dondo-donuts 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Ragaeeb Haq
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,162 @@
+# Dondo
+
+<p>
+  <img src="./icon.png" alt="Dondo icon" width="96" height="96" />
+</p>
+
+[![npm](https://img.shields.io/npm/v/dondo?color=111827)](https://www.npmjs.com/package/dondo)
+[![Bun](https://img.shields.io/badge/runtime-Bun-fbf0df?logo=bun&logoColor=000)](https://bun.sh)
+[![TypeScript](https://img.shields.io/badge/code-TypeScript-3178c6?logo=typescript&logoColor=fff)](https://www.typescriptlang.org)
+[![Preact](https://img.shields.io/badge/ui-Preact-673ab8?logo=preact&logoColor=fff)](https://preactjs.com)
+[![Biome](https://img.shields.io/badge/lint-Biome-60a5fa?logo=biome&logoColor=fff)](https://biomejs.dev)
+[![macOS](https://img.shields.io/badge/platform-macOS-111827?logo=apple&logoColor=fff)](https://www.apple.com/macos)
+[![Antigravity](https://img.shields.io/badge/switches-Antigravity-2563eb)](https://antigravity.google)
+[![Codex](https://img.shields.io/badge/switches-Codex-10a37f)](https://openai.com/codex)
+[![License: MIT](https://img.shields.io/badge/license-MIT-111827.svg)](./LICENSE)
+[![GitHub issues](https://img.shields.io/github/issues/ragaeeb/dondo?color=6f42c1)](https://github.com/ragaeeb/dondo/issues)
+[![wakatime](https://wakatime.com/badge/user/a0b906ce-b8e7-4463-8bce-383238df6d4b/project/1c226a67-6f05-42d3-a8c3-591ef0fa09fd.svg)](https://wakatime.com/badge/user/a0b906ce-b8e7-4463-8bce-383238df6d4b/project/1c226a67-6f05-42d3-a8c3-591ef0fa09fd)
+
+Dondo is a small local Bun app for saving and switching local AI tool accounts. It starts a local web UI, stores saved accounts in an encrypted local vault, and currently supports Antigravity and Codex.
+
+Current platform support is macOS. Dondo uses the macOS `security` CLI for the local vault key, and Antigravity account switching uses macOS Keychain entries.
+
+## Install
+
+Install Bun 1.3 or newer, then run:
+
+```sh
+bunx dondo
+```
+
+Then open:
+
+```text
+http://localhost:3000
+```
+
+The server binds to `127.0.0.1` only.
+
+## Development
+
+```sh
+bun install
+bun run start
+```
+
+Useful checks:
+
+```sh
+bun run typecheck
+bun run lint
+bun test
+bun build src/server.ts --target=bun --outdir /tmp/dondo-build
+```
+
+## Storage
+
+Dondo stores its vault at the platform data directory:
+
+- macOS: `~/Library/Application Support/Dondo/vault.json`
+- Windows: `%LOCALAPPDATA%/Dondo/Data/vault.json`
+- Linux: `$XDG_DATA_HOME/dondo/vault.json` or `~/.local/share/dondo/vault.json`
+
+Set `DONDO_DATA_DIR` to override the directory, or `ANTIGRAVITY_VAULT` to override the full vault path.
+`DONDO_VAULT` also overrides the full vault path and takes precedence over the historical `ANTIGRAVITY_VAULT` name.
+
+Vault shape:
+
+```json
+{
+    "antigravity": {
+        "data": {},
+        "limits": {}
+    },
+    "codex": {
+        "data": {},
+        "limits": {}
+    }
+}
+```
+
+`antigravity.data` stores saved account snapshots. The token-bearing `password` field is encrypted with AES-256-GCM before writing to disk. Non-secret metadata such as labels, service names, and timestamps remains readable in the vault so the UI can list accounts. The encryption key is a random local secret stored in macOS Keychain as `dondo / vault-key`.
+
+`antigravity.limits` stores cached rate-limit data. Dondo fetches missing limits on first load and refreshes cached limits only when the UI `Refresh limits` button is used.
+
+`codex.data` stores encrypted snapshots of `~/.codex/auth.json`. Loading a saved Codex account writes that snapshot back to `~/.codex/auth.json` with `0600` permissions.
+
+`codex.limits` stores cached Codex ChatGPT usage data. Dondo fetches missing limits on first load and refreshes cached limits only when the UI `Refresh limits` button is used.
+
+Each limit cache entry has this shape:
+
+```json
+{
+    "fetchedAt": "2026-06-02T00:00:00.000Z",
+    "quota": {
+        "ok": true,
+        "tier": "plus",
+        "expires": "",
+        "models": {}
+    }
+}
+```
+
+Encrypted strings use the `enc:v1:` envelope: AES-256-GCM with a 12-byte IV, 16-byte auth tag, then ciphertext, base64 encoded.
+
+## Environment
+
+```sh
+DONDO_PORT=3000
+PORT=3000
+DONDO_DATA_DIR=/custom/data/dir
+DONDO_VAULT=/custom/vault.json
+ANTIGRAVITY_VAULT=/custom/vault.json
+ANTIGRAVITY_SERVICE=gemini
+ANTIGRAVITY_ACCOUNT=antigravity
+ANTIGRAVITY_KEYCHAIN=login.keychain-db
+ANTIGRAVITY_VERSION=2.0.3
+GOOGLE_CLIENT_ID=...
+GOOGLE_CLIENT_SECRET=...
+CODEX_AUTH_PATH=~/.codex/auth.json
+```
+
+`DONDO_PORT` takes precedence over `PORT`. `ANTIGRAVITY_KEYCHAIN` is passed as the keychain argument to macOS `security` commands, for example `login.keychain-db` or an absolute keychain path.
+
+Antigravity limit refreshes require `GOOGLE_CLIENT_ID` and `GOOGLE_CLIENT_SECRET`. Dondo does not ship Google OAuth credentials in source.
+
+## Local API
+
+All API requests must be sent to localhost. Mutating routes require `POST` with a JSON object body.
+
+- `GET /api/antigravity/state`
+- `POST /api/antigravity/limits/refresh` with optional `{ "key": "label" }`
+- `POST /api/antigravity/save` with `{ "key": "label" }`
+- `POST /api/antigravity/load` with `{ "key": "label" }`
+- `POST /api/antigravity/clear`
+- `GET /api/codex/state`
+- `POST /api/codex/limits/refresh` with optional `{ "key": "label" }`
+- `POST /api/codex/save` with `{ "key": "label" }`
+- `POST /api/codex/load` with `{ "key": "label" }`
+
+`Clear live` deletes the live Antigravity Keychain item plus these local Antigravity state paths:
+
+- `~/.antigravity-agent/cloud_accounts.db`
+- `~/.gemini/antigravity`
+- `~/.gemini/antigravity-ide`
+- `~/.gemini/antigravity-backup`
+- `~/Library/Application Support/Antigravity`
+
+## Security Model
+
+Dondo is designed to be easy to inspect:
+
+- The server listens on `127.0.0.1`.
+- Tokens are not returned to the browser API.
+- Saved token payloads are encrypted at rest.
+- Rate-limit API calls happen server-side.
+- Codex `auth.json` contents are never rendered or returned by the API.
+
+This protects against casual plaintext scraping of the vault file. A process running as the same logged-in user may still be able to access local Keychain items depending on operating-system policy. Antigravity restore currently passes the token blob to the macOS `security` CLI as an argument, which can be visible briefly to same-user process listings.
+
+## License
+
+MIT

package/icon.svg

@@ -0,0 +1,69 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 125 33">
+<!-- SVG created with Arrow, by QuiverAI (https://quiver.ai) -->
+  <style type="text/css">.cls-0 {fill:url(#SVGID_1_);}
+.cls-1 {fill:url(#SVGID_2_);}
+.cls-2 {fill:#381C11;}
+.cls-3 {fill:url(#SVGID_3_);}
+.cls-4 {fill:url(#SVGID_4_);}
+.cls-5 {fill:url(#SVGID_5_);}
+.cls-6 {fill:url(#SVGID_6_);}
+.cls-7 {fill:url(#SVGID_7_);}
+.cls-8 {fill:url(#SVGID_8_);}
+.cls-9 {fill:url(#SVGID_9_);}</style>
+  <linearGradient id="SVGID_1_" x1="39.86" x2="39.86" y1="6.582" y2="32.31" gradientUnits="userSpaceOnUse">
+    <stop stop-color="#F7B678" offset="0"/>
+    <stop stop-color="#B05A1B" offset="1"/>
+  </linearGradient>
+  <path class="cls-0" d="m39.9 6.6c-6.5 0.1-12.8 5.4-12.8 13.2 0 6.2 3.9 12.5 12.8 12.5 7.7 0 12.9-4.9 12.9-12.5 0-7.3-5.4-13.2-12.9-13.2zm0 16c-2 0-3.6-1.3-3.6-2.9 0-1.8 1.6-3.3 3.6-3.3s3.9 1.3 3.9 3.3c0 1.8-1.7 2.9-3.9 2.9z"/>
+  <linearGradient id="SVGID_2_" x1="39.79" x2="39.79" y1="6.61" y2="30.82" gradientUnits="userSpaceOnUse">
+    <stop stop-color="#FFA7BC" offset="0"/>
+    <stop stop-color="#FC6986" offset="1"/>
+  </linearGradient>
+  <path class="cls-1" d="m40.1 6.6c-6.6 0-13 4.9-13 12.5 0 3.2 1.3 3.2 1.6 4.7 0.6 2.9 2 3.1 3.3 3.2 1.8 0.1 2.9 3.6 6.4 3.6 2.3 0 3.3-1.7 4.7-1.7 1.1 0 1.5 0.6 2.3 0.7 2.2 0.2 2.5-2.9 4-3.7 1.1-0.5 1.4-1 1.6-2.1 0.4-1.6 1.8-1.2 1.8-4.6 0-6.8-5.4-12.6-12.7-12.6zm-0.3 16c-2 0-4.1-1.5-4.1-3.8 0-1.8 1.8-4 4.1-4 2.1 0 4.4 1.6 4.4 3.9 0 2.2-1.9 3.9-4.4 3.9z"/>
+  <linearGradient id="SVGID_3_" x1="11.45" x2="11.45" y1="1.091" y2="30.69" gradientUnits="userSpaceOnUse">
+    <stop stop-color="#663B28" offset="0"/>
+    <stop stop-color="#47271A" offset="1"/>
+  </linearGradient>
+  <path class="cls-3" d="m12.1 1.1h-9.9c-0.6 0-1 0.4-1 1.2v27.2c0 0.7 0.3 1.1 1 1.1h10c7.4 0.1 14.1-3.8 14.1-14.5 0-8.2-6-15-14.2-15zm-0.7 24.1h-3.8v-17.7h3.8c5.2 0 8.2 3.4 8.2 8.8s-2.6 8.9-8.2 8.9z"/>
+  <linearGradient id="SVGID_4_" x1="63.62" x2="63.62" y1="9.11" y2="30.69" gradientUnits="userSpaceOnUse">
+    <stop stop-color="#663B28" offset="0"/>
+    <stop stop-color="#47271A" offset="1"/>
+  </linearGradient>
+  <path class="cls-4" d="m66.1 9.1c-1.8 0-3.8 0.8-5.4 2.1-0.2 0-0.4-0.1-0.4-0.3 0.1-0.7-0.6-1.3-1.4-1.3h-3.4c-0.7 0-1.2 0.5-1.2 1.3v18.5c0 0.7 0.4 1.2 1.1 1.2h3.7c0.7 0 1.1-0.5 1.1-1.2v-10c0-2.5 1.7-4.4 4-4.4s3.7 1.7 3.7 4.2v10.2c0 0.7 0.4 1.2 1.1 1.2h4c0.7 0 1-0.5 1-1.2v-11.1c0-5.4-2.9-9.2-7.9-9.2z"/>
+  <linearGradient id="SVGID_5_" x1="87.21" x2="87.21" y1=".2488" y2="31.14" gradientUnits="userSpaceOnUse">
+    <stop stop-color="#663B28" offset="0"/>
+    <stop stop-color="#47271A" offset="1"/>
+  </linearGradient>
+  <path class="cls-5" d="m96.9 0.2h-3.8c-0.6 0-1.3 0.4-1.3 1.2v8.6c0 0.3-0.3 0.5-0.6 0.3-1.2-0.8-2.7-1.5-5.1-1.5-4.7 0-10.4 4-10.4 11.1 0 6.7 4.4 11.2 10.3 11.2 2.3 0 4-0.5 5.8-1.8 0.2-0.2 0.4-0.1 0.4 0.2 0 0.7 0.4 1.2 1.1 1.2h3.5c0.8 0 1.2-0.5 1.2-1.3v-28c0-0.7-0.4-1.2-1.1-1.2zm-10.2 25.2c-2.6 0-5-1.9-5-5.4 0-3.3 2.6-5.3 5-5.3s5.2 1.7 5.2 5.3c0 3.3-2.5 5.4-5.2 5.4z"/>
+  <linearGradient id="SVGID_6_" x1="112.3" x2="112.3" y1="6.987" y2="32.26" gradientUnits="userSpaceOnUse">
+    <stop stop-color="#E99449" offset="0"/>
+    <stop stop-color="#B05A1B" offset="1"/>
+  </linearGradient>
+  <path class="cls-6" d="m112.3 7c-6.4 0-12 4.9-12.7 12.1-0.2 5.4 3.1 13.1 12.9 13.1 7.3 0 11.4-5.7 11.4-12 0-7.2-5.2-13.2-11.6-13.2zm0 15.8c-2 0.1-4.1-1.2-4.1-3.1 0-2.1 2-3.3 4-3.3 1.8 0.1 3.6 1.3 3.6 3.1 0 1.9-1.5 3.2-3.5 3.3z"/>
+  <linearGradient id="SVGID_7_" x1="111.4" x2="111.4" y1="7.009" y2="30.57" gradientUnits="userSpaceOnUse">
+    <stop stop-color="#97E3FF" offset="0"/>
+    <stop stop-color="#54CCFF" offset=".4533"/>
+    <stop stop-color="#35A9E1" offset="1"/>
+  </linearGradient>
+  <path class="cls-7" d="m112.5 7c-6.6-0.3-12.5 4.6-12.9 11.6-0.1 4 1.5 4.1 1.8 5.4 0.8 3.4 2.3 2.9 3.6 3.3 1.5 0.4 2 3.1 5.8 3.3 1.8 0 2.8-1.5 4.2-1.5 0.8 0 1.1 0.3 1.7 0.3 1.8-0.1 1.8-2.2 3.2-2.6 1.9-0.5 1.9-1.5 2.3-2.9 0.4-1.5 1.6-0.9 1.7-4.4 0.2-6.4-4.6-12.2-11.4-12.5zm-0.3 15.8c-2.4 0.2-4.1-1.3-4.1-3.8 0-2.1 2-3.9 4.2-3.8s3.8 1.6 3.8 4c0 1.8-1.4 3.4-3.9 3.6z"/>
+  <linearGradient id="SVGID_8_" x1="29.67" x2="39.21" y1="16.01" y2="11.06" gradientUnits="userSpaceOnUse">
+    <stop stop-color="#fff" stop-opacity=".5" offset="0"/>
+    <stop stop-color="#fff" stop-opacity="0" offset="1"/>
+  </linearGradient>
+  <path class="cls-8" d="m38.9 8.4c-5.6 0-9.5 4.4-9.5 8.9 1.4 0.3 1.2-5.1 9.5-7.7 0.9-0.3 0.9-1.2 0-1.2z"/>
+  <linearGradient id="SVGID_9_" x1="102.2" x2="111.5" y1="13.97" y2="11.11" gradientUnits="userSpaceOnUse">
+    <stop stop-color="#fff" stop-opacity=".8" offset="0"/>
+    <stop stop-color="#fff" stop-opacity="0" offset="1"/>
+  </linearGradient>
+  <path class="cls-9" d="m110.6 8.9c-4.8 0.2-9.1 4.5-8.8 8.9 1.4 0.3 1.2-6.1 8.8-7.8 0.8-0.2 0.8-1.2 0-1.1z"/>
+  <path class="cls-2" d="m12.1 1.1c-2.9 0-7.4 0.1-9.8 0.1-0.8 0-0.7 0.4-0.7 0.9v27.4c0 0.5 0.2 0.7 0.7 0.7h9.8c6.8 0 14-2.7 14.2-14.1 0 10.3-5.1 14.6-13.9 14.6h-10.2c-0.7 0-1.2-0.3-1.2-1.2v-27.2c0-0.6 0.3-1.3 1.1-1.3l10 0.1z"/>
+  <path class="cls-2" d="m7.2 7h3.9c4.4 0 8.7 3.2 9.1 8.9-0.6-4.7-3.6-8.4-8.8-8.4h-3.8l-0.4-0.5z"/>
+  <path class="cls-2" d="m54.7 10.7v18.7c0 0.3 0.2 0.6 0.6 0.6h3.8c0.6 0 0.9-0.2 0.9-0.7 0 1.1-0.3 1.4-0.9 1.4h-3.8c-0.6 0-1.1-0.4-1.1-1.3v-18.7c0-0.7 0.4-1.2 1.3-1.2l3.6 0.1h-3.6c-0.6 0-0.8 0.5-0.8 1.1z"/>
+  <path class="cls-2" d="m60.2 17.6c0.5-1.8 1.9-3.3 4-3.3 3.1 0 4.2 2.5 4.2 5.5-0.3-2.8-1.8-4.8-4.2-4.8-1.7 0.1-3.4 1.1-4 2.6z"/>
+  <path class="cls-2" d="m68.5 29.4c0 0.6 0.2 0.8 0.7 0.8h3.7c0.6 0 0.8-0.3 0.8-0.8v-12.3c0.2 0.9 0.2 2 0.2 3.1v9.3c0 0.7-0.2 1.2-1 1.2h-3.9c-0.6 0-1.1-0.4-1.1-1.1l0.6-0.2z"/>
+  <path class="cls-2" d="m76.2 20.5c0-6.3 4.7-11.3 9.9-11.3 2 0 3.6 0.6 5.2 1.6 0.7 0.5 1.3 0.5 1.3-0.5v-8.9c0-0.6 0.3-1.2 1.2-1.2l3.1 0.1h-3.6c-0.6 0-0.8 0.4-0.8 1v8.7c0 0.6-0.3 0.8-0.9 0.4-1.3-0.8-2.7-1.6-5.5-1.6-4.5 0-10.4 3.7-10.4 11.1 0 4.9 2.8 10.6 10.3 10.7 1 0 3.4 0.1 5.9-1.4-2.1 1.5-3.5 1.9-5.9 1.9-6 0-9.8-4.6-9.8-10.6z"/>
+  <path class="cls-2" d="m81.6 20.5c0-3.3 2.2-6.6 5.4-6.7 3.3-0.1 5.6 2.7 5.6 5.9-0.2-2.8-2.7-5-5.5-5-3 0-5.4 2.4-5.5 5.8z"/>
+  <path class="cls-2" d="m92.4 28.7 0.2 0.8c0 0.7 0.3 1.2 0.9 1.2h3.4c0.6 0 0.9-0.5 0.9-1.2v-27.9l0.2-0.1v28c0 0.7-0.3 1.3-1.1 1.3h-3.6c-0.7 0-1.4-0.4-1.3-1.5l0.4-0.6z"/>
+  <path class="cls-2" d="m102.4 26.1c0.9 1.2 2 0.8 2.9 1.1 1.4 0.4 1.9 2.9 5.3 3.2 1.9 0.1 2.9-1.4 4.4-1.4 0.8 0 0.9 0.4 1.7 0.3-2.3 0.8-2.5-0.4-4.2 0.6-0.7 0.5-1.3 0.7-1.9 0.7-3.6 0-4-3-5.7-3.3-1.1-0.1-1.7 0-2.5-1.2z"/>
+  <path class="cls-2" d="m29.9 26c0.8 1.1 1.8 0.8 2.7 1 1.5 0.4 2.4 3.4 5.8 3.5 1.8 0 3-1.8 4.7-1.8 0.8 0 1.1 0.4 2.2 0.7-1.9 0.5-2.2-0.7-3.9 0.4-0.8 0.6-1.6 0.9-3 0.9-3.3-0.1-4.3-3.3-6-3.5-1-0.2-1.7 0-2.5-1.2z"/>
+</svg>

package/package.json

@@ -0,0 +1,58 @@
+{
+    "author": {
+        "name": "Ragaeeb Haq",
+        "url": "https://github.com/ragaeeb"
+    },
+    "bin": {
+        "dondo": "src/server.ts"
+    },
+    "bugs": {
+        "url": "https://github.com/ragaeeb/dondo/issues"
+    },
+    "dependencies": {
+        "preact": "^10.29.2"
+    },
+    "description": "Minimal local UI for switching Antigravity and Codex accounts.",
+    "devDependencies": {
+        "@biomejs/biome": "^2.4.16",
+        "@types/bun": "^1.3.14",
+        "typescript": "^6.0.3"
+    },
+    "engines": {
+        "bun": ">=1.3.14"
+    },
+    "files": [
+        "LICENSE",
+        "README.md",
+        "icon.png",
+        "icon.svg",
+        "src"
+    ],
+    "homepage": "https://github.com/ragaeeb/dondo",
+    "keywords": [
+        "antigravity",
+        "codex",
+        "account-switcher",
+        "bun",
+        "keychain"
+    ],
+    "license": "MIT",
+    "name": "dondo-donuts",
+    "os": [
+        "darwin"
+    ],
+    "packageManager": "bun@1.3.14",
+    "repository": {
+        "type": "git",
+        "url": "git+https://github.com/ragaeeb/dondo.git"
+    },
+    "scripts": {
+        "format": "biome check . --write",
+        "lint": "biome lint .",
+        "start": "bun src/server.ts",
+        "test": "bun test",
+        "typecheck": "tsc --noEmit"
+    },
+    "type": "module",
+    "version": "0.1.0"
+}

package/src/antigravity/google.test.ts

@@ -0,0 +1,70 @@
+import { afterEach, expect, it } from 'bun:test';
+import { decodeToken, fetchLimits } from './google.ts';
+
+const originalFetch = globalThis.fetch;
+const originalClientId = process.env.GOOGLE_CLIENT_ID;
+const originalClientSecret = process.env.GOOGLE_CLIENT_SECRET;
+
+afterEach(() => {
+    globalThis.fetch = originalFetch;
+    process.env.GOOGLE_CLIENT_ID = originalClientId;
+    process.env.GOOGLE_CLIENT_SECRET = originalClientSecret;
+});
+
+it('should decode go-keyring base64 token payloads', () => {
+    const payload = { auth_method: 'oauth-personal', token: { access_token: 'access', refresh_token: 'refresh' } };
+    const encoded = `go-keyring-base64:${Buffer.from(JSON.stringify(payload)).toString('base64')}`;
+
+    expect(decodeToken(encoded)).toEqual(payload);
+});
+
+it('should return null for invalid token payloads', () => {
+    expect(decodeToken('not base64 json')).toBeNull();
+});
+
+it('should return an updated snapshot password after refreshing an expired token', async () => {
+    process.env.GOOGLE_CLIENT_ID = 'test-client';
+    process.env.GOOGLE_CLIENT_SECRET = 'test-secret';
+    globalThis.fetch = (async (url: string | URL | Request) => {
+        const target = String(url);
+        if (target.includes('/token')) {
+            return Response.json({ access_token: 'new-access', expires_in: 3600 });
+        }
+        if (target.includes('loadCodeAssist')) {
+            return Response.json({
+                cloudaicompanionProject: 'project',
+                paidTier: { name: 'plus' },
+            });
+        }
+        return Response.json({
+            models: {
+                'future-model': {
+                    displayName: 'Future Model',
+                    quotaInfo: { remainingFraction: 0.42, resetTime: '2027-01-15T08:00:00.000Z' },
+                },
+            },
+        });
+    }) as typeof fetch;
+    const payload = {
+        auth_method: 'oauth-personal',
+        token: {
+            access_token: 'old-access',
+            expiry: '2000-01-01T00:00:00.000Z',
+            refresh_token: 'refresh',
+        },
+    };
+    const password = `go-keyring-base64:${Buffer.from(JSON.stringify(payload)).toString('base64')}`;
+
+    const result = await fetchLimits({
+        account: 'antigravity',
+        createdAt: '',
+        kind: 'Generic Password',
+        label: 'gemini',
+        password,
+        service: 'gemini',
+        updatedAt: '',
+    });
+
+    expect(result.quota.ok).toBe(true);
+    expect(decodeToken(result.password ?? '')?.token?.access_token).toBe('new-access');
+});

package/src/antigravity/google.ts

@@ -0,0 +1,199 @@
+import {
+    ANTIGRAVITY_VERSION,
+    GOOGLE_CLIENT_ID,
+    GOOGLE_CLIENT_SECRET,
+    GOOGLE_TOKEN_URL,
+    LOAD_PROJECT_URL,
+    QUOTA_URLS,
+} from '../config.ts';
+import type { LimitResult, Snapshot, TokenPayload } from '../types.ts';
+
+type JsonObject = Record<string, unknown>;
+type FetchLimitsResult = {
+    password?: string;
+    quota: LimitResult;
+};
+type GoogleRefreshResponse = {
+    access_token?: string;
+    expires_in?: number;
+    refresh_token?: string;
+};
+
+const REQUEST_TIMEOUT_MS = 15_000;
+const EXPIRY_GRACE_MS = 60_000;
+const TOKEN_PREFIX = 'go-keyring-base64:';
+
+const asObject = (value: unknown): JsonObject => {
+    return typeof value === 'object' && value !== null && !Array.isArray(value) ? (value as JsonObject) : {};
+};
+
+const stringValue = (value: unknown) => (typeof value === 'string' ? value : undefined);
+const numberValue = (value: unknown) => (typeof value === 'number' ? value : undefined);
+
+export const decodeToken = (password: string): TokenPayload | null => {
+    try {
+        const encoded = password.startsWith(TOKEN_PREFIX) ? password.slice(TOKEN_PREFIX.length) : password;
+        return JSON.parse(Buffer.from(encoded, 'base64').toString('utf8'));
+    } catch {
+        return null;
+    }
+};
+
+const encodeToken = (password: string, payload: TokenPayload) => {
+    const encoded = Buffer.from(JSON.stringify(payload)).toString('base64');
+    return password.startsWith(TOKEN_PREFIX) ? `${TOKEN_PREFIX}${encoded}` : encoded;
+};
+
+const headers = (accessToken: string) => {
+    const platform = process.platform === 'darwin' ? 'darwin' : process.platform === 'win32' ? 'windows' : 'linux';
+    const arch = process.arch === 'x64' ? 'amd64' : process.arch;
+    return {
+        Authorization: `Bearer ${accessToken}`,
+        'Content-Type': 'application/json',
+        'User-Agent': `antigravity/${ANTIGRAVITY_VERSION} ${platform}/${arch}`,
+    };
+};
+
+const errorStatus = async (res: Response) => {
+    const text = await res.text();
+    try {
+        const body = asObject(JSON.parse(text));
+        const error = asObject(body.error);
+        return stringValue(error.status) ?? stringValue(error.message) ?? res.statusText;
+    } catch {
+        return res.statusText;
+    }
+};
+
+const postJson = async (url: string, accessToken: string, body: unknown) => {
+    const res = await fetch(url, {
+        body: JSON.stringify(body),
+        headers: headers(accessToken),
+        method: 'POST',
+        signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS),
+    });
+    if (!res.ok) {
+        const status = await errorStatus(res);
+        throw new Error(`HTTP ${res.status}${status ? `: ${status}` : ''}`);
+    }
+    return res.json();
+};
+
+const refreshAccessToken = async (refreshToken: string) => {
+    const clientId = process.env.GOOGLE_CLIENT_ID?.trim() || GOOGLE_CLIENT_ID;
+    const clientSecret = process.env.GOOGLE_CLIENT_SECRET?.trim() || GOOGLE_CLIENT_SECRET;
+    if (!clientId || !clientSecret) {
+        throw new Error('Set GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET to refresh Antigravity limits');
+    }
+
+    const res = await fetch(GOOGLE_TOKEN_URL, {
+        body: new URLSearchParams({
+            client_id: clientId,
+            client_secret: clientSecret,
+            grant_type: 'refresh_token',
+            refresh_token: refreshToken,
+        }),
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        method: 'POST',
+        signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS),
+    });
+    if (!res.ok) {
+        throw new Error(`Token refresh failed: HTTP ${res.status}`);
+    }
+    return (await res.json()) as GoogleRefreshResponse;
+};
+
+const validAccessToken = async (token: NonNullable<TokenPayload['token']>) => {
+    const expiry = token.expiry ? Date.parse(token.expiry) : Number.NaN;
+    if (token.access_token && (!token.expiry || Number.isNaN(expiry) || expiry > Date.now() + EXPIRY_GRACE_MS)) {
+        return { accessToken: token.access_token };
+    }
+    if (!token.refresh_token) {
+        return { accessToken: token.access_token };
+    }
+
+    const refreshed = await refreshAccessToken(token.refresh_token);
+    if (!refreshed.access_token) {
+        return { accessToken: undefined };
+    }
+
+    const nextToken = {
+        ...token,
+        access_token: refreshed.access_token,
+        expiry: refreshed.expires_in ? new Date(Date.now() + refreshed.expires_in * 1000).toISOString() : token.expiry,
+        refresh_token: refreshed.refresh_token ?? token.refresh_token,
+    };
+    return { accessToken: refreshed.access_token, token: nextToken };
+};
+
+export const fetchLimits = async (snap: Snapshot): Promise<FetchLimitsResult> => {
+    const payload = decodeToken(snap.password);
+    const token = payload?.token;
+    if (!token || (!token.access_token && !token.refresh_token)) {
+        return { quota: { error: 'No access token in snapshot', ok: false } };
+    }
+
+    const { accessToken, token: refreshedToken } = await validAccessToken(token);
+    if (!accessToken) {
+        return { quota: { error: 'Could not refresh access token', ok: false } };
+    }
+
+    const projectData = asObject(
+        await postJson(LOAD_PROJECT_URL, accessToken, {
+            metadata: { ideType: 'ANTIGRAVITY' },
+        }),
+    );
+    const project = projectData.cloudaicompanionProject;
+    const paidTier = asObject(projectData.paidTier);
+    const currentTier = asObject(projectData.currentTier);
+    const tier =
+        stringValue(paidTier.name) ??
+        stringValue(paidTier.id) ??
+        stringValue(currentTier.name) ??
+        stringValue(currentTier.id) ??
+        '';
+    let lastError = '';
+
+    for (const url of QUOTA_URLS) {
+        try {
+            const data = asObject(await postJson(url, accessToken, project ? { project } : {}));
+            const responseModels = asObject(data.models);
+            const models = Object.fromEntries(
+                Object.entries(responseModels)
+                    .filter(([, info]) => {
+                        return Boolean(asObject(info).quotaInfo);
+                    })
+                    .map(([name, info]) => {
+                        const model = asObject(info);
+                        const quotaInfo = asObject(model.quotaInfo);
+                        return [
+                            name,
+                            {
+                                displayName: stringValue(model.displayName) ?? name,
+                                percentage: Math.round((numberValue(quotaInfo.remainingFraction) ?? 0) * 100),
+                                resetTime: stringValue(quotaInfo.resetTime) ?? '',
+                            },
+                        ];
+                    }),
+            );
+            return {
+                password: refreshedToken
+                    ? encodeToken(snap.password, { ...payload, token: refreshedToken })
+                    : undefined,
+                quota: { expires: refreshedToken?.expiry ?? token.expiry ?? '', models, ok: true, tier },
+            };
+        } catch (error) {
+            lastError = String(error);
+            if (!/HTTP (?:429|5\d\d|403)/.test(lastError)) {
+                throw error;
+            }
+        }
+    }
+
+    return {
+        quota: {
+            error: `Quota API is rate-limited or unavailable${lastError ? ` (${lastError.replace(/^Error:\s*/, '')})` : ''}`,
+            ok: false,
+        },
+    };
+};

package/src/antigravity/keychain.test.ts

@@ -0,0 +1,8 @@
+import { expect, it } from 'bun:test';
+import { parsePassword } from './keychain.ts';
+
+it('should parse escaped keychain password output without greedy capture', () => {
+    const stderr = '"labl"<blob>="gemini"\npassword: "go-keyring-base64:abc\\"def"\n"extra"<blob>="ignored"';
+
+    expect(parsePassword(stderr)).toBe('go-keyring-base64:abc"def');
+});