claudish 6.5.1 → 6.5.3

package/dist/index.js

@@ -20811,6 +20811,9 @@ class TokenTracker {
   setQuotaRemaining(fraction) {
     this.quotaRemaining = fraction;
   }
+  rewrite() {
+    this.writeFile(this.sessionInputTokens, this.sessionOutputTokens);
+  }
   update(inputTokens, outputTokens) {
     this.sessionInputTokens = inputTokens;
     this.sessionOutputTokens += outputTokens;
@@ -23896,512 +23899,6 @@ var init_stats = __esm(() => {
   });
 });
 
-// src/auth/gemini-oauth.ts
-var exports_gemini_oauth = {};
-__export(exports_gemini_oauth, {
-  setupGeminiUser: () => setupGeminiUser,
-  retrieveUserQuota: () => retrieveUserQuota,
-  getValidAccessToken: () => getValidAccessToken,
-  getGeminiTierFullName: () => getGeminiTierFullName,
-  getGeminiTierDisplayName: () => getGeminiTierDisplayName,
-  getGeminiOAuth: () => getGeminiOAuth,
-  GeminiOAuth: () => GeminiOAuth
-});
-import { createServer } from "http";
-import { randomBytes as randomBytes2, createHash as createHash2 } from "crypto";
-import { readFileSync as readFileSync5, existsSync as existsSync7, unlinkSync as unlinkSync3, openSync, writeSync, closeSync } from "fs";
-import { homedir as homedir8 } from "os";
-import { join as join9 } from "path";
-import { exec } from "child_process";
-import { promisify } from "util";
-
-class GeminiOAuth {
-  static instance = null;
-  credentials = null;
-  refreshPromise = null;
-  tokenRefreshMargin = 5 * 60 * 1000;
-  oauthState = null;
-  static getInstance() {
-    if (!GeminiOAuth.instance) {
-      GeminiOAuth.instance = new GeminiOAuth;
-    }
-    return GeminiOAuth.instance;
-  }
-  constructor() {
-    this.credentials = this.loadCredentials();
-  }
-  hasCredentials() {
-    return this.credentials !== null && !!this.credentials.refresh_token;
-  }
-  getCredentialsPath() {
-    const claudishDir = join9(homedir8(), ".claudish");
-    return join9(claudishDir, "gemini-oauth.json");
-  }
-  async login() {
-    log("[GeminiOAuth] Starting OAuth login flow");
-    const codeVerifier = this.generateCodeVerifier();
-    const codeChallenge = await this.generateCodeChallenge(codeVerifier);
-    this.oauthState = randomBytes2(32).toString("base64url");
-    const { authCode, redirectUri } = await this.startCallbackServer(codeChallenge, this.oauthState);
-    const tokens = await this.exchangeCodeForTokens(authCode, codeVerifier, redirectUri);
-    const credentials = {
-      access_token: tokens.access_token,
-      refresh_token: tokens.refresh_token,
-      expires_at: Date.now() + tokens.expires_in * 1000
-    };
-    this.saveCredentials(credentials);
-    this.credentials = credentials;
-    this.oauthState = null;
-    log("[GeminiOAuth] Login successful");
-  }
-  async logout() {
-    const credPath = this.getCredentialsPath();
-    if (existsSync7(credPath)) {
-      unlinkSync3(credPath);
-      log("[GeminiOAuth] Credentials deleted");
-    }
-    this.credentials = null;
-  }
-  async getAccessToken() {
-    if (this.refreshPromise) {
-      log("[GeminiOAuth] Waiting for in-progress refresh");
-      return this.refreshPromise;
-    }
-    if (!this.credentials) {
-      throw new Error("No Gemini OAuth credentials found. Please run `claudish login gemini` first.");
-    }
-    if (this.isTokenValid()) {
-      return this.credentials.access_token;
-    }
-    this.refreshPromise = this.doRefreshToken();
-    try {
-      const token = await this.refreshPromise;
-      return token;
-    } finally {
-      this.refreshPromise = null;
-    }
-  }
-  async refreshToken() {
-    if (!this.credentials) {
-      throw new Error("No Gemini OAuth credentials found. Please run `claudish login gemini` first.");
-    }
-    await this.doRefreshToken();
-  }
-  isTokenValid() {
-    if (!this.credentials)
-      return false;
-    return Date.now() < this.credentials.expires_at - this.tokenRefreshMargin;
-  }
-  async doRefreshToken() {
-    if (!this.credentials) {
-      throw new Error("No Gemini OAuth credentials found. Please run `claudish login gemini` first.");
-    }
-    log("[GeminiOAuth] Refreshing access token");
-    try {
-      const response = await fetch(OAUTH_CONFIG.tokenUrl, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/x-www-form-urlencoded"
-        },
-        body: new URLSearchParams({
-          grant_type: "refresh_token",
-          refresh_token: this.credentials.refresh_token,
-          client_id: OAUTH_CONFIG.clientId,
-          client_secret: OAUTH_CONFIG.clientSecret
-        })
-      });
-      if (!response.ok) {
-        const errorText = await response.text();
-        throw new Error(`Token refresh failed: ${response.status} - ${errorText}`);
-      }
-      const tokens = await response.json();
-      const updatedCredentials = {
-        access_token: tokens.access_token,
-        refresh_token: tokens.refresh_token || this.credentials.refresh_token,
-        expires_at: Date.now() + tokens.expires_in * 1000
-      };
-      this.saveCredentials(updatedCredentials);
-      this.credentials = updatedCredentials;
-      log(`[GeminiOAuth] Token refreshed, valid until ${new Date(updatedCredentials.expires_at).toISOString()}`);
-      return updatedCredentials.access_token;
-    } catch (e) {
-      log(`[GeminiOAuth] Refresh failed: ${e.message}`);
-      throw new Error(`OAuth credentials invalid. Please run \`claudish login gemini\` again.
-
-Details: ${e.message}`);
-    }
-  }
-  loadCredentials() {
-    const credPath = this.getCredentialsPath();
-    if (!existsSync7(credPath)) {
-      return null;
-    }
-    try {
-      const data = readFileSync5(credPath, "utf-8");
-      const credentials = JSON.parse(data);
-      if (!credentials.access_token || !credentials.refresh_token || !credentials.expires_at) {
-        log("[GeminiOAuth] Invalid credentials file structure");
-        return null;
-      }
-      log("[GeminiOAuth] Loaded credentials from file");
-      return credentials;
-    } catch (e) {
-      log(`[GeminiOAuth] Failed to load credentials: ${e.message}`);
-      return null;
-    }
-  }
-  saveCredentials(credentials) {
-    const credPath = this.getCredentialsPath();
-    const claudishDir = join9(homedir8(), ".claudish");
-    if (!existsSync7(claudishDir)) {
-      const { mkdirSync: mkdirSync8 } = __require("fs");
-      mkdirSync8(claudishDir, { recursive: true });
-    }
-    const fd = openSync(credPath, "w", 384);
-    try {
-      const data = JSON.stringify(credentials, null, 2);
-      writeSync(fd, data, 0, "utf-8");
-    } finally {
-      closeSync(fd);
-    }
-    log(`[GeminiOAuth] Credentials saved to ${credPath}`);
-  }
-  generateCodeVerifier() {
-    return randomBytes2(64).toString("base64url");
-  }
-  async generateCodeChallenge(verifier) {
-    const hash = createHash2("sha256").update(verifier).digest("base64url");
-    return hash;
-  }
-  buildAuthUrl(codeChallenge, state, redirectUri) {
-    const params = new URLSearchParams({
-      client_id: OAUTH_CONFIG.clientId,
-      redirect_uri: redirectUri,
-      response_type: "code",
-      scope: OAUTH_CONFIG.scopes.join(" "),
-      code_challenge: codeChallenge,
-      code_challenge_method: "S256",
-      access_type: "offline",
-      prompt: "consent",
-      state
-    });
-    return `${OAUTH_CONFIG.authUrl}?${params.toString()}`;
-  }
-  async startCallbackServer(codeChallenge, state) {
-    return new Promise((resolve2, reject) => {
-      let redirectUri = "";
-      const server = createServer((req, res) => {
-        const url = new URL(req.url, redirectUri.replace("/callback", ""));
-        if (url.pathname === "/callback") {
-          const code = url.searchParams.get("code");
-          const callbackState = url.searchParams.get("state");
-          const error2 = url.searchParams.get("error");
-          if (error2) {
-            res.writeHead(400, { "Content-Type": "text/html" });
-            res.end(`
-              <html>
-                <body>
-                  <h1>Authentication Failed</h1>
-                  <p>Error: ${error2}</p>
-                  <p>You can close this window.</p>
-                </body>
-              </html>
-            `);
-            server.close();
-            reject(new Error(`OAuth error: ${error2}`));
-            return;
-          }
-          if (!callbackState || callbackState !== this.oauthState) {
-            res.writeHead(400, { "Content-Type": "text/html" });
-            res.end(`
-              <html>
-                <body>
-                  <h1>Authentication Failed</h1>
-                  <p>Invalid state parameter. Possible CSRF attack.</p>
-                  <p>You can close this window.</p>
-                </body>
-              </html>
-            `);
-            server.close();
-            reject(new Error("Invalid OAuth state parameter (CSRF protection)"));
-            return;
-          }
-          if (!code) {
-            res.writeHead(400, { "Content-Type": "text/html" });
-            res.end(`
-              <html>
-                <body>
-                  <h1>Authentication Failed</h1>
-                  <p>No authorization code received.</p>
-                  <p>You can close this window.</p>
-                </body>
-              </html>
-            `);
-            server.close();
-            reject(new Error("No authorization code received"));
-            return;
-          }
-          res.writeHead(200, { "Content-Type": "text/html" });
-          res.end(`
-            <html>
-              <body>
-                <h1>Authentication Successful!</h1>
-                <p>You can now close this window and return to your terminal.</p>
-              </body>
-            </html>
-          `);
-          server.close();
-          resolve2({ authCode: code, redirectUri });
-        } else {
-          res.writeHead(404, { "Content-Type": "text/plain" });
-          res.end("Not found");
-        }
-      });
-      server.listen(0, () => {
-        const address = server.address();
-        if (!address || typeof address === "string") {
-          reject(new Error("Failed to get server port"));
-          return;
-        }
-        const port = address.port;
-        redirectUri = `http://localhost:${port}/callback`;
-        log(`[GeminiOAuth] Callback server started on http://localhost:${port}`);
-        const authUrl = this.buildAuthUrl(codeChallenge, state, redirectUri);
-        this.openBrowser(authUrl);
-      });
-      server.on("error", (err) => {
-        reject(new Error(`Failed to start callback server: ${err.message}`));
-      });
-      setTimeout(() => {
-        server.close();
-        reject(new Error("OAuth login timed out after 5 minutes"));
-      }, 5 * 60 * 1000);
-    });
-  }
-  async exchangeCodeForTokens(code, verifier, redirectUri) {
-    log("[GeminiOAuth] Exchanging auth code for tokens");
-    try {
-      const response = await fetch(OAUTH_CONFIG.tokenUrl, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/x-www-form-urlencoded"
-        },
-        body: new URLSearchParams({
-          grant_type: "authorization_code",
-          code,
-          redirect_uri: redirectUri,
-          client_id: OAUTH_CONFIG.clientId,
-          client_secret: OAUTH_CONFIG.clientSecret,
-          code_verifier: verifier
-        })
-      });
-      if (!response.ok) {
-        const errorText = await response.text();
-        throw new Error(`Token exchange failed: ${response.status} - ${errorText}`);
-      }
-      const tokens = await response.json();
-      if (!tokens.access_token || !tokens.refresh_token) {
-        throw new Error("Token response missing access_token or refresh_token");
-      }
-      return tokens;
-    } catch (e) {
-      throw new Error(`Failed to authenticate with Google OAuth: ${e.message}`);
-    }
-  }
-  async openBrowser(url) {
-    const platform = process.platform;
-    try {
-      if (platform === "darwin") {
-        await execAsync(`open "${url}"`);
-      } else if (platform === "win32") {
-        await execAsync(`start "${url}"`);
-      } else {
-        await execAsync(`xdg-open "${url}"`);
-      }
-      console.log(`
-Opening browser for authentication...`);
-      console.log(`If the browser doesn't open, visit this URL:
-${url}
-`);
-    } catch (e) {
-      console.log(`
-Please open this URL in your browser to authenticate:`);
-      console.log(url);
-      console.log("");
-    }
-  }
-}
-function getGeminiOAuth() {
-  return GeminiOAuth.getInstance();
-}
-async function getValidAccessToken() {
-  const oauth = GeminiOAuth.getInstance();
-  return oauth.getAccessToken();
-}
-function getGeminiTierDisplayName() {
-  if (!cachedTierId)
-    return "Gemini Free";
-  return TIER_SHORT_NAMES[cachedTierId] || cachedTierId.replace(/-tier$/, "");
-}
-function getGeminiTierFullName() {
-  if (cachedTierName)
-    return cachedTierName;
-  return getGeminiTierDisplayName();
-}
-async function setupGeminiUser(accessToken) {
-  if (cachedProjectId && cachedTierId) {
-    log(`[GeminiOAuth] Using cached project ID: ${cachedProjectId}, tier: ${cachedTierId}`);
-    return { projectId: cachedProjectId, tierId: cachedTierId };
-  }
-  const envProject = process.env.GOOGLE_CLOUD_PROJECT || process.env.GOOGLE_CLOUD_PROJECT_ID;
-  log("[GeminiOAuth] Calling loadCodeAssist...");
-  const loadRes = await callLoadCodeAssist(accessToken, envProject);
-  log(`[GeminiOAuth] loadCodeAssist response: ${JSON.stringify(loadRes)}`);
-  const resolvedTier = loadRes.paidTier?.id || (typeof loadRes.currentTier === "object" ? loadRes.currentTier?.id : loadRes.currentTier) || null;
-  if ((loadRes.currentTier || loadRes.paidTier) && loadRes.cloudaicompanionProject) {
-    const projectId2 = envProject || loadRes.cloudaicompanionProject;
-    if (projectId2) {
-      cachedProjectId = projectId2;
-      cachedTierId = resolvedTier || "free-tier";
-      cachedTierName = loadRes.paidTier?.name || null;
-      log(`[GeminiOAuth] User already set up, project: ${projectId2}, tier: ${cachedTierId}`);
-      return { projectId: projectId2, tierId: cachedTierId };
-    }
-  }
-  const tierId = resolvedTier || loadRes.allowedTiers?.[0]?.id || "free-tier";
-  const isFree = tierId === "free-tier";
-  const onboardProject = isFree ? undefined : envProject;
-  const MAX_POLL_ATTEMPTS = 30;
-  log(`[GeminiOAuth] Onboarding user to ${tierId}...`);
-  let lro = await callOnboardUser(accessToken, tierId, onboardProject);
-  log(`[GeminiOAuth] Initial onboardUser response: done=${lro.done}`);
-  let attempts = 0;
-  while (!lro.done && attempts < MAX_POLL_ATTEMPTS) {
-    attempts++;
-    log(`[GeminiOAuth] Polling onboardUser (attempt ${attempts}/${MAX_POLL_ATTEMPTS})...`);
-    await new Promise((r) => setTimeout(r, 2000));
-    lro = await callOnboardUser(accessToken, tierId, onboardProject);
-  }
-  if (!lro.done) {
-    throw new Error(`Gemini onboarding timed out after ${MAX_POLL_ATTEMPTS * 2} seconds`);
-  }
-  if (lro.error) {
-    throw new Error(`Gemini onboarding failed: ${JSON.stringify(lro.error)}`);
-  }
-  const projectId = lro.response?.cloudaicompanionProject?.id;
-  if (!projectId) {
-    if (envProject) {
-      cachedProjectId = envProject;
-      cachedTierId = tierId;
-      return { projectId: envProject, tierId };
-    }
-    throw new Error("Gemini onboarding completed but no project ID returned.");
-  }
-  cachedProjectId = projectId;
-  cachedTierId = tierId;
-  log(`[GeminiOAuth] Onboarding complete, project: ${projectId}, tier: ${tierId}`);
-  return { projectId, tierId };
-}
-async function callLoadCodeAssist(accessToken, projectId) {
-  const metadata = {
-    pluginType: "GEMINI",
-    ideType: "IDE_UNSPECIFIED",
-    platform: "PLATFORM_UNSPECIFIED",
-    duetProject: projectId
-  };
-  const res = await fetch(`${CODE_ASSIST_API_BASE}:loadCodeAssist`, {
-    method: "POST",
-    headers: {
-      Authorization: `Bearer ${accessToken}`,
-      "Content-Type": "application/json"
-    },
-    body: JSON.stringify({ metadata, cloudaicompanionProject: projectId })
-  });
-  if (!res.ok) {
-    throw new Error(`loadCodeAssist failed: ${res.status} ${await res.text()}`);
-  }
-  return await res.json();
-}
-async function callOnboardUser(accessToken, tierId, projectId) {
-  const metadata = {
-    pluginType: "GEMINI",
-    ideType: "IDE_UNSPECIFIED",
-    platform: "PLATFORM_UNSPECIFIED",
-    duetProject: projectId
-  };
-  const res = await fetch(`${CODE_ASSIST_API_BASE}:onboardUser`, {
-    method: "POST",
-    headers: {
-      Authorization: `Bearer ${accessToken}`,
-      "Content-Type": "application/json"
-    },
-    body: JSON.stringify({
-      tierId,
-      metadata,
-      cloudaicompanionProject: projectId
-    })
-  });
-  if (!res.ok) {
-    throw new Error(`onboardUser failed: ${res.status} ${await res.text()}`);
-  }
-  return await res.json();
-}
-async function retrieveUserQuota(accessToken, projectId) {
-  try {
-    const res = await fetch(`${CODE_ASSIST_API_BASE}:retrieveUserQuota`, {
-      method: "POST",
-      headers: {
-        Authorization: `Bearer ${accessToken}`,
-        "Content-Type": "application/json",
-        "User-Agent": `GeminiCLI/0.5.6/gemini-code-assist (${process.platform}; ${process.arch})`
-      },
-      body: JSON.stringify({ project: projectId })
-    });
-    if (!res.ok) {
-      log(`[GeminiOAuth] retrieveUserQuota failed: ${res.status}`);
-      return null;
-    }
-    return await res.json();
-  } catch (err) {
-    log(`[GeminiOAuth] retrieveUserQuota error: ${err}`);
-    return null;
-  }
-}
-var execAsync, getDefaultClientId = () => {
-  const parts = [
-    "681255809395",
-    "oo8ft2oprdrnp9e3aqf6av3hmdib135j",
-    "apps",
-    "googleusercontent",
-    "com"
-  ];
-  return `${parts[0]}-${parts[1]}.${parts[2]}.${parts[3]}.${parts[4]}`;
-}, getDefaultClientSecret = () => {
-  const p = ["GOCSPX", "4uHgMPm", "1o7Sk", "geV6Cu5clXFsxl"];
-  return `${p[0]}-${p[1]}-${p[2]}-${p[3]}`;
-}, OAUTH_CONFIG, CODE_ASSIST_API_BASE = "https://cloudcode-pa.googleapis.com/v1internal", cachedProjectId = null, cachedTierId = null, cachedTierName = null, TIER_SHORT_NAMES;
-var init_gemini_oauth = __esm(() => {
-  init_logger();
-  execAsync = promisify(exec);
-  OAUTH_CONFIG = {
-    clientId: process.env.GEMINI_CLIENT_ID || getDefaultClientId(),
-    clientSecret: process.env.GEMINI_CLIENT_SECRET || getDefaultClientSecret(),
-    authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
-    tokenUrl: "https://oauth2.googleapis.com/token",
-    scopes: [
-      "https://www.googleapis.com/auth/cloud-platform",
-      "https://www.googleapis.com/auth/userinfo.email",
-      "https://www.googleapis.com/auth/userinfo.profile"
-    ]
-  };
-  TIER_SHORT_NAMES = {
-    "free-tier": "GeminiCA Free",
-    "standard-tier": "GeminiCA Std",
-    "g1-pro-tier": "GeminiCA Pro",
-    "legacy-tier": "GeminiCA Legacy"
-  };
-});
-
 // src/handlers/composed-handler.ts
 function extractAuthHeaders(c) {
   const headers = c.req.header();
@@ -24566,8 +24063,11 @@ class ComposedHandler {
         if (this.provider.displayName) {
           this.tokenTracker.setProviderDisplayName(this.provider.displayName);
         }
-        if (this.provider.name === "gemini-codeassist") {
-          this.fetchQuotaForStatusLine().catch(() => {});
+        if (typeof this.provider.getQuotaRemaining === "function") {
+          await Promise.race([
+            this.fetchQuotaForStatusLine(),
+            new Promise((r) => setTimeout(r, 2000))
+          ]).catch(() => {});
         }
       } catch (err) {
         log(`[${this.provider.displayName}] Auth/health check failed: ${err.message}`);
@@ -24904,19 +24404,14 @@ class ComposedHandler {
   }
   async fetchQuotaForStatusLine() {
     try {
-      const { retrieveUserQuota: retrieveUserQuota2, getValidAccessToken: getValidAccessToken2 } = await Promise.resolve().then(() => (init_gemini_oauth(), exports_gemini_oauth));
-      const token = await getValidAccessToken2();
-      const transport = this.provider;
-      const projectId = transport.projectId;
-      if (!projectId)
+      const fn = this.provider.getQuotaRemaining;
+      if (typeof fn !== "function")
         return;
-      const quota = await retrieveUserQuota2(token, projectId);
-      if (!quota?.buckets?.length)
-        return;
-      const modelName = this.targetModel;
-      const bucket = quota.buckets.find((b) => b.modelId === modelName);
-      if (bucket && typeof bucket.remainingFraction === "number") {
-        this.tokenTracker.setQuotaRemaining(bucket.remainingFraction);
+      const bareModel = this.targetModel.includes("@") ? this.targetModel.split("@")[1] : this.targetModel;
+      const remaining = await fn.call(this.provider, bareModel);
+      if (typeof remaining === "number") {
+        this.tokenTracker.setQuotaRemaining(remaining);
+        this.tokenTracker.rewrite();
       }
     } catch {}
   }
@@ -25169,18 +24664,18 @@ var init_remote_provider_registry = __esm(() => {
 });
 
 // src/auth/oauth-registry.ts
-import { existsSync as existsSync8, readFileSync as readFileSync6 } from "fs";
-import { join as join10 } from "path";
-import { homedir as homedir9 } from "os";
+import { existsSync as existsSync7, readFileSync as readFileSync5 } from "fs";
+import { join as join9 } from "path";
+import { homedir as homedir8 } from "os";
 function hasValidOAuthCredentials(descriptor) {
-  const credPath = join10(homedir9(), ".claudish", descriptor.credentialFile);
-  if (!existsSync8(credPath))
+  const credPath = join9(homedir8(), ".claudish", descriptor.credentialFile);
+  if (!existsSync7(credPath))
     return false;
   if (descriptor.validationMode === "file-exists") {
     return true;
   }
   try {
-    const data = JSON.parse(readFileSync6(credPath, "utf-8"));
+    const data = JSON.parse(readFileSync5(credPath, "utf-8"));
     if (!data.access_token)
       return false;
     if (data.refresh_token)
@@ -25266,9 +24761,9 @@ var init_static_fallback = __esm(() => {
 });
 
 // src/providers/catalog-resolvers/openrouter.ts
-import { readFileSync as readFileSync7, existsSync as existsSync9 } from "fs";
-import { join as join11 } from "path";
-import { homedir as homedir10 } from "os";
+import { readFileSync as readFileSync6, existsSync as existsSync8 } from "fs";
+import { join as join10 } from "path";
+import { homedir as homedir9 } from "os";
 
 class OpenRouterCatalogResolver {
   provider = "openrouter";
@@ -25313,10 +24808,10 @@ class OpenRouterCatalogResolver {
   _getModels() {
     if (_memCache)
       return _memCache;
-    const diskPath = join11(homedir10(), ".claudish", "all-models.json");
-    if (existsSync9(diskPath)) {
+    const diskPath = join10(homedir9(), ".claudish", "all-models.json");
+    if (existsSync8(diskPath)) {
       try {
-        const data = JSON.parse(readFileSync7(diskPath, "utf-8"));
+        const data = JSON.parse(readFileSync6(diskPath, "utf-8"));
         if (Array.isArray(data.models) && data.models.length > 0) {
           _memCache = data.models;
           return _memCache;
@@ -25333,16 +24828,16 @@ var init_openrouter2 = __esm(() => {
 });
 
 // src/providers/catalog-resolvers/litellm.ts
-import { readFileSync as readFileSync8, existsSync as existsSync10 } from "fs";
-import { join as join12 } from "path";
-import { homedir as homedir11 } from "os";
-import { createHash as createHash3 } from "crypto";
+import { readFileSync as readFileSync7, existsSync as existsSync9 } from "fs";
+import { join as join11 } from "path";
+import { homedir as homedir10 } from "os";
+import { createHash as createHash2 } from "crypto";
 function getCachePath() {
   const baseUrl = process.env.LITELLM_BASE_URL;
   if (!baseUrl)
     return null;
-  const hash = createHash3("sha256").update(baseUrl).digest("hex").substring(0, 16);
-  return join12(homedir11(), ".claudish", `litellm-models-${hash}.json`);
+  const hash = createHash2("sha256").update(baseUrl).digest("hex").substring(0, 16);
+  return join11(homedir10(), ".claudish", `litellm-models-${hash}.json`);
 }
 
 class LiteLLMCatalogResolver {
@@ -25370,10 +24865,10 @@ class LiteLLMCatalogResolver {
   }
   async warmCache() {
     const path = getCachePath();
-    if (!path || !existsSync10(path))
+    if (!path || !existsSync9(path))
       return;
     try {
-      const data = JSON.parse(readFileSync8(path, "utf-8"));
+      const data = JSON.parse(readFileSync7(path, "utf-8"));
       if (Array.isArray(data.models)) {
         _memCache2 = data.models.map((m) => m.name ?? m.id?.replace("litellm@", "") ?? "");
       }
@@ -25386,10 +24881,10 @@ class LiteLLMCatalogResolver {
     if (_memCache2)
       return _memCache2;
     const path = getCachePath();
-    if (!path || !existsSync10(path))
+    if (!path || !existsSync9(path))
       return null;
     try {
-      const data = JSON.parse(readFileSync8(path, "utf-8"));
+      const data = JSON.parse(readFileSync7(path, "utf-8"));
       if (Array.isArray(data.models)) {
         _memCache2 = data.models.map((m) => m.name ?? m.id?.replace("litellm@", "") ?? "");
         return _memCache2;
@@ -25448,17 +24943,17 @@ var init_model_catalog_resolver = __esm(() => {
 });
 
 // src/providers/auto-route.ts
-import { existsSync as existsSync11, readFileSync as readFileSync9 } from "fs";
-import { join as join13 } from "path";
-import { homedir as homedir12 } from "os";
-import { createHash as createHash4 } from "crypto";
+import { existsSync as existsSync10, readFileSync as readFileSync8 } from "fs";
+import { join as join12 } from "path";
+import { homedir as homedir11 } from "os";
+import { createHash as createHash3 } from "crypto";
 function readLiteLLMCacheSync(baseUrl) {
-  const hash = createHash4("sha256").update(baseUrl).digest("hex").substring(0, 16);
-  const cachePath = join13(homedir12(), ".claudish", `litellm-models-${hash}.json`);
-  if (!existsSync11(cachePath))
+  const hash = createHash3("sha256").update(baseUrl).digest("hex").substring(0, 16);
+  const cachePath = join12(homedir11(), ".claudish", `litellm-models-${hash}.json`);
+  if (!existsSync10(cachePath))
     return null;
   try {
-    const data = JSON.parse(readFileSync9(cachePath, "utf-8"));
+    const data = JSON.parse(readFileSync8(cachePath, "utf-8"));
     if (!Array.isArray(data.models))
       return null;
     return data.models;
@@ -25579,17 +25074,17 @@ async function warmZenModelCache() {
   const models = (data.data ?? []).map((m) => ({ id: m.id }));
   if (models.length === 0)
     return;
-  const cacheDir = join13(homedir12(), ".claudish");
-  const { mkdirSync: mkdirSync8, writeFileSync: writeSync2 } = await import("fs");
+  const cacheDir = join12(homedir11(), ".claudish");
+  const { mkdirSync: mkdirSync8, writeFileSync: writeSync } = await import("fs");
   mkdirSync8(cacheDir, { recursive: true });
-  writeSync2(join13(cacheDir, "zen-models.json"), JSON.stringify({ models, fetchedAt: new Date().toISOString() }));
+  writeSync(join12(cacheDir, "zen-models.json"), JSON.stringify({ models, fetchedAt: new Date().toISOString() }));
 }
 function readZenGoModelCacheSync() {
-  const cachePath = join13(homedir12(), ".claudish", "zen-go-models.json");
-  if (!existsSync11(cachePath))
+  const cachePath = join12(homedir11(), ".claudish", "zen-go-models.json");
+  if (!existsSync10(cachePath))
     return null;
   try {
-    const data = JSON.parse(readFileSync9(cachePath, "utf-8"));
+    const data = JSON.parse(readFileSync8(cachePath, "utf-8"));
     if (!Array.isArray(data.models))
       return null;
     return new Set(data.models.map((m) => m.id));
@@ -25616,10 +25111,10 @@ async function warmZenGoModelCache() {
   const models = (data.data ?? []).map((m) => ({ id: m.id }));
   if (models.length === 0)
     return;
-  const cacheDir = join13(homedir12(), ".claudish");
-  const { mkdirSync: mkdirSync8, writeFileSync: writeSync2 } = await import("fs");
+  const cacheDir = join12(homedir11(), ".claudish");
+  const { mkdirSync: mkdirSync8, writeFileSync: writeSync } = await import("fs");
   mkdirSync8(cacheDir, { recursive: true });
-  writeSync2(join13(cacheDir, "zen-go-models.json"), JSON.stringify({ models, fetchedAt: new Date().toISOString() }));
+  writeSync(join12(cacheDir, "zen-go-models.json"), JSON.stringify({ models, fetchedAt: new Date().toISOString() }));
 }
 function hasProviderCredentials(provider) {
   const keyInfo = getApiKeyEnvVars(provider);
@@ -25755,9 +25250,9 @@ __export(exports_provider_resolver, {
   getMissingKeyResolutions: () => getMissingKeyResolutions,
   getMissingKeyError: () => getMissingKeyError
 });
-import { existsSync as existsSync12 } from "fs";
-import { join as join14 } from "path";
-import { homedir as homedir13 } from "os";
+import { existsSync as existsSync11 } from "fs";
+import { join as join13 } from "path";
+import { homedir as homedir12 } from "os";
 function getApiKeyInfoForProvider(providerName) {
   const lookupName = providerName === "gemini" ? "google" : providerName;
   const info = getApiKeyInfo(lookupName);
@@ -25792,8 +25287,8 @@ function isApiKeyAvailable(info) {
   }
   if (info.oauthFallback) {
     try {
-      const credPath = join14(homedir13(), ".claudish", info.oauthFallback);
-      if (existsSync12(credPath)) {
+      const credPath = join13(homedir12(), ".claudish", info.oauthFallback);
+      if (existsSync11(credPath)) {
         return true;
       }
     } catch {}
@@ -26094,9 +25589,9 @@ var init_provider_resolver = __esm(() => {
 });
 
 // src/services/pricing-cache.ts
-import { readFileSync as readFileSync10, writeFileSync as writeFileSync8, existsSync as existsSync13, mkdirSync as mkdirSync8, statSync as statSync2 } from "fs";
-import { homedir as homedir14 } from "os";
-import { join as join15 } from "path";
+import { readFileSync as readFileSync9, writeFileSync as writeFileSync8, existsSync as existsSync12, mkdirSync as mkdirSync8, statSync as statSync2 } from "fs";
+import { homedir as homedir13 } from "os";
+import { join as join14 } from "path";
 function getDynamicPricingSync(provider, modelName) {
   if (provider === "openrouter") {
     const direct = pricingMap.get(modelName);
@@ -26161,12 +25656,12 @@ async function warmPricingCache() {
 }
 function loadDiskCache() {
   try {
-    if (!existsSync13(CACHE_FILE))
+    if (!existsSync12(CACHE_FILE))
       return false;
     const stat = statSync2(CACHE_FILE);
     const age = Date.now() - stat.mtimeMs;
     const isFresh = age < CACHE_TTL_MS;
-    const raw2 = readFileSync10(CACHE_FILE, "utf-8");
+    const raw2 = readFileSync9(CACHE_FILE, "utf-8");
     const data = JSON.parse(raw2);
     for (const [key, pricing] of Object.entries(data)) {
       pricingMap.set(key, pricing);
@@ -26213,8 +25708,8 @@ var init_pricing_cache = __esm(() => {
   init_model_loader();
   init_remote_provider_types();
   pricingMap = new Map;
-  CACHE_DIR = join15(homedir14(), ".claudish");
-  CACHE_FILE = join15(CACHE_DIR, "pricing-cache.json");
+  CACHE_DIR = join14(homedir13(), ".claudish");
+  CACHE_FILE = join14(CACHE_DIR, "pricing-cache.json");
   CACHE_TTL_MS = 24 * 60 * 60 * 1000;
   PROVIDER_TO_OR_PREFIX = {
     openai: ["openai/"],
@@ -26602,6 +26097,512 @@ var init_gemini_apikey = __esm(() => {
   init_gemini_queue();
 });
 
+// src/auth/gemini-oauth.ts
+var exports_gemini_oauth = {};
+__export(exports_gemini_oauth, {
+  setupGeminiUser: () => setupGeminiUser,
+  retrieveUserQuota: () => retrieveUserQuota,
+  getValidAccessToken: () => getValidAccessToken,
+  getGeminiTierFullName: () => getGeminiTierFullName,
+  getGeminiTierDisplayName: () => getGeminiTierDisplayName,
+  getGeminiOAuth: () => getGeminiOAuth,
+  GeminiOAuth: () => GeminiOAuth
+});
+import { createServer } from "http";
+import { randomBytes as randomBytes2, createHash as createHash4 } from "crypto";
+import { readFileSync as readFileSync10, existsSync as existsSync13, unlinkSync as unlinkSync3, openSync, writeSync, closeSync } from "fs";
+import { homedir as homedir14 } from "os";
+import { join as join15 } from "path";
+import { exec } from "child_process";
+import { promisify } from "util";
+
+class GeminiOAuth {
+  static instance = null;
+  credentials = null;
+  refreshPromise = null;
+  tokenRefreshMargin = 5 * 60 * 1000;
+  oauthState = null;
+  static getInstance() {
+    if (!GeminiOAuth.instance) {
+      GeminiOAuth.instance = new GeminiOAuth;
+    }
+    return GeminiOAuth.instance;
+  }
+  constructor() {
+    this.credentials = this.loadCredentials();
+  }
+  hasCredentials() {
+    return this.credentials !== null && !!this.credentials.refresh_token;
+  }
+  getCredentialsPath() {
+    const claudishDir = join15(homedir14(), ".claudish");
+    return join15(claudishDir, "gemini-oauth.json");
+  }
+  async login() {
+    log("[GeminiOAuth] Starting OAuth login flow");
+    const codeVerifier = this.generateCodeVerifier();
+    const codeChallenge = await this.generateCodeChallenge(codeVerifier);
+    this.oauthState = randomBytes2(32).toString("base64url");
+    const { authCode, redirectUri } = await this.startCallbackServer(codeChallenge, this.oauthState);
+    const tokens = await this.exchangeCodeForTokens(authCode, codeVerifier, redirectUri);
+    const credentials = {
+      access_token: tokens.access_token,
+      refresh_token: tokens.refresh_token,
+      expires_at: Date.now() + tokens.expires_in * 1000
+    };
+    this.saveCredentials(credentials);
+    this.credentials = credentials;
+    this.oauthState = null;
+    log("[GeminiOAuth] Login successful");
+  }
+  async logout() {
+    const credPath = this.getCredentialsPath();
+    if (existsSync13(credPath)) {
+      unlinkSync3(credPath);
+      log("[GeminiOAuth] Credentials deleted");
+    }
+    this.credentials = null;
+  }
+  async getAccessToken() {
+    if (this.refreshPromise) {
+      log("[GeminiOAuth] Waiting for in-progress refresh");
+      return this.refreshPromise;
+    }
+    if (!this.credentials) {
+      throw new Error("No Gemini OAuth credentials found. Please run `claudish login gemini` first.");
+    }
+    if (this.isTokenValid()) {
+      return this.credentials.access_token;
+    }
+    this.refreshPromise = this.doRefreshToken();
+    try {
+      const token = await this.refreshPromise;
+      return token;
+    } finally {
+      this.refreshPromise = null;
+    }
+  }
+  async refreshToken() {
+    if (!this.credentials) {
+      throw new Error("No Gemini OAuth credentials found. Please run `claudish login gemini` first.");
+    }
+    await this.doRefreshToken();
+  }
+  isTokenValid() {
+    if (!this.credentials)
+      return false;
+    return Date.now() < this.credentials.expires_at - this.tokenRefreshMargin;
+  }
+  async doRefreshToken() {
+    if (!this.credentials) {
+      throw new Error("No Gemini OAuth credentials found. Please run `claudish login gemini` first.");
+    }
+    log("[GeminiOAuth] Refreshing access token");
+    try {
+      const response = await fetch(OAUTH_CONFIG.tokenUrl, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded"
+        },
+        body: new URLSearchParams({
+          grant_type: "refresh_token",
+          refresh_token: this.credentials.refresh_token,
+          client_id: OAUTH_CONFIG.clientId,
+          client_secret: OAUTH_CONFIG.clientSecret
+        })
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`Token refresh failed: ${response.status} - ${errorText}`);
+      }
+      const tokens = await response.json();
+      const updatedCredentials = {
+        access_token: tokens.access_token,
+        refresh_token: tokens.refresh_token || this.credentials.refresh_token,
+        expires_at: Date.now() + tokens.expires_in * 1000
+      };
+      this.saveCredentials(updatedCredentials);
+      this.credentials = updatedCredentials;
+      log(`[GeminiOAuth] Token refreshed, valid until ${new Date(updatedCredentials.expires_at).toISOString()}`);
+      return updatedCredentials.access_token;
+    } catch (e) {
+      log(`[GeminiOAuth] Refresh failed: ${e.message}`);
+      throw new Error(`OAuth credentials invalid. Please run \`claudish login gemini\` again.
+
+Details: ${e.message}`);
+    }
+  }
+  loadCredentials() {
+    const credPath = this.getCredentialsPath();
+    if (!existsSync13(credPath)) {
+      return null;
+    }
+    try {
+      const data = readFileSync10(credPath, "utf-8");
+      const credentials = JSON.parse(data);
+      if (!credentials.access_token || !credentials.refresh_token || !credentials.expires_at) {
+        log("[GeminiOAuth] Invalid credentials file structure");
+        return null;
+      }
+      log("[GeminiOAuth] Loaded credentials from file");
+      return credentials;
+    } catch (e) {
+      log(`[GeminiOAuth] Failed to load credentials: ${e.message}`);
+      return null;
+    }
+  }
+  saveCredentials(credentials) {
+    const credPath = this.getCredentialsPath();
+    const claudishDir = join15(homedir14(), ".claudish");
+    if (!existsSync13(claudishDir)) {
+      const { mkdirSync: mkdirSync9 } = __require("fs");
+      mkdirSync9(claudishDir, { recursive: true });
+    }
+    const fd = openSync(credPath, "w", 384);
+    try {
+      const data = JSON.stringify(credentials, null, 2);
+      writeSync(fd, data, 0, "utf-8");
+    } finally {
+      closeSync(fd);
+    }
+    log(`[GeminiOAuth] Credentials saved to ${credPath}`);
+  }
+  generateCodeVerifier() {
+    return randomBytes2(64).toString("base64url");
+  }
+  async generateCodeChallenge(verifier) {
+    const hash = createHash4("sha256").update(verifier).digest("base64url");
+    return hash;
+  }
+  buildAuthUrl(codeChallenge, state, redirectUri) {
+    const params = new URLSearchParams({
+      client_id: OAUTH_CONFIG.clientId,
+      redirect_uri: redirectUri,
+      response_type: "code",
+      scope: OAUTH_CONFIG.scopes.join(" "),
+      code_challenge: codeChallenge,
+      code_challenge_method: "S256",
+      access_type: "offline",
+      prompt: "consent",
+      state
+    });
+    return `${OAUTH_CONFIG.authUrl}?${params.toString()}`;
+  }
+  async startCallbackServer(codeChallenge, state) {
+    return new Promise((resolve2, reject) => {
+      let redirectUri = "";
+      const server = createServer((req, res) => {
+        const url = new URL(req.url, redirectUri.replace("/callback", ""));
+        if (url.pathname === "/callback") {
+          const code = url.searchParams.get("code");
+          const callbackState = url.searchParams.get("state");
+          const error2 = url.searchParams.get("error");
+          if (error2) {
+            res.writeHead(400, { "Content-Type": "text/html" });
+            res.end(`
+              <html>
+                <body>
+                  <h1>Authentication Failed</h1>
+                  <p>Error: ${error2}</p>
+                  <p>You can close this window.</p>
+                </body>
+              </html>
+            `);
+            server.close();
+            reject(new Error(`OAuth error: ${error2}`));
+            return;
+          }
+          if (!callbackState || callbackState !== this.oauthState) {
+            res.writeHead(400, { "Content-Type": "text/html" });
+            res.end(`
+              <html>
+                <body>
+                  <h1>Authentication Failed</h1>
+                  <p>Invalid state parameter. Possible CSRF attack.</p>
+                  <p>You can close this window.</p>
+                </body>
+              </html>
+            `);
+            server.close();
+            reject(new Error("Invalid OAuth state parameter (CSRF protection)"));
+            return;
+          }
+          if (!code) {
+            res.writeHead(400, { "Content-Type": "text/html" });
+            res.end(`
+              <html>
+                <body>
+                  <h1>Authentication Failed</h1>
+                  <p>No authorization code received.</p>
+                  <p>You can close this window.</p>
+                </body>
+              </html>
+            `);
+            server.close();
+            reject(new Error("No authorization code received"));
+            return;
+          }
+          res.writeHead(200, { "Content-Type": "text/html" });
+          res.end(`
+            <html>
+              <body>
+                <h1>Authentication Successful!</h1>
+                <p>You can now close this window and return to your terminal.</p>
+              </body>
+            </html>
+          `);
+          server.close();
+          resolve2({ authCode: code, redirectUri });
+        } else {
+          res.writeHead(404, { "Content-Type": "text/plain" });
+          res.end("Not found");
+        }
+      });
+      server.listen(0, () => {
+        const address = server.address();
+        if (!address || typeof address === "string") {
+          reject(new Error("Failed to get server port"));
+          return;
+        }
+        const port = address.port;
+        redirectUri = `http://localhost:${port}/callback`;
+        log(`[GeminiOAuth] Callback server started on http://localhost:${port}`);
+        const authUrl = this.buildAuthUrl(codeChallenge, state, redirectUri);
+        this.openBrowser(authUrl);
+      });
+      server.on("error", (err) => {
+        reject(new Error(`Failed to start callback server: ${err.message}`));
+      });
+      setTimeout(() => {
+        server.close();
+        reject(new Error("OAuth login timed out after 5 minutes"));
+      }, 5 * 60 * 1000);
+    });
+  }
+  async exchangeCodeForTokens(code, verifier, redirectUri) {
+    log("[GeminiOAuth] Exchanging auth code for tokens");
+    try {
+      const response = await fetch(OAUTH_CONFIG.tokenUrl, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded"
+        },
+        body: new URLSearchParams({
+          grant_type: "authorization_code",
+          code,
+          redirect_uri: redirectUri,
+          client_id: OAUTH_CONFIG.clientId,
+          client_secret: OAUTH_CONFIG.clientSecret,
+          code_verifier: verifier
+        })
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`Token exchange failed: ${response.status} - ${errorText}`);
+      }
+      const tokens = await response.json();
+      if (!tokens.access_token || !tokens.refresh_token) {
+        throw new Error("Token response missing access_token or refresh_token");
+      }
+      return tokens;
+    } catch (e) {
+      throw new Error(`Failed to authenticate with Google OAuth: ${e.message}`);
+    }
+  }
+  async openBrowser(url) {
+    const platform = process.platform;
+    try {
+      if (platform === "darwin") {
+        await execAsync(`open "${url}"`);
+      } else if (platform === "win32") {
+        await execAsync(`start "${url}"`);
+      } else {
+        await execAsync(`xdg-open "${url}"`);
+      }
+      console.log(`
+Opening browser for authentication...`);
+      console.log(`If the browser doesn't open, visit this URL:
+${url}
+`);
+    } catch (e) {
+      console.log(`
+Please open this URL in your browser to authenticate:`);
+      console.log(url);
+      console.log("");
+    }
+  }
+}
+function getGeminiOAuth() {
+  return GeminiOAuth.getInstance();
+}
+async function getValidAccessToken() {
+  const oauth = GeminiOAuth.getInstance();
+  return oauth.getAccessToken();
+}
+function getGeminiTierDisplayName() {
+  if (!cachedTierId)
+    return "Gemini Free";
+  return TIER_SHORT_NAMES[cachedTierId] || cachedTierId.replace(/-tier$/, "");
+}
+function getGeminiTierFullName() {
+  if (cachedTierName)
+    return cachedTierName;
+  return getGeminiTierDisplayName();
+}
+async function setupGeminiUser(accessToken) {
+  if (cachedProjectId && cachedTierId) {
+    log(`[GeminiOAuth] Using cached project ID: ${cachedProjectId}, tier: ${cachedTierId}`);
+    return { projectId: cachedProjectId, tierId: cachedTierId };
+  }
+  const envProject = process.env.GOOGLE_CLOUD_PROJECT || process.env.GOOGLE_CLOUD_PROJECT_ID;
+  log("[GeminiOAuth] Calling loadCodeAssist...");
+  const loadRes = await callLoadCodeAssist(accessToken, envProject);
+  log(`[GeminiOAuth] loadCodeAssist response: ${JSON.stringify(loadRes)}`);
+  const resolvedTier = loadRes.paidTier?.id || (typeof loadRes.currentTier === "object" ? loadRes.currentTier?.id : loadRes.currentTier) || null;
+  if ((loadRes.currentTier || loadRes.paidTier) && loadRes.cloudaicompanionProject) {
+    const projectId2 = envProject || loadRes.cloudaicompanionProject;
+    if (projectId2) {
+      cachedProjectId = projectId2;
+      cachedTierId = resolvedTier || "free-tier";
+      cachedTierName = loadRes.paidTier?.name || null;
+      log(`[GeminiOAuth] User already set up, project: ${projectId2}, tier: ${cachedTierId}`);
+      return { projectId: projectId2, tierId: cachedTierId };
+    }
+  }
+  const tierId = resolvedTier || loadRes.allowedTiers?.[0]?.id || "free-tier";
+  const isFree = tierId === "free-tier";
+  const onboardProject = isFree ? undefined : envProject;
+  const MAX_POLL_ATTEMPTS = 30;
+  log(`[GeminiOAuth] Onboarding user to ${tierId}...`);
+  let lro = await callOnboardUser(accessToken, tierId, onboardProject);
+  log(`[GeminiOAuth] Initial onboardUser response: done=${lro.done}`);
+  let attempts = 0;
+  while (!lro.done && attempts < MAX_POLL_ATTEMPTS) {
+    attempts++;
+    log(`[GeminiOAuth] Polling onboardUser (attempt ${attempts}/${MAX_POLL_ATTEMPTS})...`);
+    await new Promise((r) => setTimeout(r, 2000));
+    lro = await callOnboardUser(accessToken, tierId, onboardProject);
+  }
+  if (!lro.done) {
+    throw new Error(`Gemini onboarding timed out after ${MAX_POLL_ATTEMPTS * 2} seconds`);
+  }
+  if (lro.error) {
+    throw new Error(`Gemini onboarding failed: ${JSON.stringify(lro.error)}`);
+  }
+  const projectId = lro.response?.cloudaicompanionProject?.id;
+  if (!projectId) {
+    if (envProject) {
+      cachedProjectId = envProject;
+      cachedTierId = tierId;
+      return { projectId: envProject, tierId };
+    }
+    throw new Error("Gemini onboarding completed but no project ID returned.");
+  }
+  cachedProjectId = projectId;
+  cachedTierId = tierId;
+  log(`[GeminiOAuth] Onboarding complete, project: ${projectId}, tier: ${tierId}`);
+  return { projectId, tierId };
+}
+async function callLoadCodeAssist(accessToken, projectId) {
+  const metadata = {
+    pluginType: "GEMINI",
+    ideType: "IDE_UNSPECIFIED",
+    platform: "PLATFORM_UNSPECIFIED",
+    duetProject: projectId
+  };
+  const res = await fetch(`${CODE_ASSIST_API_BASE}:loadCodeAssist`, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({ metadata, cloudaicompanionProject: projectId })
+  });
+  if (!res.ok) {
+    throw new Error(`loadCodeAssist failed: ${res.status} ${await res.text()}`);
+  }
+  return await res.json();
+}
+async function callOnboardUser(accessToken, tierId, projectId) {
+  const metadata = {
+    pluginType: "GEMINI",
+    ideType: "IDE_UNSPECIFIED",
+    platform: "PLATFORM_UNSPECIFIED",
+    duetProject: projectId
+  };
+  const res = await fetch(`${CODE_ASSIST_API_BASE}:onboardUser`, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({
+      tierId,
+      metadata,
+      cloudaicompanionProject: projectId
+    })
+  });
+  if (!res.ok) {
+    throw new Error(`onboardUser failed: ${res.status} ${await res.text()}`);
+  }
+  return await res.json();
+}
+async function retrieveUserQuota(accessToken, projectId) {
+  try {
+    const res = await fetch(`${CODE_ASSIST_API_BASE}:retrieveUserQuota`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Content-Type": "application/json",
+        "User-Agent": `GeminiCLI/0.5.6/gemini-code-assist (${process.platform}; ${process.arch})`
+      },
+      body: JSON.stringify({ project: projectId })
+    });
+    if (!res.ok) {
+      log(`[GeminiOAuth] retrieveUserQuota failed: ${res.status}`);
+      return null;
+    }
+    return await res.json();
+  } catch (err) {
+    log(`[GeminiOAuth] retrieveUserQuota error: ${err}`);
+    return null;
+  }
+}
+var execAsync, getDefaultClientId = () => {
+  const parts = [
+    "681255809395",
+    "oo8ft2oprdrnp9e3aqf6av3hmdib135j",
+    "apps",
+    "googleusercontent",
+    "com"
+  ];
+  return `${parts[0]}-${parts[1]}.${parts[2]}.${parts[3]}.${parts[4]}`;
+}, getDefaultClientSecret = () => {
+  const p = ["GOCSPX", "4uHgMPm", "1o7Sk", "geV6Cu5clXFsxl"];
+  return `${p[0]}-${p[1]}-${p[2]}-${p[3]}`;
+}, OAUTH_CONFIG, CODE_ASSIST_API_BASE = "https://cloudcode-pa.googleapis.com/v1internal", cachedProjectId = null, cachedTierId = null, cachedTierName = null, TIER_SHORT_NAMES;
+var init_gemini_oauth = __esm(() => {
+  init_logger();
+  execAsync = promisify(exec);
+  OAUTH_CONFIG = {
+    clientId: process.env.GEMINI_CLIENT_ID || getDefaultClientId(),
+    clientSecret: process.env.GEMINI_CLIENT_SECRET || getDefaultClientSecret(),
+    authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+    tokenUrl: "https://oauth2.googleapis.com/token",
+    scopes: [
+      "https://www.googleapis.com/auth/cloud-platform",
+      "https://www.googleapis.com/auth/userinfo.email",
+      "https://www.googleapis.com/auth/userinfo.profile"
+    ]
+  };
+  TIER_SHORT_NAMES = {
+    "free-tier": "GeminiCA Free",
+    "standard-tier": "GeminiCA Std",
+    "g1-pro-tier": "GeminiCA Pro",
+    "legacy-tier": "GeminiCA Legacy"
+  };
+});
+
 // src/providers/transport/gemini-codeassist.ts
 import { randomUUID as randomUUID2 } from "crypto";
 function buildGeminiCliUserAgent(model) {
@@ -26829,6 +26830,20 @@ ${lines.join(`
       }
     } catch {}
   }
+  async getQuotaRemaining(modelName) {
+    if (!this.accessToken || !this.projectId)
+      return;
+    try {
+      const { retrieveUserQuota: retrieveUserQuota2 } = await Promise.resolve().then(() => (init_gemini_oauth(), exports_gemini_oauth));
+      const data = await retrieveUserQuota2(this.accessToken, this.projectId);
+      if (!data?.buckets?.length)
+        return;
+      const bucket = data.buckets.find((b) => b.modelId === modelName);
+      return typeof bucket?.remainingFraction === "number" ? bucket.remainingFraction : undefined;
+    } catch {
+      return;
+    }
+  }
 }
 var CODE_ASSIST_BASE = "https://cloudcode-pa.googleapis.com", CODE_ASSIST_ENDPOINT, CODE_ASSIST_FALLBACK_CHAIN, MAX_RETRY_ATTEMPTS = 3, DEFAULT_RATE_LIMIT_DELAY_MS = 1e4;
 var init_gemini_codeassist = __esm(() => {
@@ -34296,7 +34311,7 @@ async function fetchGLMCodingModels() {
     return [];
   }
 }
-var __filename4, __dirname4, VERSION = "6.5.1", CACHE_MAX_AGE_DAYS2 = 2, CLAUDISH_CACHE_DIR2, BUNDLED_MODELS_PATH, CACHED_MODELS_PATH, ALL_MODELS_JSON_PATH;
+var __filename4, __dirname4, VERSION = "6.5.3", CACHE_MAX_AGE_DAYS2 = 2, CLAUDISH_CACHE_DIR2, BUNDLED_MODELS_PATH, CACHED_MODELS_PATH, ALL_MODELS_JSON_PATH;
 var init_cli = __esm(() => {
   init_config();
   init_model_loader();
@@ -96521,6 +96536,8 @@ class MtmDiagRunner {
   modelName = "";
   provider = "";
   port = "";
+  quotaRemaining;
+  tokenPollTimer = null;
   lastError = "";
   errorCount = 0;
   requestCount = 0;
@@ -96530,6 +96547,11 @@ class MtmDiagRunner {
   adapters = "";
   setPort(port) {
     this.port = String(port);
+    this.tokenPollTimer = setInterval(() => {
+      const changed = this.readTokenFile();
+      if (changed)
+        this.refreshStatusBar();
+    }, 3000);
   }
   setModel(name) {
     this.modelName = name.includes("/") ? name.split("/").pop() : name;
@@ -96539,16 +96561,28 @@ class MtmDiagRunner {
       this.provider = name.split("/")[0];
     }
   }
-  refreshStatusBar() {
-    let quotaRemaining;
+  readTokenFile() {
+    if (!this.port)
+      return false;
     try {
       const tokPath = join31(homedir27(), ".claudish", `tokens-${this.port}.json`);
       const tok = JSON.parse(readFileSync24(tokPath, "utf-8"));
-      if (typeof tok.quota_remaining === "number")
-        quotaRemaining = tok.quota_remaining;
-      if (!this.provider && tok.provider_name)
+      let changed = false;
+      if (typeof tok.quota_remaining === "number" && tok.quota_remaining !== this.quotaRemaining) {
+        this.quotaRemaining = tok.quota_remaining;
+        changed = true;
+      }
+      if (tok.provider_name && tok.provider_name !== this.provider) {
         this.provider = tok.provider_name;
-    } catch {}
+        changed = true;
+      }
+      return changed;
+    } catch {
+      return false;
+    }
+  }
+  refreshStatusBar() {
+    this.readTokenFile();
     const bar = renderStatusBar({
       model: this.modelName,
       provider: this.provider,
@@ -96556,7 +96590,7 @@ class MtmDiagRunner {
       lastError: this.lastError,
       requestCount: this.requestCount,
       avgRoundtripMs: this.avgRoundtripMs,
-      quotaRemaining
+      quotaRemaining: this.quotaRemaining
     });
     try {
       appendFileSync2(this.statusPath, bar + `
@@ -96567,6 +96601,10 @@ class MtmDiagRunner {
     return this.logPath;
   }
   cleanup() {
+    if (this.tokenPollTimer) {
+      clearInterval(this.tokenPollTimer);
+      this.tokenPollTimer = null;
+    }
     if (this.logStream) {
       try {
         this.logStream.end();
@@ -96624,15 +96662,10 @@ function renderStatusBar(state) {
   const { model, provider, errorCount, lastError, requestCount, avgRoundtripMs, quotaRemaining } = state;
   const parts = [];
   parts.push("M: claudish ");
+  if (provider)
+    parts.push(`D: ${provider} `);
   if (model)
     parts.push(`C: ${model} `);
-  if (provider)
-    parts.push(`W: ${provider} `);
-  if (typeof quotaRemaining === "number") {
-    const pct = Math.round(quotaRemaining * 100);
-    const color = pct > 50 ? "G" : pct > 20 ? "Y" : "R";
-    parts.push(`${color}: ${pct}% quota `);
-  }
   if (errorCount > 0) {
     const errLabel = errorCount === 1 ? " \u26A0 1 error " : ` \u26A0 ${errorCount} errors `;
     parts.push(`R:${errLabel}`);
@@ -96641,6 +96674,11 @@ function renderStatusBar(state) {
   } else {
     parts.push("G: \u25CF ok ");
   }
+  if (typeof quotaRemaining === "number") {
+    const pct = Math.round(quotaRemaining * 100);
+    const color = pct > 50 ? "G" : pct > 20 ? "Y" : "R";
+    parts.push(`${color}: ${pct}% quota `);
+  }
   return parts.join("\t");
 }
 function parseLogMessage(msg) {