return merged;
+}
+
+/** Whitelist of fields Gemini actually accepts in function declaration schemas */
+const GEMINI_ALLOWED = new Set([
+  "type", "properties", "required", "description",
+  "enum", "items", "format", "nullable", "title",
+  "anyOf", "$ref", "$defs", "$id", "$anchor",
+  "minimum", "maximum", "minItems", "maxItems",
+  "prefixItems", "additionalProperties", "propertyOrdering",
+]);
+
+/** Recursively strip JSON Schema fields Gemini doesn't support.
+ *  `isPropertyMap` = true when we're inside a "properties" object,
+ *  where keys are user-defined property names (not schema keywords). */
+function sanitizeSchema(obj: any, isPropertyMap = false): any {
+  if (obj === null || obj === undefined || typeof obj !== "object") return obj;
+  if (Array.isArray(obj)) return obj.map((v) => sanitizeSchema(v, false));
+
+  const clean: any = {};
+  for (const [key, val] of Object.entries(obj)) {
+    if (!isPropertyMap && !GEMINI_ALLOWED.has(key)) continue;
+    // When key is "properties", its value is a map of name→schema
+    clean[key] = sanitizeSchema(val, key === "properties");
+  }
+  return clean;
+}
+
+/** Convert Anthropic tools to Gemini function declarations */
+function toGeminiTools(tools: AnthropicTool[]) {
+  return [
+    {
+      functionDeclarations: tools.map((t) => ({
+        name: t.name,
+        description: t.description || "",
+        parameters: sanitizeSchema(t.input_schema) || { type: "object", properties: {} },
+      })),
+    },
+  ];
+}
+
+// ── Main adapter ────────────────────────────────────────────────────────
+
+export async function chatGeminiOAuth(
+  res: FastifyReply,
+  body: AnthropicRequest,
+  model: string
+) {
+  // Helper to send error as SSE (since headers are already flushed by the gateway)
+  function sendSSEError(msg: string) {
+    try {
+      const id = `msg_${Date.now()}`;
+      res.raw.write(`event: message_start\ndata: ${JSON.stringify({ type: "message_start", message: { id, type: "message", role: "assistant", model, content: [], stop_reason: null, stop_sequence: null, usage: { input_tokens: 0, output_tokens: 0 } } })}\n\n`);
+      res.raw.write(`event: content_block_start\ndata: ${JSON.stringify({ type: "content_block_start", index: 0, content_block: { type: "text", text: "" } })}\n\n`);
+      res.raw.write(`event: content_block_delta\ndata: ${JSON.stringify({ type: "content_block_delta", index: 0, delta: { type: "text_delta", text: `[Gemini OAuth Error] ${msg}` } })}\n\n`);
+      res.raw.write(`event: content_block_stop\ndata: ${JSON.stringify({ type: "content_block_stop", index: 0 })}\n\n`);
+      res.raw.write(`event: message_delta\ndata: ${JSON.stringify({ type: "message_delta", delta: { stop_reason: "end_turn", stop_sequence: null }, usage: { output_tokens: 0 } })}\n\n`);
+      res.raw.write(`event: message_stop\ndata: ${JSON.stringify({ type: "message_stop" })}\n\n`);
+    } catch { /* stream closed */ }
+    try { res.raw.end(); } catch {}
+  }
+
+  try {
+    return await _chatGeminiOAuthInner(res, body, model);
+  } catch (e: any) {
+    console.error(`[gemini-oauth] ERROR: ${e.message}`);
+    sendSSEError(e.message);
+  }
+}
+
+async function _chatGeminiOAuthInner(
+  res: FastifyReply,
+  body: AnthropicRequest,
+  model: string
+) {
+  // Get access token (auto-refreshes if expired)
+  const accessToken = await getAccessToken();
+  const tokens = await loadTokens();
+  const projectId = tokens?.project_id;
+
+  // Build Gemini request
+  const contents = toGeminiContents(body.messages);
+
+  // Generation config matching Gemini CLI defaults for chat
+  const generationConfig: any = {
+    temperature: body.temperature ?? 1,
+    topP: 0.95,
+    topK: 64,
+    thinkingConfig: { includeThoughts: true },
+  };
+  if (body.max_tokens !== undefined) {
+    generationConfig.maxOutputTokens = body.max_tokens;
+  }
+
+  // Tools
+  const tools =
+    body.tools && body.tools.length > 0 ? toGeminiTools(body.tools) : undefined;
+
+  if (tools) {
+    console.log(
+      `[gemini-oauth] Sending ${body.tools!.length} tools as Gemini function declarations`
+    );
+  }
+
+  let url: string;
+  let reqBody: any;
+
+  if (projectId) {
+    // Code Assist API - systemInstruction has a different protobuf schema,
+    // so prepend system prompt to first user message instead
+    if (body.system) {
+      if (contents.length > 0 && contents[0].role === "user") {
+        contents[0].parts.unshift({ text: `[System Instructions]\n${body.system}\n[End System Instructions]\n\n` });
+      } else {
+        contents.unshift({
+          role: "user",
+          parts: [{ text: `[System Instructions]\n${body.system}\n[End System Instructions]` }],
+        });
+      }
+    }
+
+    url = `${CA_ENDPOINT}/${CA_VERSION}:streamGenerateContent?alt=sse`;
+    reqBody = {
+      model,
+      project: projectId,
+      user_prompt_id: crypto.randomUUID(),
+      request: {
+        contents,
+        generationConfig,
+        ...(tools && { tools }),
+      },
+    };
+    console.log(
+      `[gemini-oauth] Code Assist API | model="${model}" project="${projectId}"`
+    );
+  } else {
+    // Standard Generative Language API - systemInstruction works natively
+    const systemInstruction = body.system
+      ? { role: "user", parts: [{ text: body.system }] }
+      : undefined;
+
+    url = `${GL_ENDPOINT}/models/${encodeURIComponent(model)}:streamGenerateContent?alt=sse`;
+    reqBody = {
+      contents,
+      ...(systemInstruction && { systemInstruction }),
+      generationConfig,
+      ...(tools && { tools }),
+    };
+    console.log(`[gemini-oauth] Standard API | model="${model}"`);
+  }
+
+  // Log outgoing request for debugging
+  const reqJson = JSON.stringify(reqBody);
+  console.log(`[gemini-oauth] REQUEST URL: ${url}`);
+  console.log(`[gemini-oauth] REQUEST BODY (${reqJson.length} bytes): ${reqJson.slice(0, 500)}...`);
+
+  const resp = await fetch(url, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${accessToken}`,
+      // Required headers matching Gemini CLI client identity
+      "User-Agent": "google-api-nodejs-client/9.15.1",
+      "X-Goog-Api-Client": "gl-node/22.17.0",
+      "Client-Metadata": "ideType=IDE_UNSPECIFIED,platform=PLATFORM_UNSPECIFIED,pluginType=GEMINI",
+    },
+    body: reqJson,
+  });
+
+  if (!resp.ok || !resp.body) {
+    const text = await safeText(resp);
+    console.error(`[gemini-oauth] API error ${resp.status}: ${text}`);
+    throw new Error(`Gemini API returned ${resp.status}: ${text.slice(0, 300)}`);
+  }
+
+  // ── Stream response and convert to Anthropic SSE format ──────────────
+
+  const msgId = `msg_${Date.now()}`;
+  let contentIndex = 0;
+  let hasStartedMessage = false;
+  let hasStartedThinking = false;
+  let hasStartedContent = false;
+
+  // Accumulate function calls from streaming chunks
+  const pendingToolCalls: { id: string; name: string; args: any }[] = [];
+
+  function ensureMessageStarted() {
+    if (!hasStartedMessage) {
+      hasStartedMessage = true;
+      sendEvent(res, "message_start", {
+        type: "message_start",
+        message: {
+          id: msgId,
+          type: "message",
+          role: "assistant",
+          model,
+          content: [],
+          stop_reason: null,
+          stop_sequence: null,
+          usage: { input_tokens: 0, output_tokens: 0 },
+        },
+      });
+    }
+  }
+
+  function ensureThinkingBlockStarted() {
+    if (!hasStartedThinking) {
+      hasStartedThinking = true;
+      ensureMessageStarted();
+      sendEvent(res, "content_block_start", {
+        type: "content_block_start",
+        index: contentIndex,
+        content_block: { type: "thinking", thinking: "" },
+      });
+    }
+  }
+
+  function closeThinkingBlock() {
+    if (hasStartedThinking) {
+      sendEvent(res, "content_block_stop", {
+        type: "content_block_stop",
+        index: contentIndex,
+      });
+      contentIndex++;
+      hasStartedThinking = false;
+    }
+  }
+
+  function ensureContentBlockStarted() {
+    if (!hasStartedContent) {
+      closeThinkingBlock();
+      hasStartedContent = true;
+      ensureMessageStarted();
+      sendEvent(res, "content_block_start", {
+        type: "content_block_start",
+        index: contentIndex,
+        content_block: { type: "text", text: "" },
+      });
+    }
+  }
+
+  function closeContentBlock() {
+    if (hasStartedContent) {
+      sendEvent(res, "content_block_stop", {
+        type: "content_block_stop",
+        index: contentIndex,
+      });
+      contentIndex++;
+      hasStartedContent = false;
+    }
+  }
+
+  const reader = resp.body.getReader();
+  const decoder = new TextDecoder();
+  const parser = createParser({ onEvent: (event: any) => {
+    const data = event.data;
+    if (!data) return;
+    try {
+      const json = JSON.parse(data);
+
+      // Handle both Code Assist (wrapped) and standard API (unwrapped) responses
+      const candidateData = json.response || json;
+      const candidate = candidateData?.candidates?.[0];
+      if (!candidate?.content?.parts) return;
+
+      for (const part of candidate.content.parts) {
+        // Handle thinking/reasoning (Gemini 2.5+ models)
+        if (part.thought === true && part.text) {
+          ensureThinkingBlockStarted();
+          sendEvent(res, "content_block_delta", {
+            type: "content_block_delta",
+            index: contentIndex,
+            delta: { type: "thinking_delta", thinking: part.text },
+          });
+        }
+        // Handle regular text
+        else if (part.text && part.thought !== true) {
+          ensureContentBlockStarted();
+          sendEvent(res, "content_block_delta", {
+            type: "content_block_delta",
+            index: contentIndex,
+            delta: { type: "text_delta", text: part.text },
+          });
+        }
+
+        // Handle function calls
+        if (part.functionCall) {
+          pendingToolCalls.push({
+            id: `toolu_${crypto.randomBytes(12).toString("hex")}`,
+            name: part.functionCall.name,
+            args: part.functionCall.args || {},
+          });
+        }
+      }
+    } catch {
+      // ignore parse errors in SSE stream
+    }
+  }});
+
+  while (true) {
+    const { value, done } = await reader.read();
+    if (done) break;
+    parser.feed(decoder.decode(value, { stream: true }));
+  }
+
+  // ── Finalize: close blocks and emit tool_use if any ──────────────────
+
+  ensureMessageStarted();
+  closeThinkingBlock();
+  closeContentBlock();
+
+  // Emit tool_use content blocks
+  if (pendingToolCalls.length > 0) {
+    for (const tc of pendingToolCalls) {
+      sendEvent(res, "content_block_start", {
+        type: "content_block_start",
+        index: contentIndex,
+        content_block: {
+          type: "tool_use",
+          id: tc.id,
+          name: tc.name,
+          input: {},
+        },
+      });
+
+      sendEvent(res, "content_block_delta", {
+        type: "content_block_delta",
+        index: contentIndex,
+        delta: {
+          type: "input_json_delta",
+          partial_json: JSON.stringify(tc.args),
+        },
+      });
+
+      sendEvent(res, "content_block_stop", {
+        type: "content_block_stop",
+        index: contentIndex,
+      });
+
+      contentIndex++;
+    }
+  }
+
+  // Stop reason
+  const stopReason = pendingToolCalls.length > 0 ? "tool_use" : "end_turn";
+
+  sendEvent(res, "message_delta", {
+    type: "message_delta",
+    delta: { stop_reason: stopReason, stop_sequence: null },
+    usage: { output_tokens: 0 },
+  });
+  sendEvent(res, "message_stop", { type: "message_stop" });
+
+  res.raw.end();
+}
+
+// ── Helpers ────────────────────────────────────────────────────────────
+
+async function safeText(resp: Response) {
+  try {
+    return await resp.text();
+  } catch {
+    return "<no-body>";
+  }
+}

package/adapters/providers/gemini.ts

@@ -47,8 +47,7 @@ export async function chatGemini(
 
   const reader = resp.body.getReader();
   const decoder = new TextDecoder();
-  const parser = createParser((event) => {
-    if (event.type !== "event") return;
+  const parser = createParser({ onEvent: (event: any) => {
     const data = event.data;
     if (!data) return;
     try {
@@ -62,7 +61,7 @@ export async function chatGemini(
     } catch {
       // ignore parse errors
     }
-  });
+  }});
 
   while (true) {
     const { value, done } = await reader.read();

package/adapters/providers/openai.ts

@@ -52,8 +52,7 @@ export async function chatOpenAI(
 
   const reader = resp.body.getReader();
   const decoder = new TextDecoder();
-  const parser = createParser((event) => {
-    if (event.type !== "event") return;
+  const parser = createParser({ onEvent: (event: any) => {
     const data = event.data;
     if (!data || data === "[DONE]") return;
     try {
@@ -63,7 +62,7 @@ export async function chatOpenAI(
     } catch {
       // ignore parse errors on keepalives, etc.
     }
-  });
+  }});
 
   while (true) {
     const { value, done } = await reader.read();

package/adapters/providers/openrouter.ts

@@ -219,8 +219,7 @@ export async function chatOpenRouter(
 
   const reader = resp.body.getReader();
   const decoder = new TextDecoder();
-  const parser = createParser((event) => {
-    if (event.type !== "event") return;
+  const parser = createParser({ onEvent: (event: any) => {
     const data = event.data;
     if (!data || data === "[DONE]") return;
     try {
@@ -268,7 +267,7 @@ export async function chatOpenRouter(
     } catch {
       // ignore parse errors
     }
-  });
+  }});
 
   while (true) {
     const { value, done } = await reader.read();

package/adapters/types.ts

@@ -28,7 +28,7 @@ export type AnthropicRequest = {
   system?: string;
 };
 
-export type ProviderKey = "openai" | "openrouter" | "gemini" | "glm" | "anthropic";
+export type ProviderKey = "openai" | "openrouter" | "gemini" | "gemini-oauth" | "glm" | "anthropic";
 
 export type ProviderModel = {
   provider: ProviderKey;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "claude-glm",
-  "version": "1.3.3",
-  "description": "Cross-platform installer for Claude Code with Z.AI GLM models, multi-provider proxy, and dangerously-skip-permissions shortcuts. Run with: npx claude-glm",
+  "version": "1.4.0",
+  "description": "Cross-platform installer for Claude Code with Z.AI GLM models, multi-provider proxy, Gemini OAuth, and dangerously-skip-permissions shortcuts. Run with: npx claude-glm",
   "keywords": [
     "claude",
     "claude-code",
@@ -10,6 +10,8 @@
     "openai",
     "openrouter",
     "gemini",
+    "gemini-oauth",
+    "google",
     "ai",
     "llm",
     "installer",
@@ -48,13 +50,14 @@
     "node": ">=18.0.0"
   },
   "dependencies": {
-    "dotenv": "^16.4.5",
-    "eventsource-parser": "^1.1.2",
-    "fastify": "^4.28.1"
+    "dotenv": "^16.6.1",
+    "eventsource-parser": "^3.0.0",
+    "fastify": "^4.29.1"
   },
   "devDependencies": {
     "@types/node": "^20.14.0",
-    "tsx": "^4.15.6",
+    "tsx": "^4.21.0",
     "typescript": "^5.6.3"
-  }
+  },
+  "main": "index.js"
 }